Ever since the GDPR thwacked it on the side of its head, ICANN has been trying to bring its registry of domain names into compliance with basic privacy principles. The good news is that ICANN has largely succeeded in doing that. Go to this URL, enter our domain name, internetgovernance.org, and see what you get. The PII is all redacted (even though it doesn’t need to be: you can get our email, address and office phone from our website).
Contrary to the expectations of some alarmists, the Internet has not collapsed. There is no noticeable increase in cybercrime. There are lots of cybersecurity incidents, like SolarWinds and Hafnium, but they were neither caused by the absence of open access to whois records, nor would open access have helped to solve them. There may even be a decline in certain forms of DNS abuse.
The bad news is that many powerful interests are not very happy about the new regime and are still looking for ways to erode it. Interestingly, the European Commission is now one of those stakeholders. Yes, the very same European Commission that passed the GDPR and provoked the reforms in the first place.
In the name of “cybersecurity,” the EC’s December 2020 proposal to amend the Network and Information Security Directive (NIS2) asserts EU jurisdiction over domain name registration in ways that threaten the global nature of the DNS. In the words of Roberto Viola, Director-General of the EC’s Communications Networks, Content and Technology Department, the NIS2 proposal:
“introduces new obligations for TLD registries and registrars providing services in the European Union, namely to: i) collect and maintain accurate and complete domain name registration data; ii) publish non-personal domain name registration data (i.e. concerning legal entities), iii) provide access to specific personal domain name registration data upon lawful and duly justified requests of legitimate access seekers, and iv) reply without undue delay to all requests for access.”
With one interesting exception (publishing only legal person data), this is almost exactly the same agenda as the legislative proposal pushed by American surveillance interests in the U.S. Congress. It’s almost as if the text of NIS2 was dictated by the same lobbyists who are not getting what they want from ICANN. Sadly, NIS2’s policy prescriptions are little more than forum shopping.
The attempt by the EU to intervene in an ICANN policymaking process is unjustified and unacceptable. Every DNS-related cybersecurity or policy problem NIS2 purports to address is already being handled within ICANN. ICANN already has accuracy requirements for DNS registration data, and is in a much better position than the EC to balance the interests of registrants, registrars and third parties on that issue. After redacting the PII from all DNS records to comply with privacy requirements, ICANN is currently considering whether to provide easier access to the registration data of legal persons (companies, corporations, businesses). ICANN has also developed a process for disclosing the redacted data upon the receipt of “lawful and duly justified requests” (the so-called SSAD). All stakeholder groups in the world, not just in Europe, are involved in ICANN processes.
The EC loses a lot of credibility by allowing itself to be gamed by lobbyists. The threat by the EC to intervene in this process, to impose the will of unelected bureaucrats and lobbyists over a global multistakeholder process, is illegitimate and should be resisted by European civil society.
But there is one more piece of bad news. Rather than rising to embrace the reform challenge, ICANN’s CEO seems to be utterly confused about its role in all this. In an interview with the European Internet Forum, Goran Marby notes that the controversy around disclosure of registration data is “like a balancing act between the right to privacy and the need for information.” Correct. But then, at 25:49 he says,
“I believe that the answer to that question belongs to the legislature, it belongs to the [European] parliament. ICANN as a technical organization has a problem coming up with that answer.”
No, Mr Marby. ICANN is the entity that must answer that question. As the policy maker for domain name registries and registrars, ICANN’s policy and implementation procedures will govern the balance between privacy and disclosure for legitimate purposes. ICANN is, in fact, a policy development organization, not a technical organization. It does not produce technical standards, it does not design, manufacture or operate technologies. Its ancillary technical functions account for a tiny portion of its staff and budget. ICANN is the global governance organization for a global DNS.
The ICANN CEO’s confusion is most evident when he refers to “the legislature.” May we ask, to which one of the thousand or so national, supranational, or subnational legislatures is he referring? There is no world legislature. To turn these issues over to governments is to fragment the rules governing DNS. This undermines the prime directive of ICANN, which is to maintain the consistency and compatibility of the global Internet’s unique identifiers.
“There are lots of cybersecurity incidents, like SolarWinds and Hafnium, but they were neither caused by the absence of open access to whois records, nor would open access have helped to solve them.”
The nation-state attack on Microsoft Exchange servers known as HAFNIUM was launched exclusively from a small number of IP addresses, and did not leverage domain names in any way, so it is irrelevant to speculate about whether access to whois data would have helped or not in this case.
I believe you just corroborated Milton’s point.