<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:admin="http://webns.net/mvcb/"
	xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
	<channel>
		
		<title>CircleID: Privacy</title>
		<link>http://www.circleid.com/topics/</link>
		<description>Latest Privacy related postings on CircleID</description>
		
		<dc:language>en</dc:language>
		<dc:rights>Copyright 2013, unless where otherwise noted.</dc:rights>
		<dc:date>2013-06-18T06:23:00-08:00</dc:date>
		<image>
			<title>CircleID</title>
			<width>130</width>
			<height>45</height>
			<url>http://www.circleid.com/images/logo_rss.gif</url>
			<link>http://www.circleid.com/</link>
		</image>
		
		<item>
			<title>MarkMonitor Named a Top Trusted Website in OTA&apos;s 2013 Online Trust Honor Roll</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130614_markmonitor_named_top_trusted_website_in_otas_2013/</guid>
			<link>http://www.circleid.com/posts/20130614_markmonitor_named_top_trusted_website_in_otas_2013/</link>
			<description><![CDATA[<p>MarkMonitor&reg;, the world leader in enterprise <a href="https://www.markmonitor.com/solutions/overview-BP.php" target="_blank">brand protection</a> and part of Thomson Reuters, has announced it is a recipient of the <a href="https://otalliance.org/resources/Incident.html" target="_blank">Online Trust Alliance (OTA)</a> <a href="https://otalliance.org/2013honorroll.html" target="_blank">2013 Online Trust Honor Roll</a> for demonstrating exceptional data protection, privacy and security in an effort to better protect its brand and customers from the increased threats of cybercriminals.
</p>
<p>
"Integral to creating and maintaining a powerful brand is defending the brand from abuse that might otherwise adversely affect consumers' trust. At MarkMonitor, we believe a holistic approach &#8212; encompassing systematic prevention, detection and rapid response across all aspects of online brand abuse &#8212; is most effective at defending global brands. We highly value the trust our customers place on our approach to safeguard their brands in digital channels," said Frederick Felman, chief marketing officer, MarkMonitor. "We are honored to be recognized by the Online Trust Alliance for the third year for our commitment towards online safety and consumer trust."
</p>
<p>
OTA, a nonprofit organization that works collaboratively with industry leaders to enhance online trust, completed comprehensive audits analyzing more than 750 domains and privacy policies, approximately 10,000 web pages and more than 500 million emails for this report. The composite analysis included over a dozen attributes focusing on 1) site &amp; server security, 2) domain, brand, email and consumer protection, and 3) privacy policy and practices. In addition to the in-depth analysis of their web sites, Domain Name Systems (DNS), outbound emails, and public records were analyzed for recent data breach incidents and FTC settlements. Key sectors audited include the Internet Retailer 500, FDIC 100, Top 50 Social Sites as well as OTA members.
</p>
<p>
"Consumers are trading billions of pieces of personal data in exchange for desired services. They rely on the integrity of the businesses collecting and storing this information to protect them," said Craig Spiezle, president and executive director of the Online Trust Alliance. "We are very pleased with the voluntary level of adoption many consumer-facing websites implemented this year that went above and beyond baseline compliance."
</p>
<p>
Nearly a third of the companies reviewed made the Honor Roll, including MarkMonitor. The report indicates that company size and/or sales are not true measures of the level of security and privacy a company implements. "All companies are equally evaluated by the same criteria regardless of size. We have seen large e-retailers with significant sales fail to make the Honor Roll; conversely we have seen small to mid-size companies taking top grades," said Spiezle.
</p>
<p>
Started in 2005 as an effort to drive adoption of best practices, the objectives of the Honor Roll are to 1) recognize leadership and commitment to best practices which aid in the protection of online trust and confidence in online services, 2) enable businesses to enhance their security, data protection and privacy practices, 3) move from compliance to stewardship, demonstrating support of meaningful self-regulation, and 4) promote security &amp; privacy as part of a company's brand promise and value proposition.
</p>
<p>
Being named to the 2013 Honor Roll is a significant achievement considering the large number of companies that received failing marks for inadequate domain and consumer protection (22%), insecure websites (11%), and inadequate privacy policies or data collection practices (35%).
</p>
<p>
To review the full 2013 Honor Roll report, please download a free copy at:
<br />
<a href="https://otalliance.org/2013honorroll.html" target="_blank">https://otalliance.org/2013honorroll.html</a>
</p>]]></description>
			<dc:date>2013-06-14T10:55:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>domain_names</category><category>privacy</category><category>security</category>
		</item>
		
		<item>
			<title>Google Asks U.S. Government to Allow Transparency for Its National Security Request Data</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130611_google_asks_us_government_for_tranparency_national_security_data/</guid>
			<link>http://www.circleid.com/posts/20130611_google_asks_us_government_for_tranparency_national_security_data/</link>
			<description><![CDATA[<p>In an open letter published today, Google has asked the U.S. Attorney General and the Federal Bureau of Investigation for more transparency regarding national security request data in light of the <a href="http://www.circleid.com/posts/nsa_prism_program_has_direct_access_to_servers_of_firms_including_google_sk/">NSA data collection controversy</a>. <a href="http://googleblog.blogspot.ca/2013/06/asking-us-government-to-allow-google-to.html">The letter</a>, signed by David Drummond, Google's Chief Legal Officer, states in part:
</p>
<p>
<em>"We have always made clear that we comply with valid legal requests. And last week, the Director of National Intelligence acknowledged that service providers have received Foreign Intelligence Surveillance Act (FISA) requests.
</p>
<p>
Assertions in the press that our compliance with these requests gives the U.S. government unfettered access to our users' data are simply untrue. However, government nondisclosure obligations regarding the number of FISA national security requests that Google receives, as well as the number of accounts covered by those requests, fuel that speculation.
</p>
<p>
We therefore ask you to help make it possible for Google to publish in our Transparency Report aggregate numbers of national security requests, including FISA disclosures &#8212; in terms of both the number we receive and their scope. Google's numbers would clearly show that our compliance with these requests falls far short of the claims being made. Google has nothing to hide." </em>
</p>]]></description>
			<dc:date>2013-06-11T13:09:01-08:00</dc:date>
			<category>internet</category><category>internet_governance</category><category>law</category><category>policy_regulation</category><category>privacy</category>
		</item>
		
		<item>
			<title>NSA Builds Its Biggest Data Farm Amidst Controversy</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/nsa_builds_its_biggest_data_farm_amidst_controversy/</guid>
			<link>http://www.circleid.com/posts/nsa_builds_its_biggest_data_farm_amidst_controversy/</link>
			<description><![CDATA[<p>As privacy advocates and security experts debate the validity of the National Security Agency's <a href="http://www.circleid.com/posts/nsa_prism_program_has_direct_access_to_servers_of_firms_including_google_sk/">massive data gathering operations</a>, the agency is putting the finishing touches on its biggest data farm yet. The gargantuan $1.2 billion complex at a National Guard base 26 miles south of Salt Lake City features 1.5 million square feet of top secret space. High-performance NSA computers alone will fill up 100,000 square feet.
</p><p><strong>Read full story:</strong> <a href="http://www.npr.org/2013/06/10/190160772/amid-data-controversy-nsa-builds-its-biggest-data-farm">NPR</a></p>]]></description>
			<dc:date>2013-06-10T18:17:00-08:00</dc:date>
			<category>internet</category><category>data_center</category><category>privacy</category>
		</item>
		
		<item>
			<title>NSA PRISM Program Has Direct Access to Servers of Google, Skype, Yahoo and Others, Says Report</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/nsa_prism_program_has_direct_access_to_servers_of_firms_including_google_sk/</guid>
			<link>http://www.circleid.com/posts/nsa_prism_program_has_direct_access_to_servers_of_firms_including_google_sk/</link>
			<description><![CDATA[<p>The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants, according to a top secret document <a href="http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data" target="_blank">obtained by the Guardian</a>. The NSA access is part of a previously undisclosed program called PRISM, which allows officials to collect material including search history, the content of emails, file transfers and live chats, the document says.
</p>]]></description>
			<dc:date>2013-06-07T10:09:01-08:00</dc:date>
			<category>internet</category><category>privacy</category>
		</item>
		
		<item>
			<title>Government Hacking: Proposed Law in the Netherlands</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130508_government_hacking_proposed_law_in_the_netherlands/</guid>
			<link>http://www.circleid.com/posts/20130508_government_hacking_proposed_law_in_the_netherlands/</link>
			<description><![CDATA[<p>In 2012 I wrote a blog on CircleID called <a href="http://www.circleid.com/posts/20121022_state_hacking_dos_and_donts_pros_and_cons/">State hacking: Do's and don'ts, pros and cons</a>. In this post I give some thoughts to the concept of a government "hacking back" at criminals. The reason for this was an announcement by the Dutch government that it contemplated law along these lines. The proposed law is now here: the Act Computer Criminality III.
</p>
<p>
Although the idea originally was to hack into untraceable servers that could (most likely would) be based abroad, now it appears that the Dutch government has used its imagination some more. Hacking devices, the obligation to cooperate in an investigation against oneself by providing passwords, tapping devices and e.g. Skype, it's all in the concept. Not surprisingly there is a lot of commotion from privacy advocates and organisations.
</p>
<p>
Anyway, I've had my say in the mentioned blog post and reiterate that this is a very, very sensitive topic, that could cross boundaries that we as society may not want to cross. Let me provide you with some links, so you can study it yourself. Unfortunately everything is in Dutch. Below you find links to the law texts, including explanations/intentions and a link to a blog post by PhD student Jan Jaap Oerlemans of the University of Leiden who provides some excellent observations.
</p>
<p>
Here's the official government publication on the law with <a href="http://www.rijksoverheid.nl/nieuws/2013/05/02/opstelten-versterkt-aanpak-computercriminaliteit.html">links</a> to the actual texts.
</p>
<p>
Here's the <a href="http://oerlemansblog.weblog.leidenuniv.nl/">link</a> to Jan Jaap Oerlemans' blog.
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2013-05-08T09:55:01-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>internet_governance</category><category>law</category><category>policy_regulation</category><category>privacy</category><category>security</category>
		</item>
		
		<item>
			<title>Are There Countries Whose Situations Worsened with the Arrival of the Internet?</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130419_countries_whose_situations_worsened_with_arrival_of_internet/</guid>
			<link>http://www.circleid.com/posts/20130419_countries_whose_situations_worsened_with_arrival_of_internet/</link>
			<description><![CDATA[<p>Are there countries whose situations worsened with the arrival of the internet? I've been arguing that there are lots of examples of countries where <a href="http://www.amazon.com/Digital-Origins-Dictatorship-Democracy-Information/dp/0199736421">technology diffusion has helped democratic institutions deepen</a>. And there are several examples of countries where technology diffusion has been part of the story of <a href="http://amazon.com/dp/0199936978">rapid democratic transition</a>. But there are no good examples of countries where technology diffusion has been high, and the dictators got nastier as a result.
</p>
<p>
Over Twitter, <a href="https://twitter.com/ericschmidt">Eric Schmidt</a>, Google CEO, recently opined the same thing. <a href="https://twitter.com/evgenymorozov">Evgeny Morozov</a>, professional naysayer, asked for a graph.
</p>
<p>
So here is a graph and a list. I used <a href="http://www.systemicpeace.org/polity/polity4.htm">PolityIV's democratization scores</a> from 2002 and 2011. I used the World Bank/ITU data on internet users. I merged the data and made a basic graph. On the vertical axis is the change in percent of a country's population online over the last decade. The horizontal axis reflects any change in the democratization score &#8212; any slide towards authoritarianism is represented by a negative number. For Morozov to be right, the top left corner of this graph needs to have some cases in it.
</p>
<p>
<span style="font-size:85%;line-height:1.3em;color:#666666;margin:10px 0 20px 0;display:block;text-align:center;"><img src="http://www.circleid.com/images/uploads/7324.jpg" border="0" width="644" height="466" style="display:block;margin-bottom:20px;" /><strong>Change in Percentage Internet Users and Democracy Scores, By Country, 2002-2011</strong><br />(<a href="http://philhoward.org/wp-content/uploads/2013/04/noexamples.xls">Look at the Raw Data</a>)</span>
</p>
<p>
Are there any countries with high internet diffusion rates, where the regime got more authoritarian? The countries that would satisfy this condition should appear in the top left of the graph. Alas, the only candidates that might satisfy these two conditions are Iran, Fiji, and Venezuela. Over the last decade, the regimes governing these countries have become dramatically more authoritarian. Unfortunately for this claim, their technology diffusion rates are not particularly high.
</p>
<p>
This was a quick sketch, and much more could be done with this data. Some researchers don't like the PolityIV scores, and there are plenty of reasons to dislike the internet user numbers. Missing data could be imputed, and there may be more meaningful ways to compare over time. Some countries may have moved in one direction and then changed course, all within the last decade. Some only moved one or two points, and really just became slightly more or less democratic. But I've done that work too, without finding the cases Morozov wishes he had.
</p>
<p>
There are concerning stories of censorship and surveillance coming from many countries. Have the stories added up to dramatic authoritarian tendencies, or do they cancel out the benefits of having more and more civic engagement over digital media? Fancier graphic design might help bring home the punchline. There are still no good examples of countries with rapidly growing internet populations and increasingly authoritarian governments.
</p><p><em>Written by <a href="http://www.circleid.com/members/7003/">Philip N. Howard</a>, Professor in the Department of Communication at the University of Washington</em></p>]]></description>
			<dc:date>2013-04-19T10:18:00-08:00</dc:date>
			<category>internet</category><category>censorship</category><category>internet_governance</category><category>privacy</category>
		</item>
		
		<item>
			<title>Internet and the Telecommunication Acts of 1900</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130201_internet_and_the_telecommunication_acts_of_1900/</guid>
			<link>http://www.circleid.com/posts/20130201_internet_and_the_telecommunication_acts_of_1900/</link>
			<description><![CDATA[<p>On his blog Bruce Schneier recently <a href="http://www.schneier.com/blog/archives/2013/01/power_and_the_i.html">published a post</a> called "Power and the Internet". An article that most people in the western world will agree with. Internet freedom against Internet safety and security, the powerful have a lot of power to wield and the rest is at best ad hoc organised or fairly powerless lobby organisations. So who is likely to win? Vested interests, he warns.
</p>
<p>
That the Internet is or will be embedded in laws is unavoidable. Are there lessons to learn here? All this is not totally new. The telephone was a new communication device installed in a home that could be listened into. The local pub or store phone as the 20th century equivalent of a phone shop or Internet cafe? How did our (great-)grandparents deal with this technological advancement in their laws?
</p>
<p>
<strong>Issues at stake</strong>
</p>
<p>
Schneier correctly points out that the potential for direct influence on personal life the Internet brings is much higher than ever before. The surveillance possibilities on and joining databases through the Internet are nearly limitless. This takes wisdom and restraint on the side of governments to deal with in a proper way.
</p>
<p>
Usually things just sort of happen because it's technically possible, with all risks and potential damages to personal private lives hanging in the balance. Followed by court rulings and proposed changes to the law to make it possible anyway.
</p>
<p>
The question on what a democratic society deems proportionate and desirable is a correct one and needs answering, soon.
</p>
<p>
<strong>History's lessons?</strong>
</p>
<p>
As the Internet is also a modern day equivalent of the 1880s Wild West, governments are desperately trying to get to terms with it. Whether through the GAC, WCIT, ITU, UN, etc., it all is a fight for control over this new beast.
</p>
<p>
From the 1880s onwards telephone started spreading and lived the wild west life. Budding private companies were doing what they were doing, creating a chaos of the wires hanging over streets. No regulations, no control, no oversight. As this was mainly a national issue, governments started to deal with this problem. They wrote Telecommunication acts, following on the telegraph laws, nationalised companies, etc.
</p>
<p>
Reading roughly through parliamentary texts personally, in my case to find relevant passages to "Rights of way" in the Dutch 1904 law, I saw all sorts of concerns politicians and civil servants were struggling with at the time. Concerns that were not so different from today's, as long as we look at them in a little bit more abstract fashion.
</p>
<p>
There are, at least, three lessons to learn here.
</p>
<ol><li>What were the concerns of government on telecommunication in those days?</li>
<li>What lessons can we learn from writing laws on a new communication acts? And what mistakes to avoid?</li>
<li>Were there voices that feared governmental intervention then and if so who were they and what did they protest on?</li></ol>
<p>
In short this is all in the archives of national libraries. It's not as if we are inventing the wheel here. Telephone lines even crossed borders in those days too.
</p>
<p>
<strong>Conclusion</strong>
</p>
<p>
It is high time that the academic world comes up with studies that compare occasions in which technological advancement was embedded into law through the past 150 years from the particular point of view Schneier addresses. There must be valuable lessons there that the western world can learn from and assist in avoiding past mistakes or perhaps amend concerns. That alone would be quite a feat. What should be self-regulation, what regulated and for both in which way successfully accommodated? Questions that are to be reviewed and answered with restraint and wisdom.
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2013-02-01T08:09:00-08:00</dc:date>
			<category>internet</category><category>icann</category><category>internet_governance</category><category>law</category><category>policy_regulation</category><category>privacy</category>
		</item>
		
		<item>
			<title>Pandora&apos;s Box &#45; New US Cyber Security Bills Create a Worm Hole in the Internet Galaxy</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130126_pandoras_box_new_us_cyber_security_bills_worm_hole_internet/</guid>
			<link>http://www.circleid.com/posts/20130126_pandoras_box_new_us_cyber_security_bills_worm_hole_internet/</link>
			<description><![CDATA[<p><em>"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause..."</em>
<br />
&mdash;Fourth Amendment to the United States Constitution
</p>
<p>
There are two Bills that are floating through the corridors of power on the Hill that could potentially change the course of civil and political rights within the United States and the world. One was introduced through the House of Representatives and the other through the Senate. The two Bills touch on a common thread and are premised on "national security"; however, there are interesting challenges that will surface should the Bills be passed that affect global public interest and require further examination, introspection and discussion.
</p>
<p>
<strong>Cyber Intelligence Sharing and Protection Act (CISPA)</strong>
</p>
<p>
US Representatives Mike Rogers (R-Mich) and Dutch Ruppersberger (D-Md) took the <a href="http://thomas.loc.gov/cgi-bin/query/z?c112:H.R.3523:">Cyber Intelligence Sharing and Protection Act (CISPA)</a> to the floor last year, despite the threats that President Obama would veto the Bill on the version that it was then. On 25th April 2012, President Obama's Administration released a <a href="http://www.whitehouse.gov/sites/default/files/omb/legislative/sap/112/saphr3523r_20120425.pdf">statement</a> saying that:
</p>
<blockquote><p><em>"Legislation should address core critical infrastructure vulnerabilities without sacrificing the fundamental values of privacy and civil liberties for our citizens, especially at a time our Nation is facing challenges to our economic well-being and national security. The Administration looks forward to continuing to engage with the Congress in a bipartisan, bicameral fashion to enact cybersecurity legislation to address these critical issues. However, for the reasons stated herein, if H.R. 3523 were presented to the President, his senior advisors would recommend that he veto the bill."</em></p></blockquote>

<p>
The US House of Representatives approved the CISPA on a bipartisan vote of 248-168. Proponents of CISPA believed that they could get the Bill ready for the President to endorse. On 7th May, 2012, the CISPA was received in the Senate and the Bill was read twice and referred to the Select Committee on Intelligence.
</p>
<p>
<strong>Cybersecurity and American Cyber Competitiveness Act 2013</strong>
</p>
<p>
The US Senate has introduced a new Bill called the <a href="http://commerce.senate.gov/public/?a=Files.Serve&amp;File_id=b678eb9a-b5c1-4540-aca3-3e857c7627da">Cybersecurity and American Cyber Competitiveness Act 2013</a> through Senators John D. (Jay) Rockefeller IV, Chairman of the Senate Commerce, Science, and Transportation Committee, Tom Carper, incoming Chairman of the Senate Homeland Security and Governmental Affairs Committee, and Dianne Feinstein, Chairman of the Senate Select Committee on Intelligence and recently issued a <a href="http://commerce.senate.gov/public/index.cfm?p=PressReleases&amp;ContentRecord_id=7a7124d7-190c-4160-abf3-4012c2db737c">Press Release</a>.
</p>
<p>
The two Bills are controversial because on one hand, they address an important aspect of security and it is critical that countries work towards securing cyber space through having relevant legislative framework in place but what is also equally important is that considerations such as human rights provisions such as rights to privacy and other issues such as data protection rights be a part of the equation. It is also important that lawmakers remember that the foundation of freedoms and rights is also based on the notion that individuals are protected from arbitrariness otherwise there is a devolution to a Police State. There has to be a balance.
</p>
<p>
Policy should precede legislative framework and where these factors along with other key considerations such as objectionable content are identified. Given the interdependencies of the Internet through its architecture and the series of relationships and transactions, the enforcement of US control over other states through these two Bills means that every Policy made by the global community within Multistakeholder organizations like Internet Corporation for Assigned Names and Numbers (ICANN) will be subject to these laws if passed.
</p>
<p>
There was much debate and controversy around the WCIT and rhetoric included "Hands off the Internet" but it would appear that they were being selective when they said that.
</p>
<p>
Last year the US Government decided to return two domain names, namely Rojadirecta.com and Rojadirecta.org which it improperly seized and held in its possession for well over a year, without so much as an explanation. These sites are Puerto 80's popular sports streaming sites, which the government seized back in February 2011. Puerto 80 responded by petitioning the government for return of the domains. What was fascinating about this was that Puerto 80 is a Spanish company, and a Spanish court had already found the sites legal. The courts in the US disagreed holding that the US government did not have to return the domains and Puerto 80 appealed and then late last year the US Government mysteriously dropped the matter without an explanation.
</p>
<p>
Even if the Bills were to contain provisions to protect the privacy rights and civil liberties of Americans, there is no guarantee that the rights and protections would extend to non-Americans. The challenges to an open and internet are occurring within the United States. These Bills could waive all the existing privacy laws that were crafted to protect ordinary American citizens.
</p>
<p>
Will we see more domain name seizures, DNSSEC filtering etc? What would be the impact on Whois?
</p>
<p>
The thing about Pandora's Box is once it is opened there is no going back.
</p>
<p>
<strong>Caveat</strong> &ndash; <em>These views are solely my own and do not reflect the views of any of my affiliations.</em>
</p><p><em>Written by <a href="http://www.circleid.com/members/6854/">Salanieta Tamanikaiwaimaro</a>, Director of Pasifika Nexus</em></p>]]></description>
			<dc:date>2013-01-26T10:44:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>domain_names</category><category>internet_governance</category><category>law</category><category>policy_regulation</category><category>privacy</category><category>security</category><category>whois</category>
		</item>
		
		<item>
			<title>Beyond Smart Cards and Guns in Schools</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130122_beyond_smart_cards_and_guns_in_schools/</guid>
			<link>http://www.circleid.com/posts/20130122_beyond_smart_cards_and_guns_in_schools/</link>
			<description><![CDATA[<p>On January 8, 2013, a Judge from the United States District Court in Texas ruled against a high school sophomore's refusal to wear a smart identity card embedded with a radio frequency chip which is part of the school's smart ID card student locator project.
</p>
<p>
The <a href="https://www.rutherford.org/files_images/general/01-08-2013_Hernandez_Ruling.pdf">Judgment</a> shows the testimonies of the Superintendent and the Principal stating that the sensors do not give exact readings nor are they able to pinpoint the exact location of the students.
</p>
<p>
The plaintiff is a sophomore student whose claim against the school was based on her religious conviction that wearing the smart card was a violation of her religious freedoms and a breach of her civil liberties and privacy rights. Whilst the Plaintiff has no issue with wearing normal identification cards that do not have tracking devices and no issues with surveillance cameras, her belief system propels her to reject the tracking device component of the ID.
</p>
<p>
In examining the reasons proffered by the school, its motivation is to ensure that student attendance is optimum as it impacts on State funding. The smart card allows access for the purchase of meals and other services. The Plaintiff had claimed that the smart card was the <em>mark of the beast</em> as foretold in the Bible which was why she could not accept this smart card.
</p>
<p>
The School had offered to remove the chip where she could wear the badge without the tracking device but the Plaintiff did not want any part of the badge. The Judge ruled that the Plaintiff failed to show a constitutional violation. The Defendant had pointed out that the Vatican uses smart cards as part of security to which the Plaintiff had retorted that her faith was not linked to the Vatican.
</p>
<p>
Religion aside, in examining the policy decisions for the use of smart cards in schools, one cannot help thinking about the recent school shootings in the United States. In 2008, it was <a href="http://www.huffingtonpost.com/2012/12/17/harrold-texas-school-guns_n_2316729.html">reported</a> that a Superintendent in Texas was pushing for teachers to be able to carry guns in school.
</p>
<p>
Michigan is also <a href="http://www.reuters.com/article/2012/12/14/us-michigan-gun-idUSBRE8BD1F220121214">reported</a> to be considering a Guns in School Bill.
</p>
<p>
In the age of artificial intelligence, and where technology is always evolving faster than we can ever imagine, and in the <a href="https://www.eff.org/document/fingerprints-dna-biometric-data-collection-us-immigrant-communities-and-beyond">era of biometrics</a>, an individual's information is stored in repositories shared over multiple databases. As technology continues to evolve, institutions will exercise their discretion on their adoption. This creates interesting considerations by Privacy Commissioners and Privacy Rights advocates.
</p>
<p>
I cannot help wondering: what if bank employees, medical employees and aviation staff all had tracking devices, so that their employers could know for certain where their employees were? If we take the rationale employed by the District Court Judge, where the student is not free but is subject to rules, what happens when organizations start to create rules to force people who have a contractual relationship with them to start wearing tracking devices?
</p>
<p>
When a school wants to encourage attendance through enforcement and tracking students' movements, it becomes obvious that this is from a place where "trust" has died. The ability to penetrate into systems to retrieve student information and track students exists. In light of the violence in schools, if someone knew what they were doing they could misuse the information to track students or carriers.
</p>
<p>
When a school and its teachers are able to create a culture and an environment that creates vision and inspires and empowers students, they will not need to be told to attend, and you would certainly not need smart cards to bolster attendance, nor guns to defend against school violence.
</p>
<p>
A far deeper introspection is required and it goes beyond smart cards and guns. It is about the system! Otherwise there is no rhyme nor reason.
</p><p><em>Written by <a href="http://www.circleid.com/members/6854/">Salanieta Tamanikaiwaimaro</a>, Director of Pasifika Nexus</em></p>]]></description>
			<dc:date>2013-01-22T07:52:00-08:00</dc:date>
			<category>internet</category><category>privacy</category><category>security</category>
		</item>
		
		<item>
			<title>CircleID&apos;s Top Ten Posts of 2012</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130110_circleid_top_ten_posts_of_2012/</guid>
			<link>http://www.circleid.com/posts/20130110_circleid_top_ten_posts_of_2012/</link>
			<description><![CDATA[<p>Here are the top ten most popular news, blogs, and industry updates featured on CircleID during 2012 based on the overall readership of the posts for the past 12 months. Congratulations to all the participants whose posts reached top readership and best wishes to the entire community for 2013.
</p>
<p>
<strong>Top Ten <a href="http://www.circleid.com/blogs/">Featured Blogs</a> from the community in 2012:</strong>
<br />
<table border="0" cellspacing="0" cellpadding="0" id="topTen"><tr><td class="rank">#<strong>1</strong></td><td><a href="http://www.circleid.com/members/620/"><img src="/images/member_photos/photo_620.jpg" border="0" width="60" alt="Paul Vixie" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120327_dns_changer/" title="DNS Changer" class="title">DNS Changer</a>by <a href="http://www.circleid.com/members/620/" class="blue">Paul Vixie</a> | Mar 27, 2012 | Viewed 66,094 times</td></tr><tr><td class="rank">#<strong>2</strong></td><td><a href="http://www.circleid.com/members/949/"><img src="/images/member_photos/photo_949.jpg" border="0" width="60" alt="Konstantinos Komaitis" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/trademarking_generics_the_bank_fiasco/" title="Trademarking .generics - the .bank Fiasco!" class="title">Trademarking .generics - the .bank Fiasco!</a>by <a href="http://www.circleid.com/members/949/" class="blue">Konstantinos Komaitis</a> | Jan 18, 2012 | Viewed 17,124 times</td></tr><tr><td class="rank">#<strong>3</strong></td><td><a href="http://www.circleid.com/members/620/"><img src="/images/member_photos/photo_620.jpg" border="0" width="60" alt="Paul Vixie" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120111_refusing_refused_for_sopa_pipa/" title="Refusing REFUSED" class="title">Refusing REFUSED</a>by <a href="http://www.circleid.com/members/620/" class="blue">Paul Vixie</a> | Jan 11, 2012 | Viewed 11,860 times</td></tr><tr><td class="rank">#<strong>4</strong></td><td><a href="http://www.circleid.com/members/2459/"><img src="/images/member_photos/photo_2459.jpg" border="0" width="60" alt="Philip S Corwin" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/megabusts_megaquestions_cloud_the_nets_future/" title="MegaBust's MegaQuestions Cloud the Net's Future" class="title">MegaBust's MegaQuestions Cloud the Net's Future</a>by <a 
href="http://www.circleid.com/members/2459/" class="blue">Philip S Corwin</a> | Feb 13, 2012 | Viewed 10,430 times</td></tr><tr><td class="rank">#<strong>5</strong></td><td><a href="http://www.circleid.com/members/2859/"><img src="/images/member_photos/photo_2859.jpg" border="0" width="60" alt="Terry Zink" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120215_anonymous_plans_to_go_after_dns_root_servers/" title="Anonymous Plans to Go After DNS Root Servers. What Will Be the US's Response?" class="title">Anonymous Plans to Go After DNS Root Servers. What Will Be the US's Response?</a>by <a href="http://www.circleid.com/members/2859/" class="blue">Terry Zink</a> | Feb 15, 2012 | Viewed 9,813 times</td></tr><tr><td class="rank">#<strong>6</strong></td><td><a href="http://www.circleid.com/members/773/"><img src="/images/member_photos/photo_773.jpg" border="0" width="60" alt="Naseem Javed" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120724_why_dot_com_kingdom_will_continue_to_rule_post_new_gtlds/" title="Why the Dot Com Kingdom Will Continue to Rule Post New gTLDs" class="title">Why the Dot Com Kingdom Will Continue to Rule Post New gTLDs</a>by <a href="http://www.circleid.com/members/773/" class="blue">Naseem Javed</a> | Jul 24, 2012 | Viewed 9,771 times</td></tr><tr><td class="rank">#<strong>7</strong></td><td><a href="http://www.circleid.com/members/3296/"><img src="/images/member_photos/photo_3296.jpg" border="0" width="60" alt="Garth Bruen" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120327_fake_bank_site_fake_registrar/" title="Fake Bank Site, Fake Registrar" class="title">Fake Bank Site, Fake Registrar</a>by <a href="http://www.circleid.com/members/3296/" class="blue">Garth Bruen</a> | Mar 27, 2012 | Viewed 8,977 times</td></tr><tr><td class="rank">#<strong>8</strong></td><td><a href="http://www.circleid.com/members/5265/"><img src="/images/member_photos/photo_5265.jpg" border="0" width="60" 
alt="Wout de Natris" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20121121_why_vint_cerf_is_wrong/" title="Why Vint Cerf is Wrong" class="title">Why Vint Cerf is Wrong</a>by <a href="http://www.circleid.com/members/5265/" class="blue">Wout de Natris</a> | Nov 21, 2012 | Viewed 8,891 times</td></tr><tr><td class="rank">#<strong>9</strong></td><td><a href="http://www.circleid.com/members/1373/"><img src="/images/member_photos/photo_1373.jpg" border="0" width="60" alt="Paul Diaz" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120319_internet_governance_and_the_public_interest/" title="Internet Governance and the Public Interest" class="title">Internet Governance and the Public Interest</a>by <a href="http://www.circleid.com/members/1373/" class="blue">Paul Diaz</a> | Mar 19, 2012 | Viewed 8,384 times</td></tr><tr><td class="rank">#<strong>10</strong></td><td><a href="http://www.circleid.com/members/6756/"><img src="/images/member_photos/photo_6756.jpg" border="0" width="60" alt="Chris Grundemann" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120719_ipv6_subnetting_the_paradigm_shift/" title="IPv6 Subnetting - The Paradigm Shift" class="title">IPv6 Subnetting - The Paradigm Shift</a>by <a href="http://www.circleid.com/members/6756/" class="blue">Chris Grundemann</a> | Jul 19, 2012 | Viewed 8,380 times</td></tr></table>
</p>
<p>
<strong>Top 10 <a href="http://www.circleid.com/news/">News</a> in 2012:</strong>
<br />
<table border="0" cellspacing="0" cellpadding="0" id="topTen"><tr><td class="rank">#<strong>1</strong></td><td><img src="/images/icon_top_ten_news.gif" border="0" width="60" alt="CircleID Reporter" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120210_isps_are_not_broadcasters_says_supreme_court_of_canada/" title="ISPs Are Not Broadcasters, Says Supreme Court of Canada" class="title">ISPs Are Not Broadcasters, Says Supreme Court of Canada</a>Feb 10, 2012 | Viewed 35,128 times</td></tr><tr><td class="rank">#<strong>2</strong></td><td><img src="/images/icon_top_ten_news.gif" border="0" width="60" alt="CircleID Reporter" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/iran_blocks_https_30_million_reported_losing_email_access/" title="Iran Blocks HTTPS, 30 Million Reported Losing Email Access" class="title">Iran Blocks HTTPS, 30 Million Reported Losing Email Access</a>Feb 11, 2012 | Viewed 11,016 times</td></tr><tr><td class="rank">#<strong>3</strong></td><td><img src="/images/icon_top_ten_news.gif" border="0" width="60" alt="CircleID Reporter" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120605_vint_cerf_the_launch_of_a_new_larger_internet/" title="Vint Cerf: The Launch of a New Larger Internet" class="title">Vint Cerf: The Launch of a New Larger Internet</a>Jun 05, 2012 | Viewed 8,257 times</td></tr><tr><td class="rank">#<strong>4</strong></td><td><img src="/images/icon_top_ten_news.gif" border="0" width="60" alt="CircleID Reporter" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20121109_digital_marketing_gtld_strategy_congress_announce_keynote_speakers/" title="The Digital Marketing &amp; gTLD Strategy Congress Announces Keynote, Speakers, Initial Partnerships" class="title">The Digital Marketing &amp; gTLD Strategy Congress Announces Keynote, Speakers, Initial Partnerships</a>Jan 08, 2013 | Viewed 7,841 times</td></tr><tr><td class="rank">#<strong>5</strong></td><td><img 
src="/images/icon_top_ten_news.gif" border="0" width="60" alt="CircleID Reporter" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/akamai_reports_460_times_increase_in_ipv6_requests_over_its_platform/" title="Akamai Reports 460 Times Increase in IPv6 Requests Over Its Platform Since Last Year" class="title">Akamai Reports 460 Times Increase in IPv6 Requests Over Its Platform Since Last Year</a>Oct 22, 2012 | Viewed 6,976 times</td></tr><tr><td class="rank">#<strong>6</strong></td><td><img src="/images/icon_top_ten_news.gif" border="0" width="60" alt="CircleID Reporter" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/saudi_arabia_objects_to_certain_proposed_new_gtld_strings_such_as_gay/" title="Saudi Arabia Objects to Certain Proposed New gTLD Strings Such as .Gay and .Wine" class="title">Saudi Arabia Objects to Certain Proposed New gTLD Strings Such as .Gay and .Wine</a>Aug 15, 2012 | Viewed 6,764 times</td></tr><tr><td class="rank">#<strong>7</strong></td><td><img src="/images/icon_top_ten_news.gif" border="0" width="60" alt="CircleID Reporter" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120309_department_of_commerce_cancels_iana_contract_rfp/" title="Department of Commerce Cancels IANA Contract RFP" class="title">Department of Commerce Cancels IANA Contract RFP</a>Mar 09, 2012 | Viewed 6,343 times</td></tr><tr><td class="rank">#<strong>8</strong></td><td><img src="/images/icon_top_ten_news.gif" border="0" width="60" alt="CircleID Reporter" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20121017_special_updates_from_the_icann_meetings_in_toronto/" title="SPECIAL: Updates from the ICANN Meetings in Toronto" class="title">SPECIAL: Updates from the ICANN Meetings in Toronto</a>Oct 17, 2012 | Viewed 5,802 times</td></tr><tr><td class="rank">#<strong>9</strong></td><td><img src="/images/icon_top_ten_news.gif" border="0" width="60" alt="CircleID Reporter" /></a></td><td width="100%"><a 
href="http://www.circleid.com/posts/most_us_agencies_expected_to_miss_ipv6_deadline/" title="Most U.S. Agencies Expected to Miss IPv6 Deadline" class="title">Most U.S. Agencies Expected to Miss IPv6 Deadline</a>Sep 28, 2012 | Viewed 5,411 times</td></tr><tr><td class="rank">#<strong>10</strong></td><td><img src="/images/icon_top_ten_news.gif" border="0" width="60" alt="CircleID Reporter" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/website_go_dark_protesting_sopa_and_pipa_senators_change_course/" title="Websites Go Dark Protesting SOPA and PIPA, Senators Change Course" class="title">Websites Go Dark Protesting SOPA and PIPA, Senators Change Course</a>Jan 18, 2012 | Viewed 5,299 times</td></tr></table>
</p>
<p>
<strong>Top 10 <a href="http://www.circleid.com/industry/">Industry News</a> in 2012 (sponsored posts):</strong>
<br />
<table border="0" cellspacing="0" cellpadding="0" id="topTen"><tr><td class="rank">#<strong>1</strong></td><td><a href="http://www.circleid.com/members/3844/"><img src="/images/member_photos/photo_3844.gif" border="0" width="60" alt="MarkMonitor" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120615_markmonitor_offers_new_gtld_application_database/" title="MarkMonitor Offers New gTLD Application Database" class="title">MarkMonitor Offers New gTLD Application Database</a>by <a href="http://www.circleid.com/members/3844/" class="blue">MarkMonitor</a> | Jun 15, 2012 | Viewed 6,992 times</td></tr><tr><td class="rank">#<strong>2</strong></td><td><a href="http://www.circleid.com/members/6624/"><img src="/images/member_photos/photo_6624.gif" border="0" width="60" alt="DotConnectAfrica" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20121023_dotconnectafrica_participates_in_icann_45_toronto_unveils_new_ibca/" title="DotConnectAfrica Participates in ICANN-45 Toronto, Unveils New IBCA Initiative at ICANN Public Forum" class="title">DotConnectAfrica Participates in ICANN-45 Toronto, Unveils New IBCA Initiative at ICANN Public Forum</a>by <a href="http://www.circleid.com/members/6624/" class="blue">DotConnectAfrica</a> | Oct 23, 2012 | Viewed 6,822 times</td></tr><tr><td class="rank">#<strong>3</strong></td><td><a href="http://www.circleid.com/members/4162/"><img src="/images/member_photos/photo_4162.gif" border="0" width="60" alt="Afilias" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20121025_icann_45_new_gtlds_not_far_away_now/" title="ICANN 45: New gTLDs Not Far Away Now" class="title">ICANN 45: New gTLDs Not Far Away Now</a>by <a href="http://www.circleid.com/members/4162/" class="blue">Afilias</a> | Oct 25, 2012 | Viewed 5,676 times</td></tr><tr><td class="rank">#<strong>4</strong></td><td><a href="http://www.circleid.com/members/3844/"><img src="/images/member_photos/photo_3844.gif" border="0" width="60" 
alt="MarkMonitor" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120124_markmonitor_to_exhibit_at_internet_tech_policy_exhibition/" title="MarkMonitor to Exhibit at Internet Tech Policy Exhibition and Reception to be Held on Capitol Hill" class="title">MarkMonitor to Exhibit at Internet Tech Policy Exhibition and Reception to be Held on Capitol Hill</a>by <a href="http://www.circleid.com/members/3844/" class="blue">MarkMonitor</a> | Jan 24, 2012 | Viewed 5,355 times</td></tr><tr><td class="rank">#<strong>5</strong></td><td><a href="http://www.circleid.com/members/5387/"><img src="/images/member_photos/photo_5387.gif" border="0" width="60" alt="CentralNic" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120730_centralnic_and_regru_confirm_strategic_partnership/" title="CentralNic and REG.RU Confirm Strategic Partnership" class="title">CentralNic and REG.RU Confirm Strategic Partnership</a>by <a href="http://www.circleid.com/members/5387/" class="blue">CentralNic</a> | Jul 30, 2012 | Viewed 5,244 times</td></tr><tr><td class="rank">#<strong>6</strong></td><td><a href="http://www.circleid.com/members/3844/"><img src="/images/member_photos/photo_3844.gif" border="0" width="60" alt="MarkMonitor" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120217_markmonitor_fraud_intelligence_report_q4_2011/" title="MarkMonitor Fraud Intelligence Report, Q4 2011" class="title">MarkMonitor Fraud Intelligence Report, Q4 2011</a>by <a href="http://www.circleid.com/members/3844/" class="blue">MarkMonitor</a> | Feb 17, 2012 | Viewed 5,037 times</td></tr><tr><td class="rank">#<strong>7</strong></td><td><a href="http://www.circleid.com/members/4162/"><img src="/images/member_photos/photo_4162.gif" border="0" width="60" alt="Afilias" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120628_afilias_participates_in_global_test_of_multilingual_idn_email/" title="Afilias Participates in Global Test of 
Multilingual IDN Email" class="title">Afilias Participates in Global Test of Multilingual IDN Email</a>by <a href="http://www.circleid.com/members/4162/" class="blue">Afilias</a> | Jun 28, 2012 | Viewed 4,857 times</td></tr><tr><td class="rank">#<strong>8</strong></td><td><a href="http://www.circleid.com/members/4117/"><img src="/images/member_photos/photo_4117.gif" border="0" width="60" alt="Nominum" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120430_implementing_cyber_security_code_of_conduct/" title="Implementing a Cyber-Security Code of Conduct: Real-Life Lessons From Australia (Webinar)" class="title">Implementing a Cyber-Security Code of Conduct: Real-Life Lessons From Australia (Webinar)</a>by <a href="http://www.circleid.com/members/4117/" class="blue">Nominum</a> | Apr 30, 2012 | Viewed 4,665 times</td></tr><tr><td class="rank">#<strong>9</strong></td><td><a href="http://www.circleid.com/members/3844/"><img src="/images/member_photos/photo_3844.gif" border="0" width="60" alt="MarkMonitor" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/201209005_top_level_domain_survey_findings_not_surprising_but_concerning/" title="Top-Level Domain Survey Findings Not Surprising, But Still Concerning" class="title">Top-Level Domain Survey Findings Not Surprising, But Still Concerning</a>by <a href="http://www.circleid.com/members/3844/" class="blue">MarkMonitor</a> | Sep 05, 2012 | Viewed 4,509 times</td></tr><tr><td class="rank">#<strong>10</strong></td><td><a href="http://www.circleid.com/members/1858/"><img src="/images/member_photos/photo_1858.gif" border="0" width="60" alt="PIR" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120814_public_interest_registry_releases_bi_annual_domain_name_report/" title="Public Interest Registry Releases Results of Bi-Annual Domain Name Report" class="title">Public Interest Registry Releases Results of Bi-Annual Domain Name Report</a>by <a 
href="http://www.circleid.com/members/1858/" class="blue">PIR</a> | Aug 14, 2012 | Viewed 4,462 times</td></tr></table>
</p>
<p>
You can also check the leaderboards for CircleID's overall top 100 <a href="http://www.circleid.com/community/top_100"><strong>community</strong></a> and <a href="http://www.circleid.com/industry/leaderboard/"><strong>industry</strong></a> participants.
</p><p><em>Written by <a href="http://www.circleid.com/members/501/">CircleID Reporter</a></em></p>]]></description>
			<dc:date>2013-01-10T09:34:00-08:00</dc:date>
			<category>internet</category><category>access_providers</category><category>broadband</category><category>censorship</category><category>cloud_computing</category><category>cyberattack</category><category>cybercrime</category><category>ddos</category><category>dns</category><category>dnssec</category><category>domain_names</category><category>registry_services</category><category>icann</category><category>internet_governance</category><category>ip_addressing</category><category>ipv6</category><category>law</category><category>malware</category><category>mobile</category><category>policy_regulation</category><category>privacy</category><category>security</category><category>telecom</category><category>top_level_domains</category><category>web</category>
		</item>
		
		<item>
			<title>Cyber Security: A Duty to Care?</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20121213_cyber_security_a_duty_to_care/</guid>
			<link>http://www.circleid.com/posts/20121213_cyber_security_a_duty_to_care/</link>
			<description><![CDATA[<p>Yesterday, in my post on three new threats in one day (click <a href="http://www.circleid.com/posts/20121212_three_new_cyber_security_threats_in_one_day/">here</a>), I posed the question whether it was necessary to develop regulations that would set a minimum standard on cyber security for devices that connect to the Internet. I'm having second thoughts here, which I'll explain below, but also try to look at a way forward and ask you to engage.
</p>
<p>
<strong>IGF 2012, Workshop 87</strong>
</p>
<p>
In this workshop on international cooperation and critical (Internet) infrastructure, the debate was also on standards. There was a very clear call not to regulate on security standards, for two reasons. The minimum standards will be what everyone adheres to, while at present we try to better ourselves each and every day. As the panellist from Google said:
</p>
<blockquote><p><em>"If you have a treaty or regulation that sets a bar, typically what businesses will do will think as long as I hit that regulation, I'm fine. Whereas right now, you have people constantly striving to be better and have higher and higher bars..."</em></p></blockquote>
<p>
It seemed like all in the panel, from very different backgrounds, agreed on this quote.
</p>
<p>
This may be true for companies like Google, SIDN, Anti-Virus, for CERTs, etc. On the other hand, it's quite clear that for companies that are more on the fringes of the Internet, cyber security does not seem to be a priority, at least where the product for the end user is concerned. Whether this has a financial background, stems from ignorance or a naiveté towards the Internet, I do not know. Probably a combination. It doesn't really matter; what does matter is that this behaviour has to change. How to go about this?
</p>
<p>
(There is a transcription of workshop 87 on the IGF website on <a href="http://wsms1.intgovforum.org/2012/Transcripts?order=title&amp;sort=desc">this</a> page (although it is not complete) and the report is on the NLIGF website <a href="http://nligf.nl/index.php/nieuws/P0/verslag_workshop_cross_border_cooperation_in_incidents_involving_internet_c">here</a>.)
</p>
<p>
First I look at an example of minimum regulation and the effect on the Dutch National Railways (NS) which made me doubt regulation.
</p>
<p>
<strong>Minimum standards. A good thing?</strong>
</p>
<p>
The inspiration for this post I <a href="http://www.nrc.nl/nieuws/2012/12/11/ns-en-prorail-onder-verscherpt-toezicht-gesteld/">found</a> last night while reading NRC Handelsblad. The National Security Board released a report on a train accident which caused 1 death, 24 severely injured people and an overall 165 injuries. The story is quite telling on two accounts, which, I think, are directly juxtaposable to Internet security, as you will see.
</p>
<p>
Before giving the facts around this story I have to explain the following. Since the liberalisation of the railways, the national company has been split into several companies, among which transport (NS) and rail system (ProRail). This complicates this story a little, but let's pretend it's still one as it does not change the insight I've gained. The report delivers the following facts on the NS:
</p>
<blockquote><p>- new trains meet only the bare minimum of technical standards;
<br />
- the decorations in the train were not checked for security;
<br />
- chairs are made to clean easily but are dangerous for passengers;
<br />
- tables are too thin and caused the death and serious injuries;
<br />
- the security system is mainly still based on 1950s technology;
<br />
- during construction work the network is over-used;
<br />
- 150x a year a red light is ignored with no emergency brake in place in many cases;</p></blockquote>
<p>
In short, NS has for years cut the budget for securing its network optimally, backed by budgets determined at government level I suppose. Perhaps the discussion whether one major accident a year is allowable is at work here. The other part of the examples is about the interior of the trains. Cleanness over security. Decorations that may not have been tested properly, endangering the passengers/customers. The NS has not adhered to a duty to care for its customers, one conclusion reads.
</p>
<p>
The main question, however, is: would the NS have performed better without regulation, without the minimum standard for technical security? At present it seems to stick to the minimum requirements, with the present results on in-car security for the passengers. A point for Google in this discussion, it looks like.
</p>
<p>
Let's go back to the Internet world.
</p>
<p>
<strong>How to engage industry?</strong>
</p>
<p>
More and more devices will connect to the Internet over the next years: "The Internet of things". From coffee machines to refrigerators, TVs, air conditioners, perhaps even the dog's leash. Who knows? Every single device will need to have built-in security, securing the end user from harm. Let me give some examples of threats I can think up here.
</p>
<p>
Expensive TV programs ordered through hacks at high cost to the unsuspecting end user? Fridges that order new stock to other addresses? Garage doors opened through hacks? Cars that could do ...? Game consoles that spy on the use of other devices in the home? Just guessing here from the past examples of SMS scams, autodialers, spying webcams, etc.
</p>
<p>
Often I suspect that the ability to do something technically leads to implementation, while cyber security is only thought of after implementation. Money was saved, processes automated, remote access granted, etc., leading to high costs to mend things. Again we are on this road, towards the Internet of things. How can we prevent making the same mistakes again? How can high-tech device and appliance companies be engaged in discussions on security before the product is unleashed on the totally unaware public?
</p>
<p>
What about engaging these companies through an organisation like MAAWG? Awareness raising, trainings, the exchange of useful knowledge that is already available in the Internet industry to prevent further harm? Determine the current best practices together and implement them? It sounds like a plan. But who makes himself available to do the outreach, invitations, program building? Still, these are steps that need to be taken to secure the Internet of the future.
</p>
<p>
Is it an idea to impose a duty to care for the customer where (all) Internet related products are concerned? Not a regulation of minimum standards, but a duty to deliver secure products at ever bettering, competitive standards? And who regulates negligent companies? Consumer Authorities, judges?
</p>
<p>
<strong>What is the way forward?</strong>
</p>
<p>
This is just an idea. There may be other ways. What are your ideas? Let's try and put them together and discuss. Something needs to happen soon and every day lost is a day wasted where cyber security is concerned. I'm looking forward to hearing your ideas.
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2012-12-13T07:53:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>internet_governance</category><category>law</category><category>malware</category><category>policy_regulation</category><category>privacy</category><category>security</category>
		</item>
		
		<item>
			<title>Why Vint Cerf is Wrong</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20121121_why_vint_cerf_is_wrong/</guid>
			<link>http://www.circleid.com/posts/20121121_why_vint_cerf_is_wrong/</link>
			<description><![CDATA[<p>At the Internet Governance Forum in Baku, I made an intervention on behalf of NL IGF, reporting on the recommendations given by the participants of <a href="http://www.intgovforum.org/cms/component/content/article/116-workshop-proposals/1023-igf-2012-workshop-proposal--no-87-cross-border-cooperation-in-incidents-involving-internet-critical-infrastructure">Workshop 87</a>. The participants came from positions representing most actors on and around the Internet. As one of circa ten recommendations, I concluded that more regulatory and law enforcement bodies need to become part of the IGF discussions, as they are an integral part of governing the Internet from a safety and security perspective. Mr. Cerf responded with a one-liner: "I can't help observing, if we keep the regulatories confused, maybe they will leave us alone". There seems to be a misunderstanding between us that I would like to clear up.
</p>
<p>
<strong>Workshop 87</strong>
</p>
<p>
This workshop took on one of the most difficult topics concerning Internet governance, cross border cooperation between (public and private) entities. The specific topic was incidents concerning critical (Internet) infrastructure, but could have been on cyber crime, fraud, spam, botnet mitigation, etc. The discussion would hardly have been different.
</p>
<p>
The participants came from governments, an international governmental organisation, the CERT community, private companies, an Internet resource organisation, in this specific case a ccTLD, national centres for botnet mitigation (to be) and a regulatory body. In short all but traditional law enforcement, who, NL IGF found, could not be enticed to participate in a discussion on cross border cooperation. There was an interesting discussion between the different panellists, showing, among other things, that public &#8212; private cooperation is a normal phenomenon for most participants, but not always easy to achieve, nor always institutionalised. They all shared recommendations, which will be published soon on the website of NL IGF. Let's go into specifics relevant to this blog post.
</p>
<p>
<strong>Regulatory bodies</strong>
</p>
<p>
Traditionally a regulatory body has a task to regulate a market. The Internet so far has managed to stay away from regulation. Mainly because the Internet is a market that works and does not need regulation.
</p>
<p>
This has shifted somewhat in the past four years, as the Internet has become substantially less safe to use and governments worry about safety and security of the state, its citizens and institutions. This is normal as it is one of the main tasks of the state. The discussions are mostly about how the Internet can become safer, looking at the public functions some private organisations perform, like distributing domain names and IP addresses. It is not in this context that the term 'regulatory bodies' was used by me at the IGF.
</p>
<p>
<strong>Enforcement bodies</strong>
</p>
<p>
Several regulatory bodies have been given enforcement tasks on spam, malware, online fraud, identity theft. They come from a telephony, consumer and privacy regulatory background. Some function very successfully, like the U.S. FTC, the Australian ACMA and the Dutch OPTA. In other countries enforcement tasks were also given to regulatory bodies, but they are less successful or unsuccessful, e.g. because they do not give enough or any priority to enforcement tasks, for known and unknown reasons. The bodies that are successful need to be engaged in Internet governance, especially now that initiatives are sprouting in several countries on cyber security strategies and botnet mitigation centres. An international comparative study shows that cooperation does not come naturally to most national centres and regulatory bodies. (Click <a href="http://woutdenatris.wordpress.com/2012/09/17/581/">here</a> for the study.)
</p>
<p>
If countries can become more aware of the possibilities they have at "regulating" around the Internet, this would make the Internet environment safer for everyone, without impeding in any way on private initiatives that have made the Internet what it is today. Better still, if public and private parties know what they can expect from each other, a lot of efficiency can be gained, saving energy and cost, as the Cyber Crime Working Party initiative at RIPE NCC has shown and is working on through managing expectations and standardizing information streams. And best is when, through coordination, a national body is able to choose which entity is best equipped to deal with an incident. Private? CERT? Regulatory? LEA? All together? This can only happen when all are equipped in the right way and connected at the national level. Preferably through a national strategy.
</p>
<p>
The participant from a regulatory body in the NL IGF panel in Baku e.g. also runs the national CERT and the national botnet mitigation program. In other words, from his perspective there is a clear need for more cooperation. Especially with countries that have not given the kind of priority his country has to security and safety tasks. Because on the one hand Finnish government and companies are threatened from abroad and there is no one at the other end to stop these threats, while at the same time he has information on threats going to these countries, with no one to mitigate them on the other side. Cyber security cooperation works both ways, if there is a level playing field.
</p>
<p>
<strong>Foreseeable results</strong>
</p>
<p>
By engaging these regulatory bodies, including traditional law enforcement, into discussions of Internet governance, several results can be achieved. Governments are made aware of the need for speed of action at the enforcement and security level and learn first hand what works, copy and help shape best practices and are made to understand that doing nothing is no longer an option. Regulatory bodies get to know counterparts at major companies, organisations and governments that they need to engage with in order to be more successful. The Internet industry gets to know their counterparts within law enforcement and builds a trusted relationship. Only by supplying information can governments and law enforcement be made to understand where true priorities lie. This way both sides can manage expectations and efficiency is reached in their mutual contacts.
</p>
<p>
<strong>Self regulation</strong>
</p>
<p>
I, for one, am convinced that the Internet and ICT industry can go a long way making the Internet a safer environment for all end users through self-regulation. Not that this is common practice at this moment, as in the past years the technical community has focussed on enabling the ease of use of the Internet and ICT products, while others have focussed on making money.
</p>
<p>
It is only if industry fails at self-regulation that regulation becomes an option. Several recent initiatives show that diverse Internet industry bodies are working on self-regulatory initiatives that can make a major difference in the future. Governments are supporting these initiatives, like AbuseIX in The Netherlands and the German, Swiss and Finnish botnet centres, and the EU funds 50% of the ACDC project.
</p>
<p>
However, this is not enough. If law enforcement does not become involved or is made to understand where cyber crime meets cyber security and (is made to) prioritize accordingly, all present and future initiatives are mopping activities only, as the criminals remain in control of the tap. They need to get arrested or if this is impossible, frustrated in such a way that they employ themselves elsewhere. Only a public &#8212; private partnership can achieve this.
</p>
<p>
<strong>Communication and cooperation</strong>
</p>
<p>
Mr. Cerf's own company, Google, in the panel stated that they cooperate in a standardized as well as in an ad hoc way to mitigate security incidents. With public and private institutions. I.e., most likely including government bodies that (also) have regulatory and enforcement tasks beyond market regulation. And this is a good thing as communication, understanding, trust and cooperation lead to a safer Internet.
</p>
<p>
If the world manages to establish these lines of communication and cooperation, crime on the Internet will be pushed back to more acceptable levels. If this does not happen, it is the Internet and the Internet industry and companies that will get hurt in the process.
</p>
<p>
Everyday life is not safe, but we are all under the impression that it is and function as such. The same situation needs to be created for the Internet. This can only be achieved if government and private sector cooperate, just like in the offline world and that includes regulatory bodies. That is why Vint Cerf is wrong and with his comment runs a risk of frustrating developments that the world actually needs rapidly in order to keep the Internet as it is. A great open tool for all (well almost all if we bar criminals), to use at ease, in work and play. Something no one with a right mind wants to lose. (This last comment is not aimed at Mr. Cerf, but at the ongoing WCIT discussion.)
</p>
<p>
For the transcript of my intervention and Mr. Cerf's response click <a href="http://www.intgovforum.org/cms/component/content/article/114-preparatory-process/1259-igf-2012-taking-stock-and-the-way-forward-main-session">here</a> and scroll to near the bottom.
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2012-11-21T08:41:00-08:00</dc:date>
			<category>internet</category><category>access_providers</category><category>cybercrime</category><category>domain_names</category><category>icann</category><category>internet_governance</category><category>ip_addressing</category><category>law</category><category>malware</category><category>policy_regulation</category><category>privacy</category><category>security</category><category>spam</category>
		</item>
		
		<item>
			<title>&#8230; and still we are left wanting: Malta&apos;s White Paper on Digital Rights</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20121116_maltas_white_paper_on_digital_rights/</guid>
			<link>http://www.circleid.com/posts/20121116_maltas_white_paper_on_digital_rights/</link>
			<description><![CDATA[<p>Last month, the Government of Malta published a <a href="https://mitc.gov.mt/MediaCenter/PDFs/1_Digital%20rights%20White%20Paper%20Doc.pdf">White Paper</a> for public consultation, proposing the introduction of four so-called "digital rights" in the Constitution of Malta. The proposal is indeed a step in the right direction but lacks punch where it matters most.
</p>
<p>
The proposed digital rights are the following: (1) the right to Internet access; (2) the right to informational access; (3) the right to informational freedom and (4) the right to digital informational self-determination. Put briefly, the White Paper proposes that such rights be included within Chapter II entitled "Declaration of Principles" of the Constitution of Malta, in other words as mere declaratory, non-enforceable "rights".
</p>
<p>
While the government's efforts are commendable, the White Paper is riddled with misconceptions and does not go far enough.
</p>
<p>
<strong>The notion of human rights: Beyond perceptions</strong>
</p>
<p>
The White Paper unfortunately bundles the so-called "right to Internet access" &#8212; on which there has been extensive academic debate as to whether it should even be recognized as a legally enforceable right (let alone a fundamental human right) &#8212; with the other three "digital rights" which have a human rights pedigree, being facets of or closely linked with the fundamental human rights to freedom of expression, freedom to receive and communicate ideas and information, and the right to privacy and informational self-determination.
</p>
<p>
The White Paper discusses whether access to the Internet is a fundamental human right. A curious &#8212; and rather dangerously demagogic &#8212; argument is made in the White Paper based on what it calls "the people's perception". Basing itself on a 2010 BBC (UK) survey, the White Paper argues that there seems to be a widespread perception in the general public that "fundamental human rights play a part in the discussion" whether access to the Internet is a human right and that indeed, "it would be politically inadvisable to ignore this perception" because "the people have so dictated" (p.7). This perception, the argument continues, is bolstered by "(1) the sense of liberty which the Internet itself has promoted, coupled with (2) the people's broad interpretation of their existent fundamental rights and (3) their limited understanding of Internet governance and regulation" (p.8). Indeed, the White Paper continues, this perception "can only grow stronger" and "indeed evolving into an <em>expectation</em> that access to the Internet should be recognized as a right if not a fundamental human right" (its emphasis, p.9). The same argument that fundamental human rights play a part in this discussion "because the people have so dictated" is repeated on page 11 of the White Paper.
</p>
<p>
I disagree strongly with this argument. Technology is an enabler of rights, not a human right itself. What gives certain basic &#8212; indeed fundamental &#8212; rights the status of human rights is not the fact that "the people" have such a "perception" which then develops into an "expectation". It is the fact that certain rights are inalienable rights to which each human being, by virtue of being a human being, is inherently entitled. This is a high bar and, as <a href="http://www.nytimes.com/2012/01/05/opinion/internet-access-is-not-a-human-right.html">Vinton Cerf</a> puts it, "it is a mistake to place any particular technology in this exalted category, since over time we will end up valuing the wrong things." Indeed, the <a href="http://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/A.HRC.17.27_en.pdf">UN Special Rapporteur</a> on the promotion and protection of the right to freedom of opinion and expression, though recognizing that "the Internet has become an indispensable tool for realizing a range of human rights, combating inequality, and accelerating development and human progress," stopped short of declaring that access to the Internet is itself a human right, but encouraged states to consider "ensuring universal access to the Internet should be a priority." (para. 85).
</p>
<p>
In spite of the abovementioned criticism of the demagogic undertones in the White Paper, it is however laudable that the Maltese Government considers universal access to the Internet to be a priority issue for Malta, both through government policies and by itself taking and encouraging the private sector to take the necessary infrastructural measures. The discussion whether this should also be done through the enactment of a legally enforceable (though ordinary) right to Internet access is also timely.
</p>
<p>
<strong>Rights to receive information and freedom of expression already exist</strong>
</p>
<p>
Freedom of expression and the right to receive information are already protected as legally-enforceable human rights in the Constitution of Malta. Moreover, article 41 of the Maltese Constitution is technology-neutral. Its first sub-paragraph provides, in clear and unambiguous terms that: "Except with his own consent or by way of parental discipline, no person shall be hindered in the enjoyment of his freedom of expression, including freedom to hold opinions without interference, freedom to receive ideas and information without interference, freedom to communicate ideas and information without interference (whether the communication be to the public generally or to any person or class of persons) and freedom from interference with his correspondence". Thus, the right to freedom of expression, including the freedom to receive information and ideas, is not dependent or conditional on the type of medium used to exercise or enjoy this fundamental human right. The manner in which Article 41 of the Maltese Constitution is drafted is broad enough to encompass new technologies and new media. There is thus no need for repetition, especially through some declaratory provisions in the Constitution which are not enforceable. Such rights already exist: what holds offline, holds online.
</p>
<p>
<strong>The proposed right to digital informational self-determination and privacy</strong>
</p>
<p>
The fourth proposed right is the most interesting, though it does not go far enough. The White Paper proposes the introduction of the following provisions: "The State recognizes and shall promote and protect a culture of informational self-determination and privacy of the individual on any form of information and communication technologies, including electronic communications networks, and shall take such appropriate measures to eliminate any unnecessary restrictions thereto that are justifiable in a democratic society."
</p>
<p>
However, the White Paper seems to have gotten the wrong end of the stick. The right to privacy, though recognized at a European and international level as a fundamental human right, is not a constitutionally enforceable right in the Maltese Constitution. The Constitution of Malta, in section 32(c), does recognize that "every person in Malta is entitled to the fundamental rights and freedoms of the individual" including "the right ... to respect for his private or family life". However, section 32 is not an enforceable section. It is merely declaratory. Indeed it is the only section in Chapter IV of the Constitution entitled "Fundamental Rights and Freedoms of the Individual" which is not enforceable before a court of law. Nor is the right to privacy elaborated further in any of the subsequent and enforceable human rights provisions in the Constitution. However, the right to privacy is recognized as a fundamental human right in the European Convention Act, section 8(1) of which reads: "Everyone has the right to respect for his private and family life, his home and his correspondence." However, it is important to highlight that while the fundamental human rights provisions in the Maltese Constitution are entrenched and thus require a two-thirds majority vote in Parliament for their amendment, the European Convention Act, like any other ordinary piece of legislation, may be amended or repealed by a majority vote in Parliament.
</p>
<p>
It is commendable that the Maltese Government sees the need of recognizing and promoting a culture of informational self-determination. However, it would be more effective if this were done through a legally enforceable and constitutionally entrenched right. The right to informational self-determination is, as the Federal German Constitutional Court in the famous 1983 <em>Census Case</em> stated, the individual's right "to determine for himself whether his personal data shall be disclosed and utilized." It is inextricably linked with the inviolability of human dignity and the individual's right to the free development of his personality insofar as he or she does not violate the rights of others.
</p>
<p>
It is thus high time that the right to privacy and the right to informational self-determination are enshrined as an enforceable and entrenched right in the Maltese Constitution. What we do not need is another declaratory provision in the Maltese Constitution, let alone one which is tied only to information and communication technologies. Such a right should be technology-neutral, apply offline as well as online, and constitutionally entrenched and enforceable.
</p>
<p>
<strong>Tailpiece: A hotch-potch of Internet governance, regulation and jurisdiction</strong>
</p>
<p>
The White Paper makes an unfortunate sweeping statement when it claims in one fell swoop that "the Internet is regulated and governed" (p.8). It does recognize that there is a difference between the notions of "Internet governance" and "Internet regulation" and indeed states that entering into a discussion on such a distinction is beyond the scope of such document. However, it then states that "[t]he idea that Internet is an unregulated sanctum emanates from an old school of thought that sought absolute independence from earthly laws [sic] for citizens of cyberspace. Such a concept has long been defeated because the Internet is regulated and governed." Indeed. Such sweeping statements ignore the chequered history of Internet governance, the role of ICANN, the WSIS multi-stakeholder approach to Internet governance, and so much more. They also overlook the difficulties of applying traditional legal notions of jurisdiction and enforcement to cross-border acts (which could be criminal or civil in nature) and transactions.
</p>
<p>
Further on, the White Paper states that these four proposed "digital rights apply across borders, apply to individuals but also businesses, while posing an obligation on the State to take appropriate measures to eliminate any unnecessary restrictions to such rights that are not justifiable in a democratic society." (p. 23). While forgetting for a moment that, being declaratory in nature, the proposed digital "rights" do not impose any obligation on the state, the White Paper seems to be claiming that such rights will have extra-territorial application. The wording used is unfortunate because it gives the impression that the White Paper is overlooking the basic notion in public and private international law that a state can, in principle, only legislate for matters that occur or have an effect on its territory or citizens. If a statute is to have effect beyond Maltese borders, this must emanate from the provisions of some international treaty that both Malta and the other sovereign state are parties to.
</p><p><em>Written by <a href="http://www.circleid.com/members/6883/">Emily Mary Weitzenboeck</a>, Postdoctoral Research Scholar</em></p>]]></description>
			<dc:date>2012-11-16T10:28:00-08:00</dc:date>
			<category>internet</category><category>internet_governance</category><category>law</category><category>policy_regulation</category><category>privacy</category>
		</item>
		
		<item>
			<title>State Hacking: Do&apos;s and Don&apos;ts, Pros and Cons</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20121022_state_hacking_dos_and_donts_pros_and_cons/</guid>
			<link>http://www.circleid.com/posts/20121022_state_hacking_dos_and_donts_pros_and_cons/</link>
			<description><![CDATA[<p>Over the past days a lot has been said and written on counter hacking by enforcement agencies. The cause <a href="http://www.rijksoverheid.nl/ministeries/venj/nieuws/2012/10/16/opstelten-wil-opsporing-op-internet-versterken.html">is a letter</a> Dutch Minister I. Opstelten, Security &amp; Justice, sent to parliament. Pros and cons were debated and exchanged. Despite the fact that I perfectly understand the frustration of enforcement agencies of having to find actionable data and evidence that gets criminals convicted in a borderless, amorphous environment, a line seems to be crossed with this idea presented to Dutch parliament. Where are we?
</p>
<p>
<strong>(Inter)national cooperation</strong>
</p>
<p>
Two things stand out for me in this discussion: information can be extremely hard to find on and around the Internet; national and international cooperation is apparently very hard to achieve.
</p>
<p>
<em>a. Researching the Internet</em>
<br />
The first is that it is often unclear where criminal activities, spam, hacks, espionage, etc. on the Internet really come from. This all has to do with flaws in software and hardware, the ease with which Internet resources can be acquired, hosting companies that specialise in bullet proof hosting and borders in the real world that do not exist online, and many, many more. Most of the options to change this lie beyond the grasp of governments, in the private realm.
</p>
<p>
<em>b. Cooperation</em>
<br />
The second is that national and international cooperation is very hard to establish, as the <a href="http://woutdenatris.wordpress.com/2012/09/17/581/">report of De Natris Consult</a> shows. In other words, receiving data and evidence from abroad takes time and effort, and at times is completely impossible as some agencies and countries are not able to or flatly refuse to cooperate. People that state that this needs to be bettered are spot on, but also need to realise that this is going to take years if not decades to realise. If ever. At the same time: start working on it today, right after reading this blog post. Don't lose another second to start achieving it.
</p>
<p>
I'm not even bringing in coordination of effort between different entities at national and international level here, as it is too far beyond the reality of most people. One of the answers to a securer Internet does lie here though.
</p>
<p>
Both these approaches are in the realm of governments, so why do most not make haste to better the positions of agencies to investigate, cooperate and coordinate and their ability to have more success at what they are meant to do in the first place?
</p>
<p>
We have to conclude that the two roads presented here to a safer Internet at present do not present a solution.
</p>
<p>
<strong>Hacking</strong>
</p>
<p>
So, back to hacking. The public person advocating it most loudly in The Netherlands is Ronald Prins, CEO of Fox IT, accused on Twitter by Dutch ex-parliamentarian Femke Halsema of having a commercial interest in the matter. Whether true or not is not really relevant here, as the idea is embraced by a Dutch minister (and his advisers). I want to go back to crossing lines. What if we reverse the subject?
</p>
<p>
<strong>Dictatorships</strong>
</p>
<p>
In a dictatorship there are many laws that are not acceptable in a democracy. Still, they are the applicable law in those states. So here we are, hacking away and at some stage a dictatorship decides to do so also and manages to hack into a server, in this country, of a secure hosting company hosting the domain of subversive elements (free speech advocates in our vocabulary) within the dictatorship. As a result it arrests the whole organisation and executes most members after a show process. Soon after the executions the dictatorship reports the hack to The Netherlands' government as part of an investigation on the basis of laws X and Y. This is only reciprocal, right? (I would not be surprised if this is not already standard practice, illegally, unannounced, without anyone knowing. Making it standard practice is another matter.) It's not something that a country like The Netherlands wants to see happening.
</p>
<p>
<strong>Democracies</strong>
</p>
<p>
In a democracy the rule of law is the standard. If a country is to allow hacks nationally or internationally, it could only be after due judicial process before the hacking and checks afterwards. Nationally I'd say that this is and should be the standard. The law allows it or not and has obligatory, standardised procedures before it is allowed.
</p>
<p>
Internationally, international law and agreements kick in immediately. The question whether a hack could ever produce actionable data and evidence is a principal one. But even if this hurdle is taken, the circumstances should be the same as nationally. Any other way the rule of law is undermined, with all the negative consequences to a democracy. So if hacks are to be allowed, not without due judicial process in The Netherlands and elsewhere. The circumstances and specifics must be very well defined, for any country wanting to go this way. A sort of last resort when all else fails.
</p>
<p>
<strong>Securing a nation</strong>
</p>
<p>
An element that I think is seriously overlooked in this discussion, is how does a country want to protect its citizens, institutions and industry from online threats? By counter hacking surely not. Even if copying actionable data and evidence from servers and computers situated abroad is to be allowed, if the criminals are active from an unwilling country, not much changes. I have more confidence in another approach, on which more at a later stage. It will take cooperation, international cooperation even.
</p>
<p>
<strong>Concluding</strong>
</p>
<p>
Yes, I do believe that, under the proper circumstances, hacking could be a tool used in investigations. E.g. to determine the location of a server when this is unclear. It ought to be a sort of last resort though. If not it is going to be easier and easier for enforcement agencies to cross lines further and further, invading privacy further and deeper, "as we have nothing to hide". A descending scale. It did not work this way in the past and shouldn't in the future. Innocent until proven guilty seems to become a burden, but this is one of the bold underscores of democracy. Also in times of the Internet. Again: do not do a digital something just because you can, without discussing consequences in a serious way!
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2012-10-22T10:27:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>internet_governance</category><category>law</category><category>malware</category><category>policy_regulation</category><category>privacy</category><category>security</category>
		</item>
		
		<item>
			<title>The Internet and the Legitimacy of Governments</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20121009_the_internet_and_the_legitimacy_of_governments/</guid>
			<link>http://www.circleid.com/posts/20121009_the_internet_and_the_legitimacy_of_governments/</link>
			<description><![CDATA[<p>In two recent debate events I participated in, on iFreedom and privacy in the online world, mistrust of government and government's intentions and motivations on and towards the Internet were abundantly present with more than just a few people in the audiences. The emotions were not new to me, no, it was the rationality that surprised and sometimes almost shocked me. Why? Well, should these sentiments get the support of the majority of people, it would undermine all legitimacy of a government to govern. Let's try and take a closer look. More to start a debate, than to explain. True to this blog, I limit myself, mostly, to cyber security and crime, but to set the stage I start with the role of government in security in general and work towards the question whether the "contract" between government and citizens needs a renewal for the digital age?
</p>
<p>
<strong>The role of government</strong>
</p>
<p>
In everyday life government has many roles. Here we limit ourselves to security. (In short) citizens expect their government to uphold the rule of law and protect them, its citizens, to the best of its abilities in a general sense and where necessary individually. The same goes for institutions, economic interests, the environment, air traffic control, etc., etc. Citizens on their end are supposed to know and uphold the law. The government is given special tasks and powers to do so even up to the exclusiveness on the use of violence in order to protect and/or prevent harm. As a next best citizens expect to have law breaches investigated and enforced. All this is written down and specified in laws. After a judicial process governments by way of trials can punish in the form of penalties or a prison sentence.
</p>
<p>
If there is a downside, this is it. Government institutions investigate breaches of the law or take preventive measures to provide security, which always infringe on someone's basic, individual rights or privacy; which are waived for the common good. The level up to which and the context within which these sorts of measures are taken depend on the society one lives in. This is a sort of "social contract" that a government and its citizens have signed. In the analogue life the present "contract" between government and citizens is seen as normal in a constitutional democracy. It is safe to say that it is the digital environment that worries people the most. It's new and unknown. For all concerned.
</p>
<p>
<strong>The digital environment</strong>
</p>
<p>
There are a few angles I want to focus on: free speech advocates, government and the Internet, the dark side of the Internet and the role of governments, and finally the tendency to move forward into the digital realm just because it's possible.
</p>
<p>
<em>&ndash; Internet free speech advocates</em>
<br />
Is the "contract" working in the digital world also? It appears not to be. The Internet freedom advocates fight for free speech and non-governmental interference on the Internet. And I cannot agree more on free speech. This is the greatest good in a democracy, something, by the way, a lot of people seem to forget sometimes.
</p>
<p>
Lately it appears that "rightist elements in western governments", as they are called somewhat conspiratorially here and there, are working hard on making freedom of speech and privacy less common, through drafting and accepting "reactionary" laws. The stirring of fright caused by terrorist actions, although the mere threat is enough, religious biases, populists' demands and the general uncertainty of the economic crisis are all used to draft or amend these laws. (If you like to read more, I suggest Nick Cohen's excellent 'You can't read this book'.)
</p>
<p>
Yes, a lot of people are frightened or are made to feel frightened and some laws are passed as a result, which downplay individual rights. These are but a few examples of what Internet freedom advocates warn about and up to a certain extent I can see why. Other causes for concern have to do with storage and joining of databases, insecure storage, etc. by governments. Quite often these concerns are expressed in a more general sense, despite the fact that some accumulation of data is the result of the above mentioned laws. I come back to this shortly under the sub header 'Don't do something because you can' below.
</p>
<p>
<em>&ndash; Who "owns" the Internet</em>
<br />
On the other hand Internet critical infrastructure is not owned by governments for the most part. It's in private hands. It was private investments and innovations that brought all the positive excitement on and around the Internet. As a consequence the role of governments in Internet security, protocols and governance is more limited than one would expect. They can play a significant role in their own infrastructure and seem to do so at present, but what can they do in the private realm? If, on top of that, we take into effect the borderless nature of the Internet, an individual government's role is even downplayed more. One government('s institutions) have no say in another government's jurisdiction, leaving it powerless and subjected to the good intentions of its colleagues. (see below)
</p>
<p>
In a more abstract sense this is different, as a government wants to protect the nation and its interests. It is here where the discussion of Internet freedom and Internet governance converge and clash. The question is how big the role of an individual government is or can be on the borderless Internet. It may just not be as big as some want and can't be without stopping the way the Internet works. It's a brave new world, but also a little like the 1880s Wild West. We are all experimenting here, including governments. What works they ask themselves? Laws? Regulating the Internet? Influencing private Internet organisations? Surveillance? Counter-hacking? Impinging fundamental freedoms? ??? What will not work for the West, if not for all, is cutting yourself off the Internet and developing your own in splendid isolation.
</p>
<p>
<em>&ndash; The darker side of the internet</em>
<br />
Let us not forget to look at the use the Internet is put to also. From spam, fraud, extortion, phishing, the spreading of malware, attacks and all the way to espionage or disruption of the functioning of companies, institutions and states. Harming individuals, organisations and, so far luckily only in theory, wrecking a whole society.
</p>
<p>
Do we not then expect government to play the same role in the digital realm as in our analogue lives? My guess is that we (all) do, however it seems that something has gone wrong in the perception on the how and what governments do, what they are for in the first place. It does seem that people tend to get very disappointed if a government fails to protect, even where a government does not have a role to play. As a conclusion I think I can put here that "we" expect our government to protect us from online criminal or terrorist harm, but I also need to ask: to what extent and can it?
</p>
<p>
<em>&ndash; Monopoly on violence and the Internet</em>
<br />
As long as violations of laws on or through the Internet are committed within a country, there is no problem. All powers granted by law can be used in investigations and subsequent actions against individuals or legal bodies. The hard part is to have another entity cooperate as soon as a violation is, or appears to have been, committed from abroad. As De Natris Consult's study into national and international cooperation concerning online threats shows (click <a href="http://woutdenatris.wordpress.com/2012/09/17/581/">here</a>), cooperation is not as simply achieved as might be expected. There's a world to win here.
</p>
<p>
As an interim wrap-up: governments have no ownership of the Internet and run into borders. In the end this tends to make them ill-suited to protect an online society. They do not feel comfortable with this situation.
</p>
<p>
My favourite quote, as some may already know, is: "It's international, we can't do anything!" This is just not true. In the end every violation on the Internet is domestic, unless there is no law against that specific (cyber) crime in a country. But isn't stealing, stealing? Fraud, fraud? Extortion, extortion? Etc.
</p>
<p>
So governments run into the problem of jurisdiction at borders, where (cyber) criminals do not. Is the solution to have international permission to do digital investigations abroad, or better (suited) cooperation programs that take the required speed of assistance into account? Or to create an Internet task force with cross-border coordinating powers that can tap into the best suited and equipped organisation to work with in any specific country? My guess is either of the latter two, but that is not for me to decide.
</p>
<p>
<em>&ndash; Don't do something because you can (at least not on impulse)</em>
<br />
In the past decade and a half we have entered a brave new world. A world that seems to offer endless possibilities to us and to governments. Let's look at us first. Yes, you and me. "We" seem to dive into every opportunity on offer on the Internet with abandon, hardly checking consequences. We involve ourselves in illegal activities that we may not even see as illegal any more, e.g. illegal up and downloading, file sharing, downloading illegal copies of software, ordering illegal substances, etc. We click on anything and give away our most private data because of the offer of a free something competition, and we share them on social websites. Not very careful, are we? Most of these actions come with a chance of a viral contamination that potentially threatens society as a whole.
</p>
<p>
But what about entities? Companies have connected their networks and installations to the Internet and so have governments. Why? Just because they could, because it seemed to save money, because it seemed such a good idea, and for the ease of working remotely. Let's call it innocence in the face of progress.
</p>
<p>
The consequences of these opportunities have become abundantly clear in the past years. Governments are contemplating or are in the process of taking measures. Companies still seem to lag behind. Cost vs. profit? Short term policy and shareholders' primary concerns vs. long term security? It may just be true.
</p>
<p>
On the enforcement side, governments have also entered this brave new world and they are finding out what the possibilities in this world are. And yes, they are starting to use them. Why? Just because they (technically) can, because it seems to save money, for the ease, because they truly do not see another option in this borderless world, etc. At the same time net neutrality is seen as a great good by some governments, including the Netherlands. A bit at odds? Perhaps, but not necessarily so.
</p>
<p>
Yes, it is dangerous to just do something because it is possible. Governments and industry are discovering just that in embarrassing and (financially) painful ways and are starting to pay the price, probably many times over the savings. That goes for connecting critical infrastructure directly to the Internet without thinking through the consequences (for security) first. It goes for clicking on anything that is presented, but also for weak protection and losing privacy-sensitive data over and over again. The same goes for routinely taking surveillance techniques to the Internet without thinking through the democratic consequences and the presumption of innocence first.
</p>
<p>
The Internet does create a tremendous opportunity for nation states to connect, store and analyse data, to track and follow people. It is very hard not to give in to these possibilities, as they make enforcement, at first sight, so much easier. Temptation vs. integrity? A good reference question could be: would this technique be used in a dictatorial state to keep track of the population's activities? If yes, then maybe it's a bad choice if you're in a democracy.
</p>
<p>
<strong>Privacy and web 2.0 use of data</strong>
</p>
<p>
What surprised me is that web 2.0 solutions in the cloud, and the terms and conditions of web services like Google, Facebook and all sorts of apps, did not concern the audience as much. Some speakers did bring this in, but from the interface level: the ease with which privacy could be protected through a click or not, not what happens with data behind the interface. The concerns about governments, as discussed above, all arise from the fear of losing privacy. Isn't the same true here?
</p>
<p>
An app that comes, unasked for, with a smartphone, announces an update. Reading the terms, it says something like: "You consent to the app looking into your contacts list, your e-mail box" and what not. What for? What reason could an app have for browsing my, and by default also my contacts', privacy-sensitive data and perhaps even the content of private messages? Isn't this at least as scary as a government snooping around the Internet? In my opinion it is. Who knows what happens with your data, to whom it is shown, sold or handed over because of investigations in other countries? Still, how many people read the terms and conditions of an app when updating (or before installing) and don't accept because of these terms?
</p>
<p>
This as an aside, but isn't it also governments that the public tends to look at to sort this out? E.g. through privacy laws and the enforcement thereof? Yes, it is. A role we accept as normal. Because it doesn't affect us, I add hesitatingly?
</p>
<p>
<strong>Is mistrust a populist trend?</strong>
</p>
<p>
It could be that the distrust of governments, in this context, is a part of the general lack of respect that government officials have been shown over the past years. E.g. the attacks on ambulance personnel, police or teachers, aggression in hospitals, project X parties and what not. However, I don't think so. It is at least one layer deeper than this. The people discussing the topics on online privacy seem to have a general distrust of the motivation of government's actions towards them individually and towards society as a whole. A mistrust they may not have offline where drugs or organised crime investigations are concerned (and don't affect them personally?, I add hesitatingly again).
</p>
<p>
And it certainly does not fall into the "We need to punish harder", "except when I violate a law" trend.
</p>
<p>
It's also too easy to discard this all as just conspiracy theory thinking. To do so may be very damaging. The same goes for holding up hands in defence and saying: "but you don't understand what governments (don't) do!" That may just be the underlying problem, but not an excuse not to act and address the issue. This could even be very damaging to a government's credibility.
</p>
<p>
So where must we look then?
</p>
<p>
<strong>A new contract between governments and society</strong>
</p>
<p>
When a government, in the face of its actions, loses its credibility with a large part of society, it loses its rights and legitimacy to govern. When citizens lose their trust in their government, the result is distrust, frustration, anger and in the end upheaval. (Just look at what is happening in Greece this very moment.) The balance between justified investigations and unnecessarily infringing basic rights is delicate, as the discussion on privacy and online freedom at NL IGF suggests.
</p>
<p>
I see two main questions a government has to ask itself:
<br />
1. How far can we protect you? and
<br />
2. To what extent should we go to protect you?
</p>
<p>
The answer may be all-telling: No, we can't always protect you, and neither should we want to, as it would no longer be democratic and would certainly impinge on (your) basic rights and freedom of speech. We all know from the analogue world what these rights are. They are in principle no different in the digital realm.
</p>
<p>
However, to a lot of people there seem to be major differences, especially because of the way they perceive governments acting on and around the Internet. This gives cause to discuss the boundaries of government's actions on the Internet. The outcome of the questions above on the extent to which a government can protect its citizens, on and offline, could serve as a starting point. The choices thus made in democratic fashion lead to a renewed set of commitments that were discussed, decided on and supported by the majority. Let's call the outcome a renewed "contract" between the government and its citizens for the digital age. It may be a good step towards normalising relationships between the two and putting an end to experimenting.
</p>
<p>
<strong>Conclusion</strong>
</p>
<p>
A government has an important role in protecting the state, the nation and its institutions, organisations and citizens from harm and attacks; in short, "us". In the digital realm it sometimes can't do this, as attacks come from anywhere in the world and sometimes even from people('s ICT tools) who are unaware of their direct role. Still, when security fails, government is often directly blamed. For government to be able to play its role towards and on the Internet, it may be very important for governments to explain what they do, why they do it and the results they get, without overstepping the boundaries of the rule of law, while protecting the individual rights that are fundamental to constitutional states and protecting free speech at the same time.
</p>
<p>
At present too many people seem to miss the balance between actions, the law and their privacy and freedom, whether true or false. This sentiment should concern governments deeply, as the balance between the two is very delicate. Only by seeking dialogue and discussing necessary measures can trust be found and support gained for a new contract between governments and citizens for the digital age. A government deserves respect, but also needs to make sure it earns that respect through its actions.
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2012-10-09T12:22:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>internet_governance</category><category>law</category><category>policy_regulation</category><category>privacy</category><category>security</category>
		</item>
		
	</channel>
</rss>