Year: 2016

The Internet Technical Advisory Committee (ITAC) to the OECD brings together the counsel and expertise of technically focused organizations, in a decentralized and networked approach to policy formulation for the Internet economy.  The main purpose of ITAC is to contribute constructively to Internet-related policies developed in the OECD. It mostly contributes to the work of the OECD Committee on Digital Economy Policy (CDEP) and its specific working parties such as the Working Party on Communications and Infrastructure Services Policy (CISP) and the Working Party on Security and Privacy in the Digital Economy (WPSDE).

Table of Contents

 

Editorial: Towards an Internet for social and economic progress

By Constance Bommelaer Senior Director, Global Policy Partnerships, and Carl Gahnberg, Policy Advisor, The Internet Society

Guest article: OECD 2016 Ministerial: Meeting the policy challenges of tomorrow’s digital economy

By Josie Brocca, Policy Research and Advice, OECD

Building Blocks for Informing Data Public Policies to Enhance Privacy

By Karen McCabe, Senior Director Technology Policy and International Affairs, IEEE Standards Association

ICANN launches the Domain Name Systems Entrepreneurship Center (DNS-EC) to build capacity in Africa and the Middle East

By Nigel Hickson, Vice President for Europe, ICANN

Identification: A Critical Enabler of Societally Beneficial Economic Growth

By Kenneth Dagg, Chair Identity Assurance Work Group, Kantara Initiative

Taking stock of privacy in APEC

By Christine Runnegar, Director of Public Policy, The Internet Society

Previous Newsletters

Newsletter N°1
Newsletter N°2
Newsletter N°3
Newsletter N°4
Newsletter N°5

About This Newsletter

ITAC provides an avenue for new technical insights to contribute to the work of the OECD. ITAC is open to any Internet technical and research organization that meets the membership criteria listed in the Committee’s Charter.

ITAC encourages Policymakers, members of Civil Society and Businesses to submit queries regarding any of our work to [email protected]

If your organization is interested in joining ITAC and contributing with technically informed advice to the OECD’s development of Internet-related policies, we invite you to visit our website: http://www.internetac.org, to read the “Criteria for Membership” in ITAC’s Charter (Section III).

For further information on ITAC, please contact us at [email protected]

By Josie Brocca, Policy Research and Advice, OECD

Few aspects of our lives remain untouched by digitalisation. The digital economy permeates the world economy, and has profound implications on how individuals and societies interact, live and work.

Putting in place the right policy and regulatory frameworks to support the digital environment and prepare for the economic and social changes ahead is essential. From 21-23 June 2016, Ministers, the business community, civil society, labour and the Internet technical community will gather in Cancún, Mexico, for an OECD Ministerial Meeting on the Digital Economy: Innovation, Growth and Social Prosperity.

Governments and policymakers must look at the digital economy as part of all economic and social policy development and approach it in a more holistic manner if the benefits are to be maximized in the future. Together, they will discuss better policies on a range of issues, including:

• Internet openness – global data flows, which are at the core of the digital economy, have a significant impact on innovation, trade, global value chains and society as a whole. This innovation is driving economic growth and creating new industries – an Internet of Things is emerging.
• Global connectivity – as more of the world moves onto broadband networks, both fixed and mobile, striking the right balance between innovation, consumer demand for products and services and infrastructure investments to meet these growing demands is important to the future growth of the digital economy.
• Trust and digital risk management – trust is also foundational to the on-going development of the digital economy. It underpins business, institutional and personal relationships and is particularly important in a global online environment. Protecting and securing the digital environment in an age of billions of connected devices that continuously collect personal information is a complex task that goes beyond technical and legal challenges.
• Jobs and skills – the increasing use of digital technologies is raising the demand for new skills including non-technical ones that are equally necessary to be able to use these technologies efficiently. These skills mixes are also required outside of work to ensure people are equipped to make use of digital technology in their day to day lives.

The upcoming Ministerial meeting builds on previous OECD Ministerial meetings on the digital economy – the 1998 OECD Ministerial Conference on Electronic Commerce in Ottawa and the 2008 Ministerial Meeting on the Future of the Internet Economy in Seoul.

Ottawa resulted in a global action plan for the development of e-commerce that targeted important policy areas such as privacy and consumer protection. Seoul recognised the essential nature and function of the Internet as a platform for growth and the need for governments to work with all stakeholders to guide its development particularly in the areas of Convergence, Confidence and Creativity.

Cancún will mark another pivotal point in the evolution of the digital economy, one in which digitalisation is increasingly pervading all economic sectors, providing huge benefits for all actors but also effecting social interactions, business and government processes, laws and regulations, and jobs and skills.

For more information on the Ministerial and participation please visit: http://oe.cd/cancun2016

Back to Table of Contents

By Karen McCabe, Senior Director Technology Policy and International Affairs, IEEE Standards Association

One of the four themes of the OECD Ministerial Meeting on the Digital Economy in June 2016 is building global connectivity and how to leverage the economic and social benefits from convergence to the Internet of Everything. In the context of the Internet of Things (or Everything) anything that happens, moves or changes produces data. Security and privacy are intimately linked. The link between data and ability to shape the lives of world citizens is stronger that ever with the use of evolving and new technologies and overall data driven innovation. The impact on the economy and society is tremendous. The impact on privacy and identity is concerning.

With this, there is a need for an inter-connected, informed collection of policies, standards and best practice so that data ownership, security and privacy concerns are holistically addressed and the business and societal benefits of data driven innovation is not hindered. Innovation in collaboration and engagement frameworks that are rooted in common values and principles will be critical—as will be embracing and accepting the geographical and cultural differences around privacy and identity. Global policies that promote responsible data use and data driven innovation, and that take into account identify management issues and practices, should be considered. Bridging industry, technical and policy communities across boarders will be essential to establishing building blocks for good data public policy.

So what are the building blocks?

First, we must consider that data alone do not possess inherent value. Instead it is the processing of data in innovative ways that brings new economic and social benefits, and this value creates a circle to feed into increased use of data-based decision making and analysis. In other words, it is the use of data that matters. With the rise of IoT, we are facing a data revolution. This data extends beyond a result of technology development or advancement and represents a new framework for understanding and interacting in the global economy.

To capitalize on opportunities for economic growth via innovation, flexible and adaptable policies are needed. Stakeholders should focus on using datasets responsibly and work to ensure that personally identifiable information is accessible only by those who are authorized to do so, without limiting innovation. In other words, privacy protection frameworks need to support secure and reliable data flows while enhancing responsible, risk-reducing behavior regarding the use of personal data.

The building blocks will be a combination of tools, processes and paradigms that need to work together to create policies to promote responsible innovation while safe guarding against harmful practices and actors. Building blocks include programs that help stakeholders comprehend, coordinate and integrate principles of privacy, identity management and technology and standards development. This will identify commonalities and differences, and set the stage for how stakeholders may address gaps. Working in a paradigm that embraces openness, transparency and inclusiveness and where there is respectful cooperation, due process and broad consensus will generate synergies, which can lead to an open path for global expertise and insight to be shared and innovated upon.

A core building block will connecting technology experts with policy experts. A current challenge is that those in the technical community are not intimately involved in the technology policy sphere—and those in the policy community are not necessarily fully engaged in the technology sphere. There is a gap between the technical community and policy community that is expected to grow as technology continues to rapidly advance. Today we are increasingly seeing new technology policy challenges coming onto the already complex IG, cyber-security and privacy scene, with the Internet of Things (IoT), smart grid, smart cities, intelligent transportation, eHealth, etc. – and all experiencing the issues of privacy and identity management.

The technical community can bring to bear values used in technology development—values of transparency, open discussion, protection of privacy, bottom-up development, transnational cooperation and consensus standards. It is critical for technology experts to become engaged in IG policy discussions since their expertise and insight could have significant impact to policy discussions, decisions and execution on a global scale. It is critical for those in the policy community to be informed by technologists about the state of technology.

Back to Table of Contents

By Nigel Hickson, Vice President for Europe, ICANN

Over the past couple of years, ICANN has been working with community leaders on various programs tailored to raise awareness on the potential of the domain name industry and foster the development of new domain names related businesses in Africa and the Middle East. ICANN stakeholders in both regions have come together to develop the local expertise in the domain name sector to help facilitate the growth of this industry and strategically position them for business success.

This is one of the strategic areas ICANN has been focusing on. Building capacity is critical for this development, and so last year ICANN signed an agreement with Egypt’s National Telecommunication Regulatory Authority (NTRA) at the ICANN London Public meeting last June, to establish a Domain Name System Entrepreneurship Center (DNS-EC) for developing the domain name industry in Africa and the Middle East. The DNS-EC aims to develop local capacities and engage interested parties from across both regions in the global domain name industry ecosystem.

Initial investment for the project is from both ICANN and the NTRA; ICANN, through partnerships with business and technical experts, provides the training and mentoring programs, and the NTRA incubates the Center for the first three years hiring a small team for operations.

A three-year project, it kicked off over the past eight months, with six workshops organised in four countries (Egypt, Tunisia, UAE, Qatar) covering business development, policy and technical best practices in the DNS sector. More than 100 participants from over a dozen countries (Egypt, Tunisia, Sudan, Iraq, Jordan, Lebanon, UAE, Qatar, Pakistan, Kenya, Nigeria, Benin, Burkina Faso and Djibouti) attended. Participants’ backgrounds varied from technical, to policy and business development professionals coming from ccTLD registries, registrars, hosting companies, government agencies and academic networks. Several community experts have already contributed to the project by providing the program with material and taking the time to travel and conduct the trainings. The project is already displaying success with some of the trainees of the DNS technical track recently participating as co-trainers in some programs.

Looking ahead, the NTRA is currently in the process of hiring a dedicated program manager to oversee the Center’s activities and develop its business. We will also see the launch of a legal track very soon. The legal track will specifically focus on legal issues pertaining to domains and domain name disputes.

Cognisant of the importance of this project at this time, ICANN will continue to build the network of experts in Africa and the Middle East and seek to capatilise on it where relevant in both regions. Additionally, we will facilitate internship opportunities for members of registries and registrars to work alongside DNS sector experts, in our continuous efforts to build sustainable capacity on the ground in both regions.

Back to Table of Contents

By Kenneth Dagg, Chair Identity Assurance Work Group, Kantara Initiative

With more and more online purchases, consumers and businesses are rapidly moving into the digital economy. There is also a demand from citizens and businesses that governments digitally deliver more and more of their services.

Work is ongoing in federations such as the Digital Identification and Authentication Council of Canada (DIACC), the National Strategy for Trusted Identities in Cyberspace (NSTIC), the United Kingdom Identity Assurance Program (UK IDAP) and the European Union Electronic identification and trust services (eIDAS) to address these demands. As well, the Organisation for Economic Co-operation and Development (OECD) has established “Trust in the Digital Economy” as one of their four themes that will improve the economic and social well-being of people around the world.

Reports from these groups – Moving Canada into the Digital Age[1], A Digital Single Market Strategy for Europe[2], Building Canada’s Digital Future[3] and Enhancing Online Choice, Efficiency, Security, and Privacy[4] – indicate that national governments realize that there are significant economic growth opportunities when economies move into the digital age. As stated in Moving Canada into the Digital Age1, the case is compelling: “separate research has shown that savings for large enterprises under a digital payments system are estimated at $5 billion per year in Canada with small- and medium-sized enterprises and financial institutions capturing $700 and $600 million, respectively.” Realizing savings such as these will enable businesses to innovate the new socially responsible solutions they require to remain competitive and deliver more and better services to their clients. However, these studies identified that a critical requirement to make this growth possible was an ability to undertake digital identification and authentication.

The Kantara Initiative was established in June 2009, as a program of IEEE-ISTO, to foster identity community harmonization, interoperability, innovation, and broad adoption through the development criteria for operational trust frameworks and deployment / usage best practices for privacy-respecting, secure access to trusted online services.

A key component of the Kantara Initiative is its Identity Assurance Framework (IAF). This framework specifies the criteria against which Credential Service Providers (CSPs) are assessed to become approved by the Kantara Initiative. Enterprises, governments, verticals, and communities can trust credentials proofed and issued by Kantara Initiative approved CSPs as if they had performed the approval themselves.

As an example, the United States Government’s Federal Identity, Credential and Access Management (FICAM) Program approved the Kantara Initiative as a Trust Framework Supplier. With that approval federal agencies in the government of the United States are able to trust CSPs that Kantara Initiative approves for credentials at Levels of Assurance 1, 2, and 3 (non-PKI).

As national economies require this trust, the global economy requires inter-jurisdictional trust. A soon to be released study conducted by Kantara Initiative for the Cabinet Office of the United Kingdom indicated, identified that, with a few enhancements to both frameworks, the UK could trust US FICAM approved CSPs. This study indicates that inter-jurisdictional trust of identification is feasible and should provide an impetus to international fora to begin the work needed to make this possible. To aid in this effort Kantara Initiative will be undertaking work to evolve its IAF to more easily enable the mapping of other trust frameworks.

This work, along with the efforts underway in many nations, is moving the world along the roadway to having a viable digital economy that can be trusted by governments, consumers and businesses.

Kantara Initiative is a participating Member of the OECD-ITAC. If you would like to learn more about its IAF and how your organization can use it or contribute to its growth please contact us using https://kantarainitiative.org/contact-us/

[1]
http://www.paymentsystemreview.ca/wp-content/themes/psr-esp-hub/documents/rf_eng.pdf

[2]
http://goo.gl/vTmDVb

[3]
http://www.diacc.ca/wp-content/uploads/2015/05/DIACC-Building-Canadas-Digital-Future-May5-2015.pdf

[4]
https://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf

 

Back to Table of Contents

By Christine Runnegar, Director of Public Policy, The Internet Society

APEC has been leading the way with an innovative approach to privacy protection for cross border transfers of personal data: an approach that has also attracted the attention of the EU.

While other countries and regions are still focusing on the differences between their privacy laws, APEC economies, having agreed on a set of general privacy principles (the APEC Privacy Framework), found a way to bridge their diverse legal environments to enable privacy-respecting cross border personal data flows. Additionally, they shifted the principal resource burden from enforcement (public authorities) to compliance (data controllers, processors, and those who certify them). The result is the APEC Cross Border Privacy Rules (CBPR) system and the APEC Privacy Recognition for Processors (PRP). (Please see www.cbprs.org.)

Participation in both systems is voluntary. Economies choose whether they wish to participate, accountability agents (i.e. those who certify that organisations are compliant with the APEC CBPR program requirements) choose to be recognised, and organisations choose to be certified as APEC CBPR system and/or PRP compliant. The foundational feature of both systems is accountability for personal data collection and handling. Organisations wishing to be certified must demonstrate that their privacy policies and practices meet the required standard, accountability agents must verify and monitor compliance, and economies must provide the necessary “backstop” enforcement.

There are currently:

• 4 participating economies: USA, Mexico, Japan and Canada
• 1 accountability agent: TRUSTe (with another entity’s application currently pending)
• 12 certified organisations

It’s still early days, but the EU has also taken an interest in this work. In 2014, the APEC Data Privacy Subgroup and the EU Article 29 Working Party published a common referential on the APEC CBPR system and the European Binding Corporate Rules (BCRs). Politically, this is an important step forward towards privacy framework interoperability between APEC and the EU. Next steps include the development of a common application form for dual certification.

But, the work does not stop there …

2015 marks the 10 year anniversary of the APEC Privacy Framework – a good time to take stock of the privacy landscape and see whether any updates are needed. The APEC Data Privacy Subgroup is currently reviewing the APEC Privacy Framework, using the revisions to the OECD Privacy Guidelines as a starting point, and finalising some proposed amendments. Spoiler alert! The core privacy principles are likely to remain unchanged. As for the other changes, you’ll have to wait until they are published next year.

Back to Table of Contents