Author: SC Leung A Chinese version of this published in IT Pro 2013-02 A stone was thrown in Dubai in December 2012, starting a ripple of impacts to the governance of the Internet. The ripple will reach us latest by 1 Jan 2015.
The International Telecommunication Union (ITU) discussed and passed the new International Telecommunication Regulations (ITR) in the World Conference on International Telecommunications (WCIT-2012). This has far-reaching impact on Internet governance and Internet freedom, and the balance of cyber security. ITU is an international telecommunications standard body with member states representing the governments of various countries. The previous amendment of the International Telecommunications Regulations (ITR) dated back to year 1988. So ITR is failing to keep up with the times (for example, the development of the mobile communications) and an amendment is inevitable. The Dubai meeting became a hotspot because some member states tabled very controversial proposals. They include: 1. Extending ITU’s regulatory authority from telecommunication to include the Internet. Some African member states even proposed to expand further to anything relating “ICT”. 2. Requiring the member states to address cyber security and anti-spam issues 3. Permitting member states to impose restrictions on the routing of Internet traffic and collect subscriber identity information These proposals raised controversy on the openness and freedom of the Internet, tried to change the underlying infrastructure of the Internet. The ITU expansion could seriously impact the current Internet governance model and might undermine other ongoing efforts by institutions better suited to Internet governance and security. Internet Governance Model The Internet population has exceeded 2 billion. The Internet is a globally distributed network, including many voluntarily interconnected networks. It does not have a central governing body. The governance model has a decentralized and multi-stakeholder characteristic. Internet Corporation for Assigned Names and Numbers (ICANN) oversees the assignment of globally domain names, IP addresses, transport application port numbers. The Internet Engineering Task Force (IETF) develops and promotes Internet standards. The Internet Governance Forum (IGF) provides a platform for non-binding conversation among multiple stakeholders about the future of Internet governance. (See Figure 1)
In network security and anti-abuse area, the IETF and the Messaging Anti-Abuse Working Group (MAAWG) are responsible for the network security policy, the formulation of safety standards and best practice, and to respond to the emerging information abuse and network attacks. The Global Computer Emergency Response Team Coordination Organization Forum (FIRST) and Asia Pacific Computer Emergency Response Team (APCERT) and other regional CERT organizations provide collaboration platform for CERT of various economies, institutions concerning network security and service providers to coordinate network security incidents and to prevent abuse of network resources. Governments and semi-government organizations participated. In addition, ICANN established Conficker Working Group to tackle the problem of the Conficker botnet. This working group has participation of governments but they did not take leadership nor intervene the process. The governance of the Internet is a multi-stakeholder model, including civil society, the private sector, academic and research institutions, government and international organizations. In their respective roles, these organizations work together in the public interest to create shared policies and standards, maintain Internet global interoperability. The governments do not dominate and the meeting is open to the public in a free, open, mutually trusted and more democratic way. On the other hand, ITU is a national government centric model, with member states negotiating national interests through closed-door meetings. The transparency is low and there is little involvement of the civil society. Applying the ITU mode of operation will introduce more influence due to national politics to the Internet. This is incompatible to the existing multi-stakeholder governance model. Formation of Two Camps in the Dubai Meeting The Dubai meeting is akin to the Cold War. One camp included Russia, China, some Arab and African countries who proposed to regulate the Internet. The other camp including United States, Canada, EU countries and their allies insisted to maintain a multi-stakeholder governance model for open and free Internet. The two camps stalled in a tug-of-war. In the eve of the meeting, several Internet organizations, human rights organizations and global network providers rallied together to oppose the proposal of the ITU regulating the Internet. Google launched a petition with Vint Cerf, one of the Fathers of the Internet as an advocate of the movement. The petition was signed by more than one million Internet users. Many signatories were from developed countries, but citizens from developing countries (including China) also participated in the petition. Currently the petition accumulated to over 3 million people (Figure 2).
The Final Acts After wrestling through several rounds of negotiations, the Dubai meeting came to the following results:
1. Internet traffic route control proposal Because IP network is to designed to determine the optimal route to reach the destination autonomously, the implementation of route control is impractical. Furthermore it violates the liberalization of the telecommunications market in which carriers set up commercial agreements on routing to maximize effectiveness and minimize cost. This proposal was struck off. 2. Expansion of regulation scope to ICT Because the definition is too vague and the impact too far reaching, it was rejected. 3. Expansion of regulation scope to the Internet The final proposal have this on paper. To address the concerns on Internet freedom, the Preamble of the final proposal had added “Member States affirm their commitment to implement these Regulations in a manner that respects and upholds their human rights obligations.” However, in other provisions of the ITR, the phrase “subject to national law" is commonly used to empower member state to take actions. The ITR did not deal with the priority when “human rights obligations” and “state law” are in conflict. Moreover, there was no definition of “human rights obligations” and they are not referenced to the “The Universal Declaration of Human Rights” or the “International Covenant on Civil and Political Rights”. This leaves a lot of room for Member States to interpret. 4. Addressing cyber security and anti-spam The final proposal added articles “5A Security and robustness of networks” and “5B Unsolicited Bulk electronic communications". To address the concerns about misuse of network security and anti-spam to violate right of expression, Article 1 added “These Regulations do not address the content-related aspects of telecommunication.” to balance. However, “Unsolicited bulk electronic communication" actually involves content of communications. It was reported that Russia and other countries have given up some sensitive topics in the Dubai meeting, had been willing to revise the proposed wording to make them easier to pass. ITU also tried the open portion of the meeting to non-governmental personnel to attend. However, once the door to regulate Internet is opened, no one can control if member states revert to the sensitive issue in the future. ITU also did not commit to change its mode of governance permanently. So, even after the above changes, the camp led by the United States (including Canada, the United Kingdom, Australia, New Zealand, Japan, Italy, the Netherlands, Denmark, Sweden, the Czech Republic, etc.) contended that the revised ITR draft still gave member states too much freedom to justify the behaviors that damage the free flow of information, and the destruction of the multi-stakeholder model of Internet governance. They refused to sign. Stalled in the debate, the Chairman of meeting resorted to voting. 89 countries including China, Russia, Turkey, Indonesia, Singapore, Brazil, Nigeria, Saudi Arabia voted to pass the new ITR. The Chairman then announced the new regulations with effect on January 1, 2015. Some member states shall reply after consultation with the government. But eventually most EU countries would refuse to sign, making as many as 55 countries non-signatories of the new regulations.  (Figure 3)
The Aftermath of the Dubai Meeting The Dubai meeting had both symbolic and actual significance. (1) The new ITR expanded the scope regulation to include the Internet, opened a door for heavier regulation in the future, increasing the uncertainties in Internet governance. (2) ITU was originally a venue to discuss telecommunications development, open markets and charging platform. After the Dubai meeting, it will become the venue for contention of ideology, with member states splitting into camps like in the UN Security Council. (3) ITU changed its decision process from consensus building to majority voting in the Dubai meeting. Will ITU adopt similar approach in the future? Internet Society published the report of “Global Internet User Survey 2012” . The survey interviewed more than 10,000 people in 20 countries around the world on their usage, attitudes and behavior towards the Internet. Some of the data worth our attention, indicating people are extremely concerned very much about Internet freedom and do not want too much government intervention:
- 83% of respondents agreed or agreed strongly that access to the Internet should be considered a basic human right.
- 89% agreed or agreed strongly that Internet access allows freedom of expression on all subjects, and 86% agreed or agreed strongly that freedom of expression should be guaranteed.
- 60% of respondents agreed or agreed strongly that Internet access has contributed significantly to civil action and political awareness in their country.
- 66% of respondents agreed or agreed strongly that governments in countries with no Internet censorship have a responsibility to prevent Internet censorship in countries where the Internet is being censored.
- More than 70% of users agreed or agreed strongly that more government involvement would make the Internet too controlled or would limit content they can access.
- More than two-thirds agreed or agreed strongly that increased government control would inhibit the growth of the Internet and/or stifle innovation.
Having experienced the Arab Spring democratic movement, some governments are wary of the power of the Internet and want to suppress the oppositional voice on the Internet. Some other countries who want to strengthen enforcement to combat cyber crime, may also want to have heavier regulation on the Internet. On the other hand, US, Europe and many countries who largely relies on the Internet in terms of political, social and economic life and innovation take a very different approach. They are very clear to safeguard Internet freedom and multi-stakeholders governance mode. The European Union published the Cyber Security Strategy in February 2013 . The strategy outlines the vision and principles on applying the EU core values and fundamental rights in cyberspace. Human Rights should also apply online and we will promote cyberspace as an area of freedom and fundamental rights. Expanding access to the Internet should promote democratic reform worldwide. The EU believes that increased global connectivity should not be accompanied by censorship or mass surveillance. The ideologies of the two camps on Internet governance poles apart. Will it cause the Internet to be fragmented? Will it threaten the openness, freedom, integrity and sharing of the Internet? Will it impact the multi-stakeholder Internet governance model? Hong Kong is a special administrative region of China and implements one country, two systems. China is a signatory state of the new ITR. Will the government launch a new Internet policy in 2015? Whether you are Internet users, media, businesses with online presence, online service providers, network management or information security practitioners, this issues matters to you. Clearly, different state governments are preparing for the next action to meet the future challenge. I believe that the shock wave of ITR may arrive well before year 2015. [Note 1] Take Action: A free and open world depends on a free and open web https://www.google.com/intl/en/takeaction/ http://www.freeandopenweb.com/ [Note 2] Final Act, World Conference on International Telecommunications (WCIT-12), Dubai December 2012 http://www.itu.int/en/wcit-12/Documents/final-acts-wcit-12.pdf [Note 3] WCIT-12 Final Act Signatories http://www.itu.int/osg/wcit-12/highlights/signatories.html [Note 4] Global Internet User Survey 2012 https://www.internetsociety.org/internet/global-internet-user-survey-2012 [Note 5] EU Cyber Security Strategy – open, safe and secure http://www.eeas.europa.eu/top_stories/2013/070213_cybersecurity_en.htm
作者: 梁兆昌 刊於 《IT Pro 2013年2月》 國際電信聯盟（ITU）在2012年12月的國際電信世界會議（WCIT-12迪拜會議），通過新修訂的國際電信條例，一石激起千層浪，對網絡自由和互聯網管治影響深遠，衝擊波將在2015年到達，大家不可不知。
ITU是一個協調國際電信標準的機構，各會員國代表國家的政府。國際電信條例自1988年以來沒有修訂過，未能追上時代（例如流動通訊）的發展，修例是在所難免，不過，因為一些成員國在迪拜會議提出了非常具爭議性的建議，使該次會議成為一個熱點。其中幾個建議包括 (1)擴展ITU的監管範圍至包括互聯網，一些非洲會員國甚至提出要進一步擴大至任何涉及資訊科技的環節；(2)要求會員國合作應對網絡安全和垃圾郵件；(3)允許會員國對互聯網交通的路徑實施控制，並收集用戶身份的信息。這些建議影響互聯網的開放自由，網絡基礎結構，也可能會嚴重沖擊現時的互聯網管治模式，與其他正在負責互聯網管治和網絡安全的機構重叠和沖突。 現時的互聯網的管治模式 目前全球上網人數已突破二十億大關，互聯網是一個全球分佈式的網絡，包括許多自願相互連接的網絡，它沒有一個中央管理機構，治理模式具有分散式、多持份者的特色。其中，互聯網名稱與數字地址分配公司（ICANN）負責全球的域名、IP地址、傳輸應用程序端口號的分配；互聯網工程任務組（IETF）負責開發和推廣互聯網標準；互聯網管治論壇（IGF）提供一個不具約束力的對話平台，讓多持份者討論未來的互聯網管治。
網絡安全和反信息濫用方面，IETF和反信息濫用工作組（MAAWG）負責制訂網絡安全政策、安全標準和最佳實務守則，應對新興的信息濫用、網絡攻擊問題。全球電腦保安事故協調組織論壇（FIRST）、亞太區電腦保安事故協調組織 （APCERT）和其他地區性電腦保安事故協調組織提供合作平台，讓各個經濟體的保安事故協調組織、關注網絡保安的機構和主要服務供應商協調網絡安全事故和防止濫用網絡資源，當中有政府和半政府機構參與。此外，ICANN為解決Conficker殭屍網絡問題，成立Conficker工作小組，有政府參與該工作小組，但採取不領導、不干預的方式。 現時互聯網管治的多持份者的模式，包含民間社會、私營機構、學術和研究機構、政府和國際組織，他們從各自的角色，為公眾利益協同工作、創建共享的政策和標準，保持互聯網的全球互操作性，政府並不主導，而且會議公開進行，是比較自由、開放、民主和互信的方式。 相反，ITU採用國家政府主導模式，透過閉門會議就國家利益談判，透明度較低，民間社會的也參與也很少。以ITU的運作模式管治互聯網，將使互聯網更受國家政治角力的影響，和現時的多持份者的管治模式格格不入。 新的國際電信條例 迪拜會議儼如冷戰，壁壘分明，一方是俄羅斯、中國、阿拉伯和非洲國家的陣營，他們推動規管互聯網的建議，另一方則是美國、加拿大、歐洲國家和盟友，堅持維持多持分者的互聯網管治模式，兩方相持難下。 在會議前夕，多個互聯網組織、人權組織和網絡供應商群起反對ITU規管互聯網的建議。谷歌發起聯署，互聯網之父Vint Cerf是抗議運動的重要倡導者，最後超過三百萬網民簽署了請願書，許多簽署者來自發達國家，但也有來自發展中國家（包括中國大陸）的公民參加聯署。 [圖1] [註1]
- 為了解決對網絡自由的關注，在序言部分增加了會員國「履行其人權義務」等抽象字眼，可是，在其它很多條文中又有「依據國家法律」 等字眼，沒有處理孰為優先；而且，沒有界定入權義務，亦沒有參考「國際人權宣言」或「公民權利和政治權利國際公約」，給會員國很大的詮釋空間。
據報導，俄羅斯等國家已經放棄在迪拜會議提出某些更敏感的議題，又願意修改建議的字眼讓它們更容易通過，ITU亦嘗試開放部分會議讓非政府人員列席。可是，一旦規管互聯網的缺口打開了，無人可控制某些會員國不重提敏感議題，而ITU亦無承諾永久改變其管治模式。所以，縱使經過以上的修改，以美國為首的陣營（包括加拿大、英國、澳洲、新西蘭、日本、意大利、荷蘭、丹麥、瑞典、捷克等）認為經修改後的條約，仍然賦予會員國很大空間去合理化損害信息自由流通的行為，和破壞互聯網的多持份者管治模式，拒絕簽署。會議主席在辯論僵持不下時點票，有89個國家，包括中國、俄羅斯、土耳其、印尼、新加坡、巴西、尼日利亞、沙特願意簽署這一條約，主席隨即宣布新條例通過，於2015年1月1日生效。[註2] [圖2] 部分會員國表示須諮詢政府後回覆，但相信歐盟國家大多會拒絕簽署，最後可能有多達55個國家拒絕簽署新條例，祇同意執行原有的國際電信條例。[圖3]
餘波未了 這個會議有重要的象徵意義，首先，新的國際電信條例擴大ITU的規管範圍到包括互聯網，為日後加強監管打開了缺口，增加互聯網管治的不定因素。第二，ITU本來是討論電信發展、開放市場和收費的平台，從此加入了意識型態的對抗，猶如聯合國安理會，壁壘分明。第三，向來強調共識的ITU，在意見強烈分歧下以多數決拍板新的電信條例，是否預示ITU以後用投票代替共識？ 互聯網協會的「2012年全球互聯網用戶調查」訪問了全球20個國家超過10,000人，問及他們對互聯網的態度，[註3]，其中有關世界的網民對網絡自由，政府干預的意見十分清晰：
經歷阿拉伯之春民主運動，有些國家對互聯網的威力十分忌諱，希望壓抑網絡的反對聲音，亦有國家想加強打擊網絡犯罪的力度，由是想規管互聯網。另—方面，在政治、經濟、民生和創新方面極度依賴互聯網，同樣要面對網絡攻擊的歐美國家和盟友卻堅決維護互聯網自由和的多持份者管治模式。歐盟在2013年2月提出的「歐盟網絡安全策略」開宗明義說：「人權也應該適用在網絡上，我們將促進網絡空間的自由和基本權利，網絡連接的擴闊應該推動全球的民主改革。歐盟認為增加全球連接，不應該伴隨審查和大規模的監察。」 [註4] 兩個陣營對的互聯網管治的想法南轅北轍，最終會不會使互聯網割裂？更多國家政府介入互聯網管治，對互聯網的開放、自由、共享和安全，有甚麼影響？ 香港是中國的特別行政區，實行一國兩制，中國又簽署了新的國際電信條例，究竟在2015年政府會否推出新的互聯網政策？無論你是網民、媒體、擁有網上平台的商戶、網上服務提供者、網管人員或資訊保安從業員，這個問題對你都關乎重要。明顯地，各國政府已步署下一階段的行動，迎接兩年後的挑戰。相信不用到 2015年，國際電信條例的餘波可能已經來臨，大家拭目以待。 [註 1] Take Action: A free and open world depends on a free and open web https://www.google.com/intl/en/takeaction/ http://www.freeandopenweb.com/ [註 2] Final Act, World Conference on International Telecommunications (WCIT-12), Dubai December 2012 http://www.itu.int/en/wcit-12/Documents/final-acts-wcit-12.pdf [註 3] WCIT-12 Final Act Signatories http://www.itu.int/osg/wcit-12/highlights/signatories.html [註 4] Global Internet User Survey 2012 https://www.internetsociety.org/internet/global-internet-user-survey-2012 [註 5] EU Cyber Security Strategy – open, safe and secure http://www.eeas.europa.eu/top_stories/2013/070213_cybersecurity_en.htm