Cooperation Working Group Minutes RIPE 82

Tuesday, 18 May 2021, 16:00-17:00
Chairs: Desiree Milosevic, Johan (Julf) Helsingius, Achilleas Kemos
Scribe: Gergana Petrova
Status: Draft

Achilleas welcomed attendees to the session and introduced the newly elected Chair Desiree. During RIPE 83, they will start the procedure to elect the two Chairs of the WG - the positions of Achilleas and Julf, who started their terms at the same time. He asked the audience to approve the minutes from RIPE 81 as well as the agenda for the session. Then he invited Desiree to chair the session.

1. The Digital Services Act Overview

Agne Kaarlep, European Commission

This presentation is available at
https://ripe82.ripe.net/wp-content/uploads/presentations/54-DSA_RIPE.18.05.21.pdf 

Brett Carr, Nominet UK, asked whether a service provider who is not located in a member state but provides services to people in a member state is still subject to the Digital Service Act (DSA) and if so, who enforces the act should they not comply.

Agne answered that all providers with a substantial connection to the EU (providing services or targeting users in the EU) will have to appoint a legal representative in a member state of their choosing. There are similar provisions in other regulations such as GDPR and proposals such as e-evidence. The member state where the representative is based will be responsible for ensuring compliance to the rules.

Desiree commented that there was a lively discussion in the chat and encouraged everyone to continue the dialogue on the mailing list.

Sia Saatpoor, Loguis, asked what the penalties are for companies that do not comply with the obligations.

Agne said that the DSA provides an extensive enforcement mechanism. Chapters 4 and 5 outline the fines, the maximum amount of which is 6% of the global turnover of the company.

Nigel Hickson, DCMS UK Government, asked whether a site selling "widgets" in the UK would be covered if it does not specifically target EU customers.

Agne answered that the assessment will always be case-by-case. If there is no specific targeting but there are still many EU citizens that use the service, members states could argue for the DSA to apply. A very UK-centric platform, where you can only pay in pounds and that has no real connection to the EU might not be covered, but the determination will be made case-by-case.

Andrew Campling, 419 Consulting, said that some large tech companies maintain that the Internet should have its own jurisdiction outside of the reach of national legislation and asked Agne if she agreed.

Agne disagreed. She explained that the EU creates its own rules and these need to be implemented online by everyone offering services in the union. The E-commerce directive is only applicable to companies established in the EU, while the DSA has a different approach, namely: if a company offers services in the union, then they have to comply.

Jim Reid, independent, asked who would make the case-by-case judgment for a non-EU provider.

Agne answered that the as one member starts noticing problems with a certain provider who is not established in the union, the member state can exercise its jurisdiction via already existing international agreements.

Later in the chat Agne highlighted that the DSA goes beyond takedown approach but only for very large online platforms where it obliges these to assess the risks their systems pose to the spread of illegal content, the risks to fundamental rights and intentional manipulation of their service. More information can be found on the European Commission website.

Andrew Campling, 419 Consulting, commented that legislative requirements vary significantly across member states, complicating compliance and asked if there is a way towards convergence.

Agne explained that the DSA does not legislate what is illegal, rather the procedures and requirements of how a request can be made for content to be taken down. A harmonized set of rules will explain how content can be removed. This includes a language regime and other provisions which will ensure uniformity of how companies can be approached. This will also ensure that different national rules will not hinder the offering of services in the single market. Defining illegal or hate speech is not in the scope of the act.

2. The Digital Services Act

Polina Malaja, Policy Advisor at CENTR

This presentation is available at
https://ripe82.ripe.net/wp-content/uploads/presentations/54-DSA_RIPE.18.05.21.pdf 

Andrew Campling, 419 Consulting, asked how operators can comply with the often conflicting requirements of individual Member States, given that it is possible to obscure the geographic origin of a query to a DNS resolver.

Polina answered that this is difficult to enforce, and that it depends on the Digital Service Coordinators. The action taken will depend on the TLD, rather than the source of the traffic.

Desiree asked Polina to explain next steps for the DSA.

Polina explained that the text is now with co-legislators in the EU Parliament and the EU Council. She encouraged everyone to share concerns and insights with their respective parliamentarians and authorities at the national level to make sure the voice of the technical community is taken into consideration.

Niall O'Reilly, RIPE Vice Chair, asked if there was a boundary of scope between DSA and NIS2, or if they overlapped.

Polina answered that the overlap is not evident. NIS provides a definition of a DNS service provider and a TLD registry, while the DSA is focused on the service and not so much on the operator. However, EU legislations don’t exist on their own and definitions from the NIS2 can be taken when applying the DSA.

3. Disposable Identities, the Solution to Privacy, Security and Infrastructure in an #IoT World

Rob van Kranenburg, Founder of #Iot Council and #iotoday

This presentation is available at:
https://ripe82.ripe.net/wp-content/uploads/presentations/11-RobvankRIPE.pdf

Desiree asked what the next steps are within the groups with which he works to have a pilot programme.

Rob answered that he was part of the IoT expert group in 2009 and 2010 which focused on object infrastructure and 5G. The group realised that traffic would mostly be machine to machine and personally related things would not be that relevant. We see new protocols emerging and new developments creating new roles and identities. The role of the new ISP will be to issue (viable) credentials. Microsoft is pushing the issue of credentialing. For the past 50-60 years we’ve been developing speed and resilience, but we have not worked on an identity layer, which was done deliberately.

Because of the rapid development of crypto technology Rob predicts that a lot of the functions and actors of today’s Internet will change, and they will be tied to the notion of a self-sovereign identity. There are proposals in the EU Commission that aim to bring identity into the Internet layer. At the moment, there are commercial identity providers like itsme.be in Belgium, who have two million people in their system. Self sovereign identity is the only way for national states to hide their legacy in verifiable claims and credentials. Once there is a kind of wallet, we may have a new protocol and a fully centralised system.

End of session.

RIPE Forum

The RIPE Forum is an additional way to participate in RIPE community mailing list discussions using a web-based interface rather than an email client.

Check out the forum