Internet Governance Forum 2017
Session: Biometrics and identity in the Global South.
Role: Speaker.
Description
Biometric technology has grown steadily in use for a wide variety of purposes, by governments and private actors, without a proper discussion about its impacts, without sufficient transparency from its providers about the security conditions of the information, and without discussion about the impacts on the individuals whose data goes into the machine (beyond the enthusiasm for larger amounts of data). From national identity cards and airport controls to health service providers and retail vendors, biometry has become synonymous with identification. All of this happens in contexts where data protection laws and privacy safeguards are nonexistent or ineffective, where governments are eager to gather “data” for any purpose, and where foreign companies easily gain the attention of local governments to provide these technologies as “solutions”.
In this session, we will address the human rights issues surrounding the implementation of biometric technologies for identification in developing countries, in order to discuss how their deployment could affect privacy and freedom of expression, and how it may already be affecting them. We will bring together digital rights activists from different countries, who will discuss implementation cases from their own countries, along with actual and potential consequences and implications regarding their specific context.
Session: The Government Hacks Back - Chaos or Security? A Debate
Role: Speaker.
Description
The workshop proceeded in an Oxford-style debating format and discussed the motion “This house believes that governments should have authority, under certain circumstances, to ‘hack back’ devices which serve as attack tools in order to neutralize the threat posed to systems within their jurisdiction.” During the first half of the debate (approximately 40 minutes) two teams of two speakers each discussed the motion and related questions: Maarten van Horenbeeck and Leandro Ucciferri (Team 1) and Tatiana Tropina and Sven Herpig (Team 2). After the first half of the session, participants from the audience joined the debate by posing questions and making interventions themselves. For the sake of brevity, the following two paragraphs will summarize different positions of both speakers and audience participants in line with the team positions.
Team 1 argued that governments should under no circumstance have the authority to engage in “hack back” acts, because:
- Malware can act unpredictably. Therefore, governmental hacking and “counter-strikes” in the digital realm can have systemic and uncertain effects which can cause grave collateral damage for technical infrastructure, nation-states, and individuals.
- Governmental hacking on foreign territory can harm the privacy and safety of individuals abroad.
- The use of offensive tools for counterstrikes in cyberspace can undermine trust in the security of the internet and in international security.
- Governments should focus on implementing measures that promote information security at a national and international level, and addressing root causes of cyber crime instead of investing personnel and financial resources into hacking capabilities.
Team 2 argued that if governments authorize hack backs, they should clearly and transparently define the parameters, legal basis, and ways of execution of “hack backs”, and implement very strict safeguards.
- Team 2 agreed that hack backs can pose systemic risks and might have undesirable consequences for technical, human, and international security.
- Therefore, IT security should always be prioritized over other national security interests.
- Governments should only authorize measures on the preventive end of the scale, such as passive reconnaissance/intelligence gathering in foreign networks, DDoS attack mitigation, botnet takedowns and containment with assistance from national ISPs and in coordination with other nations.
- More aggressive hack back practices, such as penetration of foreign systems to alter data, might make sense from a national security perspective, but will negatively affect international security and cause unforeseeable collateral damage.
- Law enforcement agencies will need to comply with strict legal safeguards for hacking, whereas actions by intelligence agencies are much harder to control and oversee.
- Any discussion of law enforcement or intelligence agencies’ use of offensive cyber measures needs to be realistic - governments around the world are already conducting or preparing to conduct “hack backs”/offensive “counterstrikes”/“active defense” measures in cyberspace. Hence, the question is not whether, but how and under which safeguards “hack backs” should take place.