14 May 2015
2:00 p.m.:

CHAIR: There are a couple of lunch meetings that are running a little over, so we're going to delay for just a minute or two more to see if my co‑chair with make it. And then we're going to get started. But if she can't, I'll cover and then she'll cover so it's all really mellow.

We're going to get started and I'm Meredith, I am co‑chair, and,my other co‑chair is going to be here in a second. I want to welcome to the stage Alexandra Permyakova. She is going to be talking about Russian perspective on Internet governance, she is a RACI student and this is part of her research. We are really happy to have her, and your slides are going to be up there and I'll give you time.

ALEXANDRA PERMYAKOVA: Thank you Meredith. Hello. I am a student at national research university, the hire school of economics in Moscow Russia. Today I would like to tell you about the Internet governance in Russia and my aim is to provide you with information about the current situation in Russia. In the end of my presentation, you will have time to ask questions.

I would like to start my presentation with the general information. On this slide you can see the Internet accessibility around the world. The level of Internet penetration in Russia is 73%, which is comparable to the situation in other countries. For example, Poland, 63%, or US 87%. The number of Internet users in Russia is growing rapidly, and time spent on the Internet is growing respectively. Also, the average age of Russian Internet users is 33 years.

Curiously that the concept of Internet governance had not even existed in Russia until the recent time. Only in 2012, the discussion came to the Internet content and this nature became subject of debate in Russian society. The discussions led to the adoption of the law in 2012. The law set out a single register of band sites which were blocked by all Russian ISPs. So, Russian continental model of sons sore ship on the Internet. The main characteristics are the following:

First, filtering socially dangerous resources clearly defined categories.
Second, the fight against copyright violations.

Today the list of countries that have implemented continental model of censorship includes, France, Germany, Great Britain and Belgium.

And now we are going to discuss the most important laws on Internet governance in Russia. The most known is the Federal law, which establishes prohibiters for access to film that are legally available online. So as to combat the distribution of pirate video content and to protect the IP rights to films. This is a Russian SOPA.

Second, the Federal law which let's ross common absorb blocked websites with extreme content, defined by the attorney 's office.

Next, the bloggers law which came into force I think one year ago, now Russian bloggers have to register if they have more than 3,000 followers unique visitors per day, and it all imposes additional responsibility on them for the refining the accuracy and reliability of post information following election law, respect interpretation and privacy, restraint from using course words and so on. Those responsible web page, in social networks, blog‑hosting services as well as online forums.

And now, the last but not least, the Federal law which says that all companies should keep Russian clients' data in Russia, including Facebook, Twitter and so on. The law will come in force in September 2015. There are a lot of talks about this law because it makes a lot of problems with current application infrastructure.

Let's move on. Russians Stakeholders on Internet are the same as all over the world. Government, and IT companies. The amount of ‑‑ Yandex, rambler and co‑and mail RU group and Google. The biggest in those represented in Russia are the Russian Association For Electronic Communication, Coordination Centre for TLD RU and the Safe Internet League.

The Government is represented mostly with RS common absorb. The regularly on frequency and band regulation came Internet watchdog with a wide authority, including issuing the control and supervision of mass media, IT, mass communication and telecommunications.

Next slide, about a view from Russia.

Recently, the new project was presented. The institute of Internet development, the main goals of the project are: Public and private research in the interests of IT industry and Government; establishment of an expert committee; and development a list of national interests on Internet.


IT community wrote a collective letter to the Russian president, Vladamir Putin, which represents the position of branches against the law on Internet tax. The Kremlin supported IT community and based on the ideas in the letter, rejected the concept of the law on Internet tax.

And now we are going to talk about different aspects. First, economic aspect.

The volume of Internet dependent markets was more than 6.7 trillion rubles to the end of 2013. It is comparable to 10% of Russia's GDP.

Legal aspect: All online processes which have an effect on off‑line necessitate legislative regulation.

Next, political aspect:
There is also a cautious attitude towards information control companies like Facebook, Google and so on. It can carry obvious political risks.

Google is being watched by the anti monopoly service Russia. After Russia biggest search engine Yandex filled a complaint Google before being in third company full access to Android platform. Jansux want manufacturers like Samsung want to install their software which seems forbidden by Google, they are not explicitly.

And the next social cultural aspect: Two years of attempts of State regulation run into a law digital lis tee of Russian Internet users. We can tighten the rules for using the Internet, but it will only stop its development, but does not soft problem. It's necessary to support and train users, not intermediate future users but teach about risks that the Internet poses.

The level of digital literacy of the Russian population was 15% in 2013. By the end of 2014, their share of media literature population reached I think 20%, while the number of users of legal content on the the Internet is just 10 million people.

Ministry of Telecom and the mass communications, or the Russian Federation has prepared a special problem to improve the competitiveness of the Russian media industry and the level of development of the citizens. All the modern means of mass communication. The programme for their development of media literacy is also done learning the bakes of parental control in which parents develop the skills of the course that personal safety of children on their actions, in social networks and the Internet. Citizens are told the basics of security related to the preservation of both personal and confidential information. Older people are taught the basics of fraud on the Internet.

Also, the programme of the digital device has entered into an active phase in Russia. In the next ten years high speed Internet should appear in every time ‑‑ in every town, where lives at least 2,050 people.

So, obviously, political aspects were the agent of Internet governance in Russia. However, it's hoped that other aspects will also play a significant role in the future.

So, thank you for your attention. If you have any questions, feel free to ask me and it will be great if you tell me about laws on Internet governance in your country. Thank you.


CHAIR: Thank you.

AUDIENCE SPEAKER: I do not have questions, but I want to comply your request and tell you about laws in my country. My name is Alexander and I live in Russian Federation. She represented an an official view with what's going on in Internet law in Russian Federation. I must mention that all those Alexandra mentioned actively used an an Internet censorship force, because some of these laws were intended to protect children against harmful information, maybe how to consume, how to commit suicide and some sexual content. So, most of the important filtering implemented by these laws are against Russian opposition, you can check there is some civil incentives monitoring this thing. Also, Alexandra mentioned that there is, that laws against Internet tax was cancelled by Mr. Putin. One maybe, but the Russian of PMA or something like this always on the run to implement new laws how to get money from Internet users. Actually, they are already getting money from any Flash users, any device with Flash memory is being taxed by Russian copyright holders, so now they are running for Internet.

What else? Okay. Russian citizens are not being listened by Russian Government. There is special kind of collection petitions at Russian Federations where identified citizens could vote for or against some laws. For example, laws against filtering ‑‑ laws about filtering and laws intended for filtering of cooperated content collected 100,000 authorised signatures of Russian citizens, and over 100,000...

That's about laws in Russian Federation. I think I have ‑‑

CHAIR: Thanks for the comment. Please announce your name and affiliation.

AUDIENCE SPEAKER: My name is Maxime Buracoff, also from Russia, and from RIPE NCC as well. I haven't heard the official position, but I think Alexandra said there are problematic issues, she named a few laws that prohibit a lot. So, probably that's what it is, right now. I have a question, a different one.

You mentioned that Russia is leaning towards the continental model that you named France, Germany and so on. Can you go deeper into that and give more examples how we compare?

ALEXANDRA PERMYAKOVA: So, as I already said, Russian Institute continental model of censorship on the Internet. It's like in Germany, Belgium, Great Britain and France, and the efforts to combat child pornography and copyright common to all the countries in this group. However, the goals are the same, but our methods are different from country to country, and for instance, in France and Germany, there are laws declaring blocked materials press ‑‑ denying the holocaust and inciting ethical and ‑‑ also, many countries have laws against the violation of privacy.

CHAIR: Thank you. And that was a great short summary. I think this brings us really nicely into the next presentation, you see here like you have different justifications for what is effectively the same technical means, sensoring opposition content or child pornography or whatever your justification is. And we are now going to have Corin Cath talking about what are the possibilities and ways forward for building technological standards that instantiate human rights. So, thank you very much.


CORINNE CATH: Hi, thanks for the kind introduction, I hope I can do justice to the level that Meredith has set right now. But as mentioned before I am studying at the Oxford Internet Institute and I'm looking at how human rights principles could or could not be instantiated within Internet protocols and standards and I'm mainly focusing on the IETF.

Now, it's not possible to talk about the IETF without mentioning this important motto, so, they work by saying we reject kings, presidents and voting. We believe in rough consensus and running code. But, the IETF is much more. Their main goal is to make sure the Internet works better and we have a very specific definition of how to get there.

So, a little bit of history. A lot has changed over the years, in the beginning of the IETF, the IETF community, there was a lot of overlap between the end users of the Internet and the people who were building protocols. Now, we have had a presentation by the ISOC people beforehand we were saying that certain groups participate more than others do and what we can see now is that civil society engagement in comparison to other Stakeholders in protocol development is very minimal and this is increasingly starting to become a problem, as the Internet sort of reach expands and its impact on civil society is becoming increasingly large.

So, I believe there is two things that need to be done right now.

First, it's very important to get a better understanding of the actual impact of standards and protocols on society, whether these are intentional or not.

And the second thing is to sort of investigate the possibilities for eninsuring that the impact of these things is in line with existing human rights standards and ethical norms.

So, I'm looking at the following research questions:

Could and should human rights been instantiated in protocols?

Is it possible to translate human rights to technical concepts?
And how should civil society organisations participate in the creation of standards?

As might be clear at this point, I am not a technical engineer. I am an anthropologist by training and I have a Masters in human rights. And the way I have gone about trying to figure this out ‑‑ this is not me trying to bring my point of view across but I have gone into the community and just asked them. So I have done at least interviewing, participant observation, and discourse analysis of the different RFCs to try and find some answers to the questions that I have posed beforehand.

And doing this, I have run into a bunch of different tensions and tussles. Which can be divided in three different plains. The first one is mainly philosophical. So, who actually sets the standards, who are the party at the table and what kind of an impact does this have on the outcome?

The other thing is that something that came up with the interviews repeatedly, people said yes, but if you want to do this you have to taken into account that the human rights as you define them are, in some places, seen as a very western conceptualization of human rights.

And then the other thing is can standard setting bodies, which are not like many other bodies, places where people are elected democratically, there are very few checks and balances as such. Can these places get the legitimacy necessary to encode laws.

Then very protocol specific. When you are trying to do this, should you do it in a way that allows for tussle between the different Stakeholders, this is an argument that's often made by David Clarke from MIT.

But then on the other side, what about the existing path of contingency of technology in a sense that we are now making decisions about technology which take it in a certain direction. And can you even translate human rights to technical concepts? How would that work? What would that look like?

Then the very sort of practical things that people raise is like how do you get all the Stakeholders at the table? Is this something you want? Something that a lot of people gave push back on is we don't want to try and transform the IETF into an ICANN or an ITU or that's not what we do, we are in the business of being technical engineers and solving technical problems.

And then even if you find a solution to all of these problems, there is still the fact that you know IETF standards and protocols are voluntary, there is no way that we can enforce them. So, even if you find a way to are sort of of make sure that they account for human rights, if somebody then decides to deploy them in a way that's not completely according to the spec, there is nothing we can do about it. Another practical thing is how do you deal with the existing barriers to entry to the IETF? So this is something that was also mentioned in the ISOC research. Although considering if you look at other standards in bodies, it's very open. There are still barriers to entry, we can think of stuff as it is expensive to fly to the meetings, it takes a lot of time to keep up with mailing lists, you need to have a pretty well understanding of English to be able to participate in these debates.

So, this is where I am with the research that I'm doing right now. I hope that in the upcoming months, I can follow some next steps and get to a little bit more something that's a little bit more closer to somewhat definitive answer to the questions I have posed.

But right now the steps I have taken, I have gathered the interviews, right now I'm working on trying to synthesise the data and look at general themes that are coming up, and then bring these findings back to the IETF and get more feedback and that's also something I'm interested in hearing from this community like how do you see this research? Is this possible? Is this something we should even be considering doing or not at all?

And in trying to distill some lessons from that look at best practices and start an ongoing conversation with the community. Because, it is impossible to negate the fact that increasingly, whether it's a crash collision or whether this is a good thing, human rights and Internet architecture management are coming together. And then there is the tiny bit of I actually have to graduate. That's sort of the last step.

And so, are there any people whose like specific feedback? Any questions, anything that is unclear, I'd love to hear what you have to say.

CHAIR: Thank you Corinne. I imagine there are a couple of thoughts. And I see back here and then we'll go around.

AUDIENCE SPEAKER: Hi, my name is Iljitsch from Ben a.m., I have been participating in IETF process for about a decade now. One thing I wondered about an earlier slide it it says there is very little involvement from civil society into the IETF. So, it seems to me like that that indicates an unstated assumption that as long as the people involved are participating, then the outcome will be good, and I don't think that's necessarily the case. Maybe the people, they participate but the outcome is still bad or maybe the outcome can be good through other means than participation.

CORINNE CATH: Would you have any suggestions like what would be a different way of participation then?

AUDIENCE SPEAKER: Well, it's not so much that I have all the answers ‑‑

CORINNE CATH: Neither do I.

AUDIENCE SPEAKER: But, it's more that this seems to suggest as long as we just make the civil society participate, then we're okay, and I think that's too simple. I could be wrong in both directions, either that you do have the participation but not the good outcome or maybe there are other ways to get the good outcome. From my experience in the IETF, is that these ‑‑ most of the people that participate, they are, they do keep ‑‑ they feel strongly about the rights and wouldn't trample them easily, so, I think we're all people, of course, so even the IETFers, they want to have human rights, so, I think most of us look out for that kind of stuff, although of course we mostly look out for the technical stuff, so, I'm sure there's ‑‑ it will be helpful to have more guidance, these are things where stuff can go wrong if you don't pay attention.

CORINNE CATH: Thank you that's very useful.

CHAIR: Sounds like there needs to be some measurement.

AUDIENCE SPEAKER: Hi, thank you for your interesting presentation. I wanted to follow up on tussle and how you are approaching it. As I appreciate the tussle theory, it seems to accept the idea that protocol design could at least in digicode a systemic bias in policy norm, so for example you could develop protocols that were systematically hostile to censorship or ones which were systematically available to surveillance or hostile to surveillance and that tussle theory suggests that that is a bad idea. That what we should do is develop protocols that are as neutral as possible to that, i.e., that they allow both for censorship and lack of censorship and allow those debates to be conducted elsewhere rather than at protocol‑design stage. I was wondering do you adopt that theory of tussle?

CORINNE CATH: Well, the way that tussle has been explained to me in the interviews that I did is more about trying to figure out to what extent you should allow the different agendas of the stakeholders and the people within the IETF have space within that. Because I'm pretty sure that they have taken a pretty clear stance on the fact that censorship or pervasive monitoring is not something that should be allowed within protocols so I think in that sense within the IETF, that is not necessarily an ongoing tussle.

AUDIENCE SPEAKER: Certainly, I perceive that as at least to that limited extent a rejection of tussle theory.

CORINNE CATH: Perhaps in this very specific area, yes. But I don't believe that that is the case for all the different areas going on.

AUDIENCE SPEAKER: Hello, I am Joe. I have been involved in different issues having to do with human rights and the Internet for the last 25 years, first a very quick comment on your slide. Yes, one can actually incur human rights in the protocols, we do have the evil bit.

More structurally, I think we really have a challenge in the fact that we, as technical people, often understand human rights fairly well; whereas the human rights people don't understand the technology at all. And that's our challenge.

CORINNE CATH: Fair point.

AUDIENCE SPEAKER: Jim Reed, just a computer engineer from Scotland. A couple of points I would like to make about your presentation.

If you have some thoughts about IETF engagement and this whole privacy issue. I think what you have just said is quite correct. I think for civil society groups and privacy activists and all these other people, trying to participate in the IETF is going to be difficult because you need to have a certain clue level and also a certain level of engagement by following all these retchet mailing lists to figure out what the hell is going on and it's bad enough for the engineers trying to do it but someone coming in from the outside is going to have a great deal of difficulty trying to make sense of that and they are probably going to be overwhelmed by it all. So maybe some guidance on that.

Something else I'd like to suggest is a small stepping stone along this way is that a few years ago when all this stuff kicked out the IETF decided in their infinite wisdom they were going to make security at the heart of anti‑certificate of everything else they do, therefore, all the new RFCs had to have a security consideration, maybe the IETF might want to consider doing similar with something to do with privacy considerations, other aspects of human rights. This is, if this protocol is adopted, it may have certain consequences, either positively or negatively, or hopefully to be a fairly neutral thing in that particular debate. At least it would help people to start thinking about those things.

CORINNE CATH: There is a human rights protocol consideration group which is recently been set up within the IRT F that is trying to do system thing. So...

AUDIENCE SPEAKER: Hans Petter Holen, Chair of of RIPE, speaking for myself. The reason I got involved in this in the first place is I believed that we are doing this in order to make the world a better place by making more people communicate. Now, I don't really understand yet so I'm very eager to read your thesis when it's out how the human rights and protocols fit together.

Another perspective: How does protocols designed by the IETF versus priority protocols like Facebook or what not versus the ITU model affect the same thing? Because, my initial thought on that would be that as long as we're working openly with protocols like in the IETF, it's a much better chance of succeeding with this.


AUDIENCE SPEAKER: Marco. A brief reply to Jim regarding the barrier of entry to the IETF, there is a programme for Internet Society that we have been contributing to. I am personally involved in, a lot of community members have also been contributing to engage policy makers and regulators to try to explain the processes and make them feel comfortable, just to make people aware that we are ‑‑ these issues are being addressed to some extent.

CHAIR: You don't question people's level of cluefulness?

MARCO HOGEWONING: In about a week's time we try to provide them with enough clue that the IETF makes sense.

AUDIENCE SPEAKER: It's Paul Wilson, just speak in my personal capacity. I want to put on record that it's what the previous speaker said is quite wrong, rather a damaging unfortunate assumption to say that human rights people know nothing about technology. I mean, this is a very outdated view. I'd prefer you, for instance, to the Rights Con event which is an annual event of extremely high calibre where you would find a bunch of young technologists with a collective intelligence equal to what you would find in this meeting, people who are generally a lot younger and a lot more open minded as well. So please take ‑‑ I'd suggest to take this stuff seriously not and write it off.

AUDIENCE SPEAKER: Sean turner, IETF Working Group Chair for TLS, we have had pretty successful examples of people assuming to as well in the testify. One person that comes to mind was a technology, a package contributor so he nails it pretty good but I think you were at the IETF meeting, so there are some people we do actually try to help them get integrated in and not eat their lunch basically.

CHAIR: Thanks a lot Corrine.


Moving along we now have someone local from an organisation you heard about in the last Working Group, bits of freedom, Ray owe, I hope I pronounce that had right who is going to talk a little bit about privacy advocacy and what is the space between the technological implementation and some the activities around promoting certain values.

REJO ZENGER: I am from the digital rights organisation Bits of Freedom in the Netherlands, and what we do is we are protecting fundamental freedoms in when it comes to digital communications, so we mostly we are working on privacy issues and freedom of speech. And we do this by lobbying both governments and companies. And if that doesn't work, then we will do a campaign and we also try to develop tools to empower the end users.

But for me, it always boils down to one thing, which is freedom, and the question of this session, or the title of this session is where do human rights fit in the outside stack?

And actually I don't really have an answer and if you would force me then I would probably tell you all of them. And why I would give that answer, I will elaborate on that right now.

So, this is Marshall McLuhan, and he was an a ‑‑ you probably know him ‑‑ he was, he is a well known Canadian philosopher on communications theory, and well his work is viewed as one ‑‑ a cornerstone on media theory. He is best known for quite a few expressions and three of them I'm going to mention here.

First of all, if you would have asked him what technology is, he would say technology is the extension of man. And to illustrate, the knife is an extension of the butcher, and a gas pedal is an extension of the motorist, the driver. He also created the, or thought of the expression: "The medium is the message." And McLuhan said that a medium affects the society a lot more not only by the content of the medium, but also by the medium itself. Think of a television. If you asked people how they are influenced by the television, they will tell you that they were shocked by the news from, for example, the earthquake in Nepal. But, they do not realise that they were also influenced by the fact that they can see that news item at dinner time, when they are laying down on the couch with a slice of pizza in their hand. But the fact that that medium made that possible is also impacting our society.

Like, in the past, maybe they would have heard of the earthquake but then they would have heard in a different setting, maybe not at home but at some other time.

And he also speaks figure and ground. When we're talking about new technologies, we very often mostly focusing on the authority term positive affects of this technology. We tend to ignore at first at the beginning, we tend to ignore the longer term effects of the technology. And sometimes they are negative as well. Think of a car. When it was introduced, it was a symbol of freedom, of mobility, everyone could just get everywhere, there were no longer limits when it comes to travelling. And now, we know better, because probably most of you when you are commuting, you are in a traffic jam.

And that is because the car gave us the freedom, we started to live not that close to work any more, but everyday you need to travel from your home to work and back.

And the same goes for the previous expression, like in: "The medium is the message," the message is a thing that is figured is in the foreground, while the medium is in the background.

So, technology, I think, will ‑‑ the choices we make there will shape everybody's freedom. And with that in mind, I would like to raise two issues that are currently going on in the Netherlands. And I think that will ‑‑ that are imimportant to all of you.

The first one which was discussed this morning as well, I understand, is net neutrality. In the Netherlands, we have this in law and it says: "Providers of Internet access services do not hinder or slow down applications and services on the Internet unless..." so there are four exceptions, but I will not go into them now.

Probably, most of you already know this, it says: "Providers of Internet access services ,"so it's just the last name and that's weird because the explanatory memorandum to this provision in law says: "The article aims to maximise choice and freedom of expression on the Internet for the end users." Of course, it says maximising choice of freedom for end users. And I think that Dutch law is a good one but it only protects the last lane, it will only protect the last part between the access provider and the end user. But all of you know the story of NetFlix and Comcast where it was a problem ‑‑ where there was a problem at the other malls, and I'm wondering how we can solve the problem.

So, I think the easiest answer would be let's extend the law, the regulation to this other mouse as well but I think that would be a bad decision.

For one of the problem is not known. We don't know exactly which agreements or which peering agreements between companies actually impact ‑‑ have an impact on the freedom of the end user. We don't know what the role of the CDNs in all of this.

And the other thing is that I think that the Internet has become what it is now because there was a lack of regulation. So I think that's not a reason why we should keep, try to keep regulation out of it as long as possible.

Then the question is, how do we ‑‑ so, I think we can agree that there is a potential problem there. But I think we need to find a way to monitor this, to make clear, to clarify the real problems and to make sure that we know what exactly is a problem. And then we need to think about solutions to that and that's why I hope that in the Q&A or maybe after the session, you will come to me and you will be able to talk to me about how you think this should be solved and if it's a problem at all.

And the other thing which I wanted to mention is the untargeted wire tapping which they are planning to introduce in the Netherlands. So, the current Dutch Intelligence and Security Act, which oversees the Intelligence Services in the Netherlands, only permits bulk interception when it is eater communications, so with satellite or radio, but it does not allow for bulk interception on cable. So, on a firewall for example. Of course, Dutch Secret Service, they have the power to wiretap someone specifically or a target on an organisation, but they are not allowed to do that in bulk. But this is something which the Dutch Government wants to change.

So in 2011, at the end, when I was enjoying the CCC in Berlin the oversight committee published a report on the use of signal intelligence by the Dutch Military Intelligence Services. And they noted that the current legislation didn't match the needs and the practices of the Intelligence Services, so they were saying the legislation regarding the powers of the Intelligence Services do not match or are even at odds with the (desired) practice. And note, the brackets around the word desired.

So, the committee's advice to the Government was you maybe should look into this problem and maybe change the law, and of course the Government said okay, let's do this.

But, then, this guy came around, and of course, he has been a pain in the ass for the Dutch Government. So, the Dutch ‑‑ the Snowden disclosures didn't really make the Dutch Government pull back their proposal, but they were delaying it, they are postponing the proposal.

One of the documents that Snowden ‑‑ that was released via Snowden was saying this second quote here, and it says: "The Dutch have some" ‑‑ sorry this is a quote from a GCHQ note, so the GCHQ is the UK Intelligence Service. And they were saying: "The Dutch have some legislative issues that they need to work through before their legal environment would allow them to operate in way that the GCHQ does."

So, how does the GCHQ operate? What did it mean by operating the way we do? And of course, they were aiming for the programme Tempora and under the programme ‑‑ you probably know it ‑‑ is they are tapping into more than 200 fibre‑optic cables, apparently they are.being able to process all the data that comes from those cables for 46 of them at a time and the total capacity is believed to be 21 petabyte a day and that's in 2012, so probably it's more nowadays.

So that's more or less a full take and comes close to what the NSA meant if they were saying collect it all.

So, why is this important to you? I think this is important to you because most of you will probably have some kind of network infrastructure in the Netherlands. So, if the Dutch Government will push through with this proposal, then your network will be a potential target for the Dutch Intelligence Service as well and I think that's why you should be worried about this.

That's it from me for now. To I will say question everything. Thank you.


CHAIR: Thank you. Questions...

AUDIENCE SPEAKER: May I continue my comment on the first presentation in this session. You are really lucky about all this wiretapping thing because in Russian Federation all wiretapping is bulk and uncontrolled, first of all. And the second of all, Russian Security Services are running with a new low incentive, and first of all, now, it's bulk and equipment for ‑‑ might be ‑‑ so, Security Service don't spend money on this. Operators spend money, and also Russian Security Services are running for a new law enforcing operators to keep all traffic for last 24 hours just in case. They have not enforced it through parliament but they are going to do. So you are very lucky.

CHAIR: So you are actually lucky because there is a worse model. Maybe we need a protocol to stop that.

AUDIENCE SPEAKER: Carsten. I just wonder what your recommendation would be, because essentially my guesstimation is would fall like into two parts. One recommendation to your fellow Dutch countrymen and the other one might go to, well, foreigners regarding from Dutch perspective. So, what is essentially to be done to have influence on this law in the making?

REJO ZENGER: I think that the most important thing is that you make yourself heard and I think there are several ways to do this.

For one ‑‑ so if we are talking about the wiretapping by the way, so one I know the MI6 is working hard on talking to parliament members for example and explaining to them why this would be a bad idea. And I think that companies which ‑‑ so members for the MI6, it would help if the help them bring up this message or if they would even go if you are in it, if you have the possibility to talk to the members of parliament yourself for example.

AUDIENCE SPEAKER: But... just thinking about me being a German, I would wonder whether German parliamentarians would actually listen to non‑German speakers coming from other parts of Europe trying to influence German law ‑‑ the German law‑making process because every now and then I even believe they don't listen to Germans even.

REJO ZENGER: We hear some disturbing stories from Germany the last couple of weeks. I think they will listen, because there is one thing, because the Netherlands we have the AMS‑IX, there are a lot of foreign companies active in the Netherlands and I think the Dutch Members of Parliament are at least listening to them because if they are not listening, they are risking those companies moving to other countries. So, I think the economic argument is a very strong one.

CHAIR: Thanks. And you know, quickly before this, is there anything, if you want to do a plug, is there anything that Bits of Freedom is doing to help aggregate and amplify some of the views from the community here?

REJO ZENGER: So, that's why I'm here, for one, so, please come to me after the session. But in general, we, as Bits of Freedom is doing a lot of campaigning and doing a lot of lobbying. So, this is not only, of course, just talking to the members of parliament but also talking to people from the community to learn from their concerns and to take that with us and, when we are discussing this with members of parliament.

AUDIENCE SPEAKER: Erik Bais. So, just to give a quick comment on the other questin by the other speaker. Actually in the Netherlands, currently there are ‑‑ they define three different type of logistical ports, the seaports, the airports and the digital infrastructure is very distinguished economic value that the Dutch Government is now actually trying to embrace and see what the actual impact is. From that perspective, the Dutch hosting community is actually already working in that whole discussion and trying to lobby you know this is really bad for business. There is a larger impact here.

On the fact will companies actually move out? We have seen that in the AMS‑IX discussion when we had the discussion with the AMS‑IX going to the US, we had similar discussions there. And actually companies saying yes, we actually chose for the Netherlands because it had very good laws, and now they are actually trying to reverse that. Will it actually be better in the UK or in Germany? I doubt it.

AUDIENCE SPEAKER: Vesna, internet citizen from Holland, I would like to invite everybody who likes what Bits of Freedom is doing for fighting for the digital human rights to support them by donations and sponsorships and put your money where your mouth is and help Bits of Freedom.


AUDIENCE SPEAKER: Hi, Bastion for AMS‑IX, as AMS‑IX was mentioned a couple of times I do feeld I do need to come to the microphone. Nothing new to add, I think Bits of Freedom is doing really great work here. I can echo what Erik just mentioned what we were trying to do as an industry as well in the Netherlands and AMS‑IX is very supportive of that. Normally AMS‑IX does not take ‑‑ we tend to be neutral. As such we don't tend to be involved in political discussions and take a specific position there. But as the proposal is coming from Dutch legislators, or the Government in this case, very much focused on the security aspect, they do mention the privacy aspect, but say people don't about this, this is all covered and everything you know is going to be, a due diligence and it's going to be controlled, and appeal procedures whatever. We have entities like Bits of Freedom focusing on the human rights issues and the privacy aspects and we felt that the economic part of the whole thing, the balance between security, privacy in this case, and economic environment, we felt that that was something that had to be put on the agenda, we have been working very hard you know, either in the media, directly lobbying, talking to people. I have to say as the proposal itself, for to change the law is not there yet. We have to see it once we have it what we do as the next step, but I'm working also with other industry partners, ISPs, telcos, etc., to prepare to see what we can do when the proposal itself is actually there. But I do ‑‑ I can only echo here that also other networks, especially the larger ones, right, the usual suspects, who also have a serious presence here in the Netherlands, I am sure if they can also talk directly to parliamentarians and other decision‑makers, sifts, etc., that will really have an impact, I can only urge you know, please do so. And if you want to work with AMS‑IX in this case, and we are not in contact about this particular dossier as of yet, please come to me and see what we can do together on this.

CHAIR: Thank you.


I'm going to step through the holigram for just a second because this next talk touches really closely to some work that I have been working on for a while. I run a research group at Google called OpenSource research so this could have sat in the OpenSource round, this could have sat in a number of different talks, it's pertinent to a lot of this, but I think it belongs here because the framing becomes interesting. One of the things that I focus on is, you know, how do we make, you know, assured security and privacy easier for everyday internet users to access and use, right, so how do you provide end‑to‑end encryption, how do you provide assurance of privacy, assurance that terms of service are honoured, assurance that you know your communications are not intercepted, a number of things at a user interface level and at even a technical level, right, so part of this is you know some of the issues with Open Source and with the massive decentralised inter dependent network that is the internet, how do you assure this when there is so many upstream dependencies, when there is so many different edge cases, when auditing and validation tools and testing aren't standardised necessarily, and you know, there is an effort now at Linux foundation that I have been working on very ‑‑ working with closely and that I'm really happy about to start to look into these things, and improve the ability to more or less guarantee and assess security starting with these core Open Source components, and so this may sound like an Open Source group talk, but it bears directly on the ability for us to push through very, you know, legible and human readable legislation, policy and alternatives to a lot of things we're seeing here. I'm speaking for myself not my organisation, but you already know what I think. So, Dan Kohn from Linux foundation is one of the founders of this and is going to go into the core infrastructure initiative.

DAN KOHN: Thanks, Meredith. And Meredith was also helped us set up this group a year ago, and has been instrumental in moving it along.

So, I want to just give a brief intro on why we set up the core infrastructure initiative, what the goals are, and then I do want to circle black and leave plenty of time for questions and your thoughts and ideas for how we can do better.

I think this idea is pretty obvious to this group. I mean, all of you are the modern bridge builders that the people who are building the infrastructure that is really making Europe run today. And I think we all understand that this infrastructure is absolutely critical to every attacks, not just business, but communications, personal, family, human rights, and also that like bridges there is safety aspects involved to it. When we look at it, in 2013, sorry, for the US examples, but six and a half billion dollars was spent on the new Bay Bridge in the San Francisco area, a little bit north of that, 1.3 billion dollars, note this year, it was in 2007 to build this beautiful new project, this incredible new bridge to reduce congestion.

And when you look in the Open Source world it touches everyone, all these billions of dollars are being spent on, you know, Facebook and Amazon and Twitter and Google and everyone are all running on top of Open Source. It would be great to say, okay, everything is wonderful we have reached this golden age, but we haven't. And a Heartbleed was a huge wake up call for the Linux foundation, and really for the entire technology industry and I'd say the rest of the world, where a year, just a little bit over a year ago when this occurred, it was billions of dollars were spent, and people's lives were impacted by this. And there was a realisation that Heartbleed was just the canary in the coal mine, that it was just the beginning, so I just updated these slides this morning to include the new venom indicator on here, this is, as of yesterday, you are probably all familiar, an issue with virtual machines, but last year we had poodle, we had ShellShock with Bash, we had some major issues with the network time protocol, and Heartbleed with open SSL, and so other than the trend towards sort of clever naming and cartoon characters for Open Source security bugs, what did we learn from this and what's the process to deal with it? I do want to emphasise this is not just an Open Source issue, that closed source applications and platforms like Windows, like Acrobat, like Flash, are also having a huge number of security holes.

But, the idea for Open Source was that this wasn't supposed to occur, that with enough people looking at these projects making use of them, taking advantage of them, they would find the bugs and they would be fixed. And I think part of the lesson is that that was naive, and the other lesson is to look at what are the actual economics involved behind these different projects.

And so, the core maintainer of the network time protocol demon, Harland Sten is making less than 25 K a year, or was before we got involved. The author of GNUPG which is not just essential for personal internet privacy on e‑mail but also used for signing packages so is a core piece of technology for all kind of Linux and other distributions had an article published a few months ago talking about going broke. Open SSL, before our involvement, was getting by on less than $2,000 in donations per year. And Open SSH, Theo Derat, is taking part time jobs in order to fund his work. The Bash maintainer has a totally separate job at the University of Indiana and is just able to work on Bash a little bit part time even though it's used in the security path of almost every web server on the internet.

So, I mentioned 2007 in that same year this bridge was the most travelled bridge in the state of Minnesota, and you may recall that that bridge, 35W, collapsed killing 13 people. And it was a lesson about the need to invest in infrastructure. And unfortunately now that Amtrak derailment a couple of days ago seems to be a similar lesson about investments in security and reliability that could have been made that weren't.

So, our message is that Heartbleed was the I‑35W bridge of Open Source, and that we were able to look at this crisis and say, to quote Churchill, among others: "You should never let a crisis go to waste." And in an incredibly short amount of time the Linux foundation was able to put together a tonne of top technology companies to look at and invest in these different projects but also to look at how to prevent future issues like this.

So, why is this hard? Software is complex and I think one of the lessons here is that every piece of software in production has bugs, very likely has security bugs, secure code is incredibly hard to write, even when it is written well and is up to the standards, it's very hard to maintain and so Heartbleed is a perfect example, was a small patch to add a very finer feature that only a small number of people were going to use, wound up making the entire software insecure. And although we are looking to improve certain aspects of the Open Source community, in many other ways, Open Source is working incredibly well and we don't want to break all the things that are going great about it.

So, we do believe we can fix this. We think that Open Source better testing, better tools, better infrastructure, can help a number of projects. And that we can share the best practices from some of the best funded, best run projects so that others can take advantage of that.

So, we founded the core infrastructure initiative. We got 20 of the top technology companies from around the world to come together. I will point out we don't have many European companies on this list, which is something that we would like to change. And in a very short period of time we brought them together and said, let's invest some resources and try to make the internet and the software running it more secure. We also have a great advisory board, you can see ‑‑ read about some of these people on the site.

So let me just finish with a couple of the core areas where we're focused. I would love to hear from you after the session is over if you have specific ideas of what we should be investing in, and also if you think that your company perhaps should be a member of CI I and should help us be directing where we put these funds.

So, the first is what I'll describe as putting out fires, which is a specific project that has had meaningful challenges that have not gotten funding but that are being used extremely widely, are in the critical path of a number of different internet protocols and processes, and I have mentioned a lot of these folks, we're funding them we have a new announcement coming out in just a couple of days of several new projects that we're funding that are going to be improving infrastructure and provide some of these full technologies.

So, number 2, is a census, and we're going to be Open Sourcing the code behind this in another month or so, but the idea is to go through essentially every Open Source project, kind of everything that's available in the universe and say how actively maintained is this, there a bug tracker for it? Are the bugs being triaged and worked on? How many maintainers there are. All these metrics that are available in public information we're trying to then assign a score for different projects, and say, hey, some of these seem very little risk, very well run, some of them seem concerning and problematic. Are there some automated mechanisms we can use to run this census? And then in particular can we then, in a manual way, start going through some of the higher risks project and see how they are doing and whether we can help them.

The idea is we have created a tool, a simple Python tool that fetches a bunch of data and runs it through a very simple algorithm and spits out a number. We would love your help and your developer's help in improving that tool, finding now data sources and improving that algorithm. You'll see some announcements there as well.

The third area that this ties into is a set of security best practices guidelines, and this is not designed to be a process that is expensive or that takes weeks of effort or bureaucratic recollect it's designed to take what are really considered best practices, what kind of every well run project can agree, yes, you should have a source code repository, it should probably be GIT, maybe it's me curial or one or two others but one that is widely available and used, you should have a public bug track are, you should have a security mailing lists, all these kinds of things that maybe ten years or five years ago were more expensive or difficult, but any modern wel‑ run Open Source project should be following these, and then to have a checklist and some automated tools that can show, yes, projects are following it. And can allow people the downstream making use of these projects so know that their upstream is following best practices. Here again, the goal was for this to be an Open Source project that anyone can contribute to that we are trying to take into account, have exceptions for, but that can be very widely adopted.

So, the good news is that we are having an impact. You can see on the far right, right here, this is open tickets on the open SSL issue tracker, and that the funding that we have provided there, has already dramatically improved the security of that project, allowed them to go fix a lot of things that were broken, has gotten a huge amount of new blood involved. But, there's a lot of other projects out there that need help and as I said particularly with the census and best practices area, we're interested in trying to create tools and frameworks that help Open Source in general, and the internet in general.

So, this stuff really matters. I have been involved in Open Source for 20 something years and this is actually the most rewarding enjoyable project I have ever worked on, because it's so critical to everyone that these protocols, these systems are reliable, and we really need your help to do that.

So, please come chat with me afterwards or send me an e‑mail, it's on the next slide, we're curious about Open Source projects that need help, initiatives that could work across multiple projects and we are interested in bringing in new members to the core infrastructure initiative, particularly companies that are relying on this software today and would like to help fund it to make sure that it's getting the investment that it needs.

Thank you very much.


CHAIR: Questions?

AUDIENCE SPEAKER: Blake Lillis. Just a comment, something that's worked particularly well for us, historically, over the last probably 15 years or so, is for a lot of organisations whether you are an ISP, a hoster whatever, in general, internally, as an operator, it's probably hard for you to come up with, like, justify the CAPEX to donate to an Open Source project and so forth. Something that we have done is, you know, it started out as we had our employer colo rack and some ICANN route servers in there and we started sponsoring Open Source projects with colo and bandwidth which is something that is fun for us and we can sort of, I shouldn't say give it away, but definitely sponsor and there are a few projects like that and we have extended that actually after Harland Sten's NTP plea for help several months ago, I can put a bug internally and reached out to him for that.

Second part of this, is, some Open Source projects have sort of guidelines for providers that want to do this, most don't. You know, well here is our donation page or contact us, and that's about it. And if there was sort of a more standardised way that, you know, people within hosting shops and ISPs can with to their management and say, well, here is how we do this, you know, here is like, are they going to put our logo on their website or whatever, just sort of make up a very basic set of guidelines and framework so that one within an organisation that wants to donate colo and bandwidth or other resources to an Open Source project can say, okay, this is how we do this, boom, and make is very easy for them to make the case to their management for this to happen, then I think this will really help them move forward. It's probably more valuable to the Open Source projects than just a cash donation, I would guess, because it's operationally helpful with them.

DAN KOHN: I appreciate the comment. I would say one of the ideas behind core infrastructure initiative is that there is something of an impedeness mismatch between big companies that, particularly are more comfortable funding endies that are audited that have financials that you can get on the phone. And Open Source developers, some of whom, I won't follow all cliches, tend to work very late at night, are a little hard to get hold of, are a little strange when you talk to them. So part of what we're doing is to provide that impedance mismatch or to fix it and say we can contract with these developers, we can make is easy for them and wire the money in whatever country they're in and then we can provide a very stable, reliable source for companies to fund. And, also of course we can pool, pool funding.

But I do think there is some other interesting initiatives in the smaller level, one of them I am familiar with GIT tip which is how someone can have a little logo on their project and someone can click on it and give them a donation and say this helped me, I appreciated it, I'd like you to keep working on it and I am interested in those sorts of things at the smaller level that aren't necessarily the kind of bigger funding that we're doing.

AUDIENCE SPEAKER: I'll get with you later and show you some of the stuff that we do like about contracts with the projects.

DAN KOHN: I'd like to hear about your experience.

CHAIR: I'm going to add quickly there is a mailing list and developer community spinning up around this, so skill sharing in kind resources just sort of asking questions about others who are ‑‑ might have discreet knowledge about what is happening. I'll post that on the cooperation group mailing list, but I think that's a huge element of this that's being catalysed in large part by you guys.

SHANE KERR: I was going to ask about talking to a lot of big organisations and asking them to participate, because they have been kind of free riding in the past, but have you discussed ‑‑ how are you going to address the possibility of them actually then influencing the direction of these projects? Is that a concern or something that's being ‑‑

DAN KOHN: I think it's always a concern. I think there is a tragedy of comments, there is always a probability with Open Source of any big company can say hey, somebody else will take care of it, I don't need to worry about it. I'd say frankly we have gotten some benefit from the fact that these security problems have been so big that in their boards and to their customers, they have needed to have an answer for how are you taking this seriously? What are you doing and they say okay we have joined this group, we are investing these resources etc. And then on the okay, how do we ‑‑ and you know, we have this issue, this is part of the impedeness mismatch of saying, these Open Source developers don't work for us, and we can't tell them no, you're going to stop doing new features and you are going to go do this. What I'd say here is that the Linux foundation has been helpful on the cultural side in that we have this experience of two decades working with the kernel developers and say hey, those folks run their own organisation, we provide support for them, we do conferences and websites and events and infrastructure and legal and other sorts of pieces. And yes, we do occasionally send a firmer message and say, guys, if you don't follow these best practices we are not going to be able to continue funding you, but at the end of the day, it is their project, and they are very welcome to turn down our funding. And the things that we're asking them for, we're hoping are going to be no brainers, you should use a source code repositories, you should have an issues list, someone should retain that issues list; if you can't do that right now, we'll help you with ‑‑ I mean, all these sorts of things that most of us could get together and say yeah, this is how Open Source project should run. But I do want to say there is some creative tension there about not directing it but still having the money go in a way that the donor feels worthwhile.

SHANE KERR: Can I squeeze in another question? I was the only one in the line. I'll talk to you later.

CHAIR: I think there are also efforts right now ‑‑ so I'm doing this again ‑‑ to ensure that solutions to problems that are unknown are not dictated by the funders and there are kind of groups of developers who are publishing sort of ideas about attacking this and making sure it comes out of that community instead of being a mandate that may not understand the culture and may have motives that aren't at the best interests of the project.

SHANE KERR: Just for full disclosure, the reason I mentioned this because I have been involved with sponsored project in the past, Open Source efforts, and you end up meeting the needs of your sponsors in the end, which, while by proxy, the needs of big powerful IT companies are mine, they are not really mine, so, that's all...

AUDIENCE SPEAKER: Hello, Andreas Smith, I used to do some research on the compatibility of the Open Source principle and organisational aspects of security, so I think this is a highly fascinating topic, and presentation you have given. You said we are able to fix this using auditing and security best practices.

DAN KOHN: I don't think I said fix it, but that might be too strong... please go ahead.

AUDIENCE SPEAKER: We are able to fix this, I think this was a quote. So, I am wondering, my question is: Do you see a national security institution as a risk you want to hatch against and you want to protect your communities against, and the outcomes of your projects?

And if so, do you think you are able to compete against budgets of these security institutions and how would you be able to protect against intrusions by these national security institutions?

And third, do you think the openness of your projects is a strategic disadvantage against such risks?

DAN KOHN: Let me just answer for myself, which is just, I believe that we can strengthen all the protocols, all the software being used, and my understanding in a post‑Snowden world is that strong encryption does work, that it is applicable and that the key thing is that you are not screw it up, that you don't link keys, that you don't have software that has bugs in it. And so, I see what we're doing as having an impact, even against the kind of nation state adversaries. Now, I also am not so naive to think if at that nation state were targeting me or one person specifically and were able to break into their computer or other sorts of things, that any software can necessarily secure against that, but I do think that we're genuinely helping here. And even if there's a massive budget mismatch of, you know, hundreds of billions of dollars and tens of millions of dollars, I still think that we are improving things.

But I'd be happy to chat with you more about it afterwards, if you have a different viewpoint.

CHAIR: Hans. ...

AUDIENCE SPEAKER: Hans Petter, can you go back one slide please. Have your company joined CI I? My question is how?

DAN KOHN: Just, send me an e‑mail or come up and chat with me, I would love to have you join. Right now we only have a single membership level and it's 100,000 dollars US per year. We are open to having some smaller companies, we have talked about a separate membership level and so please don't let that give you the heart attack ‑‑

AUDIENCE SPEAKER: That number was a no‑go.

DAN KOHN: Just to explain the context. It's because we set it up very quickly and we wanted to get the biggest companies, the biggest technology companies in the world involved and get it kicked off in an a way that we had resources, but are also have interested in having small companies.

CHAIR: I want to clarify something that sort of join as a sponsor that is sort of funding doing these things. There are a lot of efforts for people who want to get involved in the development, involved in the specification, involved with other people that don't cost money and could actually be sponsored through CII or if your company or you or if somebody you know has skills or want to be engaged in this effort, you could actually get funding for that through this, but if you have a tonne of money, it's good to fund this because this is a good thing.

DAN KOHN: Thank you for that Meredith and in particular those two projects I mentioned recollect the census and the best practices you are going to see them on GitHub in the next couple of months and wearying err to get requests from the community so there's absolutely no membership requirement for those.

AUDIENCE SPEAKER: Just a short comment. So, as was already explaining, most of the Government proposals I was talking about are announced or proposed with the idea ‑‑ with the argument that it is needed for security.

So, my suggestion would be to all of you, ask your Government if they really want to have cybersecurity or a more secure society, because if they want, then they don't need to invest lots of money in Government malware or bill wiretapping and a the only thing they need to do is invest in industries like this because that will cost them a lot less but it will be a lot bigger profit.

DAN KOHN: Thank you.

CHAIR: Thank you very much.


We are running short of time also, in this session, but we have a short update from RIPE NCC, Chris.

CHRIS BUCKRIDGE: I have two minutes for this, but in the interests of keeping it short, I have consolidated the whole process down to a mathematical formula. Unfortunately it gets a bit longer from here on out.

What I want to talk to you a bit about today is the WSIS plus 10, which is a bit of a buzz word around the place in terms of internet governance this year. And really, requires a bit of background here the WSISes is the World Summit on the Information Society and it was basically refers to two events held back in the early part of this century, 2003 and 2005, which are sort of the kick start I guess of the modern paradigm of internet.governance, this is where the UN and other Government agencies really started to take an interest in what is now seen as internet governance. And so those two WSISes events had a number of outcomes in terms of documents there was the Geneva plan of action, and then from 2005, there was the tune I say agenda for the information society and that tune I say agenda in particular is really one of the most widely references internet governance documents these days. There are also then the the WSIS targets which is the specific targets they wanted see happen in the comings years, the WSIS action lines which coordinated how those targets were going to be achieved.

What also came out of that was the call for the creation of what was to be the IEGF, the internet governance Forum, that's happened, we are now ten years down the line with that. And a call for enhanced cooperation the that basically just refers ‑‑ well what, there is some disagreement about this, but it essentially refers to finding new ways to communicate and cooperate between the different Stakeholder groups, so Government, technical community, business, civil society. And all of this has been sort of under the watchful eye of various UN agencies, the ITU is one we obviously have a lot to do with, UNESCO, CSTD which is a branch of the UN general assembly and there are tensions going along with the different role that these different agencies have.

But to condense down what this was all about. Essentially, the WSIS outcome is focused on development, access, bridging the digital divide. And these are I think things we can all agree with very important, certainly things that governments and the UN have a very strong interest in and certainly things where there is still a lot of work to do.

What happened at WSIS and what happened in the period since is that internet governance issues served as a bit of a lightning rod. So internet governance in a lot of WSIS documentation doesn't play a huge part, but the satisfaction of various people with say the historic distribution of IP address space or the role of the US Government or ICANN itself, those issues became a sort of lightning rod where a lot of discussion centred on, perhaps because the development issues were sort of a little less tractable, more indistractible.

So RIPE NCC has been involved from the beginning here. We worked with iSTAR colleagues to engage with both the 2003 and 2005 events. The internet pavilion which was part of the 2005 event was really a key moment where iSTAR groups, or the internet society, ICANN, the RIRs, circled the wagons is one phrase thrown around, to sort of say to the UN, to governments, this is our vision of what internet governance is, this is how we see this as being important.

And one of the things that came out of that then is that we in the internet technical community see these, we have these longstanding policy making principles, this model, it's bottom up, it's open, it's transparent. What that roughly equates to then is what came to be called the multi‑Stakeholder model. No everyone will see an exact parallel between those things but in the technical community that multiStakeholder model is roughly equivalent to what we're doing at the RIPE meeting and other meetings like this. So, having that multiStakeholder model recognised in the WSIS process was an achievement, a very important achievement and having the IEGF coming out of that process as a new mechanism to build the cooperation across Stakeholder groups was also a real achievement and it's become a really important part of the internet governance ecosystem.

So the WSIS plus 10 is an opportunity and it was actually laid out in the Tunis agenda that this should happen, where the UN itself looks back over ten years and sees what progress is being made and what happened in that intervening time. What progress has been made on the action lines? What targets have been reached? What's happened with the IEGF and should that go forward? Should its remit be extended indefinitely for a set period? What happens in this discussion in the WSIS plus 10 will actually have a very important impact on how the UN and its agencies approach internet governance issues, how national governments, national regulators, region groups approach internet governance.

And so, this is building to a high level event, which is being held in New York in December this year.

So, in terms of how we're engaging here, in terms of our message, and this is put forward, I have put here with the caveat that there are many unknowns in this process, including what that high level event at the end of the year will look like, whether we as non‑governmental stakeholders will actually have the opportunity to participate there, and what that might look like. With that caveat aside, we really strongly support the idea that this WSIS discussion should continue in a multiStakeholder way, we agree that development and access really need to be the focus of this WSIS process, and there have been a lot of successs in that over the years, there are obviously a lot of areas where there is a lot to be done. There is still a digital divide and it's important to recognise that. But, as we say, as I pointed out at the beginning, that needs to be the focus. Having a sort of discussions sidetracked to critical internet resources, to internet governance issues, is not productive. We have the processes and instructions to do internet governance. IETF, IEGF, RIRs, ICANN are all part of that and the processes we're seeing in terms it of IANA stewardship transition for one thing are also part of that. We have these processes and structures and we need that to be recognised going into the this WSIS process, and so that's what part of the message we're bringing.

The plan? At this point is to work closely with all the stakeholders over the coming months, that means technical community, iSTAR colleagues, it means talking to governments, to the public sector, to regulators, and it means working with civil society groups as well who often have honestly a lot more experience in some these UN agencies, UN general assembly levels than we have. It's sharing that information, that expertise is going to be vital. And so we'll be following developments in terms of how we can officially participate in this.

What we'll also be doing is producing information so that those people in their various roles in these discussions actually have the information that we can give them in terms of the progress being made in IANA stewardship, in terms of the role that the technical community has in technical processes.

In terms of what you can do. One of the things that we are quite interested in doing is looking at what is our community doing to aid in development. We hear from a lot from various IXPs, from ISPs, commercial organisations, this sort of social responsibility spending that they are doing, there are efforts going on to assist operators in the developing world, to provide that kind of assistance, and there's not really an overview of all of what's going on there, all of those initiatives. What we'd like to do and try and feed into this process is report on what the RIPE community, say, is doing, not just the RIPE NCC but actually you, the members, the community, to actually contribute to the goals and the spirit that was laid out in WSIS.

I have put an e‑mail address there, what we would like to hear about your stories, your experiences, the initiatives that you are trying to, or that you have had success with, talk to me in person, send an e‑mail to that rather long e‑mail address.

Beyond that, we also want you to talk to your governments, or we do have certainly Government people in the room, talk to your community members. We need to sort of build communication across the different stakeholder groups going into this WSIS discussion and so anything we can do to aid that is going to be important over the coming months.

I have got a final slide here which will mostly be useful if you're going to have a look at the slides later on. Just a few articles and pieces that provide some useful perspective on what's going on, something a little bit more in‑depth than I have been able to here. And that's it. I don't know how much time we have, but if there are any questions.

AUDIENCE SPEAKER: Hello. Narani from NetNod. Really nice presentation Chris. I think I should come up to the microphone and say that since I have been very vocal in the past about how I think the RIPE NCC should report to the community, it didn't have any pretty graphs or geeky jokes, but I think it was really really succinct.

CHRIS BUCKRIDGE: That title was supposed to be a geeky joke.

AUDIENCE SPEAKER: But having these really short succinct updates on particular event processes or issues I think is really, really good, it's really ‑‑ I think when you try to give an overview on everything that's happening in the internet governance space you lose people, so I think this was fantastic. The fact that you focused really closely on what are the messages and then also how do we get the community involved? Yeah... so, I just wanted to say fantastic, thanks.


CHAIR: I also would like to say thank you very much for RIPE NCC for doing this work and actually by having these kind of presentations, having the possibility for the Cooperation Working Group like now, having two slots actually, that's very nice and during lunch time also RIPE NCC had this governmental roundtable meeting with several governments coming, and discussing what IANA stewardship tricks process and how governments should or should be involved and several of the governments I hope are here, also the Cooperation Working Group right now. So, one thing actually I think is also very important, additional to us, Nurani was saying is actually how old this internet governance related processes are hanging together, I guess of course that outcome on the IANA transition process, the several outcome that we hope hopefully is also going going to make an impact on the WSIS plus 10 process. So, a lot of things are linked here.

And by saying that, I would like to close the session, but I just need one minute because I would like to say ‑‑ well, okay, I wouldn't really like to say good‑bye because that's not really the case at all actually, on the contrary. But I'm stepping down as a co‑chair of the Cooperation Working Group, I have been doing this very, very nice work in Cooperation and all the work with the RIPE NCC as a co‑chair since the start actually, I think it was like six and a half years ago or something, we had the first Cooperation Working Group meeting, and now we have two slots in the agenda, and we have many good discussions and many participants coming and being interested in what we have to say and what we are doing in the community in the cooperative way. We see many governments coming here, that's also very good. And in addition to that we have the governmental round table meeting. So by saying that, I would like to say thank you very much to everybody. And I'm going to be around, of course, because I think I'm busy enough having my seat in the RIPE NCC Executive Board, and of course I'm going to participate all the ways in the Cooperation Working Group meetings but not as a co‑chair any more, Alan and Meredith are doing a great job, they put this programme together, so ‑‑ well, see you again. But not as a co‑chair. So thank you very much everybody.


And see you in autumn.