The Internet is facing a conundrum: how can engineers and others design technologies that address cybersecurity and data privacy when the adoption of these technologies is in the hands of local, regional, and national authorities who all have different policies? If this gap isn’t bridged, it could fragment governance of the Internet, and undermine users’ confidence that the global network will work as intended.
That’s the premise that brought together more than 45 representatives from governments, academia, industry, and nongovernmental organizations around the world who attended the first Experts in Technology and Policy (ETAP) Forum on Internet Governance, Cybersecurity and Privacy held in May, in San Jose, Calif.
The event was sponsored by the IEEE Internet Initiative, whose mission is to promote a platform to connect the voice of the technical community to global policymaking for Internet governance, cybersecurity, and privacy. The forum was a neutral platform for technologists and policymakers to share their insights. Among those represented were the CERT Division at Carnegie Mellon’s Software Engineering Institute, the China Internet Network Information Center (CNNIC), Cisco, the International Center for Information Ethics, Symantec India, and the U.S. Department of Homeland Security.
One speaker captured the so-called “Internet conundrum” that separates technologists and policymakers.
“If you have a perfect technical solution it cannot be deployed without the policy solution,” said Xiao Dong Lee, CEO/CTO for CNNIC. “And if you have a very good policy but no technical solution, it means nothing.”
In a report that summarized the meeting, the ETAP forum participants identified 20 of the most important Internet governance issues, which they reduced to the following five high-priority issues. The participants described each issue, current government arrangements, and how IEEE could help.
1. Data analytics
Data analytics can be a powerful tool to better society, but it has risks and unintended consequences. The mathematical models needed for anonymizing data are complicated, but that doesn’t mean creating them shouldn’t be attempted. There is no consistency in laws because most are based on the concept of notice and consent. The data privacy regulations of some countries require that a person making a report containing personal data be notified of certain collection and retention practices regarding information submitted through this system, and that the person consent to certain terms and conditions regarding the information submitted.
For example, in the United States, notice and consent rules vary by sector, with different rules for health care and finance. IEEE could develop a standardized approach for guaranteeing anonymity.
2. Multi-stakeholder governance
This issue will be critical in the discussion of privacy versus security, an area where tension still exists. Norms of behavior are needed. A suggestion was made to create the role of science diplomat. Science diplomats were used during the Cold War, when American and Russian nuclear scientists helped bridge the gap when official diplomatic channels stalled. With its chapters in nearly every country, IEEE is uniquely positioned to create and support the role of science diplomat.
3. Protecting Internet traffic, managing metadata analysis, and how to implement privacy and security at scale
This discussion focused primarily on the balance between security and privacy. It covered topics such as the Internet of Things, surveillance, tracking, metadata, and media access control addresses for privacy. There is strong tension between end users and their desire for privacy and control, and commercial entities, regulators, and law enforcement officials. Local regulations present a mosaic of security rules. For example, in Detroit, police are not allowed to use data from private security cameras, whereas in the United Kingdom they are.
Even within a region like the European Union, variations exist due to culture and context. Regardless of the strength of local regulations, their enforcement also varies. A technological solution for upholding a regulation may not be available. IEEE could form a task force to address privacy issues; provide greater visibility of research articles through its established channels; and tailor educational seminars, webinars, and other outreach efforts to policymakers on the local level.
4. Fragmentation of the Internet due to local policies and how to avoid it
Technology tends to be universal, but policy is local. However, technology may also become fragmented, driven by local preferences or mandates. Market issues such as net neutrality also follow different models that arise from local economics and business models. An Internet activity may be a crime in one country but might not be illegal in another. If data passes from one country through another en route to a third country, each is likely to have different data surveillance rules. Which country’s rules, if any, should apply? Perhaps a future IEEE ETAP forum could engage local policymakers. Another suggestion was to have government regulatory agencies propose policies and have IEEE examine them and provide feedback on the resulting consequences and trade-offs.
5. Algorithmic decision making that exacerbates existing power balances and ethics
An algorithmic function or an autonomous system may play the role of another team member in an operational setting, but there is a general lack of understanding about how algorithms work. Code developers often eliminate ambiguities in software by making choices. Laws and regulations may be ambiguous but code is not. Technology and market factors may influence regulations, when in the past the reverse has often been true.
There are few regulations regarding algorithms. IEEE’s role could include providing insight into how algorithmic decision-making is developing and what directions it’s likely to take. IEEE could also be an unbiased evaluator of sources of data, possibly for standards development. In addition, it could become a validator of algorithms, an evaluator of algorithm performance, or a developer of testing methodologies for algorithms, especially in high-value use cases where lives may be at stake. And IEEE could develop testing standards, particularly in cases where regulators might require them.
Future ETAP forums will refine these issues with the goal of taking action on several. In addition, participants at other forums can also establish priority issues of their own. The next forum will be held on 10 August in Tel Aviv.