More than a year ago, ICANN adopted a policy that redacted sensitive domain name registration data from public view to bring Whois into compliance with GDPR. The key data elements shielded were registrant email addresses and street addresses. The loss of free, unrestricted access to all DNS registration data was a shock to the intellectual property interests, who used it constantly and at high scale to identify domain name holders they accused of trademark infringement.
Phase 1 of the ICANN’s “Expedited Policy Development Process” (EPDP) determined which data elements would be redacted and which would be public. Some vital policy issues were left unresolved, such as whether data would be redacted for organizations as well as natural persons, and whether applicable policies would be “geographically differentiated” (to allow IPR interests to avoid European jurisdiction). But for the most part Phase 1 put a new, GDPR-compliant Whois into place.
What the law taketh away…ICANN giveth
Almost as soon as GDPR was put on a collision course with its Whois policy, ICANN Org made it clear that it wanted to “maintain the global WHOIS in its current form” as much as possible. So in Phase 2, the EPDP was tasked to develop a new mechanism to allow parties with a legitimate interest to gain access to the redacted data. The mechanism is known internally as the Standardized System for Access/Disclosure (SSAD). If it is ever implemented, SSAD would be an ICANN-administered information system that centralizes and automates the process of sending disclosure requests to registrars and registries and, after they have made a decision, returns the requested data. Disclosure would be governed by ICANN policies that are GDPR compliant.
Facebook v NameCheap
Facebook is suing NameCheap under the Anti-cybersquatting Consumer Protection Act (ACPA), an American law. The dispute, filed in late March of 2020, concerns customers who have registered domains such as “facebo0k-login.com,” “instagramlogin.org” and 43 other suspicious names. All are using NameCheap’s proxy service, known as WhoisGuard, to shield their registration data (but, post-GDPR, that data would be shielded anyway). Both WhoisGuard and NameCheap have refused to disclose the private data when Facebook requested it. These obviously suspicious domains, however, are only a small portion of the many disclosure requests Facebook’s lawyers have made of this registrar.
In its lawsuit, Facebook claims that NameCheap’s refusal to disclose data makes NameCheap a cybersquatter. It claims that ICANN’s Registrar Accreditation Agreement section 126.96.36.199, makes registrars legally responsible for acts conducted by its customers if they fail to disclose the name and contact info of the user (licensee) of a domain name within 7 days. (Or to be more precise, but possibly confusing, this part of the RAA tells registrars to put something like that into their contracts with their customers.)
So ICANN’s accreditation contract implies that if Registrars fail to disclose contact details to a requestor within 7 days, they are legally responsible for all the bad stuff that customers does. This is not pure intermediary liability: registrars can avoid liability by disclosing the registration data within a week. If they don’t, they can be charged with breaking the laws that their customers are breaking. And if a registrar is deemed a cybersquatter, then ICANN can withdraw its accreditation and poof, their business is dead.
NameCheap refused the disclosure request because their service is intended to protect privacy and because they believe they are not in a position to make judgments on the substantive allegations of the complaint. NameCheap also responds that the RAA contains a “No third party beneficiaries” clause, and Facebook is asserting a third party right. (The lack of any 3rd party beneficiary in a similar disclosure case was upheld by a US court in Balsam vs Tucows 627 F. 3d. 1158 in 2010.) More importantly, they contend that Facebook doesn’t need the data to reclaim or disable the domains. They could file a Doe lawsuit and discover the registrant’s contact details in court, or they could file a UDRP claim. In some ways, then, NameCheap is implying that we don’t really need a SSAD at all. They will disclose private data, but only if the requestor is a judge to which the case has been taken in a proceeding under national law.
If Facebook can sue the malfeasors without the private data, why is it suing NameCheap? Is it trying to punish registrars who refuse to disclose? Some speculate that it wants to de-accredit NameCheap, and that such de-accreditation will serve as a signal or warning to other registrars. Kill the chicken to scare the monkey.
Implications for the SSAD
That leads to an important question. What is the difference between a request for disclosure that comes from a court order and a request for disclosure that comes through an ICANN-administered SSAD? In the future, if the SSAD is implemented, will registrars treat SSAD requests as part of a quasi-judicial process governed by ICANN policies, or will they still insist on disclosure only in the case of court orders? Or will they fall somewhere in between – granting some requests and refusing others, based on their judgments of the legitimacy of the interest asserted and their own legal risk?
The process of developing an SSAD and structuring the way it will disclose private data while remaining compliant with data protection principles and norms has been a long and agonizing one. The SSAD design has many moving parts, and the projected costs of sustaining all these parts is looking to be bigger and bigger. The question of how we will pay for it and how the costs are distributed becomes more important. If we don’t intend to use this thing, why build it?
Negotiations over the SSAD are slowing down to a crawl because the trademark holders and the contracted parties don’t trust each other. Facebook and its allies are afraid that their requests for disclosure via the SSAD will be ignored or refused, as in the NameCheap case. The contracted parties on the other hand believe Facebook and its allies want guaranteed access to their customers’ data on request, creating a risk that the contracted parties will be subject to fines under the GDPR or other relevant privacy laws. Privacy advocates, who for the most part align with the contracted parties on these issues, are wary that the SSAD will just turn into a very expensive recreation of the old Whois, with most disclosure automated.
The governance model
Less obvious, however, are the broader global governance questions raised by the conflict. If this issue must be resolved in a national court, does it mean that ICANN’s contractual governance regime has failed or fallen short? If ICANN-mediated self-governance cannot create an efficient, privacy-compliant registration data disclosure regime, one that is trusted and has legitimacy among the key actors, why are we wasting our time with it? Why not just keep the temporary specification in place and allow organizations requesting data to do so under their own national laws, or use MLATs or international treaties when multiple jurisdictions are involved?
The problems with letting national law fill the vacuum created by a lack of consensus, however, are many. Transaction costs will skyrocket. There will be jurisdictional fragmentation of DNS governance – the very problem that ICANN’s creation was supposed to overcome in the first place. Instead of a globally harmonized, technically interoperable system of rules and policies, we would end up with a patchwork quilt of dozens of different laws and regulations. Which raises the question: why do we need ICANN?
Both the contracted parties and the intellectual property interests are threatening the viability of global DNS governance, in their own ways. The IPR interests are undermining it most dramatically. Some of them have lobbied the U.S. Congress to pass a law that will effectively create an American Whois policy that differs from ICANN’s or the European Union’s. Within ICANN, they are pushing strongly for a geographically differentiated application of the policy, so that registrants outside the GDPR’s scope will not be protected by its standards. And as the NameCheap litigation hints, they may also be using American courts to shape registrars’ incentives to disclose data under SSAD, by using ACPA as a backstop.
But the contracted parties are also contributing to the stalemate. From the perspective of the IPR interests, the refusal to disclose the registration data of the suspicious domains in this case raises doubts about the viability of the SSAD model.
We conclude that the major requestors of private Whois data and the contracted parties need to get their expectations aligned. Not all requests will be or should be granted. Things will not be like the old, pre-GDPR Whois, ever. By the same token, not all requests should be refused. The contracted parties need to retain control of the final decision, to be sure, but they don’t want to make requestors believe that they are going to stonewall any and all requests. If they do, and we have to rely on national courts to resolve disputes, we are back in the pre-ICANN land of fragmented jurisdiction. Is that what we want?