India and other Asian countries are asserting control over content on platforms. The European Commission tries to explain to the ICANN community how and why it is asserting jurisdiction over domain names. The Biden administration makes a clean break with the Trump Administration’s State Department on handling cyber issues.
India’s new rules for digital intermediaries
On 25 February, the Indian government unveiled the ‘Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules 2021′ that creates new rules for digital intermediaries, OTT platforms as well as digital news media and grants the Indian government sweeping powers over online speech. The new rules, created without any discussion in Parliament or a stakeholder consultation through a notification in the official gazette, are aimed at making global digital platforms “more responsive to directions and accountable to Indian laws”. A longer article about this will appear soon.
Is the European Commission trying to replace ICANN?
On February 26, ICANN’s Vice President for Government and IGO engagement, Elena Plexida, rounded up five staff members of the European Commission to explain and answer questions about its Digital Services Act (DSA), its Cybersecurity Strategy and its revised directive on Network and Information Security (NIS2). Europe’s attempt to regulate platforms, data and cybersecurity is overlapping, and potentially conflicting, with the mission of the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN engages in global governance of the domain name system (DNS) and coordinates the authoritative root zone. It is also in the process of setting policy for how the processing of domain name registration data by registration services can conform to privacy rights, including Europe’s own GDPR. Due to lobbying from commercial surveillance interests, the EC’s NIS2 initiative proposes to assert jurisdiction over the accuracy of registration data. More eye-opening was the EC’s blithe announcement that they were asserting jurisdiction over the two root servers located in Europe (the I and K root servers in Sweden and Amsterdam). The EC Policy Officers were unable to explain what problem they were trying to solve or what it meant to have jurisdiction over only 2 of the world’s 13 root servers. Could they order them to serve up a different root zone file? Use a different signing key for DNSSEC?
The Policy Officers did a good job of explaining how modifications to the EC’s liability regime for online services would affect registries and registrars. They also killed the hopes of Facebook and other Business Constituency participants that the NIS2’s data accuracy requirements could be used to shape ICANN’s Whois reform process. Not only was a finalization and implementation of these rules 2-3 years away, according to EC’s Benjamin Boegel, but “the negotiations have just started…no Commission proposal ever goes through Parliament and Council without any changes.”
USA: The return of the diplomats
The House Foreign Affairs Committee unanimously approved a bill that would create a Bureau of International Cyberspace Policy at the U.S. State Department. The bipartisan bill, known as the Cyber Diplomacy Act, was first introduced in 2019 as a reaction to the Trump Administration’s defunding and deprioritizing of cyber security activity within the State Department. The move turns the U.S. government away from a more military-oriented approach and emphasizes international diplomacy. Insofar as the Trump administration paid any attention to cybersecurity issues, they conceived of them as primarily military or saw security issues in cyberspace as separate from those of human rights, economics and democracy. But members of Congress, including members of the Cyberspace Solarium Commission, say such considerations cannot be divorced and that the legislation approved in a markup Thursday would break down the unhelpful silos. Just six weeks ago outgoing Secretary of State Pompeo tried to create a Bureau of Cyberspace Security and Emerging Technologies (CSET) in the State Department, which would have reported to the Under Secretary for Arms Control and International Security. This proposal drew a rebuke from the Government Accountability Office because of the lack of planning that went into it.
It’s too early to know yet, of course, but superficially this looks like a win for a less conflictual cyberspace. Meanwhile, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is also stumbling into international engagement, raising concerns about coordination and capacity among some State Department veterans. Though it is a domestic agency, CISA is emerging as an expansionist power center in cybersecurity, and since cyberspace is inherently transnational, it is difficult to keep a domestic agency confined to domestic issues.