IGF 2024-Day 0-Workshop Room 2-Event 97 Giganet Annual Symposium-- RAW

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

JAMAL SHAHIN: Is this one working?  My mic is working.  Okay.  We're online.  Okay.  Everything is working.

(Audio is distorted)

 

JAMAL SHAHIN: Good.  Thank you.  Great.  Can I start?

(Audio is distorted)

 

JAMAL SHAHIN: Can I hear myself?  Can I start?

(Audio is echoing)

JAMAL SHAHIN: I think we'll start with the introduction.  Okay.  We're moving to an online presentation.  We need to start.

Then I'll put the headphones on.  Okay.  No problem.  Thank you.  Great.  Ladies and gentlemen, ‑‑

(Audio is distorted)

JAMAL SHAHIN: I'm going to start.  Ladies and gentlemen, the staff members and the audio, their participants online and onsite, welcome to you all.  It is a pleasure to be opening up the academic symposium of Giganet.  None of you can see online.  It is a gorgeous, palace of a building that's hosting us.  We're grateful to our host for the utmost best to make everything work.  They are also talking very loudly.  It is difficult for me to hear.  Can you close the door please?  I suppose closing the door doesn't change much.  Okay.  We're here as part of the Giganet Academic Symposium.  This is the Global Internet Governance Academic Symposium.  Yet again representing parts of the Giganet membership, the academic community, we've been here every year on Day 0 to provide our academic network.  The space to talk within the construct of the IGF.  We're very happy that we're able to have this space from the IGF secretariat to give some space to some of the discussions around some of the academic thoughts on Internet Governance.  Since 2006 when Giganet was founded, we've been actively participating in these events.  We have a special bond with the IGF.  It is very nice to yet again be here in Riyadh to present our work.  What I also wanted to say was Giganet has been moving into the IGF proper.  We have the IGF Day 0 event.  We also have different events that we're co‑organising or organising as part of the whole series.  There will be three other events that will take place over the course of the IGF where Giganet members have been engaged in.

I would actively also call on Giganet members who are onsite or who will be onsite in the coming days to join our workshop group where we will be able to communicate and share our locations, if you want.  Or at least trying to meet up more informally beyond the academic discussions.  So the agenda for today, running a bit late.  I'll be very brief.  We have one panel discussion, then we have a roundtable and then we have a second panel discussion.  We'll be starting off the first panel, which I will be chairing myself with Roxana Radu who will be giving a paper on what she has titled "Turning the tide."

We'll talk about and give Roxana who actually due to exceptional circumstances will be presenting online at the time to talk.  Then we'll move to Sophie who will be giving a nonsystemic literature review on sovereignty as a presentation.  Then we'll move to Isa for the third paper.  Then we'll move on to the roundtable.  I'll give the floor to Milton to present that.  We'll do that later.  First of all, I would like us to start with Roxana.  I hope Roxana, you are online and you are able to get yourself on screen

Ladies and gentlemen at the back, is it possible to move to our presenter?  Online presenter.  We don't have much time.  I would be gratefully appreciated.  If we could resolve this issue.  As soon as possible.  We have Roxana's slides online.  Do we have Roxana?  Roxana, I can see you in the list.  I can't see.  Looks like your camera isn't on.  If you could turn your camera on.  As soon as you've done that, I'll be able to leave the floor and enjoy your presentation.

 

ROXANA RADU: Good morning.  Are you able to hear me now?

JAMAL SHAHIN: Wonderful.  Roxana is ready to start.

ROXANA RADU: I still can't enable video.  I hope that's still all right.  There's an echo.  I think we're going to get started.

JAMAL SHAHIN: Good.  Roxana, the floor is yours.  I'm going to put some headphones on and grab myself a seat to enjoy your presentation.  If you could please limit yourself to around eight minutes for the presentation.  That would be grateful.  We can have some discussion at end.  Thank you very much.

ROXANA RADU: Thank you, Jamal.  Thank you, everybody.  I'm sorry I couldn't have talked in Riyadh.  I would love to be in the room with you.  Unfortunately, I didn't make it.  I'm just going to get started on the presentation.  The year‑long project that we've been conducting at University of Oxford.  For those online, I think there's a possibility to see my slides.  I'm not sure about the people in the room.  Here's an overview of my presentation.  We'll start with a couple of thoughts on how ransomware as a phenomenon has evolved.  The methods that we've applied to look at the five different case studies.  We'll then go in to some of the findings.  Both the framework that we have developed and some of the important observations from the different case studies.  We'll talk briefly about what is happening in the ecosystem at the level of cybersecurity policymaking and conclude with a couple of thoughts.

I hope I can do all of this in the remaining seven minutes and a and a half.  Just briefly, ransomware is not a new phenomenon.  Obviously, it has been in the public attention a lot more.  Particularly since the pandemic started.  Early to mid-2020.  We have seen an evolution in the entire ransomware ecosystem, primarily because it has now turned into a service.  This is the infrastructure that you can rent at moment.  We'll do quite a bit of work.  We've seen cases targeting critical infrastructure more and more so.  We've also seen this trend to go for the most sensitive data out there.  Including attacking very vulnerable targets such as hospitals or education facilities.  If we look at what has happened in the last couple of years, it is fair to say we've had different forms of extortion made possible by ransomware from the single encryption which was more the story of the early 2000 all the way to double extortion, triple extortion where there's a DDOS attack.  DDOS stands for denial of service.  If you send many requests to the server at the same time, making it impossible for the server to respond.  Then we have now another form adding in personal communication with the victims.  Taking the data of the customers and blackmailing them for not releasing the data.

It is becoming a lot more complex.  There are also entire networks that prepare a ransomware attacks with very specialised roles within the network.  You have those that just collect access.  You have those that are in charge of distributing ransomware and so on and so forth.  There's always a percentage system, part of the manual will go back to the around infrastructure.  With all of this happening, we've seen governments being caught a bit off guard.  I refer to this a little bit as a whack‑a‑mole game with the ransomware gangs.  We've tried different things.  We've been able to publicise more information about the business model.  We've caught some of the people behind it.  Very few of them.  A lot of them in countries that we have no extradition agreements for.  The government, so far, has not done much to deter the cyber criminals from engaging further in this.  We've seen ransomware high in the political agenda.  This looks very far away.  President Biden and President Putin from 2021 was the first high‑level summit that had ransomware as the main topic discussed.  When they met in Geneva, they were based on the attacks in the U.S.

There was a significant reduction in the number of attacks.  It didn't last that long.  Some of them were put down by the Russian police and popped up again later.

Of course, the invasion of Ukraine, we've seen the first quick stop on all ransomware.  Immediately after increase with all sorts of pledges and allegiance messages on forum published at the time of the attack.  So it is a lot more political than some of the experts have claimed.  Of course, there's an economic rationale behind it.  These are cyber criminals looking for money.  They will target anything that's known vulnerabilities to them.  It is not so much about going after a particular target, of course.  We've moved into more valuable targets altogether.  But it is all about casting a wide net and getting whenever is ‑‑ whoever is not prepared for it has not patched the systems and so on and so forth.  Rather than we're going to go after one particular target.  We've seen entire countries being paralysed by ransomware which is what generated the idea for the project.  We've seen Costa Rica in 2020 after the attack by the ransomware gang being unable to do much in the coming month.  After this, they are still recovering from this attack.  It can be extremely, extremely damaging.

In this project, we decided to look at two different research questions.  The first one is quite basic.  How have governments been responding to the ransomware in 2020 when the phenomenon has definitely shifted towards being the number one cybercrime out there?  The second one, also tying this in with discussions.  In some specialised groups, is there enough evidence to suggest that we have now a shift towards active cyber defence or if you wanted fighting back ransomware with offensive capabilities.  This is the second question that we were interested in capturing.  We are completing now the five case studies.  We have five jurisdictions.  From Costa Rica.  On one side of the spectrum all the way to Australia.  The spectrum looks at defensive versus offensive capabilities.  We've also added in Singapore, the UK, and France.  We've selected the cases because these countries have had a very particular stance to cybersecurity.  They also show that the levers pulled at the domestic level range quite a pit.  Here we have a number of these changes that we have observed over the year that were well documented in the literature.  One feature that is common across the case studies is the membership in the counter ransomware initiative.  This is a coalition that the U.S. has put together after the critical infrastructure attacks in 2021.

By now, it has around 40 members.  Around the world.  Here we've seen also the moves to set up permanent operations to fight ransomware.  Some more successful than others.  Then we've had the expansion of mandates of existing institutions granting you powers to public authorities.  Quite a bit of space there to act at the national level.  In addition to potentially deploying some offensive capabilities to fight ransomware groups, disrupt networks, and so on and so forth.

We've come up with a framework to better understand what is happening at a domestic level.  We ended up with too much information.  Not only have countries been in the process of reforming their cybersecurity institutions more generally, but they have paid quite a bit of attention to addressing ransomware.  They've done so at the technical, institutional, legal, regulatory, and political level.  It made sense for us to distinguish this dimensions, we've tried to appear from Costa Rica to Australia.  We've seen the capabilities of the different solutions to deal with the problem.  Some countries are placed somewhere in the middle.  They are doing less in Australia, but significantly more than Costa Rica.  These are different countries.  I'll walk you through the results very quickly.  I know we don't have a lot of time.  Just to give you a sense of where we are in the paper.

In Costa Rica, we've seen a move to tackle two dimensions of the framework.  One was on the technical level looking at Cloud computing solutions and all sorts of protection tools for various ministries.  They are still recovering from this attack.  This is a work in progress.  I would say importantly as well, there has been a move on a regulatory level to try to improve Costa Rica's capability to access information about different incidents, but also to be able to report internally.  Something that has been accelerated, because of the attack.  They were confronted with.  Like many countries in Latin America, they don't yet have a full institutional set up to tackle cybersecurity.  This is a work in progress.  There are a number of discussions currently in the government to set up what is needed.  Part of that is a new digital transformation strategy.  But also figuring out what kind of bilaterals might be helpful to avoid situations like the one they faced in 2022.  In Australia, at the other end of the spectrum, they have been vocal about some of the measures they were pursuing, including specific task forces that would look at disrupting networks outside of the traditional borders of Australia.  That was one of the reasons we wanted to include them in the project.  Obviously, they've been at the forefront of the operations that included cyber capabilities that we would otherwise call defensive or active cyber defence.  They been reforming their legal frameworks that allow and make it feasible for them to develop the networks outside of Australia.  This is all a work in progress.

We've seen a lot of investment in the signals directorate, as well as investment in preparedness of the systems.  Particularly testing critical systems.  There's a plan to establish a mandatory no‑fault report obligation as well as a very close link to the private sector and lots of discussions across different committees on how to strengthen the threat information exchanges.  Moving on to France.  We're seeing there's a different cyber posture over there.  France has obviously aligned very closely with everything that the European Union has been going on the topic.  It's even led in some of the cyber discussions.  Domestically and legally interesting, there's a separation between what can be done on defensive missions.  That's one part of the government.  The cybersecurity agency.  Then there's also the offensive capability and offensive missions in the cyber com.  There has been stronger cooperation among this different institutions since 2018.  France has traditionally never attributed any cyberattack.  The internal distinction remains quite strong.

There's also a provision that allows the state to carry out technical operations to characterise and attack and neutralise its effects.  Which is quite specific in the French legislation that we're now analysing further.  Within the international space, we're seeing that France has been not only advancing some of the cyber resilience frameworks by the European Union, but also called writing and being one of the partners within NATO.  We are now looking at the ‑‑ what has been extremely interesting in France with this focus on domestic, industrial capabilities.  The so‑called digital sovereignty, or the strategic autonomy.  France has invested massively in a number of startups that are working on cybersecurity.  It has also invested in protecting better their own governmental systems.  This is a case that is somewhere in the middle for our domestic levers.

Singapore is interestingly always given as the work they've been doing in the cybersecurity within Asia.  There's lead from Singapore on a number of international initiatives on the UN side.  We have the OBWG led by the Singapore diplomat and also the cybersecurity agency has been actively regionally as well as the counter ransomware task force.  They have been leading a few of the Working Groups there.  Very much positioning themselves as a center of expertise and as partners you could count on in case of cyberattacks.  We are exploring here a couple of things.  In the regulatory level, there's a licencing of cybersecurity service providers.  There's a mandatory code of practice for practice for critical and instructional operators and mandatory operation to report payment that's currently under consideration.  There's been quite an upgrade of the legal framework with the cybersecurity act from 2018, but also various additional elements that have to do with sharing information or even going as far as block access to online content, if suspected to be used for crime in their online cyber harms act.  A number of related, legislative moves that are making ransomware ‑‑ let's say they are attacking ransomware from different sides, if we wanted to use the terminology.  We are seeing also moves to label different cybersecurity products in particular for IOT.  There's a vetting system that's very much used across Singapore for a number of devices.  Technically, there's planning for the protective DNS which is a move that the European Union has also endorsed with their DNS.  There are a number of other plans to trace ransomware payments and act at different levels in the ecosystem to try to limit.

We were reading in the literature a lot about empowering private actors to act on ransomware in whatever way they found justified.  Unfortunately, that does not seem to be supported by the data that we have on Singapore.  That's something that we're still looking in to.  Then we had the case of the UK that I have not included here for brevity which is quite close to what we have observed in Australia.  Same type of approach to disrupting networks outside of the UK jurisdiction as well as lots of internal support for active cyber defence.  The UK has had for a really long time a posture in which they work operating internationally to go after different networks.  It has never been part of the national strategy to consider offensive capability.  That's now changing.  Some of the key findings that we've seen lots of variation at national level.  We've seen also increased centralization and responsibility for countering ransomware.  I think that's key.  It used to be decentralised business.  Different parts of the government were responsible for different things.  Now there's this move for sharing more information across not only the state institutionsing but also with the private sector and the other way around.  There's clear focus on putting more resources behind fighting ransomware and also centralising some of the responsibility.  On the question of how much of it is now on the offensive side is that question remains question of dependency.  They are more prone to use some of that ‑‑

JAMAL SHAHIN: If it is possible, I'm going to take the microphone.  Thank you for your presentation.  We'll get to Sophie now.  I'll try to work out how to get Sophie's slides on the screen.  Okay?  Thanks a lot.

ROXANA RADU: Thank you, Jamal.

SOPHIE:  Hello, everyone.  I hope you can hear me.  I'm interested in what is digital sovereignty mean in the European context?  We were seeing state and non‑state actors using digital sovereignty as a discourse.  I was wondering how we could study and approach the social process.  So I went ‑‑ I'm sorry.  Yes.  Of course, as a good student, I started with the existing digital on digital sovereignty.  There's a few observations that have been made by others.  There's quite a divergence between approach that is our state centric and those who are not.  At the same time, there's a need to add more theoretical engagement.  Currently a lot of literature is mainly descriptive.  I wanted to ‑‑ I tried to fill the gap.

I've been wanting to do this by exploring simple interactionist world theory that started from an American philosopher that write in the turn of the 21st century.  Ever since his ideas have been applied to international relations.  It also bares a strong resemblance with constructivism at large.  According to Meeks, an individual has a self ‑‑ I'm sorry.  Can we go to the previous slide?

Do you want me to ‑‑ all right.  For the sake of time, I'll just do it without the ‑‑

 

Just one second.  An individual has itself.  It consistence of two parts.  I and me.  The me signals to the ability of the individual to look at itself as an object.  It can look at itself by engaging the expectations of others.  This is then been applied to the level of states.  This is done by whole state.  He said that states have a role conception and have a self.  They will also engage in what Meeks would refer to as a rule‑taking process.  In which it will enter into a reflective state and will try to figure out what is the best role for their self.  It can be the self of the nation or actor like the European Union.  According to Meeks, the process largely happens unconsciously.  We're just engaging in our normal life.  Whenever we have an ethical situation, the self tends to reflect on which fits the situation better.  After an actor comes up with a role, I want to have a stronger government or regulatory role, et cetera, it will start to engage in the role‑making process.  This is signaled by changes of behavior.  It can be engages in neopolicy discourse and also to commit themselves to new agreements.  Then a really crucial part.  Which I think is really interesting in terms of digital sovereignty is the concept of alter coasting.  I can only have a role if this is accepted by others.  I therefore need to try to influence others.  This is done by all actors.  That's why it is slight of the court.  He focuses on the fact that all actors are doing this.  All actors are participating in the role taking process and role making process.  Ultimately, the roles that all of the individuals ‑‑

(No audio)

 

(No audio)

 

SOPHIE:  In terms of the social process.  I have to go through the concept very quick.  I do think the concepts can be really useful to study both state and non‑state actors.  We could apply the framework to both.  In the framework, you want identify the situation of an actor.  You would reflect on themselves.  This is by the institutions, the parliament, council, and commission.  It really shows us how the actors are reflecting upon their role.  After that, we should look in to how they are actively making this role.  If we follow the insights, it is expected they will engage with the notion of sovereignty to create the space for themselves or to reject the certain role.  Then, of course, last but definitely lost least, look at the interactions.  I think this is the point that we're now seeing the social process in which the actors are interacting.  Which will result ultimately in the digital sovereignty.

Just to conclude, insights are useful and can provide us with a new perspective to study digital sovereignty.  It is also found in the fact it can be used by state and non‑state actors.  We can use the roles in which state and non‑state have.  This social process is important not only for the digital space, but our society at large and democracy itself.  All right.  I have to go through the presentation quickly.  If you want to read more about this, you can go to the web site of the United Nations University in Belgium.  I'm Sophie Hoogenboom.  From there I engage with the concepts.  Thank you so much for your attention.

 

(No audio)

SPEAKER:  Can you hear me?  It is nice to be here.  I'm going to talk about Internet governance.  Next slide.  The agenda I will just give a brief description on the governance models and approach with the information, research, and questions and acknowledgments.  Finally the preliminary results.

Next slide please.  If just to give a brief background about the governance approach, it is basically ‑‑ next slide ‑‑ first we have the regulatory approach for the markets and the companies with many governmental involvement.  It is primarily by the market.  It gives more economy to the companies.  It gives more freedom for the companies to self‑regulated.  However the criticism to this approach the platform lack the self‑regulating capabilities and problematic issues like hate speech, et cetera.  It appears it has not achieved the desired outcomes.  Relying only and exclusively to self‑regulate is no longer feasible.  Then next slide please.  Instead of the regulatory approach is predominantly presented in the U.S. and back.  It is more of regulatory approach where the concept triggers to more regulatory framework that includes the public and private sectors and more involvement of the government.  Next slide please.  Then the third approach as the approach.  This mainly involves more control from the government and the state as a regulator.  The approach has been extensively criticized for control, cybersecurity, dominance over cyber space.  Then ‑‑ next slide please.  It was a research gap on the Arab countries.  We don't know which approach is mainly we can describe or analyse in these countries.  However the scholars have been working on this and just refers to it as control.  This was the main interest of the research.  Next slide please.  Today I'm going to explore the place of Egypt.  Just to give you a background about the trajectory of Internet regulations and Egyptian.  If we need from 2011.  Anyone can say anything again.  Anybody at any time without any kind of constraints.  So it was sometimes we described, but at the same time, there's no regulation.  There's no constraints at all on speech on platforms.  And then in 2014, there was regulations that started to be more prevalent.  2016, this was the new media law.  For the first time, the digital platforms were included in the regulatory framework in Egypt.  It was the sort of new looking in and the cybersecurity law also accepted for 2018 and then 2020 this was the first time the application law.  They are working on this law.  It is kind of the Egyptian version of GDPR in the Egyptian phase.  In this research, I'm interested to explore the regulations and Internet regulations pertaining the information.  If we just wanted to give a brief description about this information.

The powers have linked the information to confirmation base.  It is just spreading false information for intention.  Rumors, fake news, disinformation, deception.  The scholars have been working on this phenomenon.  They have been linking the information with the bias and confirmation bias and tendency to spread with their attitudes and beliefs.  Also it was linked with conspiracy thinking at times and the misinformation spread.  Sometimes.

 

 

JAMAL SHAHIN: Ladies and gentlemen, ‑‑

(Audio is distorted)

JAMAL SHAHIN: Now everything has gone down.  Everything has gone down.

>> I had my timer.  It was just eight minutes.  Maybe because we started late.

JAMAL SHAHIN: That's not your fault.

>> Oh.  Technical problem.  I thought because it is 11:00.  They have to finish.

A lot of stress today; right?

JAMAL SHAHIN: Right.  Are we working?  Is everything working?

(Audio is clear and loud)

JAMAL SHAHIN: Excuse me.  Is this working?  Are we connected?  Is it working?  That's my question.

(Audio is clear and loud)

JAMAL SHAHIN: Yeah.  I need to know whether we're actually online or not.  We're running late now.  Sorry, everybody, online.  You heard me get upset.  They can hear me online.  Okay.  Right.  Ladies and gentlemen, we had three presentations.  It is really a bit difficult to understand if everybody in the room can hear me or not.  You can hear me in the room; right?  Good.  Online can also hear me.  Thank you very much to the three presenters.  I have some points.  I'm sure there's some questions.  I feel that if it is okay with you, Milton, who will be starting the next section, I can see.  I will be the discussant now.  I'll start with the list of things.  I want to see in the room are there people that have questions about the presentations that we had?  Maybe I'll start by triggering some thoughts.  Okay.  Please put your headphones on, so that you can.  Can you hear me?  Okay.  You can hear me?  It is just ‑‑ I need the headphones to hear me.  I know when I was sitting in the back, I couldn't hear unless I had the headphones on.  There's more silicone than carbon in the room.  There's a huge number of computers and screens and technology that are helping us get through this event.

There's also quite a lot of noise.  I do have some points that I would like to raise from the different presentations.  I'll start initially with Roxana.  I hope you are still online with us.  Once I find my notes.  Right.  Okay.  Anyway.  Roxana, your presentation on ransomware was very interesting.  Stimulating us to think about this one particular ‑‑ yeah.  Five minutes.  I can remember what I wrote.  Stimulating us to think in one particular way in which governments are having to deal with a certain type of threat.  One of the things that struck me that you mentioned, of course, the countries are being held to ransom.  It reminds us that it's been happening with public infrastructure in the Netherlands and the particularly the Deutch Universities.  They dealt with this in the slightly different way.  We are not sure how they dealt with it.  We know it was in a slightly different way.

I wanted to ask you looked at different countries in your response.  I'm quite aware that the European Union is doing quite some work in this area.  That made me think about the different types of actors that are engage.  You talked about the Biden Administration launching a coalition against ransomware.  I'm wondering what kind of actors are involved in the frameworks.  Are these just the states?  Are these also different private sector actors?  I have quite a few other questions.  They are all written on my sheet of paper.  Once I've gone through the other list for other presenters, I'll get back to you on those.  I'll have some time to find my notes.  Right.  For Sophie, this is not an unfamiliar topic to me.  I still have some questions for you.  Maybe also just thinking about the type of paper that you are presenting here.  Which gives us insight into the way that we can think about digital sovereignty.  You've seen the literature attempt to try to work out how to understand and how to contextualise and position the topic.  Okay.  What that has led to is a lot of in a sense attempts to describe digital sovereignty without buying into the reception.  What I think your paper does and what I think your piece does rather than let's think of it as a piece.  It sets the basis for a larger project in understanding digital sovereignty.  Right?  Of course, you know, what I mean by that.  I think that's the role of this is to actually position yourself in the space.  One thing I was thinking in terms of trying to understand how to actually turn this in to a more concrete article‑type of piece was actually to link to some of the other reflections that have been carried out or thinking about the literature and digital sovereignty.

You are presenting a slightly different take on this.  Looking at work of George Meeks and looking at the raw theory comes in.  There have been others that try to understand and map out where the literature lies.  One of the things is to do the initial exercise and say why this body of work actually contributes to the discussion on digital sovereignty.  A lot of what you've been doing is looking at how this relates to the work on sovereignty; right?  Of course then in your paper, you try to make the case for the digital.  That would be nice to do in the context of the other bodies of literature.  I'm thinking one of the things might be just to do kind of a more bioliometric type of survey and where the body of theory fits into the debate.  That's one comment.

Sam, thank you for your presentation.  You talk about the War world and Egypt in specific.  I'm wondering how much of Egypt is a case for the rest of the Arab world.  That might be something interesting to reflect on.  And another thing that really triggered me, at least thinking about work that you did you started presenting the different types of models.  I was interested to see that I break them into self, toll, and late night.  I don't know if you would like to see the European model as the co‑regulatory model or whether it is more leading and moving eastwards to a different type of model.  I'm in the sure about that.  What I was thinking was have you looked into the literature of people like O'Hara who wrote the book called "Four Internets."

I don't know if you are familiar with that work.  It might be useful to give you insight.  Also thinking about the work of Anna Bradford looking at digital empires, of course.  I was particularly interested in wanting to focus on the Middle East region.  A colleague of ours, Sophie and mine at the UN called Malo, started doing a study looking at the digital sovereignty in the Middle East and found very little material to work on.  It is actually quite interesting that you are able to get the insights.  It would be very interesting to you to talk to him.  He was looking more at the cybersecurity angle of things.  His reflections in that space also needed ‑‑ well, you know, also he found that there was very little that was being thought about in the space.  I found it funny that you said, oh, the Middle East in the model is just the word control.  I think that's something that could evolve in the way that you frame this kind of research.  Right?  It is not really a question.  It is more of a suggestion.  I would be very interested to know if Egypt, for example, is very comparative to ‑‑ comparable to other countries in the Middle East or other different types.  I think this evening ‑‑ after the roundtable, Monica will be talking about a country a bit further to the east.  And their policies and their space and how they govern the platforms.  There's quite some stuff there.

Would you like to respond to the questions?  I would suggest that you do that in the positions that you are in.  If there are any other questions from the audience, we'll take one and a half questions when we've passed and given the answers.  Roxana, you are up.

 

SPEAKER:  Thank you, Jamal.  The social, political aspect is important.  It is different within the Arab countries.  We cannot say one approach with all.  But in order to know this, I'm willing to do further case studies.  Then I can group them maybe depending on the commonalities or differences.  Then it will absolutely be important to take it from this lens.  Anna Bradford, the second part, she did brilliant work.  I read her work.  Also the other scholars on classifying these different approaches.  I did some literature.  Yes, it is very little.  It is not as much.  But this little material ‑‑ I read they just described this slide.  They put it in one box.  It is a controlled approach.  It is as you said there's differences between within the different Arab countries.  For example, there are many on the additional economy and depending on the GDP and the services and the Internet infrastructure.  There's a lot of things that we can build at home.  This was ‑‑ I'm exploring the case of Egypt, I'm willing to do other case studies in the future.  It is already planned.  Thank you to put me in contact with your colleague.  I can share with him my work and the data.  Everything.  Thank you so much.

JAMAL SHAHIN: Okay.  Are there any questions from the floor?  Give the due respect that we need to our panelist.  Who is coming up next?  We have full days ahead of us here to continue the discussions.  I hope we will do so in this space.  Thank you very much to our presenters once again.  Milton, would you like to take the floor and introduce this session?  Or?  Thank you very much.  What I would prefer to do is could you hold the question until after the next session?  We're already 12 minutes late.  I don't want to offend our invitees anymore.  Thank you very much.

Yes.  Congratulations!

MODERATOR:  We need one more chair.  Greetings, everybody.  This is kind of an open debate.  Can everybody hear me?  Can you hear me?  No?

>> I can hear you.

MODERATOR:  You can hear me.  Okay.  I am Milton Mueller.  I'm a Professor at the George Institute of Technology in the U.S.

We have Alisa Heaver with the Deutch Ministry of Economic Affairs.  We have someone who almost needs no introduction.  Wolfgang Clamvacter who has been a participant from the Internet government circles from the beginning.  What we want to discuss today is the concepts and controversies around the concept of multistakeholdersism.  I think I sort of started this debate by issuing a challenge to the notion.  I have to say that from the very beginning when we were in the world summit on the information society together, Wolfgang and I, I have not been happy with multistakeholder as a word that describes the form of governance that we thought we were trying to defend in the period of the late 90's and early 2000s. 

What was my critique of multistakeholdersism?  It was number one it does not describe a governance model.  It describes sort of lots of people participating.  It doesn't tell you what is being governed.  It doesn't tell you what is the governance structure.  It doesn't tell you what the authority is.  I represented multistakeholdersism as kind of a rhetorical solution to the problem of the clash of non‑governmental and governmental forms of governance that occurred at the World Summit in the early 2000s.  The concept of multistakeholdersism made it easier for the established sovereign system of international governance to accept innovations like ICAN, the regional Internet registries, and other forms of governance that were emerging for the Internet at time.  In my view, the key differentiating characteristic of what people want to call multistakeholdersism was not the multiple stakeholders.  It was that it was governance by non‑state actors.  That we were going outside of the sovereign system and turning over governance authority to the Internet community itself.  I prefer the term Internet self‑governance.  When we did the transition, in 2016, I think the world that was frequently used was, yeah, the people said who are you transferring authority to?  The answer was to the global Internet community that we were creating our own system of governance for our own community.

Now, many people have interpreted this as me being against multistakeholdersism.  This is a level of confusion of the debate that Alex has introduced.  He's presenting me as if I'm against the Internet institutions.  Everybody that knows me knows I'm a big supporter of the Internet institutions and the model.  I want us to understand what they really are and not have the vague label.  One of the reasons I think we need to have a better label is that: we can see the term multistakeholder being adopted by almost anybody now.  All right?  So the UNESCO says it is a multistakeholder organisation.  It is an intergovernmental organisation.  It is fully embedded in the sovereign system.  It does not share authority with non‑state actors.  The ITU sometimes likes to call itself a multistakeholder institution.  Anybody can adopt the term.  They may not share authority and give you power.  That's why I think you need to rebrand.  Now I think one of the things that makes people uncomfortable about my position is, in fact, that we have invested so much equity in the label multistakeholder, that that was the brand that we used to fight off, you know, attempts by authoritarian countries or the ITU to incorporate the private‑sector‑based institutions into the intergovernmental system.  This was often framed as a fight between multistakeholder versus what?  What was it a fight against?  It was a fight against a sovereign control of the Internet.  I just want us to be clear about what it is.  I don't want to oppose the existence.  I don't want to incorporate them into the international government regime.  I want us to recognise they represent an innovative departure from sovereign, state‑based governance.

 

PANELIST:  I didn't realise that he gave the speech.

(Audio is disported)

PANELIST:  They said it is the right time, if I remember.  He called the word.

(Audio is clear and loud)

PANELIST:  The funeral of the multistakeholder position.  I have a different position.  My position is that I see the NET10 conferences the start of the new beginning of the multistakeholder approach.  I see it also, you know, emergence of the terminology a little bit different from how Milton has presented.  Because in my eyes, I was inside the processes in the United Nations when it started in 202.  Four years after ICAN was established.  There was a story before ICAN.  I see two sources for the emergence of what was called the multistakeholder approach or the multistakeholder concept.  First for theoretically to the 1960's, 70's, and 80's when people realised it would be the global problems which go beyond the national directory based concept like environment and energy and development, war and peace.  At the same time, we did see the role of non‑state actors.  Both business and NG organisations.  It was when David Bell wrote his famous piece.  They spoke about the power shift.  The power shift says, okay, we see a shift from national, centralised governments to non‑state actors.  Central governments and national governments.  This was in the 90's before the dot‑com boom started and before we saw the emergence of ICAN and the Internet governance society.  It was triggered by John and the committee on new treaty LDs.  This was a memorandum of understanding which was signed by the technical organisations.

(Audio is distorted)

PANELIST:  And by business organisations.  The memorandum, the general of the ITU said this is a turning point in international law in history for the first time.  We see a collaboration between intergovernmental organisations and non‑intergovernmental.  The U.S. was not satisfied.  They needed private.  Which later become ICAN.  The U.S. government understood that the governments have to play a role.  We can see the Advisory Committee.  This is just history.  We came to the world summit on the information society.  We had two different approaches.  Which was by the U.S. government.  Private sector leadership is the best thing for the governance for the Internet.  To try this government which argued, okay, private sector leadership was good for one million Internet users.  But for one billion Internet users, we need now government leadership.  Private sector and governmental leadership.  This conflict could not be settled.  That's why the secretary general of the United Nations established the Internet governance.  Where I was a remember.  Way back for the conflict in the private sector, leadership, and governmental leadership.  And to compromise with proposed the summit was the Internet does not need leaders.  It is such a complex system.  We see a global complexity.  You need to collaboration for all stakeholders.  They are all stakeholders have to collaborate hand in hand in their respective roles.  The best thing is on equal footing.  Equal footing did not appear in the final text.  This was the moment when the multistakeholder approach was presented as an alternative to one stakeholder approach.  Because government leadership was one stakeholder approach.  Private sector leadership also one stakeholder approach.  We argued in the beginning that more than private sector and society.  We have the academic and technical community.  There are stakeholders and what we need if we want to come to solutions in the Internet governance ecosystem.  We need the engagement of all stakeholders.  This was more or less the implementation of the Internet governance when we had the first meeting.  He said okay, the Internet is an innovation in technology.  What we lead now is innovation in policy‑making.  So the multistakeholder approach was seen as such an innovation for policymaking.  This is the source.  I was always against multistakeholdersism.  The answer is if we want to set up the approaching we need the involvement in all stakeholders.

It depends from the issue.  The involvement of the staying holders will be different in the field of cybersecurity or in the management of the domain name system.  It will be different in the field of digital trade than if we talk about Human Rights.

It is a very complex system.

JAMAL SHAHIN: My approach to governance.  Hello.  Can you hear me?

(Audio is distorted)

JAMAL SHAHIN: How is this?  Is that better?

 

PANELIST:  Can we close the doors?

JAMAL SHAHIN: That doesn't make any difference.  We can close the doors.  It might help a little bit.

 

SPEAKER:  Thank you.  Thank you letting the government be part of the conversation as well.

MODERATOR:  Right.  Anyway, if I would summarise the difference so far between the perspective and mine, it is that he is saying that it is a blend of ‑‑ it is a compromise between private‑sector led and state‑led governance; right?

SPEAKER:  Sorry.  I didn't catch the question.  My audio was cutting off.  Could you repeat it?

MODERATOR:  Yes.  Can you hear it now?

SPEAKER:  Yes.

MODERATOR:  Okay.  He thinks the multistakeholder describes an indeterminant blend of private sector and public sector or state‑led governance.  I'm saying what really distinguishes the Internet institutions is that they are on the private sector side.

SPEAKER:  I don't think all of the Internet institutions are on the private side.  I think that most institutions are ‑‑ if we take ICAN, for example.  It is not only private sector.  That's active there.  It is also government.  It is also academia.  It is also ‑‑ it is also the business community.

Yeah.  Sorry.  I think it is all different types of stakeholders and different types of views that are all there.  They come together and decide upon the issues in front of them.  It is much more than that.

MODERATOR:  I'm not talking about the authority.  It is entirely in the hands of a private California non‑profit public benefit corporation.  Of course, governments participant through the GAC.  That's fine.  I mean Civil Society and any non‑state actor.  It is held by the non‑profit private corporation.

 

SPEAKER: Yeah.  I think that we ‑‑ well, we saying governments have agreed upon this model or the way that ICAN is structured to ‑‑ well.  To show to a certain extent give up rights as government to fully ‑‑ fully regulate the domain name system.  We've seen that governments shouldn't be governing the domain names.  We need the registries to be part of the discussion.  If it happens as something we do not like in government ‑‑ sorry.  We can give GAC advice.  If they take a decision that doesn't appeal to the GAC.

MODERATOR:  Yes.  Terrible sound.

PANELIST: Can you hear me?  Milton raises the question who has the final decision making capacity?  Who has author upon a certain resource or a certain field?  But, you know, I have argued for years we have a new complexity in the Internet world because ‑‑ that's why I refer not only to speak about my distinct holder approach but also as a holistic approach.  Because, you know, in the Internet, everything is linked to everything.  If you have a technical approach, then you should understand that this technical issue has a political and economic, social, implication.  It is fully political approach.  You should also understand that this political approach has an economic, social, and technical implication.  So it means that it is not only that you need all stakeholders involved, you have to also broaden your view and to see if you manage one problem what are the side effects to take in to consideration.  So far, decision making is only the final element in a longer process which called ‑‑ which we have called in ICAN the policy development process or the PDP.  Sometimes the PDP is more important than the final decision making.  This is international law.  Certainly making international law is a monopoly for subjects of international law.  Only states of subject of international law.  But the intergovernmental system that makes Internet law today is embedded in a multistakeholder environment that means in any other case, the policy is made in the multistakeholder process and then represented by governments for the decision for the governments.  We have also in the ICAN which is private sector where the PDP is more important than the final decision making capacity of the board.  I was a member of the board.  Certainly we have rating for the PDP coming from the GNSO or the CNSO and more or less rubber stamp what came out from the PDP which is a multistakeholder process.  The government and governmental Advisory Committee is involved in the PDP.  The government advise is not legally binding.  If they give advice to the board and the board disagrees, we have a procedure for consultation.  We have to sit together and negotiate, you know, what could be the final thing.  Sometimes the board wins.  This is a structure for the management of one piece of the whole Internet governance ecosystem.  There are many other pieces.  They have a different model.

That's why I avoid.  All of this together certainly you could call it multistakeholdersism.  It is multilateralism.  It is a stupid idea to have multilateralism against multistakeholdersism.  It is two sides of the coin.  We are all in one boat.  We have to find a way to settle the problems and key elements of the multistakeholder approach.

SPEAKER: I do not agree that multilateralism and multistakeholdersism are two sides of the same coin.  I think there's a real big difference between multilateral institutions and multistakeholder institutions, to be honest, Wolfgang.  Because in the participation possibilities for stakeholders outside of ‑‑ well, stakeholders in the multilaterally institution are much more limited than in multistakeholder as ICAN is.  Anyone can register to the ICAN meeting and show up either online or offline, onsite.  Start to participate.  Even though I should say it is quite a difficult process to really understand.  That's something else.  One can go to an ICAN meeting and be there.  Maybe for those that don't know me besides the brief introduction that I work in the Ministry of economic affairs in the Netherlands, I've been a GAC representative for the past three and a half years.  On ICAN, I guess I know something.  I'm also one of the MAG members of the IGF.  That's a slight extra introduction.

MODERATOR:  All right.  That I appreciate, Alisa.  That's one of the things that I don't like about the Wolfgang's holistic approach.  Is that it blurs the lines between multilateralism and sovereignty‑based governance and non‑sovereignty‑based governance by nonstate actors.  Lots of complex interactions going on in Internet governance as in all forms of global governance.  We have to be distinct about who has authority.  In the case of ICAN and the Internet regional registry, the authority is not in the hands of states.  We don't want it to be in the hands of states.  We have to be clear that's the distinguishing feature of these institutions.  However much they might get advice from governments or incorporate governmental actors into the systems, it is fundamentally a different source of authority.  Now we have some questions, I think.

SPEAKER: May I ask you something?  Do you ‑‑ I think we all agree that there's not that much of a difference between ‑‑ sorry.  What I want to say is that you kind of stating it as if it is very, very important or very big issue.  About ‑‑ how do we say this?  When we take the multistakeholder model or Internet self‑governance and what you are stating it is.  When it comes to the principles, I'm not hearing that much difference.  I'm just mentally hearing and stating it differently than Wolfgang is.  Most of the things you fundamentally agree upon.  We are having a whole discussion on Internet self‑governance or multistakeholder governance.  As fascinating as I find this debate, I would also maybe think we should put some more effort in to solving issues that we are trying to deal with in the multistakeholder fashion or in ICAN or in the different institutions.  So much discussing the model itself.  Unless we are going to go further in to detail, which principles so we find important to the model and inclusivity and those kind of aspects.  That's the much more interesting debate, I think.  Instead of having a very high‑level debate on should we call it basically Internet self‑governance or multistakeholder model or should we call it ‑‑ I don't know.  The Rodeo Model.  Everything goes.

MODERATOR:  The reason we have to have the conversation is because of the rise of digital sovereignty as a principle or norm in many parts of the world.  If you don't understand why global Internet governance and the so‑called multistakeholder model is a departure from digital sovereignty and territorial sovereignty of states towards global governance, then you are going to slip in.  The distinctive feature of the institutions is going to be lost.  We're going to go back in to a territorially fragmented Internet.  Frankly, you know, that's where we're going.  Even in the United States right now.  I think it is very important not unpractical or sort of academic issue.  I think the reason I'm so heated about it is precisely that the rise of this concept of digital sovereignty and the territorialisation of data and governance.

PANELIST: Milton, you have to be realistic.  The whole Internet revolution did not remove the intergovernmental system or the 193 nation states which are a member of the United States.  What the reality is that the Internet is a layout system.  And in the WCAG, we're more differentiated.  We're differentiated between the evolution of the Internet and use of the Internet.  Since the evolution of the Internet is mainly the technical layer and the use of the Internet is the application layer.  The majority of the political problems are sitting.  While on the technical layer, you have one world and one Internet.  The whole world, including China, Russia, Uruguay, and Argentina, are using the protocols.  This is universal.  On the application layer, you have 193 member states and 193 jurisdictions.  That means you have a natural conflict between the one world, one Internet concept.  And the one world, 193 jurisdictions concept.  The challenge is ‑‑ the technical layer will rule the world.  This is evolution.  The risk is what you say is that the government will overtake the technical layer and be separated.  The challenge is and the multistakeholder approach is an instrument which can avoid either or development.  Neither the governmental or private sector leadership.  You make arrangements in between where the technical layer and the public policy layer application layer comes together.  I think this is the challenge.  So far, this is the multistakeholder guidelines that are very helpful.  Because they offer criteria where you can say, okay, is that you can measure.  You know, where ‑‑ what is the specific role of stakeholders in certain concrete fields?  That means we have to move forward to stumble forward.  Not to say, okay, we go back to the 19th or 20th century where we have rule of the sovereign state or we overtake it by the technical community and correct some of the elements.

MODERATOR:  If you've read my book on fragmentation, Wolfgang, you would know I argue there be never be technical fragmentation.  There's very little risk of technical fragmentation in the sense that the Internet protocols and the addressing and naming system of the Internet will continue to be globally governed.  The problem is, as I said, jurisdictional fragmentation which is governments imposing different laws and rules on the territorial basis.  We can't get in to that.  We would like to get some questions from the audio.  We have Mr. Kato and online question, I've been told.

AUDIENCE:  Thank you very much.  On the interesting debate.  I'm curious on some of the points.

MODERATOR:  Hold it close.

AUDIENCE:  Thank you for the debate.  I have one question to Milton.  When you say authority and the government ‑‑ can you hear me?  I want to know about the government.  I'm curious about the distinction.  You talk about the parliament of the government and the national.  The constitution.  If they have the authority, the final authority to make the laws or make decisions, the presenter gives us a selected and elected by voters and the law.  It says multistakeholder should select those.  It is somewhat of an organisation or even the institutions where they need some different, you know, stakeholder as a part of the board member.  Which is ICAN.  You know, representation on that kind of decision making unit of the organisation can be the authority in your definition.  Also in some cases and in some countries, even if the institutions says that parliament has a final decision or ‑‑ we see many interesting examples of what we call a democracy of decision making.  That's why, you know, this concept of the multistakeholdersism may have more complex aspects, I think.  Just a question for you.  For this interesting debate.  Thank you.

MODERATOR:  I'm not sure how to ‑‑ I think that was more of an observation than a question.  We have a question here too.  Yup?  Let's collect a bunch of questions and try to answer them.  We have online questions too apparently from Mark and Alex.

AUDIENCE: Good morning, everybody.  Yes.  My name is Honorable (?) it is the development of the committee.  Guinea is very happy to participate in the forum.  The Guinea parliamentary has adopted laws on the personal data protection.  The law on security.  What is my question now?  For all of the stakeholders, the major problem today it is the application of the law.  Because Internet criminals are often ahead.  What is the experience of your country for this?  Thank you.

MODERATOR:  All right.  Questions about cyber criminals.

What happened to Nottingham?  He's gone?

AUDIENCE: Great to see the symposium.  Sorry I couldn't pick up in person.  This might be ‑‑ arguing about labels might not be the best use of the time.  I specially agree with that since the multistakeholder term has been the ball work of the non‑stakeholder Internet governance model since 2004 and especially 2005.  I don't understand the eagerness to understand something that worked very well from the non‑state Internet.  Since they went on record and the interpretation of what I said, let me reassure everyone.  I don't think he's against Internet institutions.  I think you care deeply about them.  Which is great.  So do I.  So the difference maybe is that I don't think, for example, ICAN and other institutions represent a private sector run Internet governance system.  I don't think that putting the private sector and the Civil Society in the technical community and academia in the same bucket really helps our cause.  Which gets me to the point of why these definitions and these arguments about definitions are kind of important in a way as well.  Arguing that way, Milton, basically also suggests there's a private sector domain out there in the world governance system that's only run by the private sector.  I have no knowledge of that.  There's no such thing as a private‑sector only governance model at the moment where national sovereignty doesn't apply.  What does exist is the Civil Society or non‑profit led governance model.  That's the international humanitarian law.  Even though they don't manage resources in the technical context, the international committee of the Red Cross does have an international system.  That's only something if you are a non‑private sector.  If you are private sector, you have no hope in hell in removing yourself.  I think we should think about the rush.

(Audio is cutting in and out)

(Audio is cutting in and out)

(Audio is indiscernible)

(No audio)

(Audio is cutting in and out)

PANELIST: It is international law.  It is multistakeholder.  Here comes my challenge for the future.  This is an ongoing process.  That means government or intergovernmental organisations will achieve better results if non‑state actors will challenge.  Like they said, 30 years ago, let's say a new quality of the revolution in international law.  I think this is the challenge for the future to change the policy development processes in intergovernmental organisations.  Here we need procedures, so that means our non‑state actors can participate in the intergovernmental process and unfortunately we have seen in the digital context the multistakeholder consultations.  We have to debate in the first committee of the United Nations and negotiate the cybersecurity where state actors may commence.  We have this in the cybercrime.  There are no procedures in place.  How government has to handle input from non‑state actors.  I can have a procedure.  If governments give advice, then they have a procedure.  How the advice is handled.  This is my hope for the future: we have to develop procedures in the non‑governmental organisations deal with the input from non‑state actors in the Civil Society and the technical and academic community.  Then we can reach better results.  It is not a question.  I don't think it is belligerent.  It is for the people.  This is the key driver.  So far we should not fight senseless battles.  The challenges are too big.  We have to collaborate.  This is a compromise.  This is complicated.  We have to do this.  Thank you.

SPEAKER: I'll take your question.  The question from the person from Guinea.  Well, obviously, coming from the Netherlands, we have also dealt with cybercrime issues and then also sometimes being so ‑‑ one could say ahead of law or not being caught immediately.  We also have the GDPR.  The data protection law and many different cybersecurity laws.  Most recently, we have the network information security ‑‑ the NIS2 regulation.  Which intends to ‑‑ well, stop cyber criminals.  We have short time.  I can't explain it in depth.  So what is our experience to capture?  I think it is also really working together within government and with non‑state actors.  We have different foundations that try to find the criminals as well besided us from government.  We work closely together with the domain registry and they inform all of the registrars if something happens regarding the DNS abuse.  They have different policies to ensure the registrars and registrants is a compromised domain name or maliciously registered domain name to take it offline.  It is a whole sector approach.  As a government, you'll never, ever be able to holistically fight cyber criminals.  You need to work together with the whole chain ‑‑ supply chain to ensure you can catch the cyber criminals.  Also internationally work together your neighbouring countries or with the whole African Union and internationally work together with other countries to exchange information.  I think it is something that you'll never be able to do by yourself as a government.  You'll always be two steps, five steps, maybe 100 steps behind of the cyber criminals.

MODERATOR:  All right.  I will now thank our panelists.  Can you hear me now?  Okay.  I think we are going to have to bring this to a close.  I appreciate your participation.  I think it was great.  I think we had very multistakeholder approach here.  (Laughter)

 

MODERATOR:  And I look forward to continuing this debate in terms of ‑‑ I think it is relevant.  I think it is something that we have to face.  Particularly with the tendency to question the role of the state and the private sector and non‑state actors in governance.  I think that's ‑‑ we have to be very clear about what side of that divide that we're on and what are those roles?  With that, we'll bring it to a close.  I'll turn it back over to Jamal.

JAMAL SHAHIN: Thank you.  No.  Is it working?  Now it is working.  It was only me that couldn't hear me.  That was interesting.  There was a really stimulating debate.  I think that stimulated four days of conversation.  Unfortunately, we only had 45 minutes.  I want to thank our speakers for that.  Hopefully we'll be able to catch them in their audience meetings basis.  I hope you can hear me.  Oh.  Mind you, if I just say 50%, if you just hear 50% of what I say, I hope you will still understand what I'm trying to get at.  We have a ‑‑

(Audio is cutting in and out)

JAMAL SHAHIN: Online for an onsite conference.  I find this ‑‑ there we go.  I just got training in how to hold a microphone.  This is the first time I had to be online for an onsite conference.  This is a cyborg opportunity.  Anyway, we're moving on.  We have a panel of two speakers.  First of all, I'm delaying slightly because our second speaker is entering the building, I believe.  I think that she probably won't make it for Monica's first talk.  I will pass the floor swiftly now to Monica who is going to talk about cyber spaces in new sphere of oppositional struggle.  I think we'll already have interesting ‑‑ Monica is being a photographer for the moment.  I think you can see that online.  Let me bomb their photo.  There you go.  Right.  Monica will be presenting to you her work in progress that's about cyber space as a new sphere of oppositional struggle.  She's giving the case of Iran for this.  We look forward to your interesting presentation, Monica.  The floor is yours.  I will ‑‑

MONICA:  Yes.  Okay.  It was my pleasure to talk about some research I've done recently.  My area of research is the cybersecurity, cyber terrorism of Iran.  As of today's talk, I will talk some ‑‑ okay.  Thank you.  Today we were talking about cyber space as a new sphere of oppositional ‑‑ in the case of Iran.  In the agenda, I can see briefly going forward.  On September 2022, Iran's morality poll detained for violating the law for the proper wearing of the hijab.  It is different from the previous process.  It led the beginning of the demonstration across the country.  Let's talk about the latest protest.  The forum of the protest has been changing.  Because of the new technologies, protesters are increasingly using social media to spread themselves and their views.  The Internet is becoming the way to find the oppressive government.  Actually the wave of most recent content was unleased only on the surface by the mandatory hijab‑wearing laws.

It was called by the brutality of the regime itself.  They struggled for basic rights.  It has actually been more than 30 years.  The latest protest we have in 2022.  You can see the struggle is ongoing.  One of the biggest milestones in the struggle ‑‑ yes?  Okay.  Thank you.  One of the biggest milestones of the fight for right ‑‑ women's right or Human Rights in general was 2009.  We are now witnesses of the digital revolution.  We are entering new spheres of struggles which is cyber space.  The importance of cyber space become ‑‑ began to grow during the protest follows the 2009 elections and imminently after.  It was in the alternative public spaces that Iranian began to live life more fully represented who they were.  Of course, the importance of cyber space as an space to fight the oppressive government is even more apparent during this protest in 2022.  It is possible to distinguish at least five functions that the social media or Internet or cyber space in general currently performing for Iranian activist.  You can see the virtual public space and the function and social mobilization function and communication and the international solidarity.  Briefly, I can talk about some of them.  The most obvious use is to report taking space in public places to spread information about general about place and time and to gain social recognition of the protests.  The second function is spreading information on the new forms of discontent.  One of the best known examples is, of course, my Sophie Freedom.  It was an online movement.  She created a Facebook page where a woman posts photos of themselves without head scarfs.  Another one was the silent solidarity protest of Vita Mohamad of 2017 climbed on to some kind of electrical box without her head scarf and wave it like a flag.  Of course, without the Internet and cyber space, probably no one would ever have paid attention to the girl or to her protest and the photo of the Iranian who took off her head scarf went viral.  And so on and so on.  The situation, of course, is also important.  If we are talking about social mobilization and the commentary function.

Iran is a huge informational bubble.  The content of which is the true official channels must be consistent with the official government message.  The formal message to the warning area is therefore what authorities wanted to say.  Iranians therefore tried to comment actions in other ways.  For example, the Twitter posts and so on.  Also the public space.  It is really, really important.  Iranians have begun to explore their view in an extremely artistic way.  You can see the examples here.  The regime activity has largely moved into the digital sphere where when we have freedom to create, publish what you want.  And, of course, we also have the last one.  Which is the last function.  Which is gaining international recognition and solidarity.  You can see the examples of the people who are protesting against the Iranian regime all around the world.  All around the world in the different countries.

Of course, the action has to have reaction.  How does the government respond to social discontent in cyber space?  The signs of the evolutionary Iran's government's recognition of the cyber space was evident as soon as 2003 when the organisational structures for cybersecurity was created.  But few years later in 2009, the role and importance of the digital sphere for the government increased.  We have two main factors.  It was the protest and the attack of the presented elections.  How the government combating social of the Internet.  Of course, we can say in multiple ways.  They try to suppress the activism in the cyber space.  One of the form on freedom of expression used by the authorities.  It is to information in online public spheres.  The one example is cyber.  In 2016, for example, the account of musician was hacked.  The perpetrators changed his biography and changed his profile picture with the flag of Islamic Republic of Iran.  There's no effective way for the Iranian government to deal with outbreak of discontent.  It is true mass Internet shutdowns.  There are several types of network shutdowns from massive, national, to local and selected spheres.  Recent shows between 2010 and 2022, eight instances of network capacity cuts in Iran, two of which were the most significant.  One of them during the Arab Spring and the second one during the protest, more recently after the death of Max Ami.

Then we have much more precise, sophisticated tools to control the public.  We have something like seems.  The intercept published a report that Iran's presence was a spy.  Which is the CM and uses it to track and control its own citizens.  You can see the programme offers nearly 30 different functions.  The most important of them was, for example, limiting data speeds of the phone and collection of meta data and building of the information in special services used such as VPN and analyse all of users to track the locations and so on and so on.  Last but not least, the biggest part of my research recently was analyses of 55 advanced persistence tread groups that are and operate on behalf of Iranian government.  As you can see, the sizable portion of the cyber activities related to surveillance of its own citizens.  You can see that it is in here.  It is about 20% of the whole operations in cyber sphere by the Iranian government.  Of course, the cyber surveillance refers to the tracking of the activities of the individuals whose actions are perceived as dangerous to the national interest of Iran.  Oh, you can see also that you can have ‑‑ we have Iran in here.  Also 13 of the 55 organisations conduct malicious cyber activities which are aimed at activities and oppositionist as they are called by the government.  Of course, the sectors that I ‑‑ that are most attacked.  Here we can see the NGOs and activists of Iran.

To sum up, we can see that the digital sphere has become a major venue both for Iranian citizens who contest the social, economic, political situations in the country, and to countering the activity by government.  The government has developed extensive mechanism.  We can say Internet censorship, and shutdowns, and the CM system.  The Iran national Internet also and other one.  To sum up, cyber space has become a tool of Iranian government in suppressing internal opposition and also the place and sphere when the oppositional struggle has begun and has continued through the last 15 years.  Thank you very much.  I hope ‑‑ yeah.  Thank you.

JAMAL SHAHIN: Thanks, Monica.  Whilst we wait for our final speaker, it is my job to ask you some difficult questions.  First of all, I want to say thank you very much for submitting this paper.  It was a very interesting read.  You went in to quite a bit of the overall history.  I thought this was very, very useful for the reader as they went through the paper trying to understand things.  Looking at the context from 2003 onwards.  Okay.  So many addressing those kinds of issues.  What I also thought was interesting was this kind of reflection that you have on the idea of the Internet as this virtual public space.  The crosses many boundaries.  It allows many boundaries to be crossed.  And also operates not in the kind of the territorial means.  Here we see the interposition of territoriality and the community of activist in your case that virtually exist.  You show very much how this one particular state is trying to implement certain rules that are seen in a way as being kind of contextual to that particular culture and territory.  You see how there's the clash between the non‑spatial and spatial in the sense.  I find that interesting space to look at.  Particularly because it gives or affords a lot of freedoms to people to then feel they are beyond the boundaries of sovereign control.  To then carry out sort of these different types of discussions or these different types of acts.

I had a couple of really kind of concrete questions about the work.  You talked about the SME; right?  You said it was going to be or it was foreseen as being operational.  I think from what we've seen in other regions of the older, there are also challenges to developing something that is completely fail proof, secure in that sense.  I think that, you know, maybe that's one angle to train to impose locked doors on people.  That doesn't actually work.  Anyway.  Okay.  You know, I wanted to know if that was operational in your sense.  I also wanted to know is there, like, as there's a transnational community of activists, I wanted to know what kind of the relationships were between the members of the community that you've mentioned or the community, the artists, the groups, and those in different regions of the world.  Are they sharing insights and are they organising along the certain models they are following that they are replicating from other parts of the world?  And similarly for the enforcers.  The networks that is the software in the hardware that empowers the SME.  Is that then something that's been developed in other parts of the world?  It would be interested to know which parts of the world it was.  If it was maybe some of those spaces where we've known.  We are talking about state control here; right?  There's state control via proxy.  They were talking about platform governance.  There are ways to control the platform in different ways in getting the platforms to control themselves; right?  I mean you see how it works with Apple in China, for example.  Limiting the thing that is are sold on the app store; right?  That kind of thing happens in Europe as well.  We call it regulation in Europe.  It is not in Europe; we call it something else.  That's a very important point to bear in mind as well.

Finally, the control by platforms or by corporate means and so on.  I think that's an important aspect to raise in this paper.  Finally, I wanted to just bring your attention to you heard Sophie earlier on about digital sovereignty, and Milton referring to the concept and might have heard me talking about it at some point.  I'm wondering to what extent is a lot of the actions that take place here that seem to you at least your ‑‑ my assumption is that you find this to be not a desirable state of play; right?  Playing against the virtual public space.  How much of this is digitised by a digital sovereignty discourse?  In fact, the rest of the world is now kind of jumping upon and saying we all need digital sovereignty.  Then you can have a country like this one.  It would turn and say so do we.  Now the digital sovereignty relies on imposing our norms and values within the territorial sovereignty; right?  How does that day out?  Those are interesting discussions that might tie in to what you've been doing; right?  They might contextualise this across the broader sense.  I think that's one of the recommendations.  I know you are focusing on the one case.  We would also like to see what kind of networks and what kind of experiences are brought around the world and around the virtual free space that's the Internet, that plays into this kind of story.  Those are my questions.  Do you want a couple of minutes to respond while we wait for our next speaker to appear?  Maybe you want to stay there.  Hide behind your computer, you don't have to.  I'll come over with the microphone. Thanks very much for you presentation as well.

MONICA:  Hearing myself.  Yeah.  I'm hearing a lot.  Which can be translated in the Iranian Internet service.  The plan to create an internal national network actually from 2011, I think.  As a project of three main phases.  Which were initially scheduled.  But, of course, we can see that the ‑‑ now the Internet is 60 to 70% ready.  The first phase was concluded.  It was the international Internet traffic.  The second phase which involved, for example, moving the host of all of the Iranian led service is partly done.  The third phase which is and which has to be ‑‑ has to have domestic, developed applications and services begin operating.  We can see that Iranian government had the ability to ‑‑ ability to be able to have intentional software.  For example, the operating systems, the services, and the different kind of software which government is doing building right now.  Basically 60 to 70% of the project is done.  Of course, the government said that by 2024, it should be fully completed.  You know, we can ‑‑ we are entering the 2025 and it is not done.

Okay.  The second question about the governmental platforms.  Yeah.  Yes.  I actually in Iran it is prohibited to access the platforms like Facebook, like Twitter, Instagram, X, and so on.  But, of course, Iranians are highly sophisticatingly good at bypassing this law.  This prohibition.  They are using VPNs and different kind of tools to access the platforms.  You can see from what I showed in my presentation, they really are doing great on the platform.  The case of international networks, I think, you mentioned, actually there's no networks between the Iranians.  I mean the Iranians are all around the world.  They are changing their views. There's no such network which is connecting the dots all around the world.

Of course, the last question about the digital supremacy opposing values on the place.  It is for me hard to place the Iran in the digital conspiracy discussion.  As you can see how it is now.  It is states where you cannot predict what will be in the future.  The tools of governance of platforms and that cyber space is developing.  Actually there's no known strategy of cyber space and cybersecurity.  We can also ‑‑ we can only predict on the basis of activities the government is taking.  We cannot propel what will be the behavior of space in future.  Yeah.  Basically that's.

JAMAL SHAHIN: Thanks very much.  Does anybody else have a comment or a question for Monica?  Then we'll move on to our next presentation.  Our speaker is approximately 800 meters away.  She's stuck in a queue.

She will take over the presentation now.

YIK CHAN:  Sorry, everybody.  In the correction point, I have been able to correct my badge.  I have to do my presentation online.  Sorry.  Can I share my screen?

JAMAL SHAHIN: We have about four minutes.  We have about 45. ten minutes for presentation and a few minutes for questions.

YIK CHAN:  Yes.  Thank you.  Can you see my screen?  Okay.  My presentation is about the right to data portability: rules, narratives, and the implementation.  So this presentation is about right to data portability ‑‑ this presentation includes five parts.  First of all, I would like to talk about data portability and the research questions, RtDP in Chinese scholarship.

I think I'm going to skip the data about right to data portability.  Basically the right to data portability is digital right introduced by the EU in the GDPR.  Which has two key elements.  One is the right to data subject to personal data from the data controller.  The second is the right to transfer the data from one data controller to another.  This is an important right for three reasons.  The first reason is about self‑control.  Self‑determination of your personal information.  The second is a mechanism to prevent the competition and the market data from the data market.  To prevent a kind of model to prevent the power to improve the competition in the market.  That's why they introduced the tool and the right to data portability in the GDPR.

There are two conditions to restrict the right.  The first one is for the public interest, the second is allow and not affect the right and freedom of others.  How has the right to data portability been protected in China?  What is the specific conditions actually shaped the regulation and the environment of the right.  First of all, I like to look at topics.  I try to skip this.  We do not have much time.  Also the methodology I used to research for the collected interviews.  We conducted by the participate and interview and the observation and the platforms.  The second way use of some secondary data.  First of all, we look at Chinese scholarships.  How do they shape the right to data portability?  There's a positive view.  I'm looking at that view.  Basically the right to data portability does not meet the conditions to become a basic right in China, and should be regarded as a goal to strive instead of the right.  The second theory also is if they want to adopt this right in China, it has to be localised.  They are having some difficulty to implement, because there's a concern.  The privacy copyright and the copyright issues.  So this is the scholarship.  Basically, if one can localise the right to data portability and difficulty.  We need this.  Therefore, I want to conduct an analysis of the pace and explore what are the real difficulties and why they think it is difficult.  This is the reason I started to do the research.  Okay.  So the next slide.

The example I use is food delivery platform in China.  It integrated surveys with Lyriks.  They collect the different types of personal data from the users.  That's why we choose this bigger case study.  Because the preference as we mentioned.  They also have a privacy policy.  They can ‑‑ the data they collect has to be protected by the law.  According to the law.  What kind of data do they collect?  Including this here?  So this is the personal data they collected and the personal data information and personal identity and identity information and personal health and physical information and the contact and extras.  This is the information they collected.  The secondary way this is the Chinese.  I can translate it to you.  How the data has been processed by the preference.  This is a circle.  First of all, we have the user, then this is a data.  This is a survey.  The platform collects the data from the user to here.  This is the data storage.  This is platform A and platform B.  Actually platform A is the deliver platform.  They share the data to platform B.  How do they share it?  They transfer the data from here to here.  Okay?  We can see the data is collected from the user to the data storage in platform A.  Then corrected and transferred to platform B.  They also share the data.

How do they?  This is a collection ‑‑ data collection and process.  They collect and store it and use the process to transmit and also disclosures.  When they collect the data with the process data, they also do the kind of encryptions.  Also it is according to the scope, it is evolved.  They can divide the data of the specific object and, of course, it was the difference between the specific object and the non‑specific object.  Also they classified the data according to different confidential entities and the portion.  They have this kind of classification of their data.  There's no restrict.  According to different category of the data and different authorization requirement of who can have access to the data.  This is how to use the platform.  They classify the data and security of the encryptions as well.  The most important thing is about the transferring the data sharing.  How do they transfer the data and share the data with the third parties?  Basically, the transmission of data would be based on the data encryption storage in a security manner, such as using the security transmission protocol, using data transmission tools.  If the data has to be exported, it should be evaluated and authenticated.  And the permission.  Also compared with national law and regulations.  If there's a third party that wants to transfer the data, so they have to also pass this recorded data outbound for the assessment by the platforms.  There's a kind of security and the procedure for the platform to export the data to the third party.  There's also more important as they share the process and join the process and user information.  Because, for example, there's insurance company.  They have to share the data.  Not only share, but also join the process of data for the developed platforms.

How do they do that?  They have a kind of data processing.  They have to sign the agreement.  Secondary, they also have to pass the security methods, inform the user of the purpose ‑‑ yeah.  Sorry.  Hello?

JAMAL SHAHIN: I need to stop you now.  If that's possible.  We would like to give a minute for asking questions.  We really have to leave the room at 45 after.  Thank you.

YIK CHAN:  Thank you.

JAMAL SHAHIN: Any questions?  No questions.  I think we have to close now.

YIK CHAN:  Yeah.  I hear you.

JAMAL SHAHIN: Thank you very much.  For me personally, it is interesting to look at Chinese model.  We often look at it in Europe.  We don't often hear about the intricacies of the Chinese model.  It is useful to get insight.  Thank you for sharing that with us.  Since you'll be here, I would encourage anyone that wants to reach out to Yik Chan to do so.  That's what she looks like.  You'll bump into her, I'm sure, at other events throughout the conference.  Thank you very much.  It's been a great pleasure to hear all of the presentations and to participate in some of the discussions around this.  I'm very excited for the rest of the event.  It sounds like it is a real affair.  There's going to be quite some things to do around here if you are here.  If you are online, I noticed and recognised some people sitting in North America right now, please enjoy your sleep.  Get back to sleep.  Giganet has had its academic symposium now.  If you are still around, we hope to see you at other sessions.  Thank you very much, everybody.  Have a wonderful IGF.