Geneva, 19 September 2003. The governments' working group on security issues resumed its negotiations without a consensus. There was some agreement on minor formulations, but fundamental questions remained open. Especially Russia and China blocked the broad consensus of the other participating delegations in implicitly insisting on national security language.
The working group, chaired by the EU, had been set up in Paris during the intersessional conference in July. There the participants had already reached a consensus. Then the Russian delegate showed up late and insisted on having two more paragraphs included. Because of their "military", "terrorist" and "souvereignty" language, they were informally called the "Chechnya paragraphs". No consensus could be reached in Paris, and the group continued here in Geneva.
On the first two days, some progress was made, as the Russians agreed to moving a redrafted part of their proposal that dealt with souvereignty issues to the action plan. But they insisted on mentioning the danger that ICT technologies can potentially be used "for purposes that may adversely affect the (...) security in both the civil and military fields". The EU and the US delegations, in line with many others, were strongly opposed to mentioning military matters in the contect of WSIS. No agreement could be reached.
"Information Security" contested
In addition, Russia insisted on the term "information security". As the civil society working group on privacy and security stated in their intervention at the first meetings, this can and will be read by some countries as a legitimisation for censorship and state control of information access. While the German delegation after some discussions with civil society strongly supported this assessment, the rest of the EU countries and the US delegation finally joined them after China also supported the Russian proposal. The western countries and a number of others like Lebanon would prefer the more technology-related term "network security". At the moment, the whole term "network and information security" therefore is in square brackets, i.e. not agreed upon.
The danger of the Russian/Chinese proposal on "information security" became even more clear in the discussions on the last sentence that deals with the prevention of "criminal and terrorist use of ICTs". The European Union insisted on adding language that makes clear that any efforts to this effect must be "consistent with the need to preserve the free flow of information". At the end of the last meeting, China suggested to replace this with "in accordance with the legal system of each country" and again gained support from Russia. This is clearly a threat to free speech and made it more obvious to the other delegations that they have to oppose it. In the end, the whole paragraph 34 and the revised version of 35 were put into square brackets, with the contested parts in more brackets inside. A way out of this is not foreseeable at the moment.
Concerns of Privacy and Security Caucus
The members of the civil society caucus on privacy and security in their interventions in the working group and in plenary made clear that here they supported the position of the EU in regard to the free flow of information. They raised a number of other problems, though. The overall concern was the strong focus on security in the whole text. Security by the civil society delegates is seen a political goal which can be higher or lower on the agenda, while privacy and other human rights are fundamentals that must not be violated in the sake (or, as often is the case, under the guise) of security.
Civil society therefore asked for the insertion of a new paragraph only on privacy at the beginning of the section. It would make clear that privacy is the priority. It "must be protected online, offline, in public spaces, at home, and in the workplace", and everyone "must have the possibility of communicating anonymously". In the view of civil society, the fundamental idea of privacy must still be protected in the information society: "The collection, retention, use and disclosure of personal data, no matter by whom, should remain under the control of and determined by the individual concerned."
On the concrete language, they asked for the replacement of "security" with "dependability", as the term security is vague and ambiguous and creates the potential for misuse. "Dependability" on the other hand is the established technical terminology for reliable ICT systems (used i.e. in EU DDSI initiative).
The privacy and security caucus also asked to replace "trust" with "transparency", as "trust" is currently associated with immature industry initiatives like the "Trusted Computing Group" consortium or Microsoft's "trustworthy computing" campaign. The WSIS, in the view of civil society, must not raise the impression of being a marketing measure for these contested technologies. Rather than blind trust in vendors' marketing slogans, security is best achieved by being able to check how the systems really work. To experts in the field of cryptology and network security, this old wisdom is nicely framed in the proverb "no security through obscurity".
Spam paragraph reduced to one sentence
One success of the working group, besides all conflicts, was shortening paragraph 44B of the draft declaration. This paragraph had dealt at length with the growing problem of spam. To all delegates, it seemed inappropriate for the level of heads of state and government to deal with these kinds of things in detail, if at all. The group after some discussion was able to reduce the 18 lines to one single sentence that only calls for dealing with spam and cybersecurity "at appropriate national and international levels". The only remaining question could be if the heads of state know the rather colloqial term "spam" or if it should instead be called "unsolicited electronic mail".