The ICANN Working Group that was trying to reconcile data protection and privacy principles with the domain name system’s legacy Whois directory, which publishes the name and full contact details of all domain name registrants, was finished today. “Finished off” might be a better term. Despite flirting with the kind of compromises and reforms that might actually reconcile privacy rights with identification needs, in the final weeks of the process trust and agreement among the parties broke down completely. The WG report has zero chance of gaining the 2/3 majority required to become an approved policy of the GNSO Council in its current form. It is unclear what the Board will make of it.
The battle between human rights advocates, who want to shield certain kinds of data from indiscriminate public access, and corporate and law enforcement interests, who want to use the Whois service as a free, open-access method for identification and surveillance of Internet users, has been going on for seven years now. Registrars are in the thick of this fight, since they are the entities whose customer data is exposed for anyone in the world to see, the ones who are obligated to operate the current Whois service, and the ones who stand to bear most of the cost burdens of certain proposed reforms. It was the registrar constituency that proposed the “Operational Point of Contact” (OPoC) reform that formed the basis of the Group’s work. OPoC would have shielded the registrant’s street address from public view, putting in its place a contact person that consolidated the role of administrative and technical contact in the old system. An OPoC would relay requests for information to the registrant. All the information contained in the current Whois service would have remained in place except for one thing: the street address of the registrant. That’s all. Even the real name and national and state (provincial) jurisdiction of the registrant would have been exposed.
It is hard to believe that such a miniscule change could generate three months of contentious work by nearly 60 people, ranging from representatives of each GNSO constituency to law enforcement agencies from the US, the Netherlands, and Canada; representatives of the banking and real estate industry; 5 or 6 intellectual property, hoteliers and software producers associations; not to mention a few companies that literally make their living collecting and selling Whois data. But it did.
The problem was that the intellectual property owners and to some extent also the LEAs wanted to offer a minimal amount of data protection with one hand, and then take most of it away with the other. The intellectual property lawyers tried to make the OPoC into an entity formally accredited and regulated by ICANN; they tried to make it into a third party with the authority to reveal the private data on demand and even to take down web sites or disable domains; they insisted on obtaining some kind of verification of the OPoC’s consent to be an OPoC; all activities that, however, potentially useful in theory, would increase the cost and complexity of registering domains and massively increase the risk that users would lose a domain for not responding to inquiries from trademark lawyers. They tried to whittle down the shielding of data to natural persons whose internet activities were completely noncommercial in nature. Along with the law enforcement and banking interests, they wanted backdoor access procedures enabling almost any private company to gain unlimited access to the shielded data of any domain merely by asserting that they needed it to pursue bad actors.
At some point in the process, the registrars decided that the additional costs of the Frankenstein-monster OPoC emerging from the WG was not worth the gains it would produce. If there is no reform they can continue to sell privacy to their users using proxy registrations, making profits that far exceed those they make on normal domain name registrations. They bailed out. It’s not clear yet whether the registry representatives are also giving up on the process.
Most of the really bad ideas failed to gain consensus, and the report recognizes that. On the critical issue of granting access to the shielded data outside the open public Whois service, however, the Chair of the Working Group, Philip Shepherd, who represents a European trademark lobbying group, played fast and loose with the definition of “Agreement.” The final draft of the report claims that certain highly contested views about access to data have reached “AGREEMENT.” What it doesn’t tell you is that the definition of the term Agreement was changed at the last minute, without permission agreement or even notice. If you look at the earlier versions of the report, AGREEMENT is defined very clearly as: “there is broad agreement within the Working Group (largely equivalent to “rough consensus” as used in the IETF).” This means that all but a couple of holdouts have converged on a common position. In the final report, Shepherd failed to obtain agreement on points he considered to be the desired policy. So the definition of agreement was changed. The definition now reads:
“there is broad agreement expressed by the contributing members of the working group though not necessarily unanimity. (This agreement is majority based and no attempt has been made to categorise agreement by interest group because participation had not been solicited nor organised by interest group)”
What this means in practice is that if 6 trademark lawyers and companies who profit from the sale of Whois data showed up for a conference call (and they often did) and only 5 people representing the rest of the world showed up, then the chair could describe as “agreed” and “broadly supported” whatever the surveillance party wanted. Not only has the WG abandoned consensus decision-making in favor of majority rule, but it does not even bother to balance representation when taking majority votes. It is just a matter of which group puts the most people on a conference call. In fact, it’s not even that fair; I am sure that if Noncommercial users managed to put 16 people on the call the definition of “agreement” would be modified again. So-called “rough consensus” decision making is always susceptible to this kind of abuse, but rarely is it done so blatantly.
In reality, on most of the key issues there was no agreement, just the same division of opinion between registries, registrars and civil society on the one hand, and trademark and law enforcement interests on the other.
This latest Working Group started out well. New participants were brought into the process and agreement around certain new ideas were forged. An important idea — a distinction between legal and natural persons — coul have formed the basis of an important compromise and move forward, but the registrars thought it would be too expensive to make that distinction at the point of registration. As time wore on, the trust and credibility of the group deteriorated rapidly as the most intransigent corporate and LEA interests came face to face with the fact that reforms might actually restrict access to data they wanted, and the registrars realized that reforms might cost them money.