Policy and regulation perspective: Privacy and beyond

Event report

Cybersecurity and privacy represent two interconnected aspects. Legal frameworks are mandatory in any cyber context because of the amount of personal information that needs to be protected while keeping up with the speedy evolution of technologies. Data is essential for Internet of Things (IoT) devices; indeed, by 2025, there will be over 20 billion connected devices. The session was moderated by Mr Marcin Cichy (President of the Office of Electronic Communications (UKE) of Poland). It focused on privacy considerations within the context of artificial intelligence (AI) and IoT, including references to the General Data Protection Regulation (GDPR).

The first speaker was Mr Mohammad N. Azizi (Chairman of the Afghanistan Telecom Regulatory Authority (ATRA)). He explained how the information technology landscape is in constant evolution and how most of data is generated from online and offline platforms. Thus, IoT will further transform the way we think about data and the way we use it. With the application of AI to IoT devices, the cybersecurity aspect becomes a crucial one. As a result, law enforcement agencies and regulators cannot work in silos, they need to work together. Regulators need to focus on how data is collected, while law enforcement should focus on how the data is used. Collaboration is necessary for going forward.

The second speaker, Mr Giampiero Nanni (Government Affairs of Symantec) talked about the impact of privacy in the context of Shadow IT, defined as information technology systems that live inside an organisation without explicit organisational approval. Thus, privacy issues are raised when dealing with data put into the cloud through these applications. Finally, he further argued that IoT is a ‘time bomb’ because it does not have provisions in terms of security.

The third speaker, Mr Aaron Kleiner (Director, Industry Assurance & Policy Advocacy at Microsoft) spoke from a deep industrial perspective explaining how technology companies think about security and adding Microsoft’s experience as an example. He argued that a change in people’s mindset is needed: approaches need to move from a security bolt at the end of production – to putting security in the core of production. In addition to that, an operational assurance framework should be put into consideration. Over the years, societal technology reliance reached policymakers. From the technology sector’s perspective, it is up to them to understand how to improve cybersecurity. In regards to this, he recalled Microsoft’s publication, The Future Computed: Artificial Intelligence and Its Role in Society. He finished his argument by stating that there is a need for time to identify and articulate the key principles of making AI, and enabling people to achieve more. The tech industry is collaboratively looking at AI. To this extent, a public-private dialogue should be fostered. With regards to the GDPR, he argued that it has a significant impact on the private sector, arguing that privacy represents the foundation for trust between the private sector and consumers.

The fourth speaker, Mr Luigi Rebuffi (Secretary-General of the European Cybersecurity Organization (ECSO)) argued that a right balance between monitoring activities and cybersecurity does not exist. It depends on various aspects, such as the cultural environment. Recently, surveillance has switched from physical surveillance to digital surveillance of data and information. He stated that it is a kind of surveillance that we, as citizens, are providing to society. Moreover, society will evolve with the increase of connected devices. With regards to privacy, a recurrent, still open question is: does privacy still exist? There is a need to find a pathway for the balance between the increase of security and the correct use of data. Furthermore, there is a need to educate both protectionists and also, citizens.

The fifth speaker, Ms Raquel Gatto (Regional Policy Advisor of the Internet Society (ISOC)) recalled ISOC’s publication the 2017 Internet Society Global Internet Report: Paths to Our Digital Future. She explained that the research identified six different drivers: cyber threats; AI; IoT; the role of governments; network standards; and Internet economy. Despite the apocalyptic view about jobs that will be lost, there is room to be optimistic: technological evolution can be used for better social development. With regards to cybersecurity, it has to be considered during the first stages of development, and it is up to regulators to change this mindset. She argued that this is already happening in the case of the IoT framework of the Online Trust Alliance (OTA). However, work should also be done on the prevention side. Finally, she concluded her speech by trying to answer the question ‘does privacy still exist?’ She argued that yes, it does, and it is about being aware of your data. Thus, no law will bring a definitive solution, but an efficient way to achieve privacy is to a collaborative by all stakeholders.

The sixth speaker was Mr Ivo Lõhmus, Vice President Public Sector of the Guardtime AS, who talked about the use of blockchain in the implementation of the use of data. He explained how blockchain technology works and explained that one important feature of blockchain is the immutability of data. As a result, this can have negative implications with regard to human rights such as the right to be forgotten.

The final speaker was Mr Vincenzo Lobianco (Chief Technology and Innovation Officer
(Autorità per le Garanzie nelle Comunicazioni) of Italy). He talked about the Italian experience in terms of a best practice example. There is a new paradigm in place: the use of IoT means that several different actors are involved in the collection and elaboration of data. They all have a common feature: they need a communications infrastructure to send data directly to the centre, to the cloud. The telecom regulator has to understand the need for working with different sectors. In conclusion, he gave three main examples of collaboration: the energy sector with smart metering; the transportation authority; and finally, the large investigation of big data and economy.