2.3.1. Internet-related public policy issues

The Tunis Agenda itself identifies numerous public policy issues for consideration of the IGF, but nowhere are these itemised in clear terms. The report of WGIG to WSIS had however earlier identified thirteen Internet-related public policy issues in more concrete terms,[1] most of which can be traced forward to one or more paragraphs of the section on Internet governance in the Tunis Agenda. Figure 2-2 itemises the thirteen public policy issues identified by WGIG by paragraph and brief description, and their equivalent paragraphs in the relevant section of the Tunis Agenda, if any.

Figure 2-2. Public policy issues

| WGIG para | WGIG description | Agenda paras |
|---|---|---|
| 15 | Administration of the root zone files and system | |
| 16 | Interconnection costs | 49, 50 |
| 17 | Internet stability, security and cybercrime | 40, 43, 44, 45 |
| 18 | Spam | 41 |
| 19 | Meaningful participation in global policy development | 52 |
| 20 | Capacity-building | 51 |
| 21 | Allocation of domain names | 63, 64 |
| 22 | IP addressing | 38 |
| 23 | Intellectual property rights (IPR) | |
| 24 | Freedom of expression | 42 |
| 25 | Data protection and privacy rights | 39, 46 |
| 26 | Consumer rights | 47 |
| 27 | Multilingualism | 49, 53 |

The omissions from the Internet governance section of the Tunis Agenda that are present in the WGIG report call for comment. The subject of paragraph 15 of the WGIG Report, relating to administration of the DNS root servers, is conspicuous in its absence from the Tunis Agenda. As will be explained in greater detail in Chapter 5, this is because the United States had made it quite clear that it was not willing to divest its control of the DNS root,[2] and during the negotiations that preceded the final meeting of WSIS, this position was conceded. Accordingly, save for the observation that “Countries should not be involved in decisions regarding another country’s country-code Top-Level Domain (ccTLD),” and the vague promise of “enhanced cooperation” in future,[3] the Tunis Agenda specified that the IGF “would have no involvement in day-to-day or technical operations of the Internet.”[4]

Thus paragraphs 21 and 22 from the WGIG report on domain names and IP addressing were included in the Tunis Agenda only in respect of their public policy rather than their technical dimension (namely the assertion that national oversight of these activities was needed). These items require no further consideration here as domain name and IP address allocation have already been considered as functions of technical coordination, rather than of public policy governance. The policy issue of governmental oversight of these activities will however be revisited in Chapter 5.[5]

The omission of the topic of paragraph 23 of the WGIG report relating to intellectual property rights from the Tunis Agenda (save for a fleeting reference to software licensing in paragraph 49), and the omission of trade issues from both the WGIG list and the Tunis Agenda, is more obscure—or perhaps not. One commentator states:

In the preparatory process of the Geneva phase it soon became clear that developed country governments (the United States and European Union in particular) would do everything in their power to avoid broadening out the WSIS agenda to include ... the policies promoted by developed countries within such bodies as the WTO and the World Intellectual Property Organisation (WIPO) with respect to international trade or intellectual property rights (IPRs).[6]

In less conspiratorial terms, this is confirmed by a background paper released by WGIG along with its report.[7] Although trade—or in the Internet context, e-commerce—is not included, e-government forms the subject of paragraph 48 of the Tunis Agenda (though it is absent from the WGIG list), and it raises many of the same issues.

Finally, there are a number of issues described separately in the Tunis Agenda that can be usefully combined for present purposes. These are paragraphs 16, 19, 20 and 27 of the WGIG Report: interconnection costs, meaningful participation in global policy development, IT capacity building and multilingualism, which can be combined under the heading of “development,” in that they all concern the development of Internet architecture to support uniformity of access to the Internet and participation in Internet public policy governance, particularly by users from disadvantaged economies.

Taking the public policy issues from the WGIG report with the items from paragraphs 16, 19, 20 and 27 combined, removing DNS and IP addressing issues that fall outside the scope of this section, adding e-government from the Tunis Agenda and combining it with e-commerce, and adding back the notably omitted issue of intellectual property, leaves the following list of Internet-related public policy issues for discussion:

It is not contended that this is an exhaustive list, and some of the categories are rather broad (though as will be seen, less so than the four categories upon which the IGF eventually settled). However the list does provide a useful indication of the topics that might be expected to find a place on the IGF’s work programme.

2.3.1.1. Internet stability, security and cybercrime

The Internet has provided fertile ground for the commission of old crimes in new ways, such as the use of P2P file sharing services to distribute child pornography, and the use of encrypted email to plan terrorist attacks. It has also enabled the commission of new crimes more peculiar to the Internet, that involve the subversion of its architecture. One example of the second class of crimes is the Distributed Denial of Service (DDoS) attack, by which the criminal typically causes a distributed network of home computers to be infected with a virus that covertly places them under the criminal’s control, and then uses that control to cause each computer to bombard a victim’s Internet server with data until the server’s capacity to respond to legitimate requests is overwhelmed.

This second class of new offences is normally termed “cybercrime,” and it has been the main focus of bodies involved in Internet public policy governance. There are no fully international instruments addressing this topic, apart from a non-binding UN General Assembly Resolution on a Global Culture of Security,[8] which was based on an earlier OECD (Organization for Economic Cooperation and Development) document.[9] However the most notable regional activity, which now has global reach, is the Convention on Cybercrime passed by the Council of Europe in 2001[10] dealing with computer fraud, information security, and the content regulatory issues of child pornography and copyright. This convention has also been acceded to by other non-European countries such as South Africa, Canada, the USA and Japan. Although Australia has not ratified the convention, its Cybercrime Act 2001 (Cth) was based on it in part.

Public policy governance by the executive arms of international, regional and domestic governmental bodies in the area of cybercrime has been at least as significant as that of their legislatures. The G8 Group (the United States, the United Kingdom, France, Germany, Italy, Germany, Japan and Russia) formed a High-tech Crime Subgroup in 1997 which has established a network of cybercrime points of contact in each country.[11] The European Union in 2004 formed an agency of its own, the European Network and Information Security Agency (ENISA), which aims to provide assistance to the European Commission and Member States in addressing security issues in hardware and software, and to promote standards and activities to minimise information security risks.[12]

In Australia’s region, the Telecommunications and Information Working Group (TEL) of APEC (Asia-Pacific Economic Cooperation) has drafted a cybersecurity strategy for its member states,[13] and there is an Australian High Tech Crime Centre to provide a nationally coordinated approach to high tech crime across all Australian jurisdictions.[14]

The war against cybercrime is also waged in non-governmental fora. National computer emergency response teams such as the eponymous CERT®[15] and Australia’s AusCERT,[16] some of which are government-linked and others of which are private sector or civil society organisations, join together in the Forum of Incident Response and Security Teams (FIRST).[17] They provide services and support, some voluntary and some for-fee, to those whose computer systems or networks are attacked by cyber-criminals and those investigating such attacks.

The CA/Browser Forum[18] provides another example of a purely private approach to combatting cybercrime; specifically phishing, a “social engineering” attack in which victims are induced (usually through spam email) to provide confidential details to a bogus Web site masquerading as that of a legitimate online business such as a bank. The CA/Browser Forum contains no governmental members, but is simply a consortium of CAs and vendors of Web browser software. Their approach to the problem is based on architecture: the introduction of a new type of SSL certificate that requires more rigorous verification by the issuing CA, and is flagged as such by the user’s Web browser.

As for crimes that are not Internet-specific but which are committed by use of Internet services, there are of course a number of relevant but general international instruments such as conventions on drug trafficking and organised crime,[19] and a number of active executive bodies such as Interpol. These fall outside the scope of this thesis, though some will be alluded to later at Section 3.4.2.

However mention should at least be made of the Optional Protocol to the Convention on the Rights of the Child on the sale of children, child prostitution and child pornography,[20] which was passed in recognition of “the growing availability of child pornography on the Internet,” and of the Virtual Global Taskforce (VGT), which is a transnational network of police services combatting online child exploitation.[21]

2.3.1.2. Spam

Of all the public policy issues examined here, spam provides one of the best illustrations of the necessity of taking an international approach. As the reach of Internet email is international, spam can effectively be sent from whichever corner of the globe restricts it the least, rendering domestic prohibitions on the sending of spam next to ineffectual.

There is no international instrument on spam; the closest perhaps being the European Union’s e-Privacy Directive prohibiting the sending of spam,[22] which all member states were required to implement by 31 October 2003. A Contact Network of Anti-Spam Enforcement Authorities (CNSA) has been formed by 13 of the EU’s national anti-spam regulatory authorities.[23]

This has however been eclipsed by a broader international network of 38 anti-spam regulators, and 25 private sector members, in a forum formed in 2004 known as the London Action Plan (LAP).[24] The activities of the LAP are based around an agreement for cooperation in international enforcement of domestic anti-spam laws, and education of users and businesses.

Remaining on the international front, the OECD has formed an ad hoc Spam Task Force which has contributed usefully to international coordination of anti-spam enforcement by compiling a variety of reports on spam, and an online anti-spam Toolkit.[25] The ITU has also sought to become involved by releasing a survey of spam legislation and hosting thematic meetings on spam and network security.[26]

Australia’s activities in anti-spam networks include the ACMA’s and the ACC’s membership of the LAP, the Seoul–Melbourne Multilateral Anti-Spam Agreement signed by twelve regional agencies, and additional bilateral agreements concluded between the ACMA and agencies from Taiwan, South Korea, Thailand, the United States and the United Kingdom, by which the respective parties agreed to exchange information about anti-spam policies and strategies, and security issues.[27]

Australia can also boast a strong domestic legislative response to the spam problem. The Spam Act 2003 (Cth) prohibits the sending of spam (or, in the legislation’s terms, unsolicited commercial electronic messages) on pain of penalties of up to $220 000 per day, or up to $1.1 million for repeated infringements. There is no specific minimum number of messages that must be sent before they are qualified as spam; a single message can be caught by the legislation. The Act also prohibits the use of address harvesting software or harvested address lists.

Equivalent legislation from Australia’s partners in LAP varies markedly. In contrast to the Australian and EU legislation which requires users to have opted in before receiving commercial email, the United States CAN-SPAM Act which came into force in 2004[28] allows spam to be sent in the first instance so long as an “opt-out” facility is provided. It does however require spammers to provide their street address in any communications they send.

Initiatives in the war against spam are also being taken within the private sector and civil society. The Anti-Spam Technical Alliance, whose founding members include America Online, British Telecom, Comcast, EarthLink, Microsoft, and Yahoo!, released a proposal containing a range of technical recommendations for the control of spam.[29] MAAWG (the Messaging Anti-Abuse Working Group) is another similar group.[30] Developments within the IETF of course included SPF and SenderID, and in 2003 the IRTF also chartered an Anti-Spam Research Group (ASRG) which has an active mailing list.[31]

Spam filtering software and services, both open source[32] and proprietary,[33] have proliferated. Amongst these are services known as DNS blocklists. These are lists of IP addresses known to have been used by, or to be open to abuse by spammers. Third parties such as ISPs and knowledgeable individual users can use these lists within their mail server or spam filter software to automatically refuse the receipt of email emanating from those same IP addresses.[34]
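The lookup a mail server performs against such a list can be sketched as follows. This is an added example, not taken from the original text or from any particular filter: it follows the DNSBL convention documented in RFC 5782 (reverse the connecting address, append the list's zone, and treat an answer in 127.0.0.0/8 as a listing). The zone names, records and helper names are constructed for illustration, and the resolver is passed in so the example runs without network access.

```python
"""DNS blocklist (DNSBL) lookup as a receiving mail server would perform it."""
import ipaddress
import socket

# By convention, a listing is signalled by an A record inside 127.0.0.0/8.
LIST_ENTRY_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the name to query: reversed address labels followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]          # octets, reversed
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]  # nibbles, reversed
    return ".".join(labels) + "." + zone.strip(".")


def system_resolve(name):
    """Return the A records for name, or [] if it does not resolve.

    A resolver failure is treated as "not listed", so an unreachable
    blocklist never causes mail to be refused.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_sender(ip, zones, resolve=system_resolve):
    """Return {zone: [return codes]} for every zone that lists ip."""
    hits = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        # Ignore answers outside 127.0.0.0/8: a lapsed or wildcarded zone
        # that answers every query would otherwise "list" the whole Internet.
        codes = [a for a in answers if ipaddress.ip_address(a) in LIST_ENTRY_NET]
        if codes:
            hits[zone] = codes
    return hits


def smtp_decision(ip, zones, resolve=system_resolve):
    """Return (accept, SMTP reply) for a connection from ip."""
    hits = check_sender(ip, zones, resolve)
    if hits:
        listed_by = ", ".join(sorted(hits))
        return False, "554 5.7.1 Connection from %s refused; listed by %s" % (ip, listed_by)
    return True, "220 mail.example.test ESMTP"


# --- Constructed sample data (hypothetical zones, documentation addresses) ---
CONSTRUCTED_ZONES = ["bl.example.test", "dead.example.test"]
CONSTRUCTED_RECORDS = {"25.2.0.192.bl.example.test": ["127.0.0.2"]}


def constructed_resolve(name):
    """Stand-in resolver: one real listing, plus a zone that answers everything."""
    if name.endswith(".dead.example.test"):
        return ["203.0.113.9"]  # wildcard answer from a lapsed list
    return CONSTRUCTED_RECORDS.get(name, [])


if __name__ == "__main__":
    for sender in ("192.0.2.25", "198.51.100.7"):
        print(sender, smtp_decision(sender, CONSTRUCTED_ZONES, constructed_resolve))
```
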

Conversely, there are services that will assure recipients of the bona fides of email sent from a given domain. The Domain Assurance Council,[35] formed in 2006, is an association of such assurance providers, which is promoting the use of an IETF standards-track specification called DKIM (DomainKeys Identified Mail)[36] as a standard protocol for the provision of domain assurance services.

2.3.1.3. Intellectual property rights (IPR)

As noted above, IPR issues on the Internet were excluded from the Tunis Agenda, on the grounds that they fall within the purview of other existing international organisations such as WIPO and the WTO (World Trade Organization). In practice however, it will be seen that this has not altogether excluded them from consideration by the IGF.

WIPO administers the principal intellectual property conventions, which include the Berne Convention regarding copyright,[37] the Paris Convention regarding patents, trademarks and registered designs,[38] and the Rome Convention also regarding copyright.[39] The WIPO Copyright Treaty (WCT)[40] and the WIPO Performances & Phonograms Treaty (WPPT),[41] both of which came into force in 2002, update these earlier instruments in light of new digital technologies including the Internet. Australia is not a signatory to these WIPO treaties, but its Copyright Amendment (Digital Agenda) Act 2000 (Cth) amendments to the Copyright Act 1968 (Cth) are consistent with them.

Amongst the changes introduced by the Copyright Amendment (Digital Agenda) Act most relevant to the Internet were to bestow on copyright owners a new exclusive right to communicate works to the public (eg by making electronic copies or uploading them to an online repository), and allowing temporary reproductions of copyright works made automatically in the course of accessing them online (for example, when a user’s Web browser caches a copy of a site it accesses to disk).

WIPO was also of course instrumental in drafting the UDRP by which trademark rights could more easily be enforced against domain name registrants (this was backed up in the United States by domestic legislation[42] that enhanced trademark owners’ rights against domain name registrants still further). It is less commonly known that in 2001 WIPO proposed new rights to domain names, such as extending protection to the names and acronyms of intergovernmental organisations and to the official long and short names of countries.[43] It is fair to say that these recommendations were in advance of public or political consensus on the issues raised, and no country has adopted them into law.

The other intergovernmental organisation referred to above in respect of its contribution to IPR law is the WTO, whose TRIPS convention[44] covers copyright and industrial property (eg patents, trademarks and registered designs). It largely incorporates the substantive content of the WIPO-administered conventions, but with the important difference that it treats non-compliance as a barrier to trade, and allows the WTO to impose sanctions on member countries in breach. It also provides for the resolution of disputes between nations through the WTO.

Numerous private sector and civil society organisations have played a significant role in public policy governance of IPR on the Internet. Perhaps the most significant has been that of the music industry as often represented by the RIAA (and in Australia by APRA, the Australian Performers Rights Association), and the motion picture industry as often represented by the Motion Picture Association of America (MPAA).

One of the biggest challenges posed to these IPR owners by the Internet has been the prevalence of the exchange of copyright music, software and video, often using P2P technology. The music and motion picture industries have used the force of domestic law against those involved at all levels: the authors of file sharing software,[45] those who publish cracks for DRM (Digital Rights Management) or copy-protection technologies,[46] Internet Service Providers,[47] and end users.[48]

The same industries were also strong campaigners for the passage of the United States Digital Millennium Copyright Act (DMCA)[49] which provides a streamlined process for the resolution of disputes between those who are (or claim to be) copyright owners, and ISPs who host allegedly infringing content. They also campaigned for the extension of that regime to Australia through the Australia–United States Fair Trade Agreement (FTA),[50] pursuant to which further reforms to the Copyright Act 1968 were passed in 2004. In addition to providing a DMCA-like safe harbour scheme for ISPs, these amendments also extended the term of copyright protection from 50 years from the date of the author’s death (or from the date of first publication in the case of a corporate author), to at least 70 years.[51]

On the other side of the coin, there are bodies which oppose the extension of IPRs over Internet activities, such as the EFF[52] and its Australian counterpart, the EFA.[53] There are also organisations such as Creative Commons, and the FSF that seek to subvert the dominance of the IPR paradigm, through facilitating the release of copyright works on the Internet under free licences, some of which licences are designed to be “viral” or self-perpetuating in adaptations of the works.[54]

These interests have also sought to build representation within WIPO, through their adoption in September 2007 of a “Development Agenda” for the organisation, which includes amongst its recommendations the preservation of the public domain and the exchange of experiences on open collaborative projects.[55]

2.3.1.4. Freedom of expression

The United Nations High Commissioner for Human Rights (OHCHR) has addressed the issue of freedom of expression on the Internet by calling on all states to:

refrain from imposing restrictions which are not consistent with the provisions of article 19, paragraph 3, of the International Covenant on Civil and Political Rights, including on: ... (c) Access to or use of modern telecommunications technologies, including radio, television and the Internet.[56]

This resolution is vague and aspirational, but little more can be expected of an intergovernmental statement in one of the most naturally contentious areas of public policy governance of the Internet.[57]

The converse of freedom of expression on the Internet is content regulation, and the approaches taken domestically on this issue range from the almost laissez faire approach of countries such as the United States which has established a Global Internet Freedom Task Force (GIFT) to promote online freedom of expression internationally,[58] to the very strict censorship exercised by countries such as Burma, China, Cuba, Laos, Saudi Arabia, Syria, Tunisia, Vietnam and Yemen which route all Internet connections through government-controlled filters.[59]

In between are the approaches of countries such as France, the United Kingdom, Canada and Australia, which prohibit certain types of content online. For example in November 2000 French courts gave US-based Yahoo! Inc three months to prevent French citizens from accessing Nazi memorabilia available using Yahoo!’s auction service, although the sale of such material is legal in the United States. Yahoo! in response sought a declaration that the French court order could not be enforced in the United States.

This eventually failed on appeal in 2006, partly on the basis that Yahoo! had already in large measure complied with the French court order by localising the content presented to French visitors.[60] Even those visitors who did not specifically access Yahoo!’s French portal could be identified as French by tracking the IP addresses from which they accessed the site back to the networks of French ISPs (a technique known as geolocation which is discussed at Section 3.4.2).

It should be noted that legal guarantees of the freedom of expression, even in the United States which strongly protects this freedom through the First Amendment to its Constitution, do not extend to the private sector. Thus Google, one of whose corporate principles is “Don’t be evil,” also used geolocation technology when it recently bowed to demands of the Chinese government in applying content restrictions to the Chinese version of its search engine,[61] as had Yahoo!, Cisco and Microsoft before it.[62]

Similarly, the UK’s largest (and former government monopoly) telecommunications provider and ISP, British Telecom, applies a filter called Cleanfeed to its wholesale and retail Internet service. The selection of content to be blocked, currently limited to child pornography, is undertaken by the Internet Watch Foundation (IWF), a non-profit self-regulatory Internet industry body.[63] In 2006 the government put other UK ISPs on notice to expect a regulatory response if they did not also filter their Internet services by the following year.[64] Canada’s ISPs have recently adopted a similar voluntary filtering scheme, with a network called C-CAICE,[65] that also includes governmental representatives, acting in the place of the IWF.

Australia’s content regulation regime is found in the Broadcasting Services Act 1992 (Cth). Since the passage of amendments to that Act in 1999 which commenced the following year, Australian Internet content is subject to the same rating criteria as motion pictures, save that content is only rated ex post facto once a complaint is made. If Internet content would be rated R were it a film, it may only be hosted on the Web in Australia subject to an age verification system. If it would be rated X or refused classification, it may not be hosted in Australia at all.

The Federal government has also claimed an election mandate to introduce a compulsory programme of ISP-side filtering of Internet content in 2008, akin to the voluntary programmes of the UK and Canada, and building upon the previous government’s programme introduced in 2007 to offer free client-side Internet filtering software to all Australian Internet users.[66]

The PICS content labelling standard developed by the W3C, criticism notwithstanding, is still in use, though it has to a large degree been supplanted by a newer XML-based W3C standard called RDF (Resource Description Framework). The most popular RDF-based schema for rating Internet content, based on its suitability for children, is that of the UK-based Internet Content Rating Association (ICRA).[67] The ICRA is comprised of nine large corporate members, mostly ISPs and software companies such as America Online (AOL) and Microsoft, and a much larger number of associate members ranging from the proprietors of adult Web sites, to regional self-regulatory associations.

Before moving on from the topic of content regulation, brief mention should be made of defamation law, which also falls within that field. Australian defamation law made an international mark on the Internet with the decision in Dow Jones v Gutnick.[68] This was a case in which noted Australian businessman Joseph Gutnick sued Dow Jones for publishing an article, which he alleged to be defamatory of him, in the online version of Barron’s magazine.

Although Dow Jones and its Web site were based in the United States, the High Court ruled that the case could be heard in Australia, on the ground that a sufficient link to the jurisdiction was established by Gutnick’s residence and established reputation here, and the availability of the magazine in Australia via the Internet, and in a few printed copies. The result was that Dow Jones was required to defend itself in a jurisdiction much friendlier to defamation plaintiffs than the United States.

2.3.1.5. Data protection and privacy rights

There is no international standard of privacy in the form of an international legal instrument, although the right to privacy is recognised in general terms in Article 12 of the Universal Declaration of Human Rights, and Article 17 of the International Covenant on Civil and Political Rights. The United Nations has also recognised the particular importance of maintaining the privacy of those whose personal information is contained in electronic records, through guidelines on this topic that were the subject of a General Assembly resolution in 1990.[69]

Absent a more formal agreement on privacy, the leading intergovernmental document is a set of guidelines of the OECD adopted in 1980.[70] These informed the drafting of the APEC Privacy Framework released by its Electronic Commerce Steering Group (ECSG) in 2004, that is designed to promote consistency in information privacy protection across APEC member economies. In 2007, Google called for the multi-stakeholder development of a new transnational privacy standard based upon the APEC Framework.[71] The OECD guidelines also provided the basis for the eleven Information Privacy Principles set out in Australia’s Privacy Act 1988 (Cth), which was extended to apply to the private sector in 2001.

The other regional privacy regime that is of significant international importance is the EU Data Protection Directive.[72] The most controversial provision of the directive provides that personal data of EU citizens may not be transferred to “third countries” (ie countries outside the EU) unless those countries have adequate levels of privacy protection of their own. The United States, which offers no broad protection for the privacy of personal data, did not meet this criterion, with the result that trade between the US and the EU was in danger of being significantly disrupted when the directive took effect.

The compromise that the two parties reached was to negotiate a special “Safe Harbor” for US businesses whereby they could individually certify their own compliance with EU data protection standards as codified in the Safe Harbor principles, rather than simply adhering to the lesser privacy standards of US law.[73]

Another area of controversy occasioned by the disparity in privacy standards between Europe and the United States is seen in the case of the ICANN WHOIS database. WHOIS is a database containing contact information of domain name registrants maintained by TLD registries. The content of ccTLD WHOIS registries is subject to the policy of the ccTLD in question, and in auDA’s case, since 2002 it has omitted the registrant’s address, telephone and fax number, providing only an email address.[74]

However the WHOIS policies for certain of the gTLDs are less stringent. They not only include personal address, telephone and fax details of the registrant, but also allow bulk access to WHOIS data to be purchased. Registrants have found themselves in receipt of direct marketing material directed to their WHOIS contact details, and some have fallen victim to cyber-stalking and identity theft. In response, many registrants have taken to supplying false WHOIS data, in breach of their registration agreements. Following much criticism of this situation, ICANN’s GNSO Council formed a WHOIS Task Force in 2005 to review the WHOIS policy that should apply to gTLDs in future. Its final report of 2007 recommended an overall restriction of publicly available WHOIS data, but the GNSO Council rejected these recommendations in November that year.[75]

Two privacy protection initiatives from the private sector and civil society are worthy of note. The first are private sector privacy certification schemes, the best known of which is that of TRUSTe,[76] a private non-profit organisation founded by the EFF and Commerce.Net, that certifies online businesses for their adherence to privacy standards. TRUSTe also certifies online businesses for compliance with the EU Safe Harbor scheme. There are over 1500 TRUSTe member Web sites, most of which display a seal as a sign of their compliance with TRUSTe’s standards. BBBOnline is a similar programme restricted to North American members, with almost 700 Web sites bearing its Privacy Seal,[77] and WebTrust is a much smaller programme with fewer than 30 members whose adherence to privacy standards has been audited by a Certified Public Accountant (CPA).[78]

The second non-governmental privacy initiative is the P3P (Platform for Privacy Preferences) recommendation of the W3C. P3P is an XML-based language in which a Web site’s privacy policy can be expressed in computer-readable form. This can be automatically read by an access device that supports P3P (such as a compliant Web browser or mobile phone) in order to regulate a user’s Internet usage in accordance with their expressed privacy preferences in an automated way.

P3P was initiated by the Internet Privacy Working Group, established by the CDT in 1996 and counting amongst its members ISPs such as AOL, hardware and software manufacturers such as IBM and Microsoft, and civil society representatives such as the EFF. P3P was subsequently taken up by the W3C the following year and became a Recommendation in 2002.[79]

P3P has not yet come into wide use and seems unlikely to in the future. One factor in this may be that P3P software is not simple and transparent enough that users are attracted to use it, particularly in that only a comparatively small number of Web sites have published P3P-compatible privacy policies. The limitations of the protocol itself should also not be overlooked. In particular, there is nothing in the protocol to verify that a Web site actually complies with the policy it advertises.

Both P3P[80] and the various private sector privacy certification schemes described above[81] have been criticised by privacy advocates for being too solicitous to the interests of business, by allowing businesses to easily derogate from consumers’ privacy rights so long as the consumers’ consent can be obtained.

2.3.1.6. Consumer rights

There is no international instrument protecting consumer rights. The European Union passed a Distance Sales Directive in 1997[82] to protect EU consumers in transactions made online, for example by providing consumers with a cooling off period and requiring them to be provided with detailed information about the transaction. This was followed by a similar Directive on distance marketing of financial services in 2002.[83]

In the absence of an international agreement on consumer rights, the OECD is again at the forefront of international governance on this issue through the OECD Guidelines for Consumer Protection in the Context of Electronic Commerce[84] developed by its Consumer Policy Committee and formally adopted by the OECD Council in December 1999.

These formed the basis for the Australian Federal Government’s Building Consumer Sovereignty in Electronic Commerce: A best practice model for business,[85] a voluntary resource designed to foster a self-regulatory approach to consumer protection in e-commerce by Australian business. The process by which this was drafted incorporated public comment from the private sector, civil society and academia, as well as member government representatives. Whilst the best practice model has no force of law, businesses adhering to it are entitled to display a logo to indicate their compliance.

More recently in 2003 the OECD also released its OECD Guidelines for Protecting Consumers from Fraudulent and Deceptive Commercial Practices Across Borders,[86] which focuses on the issue of cross-border fraud, particularly on the Internet, and is intended to provide a framework for international cooperation in tackling this problem through coordination of the activities of national agencies and private sector bodies such as financial institutions and domain name registrars.

This dovetails with the work of the International Consumer Protection and Enforcement Network (ICPEN),[87] an organisation that brings together the consumer protection bodies of 33 countries, including the United States Federal Trade Commission (FTC) and Australia’s ACCC.

One example of cooperation between such regional executive agencies is seen in the prosecution of a stock tout operating through the use of unsolicited email, both in Australia at the instigation of the Australian Securities and Investments Commission (ASIC)[88] and in the United States through its Securities and Exchange Commission (SEC).[89]

Finally in Australia’s region, APEC drafted Voluntary Consumer Protection Guidelines for the Online Environment in 2003, though these saw no domestic adoption and now regrettably appear to have disappeared from the Web.[90] There is however an Australasian Consumer Fraud Taskforce formed in 2005, which brings together Australian State, Commonwealth and New Zealand authorities to address consumer fraud both on and offline.[91]

2.3.1.7. Development

The “digital divide” between the developed and the developing world (or between “North” and “South”) is an aspect of a much broader social problem than falls within the scope of Internet governance. The United Nations’ Millennium Development Goals (MDG) are an umbrella programme for addressing such issues at the broadest level,[92] including the need for investment in Internet infrastructure and services in regions suffering from the digital divide. Within the broader field of ICTs for development, there are a few discrete issues that more directly raise questions of Internet-related public policy, and hence fall within the ambit of Internet governance.

The first of these isolated by the WGIG Report and Tunis Agenda is that of interconnection costs. By way of background to this issue, in traditional telephony each country’s telecommunications provider raises its own connection charges for initiating or receiving a call, and the charges are divided between them when financial settlements between providers are calculated. This does not occur on Internet networks, where typically a smaller network—such as that of a developing nation—will pay the whole cost of its connection to a larger backbone network. The larger network thereby receives access to any Internet content available on the smaller network effectively for free.

This issue formed the subject of Recommendation D.50 from ITU’s Study Group 3, which sought to establish a more equitable settlements regime between Internet network operators, but for commercial reasons this has proved highly controversial and is unlikely to be implemented in its current form.[93]

A second development issue is that of capacity building. This is an ill-defined term which in the present context refers to the development of institutional and individual capacity for the governance and application of Internet infrastructure.[94] This is more of an operational than a governance issue, which fits more comfortably within the existing intergovernmental structures for international aid and development work.[95]

The development agency with particular responsibility for telecommunications networks is the ITU-D, the development arm of the ITU. However, infrastructure development for ICT is also supported by such bodies as the World Bank,[96] UNESCO (the United Nations Educational, Scientific and Cultural Organization),[97] the United Nations Conference on Trade and Development (UNCTAD),[98] and UNDP (the United Nations Development Programme).[99] On a regional level, the G8’s Digital Opportunities Task Force (DOT Force)[100] and the EU’s eEurope programmes[101] are both notable for having taken a multi-stakeholder approach to capacity building, foreshadowing the similar approach of WSIS.[102] In the private sector, the Global Information Infrastructure Commission (GIIC) formed in 1995 is a confederation of executives notable for its work in this area,[103] as in civil society is the Association for Progressive Communications (APC).[104]

A third issue of equity is that of meaningful participation in global policy development. The prominence of this issue was raised in 2002 by a report of the Panos Institute which demonstrated how poorly developing countries are represented in global ICT governance.[105] The conclusions of this Louder Voices report were presented to the third meeting of the United Nations ICT Task Force (UNICTTF),[106] a multi-stakeholder body formed in 2001 at the request of UNESCO to play a coordinating role amongst stakeholders working in the area of ICT for development.[107]

The final equity issue raised by the WGIG Report and the Tunis Agenda is multinationalisation (more commonly known as internationalisation, or I18N[108]) of the Internet. The two principal sub-issues involved here are the support of multilingual content by Internet services, and the ability to both access and represent that content using multilingual character sets. This issue was pressed by UNESCO in 2003 when its member States adopted a Recommendation concerning the Promotion and Use of Multilingualism and Universal Access to Cyberspace.[109]

Although internationalisation is just as much a development issue as interconnection and capacity building, it can unlike those latter issues be addressed within the technical rather than the economic arena. Most work in this area has been the province of standards organisations such as the IETF and the Unicode consortium[110] (which defines a universal character set capable of displaying typographical symbols from all human languages). Internationalisation is also an Activity of the W3C.[111] Additionally, the W3C has produced a related recommendation on making Web content accessible to those with disabilities.[112]

The current focus of multinationalisation efforts is on the support of multilingual domain names, which allows other character sets such as Arabic and Chinese to be used to access Internet addresses using the DNS. The IETF and ICANN have been principally responsible respectively for the development and implementation of this technology, with support from another civil society organisation, the Multilingual Internet Names Consortium (MINC),[113] in delivering advocacy and education. In recent years slow but steady progress has been made towards resolving some final implementation issues for multilingual domain names, with one of the most recent developments being the testing of eleven multilingual TLDs in October 2007.[114]

For some countries, progress has been too slow, leading China, for example, to establish its own DNS root in 2005 to serve the Chinese-character equivalents of the com and net gTLDs.[115]

2.3.1.8. e-commerce and e-government

The final public policy issue under consideration is that of e-commerce, which is simply the conduct of business over electronic networks, relevantly the Internet, and is closely related to e-government, which is the relation of government and its citizens over such networks using the same sorts of technologies. Here the focus is to be on e-commerce, but e-government will be discussed again at Section 4.3.4.1.

UNCITRAL, the United Nations Commission on International Trade Law,[116] is the intergovernmental body which regulates international trade in conjunction with the WTO. UNCITRAL’s particular focus is on the modernisation and harmonisation of laws bearing on international business. To this end, it released in 1996 a Model Law on Electronic Commerce,[117] followed in 2001 by a Model Law on Electronic Signatures.[118] Both model laws prescribe a technology-neutral model for the treatment of electronic contracts and signatures as legally equivalent to their paper-based counterparts. Australia’s Electronic Transactions Act 2001 (Cth) and its State counterparts were based on the Model Law on Electronic Commerce.

UNCITRAL has also developed a convention, not yet adopted by Australia,[119] which aims to clarify for legal purposes such matters as the location of a party to a contract formed electronically, the time and place that that contract will be taken to have been formed, the use of automated message systems in forming contracts, and the criteria to be used in establishing functional equivalence between electronic and paper communications.

This convention, once adopted, will help to resolve the long-obscure question of whether the “postal acceptance rule” applies to electronic contracts; that is to say, whether a contract concluded by email, where the offer is emailed say from Australia to a recipient overseas, is governed by Australian or overseas law, and at what time the contract is formed.

Along similar lines, the Hague Conference on Private International Law, an intergovernmental organisation of sixty member states, finalised in 2005 an international convention on choice of law agreements,[120] to establish rules for the enforcement of contracts that specify that the law of a particular jurisdiction is to apply, and the circumstances in which other countries must recognise the judgments of courts of that jurisdiction. The convention is not yet in force.

Notes

[1] WGIG, Report of the Working Group on Internet Governance (2005), 5.

[2] See NTIA, US Principles on the Internet’s Domain Name and Addressing System (2005).

[3] See Section 5.1.4.1.

[4] WSIS, Tunis Agenda for the Information Society (2005), paras 63 and 77.

[5] But see Section 5.1.4.1.

[6] Accuosto, Pablo, WSIS Wraps Up With Mixed Emotions (2005).

[7] WGIG, Background Report (2005), 3.

[8] General Assembly of the United Nations, Creation of a Global Culture of Cybersecurity: Resolution (2003).

[9] OECD, OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (2002).

[10] Council of Europe Cybercrime Convention, 23 Nov 2001, 2003 S Treaty Doc No 108-11.

[11] See http://www.cybercrime.gov/g82004/g8_background.html.

[12] See http://enisa.europa.eu/.

[13] APEC, Recommendation by the APEC TELWG to SOM for an APEC Cybersecurity Strategy (2002).

[14] See http://www.ahtcc.gov.au/.

[15] See http://www.cert.org/, though CERT now disavows the origin of its name.

[16] See http://www.auscert.org.au/.

[17] See http://www.first.org/.

[18] See http://www.cabforum.org/.

[19] See Wyngaert, Christine V d, International Criminal Law: A Collection of International & European Instruments (2000).

[20] Optional Protocol to the Convention on the Rights of the Child, 25 May 2000, 2007 ATS No 6 (entry into force for Australia 8 Feb 2007).

[21] See http://www.virtualglobaltaskforce.com/.

[22] European Commission, Directive on Privacy and Electronic Communications (2002).

[23] European Commission, European Countries Launch Joint Drive to Combat “Spam” (2005).

[24] European Commission, Directive on Privacy and Electronic Communications (2002), and see http://www.londonactionplan.org/. The membership numbers given are as at 2008.

[25] See http://www.oecd-antispam.org/.

[26] See http://www.itu.int/osg/spu/spam/.

[27] See http://www.acma.gov.au/WEB/STANDARD/pc=PC_310313.

[28] Controlling the Assault of Non-Solicited Pornography and Marketing Act 2003 117 Stat 2699 Public Law 108-187.

[29] ASTA, Technology and Policy Proposal (2004).

[30] See http://www.maawg.org/.

[31] See http://www.irtf.org/charter?gtype=rg&group=asrg.

[32] The most popular being Spam Assassin, see http://spamassassin.apache.org/.

[33] The most popular being Symantec Brightmail, see http://www.symantec.com/business/products/overview.jsp?pcid=2242&pvid=835_1.

[34] For a list, see http://www.spambouncer.org/reference/blocklists.shtml.

[35] See http://www.domain-assurance.org/.

[36] See http://www.ietf.org/html.charters/dkim-charter.html.

[37] Berne Convention for the Protection of Literary and Artistic Works, 9 Sep 1886, as revised 13 Nov 1908, completed 20 Mar 1914, revised 2 Jun 1928 and revised 26 Jun 1948, 1969 ATS No 13 (entry into force for Australia 1 Jun 1969).

[38] Paris Convention for the Protection of Industrial Property, 20 Mar 1883, as revised 14 Dec 1900, 2 Jun 1911, 6 Nov 1925, 2 Jun 1934, 31 Oct 1958, and 14 Jul 1967, 1972 ATS No 12 (entry into force for Australia of substantive provisions 27 Sep 1975).

[39] International Convention for the Protection of Performers, Producers of Phonograms and Broadcasting Organisations, 26 Oct 1961, 1992 ATS No 29 (Rome Convention) (entry into force for Australia 30 Sep 1992).

[40] WIPO Copyright Treaty, 20 Dec 1996.

[41] WIPO Performances and Phonograms Treaty, 20 Dec 1996.

[42] Anticybersquatting Protection Act 1999 (US) 113 Stat 1501, Public Law 106-113.

[43] WIPO, Joint Recommendation Concerning the Protection of Marks and Other Industrial Property Rights in Signs on the Internet (2001).

[44] Agreement on Trade-Related Aspects of Intellectual Property Rights, 15 Apr 1994, 1995 ATS No 38 (entry into force for Australia 19 May 1995).

[45] MGM v Grokster (2004) 380 F 3d 1154.

[46] The most celebrated being the DeCSS crack for the Content Scrambling System (CSS) used on DVD (Digital Versatile Discs): Universal City Studios Inc v Reimerdes (2000) 111 F.Supp.2d 294. Taken to an extreme, in 2007 the licensor of the Advanced Access Content System (AACS) began to issue take-down demands to those publishing a hexadecimal number—09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0—which with the appropriate software could be used to circumvent copy protection on high definition DVDs: see http://www.chillingeffects.org/notice.cgi?sID=3218.

[47] RIAA v Verizon Internet Services (2003) 351 F 3d 1229, and for an early perspective see Malcolm, Jeremy M, Opinion: APRA v Telstra (1998).

[48] Cassavoy, Liane, Music Labels Declare War on File Swappers (2003).

[49] Digital Millennium Copyright Act 1998 (US) 112 Stat 2860, Public Law 105-304.

[50] See eg the submission of ARIA (the Australian Recording Industry Association) to the Senate enquiry on the FTA at http://www.aph.gov.au/Senate/committee/freetrade_ctte/submissions/sub133.pdf.

[51] See Malcolm, Jeremy M, Dark Shadows of the Australia-United States Free Trade Agreement (2004).

[52] See http://www.eff.org/.

[53] See http://www.efa.org.au/.

[54] See Section 4.2.4.4.

[55] WIPO, Member States Adopt a Development Agenda for WIPO (2007).

[56] OHCHR, The Right to Freedom of Opinion and Expression (2002).

[57] See Section 3.4.3.2.

[58] See http://www.state.gov/g/drl/rls/78340.htm.

[59] Cox, Christopher, Establishing Global Internet Freedom: Tear Down This Firewall (2003).

[60] Yahoo! Inc v La Ligue Contre le Racisme (2006) 433 F3d 1199.

[61] Auchard, Eric, Google Agrees to Censor Service to Enter China (2006).

[62] Goldsmith, Jack L & Wu, Tim, Who Controls the Internet?: Illusions of a Borderless World (2006), 1–10, 93–96.

[63] See http://www.iwf.org.uk/.

[64] Edwards, Lilian, From Child Porn to China, in one Cleanfeed (2006).

[65] Canadian Coalition Against Internet Child Exploitation; see http://www.cybertip.ca/app/en/projects_overview.

[66] See Heywood, Lachlan, Onus on Providers to Clean Up Web Content (2007).

[67] See http://www.icra.org/vocabulary/.

[68] Dow Jones & Company, Inc v Gutnick (2002) 194 ALR 433.

[69] General Assembly of the United Nations, Guidelines for the Regulation of Computerized Personal Data Files (1990).

[70] OECD, Guidelines for the Protection of Privacy and Transborder Flows of Personal Data (1980).

[71] Fleischer, Peter, Call for Global Privacy Standards (2007).

[72] European Commission, Directive on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data (1995).

[73] See http://www.export.gov/safeharbor/.

[74] auDA, WHOIS Policy (2003).

[75] GNSO Council, Recent GNSO Policy Development Activities on WHOIS (2007).

[76] See http://www.truste.org/.

[77] See http://www.bbbonline.com/.

[78] See http://www.cpawebtrust.org/.

[79] Cranor, Lorrie F, The Role of Data Protection Authorities in the Design and Deployment of the Platform for Privacy Preferences (2001).

[80] Agrawal, Ruchika, Why is P3P Not a PET? (2002).

[81] Clarke, Roger, Meta-Brands (2001).

[82] European Commission, Directive on the Protection of Consumers in Respect of Distance Contracts (1997).

[83] European Commission, Directive Concerning the Distance Marketing of Consumer Financial Services (2002).

[84] OECD, OECD Guidelines for Consumer Protection in the Context of Electronic Commerce (2000).

[85] See http://www.treasury.gov.au/contentitem.asp?NavId=014&ContentID=1083.

[86] OECD, OECD Guidelines for Protecting Consumers from Fraudulent and Deceptive Commercial Practices Across Borders (2003).

[87] See http://www.icpen.org/.

[88] R v Hourmouzis (unreported Victorian County Court, decided 30 October 2000).

[89] SEC v Hourmouzis (unreported, District Court of Colorado, no 00-N-905, decided 1 May 2000).

[90] See http://web.archive.org/web/20050204094737/http://www.export.gov/apececommerce/consumer_protection.html for the former content.

[91] See http://www.scamwatch.gov.au/.

[92] See http://www.un.org/millenniumgoals/.

[93] European Commission, Internet Network Issues (2000).

[94] See Section 4.3.5.2.

[95] See Section 6.2.3.

[96] See http://www.worldbank.org/.

[97] See http://www.unesco.org/.

[98] See http://www.unctad.org/.

[99] See http://www.undp.org/.

[100] DOT Force, Digital Opportunities for All: Meeting the Challenge (2001).

[101] See http://ec.europa.eu/information_society/eeurope/.

[102] See Section 5.1.

[103] See http://www.giic.org/.

[104] See http://www.apc.org/.

[105] MacLean, Don, Souter, David, Deane, James, & Lilley, Sarah, Louder Voices: Strengthening Developing Country Participation in International ICT Decision-Making (2002).

[106] See http://www.unicttaskforce.org/.

[107] See http://www.unicttaskforce.org/thirdmeeting/openpage.html.

[108] So called because there are 18 letters between the “i” and the “n” in “internationalisation.”

[109] UNESCO, Recommendation Concerning the Promotion and Use of Multilingualism and Universal Access to Cyberspace (2003).

[110] See http://www.unicode.org/.

[111] See http://www.w3.org/International/.

[112] W3C, Web Content Accessibility Guidelines 1.0 (1999).

[113] See http://www.minc.org/.

[114] ICANN, IDN Status Report (2007).

[115] i-DNSnet, PRC Government Approves Chinese Character Internet Domain Names (2005). An Arabic root has also been established by Saudi Arabia, and there have been reports of Russia having similar plans for a Cyrillic root: Rampell, Catherine, A Script for Every Surfer (2007).

[116] See http://www.uncitral.org/.

[117] UNCITRAL, UNCITRAL Model Law on Electronic Commerce (1996).

[118] UNCITRAL, UNCITRAL Model Law on Electronic Signatures (2001).

[119] UN Convention on the Use of Electronic Communications in International Contracts, 23 Nov 2005; see http://www.uncitral.org/uncitral/en/uncitral_texts/electronic_commerce/2005Convention.html.

[120] Hague Convention on Choice of Law Agreements, 30 Jun 2005; see http://www.hcch.net/index_en.php?act=conventions.pdf&cid=98.