Archives

Cooperation Working Group session
19 November 2015
9 a.m.:



CHAIR: Good morning everyone. I am Colin Anderson. I am filling in for Meredith Whittaker who is acting as the sole Chair but can't be here. I'll try to take her place as best as possible. But I think that we have a great set of sessions for you this morning. And I think that you will appreciate having woken up, and I respect the fact that you have, so, I'll try to reward that.

First up, is value Tina Pavel, who is going to take to us on the development of the EU policy based especially around digital privacy. Then we'll move in session based off of that and we'll give everyone time for questions after each of their presentations. So, value Tina, please.

VALENTINA PAVEL: Hello, good morning. So, I work for digital rights NGO doing mostly advocacy work on privacy and freedom of speech, and I thank you very much for inviting me to share some of the recent EU developments in terms of privacy and data protection. So, I will talk about three major points, but I will still talk a bit more with the Safe Harbour decision because it has some implications that you might want to look into.

Could you flag me when I have like two or three minutes left so I won't take so much time.

So, as you may have heard, the European Commission proposed reform on data protection. This is well underway, but the discussions between the European institutions are still ongoing, and it's a policy priority for 2015 to finish the negotiations and to adopt the final text. And once this text is adopted, it will have ‑‑ it will bring high level of compliance obligations with significant financial resource and an administrative costs, so, this is something that should be definitely watched over.

Until it gets adopted, the directive on data protection is still in place, so, all the rules are mentioned in the directive, but the new text of laws will be regulation which will have immediate effect, that means that the national countries will not transpose the text into national laws, it will have immediate and direct application. And those others proposed directive, dealing with law enforcement issues.

Now, the second thing I want to mention is the EU‑US umbrella agreement, which puts in place a comprehensive data protection framework for EU‑US law enforcement cooperation and the agreement covers all personal data exchanged between the two countries. For the purpose of prevention, detection, investigation and prosecution of criminal offences.

The good thing is that the umbrella agreement offers EU citizens equal treatment as they will have the same judicial redress rights as US citizens in case of privacy breach. So that's the most important thing of the umbrella agreement.

Now the Safe Harbour decision represents an arrangement between the UN to US which allows exchange of data for commercial purposes. This agreement dates back in 1998, where the two states agreed on this framework to transfer data across the Atlantic as long as companies comply with the set of privacy principles, so this is self certification mechanism for companies, and this has recently been ‑‑ this agreement has recently been declared invalid by the European Court of Justice.

So, to simply put, the European ‑‑ under the European regulation the transfer of personal data to a third country is only possible if that third country ensures an adequate level of protection. So, Safe Harbour was designed to assure this thing, that US had an adequate level of protection for the EU high standards in terms of data protection.

And what does this mean for business?

Business in the ‑‑ you could transfer personal data to US without any additional requirements. So if you were a US company, you just abided by the Safe Harbour principles and that was it.

But I'm going to spend a little bit more time on explaining why data transfer is such a big problem because, as we all know, just transferring data from two computers or two countries from a technical point of view, it's no problem. I mean, you can just easily transfer data. But if you look at it from a human rights perspective, things get a little bit complicated, and that's because the Safe Harbour only applies to US companies. That means that the data transferred could be accessed by US public authorities and here the problem is twofold.

First, one of the data protection principles was breached because you have to ‑‑ once the data is collected for one purpose, cannot use it for a different purpose. So, by US public authorities accessing and collecting the data this principle was breached.

And the second problem is mass surveillance programmes, because generalised access to the content of electronic communications is compromising the right to privacy.

Also, the problem with the transfer of data to the US was that there was no legislation in place if you wanted to access your personal data to modify the data or to do some rectification with the data, so, in EU perspective, this affects the right to judicial protection.

Now, what has changed after this decision? Safe Harbour is not ‑‑ was not and still isn't the only basis on which transfers can take place between the two countries. So, it's not time to push the panic button for this, because there are two other mechanisms. Standard contractual clauses and binding corporate rules. But, what the Court says is that even if you use this mechanism, data protection authorities can still look into the transfer and stop or block the transfer if this is the case.

So, all of the transfers which are still taking place under the Safe Harbour decision are unlawful and should be stopped.

And what are businesses supposed to do?

Well, some might advise them to keep calm and do not panic because the European Commission is going to issue guidelines indicating what type of mechanisms they can use and under which circumstances for the transfer between the two countries to still take place.

This would be to alternatives, and I also have to point out that the concerns on the Safe Harbour are not new. There have been negotiations between the European Commission and the US authority to introduce new Safe Harbour agreement, but as civil society already voiced, this will not solve the problem because the root of the problem lies in domestic ‑‑ in US domestic laws and international commitments. So, until a revised framework of third countries in this respect will take place, there is no point in adopting a Safe Harbour which will still be invalidated counting the Court's judgement.

So, to conclude: I think that countries, and especially the US, need to realise that mass surveillance simply undermines national security, and for that reason also, global security of our data. It has both economic consequences as well as political, and countries have to make clear that mass surveillance is a violation of human right law, and they have to bring back surveillance programmes under control.

In my opinion, this is probably the only way the Internet will still be open and privacy will still be protected.

And that would be the points I would like to mention today, but if there are any questions, I would be more than happy to expand on these issues.

(Applause)

AUDIENCE SPEAKER: Shane Kerr. You mentioned briefly that there is an umbrella agreement now for law enforcement between the EU and the US, and you mentioned this as a good thing because now you citizens have the same rights for redress and so on as Americans do. But my understanding is there's basically no privacy regulation in the US at all and you basically have very, very little rights except for extremely narrow defined cases. It's not clear to me that it's great news, so maybe you can ‑‑ or maybe you can talk to ‑‑ a little bit about what kinds of protection that is actually gives you citizens.

VALENTINA PAVEL: Thank you for this question. I actually wanted to point out one important aspect from my point of view, I think the umbrella agreement is actually a paradox if we look at the court's decision, because it clearly says and ‑‑ so, if you want to have an equivalent standard of data protection, you need to revise domestic laws and you need to have good international commitments, and the US does not have that. And to be honest, it looks quite silly in a way that the US umbrella agreement was recently finalised, the negotiations were finalised but at the same time you have the European Court of Justice that says, hey, this is not really how protection works.

SHANE KERR: I agree, it does seem paradoxical. I have sympathy for the law enforcement area. I don't know. Do you detect that there is any kind of ‑‑ like you mentioned there was kind of alternate routes, they're trying for plan B, but even if this is something that regulators and parts of the Executive Branch are very interested in, as you said, without changes in legislation or international treaties, it's not really much that can be done. So, do you detect that the law makers or people are actual power are starting to notice that this is something and maybe addressing this?

VALENTINA PAVEL: Well ‑‑

SHANE KERR: I'm sorry, I'm not asking you to read the mind of Members of Parliment or anything.

VALENTINA PAVEL: Of course, but I think there is enormous pressure which is put ‑‑ at least from a civil society point of view, definitely there has been a very long letter signed by NGOs from both sides of the Atlantic specifically asking for meaningful data protection reform laws, and until this is achieved, I'm afraid that all compromise, let's say, agreements will fall under the European Courts of Justice.

AUDIENCE SPEAKER: Alexander from National Configuration. So your report was on digital privacy on EU. I am neither a US citizen nor EU citizen. What about my digital privacy? Maybe the Russian regulators try to protect Russian citizens digital privacy in some way, is there any attempts to communicate to European Union to have something like the US?

VALENTINA PAVEL: You mean like to have a similar Safe Harbour agreement between Russia and EU?

AUDIENCE SPEAKER: Maybe, maybe not, maybe there is a decision not to have it with somebody else but the US. I want to see this new part of digital privacy, not the US but to other countries, just some words.

VALENTINA PAVEL: To be honest, I haven't heard of any negotiations of agreement between EU and Russia, but what comes to my mind is the fact that Israel, for example, stopped its agreement with EU after seeing the Court's judgement. And the principles were kind of like the same ‑‑ I'm not sure of all the details, but this is what I remember reading ‑‑ that I see lately also stopped the data transfer.

AUDIENCE SPEAKER: I'll take the opportunity to ask a question. So one of the things that I was curious about right after the decision is whether there was a parallel, for example, with the EU regulations having to do with cookies, because sometimes when I'm travelling the only way that I know that I'm in Europe is I get this useless tool bar that says: Consent to this agreement or leave this website. What's to stop this decision from turning into like I'm going to start to getting layers of things that I consent to by remaining on this site, tracking cookies, data storage in the United States, what's to stop essentially Google saying either leave the site or accept that your data is going to be stored in the United States?

VALENTINA PAVEL: Thank you for your question. This is a very good one, because, in many European countries, the cookie directive was badly implemented. I think maybe Romania is one of the best examples in this case, but as you mention, this is the status quo, when you went to the website you don't have a real choice, you just kind of if you stay for, I don't know, a few seconds on that website, you have chosen to accept the cookies, which is ‑‑ which in fact was not the intention of the directive. But, hopefully this situation will change once the data protection reform is going to be adopted, because the new regulation, the new data protection regulation will have more specific rules on pro filing and of course the cookie directive will need to be synchronised with the new rules, and hopefully one of the conclusions will be that, just by visiting a website cannot simply express a valid consent for cookies. I'm not sure if this answers...

(Applause)

COLLIN ANDERSON: I get to be the person who is both both stand‑in Chair, question asker amd presenter. I have got the Trinity.

So, you know, one of the things that I mentioned is part of the purpose of the Cooperation Working Group is to bring in outside voices on issues that are sort of concurrent to this space, that are happening, that I think also warrant the participation of the people in this room because in a policy making context, it is often ‑‑ I lived in Washington D.C. ‑‑ and it's often expressed that people within bureaucracies are well meaning but don't necessarily have technical insight and there is a sort of disconnection that starts to occur especially when you go into you know, for example, a governmental institution and newer not a practitioner any more.

And so I think that one of the opportunities that we have is in a lot of these issues, in Safe Harbour, what this means for data retention, in routing policies, having to do with nationalisation of networks. Even in export control policy.

So I want to do sort of a quick debrief of one of the things that's in the policy space that is actually impactful for people in the audience and is something more importantly that people in the audience can contribute to in terms of adding critical voices, making sure that technical definitions are appropriate and determining whether something is a good thing.

So, you know, a quick history of what's going on. Essentially after the ‑‑ there was a set of disclosures that showed that western countries, especially European countries were involved in providing surveillance items to law enforcement intelligence agencies in authority authoritarian states. There is three really good examples. One is Fin Fisher who is a making of Government graded malware, was providing providing spy aware to the Bahrainian Government which was used to spy on independent media and activists in the country and abroad.

A.m. success was selling call monitoring centres and Internet traffic monitoring centres to the Libyan Government which allowed for surveillance in the order of tens of thousands or hundreds of thousands of Libyan Internet users in the country. This was disclosed when the intelligence offices were ransacked after the revolution. And then thirdly, it was disclosed that Area SPA, and Italian company in partnership with other mostly French companies was providing ‑‑ was in the process of providing a centralised monitoring system for the Syrian Government in the middle of 2012. So this was especially controversial because in the former two cases you had sort of this transition of of what had been security partners and thought of as stable, all of a sudden becoming unstable and this is a case where there was clearly a human rights impact and a stability question in play that was a lot more undeniable.

So, these things became especially in 2012, a very big part of a conversation of what is the impact of regulators on providing technology to authoritarian regimes that could be used for infringing human rights or even just national security abuses.

And this all just was exacerbated by I think the Snowden disclosures, there was sort of this impact that we don't talk about which is the disclosures made about UK and US spy also basically told a lot of governments around the world, hey, there's stuff that we can buy that is pretty cool and we want access to it. So, since then there's been a market that has grown exponentially to cater to especially developing countries that don't have the in‑house capacity to manufacture this equipment.

This makes for an interesting policy conversation, which is what is the role of regulators in preventing or facilitating the export of surveillance technologies to third countries?

So, there's a couple of ways in which this conversation about the role of regulation in a proliferation of technologies have taken place. The most visible is essentially encapsulated by something called the Wasnar arrangement. The Wasnar arrangement is an arms control treat re that came out of the especially the cold war alliances having to do with the proliferation of military and conventional arms and things that could be used for sort of nuclear proliferation.

And some of you have heard about this because this has become a thing and I'll mention that later. I want to preface a conversation about Wasnar, which was this, actually a lot of things that we encounter on a daily basis are export control. Export controls aren't a blanket prohibition, it's essentially a regulation that could prevent the transfer in certain cases. Three examples are this:

You know, we are all familiar with the Crypto wars, essentially encryption is controlled under the Wasnar arrangement. In these 41 states essentially and more. Encryption is something that you supposedly have to go through a licence to be able to export. Now this is changed over time, so even it would be even in theory that bringing your laptop which is encryption built in would be an export and subject to a licence, but you don't have to apply for a licence every time you take your laptop out of country because even though there are controls on the transfer of this, they are liberalised, there's licences, exemptions made for, you know, being a basic human being who is travelling across borders. So that's encryption.

But actually some you might remember this commercial, that when the para Mac G4 came out, actually Apple was prevented from transferring it outside the country or allowing the sale out of the United States, and mostly just disallowed from selling to certain countries. And because what was happening was that actually their export controls on what's called high performance computing, and the G4 had reached this point where it had actually become considered a super computer and so therefore it was subject to these controls. And until they were sort of making this an campaign that it's so powerful that it's considered a tank, at the same time that they were trying to advocate for these hurdles to be removed. And then there's even stuff like actually anti wire tapping systems for communications cables are controlled.

So, running a long time already.

Actually, so, in 2012, in terms surveillance technologies what was interesting is all of a sudden there were controls on things that weren't necessarily traditional military items. And the first was MC Catcher, items for intercepting mobile communications, tracking MCs, basically for surveillance of cell phones.

And then in 2013, what we saw was an expansion which was which was a thing called the intrusion software restriction which controls for the sale of essentially Government grade malware, things made by hacking team in fin Fisher. At the same time there was also controls placed on what was considered IP network surveillance devices, so what these are is it's actually an interesting technical definition, because you go in to the export controls and they say OSI layer sub, collection based off of that ‑‑ Carrier‑Grade Network although they don't define what they consider Carrier‑Grade network. So they built‑up this idea of essentially an item that does deep packet inspection on a national backbone, collects metadata and then does correlation based off of that metadata. That would be controlled for export.

So, these two things have come into effect at the start of this year in the EU. Although, elsewhere, and actually in the EU as well, these controls have not been without controversy, I want to book mark this because I have done entire presentations on this at black hat, but suffice it to say, the first implementation of the intrusion software control started to regulate what looked like pen testing equipment and sometimes the transfer of information related to vulnerabilities.

So, again, I flag this because you know, as people who run networks, things like metasploit are a part of the daily tool kit and they start to interact with a policy conversation that's happening.

So, the second end of this, and maybe more pertinent to RIPE, which is these things have happened in the Wasnar space, there is now three controls. One having to do with M C catchers, one having to do with Government grade malware and the other essentially mass surveillance devices.

Europe is moving forward in an interesting way, and I think that that starts to show where the rest of the space is going to go. So, the first development was Germany actually implemented its own set of controls which are for law enforcement monitoring centres and data retention centres, so these are essentially devices on a network that take, warrant information for Internet traffic and then signal to network device that is they should do collection based off of this warrant information, and then after that, it also controls for the systems that are used for collecting that data and storing it and making it searchable for law enforcement items. Now this only regulates when it's being purchased by a Government, it is not regulated when it's being purchased by a telecommunications provider. It also doesn't cover things like quality of service, billing functions and that he is sorts of things. So this is now a control that exists in Germany and if you sell these items or you are trying to transfer it outside of Germany, you would have to apply for a licence to the German Government before you can legally do so.

Second out of the three European initiatives is what's called a catch all control, which is essentially an interesting thing about the way that information technology works is, basically all information technology has encryption now. And so, all information technology products are actually subject to the encryption control. Again like your laptops. But, because there's this set of exemptions and licence that is exist, most of the time it's okay.

With the Dutch Government did though was it said, okay, we have these sets of licences in place and it's okay. However, if you have reason to know or if you have been told by a national authorities that that encryption related item could be used for the infringement of human rights specifically having to do with surveillance of electronic communications, those licences don't ‑‑ those exceptions don't apply and you have to actually go to the Government before you can export this. So this is really interesting. So, it's saying essentially any information technology, because they all use encryption, before it can be exported if you have reason to know that it could be used, or it will be used in a situation where human rights are in play, there is now a sort of goalkeeper here. There is a regulatory function that is approving or disapproving that transfer.

So, thirdly, one of the things that the Europeans is basically saying so Wasnar was this idea of conventional arms or anti proliferation, very military national security orientated and all of these controls as they are in place are focused on national security. However, what you are seeing in, for example, Switzerland and other countries, Italy as well, is that now all of a sudden this concept of human security, which is very much about human rights and the flow of refugees is in play, and so as much as these rules apply to issues of security, national security, they now start to deal with human rights criteria, and so now all of a sudden when authorities are looking at a licence application, they need to look at the human rights implications of that as well.

So this is something that has sort of worked through various member states and countries associated with the European Union but maybe not a part of it.

Last slide: Those three things are important things to flag because they are emerging issues. So what the European Union is doing right now it's going through an export control reform process which is basically the export control policies of the European Union are a patchwork of different member states implementations and they are all incongruent, they have different criteria. So we have seen this for example. Italy sort of attempted to firstly crack down on hacking teams transfers to countries like Sudan, but then what ended up happening is that the hacking team had friends in the Italian Government and that all of a sudden was not a roadblock any more. And so what the EU has started to do is essentially impose from the top a set of common criteria. And what this ‑‑ what has been proposed especially by the MEP Shakai from the Netherlands, is a human security is a criteria for licence applications, potentially autonomous lists which are essentially all the EU member states have their own set of controls in addition to the Wasnar controls. And then catch all controls having to do with when there's potentially a human rights infringement.

So these are things that are actively happening in the European policy space and there are technical definition beings thrown around such as what is with a lawful centre, what is a data retention suite for surveillance purposes, what is a network surveillance device? When is DPI no longer a quality surveillance mechanism but a thing to block, you know, content that is considered ‑‑ covered by freedom of expression and fundamental human rights?

And so these are all things that have technical definitions, run into the work that people do here, maybe run into the personal interests of the people in this room, and there are opportunities. A consultation for this just closed last month, but there is still ‑‑ there is still venues to speak with policy makers on what is appropriate. There is a science technology and I think engineering Working Group in the EU that is ‑‑ that you can work within and you can participate in. And all of these things I think need the expertise of the people that are here and would be welcome because sometimes policy makers know that they don't know everything about how the Internet.

All right. With that. Any questions?

AUDIENCE SPEAKER: Nearly all you are talking about doesn't exist in our reality. Because first of all, with historical review, the limitations which you talked about with computers was never limitations for real ones who really wanted to buy super computer from US and install it in Russia. So the same situation changes dramatically since that, so, all this technology for surveillance, for penetration like are available Open Source and we have Internet which distributes them. So again anyone what wants it really will get it. And for example, IS eye catchers who ‑‑ is available as open hardware, open software everything. So, these regulations looks strange and like somebody in Government seek to write something but how it's going to be controlled. It's not a question, it's just a statement because it looks like ‑‑ but unlike this, I want to give you a successful example of export regulation of surveillance equipment. You know, as peninsula agreement was acquired by Russia and now Russia rules lows work on this and they require bulk typing in offices and it's being provided by producers and a company who runs the telco wanted to buy surveillance equipment from Ericsson and Ericsson say sorry, your sanctions we can't tell it to you in this territory. In some cases it works, but I think in general it would not work at all.

COLLIN ANDERSON: That's true, and one of the conversations that happened when we're talking about these regulations is this idea of foreign availability. Is the members ‑‑ are the members of Wasnar really the primary vendors of that? And for MC Catchers it's not necessarily the case, but when you start to get into the IP network surveillance, which is multi‑million dollar equipment, that becomes less about things that are easily found oft chef. Maybe assembled especially by people with the good ‑‑ enough expertise. But, at least there are circumstances in which you get out of export controls accountability and opportunities to block, especially for example, European equipment which sometimes is more sophisticated or has greater support and so you have seen even for MC Catchers in Switzerland, after the implementation of this human security notion, blocking of Swiss exports to Bangladesh, Vietnam and other places. It doesn't say that they can't get it from China but at least what it starts to put is a goal mark the EU and the United States will not be responsible or will not participate in human rights abuses.

AUDIENCE SPEAKER: Like an ostrich position.

COLLIN ANDERSON: I think that there is a mixture. I think that there are opportunities where ‑‑ there are situations in which it's like fine, I'm going to buy from somebody else, I'm going to buy from somebody in China. And then there are opportunities where it is actually the EU and the United States are the primary vendors and sell the best version of this equipment and building walls around those actually do have a human rights impact because if they get the thing that only is capable of support 2% of the countries traffic versus 20%, maybe there is a measurable impact made off.

I have ran out my time and I want to give more time to my colleagues, so if you would like to talk about this further, I'm in the hall. It's been my entire year, so decidedly I would be happy to speak about it more, I really enjoy export controls.

(Applause)

OANA NICULAESCU: Hello everyone, today I'm going to discuss the results of the analysis of the study he worked during this summer with the people from M‑Lab.

I talk about income inequality, access inequality and geography and how they affect the way people are interconnected.

We started by asking ourselves some questions. One of them was how does Internet access in one region compare with another region. And what is the factors that are influencing it. We sometimes take good Internet access as a given. We expect to have it, especially nowadays. But, is that realistic?

During the past summer, we worked on finding out what are the characteristics of communities with good Internet access, good speed, good latency and what makes those communities good candidates for ESPs to have such good access so broadband Internet. We found that there is a difference in Internet connection between different communities. And those differences have correlated with such factors like the population number, the number of households and the median count of those communities. In other words, if you are living in a poor community with a low number of neighbours, then statistically significantly more likely to have bad Internet access than some of your friends that are living in a community with a high population and a high median income.

Let's talk a little bit about the data. The analysis was done using public data and this is available and used to produce the results. The datasets used were provided by the national broadband map and the M‑Lab team using ... what we set out to do was to find whether there is any correlation between the socio‑economic factors and the Internet characteristics. We started by studying the national road map detail. Then we found out that there might be some inconsistencies with this dataset.

We went to the M‑Lab data that was more precise, but we did it better. We analysed both of those datasets for the same region independently and then compared the results and see if there was any difference between the M‑Lab dataset and the broadband map dataset.

You are now probably wondering what exactly is this data? The measurement lab, I don't think needs any introduction. There are datasets is globally collected data, aggregated using some statistical methods like, and gives us the users insight about the upload, download speeds, latency, jitter and much more.

The broadband map.gov, provides information about availability, speed and location.

The method of collecting this data, it's self‑reporting, so, that's where the ‑‑ of my income. Who is the dataset released by the national broadband map in June last year, it was the latest, and the M‑Lab dataset was data collected over 15 months period from January 2014 to April 2015.

In the study, we analysed communities. We had to define those communities and we thought that a community would map pretty well with a county in the USA.

Now, I'll go quick overview of the methodology.

We used statistical analysis in our study and the methodology is important in the light of how it helped us to reach the conclusion. We started by doing an exploratory analysis, like we wanted to decide on which factor is most important for us. After this stage we took out those factors that have the greatest weight in our data, like households, median income, population. Keeping those factors in mind we had the cluster analysis. We wanted to see that clusters are ‑‑ having any ‑‑ using the Internet data and we wanted to see if those clusters are showing any such economic factors in common. We discovered that, yes, those communities cluster based on their Internet statistics, latency speed, jitter, uptime and so on. They were also showing similar characteristics. To be sure that there was an actual correlation between the two we finished by doing a linear on the datasets that confirmed that connection between the Internet factors and the socio‑economic factors.

Getting to the results. And what do they mean.

We are going to get a couple of slides and see how the median income and the download median and upload mean yen and the median road time trip is correlating with population and the median income.

Here we observed that the connection between median income and median download, speed in mega bytes. The higher the income, the higher the download speed for those communities. This means that the median income average of $70,000 a year and above, communities with those this median income, the performance in those communities, it's 1.51, 1.7 times better than in the communities with a median income of $50,000 a year or below. The same thing can be said about the relationship between median income and median round time trip. It can be seen that the round time trip goes down when the median income goes higher. This means that services like VoIP, which is useful for communities that are at the disadvantage economically might not be actually available for exactly those communities.

What about population? We found out that population is not such a big determinant of the quality of service on its own. As we can see, there is no clear correlation between population and median round time. But in a ‑‑ but population correlate with median income, between the two types of communities, those with good Internet access and those with bad internet access.

So why is this important? We found a clear separation between rural and urban population, like population with ‑‑ like people who are living in communities with high median income and people who are living in communities with low number of people and low median income. This means that people in the cities get a much inter Internet performance than poor people in rural areas. Policy wise we must find solution to level the field. What can we do about this and how can we change the trend? This is the opposite side of what the Internet promises. It promised to be the equal eyes err, that's notes happening.

And for future work, we wish to extend the study to the whole of the USA. Right now it was done for two regions of the USA, the New England region and the South Atlantic region. We wanted to see that if we tried to ‑‑ we started doing it in New England and we wanted to see that it wasn't just a fluke, it wasn't just happening for that region. So we did a study for the South Atlantic region. It would be really interesting to see what's the situation in the whole USA and in other parts of the world like Europe.

As a conclusion, we invite you all to help bring the Internet to everyone by ex supposing who is getting the access ‑‑ who is not getting the access they should. That's all.

(Applause)

AUDIENCE SPEAKER: Hi, Chris. You talk about availability and you talk about actual results like RTT and those statistics. To what extent does your results control for ISPs offering a range of services of different cost points and then poor people choosing the poorer one, which is more affordable for them and richer people just naturally choosing the most expensive option.


OANA NICULAESCU: We wanted to to see how the Internet compared with each of these communities. But that's really hard because the information about the price of the Internet it's not easily available, like you have to actually data might all those providers sites and get the information from there. It should be, in my opinion, it should be available you know, a database somewhere, like to see how the price of the internet exchange, so I can't actually answer your question, because we don't have that kind of data yet.

AUDIENCE SPEAKER: Chris Bruckridge, RIPE NCC, speaking on my own behalf as well. I'm just curious, the sort of the two points you seem to be talking about are urban wealthy populations and rural poor populations. Is there any study or have you considered where urban poor fit into that?

OANA NICULAESCU: The country is road mapped mostly to urban and rural. How we get to the conclusion that difference between urban and rural population is that US counties were mapped to cities and to ‑‑ I don't know, smaller towns.

CHRIS BUCKRIDGE: I questions my question is whether this is allowing enough for density as opposed to socio‑economic position.

OANA NICULAESCU: Yes, density.

AUDIENCE SPEAKER: Rob Seastrom, I'll go with the crowd here and say I'm speaking on my own behalf. Did you correct or factor in to any degree the type of access technology? I live in a county that has both fairly dense suburban and urban area and farm land. There are many people who are quite wealthy and have no choice other than wireless from southwest, and there are people who are poor and yet they are in an over build place and might have a choice between HFC and fibre in the home. I'm interested in slicing the data that way and seeing if the correlation actually goes with the density more so than necessarily anything else.

OANA NICULAESCU: We didn't actually correlate with that. It was that kind of the data, if the Internet is copper or fibre or whatever, was available in the broadband map dataset, but we sort of aggregated that and only considered who had access to fibre and who didn't. We didn't actually slice it for each category.

AUDIENCE SPEAKER: Okay, so it's fibre and it's everything else? So HFC and WSIS and DSL are all in the same bucket?

OANA NICULAESCU: Yes.

AUDIENCE SPEAKER: I think that more fine‑grained analysis might prove illuminating. Thank you.

AUDIENCE SPEAKER: So, a very interesting presentation. I wanted to say that for your work and basically actually so. Other work I have seen, it's very interesting to show that, to basically two countries' regions, because they can use this information and we have researched thing, we have a lot of data, we collaborate with a lot of the researchers and governments. So if you are interested to continue this work, please contact us, we would love to help in any area we can, either publishing on labs, having outreach and also crunching data, providing more data, because it would be great. I mean mthis is in line with our to basically provide ‑‑ make sure that more people can get access especially in RIPE region for this specific case, but we would support that, so thank you.

AUDIENCE SPEAKER: I just want to ask something around, you know, we generally expect rural areas to have poorer performance for a lot of physical reasons, longer copper distances, that sort of thing. So, we might speed, higher latency as a property of being in a rural area, but we might also expect to see lower incomes as a property of being in a rural area. You earn more in the city. So, is it actually a lower income that's driving the, you know, any lower performance, or are these actually just properties of living in a non‑urbanized area.

OANA NICULAESCU: I think that's an interesting question, but...

COLLIN ANDERSON: What was the location of your dataset? So my recollection your dataset included suburban populations that were rural and may be removed from Metropolitan areas, but richer. So, if you think of New England, you think of, you have some parts of New England that are sort of distant from New York as a city, but are very, very wealthy, like the Hamptons and things like that. I think that it's not rural, but it's not heavily densely populated. You have larger houses, larger spaces in the community, but you have more wealth, so and so there was a diversity of density. And I think that one of her slides showed that there wasn't a strong correlation between population density and down throughput. Just as a numbers game.

(Applause)

COLLIN ANDERSON: Next up, Farzaneh Badii.

FARZANEH BADII: Hi all. I am a fellow at Humboldt Institute for Internet and Society. The scope is wider but we wanted to present it to you to get comments and feedback. So nothing is set yet.

And so, the proposal is about accountability of RIRs, and so by accountability, we mean that the decision makers be answerable to those affected by the decisions.

And so the organisation should be answerable to ‑‑ well they say the community, we don't know still what that is, we have to find out ‑‑ so there are certain mechanisms to ensure accountability and Jan Sholta, a very good scholar, came up with it. There should be transparency, there should be consultation, evaluation and correction.

So, why accountability important for RIRs? First of all we always come up with these really great Internet governance principles, the right to quality, like treating everyone equally, inclusiveness, rule of law, and all these things, but then if you don't have the mechanism to enforce these, then they are just a bunch of idealistic principles.

So, we need accountability mechanisms to ensure that these principles are upheld. And also, it grants legitimacy to the organisation.

Well, it is a case study, it's not an in‑depth cases study, so, I accept any kind of correction or criticism.

So, in RIPE, who is accountable, so RIPE NCC is accountable and to whom are they accountable to? And I have taken this off their website, I'm not saying it on my own. So the RIPE community. So the RIPE community refers collectively to any individual or organisation, whether members of the RIPE NCC ‑‑ and that's very interesting ‑‑ so whether members of RIPE NCC or not, that has an interest in the way the Internet is managed, structured or governed.

What do we see here based on the Sholta criteria and mechanisms of accountability? In RIPE we see that while transparency exists, all the Working Groups are open and there is consultation, there is a policy development process, and election for membership and all that. Then there is evaluation. Of course there is appeals during the policy making process and also there is corrections, so appeals after the proposal is submitted.

But when we look at RIRs in general, and when we look at organisations, we see that there is kind of like a common approach to their governance structure and this might be the, theoretically it might be because it's mimetic, so they just copy each other, or it's coercive, there might be a regulation to adopt the accountability mechanism or it could be normative, so it could be accepted practices within these organisations and we call that ‑ I'm very scared to say this ‑‑ institutional isomorphism. The title of this presentation was institutional isomorphism, but they told me, don't. So, what is institutional isomorphism? As I said you guys, either like RIRs go and copy each other, and they just have a harmonised approach. And what we want to investigate, we want to investigate whether the approach is similar in RIRs, and the hypothesis is that institutional isomorphism actually exists and proving or disproving it entails that we look at all the RIRs.

And what is institutional isomorphism exists? Similar approach leads to harmonisation but this is not necessarily a good thing, because harmonisation might not work in different regions, not work for all the regions, for example, also effective changes in accountability mechanism is more difficult. Why? Because well, we just stick to this really amazing, effects I have ‑‑ well we don't know it's effective ‑‑ mechanism which is called multi‑stakeholder process ‑‑ so we just say, oh, multi‑stakeholder process is really good, but do we actually look at effectiveness and see if it's effective for everyone or are we just copying each other because we want to be in ‑‑ we want to be appropriate in the public eyes, not inappropriate in the public eyes of course.

So that's what we want to look at. So, does the institutional isomorphism exist and the accountability mechanism that the RIRs have is simply because they copy each other or is it because it's effective and it actually makes them accountable?

So the concluding remark is that institutional environment affects accountability mechanisms and we have to ‑‑ if we want to come up with best practices cannot just go and look at RIRs in general and the majority is doing this this is the best practice, we need to look at the accountability relations and look at the stakeholder groups and look at the regions. And if institutional isomorphism exists actually in RIRs then we probably won't need regional registries.

Thank you.

(Applause)

AUDIENCE SPEAKER: Hello, Nurani from NetNod. I have a bunch of questions and comments. We can take most of them off line. But, before I venture into this, I just wanted to understand that what you want to look at is actually not necessarily the accountability mechanisms per se in ‑‑ in the various RIRs but you want to look at this isomorphism part. Are all the RIRs actually similar because ‑‑ and area they similar? Is it because they copy each other? Is it because they have a model that works or...

FARZANEH BADII: That's one the part of the research. We also look at organisational learning. So if there is organisational learning, then it means that you guys are doing effective work, so...

AUDIENCE SPEAKER: So I'm going to bombard with you a couple of points and you can choose which ones to respond to and then we can continue the discussions.

One thing is I think that's important to keep in mind, this account, so there are buzz words that are popular now because they are popular in sort of the greater Internet governance structures or processes, multi‑stakeholderism is one of them, and I think in the RIR community, having been part of sort of the RIR community for a very long time we have always claimed that we have had this before, this term became popular. We just didn't call it multi‑stakeholderism. We always had the principles of transparency, bottom up, inclusive, etc., that anyone who wanted to participate in policy making could. We just didn't call it multi‑stakeholderism because we weren't inventive enough in coming up with buzz words.

The other is accountability. I just wanted to point out that these are are principles that sort of shape the RIRs, and it's shaped the RIRs in various ways, and I think you know, yes, the similar ‑‑ the RIR communities are similar but they have evolved and that's the organisational learning that you were talking about. The RIPE community was very different ‑‑ it was in a different community but it had different processes 15 years ago. We shaped policy in a different way. Some of these processes that are very well defined now were not well defined 15 years ago. So that was a learning process for us. Defining these processes, writing them down, telling people about them to make it easier for people to participate.

I also wanted to say that you also need to be a little bit careful when you talk about the RIPE NCC and RIPE, and I know this is may be complicated, but when we talk about accountability, we're not really only talking about accountability of the registry, because the policy making and the decision making takes place in the community. And that takes me to the next point about accountability.

I think accountability in the ICANN structures, is defined as okay, so we have all these power structures, how can we find ways of dismantling that power when we have to?

Well, I actually think in the RIR communities, we are in a more true way talking about community empowerment, and so instead of putting lots of powers at the top of our structures and then finding ways of kicking those people off those power positions, we talk about community empowerment and we spread the powers throughout the community so to speak.

And then just very quickly, because I know there are others who have comments. Then, trust, and that's the other part accountability. You can't have accountability unless you have trust. And I think that trust is something you get with the community empowerment. And, again, I think this is something that the various RIR communities have developed over time.

The part about isomorphism is also that you have to understand that the RIRs in one region are not just accountable to that community in that region, so you also have stakeholders who are actually have got a stake in several RIRs, so, I think that's where you get that learning, sharing process. What we learnt in the RIPE region I make take with me to the ARIN region and they go, yeah, that makes sense.

And then I just want to say one final thing about accountability. And that's one thing that Jan Schultz has said when he presented this thing about what is accountability? And that is, he said a great thing and that was that accountability is never achieved. It is something that's pursued. And I thought that was a great thing to keep in mind when looking at accountability.

FARZANEH BADII: Thank you very much. I think those were statements, do I have to respond?

SHANE KERR: I am speaking for myself. So thank you, I think it's a little bit brave coming into a meeting of a Regional Internet Registry and saying here is some observations which you may find uncomfortable.

So, I also spotted some of the same things that Nurani did as well. I think in terms of comparing the different regional registries, certainly I find RIPE unique in that what is now the policy making body of the RIPE NCC predated the registry. RIPE was just some folks who had some problems and got together for coffee and had lunch, and then evolved from there, right. Now, it's very far from that today, but it's very weird to try to explain what RIPE is to people who aren't kind of steeped in the culture, because there is no RIPE incorporated. There is no RIPE institute, there is no RIPE Government body. It's basically just anyone who declares themself a member of the RIPE community, that's what makes RIPE. It's hard to map that on to other structures and other things. I mean there are clubs and people who just do this but coming at it from the point of view of a regulator or from a legal framework, in some ways it doesn't make any sense answered I think it's hard to get your hands around that. Other regions don't have that. In ARIN, they had to boot‑strap up a community after the registry was created. And part of the reason you see the isomorphism ‑‑ part of the reason you see this isomorphism, these similarities, is because they were deliberately modelled after existing registries, so, ARIN didn't have a community, they needed one, let's go find one that seems to be working pretty well, and at that time RIPE had something like that.

So, I think it's no surprise ‑‑ and I think honestly, you see this in any field of human endeavour. If people are working on something, they are trying to solve similar problems, they often come up with similar solutions. It's not to say that there is not cultural transference and things like that, but you know, covergent evolution does happen in organisations as well as in nature.

I'm sorry, I was annoyed at people for making speeches at the microphone and here I am doing it.

I'll just say the final thing also that I noticed about multi‑stakeholderism stuff. We didn't have that 15 years ago, it's not something that we had, but we still had the same approach to our community, so I think multi‑stakeholderism doesn't actually match to what we do, because we don't split our community members up into particular, representing particular communities. Everyone does, of course, but that's not how we approach it in RIPE. I'm done.

AUDIENCE SPEAKER: Good morning. Axel for the RIPE NCC, actually similar to what Kavi said a bit earlier, this is very interesting. I really like you turning up here at this time after we have more consciously shaped ourselves around accountability and how we interact with our members and our community. I would very much like to support you in your endeavour. And talk to you much much more about this type of thing. It's really interesting. Thank you.

PETER KOCH: Speaking for myself. Part of the RIPE community is living the lie that the only rule is that there are no rules and that has certain consequences for accountability. The one point I was ‑‑ the minor point I was going to suggest is that on your slide where you say who is accountable, you mention that the RIPE NCC is accountable and then further on you suggest that, oh, yeah, the Working Groups are open and so on and so forth, but the Working Groups are in no way, shape or form attached to the RIPE NCC, right? So there must be something else that is accountable, and the interesting aspect you might want to look at is the self‑referential or not nature of the policy development process itself. I'm very glad to see that somebody is going to investigate that, because there might be some interesting things to find. Thank you.

AUDIENCE SPEAKER: My name is Valentina, I'm from the Association of Technology and Internet in the Bucharest. My question is related to what you put on your first slide or second slide with to whom is RIPE accountable to, and you underline the fact that it's basically everybody, and now I'm kind of asking RIPE in its whole, another problematic aspect which deals with spam. Because, I'm not sure if many people know, a very large section of the Romanian IP space allocated by RIPE is blocked and then reallocated to end users, so how much of the IP space is blocked by spam related block lists and, you know, what's there to prevent this and if nothing is there, who is accountable for this?

FARZANEH BADII: Guys, be there, be accountable.

AUDIENCE SPEAKER: I have been looking for an answer on this, so thanks.

PAUL RENDEK: I'm so happy you actually came here and did this because I have been pushing us in this area, all the RIRs actually, in the whole accountability area, because I could see that this was going to come in our direction. I'm surprised it's you, that's the first one that's come here and brought this forward from this perspective outside taking a look at this. The question that was just asked was a very good one because I think that when you start going into the accountability and you start looking at this, you probably could pull everything, including the kitchen sink, into RIPE and RIPE NCC and start looking for the accountability of it.

So, I think it's important to map out what you will be looking for when you are throwing the word accountability around and what that means.

And I very much welcome you to dip into all the different RIRs to see what's going on there because you may be thinking that it looks very homogenous from the outside. There is a lot of window dressing that goes on to make it look like that. From an operational perspective, to get it that way, can be ‑‑ can create some heartache, and I'm one that sits in the middle that.

So, I very much welcome this study, and you know, I think you know the crew of people that I work with at the RIPE NCC and I don't know, I can't speak for the other RIRs but we certainly would like to help you with any information you need to make your study go where it needs to go. Thank you.

(Applause)



TAHAR SCHAA: So now I have to be quick I see. My same Tahar, I'm consult for German Government I am speaking on behalf of Constanze who couldn't join the meeting, and I would like ‑‑

We just talked about who the RIPE is accountable for and who is the community. And very often we speak here about the role of governments like the role in a bad way and so they want to force us to accept surveillance and all this stuff. But, this may be, I don't comment on this, but there is another role of government's, because there are ‑‑ they are part of the community itself. They need addresses too. They need to use the Internet for themselves too, so they are ‑‑ they have also the role to be part of the users of the Internet, and this is a quite new role, because in the past, the main actors in saying hey, we are the Internet, we are the users, we are the providers, are ISPs and some NGOs, but Government itself never stepped forward and said okay, we are users too of the Internet and therefore we have rights to have our needs to be respected also.

The German Government somehow decided to do this. And we found out ‑‑ I go over it because I have to be quick ‑‑ that we think that we have to engage in the community, in the same way than any other stakeholder, to be respected, so if we want to have some policies changed, we have to do a proposal, we have to do the discussion on the mailing list and all the stuff, it's okay. But on the other hand, what we would like to have and what we expect somehow is that if the RIPE community wants to reflect all the users in the Internet, then governments are also users and they have to be reflected in policies and all the stuff. If these requirements and their needs are somehow legitimate, somehow senseful. And so we see ourselves as an equal part of the Internet community, nothing staying above all the others. We learned a lot about the community in the last years, and it's this evil word multi‑stakeholder, but it's just the way the RIPE worked for years and it's just a new buzz word from my perspective. But what we would like to have is that it's respected that we are some kind of new type of user. We have what we call a Government LIR and Government LIRs have some slightly different requirements than ISP LIRs. There are also the role of enterprise LIRs and what I call the communities, please respect that there are now more types of LIR users in the world.

So, please be happy if there will be some policy proposals with the content of our needs so that all the users are reflected, we too.

So this is somehow the conclusion. And we have one positive example that this works. And I think this is not only important for us as Government LIRs, it's important for the community to keep the legitimation in the point of view of the other governments, we had a proposal made by MOD in the UK, it's change of the RIPE NCC allocation and assignment policy for IPv6 and now it reflects a little bit more the requirements of governments, and we propose ‑‑ and we plan to propose another proposal to make the subsequent allocation criteria consistent to this change. So, we keep on working and we are happy with it. Thank you.

(Applause)

AUDIENCE SPEAKER: It's a comment, thank you for this. I think you are really on the right track. I just wanted to mention in the RIPE NCC we are also aware of this, let's say, change in the community, and we are ‑‑ we have already, we have started a few years ago to start to engage with governments and then others work of the policy team and our ER and comes, but for next year, as was presented in Axel's presentation, we are going to focus on the statistics and we want to show it basically to the whole community that actually it has changed over time, we used to be mostly ISPs academia but now there are a lot of different organisations in our community and we want to highlight it and you are completely right that the whole community has to understand that it's not just any more an ISP community. So thank you for that. And I can assure you, especially for next year, we really want to focus on giving that message even more structure. Thank you.

AUDIENCE SPEAKER: Nurani from Netnod. I'll keep it very short. I think it is fantastic to see this. I think you are actually setting an example for other governments, and it shows ‑‑ and also not just by doing this, but by being active in this community, it shows ‑‑ I won't say a new way, but it shows a really really constructive way of engaging between two communities and becoming part of this community. So thank you.

CHRIS BUCKRIDGE: I have 30 seconds so I'm going to solve that by speaking very quickly. My name is Chris Buckridge and I work with the RIPE NCC and I am giving a quick update on the thing that we call WSIS plus 10 and I am going to start with a slide very similar to a slide I presented six months ago at the last RIPE meeting but basically what is WSIS, why is the plus 10? WSIS is the World Summit on the Information Society and it was an UN event convened in 2003 and 2005, two separate big meetings, but it was a seminal event in the new current understanding we have of Internet governance as sort of encompassing technical but also much wider public policy, policy related issues. That World Summit came out with a number of outcomes there. The significant ones are the Tunis agenda, which is a document that same out of the second, second meeting and which is referred back to as the sort of defining document for much of this. But the other was the creation of the IGF which obviously has been happening for the last ten years and which we see as very important in the Internet governance world.

So what's happening now is it's ten years since that second WSIS meeting, and the UN General Assembly, which is sort of the overseeing organisation for WSIS originally is doing a ten‑year review, so that review includes taking stock of what's been done, what's happened in that time. Noting where there might be continuing gaps or challenges, gaps in sort of where the reality is not meeting the ideal of what policy Internet should achieve and identifying future priorities. So seeing this WSIS as an ongoing programme, and ongoing activity and what the UN and policy makers hope that it can achieve.

So, this review process is essentially happening in a high level meeting on the 15 and 16 December officially, but that's really the culmination of a much longer process and I have got here really what's been going on throughout this year, the key points here are that, it's been facilitated by the general assembly, there are two what they call host facilitators and that's Latvia and the UAE, and there's been a sort of iterative process of releasing drafts of the output document, getting feedback, comment, discussion, negotiation, that will continue up until the end of the high level meeting in December. And there are details on all of that and that URL there.

For this community what's important to know I guess is actually Internet governance as we see it from the RIPE community, from the RIPE NCC membership, RIPE NCC, it's a very small part of this. WSIS is much more focused on development issues, ICT for development. It has focused on the things like human rights. There's some quite heated discussions at times. It does touch on things like cyber security but from a more political aspect than most of us are considering it. But it also then talks about the IGF, that was one of the key outputs of the original WSIS meetings and so that ten‑year ‑‑ WSIS gave a ten‑year remit to the IGF, so have an annual meeting every ten years. With the IGF that took place last week in Brazil, that remit has now expired and so part of this discussion in the UN General Assembly so to renew or extend that mandate for the IGF. And we as the RIR community and as the broader technical community have been supportive of the IGF and very supportive of saying this is something we would like to see continue; that there is a community there around the IGF, that this is a useful thing to happen in its current form so as a non‑decision making body, more of a ‑‑ if you want to put it negatively, an talk fest ‑‑ if you want to put it positively, a chance for people to come together to discuss issues and maybe head off the kind of regulation that policy makers would be inclined to do and that might cause problems elsewhere.

What we're seeing in the current discussions, the current draft is that it is likely to be renewed by the general assembly for ten years and essentially under the same remit as it was originally. Which is, another important part, because there have been certain member states pushing that it be a more decisional body, more of a sort of ‑‑ well, closer to a UN body I guess, a traditional UN body.

The other concern for this community I think is replacing the word multi‑stakeholder with multilateral and there is a lot, I guess, negative buzz around that term, multi‑stakeholder, but if you want to see it in a more positive light, try to replace it with multilateral, suddenly it looks a whole lot nicer. There are a lot of states who really would like to see a lot of these decisions much more solely in the hands of governments. And that's something that really the original, WSIS in a very innovative way, pushed away from and said no, Internet governance is something that needs to take in the needs all stakeholders involved in the decision‑making process, involved in, well, things like WSIS and the IGF. Not everyone agreed with that at the time, and there are still plenty who don't, so there is still this sort of ongoing conflict there.

And enhanced cooperation is one term that sort of gets to the root of that where a lot of governments are saying, we were promised enhanced cooperation between stakeholders to ensure that this worked and we haven't seen that, there is not enough opportunity for governments here to participate which is obviously something we would see a little differently.

And then the final thing is this is that is an ongoing process. There will be this review but one of the discussions is then what happens in five or ten years? And the two sides of the argument here are again about those governments who would like to see the UN general assembly, the UN governments have a much more hands on, controlling role in this, so saying let's have a summit again in five years and look at what we can do versus those who say actually you have set up the IGF, that's a useful tool, a useful forum that happens every year, we don't need the general assembly coming in here every five years so say yes you can keep going with this. It's more of a sort of stand‑alone event and that's how it should be.

But so then the other key thing to know and this I think has been some source of confusion. This WSIS review is not multi‑stakeholder in the true sense of all parties having a role in the decision‑making process. WSIS was somewhat multi‑stakeholder. The IGF is certainly a multi‑stakeholder event, it follows that model. This is really an UN General Assembly review and there have been member states who are very supportive of multi‑stakeholder models who have pushed for other stakeholders to have input. That's included the co‑facilitators who have been very outgoing in trying to get the input of others, but at the end of the day, this is going to be a decision by those UN member states and part of ‑‑ well indicative that have is the fact that we have a draft now, the next stage of negotiation for that draft would have been called informal informal negotiations which will only include the UN Government delegations in New York, there'll be no one else in the room.

So, at that point, it can be ‑‑ you can wonder what is our role here? Area we worried about this? I think our role here is to support those member states who are supportive of the multi‑stakeholder model. They are sort of in this process pushing our argument for us. Anything we can do to support them to provide them with information is useful, is important. And then also, obviously, whether it's multistakeholder or not, this is something that will at a very high level have an effect on this community. So part of what the RIPE NCC's role here is to report back to you and so we'll certainly be doing that after this meeting in December.

And so finally, there is just some links here to some just additional information. The WSIS plus 10 website. The latest draft which we have, which, as I say, is still subject to further negotiation. And actually this WSIS plus 10 joint statement. This is something that came out at the end of last week, and came out of the IGF process where there were discussions about the WSIS plus 10 and a number of the technical community organisations put together this statement and sought other organisations and individuals to sign on. They are actually now more than 100 organisations and individuals who have signed on to this. And it essentially makes the points that I have made here, that the continuation of the IGF is important. That the respect of and continuation of a multistakeholder approach is important, and then also that the focus of WSIS on development and on connecting those who don't actually have Internet access should be the priority for an organisation like the United Nations. That's, it that's where we are, and if anyone has any questions, I'm happy to answer them quickly.

AUDIENCE SPEAKER: Is the open WSIS joint statement still open? So if I have an organisation, would I be able to sign it? And broader than that, outside of sort of listening to report backs in December and seeing how you go through the process, if I'm interested in engaging, for example, for advocating to member states that are friendly to a multistakeholder process, what would be the best venue for me to start in that like sort of advocacy role?

I am an Internet citizen like 90% of the people who have asked questions.

CHRIS BUCKRIDGE: Thank you Collin. First question, yes I believe it is still hope. If you go to that website I believe there is a link there that you can sign up. In terms of engaging governments, it's quite late in the process I think at this point. Certainly, as I say, we will plan to be there in December. Others like the Internet Society have numerous people engaged in this. But, I think ‑‑ well, two things: The draft ‑‑ the language of this output document will be I think relatively final by the time we get to day one, 9 a.m. of that high level meeting. They don't leave these sorts of the things to final chance negotiations like that. So, at this point, given that the negotiations between now and that point are going to be purely UN /Government focused, you could try talking to your Government, and I know the US State Department is involved in this and I can connect you with people there if that's useful. But ‑‑ there's probably not a lot that can be done at this stage of the game.

AUDIENCE SPEAKER: Paul Rendek. Actually, that's great. I'm happy to see that somebody is taking an interest in this. For this particular meeting that's coming about in December, we're not excited about it actually. We think that from the documents that we have seen or were the preps or non‑preps that we have seen from governments going into this meeting, I don't think it's going to be anything that's going to give us too much excitement. I think what's going to raise the eyebrow is when they all come together and decide that they need a summit and then they're going to go give themselves a couple of years to prep and in those couple years to prep, we are going to need this community behind this in this because we will be going back into the whole space with this and probably in some cases starting again from ground zero and this is where we're going to need community people coming and being a part of this. We certainly will be rallying the troops at that time. But for me I think it's important to follow, it maybe see the issues and then see what's going going to come out this. I'm more interested to see what's going to happen after all this has happened in December.

AUDIENCE SPEAKER: I think Paul just answered my question. I just wanted to say do we have to care about this?

CHRIS BUCKRIDGE: As I say, this is happening at a very high level, and I think ‑‑ yeah ‑‑ the challenge in this is always to connect what's going on at that level to the more operational on‑the‑ground realities. Yes, and that's not always an easy thing, it's not always something that's very apparent. So do you have to care about it? Maybe. Yes, with an if.

(Applause)