Consultant internet governance
Joined on November 8, 2010
Total Post Views: 572,114
About |
As a consultant I specialise in establishing new and different relationships between industry and governments. Complex internet governance challenges are brought forward either through projects, research and/or workshops towards forward looking, more consensual solutions.
Six years of experience in spam and malware enforcement and the setting up of and participation in national and international cooperation programs have made me an expert in building trust and relations.
Except where otherwise noted, all postings by Wout de Natris on CircleID are licensed under a Creative Commons License.
In the coming days, the Internet Governance Forum Dynamic Coalition on Internet Standards, Security and Safety will be announced on the IGF website. The following is an invitation to participate, share ideas and best practices, the willingness to take on a new approach towards mass deployment of internet standards and ICT best practices. Feel free to reach out to us and start working towards a kick-off meeting at the global, virtual Internet Governance Forum in November. more
Reading up on COVID-19 and Zoom/Boris Johnson outcry yesterday, an analogy struck me between the two: the lack of testing. In both cases, to truly know how safe and secure we are, testing needs to be stepped up considerably. This post focuses on cybersecurity. Over the past days and weeks, more and more organisations have switched to digital products and services to sustain working from home, to keep productivity up and to be connected. more
In 2019 under the aegis of the Internet Governance Forum, a pilot project was conducted into the causes of and solutions for the, in general, slow deployment of internet security standards. Standards that on mass deployment make the Internet and all its users safer, indiscriminately, immediately... Recently the report 'Setting the standard. For a more Secure and Trustworthy Internet. The Identification of Pressure Points in Society to Speed up Internet Standards Deployment', was published on the IGF website. more
At EuroDIG 2019 a workshop was organised around the topic of consolidation on the Internet. It was organised around four angles: technique, competition, society and human rights and; future research. One thing became extremely clear: no one contested that consolidation is taking place nor that this already has and will have an impact on the Internet and consecutively on society. more
Some years ago I wrote a post on the fact that I saw the world automate fast and did not see a lot of people worrying about the consequences for their lives. Nobody was smashing automated production lines. Smashing smartphones and laptops. In fact, embrace of new technology by the masses probably never before in history went this fast. Several and very different causes, including globalization, have led to a level of wealth that made these expensive tools and toys within reach of a vast number of people. more
In the winter of 2014 I wrote a blogpost under the title 'Luddites of the 21st century unite?' (read here). In the post I wondered where the 21st century Luddites were. ICT, automation, artificial intelligence all threatened jobs, yet all those affected embraced smartphones and the Internet in droves. It seems I found them, but what to do? Brexit and Luddites Fast forward to early summer 2016. more
For some years I hear people discuss that education needs to transform and adapt to the Digital Age. In one way education has: I am told that so called MOOCs, Massive Open Online Courses, are a huge success. Classes from lecturers at (top) universities are freely available online. But this is traditional education distributed and made accessible in a modern form. The debate ought to focus on education for the jobs and skills of the future. more
This post I've been pondering on for a long time, but never found the right angle and perhaps I still haven't. Basically I have these observations, thoughts, ideas and a truckload of questions. Where to start? With the future prospects of us all. Thomas Picketty showed us the rise of inequality. He was recently joined by Robert J. Gordon who not only joins Picketty, but adds that we live in a period of stagnation, for decades already. "All great inventions lie over 40 years and more behind us", he points out. more
Every day comes with another digital security breach, surveillance disclosure and what not. The world seems to have grown used to it and continues its business as usual. It doesn't seem to be bad enough to really act. Every day comes with new stories about the end of the Middle Class, IT taking over jobs in places where up to very recently that was inconceivable, not in people's wildest dreams would these jobs disappear. more
In the past few weeks doom and gloom stories about the future were printed, discussed and opined in the press. The down and out of the message of futurists is that the middle class is going to be swept away in the coming years because of software and robotic solutions (from here on: automated processes), making humans redundant... Do Luddites of the 21st century need to rise? I want to look at the topic from a few angles. more
Not long after the message that Microsoft will stop updating Windows XP from 8 April onwards, after extending it beyond the regular life cycle for over a year already, came the soothing message that malware will be monitored for another year. That may be good news to some, but the fact remains that this is not the same as patching. Remaining on XP leads to a vulnerable state of the desktop, lap top and any other machine running on XP; vulnerable to potential hacks, cyber crimes, becoming part of a botnet, etc. more
On Webwereld an article was published following a new Kaspersky malware report Q1-2013. Nothing new was mentioned here. The Netherlands remains the number 3 as far as sending malware from Dutch servers is concerned. At the same time Kaspersky writes that The Netherlands is one of the most safe countries as far as infections go. So what is going on here? more
Syracuse University professor Milton Mueller published a blog under the title "Will the GAC go away if the Board doesn't follow its advice?". Having been to a number of (very limited) ICANN meetings on behalf of law enforcement cooperation, I would like to share a few - probably thought provoking - observations. The GAC should not leave ICANN but it may be more efficient if its role changed and its efforts were aimed at a different form of output. more
In 2012 I wrote a blog on CircleID called State hacking: Do's and don'ts, pros and cons. In this post I give some thoughts to the concept of a government "hacking back" at criminals. The reason for this was an announcement by the Dutch government that it contemplated law along these lines. The proposed law is now here: the Act Computer Criminality III. more
"We need to break down silos", is a phrase often heard in national and international meetings around cyber security and enforcing cyber crime. So it is no coincidence that at the upcoming NLIGF (Netherlands Internet Governance Forum), the IGF, but also an EU driven event like ICT 2013 have "Breaking down silos" and "Building bridges" on the agenda. But what does it mean? And how to do so? more
This week bank costumers of The Netherlands were shocked when they realised that online banking may not be as safe as they thought. Perhaps some were surprised to hear that what they think is money, is nothing but digits, something that does not exist. Their money only exist because we all act as if it exists and accept transactions between each other aided by software run by banks, if they haven't outsourced that function. more
In a court case running since 2007 Australia's High Court judged Google not responsible for the content of paid ads it presented after an end user's search request. In the example Reuters gives a car sales company presented itself under the name of a car brand, thus misleading the end user. The Australian Competition and Consumer Commission (ACCC) deemed this misleading advertising by Google and stared a court case. The High Court judged differently. more
On his blog Bruce Schneier recently published a post called "Power and the Internet". An article that most people in the western world will agree with. Internet freedom against Internet safety and security, the powerful have a lot of power to wield and the rest is at best ad hoc organised or fairly powerless lobby organisations. So who is likely to win? Vested interests, he warns. more
On Friday 11 January 2013 the European Cybercrime Centre, EC3, officially opened its doors at Europol in The Hague. If something shone through from the speeches of the panel participants, it is that there are tight budget restraints and a strong wish to cooperate with the U.S., the Interpol centre in Singapore and Russia. Let me share my thoughts on expectations. more
Yesterday, in my post on three new threats in one day, I posed the question whether it was necessary to develop regulations that would set a minimum standard on cyber security for devices that connect to the Internet. I'm having second thoughts here, which I'll explain in this post, but also try to look at a way forward and ask you to engage. more
Internet crooks never cease to surprise me. The inventiveness in being bad is super. If these guys lent their thinking power to the economy, the economic crisis would be solved within a week. Today I ran into three brand new cyber security threats that were reported on. In one day. So I thought to share them with you. more
At the Internet Governance Forum in Baku, I made an intervention on behalf of NL IGF, reporting on the recommendations given by the participants of Workshop 87... I concluded that more regulatory and law enforcement bodies need to become part of the IGF discussions, as they are an integral part of governing the Internet from a safety and security perspective. Mr. Cerf responded with a one-liner: "I can't help observing, if we keep the regulatories confused, maybe they will leave us alone". more
Over the past days a lot has been said and written on counter hacking by enforcement agencies. The cause is a letter Dutch Minister I. Opstelten, Security & Justice, sent to parliament. Pros and cons were debated and exchanged. Despite the fact that I perfectly understand the frustration of enforcement agencies of having to find actionable data and evidence that gets criminals convicted in a borderless, amorphous environment, a line seems to be crossed with this idea presented to Dutch parliament. Where are we? more
In two recent debate events I participated in, on iFreedom and privacy in the online world, mistrust of government and government's intentions and motivations on and towards the Internet were abundantly present with more than just a few people in the audiences. The emotions were not new to me, no, it was the rationality that surprised and sometimes almost shocked me. Why? Well, should these sentiments get the support of the majority of people, it would undermine all legitimacy of a government to govern. Let's try and take a closer look. more
The Microsoft action against 3322.org, a Chinese company, started with the news that computers were infected during the production phase. Stepping away from the controversy surrounding the approach, there are important lessons that cyber security officials and upper management, deciding on the level of and budget for cyber security in organisations should learn and take into account. I'm writing this contribution from a premise: China uses the fact that most IT devices are built in China to its advantage. Allow me to start with an account from personal memory to set the stage. more
Today I released a report on 'National cyber crime and online threats reporting centres. A study into national and international cooperation'. Mitigating online threats and the subsequent enforcing of violations of laws often involves many different organisations and countries. Many countries are presently engaged in erecting national centres aimed at reporting cyber crime, spam or botnet mitigation. more
Reading Peter Olthoorn's book on Google (a link is found here), I ran into a passage on IP addresses. Where Google states that it does not see an IP address as privacy sensitive. An IP address could be used by more than one person, it claims. The Article 29 Working Party, the EU privacy commissioners, states that it is privacy sensitive as a unique identifier of a private person. It got me wondering whether it is this simple. Here is a blog post meant to give some food for thought and debate. I invite you to think about the question 'how private is an IP address'? more
Microsoft took down a Zeus botnet recently. Within days it was publicly accosted by Fox-IT's director Ronald Prins for obstructing ongoing investigations and having used Fox-IT's data. This was followed by the accusation that Microsoft obstructs criminal proceedings... On top of all this EU Commissioner Cecilia Malmström announced that cooperation between law enforcement and industry will be forged in the European Cyber Crime Centre as of 2013. Coincidences do not exist. Why? more
On Wednesday 22 February the United States and The Netherlands signed a "declaration of intent" on the cooperation on fighting cybercrime. This event was reported by the press as a treaty. At least that is what all Dutch postings I read wrote, with exception of the official website of the Dutch government. So what was actually signed? Reading the news reports some thoughts struck me. more
Over the last year the world has been virtually buried under news items describing hacks, insecure websites, servers and scada systems, etc. Each and every time people seem to be amazed and exclaim "How is this possible?" Politicians ask questions, there is a short lived uproar and soon after the world continues its business as usual. Till the next incident. In this blog post I take a step back and try to look at the cyber security issue from this angle... more
Recently ICANN published a report on inaccurate registration data in her own databases. Now the question is presented to the world how can we mitigate this problem? There seems to be a very easy solution. ... The question to this answer seems simple. To know who has registered with an organisation. This makes it possible to contact the registered person or organisation, to send bills and to discuss policy with the members. more
In a presentation EU Commissioner Viviane Reding gave a preview of the new Privacy regulation her DG is preparing. As she states, privacy rules need to be brought up to date and harmonized. With all 27 member states having the same rules and tools to enforce, a company only will deal with one privacy commissioner... So, what if we, for the sake of this blog, take this initiative towards spam and cyber crime. What would this do to spam enforcement? more
In an article on CSO.com.au a report from Sophos Australia is reported on. The anti-virus software company had bought 50 usb drives for analyses at a public transport auction of devices left on the Sydney trains. When they wrote that 66% was infected with malware, I presumed that they were left behind consciously, but were they? more
In a seemingly never-ending row of news on hacks of websites now the news in which 2.3 million individual cases of privacy sensitive data were accessible through a leak in the websites of most public broadcasting stations in the Netherlands. To make the news more cheerful, the accessible data was, if compiled, sufficient to successfully steal a complete identity. What were thoughts that came to my mind after hearing this news on Friday? more
"Smartphones (and tablets, WdN) are invading the battlefield", reports the Economist on its website of 8 October 2011. On the same day the hacking of U.S. drones is reported on by several news sites. ("They appear friendly". Keyloggers???) Is this a coincidence? more
At the Government Roundtable meeting in Amsterdam on 12 September RIPE NCC presented on her results on auditing Local Internet Registries (LIRs) and on the policy process concerning certification of her members. If this showed something to the world it is that cooperation with governments and law enforcement agencies (LEAs) pays off and self-governance can work. How did this come about? more
In an age where the world has gone global in many forms and guises, the political attention is more and more focussed on national, populist issues, that arise from fear for the unknown. I can't deny it: the future undoubtedly contains many uncertainties. This usually comes with a general public that's afraid and in fear of things they cannot oversee. Thus it is easily aroused by a populist leader who feeds on this fear and throws flammable material on the already smouldering fire. In a time where leadership is called for, it seems lacking. The Internet governance discussion demands visionary leadership on a cross border level and it needs it soon. more
Internet Security is a topic that has drawn a lot of attention over the past year. As awareness grows that cooperation is necessary, it dawns on people that there are many and very different stakeholders involved, stakeholders that may never have met before. Let alone have cooperated. An example of an approach is the National Cyber Security Council (NCSC) that was installed in The Netherlands on 30 June. This is a high level council that will give advice to public as well as private entities on how to better secure themselves and society at large against cyber attacks and how to become more resilient. However, without the right approach it is doomed to become a talking shop. more
At the annual Dutch "delegation" dinner at the Internet Governance Forum (IGF) in Vilnius, Lithuania, I voiced that it may be a good idea to start a Dutch IGF. This followed a discussion in which we discussed the possibilities of involving more people and organisations from the Netherlands in Internet governance. The, now, Ministry of Economic Affairs, Agriculture and Innovation followed this thought and made it possible for the ECP/EPN foundation to start the NL IGF. more
At the ENISA presentation on her botnet report at eco in Cologne, 9 and 10 March, one of the slots was dedicated to threats to the mobile environment. The message I was supposed to come home with was: we can still count the numbers of mobile viruses manually, <600; the problem will never be the same as on a fixed network as traffic is monitored and metered: We detect it straight away. We are studying the problem seriously. Are mobile operators really prepared for what is coming? more
In a tweet, EU commissioner for the Information Society Neelie Kroes congratulates OPTA on the spam fine for the golf ball printing company Backsound. Since 2004 the Dutch OPTA is the number one spam and malware fighter of the EU with a total of €1.9 million in fines. It made me ask two question to myself: How come that we seldom hear of other spam fines in the EU? And can the EU change this in any way? more
In her blog EU Commissioner Neelie Kroes blogs on her stance on cloud computing. In short: this is a good development which the EU will embrace and advocate, but may need regulation in order to ensure a safe environment for industry and individuals in the cloud. Here's some thoughts on that. more
On Wednesday 16 March the Serious Organised Crime Agency organised a meeting in London with the RIPE NCC. For the second time law enforcers from the whole world met with the RIPE NCC and RIPE community representatives to discuss cooperation. RIPE NCC staged several very interesting presentations that showed the LEAs the importance of the work done within RIPE and ARIN, the information RIPE NCC has and the relevance of all this to LEAs. Also issues were addressed that can potentially be harmful to future investigations. more
On 24 and 25 February 2011 the European Commission, DG Home Affairs, organised a meeting on cyber crime in cooperation with the US government, Department of Justice, with representatives of the law enforcement community, registries and registrars. The basis of the discussion was the RAA due diligence recommendations (hence: the recommendations) as presented by LEAs in the past years during ICANN meetings. The meeting was constructive, surprising and fruitful. I give some background, but what I would like to stress here is what, in my opinion, could be a way forward after the meeting. more
The gathering of coherent data on cybercrime is a problem most countries haven't found a solution for. So far. In 2011 it is a well known fact that spam, cybercrime and botnets are all interrelated. The French database Signal Spam may be a significant part of the solution to gather, analyse and distribute data on spam, phishing, cybercrimes and botnets, but also be a forum in which commercial mass e-mail senders and ISPs can work on trust. more
Recently I joined my son, who is in his final high school year, to visit the open day of the newly founded Leiden University College in The Hague. The school focuses on Liberal Arts & Science and offers a broad education on (international) politics, philosophy and economy. The idea is to prepare the next generation internationally oriented public servants and leaders of the future. Among others they have former Dutch Minister of Foreign affairs and Secretary General of NATO Jaap de Hoop Scheffer as a college professor. more
Over the past say six months there are trends and events on and around the Internet that made me come up with this bizarre sounding question. Still it may actually make sense if we look at some facts. I'll be honest up front. This is a contribution that is not totally thought over and more a compilation of ideas and impressions gathered over the past weeks and months. Still, it could well serve as the beginning of a discussion on giving the recent events a place. There's nothing better than a provocative question in that case! Let's start here. more
The latest Sophos Threat Report shows an upward trend in spam and identity theft through social networks. One of the examples Sophos gives is Facebook. In general Sophos claims that from 2009 to 2010 the spam, phishing and malware containing messages all doubled. more
On CircleID Jeremy Malcolm blogged in "Wikileaks and the Gaps in Internet Governance" that "For the Civil Society Internet Governance Caucus (IGC), this highlights the need for cross-border Internet governance issues to be made subject to a due process of law, informed by sound political frameworks, including those of human rights." A reaction, in which a network of the willing is suggested. more
eco, the German ISP association, mentions on its website today that the 100,000th PC was cleaned from infection through its PC cleaning program. Since 15 September, German account holders could visit the website to download tools to clean up computers from digital infections. Botfrei ("botfree", translation WdN) is a cooperation between eco and the German government. First figures seem to prove that this is a successful public-private partnership, worth looking into for other countries as a best practice. more
In this part I want to focus on the gathering of cyber crime data. Are there best practices in the world on how cyber crime data is reported to law enforcement and aggregated to show the impact of said crime? Previously the discussion focused on the fact that cyber crime = crime and on a basic cyber (crime) training for every police officer. From the reactions this received, it is clear that some people see this as a possible solution. more
Reading the policy proposal of Nominet, I get the feeling that something is overseen here. Putting all the jurisdictional hassle aside for a moment, cyber crime is international, cross-border. So what happens if a UK domain is used for criminal activity outside the UK only? more
Anti-spam and malware enforcement agency ACMA reports on this (shocking high?) figure. Keep this up and ca. 50% of the Australian population is infected within a year. I remember a presentation from Sweden only a few years ago, that there were only a little over a thousand infected pc's in Sweden. (Reactions were: that can't be correct. Too low) Do you know what the numbers are for your country and maybe more importantly what your government and/or Industry is/are doing about it? more
Cyber crime = crime. How do we make police forces understand this and how to get it prioritized? In this series of blogs I am looking into whether aggregating data can change the way cyber crime is approached and prioritized. At a seminar at the IT Security trade fair in Utrecht detective super intendant Charlie McMurdie, head of the cyber crime unit of the London Metropolitan police, said that cyber crime was recently prioritized by the UK government. She also said the following and I'm allowed to quote this... more