Facebook did not have a good 2018. It treats its customers’ personal information as a commodity: the New York Times revealed that “For years, Facebook gave some of the world’s largest technology companies more intrusive access to users’ personal data than it has disclosed, effectively exempting those business partners from its usual privacy rules, according to internal records and interviews.”

But Facebook’s approach to privacy goes beyond mere disregard, and it is not limited to its own customers. Facebook has an anti-privacy public policy approach. To shed light on that, we will explain Facebook’s approach to the privacy of domain name registrants and the protection of their data in a directory called WHOIS, a topic which has never been covered before.

During the ICANN WHOIS policy meetings, the chair sets an agenda which can be amended or added to at the request of the policy group members. The Facebook representative has never missed a chance to add issues to the meeting’s agenda that would weaken the data protection of domain name registrants and help maintain a public WHOIS. For example, the Facebook representative has pushed to require additional contacts (admin/tech) to consent to the publication of their data rather than have it redacted; she has insisted on trying to force registrars to differentiate natural and legal domain name registrants, and hence not protect the legal person’s data; she has attempted to put the burden of data accuracy on domain name registrars; and she has pushed to make ICANN fragment its policies by differentiating domain name registrants geographically, so that no protection is provided for those not subject to European jurisdiction.

Facebook and the accuracy argument

Facebook has continuously brought up the issue of the accuracy of domain name registrants’ personal information, and has repeatedly advocated for accuracy, not in favor of the data subject but in favor of the rights of “others” (meaning third parties such as Facebook itself). Facebook never acknowledges that accuracy in GDPR is about protecting the data subject: the right to correct mistakes in personal information and to shield the data subject from abuse of inaccurate data by the controller.

Even when the Facebook representative quotes the UK Information Commission Organization, her interpretation of its guidelines is self-serving. This wrong interpretation appears in almost all of the public comments submitted by intellectual property lawyers in this regard.

The argument is based on Article 5 of GDPR which states that personal data shall be “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.”

Accuracy is a data subject right. It is in GDPR to give the data subject a chance to correct an inaccurate personal data element about herself and to prevent the controller from using the inaccurate data against her. It is not about the right of a third party to accurate personal information. It has nothing to do with the accuracy required by ICANN policies, which is all about protecting third-party “interest” by obliging registrants and registrars to keep the data accurate.

Fight to limit data protection globally

Facebook does not want domain name registrants to enjoy data protection globally. On 20 December 2018, during an EPDP meeting (a policy meeting at ICANN), the Facebook representative supported an approach that would treat domain name registrants’ data differently based on jurisdiction. She stated:

“…I know it’s called a rules engine [an engine that decides what law applies] but I believe that it’s more of a – essentially a flow chart concept of, you know, factoring in different elements that relates to the jurisdiction and then making a determination on what rules would apply. And as I look at it, I think it’s something that – and I think we asked this question or someone asked this question on the – maybe the last call – that really should be done by ICANN, you know, in consultation with legal counsel.”

So in effect, Facebook is asking to try as much as possible not to protect domain name registrants’ data if it is found that they are not subject to GDPR, and to treat the data protection of domain name registrants differently based on their jurisdiction, with the implied intent that, since GDPR sets a high bar for data protection, they would not have to provide such a high bar for other domain name registrants around the world.

Milton Mueller responded to this suggestion as follows:

“I’m really kind of shocked because this is supposed to be an ICANN meeting, and the reason we have ICANN was to have a global policy and governance for the domain name system. And I hear people talking about instituting essentially making ICANN differentiate between different national jurisdictions. And may I remind everybody that there are 50 state-level jurisdictions in the United States alone and each of them can be – does have for example different data protection – or data breach regulations and I can only imagine what happens when you start extending this into developing country provinces and regions. The only solution to this issue is to have a global policy that sets the bar high enough that it’s not in any risk of contravening the laws of any jurisdiction and it’s actually not that hard to do. The kind of data that is in the Whois is fairly basic and we have some very common threads as to how not to run afoul of basic concepts of privacy. So ICANN’s job is to create a global mechanism for governance of the domain name system and this false promise that we can somehow implement artificial intelligence that automatically applies the proper jurisdiction to any of 300 million domain name registrations is just pointless.”

Facebook’s anti-data-protection advocacy in the name of security

Facebook also tries to justify suggestions that would weaken data protection in the name of security. For example, Facebook argued that ICANN might need access to the personal information of domain name registrants to bring about security in the DNS. It suggested asking ICANN: “did OCTO (office of chief technology officer) use WHOIS in its law enforcement training and outreach activities, or engagement with the cybersecurity community, or to facilitate or respond to large scale botnet attacks, such as Conficker or Avalanche”. OCTO clarified that it does not need access to personal information for its security work, and that where personal information is needed, it can be pseudonymized (or hashed). It was a failed attempt by Facebook to advocate for granting access to people’s personal information when it is not needed!

Advocating for data mining

Facebook has been advocating for data mining to be allowed in WHOIS policy. This means that Facebook would be able to find all the domain names related to one potentially trademark-infringing domain name registrant. This function was known as reverse WHOIS and was used by security researchers to establish a malicious pattern of registration and mitigate botnets. But this function has also been used and abused by some intellectual property owners to challenge domain name registrants while denying them access to due process as far as possible. Reverse WHOIS can also identify the domain name registrant or expose their personal data where it is not protected by GDPR or by a privacy and proxy service.

A final reminder

Facebook’s policy approaches matter to global Internet governance and to our rights. In the case of domain name registrants’ data protection, Facebook has even inspired and led other actors to argue for less data protection. Facebook has an agenda it has not backed off from: it is vigorously advocating and lobbying for minimal individual rights on the Internet. Facebook’s approach is bad for the Internet; its anti-rights and anti-privacy advocacy positions should be revealed and its actions in policy forums should be scrutinized.
