Strasbourg, 8 June 2011
AD HOC ADVISORY GROUP ON CROSS-BORDER INTERNET
Draft explanatory memorandum of the draft recommendation to member states on the protection and promotion of the universality, integrity and openness of the Internet
1. The Internet plays an increasingly important role in people’s lives and in all aspects of human society. It is continually evolving in technology and providing citizens with possibilities to access information and services, to connect, and to communicate as well as to share ideas and knowledge globally. The impact of the Internet on social, economic and cultural activities is also growing. Internet services and uses affect both Internet users and non-users. Moreover, as the events in certain Northern African countries in the beginning of 2011 have demonstrated “online connectivity can result in positive real-life change.”1
2. Internet accessibility and openness have become pre-conditions for most people’s enjoyment of fundamental rights and freedoms, notably freedom of expression and the right to impart and receive information. Internet access also has increasing importance for the enjoyment of freedom of association. In some European countries, such as Finland and Switzerland, access to broadband Internet connection has been recognised as a legal right. Albeit not articulated as an enforceable right, universal broadband access is also a formally adopted policy in other countries such as Iceland.
3. Peoples’ ability to have access to the Internet depends on the continuous and stable functioning of Internet’s infrastructure. Given the interconnectedness and interdependencies of the Internet infrastructure disruptions which may involve technical failures or incidents as well as interference with infrastructure may affect Internet access and the free flow of information across borders. Moreover, decisions made in the framework of the technical co-ordination and management of critical Internet resources by non-governmental entities with a regional or international remit may have a direct bearing on the exercise of freedom of expression and the right to impart and receive information of people in the global Internet community. The events at the end of 2010 in respect of hosting the whistleblower website WikiLeaks showed that Internet service providers are not immune from influence which may have an impact on availability of information on the web.
4. The risks affecting the integrity of the Internet and the concomitant challenges to freedom of expression and access to information cannot be addressed through technical measures or private sector action alone. In addition, coordination of national approaches to network resilience and stability, which at the present stage is based on professional trust of technical bodies such as computer emergency response teams, does not extend to all European countries, and cross-border co-operation remains a challenge. Solutions should be based on strategies that prioritise the protection of peoples’ rights and freedoms and the public interest. While technology and technical and professional solidarity are fundamental considerations, strategy development involves political commitment and resolve. European countries such as France, Germany, the Netherlands and the United Kingdom have developed comprehensive cybersecurity strategies. The United States of America has also recently launched its international strategy for cyberspace.
5. The Internet has no national boundaries and the threats that affect it are not limited to national borders either. Internet disruptions in one country may have an impact on Internet access in another. States have legitimate mutual expectations that they will exert their best efforts to ensure the universality, integrity and openness of the Internet. In the absence of an internationally agreed policy framework, national action on these important goals is tributary to the subjective understanding and gauging of cross-border risks to and consequences for the stability and resilience of the Internet. This may result in uncoordinated approaches as well as subjective interpretations of responsibilities and duties vis-à-vis other countries.
6. The solutions to these challenges should be addressed internationally, which necessitates the adoption of co-operation policy frameworks. This recommendation proposes responses to these challenges with due regard for the protection of fundamental rights and freedoms and the multi-stakeholder nature of Internet governance. The desirability of reinforcing the normative framework in relation to cross-border Internet should be considered in due course.
II. The preparatory work
7. The Steering Committee on the Media and New Communication Service (CDMC) proposed, at its 10th meeting on 27 May 2009, to set up an Ad-hoc Advisory Group on Cross-border Internet (MC-S-CI) and agreed its draft terms of reference. The CDMC’s decision was taken having regard to the 1st Council of Europe Conference of Ministers responsible for the Media and New Communication Services “A new notion of media?” which took place in Reykjavik, on 28 and 29 May 2009.
8. In the Resolution on Internet governance and critical Internet resources, the Ministers participating in the conference:
”Call[ed] on all state and non-state actors to explore ways, building upon current arrangements, to ensure that critical Internet resources are managed in the public interest and as a public asset, ensuring the delivery of public service value, in full respect of international law, including human rights law;
Call[ed] also on these actors to ensure full compatibility and interoperability of TCP/IP so as to guarantee the ongoing universal nature and integrity of the Internet;
Invit[ed] the Council of Europe to explore the feasibility of elaborating an instrument designed to preserve or reinforce the protection of the cross-border flow of Internet traffic;"
Undert[ook] to explore further the relevance of Council of Europe values and, if necessary, ways in which to provide advice to the various corporations, agencies and entities that manage critical Internet resources that have a trans-national function in order for decisions to take full account of international law including international human rights law and, if appropriate, to promote international supervision and accountability of the management of those resources.”2
9. According to its terms of reference, the MC-S-CI was asked to:
“i. continue to examine the shared or mutual responsibilities of states in ensuring that critical Internet resources are managed in the public interest and as a public asset, ensuring delivery of the public service value to which all persons under their jurisdiction are entitled. Make proposals, in particular, relating to the prevention and management of events, including malicious acts, falling within member states’ jurisdictions or territories, which could block or significantly impede Internet access to or within fellow members of the international community with the objective of guaranteeing the ongoing functioning and universal nature and integrity of the Internet;
ii. explore the feasibility of drafting an instrument designed to preserve or reinforce the protection of cross-border flow of Internet traffic openness and neutrality.”
10. Further to the CDMC’s decisions, the Committee of Ministers approved the Terms of Reference at the 1063rd meeting of the Ministers’ Deputies on 8 and 9 July 20093. At their 1068th meeting on 20 and 21 October 2009, the Ministers’ Deputies “invited, in particular, the CDMC to seek to ensure multistakeholder participation in the implementation of relevant parts of its terms of reference and to give priority attention in that work to the elaboration of legal instruments designed (i) to preserve or reinforce the protection of the cross-border flow of Internet traffic and (ii) to protect resources which are critical for the ongoing functioning and borderless nature and integrity of the Internet (i.e. critical internet resources).” 4
11. The MC-S-CI started its work in January 2010. During the same year it had two formal meetings and organised consultations with stakeholders at the European Dialogue on Internet Governance (EuroDIG, 29 and 30 April 2010 in Madrid) and the Internet Governance Forum (IGF, 14 to 17 September 2010 in Vilnius). In its report of activities for 2010 the MC-S-CI proposed to the CDMC to adopt, as a first step, a soft law approach while noting that the desirability of reinforcing standard-setting action in relation to cross-border Internet should be considered in due course. 5 The MC-S-CI’s initial terms of reference expired on 31 December 2010 but were extended until 31 December 2011 by decision of the Ministers’ Deputies at their 1099th meeting on 23 November 2010.6
12. In 2011, the MC-S-CI had its third formal meeting on 21 and 22 February. It discussed its working proposals on Internet governance principles and state commitments on the universality, integrity and openness of the Internet with over 150 representatives of governments, the private sector, civil society and the technical community in a Council of Europe conference on Internet freedom which took place in Strasbourg on 18 and 19 April 2011. On the basis of its working proposals and taking into account the comments received from various stakeholder groups during and after the conference, the MC-S-CI agreed to propose to the CDMC a Committee of Ministers draft declaration on Internet governance principles and a Committee of Ministers draft recommendation to member states on the protection and promotion of the universality, integrity and openness of the Internet.
13. The CDMC, at its 14th meeting which was held from 14 to 17 June 2011, finalised a draft declaration on Internet governance principles and a draft recommendation to member states on the protection and promotion of the universality, integrity and openness of the Internet and decided to submit them to the Committee of Ministers for possible adoption.
III. The Recommendation
14. The aim of this Recommendation is to establish and foster co-operation among the member states of the Council of Europe in respect of the preservation of the Internet as a means of safeguarding freedom of expression and the right to impart and receive information regardless of frontiers, thus contributing to the delivery of the public service value of the Internet to citizens.
15. The Recommendation sets out the general principles of inter-state co-operation for the protection and promotion of the universality, integrity and openness of the Internet. In that regard, it provides for specific commitments of states in the areas of prevention, management and response to significant transboundary disruptions to, and interference with, the infrastructure of the Internet as well as in connection with the management of critical Internet resources. The fulfilment of these commitments is intrinsically linked to the respect of the principles included in the [draft] Committee of Ministers declaration on Internet governance principles [adopted on …].
IV. Commentary on the Recommendation
16. The preamble sets out the reasons that have led the Committee of Ministers to make the recommendation to governments of member states.
17. The Committee of Ministers notes that Internet access and use are exposed to risks of disruption to the stable and ongoing functioning of the network due to technical failures and is vulnerable to other acts of interference with the Internet’s infrastructure. There is considerable specialised expertise on the question of challenges to the stability and resilience of the Internet7 and how that affects the accessibility and openness of the Internet.8
18. It further notes that decisions taken in the context of the technical coordination and management of resources that are critical for the functioning of the Internet, notably domain names and Internet protocol addresses, may have a direct bearing on users’ access to information and on the protection of personal data. These resources are distributed in different jurisdictions and are managed by various non-governmental entities with a regional or global remit.
19. The Committee of Ministers recognises that states have the responsibility to preserve the public interest in national and international Internet-related public policy. They also have mutual expectations towards each other that they will exert their best efforts to preserve and promote the public service value of the Internet. In Recommendation CM/Rec(2007)16 of the Committee of Ministers to member states on measures to promote the public service value of the Internet, this is understood as people’s significant reliance on the Internet as an essential tool for their everyday activities (communication, information, knowledge, commercial transactions) and the resulting legitimate expectation that Internet services be accessible and affordable, secure, reliable and ongoing. In this context, states should acknowledge their shared and mutual responsibilities to take reasonable measures to protect and promote the universality, integrity and openness of the Internet.
The operational part
20. The question of the type of legal instrument that could define states’ roles and responsibilities in respect of the protection of resources which are critical for the ongoing functioning and borderless nature and integrity of the Internet as required under the mandate of the MC-S-CI was analysed during the preparation of this recommendation and discussed extensively in consultations held with stakeholders on numerous occasions.
21. Cross-border co-operation on the security and stability of the Internet currently takes place in some countries as part of the co-operation among technical bodies such as computer emergency teams or within diplomatic circles. This has contributed to starting to build professional and trust-based relationships. However, fostering a greater and deeper level of co-operation, which could lead to sharing of information and best practice in such a way as to facilitate action at a national level remains a challenge.
22. A country’s assessment of risks and threats to the Internet, involving transboundary effects, can be objective and respond to other countries legitimate expectations in relation to the security, stability, resilience and robustness of the Internet only if it is based on a mutually agreed framework that defines these expectations. In the absence of such a framework, definitions of risks and consequences involve subjective interpretations with regard to the roles and responsibilities of states. Therefore, an international regime on the universality, integrity and openness of the Internet should be rooted in explicit recognition of states’ reciprocal legitimate expectations and commonly-accepted norms.
23. During consultations with representatives of different stakeholders it emerged that, given the multi-stakeholder nature of Internet governance, a determination of states’ responsibilities on these matters should carefully preserve the balance of roles and responsibilities of all stakeholders. Defining the scope of state responsibility with regard to the universality, integrity and openness of the Internet as well as identifying supervisory mechanisms as part of an international legally binding framework is a complex exercise given the multi-stakeholder environment of the Internet. In the future, this may entail the elaboration of legal instruments with multi-stakeholder components.
24. Against this background, it is considered that, at this stage, a soft law approach is the best option for state action. This recommendation provides an explicit recognition of states’ legitimate mutual expectations in relation to the universality, integrity and openness of the Internet through setting out a commitment which should help to develop an international regime of co-operation.
25. Public-private partnerships are essential venues for the implementation of this recommendation. Consequently, the Committee of Ministers asks Council of Europe member states to disseminate the provisions of the commitment contained in the recommendation not only to public authorities but also to private entities, in particular those dealing with the management of resources that are critical for the functioning of the Internet as well as to civil society organisations. Member states should also encourage these actors to support and promote the implementation of the principles included in this commitment.
26. The exercise of states’ responsibilities with respect to the universality, integrity and openness of the Internet should be inspired by the basic principles of Internet governance. The commonly-accepted definition of Internet governance is “the development and application by governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet.”9 Because Internet governance is wider in scope than the question of states’ mutual expectations, relationships and responsibilities, it was decided to address the latter in a separate document, namely the above-mentioned Committee of Ministers Declaration on Internet governance principles.
27. The Declaration builds on principles and guidelines on different aspects of Internet governance that have been elaborated by various international organisations, Internet communities and other actors. The Declaration of Principles: Building the Information Society: a global challenge in the new Millennium which was adopted at the first phase of the World Summit on the Information Society, which took place in Geneva from 10 to 12 December 2003 (the Geneva Declaration of Principles) is a key document.10 The European Union (EU) promotes a set of Internet governance principles which it considers as enablers of the success of the Internet.11 In the context of a high level meeting on the Internet economy of the Organisation for Economic Co-operation and Development (OECD) which took place on 28 and 29 June 201, the representatives of the OECD members, Egypt, and of stakeholders, including the Business and Advisory Committee of the OECD (BIAC) and the Technical Internet Community (ITAC) agreed on a number of basic principles for Internet policy-making .12
28. In a national context, examples of principle-based approaches to Internet governance matters include the Norwegian principles of network neutrality drawn up by the Norwegian Post and Telecommunications Authority13 and Principles for the Governance and Use of the Internet developed by the Brazilian Internet Steering Committee.14 Other stakeholders have engaged in bottom-up processes such as the Internet Rights and Principles Dynamic Coalition which has put together 10 Rights and Principles15 and fleshed-out a Charter of Human Rights and Principles for the Internet16. The Association for Progressive Communications has also developed the Internet Rights Charter.17 The Council of Europe, the United Nations Economic Commission for Europe and the Association for Progressive Communications have developed the Code of Good Practice on Information, Participation and Transparency in Internet Governance.18
29. In order to ensure a sustainable, people-centred and rights-based approach to the Internet it is necessary to affirm in a Council of Europe context, while building on the initiatives mentioned above, the core values of the organisation as well as the basic tenets of the Internet communities. These principles should provide guidance to Council of Europe member states and be considered as basic constraints of governance in the context of developing national and international Internet-related policies. Given their importance for this recommendation an account thereof is included below.
Internet governance principles
Principle 1: Human rights, democracy and rule of law
30. This principle draws inspiration from key instruments of international human rights law, notably the Universal Declaration on Human Rights and the European Convention on Human Rights. Its purpose is to affirm that human rights and fundamental freedoms, democracy and rule of law are non-derogable values and basic constraints of Internet governance. They apply equally to offline and online activities and are regardless of frontiers in accordance with international law.
31. The Committee of Ministers has affirmed in numerous instruments that fundamental rights and Council of Europe standards and values apply to online information and communication services as much as they do to the offline world. This stems, inter alia, from Article 1 of the European Convention on Human Rights which lays out the obligation of the contracting parties to “secure to everyone within their jurisdiction” the rights and freedoms protected by the Convention (without the online/offline distinction).19
32. All actors, whether public or private, should make sure that their activities and operations ensure respect for fundamental rights and freedoms in accordance with international human rights law. In this context, it should be recalled that Article 4 of the Articles of Incorporation of the Internet Corporation for Assigned Names and Numbers (ICANN) states that “The Corporation shall operate for the benefit of the Internet community as a whole, carrying out its activities in conformity with relevant principles of international law and applicable international conventions and local law and, to the extent appropriate and consistent with these Articles and its Bylaws, through open and transparent processes that enable competition and open entry in Internet-related markets. To this effect, the Corporation shall co-operate as appropriate with relevant international organizations.”20 Broadly speaking, the private sector should ensure that new technologies, services and applications uphold fundamental rights and freedoms.
33. In particular, there should be an increased awareness and full participation of all actors in efforts related to recognising newly-emerging rights. There are discussions in academic and other fora on rights such as the right to anonymity, the right to be forgotten and the right to virtual identity. The Charter of Human Rights and Principles for the Internet that is being drafted by the Rights and Principles Dynamic Coalition, a group of stakeholders’ representatives which was created within the framework of the IGF, states that everyone has a right to digital identity and that the virtual personality of human persons needs to be respected.21 Although there is no recognition at present of these rights in international law, Internet governance principles should adopt a future-looking approach.
Principle 2: Multi-stakeholder governance
34. Building on the definition of Internet governance, this principle affirms the multi-stakeholder nature of Internet environments. It reflects the understanding of the Geneva Declaration of Principles which states that “[g]overnments, as well as private sector, civil society and the United Nations and other international organizations have an important role and responsibility in the development of the Information Society and, as appropriate, in decision-making processes. Building a people-centred Information Society is a joint effort which requires co-operation and partnership among all stakeholders.”22 It also underlines that the “[i]nternational management of the Internet should be multilateral, transparent and democratic, with the full involvement of governments, the private sector, civil society and international organizations”.23
35. A similar reflection can be found in the EU context. The European Commission has stated that “[t]he multi-stakeholder process on Internet governance continues to provide an inclusive and effective mechanism for promoting global co-operation and needs to be further encouraged.”24
36. The Working Group on Internet Governance (WGIG), which was composed of stakeholders’ representatives, has analysed issues related to the scope of multi-stakeholder participation. The WGIG “[…] came to the conclusion that from an operational point of view, the WSIS criteria of multilateralism, transparency, democracy and full involvement of all stakeholder groups have somewhat different meanings, possibilities, and limits in relation to different types of governance mechanisms. They may therefore be regarded as having different shades of meaning in different contexts. For example, the WGIG recognised that “full involvement of all stakeholders” would not necessarily mean that every stakeholder group should have the same role in the development of policies, the preparation of decisions, the actual decisions and then the implementation of decisions.”25
37. In order to ensure the full participation of stakeholders in Internet governance arrangements it is necessary to ensure that such participation takes place in an open, transparent and accountable manner. According to this principle, inclusiveness means not only participation of all countries in international Internet-related public policies and Internet governance arrangements but also participation of all stakeholders from all countries.
Principle 3: Responsibilities of states
38. This principle is closely linked to the incumbent recommendation. It builds on the affirmations of the Tunis Agenda with regards to the roles of states in Internet governance. In this context, it was recognised that “[p]olicy authority for Internet-related public policy issues is the sovereign right of States. They have rights and responsibilities for international Internet-related public policy issues.”26 Governments should consult with all stakeholders in the development of public policy.27 A similar affirmation on the role of states in Internet governance is noted in the EU contexts. The relevant principle states that “[g]overnments need to fully interact with such multi-stakeholder processes, with stakeholders accepting that it is governments alone who are ultimately responsible for the definition and implementation of public policies.”28
39. The exercise of sovereign rights should take account of the global nature of the Internet. Actions in one country may affect the rights and interests of persons and entities in another. States have legitimate expectations vis-à-vis each other that they will make their best efforts to ensure that actions which may harm the rights and interests of persons or entities outside their jurisdictions will be avoided or, in case of need, that remedial action will be taken promptly. The Council of Europe ministers responsible for media and new communication services have affirmed that “Council of Europe member states share the responsibility to take reasonable measures to ensure the ongoing functioning of the Internet and, in consequence, of the delivery of the public service value to which all persons under their jurisdiction are entitled. Interstate co-operation and solidarity is of paramount importance to the proper functioning, stability and universality of the Internet.”29
40. The principle on responsibilities of states is thus important for guiding the relationship between, on the one hand, local Internet-related policies and Internet management action and, on the other hand, the global Internet. It is in line with the Tunis Agenda which recognised “the need for enhanced cooperation in the future, to enable governments, on an equal footing, to carry out their roles and responsibilities, in international public policy issues pertaining to the Internet, but not in the day-to-day technical and operational matters, that do not impact on international public policy issues.”30 The Tunis Agenda also affirmed that “[u]sing relevant international organizations, such cooperation should include the development of globally-applicable principles on public policy issues associated with the coordination and management of critical Internet resources.” 31
41. The exercise of states rights and responsibilities should be in full compliance with international legal obligations. In a Council of Europe context, states have the duty to secure to everyone within their jurisdictions the rights and freedoms protected by the European Convention on Human Rights. Consequently, any action that amounts to a restriction of fundamental rights and freedoms should meet the conditions set out in the Convention as interpreted in the case law of the European Court of Human Rights; more particularly, any restriction must be based on law, necessary in a democratic society and proportionate. The necessary legal and due process safeguards should be in place.
Principle 4: Empowerment of Internet users
42. The empowerment of Internet users is essential for a free and open Internet and is considered important for promoting innovation. This principle affirms the role that users can and should play in Internet governance as well as in the realisation of their rights and freedoms in online environments and with regards to new communication technologies.
43. Internet and information society technologies increasingly create opportunities for data storage, processing, communication and pervasiveness in people’s private lives. Therefore, users should have the information necessary to make informed decisions and the tools and knowledge to interact with new technologies. They should be able to design their privacy and participate in online activities in full confidence and freedom and according to their own values.
44. Users should be able not only to find the information they wish but also to block contents they do not wish to have access to; to disconnect from the online world, to make their political, commercial or other decisions, and to participate in the development of user-centred governance mechanisms. In this regard, the enhancement of users’ capabilities such as computer and information literacy and the development and promotion of technologies of user empowerment are essential.
45. Everyone should be entitled to take advantage of the public service value of the Internet. The Committee of Ministers has recommended to member states to develop, in co-operation with the private sector and civil society, strategies which promote the integration of Information and Communication Technologies (ICTs) into education, media and information literacy and training in formal and non-formal education sectors for children and adults in order to empower them to use media technologies, to encourage them to exercise their democratic rights and civic responsibilities effectively as well as to make informed choices when using the Internet and other ICTs32. In addition, the Council of Europe has developed a number of standards on media literacy, ongoing and lifelong education as well as on the protection and empowerment of children in online environments.33
Principle 5: Universality of the Internet
46. The Internet enables people to have access to information and services, and to connect and communicate, as well as to share ideas and knowledge on a global scale. Thus, the Internet has developed into a space of freedom for the Internet community worldwide. As a platform for the free flow of information, the Internet has become one of the driving forces for economic growth and innovation in our modern society.
47. The principle of universality of the Internet affirms this understanding. It recognises the global nature of the Internet and constitutes the basic premise for the free flow of information over the Internet and universal access. Also, it builds on the undertaking of the Council of Europe ministers participating in the ministerial conference in Reykjavik (28 and 29 May 2009) to “[c]ontinue to develop the notion of the public service value of the Internet. In this context, explore the extent to which universal access to the Internet should be developed as part of member states’ provision of public services. This may include policies for redressing market failure where market forces are unable to satisfy all legitimate needs or aspirations, both in terms of infrastructure and the range and quality of available content and services.”34
48. The Internet infrastructure located within the jurisdiction of any country is part of the transnational communication network and it supports the free flows of Internet traffic across borders. Interference with the free flow of information may have transboundary effects on people’s access to information. To this extent, it can also engage member states’ responsibility under Article 10 of the European Convention on Human Rights. In this connection, it is necessary to ensure that national Internet-related policies are developed in a manner that recognises the global nature of the Internet and in full respect for international human rights law. The Committee of Ministers, while acknowledging the public service value of the Internet, called on its member states to “affirm freedom of expression and the free circulation of information on the Internet, balancing them, where necessary, with other legitimate rights and interests, in accordance with Article 10, paragraph 2, of the European Convention on Human Rights as interpreted by the European Court of Human Rights [inter alia] by promoting freedom of communication and creation on the Internet, regardless of frontiers.35
49. It is generally accepted that the free flow of information is essential for the global economy. The Seoul Declaration on the Future of the Internet Economy adopted at the OECD Ministerial Meeting on the Future of the Internet Economy, 17 and 18 June 2008, incorporates a commitment of the 39 signatory states and the European Community to “[f]oster creativity in the development, use and application of the Internet, through policies that, inter alia, maintain an open environment that supports the free flow of information, research, innovation, entrepreneurship and business transformation”.36 Also, as mentioned above the representatives of OECD members and other stakeholders agreed on principles for Internet policy-making in June 2011.37
Principle 6: Integrity of the Internet
50. Security, stability, robustness and resilience are essential aspects of the integrity of the Internet. The security and stability of the Internet relate to the ability of the network not to be frequently affected by network failure as well as timely action taken to detect and adjust to network failure. In the Internet interconnection system, resilience is understood as “the ability to provide and maintain an acceptable level of service in the face of various faults and challenges to normal operation. That is the ability to adapt itself to recover from a serious failure, or more generally to its ability to survive in the face of threats.”38 Robustness is considered to be an important aspect of resilience. “A robust system will have the ability to resist assaults and insults, so that whatever some event is throwing at it, it will be unaffected, and no resilient response is required. While resilience is to do with coping with the impact of events, robustness is to do with reducing the impact in the first place.39
51. The integrity of the Internet is a pre-condition for people’s ability to exercise their rights and freedoms online, preserving their trust and reliance on the Internet as well as for promoting their participation in online environments. On a broader scale, the Internet is a critical resource for people, business enterprises, public administrations and society as a whole. Consequently, the integrity of the Internet, including key components such security, stability, robustness and resilience, is an essential objective of Internet governance.
52. The cross-border interconnectedness and interdependencies of the Internet infrastructure are essential factors to be considered in efforts to ensure the integrity of the Internet. The management of critical resources which are distributed in different jurisdictions and are managed by various entities with a global or regional remit is also important in this context. It is therefore necessary to promote international and multi-stakeholder co-operation.
53. States have a duty to live up to people’s legitimate expectation that Internet policy will reflect the public interest and deliver on the public service value of the Internet, which, as mentioned above, is understood as people’s significant reliance on the Internet as an essential tool for their everyday activities and the resulting legitimate expectation that Internet services be accessible and affordable, secure, reliable and ongoing.40 States should play an active role in preserving peoples’ trust and reliance on the Internet stability and ongoing functioning. The Tunis Agenda recognised that the Internet has evolved into a global facility available to the public included a commitment to the stability and security of the Internet.41 It further acknowledged “that all governments should have an equal role and responsibility for international Internet governance and for ensuring the stability, security and continuity of the Internet” as well as “the need for development of public policy by governments in consultation with all stakeholders.”42
54. The integrity of the Internet is not a matter of exclusive state or any other stakeholder competence. The technical community, Internet management entities and the private sector in general should make efforts to preserve the security, stability, robustness and resilience of the Internet and to preserve the global public interest in the management of critical Internet resources. It is nevertheless understood that in international law the legally binding obligation to guarantee the protection of human rights, including freedom of expression and the right to receive and impart information regardless of frontiers, lies with states only (cf. Article 1 and Article 10 of the European Convention on Human Rights).
Principle 7: Decentralised management
55. The Internet is a distributed network of networks which are owned and administered by private entities, including telecommunication companies, Internet service providers and other enterprises. The core standards and practices for the networking protocols are developed by an open and broad technical community which involves both organisational forms such as the Internet Architecture Board, the Internet Engineering Task Force, the World Wide Web Consortium as well as numerous technical experts working independently in the profit and non-for-profit sectors. Critical Internet resources are administered by non-governmental entities with global remit such as ICANN in respect of domain names or with regional remit such as the Regional Internet Registries in respect of Internet protocol addresses.
56. As a result, there is decentralised responsibility for management of networks, software applications, services and content. This model has been successful in enabling communication, public access to information, adaptation to changing conditions, and making efficient use of available infrastructure. Its preservation should therefore be a guiding principle for Internet-related policy making.
57. The principle of decentralised management affirms that states have a limited role to play in the day-to-day management of the Internet. This is in line with the Tunis Agenda which affirms the need for enhanced co-operation among governments on international public policy issues pertaining to the Internet but not in the day-to-day technical and operational matters.43
58. However, this principle does not exclude entirely states’ involvement in processes or decisions related to the management and evolution of the Internet. The private sector should acknowledge that the global public interest needs to be preserved in Internet governance with states having the main responsibility in this regard.
59. As the Committee of Ministers has stated in its Recommendation on the public service value of the Internet, people rely on the Internet for their every day activities and have a legitimate expectation that Internet services should be accessible and affordable, secure, reliable and ongoing.44 These expectations concern general public interests and hence give rise to state responsibility to preserve such interests in Internet-related policy-making and Internet governance in general. In order to enable states to discharge their responsibilities, it is necessary to ensure transparency and accountability of the private sector for its actions that have an impact on public policy. Nonetheless, this may entail positive obligations for member states to the extent that the enjoyment of human rights may be affected, notably as regards freedom of expression and the right to receive and impart information regardless of frontiers.
60. Transparency is a central feature of many of the affirmations of the Tunis Agenda. It is described as a basic premise of the governance of the Internet in general45 and is embodied in a number of other affirmations on specific topics and issues such as the development of strategies for global connectivity and equitable access,46 multilingualism47 and development of regulatory frameworks.48
Principle 8: Architectural principles
61. The Internet architecture is based on open, non-proprietary and globally applicable standards which can be used by anyone.49 They are developed in the framework of pluralistic, transparent and co-ordinated collaborative processes involving a widely distributed community of technical experts. A key architectural principle of the Internet is its end-to-end nature which refers to a function of the network in which “the intelligence is at the endpoints rather than hidden in the network.”50 In other words, the network provides basic data transport only while leaving applications and other forms of information processing to devices or hardware of users, application operators and service providers standing at the endpoints of the network.51
62. These design principles have contributed to the current success of the Internet; a platform for access to information, services and applications as well as for innovation, competition and economic growth. These principles should serve as normative guides for Internet-related policy making.
63. The architecture of the Internet and its governance evolve as technological innovation emerges. The number of Internet uses also increases by the day, including mobile Internet and diverse terminals and devices. These provide new opportunities for people, society and economy. It is therefore necessary that there are no barriers to entry for both new users and uses of the Internet or unnecessary burdens which could affect the potential for innovation in respect of technologies and services.
Principle 9: Open network
64. The network provides the inter-networking layer that enables communication of diverse devices and hardware. It is not optimised for any particular use, service or application but serves as an open, neutral and transparent platform for a wide variety of services and applications including new unforeseen ones.
65. Certain network and traffic management practices may involve blocking access to Internet resources in order to achieve a competitive advantage or blocking or filtering access to Internet content in order to implement governmental policy, thus affecting users’ capacity to access information, content, service or application of his or her choice. To deal with these issues the concept of network neutrality has been advanced in different contexts and by different communities and actors. The Brazilian Principles for the Governance and Use of the Internet give the following formulation in respect of the principle of neutrality of the network -“[f]iltering or traffic privileges must meet ethical and technical criteria only, excluding any political, commercial, religious and cultural factors or any other form of discrimination or preferential treatment.”52
66. Principle nine adopts an access-oriented and openness-based approach to open network. Its purpose is to preserve the ability of all Internet users to connect to the network and have access to any lawful content, services or applications. This principle is not concerned with specific methods of network or traffic management or different business models for the offering of services in the supply chain but with preserving universal and non-discriminatory access. It builds on the Committee of Ministers’ Declaration on network neutrality which states that “users should have the greatest possible access to Internet-based content, applications and services of their choice, whether or not they are offered free of charge, using suitable devices of their choice. Such a general principle, commonly referred to as network neutrality, should apply irrespective of the infra-structure or the network used for Internet connectivity. Access to infrastructure is a prerequisite for the realisation of this objective.” 53
67. The Declaration also states that “traffic management should not be seen as a departure from the principle of network neutrality. However, exceptions to this principle should be considered with great circumspection and need to be justified by overriding public interests.”
68. In addition, ‘[u]sers and service, application or content providers should be able to gauge the impact of network management measures on the enjoyment of fundamental rights and freedoms, in particular the rights to freedom of expression and to impart or receive information regardless of frontiers, as well as the right to respect for private life. Those measures should be proportionate, appropriate and avoid unjustified discrimination; they should be subject to periodic review and not be maintained longer than strictly necessary. Users and service providers should be adequately informed about any network management measures that affect in a significant way access to content, applications or services. As regards procedural safeguards, there should be adequate avenues, respectful of rule of law requirements, to challenge network management decisions and, where appropriate, there should be adequate avenues to seek redress.”
Principle 10: Cultural and linguistic diversity
69. The preservation of cultural and linguistic diversity is central to the full realisation of the public service value of the Internet on a global level. In particular, multilingualism in cyberspace is a basic condition for cultural diversity and participation of all linguistic groups in the information society. The Internet should be a space for expression, exchange and interaction of all cultures and languages. The ability of Internet users to have access to websites, which offer content in their own language, is an important element of access to the Internet and user empowerment. Internet-related public policies should promote and facilitate capacity building on the production of local language content and availability of translation technology.
70. International standards, notably the UNESCO Convention on the Protection and Promotion of the Diversity of Cultural Expressions of 20 October 200554, provide guidance on the protection of multilingualism and cultural diversity. The protection of the common cultural heritage of Europe as well as the promotion of inter-cultural dialogue are part of Council of Europe conventional and other standards.55
Commentary on the provisions of the Recommendation
71. The principles included in this part of the recommendation are intended to provide the basic foundation for the other proposed state commitments in respect of the preservation of Internet’s infrastructure and the cross-border flow of the Internet traffic.
1.1 No harm
72. This provision lays down a commitment for member states not to cause harm to access and use of the Internet beyond their own jurisdictions. The exercise of this commitment is subject to ensuring compliance with international standards on the protection of human rights and freedoms, notably the European Convention on Human Rights, as well as principles of international law.
73. During the preparation of this recommendation, it was deemed necessary to affirm this principle as a basic foundation of an international framework of co-operation and collaboration on the universality, integrity and openness of the Internet. The no-harm principle is based on customary and international law according to which states are under an obligation not to inflict damage on or violate the rights of other states.56
74. The no-harm customary law principle has entered international law and extends to almost all inter-state relationships, with a more explicit articulation in the field of environment protection.57 The United Nations Framework Convention on Climate Change says in its preamble that “[s]tates have, in accordance with the Charter of the United Nations and the principles of international law, the sovereign right to exploit their own resources pursuant to their environmental and developmental policies, and the responsibility to ensure that activities within their jurisdiction or control do not cause damage to the environment of other States or of areas beyond the limits of national jurisdiction.”58
75. It was also deemed necessary that, in the context of ensuring the openness and universality of the Internet, states should ensure that their actions within their jurisdictions do not interfere with access to content outside their territorial boundaries or negatively impact the transboundary flow of Internet traffic.
76. This principle sets forth a general requirement of co-operation among states and stakeholders at all stages of policy development and implementation of Internet-related policies to the extent that this is necessary to avoid any adverse transboundary impact on access to, and use of, the Internet. The modalities of co-operation are stated more specifically in the subsequent sections of the recommendation. They envisage co-operation of states in the prevention and management of, as well as response to, risks and threats to critical Internet resources. A multi-stakeholder approach is considered crucial to the success of such action.
77. Under this principle, states are required to co-operate in good faith. This requirement is in line with international law. The Vienna Convention on the Law of Treaties, 23 May 1969, declares that the principle of good faith is universally recognised and affirms its central importance in respect of the observance, application and interpretation of the treaties.59
78. This principle states that, within the limits of non-involvement in the day-to-day technical and operational matters, states should, in co-operation with each other and with all relevant stakeholders, take all necessary measures to prevent, manage and respond to significant transboundary disruptions to, and interferences with, the infrastructure of the Internet, or at any event minimise the risk and consequences arising from such events.
79. It is understood that “significant” in this context involves detrimental consequences for people’s or other actors’ ability to have access to Internet information, services, applications or resources. Whether a particular disruption or interference with the Internet should be considered as significant or not should be subject to factual assessment to be made in each specific case. A specification of a list of cases or situations of disruptions or interferences that would fall under this category does not seem to be feasible in the light of the scale, complexity and dynamic nature of the interconnection system, the multitude uses of Internet services and applications’ uses or when considering the speed with which technology evolves. The most important element that would determine whether certain situations would fall within the scope of this recommendation is the transboundary effect on the the security, stability, robustness and resilience of the Internet, to which preventive and response measures and policies should be applicable.
80. This principle sets forth a standard of care or due diligence for the protection and promotion of integrity and universality of the Internet which is integrated in the specific commitments contained in the other provisions of the recommendation. Under such a standard, states are required to take reasonable measures to prevent, manage and respond to significant transboundary disruptions to or interferences with the infrastructure or critical resources of the Internet. Where this is not fully possible, a state is required to exert best efforts to minimise the risks and consequences arising from such events.
81. In international law, a requirement to act with due care or an obligation of due diligence imposes on a state a duty to exert its best possible efforts to prevent and minimise foreseeable significant transboundary harm.60 The standard of due diligence is a standard of conduct rather than a standard of result; it is the conduct of the state in question that would determine whether a state has fulfilled its commitment by means of taking reasonable measures. Moreover, the response has to be measured against actual possibilities or means available rather than against an ideal situation.
82. In the context of the universality and integrity of the Internet, due diligence would be manifested in reasonable efforts by a state to inform itself of factual and legal elements that involve risks of transboundary disruptions to or interferences with the Internet’s infrastructure and to take reasonable measures in a timely fashion to address these issues. Such measures may include development and implementation of policies to promote enhanced awareness in the public and private sectors about network vulnerabilities and incidents, facilitate multi-stakeholder co-operation and provide incentives for research in various aspects of Internet integrity.
83. The required degree of care should be proportional to the degree of risk involved and the consequences incurred. The disruption and interference should be foreseeable and the state concerned must know or should have known under the circumstances specific to each case that there was a risk of significant transboundary consequences. A state should not bear the risk of unforeseeable consequences vis-à-vis states likely to be affected by activities taking place within its jurisdiction. The commitment “to take all reasonable measures” to prevent and respond to disruptions or interference, or to minimise risks and consequences thereof, should be of a continuous nature. It is understood that the implementation of those measures should be commensurate to the overall capabilities of the country concerned to address the risks to the integrity of the Internet.
84. In the exercise of due diligence commitments states should not be involved in day-to-day technical and operational matters. This is fully in line with the Tunis Agenda which recognised “the need for enhanced cooperation in the future, to enable governments, on an equal footing, to carry out their roles and responsibilities, in international public policy issues pertaining to the Internet, but not in the day-to-day technical and operational matters, that do not impact on international public policy issues.”61
Integrity of the Internet
85. The commitments set out in this part of the recommendation are concerned with risk management with regard to the universality, integrity and openness of the Internet. States should engage in co-operation with each other in enabling the creation of a system of prevention, management and response to commonly shared risks by means of information sharing, consultation and mutual assistance. The commitments included in this recommendation are different from rules dealing with responsibility for internationally wrongful acts. Therefore, they should be considered as primary in nature.62
86. An effective system for dealing with disruptions to and interference with the network necessitates emergency planning and preparedness in view of the limited time available to deliberate, co-ordinate and act upon threats when they emerge. Thus, it is important that such action be based on strategies of anticipatory action and not left only to technologies or reactive technical measures. The development of such strategies involves policy decisions on priorities, resources and other matters.
87. Because of the cross-border interconnectedness and interdependencies of the network, national strategic approaches should be co-ordinated. The recommendation, therefore, provides that states should jointly and in consultation with relevant stakeholders develop and implement emergency plans for managing and responding to disruptions to, and interferences with, the infrastructure of the Internet.
88. In the context of preparedness, it is important to have in place standards, rules and practices on Internet security, stability, resilience and robustness, such as those on information sharing and incident reporting. States should play an enabling role in respect of their development and implementation in the public and private sector. For instance, in conjunction with the private sector, states can promote and facilitate the development of common standards on Internet resilience or practices for deploying relevant technologies. States also have the possibility to provide market incentives for wide take-up of resilience technologies as well as to fund and promote research in this context. The cross-border nature of risks of and threats to the integrity of the Internet calls for close co-operation among public authorities.
89. States’ enabling role should extend beyond support for standard development. Co-ordination, co-operation and confidence-building among stakeholders are key to the identification and assessment of vulnerabilities of or threats to the integrity of the Internet. A major obstacle in creating resilient networks is the reluctance of certain operators to disclose and share data about vulnerabilities of information systems due to concerns about protection of reputation or for competitive advantage reasons. The European Network of Information Security Agencies states “[t]here remains a lack of a clear framework for effective and timely exchange of information on critical infra-structure protection including responsible and timely disclosure of vulnerabilities.”63
90. It is therefore important that states create an environment that facilitates risk management and response co-ordination among stakeholders with regards to vulnerabilities and threats to the integrity of the Internet. States should promote an enhanced awareness on society’s dependencies on the Internet. In this connection, they should facilitate the identification of critical sectors benefiting from Internet infrastructures (e.g. energy, health, security) or other dependencies of the society on the Internet.
91. More particularly, states should play an active role in creating public-private co-operation platforms with regard to awareness-raising, information sharing, incident investigation and reporting as well as management and response. In this context states should promote the identification, collection and sharing of data and information on risks to the security, stability, robustness and resilience of the network as well as risks emerging from technologies and applications.
92. Risk management and response co-ordination entails a common understanding of the roles and responsibilities of stakeholders in relation to the consequences of their actions on the security, stability, robustness and resilience of the Internet. In this regard, states should engage in dialogue with private sector and civil society stakeholders with a view to building closer relationships.
93. This section sets forth specific actions that are expected of a state to implement the due diligence principle which requires continuous efforts. These actions include notification, information sharing, consultation and mutual assistance.
94. States should provide timely notification of risks of transboundary disruption or interference with the Internet’s infrastructure to potentially affected states. This is an indispensable part of any system of preparedness, prevention of and response to transboundary harm. Comparable notification duties are embodied in a number of international agreements, decisions of international courts and tribunals, and declarations and resolutions adopted by intergovernmental organisations.64 According to the present recommendation, states should act “without delay” when providing notification of an emergency which, in practice, means immediately upon a state becomes aware of a risk or a situation of emergency so that there will be sufficient time for the states concerned to consult on appropriate management measures and to take appropriate remedial action.
95. A requirement of notification incorporates a precautionary approach. It entails identification of risks to the security, stability, robustness and resilience of the Internet that may have transboundary effects as well as an assessment thereof. Furthermore, the exchange of information that is relevant to responding to these effects in a timely manner is essential for the management of emergency situations. The information that is required to be exchanged is whatever would be deemed useful for the purpose of responding to a significant disruption to or interference with the Internet’s infrastructure. States should be free to choose or construct the means of communication in the spirit of co-operation.
96. States should also engage in mutual consultation in order to agree on measures to manage or respond to situations of significant transboundary disruption or interference with the Internet’s infrastructure. Such consultation is needed in order to maintain a balance between the legitimate interests of the states concerned as regards the utilisation of Internet infrastructure and resources located in their particular jurisdictions. The purpose of this is to enable the states concerned to achieve mutually acceptable solutions regarding response measures, which means those measures that are accepted by those states and based on an equitable balance of interests.
97. With a view to mitigating adverse consequences on the integrity of the Internet, states should engage in mutual assistance. Generally, in international law, as for example in the field of environment protection, obligations of prevention, management and mitigation go hand-in-hand,. In the context of the Internet, commitments on these matters are considered to be mutually reinforcing with regards to the preservation of the integrity and universality of the Internet. The requirements of solidarity and good faith are an integral part of any international co-operation procedure, and are therefore included in this part of the recommendation.
98. The level or degree of care that is expected in providing assistance to countries affected by disruptions to or interferences with the Internet’s infrastructure is understood as being proportional to and commensurate with the capabilities of each country.
99. This provision may, at first sight, be considered as redundant as it states in general terms the specific commitments detailed in the previous provisions. However, during the preparation of this recommendation it was deemed necessary in order to stress the continuous character of the due diligence commitments contained in this recommendation.
100. Legislative and administrative measures are mentioned specifically with a view to providing guidance to member states in respect of the implementation of this recommendation. However, the purpose of this recommendation is not to restrict states’ possibilities for action but to enable them to pursue the ways, and utilise the means, that they deem appropriate for implementing this recommendation. This explains the use of the expression ‘other measures’. Depending on the specific situation, legislative action may be necessary in order to overcome barriers to international co-operation. Such barriers may flow from differences in legal environments, operational standards and practices or levels of organisational, political or financial support for computer emergency teams. Although not specifically provided for in this recommendation, other measures may include the mechanisms that are suitable for monitoring the implementation of their preparedness and prevention commitments in respect of disruptions to and interference with the Internet’s infrastructure.
101. The provision on implementation should not be interpreted as an assertion of exclusive competence by state authorities in dealing with the integrity of the Internet. The specific actions set out in almost all the provisions of this recommendation require close co-operation with stakeholders either in the context of public-private partnerships or otherwise. The requirement of non-involvement of states in the day-to-day administration of the network or operational matters also sets an important limit for the implementation measures. This is fully in line with the Tunis Agenda which affirms that the private sector takes the lead in the day-to-day operations of the Internet65 and “recognise[s] the need for enhanced co-operation in the future, to enable governments, on an equal footing, to carry out their roles and responsibilities, in international public policy issues pertaining to the Internet, but not in the day-to-day technical and operational matters, that do not impact on international public policy issues.”66
102. As specified in the commentaries to the due diligence principle, the commitments included in this recommendation are primary in nature. It is clear from the provision on responsibility that it is not the purpose of the recommendation to establish secondary rules on liability and reparation in respect of adverse consequences for or damage to the stability, security and resilience of the Internet or to address the issue of settlement of disputes arising from the interpretation or implementation of the commitments on international co-operation.
103. While a regime of liability for adverse consequences to the universality and integrity of the Internet may have a deterrent effect on disruptions to or interferences with the stability, security, resilience and robustness of the Internet, it is considered that a preparedness and response approach can have an even more direct and effective deterrent effect. Consequently, the focus of this recommendation is on co-operation in the prevention of and response to disruptions of and interference with the Internet.
104. This thinking mirrors the legal concepts underlying international law on environmental protection. Because of inherent limitations of compensatory liability regimes, mostly related to litigation and dispute settlement, the international regulation on common natural resources, including that on marine, international rivers and lakes and atmospheric pollution as well as on protection and conservation of fauna and flora, places emphasis on preventive, management and mitigation measures rather than reparation.
105. States nevertheless should engage in dialogue to develop further international standards relating to the responsibility and liability for the assessment of and compensation for damage as well as the settlement of related disputes. The use of the term ‘further’ is intended to refer to existing principles of international law which provide guidance on the responsibilities of states for internationally wrongful acts, notably those included in the International Law Commission Articles on State Responsibility67.
106. This recommendation is not concerned with determining whether activities which involve disruption to or interference with the Internet’s infrastructure constitute breaches of obligations recognised in international law, particularly those in respect of the maintenance of peace which are set forth in the United Nations Charter. It is also understood that commitments on prevention, management and response to Internet disruptions or interferences should not have any bearing upon international co-operation to fight cybercrime in accordance with the Budapest Convention. Indeed, the implementation of the Budapest convention is one means for states to fulfil certain commitments under this recommendation.
Resources that are critical for the functioning of the Internet
107. Decisions made in the framework of the technical co-ordination and management of critical Internet resources, such as the Internet Protocol addresses resources and the domain name space, may have a direct bearing on access to information and freedom of expression as well as respect for data protection. In a recent decision, the French Constitutional Council acknowledged that freedom of expression may be at stake in the context of the management of the French domain name system and that the relevant regulatory framework should include safeguards for freedom of expression.68
108. Policy development and implementation in the context of non-governmental entities with a global or regional remit should also include safeguards for freedom of expression and data protection. As bearers of the duty to ensure the protection of human rights and fundamental freedoms under article 1 of the European Convention on Human Rights, Council of Europe member states should take all reasonable measures to ensure that the development and application of standards, policies, procedures or practices in connection with the management of resources that are critical for the functioning of the Internet incorporate protections for the human rights and fundamental freedoms of Internet users in compliance with the standards recognised in international human rights law.
109. This commitment applies to policy-making and implementation on critical Internet resources both at the national and international level. With regards to the latter, one of the ways in which member states can fulfil this commitment is by participating actively in the Governmental Advisory Committee of ICANN. As recalled earlier, article 4 of ICANN’s Articles of Incorporation states that “The Corporation shall operate for the benefit of the Internet community as a whole, carrying out its activities in conformity with relevant principles of international law and applicable international conventions and local law and, to the extent appropriate and consistent with these Articles and its Bylaws, through open and transparent processes that enable competition and open entry in Internet-related markets. To this effect, the Corporation shall co-operate as appropriate with relevant international organizations.”69
110. Similar to other commitments provided for in this recommendation, this is a due diligence standard. Member states are required to exert their best possible efforts to ensure that activities conducted by non-governmental entities respect human rights and fundamental freedoms in accordance with international standards. Council of Europe member states are under an obligation not only to refrain from acts violating the rights and freedoms guaranteed by the European Convention on Human Rights but also to take positive action to protect these rights and freedoms. The notion of positive obligations, requiring that the state concerned adopt reasonable measures to prevent, or provide effective remedies for, violations of rights and freedoms guaranteed by the European Convention on Human Rights has been articulated clearly in the case-law of the European Court of Human Rights; such positive obligations arise irrespective of whether the violation is committed by state or non-state actors.70