December 2019 - Internet Governance | Security

Working Together Towards Trust – doteditorial

The joined forces of many different stakeholders are needed to allow trust in digitalization to flourish, says Lars Steffen, Director of eco International.

dotmagazine - Developing Trust in Digitalization

There’s been a lot of talk in the Internet industry recently about trust, and about the need to increase trust in the Internet and the services offered through it. This is not something that any single actor can achieve, and it also doesn’t happen overnight. When it comes to trust in an industry, technology, and innovations, it takes the concerted effort of many different stakeholders to develop the conditions in which trust can develop and flourish. Trust develops through having positive experiences, through expectations being met, through openness, consistency, and reciprocity, and through the sense that you are in safe hands. How can the Internet industry achieve that for the Internet? By working together to ensure that end users – be they individuals or businesses – are not exposed to negative experiences on the Internet.

An ambitious goal, some may say, but this is exactly the challenge that the Internet industry, the technical community, academia, governments, and civil society from all around the world come together for at the Internet Governance Forum each year. In 2019, the IGF took place in Berlin, and brought together several thousand stakeholders for a week of discussions, insights, and painstaking negotiations towards recommendations that could be transported back to home countries to inform the development of national frameworks to improve conditions for Internet access, and make the Internet a safer place to be. The overarching themes in 2019, in which the eco Association was strongly involved, were digital inclusion, security, safety, stability and resilience, and data governance.

What is needed is to bring these individual threads together to weave a strong safety-net for users. This will allow us to work towards building greater trust in what is perhaps one of humanity’s greatest achievements and the largest machine ever built – a planet-spanning network of networks, which can offer enormous benefits to all who can access it.

Security, safety & stability

When it comes to trust, our first thoughts tend to relate to security, safety, and stability. At the IGF, Thomas Rickert, Attorney at Law and eco Director of Names & Numbers, contributed to two panels on IoT security and ethics. The overall strong impression is that IoT devices are not just growing in number, but that the accompanying security threats are growing at an equal pace. What we currently see is that a lot of consumer IoT devices are designed to have very short lifecycles, with the natural consequence that security is given a low priority by manufacturers of such devices. The panelists discussed a range of ways of dealing with the IT security issues posed by unsecured devices, as Rickert outlines in his report, “Legality, Security & Ethics in the Digitalized World.” However, the complexity of some of the solutions raises the question of how much knowledge we expect end users to have in order to secure their devices. What about the usability? While it is certainly important to raise security awareness among users, it is essential to make security consumer friendly and intrinsic in connected products, and not to demand too much of lay consumers.

This echoes Gordon Muehl’s call, in his video interview, “Bringing Together Safety and Security to Protect the Physical World,” for the IT security industry to make security ‘easier to consume.’ It should not be left up to end users to be responsible for making their devices and their networks secure. When it comes to trust and security, Muehl makes the connection to the development of the automotive sector – consumers trust in the technology, because the safety mechanisms have been engineered into the products. (For more on IT security, see the video interviews with Prof. Thomas Jaeschke, “Management Responsibility for Information Security,” Jens Kroppmann, “IT Security in SMEs – Closing the Gap,” and Stephanie Kemp, “Trusted Transactions.”)

If you think about it, back in the 1940s and 1950s, seatbelts were not required in cars, and air bags and ABS brakes didn’t yet exist. Now they are a part of our expectations as customers and part of our model of trust in the “automobile” product. What is needed in IT products is that security becomes integral to digital products – to protect data, to protect customers, and to prevent manipulation. 

State-sanctioned encryption backdoors – when encryption is weakened rather than strengthened

Encryption is one area where we already have technology that makes the user experience more secure on the Internet, a topic of discussion at the IGF in which eco board member Klaus Landefeld was involved. One of the primary outcomes of this discussion was that we – as an industry and as an Internet community – have to explain to law enforcement and governments that the whole system is only as strong as the weakest link in the chain, and that state-mandated backdoors represent this weakness. So, to keep the Internet safe, stable, secure, and resilient, encryption is key.

Open, distributed, and permissionless

Quite the opposite of state-mandated backdoors is the concept that openness and transparency can, in fact, increase the level of security and reliability of a system. Rafael Laguna, CEO of Open-Xchange, points out in his video interview, “Email – A Wonderful Tool with a lot of Freedom,” that “Every crypto expert would say a crypto algorithm can only be good if the world looks at it – it’s out there in the open.” Laguna sees the federated nature of email as central to its security, and in particular need of protection in the current messaging landscape. Having a distributed infrastructure is also key to trust in blockchain technology, as Kevin Wittek explains in his article “Creating a Federated Blockchain as a Service Platform.” Much like email, blockchain, he explains, offers a new concept of “distributed trust architecture,” but a federated blockchain also requires human trust in the federation operating the blockchain.

Access to the open Internet

The Internet may be open and distributed in structure, but half of the world’s population is still not yet online. This means that billions of people are currently missing out on the benefits of being online – be that access to information, to communication technology, to education, to health care, but also, quite simply, the ability to participate in the economic potential of the Internet.

As a result, access and digital inclusion were major topics at the IGF. One topic of discussion was the creation of community networks, as eco Chair of the Board Oliver Süme recounts in his summary of a high-level panel on access and inclusion – the need to provide frameworks on the digital level, but also on the legislative level, which could leverage initiatives to start community networks. Measures discussed included, on the one hand, working on the regulatory level to provide the conditions for open frequencies that could be used for public Wi-Fi, and, on the other hand, the funding of basic backbone infrastructure. Because the simple truth is that even if you build up community networks, you still need to have an access point to the rest of the world.

But equality of access to the Internet – and to the wealth of possibilities this entails – is not only an issue for developing nations. Even in the US, Western Europe, and other parts of the world that are – from a statistical point of view – fully online, we still have major blind spots (take rural Germany as an example). This issue was discussed in a panel session by eco, the Alliance for the Strengthening of Digital Infrastructures in Germany, and Initiative Digital. It causes challenges for SMEs in rural areas, which struggle to get access to sufficient infrastructure for digitalization, in order to offer their services online and participate in the digital economy.

Language as a barrier to access

Moving from infrastructure to the DNS, eco has been involved for several years in the topic of Universal Acceptance (UA). This is about supporting not only ASCII scripts, but also every other native script in the world to be used online, and doing this not only on the content level, but also in the DNS. This means that, in the future, users can use domain names and email addresses in their own native script and native language.

This is important against the backdrop that the next billion users will come online in Asia, Africa, or maybe in Latin America – and that many of those people do not use ASCII as their primary alphabet, and also that they are not native speakers of English. So, to give the next billion the possibility to use their native language and their native script when they are online – and thus to reduce hurdles to them getting online – Universal Acceptance will be an important step, as Ram Mohan, COO at Afilias, explains in his interview. Mohan calls on governments to become active in creating incentives to help achieve the social goal of digital inclusion and ensuring universal access to resources on the Internet.

On this note, the Universal Acceptance Steering Group and the Dynamic Coalition on DNS Issues (both of which I am active in) focused on Universal Acceptance throughout the year 2019. We are currently working on bringing governments on board to drive this initiative as well. So it was great to see that the representative of the German Federal Ministry of the Interior, Constanze Bürger, gave a presentation at the IGF about how they are working on making German government IT systems UA-ready.

In one IGF panel discussion on UA, however, the argument arose that this would also create fragmentation of the Internet on the language level. But from my personal perspective, just because the Internet originated in the U.S. and made use of the Latin alphabet in its development does not mean that all the other parts of the world should be forced to learn English and use the Latin alphabet just to make use of this technology. If we have the technical possibilities to give all peoples, regardless of origin and language, the same level of service, convenience, user experience, etc., then we should make this possible. 

DNS blocking – throwing out the baby with the bathwater

And when we go up from the technical layer to the content layer, then we touch what turned out to be a major hot topic for the IGF 2019: whether DNS can be a tool to tackle illicit content online. This is a topic that both Ram Mohan and Thomas Rickert deal with in their dotmagazine contributions this month.

Switching off a domain name is, on the one hand, overly powerful and, as Rickert explains, it is rarely the best option for getting illegal content offline. On the other hand, blocking a domain is like sticking a finger in a hole in a leaky dam wall – that blocked content is going to come out somewhere else. Because technically speaking, the content is still available via the IP address or other domain names which point to it. Certainly, dealing with illegal content is a contentious issue across borders and jurisdictions. What is for one country indicative of freedom of speech is for another country a grave insult. This makes it difficult to find consensus on how to deal with content. So Rickert calls for a more nuanced approach to content, rather than DNS blocking – a technique that Mohan designates a “blunt force instrument.”

One area where there is broad consensus, however, is child sexual abuse material, and here, the eco Complaints Office, as part of the international INHOPE network, supports end users and industry partners in ensuring the takedown of such content, and the prosecution of the perpetrators.

The IGF – as a multi-stakeholder platform involving not only the Internet industry, but also governments, the technical community, academia, and the civil society – functions as a seismograph for which topics move the diverse community that runs the Internet. And all of it, in the long run, boils down to one aspect, and that’s trust.

 

Lars Steffen is Director International at eco – Association of the Internet Industry (international.eco.de), the largest Internet industry association in Europe. At eco, he coordinates all international activities of the association and takes care of the members from the domain name industry and the blockchain community. He further represents the industry as Community Outreach Co-Coordinator of the Universal Acceptance Steering Group at the Internet Corporation for Assigned Names and Numbers (icann.org), to facilitate the support of internationalized domain names and email address internationalization.