Fwd: [Internet Policy] Report of the GCIG
Listers,

This might be useful to some.

Regards

---------- Forwarded message ----------
From: Richard Hill <rhill@hill-a.ch>
Date: Wed, 22 Jun 2016 15:01:48 +0200
Subject: [Internet Policy] Report of the GCIG
To: "Internetpolicy@Elists. Isoc. Org" <internetpolicy@elists.isoc.org>

The Global Commission on Internet Governance has released its report, see:

http://ourinternet.org/report

I found this report to be well researched and well written, and worth reading carefully. As far as I can tell, it is well aligned with ISOC's positions and priorities.

For what it is worth, I reproduce below some portions that I found worth singling out. There are no page numbers in the report, so I could not include page references.

Best,
Richard

=======================

CORE ELEMENTS OF A SOCIAL COMPACT FOR A DIGITAL SOCIETY

There must be a mutual understanding between citizens and their state that the state takes responsibility to keep its citizens safe and secure under the law while, in turn, citizens agree to empower the authorities to carry out that mission, under a clear, accessible legal framework that includes sufficient safeguards and checks and balances against abuses. Business must be assured that the state respects the confidentiality of its data and they must, in turn, provide their customers the assurance that their data is not misused.

There is an urgent need to achieve consensus on a social compact for the digital age in all countries. Just how urgent is shown by current levels of concern over allegations of intrusive state-sponsored activities ranging from weakening of encryption to large-scale criminal activity to digital surveillance to misuse of personal data, and even to damaging cyber attacks and disruption.

-----

Governments should not create or require third parties to build back doors or compromise encryption standards, as these efforts would weaken the Internet and fundamentally undermine trust.

Efforts by the technical community to incorporate privacy-and-security-enhancing solutions into all standards and protocols of the Internet should be encouraged.

The Commission urges member states of the United Nations to agree not to use cyber technology to attack the core infrastructure of the Internet. Governments seeking a peaceful and sustainable Internet should adopt and respect norms that help to reduce the incentive for states to use cyber weapons. Governments should agree on infrastructure assets and services that must not be targeted by cyber attacks.

Businesses should purchase cyber insurance to cover the liability costs of breaches of their systems. Cyber liability insurance vendors can be persuasive in promoting best practices in the corporate sector. Cyber premiums should be higher if best practices are not followed. Insurers need to have better data to appropriately identify and price cyber risk and to develop appropriate products. Government regulations should require routine, transparent reporting of technological problems to provide the data required for a transparent market-based cyber-insurance industry.

There is a need to reverse the erosion of trust in the Internet brought about by indiscriminate and non-transparent private practices such as the collection, integration and analysis of vast amounts of private information about individuals, companies and organizations. Private surveillance based on "big data" is often conducted under the guise of a free service. ... Users should not be excluded from the use of software or services that allow them to participate in the information age, and they should be offered the option of purchasing a service without having to agree to give the provider access to their personal information. International rules are also required to ensure that the holders of large repositories of data are transparent about how they collect, use and share user-generated data.

Interception of communications, collection, analysis and use of data over the Internet by law enforcement and government intelligence agencies should be for purposes that are openly specified in advance, authorized by law (including international human rights law) and consistent with the principles of necessity and proportionality.

... governments should use competition as a tool to expand Internet access facilities to the maximum extent possible, while investing to ensure availability when market forces prove insufficient.

The disruption to traditional jobs and skill requirements can create economic hardship and civil discontent. Rather than attempting to preserve old jobs by stifling innovation, governments should help workers adapt to the new economic reality via skills training and educational programs.

The Internet has indeed reached a crossroads. Choices need to be made - and making no choice is itself a choice. It is all about who should have what power to control the future of the Internet. Our advice is based on the belief that only a normative approach can address the myriad challenges facing Internet governance. We call on governments, private corporations, civil society, the technical community and individuals together to create a new social compact for the digital age.

There is a growing concern about the market power and data collection capabilities and practices of the large Internet platform companies as well as other private data intermediaries.

The failure to incorporate security as an essential design feature by vendors and larger customers of the IoT raises concerns that its explosive growth could result in the "weaponization of everything."

Legal thresholds for lawfully authorized access to communications data must be redefined to ensure that the aggregated collection of metadata - such as an individual's full browsing history - are treated with the same respect for privacy as access to the actual content of a communication, and should only be made under judicial authority. In all cases, the principles of necessity and proportionality must be applied.

Governments should not compromise or require third parties to weaken or compromise encryption standards, for example, through hidden "backdoors" into the technology as such efforts would weaken the overall security of digital data flows and transactions.

Individual users of paid or so-called "free services" provided on the Internet should know about and have some choice over the full range of ways in which their data will be deployed for commercial purposes. They should not be excluded from the use of software or services customary for participation in the information age, and should be offered the option of purchasing the service without having to agree to give the provider access to their personal information. Terms of use agreements should be written in a clear and accessible manner and should not be subject to change without the user's consent. Businesses should demonstrate accountability and provide redress in the case of a security breach or a breach of contract.

To assure the public that their data is being appropriately protected, states that do not already have comprehensive personal data protection legislation and a privacy enforcement authority with legal enforcement powers should take steps to create such regimes.

Governments should initiate efforts to develop international consensus on norms about how to deal with cases where the goal of protecting data comes into conflict with the requirements of law enforcement or security agencies to investigate terrorist activity or attacks in an emergency situation.
At a minimum, any solutions should be derived through a multi-stakeholder process, broadly agreed, and must be subject to legal oversight, governed by principles of necessity, proportionality and avoidance of unintended consequences.

Businesses should purchase cyber insurance to cover the liability costs of successful breaches of their systems. The market for cyber insurance is immature in comparison to the seriousness of the threats, and the capital available to the industry is currently inadequate to underwrite the full risk. Pricing the risk is difficult in the absence of reliable time series data, making it difficult for insurers to put a reliable figure on the likely losses from breaches. More research is urgently needed to support greater accuracy when pricing risk.

To assist the public to understand and practice the essentials of cyber hygiene, governments should undertake significant campaigns to raise awareness and develop the needed skills. Cyber-security awareness programs should start early, for example, by incorporating cyber hygiene into primary and secondary education curriculums.

Consistent with the recognition that parts of the Internet constitute a global public good, the commission urges member states of the United Nations to agree not to use cyber weapons against core infrastructure of the Internet.

The disruptions resulting from the rapid spread of the sharing economy are already being felt. All levels of government (national, subnational, local), industry, civil society and the technical community, need to be engaged on the new regulatory challenges posed by the sharing economy.

_______________________________________________
To manage your ISOC subscriptions or unsubscribe, please log into the ISOC Member Portal: https://portal.isoc.org/
Then choose Interests & Subscriptions from the My Account menu.

--
Barrack O. Otieno
+254721325277
+254733206359
Skype: barrack.otieno
PGP ID: 0x2611D86A