
Report on the IGF Roundtable: Balancing the need for Security and the concerns for Civil Liberties

Security threats are real. Governments are concerned about cyber warfare and related threats,
business entities suffer from cyber crime in various ways, and the average user faces various
forms of security threats online. These threats are real, but the measures against them are
considered disproportionate and sometimes cause greater harm than the threats to be warded
off. Moves to address the security concerns often result in breach of privacy. This roundtable
was organized to bring together different points of view on Security and Privacy and to
encourage a free and unrestrained debate to look for convergence in some areas between the
two sides. The roundtable approached this broadly, with a view to defining and enumerating
concerns on both sides and looking for unseen common ground.

http://bit.ly/igf323

Panelists:

Alejandro Pisanty (Workshop Chair) Director General for Academic Computing Services of the
National University of Mexico (UNAM) and Member of the Board of Trustees of the Internet
Society

Prof Dr. Wolfgang Benedek, Director of the Institute of International Law and International
Relations of the University of Graz, Austria and of the European Training and Research
Centre for Human Rights and Democracy in Graz (ETC)

Steve Purser, Head of the Department of Technical Competence and Security, European
Network and Information Security Agency (ENISA)

Prof. Simon Davies, Founder and Director, Privacy International and visiting Senior Fellow,
London School of Economics

Bruce Schneier, "Security Guru" and Internationally renowned security technologist and
Writer.

Barrister Zahid Usman Jamil, Councilor of the ICANN Generic Names Supporting Organization
(GNSO) and Member of the Multistakeholder Advisory Group (MAG) of the Internet
Governance Forum

Apologies:

Katiza Rodriguez, EPIC
Robin Cross, IP Justice
Andres Piazza
Jean-Marc Dinant

Audio Recording of the Workshop:

http://isocmadras.blogspot.com/2009/12/igf-worskhop-323-roundtable-balancing.html

Contact for further information

Sivasubramanian Muthusamy
Isoc India Chennai
isolatednet@gmail.com

Workshop co-organized by
Electronic Privacy Information Center (EPIC)

A brief substantive summary and the main issues that were identified:

Prof Dr. Wolfgang Benedek, Director of the Institute of International Law and International
Relations of the University of Graz, Austria and of the European Training and Research
Centre for Human Rights and Democracy in Graz (ETC)

When 9/11 happened, the reactions were to tighten security and to introduce new kinds of
regulations. Our title is large, Security Vs Civil Liberties and balance could be refuted in a
certain way. Why should we balance absolute human rights against security interests?
Article 17 of the International Covenant on Civil and Political Rights does not contain any
qualifications. But Article 8 of the European Convention on Human Rights has certain
possibilities for restricting rights, in particular for public safety and security. But in
International covenants, under article 4 a state has to declare a state of emergency to
introduce any restrictions. Article 8 of the European Convention on Human Rights, the
qualification is that such measures have to be necessary in a democratic society. We have
certain standards developed by the European Court of Human Rights in Strasbourg, on how to
deal with such restrictions. Also the standards developed by the European Court are
restrictive on such restrictions.

During the terror attack in 2009 in Mumbai, India, many International participants of the IGF
Hyderabad had to take a flight from Mumbai to Hyderabad despite adverse travel advisories.
There is a certain measure of insecurity that we have to take into account in our world of
today. You can not fully avoid risks. The anti terrorist legislation which we have seen over
the last few years are under the presumption that you can largely avoid risks and therefore
you have to give away freedom in order to preserve security. We have given away quite a
good part of our freedom but I am not sure of its effect on security. The hypothesis is that
there is a problem of proportionality between the measures of restriction and the
gains on security due to the measures.

Steve Purser, Head of the Department of Technical Competence and Security, European
Network and Information Security Agency (ENISA)

One of the fundamental rights of citizens is the right to understand what is going on, but we
don't understand what is going on in terms of security. We use a lot of acronyms which are
not easy to grasp.

Citizens have to develop Electronic Common sense - a way of behaving in electronic world if
we have to make progress.

Prof. Simon Davies, Founder and Director, Privacy International and visiting Senior Fellow,
London School of Economics

Privacy was nascent and almost invisible as an advocacy stream twenty years ago. Over the
past twenty years people have developed a sense of privacy as a fundamental right, though
not as an absolute right. There are restrictions on privacy, there always have been. There is
nothing different today from what it was twenty years ago or a few hundred years ago. What
I sense is the emerging social contract which involves right to know, right to understand, the
right to be brought into the equation of the way society works. That is part of the way
people expect society to go or the way Governments to behave.

A fundamental problem is that while people want to assert their right to privacy, when
people talk about the right to preserve their privacy, they are constantly told to justify their
position. There is a slippage on the security end. One of the biggest problems we face in
balancing security and civil liberties is that security has become such a means to an end,
security has become such an industry that it is almost self-fulfilling. For instance in England,
the government claimed that it should collect all data related to cars going in and out of
London for national security purposes. The objection to this idea of hijacking data from
the congestion management system in the name of security without providing any evidence
or adequate justification, without providing a matrix by which it could be judged, examined
if it is a justifiable claim. While data protection rights are eliminated in the name of National
Security. The objections were thrown out because the Government maintained that the
citizens can get information about what the Government is doing, therefore the rights are
asserted. The information that we get is that the Government is collecting the information.

This is a vicious loop and exemplifies the problem we are facing. National security and
security in general are a means to an end, it is not quantifiable. Try getting the FBI or CIA to
quantify their claim of national security for privacy exemption- it is extremely difficult. There
is a disconnect between the expectations of citizens who want to assert their privacy rights
and the expectations of many security professionals who believe that the mere mention of
word security should give them a golden pass through the privacy conundrum. That is not
an emerging problem it is a growing problem, the one that we have to deal with.

Bruce Schneier, "Security Guru" and Internationally renowned security technologist and
Writer.

We are here having this conversation, because the Internet in a sense is a very identifying
technology. Someone who wants to send an email needs to know where you are. When you
send a query to a search engine, the search engine needs to know where to send the
information back to. Internet and Information Technology have a lot of identity embedded
in, but it is sloppy, because it is the computer that is identified not the person. There is a lot
of identity, but there is a disconnect between the computer and the person in the chair, a
disconnect between the network and the person. This sloppiness is bothersome to a lot of
people in government or corporations who want to use their data for political purpose or for
marketing, for control. We have entered an era where national security is the pass to do
anything, in a way that it was when there was a war on drugs was ten years ago that you can
use that phrase to justify anything.

There is a wide-spread belief that there is a situation of Security Vs Privacy, that in order to
have security you have to give up your rights to privacy. If you want more privacy, you have
to give up security. This is meaningless. For instance the metal detectors in a building are a
security measure, but they have nothing to do with privacy. The locks that we use in a hotel
room are essential to security. That is nothing to do with privacy. There are dozens,
hundreds of security measures that have nothing to do with privacy. Identity based security
has to do with privacy. There is a widespread belief between governments and the
corporations pushing these technologies that if we knew who everybody was we can pick out
the bad guys. This is fueling the desire for information which is pushing on our privacy.
Already the police have extraordinary powers to invade our privacy but there are limits on
that power. There is a warrant process, a disclosure process, a judicial process, all designed
to limit the powers when they invade our privacy. That is a key thing to pay attention to. The
only thing security vs privacy if we look at one threat. We live in a world where there are
many threats. Terrorists are a threat, repressive governments are the second threat.
Unethical corporations are the third threat. Nosy neighbors are the fourth threat. When you
look at all the threats you quickly realize that privacy is not antithetical to security, privacy is
component of security. In order for us to be secure we must also have privacy. They are not
in opposition at all.

By giving away our privacy in some misguided attempts to make us secure against terrorism,
we are actually reducing our security against governments, against multinational
corporations, against those who are in power. Privacy is empowering. Giving privacy to
people raises their power with respect to government. That is why it is important and that is
why it is part of security.

Barrister Zahid Usman Jamil, Councilor of the ICANN Generic Names Supporting Organization
(GNSO) and Member of the Multistakeholder Advisory Group (MAG) of the Internet
Governance Forum

Corporations tend to want to identify users and collect a lot of data. From user perspective,
in social networks, there is anonymity. One does not have to disclose information, or present
national identity card. One can have multiple identities but law enforcement can trace the
IP address from the MAC address.

Businesses have to maintain certain amount of credibility, certain amount of security for
consumers about their privacy. To that extent it is imperative on the part of business to
maintain privacy, the difficulty is when they are faced with national regimes, who wish to
make use of the data that businesses have collected. This is a challenge for business.

Do businesses avoid regimes that don't respect privacy? Too much regulation legislation
affects innovation. It is not practical for business to avoid territories that are not completely
free. It is important to make consumers feel secure about the privacy of their data.

Steve Purser, Head of the Department of Technical Competence, ENISA

There is a need for a cultural change, need to develop electronic common sense. People
need to develop a basic risk management strategy by which they can handle all risks
on or off the Internet.

Legislation is a clumsy tool, heavy handed tool, takes time to develop, and by the time it is
developed it becomes obsolete. Legislation is national. Internet is global. Legislation does
not satisfy needs. It is softer measures, proactive, preventive measures that will win the day.

Bruce Schneier

If we examine the history of common sense, we find that it is slow to develop. New
technologies can take 20 or 30 years before the new generation develops common sense. It
is clumsier than legislation. It takes even longer. Legislation becomes obsolete by the time it
is enacted, so it is clumsy. Common sense is clumsier than that. We live in a world that
changes faster than ever before. A thousand years ago, one did not see anything new in all
his lifetime. Now we see something new every year. We might be living in a world where
common sense can no longer catch up. It changes so fast that it is impossible for people to
integrate new risks, new trade offs, new socialization, faster than they change.

Twitter did not exist two years ago and there may be something new two years from now. By
the time we develop common sense about Twitter, it is too late, Twitter may be gone.
Younger generations are better at detecting nonsense on the Internet. We might be heading
to an era where common sense becomes obsolete. We don't know what that means to
society.

Simon Davies

The phase of change is such that common sense can not engage the problems we face, we
face the interesting dilemma similar to the migration from agrarian to the industrial, to the
cities, Legislation ultimately had to take over. Industrial health and safety for example had to
be taken over by the state as a requirement. We don't want that to happen in the Internet.
Perhaps we need to find another formula, perhaps we have to lean towards engineering
solutions.

Prof Wolfgang Benedek

There is considerable difference between north and south, privacy as known in the North is
not known the same way in the south.

Zahid Jamil

The European debate, the American debate on Security Vs Privacy, it is not a debate that
translates well in some developing countries. It gets misunderstood, misused,
misinterpreted in developing countries and actually affects freedom of expression. For
instance it is not possible for Internet users in Pakistan to tune into Hulu video casts on their
laptops because these are prohibited from broadcasting in Pakistan. VOIP can not be used
because it affects [telecom] business. Skype is blocked in many countries. Had there been a
debate when began, some governments might have decided that the Internet would be
undesirable because there is pornography,

Users won't know what to do, because things are moving too fast from a southern
perspective, Legislation about privacy would lead to legislation on morals.

Alejandro Pisanty (Workshop Chair) Director General for Academic Computing Services of the
National University of Mexico (UNAM) and Member of the Board of Trustees of the Internet
Society

The legislation and rules that protect privacy are sometimes seen as a huge obstacle to
protect people in enforcement of the right to safety and security. Privacy rules from
telecommunication law in several countries make traffic data - for instance, who is calling
who - confidential. If there is a kidnap or extortion going on, the police force can not get the
traffic data in a timely manner to follow up and persecute the criminals. The procedures that
the law and order agencies have to go through will allow time for a kidnapped person to be
killed by the time the warrants are obtained to get the phone companies to release the
necessary data related to a phone call or the IP address information for an email message
associated with the crime.

Rebecca Mackinnon, Co founder, Global Networks Initiative

In China measures ostensibly to protect children are used to control political content.
Measures to fight terrorism are used to oppress minorities while at the same time there are
legitimate concerns among people in China about crime on the Internet. So we do have these
universal concerns but they play out in different regimes in very very different ways. The
danger of unintended consequences is that certain regimes use what is happening in the
West as an enabling excuse to solidify their powers. So it is very difficult to have one size fits
all type of legislation.

Legislation is an over-blunt instrument. Companies are caught between governments and
citizens. In some places governments can be a force for good in law enforcement, but in
some cases they are not. So an initiative such as the Global Networks Initiative which is a
multi-stakeholder initiative of which Google, Yahoo and Microsoft at present form part,
becomes relevant in arriving at base principles on free expression and privacy. As these are
applied, how each company approaches the base principles depend upon the specific
circumstances in a specific country so the multi-stakeholder process arrives at benchmarks.
In some cases legislation may be helpful, but in other cases government is part of the
problem.

A gentleman from the Asia pacific region:

In Asia Pacific most of the problems related to Security and Privacy come from Governments.
Governments have their own explanations; National Interest is higher than personal
interests. This gives governments the excuse to compromise on personal privacy.

John Laprise, North Western University Qatar

There is a semantical issue that exists within the US Government. There are two parallel privacy
definitions. On the one hand there is the traditional protection of privacy which is protection
from intrusion by governments. At the same time there is a responsibility of the federal
government to protect their citizens' privacy from intrusion by outside the country. In the United
States the latter definition always triumphs over the former definition. In the post 9/11
environment, measure to sift through external communication is done in the name of the
second definition of privacy.

Audrey Ponk, Intel Corporation

We need accountability mechanisms rather than overly blunt legislation. There is evidence of
movement towards developing accountability mechanisms. How can we find accountability
mechanisms that find a middle ground? One example is about how law enforcement
agencies obtain crucial information in time sensitive situation, for example in a situation
where a hostage could die if the information isn't available in time. There are cooperative
mechanisms, accountability mechanisms that have worked in the past, in different
jurisdictions globally, not to circumvent but to enhance the judicial process, so that
corporations who hold private information or access to information can work together to get
critical data in critical situations. release the crucial data By these cooperative mechanisms
law and order agencies have been able to obtain crucial information in time.

Alejandro Pisanty (Chair)

Historically, mostly in Europe, Privacy was split into Private Life and Intimacy. It was found
that it was very hard to protect them legally. Personal data is much easier to define and
legislate. Personally identifiable data is in the hands of the State. This data is of two types,
that which is mandatory as in tax return data and that which is provided to the State as
optional Information or obtained by the State legally or illegally by surveillance, espionage
and other legal and illegal means. Then there is data in the hands of private parties.

There are three kinds of law. The law in Europe which is extremely exacting and demanding
with all kinds of rights embedded in the legislation for citizens. Users have all kinds of rights
whether to allow or disallow transfer of the data. Another would be the US kind of view. In
the US private data is handed out voluntarily to business establishments, like information
disclosed voluntarily to the local mega store or video store. It is assumed to be voluntary.
Many companies are sloppy about data protection. The market hypothesis is that one can
choose the companies that are good at data protection, which is also equally sloppy as a
hypothesis in protecting the data. The third would be the law prevailing in the rest of the
world, which is the law of the jungle.

The split between intimacy and data protection looked right 30 years ago. Now even extreme
examples of intimacy provide digital data recorded in a permanent form. This gives rise to
some very complex situations, whereby our intimacy has also become a provider of data.

Steve Purser

For every rule with a good example, there is one with a bad example. Context is enormously
important. In security there are very few tools and it is a question of using the best tools.
Let's talk in terms of alternatives. One is the idea of common sense which is limited. One is
the idea of using legislation which is slow. The third is the idea of using software but human
brain is more powerful than software. We need to develop Electronic Common Sense. We
know that there can not be 100 percent security. If someone is to approach on the street and
ask for details one is cautious, but it is amazing how much of information is shared in a chat
room.

Wolfgang Benedek

When it comes to law enforcement, the mechanisms are there. Particularly after the Madrid
and London bombings. In Austria, the police have to simply sign a form, these provisions are
used mostly in case of saving someone from suicide. That would be a computer search and
would require a warrant from a judge. But in Europe there are data retention directives that
require data to be retained for a period of 6 to 24 months. Vast amounts of data are to be
collected allegedly for anti terrorism, anti-crime measures. It goes beyond reasonable limits
and disproportional to keep all this data. This directive is challenged together by business,
civil society and by governments. Austria has challenged it in court and has asked human
rights groups to suggest ways of implementing the directives in the most human friendly
manner.

US has been secretly collecting SWIFT and credit card data, and when discovered, US is
negotiating with European governments to do this transparently.

Bruce Schneier

Social network sites avoid any mention of privacy as they want the users to share
information. But they have very exacting privacy rules that are buried and they are very hard
to implement. It is wrong to think that people will get better choices if companies compete
on privacy. The goal actually is not to give people better choices, often the goal is to make
better profits which they achieve by giving people fewer choices.

Zahid Jamil

Data retention is a serious concern for business. It is a cost issue. If we concentrate on
security aspects, it is important that we don't confuse the developing countries in the very
high level of some of the discussions. It would be useful to come down to developing
countries and make them aware. There are such a lot of obstructions created in
evangelizing, informing or making aware developing countries the benefits of the Budapest
convention on cybercrime. It is not a law enforcement agency tool, or for cooperation
between governments. It has specific human rights articles that require safeguards, due
processes, judicial oversight, all of which get lost in translation and not conveyed to the civil
society in the country. There were specific clauses and articles that were removed from the
legislation when these model clauses go down to developing countries. Nobody was made
aware of it. This is a convention with some balance, this convention need to go down to the
developing countries, It needs to be explained to business that the model clauses from EU
on data transfer is a frame work. If the developing country does not have the legislation, the
businesses at least have to subscribe to the model clauses. These are duties and obligations
if businesses in a developing country have to do business with the European Union.

Simon Davies

Companies have to somehow ignore privacy. One of the ways privacy isn't invaded through
exception, in the name of public security.

In the movie Batman the Dark Knight, Batman has built the capacity to look into all mobile
phones in Gotham city. The dialog against the use of such technology is revealing.
http://warnerbros2008.warnerbros.com/assets/images/TheDarkKnight_Script.pdf

INT. LAB, RESEARCH AND DEVELOPMENT -- DAY

Fox enters the dimly-lit room. At one end is an extraordinary array of thousands of
tiny monitors. Fox approaches, fascinated, as they quietly display architectural
patterns individually and in concert. The images become a MAP.

FOX: Beautiful. Unethical. Dangerous. You've turned every phone in the city into a
microphone...
Lucius presses a key. The BABBLE of a MILLION CONVERSATIONS at once fills the
room. Every cell phone in the city.

BATMAN: And high frequency generator/receiver.

FOX: Like the phone I gave you in Hong Kong. You took my sonar concept and applied
it to everybody's phone in the City. With half the city feeding you sonar you can image
all of Gotham.

Most privacy is systematically invaded. Whether it is Batman or real world, if citizens are to
give away privacy, the authorities have to be more accountable, they have to give away some
of their secrecy, legacy of being able to hold back. That would be an enduring formula for
the protection of privacy. If we can keep that as a concept in mind, then many of the
problems of privacy systematically will disappear.

Wolfgang Benedek

In the process of bringing the cyber-crime convention to developing countries, the human
rights dimension is lost. The problem is that in the Cyber-crime convention it is said that the
human rights part is left to the national governments. This is a structural flaw in the cyber-
crime convention that human rights concerns are not included on the same level as security
concerns. More has to be done in order to get the full concept across. We have some
orientation, from rules. In International Covenants on Civil and Political rights, Privacy is not
explained in any large way. APC in 2001 in its Internet Rights Chart tried to translate privacy
into this environment. This is being updated to bring it up to actual needs. Stakeholders are
not against human rights.

Zahid Jamil

In developing countries there is one convention available, one standard. We have a model
law from the commonwealth which is based on the Budapest Convention. We will take
something out of the convention for privacy and human rights. That convention focuses on
preservation and not on data retention. Second, it talks about judicial oversight, due process,
and incorporates the UN convention on human rights and the European convention on
human rights. These clauses have to be explained to the developing countries, otherwise it
is only the Security protocols that are adopted and nothing else.

Investigating agencies ask for information. To what extent the law and order authorities are
themselves accountable? Developed countries have tribunals to look into the use of
regulatory powers but such accountability mechanisms do not exist in some developing
countries. These are aspects that need to be looked into.

There is a lot that each of us can do to protect our privacy.

The framework of Rights against Obligations applies to citizens and not to Governments.
There is a real imbalance.

Bruce Schneier:

There are some rights that simply come as rights. That is the way the world has to work.

If people are going to throw their private data without worrying about consequences, it
wouldn't help. One obligation is to behave responsibly while giving out data. Another has to
do with delegation.

Sara, State Department, United States of America

The e-government Act in the United States requires the Government to disclose what it does
with personally identifiable data collected. There are privacy impact assessments published
which can be shared with developing countries.

Zahid Jamil

The best practices can be shared with the developing countries who can determine the level
they want to implement.

Bruce Schneier

The number of exemptions to that act make it irrelevant.

Eric Iriarte, Peru

United States was to sell some arms to Chile, which transparently appeared on the US
government website. In Latin America there are no laws for data protection, laws are based
on security. In Mexico there is very quick movement for access to information, without any
privacy laws, which means access to information is sought without any cause.

Pranesh Prakash, Center for Internet and Society, Bangalore, India

A lot of debate is happening on a theoretical level. A lot of good ideas are coming out. These
ideas have to be translated into good systems of governance in countries like India.
Consumer organizations are trying to make human readable privacy signs such as that of the
creative commons. Concerning citizen's privacy a lot of systems that have been discredited
by Bruce Schneier such as key escrow are sought to be brought to India. There is a national ID
scheme that many countries are freezing. In India open wireless is no longer allowed without
being registered with Government. There have been debates on these issues, but these
debates find actual recognition in the governance systems. That translation is very
important.

Concluding Remarks from Panelists

The debates taking place across the pond have to be relevant for other countries and it
should be made sure that it is not mistranslated.

We need to think of data as the pollution problem of the Information Age. All processes
produce it. It stays around. It has some secondary uses and has to be disposed off properly.
Just like in the Industrial Age, in the rush for progress in the Information Age, we tend to
ignore pollution, ignore the issue. The decisions we make today will have profound effect in
the next ten, twenty, fifty years.

Are you afraid that our children will ask us tomorrow "Why didn't you forbid me to put my
data in Facebook? I can't get a job"

Actually that is not true. There is the greatest generation gap since the Rock and Roll. That is
the old generation talking. We already have CEOs who blog. Soon everybody will be on
Facebook. We can't tell our children not to do something. They are right and we are wrong.

Security is not in general algorithmic. Most good security solutions need a lot of brain
power. We need to look at alternatives and choose wisely. We have three social solutions.
One idea of good practices, or electronic common sense. One is the idea of intelligent
software, the third is legislation and each has its place and the key to issue is using them
wisely.

The Internet is one of the large spaces where there is large freedom. This obviously makes
government uneasy and find ways of control. In Europe there is a proposal to give one single
identity to every Internet user who has to disclose it every time he goes online. We have to
make sure that it does not happen. The security debate has a chilling effect on privacy and
other civil liberties. We have to explain civil liberties to all stakeholders in a way that they are
not afraid and make them see them as a common way of interacting in cyber space.

When in future is so obsessed with exposing themselves, privacy would lose its importance.
People would be suspicious of non disclosure. I am wondering if we left the engineers out. I
am wondering if we can do something in the next 12 months which involves the engineers.
We have to get the engineers involved. That is one of the missing ingredients.

Can we ban the word security for a year? security is a very charged word. Can we use the
phrase risk management instead?

There are a lot of different words, security, risk, privacy, vulnerability. Different shades of
the same thing. We have to hit security head on. It is emotionally charged and you can't
ignore the word, can't ignore the emotional charges. One of the reasons why we have nutty
policies in my country is because people are afraid. Fear. That is another word. These words
are important. The emotions are important. And the meaning right or wrong, erroneous or
true are all important. This is hard, not easy, it is not new. The old notion of security is as
old as multicellular life. The first thing that you will introduce to life forms is how to
reproduce, how to eat and how to avoid being eaten. This is it.

Security is not black and white, it is shades of Grey. As we move further and further into
technological development we have to understand that we are less in control. There we see
Bruce's point about data pollution a good one. The classic book on security says first list
your assets, then value your assets and then protect your assets. A lot of companies don't
even know their assets. And by the time they define their assets, it has all changed. Part of
security is compromise. It is being able to live with a bit of fussiness and taking the best
alternative that is open to you. I do like the analogy of risk management. It is essentially risk
management of a particular sort.

Alejandro Pisanty, Chair:

Thank you very much. We can call this to a close.

Conclusions and further comments:

National security and security in general are a means to an end, it is not quantifiable.

Citizens have to develop Electronic Common sense - a way of behaving in electronic world.

We have given away quite a good part of our freedom but its effect on security has been less
than proportional.

Privacy is not antithetical to security, privacy is component of security. In order for us to be
secure we must also have privacy.

There is considerable difference between north and south, privacy as known in the North is
not known the same way in the south.

The danger of unintended consequences is that certain regimes use what is happening in the
West as an enabling excuse to solidify their powers. So it is very difficult to have one size fits
all type of legislation.

We need accountability mechanisms rather than overly blunt legislation.

If citizens are to give away privacy, the authorities have to be more accountable, they have to
give away some of their secrecy, legacy of being able to hold back. That would be an
enduring formula for the protection of privacy.

There is a structural flaw in the cyber-crime convention that human rights concerns are not
included on the same level as security concerns. More has to be done in order to get the full
concept down to the developing countries.

Developed countries have tribunals to look into the use of regulatory powers but such
accountability mechanisms do not exist in some developing countries. These are aspects
that need to be looked into.

The best practices can be shared with the developing countries who can determine the level
they want to implement.

A lot of debate is happening on a theoretical level. A lot of good ideas are coming out. These
ideas have to be translated into good systems of governance in countries like India.

We have to explain civil liberties to all stakeholders in a way that they are not afraid and
make them see them as a common way of interacting in cyber space.

Sivasubramanian M
President, Isoc India Chennai

isolatednet@gmail.com
