Author Image

Mid-year review of digital policy: When technology meets humanity

Jovan Kurbalija
Published on June 30 2018
We reflect on key developments in digital diplomacy and governance, assessing progress and setbacks in international digital policy efforts.

Six months into 2018, technology continues to meet humanity around data protection, ethics and artificial intelligence (AI), online gaming addiction as a health condition, the security of Internet users, and many other digital issues. Governments, business and users worldwide are in search of the right balance between technological innovation and the progress of humanity.

Six months is a long time in the digital field. It was packed with events dominated by the Facebook and Cambridge Analytica scandal, and the political scrutiny that followed, plus the 25 May deadline for the entry into effect of the EU’s General Data Protection Regulation (GDPR). Dotted in between was the Arizona fatal crash, which made us temporarily wonder whether the future of autonomous vehicles was at stake; the Tech Accord signed by several companies in April, which subtly reignited the debate on the proposed Digital Geneva Convention; and the EU’s latest proposals for taxing the Internet economy.   

These developments are setting 2018 apart from last year. Concerns over fake news and online extremism, the rocketing rise of crypto-currencies, and the need for new governance models – which came loudly with regular punctuality throughout 2017 – have this year been replaced by a more subdued but constant ‘ humming’ that something must be done in dealing with the social, economic, and policy aspects of digital developments.

The good news is that more time and thought have been put into developing smart approaches to innovation while addressing digital problems. The search for new digital policy solutions will continue on global, regional, and national levels.

Half a year is also long enough to spot some trends, starting from linguistic ones such as the increased use of the prefix ‘tech’, to more fundamental ones, such as the reframing of AI debates on dystopian fears towards more optimistic narratives on the positive impact of AI.
 

plot, Fluval Plant Spectrum 3.0 Bluetooth LED

The arrival of ‘tech’

 

The language used in digital policy discussions is evolving in 2018. The prefix or descriptor ‘tech’ is establishing dominance in describing digital-related issues (as a prefix, techplomacy, or as a descriptor, such as with the phrases tech industry, tech policy, etc.). Our analysis of The Economist’s texts on digital issues published between 1 January  and 28 June 2018 shows that the adjective tech is now used more often than previously dominant prefixes (digital, cyber, net, online, and e-).

This mid-year review helps us take a step back and zoom out our lenses in order to see the wider picture of digital policy developments beyond the quickly changing trends and ongoing daily developments. It builds on the GIP Digital Watch observatory’s analysis of digital developments, summarised during the Geneva Internet Platform briefings on the last Tuesday of every month and the Geneva Digital Watch newsletter.

For each of the 10 major trends in digital policy, the number in brackets indicates their ranking in January 2018. Each of the trends analyses what to expect until the end of the year.
 

1. (1)  GDPR: Data at the centre of digital politics
2. (5.) Artificial intelligence: Between philosophical considerations and practical applications
3. (3) Digital trade and the Internet economy
4. (2) Cybersecurity geopolitics: The search for new governance mechanisms
5. (6) Bitcoin and cryptocurrencies: between boom and bust
6. (4.) Courts: Active makers of digital rules
7. (7.) Content policy: Fake news and violent extremism online
8. (10.) ICANN: Online identities, jurisdiction, and governance
9. (9.) Encryption: Pressure on backdoor access
10. (8.) Net neutrality: global impact of FCC’s new order

1. (1)  GDPR: Data at the centre of digital politics

Anticipation of the GDPR’s entry into effect on 25 May marked the first half of the year, as businesses and organisations updated their data policies and procedures to comply with the new rules.

Predictions of the impact of the GDPR range from views that the tech industry will adapt to it, to those who argue that the GDPR will change the Internet profoundly or even mark the end of a unified Internet. It will take a few years before we will know the real impact of the GDPR on digital developments. So far, there have been the following main developments, and predictions for the next six months:
 

Court cases

On 25 May, Max Schrems, on behalf of the European consumer protection organisation Noyb, initiated the first two legal proceedings against Facebook, Instagram, and Google’s Android system. Schrems claims that these companies do not provide users with free choice, since they do not ensure that the users’ consent is freely given, as requested by the GDPR. If this is proven, each tech company could face hefty fines up to €20 million or 4% of their annual global turnover, which may be counted in billions for the major tech companies.

These two cases could have as decisive impact as Schrems’s previous court case in which the Court of Justice of the European Union invalidated the EU-US Safe Harbour agreement.
 

Emerging data and tech business models

diagram, An Introduction to Internet Governance

internet of things artificial intelligence, Internet of things

Current tech business model

Tech companies such as Google and Facebook use the data generated by users, such as behaviour patterns and interests, in order to match users to the relevant vendors. The companies therefore earn their revenue by turning user data into advertising intelligence.  It is estimated that 90% of Google’s revenue in 2015 (USD$75 billion) came from advertising (Rosenberg, 2016).

Emerging tech business model

 
AI provides the ‘thinking’ for the Internet of Things (IoT) devices and gadgets. It is, for example, what transforms ‘dumb’ vehicles operated by a driver into intelligent driverless vehicles. AI has already been integrated into a wide range of tools, from
vacuum cleaners to toothbrushes, and even automated personal assistants.

IoT devices generate a lot of data while they are being used. This data, often labelled as big data, is used for data analysis and constant upgrades of AI algorithms.

Learn more about the AI-driven business model: Visit our trend page on artificial intelligence.

The GDPR directly affects data management, and consequently, the tech industry’s business models. It affects both the current Internet business model based on monetising data for advertising, and the emerging AI-driven business model which uses data for the development of new algorithms.

The tech industry has been preparing for the GDPR for quite some time. Initially, Mark Zuckerberg reacted enthusiastically to the GDPR, saying that Facebook would apply the GDPR rules globally on all Facebook accounts, by ensuring a high level of privacy and data protection. Yet, in April, Facebook revealed plans to move 1.5 billion users based in Africa, Asia, Australia, and Latin America out of reach of the new laws, by shifting them from Irish to US jurisdiction. Zuckerberg also added a qualifier to his initial statement by saying that Facebook would apply the GDPR globally ‘in spirit’.

While Zuckerberg’s initial GDPR enthusiasm was surprising, the latest ‘in spirit’ qualifier is more realistic, since Facebook’s business model depends on data. Any restriction in managing data could affect the company’s bottom line.

One important component of the Internet companies’ business model is represented by their policies on the use of cookies, one of the main carriers of user data. The way in which these policies are implemented can represent a potential source of exposure to the GDPR sanctions for companies. Faced with the GDPR-generated regulatory complexity, some tech companies reacted by banning users from the EU from accessing their pages. Thus, online business models based on ads are facing their biggest challenge ever in order to comply with the GDPR, and some are even questioning their very existence in their current form.  

While giant tech companies have the resources to handle the GDPR’s impact, it remains to be seen how it will affect smaller companies with fewer resources to deal with the legal and policy aspects that the GDPR introduces.
 

Privacy Shield in trouble

The Privacy Shield agreement between the EU and the USA is under new strain following the Cambridge Analytica scandal and the introduction of the GDPR. The Cambridge Analytica scandal shook the trust between the EU and the US tech industries since Facebook failed to provide the protection of user data that was required by the EU’s privacy policy and Privacy Shield. The GDPR will increase pressure on the application of Privacy Shield provisions. Members of the European Parliament on the Civil Liberties Committee (LIBE) asked the European Commission to suspend the Privacy Shield framework. This is just the beginning of the anticipated debate about the review of counties that fulfill the criteria to be listed as data transfer compliant.
 

ICANN’s WHOIS

The Internet Corporation for Assigned Names and Numbers (ICANN) was among the organisations immediately affected by the GDPR’s entry into force. Many questions have surrounded the collection of domain name registration data, via the  WHOIS system (which domain name registries and registrars have traditionally implemented as part of their contractual obligations with ICANN). Can data on domain registrants in the EU be collected and stored? And although the GDPR allows for the processing of data to be based on the legitimate interest, under what conditions can this processing take place?

When German registrar EPAG stopped collecting the data of technical and administrative contacts associated with domain name registrations, ICANN reacted by initiating a court case against EPAG for breach of contract. A court in Bonn, Germany, initially dismissed the case filed by ICANN, which then appealed the court’s decision to the Higher Regional Court of Cologne, announcing that its action was part of its ‘public interest role in coordinating a decentralised global WHOIS for the generic top-level domain system’. The organisation has also asked the Higher Regional Court to refer the issues brought to its attention to the CJEU if the court ‘does not agree with ICANN or is not clear about the scope of the GDPR’. On 21 June, the Bonn court announced it had decided to revisit its initial ruling.

Internally, ICANN introduced an Interim GDPR Compliance Model, followed by the Temporary Specification for gTLD Registration Data, adopted by the ICANN Board in May 2018. Under this specification, the publication of personal data via the WHOIS system is no longer done by default. More recently, ICANN has also proposed a possible unified access model, which would allow legitimate users – such as law enforcement agencies and intellectual property rights holders ‒ to access non-public  WHOIS data based on an accreditation process.

However, these issues are still open. The temporary specification can only be in place for one year, and the ICANN community needs to develop a more long-term policy before May 2019. The ‘unified access model’ also remains subject to discussion. Courts will probably have an important role in implementing the GDPR standards, and in deciding whether legitimate interests should prevail over privacy rights.
 

What can we expect in the next six months?

The main focus will be on three developments. First, court proceedings will signal the way in which courts will interpret some the GDPR provisions, such as those on the use of user data for the improvement of services (e.g. what is considered to be the legitimate use of data). The more flexible the interpretation, the more options tech companies will have to monetise the data they collect. Second, it remains to be seen how national data authorities of the EU member states will implement the GDPR. Many national authorities need to develop institutional capacities and implementation mechanisms. Third, by the end of the year we will have a clearer picture on the impact of the GDPR on the Internet business including major tech companies, small start-ups and the emerging data-driven AI sector.
 

2. (5.) Artificial intelligence: Between philosophical considerations and practical applications

AI was, as predicted, a prominent topic throughout the first half of the year. The investment-driven approach by countries worldwide, the technological developments that continued to push the boundaries, and the increasing debate on philosophical, ethical, legal, and economic aspects placed AI prominently higher on our list. It is expected to remain prominent throughout the year.  

Research and innovation made news headlines: from AI systems that can learn from implicit human feedback, ‘see’ through walls, or understand 3D spaces, to IBM’s Project Debater that can debate with humans on complex topics.
 

Countries develop AI strategies

On the policy side, countries have continued to pay increasing attention to developments in the field of AI, and develop strategies and plans. China has been pursuing its ambitious Next Generation AI Development Plan, and announced the development of a USD$2.1 billion technology park specifically targeted at AI companies. India has also been working on setting up its first AI institute. France announced a national AI strategy built on several pillars: support for AI research and development, sharing of new data sets by public entities to be used for AI services, and regulations allowing companies to experiment in multiple industries (such as autonomous cars). In the UK, the Select Committee on AI in the House of Lords published its ‘AI in the UK: Ready, willing and able‘ report, with recommendations to support the UK government and other stakeholders in ‘realising the potential of AI for society and economy, and to protect society from potential threats and risks’. The European Commission also outlined its AI approach, with a set of measures to put AI at the service of Europeans and boost Europe’s competitiveness in this field’. The US government announced that its does not intend to introduce heavy regulation for AI, but instead, support research and development in the field; a Select Committee on AI was created with this purpose.
 

AI and the future of work

The impact of AI on the workforce and the need to adapt the education and formation systems is another prominent issue. At the national level, some countries have started looking more carefully into the matter. The UAE, for example, have launched a nationwide programme – ‘Industrial Revolution X’ (IR-X) – aimed at equipping AI nationals with the skills needed to keep pace with technological progress, and formed a Council to oversee the integration of AI into the governmental and educational sectors. At the international level, the G7 Ministers of Employment discussed, at their March meeting, how the new economy is impacting industries and workers, and underlined the need for human-centric AI developments and for multistakeholder dialogue and co-operation on AI. The Global Commission on the Future of Work, established by the International Labour Organization (ILO), has been working on recommendations on how to achieve a future of work that provides decent and sustainable opportunities for all, in the context of ongoing technological progress. The future of work will be a prominent issue as the ILO celebrates its 100th anniversary next year.
 

Security implications of AI

A lot of attention has been paid in recent months to ethical, accountability, and security issues surrounding AI. From the World Economic Forum meeting in Davos in January, to the AI for Good Summit, and the G7 meeting in June, world leaders spoke about the need to develop AI in responsible ways, to the benefit of humanity. In April, a Declaration of cooperation on AI signed by 25 European countries pointed to the need to ‘ensure that humans remain at the centre of the development, deployment and decision-making of AI’ and ‘prevent the harmful creation and use of AI applications’. The industry has also shown concerns about such issues. In June, for example, Google published a series of principles to guide the company’s work on AI; among them, AI should be socially beneficial and avoid creating or reinforcing unfair bias.

Autonomous cars also attracted a lot of attention in the first half of the year. Concerns about safety, liability and insurance issues around such vehicles came into focus in March, when an Uber autonomous test car driving in Tempe, Arizona (USA) was involved in a fatal accident.  On the regulatory and legislative side, measures have been announced in different parts of the world. In the USA, several states, such as Arizona and California, have introduced regulations outlining strict conditions under which autonomous vehicles can be tested and operated on, on public roads. The UK government has commissioned a review of driving laws ‘to ensure that the UK remains one of the best places in the world to develop, test and drive self-driving vehicles’. China has introduced national guidelines for the testing of autonomous cars on public roads, complementing rules already in place at the local level. The European Commission has also outlined its vision on automated mobility, as well as a set of action points aimed at transforming the EU into a ‘world leader in the development of connected and automated mobility’.

The January predictions also made a reference to the ongoing debate on lethal autonomous weapon systems (LAWS). The issue was discussed in several frameworks, including at the Munich Security Conference, where Germany announced it does not have any intention to acquire autonomous weapons, and the April meeting of the Group of Governmental Experts on LAWS (which focused on the characterisation of autonomous weapons systems, the human element in the use of lethal force, and possible options to address the humanitarian and security challenges posed by LAWS).

The broader security implications of AI were also brought into sharper focus. The ‘Worldwide threat assessment of the US Intelligence Community‘, published in February, listed AI and other disruptive technologies among the areas that could generate security concerns to the USA. In March, a bill was introduced in the US Congress aimed at creating a National Security Commission on AI, whose tasks would include, among others, the addressing and identification of national security needs with respect to AI. A report on The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation cautioned against the security threats that could be generated by the malicious use of AI in three main areas: digital security, physical security, and political security.
 

What can we expect in the next six months?

First, we can expect in the coming months a further shift from the ‘binary’ framing of AI issues (utopia vs. dystopia) towards a more ‘analogue’ and nuanced debate. So far, we have seen many reflections by philosophers and public figures, ranging from the promise that AI will be a great enabler of humanity, to fears that AI is one of the greatest threats to humanity. These grand narrative discussions increasingly focus on the specific aspects of AI, ways of governing AI and addressing the risks.

Second, AI discussion is shifting towards highly specific legal debates. For example, in the context of the GDPR discussion, there is a very detailed debate on how companies can use data for their AI projects. Since data is the key input for AI, the application of GDPR will be decisive for the future of AI.

Third, in the aftermath of the fatal Arizona crash, the general discussions on AI and robotics have been pointing to concrete life situations, interests, and rights. Thus, similar to the previous phase when courts had to fill in the gap on data and the regulation of platforms (in particular the Court of Justice of the European Union), we can expect that the courts will also start filling this normative vacuum in the AI field.

Ultimately, when citizens approach the courts to exercise their right to justice, courts have to rule in one or another way. In many cases with emerging technology, courts create new rules and practices by applying existing laws to digital realm, as with right to be forgotten. By definition, court decisions are sub-optimal policy solutions since they rely on existing rules developed for the pre-AI era, and therefore look at these cases from the legal perspective. One of the main challenges for governments, the private sector, and citizens will be to create new approaches and modalities to deal with AI and society which will optimise the key interplay between AI-driven innovation for the benefit of humanity and the protection of human rights and public interest.
 

3. (3) Digital trade and the Internet economy

In digital trade, 2018 saw a continuation of trends from 2017. In early 2018, trade diplomats were looking at ways and means to overcome disagreements that formed at the World Trade Organization (WTO) Ministerial Meeting in Buenos Aires (December 2017), at which they could not agree on a new e-commerce mandate. The first half of 2018 also brought into the sharper focus the risks from trade protectionist trends and potential trade wars. So far, the digital economy has remained outside the reach of different trade protections measures. However, further escalation of trade tensions, including a trade war, could spill over into the digital economy.
 

Multilateral trade initiatives progress slowly

At multilateral level, meetings were held between the 71 member countries of the WTO that signed the Joint Statement on Electronic Commerce at the 11th WTO Ministerial Conference (MC11) last December, committing to carrying out ‘exploratory work toward future WTO negotiations on trade-related aspects of electronic commerce’. In line with this goal, several member states put forward non-papers seeking to identify potential elements that could form the basis of a future agreement. They expressed an interest in exploring several specific areas, including market access commitments, trade facilitation, consumer protection, and data flows.

While advancements in the multilateral setting have happened at a slow pace, e-commerce issues have been negotiated at great speed under the framework of regional trade agreements (RTAs). These regional instruments will likely fill the regulatory gaps that multilateral settings are not currently able to address. The North American Free Trade Agreement (NAFTA), the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), and the Regional Comprehensive Economic Partnership (RCEP) are examples of initiatives that are being advanced by negotiators.
 

New proposals for taxing the digital economy

Governments have also been increasingly concerned about the taxation of economic activities of Internet companies. While Internet companies have significant economic earnings in national territories, their contribution to tax revenue is not proportionate, and their presence in several different jurisdictions facilitates finding tax havens and engaging in tax-avoidance practices.

In the USA, the Supreme Court issued a decision in the case South Dakota v. Wayfair, and overruled a 1992 decision (Quill vs Heitkamp) that prevented states requiring online retailers to collect sales tax when there was no physical business presence in the state. Many states have been trying to overturn Quill in order to be able to collect taxes from online sales.

In Europe, the European Commission has presented several proposals for digital tax reform, which are currently under discussion. They include a long-term tax proposal which would allow EU countries to tax profits generated within their territory, even if the company providing the online services in question does not have a physical presence there, and a proposal for a 3% interim tax on revenue from digital activities that are currently not subject to taxation. The proposals came just as the Organisation for Economic Co-operation and Development (OECD) published its interim report on tax challenges arising from digitalisation. OECD countries agreed to review the current international tax system in the context of the digital economy, yet the report acknowledges the disparity of positions that will need to be bridged. France is planning to introduce a tax on e-commerce, with the goal of revitalising trade in city centres and protecting small businesses.

The push for the taxation of online activities is a global trend. Vietnam is collecting taxes from retailers that use social networks to sell their products, while more recently, the Ugandan government decided to impose a tax on the use of social media in an effort to increase revenue. The Israel Tax Authority plans to tax Internet platforms based on their operations in Israel. India considers taxation of tech platforms with a significant economic presence in the country.  Pakistan plans to tax Internet giants with 5% tax on digital revenue.
 

Growing interest in inclusive finance

The beginning of 2018 was marked by a growing interest in inclusive finance as a way to accelerate development and the achievement of the sustainable development goals (SDGs). Inclusive finance seeks to engage individuals who are currently outside banking and financial systems in the formal economy. It relies on mobile telephony, blockchain technology, and other digital tools.

While technology provides tools, government policies are decisive for the deployment of inclusive finance in economies worldwide. For example, the success of the M-Pesa mobile banking system in Kenya has been possible due to the enabling policies of Kenya’s telecom and banking regulators.

Inclusive finance is provided by a wide range of actors. It was started by mobile network operator SafariCom, which provides M-Pesa services for online payment. Mobile network operators remain the main operators of inclusive finance, with 255 mobile money services worldwide.

Commercial banks have also started innovating with inclusive finance services. In Kenya, this service is now provided by Equity Bank. Money transfer operators, such as Western Union, have started moving into inclusive finance as well. TransferWise, MoneyGram, and WorldRemit are new inclusive finance actors enabled by digital technology.

Fintech (financial technology) companies are also innovating in inclusive finance with the use of blockchain technology. New actors offering inclusive finance include Internet platforms such as Google, WeChat, Alibaba, Facebook, and Amazon.
 

What can we expect in the next six months?

The digital economy in the next six months will depend on developments in global trade. So far, the digital economy has been shielded from the ‘trade war in the making’. If the current trend evolves into a real trade war, the digital economy will inevitably be affected by the introduction of new tariffs and reduced data flows across national borders.

In multilateral initiatives, we can expect a gradual build-up of discussions within the WTO’s plurilateral context, and more intensive processes in regional trade negotiations. The tech industry can expect more regulatory pressure from governments worldwide, in particular,  on competition, taxation, data and privacy, and cybersecurity.

On taxation issues, the main dynamics will be in the EU around the deep division between larger countries (France, Spain, Germany, Italy) and smaller countries (Ireland, Luxembourg, Malta) on the ways and means how to tax the digital economy.  

In development and the economy, inclusive finance will increase in relevance as a new development approach aimed at involving the next billions into the economic life of developing countries.
 

4. (2) Cybersecurity geopolitics: The search for new governance mechanisms

In 2017, cybersecurity featured high in the public space with the WannaCry attacks, the Microsoft Digital Geneva Convention proposal, and the failure of the UN GGE to reach consensus on its 2017 report. So far this year, we have seen a continuation of the search for new governance mechanisms, albeit at a slower pace compared to last year.  This creates more time to build trust, explore new ideas, and start the search for new cybersecurity solutions on a global level.
 

Internet companies sign Tech Accord

In April, 34 global companies – including Microsoft, Facebook, LinkedIn, Arm, ABB, Telefonica, Cisco, and Dell – signed the Cybersecurity Tech Accord, publicly committing to protect and empower civilians online and to improve the security, stability, and resilience of cyberspace.

Since the Tech Accord was originally proposed as part of Microsoft’s Digital Geneva Convention, this development reignited the discussions on the proposed convention. Civicus, an international civil society network, is advocating for measures to protect civilians in cyberspace, which, it suggests, should be based on a Digital Geneva Convention. The ICRC expressed an interest in the idea of a Digital Geneva Convention for addressing the human costs of cyber-attacks in conflict, particularly if critical infrastructures are attacked.

Beyond the Tech Accord, earlier this year, IT companies including Siemens, IBM, Deutsche Telecom, and Airbus presented their joint Charter of Trust for a Secure Digital World, calling for shared ownership of cyber and IT security by different stakeholders, responsibility throughout the supply chain, security by default, education, certification of critical infrastructure and solutions, transparency and response, regulatory frameworks, and joint initiatives. In March, the AES Corporation, Atos, and Enel joined the charter, while Cisco, Dell Technologies, Total, and TÜV SÜD AG joined in May.
 

Building blocks for global cybersecurity

Multiple actors have called for global cybersecurity mechanisms. Russia and India, for example, called for keeping up the UN GGE, while UN Secretary-General António Guterres spoke about the need for serious discussions on the international legal framework for cyberwar using the competence of the First Committee of the UN General Assembly. In the area of child safety, UNICEF called for more co-operation to protect children online. In January 2018, WEF launched the Global Centre for Cybersecurity, to ‘prevent a digital dark age’ through the co-operation of governments, the corporate sector, experts, and law enforcement agencies.

Switzerland has initiated the Geneva Dialogue on Responsible Behaviour in Cyberspace, while the Global Commission on the Stability of Cyberspace has continued developing proposals for new norms, in particular, related to the protection of the public core of the Internet and the prohibition on the disruption of elections through cyber-attacks.
 

Regional initiatives making up for lack of global initiatives

If global initiatives are lacking, regional initiatives are gaining ground. The Commonwealth has adopted a Commonwealth Cyber Declaration, highlighting cybersecurity and anchoring cyber policy in national environments, while introducing some new concepts for international co-operation. In its statement on cybersecurity co-operation, the Association of Southeast Asian Nations (ASEAN) recognised the need to build closer co-operation and coordination among ASEAN member states on cybersecurity policy development and capacity building initiatives. In April, 14 Indo-Pacific countries established the Pacific Cyber Security Operational Network (PaCSON) as a vehicle for closer sharing of cybersecurity threat information, tools, techniques, and ideas among the members.
 

More cybersecurity vulnerabilities revealed; risks increase

While we have a lull in diplomatic cyber debates, cybersecurity risks are increasing. Revelations about vulnerabilities in different services and the Internet infrastructure – some usually considered to be quite secure – have become a regular occurrence. These include discoveries of vulnerabilities in numerous implementations of the popular PGP software, and in the hardware design of some of the most widely used computer chips.

The risks are also being increasingly recognised. The World Economic Forum (WEF) report on Cyber Resilience: Playbook for Public-Private Collaboration warns that cyber threats are outpacing the ability to overcome them. WEF’s annual Global Risks Report 2018 also recognises cybersecurity as one of the world’s most critical risks.

The International Committee of the Red Cross (ICRC) has also put cyber-attacks at the top of its focus in 2018. The US Intelligence Community marked cyber-threats among top global threats in its Worldwide Threat Assessment. McAfee and the Center for Strategic and International Studies estimated the costs of cybercrime for business at almost USD$ 600 billion, or 0.8% of the global GDP, in their study Economic Impact of Cybercrime – No Slowing Down.
 

Dealing with offensive cyber-capabilities

While evidence of investing in offensive cyber capabilities by states remains scarce, there are increasing efforts to understand what offensive cyber capabilities are, and how to address the increasing militarisation of the digital domain. The Global Commission on the Stability of Cyberspace (GCSC) has commissioned several research projects whose results were presented at the GlobSec meeting in Bratislava, and will be published in a new edition of collected briefings. More time might need to pass, however, before more states begin discussing transparency related to their own cyber capabilities and policies for the responsible disclosure of vulnerabilities.
 

Capacity development for cyber policy

The need for capacity development is an area of consensus in the field of cybersecurity. Many countries lack the expertise to participate actively in cybersecurity policy processes and negotiations. The lack of inclusive cyber negotiations could affect the implementation of agreed norms and policy mechanisms. Thus, effective capacity development will have a practical and direct impact on developing a stable and sustainable Internet.

The Global Forum on Cyber Expertise keeps the dynamics of activities as the main point of convergence among various capacity development initiatives. In April, the New America Foundation published a report on building cybersecurity capacities for developing countries under the title  Securing Digital Dividends. At regional level, the ASEAN Leaders’ Statement on Cybersecurity Cooperation features capacity development prominently. The Organization for Security and Co-operation in Europe (OSCE) holds continuous sub-regional training programmes, such as in South-Eastern Europe. The Geneva Initiative on Capacity Development for Digital Policy, launched in December 2017, provides a framework for training Geneva-based diplomats, including a just-in-time course on Digital Commerce.
 

What can we expect in the next six months?

The search for a cybersecurity arrangement will continue. At the high political level, by the end of the year, we will know if any compromise has been reached on the future of the UN GGE track. A few options are being considered, including: the end or modification of the UN GGE, the establishment of a UN Open-ended Working Group on ICT Security or a Committee on the Peaceful Use of ICT. Some argue potentially controversial voting of cybersecurity proposal in  the UN GA.

In parallel to the UN track, many other initiatives will further develop. The Global Commission on Cyber Stability is likely to develop new norms. The Geneva Dialogue will start mapping responsible behaviour of governments, business, and civil society. A group of civil society organisations  announce continuation of debate on the Geneva Digital Convention. The tech sector will flesh out proposals from the Tech Accord. Regional initiatives are likely to accelerate, in particular in Asia, where digitally savvy Singapore is presiding over ASEAN.
 

5. (6) Bitcoin and cryptocurrencies: between boom and bust

After 2017, the year of the cryptocurrency revolution, the first half of 2018 brought a sharp drop both in the value of and the interest in cyber currencies. After bitcoin reached its peak with a price of  USD$ 19.343 on 16 December, it started 2018 with the value of USD$ 13.412 and its worth dropped at a fast rate to USD$ 6.387 on 30 June. Public interest in bitcoin also dropped sharply as illustrated in the graph below, showing Internet searches for the term ’bitcoin’. In parallel, the interest of governments in regulating bitcoin increased. Many countries introduced laws for regulating initial coin offerings (ICO) and the security of cryptocurrencies.

Source: CNBC.com

Regulation of initial coin offerings

Many countries worldwide made an effort to place ICO under regulation. In Europe, the Swiss government and its top financial regulator FINMA, strengthened coin classification and ICO requirements by issuing the second edition of Switzerland’s ICO Guidelines. Malta set up the Malta Digital Innovation Authority, and implemented legislation on blockchain technology and cryptocurrency trading. This led to the move of the world’s second biggest cryptocurrency exchange, Binance, to Malta. In Asia, South Korea and Thailand made announcements about stricter control, and South Korean exchanges are set to try self-regulation to prevent money laundering and improve transparency. US regulators continued their previous stance to treat an ICO as a securities process under the control of the US Security and Exchange Commission. Other countries like Belize, Bermuda, Belarus or India have also announced work on ICO regulation. 
 

Crypto-jacking raises concerns

The constant rise in crypto-jacking and the weak security of crypto -exchanges means cryptocurrencies were the news quite often in the first half of 2018. There was news about numerous hacks of online exchanges, and powerful computers and systems being infected by  crypto-jacking worms (software that mines cryptocurrencies on your device without your permission and without you noticing). Partly because of this, the price of Bitcoin, compared to the dollar, continued its steep fall. At the beginning of 2018 one bitcoin was traded for around USD$ 13 000, but mid-June, the price fell to around USD $6 000, which means that the value of bitcoin halved in just six months.
 

Issuing national cryptocurrencies

Venezuela is pushing forward with the first national cryptocurrency, the Petro. Venezuela is keen to push its cryptocurrency, offering a discount on its crude oil if it is paid in the Petro. Russia and Iran are also working on the idea of a state-issued cryptocurrency.

On a collaborative note, the EU established the European Blockchain Partnership. A total of 22 EU countries will share their expertise in this regulatory field. They will also prepare for the launch of a EU-wide blockchain application.

By the end of the year, we can expect greater regulation of cryptocurrencies, which will make them – on the one hand – more secure financial mechanisms and – on the other -less attractive innovative financial tools.

Cryptocurrencies are very vulnerable to regulation. Any new regulation immediately impacts value of cryptocurrencies. Thus, we can expect further drop in the value of bitcoin and other cryptocurrencies.

Blockchain, the underlying technology behind bitcoin, will have to show its announced potential for governance, development, policy and other applications in practice.
 

6. (4.) Courts: Active makers of digital rules

So far in 2018, we have not seen landmark court decisions on the same scale as we have seen in the past few years, such as court decisions on the right to be forgotten, the Safe Harbour framework, and ride-sharing company Uber. However, courts worldwide are getting busier. The GDPR has already triggered a few court proceedings. More are expected to come.

On the right to be forgotten, the courts have been asked to provide interpretations in specific situations, such as one in the UK concerning data about old crimes and one in Canada concerning a ban on a victim’s identity.
 

Courts interpret copyright rules

The role of the courts is also important in the interpretation of copyright legislation in practice. In the USA, recent cases centred on the interpretation of the doctrine of fair use, but also on intermediary liability ‒ such as liability for embedded tweets and in-line linking. At the same time, EU courts are resolving numerous dilemmas about intermediary liability, especially when addressing the removal of copyright infringements from online platforms, and imposing stricter obligations on ISPs.
 

Other digital policy issues tackled by courts

A United Arab Emirates (UAE) court has imposed strict jail sentences for using social media to publish false information, rumours, and lies about the UAE. The role of the courts should not be underestimated as a last resort to defend the Internet as such, as is demonstrated in the US lawsuit by tech companies against the FCC over the repeal of US net neutrality rules.  

Courts will continue filling the regulatory gap on national and international levels. We do not expect any major case, such as the right to be forgotten, to crop up before the end of the year. The main focus will be on the court cases triggered by the introduction of the GDPR.
 

7. (7.) Content policy: Fake news and violent extremism online

The same prediction as the beginning of the year still holds: governments will continue to increase pressure on Internet platforms to take responsibility for the content they host. While companies have advanced the fight against the spread of illegal content, governments have now started passing new rules that will push companies to take more action.
 

Using AI to fight illegal content

Companies have advanced the fight against the spread of fake news. They are experimenting in using AI in detecting and removing fake news and violent extremism content. Governments continue to apply pressure on companies. Germany has had a mixed experience in applying a new regulation against illegal content. France is considering new regulation on fake news. Civil society warns against censorship as a collateral consequence of fight against fake news.
 

Increasing pressure by public and governments

Following growing public attention about topics such as fake news and illegal content in 2017, the first half of 2018 saw policy discussions intensify on the responsibility of online platforms for the content they host. As expected, Germany’s new regulation against illegal content, and France’s announcement that it would develop legislation against fake news at the start of the year, were followed by policy developments elsewhere.

For example, the UK has announced the creation of a National Security Communications Unit to combat disinformation and ‘anti-Western propaganda’, and the country is developing new online safety laws that will combat harmful content. The EU has also stepped up its efforts to combat misinformation. Having established an expert group on fake news and online disinformation, the EC is now working on a Code of Practice for Internet companies to manage fake news. More generally, it has issued a recommendation to combat illegal content more swiftly and effectively, demanding that such content is removed within one hour after it has been detected, and has re-evaluated its code of conduct on countering illegal speech online.  

In the USA, alleged Russian misinformation campaigns in the context of the 2016 presidential election have lead to the indictment of 13 Russians, and Internet companies have been questioned by the US Senate about their responsibility in hosting extremist content. Even more significantly, the USA has amended the Communications Decency Act, which is now able, in specific circumstances, to hold Internet platforms accountable for content posted by others.

Discussions on fake news and illegal content are not confined to Europe and North America. New legislation about online content is being developed by a large number of countries. In the context of fake news, Malaysia has passed the world’s first law explicitly outlawing fake news, with prison sentences of up to six years for distributing misleading information. In East Africa, governments have started to develop or implement a number of measures that will significantly impact online content. In an effort to combat online gossip, Uganda has proposed a social media tax, Kenya has passed a new bill that criminalises illegal content, online abuse, and the distribution of misinformation, and the Tanzanian government is obliging content providers to register with the state and pay for a license. In the meantime, Papua New Guinea will remove access to Facebook for one month in an effort to remove fake users and to study the effects of social media on Papua New Guinea’s society.
 

Content policy and freedom of expression

The many new initiatives, laws, and regulations have not been introduced without criticism. The fight against illegal content and misinformation is always coupled with concerns related to freedom of expression. In addition, question marks are raised related to Internet companies’ role in deciding what is, and what is not, allowed online. In an increasingly regulated space, many fear that companies will be removing more content than strictly necessary in an effort to avoid fines and repercussions by governments.
 

Timing and content

Time is of the essence in content policy.  It may take a few minutes or hours for fake news or hate speech to get viral. Thus, many negotiations boils down to time that Internet platforms take to remove incriminitated content following ‘notice and action procedure’. For example, 24 hours from 2016 EU’s ‘Code of Conduct’ shrunk to 1 hour from removal of terrorist content as required by the latest EU Recommendation on measures to effectively tackle illegal content online (1 March 2018).
 

Content liability of Internet companies

Are Internet companies liable for content they provide? Currently, in accordance to the Section 230 of the US Communications Decency Act (1996), tech companies are not liable for content provided by their users. But, this regulation is under increasing attacks of public, governments and, even, Internet companies. Many argue that something needs to be done in order to deal with fake news, hate speech and other questionable content. However, content liability is one of messy policy issues that does not have an easy solution. Some argue that tech companies should be liable since they benefit from the content. Other are concerned that this liability will give tech companies a lot of power over deciding what is right and wrong in modern society.  Yet, the others argue that intermediary liability would put unproportional pressure on Internet company and shift them from tech to content policing companies.
 

What can we expect in the next six months?

While discussion on regulating the Internet platform will continue, some solutions are needed fast. In this context, Tarleton Gillespie’ proposal for a set of 12 measures for content policy could be policy innovation in the making. They include transparency of moderation policy of tech companies, establishing minimum moderation standards, and appointing a public ombudsman. A search for content policies may be effective since there is common interest of tech platforms on the one hand, to have predictable rules on content and, on the other, governments worldwide to prevent hate speech and the spread of fake news.
 

8. (10.) ICANN: Online identities, jurisdiction, and governance

As anticipated in January, ICANN was busy during the first half of the year trying to determine whether and how to adapt its policies to the GDPR. This issue, and other debates related to generic top-level domains (gTLDs), increased ICANN’s prominence in public debates.  

With regards to new gTLDs, the ICANN community has continued its work on reviewing the programme, but a new round of new gTLDs is not envisioned before 2021. According to a possible timeline presented by the New gTLD Subsequent Procedures Working Group,  ICANN could, in a best-case scenario, open up a call for applications for new gTLDs in the first quarter of 2021, nine years after the 2012 new gTLDs round. For this timeline to be met, the ICANN community would need to be very efficient in going through the various preparatory stages, including, among others, the related policy development process within the Generic Names Supporting Organisation, a public comment period on the Applicant Guidebook, and board approval of the policy. Given that, during the previous round, the Applicant Guidebook went through multiple revisions over a three-year period, some commentators believe that the 2021 timeline might be overly optimistic.

The .amazon issue seems to have gone off of the radar screen, as the ICANN Board mandated their CEO to facilitate negotiations between the Amazon Cooperation Treaty Organization’s (ACTO) member states and the Amazon corporation. In doing so, the Board followed advice provided by its Governmental Advisory Committee, which suggested that such negotiations would help the parties reach ‘a mutually acceptable solution’ to allow for the use of .amazon as a top-level domain name.

One topic that may attract increasing attention within the ICANN community relates to the management of the Domain Name System root server system (RSS). This system has worked well and has remained largely unchanged since its creation. But in June 2018, ICANN’s Root Server System Advisory Committee (RSSAC) issued an advisory for the ICANN Board noting the need for ‘new governance structures and business models to meet the rigorous requirements of governance, accountability, and transparency’. RSSAC made suggestions for such a new governance model, and noted that any new model would require ‘multistakeholder review and community driven consensus’. The advisory was discussed at the recent ICANN62 meeting in June, and it is expected that it will gain broader attention in the upcoming period.
 

9. (9.) Encryption: Pressure on backdoor access

The 2018 prediction that governments would likely increase pressure on Internet companies to provide backdoor access to user data or reduce levels of encryption, especially in dealing with major terrorist risks as suggested by the ‘Five Eyes’ countries Joint Communique in 2017, has not had widespread fulfillment, although the situation in Russia has brought the possibility into sharp focus. The Supreme Court of the Russian Federation ruled that the Telegram messaging service must share its private encryption keys with Russian authorities, which was reaffirmed upon appeal. The telecommunications regulator Roskomnadzor started blocking the messenger service on April 16.

In response to previous government pressure for backdoor access, Silicon Valley tech giants have strongly phrased their position on closing backdoors in a statement by the Reform Government Surveillance (RGS) coalition, articulating a sixth core principle on the importance of Ensuring Security and Privacy Through Strong Encryption.
 

What can we expect in the next six months?

Encryption will remain high on the digital policy agenda. The relevance of encryption could be triggered by a major crisis or security attack. So far, there are no policy solutions.  for, often, opposite interests of tech industry to protect privacy of their traffic and governments’ interest to have access to Internet traffic for (un)justified reasons, including fight against terrorism and criminal investigations.
 

10. (8.) Net neutrality: global impact of FCC’s new order

As predicted in January, the discussion on technical network neutrality did not gain new focus in the first half of 2018. In the USA, the Federal Communications Commission’s (FCC) decision to repeal the 2015 Open Internet Order came into effect in June. Beyond the USA, there were few debates on net neutrality.
 

FCC’s order comes into effect

Much of the attention this year was on the regulatory situation in the USA. With the new FCC order coming into effect, several states across the USA decided to take the matter into their own hands, and have been working on keeping net neutrality protections in force. In some cases (such as in Montana and New York), state governors issued executive orders to support net neutrality, while in others, bills have been put forward in state legislative bodies (the most prominent examples being in California and New York). In addition, several court cases have been brought against the FCC order, by attorneys general in 21 states and several other entities and organisations such as the Mozilla Corp, the Open Technology Institute, the Free Press, and the Coalition for Internet Openness. In the federal Congress, a bill to reverse the 2017 FCC order has gained a lot of attention as it passed the Senate, being currently up for debate in the House of Representatives.

The situation in the USA, however, does not seem to have impacted net neutrality regulations in other parts of the world. In June, for example, the Body of European Regulators for Electronic Communications (BEREC) and the Telecom Regulatory Authority of India (TRAI) reinforced their commitment to net neutrality rules, and signed a Memorandum of Understanding through which the two parties aim to promote competitive markets, technological innovation, and value for consumers.
 

Increased market power

The beginning-of-the-year predictions, however, also noted that increased attention would be paid to issues related to platform neutrality and the increasing market power of large technology companies. This became evident in January when entrepreneur George Soros cautioned that such platforms ‘have grown into ever more powerful monopolies’ and called for ‘more stringent regulations, aimed at preserving competition, innovation, and fair and open universal access’.

The need for regulations to govern the behaviour of technology companies seems to concern traditional telecom companies also. In one example, AT&T called for an Internet bill of rights that would apply to all Internet companies (including platforms); such a bill, the company argued, would ‘guarantee neutrality, transparency, openness, non-discrimination and privacy protection for all Internet users’. Even technology companies themselves seem to be aware of the need for some sort of regulation.

Regulatory authorities are exploring an extended concept of net neutrality. The French regulator, for example, argues that net neutrality is not enough to ensure an open Internet. Users’ choice is affected by ‘other intermediaries [that] have the power to hamper users’ ability to access the online content and services of their choice’.
 

What can we expect in the next six months?

It remains to be seen how the end of net neutrality will impact the Internet in the United States. Will it increase the cost of Internet access? Will Internet access providers filter and prioritise certain content? Given the centrality of the US, the new trends in net neutrality will have an inevitable impact on the global economy.

Net neutrality could be challenged as governments increase regulatory pressure on tech companies in areas such as privacy, taxation, and content policy.
 

 
What’s next?
Follow these and other trends in digital policy via the GIP Digital Watch observatory. In addition, join us for the monthly briefings on the last Tuesday of every month, and download the monthly Geneva Digital Watch newsletter.

Contributors to this review: Stephanie Borg Psaila, Tereza Horejsova, Arvin Kamberi, Marilia Maciel, Adriana Minović, Virginia (Ginger) Paque, Clement Perarnaud, Vladimir Radunović, Barbara Rosen Jacobson, and Sorina Teleanu.


cross-circle