Although few people are aware of it, ICANN and the domain name system are on the front lines of the transnational data governance issues raised by the clash between European privacy law and American (and eventually Chinese and Indian) information industries. Prompted by Europe’s General Data Protection Regulation (GDPR), ICANN is on the cusp of reforming access to domain name registration data (commonly known as Whois) to conform to privacy principles. It has just finished its policy development process and the result is awaiting approval from the GNSO Council, and then the ICANN board.
In the next few weeks, we will find out whether ICANN’s global, multistakeholder governance regime can meet this challenge, or whether it, like so many other Internet-related things, will break apart under the pressure of conflicts of interest that exploit nationalism and sovereignty.
The growth and development of the digital economy implies a need to facilitate the free flow of information, while protecting the privacy and security of data subjects. That means data protection laws and regulations need to be globalized and interoperable to work effectively. Without this harmonization, hundreds of roadblocks to valuable exchanges of information are erected, creating an ugly patchwork of data localization laws, complicated differences in rules, and the possibility to arbitrage away real data protection by taking advantage of architectural or legal loopholes.
In theory, the ICANN regime should have no problem with a globally harmonized approach to data protection. After all, ICANN was created to provide global governance of the domain name system. Indeed, its greatest early success was a globalized dispute resolution system for domain name – trademark conflicts. ICANN’s Uniform Domain Name Dispute Resolution policy overcame the nightmare of a trademark owner in, say, Germany having to litigate in Korean, Brazilian or Australian courts, spending tens of thousands of dollars in formal court proceedings over long time periods. It set up a lightweight, relatively fast, globalized arbitration system for challenging and recovering infringing domains.
But while many powerful players in ICANN’s policy process had an interest in globally harmonized trademark dispute resolution, they had no such interest in data protection. Quite the contrary. Trademark owners, and later law enforcement agencies, wanted free and immediate access to the PII of every domain name registrant in the world. From the beginning, ICANN’s Domain Name Supporting Organization, and its board, were captured by these interests. Consequently, ICANN used its contractual governance regime to force registrars to publish the name, street address, email address, and phone number of all their customers. All you had to do to get the contact information of a domain name registrant was type the domain name into a search field. Domain name registrars were contractually obligated to return the PII. It didn’t matter whether you were a spammer or a law enforcement agency, a stalker or a consumer protection advocate. Access was open and indiscriminate.
Enter the GDPR
From 2000 to 2018, ICANN was warned repeatedly that its publication of domain name registration data was not compliant with data protection laws in Europe and many other states. They didn’t care. The warnings not only were ignored, but efforts to remedy the situation through the GNSO’s policy process were literally sabotaged by the U.S. government and the interest groups it was acting for.
That captured process was disrupted when the GDPR went into effect. ICANN and its contracted parties could no longer ignore noncompliance, as they would be liable for large penalties if they continued to violate the law.
In response, ICANN’s board adopted some temporary policies to redact sensitive registration data on an “emergency” basis. It then initiated an expedited policy development process (EPDP) to allow its bottom up multistakeholder process to formally enact a policy that would bring the Whois regime into compliance with GDPR. Sounds good, but as is typical for ICANN org, the composition of the EPDP was stacked. Interest groups opposing privacy protections were deliberately given an inflated level of representation.
The redaction of data was greeted with howls of pain from those who had been using (and profiting from) the private data. Lurid predictions of an impending cybersecurity/DNS abuse holocaust were made. It never happened. After more than two years there is no discernable difference in patterns of spam and cybercrime.
In the meantime, the EPDP embarked on a long reform process. It occurred in two phases. Phase 1 basically decided which data elements would be redacted from public display, among other things. We covered the results of Phase 1 here.
In Phase 2, as a quid pro quo for redacting data, and in recognition of legitimate reasons for some third parties to gain access to private data at times, the EPDP developed policy for a system for third parties to request disclosure of the redacted data elements from domain name registrars. The proposed system came to be known as the Standardized System for Access/Disclosure (SSAD). Without a standardized system, those needing the data would have to approach each registrar individually, where different procedures and different systems of law might prevail. It would be inefficient and unpredictable. An SSAD, similar to a UDRP, was a textbook case for why global governance via ICANN would be useful.
Developing an SSAD was a long, hard slog. It was a mashup of law, economics, privacy norms, information system design and divergent business interests. Policy was hammered out in mind-numbing twice-weekly conference calls and two or three weeks of face to face meetings over 18 months. As in Phase 1, the positions taken by the EPDP participants reliably divided into two opposing factions, which came to be known as the surveillance caucus and the privacy caucus.
The surveillance caucus, led by Facebook and MarkMonitor, wanted the SSAD to be a centralized, automated system in which requestors who had been accredited would get unlimited access to the redacted data on demand. They wanted responses to requests for disclosure to be automatically granted, and if they were not automated, they wanted ICANN or whoever ICANN authorized to run the gateway, to make the decision. They also wanted the SSAD to make hard, binding commitments to respond to requests in a short time frame. And, as is typical of this bunch, they didn’t want to pay for running it. They wanted others (i.e., registrars and their customers) to pay for it. In essence, they wanted the SSAD to recreate the old Whois system, with some form of accreditation being the only new barrier to access.
The privacy caucus was an alliance of the privacy advocates in the Noncommercial Stakeholders Group (NCSG) and the contracted parties (registries and registrars). The contracted parties calculated that they would be classified as the data controllers, or as joint controllers with ICANN, and thus would be legally responsible for any disclosure decisions that could be challenged under GDPR. Consequently, they wanted to control their own destiny by being the decision maker about disclosing their customers’ data. They insisted on the right to refuse a disclosure request if they thought it was not compliant with GDPR. NCSG of course was primarily concerned with making sure that the disclosure process respected basic privacy principles. They opposed automated disclosure as not being consistent with the application of legal balancing tests. Registrars and registries also did not want to be saddled with the costs of running the system. Likewise, the NCSG participants insisted that data subjects should not be saddled with the costs of a system whose primary purpose was to undermine their privacy, so they pushed for usage-based fees on requestors.
The SSAD as proposed by the EPDP reflected a host of detailed compromises between the factions. The most important was the adoption of a hybrid model. As noted before, the surveillance caucus wanted a fully centralized system, whereas the privacy caucus wanted registrars, who are accountable to their customers, to make disclosure decisions. The group reached a reasonable middle ground on a “hybrid” model. The hybrid model centralized and standardized accreditation and the submission of requests, while leaving most disclosure decisions in the hands of the registrars and registries. Parties using the system to make requests to disclose data would have to be accredited, and pay a cost-based fee for the initial accreditation and periodic renewal. Accreditation could be withdrawn for abuse of the disclosure process.
On July 31, 2020, the ICANN Policy Development Process for Phase two finally completed its report. This in itself was a remarkable achievement. The report made 22 recommendations to the ICANN board covering the accreditation of requestors, the criteria and content of requests, response requirements, automation of responses, and implementation reviews, among other things. All but two of these recommendations commanded rough or full consensus. The resulting proposal was complex, as one might expect of a system that satisfied such a diverse set of stakeholders. ICANN’s GNSO staff and its chairs, Janis Karklins and Rafik Dammak, deserve credit for herding these contentious cats into some kind of a coherent proposal.
The politics of adoption
But what happens next? Here, the legitimacy and efficacy of ICANN itself is at stake. We have learned again and again that the intellectual property and business (Facebook) interests who constitute the backbone of the surveillance caucus do not participate in the ICANN process in good faith. They demand concession after concession from other stakeholder groups but in the end game, they will vote against the final result because it does not give them exactly what they wanted. Instead of negotiating and accepting a reasonable middle ground, they threaten to circumvent the policy process by shifting to national legislation or private negotiations with the ICANN board.
The good news is that the final report as a whole will definitely have consensus in the GNSO Council. It was only the artificial magnification of surveillance interests in the EPDP that made consensus difficult to achieve. In the GNSO Council, the Phase 2 report should readily obtain the needed supermajority across all four Stakeholder Groups. The NCSG will support it, the Registry Stakeholder Group will support it, the Registrar Stakeholder Group will support it, and one of the three constituencies in the Commercial Stakeholder Group – the Internet Service Providers – will support it.
The threat of fragmentation
But it is not clear whether this equilibrium will hold. The surveillance interests are lobbying the US government for a legislative intervention. Passing a law about this is unlikely, given the chaos surrounding an election year. But it is remarkable that some participants in ICANN would even think about doing that. A US law that forced ICANN to apply different rules to registrars and registries in US jurisdiction would be the end of ICANN as a global governance institution for the DNS. It would use national government to supersede ICANN’s policy development process. It would ratify all the suspicions of other countries, from Europe to Brazil to China and Russia, that ICANN’s incorporation in the US makes it susceptible to political interference by one national government. Not only that, but it would encourage every other government in the world to do the same. Yet the Trump administration is no friend of global Internet governance. It might relish the thought of further splintering the Internet along jurisdictional lines by applying different rules to the domain name system.
Another disturbing scenario is that the board (under pressure from Facebook and the surveillance caucus) might refuse to adopt the policy because of the divergence on minor issues in two of the 22 recommendations. The ICANN board might sacrifice its legitimacy to appease some powerful interests by abandoning its policy development process and entering into private negotiations with the GAC and the brand protection interests about how to modify the policy more to their liking, in a backroom where those pesky privacy advocates are not around.
The possibility of an abandonment of the grand bargain by the surveillance caucus might in turn encourage the contracted parties, who have wrestled with them for months and made many concessions that they don’t like, to abandon it as well. They would ask, “if the surveillance caucus doesn’t want to create an SSAD, why should we? The whole SSAD monster was created to benefit parties who want an efficient and standardized method of gaining access to the data. That system serves their interests, not ours and not our customers. If Facebook and MarkMonitor can’t accept what they got from the multistakeholder process, why should we ratify all these concessions we made?” In theory, if there is no support for a policy in ICANN’s regime, there is not supposed to be a policy at all; the market and private agreements should rule. But in reality, the board often fills the gap with unilateral action.
The GNSO Council is supposed to vote on the EPDP final report in September. After that, the ICANN board takes it up. Keep an eye on what happens.
 ICANN’s policy development processes for domain names is organized around stakeholder groups (SGs). Their representation in the GNSO is deliberately balanced: there are 4 of them, a Commercial user SG, and Noncommercial user SG, a SG for ICANN-accredited Registrars, and an SG for Domain name registries such as Verisign or Donuts. Each SG has equal representation in the policy development process, and supermajorities with support drawing from all SGs is necessary to pass a policy. Yet the EPDP did not follow the GNSO’s representational model; instead, it was structured to multiply the representation of anti-privacy interests. The Commercial SG was counted as three distinct groups, each with the same voting power as an SG. Advisory Committees, which are only supposed to advise ICANN on policies that are made by the GNSO, were suddenly included in the policy process. This was because all three of them would be reliable opponents of privacy: the Security and Stability Advisory Committee (SSAC), which is now dominated by people from the brand protection industry, the Governmental Advisory Committee (GAC), whose representatives tend to favor law enforcement over data protection interests, and the At Large Advisory Committee (ALAC), which is notorious for supporting ICANN board positions and whose leadership positions are now occupied by former IPR and BC people.