The 6th edition of SEEDIG, the Internet governance event for South East Europe, took place from 21 to 25 September 2020 online. Sessions covered governance challenges of the decentralised Internet, privacy and data protection, cybercrime and security of critical infrastructure, the interplay between digitisation and depopulation, post-COVID digital transformation and more. Here are some impressions and key takeaways.
Protecting the Values of the Internet
When we talk about governance or enforcement, we normally think of a triangle, where power is concentrated in fewer and fewer hands the higher you go. The ultimate decision making is reserved for the highest ranks and orders are handed down top to bottom.
The Internet, on the other hand, is the complete opposite – open and decentralised. That might have happened by a series of happy accidents, but it has since proven to be one of the Internet's main advantages. Indeed, this feature is key to making the Internet as resilient as it is. It's difficult to attack or destroy a system with no core. If one network goes down, packets take another path. Similarly, decisions about policies and standards are made by consensus and everyone is allowed to contribute to the process on an equal footing.
Today, however, some of these principles are being shaken. Governments are increasingly trying to exert power and control what happens on the Internet. The future of the current multistakeholder governance model looks uncertain. What can we do to make it suitable for the future without losing the benefit of a decentralised system? As the "multistakeholderism" is called into question by the recent rapid rise of influence and power of tech companies and governments, will Internet governance become nothing more than cooperation between these two stakeholder groups while marginalising the rest?
Some of the panelists raised fears that even pro-democratic states are closing off their own pieces of the Internet: the US, with its Clean Network program and pending bans on TikTok and other apps, and maybe even the EU with its efforts on digital sovereignty. These trends will certainly only justify similar requests by the governments in South East Europe, and other regions.
Some documentaries like The Social Dilemma are helping to open our eyes to some of the hidden dangers behind everyday technology. On the whole however, the general public does not understand many of the complex questions that Internet governance deals with. As a consequence, the discussion is taken over by partisan interests. Check out ISOC’s impact assessment toolkit that asks five questions to help analyse whether a proposed law, decision, or trend could harm the foundation of the Internet.
Having attended many Internet governance and tech conferences and meetings, I was pleasantly surprised by a new topic – that of depopulation and the way it influences and is influenced by digital technologies. This topic is so obviously important and relevant, yet somehow largely ignored, so kudos to SEEDIG 6 for addressing it.
We know that in South East Europe depopulation is a major challenge – villages are emptying as the young flock to cities or emigrate in search of a better future. Studies have shown that technology contributes to this gentrification. Paradoxically, the decentralised Internet has had a concentrating effect on people. And then COVID happened. It is slowly teaching us that remote work, something almost unheard of in South East Europe before, is a thing. It allows us to move back to the villages with a calmer life and lower cost of living, whilst still being productive and delivering a high-quality output. Will this continue in the future, or will we go back to the old ways, spending our lives in traffic jams? Let’s see. But I hope we don’t let this crisis go to waste.
Some panelists stressed that depopulation is not necessarily a bad thing. Instead of worrying about it, we should focus on maximising human potential and have a deliberate strategy to plan for this new demographic reality. For example, rather than try to prevent people from leaving, we should look at ways to connect with the diaspora. Instead of looking at the aging population as a burden, we should look at ways to engage with them. We should reach out to digital nomads to encourage them to return home and work remotely. But this cannot happen in a vacuum. We need to create an appropriate environment by supporting digital services and moving many offline services online.
Another point that was brought up several times during the panel is the persistent bias in parental policies in most South East European counties, basically focusing most or all parental care on the mother. With maternity leave of upwards than a year, and sometimes as high as two years, women are encouraged to shoulder childbearing at the expense of their careers. Rather than tax deductions or financial contributions, farer parental policies such as the ones in Estonia, where childcare and parental leave is shared between the two parents have given much better results in spurring population growth.
Cybercrime and the security of critical infrastructure
2020 saw a noticeable decrease of attacks on ICS.
Perhaps surprisingly, while the COVID pandemic has been rocking the world in 2020, attacks on Industrial Control Systems (ICS) have been decreasing. Statistics by Kaspersky show that both in the world and in South East Europe in particular, the percentage of ICS computers with detected malware is lower than the second half of 2019. What also changed in the nature of those attacks – moving from high volume to more local attacks with a precise target. In addition, attacks have become more complicated and less visible, remaining undiscovered for months on end. Some of the top reasons cited for leaving ICS exposed to vulnerabilities are postponing updates due to undesired production stoppages, approvals taking too long and having too many decision makers.
Some panelists observed that in the first two-three months of the pandemic there was an increase in botnet activities. Hijacking various low-security IoT devices for attacks on critical infrastructure is nothing new, as vulnerable devices proliferate in our markets and users lack the knowledge or motivation to secure them.
Moving to the general population, crimes using social engineering, especially ones focusing on the COVID crisis such as offering medical supplies or masks, are on the increase. Alarmingly, only 1% of reported cybercrimes end up being investigated and an even smaller number of investigations have a successful conclusion. Panelists called for continuous retraining of law enforcement officers so that they get the knowledge necessary to handle e-crime.
The audience acknowledged their fear of ransomware attacks.
Concluding the session, we discussed the somewhat philosophical, but nonetheless relevant question of what critical infrastructure is. Is our political system a critical infrastructure? Is the website of the political opposition a month before elections critical infrastructure? The discussion left us a lot of food for thought for sure.
Keeping local traffic local
South East Europe’s Internet market is slowly but surely maturing. However, the road is not straightforward and without setbacks. Panelists told us of the difficulties faced when trying to create Internet Exchange Points (IXPs) in Bosnia and Albania. In both countries, putting together the technical bits for an IXP is the smaller hurdle. The bigger obstacle is manoeuvring through the political situation and finding a host that is neutral enough to the satisfaction of all involved in the project. This task proved impossible once key people left, and so the vacuum in these countries now remains. We heard from Macedonia, where the newly founded (2018) IXP is gaining ground. The project leaders conceived the idea at the SEE 4 – the RIPE NCC regional meeting in Belgrade in 2014. After some years of coordination and support from international partners this young IXP seems to be doing well at securing peers. We also heard from Serbia, Romania and Slovenia, whose established IXPs are looking to further diversify their services. They underscored the importance of cooperation and including a diverse group of technical experts. All three countries have vibrant NOGs attracting network operators from the region and beyond. This cooperation is clearly paying off.
COVID-19 pandemic’s effect on privacy
The use of contact tracing apps to combat the spread of COVID-19 has thrown into the spotlight issues of privacy and data protection. Experts warned of the potential side effects from collecting so much personal data and called for the implementation of appropriate measures to prevent any risks.
The question of the apps in particular stands for a much broader issue. The panel recognised that if the general public does not trust the government in their overall response to the pandemic, they would be similarly suspicious of the contact tracing apps. An additional level of insecurity arises when a government puts this personal citizen information on servers in a company headquartered in a foreign country, which is then subject to the jurisdiction of said country. Governments who want to increase trust in, and by extension use of, such apps should focus on increased transparency and digital education. In addition, it is important to give control to the user for how much and what type of information they share. Not least, for governments to access, use and analyse this data there needs to be a strong legal reason. Some panelists pointed out that to be valid, consent is subject to a number of criteria. Being freely given and having the choice to withhold consent is an obvious one. In this year's inter-sessional activity SEEDIG developed a set of recommendations for governments, public health authorities and developers regarding a human rights-based approach to design and deployment of COVID-19 tracking apps.
Contact tracing apps are not as novel as most of us think. Singapore has experience with using them as far back as 2015, when they were dealing with MERS 2. Sadly, these apps were not properly evaluated either then or now – do they achieve what they are supposed to do? Panelists called for research into the effectiveness of such apps. Have countries with high rates of adoption, like Finland and Germany, seen a reduction of transmissions over time that is directly linked to the use of these apps? Hopefully we find out soon!
These are just some of my impressions of the sessions I attended. This year's SEEDIG, the first fully online, boasted a really interesting agenda and excellent speakers from a wide range of backgrounds. In addition to the regular sessions the program included a number of interactive and social events. Whether you attended or not, I'd be curious to read your thoughts in the comments below.