Legality, Security & Ethics in the Digitalized World

DNS blocking turned out to be a major hot topic for many participants at the Internet Governance Forum 2019, which took place in Berlin in November. My own involvement in the IGF included a panel on DNS blocking, as well as panels on IoT security and ethics. Below are a few of the insights stemming from my involvement. 

DNS blocking – basically kills an entire domain name

Interestingly, the session on tackling illicit content was very well attended. The room was packed. And that was particularly interesting because there is no new development on that topic. So it looks like this is still getting an awful lot of attention with many attendees of the IGF. The panel consisted of various experts, primarily from the domain industry but also from the technical sector.

I spoke on behalf of the ISP community, because when looking at DNS blocking, it needs to be understood where blocking can take place. And for that, it's important to understand the respective roles of registries, registrars, and DNS operators/ISPs, because all of them can do things to corrupt the DNS and make sure that certain content or services are not accessible via the DNS.

The panelists each described actions they can take, and the limitations of these quite eloquently. We heard representatives from registries basically speaking about the fact that they only have a binary choice to make: either that the domain name resolves or the domain name does not resolve. But that doesn't allow for responses where only certain offerings made available under a given domain name are switched off, so to speak. You would basically kill an entire domain name, and that can lead to issues if a domain name is shared, or if only one aspect or one particular news article or other type of digital content is objectionable.

We then discussed the legal situation in various jurisdictions. I reported about developments in Europe with respect to web blocking requested of ISPs. I think that the main takeaway was that all the participants, including the representative from the government arena, agreed that DNS blocking is either not a good idea at all, or it should only be used in certain circumstances.

I gave the example that we need to take a more nuanced approach, that we need to understand what actions can be taken by the various actors, and that you should then try to go to the appropriate addressee for taking measures. So, ideally you would talk to the hosting company and make sure that the content isn't further publicly accessible, because if you take down the domain name, you can still go to the website if you know its IP address.

Illegal content, INHOPE and getting law enforcement involved

And we also need to take a look at the nature of the objectionable content or service, meaning that it is only proportionate to use DNS blocking for certain violations. Among the panelists, it was agreed that Child Sexual Abuse Material (CSAM) would be amongst the content where such measures can be required. But at the same time, just making certain content invisible, firstly, does not solve the root cause, and also much of that content is evidence of ongoing crime, and therefore it's important to also work with law enforcement or to work with the INHOPE hotlines to ensure that perpetrators are investigated and hopefully convicted, and that victims are freed in the case of ongoing abuse. 

One aspect of the panel session that I think was perhaps a little unfortunate was that we didn't really have anyone on the panel who was all for web blocks. I think it would have helped the discussion if we had had somebody on the panel who was fervently in favor of using those tactical blocks for whatever reason.  

Overall, I think the main takeaway for me would have been that whilst the various participants of the panel explained the limitations of what they can and can't do and spoke of the dangers and the downsides of using DNS blocking as a one-size-fits-all solution for tackling illegal content, there was broad acknowledgement that, by pushing back on DNS blocking, the players involved would not recognize that they have a responsibility to do something.  

And I guess that needs to be understood: that it's not just pushing the issue elsewhere, but that we were in agreement that the various players involved should take measures corresponding to their respective roles, given the alleged violation of applicable laws or standards. For example, when it comes to DNS abuse like phishing attacks and stuff like that, contracted parties do take action, but they feel out of their comfort zone when it comes to assessing the legality of content.  

Also, a lot of companies do kick out customers, not because there is any violation of applicable laws, but because their acceptable use policy or their terms and conditions are being infringed upon by the customer. So there are things that registries, registrars, and ISPs can do. But we just need to be very clear for whom it is advisable and appropriate to take what action.

IoT security and ethics

There was one block of three hours in total at the IGF dealing with IoT. This is an ongoing discussion by the Dynamic Coalition on IoT. The discussion was quite multifaceted, because we were discussing a multitude of aspects. Unfortunately, as a result, we couldn't really drill down to the nitty-gritty of any of them. But maybe that's also the beauty of the IGF: that all the participants from all of the various countries that they originate from can take back home an overview of issues and positions to stimulate the discussion at the local level or with their local or regional stakeholders.

So basically we heard views on IoT from the development side: what requirements (if any) there are both from an ethical and a security perspective, and what standards there should be for those who issue IoT products, and take them to the market. What about the issue of low-priced IoT devices, where the pricing already suggests that the software can't really have been tested thoroughly for security? How do we deal with such products? How do we deal with products that are no longer supported by the manufacturer, or where the manufacturer only predicts a lifetime of a limited number of years and therefore doesn't even bother to provide patches and updates for the software that is used with these devices?

Detaching IoT from the open Internet

And according to Gartner, with the predicted overall volume of 35 billion IoT devices in the market in 2021, that is going to be a challenge. So how do you make developers take responsibility for issuing safe products? How should the DNS community, if you wish, respond to security challenges? Because if, for example, you have IoT devices going rogue in your household, a likely remedy could be that your entire house is going to be switched off, because the vulnerability needs to be isolated.

So there's been talk about putting IoT devices into extra networks to sort of detach them from the open and free and accessible DNS / Internet. But if we did so, we would break one of the basic principles or one of the core values of the Internet: to be open and accessible. But for security reasons, it might be warranted to create some networks that basically have their own kill switches that you can easily switch off without disconnecting uncompromized devices.

Who should be responsible for security and ethics in the digitalized world?

We had suggestions on creating different classes of devices depending on the risk level involved with the products. We discussed who shall become active, if at all. And in that regard, I could proudly quote from the Ethics Compendium that was issued by eco recently. Not specifically on IoT, but on digitalization in general, a survey result was presented where the (German) respondents were asked who they think should be responsible for ethical rules in the digitalized world. And almost 40 percent of the respondents thought that the government should take care of this, while 6 percent thought that companies should take care of it. And roughly a third – thankfully – said that they think it's a shared responsibility of all those players. 

But I guess this clearly indicates that, when it comes to topics like IT and information security, the majority of users do not see a responsibility or a task for themselves to get educated in how to use devices securely, and to make sure the devices that they're using do not pose a security risk to others by checking what they buy, reacting to abnormal behavior, and taking the appropriate measures. So they're just calling for the lawmakers to fix things on their behalf.

And the other striking takeaway from that particular survey was that obviously more than 90 percent thought that the companies can't solve the issue. So there is very little trust in the manufacturers of these products to take care of ethics or security. I guess that tells quite a compelling story: that we need to educate all stakeholders involved that IoT security, firstly, will be an ever-growing factor of our day-to-day life, and that there are serious consequences if there are issues. And also that it is a shared responsibility to make sure that the risks involved with those devices are controllable.

Thomas Rickert, Attorney-at-law and owner of Rickert Rechtsanwaltsgesellschaft mbH, Bonn, Germany (rickert.net) chairs eco’s Names & Numbers Forum. He is one of three co-chairs of the CCWG-Accountability.