Cooperation Working Group
RIPE 88
23 May
9 a.m.
Cooperation Working Group
JULF HELSINGIUS: Good morning. I'm glad to see at least some of us have survived the whiskey BoF. Welcome to the Cooperation Working Group session. We have some interesting speakers lined up, but first, a little bit of administrative stuff.
The minutes of the last meeting have been online, I posted the link yesterday, so you might not have had a chance to look at it. If you find anything wrong with the minutes, let us know and we'll get it fixed.
The other administrative thing which also already was mentioned on the mailing list is that we have reselected Desiree to continue as co‑chair. Thank you, Desiree, and thanks for the support.
(Applause)
And speaking of Desiree, I am actually going to ask her to come up and introduce the speakers. Of course we have a kill season line monitoring the online discussions so we are covering all bases.
DESIREE MILOSHEVIC: Good morning everyone, as you can see, somebody was partying late last night. It's my pleasure to present to you the programme we have put together for you today.
Also, to welcome people online, and so, what we have is four speakers today. Our first presenter is Emmanuel Kessler from EUROPOL and he will give us some update. It's been quite some time since we had a law enforcement agency talk to us, so we we column come him. We are really happy he is here.
Following up this update and we hope to keep some questions for the end, we will hear from Jeanette Hofmann, she is an academic from Berlin, she is with the Weisenbaum Institute. So, she had two professorship looking into Internet governance issues. Also, the high level executive committee member of net moon DL plus 10 event that just took place in Brazil last month, trying to revise some of the main Internet governance principles. So we hope you have some questions for her as well.
And following that, we will welcome Osama Al‑Dosary, who will be talking to us about solid projects, so something more technical end, so I really look forward to that. Last but not least, we will welcome Romain boss from the RIPE NCC, who will give us some updates and trends about the regulatory atmosphere in Brussels, what's happening with the elections, and I also hope that you'll enjoy his talk. With that, no further ado, I welcome to the stagey Manuel Kessler.
EMMANUEL KESSLER: Thank you very much. Thank you for the floor, I am very glad to be here today to share with you the latest input from EUROPOL. I think it makes sense to explain to you who we are, how do we work, what we can do all together. And why the governance matters, why the cooperation with the RIPE actors is really important for us.
So, to give you an update. First, I would say that, well, I have joined EUROPOL for three years now. Previously, I am a police officer, I worked in France in the national cybercrime unit, so on international cooperation.
So, first. Just to tell you who we are, how do we work.
Indeed, EUROPOL is law enforcement agency. We are a support agency, a cooperation hub. It means that colleagues from the Member States, from Germany, Poland, France, Spain, all Member States, come to us so request, to require our support on big investigations, on main transborder and complex investigations. We work against organised crime groups. So, on very important cases, operational cases, we will then provide to our colleagues of the Member States support package. What is a support package? Indeed, we will provide to our colleagues support on forensic analysis. We will provide them support on crypto currency tracing, support to coordinate the investigations. We have the premises, we have some experts, we have our own operational capacities. There is a lot of agency with poll at international level. You are Interpol, EUROPOL, American poll. Indeed the capital cities of these agencies may be different. At EUROPOL level, and we cover most of the countries of RIPE indeed, at EUROPOL level we have our own operational capacities and it is a strong point for us to support our colleagues.
You see the main tasks, the main missions on the screen. Of course we have here 100 people with law enforcement background, but not only, we have people with civilian background, legal background, communication background, and we will work at every level against cybercrime. In EUROPOL you have a centre dedicated to cybercrime, another one to organised crime, another one to financial crime, and also another one to terrorism also. So, we are the cybercrime centre of EUROPOL.
We work on all the scope of cybercrime, cyber threats, we recover cyber attacks. Indeed cyber‑dependent crime, botnet, malware, ransomware, DDoS attacks. We cover child sexual exploitation, child sexual abuse material. We have in EUROPOL the second databases with 64 million of contents, it is useful for us to trace back the paedophile online. To give you an example, during each year we organise big operations and we, on a dozen of operations, we have identified ‑‑ we have saved 700 children. And we have identified 230 paedophiles, to give you an example of what we can do at operational level, with other colleagues from the Member States. We don't lead investigations, I want to be clear, we just support, and our colleagues from the Member States lead the investigation but they get the benefit from our support.
Indeed, we are here to promote the law enforcement interest about digital investigation. If we have the capacity at legal level, technical level to do them, we will do them, and we are here to share the voice of law enforcement in the debate. We don't negotiate. We are not a negotiation agency, we are an operational agency, but we share the view with all partners that are interested.
We have also our own forensic capacity. What is a digital investigation? It is forensic and access to information. These two points are major in a digital investigation. We have a forensic club that will provide analysis of contents, servers, laptops, smartphones, they will analyse that. They will assist the colleagues in the Member States during operations, and we will work on some decryption activities. We have been created ‑‑ well more than ten years ago. We have now great maturity at service level to bring the best support as possible.
Just to give you an example. Facing a major cyber attack, how can we work? We have, of course, our capacities, the you 100 people, experts that are in the centre, we will work on to do some cyber‑threat assessment. We will support with our databases to do some cross matches of information. We are 24/7. We work permanently. The forensic lab, and we will go on missions in the Member States. We have a cooperation groups with all colleagues from various countries. These countries have a liaison officer who work permanently in EUROPOL. They work in an open space. All together it is a matter of trust here between people. They will do some identification of operational cases to prepare them and to bring them to the justice once they are ready to be launched. So, it's a great ‑‑ I say it's a great tool at international level. Each time you see an international success with EUROPOL at international level on cybercrime, the joint cybercrime action task force is involved on that.
We have also developed, we try to push innovation. Against crime it is essential to innovate permanently. We have developed against ransom wears for example. This model here, which is international ransomware response model. In instead of working on cases for the complains, the idea was to target the capacities of criminals. I just mention that ‑‑ well, at EUROPOL level we do not ‑‑ we work against what we call high value targets. We do not work on youngsters, little fish. We work on the most dangerous people, I have to mention that because that's our task, our mission.
And we ‑‑ for young people, young offenders, we also promote some more activities, actions, for example our Dutch colleagues are very active on that. The idea with some first offenders, to keep them on the right side because we need some capacities on cyber security, these people may have some capacities to work on the right side and so we promote this kind of approach. But for the tough guys, for the organised crimes groups, that's our goal our job at EUROPOL to work against the most dangerous groups.
We have this model against ransomware was very useful. Because thanks to that, we have operated a large number of cases against ransomware as a service, against capacities of cyber criminals, VPN, and it is useful. Why? Because more than identifying guys, we are also ‑‑ we can also, in this investigations, identify new that's. Two years ago we worked against VPN lab that was used by organised crimes group, and during the investigations we observed that the criminal groups were to target 100 new companies and we were successful in preventing these new attacks. So that's why here, we help victims. In EUROPOL, we also consider victims.
The last point here, no more ransom.org, that's a success with Private Secretary. We created this platform to victims some decryption keys against ransomware. The platform is available to public, 38 languages at international level around on this platform we cover about 180 families of ransomwares, and we, in this partnership, we have 200 partners from the private sector.
Of course, the private sector is essential in our success.
Now, you have here some examples ‑‑ I invite you to go to the EUROPOL site. You will have all the operational cases that have been achieved which were successful. It will give you an idea about what we can do. We worked on ransomware at various levels against platforms of crime as a service, ransomware as a service. We worked against organised crimes groups behind the ransom wears and we worked against the capacities to do some crypto currency mixing. This is so far essential and we work to disturb these capacities from attackers. The more we disturb that the better we may protect victims. That's our goal in EUROPOL, the protection of victims to avoid new victims indeed.
Why I show you all these examples? I show you all these operational examples because without the support of Private sectors, of partners, it couldn't be possible, clearly. So, all these cases have been achieved with the great support from companies, from private sectors, from organisations. That's why I just give you some examples of how we can be successful on protecting victims all together.
So, now of course, e‑governance is a real matter for us. E‑governance, what are our interests? Our interests are at BoF level. The first level of interest is about DNS abusers of course. You know well the problem. You know well the matter of the security matter on that. And for us, it's a kind of prevention approach that we would develop on that. DNS abusers, we have to fight against that to struggle, because it will limit as much as possible the threat. It is so essential for us.
We watch ‑‑ we are currently in EUROPOL increasing, developing our capacities on that to be more involved on these matters, so in the future, I hope you will have more opportunities to see us and we will have more opportunities also to discuss with you very, very clearly.
The second point of interest for us is about the access to information. Indeed, in a new job if you receive request from the law enforcement, it's not only in operational cases. Keep in mind that behind the operational cases, there are victims. And so, each time you are in a capacity to provide any information to positively answer the request, you help us greatly, in identifying the attackers, helping the victims and preventing clearly new victims.
We have this interest from the law enforcement perspective to have data sets that are reliable, informs that is precise, concrete, reliable. I'm not very fond of aggregation to be honest, so some of you know that, because for us it is very essential to be in the capacity to trace back the attacks and to see the people behind the attacks.
At EU level we have various matters of interest currently. We have the NIS 2 directive, we have the article 28, as, you know, about DNS. Each time we can get some concrete information with this access to information, it will be very helpful on our side. So it is a situation on DNS. It is a situation on IPv4, IPv6.
So, two years ago, I had a discussion ‑‑ just to conclude ‑‑ and in this call, someone told me but why would we have to help the law enforcement? Good question.
Indeed, when you are in law enforcement you believe in your job, you believe in your work, and so we were very surprised about this question, to be honest. Thinking ‑‑ and we didn't really answer to this question because it was it was a real surprise for us. Later on I thought about this question, and I just observed that the reality experienced by these people was very different indeed from what we can experience. The question was very provocative, to be clear. Maybe for that person we were nasty people, I don't know, or it was only provocative, but the reality maybe sometimes very different from one person to another. On our side, I just see law enforcement officers working on a daily basis against offenders, crimes, observing people, victims in very bad situations, whose lives may be completely disturbed and jeopardised by these people. So I just share you this insight and this feeling that I have.
Indeed, we need partners. We need friends. We need people to achieve this protection of victims, and I really thank you for your attention. I am ready to answer any of your questions. I will be here also tonight. So thank you very much.
(Applause)
JULF HELSINGIUS: Thank you very much. We have a queue forming up.
AUDIENCE SPEAKER: Thank you, Erik Clement from Orange and representative from the ETNO as well, which is the organisation of the telecommunications in Europe. So first, thank you. And just to underline, I appreciate your presentation. And so I would say that we consider EUROPOL as a big partner for that, and very happy as well to help you and could cooperate together and to serve, particularly ‑‑ so important issues you have to deal with first. And so, as my capacity of member of the community, as well as the RIPE community, so thank you very much, we are with you and we had the possibility to propose on the anti‑abuse policy, so to make for the RIPE NCC the possibility to check the anti‑abuse e‑mailing database. So thank you so much.
AUDIENCE SPEAKER: Thank you for your presentation. I am Alex from the Amsterdam Internet Exchange. We are an EC3 partner, and I can recommend everyone here who wants to do something with policy and the police and EUROPOL to contact you or the EC3 people and request access maybe to the next meeting, June 13th.
EMMANUEL KESSLER: Thank you very much for your sharing. I am remind that we are very glad of these partnerships. We work in real trust with our partners. My operational partners are in relevant contacts with the companies. They know each other as people, and it really helps us in our success.
JULF HELSINGIUS: We need some questions. I am going to come with an actual question.
You spoke about DNS abuse. And as somebody who went through the rather traumatic experience of the ICANN EB dB to replace Whois, I remember the endless discussions about what DNS abuse is. I'd be curious about what your definition of DNS abuse is.
EMMANUEL KESSLER: Well, great question. And hard to be honest, hard to answer in a nutshell.
DNS abuse, for us, it's about ‑‑ it's a step to the crime clearly, it's a preparative step we consider. So for us, it's an area we have to work on clearly, because how do we work in an investigation framework? All my colleagues, investigators, will work on identified matters, cases. They will work on a DNS abuse, but it's like a breath, having a breath. They have a breath, but after that, they have another breath. So, we have maybe at law enforcement level to consider more globally the DNS abuse matters, to work more closely with partners on that to prevent that. It's not easy, because it's ‑‑ we are a little bit out of our activities to be clear, but clearly we will try to increase our involvement.
AUDIENCE SPEAKER: Alistair Woodman, thank you very much for the work you do. I have been following the Cyber Resilience Act from the EU, and the EU politicians clearly think that there is a lot of money at stake with cybercrime. Can you comment on the growth of activities and possibly the appearance of AI on the side, on the other side and whether that's affecting either the rate of attacks or the complexity and cunningness of attacks?
EMMANUEL KESSLER: Good question. How you know there is ‑‑ well, we, so far we have produced a report on AI, on the use, the bad uses of AI. There are ‑‑ AI can be an important thing for law enforcement because it can help us with machine learning for example, to process a huge number of information it is essential. Many operational cases were achieved thanks to AI. If you consider sky assisting grow chat for example, we had ‑‑ we have 1 billion of messages to process, and here you can have 30 cops in a room with pizza and beer ‑‑ we need AI clearly. So we were successful to work on this. AI is also a threat because of course organised crime groups will use AI. We have assessed the various possible use to launch cyber attacks for example. AI will enable more people to be in a capacity to launch cyber attacks. We have started to observe that on the DarkNet on ‑‑ we observed some starting large language model like ChatGPT for criminals but dedicated on the DarkNet. So far they are not the most efficient but they will improve in the future. We have to see that, we have to prepare for that and to be ready against that. So AI will be used to launch more cyber attacks. It will be used on scams. You have all received some messages with mistakes promising a lot of things. Click on this point and you will have a fortune. But it will more and more credible in the future, because the bad guys will use AI very clearly. So here again, there is a threat. So we have to consider that. We work on that. We have an innovation lab in EUROPOL that is dedicated to work on the AI evolution.
AUDIENCE SPEAKER: So you don't go towards the little players, the script kiddies, I understand. You go to the big malicious organisations. What about State operators and the discussion around that because State operators as being States, before you know it the whole thing becomes political? How do you deal with the political side?
EMMANUEL KESSLER: Indeed, we are a law enforcement agency. We are not a security service or intelligence service. States supported activist will be more in the scope of security services because it's very particular. But of course, well we work on cyber attacks. Sometimes well we don't know who may be behind the cybersecurity attacks. Sometimes it can happen. But very clearly, each time ‑‑ it the linked linked, destabilising political matters, it may be more for our colleagues from the security services. We will ‑‑ we have worked against major cases, we have worked on ***not BT I cry, for example, but it was a huge huge matter. On that dimension of State sponsored attacks, well, we are not really in our scope, to be honest.
JULF HELSINGIUS: If I can continue on that question a little bit on State actors. Yes, you coordinate among law enforcement. How do you actually ‑‑ what is valid law enforcement and what isn't? To pick an example that's outside of your area, don't pick on any one you might actually be working with, let's say we have Afghanistan's, Taliban's religious police saying this person has not been wearing a head scarf and we need you to help us track down this person without the head scarf?
EMMANUEL KESSLER: Well, indeed, we cooperate ‑‑ we have, of course, cooperation agreement with our partners. So, we have strategic agreements with some countries. It may be Brazil, Turkey, other countries outside the EU that's possible. We have operational agreements. We have countries that are not in the EU as well. But of course, they have been value dated, considering that there are protection matters, they have been negotiated by the higher authorities, so there is a whole framework. We don't do anything with anybody, that's not the rule. We work ‑‑ we have strong partners from outside the EU. You have seen the G cat, some of these partners to give you the example. So, we have the US, we have Australia, UK, of course, some other partners outside the EU may soon join the J cat because it's very efficient. But in EUROPOL we work considering the EU legislation clearly in any circumstances.
JULF HELSINGIUS: Great thank you. Anything online? No. Okay. Thank you very much.
(Applause)
.
Our next speaker is virtual.
JEANETTE HOFMANN: Good morning everybody. Thank you for the invitation. I am giving a short report about NETmundial+10 and I thought it might be best if we go back to the or.
Contingency of NETmundial, which was 2013 and 2014. The actual origins of NETmundial have to do with Edward's Snowden's revelations about surveillance activities of the US in 2013. As you may recall, there was a lot of protests against using the Internet to collect intelligence about users, and also governments around the world. One of the most forceful voices at that time was Dilma Rousseff. I don't know how to go forward with the slides myself, I guess you have to do that, right?
.
Can you go forward with the slide?
One of the forceful voices at that time was Dilma Vana Rousseff, the president of Brazil, who gave a talk at the UN in autumn 2013 where she made it clear that what the US Government was doing was absolutely unacceptable and that there would be new rules required for how to actually use the Internet and cyber space. That presentation caused some concern among the Internet community because she clearly saw the sort of formulation of those rules for the Internet as a multilateral matter to be negotiated among governments. And that have the moment when the Internet community tried to talk to her and say that this would be a matter of a multistakeholder process and not just a multilateral issue
.
So Fada Shaday from ICANN went to Brazil to talk to her and after some back and forth, they agreed to sort of organise a conference where all governments, civil society, technical community, academic community and the private sector would be invited to come up with rules and principles for the use of the Internet.
The outcome document of NETmundial had two sections, one was on Internet governance principles, and a roadmap. And these Internet governance principles that cover the issues you see on the slide, they form the basis for NETmundial plus 10.
Before we look at those guidelines, a brief comment on the approach of NETmundial, which was fairly new at that time.
There was, in the sort of very short time frame, there was a high level committee that was supposed to represent all stakeholders. There was an online consultation that came up with a draft document and the NETmundial meeting was about revising that draft document. And what was so new about this whole process is that we indeed managed to produce an outcome document that got the consent from nearly all governments who were present at NETmundial. And the way we did this, and the reason why that was possible at all, is because the NETmundial outcome document contained agreed language that came from documents discussed at the UN. So, all the principles that we formulated, the roadmap document, they were based on agreed language that we sort of collected in the last night of NETmundial from New York.
And because of that approach, everybody thought that NETmundial sort of lifted multistakeholder approaches to a new level that would form the benchmark for everything to come, which unfortunately was not the case because the UN more or less managed to ignore this document and just pretend it did not exist.
NETmundial plus 10 process:
It started in the autumn of '23 at the IGF in Kyoto. A scoping group was formed to discuss whether or not to organise a NETmundial plus 10 event, and it also discussed the potential topics and the goal. And the goal that you see formulated on the slide was more or less to work on the principles discussed at NETmundial 2014, because everybody thought that the multistakeholder approach is sort of on a slide downwards. Less and less organisations take it really seriously. It has, in many organisations, turned into sort of lip service that doesn't really shape decision‑making processes any more, and also what might be seen as another short coming, there is no innovation in this process any longer.
So, in early 2024, the Brazilian organisation, CGI, issued a short statement announce that go there would be a NETmundial+10 conference in March there was another high level committee formed, in March of this year a public consultation was started where people were asked questions such as: Are the NETmundial principles still valid today or how should they evolve? And then a lot of sort of concrete questions about specifics of these principles were asked. The result of that consultation of the basis of a draft document, and then in late April, the NETmundial+10 stakeholder conference took place and agreed on a final document.
Here, you see the final document, and I will now mention a few details about it.
First, about the focus.
Interestingly enough, one of the debates we had in Sao Paulo about the outcome document actually concerned language. It was about the question why we still talk about Internet governance instead of digital governance, what many people who attended the conference found actually more adequate. And it turns out that a lot of the multistakeholder processes that we practice today are indeed tied to the language, to the wording, terminology, Internet governance. Whereas digital policies that sort of cover a much broader scope have no clear institutional home and no clear process. In fact, the UN nowadays claims competence and authority overrule making for digital policies. This is why many people at the table in Sao Paulo were reluctant to change the language. This is why we agreed on a thing that would mention Internet governance but also digital policy principles.
The second issue concerned the scope, internet governance originally concerned the management and the governance of names and numbers, and now the scope is sort of extended to not only multistakeholder organisations such as RIPE or ICANN, but also the new statement addresses multilateral processes and asks them to update their own governance structures and take on board multistakeholder process principles that would allow non‑Government actors to get involved and to sort of provide for meaningful participation of non‑governmental actors.
So, the concrete outcome, the substantial outcome of the NETmundial+10 document are so‑called Sao Paulo multistakeholder guidelines. They aim to make what we associate with multistakeholder approaches more concrete and provide bench marks against which transnational decision‑making processes can be measured in terms of how multistakeholder friendly they actually are.
So, one of the guidelines we agreed upon says multistakeholder processes should be mindful of power a similar trees between diverse stakeholders. As all of you are aware there are representatives or individuals with more or less resources when they participant to participate in a decision making or negotiation processes and there might be ways to help organisations with less resources in terms of participation and making meaningful contributions. And the guidelines specify some of them.
Another more controversial guidelines is about multistakeholder processes governed by the rule of law and respect to international human rights principles. Why the respect to international human rights principles was fairly ‑‑ there was consensus about that, the rule of law is a bit more critical, because it also means that multistakeholder processes should respect rule of law of non‑democratic countries which can be, in many cases, be very restrictive. We simply had not enough time to iron out critical and controversial guidelines such as this one, and that is also if you want a call to look at these guidelines, discuss them, and also amend them where necessary.
Another aspect concerns the identification of relevant stakeholders for giving decision‑making processes. As some of you know there was controversial language about the roles of stakeholders in the RIS IS outcome document of 2005, and lots of people have argued about that, that multistakeholder and multilateral processes should sort of aim for being inclusive instead of putting stakeholders in specific categories and close the door in front of them.
The document has rather exclusive language about this, and the guidelines are firm, the NETmundial+10 stake outcome document sort of suggests more flexible language by suggesting that multistakeholder and multilateral processes should sort of aim for flexibility and look at what is at stake, what kind of expertise, but also in terms of what kind of effectiveness is at play here and then decide on that basis who should be included and who might be less relevant to a given decision‑making process.
Another final section of this outcome document is tiled as messages to ongoing processes. This is important. There is one section about the IGF that suggests that the IGF needs more resources to function properly, and that also its working methods in the long run should be reconsidered to make the IGF more effective.
Another section includes the global digital compact, which is an an initiative which is at stake right now and the UN suggests new processes and also institutions, and the outcome document of NETmundial+10 here suggests that no new organisations and processes are really needed in the space of digital policies. Instead the existing organisations should be strenghtened instead of sort of trying to redistribute scarce resources of even more organisations, and thereby risk also a fragmentation of the Internet and digital policy processes.
That's my short overview. Thank you very much.
(Applause)
JULF HELSINGIUS: Thank you Jeanette. So, we will open the room for questions.
AUDIENCE SPEAKER: Good morning, I am Paul Rendek for DStream group. Hi Jeanette. Nice to see you. It's been a long time. Thank you very much for this update. What I really like to see is that the principles that were done in NETmundial, those ten years ago, I remember that very clearly, the pedigree of this community really lies in a lot of those bulletpoints you listed. I'm happy to see that they are going to be used in this.
I think the part I'm a bit concerned about, and you did state that in the end, was you have already got this very full basket and I think they are just trying to shove a little bit more into there. I am a bit more confused than I even was at NETmundial at the beginning. But I think the question I have is: We're ten years down the road now, and what's going to happen with NETmundial now? I mean, is this going to be taken more seriously in the UN circles? Why would we as a community want to actually invest our resources into this is my question?
JEANETTE HOFMANN: I think that's a good question. Of course, such a statement won't change the tide in the UN, which is clearly more multilateral than multistakeholder at the moment. I would see the practical relevance in this outcome document first as a point of reference for organisations who claim access to multilateral processes. Sort of they can refer to this document and sort of suggest to multilateral processes to be more open and inclusive. And the second one, and this concerns specifically the guidelines, that is meant to be sort of first benchmark for organisations to sort of ‑‑ who want to practice or do practice multistakeholder processes and look at these guidelines and ask themselves how good they fair with their own approach and where they might want to change.
AUDIENCE SPEAKER: Peter Koch. Morning Jeanette. Good to see you again. And thanks for the work that you and others have been doing in the organising and more so in in that high level committee, doing the drafting so on and so forth. So, the language that you refer to in the statement might sound kind of very abstract and high level to much of the audience, at least in this room, and you mentioned some of these key words like relevant stakeholders, which of course have more connotations than like original meaning. And just to remind everybody that in the preparation of NETmundial, or around that time, we had a special discussion about the very role of this community, the technical community, where RIPE explicitly, is one of the four that has been successfully doing self‑governance for quite a while now. Being a member of another stakeholder community, you mine reluctant to answer my question, but my question still is: What would be your recommendation to the technical community which claims the seat at the table not so much because we have had it for ages but probably because it's more necessary than ever given that the complexity of the Internet infrastructure is growing? So what would be your suggestions, advice, you name it, how do, say, spread the news and get the resources and get the people on board that are needed to understand that this participating in things like this is kind of doing the the cost of doing the business?
JEANETTE HOFMANN: Thank you for this question, Peter, which is really dear to my heart. There was a reason why I mentioned the power asymmetries. As you know, knowledge is a form of power and the language we use to express information and knowledge and negotiate it, can be really, really exclusive. I follow vaguely what's going on at ICANN and all the acronyms are by now really beyond me. I feel excluded knowing that nobody wants to exclude me.
So, what I think what the technical community really needs to work on is how they sort of express their own recommendations. There is a way of being more inclusive and sort of help organisations that are not resourceful in terms of technical staff, for example. But who might be affected by decisions, organisations such as RIPE are making, to help them understand what is at stake. That really matters also for acceptance and legitimacy of organisations that have a clear technical focus. I have been arguing for decades that a lot of ‑‑ full understanding, that there are lots of policy implications of issues that look very technical to you and are sort of your own territory. But there is a way of including other stakeholders who might be affected and you would benefit from it. You would also thereby, be able to see perhaps new dimensions of what you are doing.
AUDIENCE SPEAKER: Alistair Woodman: So, we have just had a very good talk earlier on from the police talking about data gathering and why they need to be able to do this and do it extensively in order to capture some very large criminal entities.
So, I don't see how to resolve the problem of individual freedom as well as the ability to be able to go after these very organised criminal gangs. And from a technical status, you either collect all the data or you don't collect any of the data. I don't think you can tell before or after what's going to be useful and what isn't. And we live in a world where we are going to collect all the data. Prices and everything else keep going down and people keep collecting the data irrespective of what's happening.
So, to a certain extent, I also think about what's been going on in the US at the moment with Boeing, and other indications there. There were some whistleblowers there that were very badly treated. I don't think that's anything to do with data gathering. I think this has got to do with the fact that they don't get protected. We look at the case of what's happening in the United Kingdom at the moment with the Post Office scandal and some of those other types of things. The whistleblowers there should have been protected. I don't think this is an issue with data gathering either online or whatever it is. It's that we, as a civil society, do not protect the whistleblowers. So I think if you wanted to do something about this, my view of the world would be you would give somebody who blew the whistle 50 years' worth of income from some organisation and just everybody would go great, they have busted people and, you know, sometimes you would have to give them that money and put them in some other place and look after them because they are going to be attacked by other people.
But, we're not going after the problem the right way. If I see what happened to Snowden and other types of things, there's been so many other examples that we would not solve with these types of problems. You need a different solution to the problem.
I'll rest my statement there.
JEANETTE HOFMANN: If I may briefly comment. I would say ‑‑ I mean, I understand that whistleblowers is a way to go, but I think there is also a more institutionalised response, and that is sort of make sure that there is democratic oversight; that organisations who overstep their boundaries are held accountable, and that needs a setting where I think multistakeholder approaches can help to get it right. At the moment we can see that our intelligence services are not very well controlled bi‑national apartments parliaments and even so on the international transnational level. I think there is a political and a technical dimension in improving political oversight over those who collect data for whatever purposes in law enforcement.
AUDIENCE SPEAKER: Then I have got a very good counter‑example of what went on at the moment in the United Kingdom with the post office. They had a political oversight process. There were a whole bunch of people there, they either did not care and were just doing their job and did not pay any attention, or were complicit in this and they are pretending that they did not know. I do not see that you solve this by having extra people oversight thing. You need to protect whistleblowers and you need to be able to embarrass executives and people in public in front of things so that things get cleared up. Putting more bureaucracy on these things does not fix them, it just hides it and puts it under the covers. So more multistakeholder foo thing, whatever it is, where we all try to be nice to one another behind the covers, does not help. You need to be able to embarrass, speak truth to authority directly. And these people who are willing to step up need to be protected by civil society, by us. This is not expensive. This can be done.
JULF HELSINGIUS: Thank you. Do we have anything online?
ACHILLEAS KEMOS: Yes, we have a couple of questions.
So, first, Sascha: "Can you tell us if there are real possibilities for lowering international roaming prices? Can you tell us if there are real possibilities for lowering..." yeah, I don't know the relevance of this question. But there you have it from Sascha speaking for himself.
From Bruno Santos: "A lot has been said internally at our meetings about what could be the future users of the ESP Gs and messages emerging from NETmundial+10. Do you think the Sao Paulo guidelines can be used to analyse current and future member state approaches and/or processes?"
JEANETTE HOFMANN: Regarding the last question, perhaps I should mention that too, that it's sort of regarded as a rolling document, it should be improved. Organisations should work on it. And I think that the Brazilians should start a repository for critical feedback of the state of guidelines right n.
Ow. But I would encourage all organisations to have a ‑‑ to look at them and see to what extent they have perhaps already implemented those guidelines and which guidelines they see as either superfluous or not sufficient.
AUDIENCE SPEAKER: Paul Rendek. I don't play in this world as much as I used to, and I don't know how the, I guess, ISTAR, what they were called at that time, organisations collectively work to provide any input on this. All I can say is that I hope the RIPE NCC is looking at this. And if, again if you go back to the first slide you had, you had that list of kind of the criteria involved in here. Look at them. This organisation, RIPE, has worked so hard over the last years taking a look at accountability, taking a look at inclusion, enabling environment access and the rest of it. I think these issues are always on the table here. So, I think this community has something to contribute here. I don't know how this is going to be done collectively, but I do urge this community and ICANN and ISOC, if they are still involved in all of this, to have their voice in here and to stand true to what we always have actually contributed to this process. I don't know how involved you will be, Jeanette, I hope you will be on the side of the technical community somewhere, because it's great ‑‑ it would be great to have you on this team, so to speak, but I guess the comment that I'd like to have listed down is that I urge this community to have a voice here and to stand behind these principles. We have not veered from them at all.
JULF HELSINGIUS: If I might just comment. The RIPE NCC has actually provided an input document to this process. Any more online questions?
ACHILLEAS KEMOS: No. Simply that Bruno thanked Jeanette for her answer.
JULF HELSINGIUS: Then I'm going to thank Jeanette for a great presentation. Thank you for participating here, and let's give her an applause.
(Applause)
.
Moving onto the next speaker, we have Osama.
OSAMA AL‑DOSARY: My name is Osama Al‑Dosary and I want to talk to you about solid, a social link to data, and I put in the title web infrastructure which I believe has the potential to be infrastructure for us in the future. And it has the goal of decentralising the web for privacy and innovation, hopefully that will be clear went we go through the presentation.
Before I want to start I want to start with a disclaimer. I'm not a developer, nor am I involved directly with the project. And actually, in terms of affiliation, I work with different entities. I work with the Saudi Internet Exchange. I work with with the national research education network in Saudi Arabia and different operators as well. My background as well, I haven't done development in over 20 years, at least not as a job. And I am really here as a concerned netizen.
So, the power of the web is in its universality. What does that mean? When we talk about universality, we're talking about the ability to have access through any browser, any application ‑‑ sorry, any operating system or hardware, we're not limited by that, and the interoperability as long as you conform to the standard you can be interoperable and the independence of any centralised entity. Anybody can put together their own application or content and be accessible online as long as you have an Internet access. And that simple, let's say, principles allowed for the rapid growth of the web as we know it, and it grew to enormous extent and we have this success. But, it hasn't been without challenges. So, a couple of challenges that we faced in the past include browser wars. So if you are not on the right browser, then potentially you are limited from accessing certain content or application. And that left many people dependent on the browser, whether we're talking about users or the developers themselves. Then we have the platform wars. That's another example. So if you are not on that platform, then you either have to compete if you are talking about, as a developer, you either have to compete directly with that platform, or you have to be somehow dependent on that platform completely.
Now, this platform wars kind of led to a state where we have this new Mondaytisation model where in order to make money, and I actually use this quote from, made famous by Tim O'Reilly: "If you are not paying for a product, you are likely the product." And it led to this consolidation of detail where platforms grew very, very rapidly and they were able to consolidate a large amount of user data and utilise that to actually monetise and make profits from user data. This resulted in you have these massive walled garden silos of data in a handful of organisations.
Now, this has serious ramifications. Some may ask, okay, what's the big deal? What's the problem?
.
Well, does somebody remember Cambridge Analytica? A serious problem. They were utilising user data from Facebook to basically politically manipulate individuals and people, and Facebook was fined about 5 billion US dollars by the Federal Trade Commission, and also paid a fine to the UK information Commissioner's office. And now this is, this problem is something that ‑‑ this is just an example of something that we know of. There may be others that we don't know of.
And to summarise the challenges that we're facing that we are now, or to a certain extent we are he at the mercy of decentralised platforms whether we are developers or use. And the personal data if we're talking about utilising this data in a useful way for users or developers, it's not scattered, it's not easy or practical to reuse this data. Then statement, we have far reaching consequences for privacy.
And introducing SOLID that can hopefully help with, what SOLID is, once again the name is social‑linked data, it is a set of conventions for building decentralised applications that decouple the application from the data. It relies on W3C standards, it also uses a modular design to, and it's quite extensible and it actually provides true data open source, and it allows for the reuse of existing data.
As I mentioned, it uses standards, but also how it functions. So just to find of explain at a simple level. Essentially you have these data pods where you store the data and it's basically a web server, and its data agnostic and application agnostic. So any kind of data can be stored on this data pod and any application can utilise and interconnect and get that ‑‑ make use of that data for the application. This illustration may help a little bit here. So imagine where you would have, here you would have different types of data, and you may have different pods for this data. So you may have a pod for medical information, your medical information, your schedule data, your photos, contacts, posts. And you may have different applications online that need to access the different types of data. And to take an example. If we're talking let's say a social media application such as Facebook, it could potentially utilise your data from your contacts, from your photos, etc. Maybe there is a hospital application that could get access to your medical data, and maybe a schedule, if you are trying to schedule an appointment or such.
Now, SOLID actually allows kind of ‑‑ we can think of it as a recourse adjustment for the web. So, he believes that we are kind of a bit off‑track on the web on the development of web, and he believes, he calls this a course of correction. It allows for the interoperability and the collaboration, it provides the privacy and control that we need, and it also helps with innovation and the sustainability that we need in the Internet.
So, how it helps with the interoperability. Basically it's based on open standards, and different applications can access the different types of data that you need in the pods. And every time we have a new application that comes in, it's easily introduced because simply you just access the data that already exists. In doesn't have the problem of needing to build a network. So every time you have a new application, you need to build a network and data in order for it to be useful or functional or successful. Here, a new application comes in quite easily, and its access to your data can be of utility almost immediately.
And from a privacy control perspective, we have now, as individuals, control of the access to this data. So, I can decide which applications can access which part of my data, and you can imagine this is it is similar to how you control on your phone which application when you install one, has what access to what type of data or what type of feature on your phone. You can think of this as something similar. You have that same level of granular control through SOLID.
In addition, it helps with potential compliance and sovereignty laws and data laws such as GDPR so on and so forth, so you can enforce the data pods themselves can be either in a specific location or be under a specific type of controls.
And this is my favourite part, the part that I believe is very important, which is that it helps in driving innovation sustainability. You see here this is a scenario where you have multiple platforms competing with each other, and the data and the app are just together, they are one monolithic thing and the competition is essentially based on the data open source, who has the most data has the ability to actually have monetise better. But what happens is that if a new application comes in, it becomes very difficult for them to compete because the barrier to entry is very, very high for them. And we see all the time these new applications come in, even though it may be very nice, provide very nice features and so forth, it can't compete simply because it's too difficult to build that, what they call, have that network effect and build that database of user information to be useful.
With SOLID, we have ‑‑ it actually provide greater competition because the applications don't hoard the user data, so they compete on a more level playing field, they compete on the innovation that they need, the innovation that is needed for them to be successful. And the competition as well because of the decoupling we have competition on different layers, we have competition on the application layer but we also have competition on the data layer, the data storage layer, so the data pods themselves can also be competing with each other. You may have different variety of types of pods. You may have one that has limited storage, one that has low latency, one that has high bandwidth and maybe one that has a secure backup mechanism.
SOLID already has, there are already pods online, so if you go to SOLIDproject.org there is already pods online and it can be used and we have provider already providing that. There is a lot of tools online available. And a lot of open source tools you can build on.
Just this is a small case study. The Flemish data utility company was created in order to create trust with citizens that have a bit of apprehension of sharing their data. So this utility company was created based on SOLID, that stores user data, it stores citizens' data, and provides them the assurance and the granular control for them to decide how their data is used.
INRUPT, is Tim Beardsley company company, even though the project was developed from MIT, it's strongly supported by INRUPT, and INRUPT's goal essentially is to redecentralise the web and they provide the needed maintenance for the common building blocks for SOLID.
And what I would like to do, so if you like this concept, I believe in this concept, I believe in the potential for it to actually opening up the web once again and the Internet, providing us with greater privacy and innovation. So if you agree with me, my goal here is really to spread the word. If you agree with me, I would like you to also spread the word. If you are a provider, you can host the pod. If you are a developer start playing with it, and if either, then just spread the word, and more information is available here. Thank you.
(Applause)
JULF HELSINGIUS: Thank you. We have time for a few quick questions. I think there is one online.
ACHILLEAS KEMOS: Yes, it's from Chris Buckridge. Project has been working on a decentralised social networking protocol which feels like it's in a similar place to SOLID at least in principle. Do you know if there is any connection or coordination between these efforts or are they competing approaches?
OSAMA AL‑DOSARY: Which effort? I'm not aware of this project. SOLID has been in the standardisation process since 2019 approximately, and, you know, I am hopeful that it will become another W3C standard soon.
JULF HELSINGIUS: Any other questions online?
ACHILLEAS KEMOS: Nothing for the moment.
JULF HELSINGIUS: I don't see any one at the mic. So thank you very much.
(Applause)
And for our last thing, we are glad to have updates from the RIPE NCC on their activities, because that's one of the important functions of this Working Group, to help coordinate between the community efforts in this space and the RIPE NCC. Romain
ROMAIN BOSC: Thank you. Hi. I am Senior Public Policy Officer at the RIPE NCC. I have been in the job for eight months now, and I'm going to run you through some of the activities. But mostly giving you a sense of direction of travel and the trends that are actually shaping the discussion processes on issues relevant to us.
So a bit of trends. Our strategic approach and what are the current priorities.
Implementation. The Council has just published the conclusions and recommendations on the future of EU policy making, and I invite you to actually take a look at these. They are hyperlinked in my presentation and indeed implementation, implementation, implementation. This is the key messages of the Council to the Commission and to the Member States to ‑‑ I mean there has been a lot of new legislation, new rules applied across the cybersecurity strategy, a lot on platform regulations data governance, and what Member States, MEPs, everyone is quite aligned to say now is the time to focus on the implementation.
We also have a few legislative reviews already tabled on the agenda for the next mandate. A current one is GDPR on the way right now. We will have the Digital Single Services Act in 2025, alongside copy write frameworks, so we expect a lot of discussions on these issues. The other big trends and priority for the EU is the economic security approach and digital sovereignty. Well digital sovereignty is not a clearly defined concept, there is different interpretations, how open should it be. That's quite a vivid debate. There is a lack of consensus across Member States. If you take, for instance, discussions on the European certification on Cloud, this is a prime example. But basically, for the ‑‑ use the time to focus on managing trading relations and rethinking dependencies in key sectors. And I quote the conclusions of the Council that for the EU it's about "Charting its own path in digital transformation."
Another quite significant trend or priority is the security and resilience of digital infrastructure and networks. Boosting operational cooperation and security risk management, how the EU at different levels, so the technical, the political, a lot of discussions on standards, how do we actually work with the EU as the technical community to actually shape the standards and ensure that those norms and policies and standards that the EU is working on actually work together with those driven and shaped by the technical community, the Internet standards. That remains to be defined. But the EU itself is promoting its own certification schemes. One agency that is increasingly relevant for us to work with is the Europe and cybersecurity agency. We had our technical expert participating in the conference in Helsinki last week. So that's definitely a way forward for us.
Moving on to a quick outlook on the political landscape. The elections are taking place in a few days. The situation should roughly remain the same. We have a trend towards the right ‑‑ a shift towards the right. But basically the EPP, the leading party, so the liberals and conservatives, should remain in the lead. They will probably, that's my take, don't quote me, retain the Commission Presidency. However, we see a quite divided or fragmented cycle in the parliament with uncertain coalition dynamics. What is concern however is the divided national political climate, the geopolitical context doesn't help, that's the least we can say. And the direct effect of this might be more volatility and uncertainty when it comes to policy discussions.
Another certainty is that security and defence will only be higher on the EU priority agenda including cyber, cybersecurity, cyber defence.
Moving on to some of the main strategic focus areas that we have. And I'd like to take the opportunity to remind that the RIPE NCC has a very tense, very rich strategy report that includes some of the main ‑‑ I mean, the main priorities that the RIPE NCC is working on. Part of it is building resilience in the face of political legislative and regulatory changes. How do we do that precisely is by fostering community dialogue and engagement through the community, that includes the governments and technical bodies across the service region, and Europe is an important one, again shaping the discussions, both at the global and the technical level. If you take Internet governance and digital policy.
We are also working on, you know, sharing the knowledge from the technical community through learning and training activities. And here, again, we need to actually get closer to the technical partners within the governments and the public sector at EU level.
And one of the key trends of the RIPE NCC is actually to be able to provide data and insights on Internet operation, and this is through a lot of the services that the RIPE NCC has been developing, RIPE Atlas, RIPEstat and that's a clear trend on how we can actually help inform the key decisions being taken in the EU as well.
And that's the last point.
Accountability that has been a principle and a priority that has been much discussed throughout the various Working Groups. For us, it's really important to remind EU stakeholders our reality and the evolving environment in which we operate. The RIPE NCC is the secretariat for the community. Our role is to facilitate the discussions and implement the RIPE community principles and policies, and to really bring this bottom up engagement to the fore. And it's also important to remind that we have to remain neutral towards our members and between them equally. That's important because there are a lot of discussions affecting the members at the EU level and I will get into that.
The RIPE NCC is acting as an association under Dutch law. So we are complying with Dutch and EU laws in many areas. Various governments and legal jurisdictions across the service region, that means we have to understand the implications of other national legislation applying to our members across the service region. And we are part of this global ecosystem of Internet governance, the regional Internet registries and the root servers.
Some of the key priorities we have been working on lately is the high level Internet governance discussions. You heard from Jeanette Hofmann, this is happening right now, there are negotiations on the global digital compact. A few days ago took place, the NETmundial, and we are heading towards the negotiation or the review of the so‑called WSIS process. For us, it is really about aligning with governments, and government agencies on Internet governance matters.
Economic sanctions is another one, and you heard Hans Petter and various colleagues already talking about this. The key priority here for the RIPE NCC is to ensure accuracy of the RIPE database, and the integrity of routing.
Again, cybersecurity and resilience, a key priority. The RIPE NCC is advancing Internet resilience and routing security, promoting RPKI up take.
Law enforcement is another one. And we really work on the involvement of EUROPOL in law enforcement agencies, so this is in these RIPE meetings.
And finally, the discussions on IP inter‑connection and net neutrality that we expect to be ‑‑ and that RIR quite active at the moment in light of the white paper that the European Commission just published. And for us, all these issues, it's a matter of monitoring and reporting the situation to the community.
So, I will just run a quick through the next slides. Internet governance, discussions what we are seeing basically in this process is that the RIPE NCC is the a key part of the technical community. We see the multiplication of Internet governance foray and institutions as a risk of duplicating efforts and shutting out the voice of the technical community. The DG C negotiations, in our view, should really be open and transparent. We are asserting our role as trusted technical partners and advisors. And on this we are also working closely with the European Commission, which is a strong supporter of the free and open and stable Internet. We remind that the Internet core functions should remain, inter‑operable, stable and trustworthy.
A couple of next steps. One is the WSIS high level forum meeting taking place in a few weeks, and the EuroDIG meeting taking place in June, we will have Mirjam Kuhne, the Chair of the community, participating and joining a panel on this important event.
.
The other one is sanctions. I'm not going to repeat what has been said already, but there are quite intense discussions on implementation and harmonisation the EU level. Our priorities maim being compliant with EU sanctions regulation, ensuring here again the the accuracy of the RIPE database, and we are advocating for harmonisation for exemptions applying to Internet number resources.
We are currently engaging with the European Commission and the national authorities on this matter. And last but not least, this white paper that the European Commission has published in February on how to master Europe's digital infrastructure needs, three pain pillars: Investment and innovation for Europe, discussions on a single market, and the regulatory frame applying to telecoms and digital players, and a focus on security and resilience of digital infrastructure including submarine cables, but noly what We see as an important matter from the community's perspective is the debate on IP inter‑connection. The paper is floating the idea of having a possible disparate resolution mechanism. And as you may know, I mean the paper doesn't mention it, but there's been quite a vivid debate on the so‑called network fees and all the fair share debate.
And we will have the revision of the electoral communications code in December 2025, with a possible new proposal, even though the Commission should focus on implementation, we might see a proposal on the so‑called Digital Network Acts. And in this, we are also monitoring and engaging with BEREC, which is about to publish an update on its report on IP interconnection in June. There is an open consultation run by the Commission that is open until 30th June. And the RIPE community, our Chair, Desiree, is leading a session with a guest speaker from the European Commission, Peter Stockman, from the unit dealing with telecoms regulation, we have an open session on June 6. So if this is a matter of interest to you join, and that's it for me. So thank you for your attention.
Is there any questions?
.
(Applause)
JULF HELSINGIUS: Thank you. I think we have time for a couple of quick questions, although I am painfully aware that I'm keeping you from coffee. Those of you, like me, who were at the whiskey BoF really need that coffee.
AUDIENCE SPEAKER: Alex from the Amsterdam Internet Exchange.
The e‑evidence package that's currently being gone through the Commission, the implementation thereof, I think, is of high importance to RIPE, because it will give all the police officers within the EU access to the RIPE database. So I would urge you to look into this.
ROMAIN BOSC: We are looking into it. The evidence got adopted last year and this is indeed part of the dialogue we have having with EUROPOL and law enforcement agencies. Defining the modalities of this dialogue and cooperation is key for us, yes.
JULF HELSINGIUS: Thank you. Anything online?
ACHILLEAS KEMOS: Nothing online, so wishing everybody ‑‑ thanking everybody and wishing them a nice coffee break.
JULF HELSINGIUS: I can agree with that. Thank you everybody.
(Applause)
(Coffee break)
LIVE CAPTIONING BY
MARY McKEON, RMR, CRR, CBC
DUBLIN, IRELAND.