From gus at privacy.org Wed Apr 30 11:19:45 2008
From: gus at privacy.org (Gus Hosein)
Date: Wed, 30 Apr 2008 11:19:45 +0100
Subject: [Privsec] workshop report for security and privacy
In-Reply-To: <47C81497.7040809@zedat.fu-berlin.de>
References: <47C81497.7040809@zedat.fu-berlin.de>
Message-ID: <20080430105106.D0B5B42779D@mail.gn.apc.org>

Hi all...

FYI, below is the workshop report for the Rio workshop entitled "Security and Privacy Challenges for new Internet Applications: A Multi-stakeholder approach".

Keep well...

gus.

Workshop Report

Security and Privacy Challenges for new Internet Applications: A Multi-stakeholder approach

by Gus Hosein, LSE

This workshop was jointly organised by the London School of Economics and Political Science, Privacy International, and the Dynamic Coalition on Privacy. Fortunately there wasn't a main session during our workshop, but unfortunately our workshop started at the tail end of the 'Openness' main session.

The Issue

The goal of this workshop was to identify and discuss the upcoming challenges for both security and privacy. As companies move to develop more and more advanced online services what are the challenges that lie therein? What are the challenges for data protection enforcement as it tries to negotiate security and privacy, particularly as we are dealing with global dimensions? 'Security' in this discussion included the full spectrum of ideas: security of individual rights, security for companies doing global business, national security.

Workshop format

The speakers were:
- Anne Carblanc from the OECD
- Simon Davies from Privacy International
- Marie Georges, from the French privacy regulator, CNIL
- Carlos G. Gregorio from Argentina
- Johanna Shelton, Policy Counsel and Legislative Strategist for Google
(biographies available below)

Gus Hosein chaired the panel, representing the London School of Economics and Political Science.
The organising team communicated regularly by email with all the organisations involved in the months prior to the event, and met individually with each of the speakers in person upon their arrival in Brazil.

The order of speakers was as follows:
1. Introduction to the panelists (GH)
2. Opening of the discussion, motivations for the workshop, diversity of discussion (GH)
3. First speaker: Anne Carblanc -- discussion of global standards, upcoming OECD work on the Future of the Internet
4. Second speaker: Johanna Shelton -- discussion of challenges for new internet applications within current legal frameworks
5. Third speaker: Simon Davies -- framing the variety of discussions on security and privacy in new internet applications
6. Fourth speaker: Marie Georges -- discussion on security and data protection challenges
7. Fifth speaker: Carlos Gregorio -- discussion of the various pressing internet, security, and privacy policy issues
8. Discussion

We used short initial presentations of 10 minutes and moved to interactive discussions.

The presentations were very informative. The variety of speakers was significant, with representation decided upon by sector (e.g. industry and government were present), region (three continents were covered), jurisdiction (national and international governmental organisations), and sex (the panel was predominantly female). Each speaker offered a rich discussion of the variety of challenges encountered in their fields.

While we previously agreed that short presentations were the ideal way to generate discussion, the audience was smaller than expected due to competing events. As a result, at the last minute, the panel chair decided to give speakers more time to present. While this was satisfactory to the presenters, perhaps the audience understandably started to notice a lack of cohesion in the points being raised.
Because there were so few sessions on privacy the speakers felt that they needed to comment on all privacy issues without necessarily keeping to the challenge of new internet applications. The questions that followed also dealt with the full variety of privacy concerns rather than focussing more specifically.

The question and answer period was still very interesting. Questions were addressed to the panel as a whole and to individual speakers. The audience was actively engaged, and the panelists were forced to think on their feet about the role of technology in governance. In the end this turned out to be a very rich discussion.

The lack of strict adherence to the theme of the workshop in the question and answer phase reflects upon the nature of the audience as well. It is possible that the audience was not specialist enough to appreciate the content being delivered. Cloud computing is an advanced policy issue and with so few panels and workshops involving privacy's finer details all these had to be raised in this workshop. As a result it was difficult to get into the finer details of challenges, e.g. the chair had to interrupt speakers as they referred to international bodies and regulators by their short-hand names that much of the audience could not be expected to know.

Despite the rich discussion and active interest of the audience, one of the reasons why the discussion varied from the theme of the workshop was because of the diversity of the speakers. The issue of cloud computing and trust in centralised services is a pressing issue that is not being widely discussed. Yet with the wide variety of speakers at such a public event, the speakers could not truly focus on the issue sufficiently without either losing the attention of the generalist audience, or without speaking beyond what their institutions would permit.
As a result, only two speakers could actually reflect actively and dynamically on what was being discussed while the rest had to consider their organisation's expectations.

Possible follow-up

The reality is that for the past two IGFs, we have been trying to push the discussion on privacy as an advanced public policy issue. Rather than focussing generalised discussion on privacy, we have offered discussions on identity management and cloud computing, amongst other issues. We have done so because we are perplexed as to how the UN could have ignored privacy for so long in all of the Information Society discussions. So we tried to appeal to the issues that had been previously discussed, e.g. security, by finding commonalities with privacy.

The IGF needs a fundamental discussion on privacy rights. Privacy has to be elevated as a point of discussion otherwise we'll all progress too slowly in the finer and more challenging policy issues. After all, how can we discuss the challenges of cloud computing or internet advertising without first having settled, within the IGF processes, that privacy is a value and a right worth upholding in the information society? Without having identified privacy, we can not even begin to define it, and in turn we can not have evolved and necessary debates about pressing governance issues.

Following from that we can then engage in the debates that are thriving outside of the UN with little input from UN-related actors. The discussion emerging from our workshop identified a number of these. For instance, internet advertising will fund the future of the internet, and is on the top of the agenda of all the online companies; yet policy-makers are well behind on their consideration of the challenges that lie therein. Another policy issue is the role of technologies in protecting and enhancing privacy.
For instance, we discussed in the workshop how Digital Rights Management technology, traditionally designed to protect the interests of copyright-holders, may be designed in ways to promote the interests of individuals in their attempts to enforce informational self-determination.

The IGF must begin discussing these key issues. Our workshop, both in its achievements and limitations, has exposed these necessary next steps.

Biographies

Anne Carblanc

Anne Carblanc is an OECD official responsible for policy issues related to the security of information systems and networks and the protection of privacy. Prior to joining the OECD, she was Secretary General of the French data protection authority (CNIL). She had previously served in the French judicial system as a judge in charge of criminal investigations and as the Head of the criminal legislative unit in the Ministry of Justice. Ms Carblanc has a degree in modern languages and literature, a Master's degree in Law, and qualified as a judge (Ecole Nationale de la Magistrature).

Marie Georges

Marie is a Counselor of President for Advanced Studies, Development and Cooperation, for CNIL. She joined the "Commission Nationale de l'Informatique et des Libertés" (National Data Protection and Liberties Commission) by 1979, and she participated in the implementation of services and procedures, and was then successively charged with the follow-up of the Data protection law in the sectors of the interior, finance and statistics, social and medical affairs, and telecommunications networks, amongst which, the Internet. Placed at the disposal of the European Commission as a national expert, she participated in the elaboration of the European Directive on Data Protection from 1991 until it was passed in 1995, and she participated in the elaboration of the complementary Directive on Data Protection and Privacy in the telecommunications sector.
After returning to the CNIL, she was in charge of the Telecommunications sector, and then Head of the Division of European and International Affairs and Advanced Studies from 2001 to 2005.

Johanna Shelton

Johanna Mikes Shelton serves as Policy Counsel and Legislative Strategist for Google Inc. in Washington DC. Johanna joined Google in June 2007, after serving as Senior Counsel for Telecommunications and the Internet for the U.S. House of Representatives Committee on Energy and Commerce under Chairman John D. Dingell (D-MI). Her portfolio included all telecommunications, Internet and media issues before the Committee. She previously served as legal advisor for broadcast and cable issues to FCC Commissioner Jonathan Adelstein and as counsel for Representative Rick Boucher (D-VA) focusing on broadband and intellectual property. Before that, she was an attorney with the Federal Communications Commission's Common Carrier Bureau and at Latham & Watkins in Washington DC. She received her J.D. magna cum laude and a B.S. in Business Administration summa cum laude from Georgetown University. Following law school, Ms. Shelton clerked for the Honorable Karen Nelson Moore, U.S. Court of Appeals for the Sixth Circuit.

Simon Davies

Simon Davies is widely acknowledged as one of the foremost privacy experts in the world, and is one of the pioneers of the international privacy arena. His work in the fields of privacy, data protection, consumer rights and technology policy has spanned more than twenty years. Simon is perhaps best known as the founder and Director of the watchdog group Privacy International, but is also an academic, consultant, journalist and author.

Carlos G. Gregorio

Carlos G. Gregorio is Research Director at the Instituto de Investigación para la Justicia (Research Institute for Justice), based in Buenos Aires, Argentina.
He was the coordinator of a project to create awareness among Latin American and the Caribbean judicatures to protect the personal information on their websites. He has been consultant of the Inter-American Children's Institute (OAS), the APC Monitor Project of Internet Rights; and advisor to numerous government and development institutions in Latin America, Africa and Europe.

From bendrath at zedat.fu-berlin.de Wed Apr 30 23:51:19 2008
From: bendrath at zedat.fu-berlin.de (Ralf Bendrath)
Date: Thu, 01 May 2008 00:51:19 +0200
Subject: [Privsec] privacy workshop proposal for IGF 2008
Message-ID: <4818F7E7.3000901@zedat.fu-berlin.de>

Hello,

FYI: A few members of the IGF Dynamic Coalition on Privacy have submitted the following privacy workshop proposal for the IGF 2008. We are still looking for panelists. Suggestions and volunteers are welcome.

Best, Ralf

-----------------------------

1. Name of proposed workshop

"Policy aspects of Privacy Enhancing Technologies (PETs)"

The workshop could fit under any of the following themes
* Managing the Internet (Using the Internet)
* Critical Internet resources
* Arrangements for Internet governance
* Global cooperation for Internet security and stability

2. Provide a concise description of the proposed workshop theme including its importance and relevance to the IGF.

Technologies specifically designed to support privacy and data protection in the information society have been researched for many years, and are now gradually becoming deployed. The first part of the workshop will provide a conceptual grounding for policymakers deliberating responses to privacy threats and summarise recent advances in PET research. In the second part of the workshop, a diverse panel of stakeholders will discuss policy options for encouraging adoption of PETs, appropriate for various privacy contexts, in an open dialogue with workshop participants.
The workshop is relevant for the IGF, because past experience shows that many policymakers do not base their decisions on the latest knowledge of privacy-enhancing technologies, especially those that enhance privacy and security at the same time (see the report from the workshop "Privacy in Internet Identity Management: Emerging Issues and New Approaches" for more information). This workshop is a follow-up to the Rio IGF in the sense mentioned above.

4. Provide the name of the organizer(s) of the workshop and their affiliation to various stakeholder groups. Describe how you will take steps to adhere to the multi-stakeholder principle, geographical diversity and gender balance.

* Caspar Bowden - Chief Privacy Adviser EMEA, Microsoft Technology Office (business sector)
* Gus Hosein - Privacy International (civil society)
* Jan Schallaböck - data protection authority of Schleswig-Holstein, Germany (government)
* Ralf Bendrath - Technical University Delft (academic community)
[Members of the Dynamic Privacy Coalition]

The organizers are from various stakeholder groups, and through the IGF Dynamic Coalition on Privacy, they have working contacts to a wide network of stakeholders from all world regions and genders. Although the composition of the workshop presenters has not been finalised, we will aim to ensure as far as possible that there is diversity of representation by gender and geography, consistent with the aim of providing the highest quality expertise available.

8. Were you part of organizing a workshop last year? Which one? Did you submit a workshop report?

Some of us organized two workshops together with other members of the IGF Dynamic Coalition on Privacy:
* Security and Privacy Challenges for new Internet Applications: A Multi-stakeholder approach
* Privacy in Internet Identity Management: Emerging Issues and New Approaches

We have just submitted reports for both of them, as well as for the meeting of the Dynamic Coalition on Privacy.

7. List similar events you and/or any other IGF workshops you have organized in the past.

The organizers have constantly been working in the field of internet privacy and security for a number of years and have organized numerous events. In the IGF context, the organizers were involved in organizing two privacy workshops both at the IGF 2006 and the IGF 2007. They are also active members or facilitators of the IGF Dynamic Coalition on Privacy.

9. Under which of the five IGF themes does the proposal fall under?

* access
* security
* emerging issues

--
-------------------------------------------------------------------
Dipl. Pol. Ralf Bendrath
Technical University Delft, Netherlands
Faculty of Technology, Policy and Management, Section ICT
Work: http://www.ict.tbm.tudelft.nl
Blog: http://bendrath.blogspot.com
Info: http://userpage.fu-berlin.de/~bendrath
PGP / GnuPG Public Key: http://userpage.fu-berlin.de/~bendrath/ralf-bendrath-public-key.asc