WCIT Redux

Richard Hill has published an article in the Oxford University Press International Journal of Law and Information Technology. In it he offers his analysis of the 2012 ITRs and some of the criticisms lodged against them. Given his prior position as a senior staff member at the ITU, Mr. Hill is in an excellent position to offer opinions based on his experience in the process leading up to the WCIT and the WCIT itself.

The process leading up to the WCIT and the WCIT itself saw the introduction of a large number of proposed changes to the ITRs. Most of these proposals were not adopted in the final treaty text but they form part of the record of the development of that text. Mr. Hill fails to mention these proposals and ignores their import in his analysis. I consider this significant given Article 32 of the Vienna Convention on the Law of Treaties (quoted below).

Article 32
Supplementary means of interpretation

Recourse may be had to supplementary means of interpretation, including the preparatory work of the treaty and the circumstances of its conclusion, in order to confirm the meaning resulting from the application of article 31, or to determine the meaning when the interpretation according to article 31:

(a) leaves the meaning ambiguous or obscure; or (b) leads to a result which is manifestly absurd or unreasonable

Rather, Mr. Hill relies solely on Article 31 as the basis for his arguments to conclude that “it is incorrect to conclude that the WCIT outcomes establish a new international regulatory regime for the Internet and give new powers to the ITU”. He goes on to say that they do not “threaten the current multi-stakeholder model for Internet governance or free speech”. From the narrow perspective of Article 31, these statements might be true. However, when one considers preparatory work and the discussions at the WCIT itself, a rather different analysis emerges along with conclusions inconsistent with the narrower approach.

Preamble

Mr. Hill first addresses criticisms targeted at text in the Preamble. He states:

“The criticized provision in the Preamble states: ‘These Regulations recognize the right of access of Member States to international telecommunication services.’

“It has been stated that this is an unprecedented new clause which is inconsistent with established principles of international law. It is a dilution of human rights as applied to the individual and creates new rights for governments to avoid international sanctions.”

Mr. Hill believes that this statement does not grant any additional rights. He argues that  the 2012 ITRs must be interpreted within the constructs of the ITU’s Constitution which permits Member States to “cut off communications with any other Member State”.

However, given that the 2012 ITRs are subsequent to the ITU Convention, it could be argued that the ITRs have precedence and as a consequence, the Constitutional provision to “cut off communications” no longer applies. This certainly would be the interpretation per Article 31 of the Vienna Convention were it not for the clause in the ITU Convention that states “In the case of inconsistency between a provision of this Constitution and a provision of the Convention or of the Administrative Regulations, the Constitution shall prevail”. (The ITRS are Administrative Regulations as defined in the Constitution.)

From this perspective, one sees that the issue might not be as clear cut as Mr. Hill would have us believe. Rather, we have a set of conflicting instruments that will necessarily require interpretation if a conflict ever arises. How that conflict is resolved is far from clear and will likely entail a look at the preparatory process as well as the WCIT itself in order to determine what was intended by those drafting the treaty text.

During the discussion at the WCIT on the inclusion of the controversial “states rights” text, delegates of some Member States supported its inclusion as a means to balance the rights of sovereign states with the rights of individuals (which are now also expressed in the Preamble). While these comments are seen by many as a demonstration of a fundamental misunderstanding of human rights, they also serve to place the inclusion of this text in context. That context is human rights and an agreement between the 89 signatories that human rights might somehow be balanced with sovereign rights in the area of telecommunication.

An interpretation analysis that focuses solely on Article 31 of the Vienna Convention misses this critical point, while one that includes Article 32 takes into consideration treaty preparatory work and the circumstances of its conclusion. This information could be considered in determining which provisions of the ITU’s governing documents prevail. If the 2012 ITRs are determined to have precedence because of their increased scope (human and states rights) and their later adoption, they could be considered to in fact grant a significant right to Member States that accede to the treaty. Seen from this perspective, one can understand why 55 nations chose to no accede.

If the provision in fact does not grant an additional right because of conflict with the Constitution, one wonders why this provision was added and why the possibility of conflict was not raised by ITU legal staff. Those most familiar with the ITU’s foundational documents would have been aware of the possible conflict and were in a position to raise the issue at the conference. The issue was not raised during the Conference and as a consequence the record demonstrates no opposition based on discussion at the time. Instead, the record shows that states favored an expansion of rights for states as well as the concept of balancing state and human rights.

Authorized Operating Agency

Mr. Hill next addresses use of the term “authorized operating agency” and asserts that “there is no reason to think the new ITRs (which apply to exactly the same entities) could create problems. While it is my hope that no problems arise from the change from Recognized Operating Agency (ROA) to authorized operating agency, I do not share Mr. Hill’s confidence regarding possible problems.

There was significant discussion during the preparatory meetings for the WCIT and at the WCIT itself regarding Recognized Operating Agency and Operating Agency (OA). On the one hand, numerous Member States supported a change to OA and others preferred retaining ROA. At the Conference, “compromise text” was proposed and discussed. The addition of the term “public”, while helpful, is not equivalent to “public conveyance” which some had argued for. Had that term been adopted in the final text, I might agree with Mr. Hill’s assessment but as the text stands, supported by the discussion at the WCIT, I find there is considerable opportunity for problems to arise in this area.

Regional Traffic Exchanges (Internet Exchange Points)

Mr. Hill then discusses regional traffic exchange points and concludes “there is general agreement that implementation of national and regional Internet exchange points should be encouraged” and consequently “it is hard to understand why this provisions should be criticized”. If one believes that the ITU should expand its scope and that the ITRs should address technology-specific issues, I might agree with Mr. Hill’s statement. However, I would prefer that the ITU’s scope remain limited and that the ITRs avoid technology-specific references.

Regarding scope, it is clear both from the preparatory work and the WCIT itself that many Member States prefer an expansion of the ITU’s scope. In particular, proposals to change the definition of telecommunication to include ICTs was (and is) especially concerning to many. Formal inclusion of “information technologies” within the scope of the ITU would be a fundamental change, and could present considerable opportunity for confusion and problems.

If we examine “traffic exchange points”, we find that the discussion leading up to the Conference was about Internet Exchange Points (IXPs) and an “accommodation” was made to avoid technology-specific language. However, there can be no doubt that the language in the ITRs is in fact a reference to IXPs and that by its inclusion in the ITRs, the signatories intend to include the Internet within the purview of the ITU. Some find this objectionable and it is surprising (to them) that others find understanding that objection “difficult”.

From the perspective of a high-level, limited, technology-neutral set of ITRs and a limited, perhaps even more limited, role for the ITU one has no difficulty understanding the objection to the proposed text. From the perspective of an increased role for the ITU, understanding is less forthcoming.

Spam and Security

The last of the treaty provisions to be analyzed are those related to security and spam. Mr. Hill points out that the spam provision is non-binding, that several countries already have spam provisions in place, that states are free to do as they wish, that the ITRs are subordinate to theITU Constitution which recognizes human rights, and that Article 1 (Purpose and Scope) contains an overarching provision that excludes content.

It is true that some nations have spam provisions in place. It is equally true that experts generally regard these efforts as ineffective in mitigating spam whereas private efforts of an international scale have proven quite effective. ITR provisions suggesting that state cooperation will have a positive impact on spam mitigation are at best misguided and at worst will draw attention and effort from other demonstrably successful efforts. This would be most unfortunate.

Mr. Hill also correctly points out that states are free to do as they wish with respect to content. What the new provision in the ITRs does is to provide international recognition of that fact and at least some measure of support since there is a call for cooperation “in that sense”. Those wishing to use the ITRs as a pretext for content filtering will certainly overlook the admonition in Article 1.

Perhaps more importantly, a review of the WCIT record will reveal that during the discussion of this provision, several attempts to introduce the content admonition within the text describing “unsolicited bulk electronic communications” were rejected because it was clear that the only way to determine if a message is spam is to examine its content and stating that this provision did not relate to content was absurd.

A quick look at a definition of spam will reveal the need to view content in order to classify a message as spam. The New Oxford American Dictionary defines spam as follows:

(n) Irrelevant or inappropriate messages sent on the Internet to a large number of recipients

(v) Send the same message indiscriminately to (large numbers of recipients) on the Internet

Determining relevance or appropriateness are matters of opinion and judgement that require analysis and review of message content. The group charged with drafting the spam text recognized this and chose to address the absurdity by kicking the problem “upstairs” where a provision in Article 1 was inserted. However, the absurdity remains.

Mr. Hill claims that Article 1 prevails and that content can not be considered in determining if something is spam. But that leaves us with a completely inoperative treaty provision that surely the ITU legal staff would have recognized and raised to the attention of the Conference. That did not happen and as a consequence we are left to determine what was intended.

An article 32 interpretation yields an analysis that reveals significant dialogue on the subject of spam and the desire of many signatories to address it through state cooperation. A number of non-signatories objected to this text for a variety of reasons including its content-based nature. One possible interpretation of the final text might be that the signatories intended for content to be considered and begrudgingly added the Article 1 admonition in an attempt to induce others to accede. Since that failed, and we are left with an absurdity, the provision in question could now be considered to address spam in all its content-filled glory.

This seems to me both a more accurate reflection of events and likely interpretation given available facts and an analysis of those that signed and those that did not. Those signing wished to address spam at the state level whereas many of those not signing did not.

While an argument can be made that the signatories intended that content not be considered in the application of the spam provision, the facts and a fuller analysis demonstrate something quite different.

Mr. Hill’s arguments on the security provision are interspersed with his analysis of the spam provision and my commentary above applies to security as well. In addition, if we review the record of treaty preparation we will see that security discussions included the phrases “cybersecurity and “information security”.

Some claim the phrases are interchangeable. However, having participated in the discussions leading up to the WCIT I find them quite different with those advocating an  “information security” regime far more tolerant of human content-related provisions than those preferring the cyber term. These are fundamental differences and as with the spam provision, we can see that many of those that chose to accede to the 2012 ITRs hold this “broader” security interpretation. Those that did not prefer a narrower focus.

What the treaty means in practice likely will be determined by those that operate under it, not those who do not. To see what a number of those states intend, I suggest reviewing WCIT Document 47-E.

The ITU’s Internet Governance Role and Scope

Mr. Hill concludes his analysis of objections to the ITRs and WCIT outcomes with an analysis of Resolution 3 which “invites Member States to discuss Internet-related technical, development, and public-policy issues within the mandate of the ITU at various ITU forums, and to engage with all their stakeholders in this regard”. He concludes that the provision promotes multi-stakeholder consultations. That is certainly one interpretation.

Another interpretation, one more Article 32-like, reveals that the proponents of this Resolution in fact desire, if not demand, a far greater role for the ITU in the Internet and its Governance. Such a move would not promote multi-stakeholder consultations given the limited role available to many stakeholders at the ITU. Membership is required to participate directly. Governments have a controlling and out-sized role at the institution. Delegates are ill-prepared to engage in Internet-related conversation lacking both  technical background and practical experience.

While not treaty text, the message from the signatories is clear. They desire a substantial role for the ITU with respect to the Internet and its Governance.

Conclusion

Mr. Hill has provided us with a thoughtful analysis of the the 2012 ITRs and objections to certain provisions. From his perspective, these objections are unfounded and based on an “incorrect” interpretation of the text. Though I disagree with his analysis, I suspect many will agree with his interpretation (perhaps including the Oxford University Press).

I have attempted to review Mr. Hill’s analysis and suggest alternative interpretations of text and to offer a different perspective on the events leading up to and concluding with the WCIT. I find the larger context not only important, but also essential in interpreting the treaty text represented by the 2012 ITRs.

Posted in Uncategorized | 1 Comment

ICANN and the RAA

ICANN and the Registrar Stakeholder Group announced they have reached agreement on a new Registrar Accreditation Agreement (RAA). The script called for a huge collective sigh of relief, but that never materialized in Beijing – the latest stop on the ICANN magical mystery tour of world capitals. This latest incarnation was the largest of these gatherings meaning more people than ever before were incarcerated in meetings rooms for days on end, including weekends, discussing issues of supposed import but making precious few decisions or taking any meaningful action.

Fortunately the Internet continues to function astoundingly well without “improvements” to generic Top Level Domains (gTLDs), the subject of intense conversation, dialogue, and debate at ICANNN for years now. This will continue for the foreseeable future as ICANN struggles to decide such issues as whether bank and banks, bar and bars, or lawyer and lawyers are confusingly similar. The answers to these questions seem obvious enough to anyone even vaguely familiar with taxonomy, for example the average person that has used a book index or the Yellow Pages.

Confusingly Similar, or Simply Confusing

Such a person needing an attorney might look in the lawyer section of the Yellow Pages to obtain contact information for a recommended law firm. Unfortunately, the firm in question has more than one practitioner and has chosen to place their ad in the lawyers (note the plural) section. The average person does not find the firm and is confused, being certain they had remembered the firm name correctly. They might not be aware that the classification system employed distinguished between single and multiple practitioners and therefor might not know to search in the next category.

Of course this is a contrived example because no taxonomist of even modest skill would choose singularity or plurality as a distinguishing characteristic. In addition, even if that classification had been chosen, lawyers being smart people, would advertise in both sections to ensure that the easily confused average person would find them straight away. The Yellow Pages publisher would be pleased because revenue would double for each category that had both singular and plural entries. I leave it as an exercise for the reader to determine who “wins” in this obviously contrived scenario.

If TLDs in the DNS represent a taxonomy, and I believe there is very strong evidence of this, maintaining some semblance of order and sensibility in that taxonomy is desirable. That should be a guiding principle in deciding what strings are delegated into the root. If employed, that principle would clearly inform ICANN that singular and plural gTLDs of the same name must be avoided. Common sense also dictates such a decision.

Costs, Benefits, and Legal Advice

Another way to look at the singular/plural issue is from a cost/benefit perspective. For what benefit might ICANN determine that singular and plural versions of all gTLDs should be allowed? Does the benefit outweigh any costs? Who benefits? Who incurs costs?

A doubling of the number of TLDs could benefit contracted parties who might see increased revenue from registrants that determined registrations in both singular and plural gTLDs were warranted. Similarly, dispute resolution services might be rewarded with additional revenue. Attorneys that prosecute disputes will also benefit from the additional, if repetitive workload. Registrants pay direct costs of multiple registrations and disputes. Everyone will pay the indirect costs of errors in reporting, documenting, and investigating issues related to names in any gTLD that has both singular and plural variants.

Why would the Community subject ourselves to these costs?

One theory is that ICANN the corporation wishes to avoid lawsuits resulting from decisions it makes as part of the new gTLD program. This is a reasonable policy and ICANN’s “stick to the guidebook” fair and equitable treatment of all parties is commendable, to a point. Where the guidebook has missed something crucial, ICANN should step in and “do the right thing”. That’s the case here with the cost to correct almost certainly less than the cost to avoid. Unfortunately, any cost to correct would be borne immediately by ICANN should there be lawsuits resulting from a common sense decision, whereas the bulk of the cost to avoid likely would be borne by registrants over time. One choice introduces negative externality costs to registrants, the  other does not. With experience as our guide, negative externalities will likely win.

Fortunately, regardless of the decision ICANN makes, the Internet will continue to grow and provide benefit worldwide. Unfortunately, ICANN’s reputation as steward of the Internet’s name space can be tarnished if it chooses to avoid correcting what can be described as an obvious oversight in the guidebook.

Postscript

This post started as a review of the proposed RAA but as I continued my reading of the nearly 70 pages that constitute that agreement, I realized that a comprehensive review would require more time than I could likely commit to such an endeavor.

I recognize and appreciate that a number of people devoted countless hours to the process that led to this proposed agreement. They undoubtedly strived to produce an agreement suitable for both parties, and their agreement in principle is evidence that they succeeded. Sadly, they have also produced what I consider an agreement so complex and intricate as to render it inscrutable to the general public and nearly impenetrable to those skilled in the art. How is this “in the public interest”?

I have a single suggestion and that is to start from a clean slate with a Community-developed term sheet that is in the public interest. From there an ICANN-led drafting group should produce standard contract language (boilerplate) and language specific to the Community-developed terms, and no others. This language should be reviewed as it is developed by representatives of the registrar, registry, and registrant communities – the three communities bound by contract directly or indirectly to ICANN. This process should be repeated for registries and registrants in order to ensure that ICANN’s contracts impose fair and equitable requirements on all groups in the Community and that the Community works together to ensure its health and the Security, Stability, and Resilience of the Domain Name System and the Internet.

Posted in Uncategorized | Leave a comment

Déjà Vu All Over Again

What is WHOIS

Emily Taylor has written an excellent article outlining the issues surrounding WHOIS, its recent review, and the even more recent action taken by the ICANN (Internet Corporation for Assigned Names and Numbers) Board. I recommend reading Emily’s article as background for what follows and won’t attempt to provide a précis of the myriad issues surrounding WHOIS. Suffice it to say that the issues surrounding WHOIS have remained unresolved for over a decade and are a constant irritation for ICANN and the Community.

Life after WHOIS

Yesterday, ICANN announced that it had completed the selection process for its Expert Group on gTLD Directory Services (a longer and newer way to say WHOIS). It is encouraging to see Susan Kawaguchi, a WHOIS Review Team alumna, as one of the thirteen members of the Expert Group. Her presence will ensure at least some continuity between the work of the Review Team (I was a member of that team) and that of this Expert Group.

In its original announcement of the Expert Group, ICANN stated that:

The objectives of the working group are to

  1. define the purpose of collecting and maintaining gTLD registration data, and consider how to safeguard the data, and
  2. provide a proposed model for managing gTLD directory services that addresses related data accuracy and access issues, while taking into account safeguards for protecting data.

This output will feed into a Board-initiated GNSO policy development process to serve as a foundation for the GNSO’s creation of new consensus policy, and requisite contract changes, as appropriate.

(reformatted for clarity)

This could be seen as an extremely broad remit, were it not for the Affirmation of Commitments (AoC) that states:

ICANN additionally commits to enforcing its existing policy relating to WHOIS, subject to applicable laws. Such existing policy requires that ICANN implement measures to maintain timely, unrestricted and public access to accurate and complete WHOIS information, including registrant, technical, billing, and administrative contact information.

The Affirmation of Commitments

The AoC contains a set of promises from ICANN and the United States Department of Commerce. In it ICANN covenants, among other things, that it has a WHOIS policy and further that said policy requires unrestricted public access to WHOIS information. The AoC establishes a set of promises to the Community, a framework under which ICANN will operate. Any deviation from the promises made require careful consideration and should not be undertaken lightly or through a select group appointed by ICANN.

It is within this framework that the recently selected Expert Group must operate and as a consequence, it has a much narrower remit than outlined in the original announcement. Let’s look at the objectives of the Expert Group with the AoC in mind as opposed to the isolated setting as presented in the original announcement, where the AoC was not mentioned at all.

The first objective states “define the purpose of collecting and maintaining gTLD registration data, and consider how to safeguard the data”. Defining the purpose of gTLD registration (WHOIS) data not only makes sense, it is required in certain jurisdictions in order to comply with “applicable laws”. Given the diversity of the Expert Group members, collecting a set of purposes for the data should be a relatively straightforward matter, provided that the discussion does not wander into discussions of whether the data should be collected. That issue is already a matter of policy and this group is not chartered to address that issue.

Moving to the second part of the first objective, “consider how to safeguard the data” should be similarly simple given that this data is required to be accessible to the public, without restriction, subject only to applicable laws. As a consequence, safeguarding this data can only relate to ensuring that the data can only be modified by those authorized to do so. In the absence of the AoC, this phrase could be taken to mean that the Expert Group could consider access control mechanisms that might restrict access to data. But as we saw above, policy already exists and requires unrestricted access to this data.

The second objective is to “provide a proposed model for managing gTLD directory services that addresses related data accuracy and access issues, while taking into account safeguards for protecting data”. Access to and protection of the data have already been discussed within the context of the AoC. Access is required to be public and unrestricted and protection should be limited to ensuring that unauthorized changes  are not made. What remains, is for the Expert Group to propose a model for managing services while addressesing accuracy issues, the heart of the WHOIS debate for some time now.

Such a model would be most welcome and would be entirely in line with the Affirmation of Commitments provided that it does not restrict public access to registration information. This access is assured by ICANN through promises made in the AoC and it is entirely appropriate that ICANN honor these commitments.

Déjà Vu or une aube novelle

Time will tell whether this Expert Group can remain within its charter. If it does, it just might be of utility to the ICANN community. However, if it ventures afield from the covenants in the Affirmation of Commitments requiring unrestricted public access to certain registration data, it will have failed the Community. The transparency afforded by such unrestricted access, subject to applicable laws, is essential to the health and vitality of the Internet. It permits individuals and other entities, to know with whom they are interacting when that knowledge is both necessary and permitted.

Obfuscating, or otherwise concealing personally identifiable registration data is warranted in certain circumstances, e.g. an individual not engaged in commerce. If this Expert Group could help establish what those exceptional cases are, along with suggestions for how to best deal with them, the discussion might be advanced significantly and the Community would be in their debt.

We will know before long whether this Expert Group is the dawn of something new, or simply déjà vu all over again.

Posted in Uncategorized | Leave a comment

WCIT Denouement

Something [WCIT] this way comes*

It is midnight in Dubai and I am listening to the final readings of the International Telecommunication Regulations (ITR). This instrument is the final output of two weeks of negotiations at the World Conference on International Telecommunication (WCIT), a gathering of the world’s nations to update the the ITRs. The Chair goes through the document article by article, section by section, and with each passing “thank you”, this Conference draws to a close.

Many in the room are elated. They have won hard-fought victories. Their issues are significant. Their chosen solutions adopted by a majority in the room. They can return home proud of their achievement. We should respect their effort and the result it yielded.

Others in the room experience different emotions. They run from sadness, disappointment, and frustration to acceptance, resolve, and pride. We worked tirelessly. We yielded where appropriate but remained resolute and principled throughout. We return home knowing we did all that we could and that the best possible outcome was achieved.

WCIT Effort

I was fortunate to be a member of the United States Delegation working with a range of industry, civil society, academia, and government experts. We were led by Ambassador Terry Kramer and entered the Conference with a set of principled positions on the Internet, liberalized markets, competition and others. These positions were based on the input of some 100 delegates plus expert contributions from others interested in the Internet and telecommunication.

Like many delegations, ours was a truly multi-stakeholder affair bringing expertise to bear on the full breadth and complexity of issues related to this treaty conference. These issues ranged from arcane telecom accounting practices to the implications of placing the Internet under intergovernmental control.

In the run up to the Conference, we were repeatedly told that the WCIT would not address the Internet or its Governance. The reality on the ground proved otherwise with a number of contributions either directly referencing the Internet or obviously reading on it. Considerable effort was expended in removing or mitigating the more egregious proposals. In the process we and others communicated the benefits of a free and open Internet, liberalized markets, and competition.

Unfortunately, not all of the contributions were dealt with in a manner that enabled the United States and others to accede to the treaty. (At this writing 89 nations have signed with 55 taking other positions.) I’m sure we all wished for a different outcome, one where consensus was achieved. Sadly, that did not occur and instead a series of [non]votes were taken in order to make progress. Such is the way of a treaty conference, or any outcome-based event with a firm deadline.

Consensus

Consensus-based decisions take time. Principles must be understood, positions presented, compromises made. Throughout the process, enlightenment occurs at various times and in varying ways. Individually we consent to the will of the group. We accept the decision, because it is one we have made.

Complex issues require even more time, especially when they interact. Such was the case of this Conference that covered areas like accessibility, energy efficiency, e-waste, liberalized markets, expanded regulation, mobile roaming, human rights, and of course the Internet. In the end, there simply wasn’t enough time to bring everyone together on all the issues. Outcome was selected over consensus. Efficiency prioritized over understanding. Majority imposition over free choice. There is a lesson here if we choose to recognize it.

As the events unfolded in the final days of the WCIT, I could sense something important was occurring but couldn’t recognize it for what it was in the fog of the moment. With time came clarity and I now see both the stark contrast between the Internet Community and intergovernmental agencies’ decision making as well as the implications of that contrast for the Internet.

The Internet is proving to be the economic engine of the 21st century. It has developed without the aid of significant government oversight. It is governed by institutions that permit anyone to participate with most decisions made by true consensus. Given the breadth of debate that can occur when industry, academia, government, and individuals get in a room, it should be no surprise that decisions can be excruciatingly slow and frustrating to observe. At the same time, the process ensures that we have adequate time to learn and as a consequence we make better-informed decisions.

Lessons Learned

While Internet decision making may not occur at Internet speed, the Internet itself remains incredibly agile because individuals innovate, small groups self-form to repel attacks and address security incidents, and the community grows through a sense of ownership and pride of achievement. I’ve come to believe that the style of governance is in no small measure responsible for the success of the Internet and it is essential that it be preserved.

Would volunteers spend years of their lives on efforts where decisions are taken by a simple majority of “those in the room” that might result in their work being abandoned? Will investors fund startups that could have a similar fate? The answer to both is clearly no and the events in Dubai demonstrate how very real the potential for just such outcomes is if we cede control of the Internet to an intergovernmental agency.

What became obvious in Dubai was the power of consensus and its importance for the Internet. Voting has no place in our decision making. Straw polls, temperature taking, and other informal mechanisms to gauge consensus are important tools to achieve consensus but they are no substitute for it. When the individual chooses to consent to the will of the group, the group is strengthened in a way no vote can achieve.

The Road From Dubai

I’m now nearing the end of my day-long return journey that coupled with my day-long outbound leg bracket my time in Dubai and an experience I will never forget. I will miss the US Delegation meetings and the people I now consider friends and colleagues. Hopefully we will see each other again at the WTPF, plenipot, WSIS Review or other venues where some governments will attempt to exert control over the Internet through an intergovernmental entity. We saw it in Dubai and will likely see it in Geneva, Busan, or any of the various cities where intergovernmental agencies convene.

__________________________

* anon, Dubai UAE, December 2012.

Posted in Uncategorized | Leave a comment

On the Ground in Dubai

A quick update from Dubai, and apologies for not providing one earlier. Our days are long typically starting before 8 and running until 10 or later. Fortunately we get a lunch break that is long enough to eat and decompress a bit from the morning’s sessions. But we know dinner is a long way off.

Important portions of this conference are being webcast, recorded, and transcribed. This is significant, and may give the world its first opportunity to peer inside an international treaty conference, in real time. If you happen to watch the live feed, view a recording, or read a transcript, you might be surprised by the deferential language, style of interaction, and pace of events; unless you are in the diplomatic corps.

Member States intervene to express their position, employing language and protocol that is familiar to them. At the IETF, we hum, but in both cases the intention is to give the chair a sense of the room. The chair’s responsibility is to take that sense, encourage compromise, and move the meeting forward. In the case of the WCIT, the chair, Mohamed Nasser AL-GHANIM of the United Arab Emirates, has been fair, skillful, and impartial. As in the technical world, such a chair is frequently the driving force to success.

Steering an assemblage of nearly 200 nation states is no small matter and is complicated by the diversity of subjects that will be discussed and the range of views found in contributions. Think of this Conference as an IXP with today’s traffic loads, packets flying around destined for  different continents, each requiring a bit of special attention, all managed by a single server from a decade ago and you get an idea of what the Chair must contend with.

Our hosts, the United Arab Emirates, are gracious, the facilities unparalleled, and support services superb. As an all-too-regular attendee of large-scale events, I find the facility impressive and well-suited to this Conference. Rooms are well-equipped with all the accoutrements of a modern day event including power, wifi, and a range of eateries at the venue. These may seem like inconsequential things, but their availability and quality facilitate exchange of information and dialogue in a relaxed setting.

Given the diversity of opinion, strength of position, and limited time, I expect the facilities themselves will play a significant role in the outcome. Of course, the delegates and their mutual desire for reaching common ground are important, but that is a given. A superb chair and equally superb facilities are not and we are most fortunate to have both in Dubai.

Progress has been made but this is a complex Conference. It will be some time before a better sense of the larger room will become apparent and predictions can be made.

I’ll provide updates as and when I can.

Posted in Uncategorized | Leave a comment

The Road to Dubai

I’m writing this on the first leg of a day-long journey to the International Telecommunication Union’s (ITU) World Conference on International Telecommunication (WCIT). I’m breaking a self-imposed writing moratorium on the subject to set down some thoughts regarding the WCIT, and the road beyond.

Prior to the WCIT, the ITU hosted what has been praised as a successful World Telecommunication Standardization Assembly (WTSA). Closely following the WCIT will be the ITU’s World Telecommunication Policy Forum (WTPF) in May with preparations already well underway. In parallel, the United Nations is ramping up efforts to conduct a World Summit on the Information Society (WSIS) review in 2014/2105 with a set of open preparatory consultations in 2013.

While the WCIT will not be about Internet Governance, the WTPF is designed to discuss the Internet and its Governance. A quick review of WSIS documents and the Tunis Agenda reveals the same. Many of the same the actors that will participate in the WTPF and WSIS review are gathering at the WCIT and I suspect there will be informal discussions on the topic. From my perspective, this is a good thing and Dubai is where next year’s journey begins. It is one I look forward to and have great hopes for.

The coming year will be a telling time for the Internet and its Community – and by that I mean everyone that uses or is touched by it. Decisions will be made that will impact the world that we and future generations live in. Will history be kind to us? Time will tell.

Perception

The Internet is a conundrum when viewed in the large. Some define it simply as a network of networks; an excellent and useful definition. Others define it by a set of ideals and principles; open, transparent, and generative. Yet others might refer to it as a big telegraph. And there are other definitions and perceptions of just what this thing we call the Internet is.

From my perspective, each is in some way right, not all can be simultaneously true, and therein lies the conundrum. How can everyone’s view of the Internet be correct when not all can coexist? Welcome to the real world, the world of individual perception. The challenge for us all as we enter into discussions is to make ourselves not only heard, but understood while listening to and understanding others.

Guiding our discussions on the road to Dubai and beyond, I hope we weigh our actions against a simple maxim, “Will our children and grandchildren be better off as a result?”  Keeping that in mind should help us focus on the future without losing sight of the present, enabling us to provide an Internet worth inheriting. It should also signal to our children, the responsibility they and future generations have.

Internet Trust

The Internet exists as a consequence of the diligent efforts of untold volunteers who believe in a set of principles and ideals. They did and do yeoman’s work and deserve not only our appreciation for their effort, but respect for their motivation. Knowingly or not, they have placed the Internet into a kind of trust and we, the Community, are both beneficiary and steward.

This Internet Trust is an unusual non-entity that exists to ensure that the ideals and principles that are the foundation of the Internet are maintained and observed. In addition to simultaneously existing and not existing, this Trust operates without any documentation; its structure is amorphous. No one, yet everyone is responsible for the principles and ideals with each member of the Community having a different perception of them.

One of the marvelous things gained by not explicitly defining the Internet or documenting the Trust through which it is governed, is the ability to adapt and change as needed. These changes are made by stewards, each of us, who are obligated to act in the best interest of the Trust and its beneficiaries. If we act responsibly, our children, grandchildren, and the Internet will be better off.

While I believe this to be true, I’m at a loss to suggest a way forward other than to trust each other to recognize the responsibility we each have as a steward of the Internet. If we understand stewardship and act accordingly, we will have a successful year. If instead we act on our own behalf, we may fail to preserve the Internet Trust, and will have failed our children, their children, and the world.

Less is More

The research that led to the Internet had as its hypothesis that a reliable network could be constructed with unreliable components. Reliability came through the resilience of numbers. It has proven not only workable, but a phenomenal success and we are well-served to keep this in mind in the coming year.

As an after-the-fact corollary, we have found that value can be rapidly derived through application of the end-to-end principle. Adherence to this principle has unleashed creative genius on a scale not seen before. Services have been and can be developed and deployed rapidly, some with minimal uptake, others with exponential growth.

We have also found that distributed, decentralized, perhaps unrecognizable governance structures work surprisingly well. Two billion people enjoy the benefits of the Internet on little more than a handshake, a non-existent trust, and loose collaboration. Is more required? Is more desirable? Is change necessary or are current mechanisms sufficient?

These questions and others will be the subject of the coming year. In order to answer them we need to listen to each other, learn from each other, and trust each other to work for the good of the Community. I see no other way, and Dubai is the first step on our path.

While I write these musings; I’m reminded by the captain to stow my laptop, buckle-up and await a smooth landing in Dubai. Stay tuned for some on-the-ground reports and hopefully a smooth two weeks of WCIT.

Posted in Uncategorized | Leave a comment

A Very Modest Proposal

I have been silent for some weeks, at least in public, on the World Conference on International Telecommunication (WCIT) and the European Telecommunications Operators Network Association’s (ETNO) proposal for a New Internet Ecosystem. I’ve been reflecting on private comments made by a well-respected colleague who suggested that I might be contributing to the ETNO cause by regularly calling attention to it. I took the suggestion seriously, reflected on it, but ultimately determined continued silence was not my preferred approach.

My reasons to return to the topic are varied, but the determining factor was the continued push by ETNO to advocate for their proposal on a global scale. Their campaign is choreographed, well-funded, and follows traditional FUD principles that are designed to create an atmosphere conducive to the acceptance of their proposal for radical change.

Genesis of the ETNO Proposal

In 2010, AT Kearney produced a report at the behest of Deutsche Telekom, France Telecom, Telecom Italia and Telefónica – four leading members of ETNO. The report has been referenced on several occasions to support changes in the International Telecommunication Regulations (ITRs) that would significantly, and radically alter the Internet economic model. Perhaps unsurprisingly, ETNO’s members would be the primary beneficiaries of the proposed changes and they have been the most vocal proponents for such change.

The AT Kearney report argues that the Internet “risks becoming a victim of its own success” as a “fresh wave of innovation” utilizes “more capable devices and new high-bandwidth services”. In particular, free video traffic “threatens to swamp available network capacity and cause unacceptable levels of congestion for users of all services”.

Continuing the report states that by itself, technology can provide only part of the solution to this otherwise disastrous end-state of the Internet. Higher capacity networks, traffic management, compression, and caching, will ameliorate the situation but additional measures are necessary. The report suggests that a combination of the following economic changes, each benefiting the report’s sponsors, are required:

    1. Modification of Retail Pricing Schemes
    2. Traffic Dependent Charges for all Traffic
    3. Enhanced Quality Service over the Public Internet
    4. Enhanced Quality Services Based on Bi-lateral Agreements

To support its proposed changes, the AT Kearney report assumes the Internet is a two-sided market, one where content providers and end-users are brought together by infrastructure providers (carriers).

Two-sided markets are a relatively new concept in economic theory conceived at about the turn of the century to explain behavior in the software and credit card markets.  These markets are characterized by two distinct groups that provide each other with network effect benefits that are facilitated by bringing the two groups together in a single market. Wikipedia has an approachable article explaining the concept, giving easily recognizable examples of two-sided markets. It also provides examples of one-sided markets like the telephone, instant messaging, fax (document exchange), and email. Interestingly, all of these are Internet services in use today and many other one-sided services either currently exist or are likely to evolve, e.g. video chat.

Largely using data from European markets, the AT Kearney report makes the case that bandwidth is being consumed faster than it is being produced and that without some change to the Internet’s economic model, the Internet will become unusable. This is a frightening prospect, and if demonstrably true, action certainly should be taken.

It is interesting to note that this is not a novel claim with one pertinent example being a 2008 statement by Jim Cicconi, then Vice President of Legislative Affairs for AT&T: “We are going to be butting up against the physical capacity of the Internet by 2010″. Of course the Internet did not reach capacity and instead, using the current economic model, investment in Internet infrastructure proceeded at a pace sufficient to prevent the dire consequences predicted. This allowed AT Kearney to repeat the claim, just as the earlier prediction was eclipsed, repeating a cycle that no doubt will continue.

Analysis

Two-sided market models are an important new tool for economic analysis and as they mature will no doubt assist policy makers with decision making. At present, there is little research on the Internet as a two-sided market and that research is not definitive in terms of suggesting whether the current economic model can be improved. All of the research that I have reviewed employs simplified models of the Internet and all reports express caveats with their conclusions.

None of the research views the Internet simultaneously as a one-sided and two-sided market. None make the unequivocal suggestion that the current Internet economic model is unsustainable in the long-term. None suggest that the model must be changed. All suggest that additional research is warranted. For example, in Njoroge et. al., the authors spend some 25 pages to conclude “Our results suggest that net-neutrality regulation could possibly be an inapt policy to increase value in the Internet…”. They then go on to say:

While our results are suggestive, our model is obviously stylized so they need to be taken with caution. One simplifying feature of our analysis is the lack of transaction costs in the non-neutral regime. Incorporating them presents new analytical challenges but it constitutes an important area to explore, because they would reduce the revenue earned by the platforms and thus they are likely to temper (perhaps in a negative way) the investment incentives of ISPs.

ETNO would have us believe that such research is inviolate, that the current economic model is unsustainable and must be changed. Their campaign relies on the fear that the Internet will somehow collapse from congestive bandwidth failure. They enhance this fear by expressing uncertainty within the WCIT context of their ability to invest in infrastructure (while telling financial markets they will invest). And they employ others to doubt the current economic model using a regional analysis and a simplified model of a complex system to support global change.

This is a well-considered campaign and one that could dramatically change the Internet. It plays on a base human emotion, fear, to grab the listener’s attention and references reports, research, and analyses to provide a rational explanation for the listener’s fear. To further influence listeners, the campaign employs repetition and selective presentation of “facts” from reports. Omitted from these presentations is any mention of fact or statements that do not support the campaign’s objectives.

Repetition, selective presentation/omission, and loaded messages to obtain emotional rather than rational responses are well-known propaganda techniques. They are employed by marketing departments to encourage us to buy products; some useful, others not. Politicians regularly use them in an effort to get elected. Lobbyists might consider them as appropriate air cover for regulators who have an obligation to make fact-based decisions using best-available information, not just that which is conveniently and selectively supplied.

Change is Inevitable

Change can be beneficial. Change can be detrimental. Change is inevitable.

Some might argue that the Internet has caused detrimental change where others see benefit. The AT Kearney report itself mentions the huge economic and social benefits of the Internet and the desire by governments to enhance those benefits through broader adoption and continued innovation. Is a change to the Internet’s economic model required for this to occur? To date, the answer has been an unequivocal no as has been demonstrated in practice over a span of years regardless of what any theory might suggest.

ETNO would have policy makers believe that such a change is required and relies on inconclusive research to support its claim. While claiming to seek no regulatory imperative, ETNO is seeking a mandate within the ITRs, to force certain parties (operating agencies) to “negotiate commercial agreements to achieve a sustainable system of fair compensation for telecommunications services and, where appropriate, respecting the principle of sending party network pays”. As a general matter, the ITRs are themselves an international regulatory instrument and the specific text proposed by ETNO imposes a mandate on certain parties. This is regulation, pure and simple.

What is missing from the ETNO campaign, is any mention of potential negative consequences of the dramatic regulatory change they are proposing. Policy makers are being asked to rely on ETNO’s assessment, based on nascent research that is neither definitive nor conclusive, that the fundamental change being proposed will be beneficial. Others (CDT, ISOC, Forbes, CNET) have pointed out potential negative consequences of implementing ETNO’s proposal and one hopes that those charged with revising the ITRs will pay particular attention to them.

Change is Happening

Change can be beneficial, but one wonders why ETNO is arguing so strongly for this specific change, a regulatory mandate in the ITRs, given the following from their latest “Contribution”:

Quality based delivery is already in operation.

Companies such as Akamai, Level 3 and Limelight, already successfully offer quality based content delivery to Over the Top players/Content Providers. Moreover, Google has built the largest worldwide IP backbone to improve the quality of its delivery. Quality is based on Content Delivery Networks, web acceleration, caching, buffering and other techniques.

In the last year, telecoms operators have been receiving requests from Google, Akamai and other carriers looking to move their own servers from the edge of the network into domestic networks. This is needed to improve the Quality of Service (QoS) and the Quality of Experience (QoE).

Moving content closer to its use/consumption is a well-known technique to improve user experience and to reduce congestion. As noted by ETNO, Content Delivery Networks (CDNs) already offer these services and more importantly, these services have requested that “telecoms operators” provide “domestic network” access.  This is exactly what the ETNO proposal seeks to mandate, but it is happening today without mandates. One wonders then, why they are necessary.

It would seem that all that remains is for ETNO’s members to negotiate with the CDNs and to enter into contracts to provide the desired services. No modification of the ITRs are required since ETNO’s members are free to enter into commercial agreements with whomever they choose, as specified in Article 9 of the current ITRs.

ETNO has demonstrated, that the parties are at the table needing no regulatory change to entice them. If ETNO’s members can provide quality services at an affordable and competitive price, contracts could be signed on terms that are amenable to both parties, and ETNO’s members will increase their revenue. If they are unable to do so, they may need to resort to other tactics; perhaps international regulatory mandates.

A Very Modest Proposal

So my very modest proposal is this, make no change to the ITRs as suggested by ETNO. The evidence is lacking as any balanced review will show. The tools to address the (perceived) problem already exist as demonstrated by those claiming they require new tools. Reject emotionally loaded arguments. Conduct rational analyses. Favor successful practice over unproven theory. Continue to research current and new models. Embrace the Internet.

Posted in Uncategorized | 4 Comments

A Modest Proposal

In Regulation as Innovation I suggested that the European Telecommunications Network Operators’ Association’s (ETNO) “sender pays” proposal was retrograde rather than innovative, as advertised. Perhaps I was too quick to criticize what at first blush appeared to be an attempt to exact a tax on certain Internet companies or to impose a tariff on “imported” content. After further consideration, I see the advantages of the ETNO proposal and offer a modest improvement that I believe benefits the larger Internet Community, not just ETNO’s members.

The Current Situation and Inherent Risk

Apparently current Internet technical, policy, and economic models, have created an environment that is not conducive to infrastructure providers and could jeopardize the Internet itself. Luigi Gambardella (ETNO’s executive board chairman) stated recently that “we believe that this situation is putting at risk our capacity to invest”. If true, this is a serious situation indeed, no doubt already reported to financial regulators, and should be addressed before any real damage can be done.

Fortunately, ETNO and Mr. Gambardella are aware of the severity of this problem and have proposed a fundamental change to the economic model on which the Internet, and the innovation that drives it, relies. This proposal is known as “sending party pays” and draws on decades if not a century of experience in the telegraphy and telephony industries. It is a well-understood concept and as a consequence should require little discussion or debate.

Since my earlier post, ETNO has embarked on a campaign to garner support for their proposal in BrazilAspen, and no doubt other locales. In Aspen, speaking of the proposal, Mr. Gambardella noted that “This would benefit us because we could have additional revenue” – clearly advantageous. Of course in any zero-sum game, gains must be offset with losses and in the ETNO proposal, it is the Over The Top (OTT) providers that sit on the other side of the scales. (In full disclosure, my employer has been listed as one of the OTT players.)

Benefits of Investment

OTT players fully understand the need to have adequate infrastructure in order for their customers to enjoy the myriad benefits of the Internet. They regularly invest in systems, new technology, security and audits, standards development, high bandwidth Internet connections, content delivery networks, usability studies, Internet governance initiatives, and generally attempt to provide their customers the best experience possible. All of this is funded by revenues generated by innovative business models enabled by a new class of services unimagined just a few years ago.

I have no direct quotes to offer from OTT executives, but I suggest that they might say something like “if implemented, this ETNO proposal would put at risk our capacity to invest”. This too is a situation best to avoid and leaves us with a conundrum in our zero sum game. Infrastructure providers claim to need substantial new revenues and believe OTT providers should be required to give it to them. OTT providers, while sympathetic to the plight of infrastructure providers rely on current OTT income streams to support their businesses.

This appears to be an intractable situation, and ETNO has reasonably proposed that regulation be (re)introduced in order to return the market to one more suitable to them. Given their history in a regulated industry, this is understandable and regulators, knowing how to regulate, might take this opportunity to restore their own “rightful” place in the market. Everyone benefits in this scenario, except the OTT players. Two out of three isn’t so bad in American baseball, but the Internet is global in nature and we can do better.

Progressive Sending Party Pays (PSPP)

Mr. Gambardella has expressed the desire of ETNO members to “have the freedom to make commercial agreements based on the value of the information” as justification for their sending party pays proposal. Ignoring the fact that they have that freedom today, I will agree with that sentiment but suggest that the relationship should be inverse rather than direct. Further by this very slight change to the ETNO proposal, all interested parties benefit and we can address an issue high on the ITU’s current list of expansive initiatives – SPAM.

Everyone, except spammers, hates SPAM and regards it as worthless or worse than worthless. It is a nuisance and represents a significant cost for all in the Internet ecosystem – the ITU reports that 70% of all email is SPAM. Infrastructure providers are forced to provide additional bandwidth to carry traffic, users deal with an ever-increasing onslaught of malicious mail, Internet companies staff fraud and customer service departments to handle complaints, governments enact legislation and prosecute crimes, prison systems must accommodate convicted criminals, and productivity losses continue to mount. Something must be done.

Using the ETNO proposal and progressive income tax systems as guides, I determined that a mashup of the two could provide a solution to the investment problems of ETNO’s members without jeopardizing the economic engine of the Internet. Further, appropriate application of this mashup technique could benefit the entire Internet ecosystem by providing infrastructure funding from those that make significant use of it. This mashup is a win, win, win, win.

Everyone Benefits

My modest proposal is that regulators require that spammers pay for the traffic they generate and that these funds be transferred to infrastructure providers. Further this should be a progressive system so that as one generates more traffic, they are required to pay a higher rate. While somewhat more complex than a “straight tax”, progressive taxes are a well known and generally accepted concept with obvious benefits as evidenced by the number of countries that employ them. Perhaps less obvious, but no less important, is the recognition that an international entity must ensure that payments are made in a timely fashion and to monitor and mitigate fraud and abuse.

As mentioned earlier, this is win, win, win, win. ETNO’s members win because they receive funds for investment they otherwise could not make. OTT providers win because they are not forced to incur unneeded expenses and therefore can continue to innovate. Regulators win with a new set of regulations and a complexity structure that ensures robust and lengthy discussions on a wide range of topics. Lastly, the Internet Community wins with infrastructure enhancements, continued innovation, and regulation not directed at “positive elements” of the Internet economy.

This is but a brief, and swiftly compiled proposal for PSPP. I contribute the mashup to the Internet Community confident that it will be used in an appropriate manner.

Posted in Uncategorized | Leave a comment

WCIT Public Consultation Opens

The International Telecommunication Union (ITU) announced that it has opened the public consultation for the upcoming World Conference on International Telecommunication (WCIT). The ITU has now completed its action items related to the Council landmark decision from last month.

However, before you rush to submit your comments, you might want to take a look at the “Open consultation process” terms and conditions. Terms and conditions are commonplace on the web and it was no surprise to see the ITU include them here. However, some might be surprised at the language contained therein. For example:

  • I hereby formally agree to use the webpage solely to submit appropriate content.
  • neither the submitted content nor any part thereof shall contain or refer to any language of a false or incorrect, inflammatory, threatening, defamatory, unlawful, obscene or other unethical nature
  • I hereby formally agree that ITU, at its sole discretion, is entitled and authorized to reject the submitted content if it considers that these terms and conditions are not respected.
  • I hereby formally accept, without any restriction, that my personal data (name, title, company/organization/institution, country and e-mail address), as provided to ITU when submitting the submitted content, be made public by ITU… Note also that you are not obliged to include a name or any other personal data in your submission.
  • decisions on the part of ITU shall be final, binding upon me and without appeal.

For the moment, I won’t be submitting comments. The ITU is well within its rights to require an agreement of the form they have provided, and I support that right. What I don’t support is the concept of an “Open consultation process” conducted on behalf of an entity where that entity determines what is appropriate, correct, or ethical and additionally provides no means of recourse.

Perhaps this is what is meant by preeminence.

Posted in Uncategorized | Leave a comment

The ITRs and Cybersecurity

Cybersecurity is a top-of-mind issue with calls for individual vigilance, national legislation, and international treaties to address gaps that are exploited causing significant harm and financial loss on a daily basis. The vast majority of these calls are well-intentioned though even among the best-intentioned, some are poorly directed.

Such is the case with all of the proposals that would introduce security into the International Telecommunication Regulations (ITRs) of the International Telecommunication Union (ITU).

The ITU

The ITU is a venerable institution dating to 1865 with the establishment of the International Telegraph Union. Since then it has added radio and telephony to its remit, become an agency of the United Nations, and adopted and modified a set of International Telecommunication Regulations. Its primary members are 193 Member States (nations) that adopt through consensus Resolutions, Decisions, and Regulations. They are assisted by some 700 industry Sector Members that may participate in certain Conferences, Fora, Assemblies, meetings, etc. but have no formal vote.

In the coming months, a multi-year preparatory process will conclude in a two-week December World Conference on International Telecommunication (WCIT) in Dubai where Member States will decide how to modify a set of international regulations. The decisions made could impact industry in meaningful ways and the potential exists to significantly expand regulation beyond traditional telecommunication (telegraphy and telephony). This expansion has not been well-advertised and possibly impacted industries may have little or no representation at this conference or other fora where their fate will be discussed and decided.

The ITRs

The International Telecommunication Regulations is a treaty level instrument negotiated between nations within the context of the ITU. The regulations address telecommunication, defined by the treaty signatories as:

Any transmission, emission or reception of signs, signals, writing, images and sounds or intelligence of any nature by wire, radio, optical or other electromagnetic systems.

 On the one hand, this definition is broad covering virtually every form of human communication, including intelligence (though as I previously pointed out, this is likely a reference to an 1840 definition of that term). On the other, it is decidedly narrow and limits telecommunication to, “transmission, emission or reception … by wire, radio, optical or other electromechanical systems”; the means.

Form and means are addressed by the definition of telecommunication in the ITU’s Constitution, Convention, and Regulations. But not content. This is almost certainly a well-considered and very deliberate omission, and one that should be maintained.

Proposals to Introduce Security into the ITRs

As I mentioned in Landmark Decisions, the ITU has taken the unprecedented (for it) step of making available to the public the WCIT “main conference preparatory document”. This is a difficult to understand document containing a confusing array of sometimes overlapping proposals for changes to the ITRs. Amidst the confusion, one thing becomes clear, (cyber)security will be a topic of conversation at the upcoming WCIT conference.

Security, including cybersecurity, is mentioned 37 times in the WCIT preparatory document whereas in the current ITRs, it is not mentioned at all. In fact, security occurs just three times in the ITU’s Constitution, Convention, and Regulations the basic and defining documents of the ITU itself. In each case, security is used in reference to national security and the sovereign right of a nation state to interrupt its telecommunication service or to stop transmission of individual private telecommunications. As an ITU term of art, security is easy to understand, unambiguous, and notably enables a nation state to solely determine when its security is in jeopardy and to unilaterally act to mitigate what it perceives as a threat.

How might a nation state determine that an individual private telecommunication endangers its security? The most likely answer is by examining the content. Another reason might be to limit communication between specific sources and destinations, fearing what might be contained in any telecommunication between the parties. Finally, a nation state might determine that it’s security was best assured by interrupting all telecommunication service, again concerned about content.

It would seem that security, as an ITU term of art, is reserved for nation states and their right to examine private telecommunications, prohibit their transmission or interrupt all telecommunications. Security then, is a sovereign issue and is clearly and unambiguously addressed in the ITU Constitution obviating the need to address it in he ITRs. In fact, introduction of the term there might lead to ambiguity, confusion, and controversy when the ITRs are applied in practice.

Use of an alternate term, perhaps cybersecurity from other related proposals, could  reduce or eliminate this ambiguity by clearly differentiating between the sovereign national security issues of the Constitution and telecommunication security issues that might be addressed in the ITRs. To minimize confusion, a definition of cybersecurity should be developed and agreed upon. Helpfully the ITU has just such a definition, found in its Recommendation X.1205

Cybersecurity

The collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets.

Cyber environment includes users, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks 

Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment.

Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment. The general security objectives comprise the following:

  • Availability
  • Integrity, which may include authenticity and non-repudiation
  • Confidentiality

n.b. The definition above has been reformatted and includes a referenced definition for clarity.

Other definitions exist for cybersecurity covering cyber-warfare, -terrorism, -espionage, and -crime. Regardless of the specific definition, cybersecurity is a broad concept like that expressed in X.1205 and encompasses considerably more than transmission, emission, or reception – the scope of the ITRs.

Including cybersecurity in the ITRs necessarily expands their scope far beyond their original and updated intent. This burdens the ITU itself and the national administrations charged with effecting the implementation of the regulations within their respective national borders. No study or analysis has been conducted to determine the scope, cost, benefit, or impact of such burdens that would apply to some 193 nations around the globe and untold corporate entities that could be subject to expanded regulation.

Is this the “light touch” regulation the ITU claims the world needs?

Conclusion

As pointed out earlier, security when applied to telecommunication, requires examination of content. As a consequence, inclusion of even the most benign (cyber)security proposals in the ITRs could require or at least encourage Member States to perform inspection of telecommunications. While such inspection might, enhance security, it unquestionably would impinge on an individual’s right to privacy, especially when arbitrarily applied to all telecommunications. This would be in contravention to article 12 of The Universal Declaration of Human Rights and article 17 of The International Covenant on Civil and Political Rights as reinforced by the recent United Nations Human Rights Council Resolution.

Cybersecurity, as defined by the ITU and others, is a broad concept covering far more than telecommunication. It is a global concern, deserves attention of global scale, and requires that the full breadth of its issues be addressed. A treaty limited to international telecommunication, while global in scope, can not and should not attempt to address that full breadth. Rather it should remain silent and recognize that cybersecurity must be addressed when and where subject matter experts can devote proper attention to the complexity of the issues, and nation states express their desire to fully cooperate in specific areas.

The Council of Europe’s Convention on Cybercrime is an excellent example of such attention and cooperation. It concretely addresses a complex set of issues and establishes a framework within which the various actors involved in the prevention, mitigation, and prosecution of cybercrime can cooperate. Though imperfect, it demonstrates how we should address other aspects of cybersecurity.

The Convention on Cybercrime is principled, but goes beyond principles. In 25 pages it details provisions for criminal law, procedural law, jurisdiction, and international cooperation. Warrants, preservation of evidence, disclosure of traffic data, expedited requests, and confidentiality are comprehensively addressed.

The ITRs by their nature and definition, are “general principles”; high-level statements that facilitate international cooperation related to telecommunication. They are limited to the means of such communication, whatever form it might take. Introduction of a few sentences or paragraphs into the ITRs cannot begin to address an issue as broad and complex as cybersecurity. We do a disservice to ourselves and to the world believing that such a casual treatment of so complex an issue could have any measurable impact

Cybersecurity is an important issue that should be addressed deliberately, comprehensively, and willfully. It deserves attention and consideration by a range of experts that will not be found at a two-week conference on telecommunications.

We can do better.

Posted in Uncategorized | Leave a comment