{"id":19688,"date":"2012-09-11T17:33:13","date_gmt":"2012-09-11T21:33:13","guid":{"rendered":"http:\/\/rbach.net\/blog\/index.php\/"},"modified":"2021-07-31T13:29:54","modified_gmt":"2021-07-31T17:29:54","slug":"itu-regs-bad-for-cybersecurity","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/itu-regs-bad-for-cybersecurity\/","title":{"rendered":"ITU Regs Bad for Cybersecurity"},"content":{"rendered":"

\"ITU<\/a>Emma Llans\u00f3<\/a> at the Center for Democracy & Technology<\/a> writes<\/a> that the\u00a0International Telecommunication Union<\/strong><\/a> is ill-suited to regulate cybersecurity<\/strong>. The United Nations<\/strong><\/a>-backed ITU will meet in December to try to expand its control over the Internet. The CDT<\/em> believes that the issue of cybersecurity perfectly illustrates why the ITU<\/a> should not be given expanded regulatory authority to include matters of Internet governance.<\/p>\n

\"Center<\/a>The UN body is holding the World Conference on International Telecommunications (WCIT) this December in\u00a0Dubai, UAE<\/a> to renegotiate the International Telecommunication Regulations<\/strong> (ITRs), the UN’s core telecommunications treaty. The ITRs were in 1988 and sets forth general principles for the operation of international telephony systems<\/strong>. The CDT reports that some Member States of the ITU want to use the WCIT to expand these regulations to Internet matters<\/strong> by amending the ITRs. The CDT and others have warned of the risks to online freedom<\/strong> and innovation if the UN is allowed to regulate the Internet. The CDT has released a paper<\/a> (PDF) that examines in detail some of the proposals pending before the ITU relating to cybercrime and cybersecurity.<\/p>\n

The CDT states that cybersecurity is undeniably a critical issue for the future of telecommunications and indeed for global commerce, development, and human rights<\/strong>. On the other hand, it is ill-suited to the kind of centralized, government-dominated policy-making<\/strong> that the ITU represents.<\/p>\n

\"ITU<\/a>Cybersecurity requires agility: Given the pace of technological change, governmental bodies are not likely to be the source of effective technical solutions. The CDT predicts those solutions will emerge from multi-stakeholder efforts, involving ICT companies, technologists, academics, and civil society advocates, as well as governments.<\/p>\n

Moreover, the cybersecurity issue inevitably leads straight into questions of human rights and governmental power: surveillance, privacy, and free expression<\/strong>. None of these are issues the ITU has any expertise<\/strong> in or any ability to assess and balance. The CDT suggests, rather than adopting vague wording that could be used by governments as justification for repressive measures<\/strong>, the ITU should endorse existing standards initiatives such as those underway at the IETF<\/a> and continue to serve as one forum among many for the development of consensus-based, private sector-led efforts.<\/p>\n

\"\"<\/a>According to the CDT briefing, the Arab States<\/strong><\/a> regional group has offered a proposal to amend the ITRs to require Member States<\/strong> to \u201cundertake appropriate measures” to address issues relating to \u201cConfidence and Security of telecommunications\/ICTs,\u201d including \u201c… online crime; controlling and countering unsolicited electronic communication (e.g Spam); and protection of information and personal data (e.g. phishing).\u201d The governments of the middle-east have a history<\/strong> of manipulating<\/a> the Internet to silence dissent<\/a>.<\/strong><\/p>\n

Another example of why the UN should not control the Internet comes from the African Member States<\/strong> cybersecurity proposal which deals with data retention. The CDT<\/em> reports the requirement will force communications companies to retain data about customers and communications for the benefit of the government<\/strong> rather than for business purposes.<\/p>\n

\"UN<\/a>Analysis by CDT says that this requirement goes against American criminal laws<\/strong>. This data retention law turns the presumption of innocence on its head<\/strong>\u00a0since these cybersecurity data retention laws apply to every citizen<\/strong> regardless of whether they have committed a crime. Further, because data retention laws require service providers to store information that identifies people online, they threaten anonymity online, implicating the rights to both privacy and free expression.<\/p>\n

The CDT writes that several cybersecurity proposals to amend the ITRs refer to the routing of communications. One proposal from the Arab States regional group would amend the ITRs to specify that \u201cA Member State has the right to know how its traffic is routed.\u201d<\/p>\n

\"national<\/a>The proposal is justified on the grounds of security<\/strong>, according to the CDT which some Member States clearly interpret to mean national security. In its comments, Egypt argued, \u201c…\u00a0 Member States must be able to know the routes used … to maintain national security. If the [Member State] does [not] have the right to know or select the route in certain circumstances (e.g. for Security reasons), then the only alternative left is to block traffic from such destinations…”<\/p>\n

The brief explains that Internet protocol (IP) networks transmit communications and interconnect entirely differently than traditional telephone networks; in that context the Arab States proposal to \u201cknow how traffic is routed\u201d simply would not work and could fundamentally disrupt the operation of the Internet. If the Arab States proposal were applied to all Internet communications, the requirement that countries be able to \u201cknow\u201d how every IP packet is routed to its destination would necessitate extensive network engineering changes, not only creating huge new costs but also threatening the performance benefits and network efficiency of the current system.<\/p>\n

The brief goes on to explain that the Arab States proposal could also serve to legitimize governmental efforts to set up controls on the Internet traffic, by enshrining in an international treaty. Changes to IP routing rules to carry out the Arab States’ cybersecurity proposal could give the Member States more technical tools to use to block traffic to and from certain websites or nations. The regulations on routing that the Arab States proposal condones could take a variety of forms, from prohibiting certain IP addresses from being received inside a country to tracking users by IP addresses and blocking specific individuals from sending or receiving certain communications. \u201cKnowledge\u201d of IP routing could also encompass countries keeping track of what websites their citizens visit or with whom they email \u2013 all in the name of national security.<\/p>\n

These types of regulations, which could be legitimized if the Arab States proposal is adopted, could threaten user rights to privacy and freedom of expression on the Internet.<\/p>\n

rb-<\/em><\/strong><\/p>\n

The UN must not be allowed to expand its control over the Internet.\u00a0 ITU regulation will be bad for cybersecurity.<\/em><\/p>\n

Related articles<\/h6>\n