IGF 2017 - Day 4 - Room XXVI - WS 69 A Net of Rights: Human Rights Impact Assessments for the Future of the Internet

 

The following are the outputs of the real-time captioning taken during the Twelfth Annual Meeting of the Internet Governance Forum (IGF) in Geneva, Switzerland, from 17 to 21 December 2017. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> MEHWISH ANSARI:  Okay.  I think we can get started.  Wow, that was louder than I intended.  All right.  Thanks everyone for joining us today especially so close to the end of IGF.  My name is Mehwish Ansari and I'm part of the digital program at Article 19 which is an international human rights organization that focuses on freedom of expression. 

The title of our workshop is A Net of Rights:  Human Rights Impact Assessments for the Future of the Internet.  So we will be discussing the development and implementation of Human Rights Impact Assessments or HRIAs.  However, we will be focusing specifically on Internet infrastructure.

And so over the course of this week we have I think all been to several workshops and sessions that have reinforced the relevance of infrastructure for our lives but certainly for the exercise of Human Rights online.  So to ensure there are stronger Human Rights considerations among the non‑state actors that own, operate, manage and insure the interoperability of the global Internet infrastructure, we identified two categories of actors that formed the basis of the way this workshop is structured. 

We have infrastructure providers which include Internet registries, domain name registrars and technical communities which develop the standards or policies that determine the interoperability of the Internet. 

So working within that very broad taxonomy the question is how do we develop concrete mechanisms through which these actors can identify and consider their impacts on Human Rights.  And so our response to the question is to consider Human Rights and fact assessments or HRIAs so that's going to be the focus of this workshop.

We have got quite a busy program here.  The nature of the discussion will be very much focused on implementation and not just on the theory of HRIAs.  We are going to kick off with two case studies.  And so then at the end of the two case studies we are going to bring the panelists together for a short moderated discussion.  I suspect that may be all we have time for.  If there's any time left over, we are definitely going to hand it over to the audience for questions.

So before I dive in to the case studies, I'll introduce our panelists.  We have Catherine Bloch Veiberg, senior advisor for corporate engagement and program manager for human rights and development at the Danish Institute for Human Rights, or DIHR; we have Maarten Simon, senior counsel for SIDN which is an Internet registry that manages country code top level domain for the Netherlands.  And we have got Beth Goldberg, a graduate researcher from Yale Graduate School of Management whose work focuses on evolving modules of regulation for transnational technology companies.  To my right we have got Dr. Alissa Cooper, fellow at Cisco Systems and current chair of the internet engineering task force, or IETF; and Niels ten Oever, current head of digital at Article 19 and PhD candidate at the University of Amsterdam, and current co‑chair of the Human Rights protocol considerations research group in the Internet research task force or IRTF.

So we are going to start with the case of SIDN.  Earlier this year we at Article 19 teamed up with DIHR and SIDN to develop a complete HRIA‑SIDN.  We are going to talk about the implementation and results of that.  I think I'll start with Catherine.  Can you give us an overview of what exactly HRIAs are and how SIDN fit into the taxonomy?

>> CATHERINE BLOCH VEIBERG:  Just a little bit about the Danish institute for Human Rights.  We have as a specific mandate to work with not only the Danish government to advance Human Rights in Denmark but also to work with other countries around the world and to work with the private sector advising them how they should be having Human Rights throughout their options and in their business relationships.

So this project that we have embarked upon together with Article 19 and SIDN feeds in specifically to that area of work which is the direct corporate engagement that we do.

And we do so on the basis of the set of principles by the UN called the UN guiding principles on business and Human Rights which focus on both the states responsibility to protect against Human Rights abuses and the respect of Human Rights and the remedy for corporate Human Rights abuses.  Narrowing specifically on the corporate responsibility to respect one of the key elements is for corporations to identify, assess and address their Human Rights impact.  So essentially conducting Human Rights impact assessments. 

And to further explain what this means in practice the Danish institute for Human Rights developed a toolbox for Human Rights impact assessment which is basically based on our experience of conducting these types of assessments with companies to identify and assess and address their Human Rights impacts specifically within physical company activities, so focusing on food and beverage sector, textile sector, as well as electronics experiences we put together this toolbox which describes through five phases how to connect the Human Rights impact assessment, how to take a Human Rights based approach to that assessment both in terms of doing the assessment as well as using Human Rights as a benchmark to measure corporate conduct against.

If you go to the next slide, please.  Now in our experience there are several different levels of Human Rights impact assessments so the toolbox that I mentioned before focuses very much on-site level impact assessments, but I wanted to touch upon some of the different levels and some of the ways in which the ICT sector has been working on conducting Human Rights impact assessments. 

So we have what we would call the integrated approaches to Human Rights impact assessment which is basically companies taking Human Rights into their already existing impact assessment measures so speaking specifically from the experience of extractives that would be to include Human Rights into environmental social health impact assessments as well as looking at integrating a specific Human Rights issues areas of concerns into assessments performed by the company so that could be specifically around children's rights, around forced labor, et cetera. 

Then we have the stand alone Human Rights impact assessments.  Those can consist of company level assessments so the companies themselves conducting assessments of their own operations often with the support of third parties as well as community‑led impact assessments where it's actually the community around the company operations that conducts the assessment. 

And then we have what we would call kind of issue‑specific impact assessments focusing on specific areas of concern as well as product‑specific or service‑specific impact assessments.  And this is where we have seen maybe more of the examples from within the ICT sector specifically with telecos, looking at their specific impacts in various countries, looking at everything from their more physical type activities so the cables, the trench diggings, et cetera, to their relationships with governments in relation to take‑downs.

Then we have what we call sector‑wide impact assessments.  Just to give an example of Myanmar the Danish institute have conducted a sector wide impact assessment for the ICT sector in Myanmar which covers the more physical types of the sector as well as the governance and relationship with government there. 

And then finally we have kind of a more not as well-defined area which is multistakeholder Human Rights impact assessment where there are limited examples, but the idea would be to bring together both government, Civil Society, the companies themselves, as well as the rights holders to collectively conduct an impact assessment.  So that approach is still to be seen. 

Now, as you can hear we have a lot of experience around Human Rights assessment.  There are a lot of cases out there.  Also for ICT.  So how do we go about looking specifically at the context of the registry which is not a type of ICT sector activity that we have looked at in the past.  So what we basically did was together with SIDN look at what are the particular types of operations of SIDN and how do these actually or positionally intersect with various Human Rights?  

So basically what we did was try to understand the business so both the physical parts of the business so how SIDN relates to its employees, to its suppliers, communities, et cetera, as well as what we would call the non‑physical or infrastructure development elements of their role as a registry. 

And we looked at different guidance and standard sources, we also look at the EU sector guidance, we looked at global network initiatives and freedom of expression and privacy.  And we also looked at the ranking digital rights corporate accountability index as some of the more sector specific sources to assess SIDN against.  So if you go to the next slide you can see some of the dimensions of focus for our work with SIDN through the tool.  Next slide, please.

So what we basically did was to look at the different ways in which SIDN interacts with rights holders so that is as I mentioned before both by being an employer of people by being a procurer of goods and services that also employ people and engage with communities, by being a part of communities or a member of the local community where there could be potential impact as well as providing TLDN domain services.  Also in their innovations and extra services.

So those were the areas we looked at.  Actually today Article 19 also put out the tool kind of the benchmarking tool that we used for this analysis into the public domain so that link can be found through their website. 

>> MEHWISH ANSARI:  Thanks for the overview.  So I mean basically what you're saying is that there's been a growing body of work on HRIA model development for the ICT sector in general but when it come to the registry it wasn't a matter of copying and pasting the toolbox, right? 

So could you give us an idea of what was developed to address the Internet registries in particular, do you have an example?

>> CATHERINE BLOCK VEIBERG:  Well, the whole section about their role as a registry was something that we had to really kind of think about and adjust according to the role that SIDN plays in relation to the registrars in setting expectations there.  Their engagement with the government as well as with ICANN. 

So that was an area where there was limited guidance already available.  Some of it we could apply with regard to take downs et cetera.  There was some guidance to use including also on freedom of expression and privacy, but we also found that needed to be adjusted and tweaked to the realities of the business of the registry. 

>> MEHWISH ANSARI:  That's really interesting.  Maarten, turning to you, how did SIDN become interested in implementing a mobile to good with? 

>> MAARTEN SIMON:  Good question.  I must admit as a domain name registry it's not so much a daily thing to think about Human Rights and Human Rights respects.  And doing an impact assessment is not something that came up to us like that, but we have luckily Niels from Article 19 has been in the accountability stream of ICANN together with a colleague of mine and they have been discussing it.  And when Niels proposed it to us it was sort of okay, Human Rights, yeah.  That shouldn't be a problem.  We will be compliant, and we will do everything as must be in line with that.  So why not?  Let's just try and see if we can work on a model and that was the beginning of it. 

And then he reluctantly looked at me and said Maarten could you please undo it and that was my role.

>> MEHWISH ANSARI:  Catherine talked about model development so moving from development implementation.  Maarten, can you briefly walk us through how the model was actually implemented with SIDN? 

>> MAARTEN SIMON:  Yeah, but maybe it's better to go back to okay what did we do to get to the model?  Because first of all we had a few over the year, last year, I think we had two physical meetings and 3 or 4 goals from a few hours.  And for us as the registry, well, of course we said we will ‑‑ Human Rights shouldn't be an issue for us.  But at the other hand it's a concept that is also not really clear.  I'm a lawyer, I work as a lawyer for SIDN but if you ask me to give me a list of all the Human Rights that are there, out there, and where should I find the list of things I should comply with, then it's really okay, I don't know.

So one of the things we did was an introduction of okay from well you gave it Catherine and Niels also, what are we talking about was one issue.  And there was the other one, what does a registry do?  So we had a long conversation about what is the role, what are we doing, what is relevant in this matter.  And I think there are of course a number of ‑‑ there are big differences between country codes and GTLDs as we are not under the rule of ICANN, we can sort of set our own policies around rules while others are not.

So we had a lot of discussion to get to the right model.  And, well, we got far, I think. 

>> MEHWISH ANSARI:  So it was discussion based, through questionnaires.  I mean what were some of the challenges you encountered during implementation? 

>> MAARTEN SIMON:  First of all, time.  One of the difficulties for us was that we are ‑‑ well domain name industry mainly has small players, so our organization consists of around 100 people and of that I think 60% are technicians.  There's a lot of people that support and all kinds of stuff. 

But if you look at the questionnaire, then there's two people that only could answer 95% of the questions and one was someone from HRIA who was really knowledgeable about those questions and then it was me as a lawyer because all questions have sort of legal policy aspect.  And we are a small company. 

So I was the only one who had to answer most of the questions and that takes time.  So that's difficult because in the end it takes time to try and figure out okay it's not only I know the answer to the question, okay, but where did we write that down?  Is there something that proves that we really do what we say we do?  And that's not always so easy because that took a bit. 

>> MEHWISH ANSARI:  So definitely addressing the challenge of time in the model itself, right, making sure that's accounted for.  Were you surprised by any of the findings following the completion of the assessment? 

>> MAARTEN SIMON:  That's difficult to say.  If you work at something for a few months, then you're not surprised.  But if you go back to it, I think there were a few things that for example we had on India HRIA we had a lot of procedures and rules designed to protect our employees.  Well, I couldn't find them myself on our internal website.  So yes, the procedures are there but where are they?  I couldn't find them.  Stupid things like that.

But if you look at the specific things for domain names, our industry I don't think was really surprised with that. 

>> MEHWISH ANSARI:  Thank you.  I'm going to turn to Beth for a little bit because I wanted to zoom out.  Case studies are only as valuable as their application.  I wanted to look at the broader landscape of infrastructure providers.  Looking into Maarten's thoughts about how they got interested in HRIAs and thinking about some of the challenges that might come up with other infrastructure providers can you talk about the findings of your research on adoption drivers?  What did you find were the reasons why infrastructure providers interested in the principals on Human Rights or HRIAs in particular?

>> BETH:  Thanks for having me on this panel.  In collaboration with Article 19 for the last couple months I've been looking at the why.  When you don't have a Niels to be introduced to Maarten.  What are the other drivers out there for adoption of not only rhetorically adopting something but actually really embedding and implementing things like Human Rights assessments.  A quick note on methodology and then I'm going to share two drivers of adoption as well as two barriers to adoption that I found.

So I spoke with over a dozen transnational corporations and I chose them for the geographical distribution as well as the size affected by the services and I was looking at three different layers of the infrastructure stack.  I was looking at equipment providers, content delivery networks and some of the really major ISPs that chunk infrastructure providers.

I conducted interviews but also did process tracing where I wanted to understand if they published something like a Human Rights impact assessment, published a policy or transparency report what were some of the major driving events that might have preceded that such as a scandal or Internet shut down.  I'll start with two of the barriers to the adoption.  These are when infrastructure companies did not adopt something like a Human Rights impact assessment but thought about it, they often cited local law. 

So generally law enforcement and requirements to access user data was cited as the number one reason that companies would not adopt UN guiding principles because they said we cannot live up to the privacy standards.  A second barrier was perceived loss of availability.  By adopting Human Rights impact assessment even if was to remain private, that the company themselves would lose this autonomy in being able to have a case by case response to Human Rights scandals.  They didn't want to be bound by what they perceived as a very rigid set of rules.

What were some of the positive drivers?  Why did some of these market leaders focuses like Maarten adopt?  I found a correlation between some sort of public scandal and public attention.  This was true for companies that had higher visible, so tell cos and ISPs and this was less significant of a driver where businesses have other businesses as their consumers. 

Just to give you a concrete example in 2009 it was exposed that Nokia's network infrastructure in Iran was being used to surveil activists during the Greene revolution, so Nokia developed a response after that, the steps that it takes to ensure that it's technologies are not used for dual use and not used negatively by governments and its consumers. 

A second factor related is global public scrutiny.  If Civil Society are playing the role of watch dogs and publishing what happens, that does have an impact on the production of things like Human Rights policies and on conducting Human Rights impact assessments. 

>> MEHWISH ANSARI:  Thanks so much.  And you've kind of scooped up my next question for you which was on barriers so that's great.  Maarten, just coming back to you quickly, what Beth was saying in terms of barriers particularly when it comes to local law or the perceived inflexibility did any of that concern in internally within SIDN during implementation? 

>> MAARTEN SIMON:  No.  One of the conclusions we overall had was we were safe in a number of things by our local law.  And I think it's in the Netherlands I think we implemented a lot of laws that use Human Rights as a basics.  So I think in our case there was not ‑‑ there were no barriers.  Barriers ‑‑ we didn't have a trigger.  I can't remember that we did something wrong that we now have to make up for by being public.  For example, we were thinking about transparency reports on things.  What we now do is really reconsider and will grow the information that we will share so that's one of the things that I want to highlight as something that came out of it which is for us quite helpful. 

>> MEHWISH ANSARI:  I guess maybe moving forward when it comes the adoption breaking down the idea between perception and reality, the barriers may not be real barriers.  Great.  I'm going to literally turn now to my other two panelists, to talk a little bit about the IETF.  We are not talking about specific instance of a concluded HRIA and not talking about an infrastructure provider so rather we are going to explore where we have come in terms of Human Rights considerations within the IETF and the position for how we can progress these considerations so it's a bit more of a top-level discussion. 

So Alissa, would you mind starting us off with an overview of what the IETF is and the relationship between the IETF and the IRTF. 

>> ALISSA COOPER:  The IETF works on the technical standards needed for all the devices that are connected to the Internet to be able to interoperate.  Some of the ones you might have heard about, the Internet protocol IP, also the domain name stem, many of the technical standards needed to make the Internet function as it does today were originally developed within the IETF.  It's a 31-year-old organization. 

When we published our standards they're published in a request for comment, the RFC series.  There are over 8,000 RFC's in publication today.  The mission of the IETF is to make the Internet work better, literally, that's the mission.  And we tend to think of it as engineers who come and participate in the IETF processes, we think of that very functionally. 

So when we are tackling a new problem in the standard space it's often about some aspect of betterment from an engineering perspective, whether that be improving a performance of the Internet, making it faster, more reliable, improving its security, making the manageability of the network simpler or more agile, those were the kinds of things we tend to conceptualize as problems where standards can help create a solution in addition to wanting to make things more interoperate and allow for systems to be able to connect to each other. 

We also focus across the whole Internet.  If you have new technology or standards you want to propose but it's really targeted at only a particular network on used privately within your own network that's not the kind of work we take up in the IETF or we try to reconceptualize what you're proposing.  And one of the implications is that what we end up building most often are building blocks for specifying things from an architectural perspective as opposed to building complete systems.  That's not what we do in the IETF.  I work at Cisco, we take lots of different pieces of what gets built in IETF and stitch them into a product that we then sell on the market.

The result of this is that many of the things that we build in IETF are extremely generic.  So if you look at IP, it gets used all over the place.  But this is important when thinking through some of the Human Rights considerations that we understand the level of generality at which we are operating.  So that's kind of a brief intro to the IETF.  As was mentioned we have a sister organization which is the Internet research tasks for, the IRTF. 

And the IRTF operates quite differently, has potential to have a much more expansive focus, can look at work that is much more experimental from the research realm.  And the IRTF doesn't specify Internet protocol standards at all so it's a place where we can develop ideas where we have good contact with the research community and academic community but in the IRTF there's more of the nature of the exploratory work as opposed to the IETF where we go towards developing and supporting documents that you need.

>> MEHWISH ANSARI:  Thank you.  So I mean, you've brought up some really interesting pieces.  And so I want to bring that together into how you've seen the conversation on Human Rights manifest in the IETF, whatever thoughts you have on that.

>> ALISSA COOPER:  Sure.  Maybe from the brief intro as Maarten said Human Rights is not a daily topic in the IETF.  It's not something that they deal with much at all in their day‑to‑day work.

And yet if you look at some of the latent values and tradeoffs that have been built into it, there's a pretty strong culture in terms of wanting to make those tradeoffs in favor of designs that actually are very much promoting Human Rights even though we don't talk about it, it's often there implicitly. 

I can give you examples.  One has been the focus on security.  There's a very strong security culture in the IETF, Internet security, going way back to the '90s.  The early '90s was when we first wrote down that every IETF document needed to be a security consideration section where the authors need to describe what the security implications are of the protocol that they're standardizing. 

In the early '90s it was a paragraph that says you need to have a section in your document which doesn't give people a lot of guidance but over the years we built up the detail required in that guidance and developed a culture where people think immediately as their offering some new standard to the IETF about things like confidential and integrity. 

Again, these building blocks that on their own those words likely don't appear in many people's list of Human Rights protections, but they are drivers that help people create systems that are promoting Human Rights, so security is one example.  I think another example lies in user control, the notion of pushing functionality out to the end of the network, decentralization, another strong value implicit in many of the designs of the protocol. 

There's an RFC3935 that talks about how we embrace the concept of end user empowerment and that this is on purpose, it's not a byproduct of how we decided to design things, it was affirmatively chosen that we were going to design things this way. 

The last example I'll give is around privacy.  Around privacy we have become more explicit so it's less implicit consideration and we have gotten a little bit more rigorous how we tried to approach it.  Going back to 2013 we published an RFC which specifies guidelines for authors to incorporate guidelines into their protocols.  It doesn't tell people what they have to do but it gives them a long list of considerations that they can take into account as they're doing their designs.  And it focuses really on things like data minimization and users have control over their systems, setting what the defaults are for a new kind of protocol.  That's a place we have gotten more creates recently but it's not binding in anyway.

>> MEHWISH ANSARI:  I want to come back to you in just a moment for your thoughts on potentiality or possibilities, but I really want to contextual lies Alissa's work, so I want to turn to Niels for a bit.  Can you tell us what the research group has been doing and what you see the aim of this work to be in the context of the IETF?

>> NIELS TEN OEVER:  Thanks, so much.  What we have been trying to do is at three groups that like very different things try to talk to each other.  So Civil Society loves big ideas.  Layers love risk assessments and procedures and compliance.  And engineers love really well-defined problems.  So how to get these different groups to talk to each other and to make it work has been quintessential with what we have been doing with these different groups.  And that is both exploring and translating and going down avenues that work and some that don't work. 

And that's the work we have been doing for a while.  And luckily we are not reinventing the wheel whatsoever.  I think what Alissa said and Sandra Braman (phonetic) has shown in her academic work is since the first RFC's there have been discussions about policies, rights and civil liberties as part of the discussion.  And the way the IETF defined DNS resulted in many of the problems that Maarten had to think over and as a result of many of the discussions in ICANN as well. 

So we are also trying to trace where the problems are.  And we can't find the problem at once.  And that's also the strength of the Internet.  But if we want to fix it we need to fix it in many different places.  To work with SIDN is very different from the work in ICANN which is different from the work in IETF and there's not one place we can fix it all.  Within the IRTF we have been trying to understand what is the Human Rights impact of protocols.  And trying to understand that. 

So whereas the need with SIDN case was very physical, here the impact was much more high level, so we started reading RFCs and quickly found out this is too much because there are over a thousand, so we started interviewing engineers like what are the shared values, what are the thoughts about rights in the community.  And then started to design case studies together with Corinne Cath, and increasingly we managed to translate what we were interested in and managed to get interest in a lot of contribution from the engineers in the IETF and IRTF. 

Without them that work would not have been possible, so collaboration is key.  And the work that came out of this which is captured in RFC8280 the model that comes out is great, but the fruit of the work is in the process of working together and create that can awareness that people want to implement new things start to think about.  We get to implement the promise that we made here in 2003 where we said that Internet governance should be based on Human Rights.  Only now we are drilling it down.  Only now it's hitting the metal. 

It took us 30 years to understand how to do that.  There's the discussion of the Internet getting more important.  And you see organizations like the IETF has a lesser focus on security, grew into taking security more seriously than developed much better ideas about privacy but it's not obligatory to think about it yet and now thinking about other human rights.  So much you see evolution and how they think about their responsibilities. 

>> MEHWISH ANSARI:  Thanks.  So I mean, in terms of ‑‑ and I want to talk to both of you about this, where do you think the possibilities are for this discussion that's happening in the IRTF to go in the IETF?  Is there potential to look for more concrete mechanisms which we can explore Human Rights considerations in the IETF?  And I'll pose this to both of you, so I would love for you to start.

>> ALISSA COOPER:  The IETF is very much a bottom up organization.  It's very, very true in the IETF.  The way that we work is that anybody can participate, you need an e‑mail address because that's essentially the barrier to entry. 

And if you want to make a new contribution, you write a draft, send an e‑mail, chat with other folks involved to see if anybody is interested in your idea and then you propose it.  So the path forward for penal who want the see more detailed consideration of Human Rights on the IETF side is to start doing that, is to make proposals about how do we fit this set of design considerations into the overall design set of the considerations when taking into account standardizing new technologies in the IETF. 

I would say as one of the authors of the privacy guidelines and spending a long time working in that area, I think there's a couple of important things to keep in mind for people who want to be successful on that endeavor.  One is an alignment with other objectives.  We did a lot of work in many years in IETF, then there were the Snowden disclosures and a ground swell of interest and work in the years since then has been dramatic.  So to the extent that people are incentivized to do the thing that you want them to do, if you're building a little bit more on top of that, that can be a really nice thing for getting by in the IETF community.

The other thing is that I think one of the draw backs even of the way that we went about with the privacy considerations is it appears to be heavyweight.  And if anybody goes around to different standards organizations to see what their work is like and list tone what people talk about, one thing you will hear is standards are slow. 

This is all relative and I don't think that characterization is really true the cross the board in any sense, but anything perceived to make a process slower is going to have a harder time getting direction rather than oh here is how we are going to help you or do the reviews so that everybody in the community understands what are the benchmarks that we are comparing against.  Those things are necessary, so people don't feel that you're putting up a barrier in their case, whether they're trying to hit a deadline or something like that.  So trying to align to the rest of the objectives of the work and not be perceived as slowing things down I think will be incredibly important going forward.

>> MEHWISH ANSARI:  That's excellent.  That's a great map for a path forward.  Niels, can we consider HRIAs, and where you see the potential for developing models, what would be the next steps for this kind of work?

>> NIELS TEN OEVER:  Always, work, work, work, work, work.  We have two Human Rights considerations on going on HTP status codes 451 and we are expecting to do many more, so we are thinking about doing ones that are early in the Internet process.  When you start commenting, you should comment when it's an Internet draft.

So we are testing the model that is developed in RFC8280.  And I really would like everyone to read a couple of RFCs because they really make you understand how the Internet works.  And then work with within the IETF community you learn a lot because people really know how it works so it's also really a pleasure to work alongside so many people who have developed many of the protocols that are the Internet, so it gets really, really concrete. 

And then trying to understand how to make that better if you're able to really define a problem well then often you jointly can find a solution and that is extremely fulfilling and it's making the Internet better. 

>> MEHWISH ANSARI:  Thank you.  We have got a little less than ten minutes left so I want to bring the panelists together because it seems like we have been hearing people talk about similar things.  Alissa basically talked about adoption and drivers and barriers in her discussion much like Beth discussed.  I'd like to bring the panel together.  We talked about actually implementing an HRIA and talked about the possibilities, the potentiality for making Human Rights considerations more concrete in the IETF but infrastructure providers and standards organizations are just very different types of actors, so I want to ask the dais being participants in both types of actors and communities.  We will start with Catherine. 

How do we need to approach HRIA development in general when it comes the infrastructure providers, the gap that exists that we touched on and the flexible for that to apply to organizations? 

>> CATHERINE BLOCH VEIBERG:  That's a difficult question to answer and does require quite a bit of additional research and understanding of the exact activities of the various actors.  One of the key challenges is that when looking at the Human Rights impact assessments based more generally, how it's been developed and how it's being applied is on the very physical activities of companies in other sectors that do have more physical footprint on the ground and more of a direct connection engagement with the rights holders, where what I see as the main implementation challenges when talking about infrastructure providers around the Internet is really the way in which those activities are removed from the direct rights holders but at the same time having a huge effect on their ability to enjoy their rights. 

So that I think that kind of ‑‑ kind of building more into the policy space of how different measures, activities, impact rights holders more in the long‑term is something that need to be further kind of explored and developed in order to better conduct impact assessments at that level of analysis. 

>> ALISSA COOPER:  It strikes me there's a bit of a graduation here.  As you were saying when you conceptualize this in physical space at least from my perspective it's pretty straightforward.  You can understand what you're grappling with and you can evaluate what the Human Rights are and then you go up the chain to infrastructure providers or other kinds of companies that Beth is studying.  In that case it might not be something physical but it's a product being sold.  You take the content down or you leave it up, there's a decision the business makes and a corresponding implication. 

And you continue going to the place where I am, where the IETF is where we are building these generic building blocks and we have no idea how they will be used.  If you ask anybody who was there when HTTP was first designed that it would be used in all the ways that it is today probably nobody would be able to predict that.  There's a challenge at the point of standardization when you really have no idea of how this thing is going to operate once it gets out into the world and people start using it and combining it with other technologies.  It's an observation the level of difficulty seems to go up within the level of what you're working on expands.

>> NIELS TEN OEVER:  Building on what Alissa said I do think we can get a better understanding of the potential impacts of standards with diversified actors thinking on them because often discussions are limited to a relatively small group of stakeholders and we could think that through better. 

We should not say leave the ethics to the lawyers, but we should help try to translate ethical questions and think about them with the engineers, not just shout it to the engineers do it, do it!  It's such a bad way to motivate people by screaming at them.  It's not the best way of doing it.  Creating these discourses of trying to understand the impact, not only understand the impact but also imagine new futures.  By that both groups can actually win from that.  I think that's a possibility.  And thinking about it at the standards level also helps because there is really where you have the overview of the architecture.  And that's much harder to think about that at the end point where we are at a whole different part of the stack.

So it has merit to think about this in all places, just don't try to think about everything in one place because that's simply not how the Internet works thankfully.

>> I would like to emphasize one comment that Niels made earlier and offer a concrete recommendation and maybe some optimization for Civil Society.  Niels mentioned that the fruit of the labor in building collaboration with Human Rights.  They really are eager to avoid reputational damage and implement whatever frame works and assessments are necessary to comply with Human Rights standards, but they don't all necessarily have the in‑house expertise so it's a desire to collaborate and self‑society needs to think about what carrots we can use, not just stocks. 

The watchdog level is still important but also to reach out proactively and say would you be interested in conducting a Human Rights impact assessment, we have this model, we would be really happy to collaborate with you because there really is interest there.

>> I just had a quick reflection or so at the standards level at what you mentioned Alissa is that you do have some experience from the past.  The past standard actually having that negative affect in the future.  That strikes me as an opportunity to also look at well how are they developed and what do you do in order to kind of better foresee those issues going forward in the future?  So that kind of, yeah.

>> ALISSA COOPER:  Yeah, I think in focus areas this is something we actually do all the time, so we discover security bugs and say let's not ever do that again.  I think it's a matter of potentially ‑‑ but I think part of the reason why we have focused more on security and privacy and manageability is because it's more easy to operationalize them from an engineering perspective and it's been a little harder sometimes as Niels says you can't just come in and say do free expression, it doesn't work. 

So making the link between how this specific design decision that we are sitting here debating today in the IETF is going to have this particular impact on things like free expression or freedom of association.  It's a lot harder for people to have to grasp.

>> MEHWISH ANSARI:  Okay.  So we are right out of time but it might be a little rebellious.  Are there any questions?  We will just try to briefly answer questions because I realize we have eaten up the time.

>> AUDIENCE:  I came in late, so it might have been answered.  I wanted to take the spotlight off the IETF and wonder about the W3C.  And also with this thought given to the non‑standardized areas which are huge, for instance in instant messaging where there are instant messaging clients all over the place, many colors, shapes, sizes which perform a very important function. 

It's a bit catastrophic actually that area but it's important.  Were it to be standardized in a way that was widely accepted would actually have these Human Rights considerations attached to it and yet maybe it doesn't at all because it's an area that's not standardized. 

>> ALISSA COOPER:  I do think that the W3C has had something of a similar journey to the extent that I understand it.  They do face slightly different set of considerations.  Obviously, they had a whole big body around accessibility which has had less play in the IETF, but I think it's the same thing that's going on there. 

Honestly, I think the IEEE is having similar conversations, perhaps not with the Human Rights framing but around particular rights, around privacy and that kind of thing.  It's an active topic in little corners of each of the standards organizations.  To your point about standardization, instant messaging, there are standards for instant messaging.  Anyone who wants to come and bring their non‑standardized IETF is welcome to do so.  Not only do you get interoperability, but you get a broad review from people who have expertise in other areas of Internet protocol who have thought much more deeply about internationalization or security, what have you, and that can be an aside method that we get from standardization and that's a similar flavor to what we have been talking about with Human Rights consideration.

>> NIELS TEN OEVER:  I think centralization in many parts of the Internet stack is a sad fact that we did not predict.  And that is very sad to see.  And what we have been working on is translating legal concepts to the technological environment and vice versa.  I think we need to start taking economical analysis way more into account to really understand the problem and come up with solutions because it is hampering freedom of expression, it is creating new bottle next and creating huge problems when it comes to platform responsibility. 

And at the last IETF in Singapore there was talk of the quantum pendulum that the Internet is the same time distributed and now centralized.  That is a program we should address.  And I think we should think about what the consequences it has for a network and particularly for the infrastructure and the risks for Human Rights because it is a risk for interoperability and the standards and the process that the Internet has been built on. 

>> MEHWISH ANSARI:  Okay.  Any other very, very, very, very quick questions?  No?  Okay.  So I think we'll wrap up and chalk up being four minutes over to the fact that we got the room late if anyone asks.  That's it for us.  I would like to conclude with a round of applause for our amazing panelists. 

(Applause)

And we appreciate all of you taking the time on the last day to join us for the workshop.  We hope you enjoy the rest of what is left of the IGF.  Thank you. 

>> NIELS TEN OEVER:  And please comment on the model.  The model is tweeted out.  You can find it on the Article 19 website.  We would like to continue to improve it because we probably didn't get it right at one time.  Please work with us. 

(Session concluded at 13:25 p.m. CET)