Developments in the Internet Governance Environment from July to September 2023:
In the third quarter of 2023, the global Internet governance discussion focussed on four central topics:
· Internet Governance in the Field of Tension of Geostrategic Conflicts
· Preparations for the Global Digital Compact
· Regulation of Artificial Intelligence
· Cyber Security Negotiations
Internet Governance in a Multipolar World
2. Internet governance is increasingly becoming an area of tension in the geostrategic world conflicts. The fragmentation of politics in the "multipolar world" and the emergence of new, controversially opposed "blocs" are reflected in the global discussion on Internet policy, cyber security and digital cooperation. The UN and its specialised agencies or the G20 as universal and global platforms are less and less successful in reaching a consensus on possible global arrangements for solving the core problems of the digital age. Without questioning the existence of the UN system or the G20, it is not only the major cyber powers that are looking for complementary or alternative platforms which they expect to be able to better assert their national interests. Everything is overshadowed by the American-Chinese cyber conflict, which is increasingly leading to a "camp formation". It cannot be overlooked that despite the continued existence of a uniform technical level (DNS, TCP/IP, BGP, HTTPS, etc.), a growing "division" of the Internet, an "Internet bifurcation", is progressing at the application level.
a. The more democratically oriented countries rely in particular on the G7, the OECD and the Freedom Online Coalition (FOC), new intergovernmental networks such as QUAD and AUCUS and bilateral bodies such as the US-EU Trade and Technology Council (TTC). The more autocratically oriented states rely on the Shanghai Cooperation Organisation (SCO), BRICS+ and new regional alliances such as the Digital Cooperation Organisation (DCO) initiated by Saudi Arabia. All these networks have cyber security, digital cooperation and Internet governance on their agenda. They have formed working groups that meet regularly and organise annual meetings of digital ministers, who, however, often draw completely contradictory conclusions from current global developments and make mutually exclusive recommendations.
b. In Q3 2023, in addition to the G20 summit and the UN summit on the Sustainable Development Goals (SDGs), there were summit and ministerial conferences of the SCO and the BRICS on the one hand, and the G7 and the FOC on the other. This shows that at the global level, reaching a consensus is becoming increasingly difficult and can best be achieved on a very general level and less controversial issues such as access to the Internet, overcoming the digital divide or digital education. On the "hard" political and economic issues - cyber security, digital human rights, e-commerce sanctions, hardware and software - the controversies between democratically and autocratically oriented governments are growing.
c. Almost all governments are still verbally committed to the "multistakeholder Internet governance model". De facto, however, this model is interpreted and, above all, practised very differently. The authoritarian states emphasise the role of the private sector, academia and civil society, and for them "multilateralism" has absolute priority. But even among democratic countries, there are different ideas on how "multistakeholderism" should be practised in day-to-day politics. Some governments already see the criteria for multistakeholder cooperation fulfilled "consultations" with stakeholders that often lead to nothing. Others seek graduated models of participation in policy development and decision-making.
d. Overall, Q3 2023 saw the long-standing trend becoming more pronounced that sees the influence and importance of multistakeholder platforms and non-governmental stakeholders from the private sector, academia, civil society and the technical community in political and economic decision-making in the global Internet governance ecosystem continuously declining. Even the large American private Internet companies are increasingly subject to state regulation. The age of "private sector self-regulation" seems to be over.
i. At the global level, the most important events in Q3 were the G20 summits in New Delhi in September 2023 and the UN SDG summits in New York at the end of September 2023:
1. At the G20 Summit on 6 September 2023 in New Delhi, the Indian Presidency focused primarily on cooperation in expanding digital infrastructure, overcoming the digital divide and digital education. The exclusion of politically controversial topics such as cyber security, responsibilities for the management of critical Internet resources or digital human rights enabled a more pragmatic consensus. This approach of focusing on topics of general interest with a more economic significance in order to make progress in concrete factual areas despite geopolitical contrasts was already successfully practised under the Indonesian G20 presidency with the so-called "Digital Bali Package". It will also be the guiding principle for 2024 when Brazil takes over the G20 presidency.
2. At the UN SDG Summit on 21 and 22 September 2023 in New York, a similar approach was observed. The focus was on how more economically oriented digital cooperation can contribute to achieving the UN's 16 Sustainable Development Goals (SDGs) by 2030. Cyber security or digital human rights were at best only marginally addressed and played no role in the final declaration. The controversial discussions around the Global Digital Compact (GDC) were also largely sidelined at the SDG Summit and postponed to the UN Summit of the Future planned for September 2024 (see Section 3).
ii. At the "bloc level", the BRICS summit in Johannesburg at the end of August 2023 and the Ministerial Meeting of the Freedom Online Coalition (FOC) in New York at the end of September 2023 were of particular importance in Q3 2023.
1. The more authoritarian states, led by Russia and China, are focusing more on "multilateralism" in their international Internet policy, i.e. strengthening the role of governments, state cyber sovereignty and national cyber security, as well as the development of a local digital economy. This leads to calls for binding treaties under international law in the field of cyber security, the rejection of sanctions and restrictions on the development of the digital economy and, albeit to varying degrees, proposals to subject the management of critical Internet resources to an intergovernmental regime. At the BRICS summit in Johannesburg at the end of August 2023, however, these proposals, put forward primarily by China and Russia and also found, for example, in documents of the Shanghai Cooperation Organisation (SCO), were toned down. India, Brazil and South Africa are trying to follow a more moderate course and keep the doors open for cooperation with Western countries. To what extent the admission of seven new members (BRICS+), including Saudi Arabia and Iran, will change the balance of power within the BRICS remains to be seen.
2. The more democratically oriented states formulated their ideas in the "Declaration for the Future of the Internet" (DFI) in Washington in April 2022, where more than 60 governments advocated for an "open, free, global, interoperable, trustworthy and secure Internet, based on the values of the UN Charter and the UN Declaration of Human Rights" as well as for the multistakeholder Internet governance model and against a fragmentation of the Internet. This declaration was supported by both the OECD and G7 digital ministers. In Q3 2023, the principles enshrined therein received further support from the annual Ministerial Meeting of the Freedom Online Coalition, held in New York on 20 September 2023 under the US presidency. The FOC now includes 38 governments and over 100 non-governmental stakeholders. Despite various efforts by the US government and the EU, however, the number of supporters for the DFI has not increased significantly. The majority of states in the Global South remain distant from the DFI.
3. It is interesting that the controversial topic of control over the Internet root has faded into the background in the geostrategic disputes. The experience with the IANA transition (2016) has apparently led to the conviction among the majority that changing the existing Internet root server system not only makes little sense but can rather harm own interests. Proposals by Russia and Saudi Arabia at the ITU Council in July 2023 to question the status quo of the management of domain names, IP addresses, root servers and internal protocols and to replace it with an intergovernmental mechanism did not find a majority. China does not make this request either. ICANN's decision not to comply with the request of the Ukrainian Minister of Communications Fedorov to remove the zone files of the top level domains .ru, .su and .rf (Cyrillic) from the root has strengthened ICANN's reputation as a neutral steward of the global Internet community.
4. It is also interesting to note that speculation about the formation of a "digital non-aligned movement" (digital NAM) has not materialised. India, as a possible leader of a "digital NAM", practices a kind of "digital seesaw policy". India seeks proximity to the G7, but also wants to play a leading role in BRICS and SCO. This approach is justified by Prime Minister Modi's "India First" concept. A similar development is becoming apparent for Brazil under the new President Lula. This will certainly have an impact on the Brazilian G20 presidency in 2024. A first signal in this direction is the Brazilian government's decision in September 2023 to commemorate the NetMundial conference held ten years ago in São Paulo with a new Internet World Conference in April 2024 (NetMundial+10).
GDC and the UN Policy Brief by António Guterres
3. Preparations for a Global Digital Compact (GDC) hit turbulence in Q3 2023. The roadmap for a GDC drafted by UN Tech Envoy Amandeep Singh Gil envisaged that the two co-facilitators of the Multistakeholder Deep Dive Consultations (January to July 2023), the governments of Sweden and Rwanda, would submit an "Issues Paper" at the end of August 2023. This Issues Paper should serve as the basis for a GDC Ministerial Conference on the margins of the UN SDG Summit in New York on 21 September 2023. This Ministerial Conference, in turn, should pave the way for the start of intergovernmental negotiations in order to be able to present a text ready for signature at the UN Summit of the Future in September 2024. (Further information)
a. The first irritations arose when, before the end of the multistakeholder Deep Dive consultations, the Office of the UN Tech Envoy published a "UN Policy Brief No. 5" signed by UN Secretary-General António Guterres. This Brief No. 5 gave the impression of an anticipated Issues Paper by the two GDC co-facilitators. However, besides many reasonable recommendations on the seven GDC issues, Brief No. 5 contained a number of controversial proposals that were not the subject of the Deep Dive Consultations. On the one hand, this concerned the idea of founding a new "Digital Cooperation Forum" (DCF) under the umbrella of the UN in New York in addition to the IGF. And on the other hand, it concerned the reduction of the multistakeholder Internet governance model to a "trilateralism" between government, the private sector and civil society, as practised, for example, in the International Labour Organisation (ILO). In this "new trilateralism", the stakeholder group of the technical community would be integrated in civil society.
i. The community quickly agreed that a new DCF would inevitably be at the expense of the existing IGF. There would be overlap, competition and waste of scarce resources. The new trilateralism was also heavily criticised. It was seen as an attempt to marginalise the technical community in political discussions. These and other formulations of the UN Policy Brief No. 5 brought back on stage those critics who have been warning for years against giving the UN a say in overseeing the Internet. Among the critics were David Ignatius with an article in the "Washington Post" and Fiona Alexander of the American University in Washington.The two leading IGF panels – MAG and Leadership Panel – also came forward with criticism. The chairs of the two panels, Vint Cerf and Paul Mitchell, addressed the UN Tech Envoy with a letter offering the IGF as a natural platform for a follow-up to the GDC. A new, more multilaterally oriented body based in New York was superfluous, they pointed out.
ii. The controversial discussion and the objections of the community did not remain without influence on the "Issues Paper" of the co-facilitators. The Issues Paper, in the form of a two-page letter to the UN Tech Envoy dated 1 September 2023, summarises the main content of the Deep Dive Consultations and formulates general guidelines for future negotiations at a more abstract level, without going into detail. However, the "Issues Paper" avoids taking up or commenting on the controversial proposals.
1. The DGF is not mentioned at all. On the other hand, the paper advocates strengthening the IGF. The paper remains neutral on the recommendations for a "follow-up" of the GDC and thus leaves a concrete design open.
2. The Issues Paper is also reticent about the "trilateral approach" to the multistakeholder Internet governance model. Trilateralism is not mentioned. Instead, the "technical community" is treated as a separate stakeholder group, as has been customary in UN practice for years.
iii. It was also surprising that the planned GDC ministerial conference on 21 September 2023 in New York was redesignated as a general ministerial conference for the UN Summit of the Future. There, the GDC was only mentioned in passing. There is no new roadmap for the elaboration of a GDC yet. Apparently, there are irritations between the office of the UN Tech Envoy, UNDESA (which is responsible for the IGF) and UN Secretary-General António Guterres, under whose responsibility the preparations for the UN Summit of the Future in September 2024 are being made. The issue of digital cooperation is on the agenda of the 2nd Committee of the UN General Assembly in October and November 2023. In December 2023, the 77th UN General Assembly is expected to adopt a UN resolution on the UN Summit of the Future, including guidelines for the start of formal negotiations on a GDC.
b. This delay puts the IGF to be held in Kyoto in October 2023 in a new position. The GDC is one of the focal points of the IGF discussion. At its meeting on 15 September 2023, the IGF WG Strategy proposed that the IGF in Kyoto send a "message" to the future government negotiators that, based on the Issues Paper of the two co-facilitators of 1 September 2023, makes concrete proposals on both the substance and the procedures for negotiating the GDC. This "message" (Multistakeholder Digital Kyoto Protocol) is to be sent directly to UN Secretary-General António Guterres in the form of another joint letter from the MAG and IGF Leadership Panel.
Artificial Intelligence and Proper Regulation – A Challenge
4. The discussion on the regulation of artificial intelligence (AI) reached a new level of intensity in Q3 2023. On 18 July 2023, the UN Security Council addressed the topic in a special session. At their summit in New Delhi in September 2023, the G20 reaffirmed their G20 AI principles already adopted in 2019. After their summit in May 2023, the G7 launched the so-called "G7 AI Hiroshima Process", which is to bundle previous Western initiatives. The OECD is expanding its Global Partnership for Artificial Intelligence (GPAI) and is preparing a Future of AI World Summit initiated by the British government for mid-November 2023 in London. The Council of Europe presented a consolidated draft for an AI Framework Convention in July 2023. All leading countries are now discussing more or less mature national laws to regulate the development and use of AI. Again and again, there are also proposals for the creation of new global institutions and supervisory authorities.
a. There is an overarching consensus regarding the development of standards for the development and use of AI, which is to minimise AI risks and maximise AI benefits. However, the differences and controversies lie in the details, both in terms of the general approach – more non-binding frameworks or legally binding laws – and the depth of specific individual regulations. Ideally, the emerging regulations at global, regional and national levels will complement each other, there will be a stable worldwide legal framework with corresponding supervisory authorities and dispute resolution bodies, special courts or a new UN organisation. In worst case, however, there is a high risk that a regulatory patchwork will emerge in which the new rules are not compatible with each other, and loopholes emerge that enable precisely the kind of abuse that the desired AI regulation is intended to prevent.
i. At the global level, regardless of the geo-strategic conflicts and profound differences over the dimension of individual regulations, there is a global consensus that has been codified in two (albeit non-binding) framework guidelines: On the one hand, there is the AI Declaration of Principles adopted by the OECD since 2019, which was endorsed verbatim by the G20 countries under the Japanese G20 presidency in October 2029. The second universal instrument is the UNESCO Declaration on Ethics and AI, which was adopted by acclamation by all UNESCO Member States in 2021. In addition, the annual "ITU AI for Good Summit" has produced a large number of "best practice" recommendations that can claim universal validity.
ii. At the regional level, the Council of Europe has been negotiating a "Framework AI Convention" for two years. Based on the recommendation character of the OECD/G20 Principles of 2019, the convention is to create a legally binding framework that is to be open to all states. It is expected that the Council of Europe Convention will be ready for signature by mid-2024. In June 2023, ASEAN members agreed to develop "AI Guardrails" by summer 2024 for the Asian region. The OAS for Latin America and the African Union (AU) for Africa have also discussed the issue but have not yet worked on concrete draft treaties.
iii. The Council of Europe Convention is being developed in close consultation with the European Union's plan to adopt an "EU AI Act". The European draft act on AI, which has been discussed for more than four years, is based on the so-called "risk-based approach". AI applications are divided into four categories.
1. AI applications that violate human dignity are to be banned in principle;
2. AI applications with high-risk potential shall be subject to strict rules and comprehensive supervision;
3. AI applications with a lower risk must be certified and shall be subject to more general regulations;
4. Applications whose risk is assessed as negligible are not subject to any restrictions.
In this way, a balance is to be struck that, on the one hand, promotes innovation, research and development and thus allows the benefits of AI opportunities to be maximised and, on the other hand, minimises the risks associated with AI for individuals and society. The EU AI Act was discussed in the European Parliament in September 2023. Currently, it is in the "trialogue" phase (European Council, European Commission and European Parliament). The adoption of the EU AI Act is expected for spring 2024.
iv. In the USA, both the executive and the legislature have dealt extensively with AI. Whereas with previous technological innovations, such as the Internet or the smartphone, there was a basic consensus between the White House and both houses of Congress to largely forego regulation in order not to stifle innovation, this time there is a broad consensus to subject the potential risks associated with AI to a regulatory mechanism. This approach is not only accepted by the leading US technology companies, but it is explicitly demanded.
1. In autumn 2023, the White House published a "Blueprint for an AI Bill of Rights", which received bipartisan support and was also welcomed by the private sector and civil society. Since then, there have been several AI summits at the White House between US President Joe Biden and leaders of US Internet companies, as well as hearings in the US Congress with experts from all stakeholder groups. After the last White House Summit in early September 2023, US President Joe Biden announced a new "Executive Order". At the same time, several bills are being discussed in various committees in the US Congress.
2. The main topic of discussion is the basic approach to national AI regulation. While some senators propose a more fundamental regulation – inspired also by the "EU AI Act" – others are more in favour of an iterative process in which, based on the non-binding "Blueprint for an AI Bill of Rights", individual sectors are regulated with special "minor" laws", which are to be defined when possible problems can be specified more precisely.
3. The different approaches between the USA and the European Union are the subject of discussions in the EU-US Trade and Technology Council. The G7 has also addressed the issue. At the G7 summit in Hiroshima in May 2023, a so-called "AI Hiroshima Process" was agreed upon, which aims to prevent the emergence of so-called patchwork legislation and to make the emerging national and regional AI legal systems largely compatible. On 7 September 2023, the G7 Digital Ministers met again in Hiroshima to coordinate the next steps of the AI Hiroshima Process. The British government has invited to a "Future of AI World Summit" in London on 15 and 16 November 2023, where concrete recommendations for further practical actions are to be developed in four workstreams "Technology and Commercialisation, People and Processes, Strategy, Leadership and Governance as well as Collaboration, Partnerships and Innovation". (Further information)
b. In the discussion on the creation of a new global institution for artificial intelligence several proposals are now on the table. UN Secretary-General António Guterres proposed the creation of a new independent UN organisation based on the model of the International Atomic Energy Agency (IAEA) in Vienna, both in his "Policy Brief on Information Integrity on Digital Platforms" in June 2023 and in his statement at the AI session of the UN Security Council in August 2023. EU Commission President Ursula von der Leyen proposed a global AI institution more along the lines of the Intergovernmental Panel on Climate Change (IPCC) at the G20 Summit in New Delhi in early September 2023 and in her State of the Union address in Brussels on 13 September 2023. Proposals for the creation of new institutions are also being discussed at the regional level. The Paris-based secretariat of the Global Partnership for Artificial Intelligence (GPAI) has also offered its services. Both the American and the Chinese governments have so far been reticent to make proposals for the creation of a new global AI institution. It is expected that the World Summit of the Future of Artificial Intelligence scheduled for mid-November in London will also take a position on this issue.
Cyber Security Negotiations – East versus West
5. In Q3 2023, two major rounds of conferences were scheduled in the international cyber security negotiations. At the end of July 2023, the Open Ended Working Group (OEWG) met in New York. At the end of August 2023, the Ad Hoc Committee (AHC) for the elaboration of a UN convention against cyber crime also met in New York. Progress was limited. More or less, all cyber security negotiations have been treading water for years. NATO has continued to develop its cyber security strategy.
a. The Open Ended Working Group (OEWG) was able to agree on a consensus report to the 78th UN General Assembly at its meeting at the end of July 2023. The report, dubbed a progress report, does not actually contain progress. However, the fact that it was possible to agree on the text of such a report despite the geo-political rifts is seen as progress.
i. The report to the 78th UN General Assembly summarises the status of the discussion on the application of international law in the digital space, the elaboration of new norms of responsible state behaviour in cyberspace, confidence- and capacity-building measures, and the creation of a sustainable institutional framework for future cyber security negotiations.
ii. The only concrete result of progress was the agreement on the creation of a so-called "Point of Contacts" (PoC) system as a confidence-building measure. This PoC system has already been in practice for years among the 52 states of the Organisation for Security and Cooperation in Europe (OSCE). The globalisation of this mechanism – which is practically a kind of "red phone" for cyber conflicts – was considered as positive by all groups of states.
iii. Notwithstanding the agreement on the PoC mechanism, there was no movement regarding the fundamental conflict. The Western countries want to adopt a so-called "Programme of Action" (POA) that makes the implementation of the eleven norms of responsible state behaviour in cyberspace dating from 2015 the central issue of the OEWG, with annual reports and review conferences. China and Russia are pushing for the negotiation of new norms and want to see the eleven old norms and the new ones enshrined in a new legally binding UN cyber security convention.
iv. There is also no consensus on capacity-building measures. The offer to commission the Global Forum on Cyber Expertise (GFCE), initiated by the Netherlands a few years ago, with the implementation of cyber capacity-building measures failed due to Russia's resistance. Russia refused to grant the GFCE accreditation with the OEWG. The GFCE then announced that it would organise a separate world conference on capacity-building measures in cyberspace in Ghana at the end of November 2023.
v. Neither is there agreement on the extent to which non-state actors, representatives of the private sector, civil society and the technical and academic community can be involved in the OEWG negotiations. Ukraine rejects all pro-Russia NGOs and academic institutions, and Russia has denied accreditation to 29 Western non-governmental groups. Some Western delegations have responded by including representatives of the excluded NGOs as members of their government delegations. The German government, for example, included an expert from the Foundation for Science and Politics (SWP), which was rejected by Russia, in its government delegation.
vi. The report of the OEWG Chair, Ambassador Burhan Gafoor from Singapore, will be discussed in the 1st Committee of the 78th UN General Assembly in early October 2024. Two further OEWG negotiation rounds have been announced for 2024, as well as several informal consultations with non-state stakeholders.
b. The sixth and penultimate round of negotiations of the Ad-Hoc Committee (AHC) for the elaboration of a UN Convention against Cybercrime took place in New York at the end of August 2023. The subject of the discussion was the second revised version of a further consolidated draft treaty, which has shrunk from formerly 100 pages to now just under 40 pages. The two-week negotiations proceeded in a constructive spirit. Final agreement has already been reached on many articles. However, no progress was made on the two fundamental conflicts, i.e. the definition of cyber crimes and the application of rule of law procedures in international cooperation,
i. When it comes to defining cyber crimes, the front lines still run between the Western states and a group of states led by China and Russia. The Western states want a convention that is as short and clear as possible and limited to the core areas of cyber crime – i.e. the illegal intrusion into networks and the stealing or manipulation of data. China and Russia want a very detailed treaty that includes as many crimes as possible that can be committed on the internet. This concerns in particular so-called content-based crimes such as the dissemination of illegal content, racism, terrorism, extremism, fake news and dis- and misinformation. Western states reject such inclusion. They see it as a possible legitimisation for the introduction of widespread Internet censorship.
ii. The conflict in the area of international cooperation primarily concerns the depth of safeguards for rule of law procedures in cross-border investigation and subsequent extradition proceedings. Western countries are pushing for a high level of protection of individual human rights, especially in freedom of expression and privacy. China and Russia emphasise national sovereignty in law enforcement in cyberspace.
iii. In contrast to the OEWG, the participation of non-governmental organisations in the AHC is more openly regulated. Contributions from the International Chamber of Commerce (ICC), the Digital Peace Institute, Electronic Frontier Foundation (EEF) and Interpol were included in proposals from member states.
iv. The next and last formal round of negotiations is scheduled for the end of January 2024. The AHC chairperson, Algerian Ambassador Faouzia Boumaiza Mebarki, has announced a further consolidated treaty text by November 2023. External observers differ in their assessment of whether the open points of contention can then be resolved. A large group of states from the global South have so far avoided clearly assigning themselves to one camp. According to the procedural rules of the AHC, every single article can be voted on. Western conference participants do not want to rule out that, should majority decisions be taken that are incompatible with their fundamental values, they will not sign the final draft convention...
c. At the NATO summit in Vilnius in early July 2023, cyber security was a key topic on the agenda. The war in Ukraine has increasingly become a "cyber war" in which Internet-based weapon systems – especially drones – play a crucial role, particularly in reconnaissance and attacks on specific identified targets.
i. The Vilnius Communiqué states in paragraph 66:"Cyberspace is contested at all times as threat actors increasingly seek to destabilise the Alliance by employing malicious cyber activities and campaigns. Russia's war of aggression against Ukraine has highlighted the extent to which cyber is a feature of modern conflict. We are countering the substantial, continuous, and increasing cyber threats, including to our democratic systems and our critical infrastructure, as well as where they are part of hybrid campaigns. We are determined to employ the full range of capabilities in order to deter, defend against and counter the full spectrum of cyber threats, including by considering collective responses. A single or cumulative set of malicious cyber activities could reach the level of armed attack and could lead the North Atlantic Council to invoke Article 5 of the Washington Treaty, on a case-by-case basis. We remain committed to act in accordance with international law, including the UN Charter, international humanitarian law, and international human rights law as applicable. We continue to promote a free, open, peaceful, and secure cyberspace, and further pursue efforts to enhance stability and reduce the risk of conflict, by ensuring that international law is respected and by supporting voluntary norms of responsible state behaviour in cyberspace." (Further information)
ii. On 22 September 2023, there was a joint meeting of senior NATO and EU officials on expanded cooperation in strengthening cyber security. NATO Deputy Secretary General David van Weel said after the meeting: "Greater synergies between NATO and the EU cyber initiatives enhance the wellbeing and security for our citizens, our economies, including protection of critical infrastructure, as well as our cyber defences." (Further information)