Cooperation Working Group session
26 May 2016
CHAIR: Good morning everyone, I am Collin Anderson, I am serving as a proxy for Meredith right now who took about an hour to find a cab, it's a hard time to learn a lesson about availability. She will be here and she will be your Shepard and your single Chair for this session momentarily.
I'm just going to start for time... so, we have a full agenda, we're going to start off with Jesper Lund who is from the IT Protocol Association of Denmark, who will start with a review. We will shift in with Jan, who will speak about Ziana stewardship transition and then Holgar, who go talk about reproduceable builds and then Chris Buckridge will give us an update on the technical community representation, and then finally, and I am interested here so I'll especially not participate in this, we'll have an update and a conversation about the elections co‑chairs with has catalysed more conversation on our working list than recently. So, with that...
JESPER LUND: Thank you. And thank you for the invitation to speak at this event. And talk a bit about IP association and some of the work that we do in Denmark. My name is Jesper Lund. I am Chairman of the IP political association.
Just let me introduce a brief introduction to IP political association. We are a volunteer organisation with about 250 members founded in 2002 as a board with seven members I am Chairman. Our main objective, generally speaking, is to promote privacy and freedom in the information society, which we do as time permits, through various initiatives such as consultation responses to legislation, media contact, something that has, in particular, picked up since the Snowden revelations in 2013, since media concern with privacy and surveillance and we do some sort of traditional actualism work in 2007, we made what we called a privacy CD, called polyp IX, tour for Internet access and various encryption software. Last but not least we are a member of the European digital rights so we work in Denmark and the European Union.
So of the issues that we are currently working on and I'll be speaking about two of these. Mandatory data retention for Internet service providers in Denmark and Europe. Website blocking and online sense certificate ship. These are the two I'll get into in a minute, related to these areas are demand from intellectual property holders, that's ISPs stop online infringements by their users often through self regulatory measures that they try to impose on the ISPs. And net neutrality in the urine even, there is a new regulation European) regulation they start toned force in April, and we have worked closely with sort of as part of the Working Group on our advocacy work then this regulation was adopted by the European parliament.
The first topic that I'll get into is telecom data retention. So, in 2006, the European Union adopted the data retention directive, which for telecommunication companies, but mainly cellphone, but also some internet access providers, to retain data, traffic data or metadata about the activities of their customers. This directive was declared invalid two years ago but the Court of Justice of the European Union, but the national legislation still exists in most member states of the European Union. And in fact, some countries are, including Denmark and the United Kingdom, are looking to extend the scope of their data retention legislation.
The main focus of this legislation has been on telephone systems, so, call incoming and outgoing calls, were part of the list of metadata that must be retained for a certain period and be available for the police, for investigations and location data from mobile towers, but around Europe, governments are starting to worry what happens if criminals will be using the Internet instead of calling each other. So there is an attendance to look at sort of (tend an see) have a tend answers to look at the telephone system to the Internet as well. That brings me to sort of Internet data retention. That could in principle be done in various ways. Sort of one possibility would sort of try to enforce various communication services, to keep data about who has communicated with whom, that would be in the spirit of the telephone data retention. One problem here is that software hundreds if not thousands of different communication providers. Some are service that is we run ourselves. And some of these are outside the scope of Danish and European Union law.
In some countries, particularly Denmark and the United Kingdom, politicians have gonen a called two different things in Denmark, it's called session locking. In United Kingdom it's called Internet connection records. But basically the same thing. I should mention that this was actually used by Denmark between 2007 and 2014. But, distinct from that, there's currently a proposal in Denmark and the United Kingdom for Internet connection records, and the it's sort of Internet service providers must keep metadata about every Internet packet that is sent or received through their network. This could be the source and destination, IP addresses and port numbers of every IP packet that is more or less hard how it is implemented in Denmark in the first round between 2007 and 2014, and in that way, the Government thinks they get something that is similar to call detail records known from the telephone system. And the idea that police can get access to this information if somebody is suspected of a crime, and they can see what communication services has been used by this potential suspect, and maybe, this is more contested, they can even see, they claim so, who has communicated but with whom by looking at the destination IP addresses, assuming that it was a peer to peer communication service.
So, this title of this slide is Internet connection record, the same thing, it's the equivalent of an itemised phone bill. That was the word used by trees a May, the home secretary of the United Kingdom when this was introduced in ‑‑ when this was proposed in, before the UK parliament in November 2015. Sort of the real many reasons why IC Rs are not really the modern equipment of an itemised phone bill.
First of all, I don't need to say that here, the Internet works quite differently from the telephone system. So, there's an a number of reasons, I could spend my 15 minutes on that, saying why Internet connection records are not really good substitutes of call detail records.
So, then, what makes this even more strange that this has been proposed in Denmark and the United Kingdom, more or less at the same time, is that it has actually been used and failed miserably, because Denmark had Internet connection records or session logging, as it was called in the Danish legislation, for seven years between 2007 and 2014. And this turned out to be a complete disaster, the police was unable to cope with the amount of data, they were unable to use the information for anything useful. The sort of self evaluation done by the Minister of justice, this was not an independent report in any way, this he could come up with maybe one or two cases in terms of over a seven year period involving very minor crime like home banking fraud or something like that on a very minor scale, where this had been marginally used for.
So, for that reason, the whole thing was repealed in Denmark in 2014. But sort of done in a software clever political way with an option to bring it repeal not because they didn't like the idea of keeping information about people's activities on the Internet, but because the pick implementation had been sort of not useful and not effective for police investigations. So that sort of a political trick of repeeling something with an option to bring it back if they somehow feel that they can improve the system, and indeed it only took six months because before the first rumours for a re‑introduction of session logging in Denmark started to surface, and now, so right now the proposal is ‑‑ it's going forward in the United Kingdom and I think it's going to be adopted unfortunately in Denmark the situation is that ‑‑ so it's currently on hold, the Minister of justice wants it desperately, but ‑‑ so the cost of reimplementing system in the way that the police police would like to see it it's so massive that they are not going to go through it with it in the current version and they are working on sort of finding something that is cheaper and still effective. Let's see how that goes.
One thing I would like to say here before this audience, is that a lot of this is based on confusion by Government officials and politicians about how the Internet works and sort of, taking advice from the Internet community at an earlier stage could perhaps be helpful in preventing things like this. So we have organisations like ours that speak out against that, sort of our problem so to speak is that we will speak out against any mandatory data retention proposed because we say this is mass surveillance, the entire population should not be put under suspicion by sort of really having a police investigation looking into their activities on the Internet or on the telephone system for that matter. But sort of, they are sort of, apart from there that are technical issues about why this is really not a good idea. That would be good to have those being part of the debate.
So, the second issue that sort of I also mentioned is website blocking in Denmark mainly. So, without going into sort of too much details about what can be done in Denmark in terms of website blocking, there are three types of content that can be blocked. One is child pornography, where we have a voluntary scheme involving Internet service providers. Copey right websites with alleged copyright infringements cab blocked via court order and special legislation that also allows unregistered gambling sites, meaning gambling sites that do not pay taxes to the Danish Government, even if they are in other countries, can also be blocked.
So this is done through sort of DNS spoofing or blocking, it's not particularly effective, but I still think you should be concerned about it, because once you have established the principle that you can't block access to the Internet, sort of it's only a matter of choosing a more effective method of doing it at a later stage.
The next thing that is sort of up for blocking is probably sort of terrorist or radicalised content. That is already discussion about this in Denmark and also in the European Union. So our interest in this area, we have opposed to this since it started in 2005, because it's a slippery slope to more blocking and even when this is done through the courts by a court order, so it is a court proceeding between the Applicant from the rights holders and the ISPs, so fundamental rights of citizens and of the whole proportionality is not really taken into account.
So, my final point here is that sort of voluntary blocking, so even for some really bad stuff like child pornography is a bad idea because it starts the slippery slope towards more blocking, and Ale to point to a specific case where the voluntary blocking made it easier for the courts to order blocking of a sort of copyright infringing website. In 2006 there was a court case in Denmark where rights holders wanted a specific Internet service provider to block access to the website of all MP 3, which was a Russian music website that everybody has forgotten about now. But the interesting thing, the blocking was ordered, or the injunction was ordered and the interesting thing is the reasons given by the Court was that there was already a blocking system in place, so it was very easy, it could be done at no cost, there was no technical impediment to not blocking this website and since it was important for rights holders and since it could be done basically for free by the Internet service provider, the proportionality assessment which was sort of between threes two factors was very easy for the Court so they ordered the blocking of that particular website, and many more in later court orders. But so the issue here is what if these Danish Internet service providers had not fallen for the temptation and the greed to this voluntary scheme for blocking child pornography content a couple of years earlier, would the Court outcome have been different? I think that is certainly a possibility, because then there would have been a real cost to setting up this DNS blocking system that is used. So, I think that is something that should be taken into account as well.
So on the final slides, some of the slides are uploaded through the website. There are some things with other reading. And on this note, I'll thank you for your attention.
MEREDITH WHITTAKER: Thank you. A couple of questions, we have a little bit of time if anyone has any questions, that was a great presentation. Thank you. Maybe, if someone thinks of one, we'll have other question sessions, so I'll just stay here and it's my pleasure now to introduce Jan Aart Scholte morning. Thank you for coming. Thank you Meredith, Chris, Colin and Gergana for the invitation and arrangements.
My name is Jan Scholte. I am at the university of Gothenburg, I am a global governance scholar and I was pulled into the IANA transition as one of its accountability advisers a couple of years ago. I had never been in Internet governance space and I am still trying to find my way. As you will see from this presentation.
I won't tell you anything that you don't know already, I think but perhaps coming at it as a global governance scholar maybe I'll put something into a little bit more systemic order that you have otherwise had in scattered thoughts. Thanks to many people including a number of in room who have guided me a little bit on this, you are not responsible but I'm still grateful to you.
I am going to go through the slides quickly because I do have my 15 minutes, but they are on the website if you want to contemplate especially the early pieces a little bit more.
I'm a global governance scholar, as I said, research err, and in traditional global governance it happens through intergovernmental agencies, in my mainly worked I worked with body like the international monetary fund, the commonwealth and so on. So when I came into this space I was looking around and trying to figure out what was going on. So, I have put together a few thoughts about what I think are maybe distinct I recollect features of what happens in Internet governance spaces and say something about their possibilities, promises and then also maybe say a few things about their challenges, problems, pearls, at which point you'll lay into me, which is good.
This is all the IANA stuff. You know it and as I say it's not so much about the IANA transition as what my experience of the IANA transition has made me think about global governance.
Which is basically, I have put together seven sort of distinguishing features what I think is going on here, which is different from what one normally sees from global governence, in the old style. One is that it's transcaler. I can show you. You see, political types can have their jargon too. You throw your ACs and SOs at me and I'll throw transcalarity at you. Okay, so the transcaler meaning that it operates across local national, regional scales of global activity and you indeed also move across those spaces in your day‑to‑day work. It's trans secretary oral, which is it involves civil society, business and official circles in economics mixes. It's die fuse, Internet governance doesn't happen in one place, it happens in many, many places in complicated relationships with one another. It's fluid in that if you made a map of Internet governance today or this year and then you made another one last year or next year it's going to look different and that means that you have to keep up quite quickly.
Overlapping mandates of a number of organisations, so the ITU and the ICANN can have arguments all the time and the different RIRs can see whether they can coordinate this that and the other together.
Ambiguous hierarchies, it's not always clear who is ahead of whom and that makes for some nice confusion, and the absence of a final arbiter, meaning that in this kind of global governance there is not a last decision point an what's interesting about the IANA transition in that sense it's the withdrawal of the notional final arbiter, almost in recognition that there can't be one. So the US Government withdraws itself too.
Sorry for being a little bit quick but I do want to bet to the things that are going to provoke you more.
One thing that might provoke a little bit. One thing that I found is I have been listening through these last two years is everyone is always talking about bottom up, horizontal, and etc. And I look at things and I don't think they are bottom up at all or they are not ‑‑ anyway, they are bottom up in the sense that yes, Government officials don't tell people what they are up and they are bottom up in the sense that, yes, the people who do the work on the internet are making the rules. But in geopolitical terms it's not bottom up at all. It's incredibly concentrated in the global north in the whole in Europe and North America, and the bottom in geopolitical terms in terms of the global south is not on a PAR at all. It's not bottom up in social terms in terms of class, race, gender, age, in terms sacksality faith and so on. There it's very clear. Look around the room here, it's clear enough and that's replicateed in pretty much every Internet governance space. In social structural terms I don't find it terribly bottom up either. Nor in cultural terms. If you don't speak the English language, if you don't know kind of the western ways of this, that and the other again, you are going to have a harder time navigate ago multistakeholder space of Internet governance than you were if you were to go to the UN or traditional. It's just when I hear this endless horizontality, bottom up, congratulations of how it's all so democratic and so on, I think ‑ ehh, hold on, hold on.
That's a transition to the promises and the pearls.
Promises, really good promises, I have loved, loved, being in this IANA transition process because it is so incredibly creative and rich, and the richness of when you sit in a room and the experience that people bring into the room. When I have sat in other meetings of the international monetary fund or trade organisation, abuser creates who don't know much of what's going on and following very rigid kind of rules and so on. You come in these spaces and what people know, the insights they have, the inspiration that they have is really really, you don't realise how much there is until you have been in some of the other spaces where I think I probably don't want to go back to again after this.
Okay. But but the create ‑‑ the speed, I know, you were always complaining Athina about how slow, come on, CCWG, what's going on? I ask you, where else would you see a fundamental reconstruction of the constitution of a global governance arrangement in less than two years? If you had thrown this ‑‑ if you had gone to the you nations with this, after two years, the W, it L took eight years to get the basic document together. I know people complained at being really slow, but I found it actually very fast.
Adaptable people. People finding new pace of doing things, ready to be flexible, try something new and something else. Again a very good promise. People addressing issues that were important. I put forum shopping here. A nice thing about Internet governance is because you have got so many places where people are making rules, if you don't like what's going on in one place you can run off to another and you can keep moving around until you find the place that's going to answer what you want. That's kind of openness in Internet governance that you don't tend to find in some other areas.
Relevance and quality. Again the people who are making the rules are the people who actually, on the ground are doing the stuff so the rules tend to be well constructed and relevant and good quality.
Domain objecting see. Again, this kind of meeting, this is a global governance through a regional arrangement meeting. You can walk through the door. You don't need a passport, you don't need a badge, you can just walk through the door, people, once they figure out what they want to say or not, can pick up a mike and talk, that's an openness which in other traditional global governance arrangements you don't have at all. That is really, very, very welcome.
That's the applause.
Challenges: Retooling. I mean, you know when I came into this two years ago, €, you probably remember the first time you walked into an Internet governance space, you really have to learn everything from all over again. Because, it is easy and it takes an incredible investment of time and energy to figure out exactly how everything works. It's open in one sense but there's a huge investment in terms of trying to figure out what's going on. So retooling is a real barrier to entry to some extent for many.
Navigating the labyrinth. By that I mean once you know how everything is figured out, actually going through all of these place Yours sincerely hard. And having the resources and the time to be able to go from the IG, it to the IETF, you know, to ICANN in Dublin and then here to Copenhagen. I mean, if you want to have a life outside of your suitcase, then it's quite a challenge.
Negotiating the cultural diversity. There I was going back to what I said earlier, what often happens is people don't actually negotiate the cultural diversity. They ask everyone to follow the main culture, and to fit in with that. But if the Internet governance is really to address the cultural diversities I think one is going to have to do a bit better than that. At the moment, if you take a look at the top eight countries by Internet use, only one of them is in the euro American sphere, the United States. Everybody else is China, India, Indonesia, nigh injury a, Japan, Russia and son. If the future of global Internet governance is going to cover all this it has show greater diversity of culture.
Living within incoherence and uncertainty. People have said so many things can go wrong because there's so many forces and it's so complex and it can go in so many direction that is you kind of have to live with the possibility that things aren't going the way you want them to go. So, one of the lessons of dealing with this kind of governance might be to learn how to fail well. And with a sense of humour.
Duplication and inefficiency. So many people so many things, it's likely many of them will do the same things.
Securing compliance. You don't have a police force and you don't have a military to make people do what you want them to do in global Internet governance. That means you have got to rely much more on legitimacy. You have the consent of the people who you govern. And legitimacy can take a lot of time and can take a lot of effort to get so that people have the confidence, the trust to follow the rules that you put forward.
Checking special interest capture. I was in the CCWG accountability and it was wonderful and great, but you know the Adobe Connect room, you have the list of everybody who is there and everyone who is participating. Seven out of eight people only put their name. They don't tell you where they're from. And why they are there. And I asked the research assistance at one point I said can you tell me who all these people are. Suddenly ‑‑ I'm not saying this was special interest capture, suddenly you find out there are major corporate interests of certain kinds or make civil interests, governments and so on, and that's not very transparent. So, I think it was all about avoiding capture, the IANA transition, avoiding capture by certain governments and the like, I think there are other captures that might have happened too or could have been at risk and we could have talked about that a bit more. Related to that special interest capture, the accountability and indeed how do you make these Internet governance institutions accountable, you can't elect the leaders from a general population, there's not a global parliament that keeps it in check and so on. You have got to devise new accountability arrangements and that is what the CCWG I think did do so very, very well. They were real creative in trying to say we are not going to have global elections or global parliaments, we're not going to have a nation state on a global state but we're going to make it accountable anyway. There is more to do and work stream too to go forward with that, but in terms of what was accomplished in Work Stream 1, pretty good. One of the things though that is there nor work stream too is the accountability of the stakeholder represents and the amount of times that people didn't want to talk about this. Raised it in the Frankfurt meeting, Istanbul etc., and every time, no, no, but in the end it is there for work stream two. What is the accountability, the transparency, the consultation, the evaluation and the redress mechanisms that were available for the people who are in the room claiming to represent other people?
So, that they themselves are holding the institutions accountability but they them testifies in turn have to have an accountability chain too and there is still a lot more work to do there. Fostering access and turn over, goes a bit back to the beginning. How do you get in? How do you let lots of people in? One official unnamed said to always talks about off boarding, she said on the one hand there's a challenge to get people on board in the multistakeholder process, but then once you have got them on board it can become difficult to get them off board, in terms of transition and refreshing and renewal and so on.
Those of you who work a lot in this space have a check he will, I guess it says something.
Main take away: Main take away. As I have said I have really enjoyed and celebrated the novelties of Internet governance but I do think there is something to celebrate and to worry about. So embrace the whole multi‑stakeholder reason, but maybe take out the 'ism', a little bit less religion and look at it in a bit critical fashion.
What to do? Academics are not good at saying what to do. Maybe one thing there is to do when you are working in Internet governance, no matter where you are, remember that you are part of a much larger policy centric network, a larger Stakeholder universe, where you are in the place maybe you can have more control over the consequences of your action ifs you remember you are not just in this room, that you are part of a much wider and complex picture.
Be ever‑ready to renovate policy processes. It's wonderful, in this space, that it is so adaptable and so that creativity can be let loose, but creativity only gets let loose if you let it loose, of yourself. And then, maybe finally, those structural power issues, this bottom up stuff, I'll call it an ideology of bottom up and provoke you a bit more. Maybe, even resist using that language. So that it makes you think each time again, no, multistakeholderism is a political space, it's a place of power hierarchies like anywhere else, and then it means asking what are those power hierarchies? When are they causing unfair outcomes and what can one do to try and minimise those harms?
Thank you very much.
MEREDITH WHITTAKER: That was great. I love a good power analysis. Anyone have any questions?
AUDIENCE SPEAKER: I don't know how much time we have. I was happy to see you challenging the multistakeholder as an idea ideal as annism and a bottom up part of it too, because people who have been on the bottom of bottom up, regardless of what geographical part of the world they are from are very familiar with the rhetoric there. But one thing that seemed to be missing from your analysis was the degree to which ICANN itself was an interest in this process, and I think that was a biggest tension of the reform process was that the whole thing was being run by a corporation that you know has a 60, 70 million dollar budget and has many staff members, and so when you talk about the accountability of the supporting organisations, you know, you have got to be aware of the potential for hypocrisy there because those supporting organisations don't control the root, they don't get millions of dollars of fees, they don't finance their own activities, mostly they are financed by ICANN and so some of us when we resist that had we were thinking you know, let's get our priorities right, let's make the big guy accountable first, then we can talk about the bottom‑up processes.
MEREDITH WHITTAKER: I'm going to call that a comment not a question. Then I'm going to move over to Patrik.
PATRIK FALSTROM: So I think it's interesting you bring up the issue with the accountability and the risk for takeover also from sort of the non classical sort of threats that were listed. I have a question whether you have been looking at how to move this forward because as a co‑chair of the ICG we have already sent one note to the implementation of the ICG and CCWG reports where we saw some indication that this actually continues by having people still trying to enact things that were not covered in the regional work, which means that the community spent an all of amount of time to actually box in the vary areas that had to be implemented but still would see some risk for capture. And yes, no question no answer is enough for me it something that you specifically have been looking at how to this inboxing thing, whether that is something you believe that is successful or whether there is still risks given the way these communities work?
SPEAKER: Academics always say yes, but and/or,
PATRIK FALTSTROM: That's a crystal clear answer, thank you. See you in the bar.
AUDIENCE SPEAKER: Nurani Nimpuno from NetNod. Love this talk and I would love to have at least another half hour to discuss this. I just thought I wanted to make some comments about this community, in relation to this bigger Internet governance sort of community, and I think first of all you're comments about diversity are so important, because if we look critically at our own community as sort of a sub group in this larger community, we are open and one can come here, there is an informality to this and we uphold this as you know, as fundamental and I think we should, but of course it also means that you need to be able to come to the meetings, you need to understand the lingo, you need to dare to go up to the microphone, etc., and you need to be aware of those very hidden barriers of entry. One thing that struck me when we started participating in the ICANN's accountability work, was how much time we spent on setting up structures and processes in case someone would go crazy or abuse their power, and how we can ensure that we could remove people from positions of power. And one thing that I see as fundamentally different in the number community as opposed to this larger ICANN community, is that, is where you place the power. If you place a lot of power at the top of your structure then you need a lot of mechanisms to be able to remove that power. If you distribute the power in the whole structure, which I actually think we have done a lot better in the number community, then you won't need as many sort of safeguards. And there I actually, I think when you talk about this bottom up, cannot have bottom up if you have a lot of power at the top of your structure. And it comes back to this informality, and the ICANN world there is so many processes and there's so many structures that you need to be aware of in order to participate in that, in those processes at all. While in this community, it's a lot more informal, and it's something I'm incredibly proud of, but again I think that we need to be very careful of just, because it's informal doesn't mean it's accessible, so, if you have the time, I'd like to hear some of your comments about your reflections of that, you know, if a process is well documented it's complicated and there are certain, you know ‑‑ if you study the bible of that organisation, you know exactly where to go. There is a strength in that of course, but it also, you know, the bureacracy makes it very hard to participate.
And then, just a comment about this thing about avoiding this language, and avoiding the language of multistakeholderism and I realise that it's a word I have takeen my mouth a lot, but it's actually also a word that I think again in this community, we have been, when we craft text and other things, we have actually often avoided it because we often, our position is that multistakeholderism, the term was invented basically in the WHOISes process, but the phenomenon existed long before the UN got its eyes on this.
So, yeah, just a few reflections on this community as opposed to the larger one and I'd I'd like to hear if you have any thoughts or reflections on the differences between those two communities.
MEREDITH WHITTAKER: Thank you. I want to just be conscious of time. We have I guess two, but we have four more questions.
AUDIENCE SPEAKER: Hi, I see monitor could you tanney. I'm not going to speak anything about the CRISP or the CCWG but I would like to speak as a member of the Internet community coming from Japan. Very interesting observation and analysis. I want to touch on a topic of issue of diversity. Through my experience I really felt like Japan was one of the economies that you have mentioned that in terms of the Internet economy, we have quite a bit of pie, but then you don't see much voices. And your observation is very true that this, like a filtering or natural filtering, natural blockage of information on what's being discussed globally and Japan, so if nobody shares any information, the amount of information the Japanese community gets is zero. So, what we have done as JPNIC, at least we have the expertise around the area of the IANA stewardship and what's happening in the CCWG. So we actually shared, updated our Community, so we haven't gotten to the perfect stage. We have regular active contribution in this area. We have actually managed to get 90 individuals signing to support the transition. So we're taking small steps. And we want to do it like the Internet way. So there's no one who will tell, okay, you have to translate all the information, but we, as the participants in the community discussions, voluntarily think okay, I have expertise in this area so I can share this with our community back home and we can slowly take steps. At this stage, we have no expertise in the area of security where we observe a hot topic on the Internet governance arena, so we're trying to reach out to our colleagues in J P cert or other areas that has expertise in this area within Japan, so if we can spread these words and collaboration slowly, maybe we can change this issue of diversity a little bit and I'd certainly be interested to hear if there are any other suggestions, not necessarily in in room here, but while we're here at the meeting. Thank you.
AUDIENCE SPEAKER: My name is Andrea by Kelly I work for ICANN but I have two questions, I know you are an academic so maybe you are not going to look for a straightforward answer. From your analysis, what do you think can be done to overcome this cultural barrier that you addressed and I think it's a very relevant one. And the other question is about how much, from your experience, you will sees this multistakeholder process can be adopted outside the realm of Internet governance and how much other global organisations within the UN or outside the UN could learn and could make use of this experience. Thank you.
AUDIENCE SPEAKER: I am Paul Rendek from the RIPE NCC. First, it's such a pity that we don't have probably a day to spend on what you have put up in those slides because I think you would have a really rich discussion here, so thank you very much for coming and sharing that firstly.
I have a question from the multistakeholder side of things, because I think this buzz word came up. Everybody jumped on it, it means very different things to very different stakeholders or sectors. But, I want to approach this from a different side. Have you done any research in taking a look at what really has been the buy infrom any particular sector on this whole bottom up, multistakeholder process in the long term? So, if I can be blunt, if I'm looking forward to see what's coming, is this multistakeholder process that we're in right now tolerated because there is no other solution or there is no definite control mechanism that somebody has figured out to put on top of this whole circus or reign a, sorry, circus is probably not the right word here, this arena that we're working in, right, and I wonder if there is any research been put into that or if you are interested into looking into something like that, because I would like to gauge where we're moving forward. Because I highly doubt that everybody has embraced the multistakeholder word or you know moving forward, but is there a chance for this? So that's a question I have.
AUDIENCE SPEAKER: Hello, Constance Brunner, from the German Government and we are an LIR. I just want to have some remarks. Thank you for your presentation. It's very interesting. As Government, from the governmental side, we see a lot of changes in that Internet development process. We have to take over responsibility, that's clear, that's absolutely clear, and we have to join the mechanism that the Internet process and to the development process offers us, so in Germany, we realised that and we learned about, we started our own Internet Governance Forum in Germany, and we realised it, and this process brings so many paradigm changes for us, for the community. We, as a Government, we are a new kind of user in the community, so, we have to fight with all that changes and problems. But we have to take the methods in here and we have to accept it. Otherwise it wouldn't change anything. And on the other hand side, we have to realise in the hierarchical organisational parts, the multistakeholder process is so different to our decision processes, the multistakeholder process brings in new kind of organisational stuffs, so, this would be changed a lot in the governmental behaviour. So we are going to learn and we see and it's very interesting to discuss this and thank you for your words.
MEREDITH WHITTAKER: Thank you so much. I don't know if you have any quick thoughts addressing so many rich comments.
SPEAKER: I'll just say, as briefly as possible, and usually when dak demand IX say they are going to be brief they are not. Milton, entirely right. Staff accountability is on stream 2 as well. Would I say the large corporate interest, the intellectual property interests which is very, very strong in the CCWG, I think those need an extra check.
Patrik I already gave a yes answer. Nurani, so much there. I think it does take a lot of time on the accountability because there are no established answers on, it it just takes a lot of time to work through something new. If you go an established mechanism you know what to do. In this case people had to make it up from scratch. Informality is power, there is power in T‑shirts and pony tails.
The diversity stream is already active I think very active in the stream 2.
Matthew and others are really working on that so I think it's going to be kept in play. I'm sorry I didn't catch the person from ICANN's name. But what do you to overcome the cultural barrier, on the one hand you do all these things about language and interpretation, but I think on the other hand more deepey you need a knew ethics of what I would call trans cultural politics, which is not an assimilationism, it's not a multi‑culturalism. I have written on that. The point is a new ways of dealing with cultural diversity and cultural difference, new politics, new mind sets. This could go to other realms. Yes, that's why I am especially interested in this as an academic.
Paul, the buy in, will it be tolerated and go further? I think it will go further if people emphasise the promises and address the problems. Again, it's not an automatic yes or no, but if it's going to go forward, the promise that is I mentioned really have to be emphasised and developed. The pearls really have to be addressed and taken seriously.
And then Constance on Government. Government is a Stakeholder. It is a Stakeholder, it's not multistakeholderism here and governments there. It's Government within multistakeholderism. Government has a perspective. Government has expertises, Government has expertises especially in negotiating the public interest that other types of actors often don't have. Government has possibilities and ways of distributing resources and where necessary, making a fair distribution of resource that is other types of actors don't often do. In those ways I think Government in particular has a role. Thanks very much for all the comments. I wish we could talk more.
MEREDITH WHITTAKER: Thank you great. A little behind time but we're going to leave time for this. I think Mizuni made a wonderful comment, that is a great segway, about the desire for and need for security expertise in the governance community in the broader Internet policy community. That's what this is. I would encourage those who are in the governance space to listen up because this may seem a little technical, but here we have Holger Levsen, a Debian developer, talking about a project called reproduceable builds which holds out hopes for being able to affirm and secure different software packages, different pieces of code in ways that could be verifiable and lead to some very interesting policy outcomes. This is the kind of knowledge I think it's great for the technical community involved in policy to then take back to some of the larger multistakeholder organisations.
HOLGER LEVSEN: I will talk about reproduceable builds. I have done a lot of work in Debian in the last, 10, 15 years. In the last year, I have been mostly been working on re produceable builds, exclusively funded by the confer structure NSF, with *Luna, there's many more people working on reproduceable builds, this is the whole Debian team, I am just one and the work I present is the work of all these people and many more.
We have a Jenkins set supply which has these contributors and these are the contributors who didn't contribute to Debian stuff. This is about many other things so there's many people working on many things. I hope I will not put too much information on you.
So, who of you contributes to free software? That's nice. Who of you heard about reproduceable builds or seen a talk about it? Great. So, what is it about? Why do we do this? It's better explained by this talk from mike perry two years ago at the K S congress, they give what I give now in two minutes, they explain in 45 minutes, it's really nice. They had an example of a remote root exploit in the SSH D where the ‑‑ you have 500 kilobytes of binary and a single bit difference decides whether somebody else can get root on your machine or not and cannot find that bit by looking at the bits.
The other thing they had they had a live demo of a kernel module which modifies the source and memory. So you look at the source on the DNSSEXY, the source is fine and you build the source and the binary is compromised. They had a live demo there in the talk.
Then there is final insensitive to correct developer machines, like Bit Torrent started, Bitcoin, it was their client because they were afraid that bitcoin had a market capitalation of 4 billion or something, so if they would Hack these machines you would get 4 billion, censorship budget is hundreds of millions in several states. There is lots of money involved. Also you probably leave your computers alone with physical access, you can compromise any computer basically, so these are the problems which I'll just mention here very briefly.
There is other things like the CI A had this design where they thought about putting trogans into SDKs which developers used and that was a plan or CI A but this happened in the wild, last year there was this X ghost code comparability and developers downloaded it and I think not what's app, but some application there was 20 million don't load which was compromised because of this, so this is a real problem in the real world.
And our solution is that we promise that everybody can generate bit by bit identical binaries from the same source. If you can take the source, create the binary and you get the same bits that I got, that's what we call reproduceable builds. And I'll show the demo first. I don't show you a demo because it's a bit short time. So when you build binary, you have sources, it's the upper thing and then I build the same binary five times and you see all the check sums are different. And with reproduceable builds all the binary check sums are the same. That's basically what I'm doing. And in a big scale.
And we think this should be the norm. And we also think we want to change the meaning of free software, it's only free software if it's reproduceable. Or to put it the other way: I can only be sure that this binary comes from free software if it's reproduceable. It's just a binary and it might be anything. (Free)
So, what have we done?
We started one‑and‑a‑half years ago, three years ago the Debian project started, bitcoin and torrent did it in 2012 already. In the last year we have set up this web page, reproduceable builds org, where we set up the best practices, which are listed there. We used to have on the Debian we keep it, but this is the authoritative resource power at pork. We set up test reproduceable builds where where he test software so we build it twice with variations and show the results. We continuously test Debian testing, unstable and experimental. We do this on AMD 64, I 3886 and A R mm‑hmm F. We also do all this testing. It's building all the time many many software. And it's a Jenkins set up with 300 Jenkins jobs and 28 hosts and many contributors. It's 10 K of code, it's simple.
So, we have dispersed resources in the Cloud. We have mostly built in RAM. And we also have some small arm board so we can test some arm. We plan to get some arm 64 boards this year. Just to do the testing at the moment.
And when we built Debian, or when you build anything, we build it first, and then we modify the environment so we change the host name, we change the time zone, the language, the low calls, the user name, we change the kernel on I 386 we build with a 32 and 64 bit kernel. We change the CPU type if we can do this: We change the file system, because also the file system returns the entries in different orders depending on the file system. And we also change the bit date. So we have some nodes running in the future. They run one year, one one month and three days in the future. So one build is from 2016, at the moment the other is from 2017 and we finder errors, we find lots of errors.
That's a bit less variations when we test other stuff. But that's the basic principle.
And the problem we found. Our time stamps and interestingly not so much time stamps in the binaries but mostly time stamps in documentation. So all the documentation or most of them put time stamps in there.
Then time zone, also affect the time stamps, so if you unzip old zip archives from 1980 today, the time zone will be applied, so this can also cause variations in the build. Same with the locales. And then there is everything else I would guess is probably 15 or 20% of the problem while the first three are 80% of the problem or something.
We documented this. On the web page we have this documentation with the several types of problems, and Luna gave a talk at the CCC camp where he gave example how to work around it. You can call G slip with minus in, then it will not put time stamps in there, it will put the two minutes order there. We have documented several work‑arounds there, or tricks. And we wrote difficult owe scope, which is a tool which can examine two objects and examine them recursively. So, it takes whatever an archive contains a PDF and this contains an image, so it will take this and if only the image has it, that it will display the images side by side and show you you the bits which are missing. It falls back to binary comparison. And I'll show you an example how it looks like. So these are the ‑‑ you can see the differences between the two versions. In the beginning, difficult owe scope ‑‑ you can give it two ops, to file systems, to ISOs, two directories, give it two objects and it will compare T it's useful for other use cases, like if you have a new version and see what has changed between the two versions, you can use it for that even though it was not developed for T if you want to give difficult owe scope a try, go to this web page and you can upload two objects and it will present the differences. (Difficult owe scope) it's really, really useful. That difficult owe scope is only for debugging, if you want to see if something is reproduceable the bits have to be a bit by bit identical. So that it's not the tool to check if something is reproduceable. It's just the tool to see if it's not pre‑produceable, to find out why.
Then we came, another thing we have this build date which are embedded in many build products an they are normally not useful for the user. They are just an estimate when a software was built so you can probably estimate that the libraries are recent but it doesn't say anything. Because if you can build the software today and in two years and the result is bit by bit identical, the build date becomes meaningless and you want to have the date of the last modification.
So, we wrote a source date EPOC, and that be be used instead of the current time. It can be used for random seed, but need a seed which is static.
In Debian we set from the last change log entry. We have adapted it for necessary DS P, free BSD, other projects. And it's adapted in many sources, we have got a patch in GCC, so the minus minus date and time macros. There's I think it's 20 or 30 tools by now which use sort date EPOCH. The spec is 2 kilobytes architects or something, it's really really short.
In Debian, we are now at the stage that in unstable 88 .5%, so over 21,000 binary packages are bit by bit reproduceable in our framework with with all variations. In unstable we are over 90%. And it took us one‑and‑a‑half years. So the green is the reproduceable packages. The oranges are the unproduceable ones and the red are the ones failing to build from source.
To help analysing it. We take, we categorise them, so we have issues like whatever, pie doc puts a time stamp in there and then we put packages which have these issues, so we found over 190 different issues in 3,000 packages so far. And in AMD 64, we have almost 1800 reproduceable packages left but only 200 without a he had no. All the other we have looked at have analysed maybe not completely, but most of the stuff we looked at already, we still haven't found the solution but we at least found some problems. And these nodes are maintained in a simple GIT file, where there are 40 people I think contributing to it. At the moment, the nodes are only Debian, but we want to make them cross distrow, because the same software will have the same issues in other distributions as well. This is planned to happen over this year.
For Debian packages, you can just go either test reproduceable builds org, and this URL, it will show you, if you go there, it will show you that Linux is not reproduceable because of variations in the documentation because we vary the shell, so whether you build with besh or desh, test for the Linux file, Firefox is reproduceable, go, check out your favourite software and see if it's reproduceable. And because 20,000 packages is way too many, nobody cares about them all, we have package sets which require essential, but also the desk tops at norm and K DE have language set, like the Perl packages are 99% reproduceable and Java I think is the lowest with 66%. Kepak /APBLGS are the packages which are used to create the Debian CDs and used in the infrastructure, so there we had 85% reproduceable. 85% sounds nice, but it's still 400 packages which are not reproduceable. And of these 400 probably 40 are hard and 4 are really really hard, so getting 100 is really hard, we don't ‑‑ we want to get 100, but for one self and only to get the packages reproduceable which one cares about. So it's no so bad.
And this is the number of bugs we filed, bugs about reproduceable issues, so we filed 1600 bugs in the last one‑and‑a‑half years. Part of these I think are 95% WHOIS patches. 1,000 patches have already been applied, that's the green stuff and 600 patches are still waiting. We also find many many other bugs, because we constantly build the software with the latest libraries, we also file five fails to build from source bugs per week, we find other bugs like software which behaves differently which you build with a /HREUFRPB locale, which are real bugs, we also find bugs like software which fails to build in the future, which is all side effect of our testing.
And the only thing that, what we did, which we could not fix, is we agreed on using a fix build pass, because many compilers embed the build location so we just agree to build in the fixed location. We couldn't fix, it we have now fixed it for C GG and C LAN, so that's pretty great but still O'Connell and other compilers still embed the build location so we just keep the fix build pass. And by now we only /PHOT identified four packages in the whole Debian archive and it's basically depackages which needs to be modified to get 85% or something and the rest is simple. Not simple...
But, one thing I already didn't explain so far that reproduceable builds demand a defined build environment, so we need to define the build environment and you need to be able to recreate it because AS rebuilding will only happen with sheer luck, a different compiler version might create the same results. The identical version will definitely create the same results.
For Debian, we have done this, K O J I for RPM was designed for it. /TKPWAOU IX does it. We have build info files, we have checked the generated binaries, sources and the packages used to build, and these can be used to create the same build environment and then hopefully recreate the same binary.
Elsewhere, we have not defined build info files. It's clear we need them. /WHRAOER what needs to be in there, it just needs to be done and it hasn't been done yet, but hopefully it will be done (clear) this year for at least RPMs.
We write weekly reports with our progress since May last year. We had a summit last December in Athens with 40 people from 16 projects. We plan to have another one this year. And last year we had 2 GSO C students and this year we have 4. Last year they were really great. I look forward to this year. We want to change Debian policy. This was where we want to be, and so that sources must be reproduceable. We hope this will happen after this release which we are working on now. So in 2016, we hope to just change policy to say source shall be reproduceable. We'll see.
And this is all a burden of proof of concept. Debian is zero% reproduceable at the moment because there is some bits missing and it's not done. And I hope that stretch will be partly reproduceable in a meaningful way so that we are some /SPWETS and people can take it I /SHOEP that /PWUPBT /AOU basically can take Debian after next release and make it /PWUPBT /AOU reproduceable. Ill be angry in a way but I will also be very happy.
For Debian it's not much to do. But, all the other parts, after being able to rebuild, they are still missing, we still need to distribute these build info files, we need user tools and this all still needs to be designed and coded and it's all not done.
Non Debian world. I only have very little time so I'm going very quick.
Sore boot is 99% reproduceable. There is two images out of 250 which are not reproduceable. Looks very good. Core boot just didn't distribute binaries.
Open PR, it is also going well.
Net BSD is now at 77%.
FreeBSD really started this before Debian even, they had 63% of their ports reproduceable in 2013, in their test framework.
Fedora, started discussions with them, we have got one patch in RPM to make RPM create reproduceable binaries. I will be at the conference this June in October and I'll give a talk about reproduceable builds in general and after that there is a talk about reproduceable /SAOUZ a, so /SAOUZ an is really working on it and making good progress and I get that Fedora can take the work then.
Arch Linux also working on it, F Android. And there is other projects which have non activities. Signal two weeks ago made a statement that their builds are now reproduceable which caused quite some news. And there is also commercial proprietary software which is pro produceable. Guess what it is? It's not Windows. Windows could be reproduceable, the source resource available. It's not a medical devices, not /ARPS, not cars, not power plants. Gambling machines are reproduceable. I hope there are other examples of software which is reproduceable because it's really important that you know what these bits are doing.
So, distributing these build info files is still a challenge because we have got a hundred thousand new files. I'm not sure how we do this. Also we need to deal with revoking signatures and all this fun stuff. We need to rebuilders, at the moment we do this test builds but we want to do the real world builds, and it might be that individual rebuilders could work, but also we could have large institution it is do rebuilding, all these companies, whoever rebuilds, we don't know. Fedora rebuilds Debian or whatever. And we need user tools. Do you really want to install this unreproduceable software? Do you want to build those packages which unconfirmed check sums. Do you want to be the one to reproduce them? How many signed check sums do you require to call it reproduceable? The other way around is easy but that's no so easy. And whom do you want to trust?
We have come a long way, but we are still not there yet. It's even not clear where we're going. It's technically possible to do this but we need to create policies and processes. We need projects to say we want this. And we need to keep doing this. There is some resources here which I will skip. How you can get involved. So merge or patches, etc. Do it yourself. Just build software twice, go to the website and see what the difference resource. It's really not that hard to fix the individual problems. It's just a lot of busy work. You could join our team. It's really nice.
MEREDITH WHITTAKER: Questions?
HOLGER LEVSEN: I will be here today and at the dinner.
AUDIENCE SPEAKER: It's a quick comment. I'm really glad to see such a presentation here in Cooperation Working Group. Because, well you are showing all this governance and cooperation people that's a matter of trust, it's not just trust towards the Government but trust is a technical matter and it may be done and maybe it should be done when you are talking about trust, it should be tech account verification methods for any trust matters, including real life, not Internet.
MEREDITH WHITTAKER: I second that comment and I think this is where technically verifiable trust can be merged with some of the policy mandates.
AUDIENCE SPEAKER: I don't see pen, RIPE NCC. You talked basically about the not so hard problems for to solve these, are there any real hard problems for packages, you mentioned like packages in Debian having difficult problems. Are there any systemic problems with some kind of software that makes structural changes necessary basically to them?
HOLGER LEVSEN: The hard problems are the one where we just have two chance of bits and we don't really know what they mean. So that time stamps and coded sometimes, or larger time stamps or the build ID is modified. So, these are the hard problems. But the hard problems only make up 5% of the problem space. So that we really need people working on the easy problems and also some on the hard problems. And the hard problems are really individual very different.
AUDIENCE SPEAKER: Thank you. I have a second question. What's up with open BSD? I saw a slide ‑‑
HOLGER LEVSEN: I have just never talked with anyone about that. I have set up all these tests after I set net BSD and FreeBSD, okay, open BSD somebody else can do that, I guess it's the same as the others. If somebody wants to set up open BSD I am happy to do it. I have the resources to set it up. Please come talk to me in you want to.
MEREDITH WHITTAKER: Anyone interested, he will be here today. We're still running. Chris is going to give a very abbreviated update on the IANA transition. As you know Chris will be here, and other CRISP members who can address this.
CHRIS BUCKRIDGE: This is not about the IANA transition in any way, shape or form. I'm usually the one standing between you and could have /AOEFPLT today I am standing between you and very exciting co‑chair discussion. So the pressure is on.
But, I wanted to talk a little bit about a process that is really pretty obscure but I think quite important, and to illustrate that importance, I will give a little bit of context and like so many things in Internet governance that context is WSIS. Basically the world society information society. A conference about ten years ago set up or sort of established this multistakeholder model that Jan was speaking about a bit and it has sort of perhaps tarnished a little in its use over the years, even from those who support it. But I think the one thing that really we need to take away from /TPR* that and that been a really significant victory for us and for everyone over that time, we now have a seat at the table in a lot of these discussions. And a lot of what the ones I'm talking about here particularly, some discussions that take place in the UN context and there's a lot of those. We have the IGF, the Internet Governance Forum, there's a multistakeholder advisory group that sort of steers that and decides the programme. There is a session that MAG has represented us from different Stakeholder groups and there are processes for selecting that. There are other UN venues where this is also the case. And these are quite high level sort of public policy venues. But the victory that we have had is we now have a seat at the table in these discussions. The question is who actually sits in that seat. And how does that person or persons get selected?
We have a seat. Now what do we do with it? I think to answer that, you sort of have to go back to what would be the role of that technical community person in this discussion. And I think this is a sort of the high level general role that we see for technical community in a multistakeholder context. It's to provide the perspective from those who design the, built, continue to /EFL do and continue to operate the Internet. And that sort of breaks down into a number of different areas. There is informing public policy discussion with specific technical information. So, it's sort of saying okay, you have this public policy goal, you see this as a possible solution, but actually that's not how the Internet works. So there's a reason that this doesn't work. That's sort of too often been absent from some public policy discussions. That sort of leads into the second one explaining the technical reasoning behind decisions that were made in the design and architect of the Internet. A question like why IP address is not distributed on a country basis like we have done with sort of telecommunications or with the ITU. There is a reason for that. Someone who has the experience and the knowledge of that needs to be in the room to add to that.
And then from the policy side there is a need for someone who can talk about the ways and the processes the technical community does thing. They can talk about the need for openness, transparency, bottom up if you want to use that term, processes, why those have been important to the Internet success. And what they can add and contribute value to public policy processes.
And so then finally, I think what we want from these people in these position Yours sincerely to influence that discussion, to influence it towards better public policy making but public policy that reflects and respects the technical realities of the Internet that we have.
So, over time, the process for selecting people for these positions has developed in a pretty ad hoc sort of way. And where we're at at the moment, is that this group, called the Internet collaboration group, which some of you I'm sure are aware of, others I'm sure are not aware of, is trusted or entrusted by a lot of UN organisations with selecting people from the technical community to be representative of that community.
Now this Internet collaboration group is not really an open forum. It's not something by design intended to be nefarious or sinister, but it began as a sort of a closed strategy discussion group for people in the industry and that sort of somehow seemed the easiest way for the UN to get a channel to this community and that sort of happened over time. It's not an ideal situation and it's something we need to change. There are challenges and one of those is the need for greater transparency here. And that transparency is particularly necessary for legitimacy of these choices and of the technical community in these discussions. This is again going back to what Jan was talking about in terms of legitimacy. It's also important and part of the reason we want to bring it out a bit more into the open today, is that there is a need to grow the talent pool. We need to actually get more people from our technical community who are able to engage in these discussions, able to take these seats and the lack of transparency and how it's been done I think has added to not growing that talent pool. So...
This comes to, Meredith put me in the agenda as annen treaty. This is then treaty part. What I'm here today to do is talk a bit about this. Illustrate a bit of the importance, but basically, say to you, as a community and community members, are you interested in having a greater role in this? And that can be from having a greater role in the discussion about who /REPLTS the technical community, what does that representation mean. To actually being one of the people who is entrusted by that community to take part in these processes and to take on that important role in a multistakeholder model. (Represents)
And yeah, I think part of what I'm saying is talk to me, talk to the RIPE NCC, this is not our game, our gift to give, our process to run. But, we're certainly part of that as should you as community members be part of that. So we're certainly happy to work with anyone to assist you if you would like to be more involved.
I think that's all I have. Any questions?
AUDIENCE SPEAKER: Alexander, open set registration, well, actually, about a month ago, or in this month sorry, I was at ‑‑ allocated I /TURBGS general owe a, I spent the whole week, it was a great impression for me, but what the most I noticed? That people from ICANN and ISOC who was also running workshop during the forum, something like that, I got the strange feeling that they are saying completely different things that that ICANN and ISOC saying in this community. It's not just rearrange it for governmental representatives words. This was a complete meaning. It's a real strange, I cannot formalise it but I have feeling that they are saying different things. So, to have technical representative or this community representative at that meetings is very important to verify does ICANN saying one thing. So, another point was, the whole session about CCG B accountability stream tool. There was a lot of people from this Working Group on the table, but I don't feel that they were ensuring that all stakeholders are presented well during this Working Group. They were telling just how cool they are working, how outcome is cool or something like this, but on a question I'm sure you are representing the whole community that wasn't able to answer.
So I think that the whole activity led by technical community in the RIPE NCC is user from, and I'm contacting you.
CHRIS BUCKRIDGE: I think one of the interesting things here is that a discussion of what is actually representative, and I think ‑‑ I think different Stakeholder groups I think that's different things. I don't think a technical community representative can represent the technical community in the way that a Government represents its people. But, it is important to have people who can raise specific expertise, can provide specific expertise into these discussions, so, it's a longer discussion though.
AUDIENCE SPEAKER: Peter Koch, first I'd like to make a remark to your slides. So, whereas, we, like, have developed new sensitivities in this community and whereas we like to take ourselves not too seriously, I would suggest that you reconsider using the term techie in these environments. It's a bit like the N word. It's good in the hood man, but not for town hall discussions. So that said, and since you had that nice teddy bear on the slides, how many ‑‑ can you just give a rough estimate of how many of the tech community representative really have a tech background?
CHRIS BUCKRIDGE: Well, no I mean this group, the discussion that we have, there are ‑‑ and this is talking about the Internet collaboration group here ‑‑ there are many people with very strong technical /PWROUPBDZ. There are also people with very strong policy or much more policy orientated backgrounds but I think value of this group is that it keeps the connection between those two sides of the technical community in contact with each other and talking. But there is certainly a discussion, and this is also a discussion that's ongoing, about what the ratio of that should be, and this is where I say that aware happy to assist where we can because I think there is a need, going into these sorts of discussions, for techie people who have some understanding of the news they are going into, the political issues involved but it's not enough to only have that knowledge. You also need people with that technical expertise. So finding that balance is another of the challenges.
PETER KOCH: And thank you by the way for being more trans apparent about that group that was otherwise a bit difficult to find. Thank you.
AUDIENCE SPEAKER: Nurani from NetNod. I think we need to solve three ‑‑ well, find models for three things. One we need to find a space for this open discussion so that people ‑‑ to foster people's ‑‑ to mentor people into these processes. It might be people with certain technical expertise but who don't understand the policy space, or it might be newcomers who need to sort of /HRERP its issues. So that's one. You need to have that open space with the open discussions. Then we also need to have the closed spaces, right, we need to be able to have closed spaces to discuss and strategy eyes. And then the third thing is you need to have processes for selecting representatives, and that can not be closed. It needs to be open, transparent, documented, clear, and accountable, you know, that it needs to be credible and it needs to be something that works so that we can select enough representatives for people to go in these other Internet governance groups. That's been a real challenge, a struggle in the past and I think in the past we have mixed these three things. We have wanted one space to do all these three things but they are separate things. We need to have open discussion, we need to be able to discuss in private as well, and we need to have clear documented transparent processes. So, it's not so much a comment to you actually, but it's a comment to this group, how do we find the formats for that?
CHRIS BUCKRIDGE: Well I think the other point that perhaps I didn't, I skipped over, is that the RIPE NCC is not the sort of /TPOPBLT of all knowledge here, there are people in this community rand this room who have been very involved in this process, and if you have an interest, they are also good people to talk to. (Font) chit.
MEREDITH WHITTAKER: Very quickly.
AUDIENCE SPEAKER: Thank you very much. I just want to say to Chris, it's a wonderful niche /TEUFP. It's extremely important. I have come from that other world, from politics and policy and the /TPHAOUPBTed nations. We are desperate for technical people and experts to come and talk about the facts. So even if you don't want to be involved in politics, just to be there and explain how things actually work makes a huge difference because you have a lot of politicians, I can say this because I am one, who talk about making decisions which are deeply affect the Internet but don't understand the technicalities. So you have a huge added value. The only thing is that when you do engage, you need to be really patient because we really don't understand any of it. So you have to have this capacity to take something very technical and explain it, so that politicians will actually understand it rather than be intimidated and then just fallback into the hands of corporate lobbyists or whoever wants to give them the other message. It's really important in this precarious power balance we have, that this voice is heard. Finally, I want to say from a procedural point of view within the ICANN board we have established a Working Group on Internet governance to see what role should ICANN have, how are we going to that I can that up? What is going to be the role of ISOC, what can we do? What was the community to do? Please come to me with your ideas, with your suggestions. We are going to be talking to people about how to go about it and we'd like to start developing a strategy, but in a very open and inclusive transparent ways. Thank you very much.
AUDIENCE SPEAKER: Jim Reid. Chris, I think this is probably something that the community does need to be involved in. But, I have got a couple of observations that I think need tomorrow clarification, not necessarily here right now. What sort of resource commitments would /KPHUPB be expected to commit to contribute to this and is it also going to be an ongoing thing or is it something that's got a clearly defined end goal? Is it going to last for a year or are people expected to go into a smoke filled room in Geneva and be locked in a basement for three weeks? Can it be done on a mailing list. Conference calls, go to ICANN meetings, some of this stuff needs clarification because if we you want technical experts to go to these meetings I think we need to know if those technical experts will need to know what sort of commitments they are going to have to provide. What they are going to have to do about travel, if that's going to be a part of the component as well.
CHRIS BUCKRIDGE: I'll answer because I can answer quickly. That answer is that it's a case by case basis, each of these is a different situation. For each of them there are different time commitments, different possibilities for funding from say the UN and so that's ‑‑ being engaged in the discussion, you will know what each specific one will require and you may be someone who can volunteer for one and not for another. So...
AUDIENCE SPEAKER: Fill I will Yilmaz. Thank you for opening this up, Chris, this is important. And I just want to make a link to the previous conversation about, from Jan art, about accountability part here. I think this is a good show of the accountability that we have to take on as the community ourselves. This is not about the RIPE NCC. RIPE NCC only can facilitate or whatever we call the I stars, but now it's up on to us, these techies or technical people, whatever we want to be called like, it's on us to go there and say I want to participate and not be passive and then complain or be resentful about how we were represented while we didn't take part when we were called out. So thanks for facilitating this. And I hope everybody will take on a bit of responsibility that now we have to step up and help you and help ourselves and be accountable for our own community as well. Thank you.
MEREDITH WHITTAKER: Thank you. So, we are eight minutes over time, and have a scheduled discussion of the appointment, I don't know what the word that's comfortable, it's not election I learned, of co‑chairs ‑‑ selection ‑‑. We have some nominees for co‑chair. I need a co‑chair because it's just me. And I'm happy to facilitate this discussion, but my understanding is that it's specifically interesting to a specific few individuals and maybe it would make more sense to let everyone go to coffee who is not interested in this discussion and then those who want to have this discussion can come upfront, or maybe not, I don't know, I'm looking at eyes trying to gauge the room here.
AUDIENCE SPEAKER: This is /SHEPB Kerr. I probably think it would be better to do it in full view of the whole group and not have just a small group go off in the corner and sort it out. That's just my opinion.
MEREDITH WHITTAKER: I am at your service.
AUDIENCE SPEAKER: Peter Koch, you can't be serious. Cannot have an intragovernance discussion in a governance related Working Group and you send the people out and do it over coffee somewhere.
MEREDITH WHITTAKER: I was saying anyone who wanted to get coffee who was not interested in this discussion could in be cognisant of time, and we are over time. And maybe what I'm doing ‑‑ I'm also here to have that discussion. So, I will wait as long as anyone wants. And if everyone is indeed invested in this discussion, I will absolutely have it. That's what I was trying to convey. Did that mitigate the outrage? Patrik.
PATRIK FALSTROM: I walk up to the microphone given that I'm one of the persons that have been speaking up on the mailing list. I was also, together with Maria, one of the two /K*EURS co‑chairs, one of the persons who took the initiative to this Working Group. As I have expressed on the mailing list, I find it being extremely important that the co‑chairs that we are using regardless of how many we are, can fulfil this task to be able to coach this group of people not so much to come up with sort of /S*UTS, and as we really happen to have that, but to help (consensus) and facilitate discussions and get presentations just like we just have heard and then encourage the participants in the work party to be able to engage with their respective whoever they have to engage with, politicians, other groups in their own country, whatever, so that we get a stronger voice from the technical community into the various discussions that are going on. Something that I think, just like Chris described, the technical community has done pretty well. So on top of that, facial work that the co‑chairs should do, it is also the case that the co‑chairs, together with the co‑chairs for other Working Groups in RIPE do have very formal role in the RIPE process and because that have it's really important that the co‑chairs are ‑‑ that the co‑chairs, at the same time, can take the responsibility that they have in that role that they know about the RIPE community, can participate as voices in those discussions.
So, having multiple co‑chairs, because that have, is something that has happened because cannot rely on one individual to be able to do that. On top of the fact that cannot only rely on one individual to have, to take on all the work that it is to be able to be a Chair by itself. And with that, I would like to end by thanking you Meredith for actually being able to stand up and taking on the load alone and I think you have done an excellent job and I hope that you are interested in continuing being the co‑chair together with the others. Thank you very much.
MEREDITH WHITTAKER: Thank you Patrik, I appreciate that. So, the purpose of this discussion, we have three, I guess three and a half nominees and one is tentatively put their name forward for co‑chair, these are people who came forward, expressed their interest, posted their relevant credentials to the cooperation mailing list and there has been some concern on the mailing lists that these might not be the candidates that the RIPE community would be right for this role. I think this is a place to have an open discussion about this. I think the practical reality of my life right now is that I need a co‑chair because this is a lot of work, it's unpaid and I need support from my employer to keep continuing it. So I don't feel comfortable being a single point of failure for a Working Group that is as integral to the RIPE community. So, I am requesting feedback from the community here and on the mailing list about what they would like to see going forward. But I will you know, I will assert again that I think we do need a co‑chair. I think that's the responsible action to take here. And I see somebody coming up to the mike. So, once we have this discussion, I will propose on the list my suggestions for moving forward. We also have the candidates here in the room and I think it might be nice for people to hear from them.
AUDIENCE SPEAKER: Rim reed. Meredith, there is no question that you need a co‑chair to assist you in the work that you are doing, like Patrik said you are doing a great job, please keep it going. I think it might help a little bit before we start looking at the potential candidates about but try to get a better understanding of what the Working Group feels of the criteria and requirements of a co‑chair, and also from your perspective, the sort of skill sets and experience that you particularly need to help you because you have got all these other demands on your time. And based on that kind of information then, we'd be in a better place to make a judgement about who would be the best fit to /PHAOES those kind of requirements and best deal with the concerns that have raised on the mailing list what have the Working Group think is going to be the best choice to make. At the moment I don't think we have in a.
MEREDITH WHITTAKER: Thank you. That's a great point Jim. I think, again, coming from a place of the practical reality, they need to be able to come to the RIPE meeting, which means they need to be able to afford to come to the RIPE meeting, they need to have support to come to the RIPE meeting. A.m. Tory and human and engaged, and my criteria is that they have some connection with the RIPE community. I think at least one of the co‑chairs should be able to you know be able to I can't have gate this space, to know people, to be engaged in the topics that RIPE and the numbers communities are engaged in. I also like the idea of stakeholders from other communities, from governments, from some of the other, civil society organisations, from some of the other groups that the /KO*ERPGS Working Group as I understand it was formed to (cooperation) facilitate collaboration and communication with. Beyond that, I think intelligence, enthusiasm and a willingness to learn and to innovate some of the processes and ideas that come out of the Cooperation Working Group is a third criteria. You know, I welcome eager learners who may not be expert over experts who don't have the time or the energy. I also welcome addition to say those criteria. Again I'm a Chair, I'm not a governor, I'm just trying to facilitate this process on /PWAFR of the community. (Behalf).
PATRIK FALTSTROM: I think the list you just laid out is good. I also think that we have seen other people sort of listing what they think are like proximate criteria. On the other hand, later on, agreeing on the co‑chairs, the ones that we trust to be able to carry this ship forward. Each one of us though might sort of prioritise and put different weight on each one of these criterias. Even though it looks like an objective thing that we're do in a selection, each one of us might actually think that one is more priorities than the other, it might look like in the end we are disagreeing on the valuation but I think that is fair and okay and that's why we are a group here not one individual. We will have different views.
MEREDITH WHITTAKER: That's one of the reasons I like the idea of multiple chairs, because they can embody some of those multiple qualities. Nil other comments, any other concerns? Anything that it would be (any)... so, I think at this point, it might make sense to hear from the three candidates who are here. Maybe a brief just, we're talking about wit err length because we are over time and I am conscious of that but I do want to make sure /TOEUT point earlier that we're doing it in front of the community in an open way. So, we have three candidates, we have, I am going to butcher your names, I apologise. I'm /PHAERP, achilles keep os, and if you want to take the mike and give a quick overview of ‑‑ I think the two things to address, what are your qualifications and what motivates to you nominate yourself for co‑chair.
AUDIENCE SPEAKER: Thank you Meredith. I am a programme officer for EU policies within the European Commission, the director ate general for communication networks content technology. I have been following RIPE since 2012, and in fact my first meeting was in Amsterdam and Maria hell and Patrik Falstrom from my meant Task Force together with Gordon Lennox, I have been working to try to bring together the policy aspect (men Task Force (meant /ORS) I have been organising the Hive level group on Internet governance for five years or so. I had a very good cooperation with the RIPE external relations and we set up many roundtables for governments and regulators and we had the idea of joining them together back‑to‑back to high level groups, and getting in a way a participation more than double. This that is been recognised by RIPE and you had acknowledged in a way the contribution to the European Commission. Also, bringing in a way also to have a joint events like centre RIPE in Brussels, and I think it was in 2013, so, with a big Government participation. So, my idea is always in a way to try to bring more in a way technical insight for our policy process. I can highlight the digitising European industry package that was out from the commission last month. There was a staff working do. On the Internet governance and it has been my work to specifically mention that the commission will take the expertise from the RIPE NCC on numbering issues. I want in a way to expand and ‑‑ there is in a way already a collaboration but I think it is much more, how to say, by being active in the group, I can even in a way deepen this and have better results. Thank you.
MEREDITH WHITTAKER: Thank you so much. So let's just go through right now. We have anon an as piss. Do we have a /TPHAL an as piece. Does not attending the meeting at which you have nominated yourself for co‑negate your nomination or not? That is a question for the oracle. We do not have her, but she was into it. So, let's move on. Collin Anderson.
Colin: I have been participating in the RIPE meetings for about three years now, sort of informally supporting and bringing out civil society. I have a network research background, mainly through measurement lab, but primarily the way that I have operated is independently working with civil society organises to bring that technical expertise. So that's where my relationships lie is in civil society and in some of the technical communities. That's what my interest is to act as a facilitator, to bring in I think interesting voices into these meetings in order to expose them, to essentially the technical community, but also in order to create those relationships. I was given a mandate of tweet length and I think that I cheated by giving the introduction. So, I'll stop there. I have written much more on the cooperation mailing list, although admittedly the first time I had written at that length, me a cul PA, but there's sufficiently more there, so please feel free to talk to me afterwards.
MEREDITH WHITTAKER: Thank you so much Colin. Definitely man who can follow direction. All right, then we have a half nominee, and I don't want to be too /PHREUP here, but there was a tentatively, has been hell sin /SKWRUS, put had his name forward /HEPBT /TEUFL, if he is here and feels comfortable, please stand up here and speak, otherwise...
PATRIK FALSTROM: I'm going to the microphone just to, because he told me yesterday that he is not here, and the reason for that was because he already had other engagement today. So that's why he is here. You don't have to wait for him. He will not walk up to the microphone.
MEREDITH WHITTAKER: All right we heard from two people. There is more stuff on the cooperation mailing list. If there are questions for these candidates now, let's do, it let's talk on those questions, these candidates are also going to be responsive to e‑mail and if other people would like to put their names forward...
All right, so here is what I propose. We have heard from these people. People need coffee, we need to clear the room. Let's take this discussion to the mailing list. I think a week from today, to have a community decision that I will try to distil for you on who the co‑chair should be. I would like to select two co‑chairs if I I can because I think that is a nice size and that does represent the diversity of skills that could be more beneficial to the community. So, let's take this to the mailing list. If anyone needs to hear anything else. If anyone has any questions for the candidates, and I will try ‑‑ I will commit to sending out an e‑mail that disstills the selection in a week if anyone has any /STRAOEU dent problems with that we can discuss that on the Internet. Thank you everyone for sustaining attending and thank you so much to our speakers, that was a really great session.
PATRIK FALSTROM: Thank you Meredith. I have one last question for you. Do you personally still ‑‑ are you personally still interested in staying as a co‑chair? I must say that that has not been really clear to me.
MEREDITH WHITTAKER: I am personally still interested and committed. I am also being ‑‑ my attention and energy is being fragmented in many directions. I have to work for a living and my employer sometimes has other ideas.
PATRIK FALSTROM: Okay. No excuses needed. I just needed to know. Thank you very much.
MEREDITH WHITTAKER: Thank you Patrik for clarifying and thank you everyone.