[discuss] CGI.br contributions to NetMundial

Carlos A. Afonso ca at cafonso.ca
Mon Mar 17 13:47:26 UTC 2014

Hi people,

Please find attached in plain text three contributions sent by CGI.br to

- Evolution and Internationalization of ICANN

- The Importance of a Multistakeholder Approach to Cybersecurity

- Privacy and Surveillance

There is another contribution which simply reproduces our 10 Principles,
which are well known, so no need to replicate here.

fraternal regards


-------------- next part --------------
The Importance of a Multistakeholder Approach to Cybersecurity Effectiveness

    Entitled by: Cristine Hoepers, Klaus Steding-Jessen, Henrique Faulhaber
    Region: Brazil
    Organization: Brazilian Internet Steering Committee - CGI.br
    Sector: Other
    Keywords: Multistakeholder, Internet Ecosystem, Cyber security, Internet Security, CERTs


Most Internet security threats are increasingly complex, affecting multiple sectors at the same time, and requiring coordinated efforts to be detected and effectively mitigated. This is specially true to incidents involving botnets, spam, malware and DDoS. In the past 20 years several multistakeholder forums and initiatives that deal with Internet security threats were created - most of them have been very successful in bringing different sectors together to mitigate security incidents and counter cybercrime. All these efforts highlighted that the effectiveness depends on cooperation among different stakeholders, and that cybersecurity can't be achieved via a single organization or structure. Also, governments need to participate more in security forums and improve cooperation with other stakeholders. New forums and initiatives should not replace existing structures; they should aim at leveraging and improving the multistakeholder structures already in place today.


The Importance of a Multistakeholder Approach to Cybersecurity Effectiveness

1. Introduction

Most Internet security threats are increasingly complex, affecting multiple stakeholders at the same time, and requiring coordinated efforts to be detected and mitigated.  This is specially true to incidents involving botnets, spam, malware and DDoS (Distributed Denial of Service) attacks.

The scenario gets more complicated when critical national infrastructures are connected to the Internet, becoming exposed to the same vulnerabilities as other systems, and can be attacked by the same tools or techniques used for attacks in other contexts.

The protection of critical infrastructures and government networks connected to the Internet have both Internet security and defense aspects - the protection of these infrastructures is done most of the time by government organizations.  What is worrisome is that we are increasingly seeing purely Internet security issues being perceived by governments as purely defense issues.  This is leading to a scenario where, for example, the vital cooperation already existing among CERTs (Computer Emergency Response Teams) with National Responsibility being undermined by a tendency to move all existing Internet security capabilities into government or intelligence organizations.

The Internet ecosystem's security, stability and resilience should remain multistakeholder. The cooperation among different sectors and stakeholders, already existing today, is key to mitigate most of the current threats.

In the remainder of this proposal, we will briefly discuss several current multistakeholder forums and initiatives, pointing out their strengths, and bringing to attention issues that need to be considered when discussing a framework to improve the multistakeholder approach in order to achieve more effective cybersecurity.

2. Existing Multistakeholder Forums

There are some international forums that already exist today and that congregate different stakeholders, cooperating to handle security incidents and mitigate specific threats.  Most of these forums were created to mitigate specific categories of attacks or threats.  As nowadays the threat landscape changed and there is a prevalence of what is technically referred to as combined threats, most of these organizations are dealing with similar security issues.  What follows is a description of each one of these organizations.

2.1. FIRST - Forum of Incident Response and Security Teams

FIRST is the Forum of Incident Response and Security Teams - http://first.org/.  A Computer Security and Incident Response Team (CSIRT), sometimes also referred as CERT, is a service organization that is responsible for receiving, reviewing, and responding to computer security incident reports and activity. Their services are usually performed for a defined constituency that could be a parent entity such as a corporate, governmental, or educational organization; a region or country; a research network; or a paid client (Source: http://www.cert.org/incident-management/csirt-development/csirt-faq.cfm).

The first CSIRT, the CERT Coordination Center, was created in November 1988, after the security incident known as "Internet worm" or "Morris worm" brought major portions of the Internet to its knees, and made clear the need to more coordinated efforts to respond to security incidents on the Internet.  After this incident, several other teams were created. The FIRST was formed in 1990 in response to a second worm, the "Wank worm", and this incident highlighted the need for better communication and coordination among teams of different organizations.

FIRST is an international confederation of trusted computer incident response teams who cooperatively handle computer security incidents and promote incident prevention programs.  FIRST brings together a wide variety of CSIRTs from around the globe including educational, commercial, vendor, national, government and military.  FIRST members develop and share technical information, tools, methodologies, processes and best practices, and use their combined knowledge, skills and experience to promote a safer and more secure Internet environment.

2.2.  CSIRTs with National Responsibility and the NatCSIRT Annual Meeting

Since 2006, the CERT(R) Coordination Center (CERT/CC) has been hosting an annual technical meeting for CSIRTs with national responsibility. This meeting provides an opportunity for the organizations responsible for protecting the security of nations, economies, and critical infrastructures to discuss the unique challenges they face while fulfilling this role.  As a result of these meetings, an online Forum is maintained throughout the year, as well as a list of CSIRTs with National Responsibility: http://www.cert.org/incident-management/national-csirts/national-csirts.cfm

It is noteworthy that there are very different models of National CSIRTs, ranging from not for profit, to academic, to government teams. Also, several countries have more than one team, demonstrating the complexity of increasing cybersecurity and performing incident handling at a national level.

2.3. APWG

APWG (http://apwg.org/) was founded in 2003 as the Anti-Phishing Working Group, at which time its mission was to counter phishing attacks.  But, as the technology evolved, APWG is not focused only on phishing anymore, but on mitigating other attacks that are used to perpetrate cybercrime.  APWG has more than 2000 members and research partners worldwide, from financial institutions, retailers, solutions providers, ISPs, telcos, CSIRTs, universities, defense contractors, law enforcement agencies, trade groups, treaty organizations and government agencies.

2.4. MAAWG - The Messaging, Malware and Mobile Anti-Abuse Working Group

MAAWG is The Messaging, Malware and Mobile Anti-Abuse Working Group (http://www.maawg.org/) and brings the messaging industry together to work collaboratively and to successfully address the various forms of messaging abuse, such as spam, viruses, denial-of-service attacks and other messaging exploitations.  To accomplish this, MAAWG develops initiatives in the three areas necessary to resolve the messaging abuse problem: industry collaboration, technology, and public policy.

2.5. ISOC - The Internet Society

ISOC - The Internet Society (http://www.internetsociety.org/) - is an organization dedicated to ensuring that the Internet stays open and transparent. It has initiatives in Internet policy, technology standards, and future development.  ISOC has a special project called "Combating Spam Project", in partnership with MAAWG, dedicated to demonstrating to policy makers, clearly and effectively, the tools and industry partnerships that are available to tackle spam.

3. Examples of Successful Multistakeholder International and National Initiatives

In the past few years, CSIRTs, Network Operators and members of the aforementioned forums became involved in some specific projects and working groups aimed at mitigating specific big threats, implementing best practices or better understanding the Internet threat environment.  In this section we are going to describe some of these successful multistakeholder initiatives.

3.1. The Conficker Working Group

Starting in late 2008, and continuing through June of 2010, a coalition of security researchers worked to resist an Internet borne attack carried out by malicious software known as Conficker. This coalition became known as "The Conficker Working Group", and seemed to be successful in a number of ways, not the least of which was unprecedented cooperation between organizations and individuals around the world, in both the public and private sectors (Source: http://www.confickerworkinggroup.org/).

The work of this group involved members of Internet Governance Bodies, Software and Hardware Vendors, Content providers, Universities and Research Centers, and was vital to mitigate the worm's malicious payloads and to help clean systems throughout the Internet.  A Lessons Learned document can be find in the previously listed homepage.

3.2. DNS-changer Working Group

The DNS Changer Working Group (DCWG - http://www.dcwg.org/) was an ad hoc group of subject matter experts, and included members from organizations such as Georgia Tech, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, and the University of Alabama at Birmingham.  The work of the DCWG was coordinated with FBI investigations, and received help from several National CERTs and ISPs.

This working group was created to help remediate Rove Digital's malicious DNS servers.  The botnet operated by Rove Digital altered user DNS settings, pointing victims to malicious DNS in data centers in Estonia, New York, and Chicago. The malicious DNS servers would give fake, malicious answers, altering user searches, and promoting fake and dangerous products. Because every web search starts with DNS, the malware showed users an altered version of the Internet.

The cooperation among all these stakeholders made it possible to gradually alert and help disinfect the end users' devices, without disrupting their access to the Internet.

3.3. Multistakeholder initiatives at a National level

There are several multistakeholder initiatives at a National level. In this section we will briefly describe some of these initiatives.

3.3.1. The Dutch Cyber Security Council

The Dutch Cyber Security Council has 15 members from government, industry, and the scientific community, for a total of three scientists, six public sector and six private sector representatives. The Council is supported by an independent secretariat.  The Council oversees the Dutch National Cyber Security Strategy and offers both solicited and unsolicited advice to the Dutch government and society. The role that the Council played during the DigiNotar incident, for example, demonstrated the effectiveness of this kind of public-private partnership in the digital domain.

In July 2013, the Council issued an advice on the new National Cyber Security Strategy, published in October 2013. The advice specifically focused on the need for close cooperation and coordination in the field of incident detection and response. Only through active information sharing, timely response and seamless collaboration can a secure digital environment be established.



3.3.2. The Japanese Cyber Clean Center

The Cyber Clean Center (CCC) is a core organization taking a role to promote bot cleaning and prevention of re-infection of users' computers, which were once infected by bots, based on cooperation among government, software vendors and ISPs.  The Cyber Clean Center has a Steering Committee and three working groups in the layer below: the bot countermeasure system operation group; the bot program analysis group; and the bot infection prevention promotion group.



3.3.3. CGI.br Port 25 Management Initiative

For a long time, Brazil was present on most spam rankings as a top spam relaying country. Determined to reverse this situation, the Brazilian Internet Steering Committee (CGI.br) has conducted, since 2005, a number of activities, such as academic studies and technical analyses, which lead to the adoption of Port 25 management as the most effective measure to be taken to prevent spammers from abusing the Brazilian broadband infrastructure. This initiative was lead by CGI.br's Anti-Spam Working Group (CT-Spam), which provided a forum where different stakeholders were able to meet.

For almost 20 years, Brazil has developed a model of multistakeholder Internet governance. Therefore, a measure of such importance as the blocking of outgoing port 25 traffic in residential networks could not be adopted without all sectors affected being asked to contribute to this decision-making process.

Bringing together the experience of more than a dozen telecom companies, thousands of Internet service providers, representatives of civil society and the academic community, as well as the technical staff of CGI.br, the process of adopting Port 25 management was broadly discussed.  This was specially important because the implementation required a concerted effort, with e-mail service providers making sure they offered Message Submission via a different port (587), and migrated at least 90% of their users' base before broadboand providers could block outbound port 25 traffic.

It is also important to highlight that both the National Telecommunications Agency (Anatel) and the Ministry of Justice have played a key role in providing support for the telecom companies and the consumer protection entities respectively. Anatel signed a Cooperation Agreement with CGI.br, which gave the telecom companies legal grounds to proceed with the adoption. The Ministry of Justice, on the other hand, published a Technical Note explaining the benefits of such measures for consumers.

As a result of this initiative, Brazil is no longer listed as one of the top spam relaying countries in the world, according to several public rankings.



3.3.4. CERT.br - Computer Emergency Response Team Brazil

CERT.br is the Computer Emergency Response Team Brazil, maintained by NIC.br, a not for profit organization created to implement the decisions and projects designed by the Brazilian Internet Steering Committee - CGI.br.  All CERT.br activities take into account the need to involve all stakeholders to successfully increase the level of security and incident handling capacity of the networks connected to the Internet in Brazil.

Besides doing Incident Handling activities, CERT.br also works to increase security awareness in the Brazilian community, maintaining an early warning project with the goal of identifying new trends and correlating security events, as well as alerting Brazilian networks involved in malicious activities. CERT.br also helps new Computer Security Incident Response Teams (CSIRTs) to establish their activities in the country.

A clear example of the success of this approach is the Brazilian Distributed Honeypots Project, which, through a network of distributed honeypots in the Brazilian Internet space, increases the capacity of incident detection, event correlation and trend analysis in the country.  These honeypots are passive sensors that provide valuable situational awareness, without collecting production traffic neither performing any type of surveillance.  This project has sensors in more than 40 Brazilian partner organizations, ranging from government and energy sectors, to academia, ISPs and Telecommunication Providers.



4. The need for improvement of the multistakeholder collaboration in cybersecurity

Achieving a satisfactory level of Internet Security is not an easy task, but the experience accumulated by several successful initiatives demonstrates that, in order to be effective, any cybersecurity initiative needs to involve several stakeholders. More than that, the reality is that more often than not, the security measures need to be taken by systems administrators, network operators or security professionals in their own networks. However, cooperation with others is key to be able to understand the threats and better evaluate the effectiveness of their actions.

In the document "Conficker Working Group: Lessons Learned" (http://www.confickerworkinggroup.org/wiki/uploads/Conficker_Working_Group_Lessons_Learned_17_June_2010_final.pdf), published in January 2011, although the word "multistakeholder" is not used, some of the success factors listed point to the importance of cooperation and the involvement of different stakeholders.  Here are some examples:

-    Utilize a trust model; the scope of the working group needs to be a manageable size to be effective and include those directly affected, and yet large enough to include a broader universe of those impacted.

-    Incorporate a consensus model without hierarchy to allow the group to adapt and respond to fast changing conditions.

-    Gain the participation and support of key governing and regulatory bodies.

-    Formalize communications with stakeholder groups vs. relying on social networks.

These four points bring to light issues like the rapid change of the threat landscape, the need for rapid communication, the involvement and support of governments and the fact that several stakeholders need to cooperate.

Although the Conficker Working Group was very successful, as well as other initiatives listed in the previous section, there are still some stakeholders that could improve their cooperation. For example:

-    Network Operator Groups (NOGs) and Regional Internet Registries (RIRs) should be more involved with security issues.  There are some areas like routing security (and newly proposed protocols like RPKI or SBGP) or DNSSEC that need worldwide adoption to be effective.  RIRs could also work more closely with the CSIRT community to improve the WHOIS system to help the incident handling process.

-    Software vendors need to become involved and be more pro-active; after all, most of the security problems we face today are software-related problems.  The real challenge is to improve software security and get the software industry to a more mature level.

-    The governments, including military and intelligence sectors, in addition to traditional security and defense strategies, need to improve their awareness of the multistakeholder nature of the Internet and the vital importance of the cooperation to address security threats.  They need to participate more in the national and international security forums and improve cooperation with other stakeholders.

Considering government cyber security strategies, it is noteworthy that about 130 parties, including public and private parties, knowledge institutions and social organisations, were involved in the drafting of the Dutch "National Cyber Security Strategy 2 - From awareness to capability" (NCSS2) (https://www.ncsc.nl/english/current-topics/news/new-cyber-security-strategy-strengthens-cooperation-between-government-and-businesses.html). The strategy starts with the following statement:

    "We are moving from structures to coalitions in which all parties -- national and international -- are represented in order to achieve supported standards."

And adds that

    "The correlation between security, freedom and social-economic benefits proposed in the NCSS2 is a dynamic balance that is intended to be realised in a constantly open and pragmatic dialogue between all stakeholders, both national and international. (...) In order to bring the dialogue about cyber security between the various stakeholders to a new level of maturity, the following three management areas are of the utmost importance: (self) regulation, transparency and knowledge development."

This is a good example of the recognition of the importance of a multistakeholder approach to the Internet ecosystem's security, stability and resilience.

5. Recommendations

As stated before, achieving a satisfactory level of Internet Security is not an easy task, and the multistakeholder initiatives previously discussed are good examples of frameworks that can effectively deal with cybersecurity current and emerging issues.  Therefore, it is recommended that all national and international organizations involved with Internet Governance, for instance, Local Governments, RIRs, United Nations, European Union, ISOC Chapters, among others, should take the following into consideration:

1.    The experience accumulated by the several successful initiatives described in this contribution demonstrates that, in order to be effective, any cybersecurity initiative depends on cooperation among different stakeholders, and it can't be achieved via a single organization or structure.

2.    There are stakeholders that still need to become more involved, like network operators and software developers.

3.    Governments, including military and intelligence sectors, in addition to traditional security and defense strategies, need to improve their awareness of the multistakeholder nature of the Internet and the vital importance of cooperation to address security threats.  They need to participate more in the national and international security forums and improve cooperation with other stakeholders.

4.    There is room and a need for new forums and initiatives, but they should not replace existing structures.  Any new initiative should aim at leveraging and improving the multistakeholder structures already in place today.

-------------- next part --------------
Evolution and Internationalization of ICANN

    Entitled by: Flavio Rech Wagner
    Region: Brazil
    Organization: CGI.br - Brazilian Internet Steering Committee
    Sector: Other
    Keywords: ICANN, internationalization, multistakeholderism, accountability, IANA functions


CGI.br understands that ICANN?s evolution shall be guided by two main tenets: (1) ICANN has to be fully internationalized and has to develop a proper framework for both vertical and horizontal accountability; and (2) ICANN's institutional evolution shall seek a better equilibrium among all stakeholders and among all countries. Instead of specific proposals, this document highlights goals to be pursued after the NetMundial meeting and posits requirements to be observed and questions to be asked in the course of that quest. CGI.br assumes that ICANN shall remain the responsible institution for the assignment of names and numbers and understands that keeping ICANN as focal point for those activities is the best alternative for the assurance of a unique and global Internet. It does not mean that ICANN?s operation and governance system are to remain unchallenged. Instead, it means that it is better to count on a fully established system to be enhanced than to start a whole new system.

Evolution and Internationalization of ICANN 

CGI.br - Brazilian Internet Steering Committee  (Note 1)


The Brazilian Internet Steering Committee (CGI.br) understands that ICANN?s evolution shall be guided by these main tenets: (1) the organization has to be fully internationalized and it has to develop a proper framework for both vertical and horizontal accountability; and (2) ICANN's institutional evolution shall seek a better equilibrium among all stakeholders, as well as among the different countries. Instead of listing a set of specific proposals, this document highlights some objectives to be pursued after the NetMundial meeting and posits some requirements to be observed and some questions to be asked in the course of that quest. It bears on the assumption that ICANN should be the responsible institution within the Internet governance ecosystem for the assignment of names and numbers, including the full spectrum of the IANA functions. CGI.br understands that the maintenance of ICANN as a focal point for those activities is the best alternative for the assurance of a unique and global Internet, for it has the established technical capacity and the policy-making mechanisms that can keep the Internet running without compromising its availability in the furtherance of current global Internet governance discussion fora, such as NetMundial and IGF. It does not mean that ICANN?s operation and its governance system are to remain unchallenged. It simply means that it is better to count on a fully established system to be enhanced than to start a whole system from scratch.

1. The role for an internationalized ICANN

CGI.br supports the measures that have been taken in regard to ICANN's internationalization, but understands that so far they have been focused mainly on the operational level of its mandate (Note 2). Far more important than those efforts is placing ICANN under a new international legal-institutional framework that replaces the current contract (the Affirmation of Commitments) with the USA government and removes ICANN's direct or indirect subordination to the US legal system (Note 3). In realistic terms, this goal may be achieved within a 5 to 10 years time frame, following a sequence of steps that are still to be devised, following a roadmap for the international Internet governance ecosystem that is expected as one of the outcomes of multistakeholder fora like NetMundial, IGF, and others.

One of the main IANA functions is the global coordination of the allocation and registration of IP addresses. ICANN is still legally responsible for this function, but its practical execution is completely decentralized by the global structure of five different Regional Internet Registries (RIRs). These RIRs have in turn created a coordination forum - the Number Resource Organization (NRO). The RIRs and the NRO coordinate the process of distribution of IPv4 and IPv6 blocks, also taking into account a well designed and consensual strategy for the transition of the number resources. CGI.br strongly believes that this is a very good example of how other IANA functions can be decentralized and delegated, without removing the overall institutional responsibility of ICANN over those functions. It also serves as a very suitable model for the internationalization of IANA functions.

The sound solution for the internationalization of ICANN - considering that it should keep all its current responsibilities - has to encompass the discussion of adequate solutions for the effective internationalization of all IANA functions (not only the allocation and registration of IP addresses). In the search of an adequate legal and institutional framework that replaces the current contract with the US government, it will be extremely relevant to decide which entity, or set of entities, will be made responsible for the management of the root zone file, such as to guarantee its stability, security, and reliability. An adequate direction for that matter can be the assignment of this task to a set of international entities (in a way similar to the RIRs/NRO structure for IP allocation) that are already responsible for other aspects of the Internet governance, that operate in a well-balanced multistakeholder model, and that bear the required technical qualifications.

A third aspect of the evolution of ICANN towards its internationalization is its accountability. ICANN is currently accountable to the US government, according to the goals and mechanisms that are established by the AoC. In theoretical terms, those present to the NetMundial meeting shall bear in mind the fact that there are different sorts of accountability that depend mostly on the nature of the relations and of the interest of the actors in a specific institutional setting (Note 4). Within democratic political institutions, for instance, vertical and horizontal accountability are two different components of overall accountability (Note 5). Vertical accountability means that each specific organ within the ICANN chart has to be fully accountable to its direct constituents. Horizontal accountability means that, within the ICANN system, every single organ has to be fully accountable to all others as well. And all of the system has to be fully accountable to Internet users in general, in a reliable, open and transparent, and timely manner. How can ICANN, in an international legal and institutional framework different from the AoC and from the current bylaws that guide the corporation, be accountable to the public interest, represented by all end users of the Internet, in a way that is consistent with universally accepted principles of use and governance of the Internet which respect fundamental human rights and promote social, economic, and cultural progress of citizens of all countries?

An adequate roadmap for the evolution of the global Internet governance ecosystem, together with a roadmap for the internationalization of ICANN, must firstly look for this set of principles for the use and governance of the Internet, from which the definition of accountability mechanisms for ICANN will be possible. In a certain way, the set of stakeholder groups that are present in ICANN also represents the international public interest, expressed by a set of principles for use and governance of the Internet - or, with the appropriate improvements in the structure and operation of ICANN, they may be able to represent this public interest. A possible way for improving the accountability of ICANN is to assign the oversight responsibility within the new institutional setting to be proposed as an outcome of NetMundial to already existent stakeholder groups within the ICANN system. Another approach would be the assignment of that oversight to entities outside ICANN, as long as they are recognized as representative of the international public interest. A clear advantage of this second approach is the avoidance of an overlapping reality, in which the organization responsible for policy making is also responsible for the oversight of policy implementation.

2. Leveling the playfield among stakeholders and countries

In a paper presented at the 8th Annual GigaNet Symposium, Laura DeNardis and Mark Raymond classified multistakeholderism according to the type of stakeholders involved (States, firms, non-governmental organizations, and/or international organizations) and the nature of authority relations enshrined within a specific political community (hierarchical, polyarchic, or anarchic). The matrix derived from those two variables yields thirty three different forms of multistakeholderism (Note 6). CGI.br has its own model of governance - recognized as a best practice within several different fora, including the Internet Governance Forum and ICANN itself. It has successfully created a decalogue of fundamental principles for the use and governance of the Internet in Brazil. Both CGI.br's governance model and its decalogue can inform the way forward for the global governance of the Internet, not only because they represent the commitment of all stakeholders involved, but also because it expressly deals with cultural and socio-economic developmental issues that can serve the purposes and interests of developing and the least developed countries in global governance at large (Note 7).

A first step on that direction shall be the establishment of a serious and permanent discussion about the appropriate contours of multistakeholderism for Internet governance in the 21st Century. Bearing in mind the study conducted by DeNardis and Raymond, CGI.br believes that the best model comprises all of the relevant actors within their scope of action and is polyarchic in form (the one in which authority is neither centralized within a single entity nor inexistent).

Despite being polyarchic in nature, ICANN multistakeholder governance sometimes can tilt between anarchy (in which economic and political power outside institutional constraints is the enforcing mechanism) and hierarchy (in which the Board or the GAC, for instance, imposes restrictions on the action of other stakeholders). In light of that abstract reality, analyses of the structure and operation of ICANN have revealed various problems regarding an inadequate balance among the various stakeholder groups. Examples of problems are: the inadequacy of the mechanism for governments? participation via the GAC; the very small influence of civil society upon the final decisions of the GNSO and the Board; and the capture of ICANN by the domain industry (both registries and registrars). To these problems we must add the lack of balance among different countries, whereby developing countries (both their governments and representatives of their civil societies and private sectors) have a very small influence on the policy cycle. The current structure of ICANN, including the Board, the SOs and the ACs, with their respective roles, and in particular the daily operation of these bodies, do not seem to achieve an adequate balance among all stakeholder groups and among all countries (Note 8).

Although the improvements regarding transparency and accountability suggested by the ATRT 1, and revised and enhanced by the ATRT 2, go in the right direction, they lack enough generality, since they basically reflect priorities and conditions expressed by the AoC. A revision of those recommendations under a much more general framework could bring important enhancements to the structure and operation of ICANN. 

In the following, we suggest some specific paths to be followed. This is merely illustrative and shall be taken as a point of departure for further discussions:

1.    Even if the GAC keeps its role as an advisory body to the Board, government representatives should participate effectively in the policy development processes in the GNSO. Governments' influence on those policies only when they are being considered by the Board for final deliberation should be avoided, as it represents an unduly advantage over other stakeholder groups.

1.    The weight of registries and registrars in the policy development processes should be reduced. The current structure of ?houses? in the GNSO gives them the same weight as all other stakeholder groups together, while, in fact, those other groups represent the interests of all other sectors of the society and are thus better placed to represent the public interest.

3.    The structure and the role of the ALAC should be revised, since there is a clear redundancy among the ALAC and stakeholder groups in the GNSO; also the ALAC does not take part in the policy development processes in the GNSO. If the ALAC is meant to represent, in theory, the interests of all Internet users, who should be considered as very important stakeholders (maybe even the most important ones), this seems highly contradictory. Besides, the participation of individuals and entities in the ALAC neither follows transparent rules nor guarantees an adequate global representation of users.

4.    The composition of the Board should be revised in order to reflect a better balance among stakeholder groups, considering the ultimate goals of ICANN, which should be materialized by a set of principles adopted by the organization for the use and governance of the Internet. In particular, in order to reinforce its multistakeholder nature, the number of Board seats allocated by the NomCom could be reduced, thus increasing the slots for Board members directly elected by the SOs.

5.    Sufficient funds should be provided to promote and ensure the participation of individuals representing stakeholder groups from developing countries. Mechanisms should be implemented to ensure their effective participation in the different organizations, committees, and working groups of ICANN.

6.    Once an adequate and balanced participation of all stakeholder groups (including governments) and all countries in the policy development processes in the GNSO is ensured, the role of the Board regarding the final approval of those policies should be revised. The Board should have only an oversight role over those processes, in a way to guarantee that they follow the adequate balance among all stakeholder groups and that the public interest has been served. The guidance for the Board shall derive from the overarching set of principles for the use and governance of the Internet to which ICANN should be committed. Also the Board accountability and transparency mechanisms should be improved, in such a way that the global society is able to check that the actions of the Board are consistent with the safeguard of those principles.



1. CGI.br thanks the collaboration of Mr. Diego Rafael Canabarro in the drafting of this document. He is a PhD candidate in Political Science and Research Assistant to the Center for International Studies on Government (CEGOV) at the Federal University of Rio Grande do Sul (UFRGS), Brazil.

2. ERMERT, M. ICANN CEO Wants To Shift ?Centre Of Gravity? Away From US. IP Watch, April 9, 2013. Available in: www.ip-watch.org/2013/04/09/icann-ceo-wants-to-shift-centre-of-gravity-away-from-us/.

3. FROOMKIN, F. Almost Free: An Analysis of ICANN's ?Affirmation of Commitments? (January 20, 2011). Journal of Telecommunications and High Technology Law, Vol. 9, 2011; University of Miami Legal Studies Research Paper No. 2011-01. Available at SSRN: http://ssrn.com/abstract=1744086.

4. LERNER, J. S.; TETLOCK, P. E. Accounting for the effects of accountability. Psychological bulletin, v. 125, p. 255?275, 1999.

5. O'DONNELL, G. (1999), "Horizontal accountability in new democracies", in Schedler, A.G., O Diamond and M F Planner (editors).

6. DENARDIS, Laura; RAYMOND, Mark, Thinking Clearly About Multistakeholder Internet Governance (November 14, 2013). Available at SSRN: http://ssrn.com/abstract=2354377 or http://dx.doi.org/10.2139/ssrn.2354377. See also DENARDIS, Laura. ?Multistakeholderism and the Internet Governance Challenge to Democracy,? Harvard International Review Vol. XXXIV, N. 4, Spring 2013.

7. http://www.cgi.br/regulamentacao/pdf/resolucao-2009-003-pt-en-es.pdf

8. FELD, H. Structured to Fail: ICANN and the Privatization Experiment. Who Rules the Net? Internet Governance and Jurisdiction. A. THIERER and C. W. CREWS. Washington, DC, USA, Cato Institute, (2003). --- PALFREY, J. G. The End of the Experiment: How ICANN's Foray into Global Internet Democracy Failed. Harvard Public Law Working Paper No. 93; Berkman Center Research Publication No. 2004-02. Available in: <http://ssrn.com/abstract=487644>. --- HUSTON, G. Opinion: ICANN, the ITU, WSIS, and Internet Governance. The Internet Protocol Journal, v. 8, n. 15-28, 2012. --- KLEIN, H.; MUELLER, M. What to Do About ICANN: A Proposal for Structural Reform. April 5, 2005. Available in: <http://Internetgovernance.org/pdf/igp-icannreform.pdf>. --- LACROIX, D. (2013a). Governance of Top Level Domains (TLDs): a failed revolution? 1st International Conference on Internet Science, Brussels, April 9-11, pages 133-141, 2013.

-------------- next part --------------
Privacy and Surveillance

    Entitled by: Veridiana Alimonti
    Region: Brazil
    Organization: Brazilian Internet Steering Committee - CGI.br
    Sector: Other
    Keywords: right to privacy, human rights, surveillance, fundamentals


Information and Communications Technologies provide powerful tools for collecting, storing and processing personal data. Such tools can be used by both the private sector and the Government, and in both cases they should comply with strict standards on the protection of the fundamental right to privacy. Edward Snowden?s denunciations of mass spying by the United States National Security Agency gave rise to a global general interest in the surveillance of citizens worldwide. Although PRISM-based programs and rules have been a reality for many years, Snowden's episode does not lose its relevance. States, civil society organizations and technical community has now a precious opportunity to set a needed path for the construction of global solutions to this issue within the Internet governance ecosystem. The purpose of this submission is to contribute to this discussion.


In addition to enhancing the dissemination of ideas and opinions and allowing for the creation and manifestation of diversity, Information and Communications Technologies also provide powerful tools for collecting, storing and processing personal data. Such tools can be used by both the private sector and the Government, and in both cases they must comply with strict standards on the protection of the fundamental right to privacy.

Internationally, this right is provided for in article XII of the Declaration of Human Rights, which protects one from any arbitrary or illegal interference with its private life and assures the protection of law against such interferences and attacks. Similar provision is given under article 17 of the International Covenant on Civil and Political Rights, among others.

Different national and regional laws also include the right to privacy with more or less details. In Brazil, privacy protection is an indelible clause (?cláusula pétrea?) of the Brazilian Federal Constitution of 1988, covering the inviolability of the communications (articles 5, X and XII), and is part of the Brazilian Internet Use and Governance Principles approved by CGI.Br - Comitê Gestor da Internet no Brasil, (Brazilian Internet Steering Committee) in 2009. Its strict relation with the exercise of freedom of expression, with the access to the information and with the base principles of a democratic society was reaffirmed in the recent UN resolution ?The Right to Privacy in the Digital Age?, proposed by Brazil and Germany and supported by 55 co-sponsorsing countries.

Edward Snowden?s denunciations of mass spying by the United States National Security Agency gave rise to a global general interest in the surveillance of citizens worldwide. Although PRISM-based programs and rules have been a reality for many years, such as the Echelon Program or the Communications Assistance for Law Enforcement Act (CALEA), Snowden's episode is quite relevant for some reasons.

The first and most important of them is the opportunity that is opened for reviewing such practices in reply to the coordinated international reaction. The second one is the increased understanding that any reaction implies recognition of the global scale of the network, and therefore the international effort to set parameters and control mechanisms for surveillance. The third one consists of evidences that the fight against spying goes through telecommunication networks, different Internet layers, hardware and software. The question, therefore, is how to protect the privacy and the personal data in this context.

The current international Internet governance ecosystem lacks a proper body with authority to discuss and coordinate solutions from the perspective of human rights protection. Multistakeholder spaces such as the Internet Governance Forum (IGF) or the UN Commission on Science and Technology for Development (CSTD) could be structured as bodies responsible for coordinating discussions and actions and entitled to make recommendations to other international bodies towards more effective privacy protection globally.

Given the current international law and human rights perspective, CGI.br also considers that the definition of parameters for ensuring privacy of communications must be based on some fundamentals:

- Initially, the principle of legality must be respected, i.e., the need for clear and accurate legal provision for cases where communication surveillance is admitted must be ensured. These law provisions must confer such powers only upon authorization by the competent judicial authority and for a legitimate aim clearly delimited that serves to the protection of relevant legal interests required in democratic societies. Communications surveillance may not be established based on discrimination of race, color, religion, gender, language, nationality, social origins, political opinions, or other similar criteria.

- Such limitations to privacy in communications must be necessary, adequate and proportional considering the legitimate goals intended to be achieved. ?Necessary?, because it must be the only means or the least offensive alternative to human rights able to effectively achieve the intended legitimate aim. ?Adequate? because it is necessary that it is proper to achieve this specific aim.  ?Proportional?, because it must always be considered that the practice of surveillance is harmful to the exercise of fundamental rights and to democracy. In such context, the adoption of these practices must entail the balancing of the seriousness involving the breach of privacy in relation to the legitimate aim intended to be achieved, with the establishment of measures and differentiated degrees of intrusion for criminal investigations and other investigations.

- The limitations to the right to privacy on communications must be determined by a competent and impartial judicial authority that is independent from other authorities that conduct the surveillance proceedings. Court order shall be issued in the due process, subject to the procedures provided for by law, publicly known and in line with the protection of human rights. Full legal defense cannot be excluded also, and user notification may be waived or postponed only in specific cases set forth by law.

- Transparency of the States in the use and scope of the techniques and powers related to communications surveillance is required. Periodic reports must give information about refused and approved requests, about what is the service provider that has received them and about the type of investigation. The applicable legislation and the procedures put in place by the service providers, regarding those requests, also must be publicly available. The practice of surveillance by the State must be under the supervision of other entities. The compliance of these measures, however, doesn?t avoid the concern that the surveillance on communications may compromise the integrity, security and privacy of the communication system.

- Finally, it is relevant to establish protection related to the international cooperation on the provision of data and against the illegitimate access to the information of users. In the first case, among others, it is important to assure international standards with high level of human rights protection by means of agreements clearly documented, publicly available, and subjected to the guarantees of procedural fairness. In the second case, it?s necessary that countries are encouraged to consider on their legal systems the appropriated responsibility to improper usage and providing of data, as well as stipulate defense mechanisms to the individuals affected. The legal protection of privacy may also imply the guarantee of data destruction or its return to the individuals as soon as the material obtained through surveillance procedures has accomplished the purpose for which it has been collected.

These fundamentals are inspired by a proposal developed by different international civil society organizations and supported by more than 400 entities around the world, entitled ?International Principles on the Application of Human Rights to Communications Surveillance? (available at https://en.necessaryandproportionate.org).

More information about the discuss mailing list