IGF 2019 – Day 2 – Convention Hall II – The Future of IoT : Toward More Secure and Human-Centered Devices

The following are the outputs of the real-time captioning taken during the Fourteenth Annual Meeting of the Internet Governance Forum (IGF) in Berlin, Germany, from 25 to 29 November 2019. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> MODERATOR: Hello.  Hello, everybody.  Welcome to the session.  And the future of the Internet of Things.  We'll be talking about, how to get to a more secure future with more IoT devices.  We're joined today by panelists around the world.  We'll be visiting Ghana, Indonesia, Germany, Uganda and we're going to split this session into two rounds.

In the first round, we're going to hear from the first two speakers.  We'll be hearing from Benedikt Abendroth, from Microsoft.  Senior security program manager.  And we'll be hearing from Walid Al Saqaf.  After those two comments, we'll have questions and we'll continue with our remaining speakers from around the world, who I look forward to introducing you to.

My name is Solana.  I work with the Mozilla foundation.  I'm based here in Berlin and I come to this field with a great degree of recent interest because we've just published a publication ourselves, which is called privacy included, rethinking the smart home.

And it's part of our annual publication that Mozilla does where we look at smart home devices and try and assess them on privacy and security.  And in the context of this work, in talking to many people who are experts on this topic and who are working at different levels to try and figure out how to solve these, whether it's in the home, or in cities, or at the national level.

I know that we'll be looking at the full range of this problem and the opportunities afforded by IoT as part of this discussion.

So, I would like to start by welcoming Benedikt to give us his perspective from Microsoft.

>> BENEDIKT ABENDROTH: All right.  Thank you for providing me with the opportunity today to speak, and also a special thank you to the organizers of this session.  My name is Benedikt.  I work at Microsoft at the headquarters in Redmond and I lead security of an IoT project called Stratosphere.  Today, I want to talk about three things.  First, the proliferation of IoT, specifically in the context of microcontrollers, second, the security risks those devices are facing and third, what we at Microsoft think is necessary to protect against the threats they're facing.

So, as I'm the first speaker, I wanted to set the stage briefly by talking about how massive the impact of IoT already is and will continue to be.

You've probably heard many numbers in terms of how many IoT devices there are.  I don't think it really matters which number you choose, what you have to take away is that it's a very large number.  The one estimate that I usually like to refer to is that there are about 80 billion connected things by 2025 so if you could put that into context of how many people there will be, that is a very impressive number.

So, why is that number so high?  I think at a high level, there are two reasons for why that number is so high.  First, from a technology perspective, I think we've seen several trends over the last decade that have spurred the growth of IoT.

One being declining hardware costs.  Another one being the miniaturization of sensors and another one being the emergence of hyperscale Cloud computing.

Those things together have enabled IoT to increase at such a large scale.  And because of that, anything from airplanes, elevators, solar panels, toys, even soap dispensers, now, can be connected to the internet.

I think second, also, from a consumer and industry perspective, there are a lot of benefits that come with connecting devices.  For example, sensors can detect whether there is a gas leak in the house and notify rescue services.  Enterprises can monitor millions of devices that are deployed and they don't need to send a technician to check on each one.

So, I think those are the reasons at a high level of why IoT is growing so much.  And it's frankly also a large opportunity for industry and businesses.  It introduced business model.  Increasing ones.  That is a huge market, obviously, that companies are trying to capture.  To some other things, there are a few reasons why that number of IoT devices is so large.

As I said in the beginning, I wanted to focus on one particular category of IoT devices.  And first of all, what does IoT actually mean?

IoT can mean many things.  One of the nice things that about IoT is that there's no universally agreed on definition so there's many different viewpoints, but, at its core, we think that it's about a new concept of how we interact with the physical world.

And one particular area of IT, microcontrollers.  And what you see here on the left side is one example.  And just in that category alone, 9 billion MCU-powered devices are built and deployed each year.

So, that is a huge number.  And those devices are very, very small.  A microcontroller can be the size of a thumb nail.

And they're basically in everything.  They're in street lamps, refrigerators, washing machines, HVACs, microwaves, medical devices, one might actually be in the microphone here as well.

MCUs were actually introduced in the early 70s and brought very simple computing to many different devices.  But, historically, MCUs weren't really connected to the internet and today, in fact, only 1 percent of those MCUs out there are connected to the internet.

But, that number of 1 percent is definitely about to change.  What you see here is a diagram of one of the first MCUs that has a radio built right into the dial.  When we saw this for the first time in 2014, we knew this would kick off a huge shift in the IoT world and this particular chip that you see here.  If you would have bought it in a volume of about 100,000 devices in 2014, it would have cost about $2.50.

So, think about that number for a second.  For, basically, the cost of a cup of coffee, you can now add internet connectivity to pretty much anything.

I think that is very fascinating.  But, as with most things in technology, with a lot of opportunities also come a lot of risks and that is something that I wanted to talk about as well today.

There's a new headline about IoT devices being hacked pretty much every single day.  Fridges sending scam, baby monitors being used to spy on families.  Someone even used a fish tank thermometer to infiltrate a corporate network and of course we all remember the attack that took down the vast majority of the east coast for the better part of the day in September, 2016.

And the consequences of all of these are very severe.  It can have an impact on your physical security, even.  And as we learned, it can even have a socioeconomical impact.

So, who is behind all of these attacks?  What you see here on the left is a categorization that is used by the U.S. government.  And what you can see, and when you go into the details of what the motives and interests are, is that all of their methods and interests and motives are very, very broad.

There's a lot of different actors.  Some of them might want to damage your infrastructure and entire industries.  Others want to promote specific agendas with highly visible attacks.  Some want to steal intellectual property, sensitive data.  Some might just do it for fun and for recognition.

So, I think what is important to state here is that overall the range of actors behind the attacks in the IoT devices in any network system broadly is very, very broad and their motives can be very different but what is clear is that behind all of these different motives, the fact that every single IoT device from a soap dispenser to a car, they're all facing many, many threats.

So, what you see here on the next slide is how those attackers actually gain access to an IoT device.

So, the question is, what do they see when they look at an IoT device?  If you're a hacker, this is basically what you see.  That's the battle field for a device level attack.  This is what you see when you try to, let's say, want to hack into a connected medical device.

Starting at the bottom, you can gain access via physical access to the device.  You can use one of the IOs.  You can leverage a vulnerability in the operating system.  Anything in the network that connects the operating system to the network or the Cloud, you can compromise the communication itself, if a weak encryption is used.

You can get access via an application if there's flaws in the security of that app, and you can basically attack any of the levels you see here.  As you can see, these attack surfaces are pretty limited when you think about it from a theoretical perspective but what is unlimited is the way attackers can compromise those attack surfaces.  And hackers can get very creative and innovative.  The bad guys can just innovate as much as the good guys, basically.

So, what can happen when an IoT device, when a bad actor hacks an IoT device?

Well, a lot of things can happen, actually.  One example being a device can be completely bricked and held for ransom.  Imagine someone locking the thermostat on your device in the middle of winter and demanding you pay $100 to get heat to your house.

They can also be used, there have been vulnerabilities found in pacemakers that would allow an attacker to administrate a shock to the patient.  Data can be breached, attackers can gain access to the location of someone and pretty much track their location 24/7.

Data can even be changed.  Imagine an oil rig that is using about 80,000 sensors to collect millions of data points and just changing a few of them, that could have huge consequences on how that oil rig is operated.

Or you could just use a device to gain access to a network with the example of the fish tank thermometer that I mentioned.

So, I think when you all add it up, we can all agree that those are things that shouldn't happen.  So, I just wanted to mention one brief example of using a device for malicious purposes.  If you look at one example here.  I think what manufacturers more broadly should think about is that what are the risks that users of those devices are facing and in what environment do they operate in?

So, although you might think that a stove top compared to, let's say, a car, might not have the same level of consequences, think about someone weaponizing a stove top in someone's home.  Opening the gas valve.  Igniting the ignition.  Those are things that can have very, very severe consequences instead so, we think that every single IoT device, every single user deserves to be protected sufficiently.

So, the question is, how can you achieve that level of protection for all those devices running on MCUs.

In our research, we have learned that in order to be highly secure for all of those devices, you should at least have seven properties.  I won't go into the technical details here, if you want to learn more about it, you can use the search engine of your choice or look at the link at the bottom of the slide but in a nutshell, a device is only as secure as its weakest link and we have to determine that these are the protections required to secure a connected device in the threat landscape I just laid out.

Some of those properties are delivered in hardware.  Some are delivered in software.  Some depend on the network of the Cloud service but together these properties work to protect the connected device from all the attacks I've mentioned and also allow the security to be renewed if a compromise has happened and it enables them to be updated over time because many devices are connected and nowadays, IoT landscapes aren't just being used for one or two years, many of them are deployed for ten years or even longer.

So, we've outlined these properties in the research paper and if you'd like to, feel free to have a look.

And finally, I'd like to conclude with what governments are actually doing to address that space.  In the U.S., the most prominent example, recently, is probably California, which has passed legislation that will require IoT devices to have certain minimum security standards for passwords.

There are several bills that are introduced in Congress being discussed right now.  In Europe, most people should be familiar with the cybersecurity act that will introduce cybersecurity frameworks that will very likely include IoT as well.

Most governments, one example being the UK, actively working on informing certain examples with their work.

In Asia Pacific, the government, started a train in which they tested the password of 200 million IoT devices.

And most recently, just last month, a joint report was put together by the Dutch agencies that called for governments to play a more active role in securing IoT devices.

I'd like to conclude by getting back to the botnet attack I mentioned earlier.  That attack took place in September 2016.  That is, at least in the technology space, a very, very long time.  It's more than three years ago and I think someone would have a really hard time arguing that much has improved in the state of IoT service security since then.

So, we probably all agree that consumers deserve better protection and I hope this panel will move the needle forward in the right direction.  Thank you very much.

(applause)

>> Thank you, Michael.  Our next speaker is Walid Al Saqaf.

>> WALID AL SAQAF: Thank you very much.  It's a pleasure being on this panel.  I would like to emphasize that both, I have two hats.  One as an academic working on internet studies and the other is on the Board of the Internet Society.  But, of course, I will not use the latter hat as much as I can.  Simply looking at it, from theoretical, let's say, scholarly perspective.

And one of the interesting things that we do as scholars is often look into data, and data helps us understand reality around us.

Here I'd like to use the opportunity to refer to some recent research that's been done by the Internet Society in collaboration with the consumer international.  There is very little one can do in this space.  Given the idea, the Internet of Things is rather complex and broad.

So, what is it that users like?  What is it they think of when it comes to Internet of Things and that's the question of perception or attitude, so to speak.  I'd like to maybe get this going by perhaps asking the audience here about the same questions just to get to see if it matches and seeing the reliability of doing that, so, how many of those in the room, maybe you can raise your hand, based on the question I asked just to get to see if it matches.

So, should the regulators be the ones that take into account privacy and security standards in the Internet of Things?  How many of you think the regulators are supposed to be the ones that to that?  On the panel as well?  About less than half.  Okay.

How about the manufacturers themselves?  The manufacturers are supposed to be the ones that should be taking those into account.

>> Can you say yes to all of them or do you have to pick one?

>> WALID AL SAQAF: Well, one by one to see if it links well with the data.  A few hands, actually.  On the panel here.  I don't want to give you extra weight.  You're just a participant here.

All right.  So, another thing is, you know, for every single Internet of Things device, you have number of players.  So, you have the obviously, the manufacturers.  And you have the regulators, allowing that particular piece of Internet of Things to come into the country and being sold.

And also, the retailers, which is the level where you communicate directly with the consumers.  So, how many of you think that retailers should also be the ones championing privacy and security standards in the Internet of Things?  Retailers?  One?  Interesting.

So, just to give you a sense of how far detached this group is, 88 percent of those being surveyed in the survey, which is a number of users, 1,000 users each from about five countries and so, countries were Australia, Canada, and France, Japan, that's actually six countries, UK and US, so, this was the sample.  A thousand from each of those countries.

And the question about whether, this is the consumer speaking, whether they thought security and standards should be secured by regulators, it was a whopping 88 percent.  Close to 90 percent.  So, it was the, yeah, so, regulators, meaning the governments so, interestingly enough, that was much higher, let's say a bit of a percentage when it comes to here, so, manufacturers were the 81 percent that were found to be those that should be responsible for setting up the standards for privacy and security.

Then came the retailers being 80 percent.  So, I mean, in terms of the order, I think it matches.  But, in terms of the enthusiasm in this room, maybe it also plays a role that you're in the late afternoon and, I'm assuming that we can multiply that by three, looking at the activity.

So, this is basically an indicator that how consumers think this comes to Internet of Things.  Regulators come apparently on top.  And this applies basically to these rather industrial countries.  It's difficult to know if it would apply also to developing countries or others, that have maybe fewer number of Internet of Things.  But, then, also the survey, they were also additional questions when it comes to how they view the Internet of Things themselves.

So, maybe another question, maybe to the panel in this case, since you are the most active in voting.  How many of you think that you should distrust the way data is shared on Internet of Things devices?  Distrust?  Distrust?  Okay.

Almost full.  You actually trust in the way data is shared on Internet of Things?  So, I'm not involved.  So, I'd say 100 percent.  Okay. That's cool.

(laughter)

All right.  How many of you think that people, how many of you think or feel that Internet of Things devices are creepy.  Creepy in the sense of, really a bit wary of what it does.  Okay. Yes as well?

>> I mean, I'm selling one.

>> WALID AL SAQAF: You're conflicted, I guess.  And here on this side, you also find them creepy?  Good, so, that level of, I'll give you first the questions and then come to the results.  Here, the question is about people who know how to disable data?  Do you actually know how to disable?  I mean, it's a bit of a personal question, but you're free to answer.  Do you know how to disable data collection on your devices?  The ones that you use at home?  One, two, three.  Is this yes or no?

>> So the extent that it's possible.  Yeah.

>> WALID AL SAQAF: Basically around, I would say, 60, 70 percent.  All right so and the last question would be, how many of you on the panel would own a smart device and will not buy one due to ‑‑ I mean, not own neither buy one because of the security concerns.  You would be quite worried?

>> I have one.

>> WALID AL SAQAF: Okay. So you all own one, but, there are some people that may actually never provide an Internet of Things device because they're worried about security concerns.  They mainly believe the risk is too high to take the functionality.  So, some of you already know, but 75 percent of people distrust the way that data is shared.  75 percent of those who have been surveyed say they distrust the way data is shared.

63 percent find that connected devices are creepy.  So, now we're talking about attitudes of individuals.  63 percent of those feel that they are creepy.  50 percent of those actually do not know how to data on data devices.  So, they have the devices, they can't disable data.  And there is a percentage of 28 percent of people that would never apparently buy an Internet of Things device because they are more or less fearful of the security concerns so this is what we are dealing with in an industrial associate society.  So, I know this research is quite extensive and it's not possible, giving it time to go through all the details but I recommend that you look at this and realize that these are small, major, I would say, reason to be concerned about the future of the Internet of Things mainly because we are trying to communicate with perception.  Not necessarily an accurate perception.  I mean, something that reflects reality.  But, there is a strong negative perception of the Internet of Things.

And while this does not necessarily show that they are bad or good, it does reflect on, partly on what the individuals or consumers think based on my opinion as a person who has been working in the journalism field and studies of aspects of media.

The portrayals we've heard earlier from my colleague on various hacking attempts and the vulnerabilities and the cases where a simple web cam can actually lead to disrupting services for millions of people as happened in the east coast a few years ago, this all piles up and creates, let's say, a perception that is negative.

So, part of the problem deals with the reality that there are cases, maybe inflated cases, but there are cases that cause concern for the consumers.

And what is interesting about this information as well is that there is lack of awareness of how to deal with these devices.  So, it reflects on the difficulty for you as a user to understand how the manual works or let's say, how you read the manual.  How you interact with the device.  What are the options for you to get rid of the risks or reduce the risks?

So, apparently, it has to do with the way you read the instructions, understand them, or sometimes not read the instructions and understand them.

And so the idea here is to look into this from purely a consumer angle and look into it that this could help us as people involved in the internet, trust in the internet, to build on smart solutions, smart connect smart campaigns that raise awareness about how do you not only use the Internet of Things in a proper way but also utilize the data functionality of it.

Make sure that you know exactly what is it that you can allow to be collected and what is it that you cannot.

So, in, to conclude, the idea here is to not only consider the physical manufacturer related Internet of Things, that's also very crucial and important, but the also, to also understand how is it that users interact with these devices.

And this is a bit of maybe a reflection on to Microsoft that produces these devices.  And is it possible that you look into ways in which you can interact more openly and directly with consumers and consider their fears and worries and understand that implication on your product as well as other Internet of Things devices simply because in today's digital way of things, Internet of Things are not stand alone devices.  They are interconnected.

So, it means that the weakest link would be something probably not produced by Microsoft.  Something that's less, let's say, prevalent, less visible, but might be the one single problem that would cause a huge security vulnerabilities, apparently not only to one household, maybe to other households that are connected and even to computers that are connected across the world so it does show us that it's important to look into the user's perspective on this and I'd like that to be my contribution.  Thank you.

>> SOLANA LARSEN: Thank you, Walid.  Can you please repeat the name of the study and where people can find it?

>> WALID AL SAQAF: Yes, so, if you go to the internetsociety.org, a simple search of the trust opportunity, exploring attitude to the Internet of Things.  This is a study that has been done this year in May.  It's quite extensive.  I recommend you check it out.  Thank you.

>> SOLANA LARSEN: Thank you for that.  In our product reviews at Mozilla, in our annual guide, which is called privacy not included, we have something called the creep‑o‑meter where readers can rate themselves whether they find the device creepy or not based on the information available about it.

So, for instance, the privacy policy of the company, whether the data is encrypted, these kind of things similar to what you mentioned in terms of what makes a device secure.

And there's a question at the end on the website where it says, would you buy this product and many times, people say, yes, they will buy products even when they find them creepy.

And I think that's something that's also mirrored in your study, in the one that you mentioned.

>> WALID AL SAQAF: Yeah, absolutely.  And one thing that is more important for us to recognize is that if there are any even simple vulnerabilities that have been discovered very recently, for example, after the actual device has been produced and sold, then it's a major responsibility for all these layers, both the regulators, the manufacturers, and the retailers to warn consumers because occasionally they get away with having things like this.

Children in the families.  Might release consequences that are catastrophic.  Where are the consequences, how they intervene, that's a very good head way to a discussion of how is it that we can look into the Internet Governance aspect of this.

>> SOLANA LARSEN: I think we've covered some on security, we've talked about privacy.  I think many times in these conversations, the words privacy and security are conflated a bit or used interchangeably.

Do you see any connection between the two?  Because you were talking a lot about security.  Are more private devices, in terms of what data is collected or shared with others, are they also more secure?  Where do the two meet in your view?

>> BENEDIKT ABENDROTH: Yeah, that's a great question.  I think in many cases, they're the same.  In some cases, a bit different.  I think security should be at a minimum standard in terms of what consumers should expect when they buy a device, whether they find it creepy or not or whether they know at great detail what the device includes from a feature perspective.  Someone like my mom, for example, I wouldn't expect her to read the seven properties paper and then take that and go to a German retailer and make an informed decision on which fridge to buy based on the security features it has.

I think one of the big challenges that consumers frankly just don't have any information about the security of devices.

And I think, we think that having more information out there about giving the consumers the tools to make a better informed decision based on the security that is out there is very crucial.  But I think security, in many ways, can help protect privacy, let's say, using a more secure encryption to communicate the communication between devices.

And there have been cases in the United States, for example, where the Federal Trade Commission has actually settled with the manufacturers of devices based on false claims they have made about both the security and privacy of devices.

I think, to sum up, both security and privacy are very important and in some ways, intersect.  But consumers should expect to meet a minimum bar for both security and privacy.

>> SOLANA LARSEN: I would like to welcome people from the audience, if anybody has questions for either of our two first speakers, you're welcome to stand up.

>> Hi.  In some circles, it has been proposed that manufacturers actually print something like a best before date, date where they give, we will provide updates and software updates up to that date.

And some even more radical voices, one would say, have argued that after, past that date, the manufacturer should be obliged to provide the tools and the means for the people that have bought that software, that device to actually update the software themselves to patch it, and thus, transferring the software to the open source domain.

What do you think about that?

>> WALID AL SAQAF: Thinking of it from a consumer perspective, let's say they are a device.  First of all, again, whether it's online or offline, a device will have to be secure.  It has to be very well prepared in terms of instructions, of how to use it, et cetera.

And it's generally a consumer protection act.  The only difference, major difference, let's say, is that no longer is it only confined to this environment.  Now, it is connected sometimes to a network, sometimes to the world.

So, based on, might be connected to a Cloud service, for example.  So, in this case, there are two major layers of where I think is important to look into.  The first is, the consumer himself or herself, has the consumer, the awareness of what is it that he or she is dealing with?  This particular device?

Do they get the information when they, you know, buy it?  Are they, when they get the reviews, for example, they sometimes look into Amazon.com and look into that, and is that sufficient?  Or is there something more to be done before the purchase happens?

The second thing is, once the purchase is concluded, how do you do, when you have the concerns?  Is it enough to simply look into the manual?  Or is it possible to communicate directly through the web with the manufacturer?

Or, is it, is there a certain support unit that needs to be located particularly for things that might change the firmware, where, very rapidly.

So, there are things that are presale and after sale, just like any other device.  Just that making sure that they are aware of these possibilities, that's one thing.  Another aspect is obviously, to the other side.  I mean, the manufacturer in this case.

And expiry date would look feasible in cases where there is supposedly updates to the firmware, or routine updates to the way the device would work.

In a live environment like the internet, it's difficult to imagine something being static.  It's constantly changing.  There are different protocols.  Sometimes, the protocols are in the code, which actually need to be updated.

So, if you're offline, for a particular period of time, and there are bugs that were discovered, and then fixed, and patched, but you do not update the firmware in time, then you already have it wrong.

So, it's very complex in how many layers should be added, but I strongly believe that it's a two‑sided process.

Both the consumer side needs to be aware more and that's why the campaign that is launched by consumer international called connect smart tips.  It's very useful if you are willing to buy an IoT, to look into it.  And then there's on the other side, the industrial manufacturers and retailers.  The third side is the governments, and I know that we have a colleague from the government as well.  So, later on, we can discuss that, too.

But, yes, it's multidimensional.  Multifaceted.  And that's how it ought to be.  Yes.

>> SOLANA LARSEN: I like that question a lot because it does point to the technology itself being part of solution, and how we think about how to design things, how to program things, and how to connect them to one another.

It's all part of dealing, I think, with both threats and opportunities.  And why it's so difficult for a lot of people to think about what can be done.

Because it is at so many levels, both in the home, and in public space, public bathrooms, as you mentioned.  I would like to go to the next speaker today.  Oh, we have a question online, it seems.  One more question.  Hello, people watching on the internet.

>> Hello, there is one question from Benjamin from Namibia to everyone, and the panelists.  The question is just to play the devil's advocate with the consumer they are obsessed with sharing.  How far is cybersecurity or privacy available on these activation, sharing everything online, and internet, by the young generation.

>> SOLANA LARSEN: So, is there a youth aspect to this question.  Is the trend toward sharing personal information online, how does that connect to this issue?  That's how I understood the question.  Is that a fair interpretation?

>> MARIT HANSEN: Okay. Hi.  I'm Marit, data protection commissioner and of course we get those questions all day.  We see that many of the young or old or whatever aspect of our society, represented community, they have contact‑specific needs to they're or not to share or to hide some information.

So, even kids hide some information, but, of course, it's always the question, who is your adversary and it may be your parents, it may be your teachers, and then they're very good at hiding those.

And about this closure, automatic disclosure, must not happen but if you want to share, this is part of our social activities, that is not necessarily something bad.

But, mandatory sharing, this would not be the right default for many of those occasions and think of a smart home, if every smart home device posts everything on the website, I think everybody agrees this should not be a default.

>> SOLANA LARSEN: Yes, we have not had a chance to discuss business models surrounding IoT, or the general, I think ecosystem and trend of data and data sharing.

Let's see if we get to it later.  Or soon.  I'd like to introduce Lily from Botswana who is representing GT Net.  And there's a presentation, too.

>> LILY BOTSYOE: Hello, everyone.  And good afternoon.  My name is Lily Botsyoe from Ghana and I represent the Ghana community.  I also coordinate the Ghana IGF and I'm excited to be here.

I think the panel wanted a youth perspective to issues regarding IoT and cybersecurity and that's why I'm on it and I'm excited to actually represent youth because we conducted something based on IoT awareness in much this year and I'll share with you what we actually came up with to sensitize people on IoT and its awareness.

So, my first slide says, the future is exciting.  And the question is, are you ready?  Just put up your hand.  The future is exciting.  Are you ready?  The future is exciting.  Are you ready?  Okay. So, yesterday, I walked ‑‑ books.  I found something quite interesting.  There's books that had the interest of humans.  I passed by to ask what they meant.  What they told me was what internet of humans seeks to do is actually to put humans at the center of everything, tech and IoT and every imagined technology.

So, the perspective of humans, and build technology.  That's a step for humans.  I think that's a step toward human‑centered and secured IoT devices.

So, I'm here to actually give a bit, talk a bit about the best practice from the consumer perspective.  Also mention what manufacturers can do, and government and all.

And I'm excited because the tone and the floor have already been set with what we can do.  Now, we already know that there's an increase in the number of devices connected, and when there's increased interconnectivity and the communication between devices, there's also a greater risk of cyberattacks because your information and data has been communicated and over a network.

And you may not know who is looking and who wants to intercept the information and for what reason.  So, the IoT is given every day items and ability to share data, and for a particular purpose.

And I'll go on to share with you on what IoT actually is used for on a broader scale.  So, we have IoT used for industrial activities.  An example is where you have the health institutions having data of patients, in realtime, on IoT devices and being connected over a network to a doctor who maybe needs the information or even serving underserved or underresourced places and places like Africa where I come from and more.

And where you go into the places that are underserved and underresourced, may want to even go into connectivity and inclusion and all the other infrastructure that comes with being connected.

They come on to look at the consumer bit to IoT.  The wearables, the fitness trackers, the smart fridges, the smartphones, and more.

Everything is smart in your home.  Everything that can actually give you information or communicate some data to you in your home.

So, that's an angle we're going to take the security issue from.  So, some problems of IoT.  I just made it very bland because there's more to it than what can be on the slide.  When we talk about privacy, that's more guiding a user's identity or information the user feels is sensitive and wants to keep to himself or herself, and wants to have it private.  Wants to seclude it from everybody.

So, because you have data actually flooding and communication is ongoing, you may not know to what extent your data is being shared online.  Like, we have you signing up for to be on a social media platform, they ask for your credentials and let's say the only normal thing you should see on somebody's social media platform should be, say, e‑mail address, name, and maybe, yeah, just that.

And maybe the person shared the location and where they live and all that is out there.

They'll be asking, how far is too far.  Like the question that just came before, the person asked it, what can we say about youth actually sharing information in this day and time.

And it comes up to say that if you don't want the information out there, you don't put it there.  You actually put it into the hands, the risk of being prone to attacks is high.

Content, you've been in an activity online.  Because there's this popular thing we all say, the internet never forgets.

And we will, on the slide, I just moved from, the issue of security.  So, security now also comes to deal with how secure your data is.  So, if they're taking your data for something, what is it being used for?  What's, who sees it?  Where is it going?  I remember at the IGF last year, there's a whole session that was actually prolonged because of how interesting it was and it was on the issue of algorithmic transparency and the right explanation.

I don't want to start a debate here, but people had wanted to know what exactly it is that tells Facebook that I was in this place with this person, so you should send me their friend suggestion.

And maybe probably my location was on, the person's location was on, so the communication gets to that point of, me being suggested to ask somebody of a friend by the mere fact that we're in the same location.

So, if you're also looking at, how secured your data is.  There's another one on the slide that says, loopholes and frameworks.  So, in that part of the world, IoT is in other technologies where you're all trying to grow with it and come to adapt.

Yesterday, we had the UN Secretary‑General say something that I thought was profound.  He said the growth of technology and all these, yeah, the growth of technologies seriously outpaces the rate at which you're able to set policies too much up for them.

You can be seen how things are changing fast and how we are building now.

We can't catch up with it, but, as I'm going out there, there are supposed to be things that are checking it before it gets out of hand.  And, Mr. Walid actually made me research a paper I had already taken in my room.

So, these were the statistics he gave us.  He asked how many people should be responsible for the security of IoT and access their care for it. ‑‑ and the access that came for it.

This is what people had to say.  Me, for one, actually believes that it's a shared responsibility.  It's a shared responsibility.  So, the manufacturer can actually put or go by privacy by design, and put privacy in every step of the way.  Add in human values to how other things is built and even go so far, that's because, you ask that because they taught you privacy and security, and consciously add into it, not making it look like it was an afterthought.

So, everything is carefully planned.  The IoT device is out there, and then we have maybe the play of privacy by default where there's some strict thing that's actually come to play without, necessary human input.  We go to where they've done their bit, maybe playing by high standards and working with you and giving you what you desire.

And then we have, let's say if you're in an organization and you're buying these IoT devices in organizations, you set off firewalls and now data and all this stuff.

And then we come to the user bit, we, the consumers.  Mr. Walid also said, I think it's profound, that in every system, the ‑‑ is human.  Once you have all this in play, a little breach on one device can lead to a whole disruption over the Cloud and there are many, many, many such examples where we have even well‑established organizations which have products out there get an attack.

And that's not because they probably play their role.  A little bridge by somebody sitting somewhere.  So, I just mentioned the roles we all have to play.  My other task is to share briefly what best practices there are, especially from a personal or a consumer perspective so everybody can actually keep that in mind because the possibility in IoT is massive and that's why I asked that the future is exciting and are you ready?

Yeah.  So, I mentioned that a couple of my friends and I from the youth IGF turned 18, joined the world in consumer rights day by taking to Twitter and using it to help educate people on how to stay safe while using IoT devices and the very little things you can do in small ways to keep you safe.

So, I'll share a couple of what I did online and I'm glad that some of the people who did this are also in this room to witness.

Okay. So the first one, don't connect your devices unless you need to.  And I learned this when I was taking my model for IGF last year, they said, you should use the internet or technology as a tool and not just a space.

So, if you want to trim the hedges in your house, you go for something proper for trimming hedges.  You wouldn't go for scissors.  That's a lot of work.

So, also, when you need your devices to do something, say, maybe you want to order an uber, your location should be on.

Otherwise, there's really no need if you're not in the moment sharing your location with anybody or using the location for anything.  You don't know who is collecting the data, what can be done in the background, tracing where you've been and the movement and everything.

So, and other parts could be even setting policies, especially if you're in an organization that guards plug and play.

So, nobody puts a device into a computer and is able to quickly work with it.  There should be policies at every step that says that, okay, this is what we're allowing.  And this is what's not going to be allowed at this step and the next.

And creates a separate network for guests.  This is just one of the things we should actually take note of in organizations in your homes so that people, you don't give people access into your network because once they are in, that's when they can do everything they want to do.  So, you can create a very separate one for guests in your home, in the office so that you're on very, very different networks for people who visit you.

And this cannot be hammered enough, actually.  And I'm very guilty.  I can't for the life of me envision the number of passwords I would have to set if I was very committed to setting new passwords.

But, it's what should be done.  You pick good passwords and you try to set different passwords for every device.  Maybe you have, maybe Google has passwords for every device.  I have reservations, I don't know how to say.  Some part of me says, I don't know whether it can be shared, you are saving the password for later.

But the right way to go is if you can pick good ones, remember that there are very, very different ones that you can pick every time for every device.

Then, I mentioned this already.  Turn off universal plug and play: Vulnerabilities on the system.  Yeah, if you just have somebody being able to connect to your Wi‑Fi, well, not just Wi‑Fi, the port.  The USB ports, the information that is being shared, you don't know what is being monitored while they are on.

You said, make sure you have the latest firmware and also remember to update software.  So, this one, from my part of the world, we normally see the outlets.  You can actually, I've scheduled a lot of software updates and I literally have to do something about it because I feel it's going too far.

But, we sit and do not so much until there's an issue then everybody runs around trying to fix what went wrong.

But, if you're able to be proactive to even go ahead of time to set all these updates, even set reminders for them, we may be benefits of IoT.  Benefit that.  Especially moving forward in the future, where everything is moving from manual to digital.

And in the revolution we are, which is the fourth industrial revolution.

So, keep personal devices out of the workplace and protect each area of your life.  And that's a safe clue.

And so, we know all these and that's basically what I came to share from the best practices, the steps you can do to stay safe online.  And actually, I'll ask a question.  The future is exciting.  Are you ready?  Okay. So that's fine.  Thank you.

(applause)

>> SOLANA LARSEN: Our next speaker ‑‑ thank you, Lily.  Our next speaker is Wahyudi Djafar, from Indonesia, representing ELSAM.

>> WAHYUDI DJAFAR: Yeah.  Thank you very much.  Good afternoon, everyone.  Firstly, I would like to say thanks for this opportunity.  I just shared an experience and the coalition about how the auction of IoT in things, in Indonesia, especially related to the issue of data security and data privacy in the use of the IoT.

I will begin with the update of the current situation in digitalization in Indonesia and how far on the aspect of the issue of the IoT.  As you know, Indonesian government has just finalized the structure of the network which will cover entire parts of the country from the west to the east with the tree platform.

The collaboration of the infrastructure is expected to bring significant impact of for the crew in Indonesia.  It's including platform in IoT.  It is stated by the government.  And for the information, the 2019, the data Indonesia at the association shows that at least 171 billion of the 267 million people have been connected with the internet.

So, it is the biggest market for IoT platform but the business from the IoT platform records devices with the use of things, platform, and then earlier in 2019, by Indonesian company is still less than ten percent, so, it is the opportunity.

In the last, the government, 2024, planning has placed the digital transformation as one of its main priorities which becomes the basis of the development of digital base economy and the public services.

So, for five next years, the Indonesian government has priority how to digitalizing platform services and how the digital support system about the digital economy.

How about the use of the IoT.  So far, the use of IoT in Indonesia can at least be developing in several sectors, for example, agriculture, related to prediction of ‑‑ option of fertilizers, and the second, a sector of freezer for the automatic fish feeding and the smart city and smart living, there is, yeah, the government launched the program, 100 smart cities for five years.

And other than that, there is the development of an IoT platform by industry to automate the position and has been a marked thing.

And particularly related to the development of smart city, the cities in Indonesia, usually the platform from the traffic management, pollution control and criminal prevention.  Consequently, it becomes a trend entire city in order to monitor the activities of the citizens.  For example, in Jakarta, we have more than 7,000 city cameras, most of them are equipped with facial recognition technology, whose platform is integrated with the population database system.

So, the police can scan the peoples if they conduct criminals because the city cameras is integrated with the database population systems.

So, the policies can identify who are the names, the number, the identity, and where is the address.

And what was the challenge of the IoT in Indonesia.

And in general, the use of IoT in Indonesia deals with at least three minor challenges.  The first regulation, second infrastructure, and third, human resource.  Other than that, the challenge related to the guarantee of privacy and data protection.

And in the content of the regulation, Indonesian government identifies that at least, there are three problems of the level of the regulation.  The first, the issue about the frequency standard in the use of the IoT.  A second of the device standardization, and the level of local content requirement of the technology.  So far, Indonesian government has only responded by pressing the Ministry of management and regulation to regulate the use of technology, which also includes IoT.

So, the last minister regulation respond by IoT product to spread their products, especially the local government.

Meanwhile, relative to infrastructure, the government states that the connecting will the also connect the infrastructure problems and the challenge of the IoT is actually in the vulnerability of collected data privacy and data security.  Considering that until today, Indonesian government has not had a law, as a cybersecurity law.  Regarding the policy, during 2010, there have been at least 232 million cyberattack in sir Sudan and Indonesia in which 1,022,000 of them were malware attacks.

Other than task there are several times especially involving a number of digital upstart companies.  It remains as the comprehensive and short investigation have never been conducted because there is the law to give the mandate to the government or institution to conduct of the investigation.

And what is the vulnerability in the data privacy and data security.  Basically, in the main problem that Indonesia deal with to balance with the development base of technology innovation is the legal to insure the protection in data privacy and data security.

Indonesia, at least, has shorted to lows, related to data privacy, but they may have contradictory, it is based original, and consequently, there is no ‑‑ that a privacy protection, sectoralism among the government institution also implicates in certainty of the oversight of data protection.

So, there is a suspected link and a bruise, the conduct, including the remedy of the victims.

In regulation, governments attempt to finalize the process of the protection bill formulation to be discussed in the coming 2020 of the bill, mostly adopting of the principles and the ‑‑ from GDPR.

Meanwhile, the unclear which are responsible for ‑‑ cybersecurity.  The number of false inclusion with the unfair rule creates full notability in the cybersecurity.  Because most of the state institution take responsibility to handle of the problem and challenging of the cybersecurity.

And there is no unclear definition and a rule of the institution.

‑‑ has tried to provost the initiative of the innovation and cybersecurity and resilience by the public.  And do not accommodate the multistakeholder approach and tend to let loose against the common citizen.

The government tries to monitor all the traffic and the internal traffic so the public refuses the initiative from the parliament.  The problem of law and regulation above become more complicated with the lack of awareness and knowledge of the public, and the government apparatus to ensure the data and privacy.  The information especially related to the data security and privacy, undeniably becomes one of the biggest challenges for Indonesia.  The accelerated internet users and as a conclusion, as closures, responding, telling us in the future it needs to develop the policy and regulation which seriously consider human rights aspects granted individual security, protocol, devices, data and the network.

Human must be placed as a center, as the Mayor of the victims of cyberattack or the explanation are human, not to mention, human rights based on human‑centric.  For development which is banned.  The geographical borders, especially for Indonesia, we may have an initiative to deliver it low which specifically stipulated the provision of personal protection to the personal protection principles and international standard.

And we hope in the next year, we have the data protection law, the comprehensive data protection law, and also the cybersecurity.  Because we need to protect our privacy and digital security in the situation, the government has the priority to conduct transforming a digital.  Thank you very much.

>> SOLANA LARSEN: I wonder, for context, you didn't mention what ELSAM does.  Could you mention what the organization does.  I'm assuming from your passion, you might be an associate actor.

>> WAHYUDI DJAFAR: Yeah, basically, it's a human rights organization focused in the digital rights.  And with the model of multistakeholder approach in Indonesia, also the government and private sector to discuss in deliberating the draft of bill or regulation to minimalize the risk of the law in regulation because in the past experience, if the government and the parliament deliberation of the law and the deliberation of the bill, it is mostly complicated and give the, big, have the high rise to the civil society, especially in this issue of right to privacy.

>> SOLANA LARSEN: Thank you very much.  I think your situation is one that many people in different countries will recognize, of governments, and also manufacturers and service providers pushing forward before necessary data protection legislation is in place to properly secure humans.

One company which is perhaps a bit further down the line of discussing data privacy, Germany, where we are now.  Our next speaker is Marit Hansen and she has a presentation for us.

She's the chief of independent center for data protection in Germany.

>> MARIT HANSEN: Yes, thank you very much.  I'm the data protection commissioner of ‑‑ we have a data protection provision in Germany.  The northernmost state.  And if we're lucky, we'll see in a minute even where it's situated.

>> There it is.

>> MARIT HANSEN: I have no idea what this presentation is about.  But at least you'll see it has a very long term, and it doesn't seem to work.  And I cannot do anything.  Does it work?

>> SOLANA LARSEN: Should we continue?

>> MARIT HANSEN: Oh, we can see it there.  We can see it.  Very good.  Very good.  Okay. So, the northernmost.  Okay. Thank you, but, unfortunately, the text is missing on the slides now.  Interesting.

It should, some pieces are missing.  Doesn't matter.  The presentation will be online afterwards and I will try to jump to only the very interesting parts.  I'm the regulator.  I'm one of many, many regulators in Europe.  Especially in Germany, the northernmost part.  You see here, Berlin is Far East and south.

And I want to talk about something where you see some images and no text.  This is a normal situation.  There are many people and there's data processing in the fog.  You don't know what is happening.

They're very big and tall buildings, and it's really a question of imbalance in power.

And this is the main motivation for data protection and also very often for privacy reasons.

And therefore, our main idea is not security of assets but the perspective of the individual.  And one thing, which is now very much debated, is the GDPR.  The general data protection regulation.  And there's a sentence about the protection of fundamental rights and freedoms of natural persons and the protection of personal data.

And, yeah, there, you see all rights that are now not seen.

For example, it's also about nondiscrimination.  It's a protection of personal data.  It's about freedom of speech, freedom of assembly and everything is part of the rights and freedoms on the European level.

Let's hope for the best that we see something later on.  By the way, the universal format that was demanded is JPEG.  All right.  At least we see something here later on, and I think that's all right.  How to implement it now.  We heard about security, we heard about confidentiality, integrity, availability, these are typical security protection goals.

And here we see that there are some more things, for unlinkability, to separate those parts, those contexts that should be separated and therefore, unlinkability is often not considered, it's the other way around.  Very often, what is disclosed is linked, linkable to the human being and to the other data sets that are existing.  For example, what we heard about the facial recognition which is immediately recognizable.  So, unlinkability is to separate.

And also, this is a question of the separation of power, which is a necessary thing, I think, in democratic societies and this should be reflected by technology as well.

The other thing which is very often lacking on the right side here is transparency.  The way of something where we can understand what is happening, and where we heard already from the statistics that very often people are not aware of what is happening, and this is one reason for the feeling that something is creepy.

So, if it's not to be understood, it's hidden, you cannot find out, you do not understand even if you read the protection privacy, the policies, then obviously we have some difficulties but especially with IoT, and again with artificial intelligence, it poses new questions.

And the third thing is intervenability on the left side here again.  When we heard about deactivating IoT sensors.  This is something which is not taken for granted.  Very often, it's not clear how to deactivate something.  And sometimes manufacturers, or providers of services, do not offer to deactivate what is happening.

So, this is something to intervene, to change something, especially in the case of mistakes, but also, if I don't want to be observed, if I want to shut down my smart home, for example, this should be possible.

Let's try again.  Now we see that some slides are better than others, but I don't want to discuss so much with you on that.  It's always a question, who is in control.  But, sometimes it's evenness for states, for example, for smart cities, to profit from the data.  That it's not an option to deactivate everything, of course, provided that the data protection rights, the other rights, are guaranteed.

So, otherwise, if everybody is asked first, I don't think that it's possible that all sensors ask ourselves and we have to react on everything.

On the other hand, sometimes it's necessary, for example, if you want an overview of what is happening in the world, it can be part of some statistics, some aggregated information, but you should really think of, is it possible to deactivate or not?  And if not, how are the rights protected?

It must not be usually personal data or it has to be guaranteed that there's sufficient protection.

Okay. And now, something I think we haven't seen before is not the technology issue.  I'm a computer scientist myself.  But, we have more social issues, societal issues, with IoT.

And we see, meanwhile, many cases of kids going with smart watches to their classrooms, not because they are so smart.  Not because they want to have a look and profit from the technology, and look up some internet sites or so.

No, because their parents want to activate voice control and trying to listen in how the teachers treat their kids.

So, this is a new effect, that people have a smart watch and they are used as a vehicle to establish some control from the side of parents.

They want to protect their kids.  The kids are tracked by GPS but also the teachers or the other kids are monitored because they might not treat the kid well enough and then the parent can jump in and say, oh, teacher, don't do that again.  Be a little bit nicer to my kid.

In my area, we take, so, if we are asked as a regulator, we have to answer, no.  The classroom, if the teachers don't want to be observed, if the other kids, of course, don't want to be observed, this should not be the standard, so the smart watches are removed beforehand.

The same is happening now with caregivers.  Also, the family is so, well, they are very, perhaps, not visiting often enough.  They want to make sure that the caregivers are visiting the patients often enough.  They want to monitor what is happening with their family members that are patients in this hospital example.

Of course, similar technologies are also used by employers.  We see that monitoring also their employers.  People take it for granted that that's a right because they have to protect the kids or the grandma so this should happen, then, that way, and I think there are new ways where we have negotiated the rules of living together.

And this is another thing where we see that a smart home may not only be attacked by outsiders, as we heard in the first talk by Benedikt.

So, the bad actors from the outside.  It may be the administrator, which may be your wife.  Which may be, your husband.  Which may be, the parents or the kids.

They're administering the smart home and they may, for example, control the heating, the lighting, and the blinds, in a way they like, and not you like.

Or, they want to shut down the doors so that you must not go inside anymore, or perhaps that others are invited to come in and you cannot close them anymore.

So, this may be also a question of power.  It's not something the data protection regulators usually jump in because there's no organization treating the personal data or the sensors in the wrong way but this is a power play which is very often happening with stalking and other victim cases and we must not forget that.  Even if security is high.  The administrator can control something.

What about then?  The transparency and the intervenability of the victims, of the others, it's not solved yet.  Okay. Coming back to the slides now.  My conclusion is, we have so many opportunities in building better technologies, data protection by design and by default, is meanwhile, demanded by the general data protection regulation which has the same setting throughout Europe, so, this is, I think, a good thing.  But, very often, it's not addressing the manufacturers.  It's addressing the controllers.  So, only those who are using the data for their purposes and a liability discussion has not been finalized yet.

And also, there are, I think, not the right incentives for improving the situation.  It's a little bit, if a breach is happening, everybody is promising, now, this won't happen again.

And next day, we have the next breach.  So, I believe that it could be done better.  Right now, it's not only tying trouble so that in one year's time everything will be solved.  We need better incentives.  And let me stop here.  Thank you very much.

>> SOLANA LARSEN: Thank you.  We've heard about security.  We've heard about privacy.  We've heard about surveillance.  Here, to give an African perspective on IoT and law enforcement, is Michael Ilishebo.

>> MICHAEL ILISHEBO: Good afternoon, everyone.  I know we are tired.  This could be the last session of the day.  So, I'll try at all costs to be very brief.  I've set my time at five minutes.  Let me see if I can beat my clock.

So, basically, my name is Michael Ilishebo.  I work for Zambia police.  I am a digital forensic analyst.  I also investigate cybercrime.

Basically, if you look at IoT, the Internet of Things and law enforcement landscape now, to an extent where you have to imagine, to compare the two sides of the coin, from the European perspective and to the African perspective.

To the European perspective, it has been a great tool in terms of enforcing their law like everything has been done on behalf of the law enforcers.  Information is easily acquired, evidence is everywhere, but in this case, if you look at it from the African perspective, it has not been an easy journey.

Basically, if you look at it, you start with our laws.

IoT is a technology that actually interconnects many devices to the internet.  This simply means that if you're investigating a crime, you're looking for evidence.  Most of the evidences in these IoT devices, most of them are Cloud based.  Most of these IoT devices, they don't have that much information to store information.  As it is out, they keep their information in the Cloud.

So, that, in itself, has caused a great challenge for us back home.

Let's take an issue of a self‑automated car.  I can imagine that if I was to go back home with a self‑driven car and I allow it to drive through our town center without a driver, I don't know how people look at it because we're used to seeing a car with a person driving it.  I can imagine that that is through a point.  The traffic.  They see a car which is coming but there's no human being in it.  Anyone can help me?  What happens?  You are in Africa, you are on duty, a police officer, you see a car coming and there's no driver and it stops seeing because it's been programmed, stands in between it.

Suppose that car is involved in an accident.  Who do you charge?

So, basically, on top of IoTs, despite the knowledge having already penetrated the African market, the laws governing the management of IoT in terms of digital evidence opposition is not there in most African countries.  You have the evidence, but which statutes, which laws are you going to use to have that law, that evidence admitted in the courts of law.  So basically, as much as we are trying to embrace IoT, we also need to come up with legislation that allows us to exist, with machines, IoT devices and any other technology to come on the market.  Put it this way.  In order of the law enforcement, they've come across, in terms of Internet of Things is either a smart watch or even a mobile device.  Many people have smart TVs.  But those smart TVs, don't have internet connections.  People now are buying Google Home devices, but because of the price in terms of data usage and in terms of internet, those things are as good as not being smart.

Something can only be smart if it has access to the internet.  So, basically, from the law enforcement's perspective, it has proved itself to be a very serious challenge when you, for example, you're given a device, a Google, or an Amazon Echo Dot to extract evidence from.

The Amazon Echo Dot has no actual big need for you to extract whatever it was able to hear in the background, meaning that you really have to go to the account of the owner.  Is it iTunes or what?  Yeah.  Whatever account or the Google account if you're using a Google Mini home.  So, basically, just an introduction to IoT in itself on the African continent has proved and provided a very serious challenge in the way we investigate cases and fight cases.

This time around, they're talking about intelligence.  Web cameras are able to do facial recognitions.  You may have that camera but do you have the necessary law on how that is able to be used?

Are you able to admit that evidence or that you've acquired in the courts of law?  That is not the case.  So, basically, when you look at IoT.  Let's look at it on both sides of the coin.  If you're in Africa, look at it from the African perspective.  If you're in Europe, look at it from the European perspective.  Thank you.

>> SOLANA LARSEN: I would like to ask you a follow‑up question since your presentation was a bit shorter.  This trend that we heard from Indonesia of governments being pushed to move forward with technology, maybe perhaps before the laws are ready or before the infrastructures are ready, is that something that you've experienced as well?  Do you think that the push to think that these technologies are going to solve everything for detectives or for law enforcement or that the pressure to install security cameras in public places, do you think that has been a motivating factor?  Do you think it's going too fast, I guess is what I'm ‑‑

>> MICHAEL ILISHEBO: Basically, if you are to look, the law is always the afterthought.  Technology comes in.  You have a problem.  You think of a law.  So, basically, we cannot ignore that the rate at which we are adopting technology is so much faster than the way we come up with registration.

So, basically, as he has explained in his presentation, it's common.  Not Indonesia or anywhere else.  If you don't deploy technology, you may have a law but without technology, what is the law for?  Basically, as he's put it.  Most governments are able to push technology advancements.  Innovation.

>> SOLANA LARSEN: Benedikt from Microsoft, I don't suppose you can imagine a world where manufacturers from the corporate sector would only sell these technologies to jurisdictions that had strong data privacy protections or laws in place?

>> BENEDIKT ABENDROTH: I think all consumers should be able to benefit from technology but I also think consumers should be protected.  Microsoft isn't able to govern or decide what the rules should be in that case.  We've come forward on other issues such as facial recognition where we think as technology as you care is being deployed at such a rapid case and puts consumers at risk then democratically accepted leaders should be able to come forward and decide where the law should be drawn and that applies to not just IoT, I think, everything in technology that is invasive.  I think governments should be more a part of that.  How they do that, including industry, but I think if consumers can be heard even physically as can happen in IoT then government should definitely play a leading role.

>> WALID AL SAQAF: A question that occurs every year at IGF is that regulators are not equipped with the knowledge of understanding the technicalities of these machines, these devices, how do you face this both maybe in European and African perspective?

>> MICHAEL ILISHEBO: Try to rephrase your question again.

>> WALID AL SAQAF: So, regulators may not have the competence, full knowledge of understanding how the technology works.  Behind the scenes or let's say below, I mean, how do you deal with lack of technological understanding by the regulators sometimes?

>> MICHAEL ILISHEBO: Basically, if you look at regulations, I'll give an example of where I come from in Africa and in specific, Zambia.  If you look at regulations, right now, other countries are talking about AI regulations, ethics and norms.  We haven't yet gotten there.  And yet, some of these devices are coming in the country not through government, they could be coming through the private sector, business entity who wants to deploy a business and they want to say reduce on the number of workers.  They'll deploy machines or any automation that will cut the cost of running business.

As a result, in the long run, you have almost all banks landing without, you're able to transact without physically meeting with another person at the bank counter.  So, basically, it is such times when the devices and the technology has found itself and looked at itself within a country.  So, basically, for regulators, they do a good job when and if technology exists and they're able to regulate it, in the absence of that law, that will require you to regulate an activity or technology.  I don't think it's possible.

So, basically, if you talk of, back home, if I am partaker, I pay load tax, which part of the tax comes from the gases we produce, like the carbon tax we produce.  But, if I brought an electronic car, am I going to pay carbon tax?  Because the laws are around carbon tax?  Until we think of that have, ten, 20 cars, they'll think of let's add an answer to this law.

>> SOLANA LARSEN: I want to encourage anybody who stand in front of the audience to come with questions and perhaps we have questions online but I'll let Marit answer as well.

>> MARIT HANSEN: Thank you.  It's not only a technology versus law question.  It's something that needs more disciplines and therefore I think IGF is one of the right addresses where we get together where meeting is possible.

And it has to be attractive for the other disciplines, for all disciplines to cooperate.  To work together.  It can also be a question of staff, security, job role.  But, also to understand each other which I think is the baseline which is one of the basic problems.

So, if everybody is trained in University or practical industry job or so.  Very often, you learn your stuff only.  The same terms are used by so many entities there's a misunderstanding and also, I think people feel a bit discriminated.  If the ideas are not picked up because there's a misunderstanding.  Personally, I think we should understand the problem, that we look forward to have this debate.  And also, come to solutions.  Come to better than each single discipline can do.

For Germany, I think very often, there's no equality of payment, or also the jobs have different possibilities of people not looking for regulator jobs, usually.  They do.  Don't expect to train, very far front technology folks.  Also, not for the inventors.  Innovation, in industry academia.  They are often years ahead.  Everybody needs to bridge the practice, but I think that's one entity, we have not data with the questions, the civil rights organizations.  Where they are concerned.  The regulators may try to regulate, what is in the law.  The law is lagging behind and sometimes in the better, the feeling, the ways, the needs to change.  I'm not sure how they are right now part of sanitization.

>> SOLANA LARSEN: Yes, we've discussed the role of a consumer as a purchaser of goods but maybe less as a citizen also and somebody who pushes for change in this field.

I think we're all used to in conversations about the internet this blurring of lines between private and public.  In Malawi, we saw how home as influence on the family, or has influence on teachers, friends, other people you're in touch with.  I'm wondering from the youth perspective if you see any kind of new behavior or socialization of new ways to engage with these technologies in the way that you expected to take your shoes off when you entered to somebody's house.  What is the equivalent when you're talking about IoT and smart devices?

>> LILY BOTSYOE: It's interesting.  What is happening in Ghana and IoT, getting to know IoT operators, an increase in the number of communities and open spaces.  So, people can get talking.  Get to explore these devices together.  I think that's a right.  We recently launched a Slack community in a car.  We've had two events so far.

So, we understand that we are catching up with the trends and trying to understand where nobody is going to lend them to show us so we join communities like Slack groups, Python foundation and I also did Mozilla Open Leaders, so I did a Mozilla Sprint in Ghana.

So, what we do is to meet as young people, try to explore.  What is it that's happening elsewhere in the world, sometimes you have webinars.  We have understand the information is out there.  You come to the raw areas.  Connectivity.  My friend from Zambia, I would say.  It gets to that point.  The idea is maybe, once we gather information from the CTs then how it actually gets into the raw area.  So, somebody sees a flying car and doesn't say it's witchcraft.  No, it's pure technology.

So that's how we are catching up with it.  There are many, many resources that we look out for, especially online for those who are actually connected in the cities and trying to also find it in the communities used to do outreaches.  So, that's the way we are going about it.  With regulations that he mentioned.  Ghana has a data protection act, very interesting one.  Which mandates that anybody who works with anybody's personal data has to be registered with an agency so they're able to regulate what you're doing.

But, what's beyond that, how do we know that these people are actually registering?  How do we know by way of data being collected and what it's being used for?

So, once it comes out, once the actor, there's more to be done.  Beyond that, the GDPR in Ghana comes into play in companies which have international business.

When dealing with a company in Europe, a Ghana company, that's when you really put GDPR into focus.  When people are checking on the other side.  Locally, data protection, let them know how these entities and IoT as a whole.

>> SOLANA LARSEN: I want to repeat again if you do have a question, stand in front of the microphone or hold your hand.  I have many questions so we can keep going.  I wonder in Indonesia.  Is there a question?  Please come forward.  If you like, you can introduce yourself as well.

>> Hi, I'm a data protection guy.  My name is Klaus and this is a question addressed to our African guest.  I assume that there's a lot of mobile phone users, maybe less smartphones, so, what is a security aspect in which way are you dealing with these issues?  Thank you.

>> LILY BOTSYOE: Can I attempt?  He is a law enforcer so you have the final say.  He is.  From where I sit and from engagement of people, especially during the cybersecurity, in April, we had somebody from the Ghana police service talking about statistics regarding cybercrimes, especially using mobile phones, very popular, called Sakawa.  What he realized is that it's been increasingly in a number of attacks when people call in.  Somebody has to send a lot of money to do something and later on found out it was not registering the first place.

There are many things that guide this.  You find out there's a crime.  But how do you go to imprison somebody, or penalize somebody there's nothing to behold.  If Ghana, we talk about once there's a crime, there's a cybercrime unit in the Ghana police so with that they can find out but most of these actually go through a lot of processes because the crime has been perpetrated somewhere in the world with maybe a Ghanaian number or more.  In Ghana, the train is actually moving many, that is really accessible, everybody can grab one.  It's accessible so the crimes are really prevalent.  And enforcing or trying to curb all these, we have the partner in the cybercrime letting people know there's more to somebody calling you and giving directions and sounding so alarmed and wanting help to you doctor leaving the human aside for the world and trying to help.

And that's what's happening currently in Ghana and from what I know.  Ask the law enforcer.

>> MICHAEL ILISHEBO: So, basically, in Zambia, the use of mobile smartphones is actually high.  Actually, there are more mobile smartphones in use than nonsmartphones so basically, I will tackle your questions on two fronts.  On the first front is owning a mobile phone in itself, you don't need to register to anyone.  However, if you want to buy a SIM card to use in that mobile device, there are laws that govern how in terms of registration, the providers through our regulator have to get your detail and your biometrics, meaning they have to look up your image.

In the event that a crime has been committed, when people are doing biodata acquisition, like, they want to know who is behind this phone number, at least, your face will come alongside that information you use for registration because in terms of crime, there's been a major increase when it comes to swap.  We have another transaction which is called mobile money.  We don't go to the ATM.  We still go to the ATM in a provisional way but for easy transfer of cash, you transfer money with the mobile devices and the numbers registered in that platform so of course money now sits in a digital form, later, crimes which are now committed in terms of frauds are high.

Then, to answer your question in terms of another society aspect, I have this mobile device.  Say, there is a problem with this, it's got a problem and there is an update.

So, basically, in Africa, the cost of data is high.  Very few, and I mean, very few people try to update their mobile devices to the latest software or any other part that is released because if you want to spend 1GB of data, to update your mobile phone, the first thing you look is the cost, not the actual importance of that part you're bringing into your mobile device because if you don't patch your device, probably somebody will hack into your banking application on your mobile phone or have information that sits on.  So, basically, the cost of internet because access is there, but, for ability is actually compromising on the aspects of security.  Thank you.

>> SOLANA LARSEN: Do we have online questions?  Do we?  No.

We talked a bit about regulators who maybe don't understand the technology, but, that is also a problem in the Civil Society sector and I wonder in your experience in Indonesia trying to fight plans around Smart Cities or privacy invasive technologies that are being implemented, what challenges have you found getting broader support from Civil Society?  Are the women's groups involved?  Are the youth groups involved?  What is missing for the citizen voice to become more impactful for the future?

>> WAHYUDI DJAFAR: Yeah, based on our experience, the government often give what is the tactical response or sporadic response to the innovation of the technology with the technical regulation aspect but this regulation in several times limiting the rights of the peoples.  So, the Civil Society, including the vulnerable groups, vulnerable community tried to identify what is the impact of technological innovation, especially to the vulnerable groups because in the several situations, the technological innovation was creating the new discrimination, especially to the vulnerable groups so the Civil Society tried to set up of the regulation or the recommendation of the regulation to the government because the government, they are often of the have the lack of knowledge and lack of understanding.

What is the impact of the technology rights and what is the impact of the technology to the fulfillment of the rights, et cetera.

So, also tried, based on the democratic system, tried to engage with the government with the model of the critical engagement in the several times we give what is the full year recommendation of the government but in other occasion, the civil society tries to criticize all of the policies or what is the program from the government so we tried to develop the models of the strategic engagement with the government to implement the multistakeholder approach in the internet policies.

>> SOLANA LARSEN: Thank you.  We're about at time.  We've heard a bit about this automated car with no driver.  I remember the first time that I saw one, I think, I'm not from Africa, and I was not in Africa, but, I was still as startled as the email People that you described.

And it was in Mountain View, California, and suddenly, it made sense to me.  Because there are no people walking anywhere around.  There are no pedestrians in that part of America.  So, all of a sudden, a car with no driver seemed less risky.  And I think, it was an interesting moment for me in terms of technology is developed in one part of the world.  It's implemented somewhere else.  It's difficult to see all the ramifications of implementation in different parts of the world.

We've heard from Civil Society, youth groups, corporate sector, government.  I think it's important that all of us hold each other in check.  There are risks in terms of all of our behaviors and engagements with these technologies and I hope that we can look forward to a brighter future where we understand these things and work towards some more trustworthy IoT for everybody.

Thank you very much for listening to this late evening talk.  Thanks.  Bye.

(Session was concluded at 18:29)