[Privsec] workshop report for security and privacy
Gus Hosein
gus at privacy.org
Wed Apr 30 11:19:45 BST 2008
Hi all...
FYI, below is the workshop report for the Rio workshop entitled
"Security and Privacy Challenges for new Internet Applications: A
Multi-stakeholder approach".
Keep well...
gus.
Workshop Report
Security and Privacy Challenges for new Internet Applications: A
Multi-stakeholder approach
by Gus Hosein, LSE
This workshop was jointly organised by the London School of Economics
and Political Science, Privacy International, and the Dynamic
Coalition on Privacy.
Fortunately there wasn't a main session during our workshop, but
unfortunately our workshop started at the tail end of the 'Openness'
main session.
The Issue
The goal of this workshop was to identify and discuss the upcoming
challenges for both security and privacy. As companies move to
develop more and more advanced online services what are the challenges
that lie therein? What are the challenges for data protection
enforcement as it tries to negotiate security and privacy,
particularly as we are dealing with global dimensions?
'Security' in this discussion included the full spectrum of ideas:
security of individual rights, security for companies doing global
business, national security.
Workshop format
The speakers were:
- Anne Carblanc from the OECD
- Simon Davies from Privacy International
- Marie Georges, from the French privacy regulator, CNIL
- Carlos G. Gregorio from Argentina
- Johanna Shelton, Policy Counsel and Legislative Strategist for Google
(biographies available below)
Gus Hosein chaired the panel, representing the London School of
Economics and Political Science. The organising team communicated
regularly by email with all the organisations involved in the months
prior to the event, and met individually with each of the speakers in
person upon their arrival in Brazil.
The order of speakers was as follows:
1. Introduction to the panelists (GH)
2. Opening of the discussion, motivations for the workshop, diversity
of discussion (GH)
3. First speaker: Anne Carblanc -- discussion of global standards,
upcoming OECD work on the Future of the Internet
4. Second speaker: Johanna Shelton -- discussion of challenges for
new internet applications within current legal frameworks
5. Third speaker: Simon Davies -- framing the variety of discussions
on security and privacy in new internet applications
6. Fourth speaker: Marie Georges -- discussion on security and data
protection challenges
7. Fifth speaker: Carlos Gregorio -- discussion of the various
pressing internet, security, and privacy policy issues
8. Discussion
We used short initial presentations of 10 minutes and moved to
interactive discussions.
The presentations were very informative. The variety of speakers was
significant, with representation decided upon by sector (e.g. industry
and government were present), region (three continents were covered),
jurisdiction (national and international governmental organisations),
and sex (the panel was predominantly female). Each speaker offered a
rich discussion of the variety of challenges encountered in their
fields.
While we previously agreed that short presentations were the ideal way
to generate discussion, the audience was smaller than expected due to
competing events.
As a result, at the last minute, the panel chair decided to give
speakers more time to present. While this was satisfactory to the
presenters, perhaps the audience understandably started to notice a
lack of cohesion in the points being raised. Because there were so
few sessions on privacy the speakers felt that they needed to comment
on all privacy issues without necessarily keeping to the challenge of
new internet applications. The questions that followed also dealt
with the full variety of privacy concerns rather than focussing more
specifically.
The question and answer period was still very interesting. Questions
were addressed to the panel as a whole and to individual speakers.
The audience was actively engaged, and the panelists were forced to
think on their feet about the role of technology in governance. In
the end this turned out to be a very rich discussion.
The lack of strict adherence to the theme of the workshop in the
question and answer phase reflects upon the nature of the audience as
well. It is possible that the audience was not specialist enough to
appreciate the content being delivered. Cloud computing is an
advanced policy issue and with so few panels and workshops involving
privacy's finer details all these had to be raised in this workshop.
As a result it was difficult to get into the finer details of
challenges, e.g. the chair had to interrupt speakers as they referred
to international bodies and regulators by their short-hand names that
much of the audience could not be expected to know.
Despite the rich discussion and active interest of the audience, one
of the reasons why the discussion varied from the theme of the
workshop was because of the diversity of the speakers. The issue of
cloud computing and trust in centralised services is a pressing issue
that is not being widely discussed. Yet with the wide variety of
speakers at such a public event, the speakers could not truly focus on
the issue sufficiently without either losing the attention of the
generalist audience, or without speaking beyond what their
institutions would permit. As a result, only two speakers could
actually reflect actively and dynamically on what was being discussed
while the rest had to consider their organisation's expectations.
Possible follow-up
The reality is that for the past two IGFs, we have been trying to push
the discussion on privacy as an advanced public policy issue. Rather
than focussing generalised discussion on privacy, we have offered
discussions on identity management and cloud computing, amongst other
issues. We have done so because we are perplexed as to how the UN
could have ignored privacy for so long in all of the Information
Society discussions. So we tried to appeal to the issues that had
been previously discussed, e.g. security, by finding commonalities
with privacy.
The IGF needs a fundamental discussion on privacy rights. Privacy has
to be elevated as a point of discussion otherwise we'll all progress
too slowly in the finer and more challenging policy issues. After
all, how can we discuss the challenges of cloud computing or internet
advertising without first having settled, within the IGF processes,
that privacy is a value and a right worth upholding in the information
society?  Without having identified privacy, we cannot even begin to
define it, and in turn we cannot have evolved and necessary debates
about pressing governance issues.
Following from that we can then engage in the debates that are
thriving outside of the UN with little input from UN-related actors.
The discussion emerging from our workshop identified a number of
these. For instance, internet advertising will fund the future of the
internet, and is on the top of the agenda of all the online companies;
yet policy-makers are well behind on their consideration of the
challenges that lie therein. Another policy issue is the role of
technologies in protecting and enhancing privacy. For instance, we
discussed in the workshop how Digital Rights Management technology,
traditionally designed to protect the interests of copyright-holders,
may be designed in ways to promote the interests of individuals in
their attempts to enforce informational self-determination.
The IGF must begin discussing these key issues.  Our workshop, both in
its achievements and limitations, has exposed these necessary next steps.
Biographies
Anne Carblanc
Anne Carblanc is an OECD official responsible for policy issues
related to the security of information systems and networks and the
protection of privacy. Prior to joining the OECD, she was Secretary
General of the French data protection authority (CNIL). She had
previously served in the French judicial system as a judge in charge
of criminal investigations and as the Head of the criminal legislative
unit in the Ministry of Justice. Ms Carblanc has a degree in modern
languages and literature, a Master's degree in Law, and qualified as a
judge (Ecole Nationale de la Magistrature).
Marie Georges
Marie is a Counselor of President for Advanced Studies, Development
and Cooperation, for CNIL. She joined the ‘Commission Nationale de
l’Informatique et des Libertés’ (National Data Protection and
Liberties Commission) in 1979, and she participated in the
implementation of services and procedures, and was then successively
charged with the follow-up of the Data protection law in the sectors
of the interior, finance and statistics, social and medical affairs,
and telecommunications networks, amongst which, the Internet. Placed
at the disposal of the European Commission as a national expert, she
participated in the elaboration of the European Directive on Data
Protection from 1991 until it was passed in 1995, and she participated
in the elaboration of the complementary Directive on Data Protection
and Privacy in the telecommunications sector. After returning to the
CNIL, she was in charge of the Telecommunications sector, and then
Head of the Division of European and International Affairs and
Advanced Studies from 2001 to 2005.
Johanna Shelton
Johanna Mikes Shelton serves as Policy Counsel and Legislative
Strategist for Google Inc. in Washington DC. Johanna joined Google in
June 2007, after serving as Senior Counsel for Telecommunications and
the Internet for the U.S. House of Representatives Committee on Energy
and Commerce under Chairman John D. Dingell (D-MI). Her portfolio
included all telecommunications, Internet and media issues before the
Committee. She previously served as legal advisor for broadcast and
cable issues to FCC Commissioner Jonathan Adelstein and as counsel for
Representative Rick Boucher (D-VA) focusing on broadband and
intellectual property. Before that, she was an attorney with the
Federal Communications Commission’s Common Carrier Bureau and at
Latham & Watkins in Washington DC. She received her J.D. magna cum
laude and a B.S. in Business Administration summa cum laude from
Georgetown University. Following law school, Ms. Shelton clerked for
the Honorable Karen Nelson Moore, U.S. Court of Appeals for the Sixth
Circuit.
Simon Davies
Simon Davies is widely acknowledged as one of the foremost privacy
experts in the world, and is one of the pioneers of the international
privacy arena.  His work in the
fields of privacy, data protection, consumer rights and technology
policy has spanned more than twenty years. Simon is perhaps best
known as the founder and Director of the watchdog group Privacy
International, but is also an academic, consultant, journalist and
author.
Carlos G. Gregorio
Carlos G. Gregorio is Research Director at the Instituto de
Investigación para la Justicia (Research Institute for Justice), based
in Buenos Aires, Argentina. He was the coordinator of a project to
create awareness among Latin American and Caribbean judicatures to
protect the personal information on their websites. He has been a
consultant to the Inter-American Children's Institute (OAS) and the APC
Monitor Project of Internet Rights, and an advisor to numerous government
and development institutions in Latin America, Africa and Europe.