the GovCert.NL SymposiumGovCert.NL Symposium This week I attended the GovCert.NL Symposium in the Netherlands. This is the 6th annual gathering of "Computer Emergency Response Teams (CERTs) and other experts in Internet security and privacy. About 50% of the participants were Dutch, I would guess, and maybe 85% from Europe, although there were attendees from as far away as the USA, Japan and Australia. There were some fascinating presentations, including an analysis of the role of money mules in phishing scams, analysis of a new "man in the middle"-style attack on banks, attempts by governments to implement digital identity systems, a detailed recounting of the Estonian "cyber riot" that temporarily crippled the Internet in that country, advocacy for Bitfrost, a new operating system platform based on new privacy/security assumptions, and, oh, a very interesting discussion of the Whois-privacy problem in ICANN. ;-)

There were two take-away messages. One is the astounding degree to which Europeans take privacy more seriously than people in the US. Coming into an environment heavily laden with law enforcement agencies, spam fighters and government identification bureaus, I expected to be in a hostile climate. I wasn't. The people in this community are, by a large majority, overhwelmingly in favor of strong privacy and consider data protection to be as important as -- indeed an extension of -- internet security. Which is as it should be. To illustrate, at a plenary session we had a public debate on whether the European Union is doing enough to protect privacy." Electronic votes were taken of the audience before and after the debate. Before we began discussing it, the breakdown was 25% yes, 75% no. After our debating exchanges, the vote was 16% yes, 84% no.

The other takeaway was the degree to which CERTs constitute an informal "network form" of global governance, which melds academic, governmental, industry and advocacy stakeholders. There was much discussion of the future of CERTs, most of which I missed due to attending other sessions. The role of this international community in coming to the aid of Estonia was particularly instructive. There is a recognition from both the (largely but not entirely) private sector CERTs and the traditional hierarchical governments of their limits and their need to cooperate.