3. How is the EU–US Relationship on Internet Governance Working?
Shared values and concerns
At a high level, the EU and US share core values in relation to the internet’s development, particularly when contrasted with the ambitions of authoritarian and non-democratic regimes. There is significant goodwill and willingness to work together to promote an open and free internet.
With few exceptions, a non-interventionist, private-sector led, free market approach to internet governance has had support on both sides of the Atlantic. The US approach has remained relatively consistent and has sustained bipartisan support for the past 20 years. The main topic of contention and differing approaches has been in relation to the historical US government role in the development of the DNS root (the IANA). The George W. Bush administration announced during the WSIS process that it was unwilling to give up its control over the IANA;38 the Obama administration triggered the process that led to the transition of the IANA to the ICANN community.39 The IANA transition took place prior to the US presidential election in 2016. The current US administration has indicated hostility to the IANA transition40 but has not attempted to reverse it so far.
The EU Council Conclusions on Internet Governance of 201441 provide positive examples of the common interests and values of the EU and US, including:
- An open, neutral environment in which freedom of expression and innovation can thrive, with an assumption that the network’s distributed architecture would mitigate against concentrations of economic or political power.
- Support for multi-stakeholder solutions for governing the internet’s core resources, including the transition of the IANA function to the global multi-stakeholder community.
- Support for the Internet Governance Forum.
- Avoiding fragmentation of the internet and strengthening cybersecurity within the context of a free and open internet.
The EU and US share objectives and values in core issues relating to cybersecurity. These include the prevention of cybercrime, responsible state behaviour in cyberspace, improving the resilience of critical infrastructure to withstand cyberattacks, all within a robust human rights framework. When discussing issues relating to cybersecurity, the EU tends to focus on specific topical areas of concern, such as cybercrime, disinformation or data protection. The US, on the other hand tends to talk in terms of technical cybersecurity located further down the internet stack – closer to the networks and protocols as opposed to the applications and services – using language such as interoperability, resilience, standards and security. This may in part reflect differing regulatory approaches between the EU and US. Developing common language and terminology presents an opportunity for closer cooperation between the EU and US in promoting enhanced cybersecurity within a free and open internet.
Both the EU and US have shared, defensive interests in preventing the rise of China and its authoritarian vision for the future of internet governance, which threatens to undermine the future of the single, free and open internet.
Both the EU and US are active in improving cybersecurity at numerous levels, including efforts to promote greater cooperation through the G7,42 strengthening the EU Agency for Cybersecurity (ENISA), implementing the Network Information Security (NIS) Directive, membership of the UN Group of Governmental Experts (GGE), engagement in national, regional, and industry-led standards bodies (e.g. NIST, ETSI and 3GPP), and opposing the ambitions of authoritarian states to implement a cybersecurity treaty.43 In October 2018, a group of NATO allies coordinated a series of public statements denouncing Russian activities in cyberspace,44 a show of strength and resolve by calling out irresponsible behaviour. One area where EU–US coordination on cybersecurity could be strengthened is the ICANN process, particularly as a number of forward-looking security initiatives are under way.
Furthermore, both the EU and US have shared, defensive interests in preventing the rise of China and its authoritarian vision for the future of internet governance, which threatens to undermine the future of the single, free and open internet. Both the EU and US have resisted calls for a UN ‘solution’ to internet governance.
While both the US and EU have struggled for resources since the global financial crisis, they also have strong institutions, a track record of rules-based governance, strong civil society organizations and – most important – the ideals and values on which both were founded.
Areas where the EU and US have worked effectively
The following section examines two case studies that illustrate examples of effective cooperation between the EU and US on internet governance issues. The examples are not intended to be exhaustive but illustrate activity across strategically important institutions and processes.
IANA transition
Shortly after the US National Telecommunications and Information Administration (NTIA) announced its intent to transition oversight of the IANA function to the global multi-stakeholder community, the EU Council endorsed the US decision. EU stakeholders, including the EU institutions, actively engaged in the two-year process within ICANN to define a multi-stakeholder future. Eventually, all segments of the ICANN community, including the GAC, unanimously endorsed the outcomes45 of the Cross-Community Working Group (CWG). Europeans comprised the second largest group of the 155 members and participants of the CWG (26 per cent, compared with 23 per cent from North America, and 33 per cent from Asia).46 European participants were drawn from multiple stakeholder groups and were among the most active attendees, including a European co-chair.47
The IANA transition showed that multi-stakeholder processes can be effective at solving complex problems quickly. The process also harnessed the capabilities of EU stakeholders (who tend to be most active in ccNSO and GAC, less so in GNSO) and brought them into cross-community working. However, the discussions were tightly scoped by the original NTIA announcement, which specifically tasked ICANN with finding a solution (rather than throwing the challenge open to the then imminent NETmundial meeting) and stipulated a multi-stakeholder outcome (thus vetoing an ITU solution).48
The European Dialogue on Internet Governance – an example of successful EU multi-stakeholderism
The European Dialogue on Internet Governance (EuroDIG) has become one of the most effective and best-known of the regional and national IGF projects. While EuroDIG is not particularly an example of successful EU–US coordination, it does demonstrate what can be achieved if the European institutions wholeheartedly participate in multi-stakeholder processes. European institutions have provided positive engagement and support for EuroDIG throughout its lifetime, which lends legitimacy and guarantees the participation of high-level speakers from all stakeholder groups (including from the European Commission and parliamentarians). These institutions have helped to sustain momentum through their participation in the bottom-up programme planning process, without ‘taking over’ or undermining EuroDIG’s distinctly multi-stakeholder character.
The European institutions have continued to support EuroDIG and the global IGF alongside other stakeholders, by contributing to the bottom-up programme planning process and being heavily involved in the event, for example by providing speakers both at EuroDIG49 and the IGF (the commissioner spoke at the 2017 and 2018 IGFs), and a delegation of MEPs to the global IGF.50
Some stakeholders question the effectiveness of the IGF, as high-level government and industry participation decreases while civil society participation increases. Additionally, the IGF has always struggled to achieve sustainable funding and requires the host country to foot the bill of IGF meetings; the IGF has been held in Europe at least three years in a row, which shows a downturn of wider commitment and resources for the forum. It is also important to note that the internet governance landscape – in terms of quantity and variety of internet forums – is profoundly different to what it was in 2006 when the IGF was founded. Stakeholders now acknowledge that it is time to modernize the forum in order to keep it relevant.
At the time of writing, the IGF Multistakeholder Advisory Group (MAG) is taking stock of IGF 2018 and setting expectations for 2019 following an open consultation. This moment affords those who value the IGF’s open, multi-stakeholder dialogue forum, such as the EU and US, opportunities to shape its future impact on internet governance. A joined-up European and American perspective and approach to updating the IGF to keep it current would provide a strong future vision for the forum that reflects shared values. Topics for cooperation include funding models, how the National and Regional Initiatives (NRIs) and wider-spectrum stakeholders interact with the international forum, identifying key focus areas, effectively attracting all relevant stakeholders to the table, and promoting wider international support (e.g. hosting).
Barriers to effectiveness
Despite a close alignment on the principles of multi-stakeholder internet governance, there are several factors that pose challenges to the effectiveness of EU–US cooperation on internet governance.
Different reasons to support multi-stakeholderism
Once discussions of the issues move beyond broad principles, differences of approach begin to emerge between the US and the EU. The following examples illustrate the EU and US’s differing interpretations of what multi-stakeholder internet governance comprises.
From the US perspective, there appears to be a genuine belief that multi-stakeholder processes are more effective and legitimate than the available alternatives for governing the internet. In the US, it is quite normal and natural for individuals to move between public and private sectors throughout their career,51 subject to rules on conflict of interest. While the same may be true in Northern Europe, it is more unusual in Southern Europe, or even in the European Institutions. This relatively trivial example of a difference in approach can be interpreted as one of self-interest from an EU perspective, which may assume that the actions of US officials are at risk of being influenced by the hope of gaining a lucrative private-sector role after leaving office. This has strengthened suspicion by some in the EU that multi-stakeholder processes favour the interests of corporations or lobbyists.
The EU publicly supports multi-stakeholder internet governance,52 and pays substantial financial contributions to the IGF, EuroDIG and the ICANN GAC secretariat. On 5 December 2018, a revised regulatory framework for the .eu top-level domain (TLD) was published. Changes to the framework bring it in line with international best practices on internet governance.53 The new regulatory framework will create a multi-stakeholder council, which will have a limited scope of ‘informing and advising the European Commission’ rather than adopting a pure multi-stakeholder policymaking process.
An EU perspective may assume that the actions of US officials are at risk of being influenced by the hope of gaining a lucrative private-sector role after leaving office. This has strengthened suspicion by some in the EU that multi-stakeholder processes favour the interests of corporations or lobbyists.
Internet governance gains from engagement with the diverse stakeholders that help to govern, provide and benefit from the global internet. Fostering participation of like-minded stakeholders in processes will result in better multi-stakeholder participation, and more robust internet governance.
Perceived lack of international influence/priority on IG (EU)
Interviewees for this paper all mentioned the high staff turnover at both the Commission and EU member state level on the internet governance portfolio. From the Commission’s perspective, the staff turnover reflects the Commission’s reorganization of responsibilities for internet governance bringing it closer to technical competence and line management. The Commission has also pushed through the .eu REFIT with the intention of opening up and modernizing internet governance policies across Europe.
However, the steep learning curve for this technical, complex policy area means that it takes at least a year for a new participant to become effective. Since the successful transition of the IANA function from US government oversight in 2016, there has been a sense that the EU has afforded a lower priority to internet governance.54 High staff turnover leads to a loss of continuity and institutional effectiveness and may contribute to a perception on the part of some stakeholders that internet governance is a low priority for the EU. Meanwhile, core staff at the US NTIA has remained consistent for the past 20 years. Whether the longevity of staff should be a source of concern or not, there is no doubt that at present (particularly within the introspective and conservative internet governance communities) US officials have more extensive experience and contacts, and that these contribute to greater institutional memory.
From some perspectives (including those interviewed for this paper), the practical impact, both at institutional and member-state level, is a difficulty in getting high-level input from the EU on internet governance issues. ‘The EU bubble can be very self-absorbed, and it is difficult to get a Commissioner to pay attention to things that don’t have obvious relevance to Commission priorities, such as the Digital Single Market’.55 The institutional structures, and dividing lines between the roles and responsibilities of institutions versus member states, require so much coordination that the ‘EU ends up with the lowest common denominator negotiating positions, which leave the Commission with no mandate to manoeuvre or be flexible’.56 At the member-state level, officials are not adequately supported either, with the result that they depend on Brussels for guidance and expertise.
High staff turnover leads to a loss of continuity and institutional effectiveness and may contribute to a perception on the part of some stakeholders that internet governance is a low priority for the EU.
Unlike the US and the Five Eyes, the EU does not engage in dedicated coordination across subject-matter boundaries. The US and Five Eyes bring together security professionals to discuss internet governance and sent representatives from their security communities to the ITU Plenipotentiary 2018, whereas EU attendees were mainly from trade or communications portfolios.
Outside the EU institutions, the participation of EU stakeholders in ICANN can be patchy, particularly in the GNSO. ‘Even if you have the numbers, the ones who are active and vocal are Americans’.57 Experience of trying to stimulate broader EU stakeholder participation in ICANN and IGF has also been disappointing, ‘European chambers of commerce don’t care’.58
These views are not shared from inside the Commission. The commissioner was at IGF Geneva and Paris, demonstrating a strong commitment to internet governance. The importance of internet governance is in her mission letter and has been stressed in several public statements (e.g. the EuroDIG message). Over the last two years the High Level group on Internet Governance (HLIG) process has been rejuvenated, with more frequent and rapid interactions and less committee-style meetings. The Commission more regularly coordinates in Council, as demonstrated by different EU lines, including NETmundial59 or more recently of WHOIS.60 From the EU institutional perspective, far from having no mandate to negotiate or be flexible, the Commission negotiates well within the GAC (e.g. on the WHOIS).
These differing perspectives reveal a communication gap, which if addressed could strengthen mutual trust and confidence between the EU and US. This could be particularly useful in addressing problematic issues or those that require a careful balance between stakeholder interests, such as WHOIS and GDPR.
Institutional weaknesses (ICANN/IGF)
ICANN’s multi-stakeholder community has been criticized for lacking in transparency and accountability, being US-centric, having high costs of participation, and being unable to reach timely conclusions on well understood policy issues (such as WHOIS: privacy issues and lawful access to data).61 For most stakeholders, there are low incentives to participate in long drawn-out policy processes, the outcomes of which have only tangential relevance to their lives or work.62
There are warnings since coming under the remit of the IANA, the ICANN community may not be robust enough to hold the board to account, as demonstrated by the board’s suspension of one of the specific reviews (on security, stability and resiliency) mandated by the post-IANA transition settlement.63 The ability of a single individual – the serving CEO – to flip the organization’s direction and strategy (contrast Fadi Chehadé’s expansionism, with Göran Marby’s conservatism) is also a sign that internal planning processes, checks and balances may be weak.
The IGF was designed as a forum for dialogue, rather than a decision-making body, and was deliberately kept separate from the UN bureaucratic machinery,64 as a consequence it has always struggled financially. While the IGF’s mandate was extended for a further 10 years in 2015,65 criticisms persist – it has not yet achieved the hoped-for policy influence and its MAG is sometimes criticized as inward-looking and self-absorbed.
The role of civil society
Both the US and EU approaches to multi-stakeholder internet governance lack consistent, constructive engagement with civil society. Where there is engagement with non-governmental stakeholders, industry is often viewed as a more natural partner. This is a missed opportunity. ICANN may not be the most productive environment in which to build such dialogue, due to the narrow range of issues and entrenched positioning from some civil society actors. However, there are civil society organizations that are more practical and willing to have a dialogue with governments and industry, for example, Article 19 and Access Now (including the #keepiton initiative to prevent internet shutdowns), which are both active in the standards and technology environment, including the ITU.
Complexity of the internet governance space
The internet governance space is becoming more confusing and complex as the definition of internet governance broadens and issues emerge that require urgent international coordination. For example, a perception that there was insufficient international attention on cybersecurity led to the creation of the Global Conference on Cyberspace (GCCS) in 2011 – drawing on the same small pool of global internet governance participants. Although designed as a forum for multi-stakeholder dialogue, only 5 per cent of participants at the 2017 GCCS meeting came from academia and civil society.66
The Internet Governance Forum 2018 was scheduled at the same time as the ITU Plenipotentiary. Both meetings are held under the UN umbrella, and there is a high degree of overlap in attendees – particularly from governments and the technology sector – so the scheduling conflict syphoned off already stretched government resources.
Cases highlighting tensions or failures in coordination
EU General Data Protection Regulation and WHOIS
The General Data Protection Regulation 2016 (GDPR), its long-arm jurisdiction, and its impact on WHOIS have exposed divisions between the EU and US.67 Domain name registration data, available through the public WHOIS service, has been widely relied upon by law enforcement and intellectual property owners to investigate and combat online crime and abuse. Despite the EU raising concerns and written advice relating to privacy aspects of WHOIS over a 14-year period,68 the US and the ICANN community failed to predict and prepare for the impact of GDPR on WHOIS, or to safeguard legitimate third-party interests.
Alarmed by the GDPR’s turnover-based fines, ICANN’s board imposed a Temporary Specification on gTLD Registration Data,69 which according to ICANN rules was required to expire on 25 May 2019. ICANN then set up an Expedited Policy Development Process (EPDP), tasked with crafting a permanent policy and defining access to WHOIS data.70 The EPDP completed its first phase in February 2019 and the ICANN community approved its work by establishing an Interim Registration Data Policy for gTLDs.71 The Interim Registration policy continues with the approach taken in the Temporary Specification and will remain in place until the EPDP has completed the second phase of its work. The Temporary Specification provides an overly conservative interpretation of GDPR by redacting key registration data, not just for natural persons, but for legal persons as well. The public WHOIS lost registrant names, addresses, email addresses and phone and fax numbers as a result of GDPR.72 This was not the result that the EU had pushed for.
In contrast, the European ccTLDs, including .eu, have worked successfully with European data protection authorities over a period of 20 years, to retain key aspects of the WHOIS output while also respecting individual rights to privacy.
WHOIS could become a trade issue between the EU and US if a workable solution that safeguards law enforcement access to data cannot be found.
The positions of the EU and US have evolved since the issue first came to light. The stakes are high. WHOIS could become a trade issue between the EU and US if a workable solution that safeguards law enforcement access to data cannot be found,73 and the EU may find itself blamed if its long-arm law (GDPR) results in the loss of tools for law enforcement.74 Initially, both the EU and US were defensive and staunch in their positions; now there is constructive dialogue aimed at resolving the issue. A Commission official is a member of the EPDP team, and the EU, US and ICANN are reported75 to be working effectively together to try to reach a workable outcome.
Improving cybersecurity within ICANN
Despite ‘security and stability’ being at the heart of ICANN’s mission, cybersecurity has played a relatively minor role in discussions in the ICANN community. Two processes – the second Security and Stability Review Team Review (SSR2) and the Security and Stability Advisory Committee (SSAC) – deserve greater attention.
SSR2
Key discussions on the security, stability and resilience of the DNS are currently taking place in the ICANN SSR2 review,76 one of the specific reviews on which the IANA transition was contingent.77 In a surprise move, the ICANN Board – the target of the independent review – suspended the SSR2 in October 2017 for a period of more than six months, for reasons which were not fully articulated. While Assistant Secretary David Redl placed on record the US concerns regarding the board’s action,78 reactions from the EU and the ICANN community were limited. There are three representatives from Europe currently on the SSR2 team79 (none from China), and the group’s fact-finding work continues. However, the suspension of a key review raises questions about ICANN’s accountability and commitment to cybersecurity.
SSAC
Within ICANN, the Security and Stability Advisory Committee (SSAC) is a key venue for discussions regarding cybersecurity. SSAC is a highly influential body within the ICANN ecosystem. SSAC’s advisory notes have been used by the ICANN board as the basis to make controversial decisions.80 The key actors participating in ICANN’s SSAC are from the US and Europe. Although the CEO of CNNIC (the Chinese ccTLD registry) is a member of SSAC.81 Unlike other ICANN bodies, membership of the SSAC is by invitation only, and many of its discussions take place behind closed doors. A recent independent review of SSAC recommended that the group take a more active role within the ICANN community, so that security concerns can be raised at an early stage.82