FINISHED TRANSCRIPT

EIGHTH INTERNET GOVERNANCE FORUM

BALI, INDONESIA

BUILDING BRIDGES – ENHANCING MULTI-STAKEHOLDER COOPERATION FOR GROWTH AND SUSTAINABLE DEVELOPMENT

OCTOBER 22, 2013

9:00 AM

WS19

SECURITY AND GOVERNANCE OF IDENTITY ON THE INTERNET

* * *

    This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.

* * *

>> LOUISE BENNETT: Thanks to all of you that actually made it for 9:00. We’ll give it a couple minutes because there are still quite a few people coming in. That’s the trouble with being the first session on the first day. So we’ll start in probably five minutes.

(Pause)

Good morning, welcome to this workshop on identity and trust on the Internet. I’m Louise Bennett. I chair the BCS Working Group on identity assurance over the Internet. I’m very much looking forward to chairing this discussion. I am joined today by Andy Smith, a security specialist and another member of the BCS Working Group and he’s done all the arduous work of pulling this workshop together. We also have Professor Keechang Kim from OpenNet Korea, joint organiser of the workshop; Sarah Wynn-Williams from Facebook and we’ll be joined about halfway through the workshop by Professor Hong Xue, Professor of Law from Beijing Normal University. Unfortunately, she’s on two panels and the two panels have been arranged at 9:00 on the first day. She’s speaking there first and when finished she’ll come join us. She’ll be here for the discussion.

We also have Ian Fish and the BCS Working Group who will be acting as our experienced remote moderator. The agenda, I’ll give a very brief introduction to the work we’ve done over the last three years on this very vital topic as we see it. Then we’ll break the workshop into two discussion periods of 40 minutes each, introduced by short inputs from the panel members to stimulate the debate.

The first one will cover the use of identity as currency on the Internet and how to protect the naive from themselves in preventing digital exclusion.

The second will cover the balance of security, privacy and anonymity and we’ve left that topic to the second one because we know if you bring it up right at the beginning everyone talks about that and we can’t talk about anything else! So that’s how we’re doing it.

Finally I’ll try to summarize the key points of agreement and dissent so we can take these topics forward in the wider Internet Governance debate.

We also hope to follow them through with a Dynamic Coalition.

For those who don’t know the BCS it’s an international professional body for IT with over 80,000 members. It is both a training and professional standards company and a charity to promote the benefits of the information society. Andy, Ian and myself represent the charity as volunteers and professionals from the industry. On your places, you have some notes if you want to become a professional member of the Institute.

Three years ago, the professional membership of the Institute were asked what they thought the key issues they wanted the BCS to bring to the attention of governments worldwide and one of those was identity assurance on the Internet.

We have been developing views on identity assurance at workshops since then in the UK, in Europe, EuroDIG, European dialogue and Internet Governance that pulls together thoughts from European countries; European e-identity management association and at the UN Internet Governance Forum.

This work has been published in two yearbooks and again at your places you have a card that shows you how to link up to those yearbooks should you wish to see them.

Our aim is very much to assure we develop practical measures for improving identity governance in e-commerce and service delivery both from the public and private sectors and feed these thoughts in to government bodies.

Moving on now to our first discussion section, I want to outline some thoughts on the use of identity as currency on the Internet and its implications.

Now, identity assurance of individuals, organisations, and increasingly things is a key issue for a successful digital economy. We need to acknowledge many contradictions and strongly held opposing views that exist on the topic of identity on the Internet and work out how to resolve them.

We want to consider how to develop valid incentive models that would make the various stakeholders exist or want to participate in an identity governance framework. Finally we need to understand how this might work across very different jurisdictions because the Internet is global.

Now, there are many models operating in the digital economy. By models I mean business models and one of the most contentious is the monetization of personal data attributes on the Internet. We all of us here know that some services are free or low cost. There are many reasons for this as far as companies are concerned. A common one is because the company decides they want to build market share by attracting customers to either useful or enjoyable, free or low cost services. There is value, though, in the data that you as a customer give when you use those sites or services. In return, you are often targeted with advertising or you may be sold add-ons to, say, an online gaming experience and I think this is quite common in Asian countries. This is really step 1 in monetization of your identity.

Since organizations are collecting and aggregating our data in this way, it’s very important that we all recognize that truth and I’m always surprised how many people don’t believe that is really happening.

On the cautionary side, some people will say, if you are using a free service, you are not a customer; you are a product. So we could call the aggregation of personal data the productization of people. Identity becomes currency. On the left-hand side of the slide, we have what I would call the onion rings of data and information. That may be associated with an individual. Starting on the inside, we have what I would call what you are. These are your biological attributes, your fingerprints, your face, your voice, and so on. Now, these are fairly immutably bound to you and using these biometrics is pretty good proof that you are linked to your biological identity. Such data is frequently collected for government IDs and their associated entitlements because governments need to know that you are a citizen of their country.

In the next ring we have perhaps what you could loosely call what you have. It includes things like your passport and its number. In the online context, for secure activities, you may use your credit card, an ID card or a company card, and you may have to present this token, what you have, via device to pick up a one-time code for a financial transaction over the Internet. That’s fairly secure. The person who has the token is probably, maybe, the person who is entitled to use it.

Now, in the outer ring, this is really where I want to focus, there are much less concrete things. They are what I would loosely call what you know. But more importantly, for this discussion, it is what is known about you. It is your biographical footprint, your school and your social history, knowing these attributes you can answer questions to supposedly verify your identity like what is your favorite sport?

However, lots of people and organisations can know your biographical footprint. They may be your friends and family but increasingly strangers can find out your biographical data from social networks, and by tracing your online history.

All the things you have told companies in order to get those lovely freebies to read their magazines, in online searches or in your tweets add up to your electronic biographical footprint. This means that strangers, corporations, governments, and criminals, can discover your identity through your personal data attributes. You can actually easily legally observe where someone who does not turn off geolocation tweets from, you can deduce from that their workplace, home, favorite football club, restaurants, children’s schools and so on, enormous amount of data.

Most of us give this attribute data information away when we interact on the Internet without even realizing it. Companies are storing that data and monetizing it to give us superficially free services. Be they access to social networks or search company algorithms or money. By and large we want these apparently free or subsidized services and are prepared to put up with sometimes invasive advertising that might be associated with them.

The Internet, though, is not a free resource. It costs money to build and maintain it. The question is: Are you happy to help fund the Internet with your identity attributes? You need to realize you are doing so and accept that if that’s what you want.

Now, many of these free services are harvesting and using your identity attributes as currency and these free services are often people’s incentives to go online in the first place. I recall talking to several young people at the UNIGF two years ago in Nairobi and they all told me that they use most of their disposable income on their mobile phones. Such things as money service and Peza and social networks were actually their key incentives to have a phone and if costs were kept low because the suppliers use their personal data and tracked them, they weren’t concerned about it at all. That’s fine.

For other people the incentive to go online may be to buy and sell things. Many individuals are very happy to build up a reputation score on an auction site like eBay to ensure they have a reputation as trustworthy person to do business with, irrespective of whether they are using their root identity or anonymous eBay identity. That is their own choice under their own control.

I would suggest to you that this is quite different from such organisations as Google and maybe there’s someone from Google in the room analyzing so called BigData without the explicit knowledge admissions of the individual and making judgments on the individual’s part in the mistaken belief perhaps they want to visit a restaurant they’ve been to before, they want to meet some social networking friends in some site because the search company knows they are somewhere nearby. We all of us need to make our own informed decisions about whether we find this acceptable and these are going to be culturally and contextually different for all of us, at any point in time and over time. No one owns the Internet. No one organisation or country can control it. We all need to understand how it works, including the business models of suppliers and the use they will make of our identity.

This includes most importantly the role that our identity, biographical attributes are going to play in the activities we do online and we need to decide whether we’re happy about that.

Andy will now say a few words about saving the naive from themselves.

>> ANDY SMITH: How many people have put personal information up on the Internet on social networking sites or various other places and then regretted having done so? And also find out that having put the information up on the Internet, it is virtually impossible to remove it again.

I find it quite scary. If you know my e-mail address from 1986, you can actually find postings I did on newsnetnews in 1986 and 1987. They are still there! If you search for my e-mail address on Google you can still find them. You can’t delete stuff on the Internet.

Time and again we’re seeing people who have done things like put up wonderful pictures from bachelor parties or other things that they have done that are quite embarrassing, then they go to find a career or get a job and they suddenly find that it’s a little bit more difficult than they thought, because — I’ve actually worked with a couple Personnel Departments in large organisations who look on the social networking sites about employees and they find very interesting things sometimes.

We are entering a period, and I think over the last few years it’s become more and more of a problem, where data aggregation, some people call it BigData, but really it’s the aggregation of multiple data sets that is the problem.

You have fantastic search tools being developed. Google are doing brilliant work in heuristic mapping and search algorithms, but you have now got a lot of publicly available information in the UK we have the electoral roll which is your right to vote and unless you tick the little box to say you don’t want the information made public, all the information about who you are, where you live, all ends up getting sold off to marketing organisations and other organisations.

We have got the post office address file, we have got various other websites that hold personal information. If you know what to do and how to search, you can find so much information about individuals. It’s everything. People who are looking for jobs will put cv’s up on sites like monster.com, and so you can get someone’s address details and that from 192.com, their career information from monster.com and you can start bringing this all together and aggregating it and mining it. It’s quite amazing how much you can find out about individuals.

In the last role I was doing, we had subscription to a lot of these services. We actually showed how you could take a lady driving a little red Golf, take the registration number from the car, use that against the DVLA registration database to find out who she was, where she lived, what her name was, used the information, attributes we got from that to do other searches on other databases and we worked out that she got two kids, where they went to school, who her husband was, where he worked, we built up a whole profile of her life just from information that was available on the Internet.

It’s getting scary. It’s scary in a couple ways. The biggest one is identity theft. In previous things, we have seen people filling in forms online and this can be anything from applying for a tax rebate to applying for a passport to signing up for social network. If you have a keyboard logger on your machine all that personal information you’re typing in goes straight to the criminals and they can use it to steal your identity, misuse your identity.

People just don’t realize this is happening. You still get people who are going to a cybercafe or a local library and will fill in forms online and give away all of their personal information. People don’t understand what the risks are and don’t understand how the risks come about, this is why we’re all about protecting the naive from themselves. It’s people who want to use the Internet, want to take advantage of all the benefits on the Internet but are not tech-savvy. They don’t understand what the risks are. We need to find a way of helping these people to understand the risks better. Not with fear, uncertainty, and doubt. We don’t want to stop people using the Internet, we don’t want to put people off. What we want to do is make sure they are using the Internet securely.

And, you know, all of the things that I hear are actual scams, actual frauds that have taken place. Trying to stop people from being taken in by these things is extremely difficult. We need to find ways of doing it better. That is something that we’re interested in your input on. So on that, I shall — we shall start the first discussion.

>> LOUISE BENNETT: Are there any questions? From the audience? Can I pose a question to you and get some — there’s a question over there.

>> Michael Nelson with Microsoft and Georgetown University. I have been working on internet issues for about 25 years and 15 years ago I was convinced that we should have the online identity problem tackled in four or five years. Do the panelists have any idea on why that hasn’t happened and any advice for Microsoft and other companies who are trying to figure out how to make a user-friendly, privacy-enhancing, free, easy-to-use, interoperable infrastructure?

>> LOUISE BENNETT: That’s a really good set of questions. I think there are many examples where companies, Microsoft included, particularly the banks, have made online identity work but they usually only work in very specific circumstances and in circumstances where the user realizes that they’re at risk and that’s why I think they’re particularly strong in financial transactions. I know in the UK, when online banking started, fraud just went up and up and up. Then a product called PinSentry came in, a device where you could put your credit card in, get a run-time code and do your financial transaction. That brought initially the online fraud from about 10 or 15% down to nothing.

People were prepared to take that trouble because they didn’t want to lose money and they didn’t want the hassle of getting a new bank card. So I think that if people really understand the risk in a particular situation, they are prepared to follow good procedures that people can produce for them. The big problem is that for most interactions on social network sites and so on, say, buying a Microsoft product, you want the instant gratification of getting the upgrade and you do that without thinking about those privacy issues, but I’m sure the others have thoughts on that.

>> I just wanted to pick up on this, because this has always been a problem and is always going to be a problem.

>> ANDY SMITH: I was involved in the development of the new UK passport as part of the European EEA passport. Your problem there is you need something that will work with the whole population. It’s not a bunch of white men in lab coats; it’s every ethnicity, every creed, every religion, you have 28 languages, so many different parameters you have to deal with, and it’s incredibly difficult.

Biometrics will work for a lot of people, not everybody.

Passwords will work for a lot of people, not everybody.

Things like static credentials just don’t work when you are dealing with organised crime and people who can record static credentials.

Unfortunately, in some circumstances fingerprints and irises can also be treated as static credentials, once you have the actual fingerprint you are — you can’t replace it, you can’t change it.

Trying to tailor for every nuance of the world we live in is just going to be an insurmountable problem.

>> I was going to cover the question of identity, a little bit in more detail in the second half of this session.

>> KEECHANG KIM: But now that the question has already arisen, I would only like to point out that perhaps the problem is to distinguish what we need identity for. In other words, depending on what kind of service we are talking about, if it is just some kind of entertainment purpose or some sort of social interaction or does it involve money being taken out of your bank account or does it involve some kind of very valuable resources or benefits where entitlements needs to be very securely or reliably determined. And the context varies very much and then depending on context the very notion of identity must differ and I think the problem is simply because we might have this preconceived notion of one size fits all kind of identity and I think that approach is not going to work and we need to accept that there could be many different types of identity which are simply being floated around and it seems in my view the situation would be quite fluid for some more period of time.

>> LOUISE BENNETT: Do you yourself have an answer to your question?

>> I have another question for you, which is about the Indian approach. They’re now on the way to having 600 million biometric IDs and they’ll use that for online services as well as for voting and realtime, real-life applications. Have you looked at that example? Is that something that other countries, particularly developing countries, should follow?

>> LOUISE BENNETT: I think that’s a very interesting example and we talked about it quite a bit last year with some Indian Delegates at Baku. It is biometrics in my opinion are a very good way of setting identity, for instance, I use my fingerprint to get into my laptop, I feel it’s quicker, safer, more secure way than just typing in a password.

They are having problems with that because as probably most of you are aware, it was initially brought in for doing more secure rural payments and making sure they got to the right recipients but a fingerprint is not necessarily a very good thing with the farming community who may not have very good fingerprints, may be cutting their hands and it doesn’t necessarily work all the time.

But it has apparently improved the flow of money to the intended recipients so I think it’s very good. In New Zealand they are now taking DNA of people when they are born to associate it with their identity.

Now, that is a very secure way of associating with your identity. But again, how you use it really depends on what you are trying to achieve.

I think governments in particular want to make sure particularly money they are giving to their citizens goes to the right person and so they want a very great certainty of identity. In other situations, you don’t actually need to know that it’s the biological person; you need to know it’s the person you saw before or the person who deposited the money in the bank, although banks internationally have a requirement to know their customer and we all know various banks have been fined a lot of money because people have suggested they are channeling money to terrorists because they apparently didn’t know their customer. It can be very different.

I think as Keechang says, it’s a question of the rights, identity provision for the right service.

>> KEECHANG KIM: I would like to say one thing about using biometric data for identity purpose.

I feel that one should approach with great deal of caution regarding state-managed identity being used in the Internet. That is one thing I want to say. Another thing is particularly using biometric data. If your password is used to identify you, and your password is somehow leaked, you can simply reset your password. But biometric data, when it is leaked and it is in the bad hands, it’s going to be very difficult to reset it! Maybe fingerprint, I don’t know, you have ten fingers so you use second finger. If you use DNA, I think it’s going to be even more difficult to reset. I think people tend to have overconfidence about biometric being very secure but I would like to give a word of warning that it will create far more difficult problem if you just jump at biometric data.

>> ANDY SMITH: I have to agree with Keechang on this completely. With the European passport we now have biometrics and fingerprints in the European passport. We did a lot of research on this, and the trouble is that companies and governments keep trying to do things on the cheap. They don’t do things properly the first time.

Now, India has done a really good job with their system. They didn’t expect it to be perfect. They wanted it to improve the situation and it’s gone a long way to improving the situation. Storage and protection of biometrics is fundamentally important to making sure systems work.

Now, use of things like ID cards on the Internet and if you use the Indian model, it’s a very good model to work from. One example we had was in the UK at the moment if you want to get into a nightclub, we have got people showing their passports, driving licenses, and on average, we get about 300 passports a month that are left in nightclubs because people forget to take them home or lose them. But you have got this real problem that the UK driving license has your address and date of birth and your name. So you have got young girls trying to prove they are over 21, showing their driving license to bouncers and the bouncer now knows their name, date of birth and their address. If you have got a secure form of identity like an identity card, they can put it into the reader, put their fingerprint on, green light, they are over 21; red light, they are under 21.

Bouncer has no other information other than what he needs to let them through the door.

It’s the same on the Internet. If you can have electronic identity in some form of token using PKI and I’m sure this is something Keechang and I will get on to, if you have a properly implemented PKI, you can have secure online identity and you can only reveal the personal information necessary to do a particular transaction. I think that’s the way we need to go is actually having some form of secure online identity that does not use static credentials.

>> SARAH WYNN-WILLIAMS: I think what we are seeing in services like Facebook — and Apple is probably leading the way on this with their fingerprint IDs — how you merge the technologies with biometric data and safeguards that need to go on top of use of biometric data.

And I was talking with our security team when the Apple announcement was made and their vision was quite different, they said a fingerprint is great, great innovation but that you should think of that as your user name, not your password. And I think immediately after Apple announced that, there was a group of researchers who showed you could have effectively faked fingerprints or utilized insecure data to get access.

I think part of, there’s a lot of caution before we start to integrate the two. I also think once you start sharing biometric data the responsibilities on providers like Facebook and others for that type of data has to be significant, that the bar has to be very high.

>> LOUISE BENNETT: Thank you. Yes?

>> Hi, I’m the Chair of the web payments group at the World Wide Web Consortium, we deal quite a bit with identity and secure. I work with Mozilla Persona, building a new mechanism directly in the browser, 425 million will have access to that. And one thing that really concerns us is that we don’t have a lot of government involvement, meaning if you look down the participant list at the IGF, very few if any of the folks at the IGF are actually involved in the creation of these standards. So the question is: How do we get more of these stakeholders involved with the technology companies that are actually building these solutions?

>> LOUISE BENNETT: I wish I had an answer to that, because certainly since we have been coming to the IGF we have been saying that there’s not necessarily the right balance of stakeholders here to deal with all the different problems but I do think my own personal view is that there’s never going to be some big universal solution. We’re going to have appropriate solutions for different classes of transactions and people will have different identities, different levels of security that they need for doing different things.

I think there are already some quite good federated ID schemes, particularly in international banking, there are increasingly some used by the mobile phone companies, there are others used internationally by social networks and so on.

By companies buying and selling on the Internet because these people have needed to reduce fraud so I think there’s a great driver there and I don’t think government involvement is necessarily helpful because not every citizen wants their government to also know everything else that they are doing online. Do others have other views?

>> I guess my concern was a bit more specific than that. There are — I agree with the whole multi-level security, multi-level identity thing. That is a lot of technology we’re building. The concern here is that this technology is being built right now, it is going into devices, Mozilla will build it into their web browser and once that’s done 425 million people at the very least will have access to it. Mozilla’s next version, their next generation mobile phone called Firefox OS will have identity built in from the core, so the concern here is that the concerns that you are raising while the group pays attention to them and is trying to build an identity solution that takes those things into account we don’t have anybody else in the group kind of beating the drum on the multi-level identity security aspects of it, government-issued ID aspects.

I chair the web payments group so, know your customer information is really important, AML is really important. While I do agree there will be multiple different types of solutions, the concern here is that the general solution for the public, the thing that you are going to use to log into a website in the future, we are not getting very much input from governments or other organisations like that and really we need that kind of input. We need someone looking out for citizens, saying you know we need multi-level security in the general solution.

>> ANDY SMITH: I would agree and you tend to find like with the International Standards Organization, British Standards Institution, et cetera, you do have government representation on all Working Groups. So all stuff, I’m the BCS representative on the ISO panel that does 27,000 and security standards. On that we also have representatives from different government departments and on the Working Group 5 which is identity and privacy, we even have like GCHQ, Home Office, we have got a lot of government representation. There’s government representation in the Oasis group and others but you are right, there are certain areas where government involvement is lacking and I — it’s — we’re trying to come to things like this, to improve that.

>> LOUISE BENNETT: Actually at this point I’d like to go on to the second half of our discussion because I know Keechang is going to cover that in what he’s about to speak about and then take further questions after the next two short presentations.

>> KEECHANG KIM: Yes. That very question was something I want to talk about today.

I am from OpenNet Korea. Actually after this session in the second segment of sessions we have an open forum where what OpenNet Korea does.

South Korea has had an experience of enforcing state-managed offline identity regime on online. In 2007 South Korean government introduced legislation which required Internet users to identify themselves if they want to put a posting on the website, certain websites. Certain very popular websites. So if you want to reply to some kinds of newspapers article on the Internet, you have to identify yourself. So what kind of — government wanted to use something familiar to them which is national identity regime. Citizens registration number. So that’s a very cautious attempt to use and enforce identity in the Internet that created a huge problem and I want to take this opportunity to warn the dangers involved in jumping at identity regime in a very light-hearted manner.

The first topic is national identity regime in the Internet. Does that really make sense?

What happens to Korea when government required Internet users to — using Korean national identity regime that basically insulated Internet in Korea as some sort of Intranet where foreigners had enormous difficulty using Korean website. Of course, foreigners resident in Korea can use their alien registration number to identify themselves but then what about foreigners not living in Korea who know Korean language and who want to reply to some of the discussions about Korean issues. They simply cannot use the website. Do you really want that? Do you want your Internet to be kind of walled off and insulated from the rest of the world?

Then, secondly, you need to have more nuanced approach about the whole identity issue. This is not a game where one stakeholder can give authoritative identity tokens, give out identity tokens and then things will be resolved.

No, it will not be resolved. There are many stakeholders and players like governments, service providers and users and I think you need to have far more careful approach. You should not be quick-tempered. You should have patience and you should allow a bit of messiness there, if you want to tidy up the whole matter in a very drastic measure, I think you will encounter intractable problem in no time.

One needs to think, rethink and perhaps think from a completely different starting point regarding online identity. In the offline world, the structure about identity is there is some entity which verifies your identity. Then the users or parties of online transaction use that information. That is the usual model.

So the verification is some sort of one-point action, one-off action. So if a government agency verifies your identity or your birth certificate or driving license, whatever is considered to be reliable or authoritative information, you just take that and then the rest is how to ensure safe continuity in online. That is perhaps the habitual way of thinking and I think it is going to be very difficult to use that model in very wide range of service. There are many areas of services which that is where — that sort of approach simply does not work. Then we perhaps need to think and accept online identity growing over time or forming over time or accumulating over time purely from the Internet where no authoritative verifier exerts any power or any special privileged position but just a number of service providers just using users’ identity or whatever personal information for their own service but then over time many such service providers, information can accumulate and there can be born your true online identity.

It might be very different from your offline identity but it could be workable formed over time.

One example. Age verification would be very important issue but very difficult issue. Because for services like Facebook or service which aims at global market, you cannot rely on one particular government’s authoritative statement about a user’s age, right? But then how are you going to come up with this age verification?

But maybe in ten years’ time we can use how long you have been using a particular or a series of online services. How long you have been a member of Yahoo!, for example, if Yahoo! is still in business in 10 years’ time. But anyway, regarding you can make use of a number of identity providers and then a particular user’s activities, online activities and aggregate them and that could give you a quite workable indication of your age without knowing your offline identity.

Just one example.

Then another issue is that you need to, we need to, distinguish when identity matters and for why it matters and where it matters. We should not assume that identity is just one unilateral, monolithic concept. It can be very diverse, fluid concept and depending on whether you talk about prevention of crime, prevention of online fraud, whether you talk about protection of a minor from adult-oriented material, the goals are different and the level of assurance is bound to be different and the context of use is also going to be different.

Therefore, the identity regime or identity management structure, that should also be different and we should be very wary of using offline and especially government-managed identity regime on the online world. And South Korean experiment which was started in 2007 has been fiercely challenged by human rights group because we felt first in order to use an identity regime which is workable for every citizen, it has to be very easy to use.

You cannot think about using PKI, for example, for just posting some kind of — some replies on the Internet. It would be too cumbersome and elaborate. It would be just overkill.

(Skype lost, captioner standing by)

— That has the effect of censorship. At the same time for those who are bound to do some bad things, they can so easily get hold of someone else’s fake identity and then use it, so it does not contribute anything towards law enforcement, but is simply to oppress people’s free expression so OpenNet Korea challenged this law and last year in 2012 constitutional court of South Korea declared that legislation unconstitutional. It invades, it infringes upon the basic right of anonymous expression and that legislation is now scrapped.

That I hope can give some good example about using government-managed or government-endorsed identity regime online.

>> SARAH WYNN-WILLIAMS: I think the title of the session — when you work for Facebook we’ve obviously made a value judgment around whether anonymity is desired so before — if you can cast your mind back not that long ago — and I work for a company that’s not even 10 years old — but when you are interacting on the Internet, I mean we think of it as prior to Facebook you would interact as unicorn92 or blueteddy33 and one thing that we think is fundamental to Facebook having over a billion members is our real-name culture and part of that is that there seems to be a desire that wasn’t there for people to interact as their authentic selves on the Internet.

And when we look at Facebook as a community, this real-name policy is actually essential to creating an environment where people feel comfortable and secure because they know who they are interacting with.

There are some issues on the margins of that but the vast majority of our users are who they say they are, they are interacting, their online world mirrors their offline world and we believe that this is something that is very much desired and a need that wasn’t previously being addressed.

I think there are challenges when you operate under a real name policy and benefit. I’ll start with the positive before going to the negative but there was a recent study out of the University of Kent that found that compared comments on similar news articles that were posting on the “Washington Post” website or posted on Facebook and the study basically found that less than half of those comments on Facebook were as uncivil as comments on the “Washington Post.” I think part of that is when you create a real-name culture, when you are not operating anonymously, there is a layer of accountability that is not — that is not there when you are anonymous.

And we have tried to innovate on that concept so a few years ago we convened a group of academics to talk to us about how we can improve the site, particularly around the issues of cyberbullying and protection of minors. And what these academics recommended is using this real-name culture to address cyberbullying issues so previously the way we were operating is that if there was content on Facebook that you found personally offensive, not something so terrible that it violated our statement of rights and responsibilities but if someone said something that you did not want on Facebook, it wasn’t something you had posted so you had direct control, you could report that, that would go to our team, it would be assessed according to the statement of rights and responsibilities and our community standards and effectively a third party, a Facebook third party would sit in judgment of that content.

What the academics recommended is why aren’t you utilizing these real people, these real — that are using the site to resolve these issues themselves? We developed a social reporting, not sure how many of you are on Facebook or use it but basically on every page on every piece of content there’s the ability to report content. You can report it for whatever reason. What this innovation did was it then you have the choice it can either continue to go to the back-end Facebook user operations team. But it also gave you the ability to contact the real person who had posted that information and essentially made them accountable for it. We found that, tested this a lot and found that people didn’t want to just broach the issue themselves. They didn’t want to say, I really think that photo makes me look ugly or that it’s offensive to be seen with your cat or whatever it is that was the issue.

And so we gave — we developed a series of prompts, you can still write your own message directly but there’s a series of five or six things so essentially takes a box and then that goes to the other real person and what we found — and we were startled by the success of it — in around 80% of the time, the person on receiving the social reporting notification would remove that content. They were unaware it was offensive, they never thought about it from the other person’s perspective or when someone raised the issue as a real person, they felt compelled to take it down.

I think part of the reason I discussed that is because once you are operating in a real-name basis, once you are not anonymous, that accountability has real impact and it lifts the community that you are part of.

I’m happy to talk about other facets of real-name culture versus anonymity but I wanted to give a few tangible examples of how we think about it at Facebook and where we are trying to innovate. I’m sure other people on the panel can address the benefits of anonymity and we see those and certainly think it’s not a case that in all situations real-name culture is desired or there are definitely still places for anonymity. But the important thing is having a choice and choice of platform and making sure when you make that choice not only are you accountable but also the systems that Facebook or Google, whatever else is put in place, they also mirror that.

So we have a responsibility to be accountable, to be transparent, and give users control.

>> LOUISE BENNETT: Thank you very much, Sarah.

I’d like to introduce Professor Hong Xue, Professor of Law at Beijing Normal University who has joined us from her other panel now.

So, hello.

>> HONG XUE: Thank you so much.

Well, this is really a nice thing to — Korea and Facebook. What I talk about is relevant to both of them. I want to give a very short talk on the real name system in China, since we talk about identity on the Internet.

It is nice to know that Korean constitutional court rule that real name law is unconstitutional in 2012, but the real name system in China is very much legitimate and expanding its implementation. Well, let’s look at real name system from two perspectives. One for those Internet information service provider. This we called double IS. This is definition defined by law, and enacted in 2000 by state Council. Still the most fundamental law on all information services offered on the Internet. If you want to offer any public information services on the Internet in China you have to provide your real name information that is absolute, uncompromisable. If you want to register the website you must provide a photo ID and take a photo actually of the government agency required. So there is one perspective.

The logic behind this is that you are making information available to the public; you should make yourself available to the government and very much viable. This is one perspective.

Another is Internet use, more controversial and — to the Korean system. China learned very much from the Korean real-name system. And used that as example. This is an international practices and not alone in China. But the China’s real-name system, there is two parts. They are relevant but not really the same. One part is really the real-name registration. It is applying in telecom industry and also Internet access services. For example, you want to apply for fixed line telephone or apply for mobile phone services. You must provide your passport ID card, your real identity. You want to apply for Internet access. You need to register your ID card with your access provider. That is strict requirements and must be complied with.

There are other circumstances that has become interesting. How to handle Internet content provider. For example, the blogging and microblogging in China, but Internet is really the paradise of information flow. Very hard to filter, control, censor, so there is really these services very much developing in China. Well, I guess Facebook, there’s no — not accessible in China at all!

(Laughter)

Right. And well, to my understanding, this is not very strict real name system, you want to open a card for — microblog, since Twitter is also blocked you have to register with your real name but the real name could not be showed on your account. You could use a pseudo-name, but it must be very viable so the issue for the content service provider, they must verify the real identity of all their users. This is their legal obligation. Real name verification system as a service provider. If the service provider fail to verify the user, they will be subject to liability. In the summer very much keyword on all Chinese media is (?), not we for — it’s we for verification, it is verifying account holders, they in big trouble if they are posting something that’s really not complying with the law.

So they are being subject to legal punishment. Things with verify is easy to identify, though. Now the question this is my final remarks, I know in Europe, this recent court decision from the (?) court that is anonymous posting or anonymous poster should be allowed so these people won’t be feared for the crime of defamation.

I guess that’s very important for the information flow and free expression. So we put a question mark of this real name system and look at it in the whole international perspective. Thanks.

>> LOUISE BENNETT: Thank you very much, Hong. I know that Keechang would like to come back on that.

>> KEECHANG KIM: There was a slide on anonymity and, Andy, could I go back two slide sections? Yes, that one.

It seems that Facebook does and what Chinese government does on a superficial level more or less is the same. They require, well, Facebook does not require, but users almost always voluntarily put up their photo and then many Facebook users use their real name so you have real name and your photo all available. Chinese government perhaps require and you have your photo somehow available. Your real name available. But I think they are two drastically different situations and big difference is Facebook, in the case of Facebook, it is voluntary whereas in Chinese government case, it is mandatory.

But that is lawyers’ talk and I think service like Facebook, is it really voluntary and how long can we realistically maintain that it is voluntary?

If you don’t want to use Facebook, Twitter or whatever of these very prevalent social networking services, you have a choice not to use it. But how long would that choice be truly viable choice for young generation?

So I think sooner or later we might have some converging issues about these two. Currently they are very different but I want to talk a little bit about anonymity because both participants recognize the need for anonymity, but at the same time, they emphasize the benefits of real identity.

But I want to point out that there is a certain amount of ambiguity about the notion of anonymity itself and in many cases, the very notion of anonymity is deceptive and misleading because technically, it is, I don’t think it is possible. Internet is not an anonymous medium of communication. Technically it has always been possible to identify where is the other end, unless the other end applies very sophisticated technology of faking its whereabouts. Then the data is always accessible anyway unless you encrypt, but then encryption also there is a great deal of possible ways of entry if, you know, if you look at NSA scandal.

So what is really important is to educate people that you are really not anonymous! You cannot be truly anonymous. You are being watched and especially by government and also by industry. The companies have motivations to watch you and get as much information from you. Government, if you are doing some naughty things, they have equally strong desire to look at what you are doing and study and learn about you.

So Internet just opens that possibility to you and you are very vulnerable to it. And how to educate it, to wider public I think we must be very, how should I say, honest about using the word “anonymous” or “anonymity” because Internet is not anonymous. How to propagate the knowledge? But then at the same time we should not give up the notion of privacy because in my view privacy is something which is entirely compatible with the situation where your identity is known. You don’t need anonymity to have privacy.

Just one simple example. You know, at home, English homes, at home, the individual bedroom never seems to have lock, right. It’s always open. There is no lock. And you know the identity of your son or your daughter or whatever, you know. There is no anonymity there. It is — everybody’s identity is perfectly clear. Your parents, your two kids living in a house, no door has any lock but you can have privacy. You observe certain rules, you knock, and before if someone in the room says, just a second, you wait for just a second. That is how you achieve privacy.

Where everybody’s identity is perfectly clearly known, still, privacy is possible by observing certain rules and conventions and restraining exercise of your power.

So I think we should never give up the idea of privacy, simply because Internet does not technically offer you anonymity. The real key about privacy is two things, I think. How to ensure robust control of power, control over power, those — power can be either exercised by government or by industry. Big service providers like Facebook or Google or whatever, they are in my view equally powerful and their exercise of power should also be under control, obviously different type of control, but government’s power should also be under control. Then secondly transparency. Of how that power is exercised. So as long as we can somehow find ways to achieve control and transparency about the exercise of power, I think we can still have privacy in a world where everybody’s identity is disclosed.

That is what I believe.

>> LOUISE BENNETT: Thank you very much. Are there any questions that people would like to ask or points people would like to make?

>> From (?) international, I would like to comment on something the professor said about anonymity not being possible and I completely agree that from a governmental perspective, you are not anonymous online because so much data can be found out about you but from the perspective of young people, using services like Twitter which don’t require your real name, it’s not always possible to sort of — for you to find out who the person is that might be — who you are receiving anonymous things from, and it’s easier to see on a government level that anonymity doesn’t exist but for us it does when there are services like “askfm” where they use anonymity to work as it were. On just one other point. We — international and — we conducted a survey since the summer 1,382 participants from across 68 countries and from the people that we surveyed 86% said it was important that people are able to be anonymous online if they want to.

59% said they are more likely to say what they want online if they are anonymous. You can pick up a leaflet from us if you are interested.

What I’d like to ask the panel is: Do you think there’s a risk that although using online services like Facebook which require real name do you think there’s a risk it limits our freedom of expression because we are scared of the accountability? Because young people like to experiment, we all know it’s true, we have probably all done it at one point in our lives. Do you think it’s a risk our expression is limited? Thank you.

>> LOUISE BENNETT: Sarah, would you like to answer that first?

>> SARAH WYNN-WILLIAMS: I think it comes back to having a choice of platform and also the point that was made at the beginning of the session that identity is being used in different ways and different forms so it may be that for the things you don’t want to have a legacy that you are going to use Snapchat or if it may be that for something that where you perceive there’s some risk if you use Twitter under a false name but it may be where you want to interact with friends and family you use Facebook.

So I don’t think there’s one right platform or one right mechanism. What hopefully will happen is that there will be continued innovation and continued choice and continued options and people will get more savvy about their choices and their choice of forum and become more deliberate about what they are doing. Part of that is education responsibility on some platforms to explain the risks and the benefits of sharing and sharing information either anonymously or in your own name.

But I don’t think there’s one right answer that will fit for everyone.

>> KEECHANG KIM: Technically Internet is not anonymous. Highly sophisticated traffic analysts could get a lot of the information about you and in analyzing IP address will give you a lot of information. That technical impossibility of hiding from the scrutinizing eyes is one thing. But then by observing rules, you can remain reasonably anonymous and remain — you can have your privacy.

Technically it is very easy to tear apart and tear open an envelope. Anyone can technically just tear it open and read it but by sticking to rules you don’t open the envelope and then you give that envelope to the person destined and who has the right to open it.

So Internet you can remain and you can have — enjoy anonymous — anonymity, to some degree but to be aware that you cannot remain anonymous in the eyes of the authorities or in the eyes of industry, that is important I think.

Another point about Internet and this sense of anonymity is the vastly extended reachability of the Internet. That user who uses an interesting user name in Twitter who just tweeted something very offensive to you, that user might be at the other end of the globe, you simply don’t know, in the traditional communication technology you would have no reason to hear something being spoken by someone who is that far removed from you. Okay?

But Internet allows that. So that means the power of reaching to a much vast audience, that is somehow, that gives you the sense of anonymity, although technically you are not anonymous. You are very far removed and that other person’s identity doesn’t really matter to the listener so this sense of anonymity is provided by the reachability of the Internet.

>> LOUISE BENNETT: Thank you.

Are there any questions from remote participants?

>> IAN FISH: No, Louise, there is a remote participant who has been chatting to me a lot about what’s being said. But no intervention.

>> LOUISE BENNETT: Okay. Are there other questions from — thank you.

>> Australian Taxation Office, Melbourne, we have talked a lot —

>> LOUISE BENNETT: Can you speak up.

>> Sure, we’ve talked about strengths of credentials and technology that supports that strengthening. The I think elephant may be in the room for us a little bit is the strengths of the process that is required to register that credential in the first place. So we talked a little about three-factor authentication, who you are, what you are, what you know. How do you — how does the panel see those factors coming into a digital environment where the provision of a passport, for example, is not something that is able to be matched with a facial recognition identity in a really secure manner?

How do we start to progress in that thinking and start linking up third-party credentials and utilizing the strengths of those and linking them to an identity?

>> ANDY SMITH: I think that’s going to be one of the big problems. Today most online identities are still based on a real world identity. So if you want an assured online identity, it’s based on registrations through using passport or driving license or some government-issued identity or identity document. It’s incredibly difficult to do remote verification and registration of identity. A lot of people have tried it. There have been various schemes on the Internet but unless you’ve got some way of verifying the attributes someone claims and corroborating the evidence they give you, it is really difficult to have any assurance in the identity and that identity belonging to the person that is claiming it.

Identity theft is a real problem when it comes to things like that.

I think until we get to a stage where we have trusted government documents that can be queried and read online, we won’t get to a situation where we can move away from using government-registered identities to underpin online identities. We will see in the future at some point, once we get better use of PKI, more secure PKIs put in place. And the ability for industry and third parties to query those PKIs and have trust in the certificates issued by governments but I think that’s still a ways away.

>> KEECHANG KIM: I would like to add one more word regarding PKI which Andy just mentioned. South Korea, again, experimented and actually enforced nationwide PKI, mandatory PKI system where every user who intends to do financial transaction, online, online banking and shopping, must have government-endorsed PKI certificate, digital certificate issued to you, and government thought that would provide a very secure, very reliable identity verification for critically important transactions, online transactions.

It started in 2003, between 2003, 2002 and 2003, so we have over 10 years of experiments where every user is required to present their digital certificate. In my view in Korea there are still a large number of enthusiasts who advocate and who firmly believe it works but in my view, it is a miserable failure because it is very difficult to ensure that every user maintains that digital certificate securely.

It is just a tiny file. Most don’t know what is computer security. And government used again a very weak system where once your computer is breached, any attacker can just immediately copy the file and that is it. So that is huge problem of leak and fake identity and at the same time, policy-makers still are convinced that this is very secure so users who don’t know why and how their PKI digital certificate has been leaked they are the victim because policy-makers, bankers, even judges, believe that this is a very secure system so it must be your fault. So this is very tricky issue.

>> LOUISE BENNETT: Thank you.

I see we have an input from remote participant.

>> Thank you very much. I’m not going to get this name right but from Iceland, a political scientist, Netizen and — which has three members of Parliament and a journalist he was wondering whether he could get the opinion of the rest of the panel on what Keechang Kim said when it was to be expected the government would be tracking us online. He wondered whether the rest of the panel had any opinions on this because he didn’t feel this was necessarily a view we would all hold.

>> LOUISE BENNETT: Okay. Who wants to start? Do you want to start up that end?

>> SARAH WYNN-WILLIAMS: I think it’s an incredibly topical question.

>> LOUISE BENNETT: Remote participant won’t know who you are.

>> SARAH WYNN-WILLIAMS: Sarah Wynn-Williams from Facebook. One of the issues that Prism NSA, expectations around privacy and security, how those should be managed particularly with governments. I think this is going to be an incredibly dynamic area. I know our company has joined a number of others to try and in a court action to try to request that the U.S. government is more transparent about the actions it takes. But I think it’s very topical and I think we should make sure we’re talking about what our expectations are and communicating those expectations and I actually hope that’s part of the IGF more broadly.

It’s come up in this panel but that topic alone could be a very long panel by itself.

>> HONG XUE: My comment is that being anonymous and being traceable are two things. You could presume you are anonymous but you are highly traceable by the governments or the other technical capable people. But what my real concern is that once our identity has been identified on the Internet we enter into a scary world. Can we leave the system? Stop being identified? Can I erase my identity apart from the facial identity? And there may be other things that make us identifiable. How to make these identification devices silent on that. And how can, for example, data subject like me, to get a — being forgotten. If it can’t be forgotten, can I be forgiven?

>> KEECHANG KIM: I think government, if they narrow down their focus on certain individuals basically there is no way you can hide. That is why in my view it is important to educate people and propagate this technical effect you cannot hide. Internet is not a — does not give you a comfortable layer of cover, protection. Internet does not protect you. Internet reveals you. We are basically experiencing the gradual removal of our ignorance or innocence about the true nature of the Internet and that puts us in an uncomfortable and uneasy situation. I think we are just learning, and this learning process will go on for some more time.

>> ANDY SMITH: I think the truth is that governments do monitor the Internet. They monitor all usage on the Internet and they will continue to do that. There are very, very good reasons, law enforcement, national security, for doing that. But you can correlate — an example would be CCTV. If you take London, you have well over 6,000 cameras in London that are under police watch. Whole lot more but there’s about 6,000 police. There are 20 people that look at those cameras. They are not looking at all 6,000 cameras. They only look at the ones and the footage that is related to incidents or problems like traffic jams or what have you. There is a lot of information that’s recorded and never looked at. It’s just thrown away after a time.

It’s the same on the Internet. Governments may be monitoring and recording lots of information but they look at it reactively. They only look at it when there is a problem or something they need to investigate. They don’t have the time, resources, or the inclination to look at everything and track people. It is just not viable.

>> LOUISE BENNETT: Because we’ve come to the end of our time, I will answer that question and then very briefly sum up. Those of you who have not had time to ask questions, please do come and talk to us at the end. I think that we have to realize that as Keechang said, the Internet reveals rather than hides. It is an illusion if people really think that they can be anonymous. If you take the group, they were anonymous to each other. But when the authorities needed and wanted to find out who they were, they could find out and reach out to that anonymous group who all those people really were.

(Captioning concluded at 10:37 AM to give captioner a break; captioning will resume at the start of the next session)