Synopses of the discussions held earlier.

Derek Wyatt MP, Considering the issue of internet governance

Most of the world governing bodies came out of WWII. Are they appropriate for a 21st C globalised world? If we discuss how we look at the net, is where it is right now currently appropriate? Is WSIS the right place? Or should it be the WTA, but the WTA is falling over. And the net can undermine them all anyway.

WSIS in Tunisia was really about ICANN, and the discomfort with America's hold on it. But in places like the Middle East where they have no search in Arabic, they get understandably frustrated. [Google then corrects: they have Google Arabic search and can do page translation, although that's in beta. Some of the problems are that it's an intricate language to translate and the potential for misunderstanding is great, so volunteers provide feedback on translation, which is why they are in beta.]

Three areas to consider: regulatory centre, which seems to work well; internet user behaviours like gambling and porn, and which is the most appropriate way to deal with them; and non-internet issues like copyright and DRM.

Old paradigm was the telcos were run by government and geographically constrained, but hankering by government to bring internet into that paradigm. That was part of the issue at WSIS, that politicians don't like not having control. Question about whether America is driving policy by default, e.g. by trying to turn the net into another TV channel, by clamping down on things like gambling. But would the UK be good at being a centre of light-touch regulation?

Question: do we need a new body? Existing organisations like G8 and UN are no good if they take 3 years to come up with a policy. It's like ISO taking so long to ratify standards that businesses have already adopted. Internet is going to be pervasive and need to look at socio-economic impacts. Internet Governance Forum, point is to get a bit closer to the users and create a multi-stakeholder discussion.
Need to keep track of pace of change. How can any regulator hope to keep up? To manage the era we're in needs a fresh look at the institutions. In terms of child protection issues, for example, one option is getting credit card companies to work more closely with child protection. But some issues in the ether are going to be very hard to manage, and the idea that there's a quick fix at the UN is wrong, because it takes one rogue nation to make it impossible to enforce. The issue is to chase the money, because that's where you can have an impact.

Around child porn and child safety, there should be controls. And in this country we've been very successful with the IWF. But what mechanisms could be used internationally, so that we can extend good practice in this country out to other countries? Following the money has been one way to deal with this, but there's a range of issues we need to deal with.

One of the disappointing things APIG found in the US is that they use the First Amendment to say 'We can't do anything' about child abuse. But can we do something? Every country accepts that child abuse is wrong. How you try to get organisations and countries to subscribe to dealing with it has to be done on a case-by-case basis. The solution that doesn't work is when you try centrally to resolve the issue, because you're left still with an awful lot of questions that need to be addressed. It's an awareness-raising issue, a following-the-money issue, it's tackling the crime. When people start becoming aware of the things you can do, and the mechanisms you can use, you're in a better position to get people to sign up to address those issues.

The US is actually starting to recognise that they can start doing things about it because they have a mechanism that allows them to do it. As a consequence of the voluntary approach to blocking child porn, America have now agreed to follow our system and IWF provide that data to US ISPs that aren't already getting it.
The model is being picked up in many places, and interest in the IWF is outstripping their resources, e.g. China and Japan interested in it too, and trying to get head round self-regulation instead of legislation.

Alun Michael MP, Security and eCrime

Alun Michael has taken on chair in EURIM on ecrime. Today's session was short, just a taster of what will need to be talked about in developing parliamentary understanding.

Tension between benefits of freedoms and opportunities of internet, and the vulnerabilities, security risks etc. Have gov't buildings secure if people are unsafe on the street; online equivalent of a fort, where the barons are secure but the peasants are at risk. What happened to HO strategy on ecrime? Need ecrime to be demystified: it's not virtual crime, but real crime with real victims and real damages.

Is there a need for legislation on encryption? Is it reducing opportunity? Need education not awareness, because awareness is too skimpy. Have to give people knowledge and the tools to do something about it. Security and a false sense of security are not too far from each other. Too much security can be problematic at the moment.

Going forward there are major issues, many industrial, some parliamentarian. People fear internet crime more than mugging or car crime; they think it's more likely to happen. 40% thought big online organisations should insure users against fraud.

International co-operation, not just to take down the criminals but to follow the money and find allies. Take civil action where it's most effective. Need to get away from the idea that 'there ought to be a law about it'. Quote: Laws rarely prevent what they forbid. Need to look not just at what you can prosecute, but how can you create an environment where you can protect those who deserve it and make it hard to make money by illegal means.

My question: Where do victims report ecrime?
If someone steals a sword I've created in an online game which has real value, both in the game and offline, where do I report that? Local police are not going to be interested. Guy from Tiscali talking about getting intelligence about illegal operations, but had no one to report it to. Who deals with acting on this information?

Every stakeholder needs to do what they can, but we need to know what that is. Need specialist departments for specialist crimes. Have set up help lines for children concerned for what's happening on the net. So crime that involves a financial action is different from one that results in a physical crime. Can't imagine we have one crime agency.

Getting into the heart of the discussion that needs to take place. Need to have the police involved, along with industry people, because that's the only way to get a capacity for parliamentarians to take intelligent action. In terms of reporting, it's huge, and we need to be clear about what expectations are.

With child abuse, there are important lessons to be learnt (but not inappropriately translated to areas of crime where not appropriate), is about actual physical abuse. Success of partnership on child abuse: police would never have had resources to work on online child abuse on an investigative basis. But the take-down regime doesn't work for, say, fraud.

Specialists on ecrime is tricky. Do you separate e-fraud from e-abuse from e-security? You need expertise but you need it linked into the mainstream, yet must not go to lowest common denominator.

[Although I didn't hear an answer for exactly where I would report an ecrime, such as the theft of my virtual sword.]

Mark Gracy, ISPs in the content driven era

Short debate. But three key areas:
- why should ISPs have mere conduit
- perhaps they could do more
- is mere conduit the only problem?

Why do ISPs have mere conduit status? It drives innovation, social/economic development. Without it, no protection for ISPs for content they can't control.
If it was lost there'd be no innovation, no growth. If ISPs have to control traffic, then that's added cost and could fall back onto consumer.

Should ISPs be doing more? Public expectation that perhaps they should. They appear to have the means and the technology to control traffic. ISPs should also be a bit more proactive in the messages they are giving out, how things work, what the implementations of some technologies actually mean. Should be more responsible for their services, perhaps a need for an understanding of the issues. Has to be everybody involved, not just industry, but end users too. Ask infringers why they are infringing, not just make assumptions.

Is mere conduit the only problem? Other bits of legislation get in the way. On IP front, ISPs control the network and have the customers, and have to protect their customer data because of Data Protection Act. So we need to look at other bits of legislation.

Are ISPs hiding behind mere conduit and not doing things because they don't need to? Should they do more? But if they start saying 'we can do this for this area of this issue' then the floodgates might be opened. Implications. Are different attitudes across the world, even within the EU.

Not enough time to debate in enough detail, but still an argument from ISPs is that we do need mere conduit status, it's very important. Some people have issues around the way that ISPs approach types of content and they want something done. But everyone needs to be involved.

MS guy talks about parental controls.

Should ISPs take out insurance against the problems they face, the way that financial companies do against fraud?

Can't be purist and say that ISPs have no responsibilities. If a postman knows there's a crime being committed, he has a moral and legal obligation to report it. But the ISP industry needs to be very careful with their language: if they say 'we are only a pipe', then people draw parallels with other conduits and say 'no, there are responsibilities'.
If, as a network provider, one takes legal advice, the advice has come back 'don't look too closely because if you do and you see things, you are liable'. If one wants to be a responsible provider, it's not a good position to be in. Close to issue on confidentiality, and we need to create new boundaries.

Lots of work is being done on parental controls to help people understand them, Kite Marks, going into schools and helping children understand the issues, etc. Everyone has a part to play. Internet remains a good thing for people to use, but we need to make sure people understand what it offers and how to protect themselves.

Liability for internet is codified in the ECommerce Directive, and you have the mere conduit status, and limitation of liability for hosting and caching, for which the test is actual knowledge of illegal things, and that you act expeditiously to do something about it. But it's not clear what that exactly means. Should ISPs be deciding if content actually is illegal? Is that not for the court? For defamatory material, they have to ask lawyers if the content bears a defamatory meaning, not is it defamatory, because that's the court's decision. Customer also has freedom of speech.

Yes, do need insurance so if ISPs do get sued, they claim it back. Or have a clearer notice and takedown methodology. What is 'actual knowledge'? What is 'expeditious'? How do we trust the complainant to be telling the truth? Can cite lots of cases where the complainant has got it wrong. But just because the complainant is well known, say, does not mean that their customer is breaking the law.

Important that ISPs have the mere conduit protection, and this is not wiping our hands of the issues, and ISPs do act responsibly, e.g. having acceptable use policies, working with IWF, police, etc.