Emma Llansó at the Center for Democracy & Technology writes that the International Telecommunication Union is ill-suited to regulate cybersecurity. The United Nations-backed ITU will meet in December to try to expand its control over the Internet. The CDT believes that the issue of cybersecurity perfectly illustrates why the ITU should not be given expanded regulatory authority to include matters of Internet governance.
The UN body is holding the World Conference on International Telecommunications (WCIT) this December in Dubai, UAE to renegotiate the International Telecommunication Regulations (ITRs), the UN’s core telecommunications treaty. The ITRs were in 1988 and sets forth general principles for the operation of international telephony systems. The CDT reports that some Member States of the ITU want to use the WCIT to expand these regulations to Internet matters by amending the ITRs. The CDT and others have warned of the risks to online freedom and innovation if the UN is allowed to regulate the Internet. The CDT has released a paper (PDF) that examines in detail some of the proposals pending before the ITU relating to cybercrime and cybersecurity.
The CDT states that cybersecurity is undeniably a critical issue for the future of telecommunications and indeed for global commerce, development, and human rights. On the other hand, it is ill-suited to the kind of centralized, government-dominated policy-making that the ITU represents.
Cybersecurity requires agility: Given the pace of technological change, governmental bodies are not likely to be the source of effective technical solutions. The CDT predicts those solutions will emerge from multi-stakeholder efforts, involving ICT companies, technologists, academics, and civil society advocates, as well as governments.
Moreover, the cybersecurity issue inevitably leads straight into questions of human rights and governmental power: surveillance, privacy, and free expression. None of these are issues the ITU has any expertise in or any ability to assess and balance. The CDT suggests, rather than adopting vague wording that could be used by governments as justification for repressive measures, the ITU should endorse existing standards initiatives such as those underway at the IETF and continue to serve as one forum among many for the development of consensus-based, private sector-led efforts.
According to the CDT briefing, the Arab States regional group has offered a proposal to amend the ITRs to require Member States to “undertake appropriate measures” to address issues relating to “Confidence and Security of telecommunications/ICTs,” including “… online crime; controlling and countering unsolicited electronic communication (e.g Spam); and protection of information and personal data (e.g. phishing).” The governments of the middle-east have a history of manipulating the Internet to silence dissent.
Another example of why the UN should not control the Internet comes from the African Member States cybersecurity proposal which deals with data retention. The CDT reports the requirement will force communications companies to retain data about customers and communications for the benefit of the government rather than for business purposes.
Analysis by CDT says that this requirement goes against American criminal laws. This data retention law turns the presumption of innocence on its head since these cybersecurity data retention laws apply to every citizen regardless of whether they have committed a crime. Further, because data retention laws require service providers to store information that identifies people online, they threaten anonymity online, implicating the rights to both privacy and free expression.
The CDT writes that several cybersecurity proposals to amend the ITRs refer to the routing of communications. One proposal from the Arab States regional group would amend the ITRs to specify that “A Member State has the right to know how its traffic is routed.”
The proposal is justified on the grounds of security, according to the CDT which some Member States clearly interpret to mean national security. In its comments, Egypt argued, “… Member States must be able to know the routes used … to maintain national security. If the [Member State] does [not] have the right to know or select the route in certain circumstances (e.g. for Security reasons), then the only alternative left is to block traffic from such destinations…”
The brief explains that Internet protocol (IP) networks transmit communications and interconnect entirely differently than traditional telephone networks; in that context the Arab States proposal to “know how traffic is routed” simply would not work and could fundamentally disrupt the operation of the Internet. If the Arab States proposal were applied to all Internet communications, the requirement that countries be able to “know” how every IP packet is routed to its destination would necessitate extensive network engineering changes, not only creating huge new costs but also threatening the performance benefits and network efficiency of the current system.
The brief goes on to explain that the Arab States proposal could also serve to legitimize governmental efforts to set up controls on the Internet traffic, by enshrining in an international treaty. Changes to IP routing rules to carry out the Arab States’ cybersecurity proposal could give the Member States more technical tools to use to block traffic to and from certain websites or nations. The regulations on routing that the Arab States proposal condones could take a variety of forms, from prohibiting certain IP addresses from being received inside a country to tracking users by IP addresses and blocking specific individuals from sending or receiving certain communications. “Knowledge” of IP routing could also encompass countries keeping track of what websites their citizens visit or with whom they email – all in the name of national security.
These types of regulations, which could be legitimized if the Arab States proposal is adopted, could threaten user rights to privacy and freedom of expression on the Internet.
rb-
The UN must not be allowed to expand its control over the Internet. ITU regulation will be bad for cybersecurity.
Related articles
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
The IPocalypse has stuck in Europe. RIPE NCC, the Regional Internet Registry (RIR) for Europe, the Middle East, and parts of Central Asia announced on 09-14-12 that it is down to its last “/8” worth of IPv4 addresses. ArsTechnica reports it is no longer possible to get new IPv4 addresses in Europe, the former USSR, or the Middle East, with one small exception: every network operator that is a “RIPE member” or “local Internet registry” (LIR) can get one last block of 1024 IPv4 addresses. To fulfill these requests, the RIPE NCC is keeping that last /8, which has 16.8 million addresses, in reserve.
Every year for the past five years, some 200 million new IPv4 addresses have been put into use. Ars cautions, without a steady supply of fresh addresses, many Internet-related activities are going to become problematic in the years to come. Fortunately, 20 years ago the Internet Engineering Task Force (IETF) foresaw the IPv4 IPocalypse, where the 3.7 billion 32-bit IPv4 addresses would run out, would become a problem, and started working on a replacement: IPv6. However, the IPv4 depletion didn’t happen as fast as the IETF originally predicted, and IPv6 adoption has languished.
So IPv6 adoption got a big kick in the implementation from World IPv6 Launch. Eventually, IPv6 will replace IPv4, but the transition won’t be pretty. I have covered some of the IPv6 issues here, here, and here. Give it some time, Europe and the rest of us will survive the IPv4 IPocalypse.
In addition to the stressors themselves, IT admins also told GFI that they routinely put in many overtime hours beyond the traditional