The following are the outputs of the real-time captioning taken during the Eleventh Annual Meeting of the Internet Governance Forum (IGF) in Jalisco, Mexico, from 5 to 9 December 2016. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record.
***
>> MODERATOR: Good morning. Thank you all for being here at 9:00. If you can sort of gently take your seats. I know it's still bright and early. Unfortunately some people can't be with us for the whole session. Also, by all means do come forward. This is a big room and it's really hard to reach out to the back. Let's wait until we have fixed that.
Okay. Hello. Good morning.
Yes, first session of IGF 2016. My name ‑‑ I'll be moderating with Chris Buckridge who also works for RIPE NCC. We have a floating mic around, we're going to try to make this session as interactive as possible. We have a key speakers that I'll be introducing in a bit.
What are we here to talk about? We gave it the wonderful title of the of network of things, finding the Internet in the IoT. What we would like to address here in the coming hour and a half is whether the current Internet governance structures and the current framework of multistakeholder open model is fit for purpose to accommodate what comes under the Iot. We've got a broad range and spectrum of speakers here that will that lead us in the discussion and ask questions. By all means if you're here, do chime in. We've also got a remote moderator. Which means that if you do ask a question, please use one of the microphones and state your name and affiliation. Also if you are listening and watching remotely, by all means do chime in via the web‑ex and we can relay your questions.
Introducing some of our key contributors to this session. Up here on my right is Corinne Cath who is working with the Oxford Internet institute. Next to her Dominique Lazanski. Next Anya Ogorkiewics, who is here on behalf of virtual workshop project. To my left here, who works for Erickson and in this capacity of chair of the internet engineering task force. And Paul Wilson from the Asian Pacific region. And remote we have Utameyer coming in from Germany and down there to the end is my co‑moderator Chris Buckridge.
With that, I think we don't have a real big opening statements. I do probably want to give Anya a bit of a chance to explain what virtual workshop is doing and why we're all here in terms of the challenges they're facing and hopefully we can address some of these questions during this session. So Anya, please.
>> Okay.
Hello? Hello, my name is Anya Ogorkiewics. Thank you very much for RIPE for inviting me here. Thank you very much for the other organizers for supporting this session.
We spoke about kind of in the beginning the idea that there are established technical and standardization kind of spaces, and those working in the evolving IoT space. I suppose I'll be one of those people and we are one of those people working evolving IoT space. For the last year we have been contracted to help the city of war saw gather in a first phase do an information gathering phase on how to implement IoT in the urban landscape. So this is implementation of a large IoT system by local authorities. We have had the good luck to be supported both politically and with a very strong administration body that is interesting in implementing this brand new brave new world of IoT. I've been in charge over the past year of working within a think tank, bringing together the top minds of the world today, from Singapore to Los Angeles to speak about how to implement IoT in this urban land scholarship from three large perspectives, one in terms of the public procurements of innovation, second in terms of the technology itself, and thirdly because we are talking about the local government opening innovation aspect and how to build an ecosystem around IoT and how to build a multistakeholder engagement model.
I've been asked to talk a little about the challenges that we had of the challenges of reaching out to the stakeholders and bringing them together to speak about what is possible. Both and through the technology and standardization. And I'm sure we're going to come back to it in later discussions, but we found that to find basically a work of a blueprint for local governments to implement IoT in this year, 2016, has proved extremely difficult. We are one of the only authorities which are implementing this as far as possible. We already have an RFP out for implementation for what we call it's a large 800‑acre zone. So geography, it's an RFP for the design, execution, testing, commissioning, service and guaranteeing an urban IoT system within the city of war saw. We have run up challenges in types of standardization, the suggestions which are put out, both by very different stakeholders and in terms of technology that can be used, and especially in terms of this technology which is feasible to be implemented on the ground level at this day and age. I'm sure we're going to come back to it in discussions.
>> MODERATOR: Thank you. Meanwhile a core contributor who is affiliated with another internet standard organization. Thank you for your introduction, Anya. We do have two speakers that have inclusion in their agenda so I want to go to them first. Yari needs to leave at 10:00 and I believe grace is here for a bit. So maybe Grace you want to kick off a bit and then sort of add to what Anya said in terms of starting ‑‑ no?
>> Sure, thank you Marco. My name is Grace I'm with NTIA which is part of the department of commerce in the United States. The department of commerce is recognized IoT as a huge cultural phenomenon and a big technology trend so we're working with our stakeholders. We put out an RFC, request for comments in March this year and we're working to develop sort of a department paper, which is expected by the end of this year, that takes into account the community's feedback. We've received about 130 comments when we published the RFC in March and we've since then hosted a workshop in September to bring together stakeholders in the United States. And we've started a multistakeholder process on the, on focusing on consumer IoT devices and the patchability and upgradeability of those devices and that's a process that we expect would will bring together not just American stakeholders but people from around the world. If you're interested in joining, please contact me after the session. But we're looking to have that lead a little bit and sort of foster the growth of IoT in the United States and also make sure that we're getting our stakeholders to focus on the consumer devices and security of the devices as well. Thank you.
>> MODERATOR: Thank you. Chris?
>> Chris Buckridge here and I thought I would take my stab at being the co‑moderator here. One thing Grace I wanted to follow up with you quickly while we have these first two speakers coming from a bit more the public sector side and the end‑user side, are you able to share any of the sort of themes you saw coming through in the RFC in the workshop and did they relate to the challenges that Anya was talking about in what she spoke about?
>> Sure, thanks Chris.
We did, one of the big themes in the request for comments was security of consumer devices, which is why we launched the multistakeholder process on that specific topic. The other big theme, standards is an issue. We believe in the private sector leading on that. We also availability of spectrum was raised as well a big issue. And in general, sort of education and making sure that there's ‑‑ that we foster the environment for successful IoT development. That that was a big theme as well.
>> Thank you.
So two speakers already both Anya and Grace sort of fostered Internet environments an open model including all the stakeholders. Maybe Paul? Paul? Maybe as both Grace and Anya already touched upon like the fostering the current environment and then sort of making the Internet of things sort of grow into the current Internet model. Maybe you can explain a little bit on what that would mean in sort of that multistakeholder environment and how that can be or how that would be adopted to the IoT if needed.
>> Sure. Marco, thanks very much.
Something about the IoT, the so‑called IoT that makes me uncomfortable is this idea that somehow the IoT is something, something different from the Internet. Now the Internet of Things is a nice new name for the Internet, because the Internet is becoming the Internet of Things but in a lot of discussions about the so‑called IoT, it's treated as something different, as though the IoT is identifiable, as though it can be subjected to new and different policies, as though it needs new and different policies. The Internet has been around for a long time now, and we've been connecting things to the Internet for a very long time. And the things that we've been connecting have been becoming more numerous and importantly steadily more and more diverse. More diverse in terms of the distinct models of devices which are coming along and the new manufacturers which are coming along. So there's certainly a very important, very rapid acceleration in what's happening on the Internet in terms of connected things. But I think it's really important to see a continuum of challenges.
We've had new security issues which have come about over the years in new operating system releases in new computer releases, in new phones and apps and so forth. So again, the challenges that we've had have been ‑‑ there are things that we know about. The IATF for instance has this is something Yari could speak about of course, but the IATF has been defining what they call host requirements for many years. That is, where in traditional Internet terms any device connected to the Internet was known as a host. So host requirements can be applied to devices or things connected to the Internet as well. And I'm sure that within the IATF there's work being done continually to actually refine in the reaction to what's going on on the Internet, to refine the host requirements that could become thing or device requirements in the future. But it really is a process of ongoing requirement and learning from the past that we're looking at here. So just as an opening remark, again, my position is there is no such thing as the Internet of Things. It is not identifiable, it is not distinct, it is not something that can have or should have a sort of separate consideration unless of course as I say the Internet itself is now the Internet of Things. Thanks.
>> Thanks for picking up and explaining what is changing on the Internet then.
>> Right, thank you. And I just want to quickly pull up on the host requirements questions. And it's starting to look like we actually need to write a document somewhere that says obvious things like you should not deploy minutes of devices with passwords. But it's starting to be maybe useful not for the sake of anybody in this room getting a surprise from that. But it might even be, if you write that ‑‑ the best current practice for doing IoT devices is this. That you at least have to fill these kinds of requirements, that may provide some leverage on who's doing things correctly and if you misbehave then perhaps that can be considered as well. But I also wanted to follow up just a little on this general concept of IoT versus the rest of the Internet. I agree with my colleague here that the IoT is just really a further evolution of the Internet. And a part of that that needs to be administered as part of that. And of course there's many further challenges there. But just to provide one further reason why we need to consider IoT as part of the Internet and more of the same kind of thing is that the IoT, don't think of the IoT as gadgets. Those are the easily seen things and it's kind of tangible. It's not the whole thing. It's usually a system that you have, the cloud handles the data, you have a user interface on your device. You have some web interface. You have interface some other systems billing or whatever and you have the gadget and it's the whole system that needs to work across the Internet and usually does on diverse locations. So that's my definition of the Internet of Things. And that's important that we cover that. Thank you.
>> Thank you, Yari. You also raised your hand.
>> It's an interesting discussion, whenever we talk about definitions, one of the beautiful thing about definitions there are so many to choose from. Even if you look at IoT definitions, people try to do so and I think there are about 200 of them floating around from various points. Whether or not the IoT is an evolutionary step for Internet, we should consider Internet as a technology, that's a big question indeed. Because when we talk about IoT one of the distinct elements that we need to consider is that IoT is really becoming something that forces us to think of semantic interpretability among not just devices. It raises the bar a little higher than what you thought about before. Host requirements are very important but if you think about applications residing and how those applications will interact with other applications that in other devices, that's what's really cutting into the heart of IoT. And to me that's the most important element that we need to figure out how to solve to date. It's how to create ‑‑ I'm proud to say that there is a lot of work going on in this dimension. You will see next weekend there is going to be press release talking about a joint white papers that was developed by the members of IEE ‑‑ a couple of other organizations. And it was a huge step because traditionally if you look at groups working in different silos, there is not a lot of interactions. And looking from the point of view of myself, I'm practitioner coming from the industry. That is a great challenge because when we start implementing something, not having a road map, a blueprint with semantic interpretability it makes choices difficult. As we all know, anybody in the industry, if there is a choice to be made, multiple decisions to be taken, well, it's better to wait out and see which one will become a predominant direction to follow. Any type of, I would say, uncertainty, throttles down the development of progress of Internet of Things or Internet as a whole. Whether or not we agree that it's an evolutionary step or one in the same. I don't really care. What I do care about is we need to figure out how to create a multistakeholder environment not only as a level of stakeholders, but also multitude of stakeholders organizations really becoming one and starting to work together. And as I said before, I'm very pleased to say that this work is under foot and my other hat is wearing a head of a chair of IEEEP2413 which is a standard for architectural framework for IoT. And we have put a lot of effort in bringing multitude of organizations together and encouraging everybody to do is the same because that is key enabler and key factor to the growth.
>> Thanks, Oleg. I think you touched on important points. Amongst the different standards organizations that exist already on the Internet and how that can be useful and necessary for people like Anya who are trying to develop within this area.
>> I would stay beyond that. Collaboration that. Not just coordination. We need to collaborate, not just coordinate.
>> Is that collaboration that hasn't happened in the past? Is that something we need more of today?
>> Traditionally if you look, one of the jokes as it goes around the industry is there are plenty of standards to choose from. Whenever you decide to implement something, you always have a choice of standards to be made. In some cases it's a good thing. Diversity helps. And by diversity in the industry is helpful. But in some cases it becomes a struggling factor. I'll give you a very positive example. As an example, we all know about the upcoming tidal wave of electric legals. It has been in talk for testimony years and now we're finally starting to see electric vehicles everywhere. What it took to happen was the solution of the charging of electric vehicles. That's a great example when the industry came together and created a standard which was adopted in Germany, in U.S., by IEEE as well and now it became a platform for across the main, across industry collaboration. Because if you think about electric vehicle charging, it's the motor industry, it's power industry, it's consumer, it's a multistakeholder environment. It's a great example when really the boundaries organizations were crashed or maybe merged, fused, whatever you choose to consider as a proper word here. And as a result we have an industry that is becoming to be a booming one.
>> So I think the other great thing about this workshop is we do have representatives from the different standard organizations. So I wanted to low to Dominique Lazanski who is with GSMA who I'm sure will have their perspective on this ecosystem and standardization going on.
>> Thanks. I'm going to follow up on some of the points you just made, if it's not too buzzy. I think when you think of IoT, in terms of the standards making and the collaboration that you just touched upon, you think about the ‑‑ sorry. Is this? Is it on? Maybe that's better. Okay.
You think about sort of the qualities that you want for the Internet of Things, right, and for things as you mentioned to be interoperable and sort of connected. And those are aspects or openness, interoperability and security, right? So then you start to think about those qualities from a standards point of view. And those are the things that you want to bring to collaboration, to be able to discuss different particular players on the different sort of layers of IoT as well. To be able to sort of see a framework, to communicate, to be multistakeholder. I think these are all qualities that are really, really important as we go forward. Obviously as Oleg said there's many different types of standards that tend to be quite siloed in their making process. There is also on the flip side the tendency for some governments in particular that some of our members are working with who want to define, pre‑define technical standards in their country frame works that would set mandates for sort of technical aspects which is something that we are advocating against the GSMA because you just don't know how the market is going to play out and that's a good thing. And also there are some quite large international organizations that are doing much the same and creating standards not from a multistakeholder process, but from a very much from a bilateral or multilateral process which we can talk about a little more in detail later.
Just to highlight two things that GSMA are doing with our members, and we have obviously mobile operators as well as sort of ecosystem players. Everyone from handset manufacturers to content providers, we have a program called connected living which is now just massive. I can't even keep up with everything that's going on. But we've put out two frameworks which are obviously nonbinding standards but adopted by a number of our members and worked on our by our members. One is on the embedded SIM and the other is the security framework for IoT that's just come out about a year ago. Those are living documents as well and they continue to grow and change as we get feedback from all the different players in this area. So I'll leave it there. And hopefully catch up later.
>> I think it will be interesting to come back later to that alternative model of standards making and whether that's been embraced and who's embracing that. But I think it would be nice to throw next to Corinne Cath, who's a researcher who's particularly done some work on human rights and standards development which I think is obviously a very relevant topic particularly when we're talking about standards for IoT and connected devices in sort of more and more in integrated in our lives.
>> Sure, thank you.
As much as I would like to be able to say that we're at a point where we can start talking about human rights in standards in IoT, I think one of the first things we need to address is security and privacy for all obvious reasons. It's always good to be the last one to speak because then I can just say whatever they said and pretty much wrap up. That being said, there's some things that have been mentioned briefly here that I would like to focus on again as being very important. What do we mean when we're talking about IoT? I think there's a lot of need for further categorization, especially when we're talking about how to include this in a multistakeholder model. So can we make sure that we make a difference when we're talking about IoT as in device to device, device to cloud, et cetera, et cetera, because we need that to be able to look at what are the privacy and security considerations that we need to look at. Another thing that I think is important to mention is that some of the things that we've referred to as being IoT are also industry control systems that have their own set of standards that need to be met.
As much as there's been a focus on IoT not necessarily being a new thing, I do think it has a lot of qualities that in combination with the fact that it's going to scale so quickly make very strong case for the fact that we need to be really more on top of the security and the privacy things. I mean, the scale of it, the fact that power and memory is limited, the direct interaction with the environments or humans are out of the loop. There's all these unique challenges. And I think for instance if you look at the mirror examples you see that there's a lag in security and the possibility to update. So pretty much we have all this stuff on the network that's going to be there for 30, 40 years and it's just not safe. And then sort of the last question of does the multistakeholder model cover everything or do we also need for instance more regulation. I think we need to also keep in mind that because this is not necessarily a new thing, the governments are doing a lot of things in terms of standardization, in terms of regulation. So I would focus on not trying to reinvent the wheel, but improve what we have.
>> Thank you, Corinne. Yes, you are the last speaker here. We do have somebody remote who I hope is on the line. One of the things that was raised by several people here is coordination. Coordination between standardization bodies, coordination between user groups, stakeholders there. The fundamental part of the Internet is coordination. But also I think part of that is, and that's sort of where Oleg touched upon this. It's very informal and openly Uta has been researching a bit on these relationships between Internet operators so maybe Uta if you are online.
>> I wanted to jump in quickly on a bit of more of an administrative matter and say yes, Uta is the last speaker we had planned here. You'll notice we're only half an hour into this and that's intentional. But I would like to encourage people to be thinking if you have any comments, we really want to throw the floor open and get the discussion going after this. So please think about that. So sorry. Please go on.
Can you hear me now? I can see myself now. Great. Thank you so much for having me.
So I would like as Marco just introduced, I would like to offer a point of view on this disconnect that we have between the network and the application service and if you will the IoT resides. So I would like to start with something that everybody probably is aware of, and that is the Internet architecture which separates character content but that has implementations but that means network operators and reachability and the transmission of data independently from the applications or services that cause these data flows. And on the other hand we all know that the providers are free to innovate as long as they comply with the features of the Internet protocol and the Internet of Things is a result of that. I would like to say that this design feature of the Internet has applications for Internet governance and specifically for the informal character of Internet governance at the core of the network. It creates good conditions for self‑regulation, but less so on the edges. So at the core of the network, some people may not be aware of it, but the network operators pricing those horizontal ties between the network. That's obviously what we call Internet interconnection and this is how connectivity is being manufactured and also repaired. And manufactured instead of just established, because interconnecting networks is just as much as a social process as it is an engineering task. And when network operators interconnect their networks, they enter into relationships that are ‑‑ but into dependence and uncertainty. They are competitors but if they don't work together, then none of have a product and uncertainty is caused by some of the Internet protocols that are used for Internet interconnection. So in a sense the network is a share system. And one result of it is that network engineers will collaborate. This is fostered by the RIRs and some of it is formalized too for instance in the form of current best practices. But very often these ties are personal. And so are the dos and don'ts of networking. They follow informal convention. And you can imagine like a social network. And what this amounts up to is a coordinative capacity at the core of the network. Let's call it governance capacity. Now looking at the content application, the Internet architecture does not induce the similar need for collaboration. The developers of applications have more freedom to innovate and they don't need to check back with network providers or other competitors. And so what's new here, I've heard this question being asked before, and I would like to say this configuration of course has always been a challenge. So that's not new. What I think may be different or changing on this continuum, I agree, is that this data authority is moving to the edge, less so on the service anymore. In the network. But to things in the material world. And that is an issue when we take into consideration that these devices are often autonomous and that they're constrained. So at a recent ITF meeting, it was pointed out that these devices are not pet devices, many of them. They are often distributed in the environment. So what I would like to pose as something that we probably should work on is that we should look at how to foster operational control that guarantees maintenance and repair of these devices, and also that we need to discuss about a way responsibility for when IoT devices go out of control. So in the beginning I've pointed out how the Internet arc effect tour conditions this collaboration and trust among network operators and similar conditions do not exist for app developers, at least naturally. So I think we should look at how we can build crutches to foster similar collaboration. This term has also been used before here. And how to engage in more capacity, but also community building among diverse set of new actors that enter the scene. I think that is fundamental. They come from various industries, we have to include them because they're not networking experts. They may not be web experts. They probably don't come to IATF meetings, they don't come to our meetings. So I think to bring these new set of actors aboard we should collaborate more what's happening now at IGF, collaborate with those where IoT vendors and developers have to go anyways. So we need to get the certification bodies aboard and the standardization bodies and collect the IoT people from there.
And in terms of responsibility, I think that also suggestion from the ITF meeting that we should think about helping make the business case for services for maintenance and repair of IoT. And that's my suggestions. I'm happy to discuss. Thanks.
>> Thank you, Uta. Collaboration at other layers of the Internet. I already saw you raise your finger, Yari, so you want to chime in on what part of Uta said and the collaboration factor at sort of the higher level that I would like to talk about?
>> Thank you. And very much with what Uta said. The fundamental issue is that the Internet allows the creation of new technology, new applications, new spaces basically without any limits. It's sort of infinite creation space. Anybody can do that and they get to decide how open their new things are and how they're administered or not. And that's actually a feature that the Internet allows this. But of course when something gets very big and widely deployed and has a big impact on the society, we start thinking about how well this is done and if there are areas where we could do better. I think around the table we have already found some consensus that we need more interoperability at all levels, not just being able to put them in the same mobile network or same Internet, but also at semantic interoperability level, Internet architecture board did a workshop earlier this year on this exact topic and it was start of some of this collaborations going on in the world today.
But it's really sort of a tussle and we're going back and forth in this battle of how far we have standardized things or not. And the basic example of that is that you buy a house with Microsoft light switches and you can't use the Apple light bulbs in the house. That's bad. That's bad for society. It might be good for some particular vendor in a very limited sense but we all win more if this thing is more widely interoperable or more widely useable. We who provide the networks can sell more networks and data gets transferred when this works better. So it is to our benefit to try and push this further in the standardization space. And I'm very much a believer in this informal collaboration and I just wanted to bring up the point that at the fundamental level, we can't around this table decide what particular application. We have to give them incentives to do that.
>> I saw you raise your hand.
>> I'm happy to contribute but also happy to leave you two open to the floor.
>> No, no. By all means we've got a good set going so feel free to chime in.
>> I'm going to wave the Internet flag again. We've been hearing about semantic interoperability and privacy and data protection and so forth. And these are all issues of application and usage of the Internet. And very, very important which to establish standards but again not to see them as special needs or new needs of the so‑called Internet of Things because the same challenge has existed for many years. And organizations like the W3C and talking about collaboration and understanding, who else is in the space. Organizations like W3C have made huge investments in interoperability at the web layer, at the applications layer. Payment systems, accessibility, media standards, encryption, authentication, all of this stuff is being really thoroughly covered. At the risk of not seeing this is manufacturers want to come along and become IoT companies without understanding that they may want to become Internet companies first, or at least at the same time. That they don't have to see themselves that way. They can do whatever they like, as Yari said. But there's a huge benefit in looking at what's gone on before over many, many years of Internet evolution. Because there's an ecosystem which a new manufacturer is getting into. I think there does need to be or there's a huge benefit where the existing manufacturing ecosystems, which are also very well established, to harmonize those and for them to be able to take advantage in both directions to what's come before. And very critically today, within the Internet ecosystem there's a security ecosystem as well that's getting to be pretty complex and pretty advanced in terms of the number of players and the amount of collaboration that's required to keep advancing Internet security.
So I haven't even mentioned multistakeholder aspects of the IoT here. Because if we will see the IoT as inseparable subset of the IoT, then the ecosystem already a multistakeholder ecosystem. We already accept that and we don't have to have a new argument about whether the IoT should be multistakeholder or not. It's already a given. Thanks.
>> I would like I'm going to take it back to the floor. So get your questions ready.
>> I would like to build on what Paul said. And gives you by definition it has to be multistakeholder. And I think one dimension that IoT really brings to the forefront, it's a fusion between operational technologies and ICT technologies. Because if you think about IoT, it's really an opportunity that hasn't exist before to connect physical world to the world that create in the digital domain. And all the sensors around our physical world, what does it mean to us. All the aspects what does it bring. I encourage everybody and this kind of promotion to join the session at 12:00 today when we with all talk about an IEEE opportunity to contribute to the space through our experts in technology and policy and our Internet initiative because we focus on issues of privacy and security and bringing technology developers and policy makers together. But back to the original point. If you think about additional elements, I recently was in a panel and one of the researchers was told about the gestures we use to get our smart phone out of our pocket could be used with a identifier of our personality with the same degree of accuracy as our fingerprint. That's fascinating. If you think about the world where devices that surround us and connect to Internet and transmit information about us can really create our persona based on secondary type of factors. It's a completely new dimension of privacy and security we need to consider. It didn't exist before. It goes way beyond our browsing history. It is something really you in and something that in my opinion creates this next step in the evolution of whatever we decided to call it. Internet, Internet of Things or if we decide to create our new name, but this is where our kids will be living in. This is a world that will be based on those type of informational flows.
>> Thanks, Oleg and thanks, everyone. I think it's good to throw to the rest of the room now. You had a point?
>> Hi, good morning. My name is Hannah and I'm managing an IG program and I'm currently doing research on the security considerations vis‑a‑vis the Internet of Things and maybe I'll take you back to basics here because it would be really nice if one of the speakers define the stakeholders that you're referring to so everybody who is in the room who is not familiar with the topic understands what we're talking about.
The second question is relating to a point that was made that some governments are trying to predefine rules of regulation. To my understanding, it's not going to work, because if a device from the U.S., for example, let's say the U.S. is a little bit ahead and they are trying to set up these regulations, if a device in the U.S. is connected to another one in China, for example, and we have manufacturers who are not respecting the security regulations that you predefined previously, it's not going to work. So I don't think that regulation is tied to jurisdiction and to geographic borders. How is that going to work? Are you going to go into agreements with manufacturers in China, for example? How are you going to make sure that whatever you stipulate is going to be enforced? Because one of the conclusions I made in my research is that it's not possible to force manufacturers from other countries to abide by local regulation.
>> So that ‑‑ I don't see any other questions straightaway, so I'm perhaps going to ‑‑ oh, we do.
>> I've got two questions. But maybe it's a good opportunity for Anya to respond and I'll get the mic for the next question.
>> Okay.
>> Hi. Thanks for this question.
I think Dominique will speak more about how national regulation can influence the choice of vendors in IoT.
So in terms of your first question about the stakeholders, that you wanted to ask us to kind of better target. This is a great question, especially in terms of the urban IoT system that we are working on. Because it's a system which is let out of a department within the city. So this is the ground level, right? And it's led out of what's called the social projects department and the department of social care, as it were. The welfare department. So this is basically an IoT system which is extremely focused on the most disadvantaged as it were amongst us, especially those which are the visually impaired and other handicapped, as it were, people. So what was interesting about is that we found it much more easier and much more clear to find standards for accessibility that were very easy to grasp. These were great frameworks which were written in a way that public authorities could easily implement this in the RFPs. For instance, I have some that I wrote down the famous ISO9241, the ergonomics of human system design, web usability, such as the guidelines 2.0, the 12 kind of large guidelines and the different levels, AAA, single A, AA, even a BBC mobile accessibility guidelines, all of these were put into our RFP, but we had incredibly difficulty finding the equivalent in technical standard bodies. So we knew exactly ‑‑ we knew our stakeholders very well. So our stakeholders are a population which we are basically targeting with our system, which is going to cover one of the largest geographical areas so far. Our challenges were quite on the side of the technical an standardization through the system itself, actually. So that's that.
And kind of a little bit before passing the mic to Dominique about the national government regulations and the manufacture of things, I'm sure we have seen this year arise a national regulations kind of forcing manufacturers to nuance their offerings in individual countries. Of course, I work in the EU in Poland, so this is obviously a different ball game than many other countries out there. But even in Poland we have an national interoperability framework which sets guidelines for the very minimal requirements for public bodies, for local government, public bodies, for the exchange of information, electronic form and for ITC systems. So there will always be a national kind of element, minimal kind of requirements. But I'm passing the mic to somebody who can explain what it's like on the international scene.
>> That's interesting. I didn't know that.
So you're absolutely right. So there's a couple of different aspects to this. One is the sort of consumer market choice. Vendors either participate or choose to participate in Etsy or IATF or other standards organizations where they can collaborate and ensure that they participate in the creation and hopefully adoption of standards. On the other side of it there are vendors and other different ecosystem players who choose to develop proprietary systems or closed systems as well. So you've got those two things which I this in a more general sense will kind of, it's early days and will kind of flush itself out and there will be different aspects to how that works. But on the other ‑‑ on the flip side, you've got different regulatory and policy framework. So we just heard yours from Poland, our colleague from the U.S. talked about what their approach is to creating an IoT framework, which is very much bottom‑up, multistakeholder‑driven, seeking contributions, doing workshops. And then we have seen some countries already start adopting very prescriptive frameworks for a variety of reasons. Whether it has to do with increasing tax income or choosing to adopt specific very technology oriented standards from places like the UTU or whatever it happens to be, where they create sort of heavy handed frameworks or starting to create heavy handed frameworks for IoT. And this is obviously a concern because there's usually tend to be a relationship between those countries that do that and the fact that those countries are underdeveloped or developing countries, emerging economies. In which case sort of that's one of the contradiction is that those countries tend to be the ones that probably could have huge explosive growth with IoT because they're so mobile focused to begin with. So what you're seeing is absolutely true and I think you're going to have a variety of different ways that that's going to flesh out in terms of competition adoption by consumers. But I would stress that from our point of view, you know, sort of having very baseline minimal regulation allows the ecosystem and the growth of IoT to happen and of course that means some companies and vendors will fail and others will flourish and it will change over time.
>> Thanks, Dominique and Anya. I think we've got a few questions from the floor so I'm going to let us do a few of those in a row before we come back to our speakers. I'll start with the gentleman at the back here.
>> Hello? I'm John Pedro, I'm from Portugal. I'm a newcomer. It's interesting from a youth perspective, we see how difficult it is to find solutions in a multistakeholder way. I would like to bring to the discussion that IoT is going to be a difficult thing to address when there is so many improvements to be done. I would like to mention and address the issue of IPV4 versus IPV6. We spoke about access and I know from being a youth ambassador, there's some issues people want to be able to access with so many different devices. I know there's network address translation, but personally is it just postponing an emerging problem? I would like to see your views on that problem. Because finding solution as I said is difficult. But if we can't really put forward something that is being already implemented but in the background, it's difficult, right? Thank you.
>> Thank you very much. I'm sure we'll have people up here who can speak to that issue.
I'd like to go to the next speaker down here.
>> Good morning. My name is Arturo I'm from Mexico and I'd would like to comment that I really agree with one of the presenters that she mentions that interconnectivity or interconnecting networks is more social than a technical endeavor. And I think we're talking here about human rights, community building, development and I am a technologist and I work in aspects of standards development and I work in development of instruments. I'm a technologist. But I think that we would be very careful in not losing or missing the opportunity to consider some kind of reflection. And also to raise the right questions in order to turn the Internet of Things into something that is very useful for the population. That is to say that there are questions that have to be raised that put the technical solutions in the context. In my humble view, that goes first. And I don't want to go ‑‑ I don't want to be disrespectful, but I think that I've seen a trend of basically a brutal technology push and marketing push before thinking of what is the context. And that would contribute in the qualities that we've seen in the world so we have to be careful that the standards is important, technology is important but the context is even more important. So let's not lose opportunity to turn the Internet of Things into something that really develops the world. And that's my view.
>> Thank you. The gentleman in the yellow shirt here?
>> Hi, I'm Barry. I work with Yari in the ITF. I also work in an organization called M3AAWG, the messaging mobile and malware anti abuse working group and at their recent meeting in Paris they started work on one thing that Yati mentioned, a best practices document recommending basic security for Internet of Things device manufacturers not using default passwords, not using open ports that aren't necessary and that sort of thing in an attempt to make devices more secure and private and less open to abuse.
>> Great. Thank you.
Okay. And the gentleman down the back there.
>> Hello. My name is ‑‑ I'm from Brazil. I'm representing ‑‑ an organization that advocate ‑‑ my question is related to privacy. And protection. Since Internet of Things can get enormous amount of information about this and our habiting, and one speaker raises the important points that the Internet of things must be ‑‑ mutate ‑‑ so I agree. The question is how to protect us in the case for example ‑‑ where [ indiscernible ] that for example too much butter, too much grass. And YouTube helps to increase your industries. That's a silly example that show the problem I try to raise.
>> Thank you very much.
I think we've got a few comments that some of our speakers wanted to make in response to those questions and comments. Paul? No? Corinne?
>> Yes. I would like to make a quick comment to the gentleman in the back who focused on IoT being used for the public good, for the good of society and focusing on human rights. I think that's a very good point, it's something we tend to glance over because there's so many more immediate problems that we see. That being said, I think it's easier said than done, as Yari, who had to go unfortunately just mentioned. There's a huge issue in getting people who are actually working on this to have a long‑term vision of what IoT can do. And you need that to be able to have this standardization that requires that. So I think there is a real need to continue this conversation and that's also why I think that having this multistakeholder kind of approach to IoT is so important. Because that allows for actors who don't necessarily sit at the table automatically to come together. So, for instance, human rights article 19 is doing a lot of work surrounding human rights in the IATF just bringing that particular perspective. And I think similar actions need to be taken when it comes to the IoT in the multistakeholder models to make sure those representing public interest, those having a clear understanding of specific contexts of specific countries are also there when we're discussing those issues. I think it's a good point but a lot of work needs to be done.
>> I think there's been a couple of comments that point to a bit of an issue of incentive here. I think you've talked about the sort of manufacturers not necessarily thinking about issues like human rights. We've talked about, I mean, there are manufacturers who are not necessarily feeling like they're part of an Internet operator, an Internet provider. Are there any thoughts on how you incentivize that? Obviously there's a regulatory model which can be a bit more of a heavy handed way of doing it. But looking at it from a more multistakeholder open way, are there ways that we can incentivize those new actors coming into this IoT space who maybe don't have the time, money, business interest to fully become part of the Internet community or feel like they're part of the Internet community. Is that one of the big challenges that we have?
>> I think a big incentive should be fear. For some bedtime reading you might like to have a look at a blog post by Jeff Houston which was entitled the Internet of Stupid Things. You can Google that and this is the first match. But what he showed is even established Internet companies can release bad devices on to the Internet. It's pretty easy to do. The new Internet companies, the new Internet IoT manufacturers are going to do so as well and there's going to be companies failing as a result. And if you think of Samsung and their bad batteries and the opportunities of failures which may not be random failures but triggered through Internet exploits and causing not only fires but also privacy violations and all of the sorts of fears, I think the potential for serious cost and failure is huge. So fear must be a big incentive. And the biggest culprit, and this is not a new one. The biggest culprit will be pressure on time to market. This is a curse not just for Samsung and Microsoft over the years, but for manufacturers that go back to car companies and almost anyone you could any about I think has rushed something to market too quickly and found it doesn't work. And in this new connected world, the impact of all rushing and minimizing time to market is going to be some bigger and more serious problems. So I don't think it will take too long for any serious manufacturer to get that if they haven't already. Thanks.
>> Brave new world inspired by fear. 2016 in a microcosm there.
I had a question from here.
>> Yeah. My name is Bishaka and I work with a non‑profit in India. I wanted to follow up on the privacy and data protection question and try and push the conversation around the Internet of Things towards the concept of consent. And when we are discussing standards, there tends to be more of a discussion about technical standards. And I'm wondering whether there's a way in which we can think about consent or proxies for consent before rather than sort of privacy and data protection only which is after. I mean, we need both. So I'm curious if people have any thoughts on that.
>> Oleg here next to me already said I want to respond to this.
>> I actually wanted to respond to Paul's point regarding motivation by fear. I don't believe fear is a good motivator because fear forces you to run and when you run scared you don't look around and make the right decisions. You're just trying to escape. I think there is a tremendous economic incentive in implementing proper policies and technologies around security and privacy. Because if you think about products that come into market, very much the same way that Samsung experienced the back lash of bad battery, bad privacy and security components will have even greater back lash. So when we start thinking about, and manufacturers already do, a lot of them do, think about security and privacy as a differentiator, as a future that is promoted and actually something that enlarges manufactures' footprint in the market, that's a great motivation. I would focus on how we can set up an environment in which differentiation privacy and security front can be a tremendous incentive for somebody to promote their products.
>> Thank you. I want to stick a bit at the fear. It's always a bear to market on fear but let's use it a little bit more. Several people we're just talking about privacy and privacy sense and a data protection sense, yes the big elephant in the room in my opinion is security. It's been mentioned various times. And then I want to take it back to sort of the question of incentive. Because as you said, in theory the market should do its job and sort of the better products will eventually triumph over the lesser safe products. But that will take probably a lot of collateral damage in the form of these incidents keep happening until people realize until something needs to be taken and that kind of remind me of sort of the book by Ralph Nader unsafe at any speed. You brought up the car companies before. It took quite a lot before they fitted seat belts. What's needed to get IoT people to fit seat belts to their devices. And what will it take for users to wear their seat belts.
>> I think there is a better analogy. Let's think about not seat belts, but ABS brakes and air bags. Because that's actually, I think, would be a very good parallel to what we're trying to analyze here. And I would encourage you today if you go to market and try to find a car as a example in most of the countries around the world, I doubt that you would find one without air bag and ABS brakes. Seat belt is more of a regulatory issue and I think cultural issues that needs to be overcome. And by the way that goes back to consumer choice, right? Some consumers may decide to not spend a lot of money and stay with the products that is cheap and doesn't implement any privacy. But I don't think this is not really a decision based on technology. It's a decision based on culture. Even if you look at different durations, right? As an example, I don't post where I go for dinner every day on Facebook. But if you look at the duration where my daughter belongs to, most of them do, right? Which to me is kind of a violation of your own privacy, but they do it consciously because they find some other benefits. So I think there is another dial to be turned around. The value proposition between somebody buying into the concept of products, enforcing and helping to preserve security and privacy and somebody who says well, I don't really care about privacy. I would like my information to be exposed. So this feature is not important to me.
>> Okay. And I have other speakers want to respond to other people in the room but I do have question for you.
We've seen issues on the Internet where devices connected to the Internet essentially attack the Internet itself. Yes in that case privacy is a choice but you put other people at risk. If you drive around with a car without ABS, at some point you're going to hit the brakes and you might skid out of control and hit somebody else. And so is there a responsibility for users to also protect other users from harm?
>> I think you're raising a very interesting concept that goes back to your research. What impact technology will have and what responsibility users will bear. I think we're entering a brand new terrain and frontier we haven't encountered before. What your actions could be considered as an honest mistake or malicious action when you decide to use an unsafe product. But I think we also need to consider the fact that yes we do need policies and regulations and we do need frameworks and we do need requirements and best practices to talk about if the device is considered to be a host and it's connected to Internet, what are the constraints and framework requirements that we can impose to essentially make a connectability device. Because also think about something else. If you would like to connect a device through Internet, I think we have to start thinking about at some point you have to start meeting certain requirements, otherwise it will not be authenticated. If you look at the clouds created today, there is a lot of work that has been done in that direction. Devices that are connected to the Internet, they are authenticatable devices. They are devices that can be proven to be, because they claim they are, and by the way using of SIM cards and trust components and so forth means this area is very important because that creates that ability to create the trust zone. So when you connect something and it doesn't have this trust zone, maybe the device should be rejected.
>> License to collect. Who wants to take that? I mean connection to the Internet a human right but only if you do it safely?
>> Actually ‑‑ I was going to say Andrew had a comment for a while now which might be relevant to this. And give you guys a chance to think about a response.
>> Hi, my name is Andrew Sullivan. I don't know if this is exactly relevant to that. But I think there are three things that we're circling a little bit here and I want to try to draw them together in order to see whether it gets us somewhere. And the first of these is whether you like the analogy of seat belts or air bags or antilock brakes or coffee cup holders in your car, the point is some of these things actually ended up in cars because of social mandates because the market didn't work. That is, the automotive companies refused to implement these things or they only implemented them in expensive cars until regulators came along and said you're going to do this and you're not going to get access to our roads. The difference there is roads are publicly owned. They have this property that the government can say you're not going to be allowed to go on this road if you don't immediate these sort of certifications. The Internet is not like that in two ways. First of all, it's not in a place, secondly it's not actually publicly owned. The networks are private. So we've got a bunch of incentives that we've have to work on and if we don't figure out how to make them positive ones, we encourage people to build things in as opposed to make the negative ones, we're not going to be able to do this. Keep in mind also that a regulatory response that says you're going to have to implement all of this stuff is not going to work for the simple fact that we're talking about the Internet of every single thing there is. We cannot possibly certify that many devices. We just don't have that much people in the world to do the auditing of this kind of stuff. We've got to set it up that customers have the incentive to make sure their stuff is safe otherwise we're going to connect stuff that's garbage otherwise there's too much incentive to doll otherwise. Finally, I want to come back to the question for framework of consent in advance. Trying to act on this defensively, we try to figure out how to do something so people can say hey, wait a minute. I'm willing to permit this stuff to go out, I'm not willing to permit that stuff to go out and have an effective way in which the devices respond to that kind of question. It seems to me that that sort of framework and the questions about security, like, for instance, should my thermostat be able to talk to random DNS servers on the other side of the planet are really the same kind of problem. That is, we need to create an inter‑like mechanism by which people who are running their network have the ability to do it. And the only problem that we have right now is that an enormous number of these networks are unmanaged. That is, they're networks that nobody ‑‑ your grandmother isn't going to manage her network. Frankly I don't manage my home network that well either and I do this for a living. Because I'm busy, I have a job to do so I'm not going to spend my entire life making sure that every light switch in my house has had its last flash update. So we have to find another way for me to be able to tell my network hey look this has got to be working and these are the kind of reliability constraints it's got to be under. I don't want the light going off when I'm calling the ambulance because I want the front porch light to be on, but I want to make sure that everything is up to date and things got to reboot and so on. All of that stuff has got to be something we figure out how to build. So there's a serious challenge to the technical community here that we figure out how to build those kinds of things and this is a serious challenge to the policy community, that to state what these policy problems are without reaching for the immediate solution of oh I'm going to write the rule that tells you how to do it, rather than tell you what it is we need done. Thanks.
>> Thanks, Andrew. I think perhaps one thing that jumps out at me a bit as we talked about regulation is whether that's maybe a dichotomous relationship with standardization. That if you can achieve something through standardization, perhaps including people ‑‑ you avoid the need for regulation down the line. So that's something that relates very much to this workshop and to the standard organizations here.
I think we had some comments over here.
>> Looking at the seat belt analogy, the fact that because the Internet is so different and because it's mostly privately owned, saying that the governments are less effective is ‑‑ I'm not sure it's true but it does increase responsibility of companies and technical actors and legal options exist there. The UN guiding principles for companies, the market principles are one thing that organizations could start looking at. So I think it's really important to do user empowerment. I think it's a great idea. However the practice of it shows is that people, as Andrew just said, even somebody whose job it is to do that, does not manage their own network. Let alone just regular end‑users who are interested in being able to switch on the lights before they come home. I think any kind of solution that leans on that is not going to solve that issue. I would rather see companies and corporations take the responsibility they have towards human rights towards security, towards privacy and security seriously and if it can be done through incentives ‑‑ we start to look at the possibility to lean on to make this happen.
>> I've got one more comment here but very, very last call if anyone from the floor has any final comment and we'll do a quick round with our speakers before we wrap it up here.
>> I am a consultant here on behalf of the Dutch IGF. I've got one comment to make and Andrew said most that I wanted to say so thank you for that and much more eloquently. The thing that I would like to say, all the analogies that we make up and that we have, they're just not adequate. Because when a car drives into another car, not taking anything away about the pain of losing a family member, but it's individuals. It's not acceptable that there is loss of life on the roads. The only sentence I'm going to say is whether we can afford to be as less active in this field as we are at this moment. The urgency to do something but the sort of attacks we're seeing this year is so huge is I don't think there's another opportunity to start acting. Chicken egg here but who's going to break it, break the circle and move forward instead of looking at each other. Thank you.
>> Thank you. And as Chris said we're nearing the end of the session and people already lining up to take over this room. I want to start the wrap‑up by making a last round to our speakers and any of them, give them the opportunity for any final comments based on what was said in the room.
>> I guess it's clear I'm on a personal campaign to abolish the term IoT or maybe to replace it with something like SC‑IoT, or the so‑called Internet of Things. But it's quite good to know it's an English language issue and there are some alternative in other languages. In Chinese it translates as connected things. In a meeting I heard IoT as expressed in Spanish translated back into English as Internet of stuff. I think that's a good alternative to leave you with. That's all I've got to say. Thanks.
>> I think it was a great discussion and we discussed a lot of stuff following Paul's suggestion. But I would like to create an actionable point out of that discussion. Collaboration is really important. It's not only collaboration among organizations and people, it's organizations and organizations, standard development bodies and such. And I'm pleased to see this effort is under way and people are working together, that I talked earlier about. I would like to call for participation. We have a tremendous opportunity to come together under the umbrella of initiative and IEE: It's simply Internet initiative and what we're trying to do, bring policy makers and technology developers together so we can actually create a paradigm shift from consequential development of policy reaction and technology of policy to a world where we can help to educate each other. Policy makers educating technology developers and policy makers. So we can have a synergy. You're welcome to join, if you're interested find me, I'll be happy to bring you in.
>> Thank you. Dominique? Or Anya? Corinne has to leave, unfortunately already.
>> Thank you all. This has been an amazing discussion. I think summarizing some of the things that I've emphasized is the multistakeholder model exists, it works, we should build upon it. Secondly we should look at the responsibility of private actors when it comes to this and make sure that a combination of soft and hard norms exists to make sure that the end‑users who are going to have this in their house have privacy, security and hopefully one day human rights too.
>> Thanks. I've also learned quite a lot just listening to everybody around the table and in the room. I think this is the beginning of an ongoing conversation. But one thing that I would say just to close is I think we need to be sort of agile and responsive, not just to collaboration and standards making, but to how we think about policy and sort of what the challenges are. And how that's going to change quickly and sort of dramatically over the next even the next year.
>> Okay. I'm last. This was a fascinating discussion. I want to also thank Uta for two things that she mentioned, which is really a great way of understanding things. That the state authorities are at the edge of Internet governance and that a new set of actors are emerging which are not plugged into this established technical and standardization space such as this forum here.
We, Oleg spoke about the current practice of let's wait and see what direction we should follow, what we should implement. This is sometimes a luxury that we don't have at local government. Often we have pressures in terms of today we have the funds to implement this within the next 12 months it has to go forward. We are very strongly aware of the idea of failure for a business failure is a question of writing it off at the end of the year. For us failure is creating a legacy systems of the next 5, 10, 15 years which will be there for a very long time. Forever. The question of consent is huge in terms of for local government, for strong democracy‑based, one of the closest to the people, love government. And the idea of a value proposition for positive economic incentives for privacy and security, yes, especially the number one is idea of steadiness and stability of regulatory framework and finally we are seeing the beginnings of some sort of trust emerging, trust in IoT emerging. As you know the EU is working on the trusted IoT label, the normalization power coming up and also I think in terms of this actionable point, make it easier for those who are doing ground level implementations to find this. I have to say I was really surprised that within the hyper cat specification, if you read through the whole specification that was about discovery and amplification of things within an environment, annex B I believe, at the very end of the document, annex B was a skeletal suggestions of security of policy security framework, which was amazing. The first time we actually saw what they would suggest for security for IoT system. So thank you very much.
>> Thank you, Anya. We've got 3 minutes left. I believe Uta is still on the line and wants to chime in with a few closing words.
>> Yes. Thank you. Am I on?
>> Yes, you are.
>> I see myself. Great.
So I just have two final remarks and that is I would like to pick up on something that Paul has mentioned that we need to bring together what he called manufacturing ecosystem and the networking world or networking ecosystem and I fully agree on that. And to make this more ‑‑ to say this in a more constructive way, I think where we could take off, for instance, would be what I would call obligory points of passage for manufacturers. Those are the places where they could be put in touch with the network and what they're causing to the network but also how the network can be serving them. Maybe also serving them better than we thought. That is the point of information and the point where capacity building can actually happen.
And the second remark, I'm a little more pessimistic about the market as known, as we don't ‑‑ as we as users of the Internet of Things or the Internet in general has a lack of insight into cause and effect when something happens in the network with the things. So as long as we do not create that, I think there is little chance that this blame and shame idea is actually going to work. Thank you.
>> Thank you, Uta. And with that, I would like to thank everybody for coming out here this early and for your lively participation. I think it was a wonderful session and as speakers mentioned before, this probably is only the start. And no matter what we're going to call it in the end, we do need to keep this discussion going and then collaborate and hopefully make this a safe option that includes everybody. Thank you all for coming out here. And I hope to see you soon.
(Session concluded at 10:27)