Expert E-Consultation on Cyber Security, Justice, and Governance

On 3 November 2014, The Hague Institute launched its first e-consultation, which sought to contribute to the work of the Commission on Global Security, Justice, and Governance. This was the first of a series of e-consultations on topics relevant to the research and policy agenda of the Commission.

This consultation brought together over 75 international cyber security and cyber governance experts and built on the high-level Expert Consultation on Cyber Security, Justice, and Governance hosted by The Hague Institute, The Stimson Center and the Observer Research Foundation in New Delhi on 18 October 2014 following the conclusion of the India Conference on Cyber Security and Cyber Governance.

Summary of Phase I (Focus: Cyber Security) Facilitators: Ian Wallace (Visiting Fellow for Cyber Security, The Brookings Institution); Sash Jayawardane (Researcher, The Hague Institute)

Phase 1 of the expert e-consultation ran from 3 – 19 November 2014 and focused on issues relating to cyber security. Facilitator Sash Jayawardane circulated a discussion prompt on 3 November, posing three questions for discussion. These questions built on an expert discussion, which took place in New Delhi in October 2014, chaired by Commissioner Dr. Jane Holl Lute. A summary of the expert interventions made in response to the questions posed during the e-consultation is provided below.

1. Do you agree with the assertion that cyber hygiene should be a technical and policy priority in efforts to enhance cyber security? If not, what alternatives would you propose?

Of the three questions posed in the discussion prompt, the expert group explored this question in the greatest detail.

Initial interventions from cyber security specialists did not support the idea of cyber hygiene being the primary focus for governments.

Paul Rosenzweig (Principal, Red Branch Consulting) acknowledged that cyber hygiene is an important component of cyber safety, and should be included in school curricula and the development cycle for new cyber products and services, but was clear that it should not be a policy priority for governments. According to Rosenzweig, prioritizing cyber hygiene misunderstands the nature of the cyber security challenge, implying that users are the problem. Instead, the focus should be on how to deal effectively with insecure software. Rosenzweig proposed that the answer to pervasive insecurity is to reconfigure the incentive structures for the private sector to make a greater investment in secure software through measures including liability, regulation, subsidies, or taxation.

Rosenzweig also observed that governments should focus their efforts on cyber threats to which the private sector is unable to respond effectively, i.e. those threats posed by powerful state and non-state actors.

John Mallery (Research Scientist, MIT) agreed with Rosenzweig, stating that “informed technical opinion is that we need technical architectures that are secure by default, and host architectures that implement key security concepts …” According to Mallery, while industry is slowly making progress in this regard, encouragement through public policy would help speed up the process.

Alejandro Pisanty (Professor, National University of Mexico/ Chair, ISOC Mexico) agreed with Rosenzweig and Mallery that cyber hygiene should not be a policy priority for governments, pointing out that cyber hygiene does not address the threat of cyber attacks perpetrated by powerful state or non-state actors.

Suleyman Anil (Head of Cyber Defense, NATO) cautioned against underestimating the value of practicing proper cyber hygiene and articulated two reasons why cyber hygiene is important and should be the responsibility of a range of actors, from the individual to the state: (1) 90% of incidents/compromises in computer networks are caused by known vulnerabilities and can be prevented; (2) failure to implement cyber hygiene best practices on a given network makes it difficult to provide assistance when threats do occur. Anil underscored that networks can be secured effectively at a reasonable cost and noted that the majority of banking, airline, enterprise and state networks are properly protected.

Sherif Hashem (Vice President for Cybersecurity, National Telecom Regulatory Authority of Egypt) concurred with Anil on the importance of proper cyber hygiene, noting that “cyber hygiene is a domain where ALL – governments and the private sector, as well as the general public – can achieve a very high return on investment on a short term basis.”

Anil noted, however, that even with cyber hygiene practiced properly across the board, residual risks would remain, namely, those posed by state actors. He proposed that the solution to this non-technical (national and international) security issue is not cyber hygiene, but rather, international agreements and national legislation.

Gideon Rop (Project Support Engineer, DotConnect Africa) observed that while it is possible and desirable to create technologies that are secure by default, there is still a profound need to educate end-users about proper cyber hygiene and create awareness about cyber policies.

Facilitator Ian Wallace then asked what the responsibility of the state should be with regard to cyber security, if we accept that the state is the ultimate guarantor of security, but cyber hygiene should not be a policy priority. In particular, Wallace asked participants to focus on how the relationship between the state and the private sector should be managed, and what incentives the state should provide to encourage the private sector to make greater investments in cyber security.

Alejandro Pisanty, Kamlesh Bajaj (CEO, Data Security Council of India) and Rahul Sharma (Senior Consultant, Data Security Council of India) highlighted the need to be clear about what is meant by “cyber security” when attempting to understand what role governments and other entities should play.

According to Bajaj, cyber security should be defined “as distinct from information security, organization security, and finally national security” although it may overlap with or have an impact on these other facets of security.

In line with arguments made by Rosenzweig and others, Bajaj highlighted the importance of exploring what incentives are available for the private sector, which owns and operates most cyberspace infrastructure, to invest in cyber security, sometimes even beyond its business case. Bajaj underscored that cyber security must be the responsibility of organizations, rather than individuals, since it is impossible to ensure that millions of new users are aware of cyber hygiene best practices or will adhere to them. According to Bajaj, it is important to focus on the global harmonization of cyber security frameworks and standards, as well as global regulatory compliance.

In a similar vein, Rahul Sharma noted that in the absence of global agreements on cyber security essentials, maintaining secure, interoperable networks is challenging. He wrote that collaboration between the private sector and industry at a global level is imperative for improving cyber hygiene. Sharma agreed with other contributors that while we need to educate users about security and privacy online, manufacturers and developers must strive to create products and software that are secure by default. He also agreed that incentives should be provided for building secure products, resilient networks and practicing better cyber hygiene.

Sherif Hashem added that most manufacturers and developers understand the need for products that are secure by design. This requires time and investment, however, and there is a tendency to focus instead on gaining, maintaining or increasing market share. According to Hashem, even when deploying new systems and services, service providers as well as operators, may try to speed up the deployment process of a new service or system at the expense of adequate security verification and testing.

Facilitator Ian Wallace then posed a final round of questions for this portion of the consultation: (1) What is the role of the state in creating conditions for a stable and secure cyber ecosystem (focusing on measures that can be operationalized in the next 3-5 years)?; and (2) is there scope for Tallinn Manual-type exercises with regard to other existing legal/regulatory frameworks that may be applied to cyberspace? If so, what other frameworks most usefully lend themselves to such analysis?

In response to these questions, Paul Rosenzweig expressed skepticism about the ability of governments to effect positive change in order to create a safe and stable cyber ecosystem. While accepting that economic incentives cause the private sector to under-invest in cyber security, Rosenzweig did not think that governments could correct this market failure effectively. The primary issue, according to Rosenzweig, is that the state’s methods of controlling or correcting market failure are a product of hierarchical decision-making systems that lack the speed and flexibility to keep up with the development of threats in the domain (e.g. legislation to enhance information sharing about cyber security threats and vulnerabilities is of little use against current, sophisticated threats). Rosenzweig believes that encouraging the private sector to invest more heavily in cyber security may involve (1) a liability system that penalizes the marketing of buggy, unpatchable code; and (2) a regulatory system that emphasizes resilience over prevention.

Kamlesh Bajaj cited a Verizon report stating that nearly 80% of cyber attacks and successful breaches could be prevented by cyber security best practices being implemented effectively. He posed the question as to whether major companies that have suffered cyber security breaches (e.g. Target, JP Morgan Chase) were simply not patching known vulnerabilities or whether other factors were at play. He also cited a SANS Institute report and International Association of Privacy Professionals (IAPP) report stating that employee security awareness maybe a weak link in the cyber security chain. Bajaj believes that there is a regulatory role for the state to play, but the challenge lies in determining how far such regulation should go. Alternative or complementary options to regulation could be the provision of financial incentives or leaving cyber security to market forces alone.

Samiran Gupta (Head of India, ICANN) stated that, ideally, the state would work in close cooperation with other stakeholders to create nuanced policies, which allow for economic growth while ensuring a safe and stable ecosystem. To this end, he suggested that states with the ability to do so should come up with a set of principles that can be harmonized across geographies. Gupta also provided examples of what could be included in these principles:

1. Prioritize capacity building at the security, human capacity, political and user levels: This involves identifying minimum common technical standards (security); ensuring sufficient people are trained in how to keep the internet stable and secure in each country (human capacity); ensuring that all political representatives go through a brief program to ensure adequate skills with regard to cyber security issues (political); and ensuring adequate proliferation of ISOCs and similar local institutions which can create awareness about cyber hygiene (user).
2. Build trust with key local companies: States should empower public and private sector companies to become domain leaders in specific aspects of technology; provide financial incentives (e.g. tax rebates) for doing so.
3. Build a network of friends: States should prioritize active participation in global cyber governance fora to better understand key issues and build relationships.

On the subject of international cooperation between states, Gabi Siboni (Director, Military and Strategic Affairs and Cyber Security Program, Institute for National Security Studies, Israel) ventured that the most likely area of such cooperation is that of financial crime in cyberspace. According to Siboni, such cooperation, which is based on the alignment of state interests, could help build confidence for interstate cooperation on other, trickier cyber issues. He also proposed the creation of an international cybercrime center focused on solving crimes and conducting successful prosecutions, which is complementary to existing mechanisms such as Interpol. Siboni suggested that Europol (particularly its European Cybercrime Center) might serve as a model for the establishment of such a body. Siboni contends that such an effort to combat financial crimes in cyberspace will result in best practices proliferating amongst countries involved in the initiative. This will provide a starting point for negotiating global standards and agreements.

With regard to what existing legal or regulatory frameworks may be applicable to cyberspace, Siboni highlighted that national legal systems and evidence laws are inadequate for the purpose of addressing cybercrimes. Resolving this issue should therefore be a priority.

2. Is there merit in broadening our understanding of cyber security to include concepts such as human security? Why or why not?

There was very limited support for expanding our understanding/definition of cyber security to include human security.

Conor Seyle (Deputy Director, Research and Development, One Earth Future Foundation) pointed out that the term “human security” remains both contentious and somewhat under-specified. Originating in the 1994 Human Development Report, the term has been defined differently by various parties. Relevant definitions include that of Mary Kaldor (2007), who has stated that human security approaches to conflict are built around identifying and enforcing human rights first and foremost.

According to Seyle, while it is plausible theoretically to include cyber security in the concept of human security (e.g. by demonstrating that cyber security is important for economic growth and the protection of personal information), there is little utility/practical value in doing so. This is because there is little institutional overlap between those working on human security and those working on cyber security, and there is no obvious constituency to support such an amalgamation. Moreover, cyber security-related issues are primarily technical, and therefore must be distinguished from national security issues, which arguably have a greater impact on human security.

Lucas Lixinski (Senior Lecturer, UNSW Australia) and Rahul Sharma also expressed reservations about expanding the understanding of cyber security to include human security. Sharma pointed out that aspects of cyber security that relate to human rights are already addressed by existing international instruments such as the ICCPR and UDHR, while the UN has taken up related issues on several occasions, including in its recent report “Privacy and Human Rights in the Digital Age” (2014). Sharma also pointed out that while conventional definitions of cyber security do not typically involve references to human rights,[1] many states are cognizant of their rights obligations in the context of cyberspace.[2] According to Sharma, all actors operating in the sphere of cyber security should be held accountable for rights violations, including intelligence agencies and data controllers.

Facilitator Sash Jayawardane pointed out that while there is a case to be made for maintaining a distinction between cyber security and human security, it is nonetheless important to consider that the pursuit of some forms of cyber security (e.g. the protection of critical infrastructure from terrorist attacks) may necessitate measures which have serious implications for human security (e.g. surveillance of electronic communications). It is therefore worthwhile considering how to balance the sometimes conflicting demands of cyber security and human security.

Facilitator Ian Wallace noted that it is important to remember that the security of information systems is a means rather than an end, i.e. the ultimate goal of cyber security is safer and more stable societies, where individual rights are protected. He pointed out that even with the best cyber hygiene practices, it is not possible for individuals to defend themselves against more serious cyber threats, which is where the state must step in. An interesting question which then arises is how states should balance the need to protect data against the need to protect its citizens (which may involve weakening security to access information about criminal/illegal activity or general surveillance).

3. The Commission is interested in exploring how efforts to create security and justice can be mutually reinforcing or disruptive in an interdependent world. In your view, does cyber security reinforce justice? If so, how?

This question received the least attention during the expert consultation.

Alejandro Pisanty observed that cyber security can both strengthen and weaken justice. Cyber security can enable people to interact safely within a secure and stable cyber ecosystem, which allows them to exercise a variety of rights. In this situation, cyber security reinforces justice. On the other hand, state actors can use cyber security/ information security as a pretext for clamping down on fundamental freedoms and rights through the use of surveillance, censorship, Internet kill switches etc. Such conduct undermines justice.

Anja Mihr (Head of Rule of Law, The Hague Institute) advanced the notion of “cyber justice,” which refers to the application of human rights principles and frameworks in cyberspace, as a helpful concept in considering the impact of cyber security measures on end-users. Mihr contended that cyberspace does not require new frameworks or principles in order to realize cyber justice, but rather, effective governing, monitoring and enforcement regimes that guarantee and safeguard the rights of users in cyberspace.

Key Observations/Avenues for Further Exploration by the Commission

(Phase I: Cyber Security) The Appropriate Role of Government in Cyber Security

• Cyber hygiene is an important component of a safe and stable cyber ecosystem. It should be treated as an essential part of digital literacy and the development cycle of cyber systems and products.

• Cyber hygiene should not, however, be the top policy priority of governments. Governments should instead (1) focus on threats to which the private sector cannot effectively respond, i.e. threats posed by powerful state and non-state actors; and (2) provide the private sector with the right incentives to invest more in secure products and resilient networks, and practice better cyber hygiene.

• The threats posed by powerful state and non-state actors are primarily non-technical, and will likely be resolved through multilateral or bilateral agreements and/or national legislation.

• Effective incentives for the private sector to invest in cyber security are likely to involve (1) a liability system that penalizes the marketing of buggy, unpatchable code; and (2) a regulatory system that emphasizes resilience over prevention.

• To create a more safe and stable cyber ecosystem, states should also prioritize capacity-building; build trust with key local companies; and build a network of friends.

• Cyber security is best achieved through technical architectures that are secure by default and host architectures that implement key security concepts.

Opportunities for International Action

• Global harmonization of cyber security frameworks and standards, as well as global regulatory compliance is an important step in ensuring stable, interoperable networks.

• Networks can be secured effectively at a reasonable cost.

• Cyber security is primarily the responsibility of public and private organizations, not individuals.

• International cooperation should be based on an alignment of state interests.

• International cooperation on combating financial crimes in cyberspace could be the first step in an incremental approach to international cooperation on more sensitive cyberspace issues.

• International cooperation on combating financial crimes in cyberspace could involve the creation of an International Cybercrime Center, which is complementary to existing mechanisms like Interpol.

Recommended Focus Areas/ Issues for Further Exploration

• Consider whether the state should encourage greater private sector investment in cyber security through regulation, the provision of financial incentives or other means. Attempt to clarify what these regulations, incentives and/or means should be.

• With regard to human rights, human security, and the provision of justice in cyberspace, consider how existing legal principles and frameworks, which protect rights offline, can be implemented online.

• Consider how national criminal legislation (e.g. laws of evidence) can be adapted to enable the prosecution of crimes in cyberspace and support international efforts in this regard.

Summary of Phase II (Focus: Access to the Internet and the Freedom of Expression Online in the Global South) Facilitators: Sunil Abraham (Executive Director, Center for Internet and Society, Bangalore) and Sash Jayawardane (Researcher, The Hague Institute).

Phase II of the expert e-consultation ran from 17 November – 3 December 2014 and focused on issues relating to Internet access and the freedom of expression online in the Global South. Facilitator Sash Jayawardane circulated a discussion prompt on 17 November, posing three questions for discussion. These questions built primarily on an expert discussion, which took place in New Delhi in October 2014, chaired by Commissioner Dr. Jane Holl Lute. A summary of the expert interventions made in response to the questions posed during the e-consultation is provided below.

1. Should governments in the developing world allow zero-rating and other alleged network neutrality violations in order to increase Internet penetration?

Keerti Nagappa (Lawyer) acknowledged that zero-rating deals can help introduce emerging markets to the Internet, but underscored that these deals have significant implications for net neutrality, competition and innovation. Nagappa noted that many countries have moved to prevent zero-rating for these reasons. For example, Chile has banned carriers from offering zero-rating deals, while the EU Parliament adopted strong net neutrality laws in April 2014, which ban carriers from charging for providing faster services or differentiating between services based on source or content.[3] Nagappa also referred to the comments of Rohan Samarajiva, CEO of LIRNEasia that zero-rating deals can result in customers considering select services, such as Facebook, as synonymous with the Internet,[4] which has implications for market competition. Despite this, zero-rating can be important for some vulnerable populations, particularly those that are economically disadvantaged. In Prof. Samarajiva’s words “…if they do not get zero-rating, will they use the full internet? Or just have nothing?”[5]

Sunil Abraham suggested that regulatory responses from the broadcast era may help address some of the challenges posed by zero-rating. For example, imposing “must carry” requirements (i.e. providers of walled-garden services must carry some competing options) and “must provide” obligations (i.e. providers of walled-garden services must provide additional services such as (1) complete access to the Internet for a few hours per day, and/or (2) text only access to the whole world wide web, and/or (3) access to all government websites), may address the concern that zero-rating has a negative influence on competition and innovation.

Alejandro Pisanty pointed out that consumers who opt for zero-rating may do so to get more advantageous deals with regard to specific services, but also access the open Internet via WiFi or public broadband services. We should not therefore assume that the only people consuming zero-rating are those who cannot otherwise afford to access the Internet.

2. In your view, are there circumstances in which circumscribing the freedom of expression online is legitimate? What specific principles and procedures can help reconcile the right to free expression with competing concerns of the State (e.g. security)?

Lucas Lixinski and Rahul Sharma contended that the freedom of expression online is not substantially different from the freedom of expression offline. Lixinski noted that given the divergence of national/regional attitudes towards the freedom of expression, the most likely manifestation of common ground with regard to this issue is “a loose commitment to the notion of freedom of expression, and its [practical] application … according to local sensitivities of the place of jurisdiction.” According to Lixinski, this means that the principles and procedures that can help reconcile the right to free expression online with competing concerns are precisely the same as those that apply in an offline context.

Sharma posited that acts violating the freedom of expression, which are punishable offline, should also be punishable when committed online in order to “maintain parity and justice.” He also underscored the importance of understanding the respective roles of anonymity and attribution in the context of the freedom of expression online. According to Sharma, an ideal system would allow individuals to express themselves online anonymously, while retaining the ability to attribute online content to individuals when required by law. Sharma contested the notion that perfect attribution would be detrimental to human rights, asking what purpose imperfect attribution would serve.

Sunil Abraham expressed general agreement with the principle of equivalence advanced by both Lixinski and Sharma, but noted several important differences concerning speech online, which may need to be considered when contemplating appropriate regulation:

• Greater penetration due to mobile internet, which means more people are involved in the production of speech as well as its consumption;
• Persistence of online speech over time, given the storage capabilities of Internet platforms and peer-to-peer distribution;
• Personal computing and devices allow for extreme speech that is not subject to social mediation by others.

Paul Rosenzweig noted that while Abraham’s observations about the differences between speech online and offline are valid, we are still incapable of determining precisely how to treat speech online differently by accounting for these factors. He pointed to the case of Elonis v. United States, which is pending before the US Supreme Court, as an illustration of this difficulty.[6]

Keerti Nagappa, however, supported making a distinction between online and offline speech in regulatory approaches. With regard to the particular quality of the persistence of speech online, Nagappa pointed out that in a recent social media-related defamation case, the New Delhi High Court made a distinction between online and offline speech by adopting the Single Publication Rule and rejecting the Multiple Publication Rule for libel on the Internet. The court essentially held that the Multiple Publication Rule would constitute a disproportionate interference with the freedom of the press, since an aggrieved party could file suit every time a web page containing the offending material was accessed.[7]

Commenting on the tensions between the freedom of expression online and competing concerns, such as national security, Dr. Kamlesh Bajaj observed that while there are legitimate reasons for governments to conduct surveillance (e.g. counterterrorism operations) the mass surveillance of citizens without probable cause or proper legal authorization amounts to censorship and is a human rights violation. Dr. Bajaj underscored the importance of imposing limits upon the manner in which state actors can circumscribe derogable rights, and securing international agreement on what these limits should be.[8]

In this regard, Nagappa called attention to the work of Derek Bambauer, who proposes a process-oriented framework for actualizing “legitimate” censorship by the state. The framework includes the following criteria: Openness about censorship; transparency about what is censored; accuracy of filtering; and degree of citizen participation in decision-making about censorship.[9] Nagappa pointed out, however, that as Milton Mueller has argued, such approaches may encourage censorship by legitimizing state processes.[10]

3. What can governments in the Global South do to increase broadband penetration? What sort of partnerships should the government seek with the private sector and civil society in this regard?

Lucas Lixinski stated that Internet cafes sponsored by the state and civil society groups can provide access to those who are unable to own the necessary hardware or service subscriptions. He noted that it is important to consider how to overcome hardware access issues in developing countries.

In response to this observation, Sunil Abraham used the analogy of generic drugs in the sphere of public health, noting that those who cannot afford branded hardware could still purchase generic hardware “packed with innovations” at significantly lower prices.[11] Abraham noted, however, that “rights holders and mobile phone manufacturers with substantial patent portfolios are demonizing cheap phones as counterfeits … this must be resisted to protect both growth of the Internet and the availability of innovations in the marketplace.”[12]

Enrico Calandro (Researcher, Research ICT Africa) and Gideon Rop pointed out that Internet access and affordability remain key challenges in the Global South. Calandro noted that states must “design and implement effective strategies for the broadband sector to grow.” Reflecting on problems particular to the African context, Calandro observed that political interference in regulatory processes is problematic as it undermines regulatory freedom. Additionally, regulatory independence is also limited by fragile democratic states and authoritarian regimes. Calandro underscored that ineffectual interplay between governments, regulatory agencies, and markets result in low levels of access, high prices and low quality broadband services. He shared several recommendations developed by Research ICT Africa to overcome regulatory bottlenecks:

• Where backbone competition is unfeasible, state-owned entities should be consolidated through PPPs, together with the unbundling of backbone elements and the creation of open carrier networks;
• Resale of fixed-broadband to reduce prices and compete with mobile broadband;
• Release of spectrum through competitive evaluation and allocation of frequencies, as well as through migration and refarming;
• Removal of special taxes and duties on ICT equipment and services;
• Incentivizing infrastructure sharing to reduce rollout costs and prevent unnecessary duplication;
• Developing and implementing demand-side stimulation policies.

Rahul Sharma noted that while it is important for governments to provide TSPs and ISPs with incentives to rollout Internet infrastructure in remote areas, revenue generation is not proportional to rollout costs for OTT players vs. Internet infrastructure companies. The central question then arising is what incentives can governments provide for TSPs and ISPs to invest in less developed areas?

Alejandro Pisanty noted that while it is important to consider what governments can do to enhance access to the Internet, it is equally important to focus on what the government should not do with regard to Internet access. In this regard, regulatory frameworks that undermine opportunities for community organization; technological innovation; user-defined requirements, design, construction, implantation, operation and pricing of networks are important elements.

Key Observations/Avenues for Further Exploration by the Commission (Phase II: Internet Access and the Freedom of Expression Online in the Global South)

The Appropriate Role of Government

• To facilitate broadband access in the Global South:
  • Where backbone competition is unfeasible, state-owned entities should be consolidated through PPPs, together with the unbundling of backbone elements and the creation of open carrier networks;
  • Resale of fixed-broadband to reduce prices and compete with mobile broadband;
  • Release of spectrum through competitive evaluation and allocation of frequencies, as well as through migration and refarming;
  • Removal of special taxes and duties on ICT equipment and services;
  • Incentivizing infrastructure sharing to reduce rollout costs and prevent unnecessary duplication;
  • Developing and implementing demand-side stimulation policies.

• Practice regulatory forbearance to the extent possible in order to allow competition and innovation to thrive.
• Put safeguards in place to protect against political interference in regulatory processes, which should be independent.

Opportunities for International Action

• Review existing frameworks/guidelines for balancing the right to the freedom of expression with national security considerations and attempt to reach consensus amongst nation states on norms for responsible state behavior in this regard. Examples of such guidelines/frameworks include the Johannesburg Principles on National Security, Freedom of Expression and Access to Information (1996) and Bambauer’s process-oriented framework for actualizing “legitimate” censorship by the state.

• Attempt to reach consensus both amongst nation states and within the private sector about how best to make low-cost, generic hardware and software available to users in developing countries.

Recommended Focus Areas/ Issues for Further Exploration

• To improve access to the Internet in the Global South, explore what incentives governments can provide for TSPs and ISPs to invest in less developed areas.

• Consider further how speech online may differ from speech offline, and what regulatory and legislative implications this may have for protecting the freedom of expression online.

• Consider whether net neutrality violations like zero-rating should be permitted in emerging markets in order to provide Internet access to those who otherwise would be unable to access this vital social and economic resource. Explore ways in which competition and innovation can be ensured in such instances through, for example, “must carry” or “must provide” obligations similar to those found in broadcast regulation.

 

  [1] Tim Maurer and Robert Morgus, “Compilation of Existing Cybersecurity and Information Security Related Definitions” (October 2014), available at https://newamerica.org/downloads/OTI_Compilation_of_Existing_Cybersecurity_and_Information_Security_Related_Definitions.pdf accessed December 08, 2014.

[2] United Kingdom of Great Britain and Northern Ireland, “Response to General Assembly Resolution 68/243 ‘Developments in the field of information and telecommunications in the context of international security’” : “There is scope for potential confusion in the use of the term “information security” in that it is used by some countries and organizations as part of the doctrine that regards information itself as a threat against which additional protection is needed. The United Kingdom does not recognize the validity of the term “information security” when used in this context, since it could be employed in attempts to legitimize further controls on freedom of expression beyond those agreed in the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights.” Available at https://s3.amazonaws.com/unoda-web/wp-content/uploads/2014/07/UK.pdf accessed December 08, 2014.

[3] David Meyer, “In Chile, Mobile Carriers Can No Longer Offer Free Twitter, Facebook or Whatsapp,” GIGAOM, May 28, 2014 https://gigaom.com/2014/05/28/in-chile-mobile-carriers-can-no-longer-offer-free-twitter-facebook-and-whatsapp/ accessed December 1, 2014, and BBC, “Net Neutrality Law Adopted by European Parliament,” April 3, 2014 https://www.bbc.com/news/technology-26865869 accessed December 1, 2014.

[4] Rohan Samarajiva, “Facebook = Internet?” LIRNEasia, May 17, 2012, https://lirneasia.net/2012/05/facebook-internet/ accessed December 1, 2014.

[5] Rohan Samarajiva, “Nothing is Better Than Something, Or the Paternalistic Approach to the Internet” LIRNEasia August 16, 2014, https://lirneasia.net/2014/08/nothing-is-better-than-something-or-the-paternalistic-approach-to-the-internet/ accessed December 1, 2014.

[6] Lyle Denniston, “Argument Preview: Social Media as a Crime Scene,” Supreme Court of the United States Blog, November 29, 2014, https://www.scotusblog.com/2014/11/argument-preview-the-social-media-as-a-crime-scene/ accessed December 1, 2014.

[7] Aparajita Lath, “Defamation on social media: Delhi High Court adopts the ‘Single Publication Rule,’” SpicyIP, July 12, 2014, https://spicyip.com/2014/07/defamation-on-social-media-delhi-high-court-adopts-the-single-publication-rule.html accessed December 4, 2014.

[8] For an instructive example of guidelines for circumscribing derogable rights, refer to the Johannesburg Principles on National Security, Freedom of Expression and Access to Information (1996) https://www.article19.org/data/files/pdfs/standards/joburgprinciples.pdf accessed December 1, 2014.

[9] Milton Mueller, Networks and States: The Global Politics of Internet Governance (Massachusetts: MIT Press, 2008) Chapter 9, (Kindle edition, location 2139 to 2148).

[10] Ibid. Kindle location 2146 to 2168.

[11] The Center for Internet and Society, “Pervasive Technologies: Access to Knowledge in the Market Place,” https://cis-india.org/a2k/blogs/pervasive-technologies.pdf/at_download/file accessed December 1, 2014.

[12] For further information, see Sunil Abraham, “Smartphones, Tablets, and the Patent Wars,” The Economic Times, March 8, 2012, https://articles.economictimes.indiatimes.com/2012-03-08/news/31135829_1_sim-cards-patent-law-indian-patent-act