 Welcome to the New America Foundation and the Open Technology Institute. I'm Rebecca McKinnon, I'm Director of the Ranking Digital Rights Program affiliated with OTI and I'm just going to introduce briefly and then hand it over to the experts here. Just want to say I mean this panel today is culmination or I guess the milestone of a real evolution in not only sort of export control policy but in policy thinking around internet freedom generally and we've seen the thinking and the understanding of the issues get a lot more sophisticated over the past decades since I started working on internet freedom and advocacy issues we sort of started out I think particularly amongst policymakers and in the media with kind of an attitude that well you know the good guys will route around the bad guys eventually so just put a lot of technology out there it'll sort itself out and then I then that kind of evolved into okay we need to help arm the good guys a little better so get more circumvention and anti-surveillance tools out there to the good guys so that they can fight the bad guys more effectively and and then we've we've kind of moved on in the mainstream policy discourse to a recognition that internet freedom starts at home and not only do we need to get our houses in order in the democratic world to really practice what we preach but also recognizing that corporations based in North America and Western Europe in some cases might be incentivized through other means to behave more responsibly but there are other companies that are basically arms dealers and they're selling technologies that are empowering bad people and and that are contributing to an internet that is not human rights compatible in much of the world and that something very concrete needs to be done and so there I think is coming to be a more I mean there's always been a community of people working on export control reform but but I think that there's a lot more kind of high-level serious attention coming to it now and what's really important with this panel is recognition that solutions are as complicated as the technologies that they relate to and as complicated as the global economic patterns of trade and economics and as complicated as the very complex geopolitical landscape that we're facing today and that that they're not sort of simple quick and dirty solutions and I think what we've also really learned is the important of research and fact-based policymaking and and really drawing upon expertise and and my colleague Tim Maher will introduce our panel which really represents the New America Foundation OTI Human Rights Watch which has also been doing some really great research in this space to contribute to our understanding of what the facts are what the problem really looks like so that we can have real-world solutions and Colin Anderson an independent technology analyst who has really been working on these issues and and and a politician Marica who who has really been drawing upon the good work and really working with civil society and with the research community to develop a fact-based policy and and that's very important as well that that all of that circle be connected and so with that I'll hand it over to my colleague Tim Maher who will introduce people a bit more formally thanks thanks a lot Rebecca thank you all for coming today to this event and many thanks to all the panelists here for joining us today here at the New America Foundation I'd like to introduce first Marica Shacker who is a member of the European Parliament and is currently visiting Washington DC. Marica has been in the Parliament since 2009 and has focused on digital freedom from the start and has actually been one of the leading brains behind this in the Parliament. She's a member of the Committee on Foreign Affairs as well as on the Committee of International Trade in the European Parliament and in addition to her interest in tech policy has an extensive experience in the United States having studied here as well as having been a Lantos Fellow in the House of Representatives so it's a particular pleasure to have Marica here with us today with this event which will also serve to launch the new report that we published today that I hope you were all able to pick up a copy outside and I'd like next to and I would like to introduce next Arvind Ganeshan from Human Rights Watch he leads the business and Human Rights Unit at Human Rights Watch has an extensive experience with regard to freedom of expression sanctions he was one of the founding members of GNI the Global Network Initiative he was the founder of the principles on security and human rights with regard to oil gas and the extractive industries and his work has covered many countries and we're particularly pleased to have him here today because Human Rights Watch is going to launch new report tomorrow which is titled they know everything we do telecom and internet surveillance in Ethiopia the report launch will take place in Berlin but I'm sure there will be lots of news coverage for those of you who are interested to follow that as well and with that I'd like to introduce Colin Anderson who is an independent researcher as Rebecca already mentioned and Colin has done some really interesting and groundbreaking research in many ways looking at the internet and using internet data to look into topic issues such as censorship with a specific focus on Iran and he is one of the few people that I know who's can speak both tech and policy fluently and policy including export control regulations which with those of you who are here who do this on a daily basis know and appreciate how challenging that can be from time to time so with that we will start out by actually focusing on what is the problem and what is the impact of surveillance technology around the world and for people and Arvind is going to start with that and we will then move over to look at some of the policy options that are available namely export controls and try to shed light on what has been happening both in Europe which Marietje will speak about and then the US which is where I will speak a little bit more about the report that we launched today and Colin can also add to what has been happening in the US in recent months and years so with that thanks again and Marietje sorry not Marietje but Arvind if you want to kick us off. Sure well thank you everybody for coming and thanks for allowing me to participate today what I thought I would do is just briefly describe the human rights issues that are related to export controls and technology and then turn it over to everybody else so basically from a human rights perspective we look at the internet and telephone communications and other types of technology as a medium for free expression and as an area where privacy needs to be protected so increasingly in today's world the internet mobile telephones and other things are the principle way people communicate and it's what allows everybody to become a human rights activist to mobilize and organize that's just where technology has taken us but at the same time those are the tools that many governments don't like and so increasingly we're seeing censorship around the world through these technologies and we're seeing not least of which in the United States use of these technologies is the backbone for surveillance in a number of circumstances and as a result of that it creates a multi-level problem there's the traditional human rights problem of what a government does which is something the human rights community has been dealing with for decades there is the second level problem which is these are largely private sector creations so they're as influenced by how the private sector behaves as they may be by how what a government does and then finally is the critical issue which is as a matter of principle we would like to see everybody have access to these technologies so the solution cannot be to ban them per se but rather to spread them in a way that respects human rights so this is the multi-level problem we're facing now within that the way we think about technology is kind of there's this there's the services side which is what you do online the Google's the Facebook's Twitter's and things like that then there's the backbone side which is the internet infrastructure the mobile telephony infrastructure that allows people to communicate and then there is a another subset altogether which is a specific set of technologies that allows principally governments to spy and censor on people and these this last set which has been a key focus of a number of people's work up here came to light largely during the Arab uprisings around the world when it was when it was discovered that one a number of governments like Libya Syria and Iran have been using these technologies to censor or spy on on individuals within the country more problematic is that much of the technology developed in the West and even more problematic is it's exported almost virtually unregulated and there's a fundamental problem that's created by this and that is that number one there is such technology out there that could be used for legitimate law enforcement or intelligence purposes but probably won't be for two reasons one is you can only sell to a government once and then you have to find another government customer and not every government is going to respect the rule of law or people's rights when they buy this technology and two it's inherently problematic because it's set up to spy and to censor so it's in that context where we confront the issue of export controls and I'll stop briefly and turn it over to others about what's being done but you understand the problem here is one there's technology that exists that isn't going anywhere to there's an imperative to see more and more people have access to certain types of technology to exercise free expression and to be able to do it in a way that they know their privacy won't be violated and three there are a number of companies out there that are selling things in an unregulated fashion and then for their number of governments who love this technology because it gives them a window of insight into their citizens that they may never have had before so with that I will turn it over to the others to talk about some of the specifics about how these issues are being addressed thanks in December 2012 you were one of the early vocal voices about this topic and you pointed out that this is also unregulated and you pushed put out a call for the you to do something could you tell us a little bit more what made you aware of the problem the first place and what has happened since yes thank you it's a great pleasure to be here I want to specifically thank the new America Foundation but also different partners who have really shown great leadership in this field from early on assembled people and congratulate congratulate you all with the report that came out today I really think it's a milestone it's going to be very important I haven't read it yet but I know a little bit of the work that went into it and beyond research to be such a active voice in the public debate which I think is very much needed also in this topic so that's why I very much welcome this discussion which is very technical but very relevant so I'll try my best to break it down to understandable terms a little bit of how I stumbled upon this topic when I was elected in 2009 it was not just Europeans electing the European Parliament there were also Iranians trying to elect a president and after the outcome did not seem to reflect their votes many of them took to the streets and asked where's my vote and we saw the now famous green movement expressing itself but also being shut down fairly effectively and without much violence in hindsight if we look at what later happened and continues to happen in countries like Syria but looking a little bit more deeply into what happened in Iran it was very clear that technology played a key role in both as Arvin said advancing people's ability to access information to organize to mobilize to share human rights abuses that were documented on mobile phones and instantly known to the rest of the world but it was also very clear and became increasingly clear mostly because of the very valuable work of investigative journalists that indeed Western technology could it immediately be traced back to individuals who had been dragged from their homes put into prisons after they for example turned on their phone after having had it off for three months four months it was clear in raids that laptops were the most interesting object to seize from from activists etc etc so it was very clear that technology played a potential role for good and a potential role for bad and that is why I started to look more deeply into that and of course this discussion remains relevant until today but has been in all of the uprisings whether we look today in the Ukraine in Crimea or whether we looked at Tunisia the world over we see that there's a real struggle here and I think the first sentence of this new report says says it all by just saying that the value of this industry of the surveillance industry went from virtually zero to around five billion dollars a year and what that what that indicates is not only that it's a thriving industry it also shows that the interests and the stakes are increasingly high while we know that the impact on human rights but also on our own strategic interests and I think that should not be forgotten are also increasingly high and all of this the sprawling and proliferation of this industry and these technologies are happening in a regulatory vacuum when I look at the European side there's virtually no transparency about what this market really is all that we know we know through the very very valuable work of privacy international and other NGOs and as a result of a lack of transparency there's virtually no accountability while the technologies that allow for surveillance hacking tracking tracing and monitoring are proliferating and getting faster cheaper and smaller every day and so it's kind of ironic I'm a member of the European Parliament and for those of you who don't follow European politics on a daily basis we are often accused of regulating everything over regulating everything from the height of ladders that window washers are allowed to stand on to water or children's toys and so it's somewhat ironic that there is hardly any regulation here and from experience I can tell it's very very difficult to get the regulation moving at all and the reason is that the the member states and states in general are major players in this market I think that has to be a part of this discussion that the incentives to regulate by states are probably hampered by the incentives to purchase on this market in the EU we have some more problems that is one that the existing policies are still very fragmented so different member states have different rules and for example we decide on sanctions on an EU level but then the enforcement of sanctions happens on the member state level that means 28 different eyes enforcing one law and all this kind of gives a patchwork of regulations that do impact the export of surveillance technologies somewhat I briefly mentioned sanctions it's the only area where we really have regulation in sanctions when it comes to Iran or Syria it is now forbidden to sell technologies that can be used for internal repression but when it's also forbidden to to sell food or to transport any goods to a country that's hardly surprising so it's it's on the one hand explicit because we pushed very hard to reference it in these sanctions on the other hand it comes in a total package and it's at a great gap with countries that are not so far like for example Bahrain or Azerbaijan or Ethiopia where people are similarly repressed where these goods are actually sold without any regulation so that gap I believe creates hypocrisy and undermines our credibility we sought to use the dual use regulation and its update to address some of these problems because really where to put the impact of these surveillance tools is still a question that remains to be answered the dual use regulation in in Europe stems from seeking to control the export of technologies that are potentially used in for example nuclear plants and that in that sense should be regulated but that could also be used in simple water clearing facility without doing harm so there are extra checks before these dual use items can be sold depending on which country they are sold to and I think that that is a hint at where we have to go with regulating surveillance technology and its export which is to look at on the one hand what the technologies are capable of but more specifically at the context within which you're going to be used and then regulate through the transactional part so really through the trade part to know what these technologies do we often don't have to look far companies market very effectively how you don't need to torture people but you can actually use their technologies to extract information from people how you can find needles in haystacks and well the list is long and often quite creative and amusing if it wasn't so dead serious what we're dealing with here so I would invite you all to look at for example privacy internationals database of what these technologies do we should also show leadership by reassessing our own standards EU regulation demands that telecom networks for example have lawful intercept capabilities and while the word lawful intercept reveals the intention of these back doors we don't have to have to be rocket scientists to understand what happens to these technologies when they're put in a context where the rule of law does not exist it sort of eliminates the notion of lawfulness nevertheless these standards apply also to exported goods and I think we should show leadership by having a deeper discussion about what it means to be a democracy in a hyper connected world that discussions should probably take place in this city more than anywhere else but I won't go into that more more deeply today just a few more comments and I'll end because I'm more interested in the discussion with you there has been a lot of criticism and skepticism I should say especially from the tech community about how to regulate technology and I understand this it is very difficult to get it right and it is a sensitive issue there are traumas one could say from the crypto wars and there are a lot of people who say that one cannot ever regulate speech and that that includes software but as Rebecca I think rightfully mentioned some of these companies are really modern day arms dealers and so in my opinion the status quo is unacceptable and by criticizing every potential regulation we're not getting much further so I think we have to be able to find a way to get this right and as I mentioned I believe the focus should be on the trade part of things so the transaction between companies and buyers who are often states or law enforcement agencies there and in between those two you can for example put a licensing requirement where it's clear for companies and governments alike what is being traded what the capacities are and whether this is in accordance with the law or not and this transparency would really add a lot to the level already and is lacking right now and in the European context but I won't bore you too much with that it would really be helpful if there is a level playing field between the states so that we don't have 28 different systems while some decisions are made on the EU level the implementation happens on the member state level this leads to a lack of a level playing field but also I think it's better to do the oversight and the regulation on the European level to avoid a conflict of interest for those of you who know what what ministries of the economy or trade ministries usually do it's they go on trade missions to third countries with national companies and it's it's not a great incentive to then have to regulate the same companies basically to ensure that that do use regulations are met or licensing requirements are met it's better to do that with a little bit more distance so in all this I don't think we have to reinvent the wheel we can learn a lot from existing export controls such as weapon embargoes such as licensing requirements and I hope and I think it is possible with more information and with a vibrant public debate to get relevant and unharmful but adequate regulation in place thanks a lot Rachel Colin do you want to say a little bit about the US context and what technologies we're talking about yeah so I want to really pick up on Rachel's point about decisions being made that strongly interact with strategic interest but happening in a vacuum with little due due diligence and I want to do so in the context of the United States I think that this is a particularly interesting point given that the flow of technologies that have the ability to say for example interfere with democratic movements or interfere with religious minorities ability to practice have strong implications for existing policies these things interact with the United States strategic objectives as well as moral obligations if you look for example in the case of of Egypt Iran both of which had provisioned telecommunications intercept equipment by EU and American companies these are instances in which very quickly the the foreign policy considerations of the host states changed in the midst of it the nature of these telecommunications equipment is you ship once and it is therefore a permanent part of the surveillance state you can't take that back and so this is a this is an export that has particular implications over the long term so I think that I think that what you've seen is this gradual growing of controls but but failures this is not the boss and our changes are not the first the first step in in export controls in fact you have for example the surreptitious listening controls in 2006 which were put in place primarily to prevent terrorist organizations or unlawful interceptions of communications over over the wire these things never quite interacted with for example internet communications intercepting equipment you also saw in 2002 and then implemented in 2013 the regulation of MC catchers MC catchers are our equipment that are are capable of for example pulling information off of cell phone devices by mirroring being a cell phone base station and so these these things are are all sort of in the natural is interest of the United States to regulate the export of not necessarily to prohibit but to require due diligence on the the foreign availability and so why is this if you take for example the countries that are designated under the International Religious Freedom Act as countries of particular concern if we look at it actually of the eight countries that are our CPCs two of which have been provided us surveillance or surreptitious listening devices equipment five of them Western and total so if we take for example Saudi Arabia which is a CPC Saudi Arabia has been proven by external external research there's no disclosure process and so this is this is we know about this through the work of of organization such as citizen lab the electronic frontier foundation or privacy international we know for example the citizen lab was provisioned Norris devices which are intelligence equipment for telecommunications traffic telecommunications traffic malware or spyware from hacking team network equipment useful for censorship purposes by blue coat more surveillance equipment by trove car core and more censorship equipment by smart filter three of those Norris blue coat and smart filters are manufactured by American companies Norris also so if we take also the 2013 recommendations for additional country listings for CPCs out of out of the seven that they recommended three of which were provisioned equipment by American companies and six of which American near and European and also Canada Canadian companies and so if we look at this list we find that actually these states that we have significant concerns are engaging in the repression of religious practices the majority of these countries have been given technology that is actually significantly useful for repressing these these religious practices so this is for one a moral objective if we see for example however in the case of of the UAE the UAE there are our instances in which American made malware was pushed to American blackberry devices this is a case again then where the business interests of the United States align with the the strategic objectives of export controls finally you know the problem is is is that while there's has been this regulation under the surreptitious listening devices it's it's not clear whether existing regulation has applied if we take for example the case of of IP fabrics that's a network intelligence equipment manufacturer IP fabric fabrics was found or disclosed to have engaged in in practices that attempted to basically whitewash what they were according to allegations from the CEO who is later pushed out because he attempted to classify his equipment as surreptitious listening devices when the CEO became became came to believe his holding company attempted to delay disclosure to the Department of Commerce and conceal foreign customers he then pressured that they then pressured the CEO to rename the product and apply under a more laxed export control number as well as misdescribed the the use of their powerful surveillance devices and so if we see we see this basically exactly what you spoke to equipment that have significant strategic and moral ramifications for the United States as well as as Europe being exported in a vacuum and these again like I say these are permitted decisions the Nokia Siemens networks devices that were were pushed to Iran will always be in Iran they will not be turned off and so future democratic participation future democratic movements will always be subject to this this one export decision. Thank you Colin which is a great transition to the situation that we found ourselves and when we started looking into this about a year ago now I think we when we started having first conversations about this that over the past few years there's been an increase in recognition that this is a problem and that in many ways it's a problem that did not exist before in terms of the technology that exists and the scale at which this is happening and the new market that has emerged. So you had investigative journalists you had researchers at the Citizen Lab writing and publishing reports about what kind of technology are we talking about and what kind of country what kind of countries should we be concerned about. Very few people did the next step in terms of what kind of policy analysis is needed to actually think about what kind of solution could we implement and the export control piece being one of the options that you that we looked into further and the challenge was we know that this is a potential policy option but it's actually really hard to find out how to implement this effectively and in a way that it actually makes sense and that's when we teamed up with privacy international in the United Kingdom and a German NGO called Digitaler Gesellschaft and engage in a joint project and this report is the culmination of this of this project to conduct in depth policy and technical analysis of what are we actually talking about what kind of precedents exist in the export control regimes in all three countries with regard to human rights with regard to surveillance technology and to summarize that in this report. The idea was also that we had to do this jointly with organizations in other countries because an export control regime is only effective if it's done across the board with different countries on board. There's obviously the argument to be made that even unilateral controls make sense if you want to align your export control regime with your foreign policy that's based on human rights and that promotes human rights and that if you're interested in making sure that you're not pursuing a hypocritical foreign policy you need to make sure that you have controls in place so that your own foreign policy is in line with your export control policies in line with what you're preaching while you abroad. So this report outlines an analysis of these three export control regimes. What then happened in December was that the VASNA regime which is a multilateral export control regime that currently consists of 41 member states including all of the EU members except for Cyprus but also countries in South America and Asia and this export control regime which was set up to focus both on arms and dual use technology adopted two new controls relating to surveillance technology in December. One relating to intrusion software and one relating to IP network surveillance systems and these two new controls were adopted in December by all 41 states and now need to be implemented by these governments in the 41 countries. They therefore open a window of opportunity to show that governments are taking this problem seriously and to think about how they can actually implement these controls and VASNA is a regime that focuses on regional and international security and stability so it's not a regime that focuses on human rights as such but as we hope this report shows is that there are precedents in the export control regimes in the three countries that provide a precedent to implement human rights provision into the changes that are necessary to implement the VASNA changes as well and there are a number of different options that are available which we don't go into great depth in the report. The report is meant to provide an overview of the three regimes, the VASNA regime, the EU level because that's particularly important for the UK and Germany and provides an analysis of how we interpret the VASNA changes because there's been a lot of debate of what do they actually mean so if you're interested in that that's at the end of the report. With that, I'd like to open this up for Q&A and look forward to a hopefully interesting discussion. There will be mics so if you could just raise your hand mics will be coming and if you could please first state your name and your affiliation and make sure it's a question. Thank you, I think. Thank you. Jim Berger from Washington, I just want to ask a question related to the last statement you made on the VASNA, who brought that to the VASNA table to discuss? Was it the Europeans or I assume it was in the US? So the language for the intrusion software goes back to a proposal by the UK government which now if you, the VASNA regime takes quite a while to process new proposals so it's been 18 months prior to the actual change happening in December and the IP networks surveillance system is as far as we know based on a proposal that was made by the French government. However, the 2013 National Defense Authorization Act there was actually a congressional mandated language having to do with employing export controls to limit the foreign availability of what was deemed cyber weapons without necessarily a strong definition of what that implied. And so there has been some concurrent regulation in the United States who at least intent to regulate. And to just briefly explain the process at VASNA, once the proposal has been made by one country you have a technical group that meets once a year and where essentially the technical experts come together, look at the language, refine the language, ultimately agree to a consensus language if they do which then becomes put in front of diplomats at the plenary in December who then give a thumbs up or thumbs down. And that's how the VASNA process works which is also why it takes 12 to 18 months from the initial proposal to an actual adoption. Joel Coulter with AUVSI but also with a video company I'm an entrepreneur, was part of the IPv6 transition team now that ICON is no longer their transitioning ownership of the internet to the global community. And I was part of the Tunis thing when China and Iran went into and everybody left with them and only one country stayed with the US. Part of the initial planning before the Arab Spring because we rely too much on social media and didn't realize that putting things on YouTube to stimulate instability was not a good thing to do within Egypt. You know when the Egyptian Google executive put all the barney things but the question I have given the fact that state capitalism we're a liberal capitalistic society and other communities are state capitalistic. So for example in Northern Afghanistan there's China and Germany. So the question is it's all about culture when it comes to internet and how it's used and the private sector is very interested in stability. Their core meaning of any private sector stability. So is it should be a private public partnership or a public private partnership? It's a little philosophical but you know let me try. I'm not, when I look at the private sector I'm not sure that they're all interested in stability necessarily. I think there is too often a lack of consideration of the impact abroad of what is done in the context closer to home. So I think we must look much more broadly at how we're gonna tackle this problem. I know this event is about export controls but I've made a plea before for doing human rights impact assessments in the R&D phase of technological development simply because engineers or hackers or other programmers coders are often focused very much on the possible or pushing the frontier of development which is very exciting and has created so many new opportunities. But if we do not anticipate the unintended consequences we can have a lot of surprises. So just an example, there was of course concern about the potential impact of facial recognition software but there is also companies who may think that they can up their profits with making it easier to tag your friends in a birthday picture. Had that been assessed a little bit earlier on I think it wouldn't have taken an expert to understand the impact of facial recognition software on Tahir Square in Egypt where one picture could trace back people months, years and later to that location. Thankfully there has been a civil society initiative to kind of counter this phenomenon which is developed by WITNESS which has worked with Google to create a face blurring tool to allow for the documentation of certain events without compromising the identities or making known the identities of people that for example are bystanders or in the background or whatever. So it's very much maybe action reaction is the appropriate word that we often see in the market but that doesn't, what do you call it? Doesn't prevent or shouldn't prevent governments from taking their core responsibilities and I think that's what we're talking about here. We're not talking about over regulating the internet for the sake of regulating the internet. I mean that should be no one's intention who cares about the economic, social potential of the open internet but governments still have responsibilities both in the field of security and in the field of ensuring competition in the market for example or in ensuring people's fundamental rights and freedoms are respected and the reality is that decisions of companies here and this country is particularly powerful when it comes to the digital economy have an enormous impact in other places in the world and I only wish that companies were interested in in what the impact could be abroad whether it leads to more or less stability but I frankly think that thinking often lacks of this global context and that is what I think we need in order to make these policies work. So I think towards that point though one of the things that you've seen to speak to actually the first thing that Rebecca brought up is that in the case of information technology companies such as Google such as Yahoo in 2006 there was this movement based off of the Shertau case especially that if we don't regulate ourselves or if we don't engage in sort of multi stakeholder processes that at least remove this public pressure the government is going to come down and if you look at these communications companies such as again Google there's a substantial ability for something like a consumer facing boycott there is a public brand that is damaged in violation of human rights or in bad press if you take however something like Norris which is a subsidiary of Boeing what are you going to boycott 777s because of Norris's activities there's very little consumer facing brand to hacking team there is no consumer facing brand and so if we look at things like democratic participation or consumer action there is very little interface and so the amount what we've seen is tech people are extremely adverse to governmental regulation you spoke to that point and I think that we can address that if that's of any interest to people so this is why people have grabbed at things they've looked for this form of self regulation they've looked for this form of peer pressure they've looked at court cases but if you look at for example the case of the Chinese lawsuit having to do with their participation with the Great Firewall a case in which Cisco explicitly was aware that they were going to engage in activities that would lead to the suppression of the fallen gong actually there's been no opportunity for recourse that case the Cisco case was thrown out last month I believe and if you look at this decision actually one of the things that the judge said is look in the case of China we have substantial export controls having to do with crime control technology these are bipartisan considerations we have this existing regulation but the fact that there is no regulation therefore implies that there's no intent to regulate the foreign availability of internet surveillance devices and because it's not the judicial branch's domain to start making foreign policy decisions and export decisions there's no recourse here and so again you see this process in which the tech community civil society human rights organizations more broadly have interfaced with all of the different forms of control or self control and export controls in some ways ends up being the least worse and most viable option let me try and answer kind of the philosophical part of your question which is in a sense it doesn't really matter what the nature of the business is whether it's purely private or state partnered or state controlled rather that in a way business is neutral and how it operates is really a reflection of what society expects of it and that's true of environmental laws it's true of anti bribery laws and it's true of these human rights issues so take Ethiopia for example because we have this report on this problem coming out tomorrow the problem of technology and how it was exported to Ethiopia and how it would be used was utterly predictable in so far as the government has set up a surveillance state where neighbors are supposed to spy on neighbors where even aid is monitored and distributed according to your political affiliations so the fact that a telecom company like France telecom or ZTE now can build up telephone infrastructure in the country should have come with the recognition that it was going to be used to spy on people however beneficial increasing the network was in the country and is right and secondly when a company like gamma international a German company offered and sold the government finfisher or hacking team did they had to have known because Ethiopia's history was completely unambiguous that it would end up on the computers of people the government considered dissident so you look at this and you say well all the government is doing is adopting new technology to its old pattern of spying and surveilling and harassing people so there are cases where people were detained because the phone numbers they dialed internationally on the mobile network were not already in the database the government had a phone numbers that people should or could have dialed right and so the way I look at that is say look if you look at this situation where it's utterly predictable and any reasonable degree of due diligence by a telecom company an internet company or more importantly a company that sells surveillance software or surveillance products would have told you where this might end up and yet it was still sold in part because there are no sanctions on it in the U.S. or anywhere else and in fact the Ethiopian government is a close ally of the U.S. and other Western governments and because there are no rules in place to look at this and say wait a minute the odds are actually quite good that this will be used to go after dissidents or political opponents just as much as it might be used to engage in legitimate law enforcement activity and therefore there need to be some controls on it so when I think of export controls I think of it the same way we might think about how lead in the environment or anti-corruption is something that at one point was unregulated but ultimately people realize the harms were greater than the benefits and got regulated. It didn't stop business for example but it did change the way business operates. Are you arguing to put all the data under Google or do you believe who owns the data matters and each country should have its own sovereignty of data? Well it's a separate question but I mean maybe if you want to... I just wanted to build on the other point that was made because I think what we'll also increasingly see is a conflict of interest between different companies in the digital economy and it will force companies also to take a more political role. They are put in a role that was previously usually only decisions for governments to make so for example when you look at the fallout of this clip on so-called quote-unquote innocence of Muslims you know this was supposed to be a movie but it was really kind of a patchy product that led to all kinds of demonstrations including where violence broke out and where people died and there was a discussion between the White House and the State Department on whether or not to apply pressure on Google to take down this information. There were different decisions by Google made in different countries on whether or not to take down this information. And now we see a whole discussion around American companies in Turkey where the government is shutting down Twitter on the one hand, where on the other hand Google is declining to take down some content while on the other hand having accepted to operate under Turkish law which is already heavily restricting speech in order to keep that market which I think is mostly a business interest. So I think what is interesting is to see how companies like Twitter where the business model is really to facilitate speech will speak out or not speak out against those companies who are selling surveillance technology, et cetera. I mean this could be a part of how the business community engages in this discussion is one that I believe is interesting. We should not forget in any case that there can be conflict of interest between American companies and this also will feed into decisions that the American government, for example, will make. If I can, next question. I think what is, we mentioned, we talked about how there are different companies and how some can be subject to public pressure and others can't. The similar approach I think needs to be applied with regard to the technology because it's really hard to identify what kind of technology are we talking about? Where is it being used and for what purpose? So that's where something that we, Richard and Colin have alluded to earlier. There is the experience of the crypto war and that there are crypto wars and there's this fine line to walk of how can you make this so that it's narrowly crafted and not overly broad, but clearly in a much better state than we are currently in because right now, as everybody has said, it's unregulated apart from a very few instances and there's a very strong argument to be made that we have a new technology that has simply outpaced the rate that regulation has been able to be updated. But with that, let's take a few more questions. I had Josh Ettinger, AAAS. So if a country implements regulatory controls or export controls, what is it to stop a private company from simply relocating or running their software through different channels, potentially secretive ones to these countries? Nothing. But what I think may well happen, what I hope will happen is that gradually a set of global norms will emerge or at least norms that open market economies or democracies will adopt. It depends who can be persuaded to join these norms but right now we're not even close to knowing what norms we're looking at and there was a day where nobody thought the death penalty was a strange kind of punishment that went too far and somebody started that discussion and now, at least in the European Union, thankfully, it is considered inhumane and it will never be applied. Hopefully one day this country will also be there but I'm trying to say that you have to start somewhere and of course you will lose some market to others but we have real strategic interests, real human rights concerns that are an integral part of our policies, our foreign policies that we're now allowing to be compromised by our own companies and that credibility problem is real. I mean, if you're trying to address a government in foreign policy and saying look, stop closing media outlets, stop censoring your people and the same company knows that it's signing a contract whenever it wants with a company that's located in the same country, it really harms your credibility and then on top of that, of course, harms the lives of people and the strategic interests but that problem needs to be addressed and that's why I think we're seeking smart regulations to make that happen. And if you, I mean, just on that, if you look at other instances where this has been an issue, particularly anti-corruption and sanctions law generally, you see over time that once the first level of rules are implemented, then later you see culpability for that. I mean, look at the multi-billion dollar fines that HSBC and others have paid, that it is exactly for this type of stuff, for subverting sanction through foreign subsidiaries and things like that. So you expect that once the first set of rules are in place, the second set will evolve to capture that problem as well. It won't solve everything but it will start getting at that issue. I'm glad you raised this question because I think it's the effectiveness of the regime overall and we've gotten this question several times since we've been working on this. Something that we've noticed is a lot of times the question comes in, can you stop a single company from exporting a specific item to another country? And there are arguments that this will be hard to enforce but that's not what determines the effectiveness of the export control regime overall because yes, you might have the few black sheep that don't care about human rights, that will export a technology to a specific country and end users from a human rights perspective, they should definitely not export it to. But as we've seen after the uprising, you had the archives opened up, you were able to find out what company had actually exported this technology and right now we're in a state where there's no law in place that would have actually allowed to sue a company and say, you should not have exported it to this country and to this end user. Now, if the laws become updated and the export controls become updated to reflect this new technological reality, you actually have a legal basis to do that. And what changes then is you might not be able to prevent the export of that single company but you might be able to find that company and through the find create a deterrent effect that will create a shadow of the future for the rest of the regime and entice other companies to adhere to the regime. So it's not so much about the single export of a single company, it's much more about the effectiveness of the regime overall. And I think even in that regard, export of the control of export of technology can lead to effective regime because of those shadow of the future effects. Yeah, and you can tie it with lots of other issues like procurement, like development. I mean, you can make it a conditionality also much more broadly, but you have to start somewhere. I mean, these are all implementable ideas. You could say to, I don't know, but I'm sure the aid by the EU to a country like Ethiopia is enormous. And you can say that's conditional upon and then a set of principles. That is only possible if we know where the limit is. Same with procurement, a lot of these companies are maybe also seeking government bids and tenders. Well, if you seek to violate a law in field A, then your products are not attractive anymore and potentially even out of line for government tenders on other lines of your business. So there are a lot of things we can do once we start putting a norm and a discussion somewhere and export controls are only one part of that. I just wanna emphasize, but we right now lack transparency and regulation and accountability. And so the starting point has to be created although we're very much aware that it will be imperfect. And of course, other players will take over the market, but they can be accountable for their own foreign policies and their own practices, which we have to be for ours. So actually to speak to one of those points, as far as conditionality on contracts, we actually have that in the United States under the comprehensive Iran sanctions and investment act, which debars companies from having government tenders if they've been found to have sold censorship or surveillance equipment to Iran. But I also wanna sort of speak to this question of whether this is a feudal venture because these things are portable. In fact, I think that we have this notion of surveillance by software being a childish act that somebody can cross a border into Malta and to start to produce. In fact, I don't think that that's the case and I don't think that's the case, especially with the network devices definition that was laid out under Vasinar. These are actually incredibly sophisticated pieces of equipment that require substantial research and development, require substantial manufacturing investments, and also have sort of tied with them long-term support contracts. So for example, Naros Insight, which is one of the most powerful devices, again, this is a subsidiary of Boeing. A subsidiary of Boeing is probably not going to start moving into third-party countries in order to circumvent export controls. I should hope not, and I should hope that our export control regime should be able to handle these sorts of things. There might also be additional recourse through mechanisms that exist in the United States, but not in Europe, such as notions of deemed exports, but I also know there are export control lawyers in the room and I'm really afraid of them, so I'm not going to venture into that. And so I think it's important to say that there is a friend of mine likes to make the difference between efficient versus sophisticated. And so you can sort of craft a malware interception kit or a network censorship kit that is effective because you're able to block all content. Actually, internet filtering is incredibly simple and I could teach you within a week how to filter the entirety of Syria. But what foreign countries get is they get sophisticated. They get, you aren't just going to be able to compromise this person or filter this person. They're getting, you can compromise any person out there and we're going to guarantee nearly 100% of the time that you're going to gain access or be able to disrupt access. And so this is the differentiation. The thing that is of most substantial concern when you start getting into sophisticated tracking, correlational analysis, these are intensive technologies that require investment that is not just portable against borders and not just something that you do in your sort of startup garage type venture. And oftentimes, just to add to that, in terms of identifying the appropriate actors in this market, it often also requires sharing of know-how. So teams of people going to third countries under difficult security circumstances, sitting there for a couple of months, getting R&R on top of their salary. I mean, this is like not always difficult to trace what's going on. And we've seen companies that have come to terms with their own practices and found themselves caught in situations that they really didn't want to be in. We've been asked by companies to apply sanctions so that they could breach contract without being liable. It's not a joke. I mean, so I believe that we have to also make an appeal without just waiting for law to the moral decisions that companies make. There is a way to do this in a more sort of appropriate, healthy way instead of at the cost of people's lives. I mean, really, I think that's also something we have to do. And that's why a public debate is so important, even though these are complicated technical issues. I mean, it really actually astonishes me that this has not erupted much more vividly as a debate in light of the NSA revelations, in light of everything that's happening. Because of course, clearly there's another kind of problem here. And that is, I think, the arrogance of some governments or some companies to think that they're always going to be the front runners in this market and that there will never be anyone faster to apply these technologies against them. In other words, the proliferation of these technologies. There's a real illusion also found in my own country that we're always going to be the fastest in this place and that we can keep a grip, that governments can allegedly keep a grip on these technologies. And even James Clapper said that US interests have been violated with lawful intercept technologies that have been exported from the United States. So these things come back as a boomerang and companies should rethink their interests very seriously. And just one point on why this is a regulatory issue is if you look at Syria, Libya, Ethiopia, and elsewhere, if you're seeing the same half dozen or less companies have the same problem and multiple jurisdictions, then you probably have a regulatory problem. So, I mean, it's just. I have Mike here in front and Sasha. Some of the questions I would have asked have been touched on, but I want to ask one about, we've talked, I think we've talked about aiming at the sort of software arms dealers, the particular companies that are providing technologies that are not generally available and they're selling particularly to governments and they're moving to every new government as they work under the Malfusion pressure of trying to find a market for their product. But the interesting question that remains to me are companies that are providing communications infrastructure itself because as European countries know, as the United States grapples with from time to time, telephone companies themselves and infrastructure providers themselves are mandated by their governments to put various kinds of surveillance technologies into what they offer. So if you take a country like South Sudan or Burma where foreign companies are being invited in not to provide surveillance software but to provide communications infrastructure itself which will typically be heavily mobile based which will typically be heavily digital in various ways or have various digital layers. What can we do to make sure that those companies which have the technology already, whether they're European companies or Australia or the United States that have the technology already to build surveillance capabilities into the communications infrastructures of developing countries do not in effect facilitate the kind of surveillance and human rights abuses that we're talking about here. So it's ironic you mentioned Burma since we did a report on this last year. And I think, I mean, you're touching on the most, one of the most complicated areas because this comes at the heart of wanting to promote the spread of technology but some technologies can be inherently problematic depending on who's using them. And so take the case of Burma. I mean, what we said to the telecom companies like Telenoor who is there, right, is that you need to do, there are two basic things you will need to do. One is to do diligence on your own operations and activities. And two is to understand that the current telecom laws are wholly set up to surveil, right. And until there's real reform of the telecom laws, you are going to run into trouble. So it's a twofold process of both being responsible as a company but also understanding the regulatory regime you're walking into. And even though the government is opening up, it is not revising or reforming laws fast enough to keep up with certain sectors to respect rights. So there are two issues. As a general matter, what we did not know in say 2006 when the telecom infrastructure of Ethiopia was first being developed that we do know in 2014 is that there should be a fundamental obligation for due diligence across sectors that at a minimum know the risk you're walking into and do things to mitigate them. In telecoms, it's a lot harder because government has overarching control of the sector more so than maybe an internet. But there's still things you can do. And a good example is what happened to Vodafone in Egypt and elsewhere where by failing to do that due diligence, they couldn't push back on over-broad requests by the Egyptian government and other things. They may not have prevented everything that happened but they could limit it. And one of the things we're seeing particularly in mobile telecommunications around the world is a regular pattern of governments of what they're trying to do. So what you see in domestic uprisings or protests or anything else, you see cutting off text and mobile phones in the direct area where protests are occurring which also could mean, and this is a real problem, cutting off of emergency services. So as people might be getting injured for demonstrating or exercising their right to free expression, they're also losing access to emergency services, 9-1-1 and things like that that could actually help them. Right, right. And then you're also seeing, and this happened in Kazakhstan where at least one of the companies uncritically took the government's request. They were told cut off all the services, cut off texts, cut off email and cut off mobile communications in the area where protests were occurring. But tell everybody you're having technical difficulties. So the second thing they can do is because often, particularly if you're a foreign subsidiary, notify the rest of the world of what's going on outside the country, right? So the biggest mistake they made is they didn't tell anybody this was what was going on and even the company's headquarters didn't find out until after the country manager had already done it. So there are small but limited steps to build on what are the more complicated things but in today's age, not doing the due diligence alone is a problematic, problematic thing. I think we should also look at more anticipation. I mean, what we've learned from, for example, the case of Vodafone in Egypt, but also the case of Nokia Siemens Networks in Iran is that when a company is confronted with such a decision, it's stressful, it's understandable. I've talked to people in these companies who share what they have learned from this. Of course, they're trying to defend the case but that's understandable from their point of view. But I think it could have made a difference if Vodafone would have been either in breach of European law, it's a UK company, one of the biggest telcos in Europe, or if it would have had simple and fast access to high level government officials to get their backing in declining this order, for example. So we can also anticipate that these cases will happen more and more often and somebody, I forget who, but mentioned the case of South Sudan. Yeah, sorry, you. When a new government is going to be established or after a transition, let us prioritize these issues more swiftly. Let us immediately address this problem and understand it to be as instrumental to the rule of law as free and fair elections, for example. In South Sudan, there was probably already a surveillance that before the first blogger had been able to put some words down. And I think we can also do things like work with regulators who can share their know-how about how the system works. Telecom regulations are often not the priority for the United States or the EU-informed policy when looking at transition. It is much more good governance, human rights, in a broader sense, a more abstract sense, and it's not very precise. And I think if we get this anticipation built into our own thinking and send the right players forward and reduce the distance between corporate actors in this space and governments and understand that some of the issues are of common concern, that we can also improve without even needing to change the laws necessarily. I hope that's right. I think in Burma, we know that the input on the telecom regulation is here setting up. The regulator, as they're letting foreign entrants in, had the primary drafters of the regs have been the phone companies themselves. And not necessarily human rights oriented, at least in the United States. I agree, that's a problem. So, I mean, just on that, I mean, just building on that, there are a couple of things. One is some of the telecom companies are already starting to deal with this kind of systemically with the Global Network Initiative and in the dialogue with that, which could be positive. Secondly, there are other actors involved. So for example, the World Bank is promoting telecom liberalization around the world, which is neither here nor there from a human rights standpoint, but it's problematic if they don't put in adequate due diligence requirements as they provide money to governments to liberalize those sectors. And then third, I mean, if you wanna see where due diligence and not doing things in the telecom sector can go the worst, look at 2006 when the US telecom companies argued for retroactive immunity in the revisions to the FISA regulations and everything else, and you get a surveillance infrastructure like we have today globally, all right? So there are plenty of lessons on why to do things different, and this may be an opportunity to do that. Hello, I'm Sasha Meinrath. I'm the director of the soon-to-publicly LaunchXLAB program here at New America. And I know we're in DC, so I wanna ask sort of maybe a more provocative question. So let's take all political pragmatics and stick them aside for just a moment, and we'll make you all the hyper-non-paradoxical human rights dictators of the globe. And the question is this, which is if you could do anything with all political economics aside and all of the limitations to what's possible aside, what would be the top one to maybe three things you would start with to create the kind of ethical or moral framework around these issues? I'd like to get sort of the high level, here's what we should be doing so we can see what filters out at the end of one's political pragmatics and what have you are put into the mix. So my temptation is to say I would have some being appear as a 50-foot waterfall speaking on about what the telecom industry should do if I could do anything I wanted. But I mean, I actually think the norms are there. So they're basically, I mean, in an ideal world, you can have completely open technology to where as of this minute, nothing is censored and everybody has privacy rights, right? But as a practical matter, the normative framework exists, whether you look at something like the UN guiding principles on business human rights, GNI, or any analytical framework, it's there. And it's just a question of finding a way to adapt them to the realities that institutions are facing. So I don't think, I mean, from a normative standpoint, it's not that big a lift. The challenge is putting that into technical practice, I think. There are lots of things that should be done, I think, but we should not underestimate the importance of this country and lawmakers in this country and the difference they can make. And I'm concerned about the intertwining of business interests and politics in this country. It makes it very, very difficult to find people that are mostly gonna be held accountable for what they do for the public cause, let alone the global public good, right? I mean, that's just, that's difficult. But by increasing the liability of violators, let me just put it that way, liability for violators, sorry, making it more difficult or more costly or bad for business to engage in these activities, whether it is through export controls, which is still, it's both preventive but also allows for reaction. That's one option. I think it is really important. I mean, in the scheme of things, it's really important. But also these human rights impact assessments. Some of the problems we're facing have potential technological solutions and they should be incentivized, invested in, required. And they're, in my opinion, very much two sides of the same coin, but if you don't identify explicitly what the problem is, then it's more difficult to also find a solution. And if we can do this with as few laws as possible, that would be great. So I think the business community itself can come up with competing solutions. Those would be some of my thoughts about it. This is an XLAB question, isn't it? That's what it means. So I think the first thing, and to start off in a constructive note, I would push for further liberalization of encryption controls and incentivize further adoption so that encryption is ubiquitous and at the norm on the internet. There is two strains as far as my second option of my wish because the activist in me wants to say, we should have, we should borrow substantially from the crime control classifications within the US export regime, which would incur substantial liabilities. I think that we should have stronger, that the things that have been done to the alien torts statute and that have removed standing for these sorts of human rights violations is incredibly non-constructive. And so I would throw everything as much as possible to create liabilities and to create due diligence standards in order to export certain types of devices. The pragmatist in me and the empathetic person in me also realizes though that there are these muddled issues having to do with, for example, lawful interception devices and recognizes that this is a substantial structural difficulty in which if there was over-regulation, we could quite honestly do significant damage to our ability to improve networks. We see this, for example, in Iran. Iran mandates 128k second connections by parliamentary proceedings. The assumption is, is the reason why is they can't censor fast enough. And so this creates this difficulty of if we want faster internet, they are fully willing to just repress their population's ability to access the internet because they don't have control over that process. And so I recognize, and I think that we should recognize, that there is a contention where we might have to deal with the fact that we might facilitate better surveillance and better control by giving better technology. And so this is the empathetic part of me, which hopes the process for these sorts of regulations is deliberative and engages in an honest conversation with vendors who have honest grievances and incorporates these sorts of very legitimate concerns. I mean, not to be, I mean, was being lived before, but there is one element that has to be part of it too, and that's real independent oversight because every system breaks down particularly in this area because it's inherently secret without oversight. And that's not just of the public sector but of the private sector as well. So if that element isn't there, then all the other things fall apart too. And that's why in Ethiopia or Syria or Libya is particularly placed to misuse technology because nobody's really going to stop the entities from doing it. So we have 10 more minutes. If you have more questions, please think of them. I will ask Arvin one question and I would like to let the other panelists know. Yeah, Mark. I will ask you for concluding remarks at the end or if you have anything to share. But before that, Marty, in the back. But maybe an outside Washington question. You've talked a bunch of times, you've talked a bunch of times about the need for regulations and due diligence. And I'd like to get the panel's reaction or their forecast about where are the likely hangups or bright spots as these regulatory instruments start to unfold as some of this gets implemented. I mean, as I look at this, we have a very complicated cross-national coordination problem to try to harmonize. I mean, yes, there's some unilateral payoff, non-hypocrotical foreign policy. We might get lucky. That would be great. But even then within states there are the, and we've heard also about EU harmonization of regulations as being an interesting cross-national problem. But then as I look inside these individual national bureaucracies, the regulatory scene is frightening. I mean, it's not entirely clear how all of these things are gonna work their way through a regulatory apparatus and come out in these happy ideal places that we were just speaking of. So are there places that would be good places to concentrate effort because these look like the bright spots on the regulatory landscape? Are there pits of despair that we should be concerned about that will likely be tar pits for certain kinds of regulatory efforts we might launch? So maybe I'll start with this one first because it relates to the report where the new controls that were adopted at Varsna in overview presents a window of opportunity to take the two controls, especially the IP network surveillance systems one which is very narrowly tailored and has a lot of ends in their relationships and not oars, as well as the intrusion software language to implement that with a strong human rights component and to see how this will be implemented and what the lessons learned from that will be. It's a very clear-cut case and it could provide the blueprint for including additional technology that we know are of concern that are currently not subject to the regulation. But the more you broaden that bucket, the more difficult it will become to draw the line between that dual use character of the technology. And in terms of the something I think that we talked about before the event, the government I think is facing a similar challenge that many human rights groups in terms of all of this new technology requires a lot more tech expertise in the bureaucracies as well as in NGOs and there's an increasing demand and as this demand is put on the government from the outside to reform these regulations, it will be easy for bureaucracy that does not have additional capacity and resources to address this to not spend the amount of time that's required to implement this in a sufficient way. I think here the Department of Commerce and BIS has these resources. They have technical experts but the question is how much more has their demand increased over the in recent years and how do we need to change bureaucracy to keep up with that? That's... I mean, I think there are two areas that I think there is going to be opportunities to regulate the worst of the worst of the most dangerous technologies. I don't think, because I don't think people disagree with the fact these are problematic but the second issue has to do with a broader trend that's happening in Europe and the United States which is in various bits and pieces due diligence is being regulated. So if you look at the Burma regulations that mandate some due diligence requirements for investments over half a million dollars, they're there. If you look at Dodd-Frank 1502 and conflict minerals they're there as well. The European Union is proposing new disclosure requirements and looking at conflict minerals. So we're seeing a pattern in Western governments to start enshrining the principle of due diligence. What you're not seeing yet is a penalty for not doing anything about it. You're seeing a penalty of sorts for not disclosing. So I see this as an evolution of where things are going. So you will see more and more of this. It won't be easy and it will be very hardly contested as it is in the US and elsewhere but that's the trajectory of things. So you could see over time this becoming more and more the norm rather than an anomaly of anyone. So two more questions. One, Ross, and then a second just before. I'm George Lyle from Internews. There's two questions I wanted to ask. Hopefully they'll be pretty short. One is I wanted to get your all's opinions on where you draw the line between lawful intercept on lawful intercept and intelligence gathering because it might seem just with a devil's advocate that from some of these countries' perspectives they would like to do some of the things that the US is able to do. But for various reasons the European governments and the US government doesn't want to allow them to do that. And actually the second question slips from my mind. So we'll just go with the first one. Who says that they're not already doing that? What I mean is I want to know where your opinions are on where the line is drawn between lawful interception and unlawful interception and intelligence gathering because lawful interception and intelligence gathering is something that we presume that all countries have the right to do. But from these discussions that I've attended from time to time it seems as if there are certain countries we want to do those and certain countries that we don't. I'm sure that's true also. No, I think the criterion for lawful intercept is that it is of someone who is of legitimate concern so that there is suspicion against him or her and not blanket and that it is after a court order and a review by a judge or what do you call it? Police investigate what do you call it in the United States. It has somewhat different name but in any way the appropriate authority which reviews the case and authorizes for a limited period of time where there is also checks and balances on the individual's case protecting the person from the state and I think that that notion of protecting the individual from the state is more built into the culture in Europe or appreciation among the population because in the very recent history we had the Stasi spying on Germans, Eastern Europeans feel this very, very strongly because of their experience in the Soviet Union. So it's about innocence until proven guilty so really targeted at individuals where there's legitimate concern or suspicion after review of the appropriate authorities for a limited period of time. That's in a criminal investigation. As far as the intelligence gathering I think there's a very important discussion to be held about the appropriate oversight and the limits within which these services can operate and clearly you cannot have that discussion if the mandate is secret, the courts are secret, the laws are secret. I mean then there is no such thing as oversight and I'll come back to that in my final remarks. I think these very core principles of what it means to be a democracy have to be reassessed and redefined in the context of these technologies that so easily allow for mass information gathering, mass surveillance. I think the question is really whether mass surveillance can ever be in line with respect for human rights. Where is the proportionality in mass surveillance? So we can really draw upon the fundamental principles of the rule of law and of the democratic states that at least we live in allegedly and seek to perfect them, seek to perfect them in light of what has been revealed recently. And I think that whether you see this as a crisis or whether you see this as an opportunity this is the moment to do it and to get it right. One last question, Ross. Each of you have talked about surveillance technologies as though we all understand exactly what that means. And I'd like to have a more detailed understanding of what you believe ought to be controlled that is not controlled for export today and why. For example, are the new controls on surveillance systems adopted by Vasanar last year adequate? Or are there other technologies which should be subject to similar requirements? And if so, what are they? So I think actually the report does a pretty good job. And I think that I think what we were surprised at was the extent to which the Vasanar changes were actually very technically precise and we feel constructive towards these ends. Privacy International has maintained a working list of potential other technologies. I don't know if it was included in any form in this. And I can't recall offhand what exactly constitutes that list other than things having to do with, for example, mass voice recognition. One of the things I want to backtrack and say is that the United States maintained unilateral controls on crime control technology, communications, intercepting devices. And so I think both some of the recommendations of PI and the recommendations that might come under the report are things that are already regulated in the United States but are not put under Vasanar any multilateral controls. So I think just to sort of reiterate, I think that the definition of IP network surveillance systems is as adequate as we could expect. I think that what will be interesting and necessary for any sort of future changes is to look at how these are implemented and then how bodies such as the technical advisory committees of this sort of play a role in making sure that these keep up to the evolving standards. One of the things, of course, that we should be concerned about is if we put a number, if we put a throughput rate, what does that throughput rate mean in five years from now? This is a substantial concern. And so how we shift these to meet the ever-evolving threat or ever-involving concern or even ever-evolving pragmatic decision to just abandon that low of a control, I think needs to happen before we start throwing other things at Vasanar. To just add to what Colin said, I've been looking at this list and because we are very concerned about making sure that the language that we propose and include in any report is very revised and well-crafted, we decided not to include it yet for this report. We wanted to make sure that this is out now because of the ongoing implementation of the Vasanar changes and to provide a blueprint of what are the precedents with regard to human rights and existing ECCNs that focus on this dual use technology that's already covered. But we are working on that and we can talk more about that offline, not yet in a public setting. But we are running out of time, so with that I wanna give everybody a chance for some final comments. Why don't we start with Colin? Oh, I'm the least prepared. I think actually everything that I've wanted to say has been said. I think that this is an interesting second engagement based off of the MC rules last year. I think that this is an interesting second engagement that warrants both the involvement of civil society as well as the professional sector in these processes in which especially civil society hasn't been previously engaged in. I don't think that enough of us go to, for example, the technical advisory committees that this so happily maintains. And I think that successful implementation and the use of export controls as a platform to impose due diligence on processes that have been seemingly, decisions that have been seemingly made in a vacuum, I think the success of that is going to be critical based off of civil society participation and stronger sort of consultation between civil society and private interests. And so I think I go into this hopeful that, like we said, like Rebecca said, that this is a maturing process that is going to come to fruition. And I think I'll just end on that. I think the whole reason why we're looking at regulation, even though as a classical liberal, not to be mistaken for the American connotation to the word liberal, I'm not in favor of over-regulating. But I think that we are at a point where we cannot practice what we preach, not even close. If we look at the technical abilities that are developing so fast and the regulatory vacuum that we're facing. And with every kind of measure that we're taking, whether it is around export controls or whether it is about redefining the relationship between the individual and his government or the services he or she uses online, we have to begin to build global norms and principles that we aspire to, understanding that these will not be accepted and adopted by everyone immediately. And for that to happen, we have to assess the global impact of what we may do in one context and how it may play out in another. I think we have to reassess our own standards in that sense, but also seek to develop standards and technological solutions that better respect people's human rights and empower the individual. And it's necessary for maintaining and increasing our own credibility on a policy level to protect the very principles that governments are still required to do despite all the changes that technology is bringing, which is to ensure security, to protect people's fundamental rights, as well as things like competition in the market. And so I think there is a very solid case for looking at export controls as one of the ways to have relevant policies in place in a hyper-connected environment. I mean, I look back and I think going back to 2006 and now eight years later, whether it's NGOs or companies or government, we've increasingly understood the multifaceted impacts that ICT technology has on human rights, both positive and negative. And now what you're seeing that even was not the case a year and a half or two years ago is an understanding that some things need to be dealt with in a certain way, like export controls for certain types of technologies and other things need to be dealt with in other ways, whether it's corporate conduct or greater oversight of the NSA or other governments or the like. And as we realize both the potential and the pitfalls of the technologies, this is an example of now we're getting a much more sophisticated and better understanding of how to deal with it. And hopefully what the export controls debate will show ultimately is how you can still harness the promise of technology while taking off some of its sharpest edges as well. And I think that's an evolving debate that's only getting going faster in light of what's happened in the last year even. With that, I thank all of you for coming today. I thank especially the panelists and Rebecca for joining us. If you are interested, continue to be interested in this topic, make sure to read the Human Rights Watch report that will come out tomorrow. And if you're interested, specifically with regard in the US context, please come and reach out to us later. The vast number of changes are an opportunity to effect change in this regard and to make at least some tiny steps. And with that, hopefully see you soon. Thank you. Thanks.