BARCELONA, Spain — The Internet Corporation for Assigned Names and Numbers (ICANN) is struggling over Europe’s privacy legislation. Is there a data “war” in the making?
the potential start of new TLDs and the hot topic of GDPR and Whois.
It is exactly 20 years since the founding of ICANN and two years after being finally fully privatized, and the self-regulatory internet domain name body has been named a “practical peace project underway” by its President and CEO Göran Marby. But it is now struggling with an old issue: privacy and access to personal information in the Whois database.
Since the European General Data Protection Regulation became effective, ICANN has closed down access to personal information about domain registrants based on a temporary policy specification. Whois, GDPR and future models to balance privacy and security in the domain name industry are the top issue once again at the ICANN63 meeting in Barcelona (20-25 October).
Negative and Positive Effects of GDPR Implementation
Law enforcement officials and ICANN’s Intellectual Property Constituency and Business Constituency are up in arms over negative effects of being forced to present their requests for data to registrars and registries on each individual case.
Steven Wilson from the European Cybercrime Center (E3C) at Europol said Europol’s investigations in non-cash fraud, child-sexual exploitation and terrorism “all are affected by Whois,” adding that while privacy is a fundamental right, the rights of victims, serious threat to life on a daily basis, and the exploitation of people online makes that balance “a really difficult one to strike.”
Vicky Sheckler, deputy general counsel at the Recording Industry of America Association and vice president of the IP Constituency in ICANN, said “in terms of the harms that we have seen since the changes in the structure to Whois data, we see a degradation of access and data transparency.” It is not about “indiscriminate access,” Sheckler argued in a session with governments. RIAA’s concerns are trademark and copyright infringement claims, harm to consumers and cybersecurity.
A joint survey by the Anti-Phishing Working Group and the Messaging, Malware and Mobile-Anti-Abuse Group complains that the Temporary Specification of the EU GDPR is “significantly impeding cyber applications and forensic investigations and allowing more harm to victims.” More data was added by MarkMonitor.
A lot of back and forth on some of the data presented by the rights owners has been going on since even before the ICANN meeting. Elliot Noss, CEO of Canadian Registrar Tucows, in a brief letter to the ICANN Board denounced a report sent by brand protection company Appdetex before the ICANN meeting. Requesting over 1200 data sets from Tucows, Appdetex waited until days before the ICANN meeting before it answered requests for additional information on their claims, Noss explained in the letter.
“It is apparent to us that the concern here is not for the trademarks of Facebook or any other customer, but for generating baseless noise and attempting to shift public and government perception of registrars,” he charged.
ICANN registrars also point to positive effects of the closed Whois database. Spam email has gone down, according to them, since email addresses of domain name registrants are no longer published. Some, like Tucows, have prepared dedicated portals to manage access requests.
Governments Support Rights Owners Access
Intellectual property rights owners, meanwhile, see themselves well-supported in their endeavour by governments represented in the ICANN Government Advisory Committee (GAC). The rights owners’ request for easy access to data is included in the list that governments have made up for legitimate and necessary third-party access.
Spanish data protection official Enrique Factor, who spoke during a “high-level meeting” of governments said: “I reckon there are other databases like Whois which are of paramount importance in cyberspace, but all of them must comply with the law.” Acknowledging the need to balance conflicting rights, Factor said, “We’ll fight for the defence of our rights, but this cannot be at the expense of transparency, fairness and compliance with the law.”
The US government has been one of the most vocal supporters to restore access to Whois data for law enforcement, IP owners, as well as security researchers. David Redl head of the US National Telecommunications and Information Administration (NTIA), underlined the US position once more at the high-level meeting of governments (HLM) organised by the Spanish government on the first day of ICANN63.
“For us it all starts with security,” Redl explained in the HLM session on future technologies. “Our security-focused mindset is also a big reason why the US is adamant that ICANN and the community develop a universal mechanism that permits lawful access to Whois information. Whois is a vital tool for cybersecurity, law enforcement, consumer protection, and the enforcement of intellectual property rights.”
Other governments questioned the data protection focus as well, for a variety of reasons. India in a letter ahead of the meeting warned that GDPR would pose serious threat to security and integrity of the internet, be a setback to bridging the digital divide and even result in protectionism and bureaucratic hurdles to accessing Whois data.
Thiago Braz Jardim Oliveira said during the HLM that it is “unacceptable” to Brazil “that ICANN continues to be subject to the laws and tribunals and to the enforcement of one single country where ICANN is legally incorporated.” While no longer linked by contract to the United States, ICANN remains incorporated in California, where the US originally established it.
Referring to Europe’s GDPR, Oliveira said it is “also unacceptable to us that ICANN feels compelled to adopt its policies to the laws of just a handful of states, but not to the laws of all the others.” ICANN has to evolve to make sure to be accountable to all countries, the Brazilian official from the Ministry of External Relations added, thereby reviving an old issue of contention for ICANN which had died down since the transition of IANA from US to ICANN and multi-stakeholder oversight (IPW, ITU/ICANN, 17 August 2016).
Fight over Unified Access Model
Jointly with governments, IP rights owners and Business Constituency members strongly welcomed the initiative of ICANN CEO Marby to develop a Unified Access Model (UAM) for access that would make ICANN a central data controller, taking on liability while validating requests from law enforcement, IP owners and security researchers to handle access requests then answered by domain name registries and registrars.
Steve del Bianco, president of the NetChoice Coalition, a US-based trade association of ecommerce businesses and member of the Business Constituency, during the first public forum of ICANN in Barcelona called support for this Uniform Access Model a highly welcomed alternative to other options the IP and business constituencies saw, namely filing a possible community reconsideration process against ICANN according to new bylaws.
Registrars seem to find the idea of having ICANN as a “sole data controller” quite attractive, with ICANN verifying and credentialing prospective data users with legitimate and proportionate interests in registration data consistent with the qualifications, requirements and safeguards of the policy, a code of conduct, and/or rules.
But the Non-Commercial Stakeholder Group, which had asked ICANN to address data privacy in domain registration on data privacy for well over 10 years, long before the GDPR, sharply rejected the idea, warning especially not to undermine ongoing policy work on the fundamental reform of Whois.
“The process of defining an access mechanism is the second step in the EPDP [expedited policy development] process,” warned Milton Mueller, professor at Georgia Institute of Technology, said during a meeting of the Non-Commercial Stakeholder Group with the GAC.
Talking about access is making step two before the ongoing bottom-up policy process on what data ICANN can collect in the first place has been finalised, he argued. “We don’t understand why the board is initiating a discussion on access model much less they are saying it has to be unified model,” said Mueller.
External support for some caution comes from the Data Protection Unit of the Council of Europe. Peter Kimpian, data protection expert at the 47 member state organisation told Intellectual Property Watch that a database which was set up for one purpose – business or in ICANN’s case, the management and safety of the internet – could not just be repurposed for other things.
“Access to those data by somebody else for another purpose which has not been defined before, that needs much bigger interest,” Kimpian said. “We think only public interest can justify the interference. One should not forget that the data held with ICANN is for one purpose, and law enforcement has another purpose, whereas all the other parties have civil law interests.”
For other interests, another structure has to be considered, Kimpian said, built like the UN World Intellectual Property Organization, he argued. “It cannot be the same because the level of importance would not be the same,” he said. The Council of Europe just published guidelines for privacy in ICANN’s work.
The dedicated expedited policy development process (EPDP) addresses these very questions. It has been tasked to create the official new ICANN policy on Whois and working since August to replace the current temporary specification which the ICANN management introduced at the twelfth hour, just before 25 May, when the GDPR took effect.
While progressing methodically through the legal questions about what the purposes for the data collection for the Whois data are, and what processing activities are performed by the various parties in domain registration process, the EDPD is slow, Ashley Heineman from NTIA noted in her report to the GAC.
Purpose and legal bases for processing have to be dealt first, Heinemann said, “before an access model and associated issues can be dealt with. That was bit of hard pill for us GAC members to deal with as that was primarily our largest concern.”
While Heinemann said government members in the EPDP have come to terms with the step-by-step approach, the GAC nevertheless clearly applauded ICANN and asked Marby to go ahead with exploring the Unified Access Model (UAM).
Technical Working Group?
ICANN President Marby defended his course to put the UAM proposal for a uniform access model on the table, even entertaining the idea that ICANN itself could be the central data controller vetting and handling access by law enforcement from around the world and third parties like IP lawyers.
Marby during the Public Forum suggested work on the UAM could also be undertaken in the form of a technical working group which explores the feasibility with participants from the community. Policy development for access in the end has to be taken on by the community, he assured.
Tucows CEO Noss, while saying the UAM might be an interesting idea, also warned: “I have some fear, not with the idea, it is a good idea. It is also an incredibly difficult idea that may not succeed, much like the EPDP itself. My fear is that a singular focus on it can take significant energy and time away from that good work.”
A solution for the privacy tussle on an international level could give proof that the multi-stakeholder model is in fact the best model for internet governance, Noss said. But for now, GDPR remains the biggest test for the practical peace project ICANN.
Image Credits: Monika Ermert