The conflict between ICANN’s contracts and data protection law is dominating discourse and policy making at the ICANN 61 meeting in San Juan, Puerto Rico. ICANN requires registries and registrars to provide a public directory service, known as Whois, that gives anyone in the world immediate access to personal data about the registrant of any domain name they look up. ICANN has ignored warnings about the illegality of this for nearly two decades. The coming into force of Europe’s General Data Protection Regulation (GDPR) in May of this year has prompted it to start throwing together some reforms. This is the last big public meeting before GDPR takes effect. ICANN has a chance, or rather had a chance, to bring the community together to forge a path towards compliance.
Unfortunately, after several days on the ground in Puerto Rico we have to report that ICANN org is in all likelihood going to blow this opportunity. Key members of ICANN’s board and staff, and certain stakeholder constituencies, simply are not prepared to make the changes required to ensure GDPR compliance. The “stakeholders” who are driving ICANN’s decision making on Whois reform are still in denial; they are not talking about how to comply with the law; they are still talking about how important and beneficial the old Whois was. They want to retain as much of the old Whois as possible, while draping it with GDPR-compliant clothes. Insofar as they consider compliance or legal risk it is only to find lame rationalizations and procedural loopholes that will allow them to keep on doing what they are already doing. ICANN’s community, in short, is asking for lawsuits and fines.
The thesis of this blog is that we should give them exactly what they are asking for. Let us prepare for litigation, not as a possibility but as a virtual certainty. Let us calmly and carefully document the ways in which ICANN’s reforms fail basic GDPR tests. Let us make it clear to ICANN’s contracting parties that they, too, are at risk and that they will be sued. Let us make it clear that we will be cheering the litigants on, supporting them and even funding them, unless ICANN stops playing games and makes the simple reforms needed to respect basic data protection principles.
What accounts for this pessimistic appraisal?
Several things. First, on March 8 ICANN released its proposed interim model for GDPR compliance. If one looks at Attachment 3 of this model (page 56), one sees a drastic reduction in the data that will be displayed publicly in Whois. Before one celebrates, however, one must go down to Attachment 4 on page 58. ICANN is trying to escape the lash of data protection law by means of “tiered” access, which means that most of the data will not be available to anyone who queries a domain, but it will be made available to certain “accredited” parties. Who will be accredited, then, and how will this be decided? That is the crucial issue, and on this topic the so-called reforms turn into a bad joke.
ICANN’s whole approach to tiered access is to let in all the special interest groups who have been using Whois data in the past simply by accrediting them. Worse, instead of using its own vaunted multistakeholder policy development process to develop criteria for layered access, ICANN has chosen to outsource all critical decisions to the Governmental Advisory Committee (GAC). It abandons multistakeholder decision making and makes GAC the legislature, judiciary and executive all in one. The comment of the Noncommercial Stakeholders Group made it clear why this is a bad idea:
The GAC can take on the role of identifying legitimate law enforcement agencies and developing single point of contact approaches for those law enforcement agencies. However, we do not believe they are sufficiently versed in community needs to develop accreditation standards for other organizations. The GAC has frequently complained about the speed of policy development in the GNSO because they have difficulty devoting the time to follow the activities of the Policy Development Process Working Groups; we cannot imagine how it could cope with the difficult task of determining who should get access, and for what data. If the notion is to hand the whole process development over to law enforcement via the GAC’s Public Safety Working Group, we strongly object. The GAC’s Public Safety Working Group has not included data protection authorities or experts among its members. It operates in secret. Given the constant tension that exists between law enforcement agencies and human rights advocates, including government-appointed officials tasked with the responsibility to protect citizens’ rights, such as data protection authorities and the judiciary, it is completely unacceptable to rely on the GAC or the Public Safety Working Group to do this task.
But even the NCSG criticism understates the problem with this proposal. This is actually a revolutionary change in ICANN’s mode of operation; by empowering the GAC to take on the role of rule maker, arbiter of access claims and enforcer of terms and conditions, it nudges ICANN away from multistakeholder governance and towards intergovernmental governance.
This proposal is so outrageously inconsistent with ICANN’s purported multistakeholder ethos that it cannot have been made in good faith. ICANN org knows full well that the GAC is captured by law enforcement and intellectual property interests and largely excludes privacy and data protection advocates from consideration. It knows that if civil society and registrars were included in the development of the criteria that the outcome would be radically different. To put the GAC in such a powerful role is clearly an attempt to bias the outcome in favor of continued open access to the data.
Another alarming aspect of ICANN’s approach to tiered access is that it does not address what happens on and immediately after May 25, when the GDPR becomes applicable. Even if we gave the GAC unilateral power to define such criteria, there is no way it will be finished two months from now. So will ICANN just retain the status quo and force its contracted parties to be blatantly out of conformity with European law? Or will the staff of ICANN throw together some rough criteria for access without any community input, criteria that will likely become the de facto standard for years? Neither option is acceptable. The only choice that ensures GDPR compliance is to not have layered access at all until a robust consensus policy for criteria and methods is developed.
ICANN’s interim proposal falls fatally short in another way: it does not even try to develop a purpose for the Whois service, which we have already flagged as the most critical issue. In its interim model document, ICANN stated that it convened a meeting on
“how best to capture the various uses of the current WHOIS services. After receiving submissions from members of the ad hoc group and others, a Personal Data “Use” Matrix was published for community input in July 2017. This document was instrumental in helping to establish the purposes of processing defined in the Interim Compliance Model.”
In other words, the existing uses of Whois data are being taken as the “purpose” of Whois. This is completely backwards and wrong-headed. If you throw open a source of free data to anyone in the world, the world will develop a multiplicity of uses for that data, and each of those uses will gain a constituency that will agitate to retain it. What needs to be done, as many registrars, registries, noncommercial users and data protection authorities have argued, is to define the purpose of data collection for Whois in narrow terms based on ICANN’s mission, which is only to protect the global interoperability, stability and security of the domain name system.
But ICANN insists on basing purpose on use cases. Its interim proposal even goes so far as to say that public comment “did not object to the draft purpose description included in the ICANN Proposal.” This is a bald-faced lie. Among other objectors, here is a selection from the letter from the International Working Group on Data Protection in Telecommunications (Berlin Group) that was just sent to ICANN last week:
“Although the privacy issues have been brought up and contested over the many years that WHOIS has been studied and discussed at ICANN, there has not been a de novo review that looks at the original purpose of the directory. Many “use cases” have sprung up because the data in the registrant directory is useful for marketing, research, rights protection, consumer protection, law enforcement, and other purposes. This has led to increasing demands for data from different stakeholders who are organized in the ICANN community, that have found their way to some extent into the 2013 RAA. This was in the view of the Article 29 Working Party in contradiction of European data protection law in several respects. The Article 29 Working Party has shared extensive comments on this in the past.” (emphasis added)
And here are the comments of the Noncommercial Stakeholders Group:
“[ICANN’s] attempt to make serving the ‘global public interest’ a legal basis for processing is fundamentally flawed, particularly when processing means providing full access to personal data for stakeholders who have assembled at ICANN but whose core activities are not fundamental to the DNS. Value added service providers, intellectual property lawyers, and domain name marketers may have considerable financial interests in getting easy access to data, but that does not mean that ICANN should facilitate that, nor that these uses of registrant data are in the public interest or vital to the stability and security of the DNS.”
In its interim proposal, ICANN has nevertheless stated that it “takes on board the comments from the community that the purpose description should be revised to include registration data processing activities beyond operating a WHOIS system.” This is not the consensus of the community and it does not comply with GDPR.
ICANN calls its interim draft a “Working Draft for Continued Discussion.” There will be lots of discussion, we guarantee that. But the model is so overtly biased and so redolent of ICANN’s historic tendency to ignore privacy advocates that we are not hopeful it will be improved. CEO Goran Marby is studiously going through the motions of listening to everyone, but it’s abundantly clear who gets tuned out and who gets tuned in. It was the threat of legal action that got us this far; it is likely that only real legal action will take us any farther.