20 April 2018

UK Artificial Intelligence

The House of Lords has released a report on artificial intelligence in the UK, titled AI in the UK: Ready, Willing and Able?

The report features a useful discussion of concerns regarding provision by the Royal Free London Hospital Trust (i.e. an NHS unit) of bulk patient data to Alphabet (Google's parent).

The summary states
Our inquiry has concluded that the UK is in a strong position to be among the world leaders in the development of artificial intelligence during the twenty-first century. Britain contains leading AI companies, a dynamic academic research culture, a vigorous start-up ecosystem and a constellation of legal, ethical, financial and linguistic strengths located in close proximity to each other. Artificial intelligence, handled carefully, could be a great opportunity for the British economy. In addition, AI presents a significant opportunity to solve complex problems and potentially improve productivity, which the UK is right to embrace. Our recommendations are designed to support the Government and the UK in realising the potential of AI for our society and our economy, and to protect society from potential threats and risks.
Artificial intelligence has been developing for years, but it is entering a crucial stage in its development and adoption. The last decade has seen a confluence of factors—in particular, improved techniques such as deep learning, and the growth in available data and computer processing power—enable this technology to be deployed far more extensively. This brings with it a host of opportunities, but also risks and challenges, and how the UK chooses to respond to these, will have widespread implications for many years to come. The Government has already made welcome advances in tackling these challenges, and our conclusions and recommendations are aimed at strengthening and extending this work.
AI is a tool which is already deeply embedded in our lives. The prejudices of the past must not be unwittingly built into automated systems, and such systems must be carefully designed from the beginning. Access to large quantities of data is one of the factors fuelling the current AI boom. We have heard considerable evidence that the ways in which data is gathered and accessed needs to change, so that innovative companies, big and small, as well as academia, have fair and reasonable access to data, while citizens and consumers can protect their privacy and personal agency in this rapidly evolving world.
To do this means not only using established concepts, such as open data and data protection legislation, but also the development of new frameworks and mechanisms, such as data portability and data trusts. Large companies which have control over vast quantities of data must be prevented from becoming overly powerful within this landscape. We call on the Government, with the Competition and Markets Authority, to review proactively the use and potential monopolisation of data by big technology companies operating in the UK.
Companies and organisations need to improve the intelligibility of their AI systems. Without this, regulators may need to step in and prohibit the use of opaque technology in significant and sensitive areas of life and society. To ensure that our use of AI does not inadvertently prejudice the treatment of particular groups in society, we call for the Government to incentivise the development of new approaches to the auditing of datasets used in AI, and to encourage greater diversity in the training and recruitment of AI specialists.
The UK currently enjoys a position as one of the best countries in the world in which to develop artificial intelligence, but this should not be taken for granted. We recommend the creation of a growth fund for UK SMEs working with AI to help them scale their businesses; a PhD matching scheme with the costs shared between the private sector; and the standardisation of mechanisms for spinning out AI start-ups from the excellent research being done within UK universities. We also recognise the importance of overseas workers to the UK’s AI success, and recommend an increase in visas for those with valuable skills in AI-related areas. We are also clear that the UK needs to look beyond the current data-intensive focus on deep learning, and ensure that investment is made in less researched areas of AI in order to maintain innovation.
Many of the hopes and the fears presently associated with AI are out of kilter with reality. While we have discussed the possibilities of a world without work, and the prospects of superintelligent machines which far surpass our own cognitive abilities, we believe the real opportunities and risks of AI are of a far more mundane, yet still pressing, nature. The public and policymakers alike have a responsibility to understand the capabilities and limitations of this technology as it becomes an increasing part of our daily lives. This will require an awareness of when and where this technology is being deployed. We recommend that industry, via the AI Council, establish a voluntary mechanism to inform consumers when artificial intelligence is being used to make significant or sensitive decisions.
AI will have significant implications for the ways in which society lives and works. AI may accelerate the digital disruption in the jobs market. Many jobs will be enhanced by AI, many will disappear and many new, as yet unknown jobs, will be created. A significant Government investment in skills and training is imperative if this disruption is to be navigated successfully and to the benefit of the working population and national productivity growth. This growth is not guaranteed: more work needs to be done to consider how AI can be used to raise productivity, and it should not be viewed as a general panacea for the UK’s wider economic issues.
As AI decreases demand for some jobs but creates demand for others, retraining will become a lifelong necessity and pilot initiatives, like the Government’s National Retraining Scheme, could become a vital part of our economy. This will need to be developed in partnership with industry, and lessons must be learned from the apprenticeships scheme. At earlier stages of education, children need to be adequately prepared for working with, and using, AI. For a proportion, this will mean a thorough education in AI-related subjects, requiring adequate resourcing of the computing curriculum and support for teachers. For all children, the basic knowledge and understanding necessary to navigate an AI-driven world will be essential. In particular, we recommend that the ethical design and use of technology becomes an integral part of the curriculum.
In order to encourage adoption across the UK, the public sector should use targeted procurement to provide a boost to AI development and deployment. In particular, given the impressive advances of AI in healthcare, and its potential, we considered the health sector as a case study. The NHS should look to capitalise on AI for the public good, and we outline steps to overcome the barriers and mitigate the risks around widespread use of this technology in medicine.
Within the optimism about the potential of AI to benefit the UK, we received evidence of some distinct areas of uncertainty. There is no consensus regarding the adequacy of existing legislation should AI systems malfunction, underperform or otherwise make erroneous decisions which cause harm. We ask the Law Commission to provide clarity. We also urge AI researchers and developers to be alive to the potential ethical implications of their work and the risk of their work being used for malicious purposes. We recommend that the bodies providing grants and funding to AI researchers insist that applications for such funding demonstrate an awareness of the implications of their research and how it might be misused. We also recommend that the Cabinet Office’s final Cyber Security & Technology Strategy consider the risks and opportunities of using AI in cybersecurity applications, and conduct further research as how to protect datasets from any attempts at data sabotage.
The UK must seek to actively shape AI’s development and utilisation, or risk passively acquiescing to its many likely consequences. There is already a welcome and lively debate between the Government, industry and the research community about how best to achieve this. But for the time being, there is still a lack of clarity as to how AI can best be used to benefit individuals and society. We propose five principles that could become the basis for a shared ethical AI framework. While AI-specific regulation is not appropriate at this stage, such a framework provides clarity in the short term, and could underpin regulation, should it prove to be necessary, in the future. Existing regulators are best placed to regulate AI in their respective sectors. They must be provided with adequate resources and powers to do so.
By establishing these principles, the UK can lead by example in the international community. There is an opportunity for the UK to shape the development and use of AI worldwide, and we recommend that the Government work with Government-sponsored AI organisations in other leading AI countries to convene a global summit to establish international norms for the design, development, regulation and deployment of artificial intelligence.

18 April 2018

Reforming auDA and the dot au ccTLD

As a member of several auDA working parties in a past life I expressed concerns regarding regulatory capture. The substantive nature of those concerns is evident in the Commonwealth government's Review of the .au Domain Administration report released today.

The report states
On 19 October 2017, the Minister for Communications, Senator the Hon Mitch Fifield, announced a review of Australia’s management of the .au domain (the Review). The not-for-profit .au Domain Administration (auDA) oversees the operation and management framework of the .au domain of the internet. auDA is endorsed by the Australian Government as the appropriate entity to administer Australia’s country code Top-Level Domain (ccTLD)—the .au domain—on behalf of Australian internet users.
The digital landscape has changed significantly since auDA was endorsed by the Australian Government in 2000. The internet has become all-pervasive and a critical enabler of the digital economy. The .au namespace plays an important role in supporting the digital economy, allowing entities and organisations to register domain names. As of late September 2017, over 3 million .au domain names had been registered in Australia.
While internet usage continues to grow, the overall communications environment is changing. Australians are accessing the internet in different ways and cyber security threats are increasingly prevalent. Future trends may have an impact on the domain space and it is important Australia has an effective .au administrator that is able to ensure the ongoing availability of .au domains while navigating future uncertainty.
auDA’s governance arrangements have not changed significantly since it was first established, with its structure and approach to governance set at a point in time when the internet and the domain industry was still in its infancy. The Review has found that reforms to auDA’s governance arrangements are necessary if the company is to perform effectively and meet the needs of Australia’s internet community.
In undertaking the Review, the Department has reflected on three principles:
• The Australian Government is committed to strengthening multi-stakeholder mechanisms for internet governance, noting the diversity of auDA’s stakeholders. 
• The .au namespace is a public asset given its increasing importance to the daily lives of Australians and should be governed with community interests in mind. 
• auDA has a monopoly position in administering the .au namespace and should be subject to stringent oversight requirements.
Importantly, the review acknowledges that auDA has overseen a significant ramp up in the number of domain names and has introduced many important policy and security initiatives. auDA has contributed to .au being seen globally as a secure and trusted namespace.
The government's Findings are -
The central finding of the Review is the current management and governance framework for auDA is no longer fit-for-purpose and that reform is necessary if the company is to perform effectively and meet the needs of Australia’s internet community.
In particular, the current membership model, and its relationship to corporate governance, is impeding auDA’s decision making and is contributing to ongoing organisational instability. The membership class structure is not reflective of Australia’s internet community nor auDA’s stakeholders. The current process where the majority of directors are appointed from the membership does not support effective governance outcomes.
Further, directors can be elected to the board with little regard to the skills required to effectively govern a modern domain administrator. Directors are also not required to meet probity, security or conflict of interest checks.
Ultimately, current governance and management framework arrangements are not satisfactory given the importance of the .au namespace to the Australian community. In considering stakeholder feedback and better practice guidelines, the Review identifies a range of reforms to improve stakeholder engagement, transparency and accountability, and mechanisms to promote trust and confidence in the .au domain name.
The Review considers that significant and urgent reforms are necessary to ensure that the .au namespace is administered in line with community and the Australian Government’s expectations.
To achieve this, the Review has made recommendations focusing on:
• clarifying the role of the .au domain administrator to ensure its activities are aligned with its responsibilities 
• reforming the management framework to support improved transparency, consultation and accountability by providing greater guidance on performance and reporting requirements 
• supporting effective stakeholder engagement and better representation of the Australian internet community, by acknowledging the .au DNS as a public asset and the multi-stakeholder approach to internet governance 
• outlining the role and expectations of the Australian Government 
• fostering greater trust and confidence in the .au namespace by enhancing security best practice and coordination of DNS administration.
... Reforming auDA will be a substantial process. Changes to its governance and membership arrangements involves significant constitutional reform, which requires the support of the membership base. The extent to which the membership supports reform is unclear.
The Review proposes two options to implement recommendations. The first option would see the Minister for Communications issuing revised terms of endorsement to auDA supported by an implementation plan with clearly identified milestones for reform. This plan would see a clear pathway for reform in place by three months, significant progress by 12 months, and the full reform package implemented within 24 months.
Alternatively, the Government could consider issuing an expression of interest to assess whether an alternative provider is able to perform the .au domain administration function in line with the revised terms of endorsement. This option may identify a viable alternative provider for the administration of the .au namespace mitigating the risk that constitutional reform of auDA cannot be achieved.
The stability, resilience and security of the .au namespace is paramount to the Government. The review recommends that auDA be given the opportunity to conduct the necessary reforms. However, the Government is committed to implementation of timely reform and will take action to ensure that Australia’s domain name is administered effectively and in the interest of all Australians. This includes transitioning the delegation for management of .au to another provider if auDA is unable to achieve necessary outcomes.
On that basis the report features the following recommendations
Purpose of the .au domain administrator
1. While auDA has an ongoing role in the security and stability of the .au space including as part of the critical infrastructure sector, this should not in the foreseeable future alter auDA’s role and purpose. 
2. That auDA continue to operate as a not-for-profit entity and does not seek to maximise profit. 
3. Consideration of commercial strategies relevant to the sustainability of the domain administrator should not detract from the domain administrator’s core function as described in the terms of endorsement and core purpose.
Management framework
4. That auDA provide an annual Strategic Plan covering at least a four-year-period and with the Strategic Plan reflecting company purpose and terms of endorsement. The auDA Board and management should present progress against the organisation’s purpose and its strategic objectives at auDA’s Annual General Meeting and in its Annual Report. 
5. That auDA develop a KPI framework to:
a. measure its performance against its stated objectives in its terms of endorsement
b. report against in its Annual Report and at its Annual General Meeting.
6. As part of its Strategic Plan, that auDA outline how it intends to discharge its functions as a not-for-profit company and report on its effectiveness in its Annual Report and at its Annual General Meeting.
Transparency and consultation
7. That auDA reform its governance arrangements to ensure: 
a. that the nomination of all Board positions is undertaken by a Nomination Committee comprised of representatives from industry, the business sector, consumers, an auDA member representative, and the Commonwealth, represented by the Department
i. in establishing the Nomination Committee, the auDA Board will undertake a consultative merit-based process to identify members, with a Department representative as a panellist, and the Department to select the committee members from this process 
ii. the Nomination Committee will undertake probity and disclosure assessments and develop a skills matrix to ensure new directors have an appropriate mix of technical and corporate skills and industry experience 
iii. the Nomination Committee will shortlist: member candidates to stand for election by members; and independent candidates to stand for election by the Board 
iv. however, the first Board, following the reform of auDA’s governance arrangements will be selected according to the skills mix identified by the Nomination Committee with shortlisted nominees agreed with the Department 
b. length of terms directors can serve is capped at three years with directors appointed for no more than two consecutive terms 
c. the Board is structured so that the majority of the Board is independent of auDA’s membership 
d. that within 12 months the Board is reconstituted to ensure all appointments meet this criteria.
8. That auDA establish a Board Charter:
a. to set out the respective roles and responsibilities of the Board, Chair and CEO 
b. to set out the basis for appointment of the Chair 
c. that requires the Board to report on an annual basis to stakeholders publicly on its performance against this charter. 
9. That auDA:
a. formalise its transparency and accountability framework, consistent with recommendations in the Westlake review 
b. report annually on its performance against the framework in its Annual Report and at its Annual General Meeting.
Membership
10. That auDA reforms its existing membership model by creating a single member class or a functional constituency model and that membership reform is non-discriminatory and supported with transparent membership guidelines. 
11. That auDA diversify its member base in the short-term with a focus on extending membership to stakeholders that are underrepresented. 
12. That auDA report annually on its initiatives for growing its membership, and their effectiveness at diversifying the membership in its Annual Report and at its Annual General Meeting. 
13. That auDA review its assessment process for new members, in conjunction with the implementation of Recommendations 10, 11 and 12. 
Expectations and role of the Government 
14. That the Minister for Communications issue new terms of endorsement, setting out the Government’s expectations for .au domain administration and that auDA respond by publishing a statement on how it will deliver on these expectations. 
15. That the Government review these terms of endorsement within two years from when they are issued to ensure they remain fit-for-purpose, with reviews scheduled every three years going forward. 
16. That the Department of Communications and the Arts adopts a more formal oversight role of auDA, including that:
a. auDA report quarterly to the Department on its implementation of reforms, work agenda and key work priorities 
b. the Department conducts independent verification of some or all of auDA’s reporting provided through its Annual Report, including those requirements identified as part of the review 
c. a senior executive officer from the Department continue as a non-voting observer at auDA Board meetings and is present for all decisions taken by the Board. 
17. That the oversight role of the Department of Communications and the Arts is reviewed periodically by Government to ensure it is fit-for-purpose. 
Stakeholder engagement 
18. That auDA develops a public stakeholder engagement strategy and implementation plan to articulate how it will engage with stakeholders in all levels of operation and decision making. 
19. Through its Annual Report and at its Annual General Meeting, auDA should report on its performance against its stakeholder engagement strategy. 
20. That auDA publish conclusions from its review on its community activities and publish an implementation plan on future community activities. 
21. That auDA continue to engage with ICANN and other international bodies to represent Australian interests. 
22. That auDA’s stakeholder engagement strategy (Recommendation 18) include ICANN and other relevant international fora and bodies. 
23. As part of its Strategic Plan (Recommendation 4), auDA publishes a forward-looking international travel schedule and describes in its Annual Report the effectiveness of its international activity.
Trust and confidence in .au
24. As part of its international engagement (Recommendations 21, 22 and 23), auDA engage with key international security fora including ICANN’s Security and Stability Advisory Committee to ensure that it is kept updated on international security developments. 
25. That auDA develop and implements an enterprise security strategy based on domestic and international best practice in consultation with all relevant stakeholders. 
26. That auDA publishes a public facing version of its enterprise security strategy, having regard to relevant sensitivities. 
27. As part of its stakeholder engagement plan (Recommendation 18), that auDA maps its relationship with Australian Government security agencies and the internet industry and community on security of the .au namespace. 
28. That the Department of Communications and the Arts facilitate partnerships between auDA and relevant cyber security agencies. 
29. As part of its quarterly reports to Government (Recommendation 16) that auDA report on its security activities.
The report identifies new terms of endorsement
Preamble
Australia’s country-code Top Level Domain (ccTLD) is an important resource, given the growing reliance of Australians on the .au namespace for economic and social activities. Noting there is a diversity of stakeholders in this namespace, the management of the .au domain must support multi-stakeholder engagement and be administered in the public interest. Responsibility for the administration of .au is ultimately derived from, and is subject to, the authority of the Commonwealth. The Australian Government can delegate the responsibility for managing the .au namespace to an appropriate entity or organisation. However, endorsement from Government is contingent on the entity satisfying a number of conditions. The Government provides the following terms of endorsement to auDA, as the .au domain administrator.
Core functions
The .au domain administrator will undertake the following core functions:
• ensure stable, secure and reliable operation of the .au domain space
• respond quickly to matters that compromise DNS security
• promote principles of competition, fair trading and consumer protection
• operate as a fully self-funding and not-for-profit organisation
• actively participate in national and international technical and policy namespace fora to ensure that Australia’s interests are represented and to identify trends and developments relevant to the administration of the .au namespace
• establish appropriate dispute resolution mechanisms.
Emerging domain issues such as commercial opportunities should not detract from the domain administrator performing its core functions.
Conditional requirements
In undertaking these functions, the .au domain administrator will uphold the following requirements and conditions:
Effective governance arrangements for the .au namespace
Good governance practices provide the foundation for the effective management of the .au ccTLD. The .au domain administrator must implement a governance structure that supports effective decision-making and represents the interests of stakeholders in a transparent and accountable manner.
Conditions:
That the .au domain administrator has:
• a governance structure which includes the following characteristics: 
• an independent process that can provide assurances of the suitability of candidates considered for board appointments, such as a Nomination Committee 
• a board that has the collective mix of technical and corporate skills, and industry experience, to effectively administer the .au namespace 
• a board that appoints a majority of directors who are independent of the organisation, including the Chair 
• appointment terms that support ongoing board renewal 
• a Board Charter that outlines the roles and responsibilities of the board, Chair and CEO and the basis for appointment of the Chair.
Facilitate effective stakeholder engagement
Noting that the .au namespace has a diversity of stakeholders, the .au domain administrator must engage and consult widely to ensure it can effectively represent the views of its stakeholders.
Conditions: 
That the .au domain administrator:
• consults with stakeholders on deliberations and decisions that will impact on the Australian internet community 
• develop a comprehensive stakeholder engagement plan, including how it will engage with key stakeholders such as industry, members of the community, Government and relevant international bodies and organisations  
• consistent with this stakeholder engagement plan, participate in international fora and relevant community activities 
• has a clearly defined membership structure that can represent the views of the Australian internet community 
• initiate activities that engage the internet community and support the diversification of its member base 
• establish an effective process for assessing and processing new members.
Support accountability and transparency
In managing a public asset, the .au domain administrator will be accountable to its stakeholders, including the Australian Government. Improved transparency and accountability is necessary to provide the assurance that the .au namespace is being managed consistent with Government and community expectations.
Conditions:
That the .au domain administrator has:
• an annual strategic plan that reflects these Terms of Endorsement and the company’s purpose with reference to how it will discharge its functions as a not-for-profit entity 
• a transparency and accountability framework 
• an effective reporting framework which would include reporting through its Annual Report and at its Annual General Meeting on performance against: 
• these terms of endorsement, supported by a key performance indicator framework
• board performance against its charter
• its strategic plan
• the transparency and accountability framework
• stakeholder engagement activities including international and community activities and initiatives that aim to expand the member base.
Engagement with the Australian Government
In providing its endorsement for an entity to administer what is a public asset, the Government has a strong interest in the management of Australia’s ccTLD. 
Conditions: 
That the .au domain administrator:
• provide quarterly updates on performance and work priorities to the Department 
• acknowledge that the Government reserves the right to independently review auDA’s reporting and reporting processes at any time 
• ensure that a senior officer from the Department is included in all relevant auDA governance processes, including, but not limited to, non-voting observer status at board meetings for all decisions 
• develop a strategy to enable an orderly transition to an alternative domain administrator in the event that endorsement is withdrawn by the Government.
Support trust and confidence in .au
Confidence in the .au namespace will be critical to the growth of Australia’s economy. In addition to the Department of Communications and the Arts, there are a number of other Australian Government agencies that have a role in supporting the security and stability of .au.
Conditions:
That the .au domain administrator:
• engage with key international security fora to ensure it is aware of international security developments and best practice 
• develop, maintain and, to the greatest extent possible, publish an enterprise security strategy which is informed by domestic and international best practice 
• work with the Department of Communications and the Arts to facilitate partnerships between auDA and relevant cyber security agencies
Commencement of these terms of endorsement
In agreeing to the terms of endorsement, the .au domain administrator is required to respond in writing within three months, providing an implementation plan on how it will meet these terms. The Australian Government will conduct a review within two years to assess the performance of the .au domain administrator and consider whether these terms of endorsement remain fit-for-purpose.

17 April 2018

Big Data

'The Use of Big Data Analytics by the IRS: What Tax Practitioners Need to Know' by Kimberly Houser and Debra Sanders in (2018) 128(2) Journal of Taxation comments
With the budget reductions and losses in staff over the past several years, the IRS has been forced to do more with less. In turn, the IRS has turned to big data analytics to make up for its loss of personnel and the impact of the budget reductions. In 2011, the IRS created the Office of Compliance Analytics in order to create analytics programs that could identify potential refund fraud, detect taxpayer identity theft, and become more efficient in handling noncompliance issues. The IRS uses a wide range of analytic methods to mine public and commercial data including social media sites such as Twitter, Facebook, and Instagram. The data collected from this mining is combined with IRS’s own proprietary information and analyzed using pattern recognition algorithms, which help to identify potential noncompliant taxpayers. The current ability to continuously monitor financial and personal behavior facilitates the building of exhaustive histories of individuals. Knowing that the IRS is utilizing public internet data from websites such as Facebook, taxpayers should consider that their posts could impact their probability of audit.
‘Data Science, Data Crime and the Law’ by Maria Grazia Porcedda and David S. Wall in Research Handbook on Data Science and Law (Edward Elgar, 2018) comments
This chapter explores the relationship between data science, data crimes and the law. It illustrates how big data is responsible for big data crimes, but that data science and law could mutually help each other by identifying the ethical and legal devices necessary to enable big data analytic techniques to identify the key stages at which data crimes take place and also prevent them. The first part looks at the strengths and weaknesses of data science (big data analytics). The second part explores the data crimes created by Big Data to understand their risks, threats, and harms. The third part discusses the opportunities and limitations of the use of data science in surveillance and criminal prosecution to consider whether the predictive (anticipatory) qualities of Big Data analytics could be applied to identify Big Data Crime.

Plagiarism

The New York Times features an article on controversy about potential expulsion of Eric K. Noji from the US National Academy of Medicine.
 Here is how Dr. Noji’s work is described on one of his LinkedIn pages: “So much has been said and written about the life and work of Eric Noji, a story so mythic in its epic sweep and inspirational in its chronology of service and unrelenting self-sacrifice on behalf of those who suffer that it is difficult to summarize.” Dr. Noji also, until recently, listed impressive honors: the Ordre des Palmes Academiques, presented by President Hollande of France; nomination to the Royal College of Physicians of London; the Antarctica Medal of Honor for Scientific Exploration; and an M.B.A. from Stanford. 
But the French never bestowed that award on Dr. Noji. The Royal College didn’t nominate him. There is no such prize as the Antarctica Medal of Honor for Scientific Exploration. Stanford Business School says it has no record of his existence. And some of his papers plus a book chapter were copied from former colleagues at the Centers for Disease Control and Prevention and the Agency for International Development, according to a complaint filed with the academy by Dr. Arthur Kellermann, dean of the nation’s military medical school. 
It's an echo of inventions such as that noted here, here and here ... and the debunking of CV creativity involving IT executive Jeff Papows
So he's not an orphan, his parents are alive and well. 
He wasn't a Marine Corps captain, he was a lieutenant. 
He didn't save a buddy by throwing a live grenade out of a trench. 
He didn't burst an eardrum when ejecting from a Phantom F4, which didn't crash, not killing his co-pilot. 
He's not a tae kwon do black belt, and he doesn't have a PhD from Pepperdine University.

13 April 2018

Domains

The AIC research report by Tony Krone and Russell Smith on Criminal misuse of the Domain Name System comments
The DNS is a naming system for resources, such as personal computers or other devices, that connect to the internet via the World Wide Web. It coordinates internet addresses and domain names—the two kinds of unique identifiers that make internet connection possible. The study was funded by the auDA Foundation, which was established by the .au Domain Administration (auDA), the policy authority and industry self-regulatory body for the .au domain space in Australia. The aim was to support the objective of the Foundation by ‘promoting and encouraging educational and research activities that will enhance the utility of the Internet for the benefit of the Australian community’ (auDA Foundation 2015).
Methodology
Public source, non-technical literature was comprehensively reviewed to identify instances of DNS misuse, the risks that led to the commission of these instances, and the crime prevention and regulatory measures available to address the problem. The study was particularly focused on exploring existing legal and criminological frameworks that could be used to conceptualise the problem of DNS misuse and provide a framework for developing effective control strategies.
The literature review was international and examined English-language resources including academic sources, legal databases and relevant policy documents. The review primarily focused on the risks of misuse of the DNS from an Australian perspective although, due to the global nature of the internet, all legitimate users would benefit in many ways from a more secure and trusted domain name system, both as domain name owners and consumers.
Scope
The results address current identified risks, but they could also inform further and more detailed cross-disciplinary research into the nature of the problem and appropriate solutions. The research was not intended to be an overly technical examination of the problem and does not address the architectural or programming features of particular examples of misuse. Rather, it explores the issue from a policy perspective that will be beneficial in devising appropriate legal and policy responses.
The research looks at the connections that exist between various forms of misuse and DNS governance. The discussion explores the internet as a network of networks based on an addressing system known as the Internet Protocol (IPv4 and IPv6), which creates IP addresses for resources within the DNS and is focused on what might be called the ‘open web’ or the World Wide Web (the public internet) most users commonly access when using the DNS. Resources which are accessed via the public internet, but located behind a barrier such as a paywall or an account login for hosted services, are included in the research. These hosted resources are from the DNS core and so are not directly subject to DNS regulation, but rather are immediately subject to any regulation the host imposes or any conditions imposed on the hosting service. Regulation at the level of a hosting service varies, and debate about whether service providers are responsible for the online activities of those who use their services continues. The report deals briefly with resources that are essentially invisible to or hidden from the open internet, or that cannot be accessed directly from the public internet. While these parts of the internet present the majority of regulatory challenges and are of significant concern for law enforcement, they are not analysed in detail in this report as they are too far removed from the limited scope of regulation through the operation and governance of the DNS.
Research questions
These questions formed the basis of the current research.
• What is the DNS and how does it operate within the framework of internet governance?
• How has the DNS been misused for criminal purposes?
• What is known about perpetrators of DNS misuse? That is:
  – What are their motivations and what benefits did they obtain?
  – What are their countries of origin?
  – Do they operate alone or with others?
  – Why did they select the targeted domain name?
  – How have instances of DNS misuse been dealt with and what were the outcomes of any investigations?
• What crime prevention strategies do domain name owners, DNS server owners and registrars currently use to prevent DNS misuse?
• What other crime reduction strategies could be implemented to prevent misuse of the DNS?
Findings
Background
This section explains the internet’s development and operation and reviews the environment in which criminal misuse of the DNS has emerged. It explains the internet’s infrastructure and discusses the operation and governance of the DNS, highlights weaknesses in the regulatory framework that increase the potential for misuse, and identifies the strengths that may help prevent misuse. The internet’s nature and its governance structures result in weak regulatory responses to misuse of the DNS.
Criminal misuse of the DNS
This section explores criminal misuse of the DNS by firstly considering illegal acts that do not amount to cybercrime offences, including property offences like the theft of hardware and domain names, and, secondly, misuse that falls within the general classification of cybercrime. It presents a tentative analytical model that relates forms of misuse to particular aspects of the DNS, namely to:
• the DNS architecture;
• domain names (or domains);
• domains as virtual spaces; and
• other layers at some remove from the DNS.
This model helps to explain misuse occurring within the architecture of the internet (software engineering) as well as misuse facilitated through human interaction (social engineering). The section then examines opportunities for misuse in terms of the DNS’ primary purpose, which is to overcome restrictions created by the internal architecture of the early internet. This misuse concerns how machines use internet addressing to make connections between resources. Misuse through software engineering is further classified according to whether the DNS is itself the target of misuse or is used to facilitate other offending; facilitating other offending may involve misusing the DNS as a mechanism to do harm, a vector to transmit harm or a platform from which to commit harm.
The outward appearance and presentation of the internet for human users is then considered. A division can be drawn between misuse intended to manipulate machines through software engineering and misuse intended to manipulate people through social engineering. To distinguish between abuses of the DNS and abuses that exploit applications layered above the DNS, DNS misuse may also be categorised according to the architecture of the internet. This helps identify who could potentially prevent misuse and potential points for regulatory intervention.
Perpetrators of misuse
The many and varied forms of DNS misuse identified in this study make it difficult to describe a typical offender or criminal justice response, particularly given the absence of criminological research in this area. The limited research so far conducted has found a high incidence of organised crime activity. This often involves loose groups of people, usually young men with limited technical abilities who rely on online guidance. Perpetrator profiles also differ according to the extent of the perpetrator’s involvement in the darkweb. There is limited evidence to indicate where those misusing the DNS are located.
Legal responses to DNS misuse
Although some instances of misuse can be addressed through the criminal justice system, there are many impediments to harnessing the criminal courts as a regulatory response. Few conventional crime categories are relevant apart from, arguably, some property crime offences such as theft of domain names, or the criminal infringement of intellectual property rights. Of greater relevance are specific offences created under cybercrime legislation that governs unauthorised access to networks, data interference and acts of online dishonesty associated with domain name misuse. There are also criminal offences arising from social engineering, including identity misuse, misleading and deceptive conduct, and fraud. To date, these have not been used due to problems of evidence and proof, jurisdiction, and the limits of law enforcement resources in identifying suspects, seeking mutual legal assistance and mounting prosecutions. Over time, as the jurisprudence of DNS criminality develops, criminal proceedings may be more successful. Whether this would deter criminals from committing DNS crime remains conjectural.
In addition to criminal justice responses to DNS misuse, there are a number of avenues for redress through the use of the civil laws relating to obligations and intellectual property. ‘Webjacking’, and disputes about the registration of domain names that could lead to legal action about ‘cybersquatting’ or ‘domain name squatting’, can be resolved by taking action under the Uniform Domain-Name Dispute-Resolution Policy (UDRP) adopted by domain name registrars. In appropriate cases of infringement of contractual rights or intellectual property related to registered names, where economic loss can be quantified and proved, civil action can be taken in relation. Where business interests are at stake, injunctive relief can also be useful.
Preventing misuse of the DNS
A number of environmental crime prevention strategies could be used to reduce the harms associated with DNS misuse, including routine activities theory, crime pattern theory and rational choice theory. Crime prevention is considered by reference to various regulatory touchpoints within DNS regulation. Importantly, these regulatory touchpoints often lie outside the scope of national laws, which creates opportunities for exploiting regulatory weaknesses for criminal purposes. Some strategies to reduce the risk of DNS abuse include:
• enhancing identification checks when registering domain names;
• using Domain Name System Security Extensions;
• making DNS abuse less profitable by coordinating reporting mechanisms and controlling online profit centres;
• neutralising offender rationalisations; and
• improving user education on the risks of DNS misuse.
Conclusions
The DNS is fundamental to the functioning of the internet, and its potential for misuse is one of the most important legal and regulatory challenges facing internet governance in the years ahead. A failure of the DNS would impede machine-to-machine communication, and make it difficult for users to navigate the internet.
However, the capacity to regulate possible misuse of the DNS is limited. While the DNS requires centralised authority, no single global entity is responsible for the regulation of all its aspects. This is because regulation of the DNS, like other aspects of the internet, occurs under a multistakeholder model of governance and a distributed administration model. It is also a result of the fact that much of what happens on the internet is beyond the jurisdictional reach of the criminal law of individual nations.
Nonetheless, regulating DNS registration and addressing the security weaknesses of internet architecture would provide some limited means of controlling the environment to prevent criminal misuse of the DNS and the internet. Although there will always be a place for criminal justice responses to internet abuse, in the global regulatory environment in which the DNS operates prosecution of DNS misuse will be difficult, and is likely to be reserved for the most serious and obvious infringements. As with other online crime, enacting a uniform set of policies to prevent misuse before it arises is likely to be the most effective strategy.

09 April 2018

Designs and the Hague Agreement

IP Australia has released an economic analysis of the costs and benefits to Australia of joining the Hague Agreement Concerning the Registration of Industrial Designs.

The report states
The report assesses the impacts with reference to the Productivity Commission’s (PC) guiding principles of effectiveness, efficiency, adaptability and accountability. This report is intended to form part of the evidence base in relation to whether Australia should join the Hague Agreement. In addition to feedback on this report, we are seeking feedback on any unquantified impacts, not limited to those acknowledged in the report, and welcome case studies and any experience users of the Hague system, or applicants for design overseas have had. Joining the Hague Agreement would enable Australian designers easier access to international markets by allowing them to file a single design application to gain protection in 68 countries and regions. Joining would also require Australia to increase its maximum term of protection for designs from 10 to 15 years, at a minimum. Both the former Advisory Council on Intellectual Property (ACIP) and the PC considered that a cost-benefit analysis should be conducted before the Australian Government decides whether to join the Hague Agreement. In their final report, the PC urged caution - advising a “wait and be convinced” approach.
Under the proposed methodology, it appears that the economic costs to Australia of joining the Hague Agreement outweigh the benefits. The net benefits to Australian applicants are outweighed by significant net costs to Australian consumers (with IP professionals and the Australian Government being subject to smaller net costs). Some costs and benefits are not as easily assessed, and were not quantified in the current analysis, but could affect the net outcome over time. The objective of providing a fertile ground for innovators that is adequately balanced with costs to consumers is an issue requiring careful and ongoing calibration. Realistically, these costs and benefits might only be assessed and quantified at a later date should Australia join the Hague Agreement. Furthermore, we acknowledge that there may be additional evidence gathered in the future which will necessitate further analysis of the potential impacts.
The results are driven by the fact that non-residents currently file almost three times more designs into Australia than resident Australians file abroad, and non-residents maintain these registrations longer on average. Based on the cost-benefit methodology adopted in this report, joining the Hague Agreement could increase this disparity. The report takes account of the fact that accession to the Hague Agreement should also make it easier for Australian residents to file abroad into multiple jurisdictions. The methodology tries to forecast the impact on Australia based on the experience of other Hague accession countries, taking the most positive and negative experiences of other accession countries and using these as the upper and lower bound of what might occur if Australia joined the Hague Agreement.
ACIP concluded that “a significant uplift in international usage would support Australia joining” the Hague Agreement. Despite the United States of America, Japan, and Republic of Korea recently joining, less than 10 per cent of global non-resident design applications were filed through the Hague Agreement in 2016. A number of countries are expected to join in the future, including the People’s Republic of China, Canada and Thailand. These accessions will impact upon any future cost-benefit analysis and may make it more beneficial for Australia to join. This report notes that under certain circumstances, Australian applicants can file design applications through the Hague Agreement already, despite Australia not being a signatory. This pathway is available to Australian applicants that have a residence or an establishment in a member country. Increased awareness of this existing avenue may hold additional benefits to Australia and designers alike.
The report argues -
Net cost to Australia of joining the Hague Agreement at present 
The net present cost to Australia is estimated to be between approximately $25 million and $124 million over ten years, with $61 million being the best estimate. Ten year impacts by stakeholder group are:

  • Australian designers: a potential net benefit of approximately $0.03 million to $6 million, with a best estimate of $1.7 million. This is due to increased savings on international applications and increased profits from taking new designs overseas. 

  • Australian consumers: a net cost of approximately $23 million to $114 million, with a best estimate of $58 million. This is due to income flowing overseas from Australian consumers paying higher prices to non-resident designers over a longer term of design protection. 

  • Australian IP professionals: impacts estimated as between a benefit of approximately $0.3 million and a cost of $12 million, with the best estimate being a cost of $2.5 million. Australian IP professionals will receive some extra business from non-residents at the examination stage, but will likely lose more business at the filing stage as non-residents go through the Hague system. 

  • Australian Government: a net cost of approximately $2.3 to $3.4 million, with a best estimate of $2.8 million. This is due to Information Technology system changes that will be required to process applications filed via the Hague Agreement. 
It concludes
We estimate there is a net cost to Australia of joining the Hague Agreement (see Tables 7.1, 7.2, and 7.3 in Appendix 4).
• The most optimistic show an annual net cost starting at just under $1m in the accession year, growing to an annual net cost of $2.5m in the tenth year. The cost over 10 years would be $25.5m in net present value terms under an average 10% annual discount rate.
• The best case show an annual net cost starting at $2.2m in the accession year, growing to an annual cost of $7.1m in the tenth year. The cost over 10 years would be $61.5m in net present value terms.
• The worst show an annual net cost starting at $3.9m in the accession year, and growing to $17.3m in the tenth year. The cost (over 10 years) would be $123m in net present value terms.
The costs outweigh the benefits, presently
Both ACIP and the PC recommended that Australia should take a “wait and be convinced” approach to joining the Hague Agreement. Most Hague member countries (considered similar to Australia) have more incoming registered designs than they do outgoing registered designs, so the benefits to using the Hague system to go overseas are small. While there are some savings to Australian applicants filing overseas, the costs to Australian consumers of the extension of term from 10 to 15 years are estimated to outweigh these benefits by a significant margin under all scenarios.
While we note that some benefits could not be quantified, we also note that there are also costs (for example, social welfare costs) that we have been unable to quantify. We particularly welcome feedback on this aspect.
Applying the PC’s suggested framework for assessing IP policy changes (effective, efficient, adaptable and accountable) we have been unable to find compelling evidence that joining the Hague Agreement would be a net benefit to Australia at the present moment.
We have been unable to find reliable evidence that a longer term of protection would be effective in stimulating additional design innovation. We have found that the efficiency benefits to Australians going overseas are outweighed by the negative income flows (and possibly also the economic inefficiency due to the unquantified social welfare costs) arising from the longer monopoly period. Locking Australia into the Hague Agreement would limit our ability to adapt our IP system in the future. And the above analysis is accountable because it seeks to provide a transparent evidentiary basis to inform a decision to join the Hague Agreement.
8.2 The Hague Agreement landscape will change
A number of countries will join the Hague Agreement in the near future, including China, Canada and Thailand.
The size of the Chinese economy and the volume of its design applications make it a candidate for a country whose accession to the Hague Agreement could represent a ‘tipping point’ that could substantially increase global usage of the Hague system. While China is by far the largest filer of designs globally, China is also Australia’s largest trading partner. Easier access for Australian designers to this significant market, facilitated by the Hague system, might tip the balance for Australia to the point where we had more outgoing applications than incoming applications, which would increase the benefits and reduce the costs to Australia of joining the Hague Agreement.
Canada’s accession is unlikely to be a tipping point in the same way as China. However, their experience could provide a valuable comparison for Australia to re-evaluate the cost and benefits in the future. Canada is similar to Australia in size and population; has a resource-dependent economy; and has a similar legal system. More importantly, Canada, like Australia, would also be moving from a 10 to 15 year design term in order to accede. Canada is set to join the Hague Agreement no earlier than 2018 based on public accounts. We are not aware of any detailed cost benefit analysis performed by Canada. Information from Canada’s experience, once they have joined, would be extremely valuable to assessing the costs and benefits to Australia.
Thailand has previously indicated its intention to join the Hague Agreement in 2015. While that timetable has been delayed, it may be expected to join at some point in the near future. Again, Thailand may provide a useful comparison for Australia when it joins: it is one of the few countries that will have to move from a 10 to 15 year term and is closely linked to many of the same regional markets as Australia.

Enforcement

The national Attorney-General's Department has released a consultation paper regarding recognition and enforcement of foreign judgments.

The paper states
Through the Hague Conference on Private International Law, the Australian Attorney-General’s Department (AGD) is currently engaged in negotiations on behalf of Australia for a draft Convention that is intended to establish uniform rules for the recognition and enforcement of foreign judgments in civil or commercial matters (the Hague Conference Judgments Project).
The draft Convention aims to provide parties to litigation with a simple and predictable framework that will govern how a judgment in one Contracting State (a State that signs up to the Convention) can be recognised and enforced in another Contracting State.
To inform Australia’s negotiating position, this consultation paper seeks public comment on law and policy matters raised in the draft Convention of November 2017..... The draft Convention may also be downloaded from the Hague Conference website (www.hcch.net).
AGD is seeking both general and specific comments on the proposed text of the draft Convention ahead of a fourth, and possibly final, meeting of a Hague Special Commission from 24-29 May 2018. The purpose of the Special Commission meeting is to develop an appropriate text that can be submitted to a Diplomatic Conference for final negotiations and agreement. The Special Commission, set up by the Hague Conference in 2016, has met three times over the past two years to prepare the current draft Convention.
The fourth meeting of the Special Commission will focus on a limited number of outstanding issues. This includes contentious issues such as the extent to which intellectual property and privacy should fall within the scope of the draft Convention. Some members of the Special Commission propose that matters relating to intellectual property should be excluded from the draft Convention completely, while others seek its general inclusion, or inclusion on a restricted basis (see Part 5 for further discussion on intellectual property).
Any text in the draft articles in square brackets is not yet settled. That text includes intellectual property and privacy matters. Square brackets represent proposals, alternatives and options that are the subject of ongoing consideration by members of the Hague Conference.
It is intended that a draft Convention will be put to a Diplomatic Conference of the Hague Conference for consideration and conclusion no earlier than 12 months after the final meeting of the Special Commission (on current timing that is mid-2019 at the earliest). Until it has been concluded at a Diplomatic Conference, the text in the draft Convention is not finalised.
If the draft Convention is concluded at a Diplomatic Conference of the Hague Conference, and Australia determines that it is appropriate to sign the Convention, its implementation in Australia will be subject to the usual government processes and Joint Standing Committee on Treaties processes and review. Implementation is likely to require subsequent amendments to Australian domestic legislation.
The paper features several questions -
Q1 Have you experienced any problems with seeking to recognise or enforce a foreign judgment? If so, what have the main problems been? What are the benefits for Australian parties in the recognition and enforcement of foreign judgments abroad, and what are the risks for Australian parties if foreign judgments are recognised and enforced in Australia or overseas?
Q2 Have you encountered issues and/or inconsistencies with the current regimes for recognition and enforcement of either Australian judgments in foreign countries or foreign judgments in Australia? If so, please provide details. Issues may encompass increased costs and timeframes associated with obtaining recognition and enforcement of judgments, including through duplicative proceedings in more than one jurisdiction, or an inability to obtain meaningful relief. Information on types of judgments and jurisdictions relevant to your experience is appreciated.
Q3 What are your views on the scope of the draft Convention? Are there any civil or commercial matters that are currently in scope that raise concerns? In particular, do you have any views on those matters in bracketed text, ie privacy/unauthorised public disclosure of information relating to private life; and/or intellectual property [and analogous matters]?
Q4 What are your views on the jurisdictional bases for recognition and enforcement? Do any of the currently proposed bases cause concern?
Q5 What are your views on the grounds for refusing recognition or enforcement? Do any of the currently proposed grounds cause concern?
Q6 What are your views on damages, costs and/or other provisions in the draft Convention?
Q7 Should intellectual property matters be included or excluded in the draft Convention (see Article 5(3) and Article 2, respectively)? To what extent should the circulation of intellectual property judgments be treated differently to that of other judgments under the draft Convention?
Q8 If included in the draft Convention, what are your views on the scope of intellectual property rights as currently defined/categorised?
Q9 Are the suggested discretionary safeguards in the draft convention adequate for intellectual property matters?
Q10 What are your views on the recognition and enforcement of monetary vs non-monetary judgments for infringement in intellectual property matters? Are there any other issues relating to intellectual property that should be addressed by the draft Convention?