
Transparency, Fairness, and Respect: The Policy Brief on Responsible Data Handling

It’s been a little over a year since the European Union’s General Data Protection Regulation (GDPR) was implemented, but almost immediately, people noticed its impact. First, there was the flurry of emails seeking users’ consent to the collection and use of their data. Since then, there’s also been an increase in the number of sites that invite the user to consent to tracking by clicking “Yes to everything,” or to reject them by going through a laborious process of clicking “No” for each individual category. (Though some non-EU sites simply broadcast “if we think you’re visiting from the EU, we can’t let you access our content.”) There was also the headline-grabbing €50 million fine imposed on Google by the French supervisory authority.

In its summary of the year, the EU Data Protection Board (EDPB) reported an increase in the number of complaints received under GDPR, compared to the previous year, and a “perceived rise in awareness about data protection rights among individuals.” Users are more informed and want more control over the collection and use of their personal data.

They’re probably irritated by the current crop of consent panels, and either ignore, bypass, or click through them as fast as possible – undermining the concept of informed, freely-given consent. They’re limited in the signals they can send about consent, and what they do signal may be meaningless. And if their access is blocked because of the geographic location of their IP address, they aren’t sending any consent signals at all. Whatever the motivation for this kind of blocking, it leads to a “fragmentation” of the Internet, in which information is freely available to some people, but inaccessible to others just because of where they seem to be located.

Nevertheless, because people are better-informed than they were, they are more motivated to complain.

If individuals’ complaints prove justified, organizations that collect personal data face the prospect of much bigger financial penalties than before for data protection offenses. The risk of penalties is independent of geographical location. It applies across national and jurisdictional boundaries, and therefore in contexts where the idea of “personal data” could have widely different cultural interpretations. When data controllers are faced with risks arising from laws outside their own jurisdiction, they are likely to need ways of setting themselves a high benchmark that reduces their exposure to compliance-related and reputational risk.

In short, everyone ends up relying on better behavior by data controllers.

If “improving behavior” involves setting a higher bar than legal compliance, it takes us into the realm of ethics, which can be a daunting prospect for the average business, so we wanted to develop something more approachable and practical: The Policy Brief on Responsible Data Handling. The policy brief looks at the issue from the data controller’s perspective, and identifies three principles to help them decide how to collect and process personal data in a responsible way: Transparency, Fairness, and Respect.

We developed each of these principles into specific guidelines. For example:

  • If what you are doing with personal data comes as a surprise to the individual, you probably shouldn’t be doing it. If you can’t, or don’t, explain the uses you make of personal data, you’re probably failing on transparency.
  • If what you do with personal data means you get the benefit, but the risk is offloaded onto the individual, your product or service probably hasn’t been designed with fairness as a key objective. Similarly, if you lock users in to your platform by making it impossible for them to retrieve their data and move it elsewhere, you’re failing on fairness.
  • If you share personal data with third parties but don’t check that they treat it properly, you may be failing to respect the individual and their rights and interests.

The Policy Brief on Responsible Data Handling includes more examples for each principle and a short list of recommendations for policymakers and data controllers, whether private or public sector. Thanks to GDPR, we know that people want more control over their data. The policy brief is a step towards protecting privacy and building trust in the Internet itself. If you have comments or suggestions about how to continue that process, please let us know.


Webinar: Can Consumers Trust Retailers’ Email? Findings from OTA’s Email Marketing & Unsubscribe Audit

Next Tuesday, 18 December, at 2PM ET (1900 UTC), we’ll be holding a webinar to discuss the results of the Online Trust Alliance’s 5th annual Email Marketing & Unsubscribe Audit.
Two Internet Society organization members from Yes Marketing and Endurance/Constant Contact will co-present with the Internet Society’s Jeff Wilbur, and it should be an interesting discussion that touches on various aspects of email authentication and best practices, online trust, and consumer confidence.
Please register at It will be recorded if you can’t make it on Tuesday.
The fifth annual Email Marketing & Unsubscribe Audit analyzed the email marketing practices of 200 of North America’s top online retailers and offered advice on providing choice and control to their consumers as well as technical best practices for retailers and marketers to follow. You can read more about it in Kenneth Olmstead’s recap blog post or view the infographic with key findings.
As always, you can follow along with us on Twitter, Facebook, or LinkedIn. We also have a Facebook event for this webinar at
I hope you’ll register and join us on Tuesday, and invite you to share this with anyone you think may be interested.

Future Thinking: Orla Lynskey on Data in the Age of Consolidation

Last year, the Internet Society unveiled the 2017 Global Internet Report: Paths to Our Digital Future. The interactive report identifies the drivers affecting tomorrow’s Internet and their impact on Media & Society, Digital Divides, and Personal Rights & Freedoms. We interviewed Orla Lynskey to hear her perspective on the forces shaping the Internet’s future.

Orla Lynskey is an associate professor of law at the London School of Economics and Political Science. Her primary area of research interest is European Union data protection law. Her monograph, The Foundations of EU Data Protection Law (Oxford University Press, 2015), explores the potential and limits of individual control over personal data, or “informational self-determination,” in the data protection framework. More recently, her work has focused on collective approaches to data protection rights and mechanisms to counterbalance asymmetries of power in the online environment. Lynskey is an editor of International Data Privacy Law and the Modern Law Review and is a member of the EU Commission’s multistakeholder expert group on GDPR. She holds an LLB from Trinity College, Dublin, an LLM from the College of Europe (Bruges) and a PhD from the University of Cambridge. Before entering academia, she worked as a competition lawyer in Brussels and as a teaching assistant at the College of Europe.

The Internet Society: You recently edited a symposium edition of International Data Privacy Law (IDPL) in which you argue that the interplay of law related to data protection, competition, and consumer protection is at a crucial crossroads. Why, and how does this play out in the Internet domain?

Orla Lynskey: These areas of law are at a crossroads in two senses. The first is that there has now been increasing recognition from regulators that they do overlap in some circumstances. A good example of this is the reference in the Microsoft/LinkedIn merger decision to data protection as a parameter on which firms compete, or the claim that Facebook is abusing its position of market power by making access to its service conditional on excessive data collection on various third-party websites being investigated by the German Competition Authority. However, we are also now at a crossroad in a second sense: having recognised that these areas of law need to be applied in a holistic manner, we now need to consider from a practical, procedural perspective how this overlap can be managed.

You’ve written elsewhere that digital consolidation can have an effect on digital inequality by giving platforms not just market power, but also the “power of providence.” What do you mean by this and how does it impact marginalised communities in particular?

Providence is defined in various ways, including as a form of non-human influence that controls people’s lives. I argue in the paper that dominant digital platforms have a “power of providence,” as they are – like the eye of providence – all-seeing: they have the ability to link and analyse diverse datasets in a way that provides a comprehensive overview of the lives of individuals, rendering them transparent in the process. Furthermore, they can use this unique vantage point in order to influence individuals in ways that we might until now have viewed as dystopian, for instance through personalised political advertising. Finally, the Internet’s architecture and the terms used to describe its processes (for instance, “machine learning”) give the false impression that the way in which our data is used to influence us online and nudge us in particular directions is untethered from human input, or is “neutral.” In this sense, it is given a quasi-divine status.

I suggest that this power of providence can have the particularly pernicious effect of exacerbating existing societal inequalities. I argue in the paper that this ability to use data to influence people can be used to discriminate, to differentiate and also to create perceptions. For instance, I was able to draw on the work of other scholars to indicate that data mining facilitates differentiation on the basis of socioeconomic status, which is not something that discrimination law prohibits. This research suggests that the poor are subject to more surveillance with higher stakes and are particularly vulnerable to data mining processes as a result of the devices used to connect to the Internet (notably, mobile phones which are less secure than other devices). While differentiation via data mining is not the sole purview of platforms with such power, their privileged position gives them superior data-mining capacity and means the existing information and power asymmetries are exacerbated.

Can competition law challenge the power of providence? What about data protection law? How can these work together to protect digital rights?

Competition law provisions are the only legal provisions explicitly designed to constrain the exercise of private power and so it makes sense to consider whether they can be of assistance in challenging this power of providence. I believe that, at a minimum, competition law should not make matters worse by, for instance, facilitating data-driven mergers that further consolidate our data in the hands of a very limited number of private actors. However, in some circumstances competition law could also limit abusive behaviour – for instance, exploitative terms and conditions for data usage – by firms with market power.

That said, competition law has its own limits and should only ever be a part of the overall jigsaw puzzle, with data protection law playing a leading role in regulating how our personal data can be used. To date, EU data protection law has not been robustly enforced, but I am one of those who remain optimistic that with stronger enforcement this system could be really effective.

If data protection, consumer protection, and competition law are all important in challenging harmful digital dominance, how do the different regulatory agencies responsible for dealing with these respective issues work together without encroaching on each other’s domains? Is there a need for better multistakeholder collaboration in this regard?

It is this question – of the division of labour between regulatory authorities – that has yet to be really ironed out. Ideally, as the European Data Protection Supervisor has proposed, these agencies would collaborate with one another under the auspices of a “Digital Clearing House,” or something similar.

Germany recently announced plans to try to curb digital dominance using competition law. Have you noticed any trends when it comes to other competition authorities’ responses to tech dominance around the world, and particularly how they are defining relevant markets?

There is definitely a growing recognition of the power of technology companies amongst regulators, and the wider public. This may be where competition law hits its limits, however: competition law provisions do not prevent a company from acquiring a position of market power, they simply make it unlawful for that company to abuse that position of market power in a way that is exploitative or that would exclude equally efficient competitors from the market. Economic regulation could, for instance, force tech companies to ensure structural separation between various operations (e.g., a structural separation between Facebook and WhatsApp). However, this would require legislative intervention.

The exception to this is in the context of mergers, where competition authorities get to look at the potential future impact of a transaction on the market. Here, I have argued in the past that data-driven mergers should be treated in an analogous way to media mergers and subject not only to an economic assessment but also to a broader non-competition assessment to gauge their impact on data protection and privacy. This is one of the ideas being considered in Germany and I think it is likely other competition authorities will introduce similar measures in due course.

What do you think of the idea that user data should be given digital property rights (i.e., that platforms should pay users for their data)?

Property rights in personal data are a terrible idea: they offer no real advantages compared to the current legal framework and risk exacerbating information and power asymmetries while undermining data protection as a fundamental right. Giving property rights in data would not strengthen our hand when it comes to negotiating with the tech giants, rather it would simply mean that we would lose all rights over that data once we entered into contracts with these companies. I also worry that going down this route would make data protection a luxury that can be enjoyed by those who could afford not to have their data processed, even perhaps creating the skewed incentive to reveal more data, or more sensitive data to profit from it. This is incompatible with the EU Charter right to data protection. I discuss this issue in my book on the foundations of EU data protection law. 

Is there hope in data portability as a way of countering data effects and addressing consolidation concerns?

Potentially. One explanation for the GDPR right to data portability is that it may empower consumers to switch service providers if they are unhappy with a service (for instance, to switch from Facebook to a mythical alternative if you are unsatisfied with the quality of the data protection offered). However, as I discuss in my research, the impact of this right on competition and innovation is ambiguous. It could, for instance, deter innovation by locking in the standards used by incumbent companies or increasing the costs of startups. This is all the more so as it does not require interoperability. However, whether interoperability is desirable from a data protection perspective is equally contestable. I would suggest that portability should be viewed through the lens of individual control over personal data rather than simply as a market tool, given these ambiguous effects.

What are your fears for the future of the Internet?

My main fear about the Internet is that a medium which promised so much for the advancement of rights – such as freedom of expression and of association – may end up having corrosive and divisive real world effects. One of the advantages of the Internet was that it offered people the opportunity to connect with those with similar niche interests (the Eric Cantona Appreciation Society, for example) but the personalisation of all content, including for instance political content, may push this to an extreme. That is not to say that personalisation is the only factor feeding into this concern, needless to say.

What are your hopes for the future of the Internet?

I think the Internet at present is based on a data bubble that needs bursting. The primary example of this is the excessive data processing that online behavioural advertising entails. Even if we could argue that processing of personal data is the quid pro quo for access to online services and content that are free at the point of access, the amount of personal data processed for that exchange is clearly disproportionate. Regulators have not yet gotten to grips with this but data protection law provides a potential ground on which to challenge this processing: when considering whether consent is freely given, utmost account needs to be taken of whether the service is made conditional on consent to unnecessary processing. I have not yet seen any empirical evidence that convinces me that online behavioural advertising is so much more effective than contextual advertising that it justifies this excessive incursion into our rights.

We’re getting ready to launch the next Global Internet Report! Read the concept note and learn how the Internet Economy might shape our future.


The Future of Online Privacy and Personal Data Protection in Africa

African experts gathered for two days (19-20 February 2018) in Addis Ababa, Ethiopia to contribute to the development of the African Privacy and Personal Data Protection Guidelines. The meeting, facilitated by the African Union Commission (AUC) and supported by the Internet Society, explored the future of privacy and data protection and provided some practical suggestions that African states can consider in implementing the Malabo Convention provisions related to online privacy. The guidelines are aimed at empowering citizens, as well as establishing legal certainty for stakeholders through clear and uniform personal data protection rules for the region.

The expert meeting comes amid growing concern across the world about the need to prepare for the EU General Data Protection Regulation (GDPR), which will be enforced from 25 May 2018. The expert meeting is instead focused on creating general principles for African member states to develop good practices now and in the future. The project, a partnership of the AUC and the Internet Society, follows up on the recommendations of the Africa Infrastructure Security Guidelines, developed in 2017 to help speed up the adoption and subsequent ratification of the Malabo Convention.

Both the Heads of States Summit in January 2018 and Specialized Technical Committee Ministerial meeting endorsed the development of these guidelines as a way to strengthen the capacity of African states to deal with emerging issues in the digital space.

The African privacy and data protection landscape is still nascent, with only 16 of the 55 countries having adopted comprehensive privacy laws regulating the collection and use of personal information (C Fichet, 2015). The African Union Convention on Cyber Security and Personal Data Protection is considered an important first step aimed at creating a uniform system of data processing and determining a common set of rules to govern cross-border transfer of personal data at the continental (African) level, to avoid divergent regulatory approaches between the Member States of the African Union. Now that a continental framework is in place, there is a need for more detailed best practice guidelines on personal data protection to assist countries in the process of domesticating the Malabo Convention into national law.


Join forces to eliminate spam – read the new report from the CRTC

What are the best ways to reduce spam? How can we work together to reduce this threat and create a more trusted Internet?

Last October, in the vibrant city of Bangkok, the Internet Society joined regulators for an in-depth conversation about how to eliminate spam and its harmful effects. Our kind hosts were the Canadian Radio-television and Telecommunications Commission (CRTC) and the International Institute of Communications (ICC).

The CRTC has published a comprehensive and insightful report on the workshop, capturing the key issues, observations, and ways forward. We encourage you to read it carefully. First and foremost, take note of the answer to “why act now?” – it’s a shared responsibility.

This principle lies at the heart of the Internet Society’s Collaborative Security approach. We have a collective responsibility to care for the Internet for everyone.

Spam is not just a nuisance: it’s a vector for malware, fraud and attack. Gone are the days when spam was just an unwanted email. Today, spam is big business.

Spammers are continually adapting their activities to find new ways to exploit users, maximize their profits, and avoid law enforcement. Two areas of increasing concern are botnets and ransomware, both of which are propagated by spam. Europol’s Serious and Organised Crime Threat Assessment for 2017 states that ransomware has become “… the leading malware in terms of threat and impact”. And one only has to look at the 2016 Mirai botnet DDoS attacks to understand the risk they pose to the stability of the Internet.

Eliminating spam requires efforts on all fronts: legal, technical, economic and social. It’s a problem that will need a collection of solutions, carried out through collaboration across borders and across disciplines.

What can governments do? Governments can contribute to combatting spam and its harmful effects by:

  • deterring bad actors through law and enforcement
  • empowering citizens to avoid the dangers of spam
  • fostering cross-discipline anti-spam efforts
  • encouraging anti-spam best practices
  • supporting anti-spam research.

What can you do? Join the fight against spam. Go to our anti-spam toolkit to find out what you can do to protect yourself and others.



My personal highlights of 2016 for the Asia-Pacific Bureau and what’s coming up in 2017

The year 2016 was indeed a successful year for the Internet Society (ISOC) Asia-Pacific (APAC) Team. We were able to leverage many opportunities throughout the year across the region, and together with our members, chapters and partners, we worked towards ensuring that the Internet kept growing and evolving.

For me personally, there were a couple of things that stood out. One was InterCommunity 2016 where we had 11 nodes located throughout the region engaged in robust intra-regional discussions on topical issues.

Another was ISOC’s first Regional Internet and Development Dialogue that brought together a wide range of stakeholders to discuss Internet development issues. At the event, we were able to bring the gender perspective into discussions, and the regional gender and ICT workshop we convened just prior was a valuable initiative that helped shape some of the outcomes.

In November, Kathy and I had the opportunity to visit one of the Wireless for Communities (W4C) sites in Tilonia, India. We observed first-hand the transformative nature of the Internet and what it can do for people at the local community level. The visit was a very fulfilling experience that left us even more committed to connect the unconnected.

So here we are, well into 2017, and it’s certainly shaping up to be a busy year regionally and globally.

On the policy front, we have WTDC scheduled in Argentina in Q4 that will consider a range of development-related issues as they apply to Telecom/ICTs and the Internet. Linked to that will be a number of regional preparatory meetings that we will be closely following in APAC. The first of these took place in Papua New Guinea in February, and the ITU Regional Preparatory Meeting was held in Bali late last month.

Also in Q4, India will host the next edition of the Global Conference on Cyberspace. The Asia-Pacific Regional IGF (APrIGF) will be held in Bangkok in July, and there will be a sprinkling of regional inter-governmental meetings throughout the year organised by APT and others covering cybersecurity, access, development and ICT-related issues.

On the technical front, APRICOT was held in Ho Chi Minh City, Viet Nam in late February, and we are happy to have again supported its fellowship programme. This year we further reinforced our focus on gender, with two-thirds of ISOC fellows at the event being women from developing countries. You can read more about our activities in and around APRICOT in this blog post.

In November, Singapore will host the 100th meeting of the IETF, and we hope that can be further encouragement for participation from Southeast Asia in the IETF. Our IETF Outreach initiative in 2016 was focused on Southeast Asia, and this year we are focusing on South Asia with the programme already underway in Bangladesh, Pakistan and Sri Lanka.

Towards the end of 2016, we added a new team member in APAC focused on technical engagement – Aftab Siddiqui. He will be working on deepening our engagement with the regional technical community. In March, we held a very useful bilateral meeting with APNIC so that we can better coordinate and collaborate on technical activities in the region.

In line with ISOC’s 2017 Action Plan, our regional programmes this year will focus on Trust- and Access-related issues that enable economic, social and human development. The year 2017 is also our 25th anniversary, and we intend to highlight this milestone throughout the year. You can read more about some of the planned activities here.

The fourth edition of our regional policy survey, which will close today, has thus far elicited close to 2,100 responses from participants in 39 economies across the region. Please consider responding to that and share your views on regional Internet issues. You can read the findings from the 2016 survey here and participate in the 2017 survey here.

We are looking at convening a series of workshops on online privacy issues and how that impacts on trust and confidence in the Internet; as well as a couple on digital accessibility following our work in Pakistan on the topic in 2016. The first accessibility workshop was held in Sri Lanka last month, and the first privacy workshop is scheduled for Vanuatu in May.

We also expect to organise a couple of editions of our highly regarded Asia Internet Symposium series that have helped provide a forum to discuss Internet issues of local importance.

InterCommunity 2017 is scheduled for the 19th of September, and will include the presentation of a new class of Internet Hall of Fame inductees and the 25 under 25 who are using the Internet to make a significant impact on society. We hope you can be part of one of our regional nodes – or join us online – as we celebrate 25 years of the Internet Society.

We are also pleased to present our ‘2016: The Year That Was Report’ that provides a snapshot of what we did over the course of 2016. The report includes some activities as reported by our chapters in the region.

To keep up-to-date with where we are and what we are doing throughout the year, please follow us on Twitter @ISOCapac, connect with us on Facebook and subscribe to our monthly newsletter.


New report: “State of DNSSEC Deployment 2016”

State of DNSSEC Deployment 2016

What is the current state of deployment of the DNS Security Extensions (DNSSEC)? How many domains are secured with DNSSEC? What actual usage are we seeing on the Internet? What software is available to help?

For years there have been many statistics about DNSSEC available, but it’s been hard to get an overall picture of deployment. To help with this, we’ve worked over the past few months to pull together as much information as possible into one document:

We encourage you to please read the document – and share it widely with people who need to understand more about the security of the Domain Name System.

We also welcome feedback on questions such as:

  • How helpful did you find the report?
  • What sections were particularly helpful? (or not?)
  • Is there additional information you’d like to see included in a future report?

You can post the feedback here as a comment – or send it to me directly via email.

Our intent is that this will be the first in an ongoing annual series of reports for at least the next few years until DNSSEC is more widely deployed. Our goal is for the “State of DNSSEC Deployment 2017” report to be ready in time for the ICANN 60 DNSSEC Workshop happening in early November 2017 in Abu Dhabi.

I’d like to thank Chip Sharp for all his hard work assembling this report and incorporating feedback. I also want to thank the group of people who provided a quick final review and proofreading in the last weeks of December (noted in the final Acknowledgements section). And I want to thank everyone within the larger DNSSEC community who continue to share their information, statistics and more.

Please do share this State of DNSSEC Deployment 2016 report with others – and if you haven’t done anything with DNSSEC on your own networks or domains, please visit our Start Here pages to learn how you can begin! Together we can make the DNS – and through that the wider Internet – a bit more secure and trusted.


NIST Publishes New Guide: “DNS-Based Email Security” about DANE and DNSSEC

NIST Report on DANE for email

How can we make email more secure and trusted? How can we encrypt all email between mail servers? And how can we use DANE and DNSSEC to provide that added layer of security?

Today the U.S. National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology released a “draft practice guide” exploring those exact questions. Titled “Domain Name Systems-Based Electronic Mail Security (NIST Special Publication 1800-6)”, the document offers guidance to enterprises and others on “how commercially available technologies can meet an organization’s needs to improve email security and defend against email-based attacks such as phishing and man-in-the-middle types of attacks.” Specifically, it gets into how DNSSEC and DANE can be used to authenticate server addresses and the Transport Layer Security (TLS) certificates used for confidentiality.
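As an added illustration of the TLSA check that DANE for mail servers rests on (this is not code from the NIST guide or from this post), the Python below parses a TLSA record in its zone-file form and verifies a server certificate against it, refusing any record that did not arrive DNSSEC-validated. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders rather than real DER, and all function names are my own.

```python
import hashlib
import hmac
from dataclasses import dataclass

# TLSA field values from RFC 6698. For SMTP (RFC 7672) only usages 2 and 3
# are meaningful; this example handles the recommended "3 1 1" form.
USAGE_DANE_TA = 2        # trust-anchor assertion (needs chain building; not done here)
USAGE_DANE_EE = 3        # end-entity certificate or public key
SELECTOR_FULL_CERT = 0   # match against the whole certificate
SELECTOR_SPKI = 1        # match against SubjectPublicKeyInfo only
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2

# Constructed placeholders standing in for DER-encoded bytes obtained from a
# real TLS handshake; they are NOT valid ASN.1.
CERT_DER = b"constructed-placeholder-end-entity-certificate"
SPKI_DER = b"constructed-placeholder-subject-public-key-info"


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    cert_assoc_data: bytes

    @classmethod
    def from_presentation(cls, rdata: str) -> "TLSARecord":
        """Parse zone-file rdata: '<usage> <selector> <matching type> <hex...>'.
        The hex field may be split over several whitespace-separated tokens."""
        parts = rdata.split()
        if len(parts) < 4:
            raise ValueError("TLSA rdata needs four fields")
        usage, selector, mtype = (int(p) for p in parts[:3])
        if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
            raise ValueError("unknown TLSA field value")
        return cls(usage, selector, mtype, bytes.fromhex("".join(parts[3:])))


def certificate_association_data(cert_der: bytes, spki_der: bytes,
                                 selector: int, mtype: int) -> bytes:
    """Compute the bytes a TLSA record would carry for this certificate."""
    data = cert_der if selector == SELECTOR_FULL_CERT else spki_der
    if mtype == MATCH_EXACT:
        return data
    if mtype == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError("unsupported matching type")


def publish_tlsa_rdata(spki_der: bytes) -> str:
    """What the domain owner publishes at _25._tcp.<mx-host>: the '3 1 1' form."""
    digest = certificate_association_data(b"", spki_der, SELECTOR_SPKI, MATCH_SHA256)
    return f"{USAGE_DANE_EE} {SELECTOR_SPKI} {MATCH_SHA256} {digest.hex()}"


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes,
                 dnssec_validated: bool) -> bool:
    """True only if the served certificate matches a DNSSEC-validated DANE-EE record."""
    # A TLSA answer whose DNSSEC validation failed (or was never done) must be
    # ignored: otherwise a forged DNS reply could pin an arbitrary certificate.
    if not dnssec_validated:
        return False
    if record.usage != USAGE_DANE_EE:
        return False  # DANE-TA (usage 2) requires validating a chain; out of scope here
    expected = certificate_association_data(cert_der, spki_der,
                                            record.selector, record.matching_type)
    return hmac.compare_digest(expected, record.cert_assoc_data)
```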

As NIST states on their web page, the goal of the project around this publication is:

  • Encrypt emails between mail servers
  • Allow individual email users to digitally sign and/or encrypt email messages
  • Allow email users to identify valid email senders as well as send digitally signed messages and validate signatures of received messages

You can download the guide or sections of it from that web page.

NIST is seeking public comments on this new guide from today through December 19, 2016.

It’s great to see NIST publishing this document and we hope everyone reading this post will take a look and spread the word.

And if you are interested in getting started with DNSSEC and DANE, please visit our Start Here page to find resources to help.


ENISA Report On Secure Routing And Network Resiliency

What is the state of our routing infrastructure and what can be done to make it more secure and resilient?

In July 2010, the European Network and Information Security Agency (ENISA) published a report on this topic called:

It begins with a paragraph that I think will resonate with most of us:

Reliable communications networks and services are now critical for public welfare and economic stability. Intentional attacks on the Internet, disruptions due to physical phenomena, software and hardware failures, and human mistakes all affect the proper functioning of public communications networks. Such disruptions reveal the increased dependence of our society on these networks and their services. A vital part of reliable communication networks is the routing infrastructure.

The report goes on at great length to present the results of a survey of network operators within the European Union about their use of – or plans to use – secure routing technologies within their networks. The report is quite useful in the background it first provides on routing security concerns and some of the proposed solutions. It then goes into a detailed analysis of the survey results.

While the data is now close to three years old (the interviews were conducted in March/April 2010), many of the points are quite similar to more recent analyses. A key point I noticed was this:

Overall, the lack of available knowledge and skills in routing security is recognised as a major barrier hindering further improvements in routing security, as became clear both from the online survey and the interviews.

Addressing this point by helping promote more awareness and education around routing security / resiliency is a primary aspect of our new Routing section here on Deploy360!

Overall, the report makes for good reading if you are looking to understand more about the topic of “routing resiliency / security.” There has been a good bit of progress made within some of the working groups mentioned since the time of the report, but it still provides a solid foundation and background.


Report: Routing Resiliency Measurements – Where We Are And What Needs To Be Done

What is the actual frequency of routing security incidents? And what are the operational and economic impacts of such incidents?

We all know that “routing security” incidents happen, but it’s hard to get a grasp on exactly what the situation is.  To that end, our colleagues in the Internet Society Standards and Technology team organized a “Routing Resiliency Measurements Workshop” in November 2012 to bring together participants from network operators, research labs, universities and vendors to explore what we can measure now – and what we need to do to start collecting more accurate measurements.  The team has now published a report:

and our colleague Andrei Robachevsky has published some observations about the workshop.  As Andrei notes, the point of the workshop was to address three main questions:

  1. What level of attack has there been in the past – to what extent do security incidents happen, but go unnoticed, or get dealt with inside a single network, possibly introducing collateral damage?
  2. Are the number and impact of service disruptions and malicious activity stable, increasing, or decreasing?
  3. Can we understand why, and track it collectively?

The report goes into some detail on what was discussed in the workshop and some of the approaches that were outlined.  As Andrei relays in his post, the workshop didn’t magically produce answers to all these questions… but it did lay the foundation for where more work needs to occur.

As we open up the new topic area of Routing Resiliency / Security here on Deploy360, we intend to bring you more information from workshops such as these… and ultimately more of the solutions and best operational practices that can lead to a more resilient and secure Internet.