ICANN’s attempt to reconcile privacy law with its collection and disclosure of domain name registration data appears to have run into a snag.
The surveillance interests wanted a centralized and standardized system for requesting redacted Whois data. They got one. But they are now pretending to reject it. “The value and benefits of the SSAD do not come anywhere close to justifying the costs to build it and maintain it,” says one IPC representative. Others in that group are saying no one will use the SSAD if we build it. It’s just not worth it.
What arguments are being made to support these claims? Here is what they are saying:
- The data disclosed will often be “inaccurate”
- Data disclosure will not be timely
- Data disclosure will not be automatic
- Data disclosure will not be predictable
- The value of the SSAD is not worth the costs
Let’s take these arguments one by one, and then put things together into a complete picture of what is actually going on. As will become clear, it is all about economics; or to be more precise, about the value of disclosing private Whois data, and how the costs of delivering that value will be distributed among stakeholders.
1. Accuracy
Not all of the data in the Whois is accurate. Some registrants make mistakes, some forget to update, and some lie. As an argument against the particular SSAD model devised by the EPDP, however, this complaint lacks any merit. The SSAD does not make domain registration data any more, or any less, accurate than it was before.
The EPDP process decided which data elements will be redacted from public view, and how third parties can request and obtain disclosure of the redacted data in a way that is compliant with data protection law. The accuracy of the data was completely outside its remit. Indeed, designing a system for requesting and disclosing data cannot magically alter the quality or accuracy of the data in it.
ICANN already has fairly strong policies designed to ensure the accuracy of Whois data. It can suspend domains if inaccurate data is found. If its accuracy policies are not working, they can be changed. But here’s the real problem with this argument: if Whois data is so lousy, then why are Facebook and its allies so eager to get their hands on it? Why have they been telling us from day one that restricting access to that data threatens the security and stability of the internet? Here we come face to face with the basic value proposition underlying this debate.
The next three “problems” have to be evaluated and answered as a group, because they all are different ways of saying the same thing.
2. Timeliness
Following due process to disclose the data will take too long, the critics claim, because the registrars are evaluating the legality of each individual request. They say that consumer protection and cybersecurity needs require disclosure of the data within hours. The SSAD only guarantees responses within a number of business days, unless the requests involve life-threatening emergencies.
3. Automatic disclosure
The critics claim that the SSAD is worthless because it “lacks automated or centralized disclosure decision making.” In other words, they want disclosure of PII to be granted automatically whenever they make a request, and they want that decision to be made by a central authority, not by the registrars who are legally responsible for controlling the data.
4. Predictability
The critics say that the results of their requests will be “unpredictable” because the decisions will be made by many different registrars and registries who “will review each request manually and make their own individual decisions to disclose or not disclose.” However, each registrar is supposed to make the decision based on a common legal standard (ICANN policy and the GDPR). While it is true that individual interpretations of the law might vary, the legal standards will not, and over time things should become more predictable.
5. It’s not worth it
Here the surveillance interests make their most potent threat. They claim that:
[the SSAD’s] financial sustainability recommendations will result in a funding model that is designed to fail. An SSAD that has little value to requestors will lead to a situation where individuals and organizations don’t sign up to use it (or decide to stop using it) which … will ultimately lead to a situation where ICANN will have no choice but to close it down. (Deacon, CircleID)
According to a very rough, back-of-the-envelope estimate made by ICANN Org, the SSAD would cost about $9 million to build and around $9 million a year to operate. What could be worse than the prospect of spending tens of millions to create an information system that no one will use? This argument is cleverly designed to scare the ICANN board into voting down the proposal.
The Value Proposition
But if it is taken seriously, the value proposition argument backfires on the surveillance interests, big time. By all means, let’s think about how much Whois data is worth, and to whom.
The rough, back-of-the-envelope cost estimate for the SSAD performed by ICANN Org proposed $9 million in set up costs and a surprisingly high $8.9 million in annual operating costs. Many people in the industry think those estimates are high, but let’s err on the safe side and assume they are near the target. The ICANN Org report also roughly estimated the number of SSAD accreditations at 20,000.
Using those numbers, the average cost per user of sustaining the SSAD will be about $445 a year. And the one-time setup costs would be about $450 per user.
This is pocket change for most internet businesses. If the surveillance interests don’t think access to redacted PII is worth paying $500 a year for, then their whole policy stance for the past 20 years has been a bald-faced lie, because they have made it seem as if any impediment to access to Whois threatens the viability of the entire internet, if not all of human life. Surely the stability, security and resilience of the Internet is worth coughing up a few hundred bucks?
But they are not lying. They do, in fact, value access to the data highly. The claim that SSAD isn’t worth it is a bluff. Let’s look at some obvious facts about the value of the data.
Facebook and Mark Monitor ordered highly-placed staff lawyers to spend 4-5 hours a week attending EPDP conference calls for two years, and at least another 2-3 hours per week preparing for them. At some point in the process they spent 8-10 hour days in ICANN meetings for three or four days in a row. Their mandate: get as much easy access to Whois data as possible. If we value those lawyers’ time at only $200/hour then we are looking at a minimum of 800 hours of work in two years, totaling an expenditure of around $160,000 per lawyer.
Yeah, I think they value access to Whois data more than $500/year.
But that’s not all. Some of the stakeholders who are telling us they can’t afford the SSAD or don’t think it will have any value are already paying thousands of dollars per year for commercial services such as Domain Tools (DT). Many law enforcement agencies, responding to a survey of police agencies by the European Commission’s Cathrin Bauer-Bulst, said that they were using DT or similar tools. Domain Tools does not publish its prices; it wants you to be contacted by a representative, which is a good indication that whatever they charge is going to be a lot more than $500 per year.
So tell us what you really want
What do we have here? Aside from the accuracy issue, which is irrelevant to the SSAD, arguments 2, 3 and 4 state that the SSAD does not yield instantaneous, automatic and predictable disclosure of the PII behind a domain name registration, and for all those reasons, argument 5 concludes that disclosure of the redacted data is not going to be worth the price of accreditation and use.
Hmm, so what kind of an SSAD would make them happy?
Oh, I know! It’s the old, open, Whois. Unlimited queries, instant results, automatic and predictable disclosure of all the registration data, no cost to the user. All the boxes are ticked.
What this means is that mentally, the surveillance caucus and its supporters are still back in 2017, if not 2001. Their bottom line is: WE WANT THE OLD WHOIS BACK. Nothing short of that is going to satisfy them. Two years after GDPR enlarged the legal and economic risks of noncompliance, and provoked two years of protracted negotiations over which data should be redacted, the interpretation of the GDPR, and the procedures and mechanisms of an SSAD, they haven’t yet come to grips with the simple reality that the GDPR rendered their old paradise legally impossible. And the new California Consumer Privacy Act, which in some respects is tougher than GDPR, makes the return of old Whois impossible in the United States as well as Europe. It simply isn’t an option.
Surely the ICANN board knows that the surveillance interests can’t be given what they want. Daddy has to say No. So what are they going to do?
Calling the bluff
If they are not going to use the system, what are they going to use? The only alternative to the SSAD is to approach each registrar individually and ask them nicely for disclosure, based on whatever idiosyncratic procedures or formats that registrar happens to use. That doesn’t sound like something they would like to do. In fact, they have already told us that a totally decentralized system such as this is completely unacceptable. It would probably be more costly to them than the hybrid system proposed by the EPDP. It would probably be more costly for larger registrars, too.
Are they going to use the courts to compel disclosure? One lawsuit will cost 100 times more than any conceivable SSAD fees. (And yet, we do see Facebook going to the courts sometimes.)
Maybe they will find that they don’t need that much disclosure at all; the redacted Whois provides plenty of clues and various kinds of legal and cybersecurity actions can be taken without seeing the redacted PII. That might be a serious dark horse in the race to a solution.
Or maybe they will subscribe to Domain Tools. It seems that DT is still archiving historical Whois data and selling access to it, with no legal consequences. Perhaps ICANN can just outsource the whole operation to DT, and let them take on the legal liability, since it seems to have a special immunity, and avoid all the accreditation, auditing, setup and operational costs.
Stated vs. Revealed Preference
Now for a brief lesson about economics. Economists have two methods to estimate how much people value something: stated preference and revealed preference.
Stated preference establishes valuations by asking subjects how much they value something. When spokespersons for the surveillance interests tell us they don’t value the SSAD, we are dealing with stated preference.
Revealed preference looks at actual choices made by the subject. By selecting some options and rejecting others, we see what people really value through their behavior. When the surveillance interests spend hundreds of thousands of dollars paying lawyers and lobbyists to gain or protect access to redacted Whois data, when they subscribe to expensive services to gain access to that data, we are dealing with revealed preference.
It’s well known that stated preferences can be distorted for strategic reasons. Since revealed preference is grounded in actual behavior, it is generally considered to be a much more accurate measure of valuation.