At the request of Ministers and Chief Advisors of the Carnegie
Group, an expert group examined the current situation of implementing
Internet and comparable international data networks, with a special
view to potential misuse. The expert group presented its report
to the Carnegie Group at their meeting at Montebello/Canada on
December 5-7, 1997.
The report
first of all emphazises the broad scale of the outstanding
benefits and promise of Internet for practically all sectors of
public, political and commercial processes of communication and
- not least - for the individual life of private persons and groups;
underlines, however, that the full use of benefits will depend
- to a great deal - on the avoidance or at least minimisation
of the various possibilities of misuse.
Analysing the situation, the report identifies two areas of misuse,
i.e.
illegal or harmful actions, where the Internet is used
in order to engage in illegal activities,
illegal or harmful contents, where the Internet is
used to transfer illegal information to users.
In order to find appropriate answers to these challenges, the
report clusters the potential solutions into four approaches of
activities, aiming at developing practical steps for improving
the proper use and overall acceptance of new communication technologies
and services. These four areas are:
(1) Awareness and Education
(2) Technology
(3) Information and Communications Industry
(4) Legal Measures
The report suggests to develop, as a first step, concise sets
of solutions along and across these four areas. Consequently,
the expert group submits a number of recommendations. Among these
recommendations the expert group estimates that especially the
following measures are ready for action:
improving multimedia competences by educating young people
(to avoid and where necessary to refuse harmful or illegal material)
improving multimedia competences through instruction of adult
or professional users (to keep up with the accelerated progress
of technology)
promoting technologies which enable users to distinguish between
wanted and unwanted information (to increase efficiency through
early selection on the one hand and to avoid unwanted confrontation
with illegal or harmful content on the other hand)
promoting technologies which enable users to identify the
authenticity and integrity of certain communication connections
(to guarantee the reliable and safe commercial exchange of information)
requesting information and communications industry to establish
appropriate codes of conduct (to develop and to implement a system
of self-regulation, based upon an agreed set of standards)
requesting national self-regulatory bodies to organize themselves
on an international level (to exchange information and experience
and, to the extent possible, to aim at jointly agreed standards)
building up a set of international minimum rules for illegal
action and contents (to fight e.g. hacking, computer espionage,
computer sabotage, computer fraud and copyright infringements;
hard core child pornography, bestiality, the glorification of
violence, hate speech as well as defamation of minorities and
persons)
building up a collaborative network of law enforcement agencies
(to improve transborder prosecution).
Beyond these patterns facing the present situation there is a
principal uncertainty coming from the ongoing speed of technology
development and from the methodology of assessing the impact of
using such new technologies. Therefore part of the required actions
have to be based on the results of further research so far partly
carried out on the national level. In order to make better use
of such experience the respective project designs and results
should be exchanged among the different partners. Starting from
such a point, the next step could be to define collaborative international
projects, bearing in mind that the findings of such projects have
to be checked against the various conditions of implementation
in the countries concerned. This would reduce the time-lag between
the appearance and the resolution of new problems.
Based on an initiative of the German Minister for Education, Science,
Research and Technology, Dr. Jürgen Rüttgers, the Expert
Group on "Misuse of International Data Networks"
was established by the Ministers and Advisors of Science of the
G7 States, Russia and the European Union (Carnegie Group) in 1996.
It consists of legal and technical experts of the member states
in the field of international computer networks. The Expert Group's
mandate was to evaluate the misuse of international data networks
and to suggest recommendations for potential solutions. The expert
group held three meetings: in Bonn from 27 to 29 November 1996,
in Paris from 26 to 27 June 1997, and in Rome from 16 to 17 October
1997 (see VI). After extensive discussions during those meetings,
the Expert Group reached the following conclusions below.
The Internet and other comparable international computer
networks are positive instruments. The Internet promotes the free
flow of information between citizens, brings together people across
the world regardless of geographical distance, promotes economic
development, stimulates education, and offers universal access
to ever wider and richer sources of digital information. At the
heart of the Global Information Society, open network technologies,
such as the Internet, have enormous potential to foster education
and research, facilitate business and enhance democracy on a global
scale.
The Internet offers significant social benefits. It provides
unprecedented opportunities for empowering citizens, and for connecting
them to ever richer sources of digital information.
In the field of education and research as exemplified
by the many innovative projects linking libraries, schools and
universities the Internet plays a central role in the creation
of a new "digital literacy". Having evolved from a research
and academic network, the Internet is a key tool for research
and the dissemination of knowledge on a world-wide scale, offering
access to resources beyond geographical boundaries. As primary
users of the Internet, educational and research institutions play
a crucial role in the future evolution of the "network of
networks" and in helping to ensure that the Internet is a
safe and secure environment for learning, work, and leisure.
In extending the reach and scope of (especially electronic)
commerce, the Internet plays a crucial role in the development
of new economic opportunities. The Internet is fostering a new
and vibrant "Internet core economy" of companies, large
and small, deriving their income directly from the Internet. Beyond
this "core economy", the Internet is currently transforming
and energizing existing economic sectors by lowering the barriers
of entry, reducing costs and improving customer service. Small
companies in particular, are eagerly capitalising on the new opportunities
of unprecedented access to world-wide markets. In addition to
linking global communities, the Internet provides citizens with
improved access to social services such as health care.
The Internet has considerable potential promise. As a new forum
for democracy, it can be an electronic town hall and an electronic
court house. As a new space for learning, it is already the most
powerful electronic research laboratory available today, as a
medium for teleworking, it helps to reconcile working and living.
As a forum for innovative new forms of electronic commerce, it
is already creating new wealth and new economic activities on
a global scale. However, to maximize the beneficial use of international
data networks, networks need to be safe, reliable and secure,
both in practice and in perception.
Like any new and powerful technical tool, the Internet can be
abused. The positive effects of the Internet as well as other
essential individual and social interests can be endangered by
the misuse of international computer networks. Such acts
can be committed via international telecommunication networks
in one country with results in another country. As a first step,
the Expert Group identified two areas of possible misuse:
Misuse related to actions, where the Internet is used
in harmful, and/or illegal activities.
Examples:
- Illegal access to and penetration of information systems (hacking),
- Manipulations and sabotage of computers and networks
- Espionage and divulgence of secrets
- Infringements of privacy and illegal collection, use, and divulgence
of personal data
- Copyright infringements and other intellectual property violations
- Consumer fraud
- Money laundering
- Drug dealing, illegal arms trade, terrorism, illegal gambling
and other criminal activities.
Misuse related to contents, where the Internet is used
to transmit harmful, and/or illegal information.
Examples:
- Child pornography and obscenity
- Hate speech
- Defamation
The protection of the integrity of international computer systems
against misuse concerns everyone, since computers and telecommunication
systems are the backbone of the modern information society: In
the business community, the majority of monetary transactions
are administered by computers in the form of deposit money. Balance
sheets are prepared with computer support. A company's entire
production often depends on the functioning of its data processing
system. Furthermore, many businesses store their most important
company secrets on computers. Modern governments rely on computer
technology and databases in a similar way. Sea, air, and space-control
systems, medical supervision as well as military defence also
depend widely on modern computer technology.
Protection against harmful, and/or illegal content in international
data networks is especially important since computers now play
an increasing role in the education and leisure of minors. Moreover,
it is essential that the new technologies are used in accordance
with our democratic community values and, in particular, with
fundamental human rights. If technology were to be blamed for
abuses, this could substantially lower its acceptance. The challenge
is therefore to ensure that the Internet is, remains, and is perceived
as a secure place to express opinions, to learn, to work, and
to play.
However, any preventive measures and restrictions relating to
the Internet should be in accordance with fundamental rights
and be balanced against the need to protect the Internet´s
tradition of free speech and privacy. Initiatives designed to
prevent misuse should not frustrate the potential of open network
technologies typified by the Internet, in particular their global,
decentralised character, their low barriers to entry, and the
free flow of information among all sectors of society. In principle,
information on the Internet should be allowed the same free flow
as paper-based information. It must also be recognised that, as
a result of the free flow of information across borders in international
computer networks, international cooperation and coordination
is fundamental to combatting misuse. Solutions based on blocking
information at national frontiers are neither technically feasible
nor socially desirable. Furthermore, it is essential to establish
an appropriate balance between solutions based on education, technology,
industry self-regulation, and legal or regulatory remedies.
The Expert Group on "Misuse of International Data Networks"
focused on the development of measures against illegal and harmful
content as well as on steps to be taken against other illegal
and harmful activities on the Internet. As a first step, the group
identified four areas of possible action:
(1) Awareness and Education
(2) Technology
(3) Information and Communications Industry
(4) Legal Measures
During discussion, the group listed a number of possible measures
that should be considered in a comprehensive framework. However,
the selection and combination of these actions requires difficult
policy and value choices. Some initiatives are complementary and
some contradict each other. For example, the campaign against
child pornography or fraud might be facilitated by implementing
reliable measures allowing the identification of the originator
(e.g., by prohibiting anonymity). Such measures would, however,
raise serious concerns about privacy issues; it is therefore the
abuse of anonymity, rather than anonymity itself, which must be
addressed. Some of the measures can prevent specific acts, others
are weaker and can only limit abuse, or render it more difficult.
Some measures might be introduced at a national level, whilst
others would require international cooperation. While international
uniformity or minimum standards may be desirable in some areas,
other matters should be reserved for national legislators, applying
the principles of subsidiarity and proportionality.
It is therefore essential to examine each possible measure and
its interrelation with others as a prerequisite for informed national
and international discussion. In addition to these discussions
among specialists and political leaders, the broadest and most
serious public dialogue possible should precede the adoption of
any new measures both at the national and international level.
Since promoting good use is the best way to minimize misuse, awareness
campaigns and educational measures should aim at broad multimedia
competences. This can be achieved for example by
advising political leaders on any new areas where new policies
may be appropriate with respect to the prevention of misuse in
data networks,
raising public awareness of the Internet as a valuable tool
for education and lifelong learning, as well as of the importance
of promoting the responsible use of this new medium,
developing increased access to computer networks, services
and contents for schools and universities,
creating a favourable environment for easy use of the Internet
for everybody, especially the younger generation, e.g. by linking
or creating "electronic townhalls", where students from
participating nations can share views and experience regarding
the Internet,
educating users on their rights, duties, and procedures for
safe use of the Internet, for example by:
promoting the use of filtering software,
informing users of regulations/laws concerning data protection,
intellectual property rights and related criminal laws,
providing information to help users select secure personal
devices and communication systems and on procedures for the use
of anonymity,
educating users on how to be well-informed consumers of new
electronic commerce services, for example the collection of transactional
records needed to resolve disputes,
providing educators with learning opportunities on the use
and potential danger of international data networks.
Technical solutions - which need legal, organizational and social
framing as well as future research - should especially promote
the development and use of
technologies that will authenticate the user to the service
and, conversely, authenticate the service to the user,
technologies that can enhance security of communications through
each link of the communications chain from the individual (personal
or company) user device all through the network (e.g. by minimum
security standards and security "audits"),
appropriate non-repudiation services, e.g., providing for
secure digital signatures by secure user devices, asymmetric cryptosystems
and certified public keys,
technologies for tracking Internet communications or, quite
the reverse for the use in other cases, anti-monitoring systems,
i.e., anti-tracking technology, to protect the privacy of users
by preventing unnecessary gathering and linking of data,
measures against the abuse of anonymity, e.g., non-repudiation
services based on certified pseudonyms where the certification
authority is able and obliged to furnish the name and address
of the holder of the pseudonym under clearly defined circumstances,
international frameworks to enable the use of effective encryption
world-wide,
technologies for effective monetary transactions (especially
anonymous digital cash) which are necessary for commerce in the
Internet and which have to be secure and protect the privacy of
users on the one hand, but - on the other hand - have provisions
to discourage their use for criminal purposes (e.g. money laundering),
technologies for content rating, e.g. voluntary labelling
and filtering technologies (e.g. PICS), including self-rating
for web sites and news group articles,
technologies for copyright protection, i.e. watermarking and
authentication technologies as well as a time stamping service
to protect intellectual property.
The information and communications industry plays a key role in
the provision of Internet and the national data communication
services and content. They can also play an important role in
the promotion of proper use and the prevention of misuse of these
services. Voluntary measures by industry could, for example,
improve security and the usability of security mechanisms,
advise users and providers on how to use security technologies
and procedures,
undertake to work with governments on educational issues,
establish codes of conduct, thereby setting an international
industrial norm for illegal contents and illegal actions as well
as reasonable action against illegal content/action,
consider methods to promote accurate voluntary labelling and
the development of "acceptable use policies", while
the use of labelling for censorship or discrimination against
competitors has to be prevented,
create an international network of contact points which can
react in cases of illegal contents, once made aware of them,
specify actions when alerted to the existence of illegal material
or activity, thereby limiting service providers´ liability
under the law,
define protocols for working with law-enforcement agencies,
foster electronic commerce and the free flow of information
by developing policies on anonymous digital cash and anonymous
electronic transactions that protect public safety without hindering
technological progress,
foster the development of trusted third parties (for authentication,
identification, and prevention of fraud).
With respect to legal measures and their interrelation with technical
and other solutions, it is especially essential to
strengthen international mechanisms for addressing illegal
actions, e.g. by creating a well-defined set of international
minimum rules for illegal actions, such as hacking (illegal access
to and penetration of information systems), computer espionage,
computer sabotage, computer fraud and copyright infringements,
strengthen international mechanisms for addressing illegal
contents, e.g. by creating a well-defined set of international
minimum rules for illegal contents to be prosecuted and punished
world-wide, especially with respect to hard core child pornography,
bestiality, the glorification of violence, hate speech as well
as defamation of minorities and persons,
encourage countries to define an adequate system of rules
for the responsibility of Internet service providers and access
providers, e.g. by creating a legal system so that in all countries
service providers must undertake reasonable efforts to erase illegal
contents on their servers when made aware of these contents, while
at the same time the free flow of data should not be hindered
by - generally unsuccessful - attempts to block access to other
servers and by holding access providers liable,
encourage countries to establish national laws for the effective
prosecution of computer crimes, especially with respect to search
and seizure of computer systems and international networks, duties
of witnesses (e.g., to provide passwords or to decrypt files),
wiretapping and accessing computer systems,
address possible abuses of anonymity, and install an international
system for lifting anonymity in cases of abuse, thereby requiring
adequate legal safeguards for privacy rights (e.g. by demanding
court orders as a prerequisite for transferring specific data
to the prosecuting authorities), thereby considering the fact
that lifting anonymity is only possible, if all countries cooperate,
which are crossed by the communication; (this means that as long
as there are countries which do not cooperate, anybody wishing
to hinder the lifting of his/her anonymity, merely has to provide
for routing through one of these countries),
develop an international information network and other information
systems with respect to the prosecution of illegal and harmful
practices detected on the Internet,
foster cooperation among law enforcement agencies, with special
respect to urgent measures for "freezing” data in international
search and seizure procedures,
clarify issues of jurisdiction,
educate and train law enforcement agencies about cyber crime
and its prosecution.
The findings and recommendations of this Expert Group are laid
out in this report and highlighted in the Executive Summary. In
conducting its analysis, the Expert Group drew upon, and may contribute
to, the work of other international bodies, such as the European
Union, Council of Europe, OECD, UN, WIPO and P8.
The Expert Group is well aware that the scope of the suggested
measures is broad and will require complementary efforts by many
organizations. Achieving the desired results would require cooperation
between governments and the private sector, among government departments
and administrations, and between countries. The work initiated
by the Carnegie Group is one step in that direction.
Responsible for the coordination and final editing of the report:
Prof. Dr. Sieber, Prof. Dr. Pfitzmann
Participants (in alphabetical order)
Canada
Konrad von Finckenstein, Assistant Deputy Minister, Business
Law, Department of Justice
David Waung, Director General, Strategic Information Branch,
Industry Canada
European Commission
Alain Dumort, Chef de Secteur nouvelle technologie et éducation,
GD XXII
Patrick Vittet-Philippe, Fonctionnaire-Expert, New Information
Technologies, GD XIII
France
Daniel Confland, Chef du départment de l'information
spécialisée, Ministere de l'Enseignement Superieur
et de la Recherche
Prof. Gautier, Université Paris II, Panthéon
Assas
Dominique Vallée, Chargée de mission, Ministère
de l'Enseignement Superieur et de la Recherche
Germany
Frithjof A. Maennel, Oberregierungsrat, Bundesministerium
für Bildung, Wissenschaft, Forschung und Technologie (BMBF)
Dr. Andreas Pfitzmann, Professor, Technische Universität
Dresden
Dr. Ulrich Sieber, Professor of Law and Legal Informatics,
University of Würzburg
Dr. Michael Széplábi, Ministerialrat, Bundesministerium
für Bildung, Wissenschaft, Forschung und Technologie (BMBF)
Italy
Dr. Stefano Barocci, Economics Section, Italian Embassy, Bonn
Ing. Luigi Lattanzi, Direttore dell'Uff. VII, Instituto Superiore
delle Poste e delle Telecommunicazioni, Ministero delle Poste
e Telecomunicazioni
Dottore Carlo Sarzana Di Sant'Ippolito, Presidente Aggiunto
della Sezione dei Giudici per le Indagini Preliminari, Tribunale
Penale di Roma
Japan
Yutaka Hishiyama, Japanese Embassy, Bonn
Masao Horibe, Professor of Law, Chuo University
Zen-ichi Kato, Japanese Embassy, Paris
Jun Matsukata, Associate Professor, National Center for Science
Information Systems
Yasuo Sakamoto, Director of the Office of Consumer's Affairs
on Telecommunications, Telecommunications Bureau, Ministry of
Posts and Telecommunications
Russia
Vladimir A. Goubanov, State Committee of the Russian Federation
for Science and Technology
Karl Z. Ibragimov, Department Head, Ministry of Science and
Technology
Alexander Sokolov, Department Head, Ministry of Science and
Technology
United Kingdom
Dr Monica Darnborough, British Embassy Paris
Elly Hardwick, UK Communications Policy Directorate, Department
of Trade and Industry
Eve Race, Legal Services, Telecommunications, Department of
Trade and Industry
USA
Richard O'Brien, Economics Section, Embassy of the United
States, Bonn
William W. Burrington, Esq., Director, Law and Public Policy,
Assistant General Counsel, America Online, Inc.
David Heyman, Senior Policy Advisor, National Security and
International Affairs, Office of Science and Technology Policy
Dr. Michael R. Nelson, Special Assistant for Information Technology,
Executive Office of the President, Office of Science and Technology
Policy
Henry H. Perrit, Professor of Law, Villanova University Philadelphia
Andrew Reynolds, Embassy of the United States, Rom
Michael A. Sussmann, Special Assistant to the Assistant Attorney
General, U.S. Department of Justice, Criminal Division
