The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.
***
>> CHRIS BUCKRIDGE: Emily, can you hear us? You should be able to unmute yourself. I think we made you cohost. So, you should be able to unmute. Jean‑Jacques, I believe you're there. If you're able to turn your camera on. We can do a sound test for you as well.
>> JEAN‑JACQUES SAHEL: Hi. I hope you can hear me.
>> CHRIS BUCKRIDGE: We can. It's a little crunchy. It's probably our end.
>> EMILY TAYLOR: Hey. I'm now unmuted.
>> CHRIS BUCKRIDGE: Excellent. Also, a little crunchy in the sound department. But we'll see ‑‑
>> JEAN‑JACQUES SAHEL: It's just our regular voice, David.
>> Yeah. Thanks, Keith.
>> CHRIS BUCKRIDGE: Maybe one of you could keep talking.
>> EMILY TAYLOR: Yeah. I'm just going to talk about any old stuff. How's all going there, Chris? I've seen some beautiful photos of the venue.
>> The scenery is spectacular.
>> EMILY TAYLOR: It looks amazing.
>> Okay. Something happened then.
>> EMILY TAYLOR: Something good?
>> Something good, Emily. Let's see. Keep talking a little, please.
>> EMILY TAYLOR: Yeah. How are you, Jean‑Jacques? Are you good?
>> JEAN‑JACQUES SAHEL: I am well. It's nice to be back at the IGF, actually continuing the discussion. Thanks for inviting me. It's a pleasure. Thank you.
>> CHRIS BUCKRIDGE: Well, we might get under way here. We have a small but dedicated audience with us. Hopefully that will grow as people come back from lunch. Thank you for joining us. This is the session for the Dynamic Coalition on DNS issues. And the title of the session today is beyond borders, impact on the Global South. My name is Chris Buckridge. I'm moderating as an IGF (?) Without any particular (Off microphone). I'm joined with four guests. We have Keith Drazek here to my left and further to my left we have Bertrand. Online we have Jean Jacques Sahel, and Emily Taylor. They can introduce themselves and however they would like to identify. We had hoped to be joined by Bruna Martins dos Santos. She has found herself occupied with another session taking place right now. She sends her apologies. But I'm sure we'll soldier on and we'll manage without her.
So, this session is following on from what was really a successful session at last year's IGF in Kyoto discussing the governance gaps and addressing online harms.
There were a number of outcomes of that that's a good and concise report on the IGF website. It essentially found that the lines between content and structure, infrastructure can become very blurred very quickly when we start talking about online safety and user safety. That leads to challenges, leads to problems and needs to be addressed.
So, the calls to action that came out of that particular session were for industry and tech community to build capacity, particularly with policymakers, to educate policymakers around the issues, the concerns, the consequences that can come from actions that have not been fully considered. But also, for the tech community and the industry to develop better coordination mechanisms to handle online harms.
So, that's leading us back here today to this session, which is going to build on very similar things and look at what's developed in the last 12 months, but also using NIS2, which is the second version of the directive on the security of networks and information systems. And it's a directive in the European Union, which has had some impact and intersection with DNS operations, with operators in the EU and beyond.
There have been discussions of that at ICANN meetings over the last 12 months. I know there was a very good discussion in Hamburg which is nearly 12 months right now. But it's an ongoing discussion in that community.
I think we'll probably touch on some of those issues here, but hopefully also being in an IGF space rather than an ICANN meeting, people also making a little bit generalised into how these kinds of issues can be addressed in a multistakeholder fashion and what really needs to be considered and what we need to aspire to.
So, we have sort of two segments of this discussion. In the first one I'm going to speak to Emily and Jean‑Jacques. It's essentially about supporting policymakers in developing adequate measures for addressing online harms reflecting on that NIS2 directive but also general governance gaps and jurisdictional challenges, which I know both Emily and Bertrand have worked very, very extensively on. And what collaborative steps there are to support policymakers.
I think I'm going to go to you, Emily, first if that's okay and hope you can provide background and context beyond what I've been able to on the NIS2 situation as it applies to this community and more broadly. What are the significant governance gaps that NIS2 directive seeks to address? What are the impacts of that, particularly in the DNS industry?
>> EMILY TAYLOR: Thank you, Chris. Thank you for moderating today. Best wishes to everybody attending the IGF in Riyadh in person. My name is Emily Taylor ‑‑
>> CHRIS BUCKRIDGE: Can I pause you one second? We have had much worse sound than we had.
>> EMILY TAYLOR: I'm sorry to hear that.
>> CHRIS BUCKRIDGE: Are we able to have the sound check how this is working because good sound in the room but the sound from online is terrible.
>> EMILY TAYLOR: I can hear you very well.
>> CHRIS BUCKRIDGE: Maybe keep speaking and see if they're able to ‑‑
>> EMILY TAYLOR: What I'll do is I'll introduce myself because it doesn't matter if you can't hear that bit. My name's Emily Taylor, I'm a co‑founder of the DNS Research Federation, a nonprofit that's dedicated to understanding the impact of the architectural layers of the Internet on policy.
I'm also a founder of the global signal exchange, a partnership with the global antiscam alliance. And we work very closely on the DNS issues Dynamic Coalition which we've done for several years.
So, I'd like to just preface my remarks about NIS2, because it's never a good look for a Brit to be criticizing European legislation. And I would just like to say for context that I voted to remain every time I got the opportunity and would do so again.
The context for ‑‑
>> CHRIS BUCKRIDGE: Emily, it's almost impossible to hear. I know the sound from the other Zoom participants is fine. So, Zoom itself is working. It's the.
>> EMILY TAYLOR: The sound in the room.
>> CHRIS BUCKRIDGE: From Zoom software to the system here is working very poorly.
>> EMILY TAYLOR: Oh, I'm sorry to hear it. We can hear you beautifully.
>> CHRIS BUCKRIDGE: I'm going to see if we can jiggle a connection or something.
>> EMILY TAYLOR: Maybe start with somebody in the room. We can ‑‑ anything that you can do. I'm ready to respond.
>> CHRIS BUCKRIDGE: Okay. Maybe give us 30 seconds and see if there's anything we can do here. Emily, could you speak again.
>> EMILY TAYLOR: Is this any better? I will keep saying random words. Is it fine in the room? Even worse. Okay.
>> JEAN‑JACQUES SAHEL: I assume ‑‑ I can hear you perfectly, Emily.
>> EMILY TAYLOR: I can hear you perfectly, Jean‑Jacques.
>> CHRIS BUCKRIDGE: Okay. Maybe we'll start with Bertrand and hopefully they'll keep trying to fix this. And we'll come back to you, Emily. Thank you. Thank you, both, for your flexibility.
>> BERTRAND DE LA CHAPELLE: Does that work? So, I was expecting ‑‑ apologies, I have a sore throat, so my voice is not exactly the way it's supposed to be.
There are a few things that are important, and I will let Emily, when she's back, develop more specifically the elements regarding NIS2.
What I think we need to understand at a higher level is that there's a sense of powerlessness by all the different actors regarding something that's extremely difficult to address, which is online abuse. Because it is spread, we have international network or transnational network that doesn't recognise borders, which is a very big value of the Internet. At the same time illegal actors that are based on 190 different jurisdictions and legal systems. And at the international level I want to highlight also in the context of the whole ‑‑ they have not produced in the last 20 years on the Information Society any comprehensive framework to address these international issues. We need to recognise it. We need to continue the highlight those that have managed the Internet since the beginning and working under a multistakeholder approach have allowed the Internet to function, including during the harshest period during the pandemic where the whole world was hanging on a thread, which was the Internet.
The problem of online abusers is a paradigm for how can we address things that are transnational with an apparatus that is a series of national laws? And that creates two fundamental questions. One, is the compatibility of the laws that are adopted in one country or region versus the laws of another country. The second thing is the question of territoriality. The compatibility of the laws question is something that is a requirement in terms of coordination between the different actors.
For the European Union, the feeling that there is critical mass market and for better or worse there is an affect, leads to a desire to adopt legislation that is, one, solving a certain number much problems for the block itself. But also apply to actors that are outside of the block. Because those actors are performing services on the territory of the European Union.
So ironically ‑‑ I want to emphasize how ironic it is. In order to defend your sovereignty as a state or a group of states, you need to do extraterritorial regulation which is the exact opposite of territorial sovereignty. And it's a conundrum. I don't want to belabor too much. There is one concept I would like to share, which is we should be talking about responsible extraterritoriality. Because it is unfair to tell a government thou shalt not have any extraterritorial legislation, but it's unfair for a government or group of governments to say we have the capacity to do anything we want, because you're located elsewhere, and you impact our territories.
So, I'm very fond of what I'm increasingly calling the Goldilocks rule, the famous story of Goldilocks and the three bears where there is a soup that is too hot, one that is too cold, and one that is just right. In regulation, we need to have this constant reminder of responsibility under the Goldilocks rule, which is there are things that you need to do. I mean, you need to be beyond a known action, but there are things you shouldn't be doing because it is excessive. This applies for the governments and this applies ‑‑ we'll talk about it afterwards ‑‑ to the operators. That's the way to understand responsibility.
And the final remark is because it is a transnational problem, it is something that cannot be solved by either the governments alone or the companies alone, but it is a cooperation, coordination. Because otherwise, the abusers are going to move from one place to the other. And it's a constant working exercise. I wanted to introduce this notion of responsible extraterritoriality to say that responsibility is not only on the side of the public ‑‑ private actors, but also on the side of the public actors when they elaborate their legislation.
I'll let Emily, if she's back on, develop more specific aspects of NIS2.
>> CHRIS BUCKRIDGE: Thank you very much, Bertrand. We'll give Emily to try out the technology again. It's fascinating for me, having been in the space for a while, I think most of us in the room have, to hear the term extraterritoriality move from what was essentially a curse word to something that is being integrated and accepted as necessary but with caveats. So that's a very important journey to understand, I think.
Emily, can we try you again and see if the audio is better?
>> EMILY TAYLOR: I do hope that you can hear me. I can hear the room perfectly. And I think that Jean‑Jacques can hear me and the other Zoom participants can. If you follow the transcript.
>> CHRIS BUCKRIDGE: Keep talking. It seems like the transcription can hear you. We still can't hear you well, but while you're talking, they're better able to try and remedy the situation. Please keep talking and we'll hope that it gets better as we go forward.
>> EMILY TAYLOR: First of all, I'd like to say I'm very angry with Bertrand for using the Goldilocks analogy, because I had thought of the Goldilocks analogy, and I was very proud of myself. So, wait for it when it comes in later.
But just, as context, Bertrand has set the scene as usual, beautiful. One of the things I would like to state, before diving into NIS2, is the complexity and sheer scale of EU digital regulation.
I think this is ‑‑ and also how complex it is for anyone to comply with the regulation. At a recent legal conference, it was reported that there was a guy walking around with a T‑shirt that said, only God is GDPR compliant. I think this really highlights the complexity of trying to comply with EU legislation.
There are currently 115 pieces of digital legislation from the European Union representing thousands of pages. For small and even large businesses this is complex. And there are also internal inconsistencies. So, amid this orgy of law making, why should the DNS escape?
Because the approach is contagious. Here we have the second version of a directive, which has to be transposed into each member state law whose purpose is to strengthen basic cybersecurity hygiene.
And thinking about Bertrand's remarks about the necessity for business, for all stakeholders to work very closely with regulators, I think it's worthwhile reflecting that there is a very small part of the NIS2 directive that relates to the domain name sector. The shorthand reference is Article 28.
But one thing I wanted to highlight is that after the European Commission and other EU governments participated ‑‑
>> CHRIS BUCKRIDGE: One second. We've lost your audio completely, which I'm hoping is the first step to rectifying ‑‑ are we able to connect back? Can you continue speaking, please?
>> EMILY TAYLOR: Sure. So, the regulation relating to who is ‑‑ nothing at all?
>> CHRIS BUCKRIDGE: Sorry, Emily. In hoping to make a bad situation better, we've made it worse.
>> EMILY TAYLOR: Okay.
>> CHRIS BUCKRIDGE: Emily, one more go, please.
>> EMILY TAYLOR: Yes. Shall I just carry on speaking and hope people can read the transcription?
>> CHRIS BUCKRIDGE: Yeah. Emily, if you can. Just carry on. We'll read the transcription. And hopefully we'll get it sorted shortly.
>> EMILY TAYLOR: I'm going to make a few observations about Article 28 of the NIS2 directive, which for those who are not familiar with it, relates to the registration data of domain names and imposes obligations on the domain name supply chain to take certain actions without getting into the detail of what it says. But just one reflection before I dive in is that the NIS2 draft came in to being after the Commission and several other Member States governments participated in an expedited policy making process through ICANN that was designed to sort out who is.
So, the fact that legislation emanated as a result of that or after that tells us that something didn't go quite right.
So, three observations about where we are. This is a directive. So, under European Union system that means that every member state has to make a law at national level to reflect it. And the overwhelming trend that we have been seeing in our NIS2 Article 28 tracker, which you can look at on the DNS Research Federation website. Number one observation is lateness.
The Commission has in fact started infraction proceedings against 23 of the 27 Member States for failing to transpose the directive before the deadline of the 17th of October.
The second is, and here I'm channeling Bertrand, the Goldilocks effect. Inconsistency among the Member States. So, there is a number of Member States that are taking, perhaps, too soft an approach, like Mummy Bear with less than was in the directive. Some perhaps taking too hard an approach, like Daddy Bear. Here an example is the Czech Republic which is imposing fines up to $2 million per offense for failure to comply with Article 28.
And then there is the just right Baby Bear approach where several Member States have taken exactly the draft of the directive.
So maybe with the guidance of the NIS2 cooperation group, a group of governments supplemented with the European Commission officials, that will help to smooth the wrinkles. But what we're looking at the moment is a diversity, a lack of harmonisation, even within the European Union itself. To take the theme of extraterritoriality a little further, this is the first experience I've had of a directive that has extraterritorial effect.
So, as well as very clearly in Article 26 framing the scope of the Article 28 ‑‑ sorry, there are so many Article numbers ‑‑ to capture whoever is providing services in to the European Union.
We also have the prospect of forum shopping within the Union itself. So, if you can provide a Nexus to a country where the transposition suits your purposes, then why not try to take action in that member state against somebody else who has perhaps a stronger Nexus with a different one? I think we're going to have, as we lawyers say, a field day ahead as we start to navigate the complexities of this.
I'm very sorry that we lost Bruna as a speaker due to logistical issues this morning, because one thing that we really wanted to highlight in this workshop was the impact of extraterritoriality on Global South. And the democratic deficit, if you like, of states and people who are affected by legislation that they have no say in framing, and they have no recourse in challenging. They are just obligated to follow it.
Now, clearly, there is an awful lot to recommend the EU approach in that it is a thoughtful process. There is a lot of internal consultation and consultation with stakeholders. In a lot of ways the European Union is becoming the world's regulator in technology with those 115 pieces of regulation.
But what we're also seeing, as Bertrand mentioned, is that other states do take that extraterritoriality for their own regulation, states that don't have the same protection for fundamental rights and freedoms. And therefore, there is a prospect of many cross‑cutting obligations and very confusing landscape for those who want to challenge it.
So, I would just, as a final remark, I would just wrap up by saying it's still not clear who the NIS2 Article 28 applies to. And that the DNS Research Federation, we will be publishing the results of our ecosystem discovery, which will show that the extraterritorial effect does apply in the NIS2 Article 28 that many service providers from outside the Union will be caught by its provisions. And also highlight a blog series we've started to roll out using case studies from other industries on know your customer. One of the aspects of Article 28 is that you're supposed to verify and make sure that who is data is accurate. Georgia's in the room. She might be able to say a few words later in the Q&A, Chris. We're looking at the dating app in the industry, from finance, and from crypto to see what lessons might be learned from the domain industry as they're facing the implementation of this new regulation.
So, I will leave it there and look forward to joining the discussions later.
>> CHRIS BUCKRIDGE: Thank you very much, Emily. It's great to hear you clearly.
>> EMILY TAYLOR: I can hear you.
>> CHRIS BUCKRIDGE: All right. Here we go. Great to hear you clearly if I cannot hear myself clearly. It's my headphones. Technology, huh? I appreciate your commitment to the Goldilocks metaphor as well. You took us deeply into that. It would be good to break up ‑‑ I know we still have Keith and Jean‑Jacques to hear from. That's the second segment. If we could hear from anyone in the room that has been triggered or inspired or has thoughts based on what we've discussed so far.
I know, also looking to Bertrand and Emily and also Jean‑Jacques and Keith, we talked about one of the questions we had and is a little on what you were saying, Emily, what lessons there might be for policy making in non‑European countries. You were talking about industry. You highlighted, as a director, this is quite in some ways uniquely European mechanism and creates further fragmentation by the inch implementations.
Are there lessons for policy making, policymakers in non‑European regions about what's happened here? Maybe if either of you ‑‑
>> EMILY TAYLOR: I can have a go or Jean‑Jacques might or one of the others might. I hesitate to really ‑‑ to instruct policymakers on this. I think my reflection would be for the industry and other stakeholders, there is a global coordination for regulating domain names or at least coordinating domain name policy.
I think the fact that we've seen regulation in the European Union on domain name policy should make us pause and reflect on what fell down in that. Because there's abundant expertise. There is an awful lot of discussion of the issues. And I'm not going to pretend that the issues relating to who is are simple. They're not simple. They are about understanding and accepting that there are multiple legitimate points of view here. There are legitimate points of view and legitimate expectations of privacy of individuals not to have their name, address, phone number, email address published to the whole world at large.
There are also legitimate expectations that law enforcement and, yes, even the enforcement of civil law rights, such as intellectual property rights. Those also are legitimate. And somehow we have to navigate this.
But actually, the best people who know the issues have failed to reach consensus over a 25-year period, despite abundant discussions within ICANN. I think we should reflect on what went wrong and how the ICANN process and multistakeholder processes can evolve to break dead lock and reach balanced and moderate solutions that serve the public interest.
>> CHRIS BUCKRIDGE: Thank you very much, Emily. We have a question here in the room.
>> AUDIENCE: Hi. I'm Owen Fletcher, for the record Goldilocks analogy and the idea, as I think you put it, Bertrand, extraterritorial, those are both interesting ideas strikes me that one could interpret the middle ground you're trying to reach in a lot of different ways. What are the sorts of lines that you have in mind that you would hope not to see crossed in these regulations?
>> BERTRAND DE LA CHAPELLE: I think, first of all, what I now call the Goldilocks rule is a mindset. It's having constantly the question in mind what is not enough and what is too much? It can vary from case to case. On the case of extraterritoriality, to go back to what was discussed about the impact on third countries, it is not new with the NIS2 or other. It's true with the GDPR. I've had discussions with people in Africa or Latin America who feel that if on the one hand they consider the protection of privacy is absolutely legitimate and important, it was basically pushed down their throat without them having any say in this.
So, if we accept, as Chris was mentioning, that instead of being an absolutely acceptable exception, extraterritoriality is part of the package of regulating transporter thing. There's a new type of consultation that needs to take place, which is involving the stakeholders, I.E. those who have a stake and those that are impacted by. Which means that in the international arena, I don't know how to do it. But we're lacking the space where, for instance, the European Union or the United States, for that matter, would basically have a way to explain early on what the mechanisms of the new regulation are before it is actually implemented.
And I want just to mention that the horror of the United States authorities about how can you imagine having something extraterritorial immediately prompts the reaction, it hurts when you are on the receiving side, right? Because we've been receiving extraterritoriality from the United States for ages. And now, it's a competition, which is dangerous. It is a legal arms race, as we've qualified this for more than five years. And this legal arms race is really dangerous, because we're talking about a fragmentation of the Internet. But it's not the Internet that's fragmented. It is the legal regime that applies to the Internet that is already fragmented. And it risks becoming incoherent.
So, there's no simple answer to your question, apart from having this sort of compass in mind where who are the stakeholders? Who am I impacting when I'm making a decision beyond my territorial authority? And how far am I going in terms of an intended consequence? I love Emily's remark that God is GDPR compliant. I constantly rage against GDPR which spends more time on refusal than reading the article that I'm trying to access. This is an unintended consequence that was not taken into account.
So too much or too little is just a guiding principle.
>> CHRIS BUCKRIDGE: Thanks, Bertrand. I'm going to give it briefly to Keith. David, we have comments online. Georgia, I also see your hand.
>> KEITH DRAZEK: I'm Keith Drazek. I'm with Verisign, the reg straighter operator from dot‑com and dot net. I want to provide a little context about the challenges facing the ICANN multistakeholder process and the bottom‑up consensus building policy development work. Emily is absolutely right, there was an expedited policy development process that was initiated around the time of GDPR going into effect.
And there was intense work. That work was divided in the ICANN space into two components. There was the Phase 1 work to ensure compliance. ICANN's contracts were able to be in compliance with GDPR. I think that was highly successful. There was a second phase that was focused more on the questions of access and disclosure to registrant data that had previously been publicly available, generally speaking, acknowledging there were privacy and proxy services and other aspects. But generally speaking, a system that was publicly available that had people's personal data available for search online.
The questions of access and disclosure became quite sticky and very challenging and resulted in not a lot of satisfaction for anybody. There was very little consensus, if any, on that question. There's ongoing work within the ICANN space to figure out next steps about standardized access in the disclosure systems. But Emily is right. The multistakeholder process within ICANN did not produce results that were satisfactory to everyone.
I think what we've seen in NIS2, particularly Article 28, is a reaction to the fact that the ICANN community didn't deliver something that was satisfactory, in this case, to the European Commission, the European Union regulators there. Therefore, we've now seen regulation coming out that essentially has overtaken or leapfrogged the work in the ICANN space that is still dragging on frankly.
As somebody who participates actively in the ICANN community on a daily basis, I acknowledge that the ICANN community and the multistakeholder system must become more efficient, more effective, more able to deliver results in a timely fashion, or we risk what we've seen recently, and especially with NIS2 Article 28 is regulation coming from a particular jurisdiction that has extraterritorial impact and could result in a fragmented approach where we end up with a number of different regulations from a number of different jurisdictions.
As an operator of registry services and in the Technical Community and the business community, that type of fragmentation is very unhelpful. It's very ‑‑ it's a real challenge for any operator to have multiple requirements coming from multiple jurisdictions and having to operate in that type of environment.
So, as a general statement, as a multistakeholder participant, we have to be more nimble in our ability to deliver, so that we can avoid this type of extraterritorial regulation or at a minimum make sure that there's better collaboration, better coordination so there's more consistency in whatever variation or variability there may be. Thanks, Chris.
>> CHRIS BUCKRIDGE: Thanks very much, Keith. David, please. We have some remote comments. And then we'll.
>> DAVID MCAULEY: We have a remote question for Emily from Sebastian, I would like to read it out. Over to you Emily. Are the Article 28 requirements on every registrant's data on legislation which was drafted to secure critical infrastructure?
>> EMILY TAYLOR: I'm happy to jump in. Chris, shall I respond to the question now or do you want to go to Jean‑Jacques and Georgia first?
>> CHRIS BUCKRIDGE: A relatively brief response. Then we can go to Georgia and then Jean‑Jacques.
>> EMILY TAYLOR: I can keep it very brief. Excellent question, thank you very much. It is quite an anomaly in the NIS2 directive to see ‑‑ it's a little bit like a little spaceship has landed in the middle of this directive which is about network security, all the stuff you would expect in a cybersecurity approach. And it's also, I think, flags some bumps in the road ahead. Because in the main the implementation of the directive at national level has been handed to the national cybersecurity center who are very comfortable with issues such as how do you safeguard against insider threats or raise your game of basic cyber hygiene but maybe less comfortable with the domain name system and the intricacies of this.
I think it provides both an opportunity and a threat for those interested in the domain name system because it's likely to remain a back order but not to have that much expertise in terms of those who are in charge of the regulation going forward. So, thank you for the question.
>> CHRIS BUCKRIDGE: Thanks, Emily. Georgia, please. Georgia, may not be able to unmute herself. Can we make her a cohost so she can unmute or just unmute her. Okay. We'll go to Jean‑Jacques, first. Jean‑Jacques, thank you for your patience. You're one of our speakers and this is your first turn at the mic.
>> JEAN‑JACQUES SAHEL: Okay. Let's try. I hope hear me okay. I wanted to just comment briefly on this first part on extraterritoriality. I think rather than extraterritoriality remains a good or bad word, I think the problem is that it's very often in my mind something that leads to ineffectiveness.
What I'd like to offer in terms of thinking about the risks, it's actually two things. I want to also mention that it's not just now days about some countries from the Global North. We're seeing countries from anywhere in the world starting to do extraterritorial legislation. Some of them in such a way that they might well have an impact well beyond their borders, whether it's because of the sheer size of the fines that they're talking about or because ‑‑ we have countries currently that are proposing fines that amount to 30% of turnover for online harms from one piece of online harm. Frankly, it's ridiculous.
Either they think they're going to important enough that they will have an impact internationally and companies will pay up or they'll take the risk that their medium will have a vastly reduced amount of information and resources available from the Internet because a huge number of platforms will refuse to bother with that country. That's the wrong way to think about it.
The policymakers across the world really need to think about the practical impact of what they're proposing. That leads me to two key concepts I think that are hugely important here. The first is impact assessment. And the other is consultation on multistakeholder participation.
Impact assessment in the EU at least and some other places having an impact assessment, as you propose legislation is mandatory under law. I really think it's needed. It can be broader or smaller. But at least it should consider things like economic impact but also technical impact potentially and impact beyond. And that's frankly not done well in many places. Not that it's easy. I think when you're putting together a new piece of legislation, you need to think of the impact it's going to have on businesses and you need to think about the impact it's going to have on whatever is the practical application which may be the Internet infrastructure. I really do think a lot of legislation we've seen around the world ‑‑ it's not just about the EU, around the world related to the Internet hasn't done its homework in terms of impact assessment.
If you have a proper impact assessment then it leads to the consultation process. Very often we see consultations being posted on a website. Actually, if you want to do things well as a policymaker, you don't just publish the consultation on a website for people to see. You proactively go out there to elicit, to solicit input from the relevant stakeholders, whether it's GDPR or legislations elsewhere. I don't think we should point the finger at the EU, because I think that's unfair. We should have a much more stakeholder involvement because that's where you have the proper input where you might have the Technical Community weighing in, if you do this, XYZ might happen or you might have the other side of the house that says, be careful what you wish for.
For instance, you're working on privacy legislation, you want to make sure the other side of the government that's dealing with safety and security is able to make sure it aligns with their objective so you end up with a balanced outcome. If you're thinking about consumer groups, they might be able to tell you the impact on consumers. You're passing legislation on online harms. You want to make sure that the process is to support consumers and not too complex and burdensome which means consumers will just not report or seek redress because it's so complex.
Again, I think we really need to think about it from a process perspective. We need much better impact assessments across the board and related to that much better multistakeholder involvement, not just an anonymous consultation that very people will see and respond to. I hope you heard some of this.
>> CHRIS BUCKRIDGE: We did. Compliments to the audio staff here. We've got it all fixed now. It's working well.
Georgia, please.
>> GEORGIA OSBORN: Hi, everyone. I hope you can hear me. Yeah. Thank you so much for everyone's comments on it. I just wanted to touch on what Jean‑Jacques said about the impact assessment. I come from law enforcement sort of practical background. My first thought around this was how can we make practical solutions around this? I'm not a lawyer. So, the Article 28 of the NIS2 directive to me was like, how can we, as an industry, create solutions that can help this and can help us move forward?
As Emily mentioned, I've been doing a project around KYC. I'm looking at how other ‑‑ or know your customer, which is a way that businesses or organisations can get to know a consumer to ensure that fraud or criminal activity is not taking place. And it happens differently in very different industries. But I think it's important to note that in some industries it's not regulated to be so. Such as the dating app sector, which have voluntarily put in various KYC processes to help understand who their customer is, but also to protect them.
I think my point here is around the impact assessment which is not always being done but in terms of other industries, they have an understanding of what the harms are, what the real harms are in terms of dating apps, in terms of banking and finance, which is where a lot of fraud kind of ends up. Ultimately the point of the NIS2 directive was to help bring cybersecurity up to a high standard for everybody.
So, I think when going into this, it's really important to know what the principle is behind it, but also how we can get to practical solutions. And I thought this could be, in terms of industry, collaboration. How the dating app sector have done it is that they've solicited third‑party providers to help them with it as well as automation and technical solutions.
But it seems to have worked very well. And they haven't ‑‑ customers don't decide not to use a service because of that. If anything, they probably decide to use a specific service, because it's safer for them as a consumer. So, I just wanted to kind of point that out in terms of general understanding from my point of view for practical understanding of NIS2, that industry kind of works together to create solutions. It doesn't necessarily have to be regulation led.
>> CHRIS BUCKRIDGE: Thanks very much, Georgia. I think the points you're making segues very nicely into what was in segment two of this discussion. It's been a bit of an organic discussion in the meantime, which has been great. But the segment B that we have sketched out here was about promoting industry collaboration. Developing that ecosystem to engage with policymakers to ensure that there can be that multistakeholder process.
So particularly looking at building that collaboration within the DNS ecosystem, but looking beyond that as well and addressing governance gaps with the focus on the Global South. We talked about that a little already and data sharing practices. Georgia, I think you gave us some interesting and specific ones.
But I do want to go to ‑‑ Keith is probably ‑‑ we have Keith and Jean‑Jacques to speak. Keith, I'll ask you first. Particularly in the DNS industry, but what are the current barriers that we see cross‑sectorial, cross‑silo collaboration work.
>> KEITH DRAZEK: Thank you very much, Chris. That's a perfect segue. I know we've talked specifically about NIS2 here in the first segment of. But I want to use that as an example and jump off from that to say, NIS2 Article 28 in particular, I think is an example where it was a reaction to something else as a result of regulation. And we want to try to, as an industry, I say industry, I'm talking about in this case, the Internet infrastructure industry where we have registries and registrars at the DNS level. Then we've got focus primarily on technical harms, again talking about online harms here. And then hosting provider CDNs and ISP and the infrastructure stack. We all have our different roles and responsibilities and technical capabilities to mitigate harms within our operations or in our experience.
We, as industry, need to do a better job of collaborating and cooperating to identify those harms and to make sure that there's a clear understanding among us as to our respective roles and responsibilities. So, there's enhanced or improved cooperation and information sharing about what we're seeing, about trends, about abuse reporting, and to make sure that the most appropriate actor is taking that action proactively.
But all of this is in the context of enhanced industry engagement, so we can engage externally with regulators so that as they seek to regulate, as we expect they will, they do so in an informed way.
So, looking ahead, I think what we are hoping to achieve through enhanced industry engagement is to be able to work with regulators, to work with legislators, to make sure that any regulation that does come is more aligned with a full understanding of who we are, what we do, and how we do it, what the limitations are, in terms of our technical capabilities. Importantly, Chris, you asked what are the obstacles or the challenges. At least for those of us who operate in the ICANN stakeholder. ICANN prohibited a content moderator from getting engaged in content matters. So, we in the registry and registrar space have contracts that require us to take action.
That same regime does not exist as you start talking about hosting providers and other actors up the stack. They certainly are required to be compliant with local law, jurisdictional law, jurisdictional requirements. But it's not the same contractual regime we have in the DNS space. So, I think it's important for those of us who are registries and registrars to also engage with content operators, hosting providers, et cetera, to make sure we're aligned and having better engagement, both operationally together but as we engage with regulators. Chris, I'll stop there and happy to continue the dialogue.
>> CHRIS BUCKRIDGE: Thanks. To me, certainly it jumps out that the complexity of that venue ecosystem of where to actually ‑‑ where is the appropriate place to governor to regulate or make these kinds of arrangements is clearly a barrier or at least a hurdle to be overcome. So really an interesting note there.
Jean‑Jacques, can I come to you? Coming from a different perspective there. I guess also asking you where you see the barriers to that crossing the street collaboration. And also, the perspective from Global South to shape more inclusive governance and collaboration models. Are there lessons or things we can look at to sort of improve that?
>> JEAN‑JACQUES SAHEL: Thanks, Chris. Can you hear me, by the way.
>> CHRIS BUCKRIDGE: We can.
>> JEAN‑JACQUES SAHEL: Brilliant. Thank you. I'll come back on the detail on crossing the street collaboration. But I think we need to place it in a broader perspective of the fact that around the world, both in the north and the south, we do need to reinforce, to make sort of both the industry government and broader multistakeholder dialogue an ongoing part of policy and legislative development. I don't think it's happening remotely as much as it should be. We still see in panels even in places like Brussels where you may have just one part of industry next to the policymakers, not all sectors that should be represented. Very often Civil Society and consumer groups are not there.
So, you're missing the point in terms of comprehensive and effective policy development and legislative development. I think that's quite important. I think we really need no mainstream this idea of a regular dialogue.
I think it's really important when we talk about online harms, because if we focus on the role of industry, online harms are evolving very fast. And governments cannot realistically catch up all the time.
They have to have it in the industry and the Technical Community at least and consumer groups to better understand the consumer perspective. That is absolutely necessary in order to understand the practical realities of online harms and how to best deal with them. That's really not happening sufficiently. Again, that's not just a north or south issue. I think that's across the board.
So, we really need to mainstream what we here at the IGF and in the WSIS process for the past 20 years which is Internet Governance for the Internet it could be obvious it's needed at national level as well when developing laws. That's still not happening for other relevant sectors. That's the first thing. We need to improve that.
In terms of the practical realities, I think there are some issues in terms of basic understanding of some of the ways in which we deal with online harms in the digital world. There's a very low understanding of the processes that exist to flag at a very basic level whether as a user or a government. That touches on the extraterritorial aspect. The government can submit a removal request under its national laws, and it will be just for that country. Then if they submit a flag like users can against a company's policies, then that could be handled at a global level, if it fits inappropriate behavior that's understood at a global level.
There's an interesting area here where, again, an industry government will really help to find the most practical and effective ways in which to pursue online harms, to deal with them. So, I think a bit of that is around capacity building and having that dialogue.
I want to flag here, friendships, some of the UN industries like the UN Office on drugs and crime have been helpful in organising sessions for law enforcement and local government agencies for them to get in touch with digital platforms and understand those reporting processes. More of that would be really, really helpful. Then they would help with some of the focus of today's discussion which is some of the day‑to‑day constraints we have in going after online harms.
For some of the most egregious harms, there's a need for sharing intelligence on fraud, and sharing data. Some of that data can be sensitive. It can be accounts, personal names, if we're talking about criminals. For that to be safe for a legal perspective we need legal frameworks. As we've discussed before, they don't always exist fully in terms of international frameworks. At the local level they might exist, but we don't always have an alignment between safety laws and data protection laws.
So, in some cases we have or in many cases unfortunately, what we encounter is companies across sectors ‑‑ it's not just the digital sectors. If you're talking about scams, you need cooperation from the banks and telecom companies. If you want to be effective, you have to be able to identify that something is a piece of scam, as a digital platform we only have a part of the puzzle. We might not always able to ascertain something is a criminal harm from what we have access to. We may need to corroborate that data from banks or transactions. To share that intelligence we find, hold on, I can't share that data because data protection laws are stopping me from doing that. That might not be the case but it's not very clear in the law. We might need more guidance and clarifications. That's often what happens. I think that's something that you've mentioned the discussion under who is and the GDPR. I think we're finding similar types of types of headaches if not constraints in relation to scams where a number of companies are saying, who he, I can't exchange data. It's not about scams it's finding bad people. There are supposed to be caveats and carve‑outs in the GDPR, for instance, in order to tackle things like criminal activities. I'm not comfortable from a legal standpoint that I won't be in breach of GDPR if I exchange that data. That's within the EU, which is an advanced framework. We find that in many jurisdictions.
There's a need to really think about making sure that we have alignment between different laws. That goes back to my earlier comment that when you are crafting the law, you might want to make sure you have the right stakeholders around the room and have a fit between different laws. Often what happens, laws are developed in silos. You end up with conflict in laws between safety and security law you need to deal with financial crimes and scams but the other that says you can't exchange data. As a company, you're stuck. You want to do the right thing but prevented from doing so in many ways.
An additional thing in relation to that is the importance of due process generally. When we are dealing with online harms. Here what we find is that there's often a lack of understanding of some of the processes by, at least the digital platform, probably some of the other intermediaries, which is we need to abide by due process. That means that we have to review every flag that we are presented with following due process. That includes making sure it fits with human rights safeguards. Although it might not be very detailed. Human rights is an area where we do have international frameworks. However, I can tell you from experience that in many jurisdictions, again, both North and South, we find governments saying, why are you doing this human rights review? You're not respecting the law. Our national law. You're trying to impose another country's construct on to us by pretending that you need to do a human rights review? That's far from the truth if you look at least the processes we have at Google. We specifically refer to human rights guidelines by the United Nations. They're well accepted.
But we do find this pushback. I think that's where there really needs to be an understanding where we do have international frameworks, they should be followed and understood. Where we have constraints or gaps, this is the focus, there are gaps in terms of some of the data that we're able to share. I think this is where we need to look to some of the conventions, in particular I want to mention the convention on cybercrime, the Budapest Convention which has a second additional protocol which has human rights and safeguards of the those are the policies that are at a respected level where most countries would adopt and that enables us to share the data along with governments in the knowledge that we are abiding by well understood and accepted and stable international legal frameworks.
I think I'll stop here. Thank you for the time. Happy to take questions later on, of course.
>> CHRIS BUCKRIDGE: Thank you very much, Jean‑Jacques. A huge amount to digest and unpack there. Certainly, it's interesting the phrase the convention on cybercrime requires a further explanation to be clear what we're talking about. I did appreciate and seizing on a small part of what you were discussing there and linking to a lot of the other discussions around the center is leveraging the UN Agencies and the opportunities they have for building that capacity and education.
I have Bertrand here with a hand and then Emily. I'm also seeing that (?) in the chat room has made references and perhaps will be able to speak. There's a hand. Wonderful. Also, Keith. Please, Bertrand.
>> BERTRAND DE LA CHAPELLE: Many, many interesting thoughts to what Jean‑Jacques was saying. One general element is when we talk about online harms, it requires the same kind of coordination or multiple actions that the creation of the Internet requires itself. The Internet is the result of an enormous convergence effort by many actors, each doing something in their corner in a way that is coordinated and interoperable, yet independent.
I think when we're dealing with online abuse, we would need increasingly to have a better coordination between the different actors along with what is labeled, and I think Keith has use it, along the stack. Whether it's DNS operators, registries and registrars, hosting providers, cloud providers, content delivery networks, and all sorts of actors along the stack.
The second thing is very briefly, I cannot emphasize enough what Jean‑Jacques was saying about the importance of implementing multistakeholder approaches, consultation, code drafting, development of legislations, at each national level. Multistakeholder approach is not only for the global level. It will be implemented progressively at the national level and sometimes below the national level, in municipalities you can develop rules by consulting broadly the actual stakeholders of this particular region.
And I want to emphasize also we're talking a lot about regulation, regulation, regulation. Regulation is something that still has a very ‑‑ I wouldn't say rigid, but top-down approach where there's a regulator and the regulated.
I think in many of the discussions that we have, we should be talking about setting the rules. Because setting the rules is more flexible. You can set the rules collectively and the implementation of those rules can be one or another actor. Sometimes the implementation of the rule may not be done by the administration of a particular public authority. If you take the right to be forgotten, for instance, it is a private entity, in this case Google, that has been passed by the highest judiciary authority in Europe to arbitrate between the freedom ‑‑ the right to freedom to access of information and the right to privacy. Setting the roles and the roles and responsibilities between private and public actors is the multistakeholder approach, I believe.
Another thing, and Jean‑Jacques was alluding to it, I can testify for running a process within the Internet and jurisdiction. I am the Executive Director of the Internet and jurisdiction Policy Network. And during the last few years we've run a process on the question of content moderation on platforms.
I can tell you that the question of what is the geographic scope of public authority's request for content restriction was an extremely contentious debate. For instance, in one country because the content is absolutely unacceptable order another platform in another country to take this content down globally. I will tell you it was not possible to reach an agreement among a certain number of actors. Because there's a question of territorial sovereignty and a question of public interest of dealing with abusers.
So those questions of what is the extent of the role? The fact that when a registry or registrar acts at the level of the domain name system, the impact is global. Likewise, for the hosting provider, if you cut the access aside without jeopardizing, you (?) aside anywhere in the world. The geographic scope of action against abusers on content related is a tricky topic because the legislation is different on the content. I don't get into the hate speech and things like that. There are some content that are going to be sufficiently egregious to justifying an action on a global level and others that will be trapped between the different legislations. And the final point is Jean‑Jacques, again, was alluding to a very, very problematic issue coming from the siloed approach of legislation.
The tension between the allegations and the requirement of security and law enforcement has been an ongoing discussion. And unfortunately, when those legislations are being drafted, the other parts of the ministries of government are not sufficiently involved. I've seen that in international when I used to be the French thematic Ambassador for digital issues, you could have the representative of the French government, and it goes for any government, taking political position in one forum whereas the authority was taking another position in another forum. Because their orientation, their perspective on the different topics was not the same.
So, this tension between the conflict of laws coming in one country or conflict of laws between different jurisdictions across borders is one of the biggest dangers for having something that is legally interoperable internationally. I think I'll stop here.
>> CHRIS BUCKRIDGE: Thank you very much, Bertrand. I'm going to go to Emily and then Farzaneh and then Keith before a closeout from Georgia, our rapporteur. We have 15 minutes. Please bear that in mind. Emily, please.
>> EMILY TAYLOR: I won't go on. I'm keen to hear from Farzi as well and the others. On the final point that Bertrand mentioned, a really important one, which is the need for the different agencies within government to support a balanced approach. I just wanted to highlight on this issue a recent advisory by the UK information Commissioner, which is the national Data Protection Authority who cares really what the UK Data Protection Authority says, because we've left the European Union, but actually we're still bound by the same laws. So, it's an interpretation of GDPR. I think it's important for this debate.
And it's guidance on scams and fraud. And what they are saying is there is no legal barrier under data protection to sharing information for the purpose of fighting scams and frauds so long as it is done in a thoughtful and proportionate way. I think this is a really important issue. It casts my mind back more than 20 years. And this is a very local example. Forgive me on this. There was two children were murdered in a small village in one part of the United Kingdom by a school care taker who had previously been fired from his job in a different part of the country for concerns over child protection. That information was not passed on to his new employer because of data protection issues.
And that caused both the law enforcement and the Data Protection Authorities to make very strong combined statements on how that was a poor interpretation of the law. Of course, it had tragic consequences.
One final point before closing. We've talked a lot about silos. Along with Jean‑Jacques, this year we've been thinking a lot about fighting scams and fraud online and how to encourage signal sharing in a thoughtful and data protection compliant way. I think one of the things that illustrates how no single actor has the full view is thinking about scam journeys, thinking about attack chains, and how scammers will go from establishing an identity using infrastructure. That's involving domain names but also VPNs and other infrastructural elements making that false identity, engaging with victims and then cashing out which is when the banks start to see the fraud and then rinse and repeat. Unless you're joining up the intelligence between those different silos in the fraud journey, you are not going to be able to get ahead of the frauds and scams. The cost of which at a global level is running into trillions of dollars and only 9.95% of cyber criminals are prosecuted in the criminal forum. We're not winning. You don't throw human rights out the window anticipating Farzi's intervention, you have to do it in a rights and thoughtful way but you also have to protect people from frauds and scams.
>> CHRIS BUCKRIDGE: Thank you, Emily. Farzaneh, your reply. Can we make Farzaneh a cohost, people in the back, AV. Sorry. Farzaneh will be able to unmute momentarily. There you are.
>> AUDIENCE: Thank you. Sorry about that. So ‑‑ I'm sorry. I was at another session, so I missed some of the important points of discussion. But I just wanted to mention that so the Brussels effect of NIS2 might be an actual overreach and not necessarily show the leadership that they showed when they came up with GDPR. And that's not just because I am an overzealous activist for privacy. It's because GDPR was actually a General Data Protection Law. It did not single out domain name. It did not single out different operations. Of course, it affected different operations. But largely, it brought privacy, much needed privacy for, I want to say globally, but it did bring us ‑‑ it did give us some tools to work with to bring some much-needed privacy for domain name registrants whose sensitive data was published sometimes without them knowing, mailing address. It's including mailing address.
So, one of the things that ‑‑ so NIS2 wants to back pedal all of these protections that we ‑‑ after a long time, we have achieved, especially at ICANN, and it will have ‑‑ it has ‑‑ I believe it has an adverse effect on the multistakeholder process. Because NIS2 is not really the loopholes in the multistakeholder community that ICANN could come up with a solution. We just did not agree that the questions of accuracy of data, the questions of disclosure. We just didn't agree for multiple legitimate reasons that it should be treated and should be tackled in the way that NIS2 decided to tackle, which can lead to intellectual property overreach, which can lead to stripping domain name registrants off of their privacy rights. It can also have an effect on network operators on ccTLDs that are not for profit and now have to comply with this law. And it doesn't ‑‑ in some circumstances they say that it might not even help with security.
Another thing is that unfortunately, the implementation of NIS2 in different countries, for example, in Belgium, if I remember correctly, intellectual property rights holder can ask for the domain name registrant private sensitive data. And they are not going to be informed about that, about that request for their data, the data holder is not going to be informed about it.
So, these are like ‑‑ the transposition of the law is very problematic as well. As well as its impact on the multistakeholder process that unfortunately we didn't ‑‑ we were discussing these issues at ICANN, and somebody came up with a solution for us, which is going to have impact on human rights, on the multistakeholder model, and on various operation of networks.
>> CHRIS BUCKRIDGE: Thank you very much, Farzi. Keith, last word to you.
>> KEITH DRAZEK: Thank you, Chris. We'll hand it to Georgia briefly. Thank you very much. I want to touch briefly on a couple of things pulling from Jean‑Jacques's remarks earlier about the need of stakeholder engagement. I want to talk a minute about due process and tie it all together in the context of so‑called trusted flaggers, as an example.
As we look at the attempt to mitigate online harms within our respective areas of responsibility and technical capabilities, the concept of trusted flaggers, which is typically outside of due process. It's typically something that is identified outside of a court order where we are either asked or expected to or encouraged to take the recommendations of an entity to take action within our capabilities as a registry or registrar, a domain name takedown which disrupts the route of the content. If it's a content host, then it would be removal of the content itself.
But the concept of trusted flaggers, I think, is an example where we as industry need to make sure that we have inputs from a range of stakeholders, Civil Society interests to make sure there is recourse for the impacted party. Privacy, the ability to make sure that there's transparency about the actions that are being taken.
We need to engage with law enforcement. We need to engage with those who would seek to be trusted notifiers, trusted verifiers when action is being requested outside of a court order or outside of the traditional due process.
So, this is an opportunity, I think, for industry to engage with a range of stakeholders as we develop our own processes and as we engage with authorities in terms of whether we talk about regulation or, as Bertrand said, rulemaking. The opportunity to do better, to be more proactive and get ahead of regulation. These are important factors as we look forward to (Off Microphone). Thanks, Chris.
>> CHRIS BUCKRIDGE: Thanks very much, Keith. I want to turn now to Georgia who has been our rapporteur and ask if she has final takeaways from this session. Thanks, Georgia.
>> GEORGIA OSBORN: Thank you so much. Thank you so much for the engagement in this session. It's been an exciting discussion. And I think from the first segment we looked at the NIS2 directive and the extraterritoriality, looking at the Goldilocks effect. There's a lack of harmonisation in the EU currently that's causing confusion. Also, we looked at the difficulty in terms of jurisdiction and that extraterritoriality effect is not clear to everybody.
And then the second segment we looked at the importance of industry collaboration to prevent online harms and the reluctance to sometimes tackle content but that the importance to engage with different stakeholders across the stack, but also some of the practical realities of online harms. That does tie in to the difficulty with the NIS2 directive and implementing this directive in this complex ecosystem that we're in.
Better coordination between different actors across the stack between DNS operators, registries, registrars, hosting providers, but wills as Keith just mentioned law enforcement and everybody is really important and also implementing multistakeholder approaches, not just at a global level but a national level making it more efficient and better for us all. Working together with regulators. I guess those are my final takeaways. I really appreciate everyone's engagement in this discussion. I think it's been a fantastic discussion. And I think that's it from me.
>> CHRIS BUCKRIDGE: Thank you very much, Georgia. I want to thank all our speakers. Jean‑Jacques, I realized I didn't get a chance to get any final words from you if you have any final ‑‑
>> JEAN‑JACQUES SAHEL: Thank you very much for organising on all this. Obviously.
>> CHRIS BUCKRIDGE: Thank you for being online. Emily, thank you for being an online speaker. Bertrand and Keith here in the room, thank you. David, our remote moderator, thank you. Thank you for all in the room to get through the audiovisual issues we had. It took some effort. I think we got there in the end. As Georgia and Jean‑Jacques say, this is a discussion that needs to continue. We built on last year's workshop with this one. There will be opportunities in Oslo in six months. Thank you for the discussion. Thank you, all.