Posts Tagged ‘FTC’
IGF-USA 2012 Case Vignettes: Turning Principles into Practice – Or Not: Internet Governance/ICANN; Consumer Privacy; Cyber Security; Dialogues about Lessons Learned
Brief session description:
Thursday, July 26, 2012 – This workshop was aimed at examining the role principles are playing in framing debates, achieving consensus and influencing change – or not. Proposals for Internet principles are popping up everywhere, from national to regional and global discussions, on a wide range of issues. In 2011, IGF-USA examined a number of principles in a session titled “A Plethora of Principles.” This session follows on that one. Session planners noted that it’s not enough to simply develop a set of principles; the question is: how are principles actually implemented, and how are they inspiring change? Are they new voluntary codes of conduct, new regulations, new laws? Principles can become a baseline for gaining high-level agreements. They may go beyond the expectations possible through legislation or regulation, so some argue that principles should be written to be aspirational. Some argue for legislation, regulation or enforcement mechanisms to ‘hold industry accountable’ to promises made in principles designed as sets of commitments. This workshop examined three case vignettes: 1) how the principles of a white paper were incorporated into ICANN’s formation and what the status of these principles is today within ICANN’s mission and core activities; 2) how consumer privacy principles have fared in global and national settings in terms of these points ‘turning into practice’; and 3) how cybersecurity/botnet principles are faring.
Details of the session:
The moderator for this session was Shane Tews, vice president for global public policy and government relations at Verisign. Panelists included:
- Becky Burr, chief privacy officer, Neustar Inc.: Turning White Paper Principles into actuality in ICANN
- Maneesha Mithal, associate director of the division of privacy and identity protection, Federal Trade Commission: Consumer privacy principles
- Eric Burger, director of the Georgetown University Center for Secure Communications: Cybersecurity and botnets
- Carl Kalapesi, co-author of the World Economic Forum’s report Rethinking Personal Data: Strengthening Trust: the World Economic Forum perspective
Before an informal agreement, policy or formal regulation is adopted, passed or approved it takes its initial steps as an idea. The trick lies in bringing it from a formative state to something actionable, otherwise it may languish as a suggested goal, followed by and adhered to by no one.
During the IGF-USA panel titled “Turning Principles into Practice – or Not” participants shared successful case studies as examples of how to create actionable practices out of ethereal goals. Citing processes ranging from US efforts to counteract botnets to domain name system governance and to consumer privacy, three panelists and one respondent drew from their own experiences in discussing ways in which people might successfully bridge the gap between idea and action.
Maneesha Mithal, associate director of the Federal Trade Commission’s Division of Privacy and Identity Protection, weighed in on the efficacy of principles versus regulation by offering a series of methods to act on a problem.
“It’s not really a binary thing – I think there’s a sliding scale here in how you implement principles and regulation,” she said. She cited corporate self-regulatory codes, the work of international standard-setting bodies, multistakeholder processes, safe harbors and legislation as possible means for action.
Mithal highlighted online privacy policies as an example of the need for a sliding scale. The status quo has been to adhere to the concepts of notice and choice on the part of consumers; this has resulted in corporations’ creation of lengthy, complicated privacy policies that go unread by the consumers they are meant to inform. Recently, pressure has been placed on companies to provide more transparent, effective means of informing customers about privacy policies.
“If it had been in a legislative context, it would have been difficult for us to amend laws,” Mithal said, though she admitted that such flexible agreements are “sometimes not enough when you talk about having rights that are enforceable.”
And Mithal did note that, given the current climate surrounding the discussion of online privacy, it’s still the time for a degree of broad-based privacy legislation in America.
Eric Burger, a professor of computer science at Georgetown University, spoke on the topic of botnets, those dangerous cyber networks that secretly invade and wrest control of computers from consumers, leaving them subservient to the whims of hackers looking for a challenge, or criminals looking for the power to distribute sizable amounts of malware.
Given the sheer number of stakeholders – ISPs concerned about the drain on their profits and the liability problems arising from the strain of illegal information shared by the botnets, individual users concerned over whether their computers have been compromised and government agencies searching for a solution – Burger said that the swift adoption of principles is the ideal response.
Among those principles are sharing responsibility for the response to botnets, admitting that it’s a global problem, reporting and sharing lessons learned from deployed countermeasures, educating users on the problem and preserving flexibility to ensure innovation. But Burger did admit the process of arriving at this set of principles wasn’t without its faults. “Very few of the users were involved in this,” he said, citing “heavy government and industry involvement, but very little on the user side,” creating a need to look back in a year or two to examine whether the principles had been met and whether they had been effective in responding to the swarm of botnets.
Becky Burr, chief privacy officer and deputy general counsel at Neustar, previously served as the director of the Office of International Affairs at the National Telecommunications and Information Administration (NTIA), where she had a hands-on role in the US recognition of ICANN. She issued a play-by-play of the lengthy series of efforts to turn ICANN from a series of proposed responses into a legitimate governing entity, which was largely aided by a single paragraph in a framework issued by President Bill Clinton’s administration in 1997.
Written as a response to the growing need for the establishment of groundwork on Internet commerce and domain names, the paper called for a global, competitive, market-based system for registering domain names, which would encourage Internet governance to move from the bottom-up. The next day, the NTIA issued the so-called “Green Paper” which echoed many of the principles of the administration’s framework and drew extensive feedback from around the world, including negative feedback over the suggestion that the US government add up to five gTLDs during the transitional period.
After reflection on the feedback to both the white and green papers, and a series of workshops among multiple stakeholders to flesh out the principles of stability, competition, private-sector leadership, bottom-up governance and realistic representation of the affected communities, ICANN held its first public meeting Nov. 14, 1998, underwent several reforms in 2002, and ever since, in Burr’s words, “is still the best idea, or at least no one’s figured out a better idea.”
“The bottom line is to iterate, make sure you articulate your principles and try to find some built-in self-correcting model,” Burr said.
While Burr’s play-by-play described how a relatively independent, formal institution was formed to offer DNS governance, Carl Kalapesi, a project manager at the World Economic Forum, offered a more informal approach, relying on the informal obligations tied to agreeing with principles to enforce adherence.
“Legislative approaches by their nature take a very, very long time,” Kalapesi said. He vigorously supported the importance of principles in offering “a common vision of where we want to get to,” which leaders can sign onto in order to get the ball rolling.
He offered the example of the “Principles of Cyber Resilience,” offered to CEOs at last year’s World Economic Forum with the goal of making them more accountable for the protection of their own networks and sites while still allowing them flexibility to combat problems in a way that best suited their own work-flow and supply chains.
Central to Kalapesi’s argument in favor of principle-based solutions is their flexibility.
“Half of the uses of data didn’t exist when the data was collected – we didn’t know what they were going to do with it,” he said, alluding to the concerns over the use of private data by the likes of Google and Facebook, which accelerate and evolve at a rate with which formal legislation could never keep up.
Burr later echoed this point in theorizing that 1998’s Child Online Protection Act might soon be obsolete, but Mithal remained firm that a “government backstop” should be in place to ensure that there’s something other than the vague notion of “market forces” to respond to companies who step back from their agreements.
— Morgan Little
Panelists shared their philosophical differences about online confidentiality and self-regulation in a discussion about privacy and security implications for Web 2.0 at the Internet Governance Forum-USA conference Oct. 2, 2009, in Washington, D.C.
All panelists agreed that online privacy remains an important issue, and that corporations have an ethical and legal responsibility to ensure that their consumers continue to enjoy some level of anonymity and confidentiality online. But they disagreed about whether self-regulation or government-enforced standards are the best method to achieve that end.
Ginger McCall, EPIC staff counsel, said companies’ privacy policies are often overwrought with technical and legal jargon, making them difficult for users to comprehend. They become so robust that users often click through them without much acknowledgement.
Privacy policies, in my experience, are generally just disclosure policies. They don’t exist to protect users’ privacy. They exist to protect companies from liability. – Ginger McCall
McCall said an overriding concern is that the policies often allow companies to change their guidelines at any time, often with no notice to the users.
A bigger problem, still, is that companies are able to collect information about users without ever providing them with the information they have gathered.
“One creative suggestion that I might make is that businesses just give consumers everything they know about them,” said Michelle Demooy, a senior associate of consumer-action.org. “If you’re not a bad actor, it can’t hurt you to give consumers everything you know about them. It can only strengthen your brand going forward.”
Both McCall and Demooy specifically expressed growing anxiety about cloud computing, which allows Web hosting services to house the documents and data of users on their corporate servers. (Think of Google Docs and Gmail, for example.) So what used to be on a person’s personal computer is now on a larger server.
“It’s great for information sharing and collaboration, but not for privacy,” McCall said. “But it allows companies or outsiders to create detailed profiles of users. We need to see a stronger security system and we need to see companies are following through. There needs to be a strong regulation of cloud computing. There should be binding legal standards, terms of services have to be revised and privacy policies must be more transparent.”
Kathryn D. Ratte, from the division of Privacy and Internet Protection of the Federal Trade Commission, said the FTC supports self-regulation, not government directives. She said allowing technologies to emerge promotes innovation.
“Our policy has been to enforce self-regulation,” Ratte said. “We analyze what’s going on in the market and put forth standards to adhere to. The flexibility allows us in some ways to act more quickly. We can just address these issues as they raise issues for consumers.”
Jeff Brueggeman, vice president of public policy for AT&T, said the FTC has laid down an ample baseline for legal protection on the Internet that certainly needs continual monitoring but not government intervention.
The FTC is taking a proactive but engaged approach. We don’t give consumers enough credit for the value they place on their privacy. More and more privacy is going to be a marketing advantage that companies are going to assert on the Internet. What we want to have is competition to maintain and secure your privacy, as well. – Jeff Brueggeman
McCall, though, said self-regulation is not a strong enough policy and that legislation with teeth is definitely possible.
“Self-regulation in the Internet context fails because there’s not really enough transparency about what’s going on and what harm is happening,” she said. “A lack of transparency allows companies to act in whatever manner it wants in the short term to make money. It also suffers from the problem in that it only allows for possible remedies after the fact. Having a real comprehensive regulatory system would allow companies to know what’s permissible and not permissible.”
The FTC has come out strongly saying that the rules that apply at time of the collection of data have to continue to apply, and if there’s a change, the company should go back to the customer and get opt-in consent. – Kathryn D. Ratte
But McCall and Demooy both said vigorous legislation is possible, and if companies are acting in good faith and treating consumers with respect and responsibility, then they shouldn’t be worried about governmental regulations.
“Privacy policies have their place, but they aren’t really helping consumers,” Demooy said. “If they’re not working, let’s not bang our hammer against that stone. Let’s try to build something that does.”
-Colin Donohue, http://www.imaginingtheinternet.org