March 2020 - Ethics in Digitalization | Email Best Practices | Self-regulation

“This has been a tremendous experience” – Interview with Thomas Rickert

In the eco Association’s 25th anniversary year, Lars Steffen speaks to Thomas Rickert about the initiation of the eco Complaints Office, the CSA, and further initiatives for an Internet with Responsibility.

eco 25 Years composite Thomas Rickert

Lars Steffen: Thomas, how did you first get involved with eco and what was it like back then? 

Thomas Rickert: I was looking for a job when I was a law trainee and I was looking for law firms where I could be engaged in media law. And I happened to write an application to a guy named Michael Schneider – who was a lawyer, and who actually offered me a job – and he was Chairman of the Board at eco at the time. And during my work for Michael, he asked me to take on a couple of jobs on behalf of eco. Actually, during that phase – that was in 1998 – eco was quite a small organization. It was virtually operated out of a small flat. So there were only a handful of people that were working for the association, and at that time the organization was incredibly agile.

I think it was a fascinating time, because in 1997 the German lawmakers had adopted a package of laws called the Information and Communication Services Act (IUKDG is the acronym), and it included laws on the digital signature, teleservices, and things like that. That basically became the role model in part for what actually was entered into law by the European Commission with the e-Commerce Directive, and the German lawmakers were interested to hear from the industry how these laws had kicked in – whether they worked, or whether something should be changed. And I had the privilege of representing eco during the evaluation of this Information and Communication Services Act package at the time.

Steffen: What led to the initiative of the eco Complaints Office?

Rickert: The eco Complaints Office was quite an interesting species at the time. You have to remember that back in those days, a lot of law enforcement authorities didn't have computers on their desks. In the second half of the 90s, basically when the Internet started getting attractive to end users, it also attracted people doing bad stuff on the Internet. And since law enforcement wasn't well equipped in many cases to deal with the downside issues on the Internet, private initiatives kicked in. And I think that the first complaints office in Europe was actually Meldpunkt Kinderporno in the Netherlands. 

At the time, eco was running a project called ICTF, which is the Internet Content Task Force, which was put in place a little bit before I got involved with eco, and that dealt with monitoring newsgroups. The Usenet was actually a big thing at the time where information was shared, and a several newsgroups carried illegal material, and Internet service providers that were offering the Usenet to their customers were extremely cautious not to get involved in censorship and taking moral decisions over what their customers should be seeing and what not. So they basically outsourced this function to eco. They could subscribe to this ICTF service, and eco staff members would then take a look at newsgroups that were reported and did a legal assessment of the content. And then if it was illegal content, eco would recommend to the Internet service providers not to carry those newsgroups or individual articles. There was also early interaction with German law enforcement on these matters, in order to reduce the distribution or visibility of really bad stuff on the Internet. 

That was basically where it started. It was a service to eco members. And the European Commission knew that they needed to do something to make the Internet safer for users and to take action to counter bad stuff that was happening on the Internet. So they adopted a multi-annual plan called the Safer Internet Action Plan, which had different action lines, one of which was the work on awareness campaigns. But there was also one action line dealing with reporting points or hotlines to which members of the general public could turn when they found something that they thought was illegal on the Internet. eco basically took this opportunity and opened up its ICTF service to be able to participate in the program.

And since the European Commission wanted to have a European-wide approach, they were looking for a European network of these reporting points or hotlines – they were called differently in different countries throughout Europe – and that led to the inauguration of the INHOPE Association, at the time called the Internet Hotlines in Europe Association. That association was incorporated in 1999, and I happened to be at the founding meeting of INHOPE – I was involved in INHOPE's preparation way back then. 

And that was quite an interesting and unprecedented approach, because hotlines had to provide evidence that they have good cooperation with the Internet industry, with law enforcement, with child's rights organizations, and with their governments, in order to be able to become a member of the association. And having started as a European initiative, it quickly turned out that these counter-measures were number one, very efficient, but number two, the efficiency of this network was dependent on its global reach. And soon after INHOPE's incorporation and even during that phase, international members outside Europe were approaching the association to ask to participate. And they did so, so that today INHOPE is not only a European association, but is actually a global organization as a response to primarily CSAM, or child sexual abuse material.

Steffen: Against the background of the political landscape that the industry faced in those days, can you tell us why was self-regulation so important in the early days of the industry?

Rickert: I think it was important in the early days, but it's still important today. Technical developments are always, by their nature, by their dynamics, faster than what lawmakers could ever achieve. And also the Internet is borderless. It's a global tool that can be deployed by almost everyone around the globe, while legal initiatives by lawmakers typically just have national reach. If you're lucky, they have regional reach, but there are almost no legal initiatives that actually are binding at the global level. And therefore, it's always good for an industry to come up with ideas on how to craft measured responses to the challenges that are posed to that industry. There is the risk of being held accountable for what your users are doing, and then there is also the risk of lawmakers stepping in – potentially with the best intentions – but nonetheless stepping in with legal tools, laws, and regulations that overreach or that have side effects that are detrimental to the economic development and the use of the technology.

And when I got involved with all this, there were actually cases where CEOs of companies were being held accountable for content that their users were accessing or distributing, just because they didn't really know how to deal with it or they didn't respond rapidly enough. As a result, they were happy to get support from an association such as eco. Also, there was no real legal response to many of the things that we now take for granted. So some governments took a harsh approach and tried to regulate things. Other countries counted on self-regulation by the industry. 

And what we found in Germany – and that only came a couple of years later, and I think that the response that we saw from the German lawmakers was sort of mild because industry self-regulatory initiatives were already underway – was sort of a “regulated self-regulatory approach”, where the government acknowledged that private initiatives could do certain things, and the government would only step in if the industry players do not play by the rules imposed on them by the self-regulatory measures. But that was something basically to prevent harsher regulation by the lawmakers. And that is an evolutionary process. So we've seen the attempt to come up with technological measures to filter content for children and adolescents. 

The original approach taken by the lawmakers and the German Interstate Treaty on the Protection of Minors in the Media (JMStV) had an approach which didn't really work out in practice, at least at the beginning. But that's an evolutionary process – this is new territory for almost everybody, and therefore it's important for the industry to be ahead of the game and propose things so that the lawmakers feel less of a need to react to public pressures to regulate the Internet. And I think that there's a recent example where you see this working out pretty nicely, and that is the industry coming up with responses to DNS abuse. There is a DNS abuse framework that has recently been crafted and subscribed to by a lot of companies in the industry, again, to avoid regulators stepping in and coming up with harsh measures that might be overreaching. 

Steffen: You've also been involved in setting up another service in the eco association: the Certified Senders Alliance (CSA). Can you tell us a little bit about this initiative and what triggered your involvement in whitelisting?

Rickert: Well, what we saw when we were working in the Internet Content Taskforce and later also in the framework of  INHOPE, was that we were dealing with a lot of unsolicited communication. We had quite a good view of what was happening in the area of spam. So, what we wanted to do was take countermeasures to tackle spam, and we knew that a lot of service providers were actually doing things against spam. They were sometimes taking harsh measures against spam that led to filtering out even legitimate emails, so that actually legal communication from companies to their customers would be filtered out and not reached the customer inboxes. And we thought that it's not enough just to try to shield customers from unsolicited emails, but we should also make sure that legitimate communication actually reaches the designated recipient. Because that's good for economic growth, that's going to stimulate e-commerce, and all that.

But what we found was that a lot of providers were also trying to do that, but there was a lot of duplication of efforts. So, senders would go to each provider and ask to be whitelisted so that their communication would bypass the filtering mechanisms. And all these companies had different standards for whitelisting. As a result, we thought that it would be a good idea to take a look at those criteria for whitelisting and put ourselves in the middle so that we would basically be the central clearinghouse for legal bulk email communication. We would require the senders to provide evidence to us and subscribe to standards that are sort of the highest common denominator of what the whitelisting criteria in the industry were. And we would then make this whitelist available to Internet service providers offering email services, so that they knew that the bulk senders that had subscribed to our criteria and our code of conduct would actually be good players. And that helps them save their own resources and helps with the delivery of legitimate communication. And since we drafted a code of conduct, we had the possibility to impose sanctions if folks were not playing by the rules. So, I also happened to be on a committee for quite a while that dealt with reports about breaches of our code of conduct. If a breach was determined to be present, we could either temporarily or permanently ban bad actors from the Certified Senders Alliance system.

We also had the opportunity to publish information on breaches. I think that's something that proved very efficient because in the case of a lot of bulk senders that were not playing by the rules all the time, if they just got a cease and desist letter, they would take remedial action and nobody would learn about it. We actually came up with something new by making it public, and that's something that the senders were and still are afraid of. That was a groundbreaking approach at the time. We presented that at an APWG or M3AWWG meeting (I can't exactly remember which one), and because we were working with bulk email senders, folks were approaching us and saying: Why are you talking to the devil? But actually, when they learned about what we were trying to achieve and that we actually set it up very robustly and solidly, they sort of liked the idea that we were trying offer a space for legal email communication.

And another thing that we did at the time, which was also unprecedented, was actually that we would bring together the abuse departments of ISPs. Back in the day, in the early 2000s, every ISP had their own abuse department, but apart from the random personal contact that they had with abuse folks from their competitors, there was no structured approach to bring them to the table and make them talk to each other and exchange best practices, make friends, and meet each other so that they could take action more expediently than just writing tickets to each other. We were the first ones to bring together and host meetings of abuse folks. And this is still taking place, and today this is a competence group dealing with abuse and email. So I think we helped the industry come closer together and develop joint approaches to fight bad things on the Internet.

Steffen: And taking a look at the current status of the CSA, I think you did a fantastic job to kick this off. And nowadays you're involved in the domain sector of eco. So how did that come about?

Rickert: As a lawyer, I've always advised in the area of domain law. And what I found is that eco had a lot of members at the time – a subset of which was offering domain names, either as a registry, as a registrar, or a reseller – but eco itself did not have any particular offering for the companies working in the domain industry.

And since I had a lot of clients working in that area, I suggested to the eco board at the time that it could be a good idea to be the first industry association with a particular offering for the domain industry, which didn't really have a representation at the time apart from maybe dedicated organizations dealing only with domain trade and stuff like that. There was no overarching association dealing with the needs of the domain industry. And Harald Summa agreed that it was a good idea, and gave me the go-ahead.

So I tried to do it. In the first couple of years, I was pretty much on my own. But we tried to build up a reputation, went to industry events, did a lot of presentations, tried to win additional registries and registrars to come and join eco. And today I think we have quite a strong membership base from the domain industry and I think we have a very good offering as an association for these members to support them with what they're doing. And particularly since since you, Lars, entered the scene, and Judith is also helping with a lot of things in that the area, I think we have both the bandwidth in addition to the solid staff base of eco to be a great representation and vehicle to transport the domain industry interests at the ICANN level, or at the lawmakers’ levels.

Steffen: Lastly, Thomas, because this interview is part of a flashback series covering the 25 years of eco, and taking into account that you have a very intense and broad history with the association, tell us: what has been one of your highlights of working with eco over the past decades?

Rickert: I think some of the highlights for me – I mean, I can only talk about the things that I have experienced firsthand – is having been involved in so many initiatives that actually became relevant. This was fascinating. When I started getting involved with eco, ICANN was incorporated. So I knew the names a lot of the founding fathers of ICANN, because I was doing back office for the previous eco Chairman of the Board at the time. And ICANN became huge. ICRA, the Internet Content Rating Association – an approach that attempted to allow for content filtering based on a user-autonomous approach by self-labeling – was kicked off at that time. It had some impact as one component to user-autonomous filtering systems. The CSA, which we started in the area of abuse, certainly also the enormous growth of DE-CIX over time. Not to forget INHOPE – I had the privilege of being INHOPE's president from 2002 to 2005.

Seeing these initiatives grow over time, seeing eco grow so enormously, was a privilege, and I still enjoy being with the association and helping it hopefully thrive more in the future. It's great! So I think this has been a tremendous experience. I think eco's leadership did a great job navigating the organization over the years, and Harald certainly is the person ensuring conceptual continuity there. It's very agile – if you have an idea, you can bring it to life. Everybody has been very dedicated and worked on things at full throttle. And it's good to see that things actually came to fruition in so many, many areas.

Steffen: Thank you very much, Thomas.

Rickert: You're most welcome.

 

Thomas Rickert, Attorney-at-law and owner of Rickert Rechtsanwaltsgesellschaft mbH, Bonn, Germany (rickert.net) chairs eco’s Names & Numbers Forum. He is one of three co-chairs of the CCWG-Accountability.

Lars Steffen is Director International at eco – Association of the Internet Industry (international.eco.de), the largest Internet industry association in Europe. At eco, he coordinates all international activities of the association and takes care of the members from the domain name industry and the blockchain community. He further represents the industry as Community Outreach Co-Coordinator of the Universal Acceptance Steering Group at the Internet Corporation for Assigned Names and Numbers (icann.org), to facilitate the support of internationalized domain names and email address internationalization.


Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.