Cyber-crime prosecution
Chairs: Blanca Torrubia

Police investigation in the field of cloud computing
Rubèn Mora, head of Technologies of Information Security Department, Mossos d’Esquadra [Catalan national police].

One of the problems of cybercrime in cloud computing might be that the actual regulation does not take into account especific illegal uses of the Internet. Thus, the police has always to catch up with both technology and the law.

On the other hand, in real life we are used to sue (or to complain after) someone whose actions hurt us, but when it happens online we just go and call the police: this is overwhelming for cybercrime prosecutors, as many times it is not their duty or it is not that clear that it is.

Nevertheless, it is understandable that the citizen goes to the police, as many times it is not that clear who is liable for you having been harmed. This ends up with the citizen, in general terms, being less secure in matters of who is liable. In the same way, the police is tied to geographical jurisdictions that are not always the same ones as the ones that affect the one that created the harm.

If that was already a problem in the first year of the Internet, with cloud computing it has been multiplied by orders of magnitude, as cloud computing works in three different layers (SaaS, PaaS, IaaS) that make reality much more complex. The creation of Certs has lightened bureaucracies, but their interaction is still slower than crime.

Some cloud computing cyber-crimes: password cracking (PaaS), anonymous transactions (SaaS), phishing hosting (PaaS), botnet renting (IaaS), CAPTCHA resolving (PaaS), credential credit card steal (SaaS), etc.

Francisco Hernández Guerrero, Prosecutor, Granada Prosecutor’s Office.

Law has to be practical, efficient. We have very nice laws and guarantees of rights that we never apply. There usually is a trade-off between efficiency and guaranteeing the citizens’ rights: the problem is finding the desired balance.

Against cloud computing, nowadays, there is no way to be efficient: prosecutors (police, courts) have no means of being efficient. Thus, should we give up to some guarantees? Cloud computing is about dematerializing everything: and, with dematerialization, the difficulty to trace and monitor. Cloud computing shifts the claim for ownership to availability (e.g. instead of downloading music, having it available through streaming). Cloud computing is also about delocalization: hardware and software are usually not where the user is.

The division of two concepts: the difference between being connected and being communicating. Your mobile phone might be on and connected and exchanging information with other devices, but you might not be communicating — strictly speaking — with anyone. And being so easy becoming a criminal — in full consciousness or unconsciously — the solution is to monitor and put surveillance on anyone.

Main characteristics of cloud computing:

• Economic: money aimed;
• Highly pro;
• Botnet: the infrastructure as system;
• Absolutely unbalanced: the bad guys are much more than the good ones, as the good ones’ computers are corrupted by the bad ones, thus becoming part of the crime network.

We definitely have to re-define the law.

• We need a set of measures to enable surveillance of the citizen but distinguishing connection and communication. e.g. RFID-based crime should fall onto the category of data protection, not onto the right of communications.
• Measures (legal and technical) have to be progressive: we have to distinguish an individual uploading photos of their ex-couple in a social networking site, from a terrorist network copying credit cards.
• We need a catalogue of cyber-crimes, especially those characterized as serious.
• And we need independence of the support or the holder of data: we need access to all data from a person wherever they are stored.

The model should, thus, split technicalities from guarantees: the police should lead the investigations, as they have the knowledge and the means; while prosecutors and courts should follow the processes to guarantee their righteousness.

Discussion

Jordi Vilanova: what is the liability of the owner of an infected device? Hernández Guerrero: Yes, in the same way that you are liable to a certain extent to do the maintenance of your car so that you don’t run over anyone, some knowledge of the power of a specific device and its maintenance (e.g. a PC and an anti-virus) should be a requisite and the owner liable for not acting according to that requisite.

Marcel Mateu: Right, we have to change the law. But how many policemen and prosecutors are able to work in the digital age? Mora: the resources of the police often depend on how the citizenry pushes their governments to fight this or that type of crime. If the priority is e.g. gender violence, then cyber-crime is less funded. Hernández: in general terms, agreed that cyber-crimes are not in the political agenda. Surely much of the “cyber-” is just crime done by electronic means, but maybe the politician needs an “e-Pearl Harbor” to realize that the world has changed.

Blanca Torrubia: what is the profile of the cyber-criminal? and what should be required to fight cyber-crime? Mora: the cyber-criminal is increasingly younger as years go by, astonishingly young. And the best way to fight cyber-crime is information and training. There is evidence that cyber-crime over minors drastically decreases if they are being informed and trained on the hazards of specific behaviours on the net.

See also

• Detectar a los ‘malos’ es más difícil en la nube, by Karma Peiró.

Cloud Computing: A New Dimension in Teleworking?
Chairs: Ignacio Beltrán de Heredia

Nomadic Workers
Javier Llinares, Autoritas Consulting.

Teleworking taken to the limit or “nomadic working”: it is not about having an office and from time to time staying home and telework, but your office is where you are, provided there’s connectivity to the Internet.

Autoritas Consulting has 12 employees all over Spain and customers all over the world. Four key decisions: to work from home, to use open source, be an open business and be based in Apple devices.

Pros: Total freedom of schedules; no commuting costs; no license costs; no office costs; work on a self-service principle (you want it, you use/do it).

Cons: Reluctance to change and have to learn to adapt to the new realities; if there is no office, there is no support; cost of ownership (licenses) shifts towards cost of use (customize, external support, etc.); is this a standardized society? what if you do not work with standards (i.e. Apple)?; is self-service / DIY an inconvenient where you have to do it by yourself?; this design only applies if you work goal-based.

Issues: miss meetings (e.g. we are disorganized, etc.); routines are difficult to break, change of systems, new ways of doing things; where are the limits? what is my working time? from flexible schedules to flexible life; where does personal life and work life begin and end? does it matter?; need to see hear each other, to ‘see’ each other, do we need personal touch?

Changes in the law: what means workplace security when you don’t have a workplace in a strict sense? What actually means workplace when everyone stays at home?

In the Internet you are connected with many people, but it’s you alone in front of the computer. The coffee break with the colleagues does not compare with a “twitter break”. New rules, new procedures.

Opportunities: more self-responsibility; self-management; “the consultant kit”; comfortability in the many solutions.

Inconvenients: responsibility, discipline, common sense; difficulty in tracing the limits.

The impact of technological decentralization at the workplace: teleworking
Javier Thibault Aranda, Complutense University of Madrid.

Several benefits:

• For the enterprise: flexibility, more possibilities of hiring (no geographic limits), decrease of costs, etc.
• For people: reduction of costs, more job market access for disabled people, etc.
• For the society: specific collectives more hireable, etc.

Several risks:

• Teleworking practices to hide actual outsourcing of jobs.
• Some social agreements at stake: separation of personal and professional life, the concept of “breaks” and resting times, etc.
• Limited impact of this working organization in Spain, huge reluctance at the corporate level, lack of explicit regulation.

Regarding the law, in Spain the Statute of the Worker has a 13^th where “working at home” is referred to, but in very different terms as what now teleworking is. On the other hand, collective action of workers is based in critical mass working together and in the same place (sort of), which does not apply to teleworking. At the European level there is an framework agreement on teleworking, but it has not been translated to Spanish law.

The European Framework agreement on telework states that telework:

• Is another way of doing the same thing: teleworking is about changing your location, not your job specificities.
• Physical externalization does not imply legal externalization.
• Teleworking is volunteer and cannot be imposed. Sometimes the inner conditions of the enterprise could force the shift, but acknowledgement of the worker is needed. This only applies to working from home: if there is a need to work at the customers’ offices, then no acknowledgement is needed.
• Teleworking can imply a technological control, which usually happens to be tighter than physical control. But, can the employer access the computer of the employee? It depends, but the employee must be aware of it, aware of any kind of control that will be put into practice.
• The worker has the same rights as any other worker, but not more rights that other workers do not have.

Cloud computing: a new dimension of teleworking?
Carmen Pérez Sánchez, Internet Interdisciplinary Institute.

Results of a survey about teleworking women: teleworking only adopted by 3-8% of people; most of them (in the sample) with dependants; and most of them working in great corporations, including some public administrations.

The definition of teleworking comes from Jack Nilles and has three requisites: work takes place in a different location from where it is intended to be delivered/used; intensive use of ICTs, a communicaton link from employer and employee.

More than 50% of teleworkers (of the previous sample) consider teleworking as a good option to be able to cope personal with professional life: take care of home and or kids and or other dependants, etc. The focal point is flexibility, and thus quality of life increases (or, at least, the perception of it).

Though positively evaluated, there are some drawbacks:

• Social and professional isolation.
• Longer working hours.
• Feeling of guilt: really depending on whether teleworking is taken as natural, as a core value of the firm, or whether teleworking is seen as a “favour” that your boss allows you to benefit from. Normalization of telework leads to enjoying it, otherwise arises feelings of guilt or feelings.
• Many times, telework is actually an extension of your working hours, not a change of workplace. You’re given the freedom to keep working from home. This is quite usual in many and many firms.
• Many times, too, staying at home means assuming all the home tasks naturally: the one that “already is at home” is the one that “naturally” goes shopping, cleaning, etc. It is rarely seen teleworkers locking themselves in their home-office and forgetting about what is not work during working hours.
• Sometimes too, the culture of “sitting at your desk” or remaining lots of hours home (definitely spread all over Spain) rewards the ones that do not telework. Thus, teleworking means less presence at work and giving up at being promoted. Most of the times it is a conscious choice — personal life or family vs. professional career — instead of a way to cope with both.

Summing up, the definition of telework and, over all, telling whether it is positive or negative depends on many variables that are by no means agreed or common ground among employees and employers. There is a need of a former and thorough planning, great transparency and agreement on the conditions, that teleworking is something for men and women (not only for “mothers”), and that teleworking is also an option for whatever level of the hierarchy.

Discussion

Ismael Peña-López: digital competences, are a pre-requisite of the worker that wants to telework, or an obligation of the firm to train them? And, related to training, what if the teleworker does any harm to a third party (e.g. online) or does any illegal activity (e.g. intellectual property right infringement). Thibault: the firm, as in the offline wold, it is the firm that is liable for any harm to third parties, at least when the employee is not an independent worker but dependent from the organization. Related to training, training is both an obligation (in Spanish law the employee has to keep up with the technical changes that happen in their workplace) and a right, the right to be trained by the firm. Pérez: The reality tells us that there is no or poor training and, most of the times, it is more about informing the employees (e.g. about some specific novelties) rather than explicit and planned training. Llinares: we have to take into account also the difference between switching to teleworking or directly joining a firm where teleworking is the norm. Same about being up-to-date: in some works (e.g. e-government consultancy) teleworking skills are not only a means or a tool, but also a goal, as it is part of the product being offered to the firm’s costumers.

See also

• Teletrabajar en la nube, by Karma Peiró
• European framework agreement on telework
• Nilles, J. (1998). Some Common —and Not So Common— Telework/Telecommuting Questions.

Round Table: Key Legal Aspects for Putting your Business in the Cloud
Chairs: Miquel Peguera

Controlling the provider
Xavier Ribas, Landwell Global.

Increasing trend to outsource services at the enterprise, including some belonging to the core business. With cloud computing, even risk management is shared with or outsourced to a third party.

But, are you then losing control and even putting your firm in the hands of your providers? You lose control of the confidence chain, control of data, of the quality of service, of the available preventive measures, of reputation risk management (and there actually is an increase of risk of reputation loss), control of secondary and non-consented outsourcing, international data transfer, etc.

How to solve this? How to regain control over these issues? Possible clauses:

• Confidentiality, security obligations, quality standards.
• Auditing, provider controls.
• Liability, insurances.

An obligations map should be drawn and agreed upon, including what happens once the relationship ends (e.g. what will happen to data in a blog once the service is discontinued?).

Manel Martínez Ribas, ID-LawPartners.

What is the difference amongst open source and open cloud? Is there any open source cloud?

The four freedoms of free software, do they still apply in cloud applications or services? More indeed: free software developers using cloud services, will they find their free code closed? This gives birth to new licenses where cloud service providers are able to use specific software, let it to the end user as software as a service (SaaS)… thus allowing for copyleft on one end and a sort of closeness on the other end.

Open cloud computing allows, as it happens with free software, to make modifications.

Fabrizio Capobianco: reasons to care about open cloud computing in the mobile arena:

• It is already a big issue.
• It is a necessity.
• It should be interoperable
• It normally depends of closed devices.

The Open Cloud Manifesto pretends to settle the debate and reach some agreement (equilibrium?) on how to respect the free software freedoms in cloud computing.

Principles:

• Avoid lock in.
• Use standards.
• Go on with initiatives according to the needs of the customer.
• Teamwork and network.

It seems that cloud computing will be the main entry point for institutions to (at last) use free software massively. Same with software providers, that will shift from proprietary software to free software.

Legal aspects to take your enterprise to the cloud
Ramon Miralles, Coordinator of Information Security and Auditing, Catalan Data Protection Agency.

It really does not matter to read or not the terms of reference of cloud services: their providers will change them unilaterally and many without notice. So…

The problem is neither (only) that we do not know where our data are, but nor we know where our data pass through, because they constantly change paths.

A Cloud computing solution: self-service, broad access in the Net, full of resources, fast and easy, measurable and supervised. A solution which might be the end of corporate computing.

As said, one of the big problems is not only that data are elsewhere, but that they circulate across borders and jurisdictions. The European Directive, in this sense, looks more at what is happening, rather than trying to typify each and every procedure that takes place on the Internet. It nevertheless needs some updating as cloud computing has really challenged web usage as we knew it.

Information self-determination: the right to control one’s own data, to know who has our data, what is done with them, etc. Information self-determination is at stake with cloud computing.

IDC Enterprise Panel (august 2008) states the following challenges/issues of cloud computing: security, performance, availability, hard to integrate with in-house IT, not enough ability to customize, doubts about cost, bring-back in-house might be difficult, not enough major suppliers, etc.

Main challenges of Cloud Computing:

• Decrease of control over information and services.
• Data treatment and processing.
• International movement of data.
• Applicable law.

Discussion

Q: The Catalan Government is to move its education community to Google Applications. How are citizen rights guaranteed? Miralles: The problem can “easily” be solved by signing a contract. The problem is usually not as much as in privacy, but in transparency and availability of information by the user, to recover their information, etc.

Ramon Miralles: it makes no sense the distinction whether it is a human or a machine who processes the information, as this only creates legal defencelessness and insecurity. Indeed, it is in the core of data processing that it is automatized. So, we have to look at the essence of the data processing process, at what will be the end use, rather than at the how.

Manel Martínez: we have to differentiate between consented usage (contextual adds after reading your e-mail, as you agreed to that by accepting the terms of reference) and non-consented usage of data. Ramon Miralles: right, but the problem comes when the conditions are change unilaterally and, even if you are made aware of this, you are locked in and have really hard times migrating your data in a service you’re having difficulties to leave.

Q: how do we measure the cost of loss of reputation because a third party service failed? Xavier Ribas: this is very difficult to measure. It might be not very difficult to measure the non-returning customers, but it is definitely difficult to know how many new/potential customers will not use our services/products for the very first time after a reputation crisis has been suffered.

Jordi Vilanova: should not the WTO coordinate cloud computing services (in a legal and economic sense)? Miralles: it is clear that the traditional instruments to regulate economic activities (national and international regulation, contracts, etc.) might not perfectly fit in such activities as cloud computing. So, yes, WTO or another platform might be used to update regulation and procedures to brand new activities.

See also

• Y las leyes, ¿qué dicen de los límites de la nube?, by Karma Peiró.
• Cloud Computing Use Case White Paper V4 source documents
• Ann Cavoukian: Privacy in the clouds (PDF)
• Modeling cloud computing architecture without compromising privacy: a private by design approach (PDF)
• Nicholas G. Carr: The end of corporate computing (alternate link, PDF)
• StateWatch, monitoring the state and civil liberties in Europe.
• Do You Know Where Your Data Is In The Cloud? by Forrester Research

Myths and Realities of Cloud Computing
Pau Garcia-Milà, EyeOS co-founder

What media says that cloud computing is:

• We do not need to install anything;
• we do not to perform any backups, including software;
• we have no more storage limitations, adding more storage room is quick and easy;
• ubiquity, all services are available from anywhere.

Some problems with cloud computing that media repeat over time:

• Closed applications that are difficult to expand or modify: you cannot change (add features, customize, etc.) Google Documents easily
• Availability outsourced: to access a single Google Document we rely on our PC, our web browser, our Internet provider, Google, the government regulation (e.g. you depend on the Chinese government to allow Google to operate in China), etc.

But, where are our data? Where is our privacy? Most of our data/privacy is on Google, Microsoft and Amazon, the later the biggest provider of cloud platforms.

Indeed, some service providers cannot only access our data, but do have control over our devices:

• What happened with Amazon’s Kindle and the novel “1984″ affair: erased a novel from all books, got sued (and lost), but doubled their sales of Kindles.
• Facebook will retain ownership of your photos: huge claims for intellectual property and privacy, but Facebook users in Spain almost tripled during the “scandal”.
• The case of the accountability service that showed that no one reads the terms of service.

All in all: people do not read the terms of service and accept whatever terms. But the thing is that most service providers require this free access to data to be able to let data to third parties, the basis of the business plan.

Open Cloud Computing / Open Cloud Compliant: the services are in the cloud, but the user can choose where the data will be stored. At least, this allows for the user to know where their data are. It also avoids conflicts of interest: the one that provides the service is not the same that provides the infrastructure: the service provider will ensure that data are safe, and the infrastructures provider will ensure that the infrastructure supports the service.

We should then differentiate between infrastructure cloud computing and services cloud computing. Open cloud computing means that these are separate and there’s a possibility of choice, and closed means that they all come together with a single provider: in this case, privacy risks arise.

The average user prefers ‘easy’ to ‘nice’, even if ‘easy’ means ‘ugly’. This creates de facto standards. People prefer applications to be fast and easy, even if it is less powerful or less nice.

About eyeOS

eyeOS is an open-source browser based web desktop, which means that it acts as a framework that, once the user is logged in, logs the user to whatever application runs on this desktop. Thus, the user does not need to remember where the applications are (what third parties’ services) and how to log in them.

(NOTE: here comes an interesting discussion about institutional and individual uses of open cloud services, the free software community, etc.)

See also

• ¿Dónde está nuestra privacidad?, by Karma Peiró
• Mites i realitats sobre el cloud computing, by Joan-Baptista Gavaldà i Moran
• Open Cloud Manifesto.

Opening: Pere Fabra, Agustí Cerrillo

Privacy in the Cloud, a Misty Topic?
Ronald Leenes, Universiteit van Tilburg

An introduction to Cloud Computing

What is the relationship between Cloud computing, Grid computing, service oriented architecture (SOA) and Web 2.0?

Increasingly, data and applications are stored and/or run on a web server that hosts what usually was on your local machine. The web browser becomes the usual platform. Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources.

If we talk about “resources”, the definition becomes broader, as we can also speak about computing power or computing time. And these resources are shared by many users, instead of having a dedicated machine. This provide rapid elasticity that allows for easy and quick scaling (up or down).

Models

• Software as a Service (Saas): e.g. webmail, online office applications; etc.
• Platform as a Service (Paas): e.g. Amazon AWS platform;
• Infrastructure as a Service (IaaS): all the power you might have in our PC, in the cloud.

Advantages

• Price: many cloud services are reee.
• Reliability: redundancy of services and scalability makes the system more stable.
• Accessibility: your services, everywhere.
• No piracy.
• Multiple business models: fees, ads, etc.
• Always current version of the software, no needs to update.

Privacy and security issues

Privacy: bodily integrity, data protection, inviolability of the home, secrecy of communications. The later two are specially relevant for cloud computing.

Data protection goals aim at facilitating the free flow of information while providing a minimum level of data protection. Data aspects: confidentiality, integrity, availability. The three of them are (more or less) under control while data are stored in a PC. In the cloud it is certainly less so.

The first thing to state is that, in the cloud, you don’t know where your data exactly are. Indeed, those date are interlinkable by other services, which make them even more ubiquitous while difficult to locate.

Second is that, in “physical” life, one’s identity is made up of different and partial identities of one self. There is a certain control to segregate audiences according to what they can see of me. Not in the cloud. To a large extent, we’re evolving toward a world where you are who Google says that you are (JD Lassica).

As data travel from my browser (and through the Internet) to a cloud service, anyone can potentially intercept your travelling data. The way to avoid this is use encryption (HTTPS) but cloud services do not usually have the incentive to (unlike banks, that are liable for data loss or money stealing) and do have incentives not to (HTTPS requires much more server power and time to encrypt and decrypt, thus making it more expensive at the aggregate level).

Regulation

• In the European Union: Data Protection Directive (DPD).

Personal data: data that can lead to identification of a person (data subject). Thus, personal data can be taken very broadly as even an e-mail message can lead to identifiable individuals. A processor is a body that processes personal data. A data controller holds or stores personal data.

The DPD is applicable when the data controller is within the European Union jurisdiction, regardless of where the data processor is.

Thus, if Google just provides a platform where the user processes their data, then Google is not a controller, but a processor, which means it is being affected differently by the (European) law. But if data, after being processed, are stored in Google’s servers, then Google becomes a controller. So, cloud service providers can switch between data controlling and data processing or both at a time, with legal consequences.

DPD principles: transparency, legitimate purpose and proportionality.

Discussion

Jordi Vilanova: are there any legal differences in privacy between individuals and institutions? A: legally, in strict sense it only applies to individuals. In the case of companies, we would be talking about intellectual property, trade secrets, etc.

Mònica Vilasau: to balance unequal distribution of bargaining power between service providers and users, what should be done? More regulation? Better contracts? Is the data protection directive enough for cloud computing? A: Contracts should suffice, as they are a very powerful tool. The difference is that in the EU privacy is a public good that needs to be protected, so the law will always be above any contract; while in the US privacy is something that can be bargained between contractors. The DPD is not enough for cloud computing, because its purpose was to regulate over the data controller, a very identifiable agent at a time (e.g. a hospital having data of you). But now, who is a data controller or a processor is very difficult to identify.

Q: Is one of the problems that cloud services are based in the US? A: Yes, of course, if data controllers, processors and subjects were in the same jurisdiction that would make things much easier.

Mònica Vilasau: what about cookies? A: if you accept cookies, you get less of your privay. If you do not, the service provider is no more a data controller (it is not storing data from you, because you refused the cookie) and then you are no more under the DPD. This is an ironic dichotomy.

See also

• ¿Estás en la nube? Pues empieza a proteger tus datos…, by Karma Peiró
• Privacitat al núvol, un concepte difús?, by Joan-Baptista Gavaldà i Moran
• The Evolution of Privacy on Facebook, a graphic representation by Matt McKeon.

I am proud to announce the 6th Internet, Law and Politics Conference, this time dealing about Cloud Computing and the challenges it poses in the fields of Law and Politicals.

The event will take place in Barcelona, Spain, the 7^th and 8^th July, 2010. There will be translation in Spanish, Catalan and English and registration is open and free.

Programme

Wednesday 7 July 2010

8.30 am

• Accreditations

9.00 am

• Welcome
• Pere Fabra, UOC Vice President for Academic Organisation and Faculty.
• Agustí Cerrillo, Director of the UOC’s Law and Political Science department.

9.30 am

• Keynote speech: Privacy in the Cloud, a Misty Topic?
• Ronald Leenes, professor, Tilburg University.
  Moderator: Mònica Vilasau, UOC.

10.30 am

• Coffee break

11.00 am

• Myths and Realities of Cloud Computing
• EyeOS.
• Moderator: Ismael Peña (UOC).

12.00 pm

• Round table: Key Legal Aspects for Putting your Business in the Cloud.
• Xavier Ribas, lawyer, Landwell Global.
• Manel Martínez Ribas, lawyer, ID-LawPartners.
• Ramon Miralles, Coordinator of Information Security and Auditing, Catalan Data Protection Agency.
• Moderator: Miquel Peguera, UOC.

2.00 pm

• Lunch

4.00 pm

• Round table: Cloud Computing: A New Dimension in Teleworking?
• Javier Thibault Aranda, professor at the Complutense University of Madrid.
• Carmen Pérez Sánchez, IN3 researcher, UOC.
• Javier Llinares, Managing Director, Autoritas Consulting.
• Moderator: Ignasi Beltrán UOC.

6.00 pm

• Conclusions from the first day.
• Karma Peiró, Participation Manager, 3cat24.cat.

Thursday, 8 July 2010

9.30 am

• Keynote speech: The Cloud’s Shadow: The State of Freedom on the Net
• Karin Deutsch Karlekar, Senior Researcher and Managing Editor, Freedom of the Press Index, Freedom House.

10.30 am

• Coffee break

11.00 am

• From Electronic Administration to Cloud Administration
• Discussion with:
• Nagore de los Ríos, Director of Open Government and Internet Communication, Basque government.
• Joan Olivares, Managing Director of Catalonia’s Open Electronic Administration Consortium.
• Moderator: Agustí Cerrillo, UOC.

12.30 pm

• Round table: Cyber-crime prosecution
• Rubèn Mora, head of Technologies of Information Security Department, Mossos d’Esquadra.
• Francisco Hernández Guerrero, Prosecutor, Andalusia.

2.00 pm

• Lunch

4.00 pm

• Round table: Citizen Participation in the Cloud: Risk of Showers?
• Evgeny Morozov. Yahoo! fellow, Georgetown University’s E. A. Walsh School of Foreign Service.
• Albert Batlle, UOC.
• Moderator: Ismael Peña, UOC.

6.00 pm

• Conclusions from the second day.
• Karma Peiró, Participation Manager, 3cat24.cat.

Goverati: e-Aristocrats or the delusion of e-Democracy
Ismael Peña-López, Open University of Catalonia

Slides for my presentation:

• Bigliography
• Goverati: e-Aristocrats or the delusion of e-Democracy: Download ( 24.4 MB)

@parycek‘s tweets on the session:

• digital productive system – information is free and cheap and knowledge is easy to transmit = cost no more an issue
• but deliberation needs time to come together for deliberation, same to negotiation nut also these hurdels are vanishing
• weclome to real time politics without gatekeeping agencies
• example from spain: http://www.conmidinero.com/
• more complex example for eu polocies http://www.feseuropa.cat
• biggest problem digital divide! as we also discussed with @andy_williamson
• 1/3 doesn’t use 1/3 use it not regulary so tere is only 1/3 with which we could engage but only about 8% have the potential
• e-politics divide! all in all it leads to echo chamber – book: http://goo.gl/QS9s

Photo by John Heaven

Other reactions on this session

• EDem10 – Day 1 – #1
• Beware the Goverati: e-Democracy Processes in the Post-Industrial Age

Searching information on the Internet: legal implications
Julià Minguillón, Department of IT, Multimedia and Telecommunications Department

Tim Berners-Lee creates the World Wide Web, based on a structure and protocols that require linking to work. The URL or URI identify documents that can be found on the Internet, creating a directed graph: A points to B, but we (usually) cannot walk the inverse way, the link is not reversible (i.e. you need another link to go from B to A, the initial A to B link does not serve this purpose).

There are two main strategies to explore the Internet and find information within: browsing and searching.

Browsing

One of the “problems” of the Internet is that, as a graph, it’s got no centre: the Internet as no centre or place that can be considered as its begin.

There are some initiatives to map the Internet, to index it (like the Open Directory Project, but the speed of growth of the Internet have made them difficult to maintain… and even to use.

Searching

• a web crawler explores the Internet, retrieving information about the content and the structure of a web site;
• an index is created where the information is listed and categorized, and
• a query manager enables the user to ask the index and retrieve the desired information.

Web crawlers require that pages are linked to be able to visit them. Ways to prevent web crawlers to explore a web site (besides unlinking) is protection by username/password, use of CAPTCHAs, use of protocols of exclusion (e.g. in robots.txt files), etc.

Protocol of exclusion (robot.txt):

• Has to be public;
• Indication, not compulsory;
• Discloses sensible information;
• Google hack: intitle:index.of robots.txt

Problems

• Search engines find sensible information.
• Content and links are different things. A linked content might not be in the same place as the source content where the link is published.
• Users can link sensible information/contents.
• Broken links and permalinks: content might be moved but engines/users might track and re-link that content.
• Outdated versions (cache): to avoid repeated visiting, search engines save old versions of sites (caches), which stand for a specific time even if some content is deleted.
• Software vulnerabilities:
• Browsing patterns (case of AOL): what a user does on the Internet can be tracked and reveal personal information.

Nowadays, most ways to remain anonymous on the Internet is opting out of services like web crawling by search engines.

With the Web 2.0 things become more complicated. Initiallly, “all” content was originated by the “owner” of a website: you needed a hosting and to directly manage that site. When everyone can create or share content in a very easy and immediate way, the relationship server/hosting-manager-content is not as straightforward as it used to be.

Linking and tagging also complicate even more the landscape. And with the upcoming semantic web, cross-search and crossing data from different sources can make it easy to retrieve complex information and find out really sensible information.

Privacy?

• Users demand more and more services and are willing to give their privacy away for a handful of candies.
• Personalization is often on a trade-off relationship with privacy, and people demand more personalization.
• Opt-in should be the default, but it raises barriers to quick access to sites/services, hence opt-out is the default.
• An increased trend in egosurfing and aim for e-stardom is accompanied by an increasing trail of data left behind by users.

Liabilities:

• The creator of content
• The uploader
• The one who links
• The one who tags
• Search engines
• End users
• ISPs
• Aggregators
• Developers
• Social networking sites
• etc.

Discussion

Ramon Casas points at Google cache and, while being not strictly necessary to run the search engine, it represents an ilegal copy and/or access to content that (in many cases) was removed from its original website. In his example the museum closes at 20:00 but Google leaves the back door open until 22:00.

References

Bruce Kasanoff (2001). Making It Personal: How to Profit from Personalization without Invading Privacy. See a review by Julià Minguillón at UOC Papers.

Citrizen security in electronic environments. The case of electornic voting

Jordi Puiggalí, Scytl

Electronic voting is the natural evolution of the electronic count in elections. Two main kinds:

• Face to face: people still go to polling stations, but vote in polling machines
• Remote voting: you vote from home

Advantages

• Count of votes is faster and exact
• Cost saving in paper and printing (though there are added costs, especially in face to face electronic voting)
• Increase of accessibility for disabled people. Also avoids identifying who was the voter (e.g. there’s only one blind voter in town: the ballot-paper in Braille is theirs)
• Flexibility to include last-minute changes
• Support for multiple languages. This, at its turn, avoids errors and avoids identifying who was the voter (e.g. there’s only one voter in town that speaks arabic: the ballot-paper in arabic is theirs)
• Prevents involuntary errors that can end up in spoiled ballot-papers
• Economies of scale (specific of remote voting)
• Eases citizen participation (specific of remote voting)
• Increases the mobility of the voter, as they can vote from anywhere (specific of remote voting)
• Eases access to the voting process thus increasing participation (specific of remote voting)

Security threats

In traditional polling, the voter has a direct relationship with their vote and the polling station, committee, etc. Electronic voting adds an infrastructure layer that implies that the relationship between voter and vote becomes indirect/mediated. This mediation poses 4 security risks

• The digital nature of the votes means that they can be easily added, erased, manipulated, and the privacy of the voter compromised at large scale;
• The complexity of the systems at use, with the possibility of hardware functioning errors, bugs in the software, etc.;
• Lack of transparency, as the technological infrastructures are more difficult to audit (e.g. how can you tell whether someone cracked the system?);
• The introduction of new actors with privileges in the voting process, like system and platform administrators that can have privileged access to the voting process.

Side note: these threats can be extrapolated to the case of health records and many other cases.

How to address risks?

Physical measures

• Avoid physical access to the protected device
• This cannot be done in remote voting, at least not in the whole process

Organizational measures

• Who has access to what
• They necessarily have to be accompanied by monitoring measures (intensive log recording)
• Intensive monitoring can lead to knowing who’s voting what

Logic measures

• Automatic security measures
• Easier to audit
• Logic measures can, at their turn, be attacked themselves
• Logic measures must not interfere (or even alter) the normal voting process

Security services

• Information privacy: guarantee that no one knows what you did (e.g. your vote)
• Information integrity: guarantee that information is not altered
• Non-repudiation: avoid that you cannot deny having done something that you actually did
• Authentication: ensure that the person that claims to have done something is that person
• Authorization: you can do what you are allowed to do
• Auditability: be able to track the system and assess its performance
• Availability:

One of the big differences between circumventing security in off-line voting and online voting is that scalability of the attack is much higher in online environments. E.g. identity theft in the offline world can be easy to do once, but not several times in the same polling station, but if done once in the online world, it is very likely that it can be done again, and very quickly, ad infinitum.

Electronic voting can identify which votes are valid and which ones not. You need not invalidate the whole polling station, but only the invalid votes.

Below I’ve listed the bibliography that so far I’m using to structure and back my paper. Beyond the bibliography that follows, three events helped much in collecting insights, ideas and find many interesting references. My gratitude to the speakers at these events:

• 5th Internet, Law and Politics Conference: The Pros and Cons of Social Networking Sites
• Citizen Politics: Are the New Media Reshaping Political Engagement?
• 4th Internet, Law and Politics Congress: Towards citizenship 2.0?

Tag cloud of the bibliography

A bibliography on Spanish online politics and Politics 2.0

Deliberative democracy: religion in the public sphere. Deliberative obligations of the democratic citizenry
Cristina Lafont

Which has to be the role of Religion in the public sphere? Which one actually is? Which should it be?

Specially in a deliberative democracy, the fact that people have religious believes makes even more important exactly knowing what are the challenges for democracy of this issue.

The deliberative democracy is a fragile balance between the right to debate whatever subject under some few but strong coercive rules.

Jürgen Habermas: a process of deliberation has to be able to be justified and without coercion. Public deliberation has to include all information available; equality, symmetry and reciprocity to all contributions, independently of their source; absence of (external) coercion; communicative equality; and participants have to be sincere, critic, have no hidden goals, and be responsible for their own opinions.

But not only procedures have to be acceptable, but also the contents of the debate.

John Rawls tries to provide an answer this last question. Thus, contents have to be dealing with the public good (vs. the private). So, what happens with religion, normally out of the public sphere? According to Rawls, Religion has to be left outside, with some exceptions, e.g. values gathered in modern constitutions, basic justice, etc.

But some incompatibilities arise when some citizens might not accept coercive solutions that come from public values but not accepted in their own set of comprehensive beliefs. Indeed, the rawlsian thought could even exclude persons themselves from the public deliberation. Or ask them to forget about their beliefs when entering a deliberative process. Or give priority to public interests over personal beliefs.

Habermas “solves” this by dividing the agora in two: the informal deliberation, where citizens can bring in all kind of beliefs, and the institutional deliberation (parliaments, etc.) where these personal beliefs should be left aside or be translated into “secular” principles (e.g. the ones gathered in constitutions).

Habermas’s solution also has some problems, like treating secular citizens differently from religious ones, sometimes leaving them aside of this “translation” of their principles, for not being as explicit as the religious ones.

Lafont offers come comments. Instead of trying to translate them into general or public reasons, an interesting approach would be to take seriously religious proposals and assume they can be right. Thus, they should be debated as proposals of general or public reasons proposals. And hence be prepared to accept them or refute them, based on grounded arguments. The debate should, then, be more about the compatibility of specific beliefs with the common and acknowledged beliefs (again, e.g. the Constitution) and not whether these beliefs are right or wrong or better than others.

[a debate follows, too complex and rich to collect here]

Politics Track Gather Up
Daithí Mac Sithigh

Two major questions today: what will we do? how will we stay safe?

Innovation come not by using specific technology or platforms but on the effective uses we put into them.

The safety issue seems not to be approachable by the Law alone, being self-regulation and self-commitment a good share of it, and collaboration and co-operation another good share of it.

In a time of crisis, the international community turns its attention to the Information Society. But this is not about hardware, but about organizational change, institutional change. A major planning has to take place to deal with focal issues like e-commerce, network safety or e-Administration.

We’d do well to learn from sub-national or even local successes in open data initiatives, or data sharing initiatives. And what a different it makes to move from the “e-” Government to the “o-” Government.

And open data might be a necessary step to change not only government but also democracy and politics, to enable citizen participation and engagement.

We’re seeing times where political crisis and financial crisis is accompanied by a demand for transparency, openness, open data, etc. And it looks like broadly demanded political reforms could move towards this direction.

This is, for instance, how Politics 2.0 evolve from Politicians 2.0 towards Political Spaces 2.0.

Politics 2.0 can be presented as a virtuous circle, where everybody is part of that circle, and where the sense of “small” (as in a small issue) can have a brand new meaning (and not be small or irrelevant at all).

Will, hence, the unconventional ways of doing politics become the conventional or mainstream ones? Do we want that?

What is the right agenda? Does a creative use of public information (initially well intended) have bad consequences?

Next steps?

• W3C Access to Government interest group
• Pulic Services 2.0 declaration
• From “come back tomorrow” to “come back next year”?
• Social networks and social questions

More Information

• IDP2009: Day 2 Report (slides), Daithí Mac Sithigh’s slides of his presentation
• IDP2009: Written Report of Day 2, by Daithí Mac Sithigh
• El twitter del V Congrés d’IDP, Joan-Baptista Gavaldà i Moran’s compilation of all twitts tagged #idp2009

Political participation and Social Networking Sites
Chaired by Ana Sofía Cardenal

Marta Cantijoch, Assistant Professor at the Political Science Department of the Universitat Autonoma de Barcelona, PolNet research group.

The distinction amongst citizens is not only between people that participate and that do not participate, but also in how they participate when they do, distinguishing between conventional or unconventional political participation (Political Action Study, 1979), or representational and extra-representational participation (Teorell, Torcal and Montero, 2007): e.g. go to demonstrations, follow calls to boycott products or actions, etc. The latter group is acting outside institutions, thus his political action is not only about a specific position but forms also matter and are plenty of meaning.

In general, we’re seeing a change of attitude where conventional engagement is decreasing (i.e. less people being partisans in a political party) while unconventional politics are increasing. One of the reasons being dissatisfaction towards performance of representative democracy.

Combination of attitudes:

• Disaffected citizens: dissatisfaction + low involvement = apathy, non, participation
• Critical citizens: dissatisfaction + involvement = unconventional participation
• Institutionalized citizens: satisfaction + involvement = conventional participation

Social networking sites provide both a qualitative and a quantitative change: higher amount of available information combined with a higher diversity of discourses; contacts and exchanges in horizontals processes (citizen to citizen) made possible while the control of communication stays in the users’ hands; interactivity.

Social networking sites also represent an open gate towards unsolicited, though relevant, information that affects your peers, or your weak ties, but that (positively) reshapes one’s own context.

Consequences:

• Tools for citizen empowerment: processes of communication are citizen-initiated (vs. elite directed)
• Reinforcement / promotion of attitudinal change: non-hierarchical communication processes
• Impact on critical citizens but also on institutionalized profiles

Internet use fosters unconventional forms of participation, a hypothesis verified for the Spanish case.

New opportunity for formal institutions to reconnect to the public, to try and bring them back to the representative democracy arena. This will of course require an adaptation to web 2.0 technologies in the exchanges with the citizens: abandoning the top-down logic, certain degree of decentralization, and higher granularity of participation.

Nobody knows more than everyone together
José Antonio Donaire, Member of the Catalan Parliament, Catalan Socialist Party.

Politics 2.0 is not ICT-enhanced politics, or e-Politics. It’s a change of paradigm enabled by a technological change.

Change of paradigm:

• The crisis of the autoritas, in the case of representative democracy, the crisis of parties, where a minority sets the general agenda in contradiction with a supposed representative democracy. The change should be towards deliberative democracy, the collective intelligence, collaborative work. The more people debate on a subject, the lower the margin of error. But not only to decrease errors: the deliberative process is a goal in itself. Deliberative democracy negates the autoritas and brings the wisdom back to the collective.
• Adaptation from politics to policies, from the big politics to the policies of shades and the small details.
• The appearance of complexity, where the same person can have different opinions that not necessarily match the traditional division of left-wing, right-wing or a specific ideology. Multiple identities have to be acknowledged and hence spaces for contact need to be enabled.

How to put this into practice? Different models that can be understood as progressive stages:

• Politicians 2.0: the members of the Parliament, etc. have twitter or Facebook accounts, write on their blogs, etc. This provides transparency, interaction, a first person communication (despite the vertical discourse of the party), proximity. Politicians 2.0 are, nevertheless, a necessary but not sufficient step towards Politics 2.0
• Political means 2.0, that enable participation, the collective intelligence, managing the complex, rewarding or recognising meritocracy. A wiki, for instance, can allow most of these aspects. The network also generates autoritas, but it is a well deserved autoritas. The Catalan Parlament 2.0 could be an example of this.
• Politicized means 2.0, that enable the exchange of ideas, community building and creation of communities, cyberactivism, against particracy. The pros is that people debate seriously, the cons is that they might lead to quasi-parties.
• Political spaces 2.0: gathering spaces, dialogue and exchange, complex identities, against particracy.

A distinction between direct democracy and deliberative democracy. The Net to directly decide can lead to dangerous outcomes or problems as the NIMBY, lobbying or even taking the whole system as a joke (e.g. the Spanish “efecto Chikilicuatre”, where Spaniards chose a stand-up comedy actor to represent Spain at Eurovision).

But politics will be 2.0 or won’t be.

Ricard Espelt, Copons Town Councillor, in charge of Economic Promotion, New Technologies and Communication.

In a small town like Copons, problems are small but real ones, and the traditional solution would be that the citizen would shift the problem towards the city council, which might or might not solve the problem, given their limited resources.

Copons 2.0 aims at bringing the citizen back in the equation.

Problems should be able to be rephrased as alternatives, opportunities, requirements… In any case, a problem should be an excuse for a debate, for an encounter within the town and within citizens themselves.

The Administration is seen as a resource, but its limits are properly framed and known by everyone.

And the citizen is, again, no more a “whiner” but someone who can also contribute with solutions, or contributing to “the” solution.

Social networking sites put all these things together, making possible sharing, deliberation, participation, etc.

Far from corporativism, Copons opted for universal and socialized tools, in the cloud, for free: WordPress, Facebook, Flickr, etc. and everything licensed with Creative Commons. Notwithstanding, opinions were only accepted if backed with a real digital profile, even if they were popular or widely accepted.

Surprisingly, online administrative processes have been the less popular, being participative tools the most used. The major: There’s no opposition: it is the citizens who are watching us. Working on the net and in such a framework, the administration has to be transparent and the citizens ask for highest degrees of accountability, responsibility, etc.

What happens with the digital divide? Wifi areas and digital literacy workshops were created to help the laggards catch up with the rest. Training is made on a peer-to-peer basis, where initiated volunteers help their neighbours. Now, more people have digital profiles, there’s more broadband penetration, offline debate has been enriched and enhanced by online debate, people self-organize. A good pro: everybody knows who their representatives are and viceversa.

The Copons 2.0 project has been able to deal with quite complex problems, problems that came from a long tail of approaches, that gathered all the relevant agents (known and unknown) affected by the problem, etc. And sometimes, the identified solutions belonged not to the Government sphere, but to a shared set of responsibilities/responsibles. But, as monitoring is constant, solutions are temporal and they quickly enter a process of constant improvement… as in a permanent beta.

Q&A

Franck Dumortier: Where are the limits of conventional and unconventional? How is your digital identity affected by you participation conventionally or unconventionally? (e.g. a demonstration that ends up with you on jail because of some uncontrolled riots)

Ismael Peña-López: the impact of SNS on critical and institutionalized citizens, is it the same one? Is it more “2.0″ in the case of critical/grassroots and more “1.0″ in the case of institutionalized/top-down? José Antonio Donaire: we’ll most probably be seeing Politics 2.0 made up of the 4 stages mentioned below. On the other hand, it not about web 2.0 tools, or web 2.0 tools used the 1.0 or the 2.0 way, but whether there is a deliberative process, however it takes place. Marta Cantijoch: Agreed, it’s not about technology but processes and philosophy, a participatory one, despite whether it is made with web 1.0 or 2.0 applications.

Ismael Peña-López: does Politics 2.0 require a lot more effort/work or can it be mainstreamed in every day’s politics? Ricard Espelt: more than a matter of workload, is a matter of attitude, whether one wants to engage with the citizenry or wants to be pro-active in politics, or just sit on the City Council.

Q: How does participatory politics fit with a party system, closed, not really representative, power centred, top-down managed, etc.? Why should I speak with a politician, interact with them, if they are wired to/by the party? José Antonio Donaire: I’m absolutely for open lists in elections. But, but this radically change the scenario? It might make the individual politician more responsible, but the change of paradigm goes way beyond that. A representative system is efficient, but it does not necessarily require that it is the party/government who decides both the agenda and the results of the agenda setting. There is an urgent need to recover the debate, the collective finding of the truth, the enlightenment.

Albert Batlle: What happens with the profile of satisfied citizen but not active/engaged? Marta Cantijoch: this profile perfectly fits within the Institutionalized group.

Albert Batlle: How do we scale up the Copons 2.0 model? For instance, from the local to the national or the international level. How do we reach consensus there? Ricard Espelt: We have a low sense of the common good and of the community. The problem of scalability is most probably not a matter of size, but of consensus. Big participatory projects do not work not because they are big, but because they are top-down. José Antonio Donaire: Maybe what works is common interest. If Copons 2.0 works it might be because the small town is thematically coherent. We thus can build bigger communities that, notwithstanding, have a common thematic core. And the politician should have channels so that they can practice an active hearing, a way to gather knowledge in which to base their decisions.

Q: (to José Antonio Donaire) Why should a politician want to end up politics? What does it mean ending up conventional politics? How would you then become a Member of Parliament? A: I am aware that representative politics works, but it is a fragile one, and there’s evidence of disaffection and of loss of sense of community. When talking about politics outside politics, this means not without politics, but outside of (or without) conventional politics. The idea is not throwing politicians away, but working with the citizens to set up the agenda, to decide what’s to be decided, etc.

Mònica Vilasau: How do we connect engagement and a call for participation with results? How not to deceive people? Is it easier in smaller places? Are outcomes easier to achieve at smaller scales? José Antonio Donaire: It’s better a citizen association building up a website and imagining what they’d like, than the City Council asking for ideas. A good example could be Las 1001 Ideas.

Ana Sofía Cardenal: For a deliberative democracy, we need a genuine motivation. But there are demagogues that want to manipulate the public arena. What to do with them? José Antonio Donaire: On the Net, reputation is very transparent. In a network of people it is more difficult to be cynical.

More Information

• IDP2009: Political Participation, by Daithí Mac Sithigh
• #IDP_UOC: V Congrés Internet, Dret i Política: Participació política i xarxes socials, by Ricard Espelt
• II Congrés d’Internet, Política i Dret de la UOC (2na part), by Gemma Urgell
• La participación representativa y la extrarepresentativa, by Xavier Peytibí
• Ningú sap mes que tots plegats, by Xavier Peytibí
• Copons 2.0, by Xavier Peytibí
• Nadie sabe más que todos juntos, by Xavier Peytibí
• Usnownc en el V Congreso Internacional IDP de la Uoc: Cara y cruz de las redes sociales, 2a jornada, by Idoia Llano

Policies for a safer Internet
Chaired by Agustí Cerrillo

Óscar Martínez de la Torrre, Spanish Ministry of Industry, Tourism and Trade.

The Plan Avanza [the Spanish plan to foster the Information Society] had an important part in raising awareness on the risks of the Internet, but also on providing confidence to newcomers.

The Spanish Law for the Access to Electronic Public Services also included strong measures to provide these services with high levels of confidence, e.g. so that people felt equally secure e-invoicing as invoicing.

The Spanish government has issued several other initiatives to promote confidence and security on the Internet as accompanying measures to major stratetegies like the promotion of Internet in the classroom, G2B and B2B projects, etc.

One of the drawbacks that we usually find in security measures is that humans are the weakest link: technology can be prepared to face difficult challenges or strong security attacks, but humans — because of ignorance, lack of digital literacy or just because they forget to — quite often perform actions in most insecure ways.

Robustness of infrastructures, collaboration platforms or emergent IT models are strategic issues to develop safer Internet strategies at the telecoms level.

The ITU has developed a set of procedures on Internet security available at http://www.itu.int/ITU-D/cyb/cybersecurity/.

Catalonia National Information Security Plan
Nacho Alamillo, Director General Astrea La Infopista Jurídica S.L.

Surprisingly, there are few attacks in comparison to how poorly prepared are the Administrations, firms and citizens in matters of Internet security. And one of the problems of cybercrime is not only cybercrime itself, but that it is normally tied to other illegal actions such as laundry money, (forced) prostitution, etc.

Reasons why people and institutions are poorly protected: lack of awareness, bad code/software, speed of technological changes (e.g. anti-virus being obsolete in 10′), lack of resources (e.g. small towns with -500 inhabitants but holding their data).

Main drivers of safer Internet policies: Privacity, e-Administration and secure infrastructures.

Strategic goals of the Catalonia National Information Security Plan:

• Establishment of a nation-wide safety strategy: research, awareness, collaboration within Administrations, fostering existing initiatives, etc.
• Backing the protection of critical infrastructures, especially those obsolete (“old is easier to attack”): electronic communications, electronic systems for industry control (SCADA), priority lines, etc.
• Fostering of a business network that provides secure IT: industrial policy to promote secure IT, creation of a private sector that provides social benefits, community based on free software.
• Increasing confidence in the Information Society: fight against cybercrime, help lines to risk-prone collectives

Q&A

Ramon Codina: IPv6, which is known to be more secure, is going to be implemented in the short run at the Spanish level? Óscar Martínez: There are already “islands” that have implemented this protocol, but interoperability with other protocols is still a barrier. On the other hand, and as usual, the chain is as strong as its weaker link, which means that the implementation of the IPv6 should be made at the international level or, at least, at a European level. And this is still a far horizon.

Ismael Peña-López: After a first wave to put up content and handbooks and guidelines about security on a push-strategies basis, are we seeing a shift towards pull-strategies? Nacho Alamillo: We are trying to embed security procedures in each and every daily procedure in education, retail selling, etc. so that it becomes invisible and “normal” in everyone’s life. Óscar Martínez: We are trying too to create self-learning content instead of top-down training plans, so to give answers to people when they have the questions, and not the other way round. On the other hand, we’d rather focus on toolkits (again, answering specific questions) rather than generic handbooks, more how-to’s or what for’s instead of theoretical approaches.

Marc Tarrés: What’s the state of standards? Are they converging towards consensus? Nacho Alamillo: So far, there’s many of them and this poses a real coordination problem, though many efforts are being put in this subject.

More information

• IDP2009: A Safe Internet, by Daithí Mac Sithigh

Access to public information and Social Networking Sites
Chaired by Ismael Peña-López

e-Government at W3C
José Manuel Alonso, CTIC Foundation / World Wide Web Consortium (W3C).

There is an increasing trend demanding open public information, raw public information, instead of one stop shops to access public services or public information that has already been “treated” or “prepared” for the citizen. Why should administrations limit the interactions with their citizens?

Governments should shift from being owners of data to being curators of data.

Benefits of freeing data are many, arguably being the most relevant one the “Many minds principle”: there’ll always be someone that will find out a way to reuse data that you wouldn’t have even figured.

Three steps to reuse: identify relevant data, represent them so that they can be used, and expose them to the wider world.

The District of Columbia public data set, and and example of its reuse: CrimeinDC. These applications have been estimated to have a 4000% ROI. See also MySociety.org and the Sunlight Foundation.

Data.gov, the flagship of the US Government on open data.

If data are put in appropriate formats, they can be syndicated, aggregated, etc. And the costs of doing this, remixing, reshaping, etc. are almost zero to governments: once data are published, it’s private interests (for or not for profit) with do the rest.

Linked Data: its principle is to empower data so that they can be interlinked and enriched. The idea is to link a data set with another one, and that one yet with another one, etc. This should be able to be done automatically, so when applications accessed a data set, it “browsed” several data sets to build a new combined data set… and all of this made transparently for the user.

Challenges are many: alignment with the mission and strategy, there are some costs, inner capabilities of the administration, security, integrity, persistence of data (that data can always be found in the same place), licensing models and their compatibilities, legacy systems, standardization, etc.

Public data reutilization: Yes, we want
Alberto Ortiz de Zárate Tercero, Director of Citizen Service, Basque Government

In 1833 journalist Mariano José de Larra wrote Vuelva usted mañana (Please come back tomorrow) about the Administration’s inefficiency. Almost 200 years later, we’ve been adding technology to processes but the Administration remains the same. Our goal should be to make this statement obsolete by boosting efficiency and citizen satisfaction.

e-Government is somehow the same path of the modernization of the Administration but with an opposite approach, focussing on people and knowledge instead of processes and technology.

Usually, Administrations focus their e-Government strategies on the online availability of their public services, beginning with income-generating services. On the other hand, the stress has also been put more on G2B services rather than on the citizen.

And, do we know how much e-Government services are used?

What we do know is that a lot of money has been spent in government portals but the efficacy and the efficiency is yet to be made evident.

Shift from e-Government to Open Government (o-Government): services centred in the citizen and co-designed with the citizen; transparency and accountability; innovation fostering. And open data is a pre-requisite of o-Government, being a real exercise of transparency settling democracy. Open data reduce information asymmetry, firms get access to wealthy information and a new kind of citizen emerges: the infomediary.

If data is open, there is no need to agree (neither with the government, nor amongst citizens) on what services need to be set up: emergent initiatives will be able to set them up at their own will, as the resources are plainly available. For instance, Apps for Democracy.

Reusing public information for change
Jordi Graells, Deputy Director of Content and Innovation in the Catalan government’s (Presidential Department) Citizen Service Office.

Innovation should be aimed at creating value, to transform knowledge to create value.

Gary Hamel: (new) leadership is about enabling rather than doing, is about distributing power, about managing the collective intelligence. On a managing approach, professionals should be put first, then the customer and then the stakeholders… which can easily be translated into the field of the Administration.

But the abundance of barriers and constraints lead us to empowerment through open data. And one of the main enablers of open data is open licences, so that these data cannot only be accessed but also (re)used by anyone.

In 2007 the Catalan Government begins using Creative Commons licenses in their publications. In 2009 the Catalan Government agrees that all publications (whenever there are intellectual propertyh rights) will be using CC licenses — being the optimum in the long run putting all public content in the public domain.

Roadmap of the Catalan Government:

• Law 37/2007 for the reuse of public information, adding disclaimers to public information clarifying how it can be reused
• Put information into open data bases so that data can be reused, with several options depending of he kind of database (just data, access to collections of third parties’ materials, etc.)
• CC licensing for content with IP rights

But it’s not only about administrative change, but about citizen participation and engagement: the Catalan Government shares knowledge in social networking sites where people can participate and engage in collaborative work: communities of practice, social aggregators, etc..

The e-Catalunya project now holds +15,000 members in 54 big groups/categories and several dozen specific working groups.

Q&A

Idoia Llano: How is the Government of Catalonia’s blog going to be managed? Jordi Graells: It is not exactly the Government’s blog, but the “blog of the Internet experience of the Government”. It will be a corporate blog, not a blog (or a collection of blogs) of the members of the Government. So, it will be like any other communication channel.

Ricard Espelt: How is it, if open data and open platforms have such benefits, that Governments do not use them? Why Governments keep on using customized and closed applications instead of already existing “cloud” applications? Jordi Graells: Security is an issue. An other one is political show off (e.g. it’s “better” a good huge portal, rather than small spread applications that don’t even hold the institution’s logo).

Agustí Cerrillo: technologically speaking reuse of public information is possible and, increasingly, the law has also been updated this way. But it is not this way at the organizational level. So, what organizational change should take place? Jordi Graells: Communities of practice are proving to be a good driver for change. Alberto Ortiz de Zárate: it is very important to convince the leaders, and to do it through small successes and benchmarking others’ small successes. José Manuel Alonso: Act on a two-level basis: at the higher direction basis, agreeing on political strategies; and at the implementation and most operative basis, agreeing on the how-tos.

Ismael Peña-López: In a welfare state like ours, why should I participate and “work for the government”, if I already pay my taxes? Why should I if I won’t change the world? Alberto Ortiz de Zárate: It’s about small but really effective changes, especially in those places where resources are really scarce and small projects can have huge impact.

Marta Cantijoch: Aren’t we promoting a new digital divide — accompanied by a democratic divide — where people that can code, understand the new “sharing paradigm”, etc. can participate in this open society and the rest of the citizenry will be set aside? José Manuel Alonso: The idea is not the creation of a new elite of citizens, but to enable a new set of infomediaries that can provide more and better public services for the citizen. Jordi Graells: These new services that José Manuel Alonso refers to can be new cultural services, learning and research materials, weather data, more and better communication channels, etc.

Q: How can we encourage participation? Alberto Ortiz de Zárate: Historically, participation has been limited to sending out ideas and vote them, which is not really encouraging. If the Administration allows for a creation of new public services, new public value, the citizenry should be more eager to participate as their impact would be much higher.

Q: We should be aware of the risks of sharing information, especially private information. How do we avoid these risks? Jordi Graells: There seems to be an increasing trend towards a genuine change that needs to be managed, but that seems unstoppable.

More information

• IDP2009: Access to Public Information, by Daithí Mac Sithigh
• #IDP_UOC: V Congrés Internet, Dret i Política: Accés a la informació pública i xarxes socials, by Ricard Espelt
• V Congreso IDP – UOC: panel de acceso a la información pública y redes sociales, by Alberto Ortiz de Zárate Tercero
• II Congrés d’Internet, Política i Dret de la UOC, by Gemma Urgell
• Accés a la informació pública i xarxes socials, by Marc Garriga
• Acceso a la información pública y redes sociales, by Marc Garriga
• Usnownc en el V Congreso Internacional IDP de la Uoc: Cara y cruz de las redes sociales, 2a jornada, by Idoia Llano
• Government Data and the Invisible Hand.
• Putting data government online
• List of differences between government and web2 initiatives, by David Osimo