Internet Governance Forum-USA, 2012
Case Studies: IG/ICANN, Cybersecurity,
Consumer Privacy - Lessons Learned or Not
Brief session description:
Thursday, July 26, 2012 - This workshop was aimed at examining the role principles are playing in framing debates, achieving consensus and influencing change – or not. Proposals for Internet principles are popping up everywhere, from national to regional and global discussions, on a wide range of issues. In 2011, IGF-USA examined a number of principles in a session titled “A Plethora of Principles.” This session follows on that one. Session planners noted that it's not enough to simply develop a set of principles, the question is: how are principles actually implemented how are they inspiring change? Are they new voluntary codes of conduct, new regulations, new laws? Principles can become a baseline for gaining high-level agreements. They may go beyond the expectations possible through legislation or regulation, so some argue that principles should be written to be aspirational. Some argue for legislation, regulation or enforcement mechanisms to ‘hold industry accountable’ to promises made in principles designed as sets of commitments. This workshop examined three case vignettes: 1) how consumer privacy principles have fared in global and national settings in terms of these points ‘turning into practice’; 2) how the principles of a white paper were incorporated into ICANN’s formation and what the status of these principles are today within ICANN’s mission and core activities; and 3) how cybersecurity/botnet principles are faring.
Details of the session:
The moderator for this session was Shane Tews, vice president for global public policy and government relations at Verisign. Panelists included:
- Becky Burr, chief privacy officer, Neustar Inc.: Turning White Paper Principles into actuality in ICANN
- Meneesha Mithal, associate director of the division of privacy and identity protection, Federal Trade Commission: Consumer privacy principles
- Eric Burger, director of the Georgetown University Center for Secure Communications: Cybersecurity and botnets
- Carl Kalapesi, co-author of the World Economic Forum's report Rethinking Personal Data: Strengthening Trust: the World Economic Forum perspective
Before an informal agreement, policy or formal regulation is adopted, passed or approved it takes its initial steps as an idea. The trick lies in bringing it from a formative state to something actionable, otherwise it may languish as a suggested goal, followed by and adhered to by no one.
During the IGF-USA panel titled “Turning Principles into Practice – or Not” participants shared successful case studies as examples of how to create actionable practices out of ethereal goals. Citing processes ranging from US efforts to counteract botnets to domain name system governance and to consumer privacy, three panelists and one respondent drew from their own experiences in discussing ways in which people might successfully bridge the gap between idea and action.
Meneesha Mithal, associate director of the Federal Trade Commission’s Division of Privacy and Identity Protection, weighed in on the efficacy of principles versus regulation by offering a series method to act on a problem.
“It’s not really a binary thing - I think there’s a sliding scale here in how you implement principles and regulation,” she said. She cited corporate self-regulatory codes, the work of international standard-setting bodies, multistakeholder processes, safe harbors and legislation as possible means for action.
Mithal highlighted online privacy policies as an example of the need for a sliding scale. The status quo has been to adhere to the concepts of notice and choice on the part of consumers; this has resulted in corporations' creation of lengthy, complicated privacy policies that go unread by the consumers they are meant to inform. Recently, pressure has been placed on companies to provide more transparent, effective means of informing customers about privacy policies.
“If it had been in a legislative context, it would have been difficult for us to amend laws,” Mithal said, though she admitted that such flexible agreements are “sometimes not enough when you talk about having rights that are enforceable.”
And Mithal did note that, given the current climate surrounding the discussion of online privacy, it’s still the time for a degree of broad-based privacy legislation in America.
Eric Burger, a professor of computer science at Georgetown University, spoke on the topic of botnets, those dangerous cyber networks that secretly invade and wrest control of computers from consumers, leaving them subservient to the whims of hackers looking for a challenge, or criminals looking for the power to distribute sizable amounts of malware.
Given the sheer number of stakeholders - ISPs concerned about the drain on their profits and the liability problems the strain of illegal information shared by the botnets, individual users concerned over whether their computers have been compromised and government agencies searching for a solution - Burger said that the swift adoption of principles is the ideal response.
Among those principles are sharing responsibility for the response to botnets, admitting that it’s a global problem, reporting and sharing lessons learned from deployed countermeasures, educating users on the problem and the preservation of flexibility to ensure innovation. But Burger did admit the process of arriving at this set of principles wasn't without its faults. “Very few of the users were involved in this,” he said, citing “heavy government and industry involvement, but very little on the user side,” creating a need to look back in a year or two to examine whether the principles had been met and whether they had been effective in responding to the swarm of botnets.
Becky Burr, chief privacy officer and deputy general counsel at Neustar, previously served as the director of the Office of International Affairs at the National Telecommunications and Information Administration, where she had a hands-on role in the US recognition of ICANN (NTIA). She issued a play-by-play of the lengthy series of efforts to turn ICANN from a series of proposed responses into a legitimate governing entity, which was largely aided by a single paragraph in a framework issued by President Bill Clinton’s administration in 1997.
Written as a response to the growing need for the establishment of groundwork on Internet commerce and domain names, the paper called for a global, competitive, market-based system for registering domain names, which would encourage Internet governance to move from the bottom-up. The next day, the NTIA issued the so-called “Green Paper” which echoed many of the principles of the administration’s framework and drew extensive feedback from around the world, including negative feedback over the suggestion that the US government add up to five gTLDs during the transitional period.
After reflection on the feedback to both the white and green papers, and a series of workshops among multiple stakeholders to flesh out the principles of stability, competition, private-sector leadership, bottom-up governance and realistic representation of the affect communities, ICANN held its first public meeting Nov. 14, 1998, underwent several reforms in 2002, and ever since, in Burr’s words, “is still the best idea, or at least no one’s figured out a better idea.”
“The bottom line is to iterate, make sure you articulate your principles and try to find some built-in self-correcting model,” Burr said.
While Burr’s play-by-play described how a relatively independent, formal institution was formed to offer DNS governance, Carl Kalapesi, a project manager at the World Economic Forum, offered a more informal approach, relying on the informal obligations tied to agreeing with principles to enforce adherence.
“Legislative approaches by their nature take a very, very long time," Kalapesi said. He vigorously supported the importance of principles in offering “a common vision of where we want to get to,” which leaders can sign onto in order to get the ball rolling.
He offered the example of the “Principles of Cyber Resilience,” offered to CEOs at last year’s World Economic Forum with the goal of making them more accountable for the protection of their own networks and sites while still allowing them flexibility to combat problems in a way that best suited their own work-flow and supply chains.
Central to Kalapesi’s argument in favor of principle-based solutions is their flexibility.
“Half of the uses of data didn’t exist when the data was collected – we didn’t know what they were going to do with it,” he said, alluding to the concerns over the use of private data by the likes of Google and Facebook, which accelerate and evolve at a rate with which formal legislation could never keep up.
Burr later echoed this point in theorizing that 1998′s Child Online Protection Act might soon be obsolete, but Mithal remained firm that a “government backstop” should be in place to ensure that there’s something other than the vague notion of “market forces” to respond to companies who step back from their agreements.
– Morgan Little
Return to IGF-USA 2012 Home
The multimedia reporting team for Imagining the Internet at IGF-USA 2012
included the following Elon University students, staff, faculty and alumni:
Jeff Ackermann, Bryan Baker, Ashley Barnas, Katie Blunt, Mary Kate Brogan, Joe Bruno, Kristen Case, Allison D'Amora, Colin Donohue, Keeley Franklin, Janae Frazier, Ryan Greene, Audrey Horwitz, Elizabeth Kantlehner, Perri Kritz, Morgan Little, Madison Margeson, Katie Maraghy, Brennan McGovern, Brian Mezerski, Julie Morse, Janna Anderson.