Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (15)
Similar to Ruling the Internet: Governance Debates in Eurasia
Similar to Ruling the Internet: Governance Debates in Eurasia (20)
Recently uploaded
Recently uploaded (20)
Ruling the Internet: Governance Debates in Eurasia
- 1. Fragmented Internet: National Interest or Human Rights Violation? United and Undivided: How to save the Internet from national territorialisation The Contest of Rules: US, China, Russia Rival in Setting the Norms of Behavior in Cyberspace Ruling the Internet: Right or Might? Digital +Report
- 3. EDITORIALIntroducing Digital.Report+ All Things ICT in Eurasia Welcome to the inaugural issue of Digital.Report+, a bi-annual English-language publication exploring the relationship between political, social, and economic factors and ICT developments in Eurasia. Addressing a global professional audience, Digital.Report+ bridges a gap that separates one of the most rapidly growing ICT markets from a global community of business leaders, regulators, investors and scholars. The first issue of our journal, “Ruling the Internet,” focuses on the future of the global network. The original vision for the Internet as a unifying communications platform for free exchange of information, collaboration, and, later, economic growth is coming under ever greater scrutiny from governments and security services across Eurasia, and the world. Concerns about the internet’s governance and management are widely spread. Plans for possible fragmentation into national segments are openly discussed. Digital.Report+ explores these controversial issues through an interview with Michael Yakushev, ICANN’s VP of Stakeholder Engagement for Russia, CIS and Eastern Europe, and opinion pieces from leading Russian experts: Nikolai Dmitrik, a legal expert with Park Media Group; Alexandra Kulikova, a Cybersecurity Program Coordinator from the PIR-Centre think tank in Moscow; and Fedor Smirnov, Secretary of the ISOC Russia chapter. The first issue also addresses ICT market liberalization in Belarus in an interview with Igor Sukach, CEO of Atlant Telecom, Belarus’ leading private telecom service provider. The evolution of personal data regulation by Russian authorities after 1991 is covered in an essay by Nikolai Dmitrik, Digital.Report’s Senior Scientific Advisor, an expert on the issue. To provide its readers with a broad spectrum of information and analysis on ICT, Digital.Report+ offers a Policy Digest that explains some of the past developments and future trends in the region, a snapshot of ICT Influencer activity on social media, engaging infographics, and a policy debate. We are looking forward to engaging you! TheSecDev FOUNDATION With Support From: Published-by: With so much talk about States aiming to cut off the internet in a bid to control information, we wanted to reflect the connection between the real and digital worlds. The web might be virtual, but it is still inextricably linked to the physical space. Illustrations By: Jesus Rivera Michael Berk Managing Editor Contact: Michael Berk Managing Editor michael.berk@digital.report @DigitalReportEN @DigitalReportRU www.facebook.com/digital.report/
- 4. Fall 2015 Nikolay Dmitrik Alexandra Kulikova Nikolay Dmitrik ICT Panorama: Interview: Social Media Influencers, Trends, and Chatter from Eurasia. Jacob Appelbaum Interview: Michael Yakushev ICANN Vp 6 Fedor Smirnov Fragmented Internet: National Interest or Human Rights Violation? 11 United and Undivided: How to save the Internet from national territorialisation 14 The Contest of Rules: US, China, Russia Rival in Setting the Norms of Behavior in Cyberspace 17 Personal Data: The Post-Soviet Approach 24 Top 5 Cities for Digital Nomads: Which are the best cities in the post-Soviet space to be a digital nomad? 22 Interview: Igor Sukach 28 Debate: Are the recent terrorist attacks sufficient basis for increasing government regulation of the internet and electronic surveillance of citizens? 30 32 34 11 24 Digital +Report ICT Policy Digest 4 Michael Berk Editorial 1 Introducing Digital.Report+All Things ICT in Eurasia
- 6. Digital Report+4 ICT Policy Digest Country Highlights Membership in the Eurasian Economic Union, a free trade agreement between five ex-USSR states advanced by Russia, accelerates integration processes within the country, according to sources. This is likely to lead to closer cooperation with Russia in the ICT sector, including the adoption of its information security paradigm, often manifested in blocking of sites and regulatory restrictions. Igor Schegolev, Aide to the President of Russia, proposes that foreign Internet companies pay taxes in Russia, “in accordance with international practice.” In the meantime, Roskomnadzor, Russia’s official media watchdog agency, temporarily blocks Reddit, select Wikipedia pages, and threatens to block Facebook and Twitter. President of Ukraine Petro Poroshenko signs the law on the 4G mobile standard, to be fully deployed in 2017. Eight carriers already expressed their interest in using 4G. Meanwhile, the National Commission for the State Regulation of Communications and Informatization proposed legislation to de-anonymize mobile users by making it mandatory to register their IDs with the mobile contracts. The authorities continue to block numerous Internet resources, including user-generated-content platforms such as Vimeo, Flickr and Tumblr, and local news sites that publish information critical of the government (Zonakz, Ratel). The pattern of often extrajudicial blocking demonstrates lack of transparency and continued disregard for human rights online. The public debates regarding the law “On Access to Information” addressed shortcomings related to provisions outlining public access to government information. The launch of the Cyrillic domain zone .БЕЛ on 30 September is expected to cause a significant surge in public, business and government activities on the Internet, leading to renewed relevance of information/cyber security issues. Due to the continued military confrontation in East Ukraine, the government pursues widening of authorities for law enforcement agencies and curtailing of civic freedoms as one of the methods in the overall approach to national security. The US Department of Justice blocked bank accounts worth around $300 million that are suspected to be part of the dealings between relatives of the President of Uzbekistan Islam Karimov and mobile companies MTS and VimpelCom. The move is part of the investigation into the recently exposed corruption in Uzbekistan’s telecommunication sector. July August September The Central Electoral Commission of Moldova approved the Declaration of Information Security Policy, which contains provisions for increasing popular trust for and effectiveness of the elections process in Moldova. The State Duma, Russia’s lower house of parliament, approved the so-called ‘Right to be Forgotten’ law. From 1 January 2016, Russian citizens will have the right to demand that search engine companies remove links that contain false or outdated information about them. The government plans to introduce a number of draft legislations in the Fall 2015 dealing among others with electronic communications, critical government data infrastructure. An Action Plan for 2015-2016 focusing on the development of an ‘information society’ and information technologies was adopted as well The authorities continue blocking Internet, including user-generated-content platforms (see August). In September, government completed its public consultations on the draft legislation regarding Access to Information (open data). Due to continued security problems in the country the government blocked social media sites, such as Facebook, YouTube and Odnoklassniki. Alternative news sites, such as RFL/RE remain blocked since August as well. IGeorgia’s Ministry of Defense held talks with counterparts from Estonia to discuss bilateral cooperation on cybersecurity. Many post-Soviet countries rely on Estonia’s world-renowned expertise in matters of ICT development.
- 7. Digital Report+ 5 The Ministry of Interior unveiled a new police unit tasked with the investigation and prevention of cyber & hi-tech crimes. Molded after US and EU examples, the unit will also be providing a real-time support to citizens who became victims or witnesses of cyber crimes. According to corporate and government sources, the investment into and development of fixed access to Internet by ISPs will remain a ‘high priority’ due to faster speeds and greater reliability of these networks. The law enforcement investigation, which included intercept of suspects’ calls sanctioned by the President, and uncovered signs of a widespread corruption led to the dismissal of the Minister of Communications and High Technologies. Internet Service Providers will be required to guarantee connection speeds for their clients. The national regulator proposed to legislate that the actual speed cannot fall below 70% of that specified in the contract. President of Uzbekistan Islam Karimov signed the law “On Electronic Government.” The legislation outlines the framework for openness and transparency of governmental institutions, equal access of users to e-governance services, as well as information security. ICT Policy Digest October November December Regulation and Policy Cybersecurity Internet Blocking and Surveillance European Court of Human Rights gives a legal appraisal of Russia’s mobile communication surveillance practices. ECHR considers them to be in contradiction with Article 8 of the European Convention on Human Rights, which provides a right to respect for one’s “private and family life, his home and his correspondence.” The amendments to the Law “On Combatting Terrorism” significantly expand powers of law enforcement agencies, including legalized blocking of Internet and telephone system. Periodic blockings of social media networks, such as Facebook and Twitter, under the pretext of fight against extremism and terrorism were common throughout 2015. Representatives of the Ministry of Information Technologies and Communications, Ministry of Interior, and Ministry of Defence formed a Working Group on cybersecurity policy. The WG’s primary objective is to develop a multi-sector strategic vision, establish specific priorities and operational tasks that ensure Moldova’s cybersecurity. The Institute of National Strategic Studies under the Ministry of Defence began the development of a National Cybersecurity Strategy. Considering the increasing regulation of Internet content and more frequent blocking of sites, there is a strong concern regarding preservation of balance between security and free access to Internet and information. After five years of consultations, Kazakhstan adopted a new Law on “Access to Information.” The law stipulates rights of citizens to obtain government information, including live transmission of government proceedings and management of open data. Also, new initiatives aimed to improve operations of the e-commerce sector are expected in the near future. The Law on E-Commerce will feature clear definitions of critical terms and specify consumer rights during purchasing on-line. In Minsk, countries of the Commonwealth of Independent States, a loose association of nine ex-USSR republics, sign documents that outline a range of collaborative measures on countering cybercrime. The representatives of mass media and civil society submitted a public petition to the authorities regarding the fate of many web sites blocked by the government without due legal process. Among over 15 sites listed are Reddit, Flickr, LiveJournal and Fergana News.
- 8. Digital Report+6 An international lawyer by training, Michael (Mikhail) Yakushev has an extensive and diverse background in Telecom/IT and Internet Business. He worked as Chief Counsel of Moscow-based branches of multi-national corporations like Orange/Equant, Microsoft, and SAP; he was also the Head of Legal Service of the Russian Federal Ministry on Telecommunications (2004-2006), and VP of Russian Internet holding group Mail.Ru.Group. Michael participated in numerous international expert groups on Internet Governance, including G8 DOT-Force, UN WGIG, and WG on Cross-border Internet of the Council of Europe. He is well-known in the countries of the former USSR for his research work, articles and books on different legal aspects of Internet Governance.
- 9. Digital Report+ 7 Michael Yakushev, Internet Corporation for Assigned Names and Numbers (ICANN) Vice President of Stakeholder Engagement for Russia, Commonwealth of Independent States (CIS) and Eastern Europe, took the time to answer some of Digital Report’s questions. Mr. Yakushev discusses online government censorship, ICANN’s role in Internet governance and regulation, and some of the challenges the World Wide Web will face in the future. What is your attitude towards government control of the Internet and the blocking of websites? Does Roskomnadzor (Russian Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications) act in contradiction with the constructive approach by ICANN? As long as government regulations do not contravene the stability and technical security requirements of the Internet, they fall outside the jurisdiction of ICANN and remain under state sovereignty. If a country has Internet access, then de-facto ICANN has fulfilled its duties there. However, this raises a crucial question: at what point do government regulations start threatening the stability and security of the Internet? This could occur when a government blocks an entire domain zone. This specific issue opens up a host of potential problems. Specifically, the attempts of some countries to keep the distribution of IP addresses under their jurisdiction. For example, some players believe that the distribution of IP addresses should be done at a national level, just like phone numbers. However, there are as many first-level phone codes as there are sovereign states, slightly more than 200. Regarding the Internet, the problem is of an entirely different scope; there are 10 to the 28th degree IP addresses in IPv6 protocol. Thus, we are not talking about a limited resource which states can distribute. We are talking about quadrillions of addresses. We would face serious conflicts if one registrar occupied an address area that was claimed by several others. Such conflicts would occur if different registrars attempted to claim the same address. Another protective layer is the DNS Sec system, which minimizes attempts to reset (or “substitute”) domain names. An organization that regularly fabricates data about requested domain names will eventually find itself blacklisted. Malicious actors will be disconnected on a technical level if they are considered a source of malevolent activity on the network. Taking into account that the responsibility for blocking websites lies with Internet providers, could they be blacklisted by ICANN and other organizations responsible for stability and development of the Internet? ICANN cannot sanction providers and my organization should not be viewed as an absolute power. There is a whole range of organizations that are not very well represented in Eastern Europe but are actively involved in defining Internet standards and monitoring their implementation. These include the Internet Engineering Task Force (IETF), the Internet Society (ISOC), and the Regional Internet Registry (RIPE NCC). The latter is responsible for distribution of IP addresses in Europe and is located in Amsterdam. ICANN Vice President: Interview with: Michael Yakushev The Internet We Know and Want May Soon Disappear for Good
- 10. Digital Report+8 By the way, this is a perfect example. Three quarters of the Netherlands has been reclaimed from the sea. Residents constructed dams and created more land. Importantly, the owner of the plot of land closest to the sea is solely responsible for the dam protecting all the territory behind his land. If the sea breaches the dam, the owner of this plot is fully responsible. However, if he becomes the owner of this plot, he takes the full responsibility and the owners of other land plots place their trust in him. If a breach or another unfortunate event were to occur, the other owners would all come to support him. This is an example of mutual trust when everyone’s security depends on the security of one. When the Internet was conceived and developed as we know it today, it was based on this principle of absolute trust. If we were to remove this principle, the Internet as we know it would collapse. That Internet, the one we know and want, may disappear for good. Internet freedom is based on mutual trust. The more actions that undermine this trust, the more mechanisms for punishment and containment we need. But this would be a completely different Internet. So is the Internet about to collapse? No, it is too early to say. Everything is very dynamic, even the very idea of what may and may not be censored on the Internet. Twenty-five years ago, one could hardly imagine that a law against gay propaganda would be adopted in Russia. At that time, homosexuality was considered deviant, denounced both in law and public opinion. However, in Europe it is considered a normal sexual behaviour, even though it is forbidden in other states. That is why it is very difficult to have a common international opinion on the dissemination of information about sexual minorities. Thus, the main international issue is not in reaching consensus about what should or should not be censored on the Internet, but in search of the answer for the following question: “What should we do so that the current system remains secure and continues developing?” There is consensus on this matter, and I believe that fears of the collapse of the Internet are groundless. The number of connections is increasing, the number of top-level domains has reached one thousand, and the total number of all domain names is in the hundreds of millions, if not billions. Yes, some excesses exist on the national level but the Internet is flexible and able to solve those problems. Is it possible to say that cyber security issues are used as a political instrument? Do some states practice what Professor Anatoly Streltsov contends when he describes how cyber security is used as a proxy to increase control over online content? Anatoly Streltsov is a well-known theorist of information law. At the same time, his position reflects the position of the majority of Russian cyber-security officials. From their point of view, information security is based on a triad: personal security, social (business) security, and security in international relations. In this theory, state security is tied with social or business security, while cyber security becomes a tiny part of cyber crimes. Most specialists in the world, especially from Europe and the USA, do not share this point of view, proving through their arguments that what we (Russia. -ed) consider security is not correct. The arguments are complex and this is all one can say about this in brief. Of course, like all of us in Russia, I personally respect Mr. Streltsov immensely. Certainly, security is of high importance, and this is not the communist epoch with its opportunities for excesses. However, security is the underlying state of stability, which is based on trust. It is not accidental that I constantly repeat this. That is why the more mutual trust we have, the greater our security. The less trust we have, the less security and the greater need for mechanisms to ensure our security. That is why Western states practice a utilitarian approach to cyber security; one that relies on a set of measures to provide for the technical security of the Web and minimizes the possibility of hacking, data theft, and so on. Russian officials prefer to talk about the categories of information and psychological war, which is not very well received by their Western colleagues. They are, in essence, speaking different languages. However, technical experts and computer specialists can define cyber security very clearly. It is possible that this may be the reason for many misunderstandings. Say, when we try to “push” for something important to us and foreign opponents provide an opposing point of view, then we think - If we were to remove this principle, the Internet as we know it would collapse. -
- 11. Digital Report+ 9 this is political influence. It is extremely important to speak the same language and be able to reach a compromise. Does ICANN implement programs to improve cyber security in Russia and the Commonwealth of Independent States (CIS)? Yes, it does. Of course, this is to a lesser extent in Russia. Our activities are focused on states with lower levels of Internet penetration. In Russia, just like with cyber security, this is not an issue. Experienced professionals manage domain zones and registrars. In this sense, there are no problems with domain and overall network security in Russia. As for educational activities in less-developed states, say in East Asia and Africa, we have two departments devoted to this activity. One of them focuses on security matters and the other on educating interested stakeholders, such as law enforcement and registrars. We would gladly implement education campaigns in Belarus if there were a need. However, our Belarusian colleagues operate on a perfectly acceptable professional level. (This interview was conducted by DR’s Belarusian correspondent. -ed) Does it make sense to work with national populations as a whole? Is the problem of cyber security considered multifaceted, depending both on the professionalism of law enforcement and the level of knowledge of civil society? This is absolutely correct and exactly what is necessary. However, the “clients” of ICANN are registers and registrars and not end users. We teach our children how to cross a street, what a traffic light is, and so on. Taking into account that many children now use tablets, we should teach them what and what not to do online. We really need this education and not only for children. It should also target teachers so that they know what to teach and have more information than children who largely know how to skirt Internet controls. Adults must also be taught to use public services and should feel safe both online shopping and online banking. However, protecting citizens is the responsibility of individual governments. Moreover, a low level of cyber literacy is common; there is much work to be done in Europe, just like in Russia and Belarus. The investments into cyber security are massive. Why do these investments not reach citizens in the form of knowledge? Yes, in fact the investments go only into certified laboratories. Clemenceau said that “war is too important a matter to be left to the military.” The military must win on a tactical level while politicians and diplomats win on a strategic level. In other words, we should not leave decisions as to whether or not to go to war with the military. They are not able to make such decisions. In the same manner, the responsibility for decisions in security domain must not reside within offices that have a particularly special or narrow professional approach to the issue. In Russia, for example, some offices are responsible for the protection of private data. Nevertheless, if your personal data were stolen from a cellular phone company, the company would produce thousands of certificates stating that all their services and systems are successfully certified and the company is not responsible. That is it. But your data is gone. What might the solution be? Do we need a new agency to protect private data? We need an understanding that the rights and interests of a citizen are primary. We have to first think about protecting user needs and only after that about technical certifications. Will cyber security threats increase in the future? Does it make sense to take active measures today to prevent these future risks? What security problems will present the largest challenges in the future? Yes, the probability of new risks increases with time. The main challenge is that a new generation is growing up, a generation that is much more comfortable using computers and connecting to the Internet. They will be more creative than our generation and if we underestimate or misunderstand this, we will face hacker attacks and phishing cases of an order of magnitude greater than today. Imprisoned criminals in Russia already widely participate in SMS phishing attacks from their prison cells, attempting to steal money via their cell phones. Two years ago, Kaspersky Laboratory published information stating that the restrictive online environment had lowered the initial age of criminal activities to 13. For a minute, pretend that the Russian government restricted Anna Karenina in the country. (Anna Karenina contains a suicide, the description of which is illegal in Russia. -ed) A child trying to find this book on the Internet while circumventing government restrictions would sooner or later come across a proposal to make some money via criminal activities. He or she starts down this path and then we see a sharp increase in cyber crime. We may lose a whole generation while the criminal world becomes younger and more inventive. This is the law of large numbers in action.
- 12. 10th ANNUAL IISRC CONFERNCE The SecDev Foundation is a proud sponsor of the 10th Annual International Information Security Research Consortium Conference 25 - 28 April 2016 • Garmisch-Partenkirchen, Germany Conference Themes: Towards a Code of Responsible State Behaviour in the Information Space The Applicability of the Geneva Convention to Cyberspace PPP & Critical Infrastructure Protection Effective Extremist Propaganda Counter Measures Cyber Weapon Non-Proliferation Contact administration@digital.report for more info.
- 13. Digital Report+ 11 Fragmented Internet: National Interest or Human Rights Violation? Fragmentation of the internet, triggered by Snowden’s revelations, is a key issue for internet governance researchers and practitioners alike. As Professor Milton L. Mueller argued during the 2015 Annenberg- Oxford Summer Institute, there are two types of fragmentation: unintentional technical incompatibility and intentional limitations of acc, the latter of which raises concerns in both academic and civil societies. Today’s internet is generally open, interoperable and unified, but governments across the world strive towards greater control of the net. Some threats to internet freedom are of a technical nature (threats to Domain Name System, DNS), others political (internet censorship and blocking), and others still economic (breakdown peering and transit agreement) and legal (local privacy regimes). Over the past few years, Russia has taken many steps towards more fragmented internet access, particularly by introducing blacklists, requiring bloggers registration, and holding discussions about a “disconnected Runet’ (a scenario when .RU top level domain may be separated from the global DNS). Fedor Smirnov Twitter: @ISOC_RU Fedor Smirnov is the Chief Marketing Officer at Webnames.ru, an accredited ICANN registrar. He holds a Ph.D. in Linguistics and Bachelors of Arts degrees in German/English Philosophy and Financial Management respectively. He is currently a Board Member and Secretary of the Russian Federation ISOC Chapter.
- 14. Digital Report+12 field to be “around the construction of the internets role in the everyday life of its users.”[2] There is a need in Russia to oppose the state-sponsored framing of the internet and expand internet imaginaries beyond security threats and leisure. Global organizations focusing on internet development (e.g. Internet Society) may need to put forth stronger efforts in the promotion of core values of an interoperable internet in Russia. Such initiatives will never be effective without bottom- up campaigns including e-participation, citizen activism, and social entrepreneurship that benefit from the global nature of the internet. Fragmentation of the internet is supported by state actors in many countries and requires permanent monitoring and more attention from media and internet policy researchers. Data localization proposals, introduced with good intentions to protect citizens’ personal data from external threats, may instead just create fragmented, disconnected networks or “national segments” of the internet. This kind of fragmentation will devalue core principles of the internet and transform it from an open communication platform into over-regulated media space used for national interests, including propaganda and the violation of human rights. Russia is not the first country to implement data localization requirements. Along with countries like Vietnam, Brazil and India, Western democracies such as Germany, France, and Canada are heading towards a fragmented internet as well. Russia’s tendency towards fragmentation resulted in the Russian Data Localization Law (242-FZ) that took effect September 1, 2015. The law, which pushes Russia further down a data localization trajectory, stipulates that digitizedpersonal data of Russian citizens should be recorded, systematized, and stored using databases located within national territory. Websites that break the law will be added to a special register, which will enable Russian government-controlled communication regulator Roskomnadzor to block those who are non-compliant. While the government claims the Russian Data Localization Law will guard Russian internet users’ privacy, the law does not necessarily guarantee better protection of personal data as it facilitates government access to sensitive information. New legislation would make operational activity of foreign companies in Russia more complicated, generating additional costs and adding new barriers for global players that want to enter the Russian market. While some consequences of this law are not clear, data localization goes against underlying principles of internet openness and negatively affects the internets resilience and stability in Russia. At the Annenberg-Oxford Summer Institute, Professor Monroe Price, Director of the Center for Global Communications Studies (CGCS), raised a crucial point during a discussion on fragmentation when he posed the global unfragmented internet as a human rights issue In his analysis of internet regulation processes in Russia, Dr. Gregory Asmolov, a researcher at the London School of Economics and Political Science, considers the core struggle for researchers and practitioners in the internet governance [1] Anupam Chander, Uyen P. Le (2014) Breaking the Web: Data Localization vs. Global Internet. California International Law Center. Retrieved fromhttp://papers.ssrn.com/sol3/ Delivery.cfm/SSRN_ID2427869_code366600.pdf?abstractid=2407858&mirid=1 [2] Asmolov, G. (2015) Welcoming the Dragon., The Role of Public Opinion in Russian Internet Regulation. Center for Global Communications Studies. Retrieved from http:// www.global.asc.upenn.edu/publications/welcoming-the-dragon-the-role-of-public- opinion- in-russian-internet-regulation/ While the government claims the Russian Data Localization Law will guard Russian internet users’ privacy, the law does not necessarily guarantee better protection of personal data
- 16. Digital Report+14 United and Undivided: Internet governance has become a frequent topic for discussion, especially in Russia. Since September of 2014, Russia has hosted two major internal events dedicated to this topic: a Security Council meeting in September, dedicated to the possibility that Russia could be cut off from the Internet, and the Russian Internet Governance Forum in April 2015, the main theme of which was the principle of national sovereignty over the Internet. To avoid states breaking the Internet into pieces in pursuit of their own interests, it would be best for the global community to set up an international agreement similar to those regulating the use of the open seas, space, and Antarctica. Nikolay Dmitrik Nikolay.Dmitrik@digital.report DR’s Senior Scientific Advisor and Head of Legal Consulting ParkMedia Consulting. In 2006-2012, as an Officer of the Legal Department of the Ministry of Telecom and Mass Communications of the Russian Federation he took part in the development of legislations on personal data, e-signatures, e-government services and access to information. Author of more than 40 scientific papers in the field of ICT regulation. How to Save the Internet From National Territorialisation
- 17. Digital Report+ 15 WHY IS THE INTERNET NOT YET DIVIDED? It is not that simple. The Internet has another, more global, side. In the middle of last century, humanity faced the same question: to divide or not to divide, but at that time we were talking about open seas, aviation, space, and the Antarctic. National bodies resolved not to divide these into sections but rather to create a deterrence mechanism prohibiting any single country from claiming ownership over a global good. Currently, the Internet is not divided because its value rests in its global nature. This is easily visualized via the example of a lap pool. A community swimming pool is most effective when used communally by all visitors. Nevertheless, this effective sharing of a common good would quickly collapse if several users reserved their lap lanes. Upon seeing the first reservations, others would immediately follow suit, being scared they would be left without space to swim if they did not act. Internet governance is currently precariously balanced. The US administration knows it governs the Internet and knows other governments realize this. However, any attempt to impose this control would lead to the Internet’s immediate segmentation, leaving the US in control of Internet only within its own national borders. Are the steps taken by Washington sufficient to avoid the division of the Internet? Evidently, no. HOW DO YOU SEE THE POTENTIAL REGULATION OF THE INTERNET? First, we have to recognize that the relationships and needs of the Internet are in a superposition state. They are neither solely interstate, nor domestic. Thus, we can determine whose interests intersect in a specific problem only after we determine the effects of the problem on a case-by-case basis. This requires a new governing approach (other than material law or principles of conflicts of laws), which would allow us to take into account different sets of national legislation that touch upon the Internet. In this case, the division into national segments at the infrastructural level will not create divisions between countries on a content level. The Internet deserves a Multilateral Convention and International Governing Body. Second, we need a system of checks and balances instead of a mutually assured destruction. This system must demonstrate to each state that any attempt to control the global Internet outside of its borders will lead only to the removal of this state from the global network. This must apply to every state without exception. Third, legal mechanisms could also support limitations that are already built into the actual technologies of the Internet themselves, also known as lex informatica. Whatever we say about Internet decentralization now, the Internet still has a single governance centre. This is not a problem for a local or national telecom network. If we are talking about something with global value, we must remember that the Earth is round and it does not have a single point on its surface that everyone agrees to be its centre. In order to satisfy all sides, we require a multilateral process. Ideally, it should be a multilateral convention and an international governing body. The Internet is no less deserving of these methods than the open seas. WHY GOVERN THE INTERNET? The answer to this question evolves from the philosophical to the deadly serious upon deeper consideration. The level of Internet penetration, especially within the public offices, is so high that he who governs Internet, governs the world. However, there is a problem: no one knows exactly where attempts to govern the Internet will lead. Let me illustrate this with the example of VISA and MasterCard systems in Russia in 2014. As a result of Western sanctions, both companies stated they would be forced to discontinue their services for several sanctioned Russian banks. I participated in the drafting of the Law on the national payment system from 2007-2012. At that time, the attempt to create a national payment system to compete with the international ones fell apart with the argument “why reinvent the wheel, we already have Visa and MasterCard.” And now, we have a different reality: Visa and MasterCard can only continue operating in Russia so long as they do not exclude sanctioned Russian banks from their services. Besides that, Russia has moved to create a national electronic card payment system designed to compete with existing credit cards. On the one hand, countries The Internet faces the same dilemma. For a long time, states did not use Internet technologies for a significant portion of their day-to-day work. For Russia, this period ended in 2010. Since then, the overwhelming introduction of e-government technologies has significantly raised public-sector dependence on the Internet. As a result, the issue of Internet governance within national boundaries has turned into an issue of life and death, at the national level. Why specifically mention governance within national boundaries? At the moment, state sovereignty is unambiguously superior to the Internet within a country. States remain states. No one has abolished the principle of sovereign equality contained within both the Charter of the United Nations and national constitutions. But how strong and unequivocal would be a government answer to the question: should we govern the Internet? It will obviously answer: “yes, we should govern the internet.” ++ All government work relies extensively upon the Internet, both internally and externally. ++ From the time of the Internet’s creation, no internal control mechanisms have been invented (leaving aside loud declarations which rarely amount to anything) which protect users from crime, the spread of illegal information, or simply from the imposition of unwanted information or views on them. ++ The Internet and information technologies are becoming increasingly more important for national economies. Taking into account these opinions, the Internet is yet another area where a government must provide order and support the rule of law. In order to achieve these goals, every state must demarcate, consider, and protect the Internet within its own national borders.
- 18. WANT TO BE HEARD? Digital.Report is a bridge between West and East on all things ICT. We specialize in facilitating dialogue between parties, advising on sound public policy choices and delivering actionable information. We believe in an open and free Internet. Contact us today to explore how we can collaborate on ensuring your message is heard by the right audience. Email administration@digital.report.
- 19. Digital Report+ 17 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 111000100011010100111101101000100111004111100110100 The Contest Of Rules: US, China, Russia Rival in Setting the Norms of Behavior in Cyberspace The shift of cyberspace governance discussions towards a normative framework demonstrates states’ efforts to formulate ‘rules of the game.’ Recent multinational and bilateral agreements on cyberspace governance fall under the domain of non-binding soft law, in which norms agreed upon are not set in stone. As fundamental differences exist amongst individual states’ visions of cyber governance (for example views on state sovereignty in cyberspace), and with the uncertainties a rapidly developing cyberspace brings, hard laws often imply commitments that are difficult to honour. Non-binding agreements and norms leave room to manoeuvre as seen in the recent UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security report and talks between the US and China. Alexandra Kulikova Twitter: @AVKulikova ICANN ‘s Global Stakeholder Engagement Manager. A former Program Coordinator for the Global Internet Governance and International Information Security Program in Moscow/Russia, Alexandra holds an MSc in Media and Communications Governance from the London School of Economics. For five years, she headed the RBCC Bulletin, the monthly business magazine of the Russo-British Chamber of Commerce. Alexandra’s research expertise includes cybersecurity, information security, global internet governance, internet development.
- 20. Digital Report+18 on the political good will of all signing parties regarding information sharing, CERTs and CSIRTs cooperation, and joint efforts in investigation against at attacks. The current level of trust in the international arena makes it difficult to imagine that non-binding principles could act as an effective measure of restraint for the twenty states-signatories (Belarus, Brazil, China, Colombia, Egypt, Estonia, France, Germany, Ghana, Israel, Japan, Kenia, Malaysia, Mexico, Pakistan, Republic of Korea, Russia, Spain, UK, US) let alone any other aspiring cyber nations. Though it sets an important precedent for consensus, this report does not tackle some key issues on bilateral agendas, which will need individual fine-tuning. What is most interesting is how some issues, which were not included in the agreement, are currently addressed. UN GGE is a consensus platform, and given the long-standing differences in stances formulated by the most vocal participants (the US, Russia, China), this reveals the ongoing contest over who sets, shapes, and interprets international norms, representing the ultimate manifestation of power in a multipolar world. Both China and Russia are quite successful in domestic norm building, which reflects Chinese and Russian authorities’ tough position on content control and online data sovereignty. In this regard, the recent research paper, “Benchmarking Public Demand: Russia’s Appetite For Internet Control,” by the Center for Global Communications Studies at Annenberg School for Communication, gives a good sense of the domestic norms setting success enjoyed by the Russian authorities. China and Russia have attempted to push these norms at the international stage for further legitimation, but beyond the Shanghai Cooperation Organisation (SCO) ‘Code of Conduct for information security’ their success has been modest until recently. However, some of the ‘Code of Conduct’ language is present in the UN GGE report. For instance, clause 26 explores how states should “[refrain]in their international relations from the threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the purposes of the United Nations… and non-intervention in the internal affairs of other States.” Clauses 27 and 28 also suggest that state sovereignty and international norms and principles flowing from sovereignty apply to states’ conduct on ICT-related activities and to their jurisdiction over ICT infrastructure within their territory. Still, in other fora the concept of state sovereignty in cyberspace remains a stumbling block, as well as what ‘objectionable content’ implies. The latter is increasingly important to spell out, as radical groups like ISIS actively use online platforms for recruitment. This might give an extra opportunity for the wider acceptance of what up to recently has been qualified as a ‘domestic norm’ for a number of countries (e.g. taking down extremist/terrorist content). As for the US cyber norm promotion, one principle of state behaviour laid out by the US State Department in May 2015 states that “no country should conduct or support cyber enabled theft of intellectual property, trade secrets, or other While the United Nation’s bureaucracy is typically perceived as ill paced for dynamic ICT governance, in June 2015 a major breakthrough occurred. Representatives from twenty countries Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security. The GGE agreed on a range of non-binding norms for state behaviour as well as confidence and capacity building measures in cyberspace – something many were skeptical about. The agreements, reflected in the report published in August, outline some important commitments which states have refused to recognize since the late 1990s when the Russian Federation started promoting the norm building process through the creation of the UN GGE. These include, inter alia, the commitment to not attack each other’s critical infrastructure and cyber emergency response systems (CERTs and CSIRTs), to not knowingly allow illegal third party cyber activity from within their territory, to carry out due investigation on malicious activity before counteractions are taken to assist in investigations of cyber attacks and cyber crime launched from the country’s territory, and to commit to peaceful use of ICTs as a cornerstone of peace and security in cyberspace and beyond. Building on the success of the previous UN GGE in 2013, which acknowledged the applicability of international law to cyberspace and encouraged future elaboration of norms and confidence building measures (CBMs), the current GGE managed to build upon and agree on some minimum conditions for international cyber stability. Since the release of the report, numerous discussions have focused on the practical implementation of the agreement, as well as the feasibility of the non-binding norms-based approach to cyberspace governance in general. While the agreement is a positive step, the extent to which the given commitments will actually translate into practice depends ... China and Russia are quite successful in domestic norm building, which reflects Chinese and Russian authorities’ tough position on content control and online data sovereignty...
- 21. Digital Report+ 19 confidential business information for commercial gain.” It was not included in the set of norms in final UN GGE report, which might have contributed to the intention to pursue the issue on the bilateral level. At the end of August, the media reported that the US planned to impose sanctions on Chinese companies and individuals found guilty of commercial espionage. A related Executive Order, signed back in April 2015, gave the Treasury Department wide authority to employ economic sanctions against cyber hackers whose actions have harmed national security. Though not drafted to address exclusively Chinese offenders, given the long track record of bilateral tension over the issue, it is viewed as such. Cyber issues certainly framed the agenda of Chinese President Xi Jinping’s September 22-25 state visit to the US. A White House statement released at the end of the state visit, articulated the two countries’ agreement to not engage in cyber theft and cooperate on cyber crime issues, a surprise amid scepticism many have had about cajoling China into any promises. While this may give an impression that the US cyber agenda is gaining the upper hand, this is most likely wishful thinking. The talks are an interesting carrot and stick exercise. In addition to the reported US sanctions for intellectual property cyber theft, ahead of President Xi Jinping’s visit, sources announced that the US and China are developing their own cyber deal similar to the China – Russia agreement signed in May. While the deal would not be regulated by any international accords both countries are signatories to, it would echo and reinforce the UN GGE agreement. In retrospect, this rumoured bilateral pact looks like a Plan B in case the efforts to settle more urgent cyber theft issue lead nowhere. Indeed, Mr. Xi Jinping has been sending mixed messages by both standing his usual ground on some norms and seemingly suddenly giving in on others, which he previously refused to embrace on behalf of his country. In an interview ahead of his visit to the US he reiterated China’s traditional stance that “rule of law also applies to the Internet, with the need to safeguard a country’s sovereignty, security and development interests as relevant as in the real world.” However, he also recognized the urgency to fight what his country has been accused of by admitting that “cyber theft of commercial secrets and hacking attacks against government networks are both illegal; such acts are criminal offences and should ...If the US corporate sector eases on data disclosure in China, this could give grounds for US law enforcement to request similar access to data for intelligence purposes...
- 22. Digital Report+20 be punished according to law and relevant international conventions.” Speaking to tech-firms in Seattle, Mr. Xi Jinping pledged readiness to set up “a high-level joint dialogue mechanism with the United States to fight cyber crimes,” pointing out that his government “will not, in whatever form, engage in commercial theft nor encourage or support such efforts by anyone.” Coupled with promises to welcome foreign investment, this appears to be a candid commitment to stronger bilateral relations, followed by the US-China joint pledge not to “conduct or knowingly support cyber enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors,” which few expected. Still optimists should not hold their breath due to the non- binding nature of the US-China talks and UN GGE norms. The language of the cyber commitment reveals some important reservations, which leave much room for interpretation in the future. Along with some other CBMs on timely responses “to requests for information and assistance concerning malicious cyber activities” and establishing “a high-level joint dialogue mechanism on fighting cybercrime and related issues,” the US-China talks also suggest that the two sides “agree to cooperate, in a manner consistent with their respective national laws and relevant international obligations, with requests to investigate cyber crimes, collect electronic evidence, and mitigate malicious cyber activity emanating from their territory.”: The allusion to national laws is a useful caveat to any future conflicts over lack of cooperation. Additionally the activity of non-state actors is not addressed, allowing for deniability of failure to commit. China must be feeling fairly comfortable with the soft law solution since, even if US sanctions follow if China does not honour this US-China commitment, sanctions might backfire. First, cyber attack attribution is difficult and the accused will most certainly deny any wrongdoing (as seen with the Sony Pictures attack). Second, sanctions will deliver a blow to US companies’ business with China, impacting the thousands of jobs that rely on these ties. Third, China can retaliate against the threat of sanctions by pushing US tech firms to comply with China’s desire for increased control over data flows. While this could force some US companies to leave the Chinese market, US tech firms giving China access to encrypted communications could also have larger implications for domestic US data access. If the US corporate sector eases on data disclosure in China, this could give grounds for US law enforcement to request similar access to data for intelligence purposes. This also reveals an interesting interplay between the two faces of cyber espionage – for intelligence or commercial ends – representing different perceived threats on both countries’ sides. Since Snowden’s revelations, which ironically were made public when China and the US last addressed cyber crime issues face to face, China feels its actions in the cyber sphere are justified, given the scope of the US cyber intelligence intrusiveness. The US sees SIGINT efforts as a legitimate part of any country’s foreign policy. Though the commitment to non-compromising ICT products with “harmful hidden functions” features at least in the UN GGE’s set of norms (even though the verification remains a challenge), IP theft looks more like a sore point on the bilateral agenda, probably addressed in a broader context of US-China relations with inevitable trade-offs. Unless the US curtails some cyber intelligence, other incentives must be offered to push the Chinese to make concessions and embrace more US-promoted norms. In any case, in its current vague form, which addresses only governments and does not incorporate none-state actors, the agreement is a comfortable and symbolic half-step, saving face for both sides and leaving the door open for further negotiations. With the dormant Russia-US cyber deal from 2013 in mind, there is a triangle of agreements among Russia, China and the US embedded in the UN GGE accord. Non-interference with domestic affairs via ICT tools might be more of a priority for Russia given current geopolitical turmoil despite record domestic public approval rates. While supporting this norm, China does not seem to view it as a critical one – a tightly controlled digital domain is well-preserved in the country and faces no palpable threat. The US, on the other hand, places much importance on curtailing commercial cyber espionage. All three countries are united by the desire to protect their critical infrastructure against cyber attacks though this most tangible ‘common denominator’ is less relevant in peacetime. The struggle will continue in the domain of little or no normative consensus in cultural, historical and practical terms, lined with strategic economic bargaining where conceptual understanding fails. Non-interference with domestic affairs via ICT tools might be more of a priority for Russia given current geopolitical turmoil despite record domestic public approval rates.
- 23. LIKE WHAT YOU ARE READING? WE NEED YOU! Digital.Report+ is a creative vehicle enabling you to reach decision makers. We seek collaborators, sponsors and partners to launch this publication in Spring 2016. Let’s build a strong digital Eurasia together. Contact us at administration@digital.report!
- 24. Digital Report+22 Astana 0.90 $ Chisinau 0.59 $ Moscow 0.99 $ Tbilisi 0.82 $ Kiev 0.53 $ SignsStreet English Moscow Astana Kiev Moscow Tbilisi Chisinau Kiev Astana Prepare your passport you will need a visa No visa required your visaplease ! 1/2LBeer TOP 5 POST-SOVIET CITIES FOR A DIGITAL NOMAD Wecomparedavarietyofindependentstatisticstofindthebest.
- 25. Digital Report+ 23 443 $ Astana 380 $ 333$ 195$ K iev Tbilisi Chisinau 935 $ Moscow 1 Bedroom apartment Tbilisi Moscow Astana ChisinauKiev 42 10 14 11 08 Internet Service Chisinau#1 MOLDOVA Chisinau 61Tbilisi 78 Kiev 73 Astana 53Moscow 42 ICT DevelopmentIndex Rating
- 26. Digital Report+24 PERSONAL DATA: Protecting privacy in the Soviet Union was not a priority for quite a long time. It was only in 1977 when Article 56 was included in the new Constitution. The article stands out for being one of the shortest included in the Constitution consisting of just: “The privacy of citizens, their correspondence, phone conversations and telegraph communications are protected by law”. Four years later, a leading Soviet legal scholar, Nikolai Malein, opined after analyzing the status of citizens’ privacy protection that some of the norms in the legislation might protect certain privacy aspects, but did so insufficiently and inconsistently. For example, there was no law included forbidding officials in public offices, enterprises or organizations from sharing private information acquired during execution of their official duties. Despite Soviet lawyers’ continued insistence that the privacy of citizens must be protected, the situation persisted until the adoption of the 1993 Constitution of the Russian Federation. A peculiar anecdote is that this problem appeared to be of greater concern for those scholars who took part in the Second World War. Having survived the war, with many losing all in the process, they fought hard for the right of future generations to their own, private world to which the state would not have direct access. The Post-Soviet Approach Nikolay Dmitrik Nikolay.Dmitrik@digital.report DR’s Senior Scientific Advisor and Head of Legal Consulting ParkMedia Consulting. In 2006-2012, as an Officer of the Legal Department of the Ministry of Telecom and Mass Communications of the Russian Federation he took part in the development of legislations on personal data, e-signatures, e-government services and access to information. Author of more than 40 scientific papers in the field of ICT regulation.
- 27. Digital Report+ 25 Convention. The ratification of the Convention appeared to be a ‘forced decision’ for Russia. Practice has demonstrated that European organizations, above all Europol, did not consider the level of data protection in Russia as adequate and, therefore, did not share personal data from European sources requested by Russian law enforcement agencies. Due to the efforts of another lawyer (and Second World War veteran), Sergey Alekseev, the contemporary Constitution of Russia includes two articles devoted to privacy. The Constitution affirms the protection of privacy, personal and family secrets, honor and good name for everyone. Every citizen should enjoy the right to secrecy of their correspondence, phone conversations, as well as post, telegraph, and other communications. Similarly, the gathering, storage, use, and distribution of information about the private life of a citizen are forbidden without that person’s prior consent. Public offices, local authorities, and their officials must provide every citizen with an opportunity to review the documents and information directly related to their rights and freedoms, unless there are legal provisions specifying another approach. Privacy protection issues were on the rise in the decade following the adoption of the 1993 Constitution. In addition to the Constitution, the federal Law on Information was enacted in 1995, which established the concept of “personal data” and contained relevant confidentiality provisions. Unfortunately, the Law also included an absurd (and, thus, never implemented in practice) stipulation that any private entity, whether an individual or organization, processing personal data must obtain a prior license. Also in 1995, the right to sue for protection of privacy in a court of law was introduced into the Civil Code. Notwithstanding these achievements, many other elements of a comprehensive approach to personal data, such as a supervisory authority or obligation to notify when processing personal data, did not emerge until 2005. In reviewing the cases aimed at protecting privacy from the late 1990s to the early 2000s, a pattern emerges: If a request for personal data was perceived as illegitimate, it would be denied, only to be followed by a court appeal. The courts, upon reviewing the case, would usually rule in favour of the citizen protecting their privacy. The original request for information typically came either from government agencies (e.g., court bailiffs) or from a private person (e.g., a request from a citizen to produce a voters’ list). No cases were identified, however, where the petitioner seeking court protection of their rights was the same person whose personal information was the subject of the original request. This may be seen as a trend - the protection of personal data was a subject of interest not to the people whose information was requested, but to the data holders, such as banks, election committees or law enforcement agencies. This trend eventually determined how the actual practice has evolved over time. The court disputes were conducted between the data holders and those who wished to get access to it, as opposed to data holders and individuals whose data they possessed. In 2001, Russia signed the Council of Europe’s “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.” A Federal Law “On Personal Data” structured along the similar Directive of the European Commission was adopted in 2007 to implement the What follows is a review of the legal framework addressing specific aspects of personal data protection. INFORMATION SECURITY The original text of the Law required controllers and third parties accessing personal data to ensure confidentiality of such data, excluding cases where depersonalized or publicly available data is processed. In reality, the fact that personal data was considered confidential by default led to a presumption that it must be kept secret at all times, just like it is done with secret information in criminal investigations or official and professional secrets. As a result, controllers faced strict requirements to ensure security of personal data, and the Federal Service for Technical and Exports Control along with the Federal Security Service (FSB, in Russian) were tasked with supervising their implementation. A detailed list of measures including by-laws dealing with the use of certified protection tools, software, and cryptographic means aimed at ensuring information security was promptly developed. Soon after the enactment of the Law it became apparent that the stipulated requirements were too strict. They were extremely expensive to implement for small businesses (public notaries, for example) and posed unattainable goals for large ones, such as airlines. Due to these reasons, a new version of the Federal Law “On Personal Data” was adopted in 2011. It Elements forming the Russian personal data legal regime, which is similar to the EU Directive 95/46/ EC of 24 October 1995: ++ Definition of key terms, such as “controller”, “data subject” and “processing”; ++ Establishment of the basic principles of personal data processing; ++ Naming the criteria for making data processing legitimate (consent of the data subject, performance of a contract, legal obligation, etc.); ++ Special categories of data (sensitive data), for which special processing requirements are set; ++ Information to be given to the data subject; ++ The data subject’s right to access data; ++ Limitations for automated individual decisions; ++ Confidentiality of personal data; ++ Controller security obligations when processing personal data; ++ Supervisory authority on the protection of individuals with regard to the processing of personal data; ++ Notification obligation; ++ Transfer of personal data to third countries.
- 28. Digital Report+26 introduced a multi-level classification of security measures in accordance with varying degrees of potential risks and probability of resulting consequences. In addition, the special agencies’ supervision over implementation of these data security measures was narrowed down to government offices only. Information security stipulations for all private controllers became de facto recommendations only. SUPERVISORY AUTHORITY The Russian public agency authorized to protect the rights of personal data holders is the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (Roskomnadzor). The agency also oversees Internet service providers and media, as well as guiding the implementation of blocking websites that contain illegal information in Russia (the “Internet blacklist”). The Law provides Roskomnadzor with significant power regarding supervision over the controllers and their activities related to personal data. Controllers are required to submit to Roskomnadzor a notification form consisting of 11 items prior to beginning processing of personal data. For example, one of such items is called “The overview of measures used to ensure security of personal data in accordance with the requirements to protect personal data.” Other items include description of internal policies regarding data processing, a list of data categories and so on. Roskomnadzor is authorized to request any documents or information from the controllers, conduct a review, and limit their access to personal data or block processing of such data in the event that any violations of legal requirements have been identified. In practice, however, this broad authority is quite toothless. According to Roskomnadzor, there are over 1 million personal data controllers in Russia, so inspecting each one of them at least once would take nearly 30 years. Moreover, these inspections include only a formal review of documents to verify whether there is a personal data processing policy in place, a dedicated officer responsible for data processing has been appointed, or documents describing security measures meeting the legal requirements are in place. Roskomnadzor has neither resources nor sufficient authority - strange as it may seem - to practically audit, or at least evaluate the security systems in place. PROTECTION OF DATA SUBJECT’S RIGHTS The federal law “On Personal Data” is a legal act administrative in nature. When addressing the rights of a data subject and the responsibilities of a controller, the law envisages only an administrative responsibility (fines) for controllers that do not comply with legally required procedures. Prior to 2011, the previous version of the law stated in general terms that a personal data subject has the right to protect their rights and legal interests, including the right to receive compensation for incurred costs and/or moral damages through the courts. The author managed to find only three court cases related to compensation for damages between 2007 and 2011 (all cases were for moral damages) initiated by personal data subjects. Only in one of these cases did the court rule in favor of the plaintiff. By comparison, during the same period, Roskomnadzor examined more than 6,000 administrative complaints related to the violation of personal data rights. Since 2011, the Law contains the dedicated provision of compensation for moral damages inflicted on an individual through the violation of their rights. As a result, the number of compensation cases has been Privacy Protection in Russia 09.10.1977 12.12.1993 01.01.1995 19.12.2005 25.07.2011 01.09.2015 20.02.1995 27.07.2006 Article 56 of the USSR Constitution mentions protection of privacy for the first time Articles 23 and 24 of the Russian Constitution stipulate: the right for protection of private life, personal and family secrets; the banning of collection, storage, use, and distribution of private information without consent of a person; the right of any individual to survey the materials directly related to their rights and freedoms. Privacy, as well as personal and family secrets are included in the list of non-material values protected by the Russian Civil Code and can be defended in courts. Russia ratifies the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS N 108). Amendments to the Federal Law “On Personal Data” including: obligatory requirements to ensure information security of personal data by state- owned controllers; a mechanism for moral damages compensation. Data localization requirement comes into effect. The Federal Law “On Information” introduces the concept of personal data and stipulates the requirement for its confidentiality. The Federal Law “On Personal Data” is enacted. The Law contains all elements comprising a legal regime for protection of personal data, in line with the EU Directive.
- 29. Digital Report+ 27 steadily increasing to over a hundred. The courts often take the side of individuals, exacting compensation for damages from banks, bailiffs, or public utilities that distributed or processed personal data in an illegal manner. DATA LOCALIZATION Inspired by the 2014 EU Court of Justice ruling on the “Right to be forgotten”, the Russian legislature introduced amendments to the Federal Law “On Personal Data”. These amendments set forth the legal mechanism for implementation of court decisions forbidding illegal processing of personal data. To ensure such activity is possible, all data must be stored locally. A controller, therefore, was required to record, systematize, store, update, or extract personal data of Russian citizens using databases physically located within the territory of the Russian Federation. The enactment of these amendments was postponed by nearly a year. During the consultations between controllers and Roskomnadzor a common approach was agreed upon: while the cross-border transfer of data will not be limited in any way, all organizations dealing with the personal data of Russian citizens must have facilities to store such data in Russia. It seems that such an approach is acceptable for all interested parties since many leading controllers have already installed or rented storage servers on Russian soil. *** Russian legislation dealing with privacy protection has evolved significantly over the decades, from a single article in the Soviet Constitution to a fully-fledged legal system of personal data protection. The main question on the agenda, however, is still: does this system really protect citizens? The clunky bureaucratic system based on a European model is only capable of reproducing paperwork and reports, creating work for officials, and proving its own value with the fines it imposes on others for a lack of papers or improper filing. Indeed, codifying and systematizing data protection processes is an important mechanism by itself. One could even progress to another stage, where the controllers make their employees learn and understand regulatory documentation. However, the distinctive feature of the Russian system is that if one limits itself to examining paper documents only, the whole process would stop right there and then. In the absence of court decisions to impose heavy fines on those who break personal data protection laws in favor of data subjects, the Russian controllers will remain unmotivated to proactively protect personal data. As for the data subjects themselves, the right to protect their personal information has long ago turned into legal fiction exemplified by the right to press the “I agree” button. As in Europe, the Russian controllers have not managed to find a universal approach combining Big Data technologies with the principles of personal data protection. Detractors of the European model are growing louder in their views that the system is incapable of dealing with this challenge. At this juncture, however, it is unlikely that a reform of personal data legislation will take place any time soon. The existing legislation was adopted not to protect the privacy of citizens, but to facilitate data sharing with European institutions. As it stands at the moment, the Russian legal framework fully meets this objective.
- 30. Digital Report+28 Belarus could soon be among the top 30 nations on the International Telecommunication Union’s ICT Development Index, says Igor Sukach, CEO of Atlant Telecom, Belarus’ leading privately owned ISP. ISP Market Liberalization Equals ICT Development in Belarus Igor SukachInterview with:
- 31. Digital Report+ 29 To what extent do state regulators in Belarus consider the importance of developing the telecommunications market and what steps are taken to stimulate economic growth? The government understands the necessity of enhancing the telecommunications sector as part of Belarus’ broader informatization agenda. Belarus is currently 36th on the ICT index, and for a small country like ours it is a significant achievement. Undoubtedly, the Ministry of Communications and Informatization aims for the country to be among the top 30 nations. The government understands that it is impossible to build a modern society without addressing the challenges of informatization. The goals, which the government sets before ISPs, further the country’s informatization and coincide with private sector goals. Commercial operators want to provide as many people as possible with high-quality Internet access – this is what generates our revenues. Thus, the goals of the state and the telecom business community in Belarus concur, and it’s already yielding results. What is the role of foreign investments into Belarus’ telecommunication sector? Should domestic investments exceed foreign ones? Clients and the telecom sector do not care where investments come from. Subscribers are interested in modern services, which are in high demand everywhere. The issue is this - there aren’t always enough financial resources to develop all sectors of the national economy evenly. So, attracting foreign investment to Belarus is completely reasonable. In a healthy economy, investments first go into the banking sector, improving the general economic climate within the country, and then – to telecommunications. Atlant Telecom was Belarus’ first telecom company to attract foreign investments. What significance has this had for the company and the market in general? In November 2011, the European Bank for Reconstruction and Development became the owner of 35% of Atlant Telecom shares. This was EBRD’s first significant investment into Belarus’ private telecommunications market – a new experience not just for the company, but also the entire telecom sector. Telecommunications companies grow and develop rather quickly, so to be successful they have to attract serious financial infusions. The easiest way to do it is to attract a new shareholder-investor. To fully appreciate the role of foreign investment, one has to see what Atlant Telecom was at the time. First and foremost, we were an ADSL provider, but we had already begun developing Ethernet services, which was and remains at the forefront of the technology’s evolution. Today, there’s not a single provider in Belarus that prioritizes ADSL growth. Thanks to the EBRD’s investments, we were able to focus on building the Ethernet network. Within four years of receiving the investments, our client base grew ten-fold, from 18,000 to 190,000. This development is not only highly regarded by the company’s shareholders, but is also a significant step forward for Belarus’ telecommunications market. No other company in the country has had comparable levels of growth, which allows Atlant Telecom to remain the leading operator of fixed Internet in Belarus. How effective is the development of the private data transfer industry in Belarus? Are private companies able to realize their full technological and economic potential? For a long time, Belarus’ national operator [Beltelekom – Ed.] had monopoly over several areas of the telecommunications business – for instance, on international communication channels. Partially, this remains so even today, although the monopoly gave way to an oligopoly: there are now two state-run operators, Beltelecom and beCloud. In a developed economy, where demonopolization of the telecom market took place a while ago, it is the norm for the national operator to have a 50-70% share of the market, while their immediate follower has another 20-40%. Given that the demonopoliztion of Beltelecom started late, and is still underway, their immediate follower, Atlant Telecom, has only around 5% of the market. This is why the state monopoly in Belarus has impeded the speed of development of telecommunication companies, especially private ones. However, demonopolization is ongoing and we are hopeful about the future. The telecommunication business is very capital-intensive, so development will be slow without foreign investments. Demonopolization offers the chance of enticing these investments. What regulatory measures would telecom companies in Belarus most like to see implemented? In every country, telecommunications are heavily regulated. The regulations may be liberal, but they are still in place—and in every country they are manifested differently. I can’t say that in Belarus telecommunications regulations are necessarily stricter than in other countries. The main difference in comparison to Western countries is that in Belarus access to external communications channels is not liberalized. If such liberalization were to take place, it would be a powerful developmental impulse for the Belarusian telecommunications sector. Having said that, the problems that the industry is experiencing today are due not only to domestic legislative restrictions. Macroeconomic issues not unique to Belarus pose a most acute challenge, too. I am talking about the ongoing economic crisis, including the devaluation of the Euro, as well as the Russian and Belarusian ruble. To what extent must telecommunications services providers abide by national or international standards on data transfer? I am not aware of any country that has developed and maintains its own technical standards for data transfer. There are a number of international standards that prescribe certain norms and rules for all. Yet Belarus, for instance, has specific requirements for operators. We have an institution of authorized operators that provide services to governmental organs working with state secrets. It is completely normal for the government to regulate services, which governmental organizations use. The state outlines its requirements and operators decide whether they conform to these and whether they are fit to enter a certain market segment or not.
- 32. Digital Report+30 THE DEBATE: Rafal Rohozinski Co-Founder & CEO of The SecDev Group and Senior Fellow with the International Institute for Strategic Studies in London NO. It would be a mistake to respond to recent terrorist acts by focusing on control of the internet as it is not the only means by which to prevent these actions. Yes, terrorists use the internet, and quite efficiently sometimes. Small groups can operate globally because they can communicate and send payments across borders. In some cases, criminal activity online can fund the activities of these groups. But terrorist groups are ultimately a small minority. It’s important that police and other authorities have the ability to practice lawful intercept as part of normal security practices designed to detect, track, and deter terrorists — before they act. But, I believe that traditional police and intelligence techniques are more important in identifying groups and individuals than in monitoring internet traffic. If we recognize that terrorist groups are interested in changing the way we live through fear and intimidation, then the worst thing we could do is to allow them to do so, which includes diminishing the clear benefits we derive through the internet. The internet requires policing, but terrorism is perhaps the least good reason for imposing greater controls. Are the recent terrorist attacks sufficient basis for increasing government regulation of the internet and electronic surveillance of citizens?
- 33. Digital Report+ 31 Shavkat Sabirov Dmitry Zolotukhin President of the Internet Association of Kazakhstan Director of the Institute of the Post- Information Society and Principal with the OSINT.Academy project. Former Senior Advisor to the Minister of Information Policy (Ukraine) NO. Terrorism and religious extremism are significant challenges in our country that require constant attention and effective solutions. And solutions will be found in any case. In Kazakhstan, the strengthening of government regulation over the internet is also a permanent and ongoing process that began in 2006. This control is constantly increasing on a global scale. It led to the OSCE adoption of special measures aimed at improving trust between countries on cybersecurity matters. However, electronic surveillance of citizens and active measures taken to combat terrorism relate to the professionalism and qualifications of the individual officials involved. In various countries the approach differs. In some places, it’s done in an awkward and crude manner. In others, it is done professionally and without provoking the public. NO. First, most experts in the field consider this path ineffective and senseless. Even if some terrorist activities can be monitored, there will always be individuals who come up with ‘non-trivial solutions’, thus staying out of sight of security services, whereas all of us will pay the price of curtailed freedom. Second, total surveillance will require tremendous resources, including human resources, to process the accumulated Big Data very likely leading to human and system errors. As a result, we’ll again end up with neither security nor privacy. Third, introducing increasing surveillance over citizens as a result of fear means a conceptual victory for terrorism. As one Ukrainian activist said: “every democracy can be scared into fascism”. Lastly, I do not think that the ‘impending loss of privacy” should be emphasized so much. Soon enough, we will have technologies that will be able to ‘see’ everyone, so the dilemma of ‘is it a privacy breach or not’ will cease to be so prevalent. Things will be accepted by default.
- 34. Digital Report+32 ICT PANORAMA Social Media Influencers, Trends, and Chatter @GovernmentRF 28 Oct 2015 Russia will continue supporting innovative growth despite economic challenges #Medvedev @OpenInnoEN Russia is home to a massive Internet audience and some leading IT corporations, but its innovative development has been patchy – and now troubled by geopolitical tensions. Government of Russia @MIP_UA 16 Nov 2015 #новини #міп #мінстець Телеканал іномовлення #UATV розширює мультимедійні можливості... http://goo.gl/wwf16LUkrainian international broadcasting channel #UATV to enhance its multimedia capacities Ukraine has been developing an international broadcasting system in response to Russia’s foreign media campaign over the Ukrainian crisis. Ministry of Information, Ukraine Ministry of Communications and High Technologies starts special campaign within The month of improving the quality of communication services @AzerbaijanMCHT 21 Nov 2015 Azerbaijan’s impressive record in ICT development is tainted by its poor freedom of expression standards. Ministry of Communications and High Technologies, Azerbaijan @nnikiforov 21 Nov 2015 Попробуйте новую версию портала #госуслуги https://beta.gosuslugi. ru - проверить и оплатить налоги, штрафы, долги Try the new version of our e-gov portal beta.gosuslugi.ru – look up and pay taxes, fines, debtsIn recent years, Russia has steadily increased the number of e-government services available to its citizens, but higher-level corruption is still a pressing issue. Nikolay Nikiforov, Minister of Communications, Russia
- 35. Digital Report+ 33 Digital must be ‘new normal’ for governments, to stay relevant, responsive and accountable in 21st century @Ansip_EU 01 Dec 2015 Former Prime Minister of Estonia, a global leader in ICT integration into society, is now working on building Europe’s digital future. Andrus Ansip, European European Commission Vice-President for the#DigitalSingleMarket At first stage about 500 and in total 2 000 populated areas will have fast&high-quality #internet #Georgia @PrimeMinisterGE 13 Nov 2015 Georgia is among top-scorer for Internet Freedom across Newly Independent States – more affordable access for more people, however, remains a challenge and priority. Prime Minister, Georgia IGovernment services – now in one e-system: Wide implementation of ICT…Uzbekistan with its newly established Ministry of ICT Development is committed to digital progress, yet authoritarian tendencies often stand in the way. @GOVuz 3 Dec 2015 Государственные услуги — в единой электронной системе: Широкое внедрение информационно- коммуникационных технол... Government of Uzbekistan MPs voted in favor of the proposed international broadcasting system Various political forces overwhelmingly support the establishment of Ukraine’s international broadcasting system to give the country a voice in global media discourse. @MIP_UA 4 Nov 2015 #новини #мінстець #МІП : Депутати проголосували за систему іномовлення України в 1МУ читанні http:// goo.gl/iiDwBY Ministry of Communications, Ukraine “...Digital must be ‘new normal’ for governments, to stay relevant, responsive and accountable in 21st century...”
- 36. Digital Report+34 Jacob Appelbaum is an American human rights advocate, hacker, and cybersecurity expert - considers himself part of the “cypherpunk” generation. A master of encryption, he worked with Julian Assange of WikiLeaks and was among the early recipients of documents revealed by Edward Snowden. Today, the 32-year-old is waging a war against governments that engage in mass surveillance of their citizens. After US intelligence agencies began following him closely, Appelbaum left for Germany. A passionate advocate of online privacy, in an interview with Digital.Report+, Appelbaum speaks against state surveillance and promotes the use of encryption software. Image: Wikipedia / Tobias Klenze /
- 37. Digital Report+35 For many years, Appelbaum has been an ambassador for one of the most popular internet anonymizers, TOR. Created for anonymous communication online, TOR helps users, such as the WikiLeaks founders, for example, remain incognito. Human rights activists and dissidents all over the world rely on TOR for the same reason. TOR has a wide range of backers including Google, the UN Human Rights Committee, the United States and Germany,, as well as individual donors. State funding of TOR, however, does not curb Appelbaum’s criticism of government approaches to surveilling their own populations. Mass Surveillance Belongs in the Past Jacob AppelbaumInterview with: What is TOR and what is its appeal? TOR is run by a human rights, non- profit organization that focuses on one of the most fundamental rights, in our view – the right to privacy. We produce free anonymizing software and help disseminate it to people all over the world who use our encryption programs. By using them, you can communicate and search the Web without the fear of being monitored and intercepted. TOR was launched in 2002, and I joined the project in 2004. It’s hard to tell exactly how many people use TOR globally, but we can presume no fewer than dozens of millions. According to our statistics, around 3,000,000 people go online daily via TOR, but these figures are constantly changing. Does TOR have competition? No serious competition. TOR has many advantages; it’s easy to navigate and works with all existing operating systems – iOS, Linux, Windows. We are continuously perfecting it, and following the latest technological development to see what we can apply to ensure online security for our users. Some people use a VPN, which is also a great way to protect your personal data. And it’s necessary to keep them protected these days, because potentially anyone can access them – it’s really not that difficult to do. The problem is that most people are not technically savvy. Imagine a world where we can be – and are – monitored. If people knew they were being monitored, many would change their behavior. So understand this: after 9/11, we are all being surveilled. Every time you send a text message, or make a call, or open your browser – it is not confidential, and it is easy to intercept your correspondence or conversation. State surveillance never stops. I worked with WikiLeaks after 2010, and we had to suspect everyone because at the time it felt like everyone was connected to intelligence services. I can no longer make a call without thinking that I am being wiretapped. I lost trust in the system and intelligence services that so often act outside the law. And they don’t inform you that you are under surveillance or that surveillance has stopped. Why should I be vulnerable? I only have one demand for intelligence services: when you want to surveil me, please, let me know in advance. Every time. Then I will be able to challenge your decision in court, if I find it unjustified. TOR secures the transmission of data, but technologies are always evolving – is it really that difficult to decrypt encrypted information? Yes, in theory, you can decrypt encrypted correspondence. But, for one, it is not easy to do from a technical standpoint, plus it requires a court warrant. Secondly, TOR challenges the balance of power by erecting barriers in the path of those who want to “listen in” on you. For example, my associates and I use encryption programs and live in a world practically free of mass surveillance. Perhaps, we should be talking about limiting mass surveillance, and not its full removal? Doesn’t it sometime help to locate criminals? Where do we draw the line between security and freedom – especially these days, when the terrorist danger is so acute?