Internet Standards and Frontier Technologies: Lessons from the Past, Tasks for Today, Choices for the Future – WS 05 2026
27 May 2026 12:30h - 13:30h
Summary
The discussion focused on Internet standards, security, and governance, with particular attention to how standards are developed, deployed, and made inclusive across stakeholder groups.[4-9][81-84][307-308] Peter Thomassen argued that standard-setting bodies such as the IETF and W3C generally work well and coordinate effectively, but that deployment remains difficult because many technologies are too complex for broad adoption without further support.[5-10] Using HTTPS as an example, he explained that its former setup process was cumbersome and error-prone, while widespread adoption only came after automation through Let’s Encrypt and ACME made deployment routine.[11-30]
Thomassen then applied the same logic to DNSSEC, stressing that DNS is foundational to Internet connections and that falsified DNS data can redirect traffic and even undermine HTTPS.[31-38][49-50] He said DNSSEC solves this by signing DNS information, but its activation has been complex, resulting in low deployment and a poor reputation due to mistakes made when it was pushed before automation was mature.[38][43-58] He concluded that technologies should not be promoted before they are complete, that automation should be built into standards early, and that incentives such as registry discounts can materially improve adoption.[53-71]
Suncica Rosic expanded the discussion to multi-stakeholder participation, arguing that inclusion should be evaluated by asking who is in the loop, how participation is balanced, and who is empowered in actual decision-making.[85-100] On DNSSEC, she emphasized that delegation signer management is still largely manual and registrant-centric, making it complex, exclusionary, and prone to failure, and she cited proposals to automate these tasks between registries, registrars, and DNS operators instead.[102-118] Bruna Martins de Santos added that technical standards can strongly shape later regulation and corporate practice, so civil society should help ensure that human rights, lived experience, and implementation concerns are reflected in standards work, especially in AI-related initiatives such as C2PA.[124-138]
In the discussion, participants raised concerns about digital sovereignty, the risk that policy-driven technical choices could constrain openness, and the need to preserve resilient, user-driven Internet design.[151-156][176-181] Civil society’s role was described as evolving but centered on monitoring processes, calling out abuses, and ensuring accountability and broad representation, even as participants noted tokenization and knowledge gaps in governance spaces.[165-172][187-195][234-235][307-320] The session ended with rough consensus around draft takeaways calling for European engagement in global, multi-stakeholder standard-setting, stronger incentives and coordination for deployment, lifecycle-aware standardization, and sustained support for diverse participation.[361-366][380-382][384][386-391][398-401]
Key points
– A central discussion point was that the main problem is not standard-setting itself, but deployment: standards bodies like the IETF, W3C, and NIST were described as functioning reasonably well, while real-world adoption lags because many security technologies are too complex to implement manually. HTTPS was used as the main example: it was once error-prone and niche, but broad deployment only happened after automation via Let’s Encrypt and ACME reduced complexity and mistakes. [5-9][11-30]
– A second major point was that DNS and DNSSEC illustrate both the importance of infrastructure security and the risks of promoting immature technologies. Peter argued that DNS is foundational because attacks on DNS can redirect traffic and even undermine HTTPS, while DNSSEC offers a solution through signed DNS data. However, DNSSEC adoption has remained low because deployment is complex and lacked automation, leading to failures, reputational damage, and user frustration. He concluded that incomplete technologies should not be pushed too early; instead, automation should come first, then promotion, alongside incentives. [31-58][64-71]
– A third major theme was multi-stakeholder inclusion: speakers stressed that inclusion is not just about having stakeholders “in the room,” but about ensuring the right actors are present, participation is balanced, and stakeholders are actually empowered in decision-making. Suncica drew on Jeremy Malcolm’s framework of asking who is in the loop, who is included, and who is empowered; she also emphasized that technical design choices can unintentionally exclude less-resourced actors, as seen in manual DNSSEC deployment. Later interventions argued that civil society’s role is evolving but remains crucial for monitoring, accountability, and bringing affected communities’ perspectives into standards and governance processes. [81-100][111-119][165-172][187-194][307-320]
– A fourth discussion point concerned frontier technologies, especially AI, and whether lessons from Internet standards should be applied there. Bruna argued that standard-setting shapes how future regulation and corporate practices develop, so civil society should help embed human rights into AI-related standards. She highlighted concrete harms from AI, such as lack of transparency in AI-generated content, and pointed to initiatives like C2PA as examples of multi-stakeholder work. Other speakers warned that AI governance is at risk of becoming dominated by governments and large firms, with civil society and technical communities tokenized rather than meaningfully included. [124-138][307-320][321-332]
– A fifth major theme was incentives, sovereignty, and the politics of adoption. Multiple participants discussed how standards often fail to spread not because the technology is absent, but because incentives are weak or misaligned. Examples included registry discounts that boosted DNSSEC uptake, private pressure such as Google’s role in pushing HTTPS, and debates over how to encourage IPv6 adoption. Participants also warned that poorly defined “digital sovereignty” initiatives could create restrictive, fragmented systems or single points of failure if they narrow technical choice too much. [64-68][159-161][174-181][199-206][264-283][286-300]
The overall purpose of the discussion was to examine how Internet and emerging technology standards can be made more secure, deployable, and inclusive, especially in relation to European and global governance. The conversation sought to connect technical standardization with real-world implementation, incentives, civil society participation, and broader policy concerns such as digital sovereignty, AI governance, and resilience. This goal was made explicit in the session’s wrap-up, which proposed consensus messages on contributing to global standard-setting, bridging the deployment gap, aligning standards with technology lifecycles, and strengthening participation in standard bodies. [361-366][371-382][398-402]
The overall tone was constructive, expert, and collaborative throughout. Early on, it was explanatory and technical, especially during Peter’s account of HTTPS and DNSSEC deployment problems. It then became more normative and political as speakers raised questions of inclusion, civil society’s role, digital sovereignty, and AI governance. At times the discussion grew more cautionary and critical, particularly around tokenization, underinvestment in civil society, weak incentives, and the risks of forced or poorly designed policy interventions, but it remained respectful and solution-oriented, ending in a pragmatic effort to formulate rough consensus recommendations. [19-30][51-57][130-138][232-235][339-345][361-402]
Speakers
– On-site participant – multiple unidentified in-room participants; roles mentioned include technical community participant, Eurotech Board representative (“Chuck Picklinger”), and other audience contributors.
– Matthias C. Kettemann – moderator of the discussion.
– Suncica Rosic – inter-alien next generation ICANN fellow; master’s student in economics, data, and policy at Central European University; speaker on multistakeholder participation, DNSSEC, and cyber inequality.
– Filip Lukáš – presented the preliminary session summary / rough-consensus messages.
– André Melancia – technical community representative.
– Francesco Vecchi – from Humans; represents civil society / a political movement.
– Peter Thomassen – from deSEC; member of the ICANN Security and Stability Advisory Committee; spoke on domain security, standardization, DNSSEC, HTTPS automation, and deployment obstacles.
– Wout de Natris – board member; raised questions on secure-by-design procurement and post-quantum cryptography transition.
– Lars-Johan Liman – from Netnod; spoke on digital sovereignty, resilience, and IPv6 transition.
– Bruna Martins de Santos – representing WITNESS, a civil society organization; advocate working on human rights, AI-related harms, and standards discussions; also associated with civil society engagement in digital cooperation and governance [S25].
– Co-moderator – online moderator / session support role.
Additional speakers:
– Chuck Picklinger – from the Eurotech Board.
– Adrian Block – from the technical community.
– Jamal Shaheen – identified himself as from the “very non-technical community.”
– Karen Mulberry – mentioned by the moderator as possibly having arrived, but no spoken intervention appears in the transcript.
The session focused first on deployment and security challenges in Internet standards, especially automation and incentives for adoption.[5-10][19-30][53-71] It then broadened into questions of multistakeholder participation, civil society inclusion, AI-related standardization, and digital sovereignty.[81-100][124-138][147-156][157-185][307-332] The discussion was generally pragmatic rather than critical of standard-setting bodies themselves: speakers mostly treated organisations such as the IETF, W3C, and NIST as functioning reasonably well, and concentrated instead on why technically sound standards often fail to achieve broad real-world uptake.[5-9] This diagnosis was reflected in the draft consensus messages at the end, which emphasised European engagement in global standards work, better deployment incentives, technology-lifecycle awareness, and stronger support for participation.[361-366][398-401]
Peter Thomassen opened by arguing that standard setting itself is not the urgent problem. In his view, the Internet already shows that standards bodies can coordinate successfully, since the network runs on many standards that were standardised effectively.[5-8] The real challenge, he said, is deployment, especially where technologies are too complex to implement manually.[9-10] He illustrated this with HTTPS, describing the older setup process as a series of technical steps: generating a key, creating a certificate request, proving control of the domain to a certificate authority, receiving the certificate, and installing it on the web server.[11-13] Because that process was cumbersome and error-prone, HTTPS remained relatively niche and was associated mainly with sensitive uses such as online banking.[14][18] Thomassen argued that the decisive shift after the Snowden revelations was not only greater awareness of surveillance, but the introduction of automation: Let’s Encrypt and the ACME protocol made certificate issuance and renewal largely automatic, removing much of the manual burden from website operators.[19-26] In his view, HTTPS had effectively been incomplete as a deployment solution until that automation layer existed, and only then did widespread adoption become realistic.[27-30]
He then applied the same logic to DNS and DNSSEC. Thomassen explained that DNS is foundational because it tells devices where to send traffic when users type a domain name rather than an IP address, which is almost always the case.[31-35] Because DNS resolution happens before HTTPS, an attacker who can falsify DNS information can redirect users elsewhere, and this can also undermine HTTPS because certificate issuance often depends on proving control over DNS.[36-38] He therefore presented DNS as crucial infrastructure whose compromise can enable fake certificates and traffic redirection.[36-38] DNSSEC, he said, addresses this by adding signatures to DNS data so forged answers can be detected.[38-43] Yet DNSSEC has suffered from the same kind of deployment problem HTTPS once had: enabling it has required too many manual steps and too much coordination among different actors, so deployment has remained below 10%.[43] Thomassen’s point was not that DNSSEC lacks value, but that it remained operationally incomplete without adequate automation.[52]
He also distinguished between standards that require extensive coordination and those that do not. RPKI, for example, involves fewer parties, and browser features can often be deployed through existing automatic updates; by contrast, complex protocols like HTTPS and DNSSEC depend heavily on automation because otherwise multi-party coordination becomes a major barrier to adoption.[39-44]
A central part of Thomassen’s argument was his warning against pushing adoption too early. He said DNSSEC developed a poor reputation because, roughly a decade ago, supporters promoted it aggressively before the surrounding automation and deployment tools were mature.[45-46] As a result, operators made mistakes, and DNSSEC came to be seen as brittle, dangerous, and not worth the effort, especially because many assumed HTTPS already solved the relevant security problem.[47-50] Thomassen rejected that assumption directly, reiterating that HTTPS does not remove the need for DNSSEC if DNS itself can still be spoofed.[49-50] This led to four practical lessons: avoid pushing incomplete technologies; consider automation as part of standardisation from the outset; only promote a technology strongly once it is mature; and ensure that incentives exist at the right moment.[53-57][64] He added that DNSSEC automation had just reached an important milestone, with the IETF approving a final automation guidance document the previous week, which in his view made this the right moment to increase deployment efforts.[58-63] He also cited concrete incentive examples: registries in .nl, .se, and .ch offer DNSSEC-related discounts, and those domains have reached adoption levels of roughly 50 to 70 per cent.[65-68] In his formulation, automation itself is also an incentive because it reduces workload and errors, thereby helping “close the circle” between technical maturity and adoption.[68-71]
Suncica Rosic extended the discussion from deployment into multistakeholder inclusion. She framed her remarks around three areas: stakeholder participation, technical infrastructure using DNSSEC as an example, and cyber inequality in the wider Internet governance space.[81-84] Drawing on Jeremy Malcolm’s framework, she suggested that multistakeholderism should be assessed through three questions: who is in the loop, how participation is balanced, and who is empowered.[85-90] On the first point, she argued that it is not enough simply to have stakeholders present; what matters is whether the right stakeholders are included, especially those most affected by policy and those whose knowledge and resources are essential to solving the problem.[91-92] On the second, she discussed Malcolm’s “equal footing” idea, but said equal weighting of every perspective is not always feasible or normatively appropriate.[93-96] Using the example of consumer privacy and cross-border data-related standards, she argued that companies monetising consumer data should certainly be heard, but their interests should not outrank those of public authorities or transnational civil society.[95-100] On the third question, she stressed that stakeholders must be connected to the venues where authoritative decisions are actually made, not confined to discussion spaces alone.[99-100]
Rosic then returned to DNSSEC from an inclusion perspective. She explained that end-to-end DNSSEC depends on delegation signer records, and that managing those records remains largely manual and is still pushed onto the domain owner or registrant.[102-111] In her view, this registrant-centric design is not only inconvenient but structurally problematic: it is complex, error-prone, and does not scale well.[111-112] She cited a figure suggesting that roughly 40 per cent of DNSSEC deployment attempts involving third-party DNS operators failed because the domain owner could not complete all the required steps correctly.[113] From this, she drew a broader conclusion that exclusion can be “baked into the design” of technical systems when the least-resourced actor is expected to perform the most fragile and security-critical tasks.[114][117] As a remedy, she referred to “SEC-126,” which she described as a Security and Stability Advisory Committee publication proposing automation of DNS management between registries, registrars, and DNS operators.[115-118] The significance of that shift, in her account, was not only technical efficiency but a redistribution of responsibility away from poorly resourced registrants and toward standardised machine-to-machine processes run by better-resourced actors.[117-119] In that sense, she deepened Thomassen’s automation argument by presenting automation as an inclusion measure as well as a deployment measure.[111-119] She was also beginning to connect inclusion to broader questions of cyber inequality before her intervention was cut short for time.[119-123]
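The manual hand-off described above fails when the DS data submitted to the parent zone no longer matches any key the child zone actually publishes. The following is an added example, not taken from the session or from any SSAC publication: it derives a DS record from a DNSKEY as specified in RFC 4034 (SHA-256 digests per RFC 4509) and checks a candidate DS against the child's DNSKEY set before submission. The zone name `example.org`, the key bytes, and all function names are constructed for illustration.

```python
import hashlib
import struct
from typing import NamedTuple

# DS digest types accepted by this check: 2 = SHA-256, 4 = SHA-384.
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}
ZONE_KEY_FLAG = 0x0100  # DNSKEY flags bit 7; a DS must point at a zone key


class DNSKEY(NamedTuple):
    flags: int        # 257 = zone key + SEP (KSK), 256 = zone key (ZSK)
    protocol: int     # always 3
    algorithm: int    # e.g. 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        header = struct.pack("!HBB", self.flags, self.protocol, self.algorithm)
        return header + self.public_key


class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = hash(owner name in wire form | DNSKEY RDATA)."""
    rdata = key.rdata()
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()
    return DS(key_tag(rdata), key.algorithm, digest_type, digest)


def check_ds(owner: str, ds: DS, dnskeys: list) -> str:
    """Classify a candidate DS against the DNSKEY set the child zone serves."""
    if ds.digest_type not in DIGESTS:
        return "unsupported-digest-type"
    candidates = [k for k in dnskeys
                  if k.algorithm == ds.algorithm and key_tag(k.rdata()) == ds.key_tag]
    if not candidates:
        return "no-matching-key"      # e.g. DS for a key that was rolled away
    for key in candidates:
        if make_ds(owner, key, ds.digest_type).digest == ds.digest:
            return "ok" if key.flags & ZONE_KEY_FLAG else "not-a-zone-key"
    return "digest-mismatch"          # e.g. copy/paste damage or wrong owner name


# Constructed key material (not real keys): 64-byte blobs sized like P-256 keys.
KSK_OLD = DNSKEY(257, 3, 13, bytes(range(0, 64)))
KSK_NEW = DNSKEY(257, 3, 13, bytes(range(64, 128)))
ZSK = DNSKEY(256, 3, 13, bytes(range(128, 192)))


def run_examples() -> dict:
    owner = "example.org."
    good = make_ds(owner, KSK_OLD)
    damaged = good._replace(digest=bytes([good.digest[0] ^ 0x01]) + good.digest[1:])
    return {
        "fresh": check_ds(owner, good, [KSK_OLD, ZSK]),
        "after_rollover": check_ds(owner, good, [KSK_NEW, ZSK]),
        "damaged_digest": check_ds(owner, damaged, [KSK_OLD, ZSK]),
        "wrong_owner": check_ds(owner, make_ds("www.example.org.", KSK_OLD), [KSK_OLD, ZSK]),
        "sha1_ds": check_ds(owner, good._replace(digest_type=1), [KSK_OLD, ZSK]),
    }


if __name__ == "__main__":
    for case, verdict in run_examples().items():
        print(f"{case:16} {verdict}")
```

Any verdict other than `ok` describes a DS that would make the delegation fail validation if it were published at the parent.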
Bruna Martins de Santos brought in a civil society and AI-focused perspective. Speaking from the standpoint of WITNESS, she explained that her organisation has long worked to empower citizens to use video to expose human rights abuses and, more recently, to respond to challenges created by AI and the blurring of visual truth.[124] She argued that standard-setting spaces matter greatly to civil society because they establish foundations that later shape implementation, regulation, and community impacts.[124-127] Even where standards are not legally binding in the way formal regulation is, she said they can still strongly influence how companies interpret future rules, how the public engages with technologies, and how participation itself is enabled or constrained.[127] She cited the AI Act as an example of how standard-setting processes can affect regulatory timelines and implementation dynamics.[128]
From there, Martins de Santos argued that civil society should continue to play a role in making sure diverse perspectives and lived experiences of harm are present in standards discussions, and that it should also have a voice in implementation and design because standards influence later regulation and broader technological trajectories.[129-131] On AI specifically, she insisted that human rights need to be central in standard-setting efforts.[132] She argued that AI harms are no longer abstract, pointing to issues of scale, the lack of transparency in AI-generated and manipulated content, and the growing difficulty of verifying truth and authenticity.[124-138] As an example of engagement, she described WITNESS’s involvement in the Coalition for Content Provenance and Authenticity (C2PA), a multistakeholder initiative bringing together large technology companies, media actors, and civil society to develop standards and signals around content provenance.[136] She closed by suggesting that beyond transparency, future AI standards work should also explore deepfake detection and protection of likeness, given the rapid advance and public prominence of those technologies.[137-138]
The discussion period broadened these themes into more openly political territory. André Melancia argued that technology often emerges in response to perceived needs, but warned that policymakers are increasingly also generating demand for technologies that restrict freedoms or limit access to the Internet.[147-152] He contrasted this with what he described as the prevailing aim in much of the technical community: improving the Internet and preserving openness.[153-156] His intervention introduced a more cautionary political note, suggesting that standards and technologies can be mobilised either to sustain openness or to erode it.[151-156]
This concern fed into the subsequent exchange on digital sovereignty. An on-site participant asked what non-technical audiences should watch for in an upcoming digital sovereignty package, especially in light of the day’s discussion about keeping the Internet running smoothly.[157-161] Lars-Johan Liman responded that one should first look for a definition of digital sovereignty, because he had not yet seen a stable one.[175-178] He then advised participants to watch for policies that prevent people from doing things, since such measures can force users into narrow technical “tunnels” and create single points of failure.[179-181] In his view, resilience depends on preserving room for independent decision-making and distributed choices.[181-182] Matthias Kettemann observed that political science itself has never settled on a single definition of sovereignty, underscoring the conceptual difficulty of digital sovereignty as a policy frame.[183-185]
The role of civil society became another major thread. Francesco Vecchi argued that even after WSIS+20 there is still no clear definition of the role of civil society in Internet governance.[163-171] He said civil society need not be involved in every single technical discussion, but that there is a pressing need first to map what civil society actually is, and then to determine where, when, and in what conversations it should be included.[170-171] In his view, this is ultimately a political question more than a technical one.[171] Martins de Santos responded by describing civil society’s role as evolutionary and difficult to define precisely.[187-190] Drawing on her ICANN experience, she said that the role changes over time, from calling out accountability problems in one period to insisting on human rights in DNS abuse discussions in another, but broadly involves monitoring processes, calling out abuses and disparities, and “watching the watchers” to ensure stability and consideration of multiple perspectives.[191-195]
Wout de Natris then steered the discussion back toward implementation and future security challenges. He asked why, after decades of available security standards such as DNSSEC, RPKI, and TLS, companies and governments still do not procure services, devices, and IoT systems on a secure-by-design basis.[198-201] He implied that if procurement required standards deployment as a condition of doing business, adoption would be stronger.[199-201] He then shifted to post-quantum cryptography, calling it an “upcoming Y2K moment” and asking how standards, services, and devices would all be upgraded in time.[202-206] He framed the consequences of failure in stark terms, warning of severe disruption to financial systems, ledgers, and connected devices if the challenge were underestimated.[205-206]
Thomassen replied by rejecting the Y2K analogy while still agreeing that post-quantum migration is important. He argued that a Y2K-style problem implies a simultaneous systems failure that stops things working, whereas quantum-era cryptographic breakage would not cause an immediate global shutdown in the same way.[208] He then pointed to ongoing standardization work in IETF groups covering public key infrastructures, S/MIME, OpenPGP, TLS, certificate transparency, SSH, and IPsec, adding that this work was generally progressing well, with DNSSEC as an exception.[208-213] He acknowledged that hardware upgrades and legacy cryptography remain difficult, but argued that this is not a wholly new class of problem: older algorithms such as MD5 have also persisted insecurely in hardware for long periods before eventual replacement.[215-216] Kettemann added an anecdote illustrating the gap between standards development and preparedness: when the German Federal Information Security Office emailed companies asking what they were doing to prepare for a post-quantum world, every company later contacted by a newspaper reportedly replied, “what is PQC?”[217-219] This exchange reinforced the session’s recurring point that technical work alone is insufficient without broader awareness, incentives, and organisational action.[208-219]
Another audience intervention connected civil society directly to deployability. Adrian Block argued that civil society should help ensure that individuals and non-commercial actors can participate in these technologies without financial barriers.[221-226] Using PKI and HTTPS as examples, he noted that before Let’s Encrypt, participation often required paying for a certificate that was trusted by default, creating a barrier to inclusion.[224-226] Martins de Santos agreed in part but said civil society also needs support to do this work effectively.[228-233] She described WITNESS’s collaboration with companies such as Google through trust-based partnerships to test early implementations of content credentials technology, but stressed that this kind of engagement depends on support and access, both of which have worsened in recent years.[229-233] She also pointed to the cancellation of RightsCon and its chilling effect on her sector, arguing that as spaces shrink and access to governments and policymakers narrows, civil society is more often intentionally excluded from the table.[231-233] Kettemann observed that there is often a large knowledge gap: civil society may be willing to engage, but many participants do not know enough about the underlying technical issues, suggesting a need for basic training or curricular support.[234-235]
Jamal Shaheen then challenged two simplifying tendencies in the discussion. On digital sovereignty, he questioned whether endless definitional debate is always useful, asking whether participants might instead focus on what is actually being done under that label.[242-247] He also observed that neither “the technical community” nor “civil society” is homogeneous, which complicates any attempt to speak of them as single actors.[248-250] He asked how different pathways to Internet standards (top-down, bottom-up, formal, and de facto) fit into the discussion, particularly because policymakers often struggle to understand which organisations they are really dealing with.[250-255]
Melancia responded that standards emerge through multiple routes.[259-264] Sometimes formal bodies such as the IETF eventually approve them, a process that can take years, but sometimes private companies first develop technologies that then become de facto standards through widespread adoption.[262-265] He used IPv6 as an example of a technology that has existed since the 1990s but still lacks full adoption, which he linked largely to financial reasons and the absence of any strong push or incentive to migrate.[266-276] He then contrasted this with HTTPS, arguing that Google materially accelerated adoption by lowering the ranking of websites that did not use HTTPS.[277-280] In his view, this showed that powerful private actors, and sometimes governments through regulation, can significantly affect uptake.[280-284] This created one of the session’s clearest tensions: the desire for stronger adoption levers versus the risks of coercion.
That tension became explicit in the ensuing IPv6 exchange. An on-site participant asked whether an EU sovereignty agenda could potentially add protocol layers or requirements that might contribute to breaking up the Internet.[286-289] In response, Melancia suggested that, at least in the IPv6 case, he would welcome politicians creating incentives or even pressure to move toward the better protocol.[290-292] Liman agreed in principle and offered a deliberately forceful example: in Sweden, online tax reporting could be made available only over IPv6, so that every person and company would have to deploy it.[294] Another participant then pushed back, arguing that this was unrealistic because hundreds of millions or billions of devices, including forgotten legacy systems, cannot simply “magically” upgrade.[295-300] While agreeing that IPv6 should be deployed more widely, that speaker said a “do-it-or-be-doomed” approach was not the right way forward.[298-300]
Vecchi then returned the debate to the session title by contrasting Internet governance with emerging AI governance.[307] He argued that one of the most important choices for the future is to preserve the multistakeholder model of setting standards and conducting governance.[307-308] In his view, AI governance is moving toward a government- and private-sector-led model in which civil society and technical communities are increasingly tokenized, including within European institutions.[307-308] He therefore defended the Internet governance experience as evidence that global technologies can be governed without sovereign monopolies if power is distributed among functional communities and accountability mechanisms are built in.[308] Rosic responded by urging caution with the phrase “AI governance.”[310-317] She said AI consists of infrastructure, models, and data, and therefore the first question should be what exactly is being governed.[312-316] She did not reject the term, but argued that governance conversations need greater analytical clarity about the layer being addressed.[314-317] On tokenisation, she added that the answer is not simply changing attendance lists; institutional and power structures themselves need to be rethought, including ideas of access, design, and enjoyment of technologies.[318-320]
Martins de Santos reinforced this line, saying that current governance shifts are also an opportunity to get things right if the right tools and participation mechanisms are in place.[321-326] She pointed to the forthcoming global dialogue on AI as a possible venue for embedding stronger multistakeholder participation into AI regulation and standards discussions.[324-326] She then returned to sovereignty and proposed that “self-determination” may be a more useful frame than sovereignty alone.[327-329] In her account, self-determination better opens discussion of harmful business models, human rights impacts, and environmental costs; she specifically warned against a future in which regions are reduced to hosting data centres.[328-332]
Two online questions asked how resilience, authentication, testing, and audit trails could be built into AI standards from the start rather than added too late.[333-336][357-359] These questions did not receive a detailed technical answer, but they echoed the broader theme that security and resilience should be designed in early rather than retrofitted later.[52-57][357-359]
De Natris used this moment to reiterate that his earlier concern had not been fully addressed.[339-345] He said his procurement question had been aimed at industry and government as much as the technical community, asking why secure-by-design procurement is still not standard practice and how organisations plan to prepare for the solutions the technical community is already providing.[341-345] This highlighted another recurrent theme: uptake failures are often organisational and economic rather than purely technical.[199-201][341-345]
Jamal Shaheen later asked whether, in a time of geopolitical tension, future choices should be driven primarily by today’s political pressures or by the technical principles that shaped the original open Internet.[346-350] A later on-site participant then observed that voluntary adoption is a core principle of open standards and questioned the impulse to force supposedly superior protocols into the market: if they are truly better, why should they need to be forced?[349-353] This became one of the session’s clearest unresolved disagreements: speakers broadly agreed that adoption matters, but differed sharply on how much market pressure, procurement leverage, or direct coercion is legitimate or wise.[277-284][294-300][349-353]
The final phase of the session focused on rough-consensus takeaways. Filip Lukáš proposed four draft messages: European stakeholders should actively engage in global standard-setting and align regulation with open, interoperable, multistakeholder processes; bridging standards development and deployment requires coordinated action and incentives; standardisation should be paired with the technology lifecycle; and participation in standard bodies requires sustained investment.[361-366] Thomassen said he agreed with most of this but found the third point unclear, asking what it meant to “pair the standardization process with the lifecycle of the technology.”[367-370] Lukáš explained that he meant Thomassen’s earlier point that technologies should not be pushed into deployment before they are mature enough, as illustrated by DNSSEC and automation.[371-372][379-381] An on-site participant suggested replacing “international” with “global” standards bodies and argued that the lifecycle point should also include societal implications, not only technical maturity, using data protection as an example.[382-384] Thomassen replied that while privacy and societal impacts are important, it would be better to keep point three focused on maturity and automatic deployment, and perhaps add a separate point rather than overloading one sentence.[386-390] Martins de Santos similarly floated a possible fifth point on embedding human rights in standards development, but argued against making the third point too specific around automation because the final text should remain durable over time.[391-393] De Natris then suggested that the deployment point should acknowledge not only coordination but also the need for convincing arguments to persuade managers and funders inside organisations.[395-397] The group did not resolve every wording issue in detail, but it accepted the general thrust of the summary as “roughly consensual.”[398-401]
Overall, the session’s strongest shared point was that standard-setting itself was not presented as the main problem; deployment was.[5-10] Speakers repeatedly argued that standards are far more likely to succeed when automation, incentives, and operational maturity are considered early, rather than after a technology has already been pushed into use.[19-30][43-58][64-71][111-119] Automation emerged as a particularly important concept because speakers treated it not only as a technical efficiency gain but also as a condition for inclusiveness, reliability, and broad participation.[19-30][111-119][221-226] At the same time, the discussion broadened into governance questions: who gets to participate in standard-setting, how civil society can engage meaningfully, how AI-related standards should incorporate rights and resilience from the start, and how sovereignty-driven policy should avoid narrowing the openness and interoperability of the Internet.[81-100][124-138][163-195][307-332][333-359] The session ended with rough consensus around continued engagement in global standards processes, better support for deployment, and stronger participation, even though some tensions remained over coercion versus voluntary adoption, over whether stronger uptake should come through incentives, procurement, platform pressure, or political compulsion, and over how explicitly to embed human rights in the final messages.[198-206][266-284][294-300][349-353][361-401][S40][S62]
Yeah. Hello. My name is Peter Thomassen from deSEC. I’m a member of the ICANN Security and Stability Advisory Committee. So I will be saying something on domain security, but also more generally on standardization and obstacles for that. So in my view, standard setting itself does not appear to be an area that needs urgent improvements in itself. The way that standards are set at the IETF and the W3C, for example, work well, as does the NIST competition for post-quantum cryptography and all these things. And as Elena has said, there is good coordination between these organizations. And in fact, we do have a working Internet now, and the Internet is using a lot of standards that, in fact, successfully were standardized.
But of course, deployment challenges remain. And that’s mainly, I think, because many technologies are complex. So, for example, if you look at HTTPS, which is quite ubiquitous today, that wasn’t always the case. And if you consider how you turn it on, you first have to generate a key, then you have to generate a certificate request, then you have to prove control of the domain name so that you actually own it to the certificate authority, and then they will produce the certificate, and you have to copy it on the web server. It’s quite a complex process. And you might observe that back in the day, maybe 10, 15 years ago, you often saw red warnings for connection errors, because there’s so many mistakes you can make in this process.
And that was before the Edward Snowden revelations, though. And since then, it is not really the case. And today, HTTPS is quite generally deployed. Back then, it was niche, like for banks. What has changed? So what has changed after Snowden is mainly that this is now all automated, right? Let’s Encrypt came around, and the IETF came around with a protocol that is called ACME. It doesn’t really matter how it works and what it’s called. The fact is HTTPS today is automated. You don’t need to do any of these things that I just named when you’re running a website, because it just happens.
And automation, therefore, has enabled new universal deployment. And that same thing we can also transfer, I think, to other technologies. And the lesson we have here is HTTPS was an incomplete protocol suite, if you want, without automation. And it didn’t really have a chance at all to be broadly adopted until the automation problem was solved. And now as we have it, it is quite a winning solution. So as a different example, I’d like to talk about the DNS for a minute. Of course, all connections depend on it, or almost all connections depend on it if you don’t type in an IP address, which nobody does. So when you access a domain name, for example, like gmail.com, the DNS tells you where you have to send your data.
So your device knows where to address the data based on DNS information. That step happens even before HTTPS. And if you fake information from the DNS, you can redirect traffic elsewhere. And if you can fake DNS information, you can also fake HTTPS. Because when you prove control of the domain name to the certificate agency that gives you the certificate, they actually check that you control the DNS. And, yeah, so the DNS is really crucial, and it also has security problems, and therefore it has happened that people have redirected traffic, that they got fake certificates they should not have gotten, and all of that. There is a solution to that, which is called DNSSEC, and it works by adding signatures to DNS information so you cannot fake it. But unfortunately, turning it on is also complex, like HTTPS used to be. It requires multiple steps and coordination of different parties, just like HTTPS, and as a result it has less than 10% deployment today, just like HTTPS used to. And also, just like HTTPS, DNSSEC is incomplete without the automation. And so I want to take a small, like, different thought here. Not all protocols need much automation. For example, RPKI has much less involved parties.
RPKI is a routing security protocol, and it mainly involves the IRR that would then authorize certain keys to announce routes for certain things, and that doesn’t involve the domain holder or something. So that’s, in a way, easier. And even easier it is when the browser, for example, rolls out an update for a new feature or something. They don’t need to coordinate with anyone because they have automatic updates anyway. But for complex protocols like HTTPS and DNSSEC, automation is actually very important. And if you don’t have it, it’s actually actively harmful. DNSSEC has a bad image, despite of the great benefits that it delivers, and that is because 10 years ago, DNSSEC experts who came up with it were so convinced of it that they pushed for it everywhere, and people started using it, and then it was complex, and they made mistakes.
And the result is that the general perception of DNSSEC today sometimes is that it’s brittle, it’s dangerous, it doesn’t work. You can break things. It’s not worth it, and we have HTTPS anyway. But as I just told you, even if you have HTTPS, you can fake that if you can fake the DNS. So just because you have HTTPS, the necessity for DNSSEC doesn’t go away. So it’s dangerous to push for adoption of an incomplete technology because that will damage its reputation. And to make it complete, it’s necessary to have automation, not only for HTTPS, not only for DNSSEC, but in general, it’s a good idea. So the four things we need are avoid incomplete technology.
Whenever something’s standardized, it’s important to consider automation. And without it, it’s nearly impossible to reach broad adoption, and it’s very easy to get everyone frustrated. And the second thing is before the technology is mature, don’t push for it too much because there’s disappointment lurking in the corner. And the third thing is once it is mature because you have automation standardized, then it’s time to push for it. For example, in the case of DNSSEC last week, the IETF approved the last piece of the automation standard. It’s called Guidelines for DNSSEC Automation. It will be published soon. It’s in the final editing step as the best current practice document. And then it is the time to actually push more.
It’s worth TLD registries and DNS providers to support it. And lastly, the fourth part is make sure there are incentives at the time. Financial incentives, of course, work best. We’ve seen this for .nl, for example, and .se and .ch, which have discounts for domains that have DNSSEC, and they’ve reached broad adoption of 50% to 70%. That’s ten times as many as the other TLDs often have. And, yeah, the availability of automation itself is also an incentive because it reduces the support load and errors. And so that sort of closes the circle. Start with the automation. Then when the technology is complete, start advertising it, and don’t forget the incentives. Thank you.
Thank you. Thank you very much. It’s always good not to be frustrated. That’s a great takeaway already. On our theme number three, we have an input by Suncica Rosic, inter alia next generation ICANN fellow.
It’s a pleasure to be here, and thank you for the introduction. Suncica Rosic. I’m a master’s student in economics, data, and policy at Central European University in Vienna, and also an ICANN fellow. Thank you. So when it comes to the topic of multi-stakeholderism and inclusion, particularly when we apply that to the standard setting, I would like to break this into three areas. So the first area would be multi-stakeholder participation, as proposed by Jeremy Malcolm. The second area would be technical infrastructure, using the example of DNSSEC, and Peter already gave a great introduction to that. And lastly, I want to touch upon cyber inequality in the broader Internet governance space, hereafter referred to as IG.
So when it comes to the stakeholder participation, multi-stakeholderism is a term used very broadly, but it has also attracted criticism for how elastic this term has become. And to tackle this, Jeremy Malcolm proposes asking three questions. First, who is in the loop? Second one, who is included? Or how is participation balanced? And the third one, who is empowered. So when it comes to the who is in the loop question, it is not enough to say we have stakeholders in the room. The important question is whether the right stakeholders are included, not only those who implement policy, but also those who are the most affected by it and whose knowledge and resources are key to solving the problem.
And then the second question of how is the participation balanced, Malcolm discusses the so-called equal footing approach, where the perspectives of all stakeholders carry the same weight. And going back to fairness, this sounds just, but it is not always feasible. For example, when it comes to cross-border standards setting for consumer privacy data, of course, the voices of the companies that monetize consumer data should be heard. But it would be inappropriate for their perspectives to outrank those of the stakeholders. So I think that’s a good question. Public authorities or transnational civil society. And last but not least, who is empowered. It is important to link multi-stakeholder participation to the places where authoritative decisions are actually being brought, rather than just being limited to discussion forums, even though those are equally important.
And then moving on to DNSSEC. As Peter already said, DNSSEC is a standard that adds digital signatures to the DNS records so that resolvers can verify their integrity and authenticity. For this to work end-to-end, we need delegation signer, or DS. And DS is essentially a hash of the child’s own DNS key. And this is a very important part of the process.
Today, managing delegation signer records is mostly manual and also pushed to the domain owner or the registrant. And this registrant-centric design is fairly complex, prone to error, and does not scale. For example, roughly 40% of DNSSEC deployment attempts using third-party DNS operators failed because the domain owner could not execute all the steps correctly. So we could already see exclusion, unintentional exclusion being baked into the design. And to tackle this, SAC126, published by the Security and Stability Advisory Committee, proposes a different approach. Automate DNS management between registries, registrars, and DNS operators. So instead of assuming that the most fragile, security-critical steps are being implemented, performed by the registrant, so the least resourced actor in the chain. This is being shifted to the standardized machine-to-machine process, where the steps are actually performed by better resourced actors. And last, I think, you know, whenever we talk about inclusion, equality is a very complementary topic, and Nola Frey proposes a great framework to think about this, so she approaches cyber inequality
Thank you very much for your exemplary timekeeping, and if my peripheral vision isn’t wrong, I think Karen Mulberry has arrived? Are you? No? Then my vision is wrong, which doesn’t matter. Then we can go to our next presenter. Bruna, Bruna Martins de Santos, you have the word.
Thank you so much. I’m going to dive into that from a slightly different perspective. I’m representing WITNESS, which is a civil society organization that exists for more than 32 years. We have been working over the years with empowering citizens to use video to call out on human rights abuses, and for the last 12 years we have been diving further into some of the challenges emerging from AI and how blurry the lines between reality and visual truth are becoming with the introduction of many tools, how complicated it is to empower people to verify truth and to verify what’s going on in the world. So I’ll start by saying that for civil society organizations, a lot of the advocacy in standard spaces, they allow us to set the right foundations, they allow us to talk about specific things, to introduce at least some pointers or signals on human rights for we to be able to serve communities at a later point, right?
And in many of these standardization processes, technical specifications are the main outcome, right? And they are the main product. And although they might not look as binding as regulations are, if you’re lawyers or anything like that, they can influence how companies will interpret some of these rules in the future and how the public engages with the standards or even how broader participation can be facilitated. I think one good example for everyone following AI-related discussions will be the AI Act and a lot of the discussions on AI standard setting processes that resulted in a postponement of the whole calendar for the AI Act in general. So maybe with this point on inclusion. So civil society can and should continue to play a role in ensuring that the diverse perspectives that are represented, the lived experiences of the harms are at the table.
And also, we should have a say on the implementation and design of those standards as a kind of an input to later regulation to, you know, shaping technology in the general sense. And now diving a little bit into AI, I think for us and looking into this intersection between standards and artificial intelligence, it’s important to acknowledge how central human rights need to be in standard setting efforts. And beyond that, we are no longer talking about artificial intelligence in a generic way. We have seen very concrete harms and very concrete examples about how, you know, scale is a relevant thing if we’re talking about AI. AI is love or even how the lack of transparency in AI generated and manipulated content can be a problem later on.
And for that matter, we have been engaging in a coalition called C2PA, the Coalition for Content Provenance and Authenticity, which is a multi-stakeholder initiative with companies like Microsoft, Adobe, Google, OpenAI, BBC, and civil society actors in trying to develop those standards and signals. So, last but not least, I will just highlight this. There’s a lot of space for diving deeper into AI-related standards, and perhaps some of the other topics besides transparency we can explore can be deepfake detection and protection of likeness with how hyped all of those classes are becoming and these technologies are becoming.
Wonderful. This brings us to the end of our interventions. We are now at exactly halfway. Mark? Because we were given an additional five minutes. So, we have 30 minutes of discussion in front of us. I’m very much looking forward to your inputs, your questions to the room or to the input speakers and key participants. Yes, please.
Okay. Hello, everyone. André Melancia, technical community. So given what we’ve seen and given the concept that many of the people here might be technical, but we are speaking to non-technical people, especially politicians in this office and, you know, in the next few buildings, it is important to understand that technology exists because someone requests it. And then, you know, we feel a need to have some kind of technology. So someone technical will actually create it. However, we also have the opposite. We also have politicians, and we see this growing and growing, related to human rights, related to freedoms, to actually come up with technologies or at least expectations of technologies to block certain freedoms, to limit the access to the Internet, et cetera.
It is important to consider that. And all of the things that most technical people want to do is to actually improve the Internet, improve openness, let’s put it like that. But we are seeing the trends to do the exact opposite. So my feeling on this is that, just continuing the last talk, is that we need to keep an eye on these changes that are happening. And we need to kind of force, kind of insist on guaranteeing these kind of freedoms persist and no technologies are created that actually limit these kind of freedoms.
Chuck Picklinger from the Eurotech Board. May I just follow up on that? Well, in the morning, we heard about digital sovereignty. That is coming up next week, apparently. And what should we non-technicians be watching out for when this package comes, when we are thinking about what we’re discussing here today, about keeping everything smooth running.
Colleague in white.
Hello, Francesco Vecchi from Humans. Humans is a political movement, so we represent civil society. And I don’t want to step too much into the technical discussion because definitely we’re not the right actor to say that, but I believe that in a moment where in general Internet governance is changing face, especially after WSIS plus 20, still there is no clear definition of what is the role of civil society in Internet governance. It is mentioned here and then that… the UN’s agenda is confirmed, but especially because we are discussing about protocols, I’m not saying that necessarily civil society must be engaged in every single discussion, but it is extremely important to map first and foremost what is a civil society, and second, to understand where and when it must be included and in what conversations. This is probably something that must still be discussed, and it can pass through technical discussions, but it is first and foremost a political one. Thank you.
Okay, we’ll take one more question, then we’ll have the first round of answers.
Lars Lehmann from Netnode. I would just like to comment what to look for when these packages come. In my view, things to look for are, first, look for a definition of digital society, sovereignty. I still haven’t seen one. So what does it mean? The second one is look for things that prevent people to do things, because that will create a tunnel into which you force people. And the thinner the tunnel is, the bigger the risk is that you create single points of failure. So by giving people a lot of opportunity to make their own decisions, that’s how you create a resilient system. I’ll stop there. Thanks.
Thank you very much. The last six decades of political science also hasn’t come up with one common definition of sovereignty. So digital sovereignty is even one step further. Bruna, would you like to come in on the civil society question?
Yes. So civil society, basically our role is defined on the witness agenda, but over the years I think we have been evolving towards, let’s say, monitoring, continuous monitoring efforts around policymaking processes, but also the way… I’m the one responsible for calling out abuses, disparities, discrepancies, and so on. But it’s also hard to pinpoint what is the role of civil society. For instance, I have been part of the Non-Commercial Stakeholder Group at ICANN for eight, nine years at this point, and each and every single year our role kind of changes. So one year is to call out the lack of accountability. On the next one might be the importance of including human rights into DNS abuse discussions.
So I would say it’s kind of a monitoring and, you know, watch the watchers kind of role in that sense because it’s just to make sure that the processes, they continue, they are stable, and they take into account all of the perspectives. But, I mean, I might be wrong at this point. I just think it’s an evolutionary position.
And, as always, you know, if you have a comment on any of the questions, you know, do raise your voice, sir.
Yes. My name is Wout de Natris from the board, the policy for my voice, but it’s already three weeks like this. I have two comments. The first is that we have the security standards that we’re talking about, like DNSSEC, RPKI, TLS, et cetera, et cetera, et cetera, for sometimes more than two decades. how is it possible that companies and governments are not procuring their services and devices and IoT, etc., secure by design? Why do they demand DNSSEC to be deployed? Otherwise, it would not be a customer. So that’s one. Two is we’re facing our, for the people a little bit older in this room, our upcoming Y2K moment and the moment that the first quantum computer is switched on somewhere in the world by somebody hopefully quite kind, but if we’re unlucky, very unkind.
So how are we going to prepare ourselves for that? And that’s the session we have at 1630, so you’re invited. But to end my question, how are we going to arrange that all standards are updated to PQC? All IT devices, all services, everything and everywhere that connects to the Internet needs a new standard. And if we underestimate that, then our bank accounts are going to be empty, or your ledgers are going to be worthless, your devices will be doing things you never expected them to do. It would be probably devastating the world as we know it, and it will happen to all of us, so that’s maybe the thing that’s a little bit of a consolation. But how are we going to prepare for this tremendous task? Because it’s something you can’t underestimate enough. Thanks.
Thank you Perhaps on the DNSSEC question would you like to come in Thomas?
Almost, yeah. Happens every day. So about DNSSEC, I think it’s mainly an incentive question, and as I said before that the technology was incomplete without automation, just like HTTPS was when it was just 5% deployed 15 years ago. So that is now being addressed. I want to say a few more words about the post-quantum transition. So I don’t think it is at all a year 2K-like problem, because for a year 2K thing, like, I don’t know, your laptop gets hung up in a reboot loop or something, and all worldwide laptops at the same time because they have the same bug, then you can’t use the whole machinery anymore. Once a quantum computer comes around and breaks some of the encryption, it’s not like the world stops working, unlike what could have happened with a year 2K problem. So I’m not saying it’s not an issue. Of course it is an issue, but it is not that suddenly things will stop working. And so you asked how we will make sure to upgrade all the standards. I guess that is a task that the standardization organizations have taken on. So I know, for example, from the IETF that the LAMPS working group is specifying post-quantum algorithms for the public key infrastructures and S/MIME.
There is the OpenPGP working group doing that for PGP. There is a TLS working group which already has finished their standardization and it’s already rolled out to like 70%, I think, at Cloudflare. The PLANTS working group is trying to figure out what happens with the certificate transparency, because that PQC stuff has large storage requirements they want to fix. There is the SSH working group, IPSec has an RFC published for post-quantum. So I think that is all going sort of well. DNSSEC being an exception. And about upgrading the devices, I guess that’s also a problem, but that is not a problem for the first time, because there is old crypto that was used, like MD5 20 years ago, and if you have a chip that uses that, that’s also insecure and it was insecure for a few decades, and eventually stuff is being upgraded.
I’m not saying it’s not a problem. I’m just saying that it is being worked on, and the problem of upgrading hardware is not new, either.
Thank you. We’ll definitely run into a problem of uptake, however, because last year the German Federal Information Security Office wrote an email to a lot of companies asking what are they doing to prepare for the PQC world. And a newspaper called them up afterwards and 100 % said, what is PQC? Which kind of raises a good question. Sir in white.
Yeah, Adrian Block from the technical community, to address the question where civil society is important or what’s the role of civil society in standardization? We would like to take the example of HTTPS and the question of automatization. So the society has to make sure that people, individuals, non-commercial companies can participate in those technologies. When talking about PKI, we see that there has been an issue without using Let’s Encrypt because you cannot participate in using those technologies without paying money for getting a certificate that is trusted by default. So the civil society has to make sure that there are solutions to participate in those technologies without being a
Bruna, do you want to comment on that?
Yeah, maybe, but we also need support in that sense, right? Like a lot of the work that many of our organizations do is trying to partner up with the companies and trying to have early access to some of those products and to see, for instance, while we were working at C2PA and had the first Google Pixel phone implementing the content credentials technique to kind of flag AI-generated content, that was a… It was a trust-based partnership with the company to have access to the first… example of the phone and see how it works, to test it, take it to communities, and so on. But the reality is that a lot of our work is not supported as well, especially over the last years.
It has become much less supported than usual, just like I would just mention here as a last point, the cancellation of RightsCon and the kind of chilling effect that had over our sector, because the spaces are smaller, the access to governments and policymakers is reduced, and the conversations they intendedly exclude us from the table in many, many cases. So we also need you guys, technical community support, and TCCM is a good example in that, just to quote some of the friends in the room into how the coordination, as Alina mentioned earlier as well, is a good relevant example here.
Well, there’s a big willingness of civil society to engage in standard-setting processes. There’s often a huge epistemic gap, a knowledge gap, where civil society people are great, one of them partially, but we don’t know everything about all of the tech behind, so we might have to think about developing sort of, you know, low-level curricular area to be able to engage in these processes. Sir in blue.
I think with the technology I found the button. Thanks, Jamal Shaheen. I’m glad that we’re able to have a bit more of a debate here. Thank you very much. I wanted to add a couple of points to the discussion, maybe that would stimulate a bit of discussion. They’re not really questions yet, but by the time I finish, they might turn into questions. So the first thing on definitions of digital sovereignty. So, Matthias, you mentioned 60 years. I think it’s 460 years of fighting about this definition. But I’m also interested from the technical community, because you like working with rough consensus and running code, right? So, you know, the definition, the definitional aspect is something that… that I would question in a sense.
Can’t we just deal with what we’re doing with this and then go a bit beyond that? Another point that I wanted to kind of raise was we talk about the technical community or the civil society community, but within that, these are heterogeneous groups, right? There are huge diversities. And I was also just wondering maybe to the people who are speaking about Internet standards, there are different ways about making Internet standards, right? Right. And there are these top down approaches, bottom up approaches, working with technology that’s being rolled out, working with technology that has now been finally worked out. You know, how does that all fit into this debate as well? How do you actually, you know, there is not one community response from the technical community that says this is how we should make Internet standards, which makes it therefore very interesting and difficult to talk to politicians.
Politicians who then say, wait a minute, which organization are we dealing with right now? I don’t know, just some
Thank you. And there I thought only lawyers always had one lawyer, two lawyers, five answers, and six bills. Alright, on the question of definition of sovereignty, does somebody want to start us off with a theory of Jean Bodin and the 500 years since then? Or if we keep that for a different session or the drink session afterwards, probably you wanted to come in on Internet standards.
Okay, so just to continue again, André Melancia technical community, just for a quick reply, I completely agree with you and Wout and many of the other people who are here in the room. Let me just clarify how some of these things become standard because it’s not always the same thing. You mentioned this, it’s useful for everyone to know how the process works. For some things, we have bodies like the IETF that will eventually approve something, but this takes years. But sometimes there are are the techniques for us to get to technology. One of them is for private companies, and I’ll just give you the example of Microsoft, Google, et cetera, that they come up with some kind of technology, and people, you know, eventually they adopt it, and later on it does become standard because it’s a de facto usage of something, and then it becomes standard.
Let me give you the specific example because this comes back to something that Walt also said. He said, for instance, in the case of IPv6, we’ve had it since the 90s, right? It has improved a lot of things, a lot of additions, but since the 90s it has been around. Why hasn’t it been adopted yet fully, right? Why are we still using IPv4? It doesn’t make sense. And the reality is there is a lot of financial reasons for that and delays associated with financials. but mostly because there is no big forcing into saying, look, this is the new version of the technology. We should be using this. It’s not a matter of tunneling like you mentioned just before and limiting the technology.
It’s the opposite. We have something better. We should be using it. Why aren’t we using it? And just to give you an idea how it is easy for us to force using a technology, about 10 years ago, roughly 10 years ago, Google actually forced every website to say, say, look, if you don’t have HTTPS, which is, you know, normal protocol, but encrypted connectivity to the websites, we’re going to lower your rating. You’re still going to be there, but we’re going to lower your rating, and good luck with that, okay? And suddenly all the websites felt like we need HTTPS, not because it’s more secure, but suddenly because someone was forcing you to do this. Now, this was a private company.
It’s not usually typical. It’s usually a government. The European Commission and the European Parliament forced GDPRs 10 years ago or 8 years ago. So I’m going to stop there, but I think you get the idea how some of these things
Thank you. Would you want to start off?
Yeah, absolutely. Well, may I just follow up on that? But you say, okay, this was Google. But coming back, sorry, for sovereignty, once again, could it be possible, well, I’m no tech guy, that in the course of this new train to foster sovereignty, the EU Commission might come up with something like that. Just say, well, we need an additional little layer protocol and so on and so forth, which then might slowly develop into breaking up of the Internet as you know it. Maybe, maybe not. For instance, one of the things I’ve been saying for over 10 years is that in this specific case, we would actually love that politicians would force people to use IPv6. I know this is not very easy because how can you force something like this?
But to at least create some incentives.
But you want to reply to that, so please go ahead.
So, last thing, from net note again. I am in your camp; for the same 10 years, been trying to get my government to do something about it, and they wouldn’t take up my solution, which is that in Sweden we submit our tax reports over the network. Make it available only over IPv6: every person, every company would have to deploy IPv6 to be able to submit their tax forms. It’s easy.
Okay, I’ll take the bait. I have to, apparently. Yeah, I don’t know, it’s, you know, I get what you’re saying, but it’s not that easy. I mean, we’re talking about millions, hundreds of millions, billions of devices, and we’re talking about, that’s it, it’s not somewhere in the world are forgotten or completely forgotten, and it’s not because everyone has IPv6 at home to do their taxes that all these devices will magically be able to switch to IPv6. So, yes, there is some commercial or financial incentive that is important here, but it’s not because, you know, you would say IPv4 won’t work anymore, that all these devices all of a sudden will magically upgrade or be upgraded.
So it’s not that easy, I would say. Although, as you know, I am in your camp. We should be using IPv6 far more than we’re currently doing, so we should try to give the right incentive. But being at a do-it-or-be-doomed is probably not the right way forward in my view. Thanks.
Nope, sorry. Can I work on the IKEA effect on IPv6 transition? So, Lars Niemann again, I think that another way to do it, I’m trying to look at my computer. Would it be to install it in this room? I don’t think there’s IPv6 enabled in the Wi-Fi system. Why not?
There’s not a rhetorical question. I’m just a moderator, I’m not really responsible for anything.
Thank you very much. It’s extremely interesting to listen to the technical community; I always learn a lot. But let me go back to the title of the session. It’s Internet Standards and Frontier Technologies, which of course makes me think of the difference between Internet Governance and the emerging AI Governance. I don’t want to bring anything too further, but I would focus on choices for the future, and I do believe that what is important to keep for the future is exactly this multistakeholder model of conversation and setting standards. It is already eroded in the AI Governance model, because it is emerging a mostly government-slash-private-sector-led Governance model where civil society and technical companies and community and others are already tokenized, to be fair, even within the European institutions. And I do strongly believe that the multistakeholder model, for all its flaws, demonstrated that global technologies, as they both are, can be governed without sovereign monopolies.
If power is distributed among functional communities and accountability mechanisms are embedded in the system, my claim would be let’s keep this in mind for whatever choices for the future we have to make. Thank you.
Yeah, thank you for your contribution. I can try to address some of the issues that you have mentioned. And firstly, when it comes to the dichotomy between Internet governance and then the AI governance, I think that we need to use the term AI governance with caution because when you think about AI and what it consists of, it consists of the infrastructure, the models, and the data that is being fed into the AI. So the question that I would ask here is what are you exactly governing? So I’m not against the proposal of AI governance. I just think that we need to understand. More clearly, which part we want to tackle and how. But I think it’s still really great that you emphasize the importance of clarification between those two terms because they overlap, yet they are not the same.
And then, yeah, the tokenization that you mentioned, I think that is also adjacent to the topic of criteria for multistakeholder participation and also cyber equality or cyber inequality in certain cases. And I think to tackle this, rather than just changing attendance list in order to reduce tokenization, we actually need to change the institutional structures and the power structures that have brought us to this point at the first place by rethinking ideas such as access design and enjoyment of technologies. I hope that helps.
Yes, please. Thanks. On civil society still, I mean, the whole debate on governance and so on. And it’s also, it isn’t a tokenization to some point, I agree, but also it’s a new chance, right, for making things right to some extent. And maybe I just wanted to call the attention from folks to the AI, the global dialogue on AI that’s happening in July. That could be, if like provided the right tools and the right participation, that could be a way of framing the importance of multi-stakeholder participation into that space and into the regulation development, the standards discussion and so on. So I would maybe just highlight that as a good point. And just on sovereignty, otherwise I would have a nightmare tonight if I didn’t say that.
It would be much better if we were approaching this from a self-determination perspective instead of a solely, you know, sovereignty one, because then it would allow us to discuss what are the business model and why are they harmful? And what are the human rights implications, the climate and environment implications from a lot of the things we are doing and advocating for? I hear Commission talking. I heard the session this morning, and somehow I had this vision of Europe being drawn in data centers, just like my beautiful Latin America is drawn in data centers. So I don’t really want this future, and really it is important for us to discuss the impacts before advocating blindly for a lot of those things.
So let’s build them in space then. We have one online question, and then it’s back to you. So the question is like, how do we embed resilience into AI standards to avoid repeating past mistakes of insecure Internet protocols? Okay, how to embed resilience into AI standards. Any takers?
I can be very mean and tell you a story. So Vint Cerf, many years ago, actually shared this in a session where I was in, and he was actually saying, oh, I’m really sorry that at the time we decided that IPv4 would only have 32 bits of addresses, but now we have IPv6 and now we’re going to get things going very, very quickly. This was almost 20 years ago, and this hasn’t happened yet. So I’m not sure if there’s a way to come up with forcing those things. Okay, thank you.
Thank you, Matthias. About the matters again, my voice is not so good. As I said, when I asked my question I addressed a few stakeholders and I got a very technical answer back, but thank you for that, because it’s obvious that the technical world is very hard at solving problems. Because Vint Cerf also said, I’m sorry that we did not make the IP standard secure because we thought it wasn’t necessary at the time. You could never imagine what would happen later. So I talked about procurement. So I’m going to give the people from industry or from government here in the room who are interested to address the question, why are not procurement secure by design? And the other one is, how are you going to prepare your company for the solutions that the technical world is going to provide or has already provided?
So I would like to hear other voices in the technical world because we know they’re doing the right work. Thanks.
Thank you. I mean, learning from mistakes of the past is always great. If you know Intel’s Ajay Bhatt and his big mistake, making the USB port non-reversible, how much time that cost? That’s.
So. Yeah, so, Jamal Shaheen again, from the very non-technical community. Um, um, but I was just thinking, uh, you mentioned Vint Cerf, and that made me think, um, listen, the, the, the Internet was built in a different period, right? We’re now all talking, we’re getting very nervous about geopolitical tensions and things like this, but we are still building this global Internet, right, that is open and resilient and all of these words. And my question would be, um, when we look to choices for the future, do we need to react to the moment, or do we need to think back, um, to those technical considerations that were built when we built the Internet? So what’s not working about the Internet today that needs to be changed, um, and how, and what should, how should those choices be influenced? Thank you.
Thanks, Matthias. Um, I would like to observe two things. One is when we look at the principles of open standards, one of the principles is voluntary adoption of standards.
This is key not only to the adoption, but this is also key to the design. And the second observation is that I’ve been hearing that the new protocols are better, so how do we force them into the market? I think that, first of all, is incompatible with the first observation. And secondly, if they are better, why would we need to force them into
Thank you very much. We have one more online question. We haven’t used the online form a lot, so we’ll take that one again.
The question is like that. How do we make sure resilience things like authentication, testing, and audit trails is built into AI standards right from the start? Instead of adding it too late like DNS?
I think we’ll subsume that on our food for thought. Does that sound okay? Alright, we are slowly moving towards the end of the input part. We now have five minutes to talk a bit about the key lessons we can draw, and we have Philip here, Philip Lukacs, who will suggest some preliminary summaries. He’ll discuss with all of us, and using the rough consensus methods, it would be great if we could come up with or align ourselves with those. We are still allowed to use the word align if we say it ourselves. Can you see it? Fantastic. It’s sponsored by the optometrists of Brussels. Thank you.
Thank you. So I was trying to, I was trying to summarize the discussion, these four messages that you, if you have good eyesight, can see on the screens. The first message is, and sorry, before that, these messages reflect the summary of the session and then, indeed, by rough consensus, should be agreed upon. So the first statement is that European stakeholders should actively contribute to global standard-setting processes aligning regulatory approaches with open, interoperable, and multi-stakeholder-driven processes. The second message is bridging the gap between standards development and real-world deployment requires current actions across Europe and beyond, including market and non-market incentives to motivate deployment by different stakeholders. The third one, to facilitate successful adoption and deployment of standards, it is recommended to pair the standardization process with the lifecycle of the technology.
And the fourth one is strengthening participation in international standard bodies calls for sustained investment
I like most of it. This is Peter Thomassen from the ESIC. I don’t quite understand the third one. What does it mean to pair the standardization?
I’m sorry. I accidentally pressed it ahead. The idea was to refer to what you were saying about the automation of DNSSEC and the fact that there was the push for it before. Before you noted that the technology might have not been mature enough to proceed in the deployment phase. How do we feel about adding at four, support for globally diverse stakeholder engagement? So the word globally?
No. No. No. No. Same comment, basically, for the four: instead of international, we proposed that it’s global standards bodies. With regard to the third item, I’m wondering if we are not losing something if we are just looking at technology. It also has to do with what’s happening in society and what’s happening politically, in a sense. Just starting with, for example, the need for data protection. So we can just, in a technological sense, one can perfectly live without standards that do not allow for decent data protection, but we need it. So it’s not only technology, it’s also society. So perhaps we could add after the word technology, technology and its societal implications?
Yes.
I was going to argue against it, not the point itself, but I think it’s good to have different numbers with focused statements. And the third one to me seems to be quite a specific statement about aligning the standardization process with the lifecycle of it. And I would add, and considering automatic deployment, right, because that is the point that you said was intended to be conveyed. And I completely subscribe to the privacy and societal impact part, but I don’t know if that really fits under number three. I think we still have number five left open, so maybe we should add a point for that.
I was going to go on the way of let’s add a number five about embedding human rights in standards developing processes, but I’m a little bit against the automation of being very specific on the third because the idea is for it to be a bit more generic in terms of text, just so it can stand the test of time. So not against having automation as a background for that, but perhaps I will leave it as it is right now. Otherwise, it will be a bit too specific. But I’m also a boring lawyer, so…
But number two, the comment that I usually hear is that, yes, we know everything about the deployment of a standard, but my boss is not allowing us to do it or finance it. So we’re bridging the gap between standards development and real -world deployment requires coordination, but it also needs convincing arguments. How would you phrase that?
Okay, perhaps you could, yes, with the note taker afterwards, to finalize that. But shall we slowly come towards the end? Can we agree that what we have now is roughly consensual? Does that sound okay? Nobody strongly against that? Fantastic. So we applaud ourselves. Thank you, thank you very much, and I wish you a wonderful break and have a wonderful rest of the evening and rest of the sessions today. Thank you so much for joining us.
The strongest consensus was around the practical deployment gap: speakers broadly agreed that standards bodies are not the main problem, while automation, incentives, procurement choices, awareness, and institutional support are decisive for real-world uptake. There was also substantial agreement that multistakeholder participation must be meaningful, especially for civil society, and that AI standards should integrate resilience, rights, and accountability from the start [5-9][19-30][52-57][81-100][124-138][199-201][357-359][361-366].
High consensus on diagnosis and broad policy direction. The implication is that future work should focus less on inventing new standards frameworks and more on implementation conditions, support structures, and rights-aware design.
The discussion showed limited disagreement on ends but noticeable disagreement on means. Most participants agreed on broad goals: stronger deployment of security standards, greater resilience, inclusive multistakeholder governance, and better preparation for future technologies such as PQC and AI [53-71][307-308][310-320][361-366]. The main disputes concerned how to achieve these goals: whether to rely on voluntary adoption or stronger market/regulatory pressure [260-265][277-284][349-353], how aggressively to push specific transitions such as IPv6 [294-300], how alarmist PQC framing should be [202-206][208-216], and how specific or general final recommendations should be [367-372][384][386-393].
Moderate. The disagreement was mostly constructive and procedural rather than deeply polarizing. Participants shared many substantive objectives but differed over governance style, deployment strategy, and framing. This implies a relatively strong basis for consensus on policy direction, but also suggests that implementation debates—especially over incentives, mandates, and how to balance technical specificity with broader societal concerns—will remain central to future work.
The discussion was shaped by a productive interplay between technical realism and governance critique. Peter Thomassen’s opening intervention gave the conversation a strong analytical core by arguing that standards fail when they are not deployable in practice, especially without automation and incentives. Suncica Rosic then deepened that frame by showing that technical complexity can produce exclusion and by introducing a more rigorous lens on multistakeholder participation. Bruna Martins de Santos and Francesco Vecchi expanded the scope further, arguing that standards are not neutral technical artifacts but sites where human rights, legitimacy, and future governance models are contested. André Melancia and Lars-Johan Liman shifted the tone toward political caution by linking technology to restrictions on freedom and to the risks hidden inside sovereignty agendas. Wout de Natris and Peter Thomassen then added a practical and strategic layer through the procurement and post-quantum discussion. Overall, the most important comments moved the discussion from a narrow focus on standards as technical products to a richer view of standards as socio-technical systems shaped by automation, incentives, inclusion, power, and competing visions of digital order.
Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.