On February 7, ICANN released an initial report on the next step in the reform of Whois. The report will be open for public comment until March 23, 2020. In the analysis below, we make it clear what issues defenders of privacy and individual rights should address in their comments.
At stake in this report is a fundamental question: Are we recreating the old, unredacted Whois by allowing the parties who want private data to become accredited by ICANN and then gain automatic access to any data they request? Or are we truly restricting the disclosure of private data to cases in which it is legally justifiable? Data Protection Authorities, please take note.
Prior to the passage of Europe’s General Data Protection Regulation (GDPR), ICANN ignored the world’s privacy laws, and required registrars and registries to publish personally identifiable information of any and all domain name registrants. All you had to do to get the name, address, email and phone number of a domain name registrant was to type the domain into your friendly local Whois server. A variety of surveillance interests benefited from the free availability of this data; some companies vacuumed it up and sold it in bulk.
The passage of the GDPR, with its heavy fines and renewed commitment to data protection, forced ICANN to put an end to that. ICANN responded by creating what it called an “Expedited Policy Development Process” (EPDP). The EPDP was mandated to quickly bring its Whois system into compliance with GDPR. In the first phase of that process, the EPDP moved to redact some of the most sensitive data from public access. We covered the results of Phase One in this blog.
Now that some data is redacted, the second phase of the process involves enabling parties to gain access to the redacted data when it is legally permissible. This involves setting up a system that accepts requests for data, screens them to determine whether they are justified, and imposes conditions on the receiving parties to ensure that the private data are not abused. This has come to be known as a “Standardized System of Access/Disclosure” (SSAD). SSAD would create a standardized, globalized method for parties to request disclosure of registrant data, followed by a uniform and (hopefully) legally compliant set of policies for deciding when to disclose it. In other words, an SSAD is a gatekeeper to the private data. Legitimate requestors of data might include law enforcement agencies, trademark and copyright holders policing their IPR, or business and government entities combating phishing and other cybersecurity threats. Currently, nothing stops these parties from requesting disclosure of registration data from the registrar servicing the domain. There is an efficiency problem, however. There are hundreds of registrars scattered across multiple jurisdictions, and each of them might have different methods, formats, timelines or criteria for responding to these requests. It is perfectly legitimate for ICANN to try to standardize and expedite this process, as long as it respects data protection rights.
This is expedited? I’d hate to see slow
The EPDP, now in its second year, suffers from the usual stalemates afflicting ICANN’s bottom up consensual policy making. The report that was released February 7 was not even a complete set of recommendations, but a partial proposal leaving many questions undecided.
Part of the delay is attributable to the fact that we are setting the parameters for a complex global information system that will be used by diverse stakeholders. But the main reason is that it has been difficult to achieve consensus between the privacy advocates and contracted parties, on the one hand, and what we have called the surveillance caucus on the other. The surveillance caucus (led on the EPDP by Facebook and Mark Monitor representatives) wants to make the data as easy to access as possible. The privacy advocates want to restrict disclosure decisions to instances where it is clearly justified by GDPR. The contracted parties tend to side with the privacy advocates because they have an interest in protecting the data of their customers and are concerned about their legal liability as a data controller if they allow unwarranted disclosures.
The Hybrid model
The basic SSAD design set out in the initial report involves an accreditation process administered by ICANN, so that parties who want to request data via the SSAD can be authenticated, their requests audited and their claims (e.g., “I am a trademark holder”) verified. The EPDP agreed that it made sense, both from an efficiency and justice perspective, to centralize the accreditation and request process. A single centralized point for making disclosure requests makes it easier for requestors to know where to go, and allows requests to be logged, audited, standardized in format, and automatically acknowledged.
Some EPDP parties (the surveillance interests) wanted the disclosure decision to be centralized as well. This would mean that ICANN Inc., not the contracted parties, would be deciding to release their customers’ data. Some registrars and registries were tempted by this option, because it suggested that ICANN would assume liability for making wrongful disclosure decisions. This option foundered, however, when European Data Protection Authorities made it clear that legally the contracted parties are data controllers and could be held liable even if ICANN made the disclosure decision for them. Privacy advocates, for their part, do not trust ICANN to make the disclosure decision in conformance with privacy norms, given its 20-year history of ignoring or evading data protection law. So the EPDP pursued a hybrid model for the SSAD, in which accreditation and disclosure requests would be centralized, but disclosure decisions would be made by the contracted parties.
At this point, the issue of automation reared its ugly head. From the beginning, key members of the surveillance caucus made it clear that they favored automating disclosure decisions as much as possible. Automation means that there is no human review of the request, no balancing test; the requester simply puts a query into the SSAD and automatically gets the private data instantly. It should be clear that automated decision making is centralized decision making. The criteria for disclosure would be built into the SSAD gateway. Contracted parties would play no role in determining whether to disclose or not. And because there is no human review, anyone who wants instantaneous access to the protected data would quickly learn what inputs to enter into the system to receive an automatic result.
Advocates of automated decision making typically make their case by saying “well, given a request that meets conditions X, Y and Z, it is obvious that the data should be disclosed.” The fallacy in that argument is that if a query is automated, no one knows whether conditions X, Y and Z are actually met. The only way to find out is to engage in extensive ex post audits, long after the data has been disclosed, a weak and largely impractical safeguard.
The push for automation makes it clear that some stakeholders want the SSAD to reincarnate the old open-access Whois. Just as they used to be able to get domain registrants’ PII merely by submitting a query to a Whois server, they now want to get automatic access to PII merely by submitting a query to the SSAD. These same parties have insisted on being able to make multiple requests at the same time, and have fought hard against any financial model that would charge them a fee for each query. They want to be able to attach their software-driven data vacuums on to the SSAD and suck out whatever they want, whenever they want. The only difference between this and the old Whois is that requestors will have to first be accredited. But agreed policy makes it clear that accreditation should be available to anyone, so that is not much of a barrier. Certainly not to corporate behemoths like Facebook.
Enter the Chameleon
Having seemingly lost the struggle for centralized disclosure decisions, the surveillance caucus suddenly received a huge gift from EPDP chair Janis Karklins and ICANN staff. On January 21, a “new model” that had never been discussed in calls or proposed by any EPDP member was sent to the group’s email list by ICANN staff. Although it was called “SSAD hybrid model,” the proposal said it would “evolve to a centralized model.” Apparently, the hybrid model was now just an early larval stage of the centralized model. In the words of UK GAC representative Chris Lewis-Evans, who apparently was fully liberated from GDPR by the conclusion of Brexit, ICANN policy should “automate [disclosure decisions] to the greatest extent possible at the start and move towards automating a greater proportion of activities” going forward. So even though we thought we had come to an agreement to pursue a hybrid model, suddenly the staff were proposing a model that was committed to progressively automating and centralizing disclosure decisions. Without any apparent irony, the originators dubbed it “the chameleon” model.
To make matters worse, the chameleon model proposed the creation of a “Standing Committee” to guide the “evolutionary” process. The Committee would be able to modify the system and decide what decisions could be automated while “avoiding the need for a Policy Development process.” And, in a jaw-dropping expression of bias, the composition of the standing committee proposed by the staff did not allocate a single seat to the privacy/civil society representatives in the NCSG, while giving a dedicated seat to the trademark constituency, the business constituency, the GAC, and the SSAC – all of which are firmly committed to liberal and automated disclosure policies. The selections were carefully structured to ensure that the contracted parties did not have a majority, as well.
Watch out for lizards
The EPDP was quickly shamed into dropping the standing committee idea, but the mere fact that this was seriously proposed should be a clear warning to civil liberties advocates that they need to be on their guard. Automation is the Trojan horse that ICANN hopes will lead us back to the promised land of largely unrestricted access to registration data. Indeed, the report released for public comment still embodies an unresolved, fundamental conflict between advocates of automated/centralized decisions, and disclosure decisions that are reviewed to ensure compliance with privacy laws. All the reforms of Whois put into place in Phase 1 could easily be undone in Phase 2.
We recommend that privacy advocates take a careful look at preliminary Recommendation 7 and the last paragraph of Preliminary Recommendation 16. In their comments, we urge them to express strong opposition to any presumption that automation is desirable or required, or that the balancing tests mandated by privacy law can be automated. We also urge privacy advocates and DPAs to prepare to critically evaluate some of the “use cases” for automated decision making.
Whether it is legal to automate disclosure of domain registration data on a global basis is an issue with implications that go far beyond Whois and ICANN; in the age of artificial intelligence it could set precedents with wide-ranging implications.