Privacy and Internet Policy at Internet Government Forum Australia

A couple of weeks ago I participated in the Australian Internet Governance Forum, both on a panel about Internet privacy (which also delved into the murky waters of data retention) and I also ran a 90 minute session on Government and Internet Policy. Both were fascinating. Below I’ve briefly wrapped each one up.

Privacy Panel

I sat on the IGF privacy panel as an open government person, and it was a fascinating discussion. Other panelist

You can watch the Privacy Panel video on the auIGF website, but you (quite ironically) have to provide your name and email address. If you just want to get the gist of the panel, check out the IGF session captions. I’ve copied the caption service transcript at the end of this post for my archives. They did a really good job on the day, but we all spoke quite fast, so it’ll give you a good but rough idea of what was said.

Government and Internet Policy session

My personal goal in this space is to have a more nuanced public dialogue on Internet policy such that we make more informed, collaborative and inclusive debate on where we as a society, want from the Internet, and such that we can avoid government policies having unintended results that inhibit the social or economic opportunities we have enjoyed to date.

I thought it would be interesting to get some of our Internet policy and practise luminaries to discuss Internet policy. It was a robust and fascinating discussion resulting in some great insights and ideas. Core ideas that came out where a) the Internet cannot be defined because the moment you do so, the technology changes, but b) there are some core values/principles that underpin the Internet that could be used to assess policy. It was interesting to have some, at times, quite contrary thoughts in the room, but to see that by the end of the session, the different perspectives were largely two sides of the same coin.

What I rapidly realised during the session was that most people in this space are focused on a very narrowly defined patch, and each patch is being dealt with largely in isolation from the rest. For example, the idea that “we don’t need to worry about policies that deal with content (such as Internet filtering) because we are focused on the domain name space”. In my opinion this is somewhat problematic because it makes it too easy to play divide and conquer by policy.

As a result of this session I’m writing a short paper on some core values of the Internet that migh be a good basis for reviewing government policies around the world so we can start to reframe Internet policy in terms of what is good for society, rather than the relatively unhelpful and specialised “open vs closed Internet” debate we have seen completely fill the airwaves recently. I’m going to do some policy analysis on some of the big ones against this list of values to see how the model stacks up.

Check out the wiki page where we captured the ideas contributed to this session.

As part of setting up the wikipage for this session, I also invited other sessions to use the wiki. Two other sessions decided to use the wiki and you can check them out at http://auigf.wikispaces.com/

Below are the outcomes of the session, and below that all the content that led us to this outcome.

Values of the Internet

Potential list of values, perhaps “public good” aspects we take for granted, things “on the net”? Perhaps government should be able to confirm they agree with? Perhaps “please make a commitment”. Perhaps the values could be then compared and contrasted with policy positions:

  • Coordination not control– committing to protecting coordination efforts and commitment to participate in coordination:
    • Social: more collaborative approach which might lead to more citizen centric policy.
    • Economic: capacity to tap into other efforts, more effective policy outcomes that align with how the Internet is actually run/managed/governed.
  • Interoperability– open standards, no undisclosed/forced gated communities
    • Social: avoids lock in or out, people can make informed decisions, increased usability, accessibility,
    • Economic: fair market competition,
  • Peer to peer global connectivity– people/devices/all ports/all teh things/any to any – connecting directly to each other
    • Social: free expression, non discriminatory
    • Economic: freedom to provide and accept and service, facilitates innovation, we don’t know what the next killer protocol is going to be, so freedom for future opportnuities,
  • Route around damage– capacity to deal with issues
    • Social: gete around censorship,
    • Economic: resilience, high availability, availability during natural disasters,
  • Distributed control– no single point of failure or control, eg multi-source networks of trust
    • Social: uncapturable, ability for civil disobedience and dissent,
    • Economic: no single point of failure, avoiding damage of monopoly rents
  • Non-discriminatory approach– users, devices, content, jurisdiction, technology neutral/common access, free flowing data
    • Social: affordability, accessibility, availability
    • Economic: free market

Perhaps some point about public information, gov role in providing public infrastructure/information/emergency information/open data (bushfires)? Maybe this is more a policy recommendation than a core value?

Additional comments and points:

Internet must have the capacity to deliver:
All ports, protocols, content, origins and all destinations.

What is the different between the Internet and public roads?
NBN as a policy example where there is a a purposefully neutral policy approach.
Technology doesn’t limit the application. Public communications. Will a private market service the need and if not, then public investment. What are the parameters for determining a market factor. Is it accessible for everybody? Eg comparison with electricity grid.
Consistent addressing structure
Consistent naming structure
Availability, predictability, stability
Government needs to commit to an Internet that is coordinated and not controlled.

Below is the rest of the content of the wiki from my session (for my archive, from the date of this post):

Session Info

Facilitated by Pia Waugh, this workshop looked at the role of governments in Internet management, policy development and regulation. Participants were invited to exchange views on the pressures and issues that could drive governments to take an increased regulatory role, the areas in which meaningful government engagement would be of benefit, and the areas where the open and multi-stakeholder model should be retained. Topics included current parliamentary deliberations on reforming national security legislation and the potential impact on business and end-user rights.

Session Methodology

We kicked off the session by, as a group, trying to identify the high level categories of problem spaces that the plethora of Internet related policies, legislation, codes and trade agreements are trying to deal with. As part of this we had a first shot at identifying the various mechanisms these approaches adopt in trying to achieve their goals.

Then we dived into a discussion about the technical characteristics of the Internet and their social/economic implications. That discussion had some healthy debate that resulting in some consensus that the technical characteristics of the Internet are constantly changing and shouldn’t be pinned down. However, that there *are* some overriding principles/values that underpin the Internet as it was, is, and should continue to be.

We ran out of time to compare and contrast our key categories and the various mechanisms of enforcement, with the model of how we define the characteristics of the Internet. Hopefully this can be part of an ongoing discussion in this community.
The outcome of the session is captured in this wiki, which forms the basis of a paper that can be fine tuned over the coming month in the lead up to the International IGF meeting in Baku and is a part of the Australian contribution to the international discussions.

Where people identify specific tangible policy recommendations for the Australian Government, please add them below. Feel free to copy and paste from existing working this space so long as you give attribution. This will be presented to the Australian Government along with a copy of the paper above.

Policy & Legislation

Please contribute to the Internet related policy/legislation page as this list is far too long to be on this page. From this rather extensive list of policies, legislation, codes and even trade agreements, we can see a number of categories of problem spaces emerging:

Summary of Issue Categories

Policies tend to have one or a number of theme categories inherent (please add/modify this list as it’ll be basis of discussion):

  • Individual interests
    • personal safety (eg cyberbullying)
    • market meeting the needs of the community public vs private?
    • privacy
    • identity astroturfing
    • free expression (and thought, limiting behaviour on the internet?)
      • illegal vs inappropriate behaviour
    • rights? access, usability,
    • consumer safeguards role of gov? market distortion questions?
    • net neutrality
  • National interests
    • skills
    • economic growth
    • national/economic security (eg cyberwarfare)
    • sovereignty
    • knowledge
    • trust and confidence – transactional confidence as well as who
  • Culture & democracy
    • shifting cultural norms can and often respond to shifting cultural norms
    • social inclusion languages, accessibility, access, (need definition)
    • use of the internet in democracy evoting, astroturfing
  • Market challenges
    • intellectual property (copyright for copyright sake? international sake, software patents, trademarks domain name policy)
    • creative/digital industries in Australia
    • innovation (?)
    • competition
  • Legal challenges
    • prejudice and justice on trial proceedings
    • local jurisdiction vs international scope of the Internet difficulty of local enforcement on an international thing, some people chosing selectively the jurisdictional that suits their purposes

It was suggested the above ideas might boil down to the two categories of Ownership and Accountability. Thoughts?

Summary of Implementation Mechanisms

The tools and mechanisms used in policies range from (please add/modify this list as it’ll be basis of discussion):

Government Mechanisms

  • Social
    • Education/marketing of an idea of information
    • Civil remedies
  • Legal
    • Judicial oversight as requirement for legal enforcement mechanisms?
    • Tweaking of criminal acts (personal and corporate)
    • Media law
    • Injunctive takedown orders, suppressions,
    • Contract law
  • Regulation & industry
    • Content regulation
    • Industry regulation imposed, co-regulation (relegatory framework designed to be administered by industry framework) or self/community regulated
    • Codes of conduct
    • Private arrangements eg changes to services, filtering
    • Standards
    • International coordination needs more consideration
    • Public/private partnerships collaborating to achieve an outcomes
  • Gov investment strategies
    • Taxes to accelerate or retard particular behaviours
  • Technology mechanisms
    • Copyright protection
  • Enforcement & Monitoring
    • What role should gov play in both/either?
    • The scope of intelligence agencies
    • Monitoring/management:
    • Monitoring is in all directions including sideways
    • Monitoring of networks, publicising/disclosing network performances
    • Forensics of online information get context on issues
    • Evaluation and analysis of policy values and metrics chosen, evidence
    • Enforcement and publicity of enforcement related to the capacity for an enforcement agency to do its job it directly related to its visibility

Citizen mechanisms
The tools and mechanisms used by citizens to protect themselves (please add/modify this list as it’ll be basis of discussion):

  • Countermeasures how easy it is to work around the enforcement, race to the bottom
  • FOI

Further Policy Recommendations for Australia

Any specific Australian Government policy recommendations you have for the Australian Government, please feel free to link to existing papers, but pragmatic and tangible policy suggestions would be much appreciated.

  • Have official Australian Government participation and active voice in international Internet policy, representing the best interests of Australians

7) Further Contributions Post Session

Canberra Manifesto (contributed by Bret Treasure after the event)

The Internet is our most powerful communication, business and innovation tool. Although it is disruptive and although it may challenge individual governments, institutions, industries and businesses, its overall benefit to the people of the world is clear. The Internet is a path to a more connected and improved society; we look to governments to plan for that future.

So we make these requests:

  • That prior to legislating, Governments take into account the self-expression, community, efficiency and innovation that a decentralized collaborative regulatory structure has delivered
  • That prior to legislating, governments look to existing laws
  • That governments support a globally focused, multi-stakeholder, open approach to Internet regulation
  • That governments foster competition in the delivery of Internet services and access
  • That governments enact principles-based law rather than technology-specific law
  • That governments facilitate inclusion and accessibility
  • That governments respect such fundamental human rights as privacy and freedom of expression
  • That governments address the challenging issues that arise without using them as political tools.

auIGF Privacy Panel Transcript

auIGF 11 October 2012 Session time 2:30pm-3:30pm

[Welcome to Red Bee Media Australia’s Live Remote Captioning Service.]

UNKNOWN SPEAKER: In order to watch it. I think it’s those kinds of copyright restrictions on access to content – it seems cruel to me in an age of digital abundance we have these types of issues for the visually impaired and me as a consumer, if I want to read a book on my iPad, I got a voucher, eBook, which is the only format it’s compatible is kindle fire. These are the digital restrictions, the types attached.
UNKNOWN SPEAKER: I think a lot of us would continue to continue the discussion, but we are eating into the AGM times, the next panel – thank you to all of our panellists and for your questions and contributions. Thank you.
(APPLAUSE)
CHAIR: Can I ask the next panel to come up and those that are staying to stay. If this panel could move t next could come up. We will get going straight away.
The most vehement about openness are the ones who want the strictest rules about privacy, which strikes me as being slightly odd.
For what it’s worth, I’m happy to pay for content. I think I should be allowed to choose the content I watch, rather than have Channel 9 or 10 or 7 decide what they want to import from the UK.
We will do a quick panel switch and move to privacy. Let me read you what we said about privacy. We wrote this three months ago: things have moved on a bit since then. As with the copyright debate, the massive social and commercial changes brought about by the growth of the Internet over the last decade are also forcing law-makers… (reading .).
So they said a lot’s happened in the last three months since I wrote that and we can probably start and finish this discussion with three words – mandatory, data retention. The changes to national security legislation currently delivered by the joint parliamentary committee on changes are a hot topic when it comes to privacy, evidenced by the in excess of 200 submissions. We will come back to it later on.

Firstly, I want to set the scene folks, more broadly. What is privacy today? Does it mean the same things as it means to an 18- year-old? I said I was talking with curt and I said earlier on, for me it’s privacy I want to be able to tell you you’re allowed to know nothing about me. For the Facebook generation, privacy is, I want to publish everything about myself where ever I want to but you’re not allowed to do anything with that information. Those are two fundamentally opposed views. Let’s talk about that with the panel. I will briefly run down the introductions. Curt Wimmer you met, he was here. And Cheryl Landon is the director of auDA, and is the former Chair of the ICAANN advisory committee thing.
This is Craig Ng, General Crown sil for APNIC. This is Roger Clarke, the Chair of the Australian Privacy foundation. This is Pia Waugh, Open Government advocate, former ICT policy adviser to Senator Kate Lundy.
And… Adam is not here. Your name is not on my list.
ADAM.. I am here.
CHAIR: Never mind. I was going to do a pirate thing, but I won’t. It wouldn’t be fair. Okay. What do we mean by privacy?
What do we mean by privacy, Cheryl?
CHERYL: everything I will say in no way reflects upon or is to be seen as the views of any of the organisations that I represent.
I’m a member of or have been a director prior or currently to.

Future I will reserve my judgement on. I think privacy is a dream. I think we lost it. I think privacy was something that may all want to and perhaps in a glazed-eyed moment dream that we could have again, but we walk around with these things, w are geo locating ourselves. We have huge amounts of data collected and we do so willingly. So to say that we have a level of privacy, I think, is a pipe dream. What I do have, however, and we can get back to that later, Chris, is very firm views on what happens with it.

CHRIS: good excellent. Craig, you’re a Facebook junkie, you put anything up on Facebook, given the chance. What do you think? CRAIG: That’s true. I think that the Privacy Act in Australia is a misnomer. For us to be comforted by the fact there is a Privacy Act, to think we are protected, our privacy is protected is totally wrong, because our Privacy Act is so limited in its scope that the traditional concept of privacy to people on the street, you know, privacy not to be photographed; you know privacy not to be put up on Facebook and for your picture to appear and tagged immediately, there is no protection against it. So, you know, and I’ll be interested to talk about privacy act in a moment, but our Privacy Act protects us from such a minute scope, that it’s virtually ineffective.

CHRIS: curt, from an American perspective?
KURT: We don’t even have a privacy act. We entirely react. To specific problems. I think privacy is an agreement. It depends upon, you know, what you can work out with whoever you are giving up voluntarily your privacy to and whatever pledges and promises that are made or basically that we enforce through the act, I think.
CHRIS: Okay, Pia?

PIA: all right. Basically, privacy is whatever an individual perceives it to be. The problem is that of course that depends on your technical literacy. With a relatively technical ill literate population, you have no privacy. People want to protect themselves as much as as little as they want but because the IT skills have gone so down, those people are not aware of what privacy they have. A lot of people don’t think about environmental policy. There was a case study where data was published that looked at floa and fauna in the northern seas of Australia and in a couple of weeks a particular species of fish was almost done to extinction. I think there’s a huge amount of optimism that I have, which is…

CHRIS: can you slow down a little bit… These guys are really good, but…
PIA: Sorry, weirdly enough, it’s ten timings as fast in my head. I will try.

CHRIS: I have to stop you – I have the concept on fish privacy, which I think we could spend hours discussing!

(LAUGHTER) PIA: Environmental privacy is what people don’t think about. And there is the panoptic of things going on about the state of being able to see into the lives of the people, one of the cool things is the people can see back into the lives of the state. That’s interesting, though I think there is a lot less privacy than there was simply because there is the capacity to get to data, it creates possibilities for better democracy as well. The final point I will make is that there is a disturbing trend towards looking at inappropriate behaviour as opposed to illegal behaviour. The enormous amount of data available from people who are not technically literate enough to turn it off means that there is a whole judgement call going on inappropriate behaviour, rather than illegal and I’m concerned about that.

CHRIS: Adam?

ADAM: The cyber punk manifesto says that privacy is the right to selectively reveal oneself to the world. It is about saying this is a piece of information about me and this is the audience in which I give authorisation to view that piece of information.

There are lots of talk of the young generation these days putting all this information on Facebook and how they are giving up their privacy and they don’t care and it’s fine. They do care. They care quite a lot. We know that, because when things like Facebook’s timeline update came to and people in France realised there was a discrepancy between the intended audience of some messages that were posted on people’s walls, or in their inboxes, it’s not 100% clear if that was a bug replicating that information. There was certainly people who said that message was private. Now it’s public. That’s not okay. There are heaps of examples of people actually saying there is no way that would have been intended for a public audience, like a young woman who called up Triple J and said: “I wrote a dirty poem to my boyfriend”. His parents were able to read it because it was on her wall. The assumption that we are giving up our rights and saying we don’t care about it is false and we do care.

CHRIS: I’m sure you do, I agree. Roger.

ROGER: where to start. A privacy is the interest individuals have in a private space. We have a fair bit of con sis ten – – consistency. That’s abstract. The only people who are interested in that kind of abstract rubbish are people like me who publish articles on it. Privacy is a specific gut feeling every individual has and each individual has it differently at different times. It is utterly situational and utterly personal. If we have a list running down the screen of a privacy breaches reported in Australia this week, there would be enormous diversity and we would react differently to the examples as they came across the screen. That is how it is. And yes, it would be nice if we could divide it up and tackle just some of the things, the Privacy Foundation is so stretched across that great list. That’s not the reality. Now, the critical thing that you’ve been raising, the assumption that’s built into the wording we were given, has to do with the “privacy is dead” proposition. It’s not dead because people demand it. They don’t walk in the streets saying: “We want a real Privacy Act instead of this rubbish semi-data protection act”. They don’t do that kind of thing. It’s the abstract. People are only interested in the spefpbg. — specific. They will walk against an Australia card and against an access card and they will walk against data protection and a range of specific things. People demand it. Privacy ain’t dead. Privacy pauses in between flurries. One thing I that will hammer, but I won’t give you the explanation because I will get more air time later, won’t I Chris? (LAUGHTER)

The igeneration, the digital natives, that lot, I call them the igeneration for obvious reasons because “i” stands for everything in this conference, the igeneration will be more privacy sensitive than previous generations. I will explain when I get the chance.

PIA: I want to make a comment. I always find it funny, a lot of my peers didn’t get computers until they were in late High School or university. I had a computer since I was four because my mum was a geek. Now when I was a kid there was an active campaign called “stranger danger”. It taught you all the basics and so when I was on, you know, when I was dialling into remote servers and having chats with people in the mid-90s and running up huge STD phone bills for my school, I, you know, you applied those principles t principles applied directly. One of the myths we face is that online privacy is somehow a completely different thing from meet space. I never call it in real life, because I believe online is real life as well, but meet space privacy is not that different. I think part of the problem we have is that we’re trying to treat it like something different, whereas the basics of stranger danger and tech literacy, chose things combined give us the tools to maintain our personal level of privacy to our satisfaction.

CRAIG: A small point. I think privacy is something that moves with time as well, just like copyright. I think it’s a balance. It’s a balance between society that wants to protect privacy verses safety. So you know, those of you in Australia would be familiar with the case of Jill Meagher who recently passed away. CCTV suddenly is acceptable and encouraged and well, I haven’t heard a lot of…

UNKNOWN SPEAKER: I will disagree.

CHRIS: on CCTV – in the UK, where I’m from, it is almost universally loved. Everyone thinks it is fantastic, not everybody, but general people, society, thinks it is great. And it is in fact supported and promoted by all of the great British detective modern detective programs who, which refer constantly to the fact that almost every crime is solved due to CCTV.

CHERYL: What are the statistics on the crime solution, it’s infinitesimally small.

CHRIS: I’m not suggesting being a fan of it, but it can be embraced. In Melbourne it is happening now because of an individual event. You said you violently disagree. Go ahead and violently disagree.

CRAIG: I didn’t say violently. The statistic that was out after the case was that in the UK one in 1,000 cases are solved with the aid of CCTV, and another report that was put out said that the amount of money that gets poured into CCTV could be better spent putting in street lights.

CHRIS: I agree. Still loved though.

PIA: Sorry, I saw a brilliant speech by, can I can’t remember his name, I will remember it, but about the difference between security theatre and security reality. This is part of the problem. There is a lot of theatre going on. The talk is on the Linux website from a couple of years ago. But the, but I think this is a big issue. And data logging is a really good example of theatre verses reality as well. So we will get to that one.

CHRIS: do we have CCTV in the states publicly?

CURT KLS: NOT TO THE EXTEND AS IN — NOT TO THE EXTEPBLT AS IN THE STATES.

CHRIS: do you want to say something, Josh? We will get on to data retention. I know you want to talk about it. Yes, Josh?

JOSH: With regards to the CCTV stats on solving crimes, one may have to ask: does the presence of CCTV prevent or prevent crimes happening in the first place?

I don’t know.

UNKNOWN SPEAKER: Initially there is a lull when people see that there is an increase in surveillance of them. But they get used to it. And that deterrent fades a away and then it gets used for tracking people.

CHRIS: I will get to you.

UNKNOWN SPEAKER: More fine-grained than that. Crimes of passion are uninfluenced. Crimes are maybe briefly deterred, but there are still thieves who do it in front and get photographs taken of them. Mostly it is displaced, almost all of the effect of CCTV that’s been measured in the States is dace placement of behaviour.

CHRIS: you’re all talking about facts.

(LAUGHTER)

UNKNOWN SPEAKER: We’re not talking about data retention.

CHRIS: it makes people feel better.

Paul Evans, you had something in I have a remote comment from Tom.

PAUL: I want to smile for the camera. Hi.

(LAUGHTER)

20 years ago, Roger, you and I were implemented the Privacy Act. Do you agree with Craig that it is almost a piece of relic-try? Do we need to revive it?

CRAIG: The privacy act is distinct from the amendments and was worth having. It’s since been cut away by a myriad of slashes. Obviously every successive act overrides it in many respects. It’s never been adapted to take account of technological change. There’s been many end runs and every loophole has been used and many loopholes have been found that weren’t designed in the first place. It’s become poor. Fit was enforced, if it was enforceable it would help but the limited power that the Privacy Commissioner has got are not used either. I think the Privacy Foundation protects you better than the Comigtser. — Commissioner, I would say that.

CHRIS: Tom, do you have a remote thing?

TOM.. Yes, this is from ‘Dude D’. He says: “If privacy is a dream, why do you have curtains?”

(LAUGHTER)

CHERYL: I’m happy to respond to that. Chris knows I’m happy to respond to that because I’ve given up my right to privacy. There is not a single curtain in house. There are not doors in my house.

UNKNOWN SPEAKER: She lives on top of a mountain.

CHERYL: there are also no neighbours. We’re all wearing curtains right now. I can change that.

CHRIS: all right. Now, back away… Thank you.

All right.

So there’s a wander through the joys of what privacy means or may mean or may not mean.

(Pause). There’s obviously a balance required, right? Between privacy and, let’s just call it security. We could argue about the term. Let’s call it security. We will get on in a minute to data retention. There’s a balance required between security and privacy, some of our information has to be available. How do we, what’s the perfect, is there a way of striking that balance? Who should decide? How should we decide? Yo go ahead. You waved at me.

Slowly.

PIA: I will articulate madly, will do that to slow myself down. You see, it’s funny. I see the balance as not necessarily between – there is a balance between security and privacy, but the balance between openness and privacy is challenging. I think the only way to strike that balance is firstly to not assume that any one group or any group in isolation can make that decision, there needs to be an ongoing dialogue and debate in the society and community and done in a transparent way and it needs to be done in an iterative way. One of the things I’ve thought about and I’ve started to look at ways, have started doing projects to implement is looking at policy from an iterative approach – how can we have, dare I say it, an agile approach to policy development, where rather than the policy developers in isolation with a smaller group of stakeholders, you have open policy development and then in the first instance, so you get more peer review, more transparency and then upon implementation, it’s constantly being monitored, to use the term, and reviewed and recommendations made and fed back to the policy. It’s only through having that ongoing approach to policy can government policy maintain flexibility and be able to respond quickly to new challengers and opportunities. So in a way our entire approach to policy needs to fundamentally shift to answer that specific question. In the question about managing the balance between openness and privacy, the part of that debate ends up being, well, you know, we need to have a certain amount of low, you know, you can’t goo too high res into a lot of data stats because it is very easy, with age location to identify 80 per cent of people from a data set, so you need to make sure it’s low grain enough to protect privacy, but high grain enough to still get policy outcomes, research outcomes, transparency, and to help the society and the different aspects of that society make well-informed decisions.

CHRIS: I have Cheryl and Roger. But I want to check in with Kurt. You said a little while ago you tended to be over reactive in the States. A lot of, it’s hard to go back, once you’ve taken a step forward with legislation.

P9/11 example is a good one.

KURT: There is a balance between privacy and security, but that is your right of privacy as against the state. There is another balance that’s sort of a balance between privacy and maybe free content, which might be your balance as against commercial operators. You know what, as to the first balance, I think you are right. I think once you sort of change that calculus, you never get it back. September 11 I think did that to us as a society, and it’s very hard to get it back. We have the Patriot Act passed in moments after September 11.

CHRIS: Sounds like a demine act that says you should be patriotic to America.

KURT.. We’re great at acronyms.

CHERYL: I read a — made a couple of notes. One thing I want to come back to were Pia’s words that there shouldn’t be this big difference between the digital world and the cloud, our second lives and thirds verses the hard copy one that we’re all used to and historically perhaps have our benchmarks from. But when we make a choice on privacy or what I’m going to expose or not expose to whatever audience in the, inverted commas “non-digital” and, therefore, some people believe “real world”. There are those of us who think that is the opposite. I’m making an informed choice. I decide as suggested whether I put up curtains or not; whether I walk down the street with my credit card number printed on my T-shirt or not. These are things that I would decide I should or should not do. So I know what I’m doing. And who has access to the material I’m exposing or allowing to be collected. So what I would like to also bring into the table for the panel is how we ensure that the individual or perhaps small community or group or state knows what information is connected – is assured of the accuracy of that information. You know what, typos happen; wrong bits get connected to the wrong name. Do we have ability to redress and repeal and write these errors when they occur? It’s basically what’s been used, how it’s being used, why it is being used and that you know about it. It’s informed consent and control.

CHRIS: can I will go to Roger and then I have a comment from over here and then there.

ROGER: Pia joined my board and may be following me as chair. Everything she said a few more things as well. Privacy protection is the process of achieving balance among multiple constituents. It is the APF works with. There is no privacy absolutism, that is nonsense. What is the balance among? Among interests of the individual themselves, you have to trade off multiples. Interests of the group, interests of community, of society, and unfortunately, terribly powerfully, interest of corporations. There is all sorts of balances that have to be done. A further factor is that the four dimensions of privacy I’ve always used are the weakness of the so- called Privacy Act. It’s only a data protection act. The other three are behavioural privacy, privacy of individual communications, and privacy of the physical person. When you go on television on the news straight after the announcement that $3 million of CCTV cameras are going to be strewn across Melbourne because Jill Meagher’s been murdered, you have to think through very carefully the balances. Physical privacy is sufficient that such that about the worst invasion of privacy you can suffer is to be killed, about the second worse is to suffer serious violence to yourself. They are all part of privacy. There’s many different balances. How do we do it? There’s a small set of principles which government agencies, legislators and corporations try hard to avoid. If they would work on these principles x we would get somewhere. The first is justification. Why are you doing this? How is this going to work, what is the problem you’re trying to solve and what is the mechanism whereby the change will occur? It is proportion natural, taking into account the side effects it will have? Is it transparent? Do we have the information to work with, or are you hiding things from us? Are there controls in place, which includes mitigating measures in order to overcome the necessary negative effects on privacy, and is there accountability? Can we clobber the people who play the game badly. If those things would be applied, if privacy impact assessments were forced on organisations, public and private sector, we would address these problems.

CHRIS: that solves the problem, we can all go home. Perfectly fine. Rob.

ROB: One of the balanced points I think is between privacy and free speech and freedom. There’s discussion about the right of the individual to choose how much of them about themselves will be revealed. But three comments made in private comments in recent weeks I think illustrate that there is more than just the choice involved. Mitt Romney and his 47% comment made at a private dinner, Alan Jones’ comments about the Prime Minister’s father, made at possibly, possibly not, a private function. And the former Speaker’s texts clearly intended by him to remain private. Each of those things are things that do have, there is a genuine public interest. People may disagree as to what extent the public interest probably for Romney’s cases, it is clearly relevant to probably the most important election that will happen in the next four years.

CHRIS: that is unfair!

ROG — ROB: in each case there is potential public interests. The balance about not always having the right of individual to choose how much privacy is revealed is important.

CHERYL: I need to respond briefly to Rob. I think what you made is an important point. I think there are times when one knowing what one is doing, and a public person is one of these categories, they should assume that they are giving up certain likelihoods of the right to privacy. I’m not a particularly public person, but I do believe and mostly it happens, that just about everything I say, do, or otherwise, is probably going to be recorded, photographed, taken down, in many cases transcribeed into three or four languages. And and it will be searched on the Internet. Because of that, I would be incredibly stupid and I’m not, to do anything, say anything, or transmit anything that I would not have published on the front page of the following morning’s newspapers. I’m not saying it may not make interesting reading from time to time, but you do it informed. So it’s just dumb to think that if you are public, you should do that.

CHRIS: Now I understand why you often speak in headlines. I will go to this gentleman here.
PAUL: I’m retired, so can say anything I like. This is the fourth session today, and three out of the four I think had the same message that we’re all missing. And that is the education of the young. I’m not talking about High School students. I’m talking about peer, stranger danger, walked past a daycare centre and a little kid said, “Hello stranger”. I thought, there you go, he’s got the message. I didn’t speak to him. I kept going.

(LAUGHTER)

There was a camera there, I didn’t tell you.

The reference to the igeneration and I call them exactly the same is probably right. When you start out in primary school, what are you, five? Six years old, thereabouts, and half the tackers have got telephones already. So why aren’t we teaching them that this telephone is communication device which can get you in a lot of hot water. They’ve all got mum and dad’s computer to play, learning games on, and/or I’m a small bugger I can do all sorts of thing t why are we not teaching them from that age onwards that these are devices that are tools that you can use that have inherent dangers and you need to learn about them? Then you have an informed choice to be an absolute idiot on Facebook, or Twitter or any of those other devices. I, like quite a lot of people in this room, came to computers in the middle of our working careers, so that we were already suspicious of the damn things. You know, we looked at these square boxes and went, “I don’t know about that”. Like most of us, I think we all do our electronic banking and all that sort of stuff and…

CHRIS: what’s your password again?

PPAUL.. I write it on a poet-it note! We’re all fairly bleary about things like that. So we inherently have that privacy attached to us because I don’t know about you, but when I was a kid, I was seen and not heard at the dinner table. Until a certain age. Whereas now the kids probably sit in the dinner table bloody texting somebody. So who knows.

CHERYL — PIA: you’re still carrying your phone around, that’s meta data.

PAUL: Mine is turned off unless the AFP has the triangles on the towers running. We need to educate the young ones, so they are the generation coming forward and they will carry the privacy, they will understand what digital rights are; they will know where to go with copyright, and all of those other ones linked together, that’s where it ought to be.

CHRIS: speaking at a young one, I’m looking forward to being educated. I’m sure that will happen.

Now, Craig wants to say something, hold on.

I’ve got this gentleman here, comments at the back. I had Narell and John, and Geoff and we are still, we still haven’t got to data retention. That is kind of my ultimate goal was that we wouldn’t get there. You want to bring data retention in? I promise we will get to data retention. Narell; you want to deal with this point before we go to data retention? Let me take that off you. Don’t worry guys, I will do it myself. You relax.

NARELL. What was it, 100 or so years ago and this funny electricity thing happened. People were terrified the kiddys would be burned and the adults, the parents, were terrified because they could see how dangerous it was. There were very real dangers. And over time we figured it out and we incorporate that into our parents practising and we rapidly teach children not to stick things in power points and occasionally we miss out the occasional kiddy. (LAUGHTER)

CHRIS: how occasion — how nicely put…

(LAUGHTER)

CRAIG: I agree with the education point, but the erosion of privacy is the function of technology. You know, once upon time when, you know, when I was a younger kid, when you receive a letter it’s private to you. You ep it, you lock it, no-one sees it. You know, today my email is hosted by Google. My, I use Chrome, and I synchronise my website together, and…

CHRIS: what’s your password again!

CRAIG: I trade convenience for having my information in the Cloud. I trust Google to some extent, but do I trust the Government not to access my data at some point? We will talk about data retention. My data is everywhere. Every time I step on a tram, my electronic Miki card tracks it. Every time I use my credit card it’s tracked. And my credit card company keeps it for more than seven years. We’re worried about two years of, you know, it’s a balance. We’re talking about what sort of data we’re talking about, but you know, I used to be a partner in a law firm and you know, record retention policies, everything is kept for seven years, so your interaction with your banks, other commercial entities, those records are kept for seven years. So it’s a bit of a balance.

CHRIS: Quickly, then we will go to data retention. Geoff you’re on.

GEOFF. I thought we lived in a society that believed in redemption. I did something wrong, I went to court and got tried by a jury of my peers, I served the time and then I was erased, I could start again. Even the jurists who tried me are not meant to have knowledge of my previous heinous misdemeanours before this particular one. Privacy is about time as much as it is about now. What we’re seeing now is the data logged is never, ever, erased. The person I was when I was 16 is not the person I am now. I’m a different person. There are things I did then that I really rather no- one would know about. Oddly enough, I it was pre-Google. You guys don’t know about it. But my children can’t do that. I think that’s really sad. I think that’s incredibly bad. I think it’s bad that we’re trying to impose standards on our children that we as children never had. I’m not sure they’re capable of doing that. I would like to understand your views. I’m not concerned about privacy. I have nothing I’m ashamed about. When you think about yourself, when you were 13, and does that still apply to you now?

CHERYL: I didn’t have nothing I’m ashamed about. Education has been pointed out and a number of our users. And when we put things out on Google, to be fair, that you know, it’s going to be there forever.
CHRIS: I’m going to go to certain people desperate to speak. I want you to please be crisp.

PIA.. We’ve had a period of tile. I will say00 years, of pretending to be something we’re not. We’ve all drunk the Machiavelli Cool Aid, we pretend we’re pristine and norm Mall. I think that is a big opportunity for us to become more mature as a society and realise that we aren’t, you know, pristine little Stepford lives and that’s a good thing. Though in the short term there will be pain and there will be pain, I think in the long- term it is good for us. That’s it.

ADAM.. One of the problems with that is that there are still regimes in the world who like to kill people. For dissenting views. And when you start saying that privacy in the West is something that we don’t really care about, that much, and we should be a little bit more open and we should be allowing a little bit more access to we can grow as a society, it’s dangerous, because we start allowing companies like Fin fisher and CISCO to build devices that get placed into Syria and end up being very damaging.

CHRIS: you end up being killed precisely because you’re not private. You say stuff you’re not…Should you be saying it? I wasn’t being literal, I was, but it doesn’t mean it’s my view. Roger?

ROGER.. I say that the identification would be more privacy sensitive. No-one — the indie case would be more privacy sensitive — the igeneration would be more privacy sensitive. Young kids are risk-takers. It’s a function of age. It becomes more risk-adverse as it gets older.

They accumulate more things to hide. They had some when they were young, but not many, they get a lot more as time goes by. The current generation habit ten much earlier and bit ten more often than our generations were bit ten. Their indiscretions, carrying on from Cheryl, we can see they’re record which yours and mine weren’t. And they’re seen by more people again later than ever was the case in the past. Guess what? Each generation each generation is becoming more savvy. We need them to teach that way around, not that way around. And each, the igeneration will, as a result, be much more sensitive…

UNKNOWN SPEAKER: This is why groups like the crypto party has been a success. After the cyber Crime Bill was passed recently, there was no party like a crypto-app install party. So someone started the hashtag and said let’s get people together, drink beer and teach each other how to increase your communications so that data logging is difficult.

PIA: There was a case study of people who had kids. We’re very security conscious. Maybe bad people could take them and you know take our children. Here is this story on the front page of the Sydney Morning Herald with the parents, holding the children in swim suits and talking about how much they care about their privacy. Come on.

CHRIS.. What do we have from the ether? What will the wireless tell us? If you can get a microphone that works?

Technology is fantastic.

A question from Liam Comford from the Pirate Party Australia. He asked: are consumers making informed trade-offs. Do consumers have proper appreciation for how far-reaching the risks of their information of self- disclosure are. If not, what can be done about this?”

CHRIS: they’re not. I have basically no clue what the apps, what information the apps I use on my phone are giving to whoever it is, I don’t have a clue. I mean, I believe that if I use, if I get my apps through iTunes, there’s more of a chance I have protection than on android. I read that somewhere I and I don’t know if it’s true. That’s, and I consider myself to be reasonably okay about this stuff, I have no idea. I am going to move on to data retention.

Data retention: what do we think, good or bad?
Can we start with, can we start with you, Kurt. So, you know the prose – Data retention, two years, mega data, pretty much everything.

KURT: When this came up, I was practising in London and we wrote a paper for the House of Lords saying what the human rights and data protection records are with data protection. It’s the same as you see today. You have to look at it from two lenses. One is human rights law is a proportion natural, is it necessary in a democratic society, all the usual tests. And it’s questionable, it seems to me, to sort of gather information on everyone in the society, in case you lailter need to — later need to use it. But even from a data protection/ privacy act perspective, it is clearly an incursion of existing data protection/ privacy rights. I think it is a serious problem. I think it’s one that, you know t Europeans have already gone down that road and then there is, we’re starting to get pushback from the constitutional courts, but it’s tough. I have trouble seeing the notion that 23 million people need to be surveyed and — surveiled and capture whatever small percentage of criminals it is have to be captured.

CHRIS: it’s Australia, there’s a higher percentage here.

(LAUGHTER)

CHRIS: I will go to to this pirate gentleman here and then come back to the panel. While the microphone is coming, you’ve heard the argument: if you have nothing to hide, you’ve got nothing to worry about. We will talk about that in a minute.

GLENN: Glenn from Pirate Party.

CHRIS: speak up, slow down.

GLENN: if data protection is implemented currently to the report if in the process, we can’t verify the proposal because the Attorney General refuses to release the information on the draft legislation, what chilling effect do you think this will have on the way people use the Internet?

PIA: You guys are awesome as loaded questions.

CHRIS: as a lawyer, that’s referred to as a leading question! We will go to Cheryl and then Craig next.

UNKNOWN SPEAKER: (Inaudible) in not providing the information needed on proper public debate and it’s to the Parliament they should fling the thing back in their face. Leaving process aside. What’s different about the proposition? An organisation could come and say that they need data retention and here’s that justification and we would need to argue it through. What is different? Why does this matter so much? It matters because hitherto our ephemeral conversations were that and didn’t end up tracked into files, we used to read things in libraries, we used to read things in our homes. It’s now trapped into protocols, trapped into logs. Every book your download is trapped into logs, it is behavioural privacy, not just our privacy. It is a’s — that is the chilling effect. Narell was trying to get it through to the committee. It’s hard to get basics through let alone the more subtle points. This audience is different, of course.

GLENN: You’re saying that mega data in a grey gate is content?

UNKNOWN SPEAKER: It is massive content. In the past suspicion had to exist about a person before the big guns could be rolled out and interception achieved. We all support that. A PF policy supports appropriate powers for law enforcement agencies. Ipso facto suspicions based on anything that turns out in the future to be a bad thing.

GLENN: that’s with the assumption that people who have access are good people.

UNKNOWN SPEAKER: We don’t have — we don’t believe that in the APF. We say there will always be another bigotry. If you’re in Cambodia for a long time, a degree from a university is one you didn’t realise you will run into. There will always be new nasty things that turn up with ipso facto suspicion generation. They can mine for it because of the richness of what’s available and the power of the things we have. If we don’t teach our technology to forget, going back to Geoff’s point, we’re in deep trouble. Then I would worry about us having lost privacy. I haven’t, by the way, I don’t believe we have lost it, we will lose it, unless we act and beat off stupid things like the proposal.

CHRIS: who wants the next crack? Cheryl?

CHERYL: You said me. Hear, hear to the speakers. I agree if there is a like or dislike, it gets a big dislike from me. The thing that really worries me about this potential huge net dragging through the waters of everything we do digitally, and keeping it for the length of time that it is, is proposed to, is exactly the same rational as we think there might be a disease, and so we’re going to treat you with absolutely everything. We don’t know what the consequences of this is going to be. The unpredictabilities are not worth the risk of taking it. There is more than adequate, as has been discussed on this panel and earlier ones, ways of tracking the real bad guys when you have due process, and proper suspicion. But there is no transparency, there is no accountability, there is no ability for the individual to have what we’ve been talking about, informed consent, or knowledge of its use, how can you give away for a whole community, the right that they should have to know where their data is or isn’t being collected and stored? What worries me most is that it’s the purpose behind it. Because I’m already admitting to huge digital footprints being left in my wake, we’re all leaving them. They are so disorganised and so disparate, that it’s a huge effort.

Every one of the Twitter people or feeds I follow is analysed. You will learn a lot about me. It may not be a bad thing, but what, as Roger said, is huge change in the future?

PIA: I didn’t make it explicit, but I’m not speaking on behalf of any employers. I need to be clear about that. I have three problems with the data retention issue: the first one is it’s based on a faulty legal precedent. Apparently the European legal precedent has been overturned in European Courts and there is information today or tomorrow about that from the NSW Cyber Laws space centre thing, so that’s the first one. And that keeps getting references, you know, part of the precedents and you know, that’s a good thing it’s been overturned. The second thing is it’s not based on a good logical precedent. The quote, and I did a blog post about this issue and I quoted and there was a good story about it quite recently that was well researched and there was a quote there from the AFP saying that if we, I guarantee you if we don’t have access to this data, we can’t possibly catch anonymous. Now, there’s so many things wrong with that sentence, not least at all any geek worth their salt misbehaving knows how to encrypt, how to use proxies, how to do touring. The data retention won’t help catch these people. The premise is illogical. There is no evidence about how this will help people catch the bad guys. The third thing; the biggest one, whenever I explain this in normal words to normal people, they get enraged, but what happens is that the entire issue is part of the whole suite of issues which is geeks verses spooks playing out in gladiator war games in tiny dark corners and it is not a society-wide conversation about the Internet and society and what we are and are not happy to compromise on. We need to reframe this entire debate to be about what do we want, what do we not want and I’m running a workshop tomorrow, where I will do exactly that.

CHRIS: thank you. We are coming to the close. I think Pia had a —
UNKNOWN SPEAKER: Pia had a car analogy.

PIA: I won’t advertise any more. If we went to the Australian society and said: we will put a tracker in your car. Everywhere that you, where you begin the trip, end the trip, everyone that gets in the car, but we won’t record what they say, we could, but we won’t. And people would go nuts. We all know we have the technology with phones, but if we actually proposed that, people would go crazy, yet that is meta data effectively.

CHRIS: I will take a couple of comments from the floor and close up with the panel. So, yes? Brief. And crisp. To the point.

JOHN: Current hat would be electronic function in Australia. The Attorney-General’s apartment will be appearing before the joint committee on intelligence and security at 3.45 tomorrow at Parliament House. Please come, unless there is something on here, of course.

I just wanted to follow up on Pia’s point about the European experience and just give a little bit of detail about those countries that have actually declared data retention to be unconstitutional. They are Germany, everyone’s heard of Nastazi and Bulgaria, which had an oppressive regime, they are Romania which had one of the most oppressive mass surveillance schemes; they are Czech Republic, which had similar experiences as well. If you look at these countries, these communities, these are societies that have genuine experience of what mass surveillance does to its society. They have said this stuff is not acceptable.

I think that is the way we need to look at this. We’re lucky in this country. We don’t experience this. We have no experience of what mass surveillance can do in terms of the corrosive effect on society and we’ve all talked about the issues. I could go on at length and I won’t.

You know, we need to learn from the experience of these societies and say this is not acceptable in this liberal democracy that we apparently live in.
CHRIS: good point. Thank you. (APPLAUSE)
JOHN: hopefully we don’t have to learn that through a world war or revolution.
PIA: We are in a revolution, man.

CHRIS: You’ll be first off – oh, never mind! (LAUGHTER).

Very quickly, please.

UNKNOWN SPEAKER: I think there are two sides today ta retention. There’s the public domain and then there’s the governmental one. I don’t know how many of you are aware unless you’ve just download your Medicare statement for your tax, but the Australia card has arrived, we haven’t looked in the mail. You cannot download a Medicare statement from Medicare unless you join Australia online, which links you to Centrelink and human services and the ATO. The four main services that the Federal fraudulent policing societies gather data from when they will prosecute you. So there you go. It’s already happening.

CHRIS: encouraging news. Very quickly, Geoff? Quick one from Geoff. I want 30 seconds to a minute of closing comments from panel.

GEOFF. I want to remind people when they consider data retention in the coming years. Two facts: we’ve run out of V4 addresses, right. And two, what that means for data retention. Because we’ve run out of the four addresses, carriers now have to put in carrier-grade nats. When you talk about the data gathered by ISPs, it is no longer the fact that you were online on this day and used that address. No, no, no. Many folk are using the same address. The data that will be created is which TPC sessions you opened to which address. Let me translate that. Every site you visit, every ad that gets delivered, every email is then logged. Everything. That’s the way carrier grade logs. It’s an enormous amount of data. But this is data that Google would kill for. This is you, in all of its gory detail. This is part of data retention. That’s a very spooky concept.

CHRIS: minute at the moment going down the line. Kurt.

KURT: I think what this shows is that this group which cares about Internet governance, the future of the Internet, has a huge stake in privacy. This isn’t just an issue we happen to care about because we care about a lot of issues that surround online activity. It goes to the trust that people put in the Internet, your ability, a medium for the future and core Internet governance issue, not just data retention, but privacy generally.

CHERYL: When I started off saying that privacy is a dream and a myth from the past, it’s also hugely important and something has to be on the current agenda. It’s all about informed and personal choice and control over data and its use.

CRAIG: While we should be concerned about data retention, we not be distracted by the data retention debate, and lose sight of the fact that data access is a more important issue. There’s data everywhere already. The question is who has access to that data and when. And I’m worried that this debate about data retention takes the focus away from access which I think is the bigger issue.

ROGER.. That merger of the larger control agencies in the VHS cluster has been brought to you by the perpetrators of the access card who were promoted to be the team that developed that process. Does that tell you something about the persistence of senior executives in government? Second point is that the John Lawrence down here, who produced himself from being from the FA is also a director of the Internet…

(LAUGHTER)

PIA.. I didn’t want to go into it. Briefly, I want to make one point to final Liz, but on that particular thing, the goal I think of privacy in terms of how government relates to citizens and I believe part of the goal of australia. gov.au, is to give people more permission about, not permission, but the ability to say, yes, I do, or don’t want to share particular types of data. I think that is a laudable thing that needs to be encouraged. I don’t think the goals of that website are about the goal. And the big thing is, the Internet, we’re limited by the fact that governments themselves are jurisdictional and geo-spatially jurisdictionally defined entities all trying to, from their tiny area, you know, putting limitation from how the Internet works, but the Internet is a global thing. And ultimately it’s not legislation that is going to protect people, people can protect people. We need to be better skilling our people and stopping the getting in the way of the Internet being the awesome thing it can be, has been and certainly will be.

Chris: FINALLY?
UNKNOWN SPEAKER: We can’t educate our children saying that privacy matters when the Government says it doesn’t.

CHRIS: Please join me in thanking the panel. (APPLAUSE)
Now, it’s afternoon tea time. It’s also ISOC AGM time. It doesn’t get much more exciting than this. We will reconvene here at 3.50. Ten to four for our final panel of the afternoon.
Please be on time. Thank you.

Thank you for using Red Bee Media Australia’s Live Remote Captioning Service.