<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:admin="http://webns.net/mvcb/"
	xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
	<channel>
		
		<title>CircleID: Privacy</title>
		<link>http://www.circleid.com/topics/</link>
		<description>Latest Privacy related postings on CircleID</description>
		
		<dc:language>en</dc:language>
		<dc:rights>Copyright 2012, unless where otherwise noted.</dc:rights>
		<dc:date>2012-02-11T13:09:00-08:00</dc:date>
		<image>
			<title>CircleID</title>
			<width>130</width>
			<height>45</height>
			<url>http://www.circleid.com/images/logo_rss.gif</url>
			<link>http://www.circleid.com/</link>
		</image>
		
		<item>
			<title>Privacy Rules to Change in the EU, But What If &#8230;?</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120124_privacy_rules_to_change_in_the_eu_but_what_if/</guid>
			<link>http://www.circleid.com/posts/20120124_privacy_rules_to_change_in_the_eu_but_what_if/</link>
			<description><![CDATA[<p>In a <a href="http://blogs.wsj.com/tech-europe/2012/01/23/reding-details-sweeping-changes-to-e-u-data-laws/">presentation</a> EU Commissioner Viviane Reding gave a preview of the new Privacy regulation her DG is preparing. As she states, privacy rules need to be brought up to date and harmonized. With all 27 member states having the same rules and tools to enforce, a company will only deal with one privacy commissioner, i.e. the one of the country of its main establishment. What a lot of red tape gotten rid of. So, what if we, for the sake of this blog, take this initiative towards spam and cyber crime? What would this do to spam enforcement?
</p>
<p>
<strong>ACMA receives a major compliment</strong>
</p>
<p>
In 2004, when I first entered the anti-spam arena, this was a mantra that I had to hear very often: "Spam is international. We cannot do anything", spoken with a lot of emphasis and some despair. Unfortunately in 2012 this is still true for many countries. Not because of the fact that it is impossible to do something about spam, no, but due to a lack of initiatives. I think that a great compliment to Australia's ACMA (Australian Communications and Media Authority) was published on <a href="http://www.circleid.com/posts/how_canadas_new_anti_spam_act_could_affect_your_email_marketing/#857">CircleID</a> in a comment to an article about the impact of Canada's spam law on local businesses. Brett Watson, an Australian internet engineer, writes:
</p>
<blockquote><p><em>"However, my present (and general) lack of anything to complain about reflects well on the law and its enforcement&#8230; Perhaps what's most telling is that I have, for the first time, subscribed to some advertising newsletters in recent years. I don't feel the need to jealously protect my email address any more, or diligently use uniquely tagged addresses when handing them over. I trust ACMA to keep the companies in line, and the trust seems well placed so far."</em></p></blockquote>
<p>
This proves that fighting spam is effective and that the combination of enforcement with filtering by ISPs keeps mailboxes clean. Spam hasn't gone away, but at national level companies are disciplined and mostly act within the law in the few countries with vigorous enforcement bodies.
</p>
<p>
<strong>Who enforces what?</strong>
</p>
<p>
Privacy and spam are closely related. Spam is seen as an invasion of privacy. But it goes way beyond mere privacy. Privacy sensitive data is often used, sold or worse stolen in order to approach people. Whether to sell a(n illegal) product, phish for more (bank)data or industrial espionage, a stolen e-mail address is often the basis of law violations. The patchwork of enforcement agencies, unclear enforcement powers, the lack of understanding of the issues at stake, of resources, training or powers, the unavailability of online reporting of spam or cyber crime, all mean that enforcement is far from optimal in most countries.
</p>
<p>
<strong>Standardisation of spam and cyber crime law</strong>
</p>
<p>
Could a standardised law, with a standardised toolkit for enforcement agencies, make a difference? Yes, I think that it would. For the public it would mean that there is the certainty that when the law is broken, it is clear who to report to and that it is likely that an investigation follows. That it makes a difference to complain. For senders it also sets clear boundaries. Their business continues, as is proven in e.g. The Netherlands, but in compliance with the law. Next to that it offers this clarity in 27 states.
</p>
<p>
As spam, e-fraud, phishing, cyber crime and worse are all so closely related and often involve several countries, it makes sense to be more directive from Brussels. At national level there are so many different laws, ministries and enforcement agencies involved, that coordination there is almost utopian. Next to the fact that success without industry participation is clearly unthinkable. Despite the fact that the Dutch <a href="www.ncsc.nl">National</a> Cyber Security Centre is a promising initiative, it is obvious that for most countries this form of public-private cooperation is hard to attain.
</p>
<p>
<strong>A proposed course of action for the EU Cyber Security Centre</strong>
</p>
<p>
The discussion about the EU Cyber Security Centre is under way. Let me give a pointer on what the centre could do. To my mind it ought, also, to actively collect, analyse and share data with those involved: public and private entities, universities. This gives the centre coordinative powers in matters cross border and across different enforcement organisations as well. Two difficult hurdles taken&#8230; should this come to pass. The combination of the overview and oversight with the transparency caused by available, shared data makes all concerned answerable for their (lack of) actions to the centre and each other. I am also convinced that this model will lay the foundation for cooperation with whole new groups of Internet industry partners that are now harder to reach/convince.
</p>
<p>
<strong>Ambition at Commissioner level</strong>
</p>
<p>
If Commissioners Kroes, Malmström and Reding used their powers to harmonise the laws and enforcement in the way Ms. Reding proposes for privacy, i.e. the same law and enforcement tools, standardised enforcement agencies and a point of case handling, the fighting of privacy infringements, spam, malware and cyber crime may actually take a turn for the better. They are so intertwined that another approach is (well, should be) almost unthinkable.
</p>
<p>
The combination of a pro-active EU Cyber Security Centre with a layer of harmonisation where enforcement is concerned will prove to be a structural step forward from the present situation in many countries. Yes, this is ambitious, but it is clear that the present approach is not going to change much. Everything cyber is still a field day for criminals and a private company, Microsoft, so far is the most successful in fighting botnets. This ought to be different, shouldn't it?
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2012-01-24T08:59:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>data_center</category><category>email</category><category>law</category><category>malware</category><category>policy_regulation</category><category>privacy</category><category>spam</category>
		</item>
		
		<item>
			<title>European Commission Proposes &quot;Right to be Forgotten&quot; Internet Law</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/european_commission_proposes_right_to_be_forgotten_internet_law/</guid>
			<link>http://www.circleid.com/posts/european_commission_proposes_right_to_be_forgotten_internet_law/</link>
			<description><![CDATA[<p>A new law promising internet users the "right to be forgotten" will be proposed by the European Commission on Wednesday. It says people will be able to ask for data about them to be deleted and firms will have to comply unless there are "legitimate" grounds to retain it. The move is part of a wide-ranging overhaul of the commission's 1995 Data Protection Directive.
</p><p><strong>Read full story:</strong> <a href="http://www.bbc.co.uk/news/technology-16677370">BBC</a></p>]]></description>
			<dc:date>2012-01-23T12:04:00-08:00</dc:date>
			<category>internet</category><category>internet_governance</category><category>law</category><category>privacy</category>
		</item>
		
		<item>
			<title>Secret Doors in Phones and Computers</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120110_secret_doors_in_phones_and_computers/</guid>
			<link>http://www.circleid.com/posts/20120110_secret_doors_in_phones_and_computers/</link>
			<description><![CDATA[<p>An article appeared in <a href="http://blogs.computerworld.com/19531/hacked_memo_leaked_apple_nokia_rim_supply_backdoors_for_govt_intercept">Computer World</a> that alleges: "in exchange for the Indian market presence" mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as RINOA) have agreed to provide backdoor access on their devices.
</p>
<p>
Could it be true that Nokia, RIM and Apple opened up to Government interception?
</p>
<p>
It is no longer directives only to ISPs and Telecom companies. The lawful or not-yet-lawful pressure to open up for "lawful intercept" is now extended to Phone Hardware Manufacturers, Computer Hardware Manufacturers, possibly even Chip Manufacturers and other component Manufacturers. Perhaps even hard disk manufacturers. Governments in some or many countries are probably exploring or implementing methods to build in secret doors to own capabilities to intercept communication of any kind.
</p>
<p>
I am concerned, not because Government of India is alleged to have intercepted US China Economic and Security Review Commission as ALLEGED and MAGNIFIED in this article (You spy on us, we spy on you, is a game that Governments play all the time).
</p>
<p>
What concerns me is the fact that there is an allegation of phone and computer hardware companies in addition to telecoms and ISPs forced to compromise on the integrity of their products and services "in exchange for market presence" in one or two billion-population geographic regions, quite possibly also in billion dollar geo-regions. This is happening, as reported, now for inter-governmental intercepts, but it would soon lead to wider compromises resulting in the intrusion of users' private space. (Or, is it already happening?) Governments (not only India as magnified in the Computer World article) pressure companies, even ones that are global and very large, and make them open secret doors for surveillance of computers, phones, and all communication.
</p>
<p>
There are clear signs of this happening in a phone or computer you 'own' or on the cloud which hovers all above you.
</p>
<p>
I have always suspected that this <em>has been</em> happening from the time a Global Software Company in the US was harassed on anti-trust charges ten years ago. Even that probably had something to do with untold pressures on the company to open back doors in their operating system. (Perhaps. I don't know. Don't know at all. All that I am saying is entirely based on what occurs in my mind. I have not read or heard anything that supports this theory.)
</p>
<p>
Is the pressure on companies such as Nokia so overwhelming? (If what is said in the article is true)
</p><p><em>Written by <a href="http://www.circleid.com/members/3601/">Sivasubramanian M</a>, CEO, Turiya and President, Internet Society India Chennai</em></p>]]></description>
			<dc:date>2012-01-10T12:06:00-08:00</dc:date>
			<category>internet</category><category>internet_governance</category><category>privacy</category><category>telecom</category>
		</item>
		
		<item>
			<title>2012: The Year of Securing Websites?</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/2012_the_year_of_securing_websites/</guid>
			<link>http://www.circleid.com/posts/2012_the_year_of_securing_websites/</link>
			<description><![CDATA[<p>In a seemingly never-ending row of news on hacks of websites, now comes <a href="http://webwereld.nl/nieuws/108680/publieke-omroep-lekt-2-3-miljoen-persoonsgegevens.html">this</a> one, in which 2.3 million individual cases of privacy sensitive data were accessible through a leak in the websites of most public broadcasting stations in the Netherlands. To make the news more cheerful, the accessible data was, if compiled, sufficient to successfully steal a complete identity. What were the thoughts that came to my mind after hearing this news on Friday?
</p>
<p>
<strong>Unbelief</strong>
</p>
<p>
The 8 o'clock news item ended with the soothing words that everything possible was being done to secure the websites. What?, I thought. After all the items in the past year on the public broadcast news on hacks, phishing, hacked companies and websites, you guys never bothered to check your own? Apparently this is a thought that doesn't spring up in anyone's mind till it's too late. Or is it?
</p>
<p>
<strong>Ignorance or not caring?</strong>
</p>
<p>
So either the level of ignorance on security at the IT side of companies and organisations is disconcertingly high. Are these people so ignorant or incompetent security wise? If this was the year 2000, I'd answer yes, but not in 2011.
</p>
<p>
Or the situation is much worse. Do people not care because losing privacy sensitive data is of no concern to them? Nothing is lost that damages an organisation. Some reputation at most, but nothing that seems to ring much longer than the news item. Is this a reason why no money is spent on preserving the data in a secure way? That there is no incentive to do so, because there is no consequence attached to losing the data? In the end no one seems to be held accountable.
</p>
<p>
<strong>Well, there's Diginotar, isn't there?</strong>
</p>
<p>
Only in a situation like Diginotar the consequence was ultimate, bankruptcy, but in most other cases there is no alternative for the persons whose data was lost. The voters of Radio 2's "Top 2000", who were the hardest hit by the hack, will vote again next year. The same goes for most other hacks. Does anyone switch from Sony or Visa, Ticket.nl, etc., to another company because of a hack? Usually not. Also there is no legal consequence from an enforcement point of view as privacy commissioners are not focussing on commercial companies and may not have the teeth to really bite.
</p>
<p>
<strong>Why do they need all this data?/What do they use it for?</strong>
</p>
<p>
When I'm filling in an online form, I usually wonder what they need all this data for. There is absolutely no need for me to fill all this in in order to participate or order something. Still it's asked, obligatory fields too and subsequently lost through hacks, as apparently it's also stored for about forever. So, I'm only guessing here, they either ask far too much or they use it for other (commercial?) purposes. Maybe it's a good thing when companies and organisations start asking themselves whether they need all this data, if they can't protect it. Maybe for a government to think about rulings?
</p>
<p>
<strong>Privacy debate</strong>
</p>
<p>
Journalist Brenno de Winter on Twitter stated that it's about time we had a national privacy debate. A good idea, but not something we should all wait for as the answer, because in the meantime there will not be a website left to hack.
</p>
<p>
It's also time for a debate with organisations and companies that are responsible for hosting, creating, maintaining, etc. websites on what the quick wins could be. Like in right now.
</p>
<p>
What could be a good result? I guess, to progress to a situation in which all major organisations in the Netherlands, whether public or private, that store data on a grand scale:
</p>
<ul><li>are aware of threats;</li>
<li>comply with socially wanted and needed levels of security;</li>
<li>have and maintain secure websites, including older versions, and have their passwords to a higher level (160 times the same password for public broadcast websites maintenance!);</li>
<li>and on a voluntary basis;</li>
<li>build new websites from now on that are automatically secured.</li></ul>
<p>
How to achieve that? I can think of a few ways, but then so can you, right?
</p>
<p>
The debate could tackle enforcement of non-complying organisations and if the privacy commissioner isn't able to do so, give it to OPTA (in The Netherlands. Elsewhere an agency with like enforcement powers). I'm thinking along the lines of a "duty to care" ("zorgplicht") which is already in the Telecommunication Act.
</p>
<p>
Or we can decide that we don't care, so we can stop publishing about it. Let's not forget that that is also an option. Not one that I'd favour by the way. Apparently self-regulation isn't working, so do something about it.
</p>
<p>
Let's make 2012 the year of securing websites!
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2011-11-28T07:18:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>internet_governance</category><category>policy_regulation</category><category>privacy</category><category>security</category>
		</item>
		
		<item>
			<title>How a New gTLD Should Choose a Back&#45;end Registry System &#45; Part 3</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/how_a_new_gtld_should_choose_a_back_end_registry_system_part_3/</guid>
			<link>http://www.circleid.com/posts/how_a_new_gtld_should_choose_a_back_end_registry_system_part_3/</link>
			<description><![CDATA[<p><em>This part 3 of the selecting a back-end registry service provider series focuses on Whois and sharing data in new gTLDs (see part <a href="http://www.circleid.com/posts/20110726_six_key_issues_about_operating_a_tld_registry/">1</a> and <a href="http://www.circleid.com/posts/how_a_new_tld_should_choose_a_back_end_registry_system_part_2/">2</a>)</em>
</p>
<p>
If you've ever looked up information about a domain name you've used a Whois service. It's the public information system about contact information for a domain name or IP addresses, though in this article, we will just talk about domain name Whois.
</p>
<p>
In some generic and sponsored Top Level Domains (gTLDs), Whois is run authoritatively by the gTLD. In older gTLDs such as .com and .net, the authoritative Whois service is run by the registrar responsible for the domain name. While some TLD operators run their own infrastructure, when a TLD operator uses a back-end service provider, that provider also provides the TLD Whois service. This public information system is of interest to law enforcement agencies and bodies, attorneys and courts, those studying the commerce of domain names, and those trying to address technical administration issues. It is typically operated as an open system that anyone can query. However, that very well could change over time and in certain circumstances, as I explain later in this article.
</p>
<p>
<strong>How you access Whois</strong>
</p>
<p>
Most people query Whois information through a web-based query page, usually through a registrar's Whois website, as well as those of gTLDs. The information returned is typically only relevant to the registrar's offered gTLDs, but there are also more generic Whois query tools. (Whois also has a machine level interface offered for querying on Port 43, which is what those nice web-based Whois query pages are actually talking to behind the scenes.)
</p>
<p>
<strong>What does Whois provide?</strong>
</p>
<p>
The content returned in different registry and registrar implementations of Whois can vary in how the output is displayed, but they are all more or less providing the same area of information. Whois services return contact information by area of responsibility for the domain: technical, administrative, billing or finance, along with the registrant of the domain, the registrar, and registration date. The contact information itself typically contains items such as name, address, email and phone numbers.
</p>
<p>
<strong>Would you like your Whois, thick or thin please?</strong>
</p>
<p>
Thick Whois: Gathered by the registrar during the registration process, this information is stored in the registry of the gTLD operator, which is responsible for ensuring the data is valid. Most gTLDs conduct periodic Whois compliance audits rather than a complete real-time validation of submitted Whois data. Even if a gTLD offers thick Whois, registrars are required to maintain their own Whois service for their domain names. Since the registrar has the ability to update the related Whois information in the actual registry in near real-time, it is expected that the registrar maintain synchronized Whois data output between what their Whois service offers and what the gTLD Whois service offers.
</p>
<p>
Thin Whois: This really only applies to .com, .net and certain ccTLDs where the gTLD's Whois offers much less information about the domain. Its primary value is to point to the registrar's Whois service, where one should expect to find the detailed Whois we see in a thick Whois. In this model, the registrar's Whois service is authoritative and must remain in compliance with ICANN's Whois data output requirements.
</p>
<p>
Why is this model not as desirable? It comes down to compliance monitoring. It's easier to hold a number of gTLDs accountable for Whois compliance under the thick model than to run periodic audits on many registrars for the many gTLDs they may service.
</p>
<p>
<strong>Privacy</strong>
</p>
<p>
Local privacy laws and practices in a global operating environment remain a challenge. Requiring full public Whois output can violate privacy rights of the region/jurisdiction where a registrant operates.
</p>
<p>
ICANN allows for exceptions to their requirements for thick Whois contact data where local laws contravene those requirements. This means that, theoretically, a gTLD might have to treat the Whois output of a registrant differently based on their residence or in relationship to the corporate home or operating region of the gTLD itself. It's clear there will be some variation in the way gTLDs approach Whois output as a result of these issues.
</p>
<p>
Whois proxy services have been offered by registrars for some time now. These are services that provide indirect contact information for those Whois contact areas previously mentioned. For example, instead of putting the real registrant's email address, the email address in the Whois output simply may be a forwarded email address. It still allows you to reach the registrant, but likely it's first filtered by the registrar to see if it's a valid request related to the domain. This product was born out of domain commerce parties mining Whois output for email contacts and incorporating those emails in various email marketing campaigns &#8212; some for legitimate products and some not.
</p>
<p>
<strong>Operating a robust Whois service in the new gTLD environment</strong>
</p>
<p>
Operating a solid thick Whois has a number of upcoming challenges. Whois is frequently a target of companies looking to mine the data. This is done by first downloading daily zone files for a given gTLD, which is free to the requestor and an ICANN required provision by gTLDs. These companies then use automated tools to systematically query the list of active domains and collect contact information for commercial purposes. Unfortunately, Whois queries can be quite small in comparison to the large amount of output the reply generates. This means someone mining Whois can readily apply load on the gTLD Whois servers. In short, an unprotected Whois server is easily knocked over with excessive load.
</p>
<p>
A good back-end registry service provider will have a plan to address this. Most apply a combination of Anycast network based Whois services with significant infrastructure capability and, most importantly, a source-based rate-limiting system to control how quickly a data miner can submit automated queries. Ask your back-end registry service provider what they can do for you and make sure those capabilities are reflected in your Abuse and Access policies in your Whois Service.
</p>
<p>
<strong>A Future for Whois</strong>
</p>
<p>
The changing environment of our Internet is bringing great new opportunities but also new challenges for Whois. For example, one problem is that new Internationalized Domain Name (IDN) TLD registries can't offer contact information in the native characters those IDN registries support in their domains. Another problem is that traditional source based rate-limiting, currently effective against data-miners, is not effective in the burgeoning new IPv6 number space.
</p>
<p>
Whois capabilities being considered are tiered permissioned access to Whois services with related variable output to reflect the different needs of Whois consumers and localized privacy issues. Both consumers and providers alike have expressed an interest in an industry-wide, standardized Whois output structure for some time.
</p>
<p>
Work is underway in several areas to address a number of these shortcomings in Whois optional functionality. Some recent examples of these efforts include ICANN's Internationalized Registration Data Working Group (IRD-WG), various ICANN project groups working on specific IDN TLD implementation script issues, the WHOIS-based Extensible Internet Registration Data Service (WEIRDS) discussion list in the Internet Engineering Task Force (IETF), and ICANN's Whois Survey Working Group (concerned with Whois functional requirements).
</p>
<p>
The most important message a potential gTLD applicant can take away on Whois is this: Expect that the once "simple" service will become much more complicated. Anticipated new functionality in Whois and integration of that functionality into your related Abuse and Access policies should be addressed by the back-end service provider you are considering.
</p><p><em>Written by <a href="http://www.circleid.com/members/5485/">Michael Young</a>, Chief Technology Officer at Architelos</em></p>]]></description>
			<dc:date>2011-10-25T09:52:00-08:00</dc:date>
			<category>internet</category><category>dns</category><category>domain_names</category><category>registry_services</category><category>ipv6</category><category>multilinguism</category><category>privacy</category><category>top_level_domains</category><category>whois</category>
		</item>
		
		<item>
			<title>FBI Official Calls for Secure, Alternate Internet to Protect Critical Utility, Financial Systems</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/fbi_official_calls_for_secure_alternate_internet/</guid>
			<link>http://www.circleid.com/posts/fbi_official_calls_for_secure_alternate_internet/</link>
			<description><![CDATA[<p>Shawn Henry, FBI's executive assistant director, says computer networks that control power plants and financial systems will never be secure enough, so government and corporate leaders should consider developing a new, highly secure alternative Internet, according to an AP report. "We can't tech our way out of the cyberthreat. The challenge with the Internet is you don't know who's launching the attack." A key step, he said, would be to develop networks where anonymity is not an option and only known and trusted employees have access.
</p><p><strong>Read full story:</strong> <a href="http://old.news.yahoo.com/s/ap/20111020/ap_on_go_ca_st_pe/us_pentagon_cyberattacks">Associated Press</a></p>]]></description>
			<dc:date>2011-10-20T13:56:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>internet_governance</category><category>malware</category><category>privacy</category><category>security</category>
		</item>
		
		<item>
			<title>EFF on Facebook&apos;s Cross&#45;Site Tracking</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/eff_on_facebooks_cross_site_tracking/</guid>
			<link>http://www.circleid.com/posts/eff_on_facebooks_cross_site_tracking/</link>
			<description><![CDATA[<p>On September 25th, 2011, Nik Cubrilovic, a hacker and writer, published a blog post that showed that a particular Facebook session cookie wasn't being deleted after a user logged out. He noted that the session cookie included your Facebook user id number, which would presumably facilitate Facebook associating any data they collected about your browsing the web with your Facebook account. Cubrilovic's review showed that, based on what the cookies were transmitting, Facebook could easily connect some of your browsing habits to your unique Facebook account. This set off a storm of media coverage, but much of it lacked a detailed analysis of what Facebook is actually tracking and an understanding of how this could influence pending privacy legislation in Congress.
</p><p><strong>Read full story:</strong> <a href="https://www.eff.org/2011/october/facebook%E2%80%99s-hotel-california-cross-site-tracking-and-potential-impact-digital-privacy">Electronic Frontier Foundation</a></p>]]></description>
			<dc:date>2011-10-12T10:17:00-08:00</dc:date>
			<category>internet</category><category>internet_governance</category><category>law</category><category>policy_regulation</category><category>privacy</category>
		</item>
		
		<item>
			<title>Supercookie Debate Offers a Transparent Opportunity</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20111011_supercookie_debate_offers_a_transparent_opportunity/</guid>
			<link>http://www.circleid.com/posts/20111011_supercookie_debate_offers_a_transparent_opportunity/</link>
			<description><![CDATA[<p>Recent articles in the press have outlined how sites including MSN and Hulu are now using an advanced version of the old cookie file to track user behavior. These "supercookies" are very hard to detect and delete, and can track user behavior across multiple sites, not just one.
</p>
<p>
These tricky little trackers have lawmakers pressing the FTC to investigate, and the IAB scrambling to defend industry practices. Here's coverage from <a href="http://informationweek.com/news/security/privacy/231602316">Information Week</a>, <a href="http://mashable.com/2011/09/02/supercookies-internet-privacy/">Mashable</a> and the <a href="http://blogs.wsj.com/digits/2011/08/22/supercookie-code-seen-on-hundreds-of-sites/">Wall Street Journal</a>.
</p>
<p>
All this gives me a strong case of deja vu all over again, as the expression goes. Back at the dawn of the online advertising age I headed up communications for Advertising.com. We were right in the middle of the "cookie wars" of that time, trying to explain what they did (and didn't) do and trying to head off regulation by the FTC. More recently, I wrote <a href="http://cparente.wordpress.com/2008/04/07/the-more-things-change/">back in 2008 about ISPs looking to get into the tracking business via software from companies like Phorm and NebuAd</a>.
</p>
<p>
In that 2008 post I talked about a list of principles promulgated by groups like the Network Advertising Initiative and the Online Privacy Alliance that companies were supposed to adhere to in their online practices:
</p>
<ol><li><strong>Adoption and Implementation of a Privacy Policy</strong></li>
<li><strong>Notice and Disclosure</strong></li>
<li><strong>Choice/Consent</strong></li>
<li><strong>Data Security</strong></li>
<li><strong>Data Quality and Access</strong></li></ol>
<p>
No question many companies are not being faithful to those principles today. But rather than focusing on the regulation issue, I'd like to suggest companies simply be more transparent with users about the current online quid pro quo &#8212; lots of information services in exchange for some personal information. Sound a bit naive? I don't think so &#8212; I think it would be smart business.
</p>
<p>
From the dawn of the online advertising age, companies have been very reluctant to clearly spell this out for users. Online consumers get lots of free or very inexpensive services and lots of convenience, in exchange for sharing information about themselves. Sometimes this sharing is explicit &#8212; registration, subscribing &#8212; but more often it's done behind the scenes, using tools like cookies and now supercookies.
</p>
<p>
The Internet has become such a part of daily life and commerce that companies should find the courage of their convictions and spell this out for consumers. Stop talking about personalized advertising as if people are dying for that. News flash &#8212; most consumers want no advertising at all. But if you explain the benefits they receive in exchange for a reasonable (yes that's a flexible term) amount of shared personal information, I think the vast majority would go along.
</p>
<p>
Let's take a very basic example. Do you really want to input your ID and password at sites you visit every day? No you don't, it's convenient for that site to place a cookie on your computer so you are recognized and let right in. Companies need to spell this type of benefit out, and/or get their industry associations to do so. It would be a more effective tack than increasingly tenuous stories about the effectiveness of industry self-regulation.
</p>
<p>
To put it bluntly, the Internet is too essential to the everyday life of millions of consumers for them to turn back now. Companies should clearly explain the business model that makes so much information and so many services available online. They should also follow the principles above, including better protection for personally identifiable information. And/or, explain more clearly why some are extremely hard to do, such as providing user data quality and access.
</p>
<p>
Online companies can make this case to the public, if they choose to. When we've brought the current status quo out of the shadows and start discussing it more openly, all parties will be better off.
</p><p><em>Written by <a href="http://www.circleid.com/members/1495/">Christopher Parente</a>, High Tech Public Relations</em></p>]]></description>
			<dc:date>2011-10-11T13:31:00-08:00</dc:date>
			<category>internet</category><category>internet_governance</category><category>policy_regulation</category><category>privacy</category><category>web</category>
		</item>
		
		<item>
			<title>Multi&#45;Stakeholder Debate at the IGF: Lessons from a Safari</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/multi_stakeholder_debate_at_the_igf_lessons_from_a_safari/</guid>
			<link>http://www.circleid.com/posts/multi_stakeholder_debate_at_the_igf_lessons_from_a_safari/</link>
			<description><![CDATA[<p>Here at the <a href="http://www.intgovforum.org">IGF</a> in Kenya, we're debating how governments, private sector, and civil society can improve the multi-stakeholder model that's helped the Internet become such a vital part of life around the world.
</p>
<p>
<img src="http://www.circleid.com/images/uploads/5994.jpg" border="0" width="350" height="231" style="float:right;padding:0 0 5px 15px;" />Makes me think of another kind of multi-stakeholder model I saw last week on a photo safari in Kenya's <a href="http://en.wikipedia.org/wiki/Masai_Mara">Masai Mara National Reserve</a>. Out there on the savannah, grazing animals have evolved cooperative behaviors to reduce the risk of being overtaken by their natural predators. You can watch gazelle, antelope, zebras and wildebeests grazing the same patch of grass or sipping from the same waterhole, while a few take their turn watching out for cheetahs and lions.
</p>
<p>
These animals might not like sharing their grazing or drinking resources, especially during the dry season. But you don't see the zebras kicking the smaller animals away, since that kind of in-fighting would make all of them easier targets for predators. It was truly fascinating to watch how multiple species of animals evolved cooperative behavior when it's in their shared interest.
</p>
<p>
It's just as fascinating (well, not quite) to watch the cooperation among multiple species of Internet stakeholders at meetings of the IGF and ICANN. There we also see cooperation among competitors in Internet policy: the private sector and civil society.
</p>
<p>
Both private sector and civil society advocates compete for the attention of the public, governments, and technical standards groups. Private sector interests are advanced by ISPs, online services, content publishers, e-commerce platforms. Civil society advocates for human rights, free expression, and online privacy. Understandably, these two sometimes clash over policies for online privacy or protection of copyright and trademarks.
</p>
<p>
Still, we have cooperated to defend "our" Internet against unilateral control by governments and inter-governmental organizations like the United Nations. Like the animals on Kenya's savannah, we take turns responding to threats to our multi-stakeholder model.
</p>
<p>
Now I'm not saying that governments are predators, but in some respects they have similar power over the private sector and civil society: Only governments can block content by law, or imprison people who defy their orders. Like the big cats on Kenya's savannah, governments will eventually get their "Lion's share". The shared interest of business and civil groups is to limit how governments can restrict the Internet innovations of today and tomorrow.
</p>
<p>
That's why I was so dismayed by what I heard today at the IGF, when a self-declared consumer advocate accused the private sector of sabotaging the multi-stakeholder model. Jeremy Malcolm of <a href="http://www.consumersinternational.org">Consumers International</a> presented his new paper, "Arresting the decline of multi-stakeholderism in Internet governance". Malcolm's agenda is to get the IGF to oppose legal or technical protections for copyrighted content. I've always disagreed with him about that, but we somehow managed to cooperate on opposing government "predation" on internet innovation.
</p>
<p>
Until now, that is. In a packed room at the IGF, Malcolm accused the business and technical community of "complicity" in blocking his agenda. In his paper, Malcolm says:
</p>
<blockquote><p><em>"the private sector has no interest in furthering public values that true multi-stakeholderism would promote, ahead of its own power and profits, which could be threatened by further democratizing governance processes."</em></p></blockquote>
<p>
My jaw dropped, too. Malcolm is damning the same private sector motivations that produced the most democratizing technologies the world has ever known: Internet search, email, social network services, e-commerce platforms, etc.
</p>
<p>
Malcolm ended his presentation by exhorting his civil society colleagues to work with the business and technical community to protect the multi-stakeholder model. That's like the zebra asking the antelope to stand guard after kicking him away from the watering hole. As they say on the African savannah, choose your friends carefully, but be even more careful not to make old friends into new enemies.
</p><p><em>Written by <a href="http://www.circleid.com/members/3698/">Steve DelBianco</a>, Executive Director at NetChoice</em></p>]]></description>
			<dc:date>2011-09-26T12:29:00-08:00</dc:date>
			<category>internet</category><category>censorship</category><category>internet_governance</category><category>policy_regulation</category><category>privacy</category>
		</item>
		
		<item>
			<title>The Invisible Hand vs. the Public Interest in IPv4 Address Distribution</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/the_invisible_hand_vs_the_public_interest_in_ipv4_address_distribution/</guid>
			<link>http://www.circleid.com/posts/the_invisible_hand_vs_the_public_interest_in_ipv4_address_distribution/</link>
			<description><![CDATA[<p>In the efforts to promote the public interest over that of monied interests in Internet Governance, few issues are clear cut. One issue that has recently been <a href="http://queue.acm.org/detail.cfm?id=2008216">discussed</a> is that of requiring a "needs assessment" when transferring IP address blocks from one organisation to another (in the same or different RIR regions) or indeed when requesting IP resources from your friendly RIR.
</p>
<p>
IP address space is a finite public resource. Traditionally, folk who need IP addresses fill in a simple form documenting how current addresses are used and explaining how the requested IPs will be used. It's a simple process that takes a few minutes to complete, and even less time to process. Having been a Hostmaster at one of the RIRs, I have some experience in this area. Back in the very early days of the IANA, requirements were even more simple and many organisations got lots more IPs than they could actually use due to the classful nature of addressing at the time. These early allocations are often called "legacy space", as they were made prior to the formation of the RIR system as we know it.
</p>
<p>
There seems to be a vocal minority clamoring for the removal of this needs requirement in some of the RIR regions, some of whom are undoubtedly hoping to profit from the sale of IP addresses, while others seem to be guided by free-market philosophies. Unfortunately, neither motivation seems to advance the public interest in IP address distribution, despite their rhetoric to the contrary.
</p>
<p>
If organisations were allowed to obtain IP blocks from the RIRs (or from other companies) without first demonstrating that they needed them, the Internet would have run out of IPv4 long ago. This would obviously not have been in the public interest, as Internet growth would have stagnated.
</p>
<p>
Recently, we have seen the Internet Governance Project <a href="http://blog.internetgovernance.org/blog/_archives/2011/8/24/4885505.html">blogging</a> about this issue and they talk about the needs requirement as a "barrier to trade". While this may be the case, a much bigger and more damaging barrier would be erected if folk were allowed to flog their IP resources (legacy or not) to the highest bidder without any regard for Internet resource stewardship. In the <a href="http://blog.internetgovernance.org/blog/_archives/2011/8/15/4877516.html">theoretical case</a> that IGP raises, where Asian companies looking for more addresses than they think they can get from their RIR are eyeing legacy IP blocks, IGP seems to think that such organisations should be able to buy legacy blocks without demonstrating that they actually need these resources. In other words, the companies who have the most cash "win", which is not a philosophy normally associated with public interest outcomes. Many in the RIR policy communities are concerned that this will lead to hoarding and speculation, driving up the cost of doing business for all while enriching the few.
</p>
<p>
The current RIR system works incredibly well. It is the most respected part of the ICANN system in terms of openness, transparency and true bottom uppity-ness. Normally, IGP decries the heavy influence in ICANN processes by monied interests, but in this case, they seem to be cheerleading for the monied interests due to some deep seated Ayn Rand-ian laissez faire-ness. Inexplicable really, but I digress.
</p>
<p>
Now that we are faced with the impending run out of IPv4, several RIR policy communities are placing greater restrictions on allocation and assignments as a natural reaction to the coming shortage. For example, in the AfriNIC region, consensus was reached at the last AfriNIC meeting on a "Soft Landing" policy, which is now in Last Call. Amongst other things, this policy specifically states that resources allocated to the AfriNIC region are meant to be used in the region, thus precluding inter-region transfers.
</p>
<p>
Currently the APNIC community is in the process of <a href="http://www.apnic.net/policy/proposals/prop-096/prop-096-v001.txt">restoring the justification of need</a> for transfers, which was relaxed just last year.
</p>
<p>
Asking folk why they need a certain number of addresses has worked to prevent hoarding and speculation of Internet resources for many years. It is even more important now that we are running low on the supply side of IPv4. RIR policies are set by groups of people working together to reach consensus positions. Asking that we allow the "Invisible Hand" to determine policies going forward is not responsible stewardship, it's just crass commercialism.
</p><p><em>Written by <a href="http://www.circleid.com/members/1420/">McTim</a>, Co-Chair of the African Network Information Center Policy Development WG</em></p>]]></description>
			<dc:date>2011-09-11T16:11:00-08:00</dc:date>
			<category>internet</category><category>icann</category><category>internet_governance</category><category>internet_protocol</category><category>ip_addressing</category><category>privacy</category><category>regional_registries</category><category>whois</category>
		</item>
		
		<item>
			<title>Hot Legal Action in Canada!</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20110711_hot_legal_action_in_canada/</guid>
			<link>http://www.circleid.com/posts/20110711_hot_legal_action_in_canada/</link>
			<description><![CDATA[<p>The best part is ... this isn't one of those 'now that I've got your attention' tricks, like one of those old "free beer" posters; there really is a ton of stuff happening above the 49th parallel this summer.
</p>
<p>
<strong>Canada's Anti-Spam Law</strong>
</p>
<p>
To begin with, as a precursor to Canada's Anti-spam Law coming into effect later this year, the <a href="http://www.gazette.gc.ca/rp-pr/p2/2011/2011-04-13/html/si-tr22-eng.html">Office of the Privacy Commissioner</a>, the <a href="http://www.crtc.gc.ca/eng/archive/2011/2011-400.htm">Canadian Radio-television Telecommunications Commission</a>, and <a href="http://www.gazette.gc.ca/rp-pr/p1/2011/2011-07-09/html/reg1-eng.html">Industry Canada</a> have all issued regulations, the latter two in draft form with an RFC.
</p>
<p>
The regulations define express and implied consent, how unsubscribes should work, what disclosure information should be presented to subscribers, and the manner in which it is displayed. The regulations are, in essence, where numerous T's are being crossed, and i's being dotted, and are well worth a glance.
</p>
<p>
My organization, CAUCE, as well as numerous others will doubtlessly be submitting responses to the RFCs; if you have a dog in the email fight, by all means feel free to comment as an individual, or as a representative of your employer, as appropriate.
</p>
<p>
CAUCE has written, briefly, about the <a href="http://www.cauce.org/2011/06/crtc-publishes-regulations-another-step-towards-casl-coming-into-force.html">CRTC</a> and <a href="http://www.cauce.org/2011/07/industry-canada-regulations-for-casl.html">Industry Canada</a> regulations, and will be issuing our full platform, shortly.
</p>
<p>
<strong>Usage-Based Billing</strong>
</p>
<p>
UBB, or usage-based billing, is the hot topic of discussion at the CRTC these days, with, well, more than the traditional two sides to the issue.
</p>
<p>
Basically, the issue is about how big network service providers sell connectivity to smaller ISPs dotting the countryside, most predominately (but not limited to) in rural areas in Canada. Some mega-providers want to place bandwidth limits on their wholesale prices charged to SME ISPs, which would mean an inevitable rise in prices for Internet end-users who use any small or medium-sized provider. The CRTC (Canada's telecoms regulator) was ready to approve UBB, until a consumers' group, <a href="http://OpenMedia.ca">OpenMedia.ca</a> began to make a <em>lot</em> of noise, and the previous Minister of Industry warned the CRTC that were they to approve any UBB scheme, the government would nip it in the bud.
</p>
<p>
This issue has had more twists and turns than a plateful of spaghetti, and I am simplifying to the point of disservice. I suggest you take a dive into Michael Geist's blog where he has kept <a href="http://www.michaelgeist.ca/index.php?searchword=ubb&amp;x=0&amp;y=0&amp;option=com_search&amp;Itemid=">a running commentary on UBB</a>, which actually began becoming a topic of interest almost a year ago.
</p>
<p>
<strong>Over-the-Top Services</strong>
</p>
<p>
Even casual observers can also see how UBB might have an effect upon Apple TV, YouTube, and Netflix, and sure enough, the CRTC is also holding hearings on what they call 'over the top' (OTT) services. The CRTC are, as crazy as it sounds, considering <a href="http://www.theglobeandmail.com/news/technology/tech-news/crtc-head-calls-for-comprehensive-act-to-regulate-communications/article2058618/">regulating these services here in Canada</a>.
</p>
<p>
The CRTC are also holding hearings, again, on UBB. Read all about them <a href="http://www.cbc.ca/news/politics/inside-politics-blog/2011/07/orders-of-the-day---let-the-battle-over-usage-based-billing-ubb-be-joined----again.html">here</a>.
</p>
<p>
<strong>Lawful Access</strong>
</p>
<p>
You didn't think we were finished, did you? Well, we're not! Lawful Access, a passel of bills that have been lurking since 2005, are once again threatening to show up on the order papers for the fall legislative session. They are, as some have put it, a solution in search of a problem.
</p>
<p>
In the most simple of terms, lawful access allows any police officer in Canada to show up at an ISP, assert a reasonable suspicion about a given account, and the ISP is required under these laws to turn over everything about a given subscriber, no questions asked, no court order necessary. The ISPs were, at one point, against these proposed laws, but only because it would cost them something to actually do the investigative work. Since then, there have been clauses inserted to ensure the police forces pay for each such 'request' they make, and opposition from the ISPs has all but vanished.
</p>
<p>
<a href="http://www.cauce.org/2011/07/lawful-access-bills-likely-to-be-reintroduced-in-the-fall.html">This post on the CAUCE website</a> explains Lawful Access in detail.
</p>
<p>
I'm sure there are people in other parts of the world who are shaking their heads in disbelief at all of this; Canada wants to drive small ISPs out of business, regulate YouTube, and have cops walk into ISPs without court oversight and grab user data. When did Saudi Arabia become the upstairs tenants to America?!? Did the Bush neo-cons find a new gig up north? And, given how short their summer is, why are Canadians wasting all this time in meeting rooms?
</p>
<p>
These latter questions are rhetorical, and I'd best leave them unanswered.
</p><p><em>Written by <a href="http://www.circleid.com/members/617/">Neil Schwartzman</a>, Executive Director, CAUCE North America</em></p>]]></description>
			<dc:date>2011-07-11T11:56:00-08:00</dc:date>
			<category>internet</category><category>access_providers</category><category>cybercrime</category><category>email</category><category>internet_governance</category><category>policy_regulation</category><category>privacy</category><category>spam</category><category>telecom</category>
		</item>
		
		<item>
			<title>The Future of the Internet Economy: Chapter 2</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/the_future_of_the_internet_economy_chapter_2/</guid>
			<link>http://www.circleid.com/posts/the_future_of_the_internet_economy_chapter_2/</link>
			<description><![CDATA[<p>The OECD held a "high-level" meeting in June 2011 that was intended to build upon the <a href="http://www.oecd.org/site/0,3407,en_21571361_38415463_1_1_1_1_1,00.html">OECD Ministerial on The Future of the Internet Economy</a> held in Seoul, Korea in June 2008. I was invited to attend this meeting as part of the delegation from the Internet Technical Advisory Committee (ITAC), and here I'd like to share my impressions of this meeting.
</p>
<p>
This 2 day meeting, "<a href="http://www.oecd.org/internet/innovation">The Internet Economy: Generating Innovation and Growth</a>", had the objective of exploring a number of current issues in the public policy space, including:
</p>
<ul><li>how best to develop high speed broadband access,</li>
<li>how to leverage broadband for economic growth,</li>
<li>metrics of broadband development and its impact, and</li>
<li>how best to maintain openness and promote continued growth.</li></ul>
<p>
The presentations I heard at this meeting could be broadly classified into a number of themes, as outlined below.
</p>
<p>
<strong>Public Policy: The Internet as a brilliant success of Multi-Stakeholderism</strong>
</p>
<p>
The first theme was somewhat self-congratulatory in nature, and noted that the Internet has been very effective in achieving economic growth. One speaker cited from a McKinsey report that the level of economic growth attributable to the Internet in 15 years, as measured by GDP growth, equalled the level of GDP growth experienced in the Industrial Revolution over 50 years.
</p>
<p>
The speakers who talked to this theme espoused freedom of expression, freedom of governance, and freedom of enterprise &#8212; online. The Secretary General of the OECD proposed that the OECD, and its working methods of inclusion of governments, the private sector, civil society and the technical community, was uniquely positioned to further this effort. As he noted in his presentation to this meeting, "The OECD has already established many of the social norms that define the Internet today." He espoused a light touch public policy environment as a platform to provide growth, and a driver of innovation that improves efficiency and growth. In other words, when handled with some consideration and care from a perspective of public policy and governance, the Internet will continue to play the role of a critical enabling tool for wealth creation.
</p>
<p>
The prevalent meme of today appears to be "multi-stakeholderism," which appears to relate to today's mixed environment of public and private sector activity, coupled with explicit recognition of civil society and other vested interests, including the technical sector as stakeholders in the process.
</p>
<p>
The tone of such presentations on the success of the open Internet and upon light touch public policies and multi-stakeholderism was generally upbeat, with some concessions to the challenges of security and net neutrality, but overall there was a sense that if the process was well structured, then such challenges could be properly addressed to the satisfaction of all.
</p>
<p>
In many ways this is little more than self-congratulatory rhetoric about the positive outcomes that have resulted from the general deregulation of the telecoms sector in the late 20th century and the associated shift of the model of service in this sector from a single public sector utility telecom operator to a diverse set of competitive private sector actors. However, an implicit subtext within this theme was a critical commentary on alternative approaches to coordination frameworks for national and international communications, notably the ITU-T, and a rather barbed criticism of the ability of such treaty-based institutions to perform the necessary structural changes to their institutional model that would allow the institution to reflect the broader set of stakeholders that are peer players in today's landscape. Perhaps behind the rhetoric is one more piece of preparatory activity in the extended leadup to the renegotiation of the world telecommunications treaty by the set of nation states that have some level of commitment to a communications industry structure that is now largely based on private sector activity within a framework of open competition, and a general desire to reduce, to some extent, an indefinite continuance of the encumbrances, obligations, and structural cross-subsidies that are associated with the current treaty obligations that stand behind the ITU-T.
</p>
<p>
<strong>The Faltering of the Traditional Carrier</strong>
</p>
<p>
A number of speakers on the topic of broadband infrastructure were critical of today's network infrastructure. A salient comment I heard at one point was: "This sector really has a problem in meeting demand."
</p>
<p>
Some of the now-privatised telcos (for example, the presentation from Telecom Italia) were effectively claiming that with the impositions of net neutrality and the imposition of a public policy agenda of ubiquitous equitable access for all to a high speed broadband infrastructure funded through private capital investment was not a viable proposition.
</p>
<p>
The broader question was raised in a presentation from the Korean delegate, who raised the question as to who should fund broadband network infrastructure construction. The Australian presentation made the case that such large scale broadband infrastructure projects exceeded the capacity of private enterprise, and therefore the responsibility to lead such projects fell to the public sector. Although it has to be noted that this leadership comes at the considerable cost of around $2,000 per capita in the Australian case, and it therefore takes a relatively robust economy to underwrite such a significant level of public capital expenditure within the broader collection of public sector issues. Many other OECD economies appear to have largely left the activity of the construction of broadband network infrastructure to the agenda of the private sector, particularly where financing is concerned, and limited their involvement to cheering from the sidelines. The outcomes so far from such an approach are not exactly stellar.
</p>
<p>
Another carrier, AT&amp;T, asserted that public communications policy in broadband infrastructure is being driven by a vocal minority rather than the mainstream and asserts that this imbalance in policy formulation will result in subsequent retrograde intervention that will restore what he termed as "20th century regulation." He argued for continuance of deregulation and a "hands-off" policy response by government. He noted a policy priority of broadband access, at an affordable price, as an enabler of economic outcomes, and a lever to improve delivery of social services and utilities. Interestingly, he noted a $95B infrastructure investment by AT&amp;T over the past 5 years and claimed that this cost could not feasibly be recovered from the end user base because the imposition of additional costs onto the consumer base would exclude large sectors of users from the network, and this would be counter to an objective of ubiquity of access. Given the stated preference for continuation of an industry model that is a deregulated industry led by private sector investment, it would appear that AT&amp;T is constructing a case to forego the concept of network neutrality with respect to their carriage services, and they apparently wish to have the ability to impose additional costs on content industry actors if they want to have high speed visibility to users on AT&amp;T's broadband network and recover a significant proportion of their investment in this manner.
</p>
<p>
Network neutrality is a significant issue in today's industry, and it appears to be used by the carriers and operators as a keyword for their lack of incentive for infrastructure investment beyond the existing copper loop wired infrastructure, citing that net neutrality acts as an investment disincentive that brings the financial returns on capital investment in infrastructure below what they consider to be acceptable levels that are able to meet the cost of private capital in their enterprises. At the same time they are pointing to the lack of radio spectrum as the reason for a lack of further investment in mobile data infrastructure, and accusing application developers of generating mobile content applications that make extravagant use of bandwidth, and hence extravagant use of spectrum as being part of the problem they face.
</p>
<p>
With some small level of dissension, there appears to be a general admission that demand on today's Internet is not only outstripping current levels of supply, demand growth now is outstripping the sector's business plans, capital investment capability and even technical capability, and the resultant need to exercise common constraint in an environment of limited resources is counter to an industry whose relatively crude content and service models appear to be based on continued abundance of the basic commodity of bandwidth and ubiquitous connectivity.
</p>
<p>
<strong>Security and Privacy</strong>
</p>
<p>
This is one of those mantra topics - everyone agreed that security is a Good Thing (at least I heard no one argue against the concept!), and all speakers who touched upon this topic appeared to agree with the proposition that this was a current issue and by no means a solved problem. But where to go from here was definitely not so clear.
</p>
<p>
It was clearly recognised that the quantity, breadth and detail of information that is now online poses some serious concern. The risk profile of unintended information exposure now includes individuals, organisations and even nation states. The security industry is becoming overwhelmed with the onslaught of new threats on a continuing basis, and the underlying concern is that the current level of cyber attack may mutate at any time into attack profiles associated with cyber warfare between nation states.
</p>
<p>
Industry commentators perceive this topic to have a low priority in the political agenda, where politicians want lower prices and greater regulatory control, while the ability of the private sector to invest in the necessary resources and measures to support greater levels of online security is limited by the relatively low value placed on this activity by end users. In some ways the issue of security in today's networks, particularly as they relate to high end security measures that are capable of defending a national communications system against broad scale infrastructure attack of a scale and intensity anticipated in the context of a concerted and well resourced attack (such as envisaged in a cyber warfare attack, for example), is seen to be beyond the scope of conventional private sector infrastructure operators. At the same time the public sector is showing some signs of uncertainty as to how to engage with this agenda, as this is a matter that is well beyond simple regulatory responses.
</p>
<p>
Hand-in-hand with security is the topic of privacy. It was asserted that the challenge about privacy is not about technology, as today's technology is adequately capable of supporting privacy, but is about the nexus of privacy policies and technology. In order to implement scalable systems that respect and adhere to privacy policies and are functional, there is a need to invest in an effort to define common privacy and authentication standards, i.e., standards relating to the nature of credentials that appropriately define individuals and roles, reputation mechanisms and validation of such credentials and the associated topic of negotiation of trust. The privacy management reference model is looking at operational privacy management in online services, and public standards need to be considered in the development of services. There is some optimism that policy entropy and conflicting standards can be addressed, assuming that the various actors in the area talk to each other and work in the context of industry-driven standards that are based on interoperable implementations. There is the expectation that the industry can deploy systems that can manage privacy conflict and ensure compliance with public policy frameworks that would engender trust and confidence. It was suggested that governments need to support the effort to foster the greater use of standards organisations to facilitate the development of data privacy standards and their adoption.
</p>
<p>
<strong>IPR and Intermediaries</strong>
</p>
<p>
This is a long-standing issue in this sector. The copyright holders have been reluctant, or incapable, on the whole to modify their business model to adapt to the capabilities of computing systems and computer networks to replicate and redistribute content. In the face of monotonically declining sales revenue of traditional media, and the collapse of many of the former major players in the media-based content distribution industry, the content industry resorted to legal means to attempt to curb the decline in their industry.
</p>
<p>
The Digital Millennium Copyright Act in the United States is perhaps the most well known, but by no means unique, example of this push for legislative remedies to unauthorized redistribution of content. The industry has, at least in the realm of the public policy debate, successfully managed to apply a lexicon that includes emotive terms such as "theft", "illegal", and "piracy" to such redistribution activities, and to have this lexicon adopted by the broader industry and in public policy debates.
</p>
<p>
However, such actions have been largely unsuccessful in terms of reducing the level of such unauthorized redistribution of content and the associated revenue leak that such redistribution represents to copyright holders. The copyright industry has now turned its attention to attempts to coerce the carriage providers to act as co-opted vigilantes in the efforts to enforce intellectual property rights.
</p>
<p>
This effort runs counter to the general principle of the role of a common carrier, where, in somewhat approximate terms, the carrier is bound to respect the privacy of the parties to whom it has contracted to act as a carrier, and in return is not held to be liable for the content carried across its network. However, there is a strong push to have the public sector force the carriage sector, and all others who act as "intermediaries" in the provision of services and content to users, to play an active role in enforcing the intellectual property rights of copyright holders of the material. Rather than starting from an assumption that carriage providers and intermediaries are not liable for the content they carry on behalf of users, the default position being pushed in the context of this OECD meeting is one of assuming that such liabilities already exist, and the consequent agenda is to "limit" such liabilities.
</p>
<p>
It has been pointed out by critics of this approach (such as in a <a href="http://blog.internetgovernance.org/blog/_archives/2011/7/4/4851881.html">recent blog on this topic</a>), in relation to the wording of the communiqué from this meeting, that some of the stakeholders, notably the technical community according to this particular critic, acted in a way that played into the hands of the IPR efforts: "Lacking the historical perspective, ITAC failed to see the camels nose being inserted under the tent in the IPR and Intermediary Liability sections."
</p>
<p>
Some of the presentations at the meeting were staunchly in favour of the copyright industry's proposals for making carriers and ISPs liable for content. In particular the presentation by Vivendi went as far as claiming that the entire content creation industry would come to a complete halt if IPR theft was not halted using all available means. The assertion was made in this context that: "Copyright is a key component of economic growth."
</p>
<p>
An alternative view, put forward by Deezer (and presumably Pandora, were they to be present), is that "piracy" is just one competing service model for distribution of content, and the real goal of this industry should be to create business and service models for the distribution of content that represent a superior service proposition to users as compared to resorting to unauthorized redistribution of content in the form of "piracy". Such new service models should allow IPR to be respected and due royalties paid in the use of copyright material. From Deezer's reported commercial success, this is evidently an achievable objective.
</p>
<p>
In any case, the default position of assuming some unspecified level of liability on the part of intermediaries, including carriage providers, and the need to "limit" this liability with respect to copyright material was maintained in the deliberations prior to this meeting, and the Civil Society Information Society Advisory Committee (CSISAC) was unable to endorse the resultant communiqué.
</p>
<p>
<strong>IPv6 - The Elephant in the Room</strong>
</p>
<p>
Oddly enough for a meeting that was intended to discuss the public policy aspects of the Internet's future growth and the maintenance of the Internet's openness and ability to innovate, evolve and generate societal wealth through efficient and novel forms of connectivity and communication, the one topic that implicitly threatens the entire framework of today's Internet rated barely a mention in the meeting, namely the exhaustion of the IPv4 address pool and the industry's marked indifference to adopting IPv6. It was the unacknowledged elephant in the room.
</p>
<p>
One speaker, Vint Cerf, highlighted the need to place IPv6 adoption as a matter of urgent priority in the public policy agenda, and noted that without IPv6, innovation on the Internet will suffer and beneficial outcomes from an open and accessible communications environment would cease, and that we simply have no alternatives at this point in time. He noted that if this meeting can conclude with the imperative to deploy IPv6 across all parts of the Internet, then it would be a useful meeting with a positive message. Oddly enough, the chairman's summary at the end of this particular session omitted any reference to IPv6, despite this topic being the major theme of Vint's presentation.
</p>
<p>
There was certainly an air of disconnection that persisted through the meeting on the continued omission of any mention of IPv4 address exhaustion and the risks posed to the further growth of the Internet if IPv6 is not adopted in a timely manner. It got to the point that when a speaker from the UK Regulatory Office subsequently mentioned IPv6 and the need for the public sector to actively support its adoption, parts of the audience broke out in spontaneous applause.
</p>
<p>
It appears that despite many years of active promotion of IPv6 the message is still not getting heard within the area of public policy. The comprehensive transition of the Internet to IPv6 is a central pillar of any expectation that the Internet can continue to grow and sustain a vibrant environment based on open competition and innovation. So far we appear to have failed to effectively make the case that in a networked environment that stalls on IPv6 the resultant NAT and ALG-ridden IPv4 environment is one where the current incumbents will hold all the addresses and any further competitive entry into the Internet by new actors, at both the levels of carriage and content services, would be effectively limited to the terms and conditions imposed by the incumbents. Such a scenario is about as good a definition of the failure of an open market as one could find, and it's one that the Internet would do very well to avoid.
</p>
<p>
<strong>Where To From Here?</strong>
</p>
<p>
Somehow I'm missing the sense of driving optimism and opportunity that was associated with the 2008 OECD Ministerial on the Future of the Internet Economy. It's not clear to me that multi-stakeholderism is sufficiently powerful a mantra to shake off the issues that confront this industry as it slowly shifts into a phase of success-disaster.
</p>
<p>
Yes, the mobile market is a massive commercial success, so much so that we are now running out of useable spectrum space in the most populous parts of the networked world.
</p>
<p>
Yes, the wired internet is transforming our economies, so much so that the pressure to recable our infrastructure from copper to fibre is now an essential prerequisite to keeping pace with demand, but the capital is not there and the sustainable carrier business models are not there to undertake this effort.
</p>
<p>
Yes, the provision of content is a runaway success, but the copyright industry still cries foul and in an effort to curb some of the reported massive damage being inflicted on the entertainment industry there is an effort to rip apart the principle of common carrier and hold all elements of this industry liable for the unauthorised distribution of content.
</p>
<p>
And yes, we've managed to distribute billions of computers, but at the same time we've managed to create significant areas of vulnerability, and we are now witnessing the exploitation of these weaknesses shift from elements of organised crime to the distinct possibility of cyber warfare waged between nation states.
</p>
<p>
But I don't believe that any of these issues present insurmountable challenges. In seeking productive responses to these challenges we need to make sure that we are looking in the right place. These problems appear to arise from the intersection of a rapid shift in the technology base of this industry with a set of business and policy frameworks that are often somewhat conservative in their response to change. I would like to believe that many of the answers we are looking for lie in adaptation of business models and public policy frameworks, and the tools that will best assist this common effort are probably economic in nature.
</p>
<p>
For that reason I believe that the OECD has a valuable role in the coming months and years, and I am heartened to see the OECD continue to engage all stakeholders in a public dialogue that I hope will be ultimately fruitful and productive for the future of the Internet.
</p><p><em>Written by <a href="http://www.circleid.com/members/602/">Geoff Huston</a>, Author & Chief Scientist at APNIC</em></p>]]></description>
			<dc:date>2011-07-06T07:39:00-08:00</dc:date>
			<category>internet</category><category>access_providers</category><category>broadband</category><category>internet_governance</category><category>ipv6</category><category>mobile</category><category>net_neutrality</category><category>policy_regulation</category><category>privacy</category><category>security</category><category>telecom</category><category>white_space</category><category>wireless</category>
		</item>
		
		<item>
			<title>Independence and Security Online Have Not Yet Been Won</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/independence_and_security_online_have_not_yet_been_won/</guid>
			<link>http://www.circleid.com/posts/independence_and_security_online_have_not_yet_been_won/</link>
			<description><![CDATA[<p>As we here in the United States celebrate our independence this Fourth of July, we are reminded that the liberties and freedoms that come with that independence have yet to be won online. As citizens of this country we are blessed with safety and security from threats both foreign and domestic, but those guarantees have not yet extended to our citizenship in the global Internet community. This is true not just for American citizens, but for all Internet users throughout the world.
</p>
<p>
Regardless of nationality, citizenship, color or religion we all share a commonality online in that we are all equally at risk of the threats and abuses so prevalent on the Internet. We all are equally vulnerable to spam email, equally at risk of infection from malware and spyware, and equally targeted by identity theft and online fraud. Our personally identifiable information is equally at risk online no matter where we are from or what flag we represent. As citizens of the global Internet community, we share equality in risk, because we are very similar in nature and demographics. From the operating systems installed on our PC or laptop, the web browser or email client we use, to the Internet Service Provider we connect to every day, we all share commonalities that expose us to the same types of risks and threats when online.
</p>
<p>
While we as individuals are unique in our life experiences such as education, wealth, stature and etiquette, we shed the majority of these traits once we connect to the Internet. We move from the uniqueness of an individual to a commonality brought on by the technology we use, and it is this technology that brings with it the risks to our freedom and security online. All technology used to interact on and communicate with the Internet, whether hardware, software, analog or broadband, wired or wireless, brings with it types and severities of risk to our online security and privacy.
</p>
<p>
Access to the Internet has always brought with it a set of risks, but more importantly it has provided a set of freedoms: freedom to express our ideas and opinions, freedom to learn about the world and the truths it contains, and freedom to communicate across the boundaries of territory, government, class and religion. There is power in the freedoms we have online, but this online freedom--as with personal freedom--brings with it risk and insecurity. These are the inescapable costs of using the Internet; accepting the luxury of this online freedom also means accepting the risks.
</p>
<p>
We are all familiar with the issues of security on the web. Our online identities have always been the target of hackers and malware, but the threat has changed. With our bank accounts, medical records, and other personal information migrating to Internet-connected systems at an ever increasing rate, the online threats once thought of as nuisances are now regarded as some of the most serious risks to private businesses and governments. And while the majority of attacks seek some type of financial gain for the perpetrators, we are becoming aware of an even larger threat as we watch the maturing of state-sponsored cyber attacks and cyber terrorism.
</p>
<p>
Here in America we are fortunate to enjoy the freedom and security that much of the world takes for granted. These freedoms have for a century been the subject of intense debate, cause for civil protest, and the justification for world wars. Many of our best and brightest have given everything to ensure it, some giving more than others but each sacrificing in the name of freedom.
</p>
<p>
As a global Internet community, however, we have yet to come together as a unified people to enforce and guarantee our online security and privacy, both aspects of our online freedom. We continue to enable our own victimization with complacency and inaction. Until we as citizens of this global community take upon ourselves the responsibility to secure and protect our online identities, until we become stewards of the Internet community we use on a daily basis, until we decide to fight as hard for the privilege of freedom online as we have to secure our freedoms and liberties at home, the Internet will remain a place of risk and threat.
</p><p><em>Written by <a href="http://www.circleid.com/members/3725/">Mike Dailey</a>, IT Architect and Sr. Network Engineer</em></p>]]></description>
			<dc:date>2011-07-03T18:10:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>email</category><category>law</category><category>malware</category><category>privacy</category><category>security</category><category>spam</category>
		</item>
		
		<item>
			<title>Happy Canada Day from the CRTC</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/happy_canada_day_from_the_crtc/</guid>
			<link>http://www.circleid.com/posts/happy_canada_day_from_the_crtc/</link>
			<description><![CDATA[<p><a href="http://www.circleid.com/members/617/">Neil Schwartzman</a> writes to report: "CAUCE reports that the CRTC published long-awaited regulations (a big step towards Canada's Anti-spam Law (AKA C28) coming into force), late June 30, the day before Canada Day. The regulations are, as anticipated, very terse and do little to water down the strong nature of the law; they move to clarify certain aspects of express vs. implied consent, among other things."
</p><p><strong>Read full story:</strong> <a href="http://www.cauce.org/2011/06/crtc-publishes-regulations-another-step-towards-casl-coming-into-force.">External Source</a></p>]]></description>
			<dc:date>2011-06-30T19:12:00-08:00</dc:date>
			<category>internet</category><category>email</category><category>law</category><category>policy_regulation</category><category>privacy</category><category>security</category><category>spam</category>
		</item>
		
		<item>
			<title>INET New York &#45; Remote Participation Details</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/inet_new_york_remote_participation_details/</guid>
			<link>http://www.circleid.com/posts/inet_new_york_remote_participation_details/</link>
			<description><![CDATA[<p>The Internet Society (ISOC) will present an INET Regional Conference today, June 14 2011, at the Sentry Center in NYC. The theme is <a href="http://isoc.org/nyinet"><em>"It's your call. What kind of Internet do you want?"</em></a>. The distinguished lineup of speakers will include 'Father of the Internet' <strong>Vint Cerf</strong>, World Wide Web inventor <strong>Sir Tim Berners-Lee</strong>, and Assistant Secretary for Communications and Information at the U.S. Department of Commerce <strong>Lawrence Strickling</strong>.
</p>
<p>
For those of you coming in person, we look forward to seeing you! For the rest of you, here are the remote participation details:
</p>
<p>
&bull; <a href="http://bit.ly/isoctv">Webcast</a>
<br />
&bull; <a href="http://www.streamtext.net/text.aspx?event=ISOC">Transcription</a>
<br />
&bull; <a href="http://inetny.backchan.nl">Questions</a>
</p>
<p>
Remote participants do not need to register &#8212; all are welcome. For those unfamiliar with backchan.nl, one can not only ask questions but also vote on questions already asked. There are chatrooms associated with both the transcription and the webcast. For those wishing to comment via Twitter, the hashtag is <a href="http://twitter.com/#!/search?q=%23INETny">#INETny</a>.
</p>
<p>
Here's a brief schedule (times are EDT = UTC-4):
</p>
<p>
09:00 Opening remarks
<br />
09:30 Keynote + Q&amp;A: Sir Tim Berners-Lee
<br />
10:30 Panel: Pushing technology boundaries
<br />
12:00 Lunch
<br />
13:00 Keynote + Q&amp;A: Vint Cerf
<br />
13:30 Panel: People Power
<br />
15:00 Keynote: Lawrence E. Strickling
<br />
15:20 Panel: New Privacy Models
<br />
16:30 Closing discussion
<br />
17:30 End
</p>
<p>
The full agenda is at <a href="http://bit.ly/inetnyagenda">bit.ly/inetnyagenda</a>
</p>
<p>
More info: <a href="http://isoc.org/nyinet">isoc.org/nyinet</a>
</p><p><em>Written by <a href="http://www.circleid.com/members/1184/">Joly MacFie</a>, VP (Admin) - ISOC-NY</em></p>]]></description>
			<dc:date>2011-06-14T03:19:00-08:00</dc:date>
			<category>internet</category><category>broadband</category><category>internet_governance</category><category>net_neutrality</category><category>policy_regulation</category><category>privacy</category><category>telecom</category>
		</item>
		
	</channel>
</rss>
