The Struggle for WHOIS Privacy: Understanding the Standoff Between ICANN and the World’s Data Protection Authorities

by

Stephanie E. Perrin

A thesis submitted in conformity with the requirements for the degree of Doctor of Philosophy, Faculty of Information, University of Toronto

© Copyright by Stephanie E. Perrin 2018

The Struggle for WHOIS Privacy: Understanding the Standoff Between ICANN and the World’s Data Protection Authorities

Stephanie E. Perrin

Doctor of Philosophy

Faculty of Information University of Toronto

2018

Abstract

This dissertation examines the struggle over privacy rights in WHOIS, the public directory of registrants of domain names. ICANN, the Internet Corporation for Assigned Names and Numbers, is the non-profit corporation established by the U.S. government to run the Domain Name System and the Internet Assigned Numbers Authority, functions essential for Internet operations. Through contractual obligation, ICANN requires registrars to collect and publish personal data in the WHOIS directory, contravening many national data protection laws.

My research first asked how ICANN managed to avoid the demands of authorities mandated to enforce data protection laws. Analyzing extensive documentary records maintained by ICANN, I demonstrate that the organization refused to effectively accommodate privacy concerns in their policies. I found that, since its inception, ICANN rebuffed repeated complaints by data protection authorities that WHOIS requirements violate national laws and continue to avoid privacy compliance. I provide evidence of a clash of values in the emerging commercial Internet.

Business enterprises with strong intellectual property interests, supported by the U.S. government, initiated the focus on an open WHOIS policy to ensure they could identify suspected copyright and trademark violators. Law enforcement agencies represented at ICANN’s Governmental Advisory Committee also demanded open access to registrant data. A growing information services industry depended on the sale of this data to domain businesses and cybercrime fighters in both the public and private sectors. In combination, these stakeholders have prevented privacy advocates from gaining a foothold. Data Protection Authorities have also declined to exercise their powers, and they have remained outsiders and unsuccessful interveners in ICANN’s multi-stakeholder process.

The dissertation then explores the implications of this failure of privacy law from the perspectives of Internet privacy scholarship and accountability issues in multi-stakeholder governance. Establishing WHOIS as a wide-open information resource not only erodes legitimate expectations of privacy in telecommunications directories, it undermines our ability to negotiate personal space and speech on the Internet. This research contributes to understanding challenges to Internet privacy, law enforcement access to personal data, and the prospects for developing international Internet governance regimes that promote the public interest while protecting the rights of individuals.


Acknowledgements

I could not have completed this project without the enthusiastic support of my advisors, Andrew Clement and David Phillips. Leslie Shade, besides being the graduate coordinator during a critical period of this research, has also been a terrific committee member and supporter of my work. Straddling the rift between privacy advocate, government employee, and doctoral student has been challenging and I thank these three for helping me to navigate this transition effectively. Thanks also to Professor Colin Bennett, whose encouragement was greatly appreciated, and to the many other professors and colleagues who supported me and provided advice. Had I listened to Professor Lee Bygrave’s excellent advice to quit volunteering at ICANN for six months to finish writing, the dissertation would have been done earlier.

In terms of my research and writing, I must thank my sons Matthew Purcell, Jesse Purcell, Joe Rochon, and Marco Rochon for their unflagging support. Special thanks to my friends Heather Black for her insight into privacy compliance issues, and Bob Gellman in Washington for reading versions of the document and providing valuable feedback. Thanks also to Theo Geurts of Realtime Register for reading the draft and providing valuable feedback from a technical and business perspective. To all my other friends and relatives who have put up with me, listened to me discuss ICANN, and encouraged me to finish, my thanks to you all. My cohort at the Faculty of Information, Glen Farrelly, Michael Jones, Rebecca Sheffield, and Rhon Teruelle have been great supporters and colleagues. And finally to my many colleagues at ICANN, particularly in the Noncommercial Users Constituency and the Noncommercial Stakeholders Group, my thanks for all their support, information, and collaboration.

This is a small contribution to the literature on how privacy protection fails in one specific application. I hope to contribute solutions to the problems and to raising the support required to achieve that end.


Table of Contents

Acknowledgements ...... iv

Table of Contents ...... v

List of Tables ...... xii

List of Figures ...... xiii

List of Appendices ...... xiv

Chapter 1 The Failure of WHOIS Privacy at ICANN: What is at Stake? ...... 1

1.1 Development of the WHOIS Directory of Domain Registrants ...... 2

1.1.1 Establishment of ICANN ...... 3

1.1.2 The System is fundamental to Internet operations ...... 6

1.2 Who Wants WHOIS Data and Why? ...... 7

1.2.1 Three leading stakeholders: intellectual property owners, law enforcement, and the value-added services providers ...... 8

1.3 What Does Privacy Mean in this Context? ...... 9

1.3.1 Risks of releasing personal information and privacy rights ...... 11

1.4 Who Cares About WHOIS Privacy and Why? ...... 12

1.4.1 Civil society and their allies ...... 12

1.5 Data Protection Authorities ...... 14

1.5.1 My involvement with ICANN and choice of this case study as a research focus ...... 14

1.6 ICANN Stymies WHOIS Data Privacy Since 1998 ...... 16

1.6.1 ICANN’s failure to respond ...... 17

1.7 WHOIS Conflicts with Law Policy—ICANN’s Only Concession to Privacy Demands ...... 18

1.8 Research Questions ...... 19


1.9 The Importance of These Questions and Prospective Research Contributions to Privacy Scholarship (and Advocacy) ...... 20

1.9.1 Implications for Internet governance ...... 27

1.9.2 Implications for the industry ...... 28

1.10 Thesis Outline ...... 29

Chapter 2 Personal Background and Methodological Approach ...... 32

2.1 Researcher, Privacy Expert and Advocate ...... 32

2.2 Why I Worked with ICANN Documents ...... 34

2.3 Selecting Documents ...... 37

2.3.1 Selecting documents relevant to a process and decision...... 40

2.4 Possible Explanations for ICANN’s Lack of Response to Privacy Claims ...... 43

2.4.1 Political and governmental issues ...... 43

2.4.2 Legal and practical issues affecting data commissioners ...... 44

2.4.3 Economic issues facing stakeholders ...... 46

2.4.4 Internal ICANN issues management ...... 47

Chapter 3 Privacy Scholarship Relevant to WHOIS Privacy ...... 50

3.1 A Brief History of the Development of Privacy and Data Protection Law ...... 51

3.1.1 Tracing the evolution of U.S. Privacy from Fair Information Practices to the Federal Trade Commission as a data protection authority ...... 51

3.1.2 The development of Fair Information Practices ...... 53

3.2 Evolution of EU Privacy from Convention 108 to Directive 95/46, and the 2012 Draft Regulation on Data Protection ...... 57

3.2.1 Rejection of Safe Harbor ...... 61

3.2.2 Data protection and law enforcement issues ...... 63

3.2.3 Tensions between protecting privacy, anonymous free speech, and the freedom of assembly ...... 65


3.2.4 Participation of data protection experts and academics at ICANN ...... 66

3.3 Data Protection Legal Issues Relevant to the Domain Name System ...... 68

3.4 Technology Issues and Solutions ...... 85

3.5 Implications for the Multi-stakeholder Model ...... 88

3.6 Conclusions ...... 89

Chapter 4 How ICANN Manages the Domain Name System and Registration Data ...... 92

4.1 Structure of a Domain Name ...... 93

4.2 How the DNS Works Within Internet Architecture ...... 94

4.3 The Birth of ICANN ...... 95

4.4 How ICANN Functions: The Actors, Structure, Process, and Policy ...... 100

4.4.1 Actors ...... 100

4.4.2 Structure and process ...... 103

4.4.3 Process and policy ...... 108

4.4.4 Information management and transparency ...... 113

4.4.5 How the work gets done ...... 114

4.4.6 Documentation and access to information ...... 117

4.4.7 Metrics ...... 119

4.4.8 Accountability and appeal mechanisms ...... 119

4.4.9 The rise of intellectual property and trademark interests ...... 121

4.4.10 Law enforcement interests at ICANN ...... 123

4.4.11 The value-added services industry and the DNS industry ...... 126

4.5 Conclusions ...... 127

Chapter 5 The WHOIS Privacy Struggle Within ICANN ...... 129

5.1 Who Controls WHOIS—The Registrar Accreditation Agreement and the WHOIS Protocol ...... 132


5.1.1 Registrant obligations ...... 144

5.1.2 Data escrow ...... 145

5.2 A Brief History of WHOIS Reviews and Policy Development ...... 148

5.2.1 2000: WHOIS Committee convened ...... 152

5.2.2 2001: WHOIS Committee recommends standardizing output ...... 153

5.2.3 2001: The second Registrar Accreditation Agreement ...... 154

5.2.4 2001–2003: The first WHOIS Task force ...... 154

5.2.5 2003: The Second WHOIS Task force ...... 155

5.2.6 2005: The GNSO Council passes the WHOIS Conflicts with Law policy ...... 159

5.2.7 2006: The Preliminary Task Force report on the purpose of WHOIS and WHOIS contacts ...... 160

5.2.8 2007: The GNSO Council creates new WHOIS Working Group ...... 162

5.2.9 2008: The WHOIS study group forms ...... 164

5.2.10 2010–2012: The WHOIS Policy Review Team ...... 165

5.2.11 2011–2013: Thick WHOIS PDP ...... 170

5.2.12 2012–2014: Four WHOIS studies ...... 173

5.2.13 2012: The Expert Working Group on RDS initiated ...... 174

5.2.14 2014–2015: The privacy/proxy services accreditation issues policy development process ...... 175

5.2.15 How do WHOIS working groups reach consensus and work through contestation? ...... 179

5.2.16 Accountability and review mechanisms ...... 182

5.3 ICANN Procedure for Handling WHOIS Conflicts with Privacy Law ...... 183

5.4 Conclusions ...... 187

Chapter 6 The Standoff Between European Data Commissioners and ICANN ...... 190

6.1 Interventions by Data Commissioners on ICANN Data Protection Practices ...... 196


6.1.1 1996–2000: First comments ...... 201

6.1.2 Opinion 5/2000 by the Article 29 Working Party on reverse directories ...... 203

6.1.3 The 2000 Berlin Group common position on WHOIS ...... 205

6.1.4 The 2003 Berlin Group letter to ICANN ...... 207

6.1.5 Opinion 2/2003 of the Article 29 Working Party on the application of the data protection principles to WHOIS directories ...... 207

6.1.6 2005: Berlin Group to International Working Group on Internet Governance letter ...... 209

6.1.7 2006–2007: Article 29 Working Party letters to ICANN’s Chairman Cerf ...... 209

6.1.8 2012–13: Revision of the Registrar Accreditation Agreement ...... 211

6.1.9 The 2014 letter from the European data protection supervisor to John Jeffrey on data retention ...... 213

6.1.10 Privacy/proxy services accreditation issues ...... 215

6.2 What More Can Data Protection Authorities Do? ...... 215

6.3 The Principal Components of Personal Data Protection Rights in Registration Data .... 218

6.3.1 Proportionality ...... 220

6.3.2 Purpose ...... 222

6.3.3 Consent ...... 225

6.3.4 Data limitation ...... 226

6.3.5 Accuracy ...... 226

6.3.6 Data retention ...... 228

6.3.7 Accessibility ...... 228

6.3.8 Data elements ...... 229

6.3.9 Uniformity ...... 230

6.3.10 Automated processing and bulk access to data ...... 230

6.3.11 Transfer to other jurisdictions ...... 231


6.4 Efforts to Marginalize Data Protection Authorities: Law Enforcement Agencies Versus Enforcement of Data Protection Law ...... 232

6.5 Conclusions ...... 238

Chapter 7 Conclusions ...... 242

7.1 Principal Findings ...... 243

7.1.1 ICANN’s response ...... 243

7.1.2 Stakeholder response: Interests and interactions ...... 247

7.1.3 The failure of the data protection commissioners to enforce the law ...... 251

7.1.4 What are the implications of the failure to address privacy demands in registration data? ...... 253

7.1.5 Prospects for change in privacy outcomes ...... 256

7.1.6 Outsider status ...... 258

7.1.7 Differences in style of law: Data protection versus intellectual property law ... 259

7.1.8 Competitive and economic issues ...... 262

7.2 Research Contributions ...... 262

7.2.1 Privacy scholarship ...... 262

7.2.2 Internet governance ...... 265

7.3 Actions That Privacy Advocates Could Take to Change the Outcomes ...... 269

7.3.1 Practical solutions to a big problem ...... 269

7.3.2 Enforcement action ...... 271

7.3.3 The empowered community ...... 273

APPENDICES ...... 274

Appendix A Abbreviations ...... 274

Appendix B Internet Engineering Task Force 3912: the WHOIS Protocol ...... 280

Appendix C Use Cases for WHOIS Data ...... 284


Appendix D ICANN History of WHOIS ...... 291

Appendix E Selected ICANN Documents ...... 296

Appendix F Documents of the International Working Group on Data Protection in Telecommunications and Media ...... 303

Appendix G Documents of the Article 29 Working Party on Data Protection ...... 307

Appendix H Data Requirements: Section 3 of the Registrar Accreditation Agreement (2013) ...... 314

Appendix I Government Advisory Committee Communiques and Documents Related to WHOIS ...... 330

Appendix J Biographical Note on the Author and her Engagement with ICANN ...... 333

Appendix K Excerpt from the Trans-Pacific Partnership Agreement on Trade ...... 335

Appendix L Letter from European Registrars to ICANN Regarding Escrow Costs Required by the 2013 Registrar Accreditation Agreement ...... 337

Appendix M ICANN Procedure for Handling WHOIS Conflicts with Privacy Law ...... 340

Appendix N Letter from Peter Hustinx, European Data Protection Supervisor, on Data Retention Consultation ...... 346

Appendix O Relevant Legislation and Jurisprudence ...... 351

Appendix P Government Advisory Committee Principles Regarding Generic Top-Level Domain WHOIS Services ...... 353

Appendix Q Law Enforcement Recommendations for Registrar Accreditation Agreement Amendments and ICANN Due Diligence ...... 356

References ...... 362


List of Tables

Table 1. Timeline of WHOIS Studies and Implementation Activities ...... 151

Table 2. Interventions by Data Protection Authorities on Registration Data Issues ...... 199

Table 3. Privacy Issues Related to Registration Data as Raised by Data Protection Authorities ...... 219


List of Figures

Figure 1. Structure of ICANN ...... 104

Figure 2. Structure of the Generic Names Supporting Organization (GNSO) ...... 107

Figure 3. Format of a WHOIS Query from the Registrar Accreditation Agreement (2013) ...... 140


List of Appendices

A List of Abbreviations

B Internet Engineering Task Force Request for Comments 3912: The WHOIS Protocol

C Use Cases for WHOIS Data

D ICANN History of WHOIS

E Selected ICANN documents

F Documents of the International Working Group on Data Protection in Telecommunications and Media

G Documents of the Article 29 Working Party on Data Protection

H Data Requirements, Section 3 of the Registrar Accreditation Agreement (2013)

I Government Advisory Committee Communiqués and Documents Related to WHOIS

J Biographical Note on the Author and her Engagement with ICANN

K Excerpt from the Trans-Pacific Partnership Agreement on Trade

L Letter from European Registrars to ICANN Regarding Costs of Escrow Required by the 2013 Registrar Accreditation Agreement

M ICANN Procedure for Handling WHOIS Conflicts with Privacy Law

N Letter from Peter Hustinx, European Data Protection Supervisor, on Data Retention Consultation

O Relevant Legislation and Jurisprudence


P Governmental Advisory Committee Principles Regarding Generic Top-Level Domain Names WHOIS Services

Q Law Enforcement Recommendations for Registrar Accreditation Agreement Amendments and ICANN Due Diligence


Chapter 1 The Failure of WHOIS Privacy at ICANN: What is at Stake?

This dissertation focuses on the contestation within the Internet Corporation for Assigned Names and Numbers (ICANN)¹ and its multi-stakeholder community, and the international data protection commissioners, over the protection of the personal information of domain name owners or registrants. The focus of contention is a public directory, WHOIS (not an acronym), that is available on the Internet and lists the name, address, phone number, and other data pertaining to the registrants of domain names. While there are strong arguments for being able to find out who owns domain names and associated websites on the Internet, there are also arguments to not list the confidential information of registrants in a global public directory.

In 1998, the United States (U.S.) Department of Commerce empowered ICANN through contract to run the Domain Name System and the Internet Assigned Numbers Authority (IANA). This involves managing and setting policy for the registration of unique domain names on the Internet, and the assignment of numbers that route Internet traffic. ICANN inherited many of the structures that had enabled the Internet to function since its early formation when it was an experimental communications network. One of those structures was the public directory of registrants of domain names called WHOIS, and this directory—and the lack of registrant privacy—is the focus of this dissertation.

Global data commissioners, led by the Europeans, responded to the birth of ICANN and the creation of the public directory in WHOIS very quickly, advising ICANN leaders that the publishing of personal addresses, emails, and phone numbers was a violation of European data protection law. They followed up repeatedly with detailed discussion of various elements of data protection relevant to the collection, use, retention, and public disclosure of data related to domain name registrants, but their concerns have yet to result in substantive WHOIS privacy protections. While it is not unusual for the data commissioners of the world to encounter resistance to the protection of personal information, the kind of intransigence that ICANN has demonstrated over the past 19 years in response to their interventions demanding privacy protection is in many ways unique.

¹ ICANN uses acronyms quite extensively and most of their documents contain acronyms in their titles. I have utilized the full definition throughout the text wherever possible but I have shortened some select titles for readability. Hereafter, I refer to the Internet Corporation for Assigned Names and Numbers as ICANN. A glossary of acronyms appears in Appendix A.

1.1 Development of the WHOIS Directory of Domain Registrants

WHOIS originated as a tool for the early researchers and developers of the Internet to know who had a presence on the Internet, primarily so that they could keep it functioning. It soon grew in importance as a way for third parties, trademark holders, speculators, business owners, and even criminals to know which domain names had been registered, and who had registered them. Contention began early on, before the Internet was opened up for electronic commerce, as each of these stakeholder groups had different ideas about the potential uses for such a directory, and how data collection and distribution should be managed. Some groups have been more successful than others, but stakeholders representing end users have been quite unsuccessful in defending privacy rights in policy.

The WHOIS directory began at a time when there were only a few hundred users, as a listing of the name, contact information, and registration details for every node on the Internet. The first technical protocol for WHOIS, then called “Finger,” was released in 1977² to guide the growing number of parties participating in expanding the Internet. Researchers working for either government or universities operated most of the nodes.

² For a brief history of the various Internet Engineering Task Force efforts to solve the problems with the WHOIS protocol, and to see the current protocol in use, Request for Comments (RFC) 3912, refer to Appendix B.

The WHOIS protocol was thus designed for people to know the contact details of colleagues who were managing a fledgling Internet in their work capacity; in this context, telephone numbers and addresses were not personal. The directory became more controversial in the late 1990s, when businesses, and then ordinary citizens, started registering domain names in the millions, bringing into question their rights under data protection law (International Working Group on Data Protection in Telecommunications, 2000).

1.1.1 Establishment of ICANN

The U.S. government opened up the Internet to commercial use in 1992 through a decision of the National Science Foundation, which had taken over from the Advanced Research Projects Agency Network (ARPAnet) that originated in the U.S. Defense Department. By 1998, the Internet had grown rapidly and it was no longer exclusively an academic and research network controlled by the U.S. government; many voices called for the U.S. government to relinquish some control, and open up the sale of domain names to greater competition. The U.S. Commerce Department issued two papers on the potential release of its control of the Domain Name System, known as the “Green Paper” and the “White Paper.”³ The papers proposed a consortium of various stakeholders to provide governance, using a non-governmental approach. Existing Internet stakeholders such as the Internet Society (ISOC) and the Internet Architecture Board (IAB) then put in a proposal for a new non-profit corporation to be created, with international participation on a Board of Directors. Internet scholars Michael Froomkin (2000b) and Milton Mueller (2002) describe how this proposal was accepted while others were rejected. The incorporation of ICANN as a non-governmental organization (NGO) with a Board of selected international members, as well as a number of supporting organizations or stakeholder groups and advisory bodies, followed in 1998. As Froomkin, Mueller, and other scholars have described, this establishment of ICANN as a “multi-stakeholder organization” in charge of a key Internet resource set the stage for controversy about governance and accountability of the Domain Name System (DNS) that persists to this day. This concept of “multi-stakeholderism” relies on the belief that the parties directly involved in the management of technical systems are the best able to run the system while democratically sorting out differences and arriving at solutions. This concept—as ICANN instantiates it—relies on the principle of “rough consensus,” which originated in the Internet Engineering Task Force, who describe themselves as managing the Internet through “rough consensus and running code” (Hoffmann, 2012). Rather than voting, rough consensus is achieved through arguing to reach agreement, and running code relies on testing protocols to see if they work. This system may work in a more homogeneous group, but the heterogeneity of the ICANN stakeholders has contributed to a challenging multi-stakeholder environment, in which consensus can be elusive. This is described further in Chapter 4 (see also Weinberg, 2001).

³ See Appendix E for a list of key ICANN documents related to the establishment of ICANN.

ICANN manages the functions it is responsible for through contract. The registrars accredited to sell domain registrations, and the registries who managed the top-level domains (e.g., .com, .org) became members of the Contracted Party House (CPH), as stakeholders who had contracts with ICANN that enabled them to do business. Intellectual property owners, business representatives, and the Internet service providers formed the Commercial Stakeholder Group (CSG), and the At Large Advisory Committee, composed of various end users organized regionally, represented end users. A new group was formed at the instigation of civil society, the Non-Commercial Domain Name Holders Constituency (NCDNHC) (later called the Noncommercial Users Constituency [NCUC]) to be a counterbalance to the Commercial Stakeholders, and this later became the Noncommercial Stakeholders Group (Mueller, 2017a).

Government representatives were included in a Governmental Advisory Committee (GAC), which provided its advice directly to the Board. Some governments such as China and Russia believe that the Domain Name System, including the number resources, would be better managed by governments, but the U.S. government insisted on private sector controls. Many other governments were reluctant to see the obvious candidate, the United Nations’ International Telecommunication Union (ITU), take control of the Internet (Mueller, 2002). ICANN has continued developing for the past 19 years, making modest improvements in accountability and globalization and attracting attention as an instrument of governance that at least is functioning and has facilitated the rapid growth of the Internet, one of the key goals in its establishment. Nevertheless, the debate over its effectiveness continues (Brown, I. 2013a; Hoffman, J. 2016; Kleinwachter, W. 2004).

The initial concept of ICANN required a commitment to make WHOIS information freely available. The Department of Commerce stated the following policy intent in its Management of Internet Names and Addresses (hereafter referred to as the White Paper):

To this end, we anticipate that the policies established by the new corporation would provide that [sic] following information would be included in all registry databases and available to anyone with access to the Internet:

• up-to-date registration and contact information;

• up-to-date and historical chain of registration information for the domain name;

• a mail address for service of process;

• the date of domain name registration;

• the date that any objection to the registration of the domain name is filed; and

• any other information determined by the new corporation to be reasonably necessary to resolve disputes between domain name registrants and trademark holders expeditiously. (1998b, p. 25)

This preliminary sketch of ICANN demonstrates two points that I believe are important to an understanding of the contention over WHOIS: first, that the institution itself was a rather precarious experiment in multi-stakeholder operation of a key dimension (the Domain Name System) of what rapidly developed into the most critical information infrastructure for the global economy. Secondly, the Department of Commerce made considerable effort to set the policy parameters for privacy into the construction of this fledgling organization, parameters that, depending on the interpretation of information needed to make “contact” or “resolve disputes,” could be directly at odds with conventional understandings of data protection.

1.1.2 The Domain Name System is fundamental to Internet operations

The Internet is a distributed, decentralized network of networks, famously designed to work around any network failure because of duplication of resources and redundancy of routing options. The Domain Name System (DNS) is a hierarchical decentralized naming system for the resources connected to the Internet, and it also functions in a way to withstand network failure. The one thing that must be managed without any duplication is the unique assignment of names and numbers (i.e. Internet Protocol [IP] addresses of individual devices; for instance, example.com cannot exist in two places with two separate registrants on the Internet.) Some registration data therefore has to be available to all users, for what are basically technical, operational reasons tied to the registration process.

It is clear that the requirements cited above from the White Paper address the concerns of trademark holders regarding a public directory, but the major function of registration data (not WHOIS, but the data itself) is to provide information necessary to resolve a query and permit the transmission of Internet communications. The DNS is often described as being like a phone book, in that it acts as an interface between the human user-friendly domain names that we can remember (e.g., Microsoft.com) and the actual numerical Internet Protocol (IP) addresses (e.g., 123.123.123.123) needed for locating and identifying computer services and devices, enabling traffic to be directed in accordance with Internet protocols. Those registering a name, the registrars and the registries, need to know whether that name has already been assigned, they need to assign a name server to that domain, so that the other name servers will know where to send traffic, and there are other technical items such as zone files (describing a subset of the hierarchical DNS structure) that need to be shared. Most registrars only use WHOIS for commercial purposes, such as when they transfer domains and need to look up current registrations.

1.2 Who Wants WHOIS Data and Why?

There are basically two streams of data usage for registrant data, technical and policy, and each attracts multiple stakeholder interests. Technical requirements focus on ensuring a name resolves to the correct IP address, and that it is not doing anything to interfere with the stability and security of the Internet, a key aspect of ICANN’s mission.

Policy needs for registrant data are more complex, and are the grounds for most of the contention surrounding the Registrant Directory Service (RDS). Registrars and registries refer to WHOIS when, for instance, they transfer domains among registrars, or contact registrants that are not their own customers. As we can see from the list of data cited from the White Paper of 1998, while minimal data suffices to direct an Internet transmission (i.e. the main technical use), the DNS has since its commercialization been required to also support policy needs for data. Trademark owners want to be able to find out who has registered a domain that they believe violates their trademarks. Law enforcement officials want to find out who is associated with an offending website that is engaged in criminal activity, and while the domain name may not be registered by the operator of the website, it is nevertheless an important clue. It is necessary for technical reasons to know who the registrar is to resolve technical problems, report abuse, and—in the case of egregious criminal activity—have the domain disabled or taken down, rapidly. There is almost no contestation over the use of technical data and the technical processes of registration, but policy uses are problematic for many reasons, mostly because the data is personal information in the case of individuals, and may be confidential data in the case of businesses and organizations.


Because of the inherent complexity of the distributed DNS—with thousands of registrars and resellers operating globally, and each operating their own WHOIS lookup following the required Internet Engineering Task Force (IETF) protocols—there grew to be a demand for one-stop-shopping for WHOIS data. Value-added service providers found a market niche, gathering up-to-date WHOIS data globally and assembling it in one database. This facilitates the monitoring of trademark abuse and cybercrime attacks, since the moment nefarious activity is detected, one database search will yield information useful for taking down a website or blocking an email address.
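The protocol that every registrar's WHOIS lookup follows, RFC 3912, is about as simple as a network protocol can be, and that simplicity is the source of the privacy problem this chapter describes: a client sends a domain name over TCP port 43, terminated by CRLF, and the server answers with free-form text and closes the connection. There is no authentication, no access control, no encryption and no notion of purpose, so the name, street address, phone number and e-mail of an individual registrant go to any party that asks. The following Python program is an added illustration, not code from the dissertation or from ICANN: it models both sides of the RFC 3912 exchange, parses the reply, and shows the split between the technical elements needed to operate a domain and the personal-data elements the data protection authorities objected to. The registrant record, the registrar name and the `Registrant ...` field labels are constructed samples and assumptions, not any registrar's real format.

```python
"""RFC 3912 WHOIS exchange modelled in-process, plus a personal-data view of the record.

Added example, not part of the dissertation. The record, registrar and field names
below are constructed; they are not ICANN's or any registrar's actual output format.
"""
import socket
import threading

WHOIS_PORT = 43          # RFC 3912: WHOIS is carried over TCP port 43
CRLF = b"\r\n"           # RFC 3912: the query is a line of text terminated by CRLF

# Constructed sample record for a fictional registrant of a reserved example name.
SAMPLE_RECORDS = {
    "example.com": {
        "Domain Name": "example.com",
        "Registrar": "Example Registrar, Inc.",   # constructed
        "Creation Date": "1995-08-14",            # constructed
        "Name Server": "ns1.example.net",         # constructed
        "Registrant Name": "Jane Doe",            # constructed
        "Registrant Street": "1 Sample Street",   # constructed
        "Registrant Phone": "+1.5555550100",      # constructed
        "Registrant Email": "jane@example.com",   # constructed
    }
}

# The elements the text identifies as personal information of an individual registrant.
PERSONAL_DATA_FIELDS = {"Registrant Name", "Registrant Street",
                        "Registrant Phone", "Registrant Email"}


def build_query(domain: str) -> bytes:
    """Client side of RFC 3912: the bare query text followed by CRLF, nothing else."""
    return domain.encode("ascii") + CRLF


def handle_query(raw: bytes) -> bytes:
    """Server side of RFC 3912: look the name up and return the whole record.

    Nothing in the protocol identifies the requester or its purpose, so the
    server cannot distinguish a registrar transfer from a bulk harvester.
    """
    domain = raw.rstrip(CRLF).decode("ascii").strip().lower()
    record = SAMPLE_RECORDS.get(domain)
    if record is None:
        return b"No match for " + domain.encode("ascii") + CRLF
    lines = [f"{key}: {value}".encode("ascii") for key, value in record.items()]
    return CRLF.join(lines) + CRLF


def parse_record(response: bytes) -> dict:
    """Turn 'Key: value' response lines back into a dictionary (free-form text in RFC 3912)."""
    record = {}
    for line in response.decode("ascii").splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            record[key] = value
    return record


def personal_fields(record: dict) -> dict:
    """The subset of the record that is personal data when the registrant is an individual."""
    return {k: v for k, v in record.items() if k in PERSONAL_DATA_FIELDS}


def redact(record: dict, marker: str = "REDACTED") -> dict:
    """Minimal-disclosure view: technical elements kept, personal elements masked."""
    return {k: (marker if k in PERSONAL_DATA_FIELDS else v) for k, v in record.items()}


def loopback_exchange(domain: str) -> bytes:
    """Run the same exchange over a real TCP socket on loopback (ephemeral port, not 43)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def server():
        conn, _ = srv.accept()
        with conn:
            data = b""
            while not data.endswith(CRLF):          # read the single CRLF-terminated query
                chunk = conn.recv(1024)
                if not chunk:
                    break
                data += chunk
            conn.sendall(handle_query(data))        # answer, then close (RFC 3912 behaviour)

    worker = threading.Thread(target=server)
    worker.start()
    with socket.create_connection(srv.getsockname()) as cli:
        cli.sendall(build_query(domain))
        response = b""
        while True:                                 # read until the server closes
            chunk = cli.recv(4096)
            if not chunk:
                break
            response += chunk
    worker.join()
    srv.close()
    return response


if __name__ == "__main__":
    reply = loopback_exchange("example.com")
    record = parse_record(reply)
    print("personal data disclosed to an anonymous client:", personal_fields(record))
    print("what a minimal-disclosure directory would publish:", redact(record))
```

Run as a script, the program performs the exchange over loopback and prints the personal-data elements an anonymous client receives next to the redacted view; the in-memory functions can also be called directly without opening a socket. The point the redaction makes is the one the chapter argues: the elements that keep a domain operating (`Domain Name`, `Name Server`, `Registrar`) are separable from the elements that identify a person, yet the protocol returns both to everyone.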

1.2.1 Three leading stakeholders: intellectual property owners, law enforcement, and the value-added services providers

The three examples of policy usage of WHOIS data described above identify three key stakeholder groups who have participated actively at ICANN and have largely been successful in their endeavour to keep WHOIS data freely available.

First, the Intellectual Property Constituency is composed of intellectual property lawyers, large entertainment companies (such as Time Warner and Disney), and trademark owners such as big brands (e.g., Procter and Gamble, Ford, and McDonald's). Second, the law enforcement community includes law enforcement agencies, such as the U.S. Federal Bureau of Investigation (FBI), the Royal Canadian Mounted Police (RCMP) and Interpol, and the private sector security companies and associations who actually do much of the policing of cyberspace (such as Symantec, McAfee, and the Anti-Phishing Working Group [APWG]). These organizations are interested in obtaining information that enables them to investigate a broad range of crimes or to stop cyber-attacks.

The third group of stakeholders includes a variety of value-added service providers and companies engaged in DNS commerce. This group is engaged in the buying, selling, and registration of domains, and includes registrars, the associated resellers who operate in conjunction with the accredited registrars, and so-called "domainers." This group is more formally known as the domain investment community, some of whom belong to the non-profit trade association, the Internet Commerce Association.4 Many in this group register names in order to resell them at a profit; others want access to information either so they can resell that information as a service to clients, or so they can invest in domains or market their services as registrars. Much trademark abuse is monitored by companies like MarkMonitor, one of the first companies to collect large amounts of WHOIS data and operate a trademark violation monitoring service for companies. Many cyber-investigators use such services, and much of the monitoring is now done by machines and "bots," automated programs which operate as close to real time as possible.

The boundaries between these groups are fluid, as companies like MarkMonitor may run an information services company and also do security enforcement, bringing down sites which are suspected of abusing trademarks or committing cybercrimes such as phishing attacks. Companies may have their own security services internally or contract out fraud detection and enforcement to specialists. Much of the policing of cyberspace has grown and developed in an unregulated fashion in the private sector, with the support of governments (UN Report on Cybercrime 2013; Tropina, 2015, p. 12). The government representatives who come to ICANN meetings and participate in the government stakeholder group called the Governmental Advisory Committee (GAC) tend to be representatives from the departments responsible for e-commerce and telecommunications, or from law enforcement agencies, and the GAC has historically been very supportive of an open, freely and anonymously available WHOIS, largely in order to fight cybercrime (see Appendices P and Q for their detailed data requirements).

1.3 What Does Privacy Mean in this Context?

Clearly, all of these stakeholders have good reasons to want access to WHOIS data, but not all Internet stakeholders are in favour of such unfettered openness. Those interested in protecting the privacy of Internet users, including the confidentiality of private groups and associations, resisted. There are several reasons why the WHOIS directory is important from a privacy perspective. The actual personal information that is collected and disclosed in the directory is non-sensitive in comparison to medical or financial data. There is a contact email, phone number, address, name of registrant, and domain name, along with technical data about the domain itself and the date of registration. In a world where Facebook profiles are commonplace, data brokers hold records on millions of individuals, and health information is a commercial commodity shared broadly, it may seem to some that the fight over WHOIS is out of proportion to the registration data actually at stake. However, address, phone number, and email address are certainly personal data elements that are still well recognized as worthy of protection, and publishing them in a global directory, when it is easy to contact that person by email, raises privacy concerns. Some Internet users can be significantly harmed by the abuse of this information and, more generally, it flies in the face of long-standing data protection principles designed to guard individual privacy as well as hold custodians of personal information accountable for their data handling activities.

4 Internet Commerce Association: https://www.internetcommerce.org/

Beyond the protection of personal information relating to the individual, there are privacy issues relating to freedom of expression and association that are important and are usually protected in the charters of rights or constitutions of nation states, or of regional entities such as the European Union. The registration of a particular domain, which is associated with certain types of content, may lead to conclusions about an individual's health, religious or political views, or family life. These particular matters are protected as sensitive data under the European Data Protection Directive 95/46 (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, O.J. L 281, 23 November 1995, p. 31ff, hereafter Directive 95/46). Over the years, concerns about the safety of speakers on the Internet have proven justified and, in particular, journalists and political activists have been tracked down and killed using information obtained from the Internet. Protection of free speech has long been a top priority of civil society in its policy struggles at ICANN (Mueller 2010), with privacy considered as a facilitator of freedom of expression and freedom of assembly as much as it is viewed as a human right in itself.

1.3.1 Risks of releasing personal information and privacy rights

Over the course of Internet development, the risks to end users have grown. The first phenomenon to receive attention was spam: the harvesting of name, address, and email address from the directory in order to send marketing information. Abuse and phishing attacks soon followed. Civil society advocates and registrars argued that individuals must not be exposed to this abuse, and a workaround solution of providing privacy/proxy services was accepted early on in the debates. Registrars offered this service to their customers, putting their own contact information in the WHOIS in place of the registrant's, usually for a modest fee. "WHOIS privacy" became synonymous with proxy services, particularly in the United States, where there is no comprehensive privacy law with a data protection supervisor to enforce privacy.
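The proxy workaround described above, worked through on a constructed record as an added example (this is not code from the dissertation, ICANN or any registrar): the script splits a WHOIS record into the registrant's personal contact data and the technical registration data, then substitutes the proxy service's contact details for the former, which is all that "WHOIS privacy" in this sense does. Assumptions: the record uses the "Key: Value" line layout common in port-43 WHOIS output (RFC 3912 fixes no format, so real registrars vary), contact fields are recognised by the role prefixes Registrant/Admin/Tech/Billing that registrars commonly use, and the sample record, the proxy contact details and the forwarding address domain are all invented.

```python
"""Split a WHOIS record into registrant personal data and technical data,
then apply the proxy-style redaction that registrars sell as "WHOIS privacy".

Added example, not code from the dissertation, ICANN or any registrar.
Assumptions (all constructed/hypothetical): the "Key: Value" line layout,
the sample record, the role prefixes used to spot contact fields, and the
proxy service's own contact details.
"""

# Constructed sample record in the usual port-43 "Key: Value" layout.
SAMPLE_RECORD = """\
Domain Name: EXAMPLE-ACTIVIST.ORG
Registry Domain ID: D123456789-LROR
Registrar: Example Registrar, Inc.
Creation Date: 2015-03-02T10:14:00Z
Registrar Registration Expiration Date: 2026-03-02T10:14:00Z
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
DNSSEC: unsigned
Registrant Name: Jane Doe
Registrant Organization:
Registrant Street: 12 Sample Street
Registrant City: Toronto
Registrant Country: CA
Registrant Phone: +1.4165550100
Registrant Email: jane@example-activist.org
Admin Name: Jane Doe
Admin Email: jane@example-activist.org
Tech Name: Jane Doe
Tech Email: jane@example-activist.org
"""

# Role prefixes that mark a contact field (assumption: matches common registrar output).
CONTACT_ROLES = ("Registrant", "Admin", "Tech", "Billing")

# Hypothetical proxy service details that replace the registrant's own.
PROXY_CONTACT = {
    "Name": "Privacy Proxy Service (hypothetical)",
    "Organization": "Example Proxy Ltd. (hypothetical)",
    "Street": "PO Box 1",
    "City": "Toronto",
    "Country": "CA",
    "Phone": "+1.4165550199",
    "forwarding_domain": "proxy.example",  # per-domain forwarding mailbox lives here
}


def parse_record(text):
    """Parse 'Key: Value' lines into an ordered list of (key, value) pairs.

    Repeated keys (e.g. several 'Name Server' lines) are kept; blank lines
    and '%'/'>>>' comment lines that some servers emit are skipped.
    """
    fields = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("%", ">>>")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        fields.append((key.strip(), value.strip()))
    return fields


def is_personal(key):
    """A field is registrant personal data when it carries a contact-role prefix."""
    return key.split(" ", 1)[0] in CONTACT_ROLES


def classify(fields):
    """Return (personal, technical) lists; the split the text above argues for."""
    personal = [(k, v) for k, v in fields if is_personal(k)]
    technical = [(k, v) for k, v in fields if not is_personal(k)]
    return personal, technical


def domain_of(fields):
    """Domain name from the record, lower-cased, or None if absent."""
    for key, value in fields:
        if key.lower() == "domain name":
            return value.lower()
    return None


def apply_proxy(fields, proxy=PROXY_CONTACT):
    """Proxy redaction: replace every contact attribute with the proxy's,
    and every contact email with a per-domain forwarding address.
    Technical fields pass through unchanged, so the published record still
    resolves abuse and transfer questions about the domain itself."""
    domain = domain_of(fields) or "unknown"
    redacted = []
    for key, value in fields:
        if not is_personal(key):
            redacted.append((key, value))
            continue
        _, _, attr = key.partition(" ")
        if attr == "Email":
            redacted.append((key, f"{domain}@{proxy['forwarding_domain']}"))
        else:
            redacted.append((key, proxy.get(attr, "REDACTED FOR PRIVACY")))
    return redacted


def render(fields):
    """Serialise pairs back into 'Key: Value' lines."""
    return "\n".join(f"{key}: {value}" for key, value in fields)


if __name__ == "__main__":
    record = parse_record(SAMPLE_RECORD)
    personal, technical = classify(record)
    print(f"{len(personal)} personal fields, {len(technical)} technical fields")
    print(render(apply_proxy(record)))
```

Note what the redaction does and does not change: only the published record differs. The registrar (and the proxy service, where it is a separate entity) still holds, retains and escrows the underlying registrant data, which is why the data protection issues the following paragraphs list go well beyond what appears in a public lookup.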

However, in this context data protection entails a lot more than not disclosing personal information in a public directory. With respect to registration data in the DNS as administered by ICANN, and in the light of widely accepted privacy norms (OECD Guidelines, 1980; EU Data Protection Directive 95/46; Article 29 Working Party, 2003), there are five major issues:

• The purpose of data collection, mandated by the 2013 RAA, has not been stated succinctly and authoritatively.

• Data collected is excessive and disproportionate, and released without stated purpose or identification of recipient.


• Data retention may not be lawful or proportionate, particularly as many data elements seem to be processed solely for the possible future use of law enforcement.

• Data is exported to the U.S. both for escrow and further processing, and protection in the U.S. may not be adequate.

• Information available to individuals concerning privacy rights and implications of consent to collection and use, including further processing, is insufficient.

1.4 Who Cares About WHOIS Privacy and Why?

Given that ICANN was incorporated with an explicit requirement from the U.S. Commerce Department to facilitate free access to registration data, it is important to understand who opposed this method of operation. The argument over WHOIS data started very early on in the life of this multi-stakeholder experiment.

1.4.1 Civil society and their allies

Civil society, organized in various constituencies and advisory groups at ICANN, has been vocal about the privacy and free speech implications of being identified on the Internet. Internet users include various kinds of groups and associations: religious, journalistic, and political organizations that might not be protected by data protection legislation directly, but may nonetheless wish to remain anonymous on the Internet in order to protect their freedom of association and free speech rights. These rights are protected under many national instruments such as the U.S. Constitution (U.S. Const. amend. I) and the Canadian Charter of Rights and Freedoms (Canadian Charter, 1982, s 6(2)(b)), and regionally through the Charter of Fundamental Rights of the European Union (OJ C 326, 26.10.2012, p. 391–407). For a detailed list of relevant legislation, see Appendix O.


The basic argument of privacy proponents at ICANN is that the disclosure of registrants' personal data, especially name, phone number, and address, to anyone with access to the Internet is unnecessary for the management of the Domain Name System (DNS). It is not required for the assurance of the stability and security of the DNS, which is ICANN's core mandate. Individuals and organizations alike are exposed to spam, harassment, and potentially more serious repercussions, both in western democracies with protection for free speech and freedom of assembly, and especially if they are operating in countries where civil liberties are not protected by law. This is a very important issue for civil society, which since the inception of ICANN has regarded the development and expansion of the Internet as a powerful force for development and creative expression, including political expression (WSIS, 2003).

Registrars themselves have become increasingly concerned in recent years, as the reality of data protection enforcement raises awareness of the issues. Registrars have little to gain from the WHOIS, except perhaps the avoidance of inquiries about abuse, and are reluctant to put information in the WHOIS if they are going to upset their customers. However, they have not been the ones campaigning for privacy; that task has fallen to civil society, predominantly within ICANN through the Noncommercial Users Constituency (NCUC).

It is worth noting here that there are two observers to the Governmental Advisory Committee who have advanced the cause of privacy and thus been allies of civil society: the European Commission, and the Council of Europe. Their voices, however, have been overshadowed in the Governmental Advisory Committee by the more prominent proponents of law enforcement issues. As of 2015, for example, there is a Public Safety Working Group subcommittee, committed to advancing law enforcement access to data among other matters.


1.5 Data Protection Authorities

Turning to the support for privacy outside of the ICANN multi-stakeholder organization, the most relevant actors are the data commissioners or data protection authorities. As of 2015, the close of my research period, there were 109 data protection laws in place, and a number of regional associations of data commissioners and officials charged with responsibilities for data protection (Greenleaf, 2015). In 1998 there were far fewer. This dissertation deals primarily with the interventions of the Article 29 Working Party, the official committee of the European Data Commissioners designated by the 1995 Data Protection Directive 95/46 (EU, 1995) to coordinate the interpretation of their national laws, and the International Working Group on Data Protection in Telecommunications (IWGDPT), a voluntary association of data commissioners and their staff, founded in 1983 to collaborate on common approaches to the technical issues which were arising. This group is also known as the "Berlin Group," since it was founded and chaired by the Berlin Data Commissioner of the time, and I will refer to it as such hereafter.

In their various interventions to ICANN on WHOIS, the commissioners have responded to calls for comment issued by ICANN, expressed views on contractual negotiations with the registrars, visited ICANN meetings and presented their views in group meetings and special events sponsored by civil society, prepared common positions on the WHOIS directory, and provided general guidance to ICANN on the privacy implications of registrant data. The documents related to these interventions are listed in Appendices F and G. The data protection authorities have not, however, joined ICANN working groups and participated in the policy development process.

1.5.1 My involvement with ICANN and choice of this case study as a research focus

I am interested in WHOIS privacy for several reasons. I joined ICANN in 2013, invited to participate as a privacy expert in a volunteer group, the Experts Working Group on a New Registration Data Service (Experts Working Group or EWG hereafter), tasked to try once again to study the WHOIS problem and recommend a replacement for the current system. I had some familiarity with the WHOIS issue, having worked on other projects with the European Commission staff when they were dealing with it (2003), and I had been asked to speak at an ICANN meeting on the topic when I was the Director of Research and Policy at the Office of the Privacy Commissioner of Canada (2005). Also, while working previously as a privacy consultant in the private sector, I crafted the first privacy policy for the Canadian Internet Registration Authority (CIRA) in 2004, so while hardly an ICANN expert, I was interested in, and familiar with, the WHOIS problem.

This Experts Working Group was supposed to be a part-time four-month project, but it lasted a year and a half. Participating in that group meant going to five of ICANN's five-day international meetings and eight of the three-day meetings of the working group, in addition to weekly or biweekly conference calls, and further drafting work in subgroups. This work involved several briefing sessions on the issues at each of the multi-stakeholder meetings, and it gave me an excellent opportunity to meet the stakeholders, learn about the technical details of the system, and hear at first hand the intractable policy positions and differing human reactions. Participating in this high-level committee gave me an inside look at how ICANN operates. I also became fascinated with the way ICANN was responding to the data commissioners. I had worked for years with data commissioners, and I had never witnessed such a headstrong refusal to cooperate with legal obligations. I became intrigued by what might lie behind this intransigence. My research questions thus emerged from that experience.

More broadly, in my view the issue of enforcement of data protection law is critical at this particular juncture, if there is to be any privacy in the coming years. We are familiar with the problem of technology racing ahead of law (Brin, 1998; Bygrave, 2014b; Froomkin, 2000a; Solove, 2015) but it is important for the Internet to catch up with human norms. At its essence, this debate is about something I care about: the ability of global citizens to engage in speech on the Internet without being subject to surveillance, tracking, and harassment.

1.6 ICANN Stymies WHOIS Data Privacy Since 1998

The data commissioners have commented specifically on WHOIS since 2000, and I will describe these interventions in detail in Chapter 6. In recent years, they have written directly to the Board and the Chief Executive Officer to protest developments in data collection, disclosure, and retention. One of the latest examples of such protest helps illustrate the persistent pattern of interaction between ICANN and the world’s data commissioners.

When ICANN was developing the 2013 Registrar Accreditation Agreement (RAA), adding further requirements including data retention requirements, the Article 29 Working Party wrote to ICANN insisting that the draft agreement would require the registrars in Europe to violate data protection law, and that all European registrars would need a waiver from certain of the requirements. One of those requirements is a data retention obligation which ICANN appears to have introduced solely for the benefit of law enforcement. It would require registrars to retain, for two years after the last transaction with the customer, the records of their Internet correspondence with registrants (timestamps, IP addresses, and similar technical metadata) together with the customer's financial data, including credit card (i.e., payment) data, even if the customer transfers the domain to another registrar. This is a particularly objectionable requirement to the data commissioners, who wrote ICANN sternly:

The Working Party strongly objects to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement. If there is a pressing social need for specific collections of personal data to be available for law enforcement, and the proposed data retention is proportionate to the legitimate aim pursued, it is up to national governments to introduce legislation that meets the demands of article 8 of the European Convention on Human Rights and article 17 of the International Covenant on Civil and Political Rights (Kohnstamm to Crocker and Atallah, 26 September 2012).

This quote from the Article 29 Working Party letter illustrates the tone of the relationship that is the focus of my research, and raises one of the fundamental questions to address as I examine the actual functioning of the organization in the matter of respect for human rights and national law. Can a multi-stakeholder organization, tasked with performing a function essential to the operation of a global public resource (the DNS) and required to act in the public interest, actually disregard national law and the independent officers charged to enforce it?

1.6.1 ICANN’s failure to respond

Thus far, ICANN has responded that the Governmental Advisory Committee of ICANN (GAC) has instructed it that the GAC is the body qualified to determine the balance between data protection legal requirements and the need to retain data to facilitate law enforcement and consumer protection (Chehade to Kohnstamm, October 8 2012). This exemplifies the long-running standoff between the Data Protection Authorities and ICANN which is central to my research project and which I will analyse in detail throughout this dissertation, particularly in Chapter 6. To put the matter simply, ICANN, a multi-stakeholder non-profit corporation headquartered in California, has told the independent Data Protection Authorities of the 28 European member states (including the European Data Protection Supervisor, who is responsible for supervising the data protection practices of the European Commission and European Parliament) that it does not accept that the commissioners, or the Article 29 Working Party, have the authority to advise in the matter of the protection of the personal information of domain name registrants. There are many other instances of non-response, which I document in Chapter 6.


1.7 WHOIS Conflicts with Law Policy—ICANN’s Only Concession to Privacy Demands

During the early days of the first WHOIS task forces 1 and 2 (2002-2006), which I describe in detail in Chapter 5, the issue of privacy became prominent, and the ICANN Board accepted that it must recognize the fact that European registrars in particular had to comply with data protection law. The Board promulgated the only policy that exists for WHOIS privacy, the WHOIS Conflicts with Law Policy (see Appendix M for the procedure). Basically, that policy specifies a procedure that a registrar must follow if it determines that it is subject to a national or regional data protection law that conflicts with its WHOIS obligations. The registrar must provide evidence of this to ICANN, in the form of an enforcement action from the authority responsible for enforcing that law. This essentially puts the registrar in the unenviable position of having to break the law in order to obtain such an enforcement action from the data protection commissioner, or of having to get a letter from the commissioner assuring ICANN that the WHOIS requirements do indeed violate the local law.

The Article 29 Working Party sent a series of letters to ICANN informing it that the Working Party was the authorized body that could decide that the WHOIS requirements conflicted with E.U. data protection law, and that all E.U. registrars would require an exemption. ICANN rejected this, since such a letter from the Article 29 Working Party did not meet the threshold of ICANN's procedure. This particular procedure lies at the heart of the standoff that I describe between the Data Protection Authorities and ICANN.

Since the promulgation of this procedure in 2006, the privacy advocates in this contention have attempted to get the WHOIS privacy issues back on the agenda, with no success. The data commissioners have written repeatedly to ICANN, expressing their concerns. When the WHOIS Review Team was established in 2010 to review ICANN's commitments on WHOIS data, another standoff ensued with no progress on privacy. Then, when the Experts Working Group reported on its 18-month effort to develop a concept to replace WHOIS, the only privacy expert on the group issued a dissenting report because of the failure to properly address privacy issues.5

The majority of the members of a volunteer group established to find another “trigger” for the WHOIS Conflicts with Law Procedure in 2015 expressed the view that the procedure did not work and could not be improved because of fatal flaws in the policy (links to the transcripts for these discussions are in Appendix E).

Nevertheless, the enabling documents for the businesses which are delegated and empowered to administer the Domain Name System, still contain requirements that are not, in the view of privacy advocates and global data protection authorities, in compliance with data protection law.

1.8 Research Questions

Given that ICANN has consistently failed to respond substantively to the repeated requests of data protection authorities that basic privacy rights be accommodated in the WHOIS directory and in the Registrar Accreditation Agreement, my primary research question is:

How has ICANN managed since 1998 to avoid privacy demands in the Registrar Accreditation Agreement (RAA) and in WHOIS policy more generally?

Flowing from this, my secondary research question is:

What are the implications of ICANN's WHOIS failure for global data protection in the context of the Internet and of Internet governance or regulation?

5 I was the only privacy expert in the Experts Working Group. For more on the composition and biographies of group members, see the press release at https://www.icann.org/resources/pages/gtld-directory-services-members-2014-06-24-en. In my opinion, various recommendations of the report did not comply with data protection law nor best practice, so I could not support them (https://www.icann.org/en/system/files/files/perrin-statement-24jun14-en.pdf and https://www.stephanieperrin.com/).

In examining the evidence of ICANN's persistent avoidance of addressing privacy rights, I look for the reasons that decision makers at ICANN have put forward to justify not complying with data protection laws, and consider what possible reasons might remain unspoken. Several scholars have examined the question of who effectively controls ICANN, notably Froomkin (2000b), Weinberg (2000), Komaitis (2010) and Mueller (2002), and they have all concluded that ICANN has favoured the rights of trademark and intellectual property holders over the commercial interests of the registries and registrars and the human rights of end users. I agree, and examine the factors which enable trademark and intellectual property holders to maintain that control, and the changes in the current privacy environment that may lead to change in terms of greater enforcement of data protection law. The question this dissertation seeks to understand is why the global data commissioners, who have expressed concerns about this practice since 1998, have failed to influence ICANN, and whether there are structural issues within the institution and its policies that will continue to produce this result, despite overall progress internationally in implementing data protection law and improving compliance with it since 1998.

1.9 The Importance of These Questions and Prospective Research Contributions to Privacy Scholarship (and Advocacy)

What is at stake, when ICANN dismisses privacy claims, especially when made by the responsible oversight authorities, the data protection authorities? My primary research question is a simple one, but it is important for a number of reasons. The Internet is an important focus area for privacy scholars, as compliance and enforcement of data protection law proves to be as difficult as was predicted in the early days of the development of data protection legislation. ICANN not only lies at the heart of an important branch of Internet governance and activity, it also potentially impacts every individual in the world who wants a domain name, by listing them in a global, public directory. Demands for greater accuracy of that data, and for greater authentication and identification of individuals who want to have a domain name, may drive a global directory of human beings with a presence on the Internet, potentially linked to biometric identifiers.6 WHOIS is an important directory, and the rules governing who has access to registry data, and on what terms, potentially affect millions of people.

If data protection authorities are unsuccessful in using moral suasion or the "soft law" approach to persuade ICANN to comply with law, they may need to take enforcement action. If they fail in that attempt, this will have important impacts on the enforceability of data protection law across borders more generally. Legal scholars will be interested in this, in the cases that may ensue, and in the actors who will bring the cases.

This research provides an analysis of a case study in the apparent failure of data protection law implementation and enforcement. In particular, it examines how a major institution in multi-stakeholder Internet governance arguably fails to act in the public interest, and avoids a discussion of what actually constitutes the public interest in the matter of data protection and the associated human rights which depend on confidentiality of groups and associations engaged in free speech, political association, and religious observance.

The examination of how ICANN has ignored the data protection authorities from their first interventions in 2000 to today, and how other actors have effectively influenced the organization to resist compliance with law, is a valuable contribution to the understanding of enforcement problems and potential solutions. It is important to our understanding of the prospects for the future health of data protection law enforcement, because the Internet is one of the most difficult areas of enforcement, particularly as it relates to the much-proclaimed Internet of Things (IoT). The Internet of Things refers to the networking of devices and commonplace articles, which will have Internet Protocol (IP) addresses and thus be connected to the Internet. The role of the Domain Name System in the IoT is by no means clear at this point, but it is quite likely that some kinds of linked items will have a web presence with a domain name, to facilitate addressability. ICANN's continued intransigence towards privacy does not augur well for privacy in the IoT. Failure to observe basic data protection in the much simpler matter of a registrant directory may be setting in motion a series of related policy choices that have profound implications for freedom and autonomy as the Internet reaches ever deeper into our lives.

6 CNNIC (China Internet Network Information Center), which operates the .cn registry, tested biometric identifiers for the identification of individuals wishing to register domains in 2012. China Internet Network Information Center, 2012 Social Responsibility Report, p. 20, http://english.cnic.cas.cn/rp/201303/U020130315372496792878.pdf.

In this dissertation, I examine a number of key reasons why I think ICANN's intransigence on privacy is extremely important and merits further research. I discuss them briefly below; they relate largely to the lack of respect for the rule of law and for the human rights of Internet users. If ICANN is a model for Internet governance institutions that are non-governmental, it matters if the corporation does not consider the protection of end user rights to be part of its public interest commitments. Rules surrounding the provision of end user information in criminal procedures are admittedly under stress on the Internet, but facilitating informal mechanisms undermines fundamental protections for global citizens.

First, it is important for the privacy rights and human rights of Internet users whether or not a key player in Internet governance recognizes human rights and data protection law. ICANN has acknowledged that data protection law exists, but makes it extremely difficult to comply with it. It would be different if ICANN had argued the matter out, either in working groups or in the courts, resulting in a determination that there was a prevailing public interest in requiring that certain elements of personal information be made readily available. These sorts of compromise happen in every country that has data protection law; privacy advocates might not be happy with the results, but at least the argument gets a hearing and a decision is made. But I argue that this is not what has gone on at ICANN. The overseers of data protection are simply being ignored, and if the situation persists, they will have to take enforcement action, as they have threatened to do in the letter from the Chairman of the Article 29 Working Party that I cited earlier in this chapter. Until ICANN addresses the privacy issues the data protection authorities have raised, it is ignoring the rights of its end users or registrants. It shows a lack of respect for the legal systems of countries and regions, which does not augur well for private sector multi-stakeholder governance models that are in many respects vital to Internet governance, notably the investigation and imposition of penalties on cybercrime.

Secondly, as an instrument of Internet governance, ICANN has been instructed through its bylaws to act in the public interest7 and, while that term has yet to be defined, it is reasonable to question whether non-compliance with data protection law is in the public interest, however defined. Certainly, the claim is made often enough at ICANN that compliance with data protection law with respect to the Registration Data Services or WHOIS is not in the public interest. When ICANN was created in 1998 it might have been possible to argue that data protection law was a European peculiarity, but one cannot argue that today, when 120 countries have data protection laws (Greenleaf, 2017). This has serious implications for privacy on the Internet, as ICANN sets the tone for other Internet governance institutions, raising expectations among various stakeholders, notably law enforcement, private sector security firms, and IP rights holders, that they are entitled to get personal data quickly and easily without a warrant or other instrument of due process.

7 ICANN was bound by its 2009 Affirmation of Commitments (AOC) with the U.S. Department of Commerce (DOC) to do a number of things in the public interest. Thus far, that term has been undefined, but the outgoing Chief Executive Officer Fadi Chehade had put defining it in the strategic plan for 2016, and work is proceeding slowly to sketch out the parameters of what "public interest" means. In the meantime, after the Internet Assigned Numbers Authority transition was successfully concluded in October 2016, releasing ICANN from its contractual obligations to the DOC and giving it authority over the assignment of numbers or Internet Protocol address blocks, ICANN's Chairman of the Board and the Assistant Secretary of the DOC exchanged letters retiring the Affirmation of Commitments, recognizing that its principles had been grandfathered into the bylaws of the new organization (https://www.icann.org/en/system/files/correspondence/strickling-to-crocker-06jan17-en.pdf).

Thirdly, ICANN in December 2015 commenced yet another WHOIS policy development process, in hopes of settling previous disagreements, and creating a new, expanded directory service. This process will address again the issue of the purpose of collecting registrant data. If through this next process, the policy development group decides that the purpose of the directory is to serve as an informal mechanism to get the information, including personal information, of everyone who has a domain on the Internet, ICANN will have effectively bypassed the laws of many countries and paved a path to its door for law enforcement, cyber-investigators, and IP holders. Civil society and the registrars themselves argue that putting registrants’ data in the public domain puts them at risk of the very cybercrime and even physical assault that the investigators purport to prevent, and despite plenty of evidence of this and a history of similar risks coming to fruition in other privacy struggles regarding public directories (e.g., telephone caller number display or Caller ID, the publication of motor vehicle licence registries), this argument has not been successful.

Fourth, the limited remit of ICANN to manage the assignment of domain names and numbers is arguably being pushed to make it more helpful in policing content on the Internet. ICANN is not responsible for the content of Internet sites, and has stated that, yet it is under pressure to put some responsibility for oversight on the contracted parties. Intellectual property owners policing brand abuse, businesses trying to fight domain hijacking, and law enforcement fighting crimes as varied as child trafficking, fake pharmaceuticals, and malware distribution are somewhat united in their view that a one-stop shop for information about domains is essential for the evolving Internet. Already ICANN asks registrars to retain information (e.g., metadata, credit card information, last known IP address) longer than is usually required for domain management because it is useful for investigation of other crimes. It would be only a few short steps further to require the WHOIS to contain all hosting information, contracted parties for financial transactions, etc. This puts even more potential law enforcement activity outside the purview of nation states and applicable constitutional protections for individuals, and into the ambit of this new multi-stakeholder organization, ICANN.

Fifth, a fundamental issue has arisen occasionally since the first World Summit on the Information Society (WSIS, 2003). At the two World Summits on the Information Society, sponsored by the International Telecommunication Union in 2003 and 2005, civil society and many other stakeholders involved in the development of the Internet gathered to discuss its future promise and how to maximize that potential. Issues such as whether the ability to connect to the Internet should be considered a basic human right were discussed, and certainly at the Internet Governance Forum (IGF) which continues to meet annually under the sponsorship of the United Nations, civil society presses for human rights so that all citizens can benefit from the Internet. The question that arises in the context of ICANN and the Domain Name System is whether every individual has a right to a domain space on the Internet. Some private corporations would respond that since anyone can interact over the Internet by getting a space on Facebook or one of the other social media platforms, there is no obligation to facilitate every person having their own domain name. Internet traffic is exploding today but development has arguably changed from the concept of an open Internet of empowered users to an oligarchy of competing platforms and applications. Traffic analysis reports by Cisco document trends in growth 8 that show exponential growth of video sharing and gaming. Combined with the popularity of applications-based processing via mobile phones, these trends are having an impact on Domain Name System forecasting. Some scholars writing on these trends are predicting an end to the open Internet (Tufecki, 2016). If true, this has important implications for competition, human rights, free speech, and the rule of law.9

8 See https://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/vni-hyperconnectivity-wp.html.

Refusing to permit individuals and groups to have privacy rights at ICANN may be a deterrent to them exercising their right to control their own space on the Internet, and it adds pressure that may induce them into the arms of private actors who may, when pressured, censor their behaviour. This would be a serious outcome for free speech, and imperil the future of the Internet as a democratizing resource for people, rather than one which favours only large Internet-based corporations.

A sixth issue is the fundamental transformation of how we think about privacy. Konstantinos Komaitis, Director of Policy Development at the Internet Society and a former Chairman of the Noncommercial Users Constituency at ICANN, contends that ICANN’s dispute resolution process, the Uniform Domain-Name Dispute-Resolution Policy (UDRP), is fundamentally biased in favour of trademark holders and has changed the concept of what a trademark is (2010). I contend that while the erosion of privacy rights that has taken place at ICANN is not as significant a change as the transformation of trademark law, a similar pattern has been followed in order to reduce expectations of privacy among participants in the DNS. This has had an impact on privacy rights with respect to the Internet, accelerating the expectation that if you participate at all on the Internet, you must expect no anonymity.

I discuss these important issues raised in my research in Chapter 7. The contestation between stakeholders at ICANN over what to do with this directory is a debate familiar to both law enforcement and data protection officials and advocates. However, the importance of this battle lies also in what the directory demands, and what it represents, in the still undefined and rapidly evolving Internet world. This is a philosophical question as well as a practical one. Can I operate anonymously in cyberspace? Is the Internet a series of storefronts and private content theatres, or a means of speech? Does everyone on the Internet have the right to know where I live, my phone number, when I registered my domain and when it is going to expire? How do we configure the self on the Internet, and is anyone telling us what we can or cannot do? How do I maintain my autonomy, my freedom to create, socialize, be political, trade, and learn? Who is policing wrongdoing in this global society, and what checks and balances are there on the abuse of power and the enforcement of rights? These are broader and more important questions, and I will demonstrate how this is actually what is behind much of the debate.

9 Cisco traffic analysis reports document trends in growth: https://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/vni-hyperconnectivity-wp.html.

1.9.1 Implications for Internet governance

For Internet governance scholars, how ICANN complies with international norms, particularly in the area of human rights where privacy is a well-accepted human right, is important. Privacy as an enabler of freedom of expression, political speech, and freedom of assembly is well understood. The institutional mechanisms which ICANN has employed to stymie privacy policy development are of interest to those examining multi-stakeholder organizations and their potential for global governance of critical resources.

Whether “multi-stakeholderism” actually works is a question of great interest to Internet governance scholars, as well as those examining multi-stakeholderism as an international normative mechanism (Hofmann, 2017). The ways in which ICANN handles both compliance with national laws as well as fair and equitable policy development are important for those watching ICANN as it develops into an accountable new entity not under contract to the U.S. government, following the Internet Assigned Numbers Authority transfer 10 (announced in 2014 and completed in 2016).

10 Until 2016, the U.S. government had retained control of the Internet Assigned Numbers Authority functions, or IANA. ICANN managed the numbers but under contract with the Commerce Department. The release of U.S. control means that ICANN is now a fully independent multi-stakeholder organization. See https://www.ntia.doc.gov/blog/2016/update-iana-transition.

1.9.2 Implications for the Domain Name System industry

The Domain Name System industry will find itself on different sides of this issue, as it has already. If data commissioners take enforcement action against registrars, or civil society registrants organize and take action to demand privacy rights in court, it will hurt E.U. registrars and U.S. registrars and registries with a presence in Europe. The European Union passed its new General Data Protection Regulation just at the close of the timeframe I have chosen for this research (1998-2015) and the prospects of greater enforcement of law and potential fines of 4% of annual revenues have already caused a change in the attitudes of registrars and registries at ICANN (see Chapter 3 for a more detailed discussion of the implications of the new regulation). The other members of the DNS industry—the value-added service providers, private security investigators, and enforcement contractors for the IP and trademark holders—have expressed alarm at the prospect of increased enforcement of data protection laws and have joined the current WHOIS Policy Development Procedure in unprecedented numbers, threatening calamitous results if they cannot continue to access WHOIS data anonymously (Schwartzman, 2017). For these businesses, there may be drastic implications for their revenues if access to free data is cut off. For Internet governance scholars, the examination of conditions that can cause realignment of stakeholders, which I discuss in my conclusions, is useful in examining the effectiveness of multi-stakeholder approaches to complex governance of finite resources.

1.10 Thesis Outline

The remainder of this dissertation is structured in the following manner. In Chapter 2 I describe my research methods, the timeframe for the research, and what I bring to this scholarship from my previous career as a privacy advocate and consultant, as well as one of the key public servants responsible for the development of private sector data protection law in Canada at the federal level. In this chapter, I discuss how I worked with the extensive documentation that ICANN preserves and makes available, and how I selected and analyzed relevant material.

Chapter 3 introduces the privacy scholarship and Internet governance studies relevant to WHOIS. I highlight scholarship which touches upon the failure to enact privacy law in the United States, and more generally on the challenges in developing privacy policy (Bennett, 1992; Regan, 1995; Westin, 1967). While there is very little written on privacy issues within Internet governance and particularly ICANN, some have written detailed discussions of the WHOIS debate (Agrawal, 2003; Cojarescu, 2009; Mueller and Chango, 2008). Researchers have paid more attention to critiques of the intellectual property and governance issues, some of which helps to inform this research. I review some of the scholarship on the struggles over Internet governance, including the legal issues at ICANN (Bing, 2009; Bygrave, 2014b, 2015; Froomkin, 2000b), privacy issues and the failures of privacy law to effect change on the Internet more broadly (Brown, 2013; Cohen, 2012; Korff, 2010), the intellectual property issues (Froomkin, 2000b; Komaitis, 2010), the perspectives of economists and telecom/trade policy scholars (Braman, 2010, 2011; Hofmann, 2016; Mueller, 2002, 2010), and human rights issues (Korff, 2013; Zalniurute & Schneider, 2014). The discussion of Internet governance as shaped at the World Summit on the Information Society (WSIS) in 2003 and 2005, at the Netmundial conference of 2014 and the annual Internet Governance Forum (IGF) has raised policy perspectives regarding WHOIS, but my focus in this dissertation is primarily on the impact on privacy law, implementation, and policy rather than Internet Governance scholarship.

Chapter 4 examines how ICANN manages the Domain Name System and registration data. I discuss ICANN as an institution, how it functions from a structural and procedural perspective, the stakeholders themselves, and how they interact in all the committees and working groups. I highlight the main stakeholders in the WHOIS debate, to provide the background needed to analyse their interplay in the following chapter.

Chapter 5 begins to address the first research question directly: How has ICANN managed since 1998 to avoid privacy demands in the Registrar Accreditation Agreement (RAA) and in WHOIS policy more generally? It opens by examining the detailed history of the WHOIS struggle, from the perspective of the stakeholders who were involved in the contention from the inception of ICANN up to the creation of the current Registration Data Services Policy Development Process, which started in late 2015. I review the policy initiatives, the compromises reached, and the outstanding issues that were passed on to the next participants in the WHOIS policy process. Relying on the extensive documentary record (including recordings and transcripts of meetings, interim and final reports, comments to those reports, and the charters of the various groups and processes), I look for the causes of the failure to reach consensus and for preliminary responses to the research questions.

Chapter 6 focuses on the standoff between the world’s data commissioners and ICANN. Although the data commissioners were clearly watching what ICANN was doing, I contend that this standoff can be viewed as an inside-outside situation, where the data commissioners are not necessarily viewed as voices to take seriously within the ICANN multi-stakeholder process described in the previous chapter. I go into further detail about the legal and policy issues which the national data commissioners in concert have raised regarding ICANN and its various instruments. Using the particular interventions at ICANN, I analyze the inability of the data commissioners to influence policy at ICANN, and possible reasons for this failure in the application of data protection law. I also discuss briefly the support the data protection authorities have received from civil society, and the relationships civil society and other actors have developed on this issue. I analyze the response of ICANN, and the interactions it has had with the stakeholders affected by the policies, such as the WHOIS Conflicts with Law Policy. By this point it is clear that ICANN has managed to avoid privacy demands in the Registrar Accreditation Agreement and in WHOIS policy more generally, mainly due to ICANN’s success in avoiding the development and implementation of a privacy policy, the provision of a “pressure valve” release for privacy demands in the form of privacy/proxy services, and the lack of enforcement action on the part of the data protection authorities.

Finally, in Chapter 7 I conclude by summarizing my findings regarding the central research questions and the contributions this research makes. I argue that ICANN as an institution has behaved more like a U.S. corporation than a global multi-stakeholder entity charged with a public responsibility, the management of the DNS, and has blocked data protection demands exactly as many other Internet corporations in the private sector have done. I conclude that the stakeholders are partially responsible for the failure to comply with data protection law in many respects, and will be determinative in any prospects for change. I also discuss the potential strategies that civil society and its allies might take in reforming the WHOIS policies and structures. Based on the historical record of WHOIS debates thus far, I outline some of the risks that appear to be on the horizon, and identify changes that need to occur. As ICANN is now immersed in yet another WHOIS redevelopment process, and the European Union is in the process of implementing the new General Data Protection Directive, the question must be asked: is it possible to change ICANN’s approach to privacy, both the stated and unstated policies? This research sheds new light on this issue, and offers promising ways to achieve positive changes in terms of compliance with data protection law.


Chapter 2 Personal Background and Methodological Approach

In this chapter, I briefly discuss what I bring to this research project in terms of my understanding of privacy contention, my active participation at ICANN from 2013 to 2017, and in registration data privacy issues in the past, and how I engaged with the documentary evidence to conduct my research. While I discuss how ICANN manages its mandate and role in running the DNS in Chapter 4, including its information management practices, in this chapter I will introduce the main types of documentation available, how I decided what to examine and how I analyzed the documents selected.

2.1 Researcher, Privacy Expert and Advocate

As discussed above, I was invited to join the Experts Working Group (EWG) that studied replacing WHOIS from February 2013 to June 2014. I then joined the Noncommercial Users Constituency (NCUC) as a volunteer, and was elected as a councillor to the Generic Names Supporting Organization or GNSO Council, the group tasked with developing and recommending policy to the ICANN Board. I am therefore an active participant at ICANN, representing civil society and advocating for the privacy interests of end users or registrants. I bring considerable privacy expertise to this role, having spent a full career in the Canadian government working on various aspects of privacy, notably the drafting of the Canadian private sector data protection law, the Personal Information Protection and Electronic Documents Act, or PIPEDA. I have worked with data protection authorities throughout my career in various capacities (see Appendix J), and bring to this case study a thorough understanding of the law, its enforcement challenges, and the various arguments that take place in settling on information policies.

As a policy expert working for many years in the development of privacy law, policy, and technologies, I am interested in the broad question of why, despite very high public concern about privacy, a profusion of national laws to protect privacy, and explicit recognition in a number of international instruments, it is often the case that information and communications systems are built without consideration for the protection of personal privacy or personal information. There are many obvious reasons for this: gathering personal information and using it has many economic and governance uses; acknowledging privacy as a human right may foreclose the abilities of business or government to pursue their interests; vigilance to protect personal information costs money; the individuals or data subjects themselves have many priorities and the protection of personal information may not be perceived by them as a high priority as compared to the convenience of simply providing their data and getting a service; privacy regulators and privacy advocates may not participate effectively in international fora, to name a few.

The research questions could be addressed in a number of ways. Because ICANN maintains complete recordings and transcripts of all meetings, most teleconference calls, email traffic, drafts of policies and other documents, and comments received on draft documents, it is possible to examine the records and look for evidence of how policy decisions such as the ones affecting WHOIS and data protection are made. Indeed, I have examined much of the historical documentation on the WHOIS debates and task forces that I was able to locate in ICANN archives.

Given the openness of ICANN meetings, it is also quite easy to attend meetings, meet participants and interview key players for their views on how ICANN has managed this standoff with the data commissioners. Certainly, I have spoken informally to a great many key individuals in this way and have had many conversations, gathering partial insights into what has transpired.

While it would have been possible for me, as an active member of the ICANN community, to do participant observation, or to take an ethnographic approach to the study, I reached the conclusion that this would be problematic on a number of levels.


First, as a prominent privacy expert and advocate I might never be trusted by many stakeholders. This could produce gaps in the analysis of responses to the privacy questions. Secondly, despite much experience during my government career in representing all stakeholders fairly and neutrally in various negotiations, consultations, and policy exercises, it would be difficult to persuade some of the highly confrontational participants at ICANN that I was maintaining a stance of neutrality in my research, especially given my vocal advocacy within discussions at ICANN. I observed that my mere knowledge of the facts of data protection law and its implementation, facts that rarely got an airing at ICANN, appeared to many stakeholders to represent a bias. Thirdly, at the end of the Expert Working Group’s study period, I felt compelled to issue a dissenting report. As a privacy expert, I had to address certain recommendations in the final report that would be considered unacceptable by anyone with knowledge of data protection law and practice. Given that I was the only privacy expert on the group, and I had basically blocked consensus on yet another WHOIS study/review, I was (correctly) perceived in some quarters as the privacy expert that stopped WHOIS replacement from moving forward. In my view, this is a bit like blaming the biologist for reporting on excessive mercury levels in a river and causing the fishery to be shut down… but the perception of bias is important and I felt it might confound an interview-based approach.

The documents, and the transcripts of the various processes, speak eloquently in themselves of the problems I have described in Chapter 1. Given the vast amount of material available, I decided to study the research questions by analyzing the documentary record, informed by my long participation in data protection debates and contention, and my direct experience within several relevant ICANN bodies and working groups.

2.2 Why I Worked with ICANN Documents

ICANN has a massive archive of material publicly available that tracks its decision-making processes. In the early days, there were few staff and resources, so document management systems were not a priority, but transcripts and recordings were kept of most meetings from the beginning, no doubt in an effort to demonstrate the transparency and accountability of the new multi-stakeholder organization. This includes recordings and transcripts of the policy development process (PDP) meetings and GNSO Council meetings, of some stakeholder meetings, email archives of the email lists of working groups and stakeholder groups, records of public comments, recordings and transcripts of all the public meetings which have been held (57 by the end of the research period in 2015), correspondence with groups and key individuals, and minutes of Board meetings.

It is therefore relatively straightforward to access the records and look for evidence of how policy decisions are made. Indeed, I have examined much of the historical documentation on the WHOIS debates and task forces located in ICANN archives.

There are some lacunae in these records. Commercial stakeholders and contracted parties hold closed meetings where they discuss strategy and issues. The contracts which actually bind the registries and registrars to become “data processors” and “data controllers,” to use the terms of E.U. law, are negotiated in private between ICANN and the contracted parties. Board discussions and meetings are not public, and the minutes of meetings are somewhat perfunctory. Board email lists are not public, and nothing prevents other groups from setting up a separate, private email list if they wish to administer it themselves. In the case of the Experts Working Group which I joined in 2013, the meetings were not transcribed, the email lists are not accessible to non-members, and meetings with stakeholder groups such as law enforcement organizations were not recorded. This is often the case with review teams, as much discussion may be off the record.

It became apparent to me early on that much of the activity at ICANN happens “backstage” (Goffman, 1957), despite the apparent openness of the institution. “Backstage” includes a 24-hour, seven-day-a-week multi-channel Skype (or other social media tools) chatter about ICANN that goes on, apparently, in all working groups and constituencies. These stakeholder groups operate in relative isolation from other groups, leading to a “siloed” situation where groups with similar motivations and incentives tend to talk among themselves, discussing policy positions and agreeing on practical matters such as which representatives to send to each of the many simultaneous policy and implementation working groups. This is of course not unusual, but it belies the rhetoric about ICANN openness and consensus.

There are several online trade journals which follow ICANN closely, and I have occasionally cited them (DomainIncite, CircleID, The Register). They follow the decisions and meetings, and they work to unearth the stories behind some of the announcements, including the money and competitive interests involved in ICANN decision-making, and the gossip behind some of the closed-door meetings.

Nevertheless, all parties make a concerted effort to get their views on the record, either orally at the public microphone in face-to-face meetings, on the Adobe conference system used for working group calls, using text chat, or orally during the calls, which appears in transcripts, or in the email discussion between calls, and in the official comments to documents. It is therefore possible to get a very reliable perspective on how policy decisions have been reached, by studying the documentary records, particularly when that study is informed by participation in the actual work that goes on at ICANN.

In examining the research questions, I have chosen to study the period stretching from the creation of ICANN in 1998, including the Green and White Papers released by the U.S. Commerce Department in 1998, and the earlier 1996 World Intellectual Property Office (WIPO) report on issues with domain names, and ending with the creation of the new policy development process to study the Registration Data Service afresh, in December 2015. The earlier date is easy to set, as the first interventions of the data commissioners on the topic of domain names really started with the WIPO papers, and the requests for input from the European Commission on the ICANN proposals.


The closing date is based on the status of the contestation with the data commissioners. As discussed in Chapter 6, the documents show that the Article 29 Working Party had a series of correspondence with ICANN during the consultations over the 2013 Registrar Accreditation Agreement and after it had been signed. There was no satisfactory resolution of their complaints. They stopped writing in 2014, and when the Experts Working Group (EWG) report resulted in a dissenting report from the only privacy expert on the group, myself, ICANN reappeared on the agenda of the International Working Group on Data Protection in Telecommunications (Berlin Group). Representatives of the data protection authorities came to a privacy session organized by the Noncommercial Users Constituency (NCUC) in London in July 2014, when the EWG report was released. A hiatus ensued afterwards and, until the Board proceeded with an instruction to commence the next policy development process, there was no further progress in resolving the issues. Ending the research period there encompasses what is basically a 17-year impasse in reaching consensus on respect for data protection law.

I am an active member on that new PDP, and while the work is proceeding very slowly and with what appears to be a predictable degree of strife and contention, there are quite a few grounds to believe that change will occur, which I discuss in Chapter 7. The debate over what to do is very current, and therefore since the passage of the General Data Protection Regulation happened to coincide with the incubation of the new RDS policy development process, I have framed the research to the end of 2015. Recent developments are important to understanding challenges in data protection implementation and enforcement, and give both my research questions pertinence in the context of prospects for future change.

2.3 Selecting Documents

My work has been informed by the early scholarship on ICANN, notably Froomkin (2000b, 2002); Kleinwachter (2000) and Mueller (2002, 2008, 2010). Their work has pointed me to the important battles and processes which went on very early at ICANN, and which set the parameters for data protection. In examining the records of these early processes, I have assembled a collection of documents that reflected the available documentary records of events these scholars considered important, which then led me to the key protagonists in the discussions and the documents that they presented or considered important. I then examined the comments filed on those proceedings, and have found additional comments and reports from interested stakeholders who may have strongly held influential views on ICANN decisions, yet rarely appeared at ICANN meetings or participated in stakeholder groups.

A second path to the determination of relevant documentation has been my own participation at ICANN, which dates back to the Montreal meeting in 2003, but became active in 2013 when I joined the RDS Experts Working Group. I received a good briefing package at that time, prepared by staff, of relevant materials that explained the history of the various previous attempts to settle the contention over WHOIS. Like most corporate documents, staff-prepared reports and summaries are written neutrally or even with a positive spin. Sometimes they are based on a partial, even self-interested selection of the documentation available. In this context, my participation in the actual working groups gave me many clues as to where to look for a more fulsome account of what happened.

My general method has been as follows:

1. I reviewed all of the archived documents of each policy process related to WHOIS, including the instructions from the authorizing body (e.g., GNSO and the Board), the Charter for the Working Group, interim reports, the summary of comments prepared by staff, comments submitted by key stakeholder groups (and other important actors), and the final reports and comments. I have described in some detail in Chapter 4 one of the policy development processes, the Privacy/Proxy Services Accreditation Issues PDP, and this case illustrates how I assembled and treated the policy process documents relevant to my research more generally.

2. Where there have been references to key decisions at meetings, I have listened to the recordings of the meetings, and/or read the transcripts and chats of both meetings and teleconferences.

3. Using a snowball technique, this has then often led me to look up the archived email discussions and check for follow-up on points raised in the discussion, including additional documents.

4. Where there have been key meetings and special presentations on WHOIS or privacy issues at the face-to-face meetings, I have listened to the relevant recordings, examined materials presented (e.g., PowerPoint presentations) and checked the public forum, where stakeholders tend to make statements for the record about issues that concern them.

5. Stakeholder groups at ICANN and key industry associations also have their own websites (e.g., Registrars Stakeholder Group—www.icannregistrars.org; Noncommercial Users Constituency—www.ncuc.org; International Trademark Association—www.inta.org), which I have reviewed looking for postings of relevant material on the key issues of the day and important archival documents.

With respect to the records relating to the data protection authorities, I have researched all of the relevant opinions and letters of the Article 29 Working Party that appear on their website (see Appendix G), and the relevant documents and correspondence of the European Data Protection Supervisor (EDPS; see Appendix N) and the Berlin Group (Appendix F). The European Commission has a website related to data protection (http://ec.europa.eu/justice/data-protection/), where it has hosted the Article 29 Working Party materials, as well as its own reports and documents related to data protection issues.11

11 Due to preparations for the coming into force of the General Data Protection Regulation, and the transformation of the Article 29 Working Party into the European Data Protection Board, the document archive of Article 29 documents and Opinions was in transition at the time of writing.

I have done my best to track down all of the relevant arguments and data that has been put forward to justify the actions and inactions with respect to the WHOIS contention. Given the almost 20-year history, and the wealth of material and documentation that each of the key stakeholders might hold in their own right (e.g., World Intellectual Property Organization, the community of law enforcement agencies who are active in Interpol, Europol, and the Cybercrime Treaty discussions, International Trademark Association, etc.), I have had to focus more on what has been brought to ICANN rather than the discussions that have gone on in the separate communities.

Clearly with this large quantity of documentation, the challenge is often finding the documentation and determining what is relevant. The search tools on the ICANN website are not particularly useful, and they cannot be relied upon to retrieve materials. This is a well-known problem at ICANN, but it has yet to be addressed. Documents move and disappear; researchers are well-advised to keep their own personal repository of relevant documents. Often the fastest way to find materials in ICANN archives is by using common search tools (e.g., Google, Bing), and sometimes better records can be found outside ICANN. For example, the easiest way to find out which public meetings were held, as well as their location and dates, is via a helpful table on Wikipedia, rather than via ICANN’s archives of public meetings.12

12 https://en.wikipedia.org/wiki/List_of_ICANN_meetings

2.3.1 Selecting documents relevant to a process and decision

To illustrate the method that I followed in searching for relevant documents, I will focus on a short period of time in 2003, when the WHOIS Task Force was working on the very difficult privacy issues that had caused the Task Force to split into three groups. The Article 29 Working Party had released its key document, the Opinion 2/2003 on the WHOIS directory (see Appendix G for Article 29 Working Party Documents), so naturally I was curious to see if there was any reaction from ICANN, since there was nothing mentioned about this in the official correspondence listed for that year. The three public meetings that year were in Rio de Janeiro, March 23-27; Montreal, June 22-26; and Carthage, Tunisia, October 27-31. The Article 29 Working Party had released their Opinion just in time for the Montreal meeting, so I checked the following records for signs of a reaction, mention of other documents prepared by other stakeholders, etc.

• Agenda, transcripts and recordings of all relevant meetings and sessions at the public meeting June 22-26, including listening to the audio recording of a two-day session on privacy issues, and reading all presentations (retrieved from the archives of that meeting, https://archive.icann.org/en/meetings/montreal/);

• Reading the transcript of the Open Forum at the end of this meeting, where the Chief Executive Officer Paul Twomey gave a briefing of what was going on, I found the following interesting item:

The final point that I will report at this briefing is, you may recall that in Rio, the board asked the President to establish a standing committee on privacy. And the charter for that committee was to monitor the implications of existing and proposed ICANN policies on the handling of personal data. Now, the President was quite conscious that this was a request that was being received at the same time that the community was spending a lot of time talking about Whois, where there were privacy issues in Whois. And talking to members of a group for the standing committee, we've decided that it's probably best to ensure we have a small work group, small committee at this stage, which is working just basically focusing on definition of the issues and on potential work program such that there's not a sense that we have a competing parallel process to the work program being done on Whois.

So I wanted to explain that carefully. Andy Mueller-Maguhn is the chair of the standing committee, and I'm pleased to state that Becky Burr and Liz Williams have agreed to be members of that standing committee. So we've got three people from three different parts of the world. And the focus is very much on defining the issues for the standing committee, defining a work program, and potentially identifying a list of key people who need to be further engaged.

The standing committee is quite concerned that they do this work going up to Carthage but not in any way to be seen as a competing or parallel process to the Whois process that we talked about before the break. (Open Forum transcript, Wednesday June 23, 2003, unpaginated approx. p. 2, emphasis added.)

As I have mentioned earlier in this chapter, some of the most interesting and important discussions are not on the public record. This speech during the public forum makes no mention of the fact that there were representatives of the Article 29 Working Party at the meeting, and that the Working Party had just published a formal Opinion on WHOIS (Article 29 Working Party, 2003). This particular decision raises many questions, such as: how did the stakeholders react to the decision to task three individuals with a job that the Board had asked be done in a standing committee? Are there now two groups, the original potential standing committee, and the three individuals selected to figure out the scope and work program? I know that Becky Burr was the Commerce Department lawyer who had drafted the incorporation documents of ICANN in 1998, so she was closely tied to the U.S. government. What roles were the others in? This line of questioning led me to the archived mailing lists of the Generic Names Supporting Organization, the next communiqué of the Government Advisory Committee, and to digging for any correspondence from the Noncommercial Users Constituency. It also led to the GNSO Council meeting which was held at the next public meeting in Carthage, in October 2003, when the restructuring and reprioritizing of the WHOIS Task Force was discussed. I observe that it is important to actually read the discussion, because the record-keeping or summaries of how this debate moves forward (or sideways, in this case, because privacy was not prioritized) will not give indications of how procedural mechanisms were used to delay action, rename processes, and basically avoid dealing with issues where there was no consensus.

This serves to illustrate how I searched for documents which would illuminate the decision-making process at ICANN, and explain how direct interventions from the data protection authorities, such as the explicit advice that was prepared and made public in advance of this meeting, could be ignored. I include in Appendix D the history of WHOIS which appears on the ICANN website, as an example of how bland and incomplete the official history can be. There are a great many regular participants at ICANN who, over the years, have participated in various segments of the WHOIS struggles. Based on my numerous conversations with these ICANN regulars, I must say that a great many will report that they never want to get involved in the argument again; once was enough. Reading the transcripts or listening to recordings of meetings and conference calls gives a far better flavour of the reality of this struggle than reading staff-prepared final reports and web histories.

2.4 Possible Explanations for ICANN’s Lack of Response to Privacy Claims

There are several possible ways to explain ICANN’s lack of response to privacy claims and to the interventions of the data commissioners. Based on my experience as a privacy expert, and as I became familiar with ICANN, I developed a series of conjectures to account for the privacy standoff at ICANN. In this dissertation, I examine those I found most relevant in greater detail. Here is a brief summary of my preliminary issue analysis, sorted into broad categories of political and governmental issues, legal and practical issues, economic issues facing stakeholders, and internal issues management at ICANN.

2.4.1 Political and governmental issues

• ICANN, as a U.S.-controlled institution, has been fighting a battle over data protection law in general, continuing a tradition of self-regulation which the United States has pursued quite consistently since the promulgation of the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Personal Information in the context of Transborder Dataflow in 1980. Given this background, it has been unlikely that the Commerce Department would adopt more privacy-friendly positions. (See privacy history in Chapter 3.)

• It was tacitly acknowledged when the Internet was opened up for electronic commerce that widespread cheap use of the medium depended on advertising revenue (OECD Ministerial meeting on Electronic Commerce, Ottawa 1998). Advertising rapidly became dependent on the use of personal data and profiles collected from Internet users, and this trend continues to this day, militating against any change in U.S. privacy policy. Control of information has been seen to be essential in the new information economy. (See discussion of the value-added services industry in Chapter 4.)

• Intellectual property interests drive the U.S. agenda in Internet governance, and have had an overwhelming influence on the development of the domain name industry. Intellectual property owners want to know who has registered every domain, so that they can protect their own brands, and buy up other interesting words before they need them and before the price escalates. (See discussion of U.S. intellectual property dominance in the Information Society, Chapter 4).

2.4.2 Legal and practical issues affecting data commissioners

• The data protection commissioners around the world have no direct jurisdiction over ICANN, insofar as it is a California corporation.13 It seems clear that all registrars are acting under a contract that obliges them to violate data protection law. In the terms of European data protection law that means that ICANN is actually the data controller, through its role in enforcing data collection, use, retention, and disclosure through contractual requirements, despite the fact that it is not the primary holder of the registrant information. This makes ICANN responsible, yet up to the time of writing (June 2017), I can find no evidence that any data protection authorities have taken legal action against ICANN. I discuss the problems in cross-jurisdictional enforcement in this context in Chapter 6. Registrars collect the data from registrants and maintain it. They may also be considered to be data controllers, or both controllers and data processors. Data protection authorities may have been reluctant to take enforcement action against local registrars, penalizing their own national registrars for a policy emanating from the data controller in the United States.14

13 This oversimplifies the situation somewhat, in that certainly the European Union and other jurisdictions have legislation that explicitly or implicitly applies to all data controllers who act within their jurisdictions to collect, use, or disclose the personal information of their citizens, regardless of where they reside. Enforcement of these laws is a well-known problem, and may be a deterrent to the data protection commissioners taking enforcement action against ICANN. A further issue is that ICANN is not in possession of the data, except through their escrow agent Iron Mountain, where they certainly have guaranteed access to the data because they are named in the contracts as having the right to access the data.

• There has never been a complaint or case that forced the commissioners to address the issue, while there were so many other compelling privacy issues demanding their attention. I discuss the potential for such a case under the new European General Data Protection Regulation in Chapter 7.

• The style and language of data protection law, based as it is on Fair Information Practices and concepts of rights that seem overreaching in the context of the Internet, set up an instant confrontation with the technical community that gathers at ICANN to push the development of the Domain Name System forward rapidly. I discuss this problem of language and framing in Chapters 3 and 7.

• The personalities present at ICANN were more forceful and influential than the data protection authorities. Data protection authorities have been criticized by some scholars and advocates as not being aggressive in their enforcement of data protection law (Korff, 1998, 2013). I discuss this issue in Chapter 3.

14 It is worth noting here that ICANN had not accepted that it is a data controller under the definitions that are used in European data protection law, during the research period 1998–2015. By these definitions, the controller is the party that sets the policy or conditions for data collection, use, and disclosure, and the data processor is the party that does the actual data processing (Article 29 Data Protection Working Party 00264/10/EN WP 169 Opinion 1/2010 on the concepts of "controller" and "processor," February 2010, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf; and Article 29 Data Protection Working Party 16/EN WP 244, Guidelines for identifying a controller or processor’s lead supervisory authority, December 2016, http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp244_en_40857.pdf). In the case of ICANN, it is my view that it is the controller and the registrars are either processors, or hybrids (both processors and controllers). This was recently confirmed by Giovanni Buttarelli, EDPS, in his remarks to the ICANN58 meeting in Copenhagen, March 13 2017.

• The Governmental Advisory Committee of ICANN (GAC) was comprised from its inception of government representatives whose mandate concerned telecommunications, trade, business and industry, intellectual property and trademark protection, and law enforcement agencies who were worried about their inability to keep up with cybercrime. While there are observers to this committee (e.g., the Council of Europe [COE] and the European Commission [EC]) who have a mandate to support data protection, they are in a minority. I discuss the composition and positioning of the Governmental Advisory Committee in Chapter 5.

2.4.3 Economic issues facing stakeholders

• Domain registrars, who are the ones required by the Registrar Accreditation Agreement to be the data collectors and processors, operate on tight financial margins, since domain names are not expensive and the industry is very competitive. They take the path of least resistance, as they want to minimize operational costs. Early on, civil society and registrars fought for the ability to provide a “privacy/proxy” service where another party, usually the registrar or its affiliate, puts their name and contact information into the WHOIS. This, while hardly a substitute for data protection rights, has relieved the pressure, and arguably inhibited individuals from complaining and forcing ICANN to change its policies. Many registrars charge for this service, which helps to cover the additional costs associated with responding to queries about domains registered by proxy. I discuss the struggle over the accreditation of these services in Chapter 5.

• Filing a claim under the Uniform Dispute-Resolution Process (UDRP) comes with costs to the requestor, usually a stakeholder claiming intellectual property or trademark rights. Looking up the data about registrants in a free directory does not cost anything but labour costs (or even just software costs, as processes become automated), so many potential litigants prefer to contact registrants directly via email or an address retrieved from the WHOIS and make their copyright claims directly rather than file under a formal process. This has proven effective, as unsophisticated domain holders will give up their registered domains when contacted and pressured (Komaitis, 2010).

2.4.4 Internal ICANN issues management

• There is a fundamental difference in approach between data protection law and intellectual property and contract law, which makes a compromise between the two approaches to personal information problematic. Trademark protection is a litigious process, where cases are won or lost on time-stamping the first use of a name. Data protection is more of a “soft law” approach, where there is interpretation of what is reasonable and proportionate, and where evaluation of the invasion of privacy can be subjective and culturally situated. I argue that these differences in how the different laws are written, interpreted, and enforced make co-operation difficult. There is also an argument that if there is little case law, there should be nothing stopping the users of WHOIS from engaging in data use until there is. I discuss the frailty of the “rough consensus” approach that ICANN uses to develop policy with stakeholders from such different frames of reference in Chapters 4 and 5.

• Because data collection and disclosure requirements were established as necessities for the new organization at its inception, and legal constraints on these requirements were disregarded in the early formative period of ICANN to the advantage of powerful actors, change is now much more difficult. Mueller and Chango discuss this problem in their 2008 article, identifying “path dependency” as the major obstacle to change in WHOIS policy. I discuss their conclusions in Chapter 3, and my thoughts on a potential major disruption to that pattern, in Chapter 7.

• Policy and issues management by the ICANN Board has been the subject of much debate and criticism by stakeholders within ICANN, notably from the Noncommercial Stakeholders Group who have argued the most strenuously for privacy rights. There are significant differences in the attention paid by the Board to some issues as compared to others, and the difference arguably depends on who wants a particular issue addressed. There is evidence to suggest that the ICANN Board does not look, in an independent manner, at what policy is needed, but rather they respond to pressure from powerful actors.15 This is another aspect of the multi-stakeholder approach that merits further research. Some policy issues have gone unaddressed for many years, notably the WHOIS Conflicts with Law Policy which did not change during my research period since promulgation in 2006 (see Chapter 5) even though it has been shown to be inadequate, whereas others are revisited regularly. Some are less likely to receive public comments, notably the Registrar Accreditation Agreement, which registrars argue is their enabling contract to do business, not an instrument of ICANN policy.16 I examine the actions of the ICANN Board with respect to some of these policies, in Chapter 5.

15 It is certainly the case that the Noncommercial Users Constituency (NCUC) makes their views known loudly and regularly, but I argue in Chapter 5 that they are usually ignored. The track record of success is spotty and disappointing, despite the fact that some of the world’s leading civil liberties organizations belong to the NCUC (e.g. American Civil Liberties Union (ACLU), Electronic Privacy Information Center (EPIC), Electronic Frontier Foundation (EFF), Association for Progressive Communications (APC) etc.)

16 Analysis of the way ICANN manages public policy issues that are important in Internet governance through contract is an area that merits future research. Lee Bygrave has done a useful analysis in his 2015 book Internet governance through contract, as well as an earlier article in Brown (2010). Judging from my observations during work on the Privacy/Proxy Accreditation Working Group (2014-2016) and the WHOIS Conflicts with Law implementation group (2015), registrars have become somewhat more aware that they need to move some of the policy issues which increasingly burden their compliance requirements and are introduced primarily by law enforcement and intellectual property interests behind closed doors, into a broader public forum where they can receive support from other stakeholders. I consider this an interesting development in terms of the maturity of the multi-stakeholder model. Use of contract as a policy enforcement mechanism is a matter that also would reward further research, and is extremely important if the multi-stakeholder model of Internet governance is to continue.

Chapter 3 Privacy Scholarship Relevant to WHOIS Privacy

In this chapter, I examine the principal relevant scholarship on ICANN, privacy and data protection, and Internet governance more generally, as well as some of the privacy scholarship in surveillance studies which is helpful to the understanding of the impasse in getting ICANN to address registrant privacy. There has been surprisingly little written to date about WHOIS specifically. ICANN has attracted a lot of interest in terms of its role as a multi-stakeholder organization (Froomkin, 2000b; Mueller, 2010), its use of contract to govern critical infrastructure (Bygrave, 2015), and its position as a key organization in terms of international regulation (Brown, 2013a; Hofmann, 2016; Mueller, 2010). Privacy scholars have rarely focused on how ICANN has managed the personal information of domain name registrants, although this issue represents an interesting challenge in harmonization of policy, trans-border data flow issues, and jurisdictional questions.

Because of the inherently cross-disciplinary nature of the WHOIS problem—being at the same time a question of law, privacy and surveillance, technology policy, and Internet governance—I touch on various areas of scholarship that are relevant to my research questions. The key issues I have investigated here include the following:

• Legal and policy issues that may have prevented the data commissioners from acting, or from being effective in prompting change at ICANN;

• Interpretation of the law as it applies to WHOIS, in the view of other scholars;

• Perspectives of privacy scholars on privacy in Internet studies and Internet governance more broadly;

• Analysis of the importance and the framing of the WHOIS standoff, from a privacy and surveillance perspective;

• Analysis of the struggle over WHOIS from the perspective of Internet governance and the accountability of ICANN the institution, and what this means for the multi-stakeholder model and for the effectiveness of civil society participation;

• Open questions in the literature about the embedding of values into the Internet architecture.

I begin however with a brief history of the development of data protection law in the United States and Europe, to paint the necessary background for the struggle over data protection which took place at ICANN. I conclude the chapter by summarizing a few of the questions that remain open which I address in my research.

3.1 A Brief History of the Development of Privacy and Data Protection Law

3.1.1 Tracing the evolution of U.S. Privacy from Fair Information Practices to the Federal Trade Commission as a data protection authority

Behind ICANN and its apparent intransigence regarding privacy is an important backdrop of the history of data protection law. A brief sketch of this history is necessary to illuminate the impasse between the predominantly European data protection commissioners who have attempted to engage with ICANN, and the U.S. Commerce Department and predominantly U.S. corporate attorneys who, I argue, define the response. These lawyers are ICANN’s chief counsel, their outside counsel, and the many intellectual property and trademark lawyers who attend ICANN and/or lobby the U.S. Commerce Department regarding approaches to privacy protection. Some operate individually, either for individual clients, or trade and trademark associations, while others act as part of organizations like the International Trademark Association (INTA) and the Recording Industry Association of America (RIAA).

While the discussion which follows on the history of U.S. data protection may appear to be well-trodden ground in terms of the development of data protection law, I argue that it is very relevant to ICANN. The development of the WHOIS privacy struggle has not kept up with the spread of data protection law, but appears in my view to be locked in the past; the discussion and even the policy reference points are to the OECD Guidelines, not the laws of the majority of developed economies. While I will touch upon some important recent research to illuminate what I view as reasons for the blockages in enacting data protection, as well as my own conclusions about the way ICANN might move forward, I argue that the rhetoric at ICANN is very similar to what data protection experts heard during the 1990s, when the European Union was attempting to move its Data Protection Directive forward. This in itself is very odd, given that during the time that I have been engaged at ICANN and hearing this discourse, the new European General Data Protection Regulation was introduced in January 2012, and after a great deal of discussion and lobbying from stakeholders around the world, agreed by the European Parliament, the Council, and the Commission in December 2015. It was adopted along with the new Directive on data protection in policing in April 2016 as:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation [GDPR])

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (hereafter Directive 2016/680 on data protection and policing).

Much debate transpired over the proposals in the draft regulation, including the right to be forgotten, and other ways to improve data protection law and make it more relevant to the Internet. However, in my experience one did not hear this discussion within the bubble at ICANN; I was very active at the Experts Working Group from 2013-2014 and was continually countered in discussion with proposals of voluntary adherence to the OECD Guidelines, a data protection strategy that the Canadian federal government had realized, in the mid-1990s, was not going to work.

3.1.2 The development of Fair Information Practices

In 1974, the United States passed its federal Privacy Act to protect personal information held by the federal government. This Act basically incorporated the Fair Information Practices (FIPs), which had been developed in 1973 by a study commission established by the Health and Human Services Department (then called Health, Education and Welfare) and chaired by Willis Ware (Gellman, 2015). Their report Records, Computers and the Rights of Citizens has had a significant impact on information privacy for 40 years. The FIPs enumerate five basic points:

• No secret record systems

• Individuals must be able to find out how their information is used

• Individuals must be able to prevent data reuse for another purpose without consent

• Rights of correction must exist

• Organizations must assure reliability of records and take precautions to prevent misuse

The U.S. government took these FIPs to the Organisation for Economic Co-operation and Development (OECD) during the 1970s, in an attempt to influence the developing field of data protection practice, and protect the free flow of data. In 1974 the Privacy Protection Study Commission was established to investigate privacy matters in depth, and despite the many risks identified, the United States adopted a non-regulatory approach to data protection in the private sector, encouraging self-regulation instead. The words of the introduction to their 1977 report were predictive of what has happened to the Internet today, as they enumerate five key issues. First, they acknowledge that records about individuals are often kept to document the actions of others, and enable others to monitor actions of individuals. Second, records are holding more personal data. Third, more records systems are evolving wherein the individual has no direct contact with the organization maintaining them, but they impact his or her life. Fourth, there is a great deal of data verification between organizations, and “Fifth, neither law nor technology now gives an individual the tools he needs to protect his legitimate interests in the records organizations keep about him” (Privacy Protection Study Commission, 1977, p.8).

The WHOIS appears to have followed the pattern described above. It is certainly not the case that U.S. policy makers have been unaware of the impact on individual rights and liberty that trends in information management have precipitated, but there has been a reluctance to take regulatory action to correct the trend.

When the Internet was promoted to the broader population in the late 1990s, the approach to privacy and data protection chosen by the U.S. government was to encourage companies and organizations operating on the Internet to offer “notice and choice,” or the disclosure of a limited amount of information regarding the collection and use of personal information, and to offer individuals the opportunity to opt out of the service or goods being offered. Essentially, this is a take-it-or-leave-it approach to data protection. This non-regulatory approach was not generally supported by U.S. civil society and consumer groups, many of whom had campaigned for data protection law enforced by independent data commissioners (Bennett, 1992; Flaherty, 1989; Regan, 1995).

In the early days of the commercial Internet, many U.S. companies active on the Internet became interested in privacy only from the perspective of “notice and choice” (Schwartz and Reidenberg, 1996, pp. 388–390). As we will see in the next section, the standards the firms adopted in terms of what they were required to tell consumers or end users about their collection of personal information, and what kind of opportunity they provided end users, were much different than the standard in Europe.17 As the legal privacy scholars Schwartz and Reidenberg point out, U.S. companies regarded their customer data as proprietary commercial information, particularly at this time when lists of which consumers were active and buying on the Internet were quite valuable. In 1999, the United States passed legislation in the financial sector, the Gramm Leach Bliley Act (Financial Services Modernization Act of 1999, Pub.L. 106–102, 113 Stat. 1338, enacted November 12, 1999). This legislation ostensibly tried to codify the requirements for disclosure, but according to privacy advocates was a remarkable failure in its approach to “notice and choice” (Mierzwinski, 2002). Most of the bill was focused on the real purpose of the legislation, which was to repeal parts of the 1933 Glass-Steagall Act (Public Law 73-66, 73d Congress, H.R. 5661, Banking Act of 1933) and permit the merger of banks, investment companies, and insurance companies. The privacy provisions, while not actually preventing the merger of personal data in these situations, required that a company send out privacy “notices” annually, to inform the consumer/customer of what the organization was doing with their data. While this sounds like good data protection, unfortunately the notices were almost universally criticized for being too complex, and a consumer rights organization reviewing them for readability declared that most would require a third- to fourth-year university level of reading proficiency to understand.18 In the wake of Gramm Leach Bliley in the United States, much effort was expended on trying to come up with short notices and abbreviated privacy policies to fulfill the requirements of the notice and choice approach to data protection. Nevertheless, these efforts appear to have produced mixed results; some websites will have a minimal notice informing users that the organization “gathers personal information to maximize your user experience, or serve you better,” while most software notices run to dozens of pages and provide little to no options to users. Given this trend in the United States, it is not surprising to find that ICANN did not develop detailed notices of its practices and provide the information to the end user.

During this period, the U.S. government and global corporations, through a variety of industry associations and the International Chamber of Commerce, campaigned aggressively against data protection law. However, there was a focus on tools to supplement the self-regulatory approach, such as privacy policies, notice and choice, and industry “seals” to designate acceptable websites where surveillance was not practiced or personal data not sold. These efforts produced many practical tools that were useful. The U.S. approach to data protection law remained both sectoral and de-centralized, with many states introducing laws in areas where they had competency. This was not helpful in terms of grappling with issues in a global environment, and the Internet governance issues were becoming increasingly cross-jurisdictional. It was difficult to predict in 1998 just how fast the Internet economy would grow, including the revenue generated through the DNS, but given the history of arguing against the EU Directive 95/46, privacy experts at that time would most likely have been surprised if the U.S. government, through the Department of Commerce, had pursued a different approach to negotiations regarding privacy at ICANN.19

17 Bamberger and Mulligan have published recent research that exposes the gaps between the standards and the actual practice (2010, 2011, 2013), arguing that the United States has robust enforcement of sound privacy practices. It has been argued for many years that E.U. laws in particular are not enforced in any real way, and the enactment of the General Data Protection Regulation in May 2018 promises to bring an interesting transformation of actual practices. This is based on new requirements affecting data protection authorities and the ability of individuals to sue the data protection authorities for not protecting their rights.

18 Discussed in a personal conversation with Beth Givens, Director of Privacy Rights Clearing-House, 2001. Completed in 2001, the readability studies were based on a sample of 60 notices (Lost in the Fine Print: Readability of Financial Privacy Notices (Hochhauser), retrieved from https://www.privacyrights.org/blog/lost-fine-print-readability-financial-privacy-notices-hochhauser). In February 2004, the Privacy Rights Clearing-House and Consumers Union testified before the Interagency meeting prior to the proposed rule-making to fix reported problems with the notices and gave a history of their experiences dealing with confused consumers, as well as references to academic studies of the effectiveness of the notices (Financial Privacy Notices: Shorter is Better, retrieved from https://www.privacyrights.org/blog/financial-privacy-notices-shorter-better).

3.2 Evolution of EU Privacy from Convention 108 to Directive 95/46, and the 2012 Draft Regulation on Data Protection

From the late 1970s on in Europe, a number of countries were passing data protection law, and the Council of Europe (COE) was attempting to coordinate and harmonize that law, in furtherance of the one internal market. The COE Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) was passed in 1981 after the French, Swedish, and Hessian laws were introduced. Convention 108 recognized privacy as a human right, and countries that signed the Convention, which was open to non-member states, were committing to implement law that met the standard in the Convention. Briefly, it was a binding model of Fair Information Practices that was very similar to the OECD Guidelines.

The European Community, however, realized by 1990 that the Council of Europe Convention was not producing the harmonized results that they had expected. Some countries would sign the Convention but not enact law, while others were not signing the Convention. With the ongoing development of one internal market, and growing information flow across borders, further effort in harmonization of law was required to avoid anti-competitive activity and trade blockages. Trade in services was growing, including banking and information processing, and differences in data protection requirements might lead companies to establish in states with lower standards. The draft Directive on data protection was presented in 1991, in an effort to compel a harmonized approach to the development of data protection law, and to regulate the transfer of the personal data of Europeans outside the borders of Europe to jurisdictions where data protection was not enforced.

19 In 1998, during the creation of ICANN, I was working in the Canadian Department of Industry, as Director of Privacy Policy, directing the drafting of the Personal Information Protection and Electronic Documents Act (PIPEDA). I was in regular contact with officials at the Commerce Department who were leading the initiative to develop the Safe Harbor Arrangement, notably the late Barbara Wellbery, who led the initiative. Self-regulation and a non-legislative approach to privacy were definitely the U.S. approach, as they have been for the past decade.

A fierce debate ensued throughout the early 1990s, largely over the requirement in the Directive for data protection commissioners to deny the flow of data to jurisdictions that lacked adequate data protection law. The Directive passed in 1995, as Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data . Member states had three years to pass legislation that met the standard of the Directive, but by the end of 1998 several states had still not done this, threatening the free movement of data inside the EU. Importantly, the Directive also established a Working Party on Data Protection, known as the Article 29 Working Party, composed of all data protection commissioners in the EU and supported by a secretariat from the European Commission. By the time ICANN was created, therefore, an official international Working Party of European data protection authorities was discussing common approaches to data protection issues. One of their primary roles was to agree on whether a data protection regime provided “adequate” privacy rights for individuals, enabling transfer of the data of European citizens to that country.

The original draft Directive had contained a clause that restricted the transfer of data to countries that did not have “equivalent” data protection, prompting great concern in the United States and among global business interests. This language was eventually changed to “adequate” after considerable negotiation.20 Although the struggle over the Directive was primarily fought out in Brussels and at the different fora where data protection issues were discussed (e.g., the OECD, the annual Data Protection Commissioners’ Conference21), the issue of trans-border data flow was of huge importance and influenced the General Agreement on Tariffs and Trade (GATT) negotiations over trade in telecom services, the North American Free Trade Agreement (NAFTA), and other trade discussions. The struggle over the data export provision in the Directive is often described as reflecting a fundamental difference in the way Europe and the United States see data protection. In Europe data protection is a human right, whereas in the United States it is regarded as a management practice, to be assessed and regulated (if at all) on a sectoral basis. In an early article on the need for international standards, however, Professor Spiro Simitis, who was the first Data Protection Commissioner of the State of Hesse (Germany) in 1970, dismissed this argument, claiming instead that societies that understood the price they had to pay in IT-enabled societies to maintain individual participation will embrace enforceable data protection rights (Simitis, 1987).

20 Briefly, this debate centred on whether other nations had to adopt legislation that was “equivalent,” a very difficult standard to achieve given the differing legal traditions. “Adequate” meant ensuring protections that met the same level of protection, but possibly through different means.

U.S. privacy expert Robert Gellman, a veteran of legislative battles in the U.S. Congress to expand privacy protections, echoed the concerns that Simitis expressed about the need to address privacy matters with international rules in 1996:

The question presented is a simple one, although the answer is complex and uncertain. Is it possible to provide effective privacy protections on a national level, or will it be necessary to have international rules to have meaningful protections? Framed more precisely, are modern information technology and multinational business activities combining to outstrip the ability of individual countries to regulate the use of personal information about their citizens? (Gellman, 1996, p. 130)

21 The French data protection authority, the CNIL, hosted the first data protection commissioners conference in 1979; the conference has grown significantly since then. The U.S. was not invited to participate with the data commissioners at their closed sessions during the International Data Protection and Privacy Commissioners Conference until after Safe Harbor was in place, and the Federal Trade Commission Privacy Officer was finally accepted as an independent commissioner and thus eligible to join in 2010. The conference was held that year in Israel, and it is interesting that a keynote address to the conference noting the acceptance into the group (after being rejected the previous year in the Spanish conference) was given by Lawrence Strickling of the NTIA (https://www.ntia.doc.gov/speechtestimony/2010/remarks-assistant-secretary-strickling-32nd-international-conference-data-prote). Strickling was the Assistant Secretary of Commerce, also responsible for the NTIA activities related to ICANN and the IANA contract. He noted in this speech, “While the privacy policy framework we have in the United States has been great for innovation, we still have more to do to build consumer trust and provide legal certainty for all.”

Gellman prefaces his discussion with three caveats that have proved prophetic. First, the United States lagged its international partners in enacting data protection law; this is even more emphatically the case in 2017, although the Federal Trade Commission has stepped up to play the role of a data commissioner in the International Conference of Data Commissioners, despite the limitations of its legislative mandate, jurisdiction, and enforcement powers. Second, he notes that the first flush of enthusiasm in the establishment of data commissioners and their staffs is over, bringing the possibility that bureaucracy will set in and interfere with the boldness required to deal with complex problems; this is an issue which is extremely relevant to my research questions. Third, he notes that information technology (IT) is advancing so rapidly that we may lose the will to stay ahead of it, particularly in a “borderless” information society (p. 132).

This assessment of the appetite, or lack thereof, to enforce privacy protection is important in the context of ICANN. I argue that the concept of a public directory of everyone in the world with a presence on the Internet, listing their address and phone numbers, is a very basic one. If there is no will to enforce data protection law to protect those registrants, there is a fundamental problem of enforcement and of the will to pursue it. I note that international regulation scholar Dorothee Heisenberg says the same thing from an economic and regulatory perspective (2005, pp. 159–161).

Examining the Safe Harbor Agreement, which was negotiated by Ambassador David Aaron for the Clinton administration at the time that ICANN was being formed, we see a minimalist approach that was accepted by the EU to avoid political confrontation. The Safe Harbor Agreement was a proposal to the European Commission, to recognize that despite the fact that the United States did not have comprehensive data protection legislation, they had a variety of sectoral protections, and the Federal Trade Commission (FTC) was empowered to enforce the commitments that a company makes in its stated privacy policy (notably notice and choice). Under this scheme, companies would sign up to the Agreement, develop privacy commitments that fulfilled the Safe Harbor principles, which were similar to the OECD Guidelines, and the FTC would take action if complaints indicated they were not fulfilling their commitments. The Federal Trade Commission has powers to investigate and fine, under their authority to investigate false advertising and unfair trade practices (Federal Trade Commission Act, s. 5). In 2000, the Article 29 Working Group accepted the Safe Harbor Agreement as being adequate under the Directive 95/46,22 and companies began signing on to the commitments it entailed, thus guaranteeing that they would safeguard privacy rights as indicated in their privacy policies. Importantly, this approach to enforcement of privacy rights is not human rights based, because the right to complain is based on the company’s commitments, not on an individual’s intrinsic rights. Where a company failed to sign on to the Safe Harbor Agreement, the individual would have no rights. There is also very little scope to complain that a company is being unreasonable or disproportionate in its collection, use, and disclosure of the information—a key feature of most data protection laws (Greenleaf, 2014).

3.2.1 Rejection of Safe Harbor

The reluctance to have meaningful discussions about adherence to privacy law at ICANN is all the more remarkable, given numerous important High Court decisions that have appeared in various countries during this period, some of which have sought to resolve long-standing issues in jurisdiction, trans-border data flow, and expectations regarding the ability of consumers to look after themselves in terms of dataflow (e.g., Case C-131/12, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, 13 May 2014; Case C-362/14 Maximillian Schrems v Data Protection Commissioner, October 2015).

22 Opinion 4/2000 on the level of protection provided by the “Safe Harbor Principles”, http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2000/wp32en.pdf

The Google Spain case is very important because it deals with the right of an individual to have records about himself or herself which are no longer accurate, removed from search results. The Court established that Google, as the operators of a search engine, had a responsibility to respect data protection rights. This is part of an important development in data protection law known as the “right to be forgotten” which now appears in the new EU General Data Protection Regulation.

The Schrems decision, commonly referred to as Schrems v. Facebook is very important because the Court not only found that Facebook violated the privacy of the individual, but also cancelled the Safe Harbor Agreement between the United States and the European Union. As mentioned above, this Agreement had permitted the transfer of the personal data of Europeans to the United States, following a determination by the Article 29 Working Party that the United States would protect the data in an “adequate” manner. The Court determined that the Article 29 Working Party erred in that decision; the United States did not have adequate data protection.

The case is instructive for a number of reasons. First, Max Schrems was at the time he took the case, a second-year law student, doing a class project. Astounded when he received over a thousand pages in response to his request for personal information from Facebook, he complained to the Austrian Data Protection Office, who relayed the case to the Irish Data Protection Commissioner, because Facebook operates from Ireland in Europe. His complaint was rejected, and the case then went to appeal in the Irish Courts, and from there to the European Court of Justice. It is somewhat shocking that it took a second-year law student to get the Safe Harbor Agreement thrown out; there had been ample criticism of it over the years. Chris Pounder of Amberhawk, a long-time data protection expert and trainer, has summarized the reasons for the decision:


(a) There is no general privacy law or other measures enacted in the USA that shows the USA offers ‘an adequate level of protection’ for personal data relating to European data subjects;

(b) Public law enforcement authorities which obtain personal data from organisations in Safe Harbor are not obliged to follow the Safe Harbor rules after disclosure;

(c) Some USA law enforcement agencies can gain access to personal data in Safe Harbor without having any law that legitimises their access; and

(d) The European Commission knew all the above and knew that personal data were being possibly used for incompatible and disproportionate purposes by law enforcement agencies (Pounder, C. October 2015 Hawktalk).

We shall see that these reasons are important in the context of ICANN, since a great deal of personal information is required to be escrowed or archived with ICANN’s escrow agent of choice, Iron Mountain, who store the data in the United States. The original purpose of escrow was to protect registrants from the possibility that a registrar might go bankrupt and disappear suddenly; this was a risk with start-up companies in the early days of electronic commerce, and it was important to protect the registrants of domain names and ensure continuity. However, the amount of data is considered to be excessive from a data protection perspective, as we shall see in Chapter 6.

3.2.2 Data protection and law enforcement issues

There are two more issues that are important with respect to the backdrop of international privacy regulation. The first is that at the time of the passage of the Directive 95/46, the European Union did not have competency or authority over law enforcement and national security, so the activities of law enforcement agencies and the privacy protection accorded in the individual constitutions varied by member state. Law enforcement access to personal data was not something that the data protection authorities of the Article 29 Working Party were inclined or authorized to tackle immediately. This does not mean that they did not agree on a view with respect to data retention and law enforcement access, but they were not authorized as a body, mandated by the Directive 95/46, to reach decisions on these matters. That will change in May 2018 when the Directive 2016/680 on data protection and policing comes into force.

The second is that the European Charter of Fundamental Rights, while proclaimed in 2000, was not actually enforced until it was ratified in the Treaty of Lisbon, 2009. This regional framework of fundamental rights has ensured enforcement of privacy rights, and has even permitted the consideration of surveillance and data retention. In 2014 the European Court of Justice threw out the Data Retention Directive on the grounds that it violated the Charter of Rights, notably in respect of the fundamental right of respect for private life and the fundamental right of respect for personal data (commonly known as the Digital Rights Ireland case, Joined Cases C-293/12 and C-594/12, OJ C 258, 25.8.2012 and OJ C 79, 16.3.2013).

As we shall see in investigating the interactions of the data commissioners with ICANN, they have indicated to ICANN for many years that it was their view that both these rights were being violated with respect to registrant data, but their case has certainly been strengthened very recently by the ability to take a case to the European Court of Justice on the matter.

As is evident from this brief history, much was changing during the period that ICANN was born and developing as an institution of Internet Governance. Without going into detail about the extent of data protection law development around the world from 1996 to 2015, suffice to say that Graham Greenleaf reported in his 2014 book that there were then 101 national laws, and the rate of introduction of laws is accelerating, so much so that an updated article in February 2017 has the number at 120 (Greenleaf 2014 pp. 6–7, 2017). While ICANN could have made the argument in 1998 that data protection law was an exception that could be more or less ignored, the same argument did not hold in 2015.


3.2.3 Tensions between protecting privacy, anonymous free speech, and the freedom of assembly

There is an important issue affecting the concepts of privacy as a policy issue that may also have had an influence on the failure to respect data protection law at ICANN. One of the issues that also stems from the reality that ICANN is U.S.-centric is the protection of anonymous free speech. Many of the U.S.-based civil liberties advocates who participate at ICANN are primarily concerned with protection of free speech and political activity. This is also extremely important for human rights activists globally. The development of human rights groups who focus on the Internet, which has been fostered by the Internet Governance Forum (IGF) that grew out of the World Summit for the Information Society (WSIS), has reinforced the need for the scope of interpretation of privacy rights at ICANN to include the privacy rights of groups and organizations. Organizations which are active in human rights, particularly political and religious rights, may need to have domain names that are not attributable to particular individuals or addresses. It is arguable that a focus on the right of privacy as provided in data protection law not only excludes U.S. citizens, who have a patchwork of rights but no generic data protection law enforced by a data commissioner, but also vitiates the efforts to protect the right of privacy as it pertains to the right under the U.S. Constitution to anonymous free speech. Given the lack of sustained participation at ICANN of legal experts on data protection or international human rights, and the preponderance of U.S.-based civil society in the NCUC at ICANN, this tension between privacy as a human right pertaining to an individual and privacy as a guarantee of anonymous free speech and freedom of assembly is an important one.

The right of free speech, as defined in Article 19 of the Universal Declaration of Human Rights, was guaranteed by the U.S. Constitution to U.S. citizens, but many other nations had lower levels of protection. This changed in Europe when the EU Charter of Rights was ratified in 2009. Prior to this, many states had ratified the International Covenant on Civil and Political Rights (ICCPR, 1976), but this instrument was not as powerful as either the EU Charter of Rights or the U.S. Constitution in terms of practical enforcement. However, U.S. Constitutional protection for privacy and autonomy of the individual is what is called a “negative” right; it does not impose a duty on the state to protect the right, it provides a right to reject state action when it interferes with the individual’s autonomy. It does not provide such a right against private sector actors, notably ICANN (Schwartz and Reidenberg, 1996, pp. 32–38).

3.2.4 Participation of data protection experts and academics at ICANN

There are very few privacy experts who stay active at ICANN, and they tend to appear episodically. Diana Alonso Blass, a lawyer from the Dutch Data Protection Authority who worked in the secretariat of the Article 29 Working Party, wrote a major report on privacy and the Internet for the group and also researched the WHOIS issue.23 She came to the ICANN meeting in Montreal in 2003, and participated in a two-day privacy workshop. The late Jon Bing (founder of the Computer Science and Law Center at the University of Oslo and a member of the Norwegian Data Protection Board) participated at ICANN and was a member of the policy-making body—the Generic Names Supporting Organization Council—in 2008. He was appointed for a two-year term by the Nominating Committee or NomCom,24 a multi-stakeholder committee of ICANN tasked with evaluating applications from external and internal experts for positions on the GNSO Council and the Board. His colleague Lee Bygrave has written about ICANN (Bygrave 2015, Bygrave and Bing 2009), and occasionally attended meetings, but he does not participate as a stakeholder. Marc Rotenberg, founder of the Electronic Privacy Information Center (EPIC), also participated from 2002 to 2004, and Michael Froomkin, noted legal scholar and privacy advocate at the University of Miami, was engaged as an evaluator of the Uniform Domain-Name Dispute-Resolution Policy (UDRP) and wrote numerous articles on ICANN after its creation (Froomkin, 2000b, 2002, 2003). Froomkin also started a blog called ICANN Watch, which has remained online from 2001 to today, although its last post was dated November 2010.25

23 http://archive.icann.org/en/meetings/montreal/video.htm

24 The NomCom is discussed more in Chapter 4, in the section “How ICANN Functions.” Its role is to appoint individuals from outside the ICANN community to the Board and GNSO Council, to invigorate the organization with different perspectives.

Milton Mueller has been participating actively at ICANN since its inception, and was a co-creator of the Noncommercial Users Constituency (NCUC), whose members have argued consistently for the protection of privacy. Mueller has authored many articles and books that discuss ICANN and its institutions, notably Ruling the Root (2002) and Networks and States (2010), as well as a well-read blog on the Internet Governance Project.26 Mueller has weighed in on privacy issues from time to time, and co-authored an important article on the early WHOIS struggles (2008), but his primary focus is on Internet Governance and international regulation, not privacy. However, there are very few aspects of ICANN’s governance that he has not investigated, including the concepts of “the commons” and “the market,” where he identifies the address and name spaces, but not WHOIS (2007). I will touch on these two articles later in this chapter.

While data commissioners have written to ICANN and occasionally spoken at meetings, they do not as a rule participate. Recently, some of the European delegations to the Government Advisory Committee have included privacy experts from their data protection authorities, but this is a rarity, and they have not played major roles. The International Conference of the Data Protection and Privacy Commissioners (ICDPPC), the organization of international data protection authorities that has held an annual conference since 1978, declared in 2009 that they ought to find volunteers among them to monitor ICANN and attend meetings (ICDPPC, 2009), but they have not acted on this, although it may have prompted some authorities to send their staff along with their country’s Governmental Advisory Committee delegation. Civil society has been very vocal since the beginning of ICANN about the need to respect privacy, but there has nevertheless been a deficit in privacy expertise at the practical and implementation level.

25 http://www.icannwatch.org

26 http://www.internetgovernance.org

3.3 Data Protection Legal Issues Relevant to the Domain Name System

The Norwegian Research Center for Computers and Law, led by the late Jon Bing, has had an active role at ICANN and published interesting insights into the privacy problems. During the 1980s Bing authored research for the OECD on transborder data-flows; this was an area on which he spoke at data protection events, noting the lack of progress in continuing the difficult jurisdictional work that the OECD had left unsolved (Bing, 1999). Clearly the ICANN jurisdictional issues are complex and interesting, but Bing also focused a great deal on the copyright and trademark issues, and the rights protection mechanisms which ICANN set in place, as others have also done (Froomkin, Lemley, Post). Bing and Bygrave edited and were principal authors of Internet Governance and Institutions (2009), which examines ICANN as well as the Internet Governance Forum (IGF) and the Internet Engineering Task Force (IETF). Bing did not directly address the ICANN privacy struggle, even though he happened to be on the GNSO Council immediately following the first WHOIS Task Force reports, which were generally regarded as a failure.

The Norwegian Research Center did however sponsor a report by Dana Cojocarasu (2009) which examined the WHOIS in some detail, comparing three top-level domains: .no, .eu and .com. This gave insight into the differing rules which applied to these top-level domains, .no being the country code top-level domain for Norway, .eu being the supranational top-level domain for the European Union, and .com being the extremely large and important generic top-level domain administered by , under ICANN policy. The report was completed in 2009, which was after the WHOIS Task Force had issued its final report, and prior to the establishment of the first WHOIS Review Team, mandated by the signing of the Affirmation of Commitments (2009).

Cojocarasu reaches the following conclusions:

• She identifies a great disparity in the identification of purposes cited as the basis for WHOIS policies.
• The country code top-level domains (ccTLDs), not being bound by ICANN policy, can take—and are taking—leadership in developing better solutions to the directory problems. She identifies potential best practice models based on the ccTLDs.
• Her assessment of the interpretation of the Directive basically matches that of the Article 29 Working Party and the Berlin Group.
• She identifies the cost problem for registrars, and the fact that they must pass on the costs of nuanced data access and enhanced accuracy to the registrants, which is a competitive disadvantage.
• She supports tiered access as a promising method of achieving better accuracy and data protection.
• She identifies the lack of a clear definition of the purpose of data collection, “rather than an identification of the individuals who may benefit from the data once they are made publicly available” (p. 150), as fundamental to creating effective policies.

In this, she is restating what the Security and Stability Advisory Committee (SSAC) of ICANN, and the data protection authorities have been repeating for several years.27

27 I discuss the Security and Stability Advisory Committee reports which support limits on data collection and clear purpose statements in Chapter 5, noting that SAC 55 explicitly asks what the purpose of WHOIS is and identifies ICANN’s failure to define that purpose as a root cause of the perpetual argument over WHOIS.

Lee Bygrave has written extensively on data protection law, including a critical analysis of some of the inherent problems in data protection law (Data Privacy Law, an International Perspective, 2014a). Bygrave is somewhat pessimistic about the difficulties that confront data protection law and its overseers in an increasingly global dataflow environment, in the face of the long-standing rift between U.S. approaches to privacy regulation and those of Europe and the many countries who follow the Directive. He also expresses reservations about the effectiveness of the oversight, which he analyses in some depth (pp. 190–203), and in particular points out the problems with regulatory overreach in the interjurisdictional context. Douwe Korff, an international legal scholar who has written extensively on data protection, law enforcement agency access to data, and surveillance, raises many concerns similar to Bygrave’s in his report to the European Commission (2010). Bygrave focuses on the Internet in his article “Data Privacy Law and the Internet: Policy Challenges” (in Witzleb, Lindsay, Paterson, Rodrick, 2014b), where he appears to be even more pessimistic: “All up, the Internet’s pervasiveness, combined with its multifaceted yet loose governance structure, means that it transcends ready capture by any single established regulatory model” (p. 271).

He identifies a number of regulatory challenges that are important in the context of ICANN, in my view. The first is one of semantics: whether the terminology of data protection law embraces the Internet and is thus understandable in the context of how data is managed on the Internet. Even before the challenges presented by cloud-based computing, the disaggregation of data and the unpredictable nature of some kinds of dataflow make the concepts of data transfer, data processing, onward transfer, and files seem archaic in an Internet context. We speak of the WHOIS “database,” but it is not a database; it would be more accurately described as a data display or a query protocol, with the records themselves held by each registrar or registry. It may indeed be that this terminology problem has interfered with the ability of stakeholders in ICANN to grasp and respect the data protection rights of end users.


Bygrave’s second point is that in general privacy law “struggles to provide adequate prescriptive guidance for behaviour in the online world” (p. 261). While it is not the job of data protection authorities to go into an organization and tell it precisely how it should manage its data, it may be that more prescriptive advice would have been useful at various points in the history of the WHOIS struggle. I note some lost opportunities in this respect in Chapters 6 and 7. However, as I describe in Chapter 6, the data protection authorities have been quite specific and detailed in their guidance, short of going through each data element in a WHOIS query.

The third point Bygrave posits, which I find useful, is that the trajectory of data protection law “is at loggerheads” (p. 261) with the way the Internet is developing and being used, rendering it increasingly symbolic. I argue that this is the way data protection law has been treated at ICANN: respect for it is a symbolic gesture in the face of a global personal dataflow that continues uninterrupted and is not well understood by the average individual. Under this heading he identifies two main arguments. The first is that data protection law stifles innovation or the generativity of the Internet, including the facilitation of free speech. This is certainly an argument that we see at ICANN, and indeed the inability to see free speech and privacy as non-contradictory goals may be a factor in the failure to respect data protection law. It is an argument that the opponents of data protection have fastened on, as we can see from the quotation from Assistant Commissioner Strickling’s speech to the Conference of Data Commissioners earlier in this chapter. His second point, with respect to the apparent regulatory overreach of data protection law, is that it is given such broad application that there is very little chance of effective enforcement. Some parties argue this at ICANN; however, I respond that nobody has really tried to effectively enforce data protection law at ICANN, and I discuss some approaches to doing so in Chapter 7. Bygrave further suggests this has resulted in disrespect for the law (Bygrave 2014b, p. 261), and I have certainly witnessed a great deal of disrespect for data protection law at ICANN, which I believe may have unfortunate consequences in terms of respect for the law in general. As long as the discourse remains abstract, there tends to be a great deal of misunderstanding and dismissal of privacy concerns; I would summarize the attitude at ICANN as putting data protection and cross-border enforcement of privacy law in the “too hard” bucket. Once an actual dataflow map is produced, with each data element mapped to the users who receive it and to their legitimate purposes for its collection, use and disclosure, both the requirements and the frame of reference from which civil society and data protection authorities view the matter will become clearer, and with them a way forward.

Bygrave makes serious charges regarding the enforceability of data protection law in the Internet context, charges that are worth considering as we examine the impasse at ICANN. However, we must remember that he is examining the broad range of Internet related issues, including search engines, social media platforms such as Facebook, collection of personal information through advertising, electronic commerce, etc. ICANN looks relatively simple compared to these nested, deeply content-related issues. WHOIS is a directory, first and foremost. However, the suppression of innovation, restrictions on free speech, overly broad application of the law (i.e. endless arguments about how much information generated by a domain registration should be considered personal) and lack of enforcement, are familiar issues that have been raised on a regular basis in the WHOIS debates. I think Bygrave’s concerns are valid for applications like search engines and geo-location applications, but I think they are surmountable for what ICANN sets as policy for registration data.

Bygrave goes on to express his concern about giving law an extraterritorial dimension that remains “dormant” (2014b, p. 277), and this he identifies as a central problem in the application of data protection law. By “dormant,” he means unenforced, and he discusses the possibility of overreach both of the previous EU Directive and of the EU General Data Protection Regulation, which was still a draft at the time the article was written. This is in my view one of the key problems at ICANN. As I will discuss in greater depth in Chapter 5, instead of tackling the issue, it is my observation that ICANN has shrugged, and simply put cross-jurisdictional enforcement of privacy law, and dealing with the variance in data protection law, in the “too hard” bucket. Given that intellectual property law suffers from similar global enforcement challenges, it is important to reflect on the comparison in treatment of these enforcement problems; nobody has thrown trademark violation concerns in that bucket.

The data protection authorities have asserted their views, but as I discuss in Chapter 6, as of December 2015 the data protection authorities have not taken an enforcement action against ICANN, even though they are well aware that they have the power to block a dataflow, seize the registrars’ servers, or initiate complaints for disproportionate collection, disclosure, and illegal data retention. I discuss this inaction in Chapter 6, but I agree with Bygrave that the latency or dormancy of this power is doing nothing to develop practices and procedures in a rapidly developing Internet ecosystem, leading to a view on the part of otherwise willing technologists that the genie is out of the bottle and not coming back.

In summary, while I am somewhat more optimistic than Bygrave, I think his conclusions about the regulatory challenges do underscore why it is important that the data protection authorities or the courts succeed in enforcing both data protection law and criminal procedure at ICANN. If it cannot be done in a relatively simple registration process for domain names, which is managed by a non-profit organization established to act in the public interest and to support free and open competition, can we reasonably expect powerful Internet companies with shareholders and competitive interests at stake to do better?

The tension between the United States and the European Union over their different approaches to privacy has been a topic in privacy scholarship for many years (Bennett, 1992; Bennett and Raab, 2009; Reidenberg and Schwartz, 1996; Schwartz, 2013; Simitis, 1987). Colin Bennett and Charles Raab, both political scientists, have written extensively over the years on the challenges in data protection law enforcement (Bennett 1992, 2008; Raab 2006). They collaborated on an exhaustive examination of privacy policy instruments in global perspective in 2006, guided by the central research question: Is this a race to the top, or a race to the bottom? Their conclusion, based in part on the examination of privacy in the context of the risk society (pp. 289-295), is that the matter is far too complex to be summarized in this way; there are many races, in a dynamic environment. I will discuss how I see ICANN in this context in Chapter 7.

Dorothee Heisenberg, a political scientist and international regulation scholar who has written extensively on the EU and its regulatory challenges, discusses the negotiations over Directive 95/46 in Negotiating Privacy: The European Union, the United States and Personal Data Protection (2005). In this book she analyses the role that U.S. Information Technology (IT) lobbyists played in shaping both the stance towards the European negotiators and, ultimately, the Safe Harbor Agreement, which informs the analysis of how the contemporaneous creation of ICANN was influenced in terms of privacy policy. The negotiations of the United States over Safe Harbor marked, in Heisenberg’s view, the beginning of its decline in influence over data protection. Since the European Commission insisted on endorsing the Safe Harbor Arrangement as “adequate” under the EU Directive despite evidence that it certainly offered inferior data protection (Heisenberg, 2005; Bennett and Raab, 2006), it was not surprising when the Schrems decision in the European Court of Justice (ECJ, 2015) invalidated the Commission’s adequacy decision. Safe Harbor was a political compromise that could not, in the end, stand up in the courts, although it lasted for 15 years. Whether or not the United States has lost its influence over the text of data protection regulation, the companies which are leading the U.S. information economy appear not to have lost their influence over the enforcement of that law. It required a second year law student to overturn the status quo by taking a case to court.


Paul Schwartz canvasses this question of the confrontation of U.S.-E.U. visions of data protection in his 2013 article, wherein he assesses the potential impact of the new draft General Data Protection Regulation as it stood at the time of writing. As he points out, international data transfers were able to continue after the 1995 Data Protection Directive because of concerted work in drafting other tools beyond Safe Harbor, namely contractual clauses and binding corporate rules. Agreeing with political scientist Anne-Marie Slaughter (citing her 2004 A New World Order, pp. 59-61), Schwartz points out (2013, pp. 1985-1992) that a lot of negotiation and collaboration went on after the implementation of Directive 95/46 to ensure that trade continued and privacy requirements were accommodated. He has recommendations for how to avoid a similar potential collision when the General Data Protection Regulation becomes law. I consider this article particularly interesting because it draws into sharp contrast the situation that has occurred at ICANN, where there has been little or no negotiation and “deal-making” over registration data requirements.

In the context of Safe Harbor, the question arises as to whether the next political compromise, the Privacy Shield, which was agreed in 2016, will survive in the courts. The privacy group Digital Rights Ireland, who succeeded in getting the European Data Retention Directive 2006/24 thrown out,28 lost no time in filing a legal challenge to the new deal, so it will likely be settled faster than the last case was. As many scholars have pointed out (Bennett and Raab, 2006; Mueller, 2010), the dataflow between Europe and the United States is just too important to be cut off by data protection rules; it will be interesting to see if the outcome with this new, more robust arrangement might be different.

28 Data Retention Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks (OJ 2006 L 105, p. 54).

Priscilla Regan’s Legislating Privacy (1995) remains, despite its age, one of the more thorough analyses of why the U.S. Congress has never passed comprehensive privacy legislation. She examines three key areas of privacy and technology: information, communications, and psychological privacy (e.g., the polygraph and the chilling effects of technologies and tests which can interpret or detect behaviour, thoughts, etc.). She identifies the importance of framing the issues and identifies ideas, interests, policy communities, and policy entrepreneurs as key factors in the analysis of Congressional inaction. She concludes that in each of the areas examined, privacy became defined as an individual, rather than collective, interest, and one in conflict with societal interests. Government efficiency, law enforcement, and an honest work force were the compelling societal values that she describes in her case studies. I believe this concept of individual rights being in conflict with societal benefit is an important one to keep in mind when examining how privacy and data protection became framed at ICANN. Analysis of the apparently interminable arguments of the current 2017 RDS PDP over data protection rights demonstrates that many of the actors in the working group prefer to frame the contention in this way: individual rights versus the public good in fighting cybercrime. “One World, One Internet” is ICANN’s slogan, and the collectivity embraced in that concept does not seem to leave much room for the concept of autonomy and individual rights.

Regan goes on to propose a new way of framing privacy as a societal or common good, important to the broader societal interest, and this concept offers promise as a way to break the logjam at ICANN in terms of privacy policy, were it not for the fact that the proponents of public safety have already claimed the concept for the investigation of crime. She points out that emphasis on the definitions of privacy developed by Warren and Brandeis (1890) and Westin (1967) tends to reinforce an individualist approach to defining privacy rights. Samuel Warren and Louis Brandeis wrote an extremely important article, The Right to Privacy (Solove & Rotenberg, 2003, pp. 3–19), which set the parameters for how a right to privacy might be understood, and Alan Westin developed this concept further in his book Privacy and Freedom (1967). Westin, indeed, defined privacy as a voluntary separation from society (p. 7); since his work has had such a profound effect on the understanding of privacy in the United States, it is worth quoting his definition:

Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how and to what extent information about them is communicated to others. Viewed in terms of the relation of the individual to social participation, privacy is the voluntary and temporary withdrawal of a person from the general society through physical or psychological means, either in a state of solitude or small-group intimacy or, when among larger groups, in a condition of anonymity or reserve. The individual’s desire for privacy is never absolute, since participation in society is an equally powerful desire. Thus each individual is continually engaged in a personal adjustment process in which he balances the desire for privacy with the desire for disclosure and communication of himself to others in light of the environmental conditions and social norms set by the society in which he lives. The individual does so in the face of pressures from the curiosity of others and from the processes of surveillance that every society sets in order to enforce its social norms. (1967, p. 7)

It is an interesting explanation of the concept of privacy, but note that nowhere in this entire definition is there discussion of the inherent good of privacy, in fact the social norms of the society in which the individual acts are set up as pressures against privacy. The person claiming privacy is withdrawing from society. It is therefore not surprising when other scholars, abbreviating Westin in discussions of U.S. privacy requirements, arrive at conclusions such as those of Fred Cate (1997), an information law scholar who has been firmly in support of self-regulation for privacy in the United States, and finding the “privacy balance”:

An important part of that balance is recognizing that protecting privacy imposes real costs. It facilitates the dissemination of false and misleading information, increases the cost of providing products and services, and interferes with meaningful evaluation of students and employees. Privacy conflicts with other important values within the society, such as society’s interest in free expression, preventing and punishing crime, protection of private property, and the efficient operation of government….

Another important part of the context in which information privacy issues must be addressed are the other concerns raised by digital information, including enforcing intellectual property rights, protecting free expression, facilitating the economic stability of information networks, harmonizing divergent regulatory schemes, resolving the role of on-line anonymity, and ensuring the security of electronic transactions. No protection for information privacy is workable or desirable if it fails to take into account the variety and importance of contextual factors and the existence of competing values and concerns. (1997, p. 102)

If we were to substitute “domain name registrants” for students and employees in the second sentence above, I think this comment from Cate on finding the privacy balance sums up the attitudes to privacy that are prevalent in the working groups at ICANN. I therefore find Regan’s ideas about how to reclaim the concept of privacy as a societal good very important. Her solutions are prescient, particularly as we have now, by 2017, created a world where “expectations of privacy” are extremely low, in part due to the failure of regulatory action and to the “balancing” of the many interests listed above at the expense of data protection. A much broader collapse of the societal importance of privacy appears to loom as we contemplate the failure of current models of legislation and enforcement. Certainly I argue that at ICANN the discussion appears to be locked in precisely the failure Regan describes: the policy community and its entrepreneurs have not established a framework which emphasizes the need for society to exercise privacy rights in a more harmonized fashion, for the common good. As Regan summarizes in her conclusions:

The problems that have been identified here regarding the conceptualization of privacy as a value and as a goal of public policy are problems that generally occur within liberal interest-group pluralism. Within pluralism, difficulties exist in conceptualizing the public interest in shared terms; instead, the public interest is viewed as the outcome of the policy-making process or the sum of interest-group demands. These “ethical limitations of pluralism” [citing McCollough, The Moral Imagination and Public Life, pp. 69–70] reduce values and principles to interests in large part because of the lack of development of other normative criteria in American political thinking. When this occurs, values that draw their support from the importance to the individual are particularly threatened if the competing interest is one that derives support from both particular interests and public interests. (1995, p. 242)

I think this is a useful insight into what has happened at ICANN, and the framing of the issues may indeed be exacerbated by the overwhelming interest on the part of both civil society and the technologists in embracing the values of free speech and an open Internet. In the absence of an alternative frame of reference that situates privacy as a value important to the broader interests of society and community, the individual’s rights would lose. Regan returns to this idea in 2002, suggesting that if personal information were viewed as a “common pool resource” in ways similar to how the environmental movement has examined the use of the commons, it might provide different approaches to policy intervention. She identifies three characteristics of the current overabundance of personal information online that are similar to environmental concerns over the commons: the first is that the common pool resource is overloaded, through too much information being collected, it is polluted through inaccurate and outdated data proliferating, and it is overharvested by too many users taking the data in an uncontrolled manner. These are complaints that I have heard all too often about the current state of WHOIS data, and in particular the second issue—the pollution of the WHOIS data with fake and inaccurate data—has been driving much of the recent WHOIS studies and further accuracy requirements in the 2013 RAA. Regan points out that if the pool of personal data were to be treated as a commons, the remedies which Elinor Ostrom (1990) suggests might well be used to formulate policy solutions:

Support by higher authorities in applying sanctions; establishment of clear definitions regarding access to the resource system; establishment of clear boundaries; participation by resource users in devising rules; creation of graduated sanctions for offenders; and low-cost conflict resolution mechanisms. (2002, p. 401)

Indeed, this is an interesting approach to the shared resource of the registration data, and many stakeholders already regard it as a “commons” to which they are entitled to turn for certain information needs. Given that the multi-stakeholder model already affords resource users the opportunity to devise the rules, it is a way of looking at the problem of the WHOIS impasse that might be fruitful. The question arises: Why has this not worked in the ICANN multi-stakeholder situation thus far? I would suggest we are missing the first element in that list, support in applying sanctions, which I discuss further in Chapter 6.

Mueller has also examined the issue of “the commons” in Internet governance more generally, and applies his thinking to two restricted public resources which ICANN manages: IP addresses, and the name space or Domain Name System. In seeking to explain the dynamic nature of the interdependence of the concepts of the commons and the market, he identifies two key factors which ground his thinking: transaction costs and physical characteristics of resources, but he goes on to say that neither can explain the phenomenon completely:

Both identify important considerations but, I will argue, neither is sufficient to explain empirically either the political demand for a given commons/market complex, or the actual results that are implemented. The most important factor determining where commons are located in relation to exclusively owned resources in a specific historical context, I will maintain, is interest group contention. (2007, p. 5)

I think it is arguable that the very set-up of the other two phenomena which he examines as case studies (names and IP addresses) may have set the frame for the contention over WHOIS. Many clearly regard it as a commons where they have unlimited grazing rights. The concept of all domain registrants participating in a new kind of society (the Internet), where their information would be public as a common good for all to access, seems to be a prevalent one at ICANN. This is an area which should be of interest to scholars of Internet governance and the multi-stakeholder model, particularly in the context of the failure to respect national data protection law. Data protection failure and failure to establish fair market rules are significant critiques of the multi-stakeholder model, and as Mueller points out, interest group contention may be the driving factor.

Turning to a much more recent book which examines the privacy theme, Julie Cohen’s 2012 Configuring the Networked Self has a useful chapter on “Reimagining Privacy” in which she discusses many of the current theories on surveillance and self-exposure. A key thought, which I find useful to understanding the ICANN privacy standoff, is summarized in the statement, “Privacy exemplifies a culture’s normative, collective commitments regarding the scope of movement, both literal and metaphorical, accorded to its members” (p. 149). Bearing in mind that Cohen is canvassing a much broader field of the implications of networked technologies for our legal understanding of privacy and intellectual property rights (among others), this speaks to what Regan is addressing in her discussion of a framework for the common good. Cohen refers to the necessary conceptualization of privacy as a set of boundary-management practices, which operate along spatial, material, and information dimensions:

As in the case of copyright, the law of privacy must balance a type of fixity against a type of mobility, and the nature of that balance is widely misunderstood…. But a society that wishes to remain democratic, vibrant and innovative cannot hope to do so based solely on practices and architectures directed toward transparency and exposure.

Choices about privacy are choices about the scope for self-articulation. They are, therefore, choices about room to pursue the (unattainable, yet vitally important) liberal ideals of autonomy and critical independence. By this, I do not intend either to romanticize privacy or to readmit the liberal conception of privacy for fixed, autonomous selves through the back door. I mean only to make a narrower claim about the importance of liberalism’s cultural and political aspirations. In a society committed at least to the desirability of the liberal ideal of self- determination, pervasive transparency and exposure are troubling because they constrain the range of motion for the development of subjectivity through both criticism and performance, and these conditions do not automatically cease to be troubling when the subjects of surveillance have indicated their willing surrender. Such a society values neither the docile bodies of Foucauldian theory, nor the fragmentary, infinitely Protean selves posited by performance theorists. (p. 149)

Cohen compares the impact on creativity of both copyright law and privacy/transparency laws. Her central focus on configuring the self relies on the creative and dynamic interplay of the opposing values. Returning to what I have described as a rather simple problem at ICANN, the WHOIS directory, I make the following points about Cohen’s conclusions on privacy.

First, I think this is an interesting update on the concept of the common good that Regan initially presented in 1995, and elaborated upon in 2002. It corresponds to an often- expressed desire at ICANN not to suppress the innovation and dynamic expansion inherent in the Internet, yet it recognizes the value of boundaries in the context of the configuration of the self in a networked world. I think boundary management is a concept that may have resonance with the technologists and entrepreneurs who participate in this struggle for a new RDS policy at ICANN, and it could map to Regan’s concept of the common pool resource. Rather than accept the prevailing norms, that possession of a domain name on the Internet demands transparency of a set of data elements to all other constituents in that commons, can we negotiate boundaries, providing information only as necessary?

Second, Cohen canvasses these concepts as a legal scholar in the U.S. She discusses the constraints of the U.S. concepts of privacy, as Regan does, citing Westin’s concept and definition of privacy, and one cannot overstate the impact that Alan Westin’s work had on the U.S. development of privacy thought during the 1990s in particular (Westin, 1967). The sectoral approach to privacy legislation that took place during that period, producing narrow pieces of legislation which addressed issues that could be balanced on the basis of the interests of the stakeholders who were part of the particular policy community of interest, did not help to advance a broader, more dynamic concept of how to address privacy. This may help explain how ICANN got locked into a framework of analysis that it cannot seem to shed.

Third, she points out that “there are good reasons that privacy is so resistant to the abstractions of rights theories; it cannot be separated from the contexts and places that give it meaning” (p. 152). Declaring “privacy” a potentially dangerous abstraction, she says: “The protections necessary to safeguard processes of boundary management within the systematic, rhizomatic architectures of the surveillance society need to be conceptualized systemically and concretely if they are to be effective” (p. 152).


I think this points to the idea of privacy by design in terms of the structure of the DNS and its registration data systems. Privacy by design, a concept promoted by the former Ontario Information and Privacy Commissioner Ann Cavoukian (Office of the Information and Privacy Commissioner of Ontario, 2009), and now accepted as a principle in the new EU General Data Protection Regulation, refers to building the capacity for adherence to data protection into the system, as opposed to adding protections on afterwards. For instance, where a technology collects all data generated, an additional step must be added to delete it to comply with data minimization requirements, whereas in a privacy by design system the data is not collected in the first place. The problem, of course, is that having built WHOIS and the other protocols upon a platform that did not recognize privacy as a value requiring systemic protection, there are some systems that may not easily be rebuilt. Following Cohen’s logic, though, I think the most resilient problem that must be faced in changing the attitude to privacy in the Domain Name System is reimagining what privacy is, shedding the notion that societal benefits are forfeited when individuals are permitted to negotiate their boundaries. The concept of dynamic, systemic boundary management, in the context of the contention regarding rights previously described, is useful to bring to the debate.

I would add a fourth point here: the interpretation of privacy rights as dynamic in context is anathema to some of the WHOIS stakeholders who want to build a static system where things are public, or not. Costs figure prominently in the reasons for that static system; dynamically managed privacy rights would raise concerns in the Registrars Stakeholder Group, as someone has to make decisions in any tiered system; even the current privacy/proxy services regime prompts the question: What does a privacy/proxy service provider reveal about the beneficial owner of the domain name when asked, and what proof is required before the personal data is revealed? Interpretation of privacy rights is always contextual, and it is somewhat labour intensive. Automating this part of the task of building a tiered system (i.e. the dynamic part) is difficult and probably expensive.


Before leaving this discussion, I should mention that Helen Nissenbaum’s concept of privacy in context, based on the theory of contextual integrity (2002, 2011), is useful in this respect, bearing in mind that the availability of RDS data is a much simpler problem than the online tracking and commercial environment which she describes in 2011. Recognizing that the notice and consent model is broken, she discusses the need for rules, working back from the somewhat chaotic situation which has developed on the net. This maps to the situation we have with WHOIS, given the lack of enforcement of data protection law.

Importantly for reimagining how WHOIS fits in the Domain Name System, she refutes the idea of the Internet as a new geography:

However exhilarating the vision of cyberspace as a new frontier, experience reveals no insulated domain divorced from “real life” and deserving distinctive regulation. The Net does not constitute (drawing on the terminology of contextual integrity) a discrete context…. Activities online, mediated by the Net (“on” the Web), are deeply integrated into social life: they may be continuous with brick-and-mortar correlates or, at the very least, have the power to affect communications, transactions, interactions, and activities in those realms (and vice versa). (2011, p. 38)

I think this is an important perspective from which to view the odd way that ICANN and its management of the Domain Name System are being treated with respect to fraud, crime, and intellectual property abuse. While it is certainly true that the Internet has brought important changes to how such fraud and abuse can be perpetrated, it is not a different universe or dimension where agreed social norms (in this case, privacy and human rights) no longer pertain. While those who seek to investigate abuse would like there to be one-stop shopping for information they could use, data protection authorities, as I discuss in Chapter 6, have definitely pointed out the clash with data protection law inherent in treating ICANN as this kind of information repository.

In summary, the concepts of privacy and the commons described briefly above may be useful to employ as the privacy advocates in the ICANN stakeholder community try to move the directory services model to a more nuanced one, facilitated by new developments in technology and Internet protocols such as the Registration Data Access Protocol (RDAP), developed by the IETF to solve current problems with WHOIS. Employing it to its fullest, in furtherance of policy objectives that recognize privacy as a social good deserving security protection, will require turning the current information commons into a different type of information resource. This will require successful interest group contention, which Mueller identifies as a key predictor of the emergence of a commons.

3.4 Technology Issues and Solutions

Scholars from Internet Governance studies (Braman, 2013; DeNardis, 2009) have examined the discourse in the Internet Engineering Task Force (IETF) and concluded that the technologists who continue to work on protocols and networks both understand the concepts of privacy and anonymity, and are committed to integrating them in Internet design. I discuss in Chapter 5 how the Registration Data Access Protocol (RDAP), a protocol designed to replace WHOIS and enable tiered or differentiated access based on authenticated identities, could respond to the demands of the data protection authorities to stop unfiltered global access to personal data.

Sandra Braman is a media studies scholar who has written extensively on the implications of new forms of global information policy (2004, 2006). While I am interested in this from the perspective of developing new global Internet governance structures, I am also interested in the particular study she did of the Requests for Comments issued by the ARPAnet developers back in 1969-1979 (2010, 2011). In this key piece of research, she examined the RFCs and comments to determine how aware the early technologists who were working on the Internet were of the social impacts of their work.

Laura DeNardis is a technology scholar active in Internet governance studies and in the Centre for International Governance Innovation (CIGI), who has been writing on ICANN’s accountability challenges in the context of the 2016 Internet Assigned Numbers Authority transfer, the transition from contracting with the U.S. government to run the numbering system to full autonomy of ICANN. DeNardis (2009, pp. 191–192) also looked at the Requests for Comments (RFCs) of the IETF in earlier years, and identified the concern for both privacy and constitutional protections (anonymity) that the developers of Internet protocols and standards expressed. Anonymity potential has been consistently built into the protocols. We do hear at ICANN, from both the Intellectual Property Constituency and law enforcement officials, that if the engineers had built this thing correctly in the first place, they would not be struggling to identify misfeasors. This tension between the three stakeholder groups is one that is useful to those wishing to promote better privacy outcomes on working groups. On the law enforcement side of that argument, a great deal of private sector data, particularly in mobile networks, is already being accessed and is effective in tracing traffic to an identifiable user (Brown, 2012; Brown, Wright and Erdos, 2013). WHOIS is not necessary, as the technologists point out.

In Laying the path: Governance in early Internet design (2013), Braman argues that the governance issues were identified early on in Internet development. Using a variety of lenses to analyse the work, she concludes that the RFCs provide at least three histories: that which was intended, that which appears self-reflexively, and that which appears when a theoretical lens is applied. The conclusion she reaches is that the early researchers were very aware of the policy implications the Internet would bring, and they were also aware that they were participating in a sociotechnical enterprise. She identifies the roots of future governance structures in her analysis of this technical community, and cites Edelman et al (2010) on “Law, Organizations and Social Movements” who claim it is rare for more than two of these three to be present in an interdisciplinary group. Applying this to sociotechnical construction, she notes:

So too, with the study of large-scale sociotechnical infrastructure. Two subjects have dominated the subject of Internet governance broadly writ:

1. Interactions between network development and efforts by geopolitically recognized entities (states, regional governments, and international organizations) to regulate that network; and

2. Development of the formal decision-making procedures and entities that comprise the constellations of governance via internet-specific organizations and efforts.

As is demonstrated in this and other analyses of discourse among Internet designers presented by the RFCs, however there is at least one more issue–i.e. the growth, maturation, and perhaps, politicization of a network-based community as it moves through the stages of legalization in general (acceptance of, in general, the rule of law) and its specifics (compliance with technical protocols and community norms). (p. 79)

These observations are relevant to determining what factors have interfered with the acceptance of privacy protection norms at ICANN. If there is, simply put, a maturational issue in progressing to acceptance of legal norms (and Braman also goes into the reliance on contract to determine rules-based conduct in this article), then applying her insights and those of socio-legal studies may help explain some very curious situations at ICANN, such as the refusal to recognize existing data protection law requirements as a constraint on data collection requirements in the accreditation of registrars.

In this article Braman recognizes the development of a network of people who are self-aware, as a community of folk working on what she would describe as sociotechnical construction. They might describe it as the network of the future.

In her 2011 article on the same RFC research, she looks at whether or not the members of the technical team were aware of potential privacy issues. The conclusion, again, is that indeed they were acutely aware of the potential for mass surveillance in the new networks, depending on how the technology was designed. Braman has also written a chapter on privacy from a communications and sociotechnical perspective in Change of State (2006), which provides a somewhat different perspective on how attitudes to privacy have developed. Braman’s work provides different perspectives from which to view the contestation at ICANN, and insight into the technical experts who were less conspicuous as stakeholders in this struggle over registration data.


Brown, Clark, and Trossen (2010) have challenged the concept of embedding societal values in Internet architecture in their paper “Should Specific Values be Embedded in the Internet Architecture?” Citing the Universal Declaration of Human Rights (UDHR) as the most easily agreed set of common values, they discuss the arguments for and against this proposition. Basically, either core values such as openness, privacy, and network neutrality are baked into the architectural choices, or flexibility is built in to allow responses to be tailored. The argument for the latter position is that the values of the UDHR are in many cases not absolute (e.g., hate speech laws exist, and privacy is forfeited in the interests of the protection of children). Given the debates at ICANN over this issue, safety versus individual autonomy and privacy, I find the description of the debate interesting, although the question of whether it is worthwhile to pursue such an approach at ICANN remains open.

3.5 Implications for the Multi-stakeholder Model

As discussed in Chapter 1, Internet governance and international regulation scholars have explored the development of ICANN as an exemplar of a new kind of international regulatory mechanism since its birth (Drake & Wilson, 2008; Froomkin, 2000b; Mueller, 2002; Weinberg, 2001). The failure to solve a rather basic privacy problem, namely the inclusion of every individual who gets a domain name in a public global directory, strikes those who value privacy and the rule of law as a serious failure in the model. Numerous scholars have examined what is expected of the multi-stakeholder model (Hofmann, 2016; Hofmann, Katzenbach & Gollatz, 2016; Bostrum and Hallstrom, 2010). Roxana Radu, Jean-Marie Chenou and Rolf Weber edited a volume in 2013 which provides a critical analysis of the situation in Internet governance, summarizing the many challenges to the multi-stakeholder model, particularly after the World Conference on International Telecommunications (WCIT) held in 2012. At the WCIT 2012, 89 of the 144 delegations present voted for a return to increased ITU activity in Internet governance (Radu et al, p. 14). The revision of the International Telecommunications Regulations (ITRs), not the Internet, was supposed to be the focus of the vote and discussion, but the desire of many parties who had felt marginalized by the U.S. in its support for multi-stakeholder models of Internet governance certainly erupted at this forum, continues today, and can be witnessed at ICANN.

Radu and Chenou point out in their conclusions to the volume that it is important to focus on concrete interactions:

As noted by Sylvan in the first chapter of this volume, the Internet governance scholarship has spent a lot of time focusing on institutions and frameworks rather than on everyday interactions. This focus has contributed to reproducing abstract dichotomies like bottom-up vs. top-down, public vs. private, state vs. market etc. These dichotomies reflect the often antagonistic nature of Internet governance debates… Drawing on their diverse backgrounds, the contributors investigate developments in the post-WCIT environment, as well as broader trends in particular sub-domains of Internet governance, such as Internet security. Their conclusions are varied, yet they all insist on some basic features of democratic Internet governance: legitimacy, cooperation, participation, and accountability. These principles echo the changes that are increasingly demanded in current Internet governance debates, notably through the design of an institutional architecture that is inclusive, transparent and effective. (p. 192, emphasis added)

This dissertation provides a critical analysis of ICANN’s privacy failures, demonstrating concrete failures in the multi-stakeholder process at ICANN across those four key features of democratic governance: legitimacy, cooperation, participation, and accountability. It is, as they suggest, important to focus on everyday transactions to measure the success of the model.

3.6 Conclusions

The problems I have sketched, which stem from the different approaches to data protection taken by the United States and the EU, are, I fear, growing bigger rather than smaller. This is particularly evident in the light of the more active European Court of Justice and two important cases: Google v. Spain, on the right to be forgotten, and Schrems v. Facebook, on the rejection of the Safe Harbor Agreement. It is as if there had been an uneasy truce on the matter of transborder data flow for 15 years, and then somebody fired a couple of cannons. While Bamberger and Mulligan (2010) have demonstrated much good practice on the ground in the United States, there remains, as they admit, a deficit in the rule of law in the United States, with no sign of comprehensive privacy law coming in the current administration. Meanwhile, the EU continues to develop its regulatory regime with the new General Data Protection Regulation and the promise of much greater enforcement activity after May 2018, including sizeable fines. What this means for the contention over WHOIS, and the “path dependency” that Mueller & Chango describe as the outcome in their 2008 article, I return to in Chapter 7 after discussing the contours of this contention.

From the perspective of legal privacy scholarship on the WHOIS, it is fair to say that no one contests the notion that ICANN is not adhering to privacy norms or law in its policies and contractual requirements. Several scholars, notably Bygrave and Gellman, are pessimistic about the possibilities of enforcement of data protection law on the Internet, for a number of reasons which could be summed up as follows:

• Jurisdictional issues make taking a case difficult;

• Bureaucracy has set in with the data protection authorities, who may lack the will and resources to take on a rather unusual international not-for-profit institution;

• The issues of over-collection, use, retention, and disclosure will be argued as being for the public benefit, to facilitate the prevention of cybercrime, and much bigger battles are being lost on those grounds (see also Korff and Brown 2010).

The framing of privacy as an individual right rather than as a public good has in my view definitely had an impact on progress towards the implementation of law. The conceptual framework that ICANN appears to be working in is that the registration data space should be more of a “commons”, where everyone knows what everyone else is doing there. This of course is a myth when business and insiders hide their activities by using lawyers as proxy services, but this is the concept.

Using the concept of a common pool resource of personal information could perhaps provide a way forward to discuss the concept of data protection as a common good. Can we change the concept of this common pool of personal data into one where boundaries are negotiated? This happens already, as privacy/proxy services have been accepted. Can information users accept the concept of data protection as a right deserving of protection in context? Could this bridge the divide between European and U.S. concepts of data protection? Cohen’s framing of privacy as boundary management may be useful in encompassing all these different methods and standards of data disclosure, as they may be peculiar to the circumstances and needs of each registrant, be they individual, small business, religious group, or large corporation.

Finally, in the matter of the social construction of technology, while we may accept the evidence that the engineers have thought about the values that are included in the Universal Declaration of Human Rights, it is not clear that they will win the argument in the construction of Registration Data Services (RDS). So far, law enforcement and the intellectual property rights owners are winning the battle over how to construct the RDS. This raises the much larger question of whether the multi-stakeholder model is actually working as a mechanism of global regulation, because those who purport to represent the end user or citizen appear to be losing.

In terms of my research questions, these contributions provide possible new ways to approach the WHOIS deadlock, and ways to assess the implications of continued failure to enforce the rules.

The next chapter will discuss how ICANN is organized and manages its various stakeholders.


Chapter 4 How ICANN Manages the Domain Name System and Registration Data

In order to understand how decisions have been reached with respect to privacy and confidentiality as defensible values in the design of the registration services essential to the Domain Name System (DNS), it is important to examine the structure of this multi-stakeholder organization and how its various bodies operate to develop policy. In this chapter, I describe briefly the history of how ICANN came to control the names and numbers of the DNS, and how the organization was constituted in 2016 at the time of the transition of IANA from formal U.S. control to a new “empowered community” structure operating in conjunction with ICANN, the non-profit corporation. I focus on the relevant structures and groups that participate in the policy-making process. The role of the United States in launching ICANN, and the requirements for the disclosure of WHOIS data which accompanied that launch, are critical to understanding the confrontation with data protection authorities. WHOIS and privacy issues remain the focus, so this is a limited sketch of the relevant sectors of ICANN. I also provide a short description of the rising importance of intellectual property and law enforcement issues, as the stakeholders concerned with these matters had a strong impact on the WHOIS issues. I explore how the tensions between the fundamental openness and transparency of the Internet as it was then became entrenched, almost as an ideological confrontation with data protection rights. I also describe the important role that law enforcement agencies have had, and the growth of the private sector security and investigation companies that combat cybercrime. A third and very important stakeholder group is the value-added services industry, which serves the domain industry (notably name speculators) and the intellectual property sector by aggregating data from WHOIS and other sources and making it available for research and investigations.


I use the example of the 2014-15 Privacy Proxy Services Accreditation Issues policy development process to demonstrate the steps in policy resolution, and describe how this development process works to resolve an issue where there is significant tension, in the “rough consensus” manner.

4.1 Structure of a Domain Name

Understanding the history of the development of the DNS depends fundamentally on the anatomy of a domain name. A domain name has the general format of www.example.com, where .com is the top-level domain (TLD), representing a registry, and .example the secondary level (SL) or registered name assigned within that registry. Domains read from right to left in terms of hierarchy. ICANN manages these two parts of the system by contract; it authorizes the registries, which run the top-level domains according to their contracts (e.g., Verisign is the registry that operates .com, Donuts operates .world), and it authorizes registrars to sell second level domains within the available top-level domains, through their contracts and accreditation agreements (e.g., is a registrar who can sell a secondary level or registered name, digitaldiscretion.com). The registrars may pass these responsibilities on to resellers, but the accredited registrar remains accountable to ICANN. ICANN administers only the generic top-level domains or gTLDs, while the country code top-level domains (ccTLDs) such as .ca (Canada) or .fr (France) are available to nation states. The relevant countries manage the operations and set policy for their own ccTLD registries. ISO standard 3166 sets out the two-letter codes for United Nations (U.N.) recognized countries listed in Terminology Bulletin Country Names and the Country and Region Codes for Statistical Use Maintained by the United Nations Statistics Divisions. ICANN facilitates meetings of the ccTLD authorities and receives some financial contributions from them on a voluntary basis, but it does not prescribe policy for them. Individuals may register their desired domain names in the generic top-level domains, or the country code top-level domains, or both to the extent they are permitted; many ccTLDs have residency requirements in order to register a name under their country code.

The number of top-level domains has expanded over the years. Prior to the establishment of ICANN there were only seven: .com, .net, .org, .int, .edu, .mil, and .gov. In 2000 and 2008, ICANN opened up applications for new top-level domains to reduce the pressure on .com and .net, and provide for greater competition in the sale of domain names. The application process which commenced in 2008 has resulted in over 2000 applications for new gTLDs, which have been coming on stream as they are approved and licenced as registries. By the end of 2015 there were 1257 generic top-level domains listed.

4.2 How the DNS Works Within Internet Architecture

Janet Abbate (1999) has detailed the history of the development of the Internet, and Mueller (2002) has described in detail the creation of ICANN, and the politics of its operation. While experimentation in the inter-networking of computer systems was being done in the U.S. Department of Defense during the 1960s and 1970s, it was not until the standardization of the Internet Protocol Suite (TCP/IP) in 1982 that inter-networking became a reality. The naming of networks, to avoid referring to the growing collection of connected systems by their numbers, appeared by 1982 (Leiner et al, 1982) and the concept of the Domain Name System or DNS was launched with RFC 882 authored by in 1983, although it took 6 years to develop (Mueller 2002, p. 78). The problems the Internet was facing in non-standard naming practices are well described by Mockapetris in RFC 882, and the solution proposed created the domain name space, name servers, and resolvers. This first step created a hierarchy to facilitate the growing directory; resolvers would indicate which were the authoritative name servers for a given name space.

This eventually required the maintenance of root name servers, to respond to queries about where domains were maintained and which servers were the authoritative ones to query about the growing number of top-level domains. Internet traffic itself does not pass through the root name servers; rather, they perform a directory function. A number of organizations arose to run these root servers, which are scattered around the world and are not under the control of any single organization.
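As an added illustration of the domain name anatomy in section 4.1 and the delegation hierarchy in section 4.2 (this is not code from the dissertation), the following Python walks a constructed miniature zone tree from the root down, following referrals only, and classifies the top-level domain the way the text describes. The server names, addresses and zone contents are constructed placeholders, and the ccTLD check is a two-letter heuristic rather than an ISO 3166 table lookup.

```python
"""Walk the DNS delegation hierarchy: root -> TLD registry -> registered name.

Added illustration; the zone data is a constructed, simplified snapshot and no
real root or TLD server is contacted.
"""
from dataclasses import dataclass

# The seven gTLDs that existed before ICANN was created (section 4.1).
ORIGINAL_GTLDS = {"com", "net", "org", "int", "edu", "mil", "gov"}

# Constructed delegation tree. Keys are zone apexes ("." is the root); each
# value maps a child label either to the name servers authoritative for that
# child zone (a referral, list) or to address data (a leaf, str).
ZONES = {
    ".": {"com": ["a.gtld-servers.example"], "ca": ["ns.cira.example"]},
    "com": {"example": ["ns1.example.com"]},          # registry delegates to registrar's customer
    "ca": {"example": ["ns1.example.ca"]},            # ccTLD run under national policy
    "example.com": {"www": "192.0.2.10"},             # TEST-NET-1 placeholder addresses
    "example.ca": {"www": "192.0.2.20"},
}


def labels_root_first(name: str) -> list[str]:
    """Split a name into labels ordered by hierarchy: the TLD comes first.

    Domains read right to left, so 'www.example.com' -> ['com', 'example', 'www'].
    """
    name = name.strip().rstrip(".").lower()
    if not name:
        raise ValueError("empty domain name")
    return name.split(".")[::-1]


@dataclass
class Anatomy:
    tld: str
    tld_type: str            # "ccTLD" or "gTLD"
    registered_name: str     # the second-level name a registrar sells
    icann_sets_policy: bool  # ICANN administers gTLDs only (section 4.1)
    original_gtld: bool      # one of the seven pre-ICANN gTLDs


def anatomy(name: str) -> Anatomy:
    """Identify registry (TLD) and registrar (second-level) parts of a name."""
    tld, *rest = labels_root_first(name)
    if not rest:
        raise ValueError("a registered name needs a second-level label")
    # ccTLDs are the two-letter ISO 3166 codes; this heuristic does not embed
    # the ISO table, so any other label is treated as a gTLD.
    tld_type = "ccTLD" if len(tld) == 2 and tld.isalpha() else "gTLD"
    return Anatomy(
        tld=tld,
        tld_type=tld_type,
        registered_name=f"{rest[0]}.{tld}",
        icann_sets_policy=(tld_type == "gTLD"),
        original_gtld=(tld in ORIGINAL_GTLDS),
    )


@dataclass
class Resolution:
    address: str
    referrals: list[tuple[str, str]]  # (zone asked, server it referred us to)


def resolve(name: str) -> Resolution:
    """Resolve a name by following referrals from the root downwards.

    The root and TLD zones only ever answer with a referral, which is the
    'directory function' of section 4.2: no address data is served by them.
    """
    zone = "."
    path: list[str] = []
    referrals: list[tuple[str, str]] = []
    for label in labels_root_first(name):
        entry = ZONES[zone].get(label)
        if entry is None:
            raise LookupError(f"{label!r} is not delegated in zone {zone!r}")
        if isinstance(entry, str):
            return Resolution(entry, referrals)        # authoritative answer
        referrals.append((zone, entry[0]))             # referral to the child zone
        path.append(label)
        zone = ".".join(reversed(path))                # e.g. ['com','example'] -> 'example.com'
    raise LookupError(f"{name!r} is a zone apex with no address data in this tree")


if __name__ == "__main__":
    for host in ("www.example.com", "www.example.ca"):
        a = anatomy(host)
        r = resolve(host)
        print(f"{host}: {a.tld_type} {a.tld}, registered name {a.registered_name}, "
              f"ICANN policy applies: {a.icann_sets_policy}")
        for zone, server in r.referrals:
            print(f"  {zone!r} referred to {server}")
        print(f"  answer: {r.address}")
```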

By 1990, Tim Berners-Lee had developed the protocols behind the World Wide Web, notably the Hypertext Transfer Protocol (HTTP) and the Hypertext Markup Language (HTML). The popularity of the World Wide Web accelerated the use of the Internet by individuals and businesses alike, and it became apparent to many stakeholders who were aware of the potential of the Internet that control of the fundamental resources by the U.S. government and the National Science Foundation was not a long term option (Kleinwachter, 2000; Mueller, 2002).

4.3 The Birth of ICANN

The National Science Foundation had led the networking of educational institutions in the U.S., in part by organizing and providing partial funding for a backbone linking a number of networks. Mueller has detailed the history of the property and governance conflicts which arose as the Internet became commercial after 1991, and the strife he documents, along with the naiveté of the engineering community when faced with the arrival of marketplace competition over names is worth noting as a backdrop to the birth of ICANN (Mueller, 2002, p. 308).

In November 1995, the first Internet governance conference was held, followed by several more in 1996. In December 1996, the U.S. Patent and Trademark Office opened a Notice of Inquiry on trademarks and domain names. Ira Magaziner, who was the presidential policy advisor on Global Electronic Commerce on the Internet to President Clinton, became concerned about the risk to commerce posed by the somewhat rudderless DNS at that time, and formed an Interagency Working Group on domain names in March 1997. After a great deal of consultation, NTIA opened a public proceeding on DNS policy issues and, in January 1998, released the Green Paper, a notice of proposed rulemaking proposing privatization, internationalization, and a board structure. Many stakeholders opposed the options presented in the Green Paper, and the White House responded with a White Paper in June 1998, proposing an interim board, stakeholder representation, and a breakup of the monopoly of the U.S. company , which was running the top-level domains. Importantly, it deferred to the World Intellectual Property Office to develop dispute-resolution mechanisms for trademark holders, and develop policies to protect trademarks (Mueller, 2002, 174).

The White Paper was also contentious, resulting in a number of proposals, and a further round of comments on those proposals yielded a great deal of criticism and little consensus. Nevertheless, the government chose the ICANN model, which had been put forward by a consortium of those engaged in the fledgling Internet industry. Scholars have commented variously on the birth of ICANN as either a flawed endeavour or a bold experiment (Froomkin, 2000b; Kleinwachter, 2000; Weinberg, 2000), but many stakeholders were willing to work with it, possibly in the absence of any better idea and in recognition that the kind of strife they had been experiencing was not sustainable if the Internet was to grow and flourish quickly. The basic principles of ICANN’s operation were:

• Set up as a not-for-profit corporation in the State of California.

• The Board (which had been chosen already in a non-public, non-consultative process) had the mandate to set up a stakeholder system, and a membership structure.

• The Internet Assigned Numbers Authority (IANA) functions were assumed by the University of Southern California, where researcher was already performing the function.


The Secretary of Commerce signed the Memorandum of Understanding with ICANN on November 25, 1998.

As of 2016, ICANN has grown into a forum where over a dozen different stakeholder groups meet in person three times a year, in a conference of usually over 2,000 people. It is supported by over 350 staff in three hubs and numerous secondary offices around the world, with an annual budget of $113 million USD in 2016. Proponents regard ICANN as one of the most successful, non-regulatory, multi-stakeholder governance bodies. There are, however, many opposing views. Some countries (e.g., Russia, China) feel that nation states should run the Internet, possibly through the International Telecommunications Union (ITU) or through a new, different type of organization at the international level (Kleinwachter, 2004).

Anyone can attend an ICANN meeting and participate, for free. Public meetings operate in the six United Nations languages, but ICANN conducts its business in English, using teleconferences and working groups that operate around the globe and around the clock. It sponsors outreach to developing countries, youth, and minorities to participate fully in its activities. ICANN was originally constituted in principal stakeholder groups or constituencies, and a few have been added to that original set. The Generic Names Supporting Organization (GNSO) was originally called the Domain Names Supporting Organization (DNSO) and is composed of the Contracted Party House (CPH) and the Non-Contracted Party House (NCPH). The Contracted Parties are the Registries and the Registrars (RySG and RrSG), and the Non-Contracted Parties are, first, the Commercial Stakeholders Group (CSG), which is in turn composed of the Intellectual Property Constituency (IPC), the Commercial Business Users Constituency (BC), and the Internet Service Provider and Connectivity Provider Constituency (ISPCPC), and second, the Noncommercial Stakeholders Group (NCSG), composed of the Noncommercial Users Constituency and the recently created Not-for-profit Operational Concerns (NPOC). Advisory groups are the Security and Stability Advisory Committee (SSAC), the Governmental Advisory Committee (GAC) and the At Large Advisory Committee (ALAC). This latter organization is composed of the actual advisory committee, ALAC, to which individuals from the regional At Large constituencies are elected. The At Large is composed of organizations and individual Internet users around the world, divided into five regions.

ICANN is formally committed to being a bottom-up, consensus-based, open, and participatory governance body. In the context of my research questions, however, I question whether there are flaws in the model and in its institutional practices that make this more aspirational than actual. This goal would be ambitious for democratic processes in a small, relatively homogenous country, but can it actually work in a global multi-stakeholder community with huge disparities in resources and in the level of ICT development? Many scholars have questioned the legitimacy of the ICANN model in terms of democracy, consensus, the failure to shake U.S. dominance over the Internet, and its legal basis (Froomkin, 2000b, 2002; Froomkin and Lemley, 2003; Mueller, 1999; Weinberg, 2000, 2001). How ICANN exerts its power to minimize data protection is my focus, and all of these authors provide ample arguments to substantiate my principal points about the governance of registration data. I return to this question in Chapters 5 and 7.

The organization has moved forward in recent years to establish itself as a genuinely global multi-stakeholder organization, but it continues to have difficulty shaking the criticism it attracted at the time of its creation, as a bid by the United States to control the Internet. Even after the IANA transition in 2016, this remains a problem, primarily because it is headquartered in California, operates under California law, is dominated by U.S. players, operates in English, and has always had active involvement of the U.S. government in its committees and structures (Bygrave, 2014; Froomkin, 2000; Kuerbis, 2011). In the debate about governance of the Internet and its technical structures, developing countries and many actors in civil society are calling for change (Netmundial Statement, 2014). The pressure this criticism puts on ICANN drives constant change, making it more challenging to study for reasons other than its inherent complexity, increasingly global reach, and rapidly expanding cast of actors, operating in diverse policy frames.

This is only a brief sketch of the history of ICANN; much could be said about the evolution of the DNS from the early research days to today’s expansion of top-level and secondary level domains. When ICANN was formed in 1998, there were very few top-level domains but there was already pressure to expand the number of TLDs. They expanded the gTLDs by adding an additional seven in 2000, and six more in 2004. In 2008 ICANN approved the establishment of more top-level domains and in 2010 they opened a round of auctions to compete for new domains (.book, .paris, etc.). This has brought in a considerable amount of money for ICANN, to the point where the auction proceeds fund stood at $240 million USD after the sale of .web in August 2016 for the record sum of $135 million USD. This profusion of new domain possibilities has created new stresses among the stakeholders. Registrars are happy to sell more domains; speculators and new registries are investing significant amounts to develop and apply for different gTLDs in the hopes that their words will have resonance with Internet users and shoppers. Governments are expressing concerns about whether a secondary string which matches their two letter country code will be confusing and should therefore be reserved for them (e.g., should in.love belong to India, whose country code is .in?). Trademark owners complain that they now have to defensively register any number of new domains just to protect their brands (e.g., dummies.book, dummies.com, dummies.shop, dummies.biz, etc.). Importantly for our focus on WHOIS, technical experts have been predicting for some time that the WHOIS protocol was not designed for this massive infusion of addresses, and would fail. I describe the new WHOIS protocols that the IETF has developed to respond to known and anticipated problems later in this chapter, but the explosion in top-level domains has brought many other stresses to bear.


4.4 How ICANN Functions: The Actors, Structure, Process, and Policy

4.4.1 Actors

ICANN does not have a membership structure, as a standards organization might. Anyone can come and participate. This makes membership in working groups quite fluid, as new people come and go, but there are many individuals participating regularly at ICANN who have been there from the beginning. This raises questions as to who exercises power, and how that works in an organization that is supposed to run on consensus, bottom-up decision-making. Briefly, here are some of the key players, and my observations on how they interact and express their views at ICANN:

• Registrars are businesses who were empowered by the creation of ICANN and the establishment in 1999 of the first Registrar Accreditation Agreement (RAA) to manage registration of all kinds of domain names for a fee. They operate on lean pricing models, are fiercely competitive, and are dominated by a handful of global giants who manage most of the world’s registrations.29 They frequently operate through resellers, and may also provide service as website managers and Internet service providers.

• Registries, including the new generic top-level domain registries, operate under contracts with ICANN to manage the top levels of the DNS (e.g., .com, .Paris, .org) and may or may not have requirements to collect personal data depending on their status. The original registry was operated by Network Solutions Inc., a company which was later acquired by Verisign in 2000 for $21 billion USD (Froomkin, 2000b). The role of the registries is changing, with new protocols such as the recently released Registration Data Access Protocol (RDAP) created by the Internet Engineering Task Force (IETF), and a transition from the requirement to maintain very little registration data to a requirement for much more data, as required by ICANN’s recent “Thick WHOIS” policy. (For lists of relevant IETF documents and ICANN policies and documents, please refer to Appendices D and E.) New requirements or “public interest commitments” (PICs) are also being added to their responsibilities with new top-level domains (e.g., verifying if applicants to .bank actually are credentialed as banks, etc.).

• Lawyers and intellectual property associations, who represent intellectual property and trademark owners, defend their interests by ensuring that those who seek to control domains that may threaten their brands and intellectual property are quickly and effectively prevented from doing so. As I argue in Chapter 5, the intellectual property community are the most successful actors in the WHOIS policy sphere, as they have managed to get ICANN to create a great number of policies, procedures, and data requirements that facilitate their policing of trademark and copyright abuse at minimal cost to their owners.

• Business stakeholders are dominated by large corporations and brand owners, and therefore have much in common with the Intellectual Property Constituency, although they also represent Internet service providers (ISPs) and small business.

• “Value-added” service providers are a diverse group of information and security organizations, such as Mark Monitor,30 a company which arose to perform constant surveillance of the Internet and the DNS in order to protect intellectual property owners, alerting them as potential trademark violation and fraudulent activity arises. There are also organizations which are permitted to capture bulk WHOIS data, and sell services such as WHOWAS, a historical record of how domains have changed hands or been discontinued. These domain tools are purchased by private sector investigation and security companies, as well as brand owners, law enforcement organizations, and criminals.

• Private cyber-security organizations detect and police cybercrime activities (e.g., domain hijacking, spam and malware distribution, etc.).

• The domain investment community, more commonly known as “domainers,” are companies or individuals who register domains in hopes of reselling them at a profit.

• Civil society, who represent the interests of end users. This is a disparate group of global volunteers, scattered across two constituencies in the Noncommercial Stakeholder Group (Noncommercial Users Constituency or NCUC and the Not-for-Profit Operational Concerns Constituency or NPOC) and one advisory group (At Large Advisory Council [ALAC]). Members of these organizations may represent NGOs, or academia, or themselves as individuals, and ALAC will accept those representing companies as well.

• The Governmental Advisory Committee (GAC) is a group of government representatives who provide advice to the Board and whose members rarely participate in working groups. The ICANN Board is bound in its bylaws to respond to the advice of the Governmental Advisory Committee, although the Committee itself has few if any restrictions on its advice. The functioning of this government advisory body is critical to the analysis of law enforcement and privacy issues, and I examine the role that it has played with respect to data protection further in Chapter 5.

29 Murphy, K. “Shakeup coming as Google becomes a registrar,” in Domain Incite, June 23, 2014. http://domainincite.com/16952-shakeup-coming-as-google-becomes-a-registrar-sells-names-at-12-with-free-privacy-and-email. This article in one of the main industry newsletters describes how Google, who received accreditation as a registrar ten years earlier, is now moving to undercut GoDaddy, the biggest player in the game who already undercuts most of the others.

30 Mark Monitor was acquired by Thomson Reuters in 2012 for an undisclosed sum, and divested to Onex and Baring Asia in 2016 for an undisclosed sum (https://www.thomsonreuters.com/en/press-releases/2016/july/thomson-reuters-announces-definitive-agreement-to-sell-its-intellectual-property-science-business.html).


These are the stakeholders, broadly speaking, who are active in the WHOIS policy debate.

4.4.2 Structure and process

ICANN operates as a three-headed entity, which I describe in this section. At the top, there is an elected Board of Directors, who make the final decisions on many issues. Reporting up to this Board are the stakeholders, organized in the various groups discussed above. Thirdly, there is a professional, full-time staff, situated around the globe in regional offices but primarily in Los Angeles, California, reporting to a Chief Executive Officer hired by and reporting to the Board. Given the complexity of the work, and the fact that stakeholders for the most part are not working full time on ICANN matters, the staff who support the policy work, perform compliance operations, and manage the budget and outreach of ICANN exercise a significant influence on what happens at ICANN.

An elected Chairman heads the Board of Directors. There are 15 members of the Board, of whom seven are elected by the various stakeholder groups, and eight are nominated by an independent nominating committee (NomCom) whose members are chosen by the stakeholder groups. The purpose of the NomCom is to find valuable members of the Board and the Generic Names Supporting Organization (GNSO) Council, which is responsible for developing policy for the generic top-level domains such as .com, .net, .org, and now the myriad of new top-level domains that are being released. The NomCom seeks candidates from outside the existing stakeholder community to bring fresh ideas and expertise to ICANN. There are also liaisons on the Board from the IETF (Internet Engineering Task Force) and from the advisory committees (Governmental Advisory Committee, Security and Stability Advisory Committee, Root Server System Advisory Committee).


Figure 1. Schematic of the structure at ICANN. ICANN = Internet Corporation for Assigned Names and Numbers; ASO = Address Supporting Organization; AfriNIC = Africa Network Information Center; APNIC = Asia Pacific Network Information Centre; ARIN = American Registry for Internet Numbers; LACNIC = Latin American and Caribbean Network Information Centre; RIPE NCC = Réseaux IP Européens Network Coordination Centre; ccNSO = Country code Name Supporting Organization; ccTLD = Country code top-level domain; gTLD = Generic top level domain; IP = Internet Protocol; ISPs = Internet Service Providers; RALOs = Regional At-large Organizations. Chart retrieved from https://www.icann.org/sites/default/files/assets/org-chart-1800x1000-04mar14-en.png

The groups supporting the Board of Directors differ somewhat in status:

Advisory bodies:31

• SSAC, the Security and Stability Advisory Committee, provides advice on matters relating to the security and integrity of the naming and address allocation systems, engaging in ongoing threat assessment and risk analysis. Volunteer membership is by invitation-only and terms last for one year.

• RSSAC, the Root Server Systems Advisory Committee, advises the ICANN community and Board on matters relating to the operation, administration, security, and integrity of the Internet's root server system. Current RSSAC members nominate new members, subject to approval by ICANN’s Board of Directors.

• The NomCom is an independent committee tasked with selecting key ICANN members including the Board of Directors and some members of the ALAC, the ccNSO Council, and the GNSO Council. The NomCom is designed to function independently from the Board, supporting organizations, and advisory committees.

• The Governmental Advisory Committee (GAC) provides advice to ICANN on issues of public policy, and especially when there may be an interaction between ICANN’s activities or policies and national laws or international agreements. The GAC represents governments and includes some governmental organizations such as the Council of Europe (COE) and Interpol, who have observer status.

• At Large Advisory Committee (ALAC) is a community for individual Internet users who participate in the policy development work of ICANN. There are hundreds of constituencies, organized by region.

31 These descriptions have been condensed from the description of how to participate at ICANN which was available on the ICANN website at https://www.icann.org/resources/pages/groups-2012-02-06-en, accessed on November 30, 2015.

Supporting Organizations:

• ccNSO is the Country Code Name Supporting Organization, providing a forum for country code Top-Level Domain (ccTLD) managers to discuss issues of concern to ccTLDs from a global perspective. It is also responsible for developing and recommending global policies to the ICANN Board for a limited set of issues relating to ccTLDs, such as the introduction of International Domain Name ccTLDs (IDN ccTLDs). The ccTLDs are not bound by all ICANN policy, and this is important for this research, as many ccTLDs have implemented proper procedures to respect data protection law, and may serve as models for better compliance (Cojocarasu, 2008).

• ASO is the Address Supporting Organization, which develops recommendations on Internet Protocol (IP) address policy and advises the Board on number resource allocation policy, in conjunction with the following Regional Internet Registry (RIR) communities: AFRINIC (Africa Network Information Center), APNIC (Asia Pacific Network Information Centre), ARIN (American Registry for Internet Numbers), LACNIC (Latin American and Caribbean Network Information Centre), and RIPE NCC (Réseaux IP Européens Network Coordination Centre) serving Europe, the Middle East, and Central Asia.

The GNSO is the Generic Names Supporting Organization. The GNSO Council has a key function in developing policy for the generic top-level domains, and is comprised of elected representatives from the stakeholder groups, and candidates chosen by the nominating committee. Composition is as illustrated below in Figure 2. The GNSO is a key focus for this research, as it is responsible for the development of policy, and the main protagonists during the prolonged WHOIS debates are members of the group. It is divided into the contracted parties house and the non-contracted parties house, where the contracted parties are the Registries and Registrars Stakeholder Groups (RySG and RrSG) and the non-contracted parties are the Commercial and Noncommercial stakeholder groups (CSG and NCSG). As described previously, each of these latter groups is subdivided into constituencies, who may have slightly differing viewpoints, just as the registries and registrars may have different perspectives on policy issues. There are three GNSO councillors named by the NomCom, two voting and one non-voting councillor.


Figure 2. Structure of the Generic Names Supporting Organization (GNSO). ICANN = Internet Corporation for Assigned Names and Numbers; ALAC = At Large Advisory Committee; ccNSO = Country code Name Supporting Organization; NCA = Nomcom Appointee; ISPCP = Internet Service Provider and Connectivity Provider Constituency; NCUC = Noncommercial Users Constituency; NPOC = Not-for-profit Operational Concerns Constituency. Retrieved from https://gnso.icann.org/en/about/gnso-council.htm Note: the code below the diagram (voting/non-voting) refers only to the 3 NomCom representatives.

The ICANN website states that the goal of this structure is to ensure that no one group can control the policy process, yet large companies can be members of several groups, and that enables them to magnify their influence. For example, Google is a business member, an Internet service provider (ISP), a registry, and a registrar. The company is also a member of the Intellectual Property Constituency, since they have trademark and copyright issues, and they have security expertise so have staff attending the SSAC. By supporting civil society through grants, contracts, and contributions independent of ICANN activities, Google also has considerable influence in civil society. Stakeholder influence is important in understanding the outcomes of policy development processes, and the way certain players operate at ICANN is an interesting area for further research in how this multi-stakeholder model actually functions.

4.4.3 Process and policy

Anyone can attend an ICANN meeting and participate, for free. There are three big public meetings annually, which operate in English but whose main sessions are translated into the six United Nations languages, and the meetings alternate between the Americas, Europe and Asia/Africa. ICANN conducts its business in English, using teleconferences and through working groups that operate around the globe and around the clock. It sponsors outreach to developing countries, youth and minorities to participate fully in its activities. The work is actually done through working groups, supported by ICANN staff, who develop the documents based on working group inputs.

Staff also perform compliance checks and investigations, to ensure that the contracts which enable the management of the DNS are being followed. Individuals and companies can complain to ICANN Compliance (ICANN Contractual Compliance Division) about difficulties in their domain name registrations or transfers, inaccurate WHOIS information, and other abuse, and it is their job to investigate matters.

A policy development process (PDP) was developed in the early days of ICANN, when the DNSO became the GNSO, to provide more structure and predictability to the decision-making process, which ostensibly operates on the basis of rough consensus. Rough consensus is a term that originated with the Internet Engineering Task Force, and is usually found in the expression “rough consensus and running code” (Hoffman, 2012, Section 4.2), which describes the way the IETF sorts out its standards development processes. At ICANN, the concept of rough consensus is used to explain how working groups and policy development processes agree on outcomes. Votes are taken regarding motions at the GNSO Council and at the Board, but agreement on documents is usually achieved through rough consensus, which basically means arguing about the matter until the majority feel that the issues have been discussed enough, and they have failed to be persuaded of the alternate view. Internet scholars have questioned how well this actually works, given the dominance of the English-speaking world, notably the United States, and the difficulty experienced by non-experts in participating in discussions and policy development processes (Hofmann, 2017; Mueller, 2002; Weinberg, 2001).

The GNSO can institute a policy development process if it considers that one is necessary, if the Board directs it to do so, or if it is required to do so by a community-wide review process. Each PDP starts with a charter, which is usually drafted by staff with comments from the volunteers, and agreed to prior to the start of the PDP. The charter defines the scope, and sets out the authority to embark on the procedure. When ready, an interim report is tabled for public comments on the ICANN website,32 and the resulting comments are integrated into the report. The draft final report is released again for public comments, and finalized after the comments are reviewed. The final report goes to the GNSO for approval. There was until recently a reply comments phase, where groups or individuals could reply/respond to the public comments, but that phase was eliminated. It is, in practice, rather difficult to make changes in a final report, so the GNSO usually approves, although there are mechanisms to accommodate alternative opinions.

If a report has achieved rough consensus but an individual or minority group disagrees, the dissenters can submit a minority report at the draft stage, or the final report stage. Dissenting councillors can also issue a minority opinion if they are unable to change the vote at the GNSO. I have issued two since I started to participate at ICANN, and despite my determined efforts to label my comments a minority report, staff have included the reports as either appendices or “” (Perrin 2014, 2015). In my opinion, ICANN prefers to declare consensus, even when there is none, and this is worthy of future research and analysis, because it is important in evaluating the success of this multi-stakeholder model.

32 https://www.icann.org/public-comments

Once passed by the GNSO, policies go to the Board, and normally they are approved. Once again, minority reports or dissents can be tabled there at the Board level.33 The policy then proceeds to the implementation phase, and a smaller working group proceeds to develop the procedures with ICANN staff responsible for the given area.

The success of ICANN as a multi-stakeholder model with integrity was the subject of great international debate in 2015-2016 during the work on the Internet Assigned Numbers Authority (IANA) transition. This debate involved foreign governments, the Congress of the United States, civil society, and the growing number of Internet governance scholars. Questions of stakeholder balance, motivations of actors, and the methods to achieve rough consensus have been around since ICANN’s inception, but the debate about how much accountability the organization needs to demonstrate now—in order to successfully separate from the control of the U.S. Department of Commerce and prove its integrity and dedication to the public interest—raised many issues afresh.34

Anyone can volunteer to join a working group, following a call for participation that is put up on the ICANN website. Anyone can apply to join one of the constituencies if they meet the criteria. These criteria vary by constituency. To join the Registrars Group you need to be an ICANN-accredited registrar, to join the Business Constituency you need to establish your credentials as an operating business, to join the Not-for-Profit Operational Concerns Constituency you need to demonstrate that you represent a non-profit organization, etc. Anyone can apply to the NomCom for a position on the Board or on the GNSO Council. A great deal of contention surrounds the balance of voices in the group structures, and constituencies strive to ensure their positions have sufficient voting power. The only positions that carry remuneration are the Board positions, and the compensation is modest ($45,000 USD in 2015), commensurate with other NGO Board positions.

33 For a good example of a controversial decision that resulted in a dissent, see Kevin Murphy in Domain Incite, 2011. Murphy discusses how the Board disregarded the Governmental Advisory Committee advice and the dissent of Director George Sadowsky over the granting of the .xxx top-level domain.

34 For a brief discussion of the challenges experienced by the Cross-Community Working Group (CCWG) on accountability and the IANA transition, refer to Milton Mueller’s blog post, http://www.internetgovernance.org/2015/12/15/the-risky-end-game-of-the-icann-enhanced-accountability-process/

Stakeholders engaged in the industry—either working for, or owning, businesses impacted by the Domain Name System—may have a keen and vested interest in attending ICANN meetings and volunteering for the working groups. Participating involves a lot of work, attending conference calls which are generally staggered around global time differences, reading and commenting on documents, preparing detailed comments during public comment periods, and keeping up with detailed email threads where many of the finer points of drafting are sorted out. A GNSO councillor is expected to do 20-30 hours of work per month, minimum, just for Council activities. Attendance at the required face-to-face meetings takes an additional 21 days per year, without counting travel time. ICANN reimburses travel (airfare) and accommodation, with a modest allowance for meals. Most active members of ICANN, however, are participating in several working groups or policy development processes, involving weekly conference calls, preparation of draft reports, review of materials, research, and lengthy discussions of contentious issues on email lists.

Most security specialists, registrars, and registry staff receive support from their companies. Business representatives are also supported by their companies. Independent consultants and lawyers may be supported by specific clients, or they may pay their own way because ICANN expertise and participation is beneficial to their reputation and marketability. Civil society representatives cover a wide range of both individuals and organizations, including academia. Few civil society organizations have sufficient funding to send representatives to ICANN on a regular basis, although they may elect to send someone if a meeting is in their region. Academics who have grants may fund their participation at ICANN through those grants, or through regular research funding. They may also have consultancy funding. Individuals who volunteer their time but are not affiliated with an organization either are self-funded or have clients to cover their work. Some members have relationships with business, and receive funding from them, although this is not permitted in the NCUC and is a bone of contention between the NCUC and other representatives of end users in NPOC and ALAC. There is limited transparency about how some participants at ICANN actually make their living and acquire their travel funding, despite requirements to post on the web a statement of interest (SOI) if they participate in any working group. Those SOIs are somewhat thin, but members are required to report any potential conflicts of interest.35 While some business participants provide detail regarding their clients or role in their organization, others do not. If an individual has a business relationship with a company other than the one they work for, this might not be disclosed. At all GNSO meetings and policy development processes (PDPs) authorized by the GNSO, the Chairs are required to ask participants if there are any changes to SOIs at the beginning of the meeting, but rarely are changes announced. Examples of such a change include a change in companies, participation as an expert witness in a case involving ICANN business such as an appeal of a decision regarding the award of a top-level domain, etc. Importantly, staff members at ICANN go from being senior staff to working for stakeholders at ICANN with no “drying out” period, and vice versa, so questions do arise as to neutrality and privileged information.

35 E.g., see the repository of GNSO Statements of Interest at https://community.icann.org/display/gnsosoi/New+SOIs where each group, such as NomCom and the Board, has separate listings.

4.4.4 Information management and transparency

ICANN shows a commendable commitment to transparency and openness in conducting its own affairs. Meetings are largely public, and simultaneously webcast. Recordings are kept and available on the website. Most committee meetings are also open to listeners who are not in the group, and the transcripts and recordings are available to the public online. Unlike standards organizations or other NGOs and not-for-profits, ICANN does not have a concept of “membership” to participate. If you join a policy development committee, you must have a statement of interest, but most committees accept members of the public or unaffiliated persons.

ICANN staff activities are much less transparent than the activities of stakeholders, and it is staff who supervise the large number of contractors engaged by ICANN. Many functions are outsourced, including the review of certain processes and groups, enforcement, risk assessment, accuracy reviews, support for policy development, and legal advice. The procurement and evaluation of bids is not as transparent as it is in the processes of western democratic governments, leading to a certain lack of trust in some quarters, and it is usually hard to get financial breakdowns for contracted work.

The process for getting access to internal documents such as contracts, internal memos and planning documents is called a Documentary Information Disclosure Policy (DIDP),36 and a recent study by Sarah Clayton examines some of the patterns in ICANN’s response to requests for information (Clayton, 2016). As of January 2016, there had only been 91 requests for information during the nine years that the policy had been in place, and the high rate of information denial or severe redaction has prompted the Noncommercial Stakeholder Group to form a working group to study the process and push for change. Review of denial is by the Board, who approved the decisions in the first place, so it seems clear that an independent review is required for this process to be meaningful. The Workstream II activities related to accountability, initiated during the Internet Assigned Numbers Authority transfer period, are reviewing transparency and published a report in 2017 calling for comments on transparency in general (see Appendix E).

36 https://www.icann.org/resources/pages/didp-2012-02-25-en

4.4.5 How the work gets done

As an experiment in multi-stakeholder governance at the global level, ICANN is unique. Different stakeholder groups and functions have different competitive forces, levels of trust, and work habits, depending on their professional milieu, the function they perform, and in some cases the characters who participate. After briefly describing how the work gets done from a logistical perspective, I will focus only on the key areas where the WHOIS directory has been influenced. In that respect, the work of the Generic Names Supporting Organization (GNSO)—and its policy development processes (PDPs)—is critical.

Work is done in groups that range in size from a dozen or so to over 120, as is the case with the most recent PDP on WHOIS that was struck at the end of 2015. Weekly or biweekly calls of one to one and a half hours are the norm, and the interface which ICANN uses at the time of this research is Adobe Connect, which provides computer audio connection, an interactive workspace, audio recording, transcription, and chat both in group and in private messaging. Dial-in capability is available for those with low bandwidth. During the calls, most groups are also chatting on back-channels using Skype or other instant chat platforms, so participating in a working group is a multi-tasking activity to say the least. Many constituencies also have pre-meetings so that they can agree on the strategy prior to meetings. For the monthly GNSO Council meetings, most stakeholder groups except the Noncommercial Stakeholders Group (NCSG) agree on common positions and instruct their councillors how to vote, so there are meetings prior to the actual Council meeting. NCSG councillors are allowed to vote their own conscience, but there is a monthly policy call where the items on the Council agenda are discussed during the week before the meeting.

At the time of this research, and certainly since the inception of ICANN, the community has been marked by a predominance of North American and European players. They are also mostly male,37 and must be English speakers. Translation into the six United Nations languages only takes place at the three face-to-face meetings, and in final documents; all working groups participate in English. Some key working documents are translated but not in sufficient time to permit constituents to participate equally in comments in the language of their choice. While some effort is made in the working groups to accommodate the time zones of all participants, the majority rules and this means calls are usually planned to correspond to the working days of Europeans and North Americans, resulting in mostly 01:00 AM calls for Asia Pacific participants.

Face-to-face meetings are designed to take place in the different regions, three times a year. The regions are Africa (AF), Asia/Australia/Pacific (AP), Europe (EUR), Latin America/Caribbean (LAC) and North America (NA). Obviously, travel to faraway locations—whether those living in North America are travelling to Singapore and Marrakech, or those living in Asia are travelling to Los Angeles and Toronto—carries a heavy cost, even for those in that region, so the reality in my experience is that despite the rotation, Americans and Europeans employed by companies are disproportionately represented at these meetings. Funding for new entrants has been provided, in the form of up to three fellowships for travel to meetings, and a great deal of outreach activity is now being sponsored by ICANN. However, once a new recruit has competed for, won, and used their three fellowships, they must either try to qualify as coaches (which nets them three more travel opportunities) or find funding on their own. This is difficult for civil society and small business, particularly in developing countries. I would reiterate that even if travel costs are covered, this is a labour-intensive exercise, and many stakeholders simply cannot afford to take the time to participate and gain the knowledge necessary to be effective in working groups.

37 In March 2016, the NCSG attempted to determine their numbers of male and female members, based on common gender association with names in different countries. Even civil society, where women are represented more heavily, still has only one third of members that were identified as female. Certainly, the registrars and registries are more likely to be represented by males, and the fall 2015 election of GNSO councillors resulted in 10 women and 16 men (NCSG having 3 of each, improving the female numbers from 30% to 38%).

Besides costing money, face-to-face participation at the public meetings involves a great deal of effort and extra expense for travellers from countries whose citizens have difficulty obtaining visas. This includes many African and Middle Eastern countries, the Caribbean, and others. Travelling to capitals to have visa interviews can significantly add to the already steep costs and often delegates are unable to attend because of denial of visas.

Culturally, there are a number of obstacles to effective dialogue and interpersonal communications in the working groups. Factors include language, and cultural differences among persons from different countries and backgrounds. The North Americans and Europeans in the technology and intellectual property law business tend to share an aggressive and straightforward form of speech or discourse, which can be intimidating or discomforting for stakeholders from countries which are culturally distinct in this regard, e.g. China and Japan. It can also be intimidating for women, in particular due to the disparity in the numbers. Newcomers who do not understand all the details of how the Domain Name System actually works at the technical level, or how registrars, registries, and resellers function in the marketplace, let alone the intricacies of trademark law, can be reticent about speaking up lest they make a mistake. This is a built-in disincentive for policy experts in different disciplines (such as data protection) to participate, as there is a very steep learning curve for one to effectively engage in discussions. There is, on the other hand, a widespread lack of understanding of public policy issues and regulatory responses among stakeholders who do participate, and these participants tend to be less interested in fields that they do not consider particularly relevant to ICANN or their business interests. This leads to a different kind of language barrier: participants frame the issues very differently. Even the order in which issues are addressed can be completely different from the perspective of an engineer (looking for engineering requirements), a policy analyst (looking for policy goals and impact assessment before thinking about requirements) and a business person (looking for protection of market opportunities or trademarks and brands).

This “framing problem” was partially recognized by ICANN in 2013 when they struck a cross-community working group to address complaints about policy and implementation confusion. It is rather common to hear arguments about whether something is a policy issue or an implementation issue, even though engineers and especially the security experts in the Security and Stability Advisory Committee do recognize that architectural design that appears to be implementation can in fact be creating policy, not implementing it. However, this was the first time a group set out to determine how to frame the discussions, recognizing that arguing about the definitions and distinctions between policy and what constituted implementation was perhaps not as fruitful an approach as developing a process to deal with the divergence of views when they occurred. That guidance document 38 is now incorporated in ICANN’s bylaws, but possibly not well understood yet by all the stakeholders.

4.4.6 Documentation and access to information

ICANN makes an enormous volume of information publicly available but it is not summarized or digested in a way that makes it easy for newcomers to absorb. ICANN keeps transcripts and audio recordings of almost every teleconference as well as the records of public meetings, but it can be difficult to find them. Those who miss meetings are expected to listen to the audio recording, read the chat from the Adobe Connect platform, and catch up. The website provides access to email lists as well and participants are expected to refer back to historical discussions on the list when required. This is a heavy research obligation, particularly when working parties go on for months and even years. Staff draft most documents but only as agreed by the consensus of the group. Those who wish to make sure that the record is accurate and no mistakes slip in must read every line of every version of the documents, and compare with the transcript of the most recent discussion. Public comments are posted with the call for comments as they arrive and they are kept indefinitely. These public comments are usually reviewed by the PDPs but often are summarized by staff, particularly in instances where there is a high volume of comments. Errors do creep in from time to time, leading to distrust of leaders or staff. Occasionally documents disappear from the website, as happens in all large organizations, and this can lead to suspicion of tampering with the record. Given the enormous volume of documentation, the complexity for newcomers, and the need to maintain trust in the accuracy of the records, it would be advisable for ICANN to staff librarians and archivists to maintain a neutral, professional approach to research service and maintenance of archives.39

38 GNSO Policy and Implementation Working Group Final Recommendations and Report. (2015) Retrieved from https://gnso.icann.org/en/drafts/policy-implementation-recommendations-01jun15-en.pdf

Because of the importance of the neutrality of transcription, drafting, and incorporation of comments, the role of ICANN staff is critically important. The number of staff has risen dramatically in recent years, particularly as the 2012-2016 CEO Fadi Chehade opened new regional offices and expanded into a truly global organization. Staff are well paid, 40 particularly as compared to public servants who are arguably their closest equivalents, but the argument is made that ICANN must be able to attract the best talent, and must benchmark against private sector salaries. In terms of background and expertise, I would observe that there is a high number of intellectual property lawyers and practitioners, but the hiring process, management framework, and strategic priorities of the various divisions are quite opaque. Given the size of the organization at this point, accountability pressures may force greater transparency on how the staff are directed, measured, and compensated; a working group has been struck to examine these issues in the context of accountability after the IANA transfer.

39 ICANN did hire a librarian in 2015 but did not advertise that person’s location nor their research assistance capability. The position has now been deleted.

40 An examination of the 501(c)(3) filings for recent years reveals a number of staff earning in excess of $250,000 USD; available here https://www.icann.org/en/system/files/files/fy-2016-form-990-15mar17-en.pdf.

In this respect, it is worth noting here that the multi-stakeholder model is somewhat unique. Volunteers do the actual work developing policy, and are supposed to be supported in that work by staff. Staff who are highly paid do not report to them, nor are there any metrics for verifying client satisfaction, leaving a gap in accountability.

4.4.7 Metrics

ICANN has done a series of accountability and transparency (ATRT) reviews, starting in 2010, and following its Affirmation of Commitments to the U.S. Department of Commerce in late 2009. In accordance with those reviews, it has dedicated resources to measuring various aspects of its operations, and the DNS market. Significantly for this research, the emphasis has been on accuracy and completeness of registration data, not on any of the possible metrics of data protection including number of end-user complaints, data minimization, transparency regarding legal rights, data breach notifications, and timely destruction of data no longer necessary for operational requirements.

4.4.8 Accountability and appeal mechanisms

ICANN has instituted a number of appeal mechanisms, where organizations can appeal for action to reverse a decision to award a domain name, or stop illegal activity such as trademark violation. The first of these, established in 1999, is the Uniform Domain Name Dispute Resolution Policy (UDRP), set up to ensure that trademark holders could receive speedy resolution of issues in the event that someone established a domain that infringed on their trademarks. Trademark holders and others can file a claim with the appropriate registrar, and the case goes to one of a number of independent dispute-resolution providers, who decides the case with the concerned parties paying costs. The UDRP is scheduled for cyclic review in 2016, but it appears to have functioned to the satisfaction of most parties, with the exception of civil society. It is the view of the Noncommercial Stakeholders Group (of ICANN) that, among other things, rapid transfer of a domain to the complainant, with no right of appeal, is an abuse of due process and acts in favour of trademark owners (Komaitis, 2010).

However, this has not stopped the proliferation of other kinds of dispute mechanisms. At this point, I count more than ten separate dispute-resolution policies, from eligibility reconsiderations for those denied the ability to register names in some of the new Generic top-level domains (gTLDs), to the more generic Transfer Dispute Resolution Policy which applies to transactions in which a domain-name holder transfers or attempts to transfer a domain name to a new registrar. 41

My point is simply that all of these dispute mechanisms and policies (including separate rules for each policy) exist to manage the finer points of registering names. This promises to become ever more complex in the future as more top-level domains are granted in the next round of new gTLDs. Note that many of these dispute mechanisms serve the interests of rights holders. However, a similar attention to detail with respect to the WHOIS Conflicts with Law Policy/Procedure has never been developed to serve the interests of end users. There are no procedures for complaining about breach of privacy; providing information about how to complain about potential breach of personal data is a requirement under most data protection laws.

41 Retrieved from ICANN website, https://www.icann.org/resources/pages/dndr-2012-02-25-en (28 February, 2016).

In Chapter 5, I examine the WHOIS Conflicts with Law Procedure and the failure of ICANN to improve the process for registrars who attempt to comply with data protection law in their jurisdictions. While it is hardly an appeal mechanism as such, it is a very odd procedure to basically petition the organization for permission to comply with law. It is central to my research questions, as the failure of that mechanism not only results in registrants not benefitting from national data protection legislation, but it exposes registrars to legal risk.

4.4.9 The rise of intellectual property and trademark interests

As noted in the discussion of the White Paper, the intellectual property community had realized that the Internet would be a disruptive force impacting the entertainment, software, and media industries, by virtue of its potential to facilitate unlimited copying and distribution of electronic products. (Congressional testimony, WIPO letter to the US Commerce Department, 1997). They also understood its importance for expanded future markets and global trade. The United States explicitly embraced the information industries as key to the future competitiveness of the nation (NTIA, 1997; NAS, 1994) and the World Intellectual Property Office (WIPO) had a significant U.S. constituency and influence.

The U.S. government proposed to WIPO that it conduct its own study of the impact of domain names, which it started after consultation with member states, in July 1998. The final report was delivered in April 1999 and contains extensive recommendations to ICANN, including on the WHOIS directory. These observations and demands in terms of property rights and process are relatively well-developed, as compared with the somewhat chaotic situation at the newly created ICANN. Mueller has described, in theoretical terms, what was taking place as property rights were being assigned to this new technical resource (2002, pp. 66–69) and he identifies three key reasons for the considerable turmoil that ensued:

• There was no established, formal organization with clear authority over the root;
• Attempts to define property rights in domain names suffered from major conflicts over the distribution of wealth;
• Contracting proved to be difficult because of the extreme heterogeneity of the groups involved.

Mueller identifies the following parties, all of whom were attempting to stake a claim in the organization of the new entity or at least the policy process established by the new entity: the U.S. government, the principal contractor Network Solutions (who, at that point, was not even necessarily collecting revenues from sales of registrations), the formally and informally organized Internet technical community, domain name and address registries outside the United States, prospective registries and registrars seeking entrance to the market, trademark and intellectual property interest groups, Internet service providers, other telecom and e-commerce companies, civil liberties organizations concerned with freedom of expression and opposed to the expansion of IP rights, international intergovernmental organizations seeking a role in Internet governance, and government actors in a few key nation states (p. 69).

An examination of the Final Report of the WIPO Internet Domain Name Process (1999) provides ample evidence that the intellectual property interests were well organized, and knew what they wanted. The new entrants to the field of licensing domain names were not organized, in fact they barely existed. Network Solutions was the monopoly provider of Generic Top-level Domain registrations, and while it was not a money-making business at the time, it was clear it would be. New entrants to this business were not in all likelihood focused on privacy concerns.

WIPO (World Intellectual Property Organization) is an observer on the Government Advisory Committee, and although certainly the intellectual property stakeholders had been making their views known to Congress and the National Telecommunications and Information Agency for several years, when they arrived at ICANN to discuss the Domain Name System, the trusted network of technical insiders who were more used to interacting at the IETF was somewhat disrupted (Froomkin, 2000b; Mueller, 2002). Additionally, the intellectual property community brought different priorities, areas of expertise, and ways of conducting business to the insiders who developed and controlled the Internet at the beginning. Intellectual property lawyers operate in the theatre of litigation, not an area that evokes trust and comfort in the engineering community. That difference in culture between the intellectual property lawyers and the engineers engendered a certain distrust, which I observe, in working group style and behaviour, still exists today. It creates a tension between the various stakeholder groups, especially given that the Intellectual Property Constituency was soon to be dictating the business requirements of many of the systems that the engineers were developing.

When registrars were enfranchised to sell domain names, and were taxed to support ICANN and all its burgeoning enforcement mechanisms, the registrars’ stakeholder group was also recognized as having different priorities and incentives; as such, they were not necessarily trusted by either the IP lawyers or the technical experts. The very birth of ICANN brought with it a change of state in the power relationships in the community, and forced stakeholders from entirely different work cultures to cooperate in a multi-stakeholder environment where they had to achieve rough consensus. Rough consensus, I observe, is unsurprisingly easier to achieve among the like-minded. Several Internet governance scholars have noted that the construction of the stakeholder groups, as opposed to a broad membership model at ICANN, has cemented in place a siloed, uncooperative structure that cannot achieve the rough consensus or bottom-up decision-making it was supposed to achieve (Hofmann, 2016; Weinberg, 2001).

4.4.10 Law enforcement interests at ICANN

The first Government Advisory Committee that was established when ICANN was initiated was comprised of only 17 countries and six regional/international organizations: Argentina, Australia, Bhutan, Brazil, Canada, China, France, Germany, Japan, South Korea, Mexico, Peru, Singapore, Spain, Sri Lanka, Tuvalu, and the United States, Asia – Pacific Telecommunications, the European Commission, the Presidency of the European Union, the International Telecommunications Union, Organisation for International Co-operation and Development (OECD), and the World Intellectual Property Organization (WIPO).

Gradually more countries joined, but the membership of the delegations was primarily from departments concerned with telecommunications, trade and foreign affairs. In the first meetings, there was a focus on getting the country code top-level domains organized, but it is also clear that the WIPO observers were successful in getting their issues onto the Governmental Advisory Committee (GAC) agendas. Eventually, law enforcement agencies were also active in getting their issues onto the government agendas. With the rapid advances in electronic commerce, law enforcement was facing real problems in catching up with new criminal activity. The list of requirements for this transition to fighting crime facilitated by the Internet included the following:

• Drafting new legislation to make sure that crime on the Internet (or using electronic means) could be prosecuted;
• Training investigators in how to do computer forensics, secure evidence, and investigate crime;
• Improving cross-border law enforcement collaboration, given the transborder nature of cybercrime;
• Assisting in public education initiatives; and
• Securing their own networks and operations.42

It is not surprising that beleaguered law enforcement agencies soon presented their requirements for access to accurate WHOIS information to ICANN, usually through the GAC communiqués (see Appendix I). However, the first one appeared in 2007, significantly later than the demands of the WIPO stakeholders who had a clear view of their needs, and demanded them in 1996. The GAC advice arrived well after the data protection commissioners had presented their views on data protection requirements. It would be an interesting area of future research, to track when and how the law enforcement community started to organize and coordinate its participation at ICANN more systematically, and what prompted that effort. The U.S. government delegation may have led this initiative and communicated its needs directly through the Commerce Department. While the law enforcement agenda is often presented as being at odds with the privacy agenda, there can be no doubt that law enforcement needs for data are very real, and the extent of crime on the Internet is a concern for end users. Law enforcement agencies represented at ICANN have complained that the mutual legal assistance treaties (MLATs) between countries are failing them in terms of rapid response to accessing data domiciled in other countries, and some complain that required warrants and court documents even in their own jurisdictions are an impediment to rapid action, especially given the often-transient nature of scams on the Internet. However, another important problem that is less discussed is that the policing of cyberspace resides mostly in the hands of the private sector. I discuss this issue in the next section.

42 Personal notes from attendance at G8 Cybercrime meetings in Paris and Berlin during 2000-2003.

In any event, the data retention requirements which appeared in the 2013 Registrar Accreditation Agreement (RAA) prompted a negative response from the Article 29 Working Party, which I will discuss more fully in Chapter 6. Certainly, in the investigation of crime on the Internet, the payment mechanism for the domain name, and the IP address of the individual contracting for that domain name, are useful information elements that are difficult for the alleged criminal to obscure. Capturing that data early in the investigation helps narrow the search significantly, given the global nature of crime on the Internet, and it is logical to ask the registrars, who have the direct contact with the individual, electronically if not physically, to retain the data. However, this is not consistent with permissible data retention requirements, about which there was considerable debate in most western democracies and certainly in Europe, where the Data Retention Directive 2006/24/EC was declared to be in violation of the E.U. Charter of Fundamental Rights in 2014 (see letter from European Data Protection Supervisor attached in Appendix N, where he informs ICANN of the ECJ judgment of 8 April 2014, Joined cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and others).

This does raise an important issue that I return to in Chapter 7: In order to be granted the ability to compete in the registration market for domain names, can ICANN require its contracted parties to become a repository for data useful to unrelated investigations? Bear in mind that rarely would these investigations be about financial matters relating to the DNS, so the data preservation requirements are to investigate crime not related to ICANN’s limited remit.

4.4.11 The value-added services industry and the DNS industry

Because access to WHOIS data is provided by individual registrars, and there is no master database at present, value-added services have sprung up to fill this gap, as discussed earlier. Companies, like Domain Tools and Mark Monitor, provide a more organized approach to getting all global domain registration information, including added information and historical data. Law enforcement and intellectual property rights holders are heavily reliant on the scanning capability of these companies, and the requirement for up-to-date information to combat fake websites and scams of all kinds has driven demands for constantly refreshed WHOIS data on the part of the registrars and registries, and address change information, from the registrants. To the average end user, the demand to update new addresses within a week seems extreme (one gets one to three months in Canada for motor vehicle licence changes; who is thinking about their domain registrations when moving house?) However, in the context of Internet scams that pop up and harvest personal data or sell fake goods for very short time periods, a week is logical.


With respect to the WHOIS debate, it is important to remember that, in general, the information services industry, the cybercrime fighters, and security companies have no official relationship with law enforcement; no powers of search and seizure have been delegated to them. Cutting off free information access would cause serious financial and operational harm, if not put them out of business. While they are certainly subject to data protection laws, I have been unable to find an instance of enforcement action against them, as evidenced in ICANN documents.

These companies and organizations are represented in the Commercial Stakeholders Group (CSG), both as businesses and as participants in intellectual property rights management. They are also influential in discussions of abuse, as investigators. In this capacity, they are represented on the Security and Stability Advisory Committee, because of the key role of groups like the Anti-Phishing Working Group in fighting spam and cyber-attacks. Some participate as well with law enforcement on the Public Safety Working Group.

Domain speculators are also represented in the Commercial Stakeholder Group and in the Intellectual Property Constituency, often on the opposite side of the argument with big brands, because many domain speculators are trading on names that the big brands do not want owned by anyone but themselves. Whether or not domain speculation will continue to be as lucrative as it was in the early days of ICANN, it remains a reality in the Generic Top-level Domain marketplace.

4.5 Conclusions

This chapter has focused on the structure of ICANN, the history of how the institution became established, and how it functions. In describing the various stakeholder groups, I have highlighted the roles played by three key stakeholder groups who have strong interests in maintaining their unfettered access to WHOIS data. This sets the stage for understanding how the structures, the siloed nature of the stakeholders, the balance of voting in the Generic Names Supporting Organization Council, and the power exercised by bodies such as the Governmental Advisory Committee and the Board have influenced outcomes in the ongoing WHOIS privacy contestation. In the next two chapters, as I discuss the debate from both inside ICANN and outside looking in—as the data commissioners do—I will examine how the adherence to law was stymied in part by adherence to process and structures within ICANN.


Chapter 5 The WHOIS Privacy Struggle Within ICANN

In this chapter, I discuss the history of the contention within ICANN over the WHOIS and registration data requirements more broadly. I go into detail with respect to the requirements of the Registrar Accreditation Agreements, which have changed gradually since the first one in 1999, and which specify the collection, use, disclosure, and retention requirements for personal data of registrants. This is the key document, from a data protection perspective, if one wishes to analyse whether ICANN is in compliance with data protection law.

I discuss the WHOIS task forces and policy development procedures historically, noting important areas of contention, dissenting reports, and comments from stakeholders about the progress or lack thereof that has been achieved in each successive process. My goal is to answer my primary research question by analyzing the documentary evidence to explain how ICANN has responded to the challenge to comply with data protection in its policies and procedures, and the reasons why it has not complied. I am also exploring the answers to my second research question:

What are the implications of ICANN’s WHOIS failure for global data protection in the context of the Internet and of Internet governance or regulation?

I outlined in the previous chapter the various stakeholders, and in this chapter, I will elaborate on some of their concerns and their arguments in the WHOIS contention: the intellectual property holders and their concerns; the law enforcement community and their concerns; and the domain industry and value-added services, and their concerns. Each of these stakeholder groups is a major user of WHOIS, and they have needs that appear to have trumped the end users’ privacy rights and desires. As I examine other documentation and scholarship, these three users of WHOIS data help illuminate that second research question and the potential answers. Arguably, each of these groups represents third parties who want access to other organizations’ or individuals’ data.

The actual parties who are involved in the business relationship that produces the data associated with the registration of domains are the registrars, the registries, and the registrants (i.e., individuals or organizations). As the domain name becomes active, data is collected from the registrant, assigned by the registrars or registries, and generated by the system. It is useful to remember that much of the debate centres around third-party demand for data, because “third party” is a term that one does not hear at ICANN; there, the users of the data are “stakeholders.” In normal data protection discussions, it would be unusual to think of third-party requestors of data as “stakeholders.”

One of the key roles for the new multi-stakeholder organization in 1998, as set out by the Department of Commerce, was to find a fair and equitable way for many companies to start selling domain names (Froomkin, 2000b; Mueller, 2002). At the time of its creation, the market was dominated by a small number of market players who had been chosen by the ARPAnet developers, notably Network Solutions Inc., which was bought by Verisign in 2000.

The Registrar Accreditation Agreements are the basis of the contractual relationship between ICANN and a company that wishes to register domain names. Only accredited registrars are permitted access to the root. These are cornerstone documents that were developed as soon as ICANN was born, and there have been four of them: 1999, 2001, 2009, and 2013. The current agreement (relevant portions attached in Appendix H) has a projected lifespan of five years, but the new policy development process which has been struck to examine WHOIS afresh can override and make changes to any requirements within the scope of the working group’s mandate.

Registrars are accredited to sell different kinds of domains including both generic top level domains and the country code top-level domains (ccTLDs; e.g., .ca, .de). The rules are different, however, as the ccTLDs do not have to follow ICANN policy. Many ccTLD registrars have tighter policies in terms of who can register a domain (e.g., only residents of the country) and they may have better privacy protection, following their data protection laws. In Canada, registering a .ca domain is a two-step process, involving direct contact with the registry (CIRA, the Canadian Internet Registration Authority) to verify compliance and identification. Smaller countries occasionally hire established Internet organizations in other countries to run their top-level domains for them.

The data elements required in the ICANN RAA, and the obligations of registrars to verify the data that they are given for WHOIS, have risen over the years. Note that registrars are obliged to run this service at their own expense, and that they provide access to the data for their own registrants. While the RAAs prohibited bulk access to WHOIS data for marketing purposes, registrars may look at the data to prospect for new customers and more effectively target their advertising.

Later in this chapter, I describe the various task forces and study groups that have looked at the WHOIS debate in an effort to stabilize a policy. To date, there has only been consensus on a handful of items. The principal issues that are in contention are listed below and will be described further in the section in this chapter on the RAA.

• Privacy and the publishing of personal data in a public directory

• Spam, bulk data collection for abuse, and phishing attacks

• Trademark abuse, fraudulent websites, and how to stop them

• Investigation of crime and lack of resources of law enforcement agencies

• Data retention for the purposes of law enforcement

• Accuracy of data in the WHOIS and who should be responsible for fixing inaccuracies and verifying data.

• Registrant rights and responsibilities

• Use of privacy proxy services

• Standardization of formats

• Allocation of costs to fix all of the above

I discuss the privacy analysis in Chapter 6. For the purposes of following the WHOIS studies and the requirements of the RAA, according to privacy proponents there are five main elements in ICANN’s policies regarding registrant data that are problematic from a data protection perspective:

• The purpose of data collection, use, and disclosure has never been agreed;

• Registrars are collecting and retaining more data than necessary;

• WHOIS discloses personal data to everyone on the Internet, not just those who have a legitimate need, and that disclosure is anonymous;

• Registrars are obliged to retain data for law enforcement purposes alone, a violation of the laws on data retention, notably in the E.U.;

• Registrars are obliged to escrow data with ICANN’s accredited escrow agent in the United States because ICANN does not usually accept local escrow agents. Sensitive data thus travels to the United States and may not be adequately protected under law, notably E.U. law.

5.1 Who Controls WHOIS—The Registrar Accreditation Agreement and the WHOIS Protocol

The Registrar Accreditation Agreement (RAA) sets out the obligations of the registrars, and is a legally binding contract. No one can sell (i.e., register) a domain name unless they are an accredited registrar. The RAA document comprises 76 pages, of which the first 41 pages are the Agreement itself. The entire document contains the following 12 sections:

1. Registrar Accreditation Agreement

2. WHOIS Accuracy Program Specification

3. Registration Data Directory Service (WHOIS) Specification

4. Consensus and Temporary Policy Specification

5. Specification on Privacy and Proxy Registrations

6. Data Retention Specification

7. Registrar Information Specification

8. Additional Registrar Operation Specification

9. Registrants' Benefits and Responsibilities

10. Logo License Specification

11. Compliance Certificate

12. Transition Addendum

I focus primarily on Section 3 of the Agreement, referring to the registrant data obligations that are included in Appendix C. Section 6 is also important because it specifies the data retention obligations of the registrars, and Section 9 because it details the benefits and responsibilities of the registrants.

Failure to comply with the contract is investigated by ICANN Compliance, and registrars can be de-accredited and their domains (customers) reassigned to another registrar. Because ICANN is in control of this contract and the registrars have no choice in the matter of compliance, ICANN is arguably the “data controller” (in the terms of E.U. data protection legislation). The registrars become “data processors” in this relationship, because they are acting in accordance with ICANN’s directions, under contract. In terms of their own customer relationships, the registrars are the controllers but—for the purposes of WHOIS, data retention, and data escrow—in my view, they are either data processors or joint controllers.

There are also contracts between ICANN and the registries, and between the registries and the registrars. These contracts pass on obligations between the two contracted parties, but during the period of my research the focus has rested entirely on the registrars as the key data controller/processor. It is important to note here that most accredited registrars operate through resellers, sometimes multiple resellers, and they are expected to pass on the obligations of their contracts to the resellers. This is often not at all transparent to the registrant, and ICANN does not list or keep track of the resellers, nor oblige registrars to list resellers in the WHOIS data.

Two key terms are defined in the RAA: “Personal Data” refers to data about any identified or identifiable natural person and “Registered Name Holder” means the holder of a “Registered Name” (Sections 1.14 and 1.16). The definition of personal data is reasonable in terms of data protection policy. The common expression “domain name” is not used or defined here; rather, the terms “registered name” and “registered name holder” are used throughout. The definition provided is tautological and not particularly helpful. The first section that relates to data collected and transmitted is Section 3.2, and it refers to data that must be submitted by the registrars to the operators of the registries. The registrar has to provide to registry operators, such as the new top-level names (e.g., .paris, .book), the old top-level domains (e.g., .com, .net) and the country code top-level domains (e.g., .ca, .br), data which will ensure the name functions. At the moment, different registries hold different types of registrant data, referred to as “thick” or “thin.” “Thick” registries have a lot more available data about end users than “thin” registries. This is expected to soon change with the implementation of the new Thick WHOIS policy, whereby all registries will have thick data. 43

43 The Thick WHOIS policy was concluded in 2015, and the implementation is supposed to proceed for the two key implementation phases: 1) consistent labelling in August 2017 and 2) the transition of .com, .net and .jobs by February 2019. These are projected dates and, given the number of issues which continue to arise, including the implications of any changes to WHOIS data resulting from the current comprehensive PDP on registration data services policy, the policy implementation may be deferred again. Full report on Thick WHOIS available at https://www.icann.org/resources/pages/thick-whois-2016-06-27-en, accessed December 13, 2016.

The following section is important because it sets out the requirement to collect and disclose registrant personal data in WHOIS.

3.3.1 At its expense, Registrar shall provide an interactive web page and, with respect to any [Generic Top-level Domain, gTLD] operating a "thin" registry, a port 43 WHOIS service (each accessible via both IPv4 and IPv6) providing free public query-based access to up-to-date (i.e., updated at least daily) data concerning all active Registered Names sponsored by Registrar in any gTLD. Until otherwise specified by a Consensus Policy,44 such data shall consist of the following elements as contained in Registrar's database:

3.3.1.1 The name of the Registered Name;

3.3.1.2 The names of the primary nameserver and secondary nameserver(s) for the Registered Name;

3.3.1.3 The identity of Registrar (which may be provided through Registrar's website);

3.3.1.4 The original creation date of the registration;

3.3.1.5 The expiration date of the registration;

3.3.1.6 The name and postal address of the Registered Name Holder;

3.3.1.7 The name, postal address, e-mail address, voice telephone number, and (where available) fax number of the technical contact for the Registered Name; and

3.3.1.8 The name, postal address, e-mail address, voice telephone number, and (where available) fax number of the administrative contact for the Registered Name.

The agreement between the Registry Operator of a gTLD and Registrar may, if approved by ICANN in writing, state alternative required data elements applicable to that gTLD, in which event, the alternative required data elements shall replace and supersede Subsections 3.3.1.1 through 3.3.1.8 stated above for all purposes under this Agreement but only with respect to that particular gTLD.

44 This refers to ongoing efforts to replace WHOIS with a new directory service, and signals the possibility of change in the listed data elements. The new policy development process for that effort started in December 2015 and the workspace is available here https://gnso.icann.org/en/group-activities/active/rds.

From the perspective of privacy advocates and the data protection supervisors, this is an extensive list of sensitive information. First, it must be remembered that a domain name is not equivalent to a website. An individual may have registered many names for future use, for personal use, for email, or on behalf of other people such as relatives or community groups. The fact is, the registration of a name is intrinsically personal information, as it often implies personal or financial interest, and may include information related to association with others that is now revealed in a globally accessible directory. This can lead to harm to the individual, and over many years the Noncommercial Users Constituency (NCUC) has brought up examples of such harm. For instance, in a country where maternal health issues, family planning or girls’ education is controversial, a woman who registers a website for an organization providing such information could be subject to harassment and physical harm. Often this kind of registration would not be considered personal, since it is for an organization, but the individual whose name appears may still be entitled to the legal protection of her personal information. The name, address, phone, fax number, and email address all may be considered personal information, as is particularly true in the case of individuals, small businesses, and community groups.

Anriette Esterhuysen, a member of the NCUC and a leader of the Association for Progressive Communications (APC), had a chilling experience of such potential harm after she had registered APC domains using her home address in Johannesburg, South Africa. Unbeknownst to her, a member of the APC had been active in Colombia in the Revolutionary Armed Forces of Colombia—People’s Army (FARC). She received a short note in a letter delivered by postal mail to her home address, telling her that they (unknown persons) knew where she lived and that they were going to kill her. She changed the registration details, but her story serves to illustrate how vulnerable human rights organizations can be, and the fact that individuals who work for them, whether entitled to protection under local data protection law or not, can be put at risk.


While the NCUC has argued for the protection of groups and individuals threatened by exposure for many years, actual data to support this argument about risk, whether through polling, surveys, or study of journalistic accounts, was not available. After the campaign run by the registrars—during the Privacy Proxy Services Accreditation Issues policy development process—that garnered 20,000 signatures demanding that registrants be permitted to continue to use privacy/proxy services, NCUC compiled a spreadsheet with all of the comments from concerned registrants, and they conducted interviews with concerned women’s groups in the United States. This research provides a number of examples where individuals have been hunted down through their WHOIS data.

Under data protection law, the registrar would also be responsible to ensure that data transferred to a third party for processing would be protected under the law to an equivalent level, but there is no mention of this requirement in this section.

Four later sections detail provisions that are problematic from various perspectives. Section 3.3.4 provides that registrars must abide by any consensus policy that might be developed, to “cooperatively implement a distributed capability that provides query-based Whois search functionality across all registrars.” This section goes on to provide that in the event the existing protocol fails to provide “robust, reliable and convenient access to accurate and up-to-date data,” ICANN can specify how the WHOIS access will be remedied in a central manner, and the registrar must provide the data necessary. This paragraph reflects a growing realization that while the policy for WHOIS appears to be mired in controversy, the actual technical functioning is being stretched thin. Security and Stability Advisory Committee (SSAC) reports comment on the fact that the existing protocol can barely support current demand (SSAC 55, 2012; SSAC 58, 2013).

Section 3.3.5 specifies that the registrar may not impose any terms and conditions on the public access, except as permitted by ICANN policy. The only two prohibitions on use of data are as follows:


[to] (a) allow, enable, or otherwise support the transmission by e-mail, telephone, postal mail, facsimile or other means of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or

(b) enable high volume, automated, electronic processes that send queries or data to the systems of any Registry Operator or ICANN-Accredited registrar, except as reasonably necessary to register domain names or modify existing registrations.

It is fundamental to data protection law that access to personal data be limited to that which is specifically required for the stated, limited, and specific purpose. Here we see that the only purposes which are forbidden are the sending of spam or unsolicited emails to registrants, and the sending of unnecessary automated queries to the registrars. Furthermore, how would a registrar prevent such access? While they can put limits on access (throttling), methods of access have advanced over the years and this kind of abuse has become more difficult to track or prevent.

In Section 3.3.6, ICANN sets out the situations where registrars are obliged to provide bulk access to third parties for value-added services. This is meant to restrict unfair market competition due to an individual or entity’s ability to exercise market power with respect to registrations, so it sets out that registrars must provide data at least once a week where parties have entered into a bulk access agreement, and may not charge more than $10,000 USD for this data.

Here, we can see that ICANN is actually permitting the sale of personal information to eliminate anti-competitive situations. However, there is no recognition of the rights of the data subjects whose information is being sold. Sections 3.3.6.3 to 3.3.6.5 provide further detail about the conditions of resale of the data, and it is clear that the only banned practices would be use of the data for marketing, or analysis of the registrar’s data. This illustrates the degree to which the Registrar Accreditation Agreement (RAA) is geared to ensuring an open and competitive marketplace for registrant data, with little, or no, recognition of the responsibility to protect the privacy of the end user. The data protection authorities have repeatedly pointed out that technical means need to be put in place to restrict further searches of the data, and it is clear that ICANN has taken pains to restrict certain types of further processing (where it affected competition among registrars and spamming each other’s customers) but not that which would affect personal data rights. These paragraphs are there to allow competition through the provision of value-added services which package registrant data. Note that by the time of the first World Intellectual Property Organization domain report in 1999, intellectual property holders were complaining about the inconvenience of the decentralized WHOIS, and they point to the utility of value-added service providers who can aggregate all the WHOIS data into one place for them (e.g., UWHOIS.com). Trademark and copyright owners are keen consumers of such value-added services, as are “domainers” who engage in speculative procurement and resale of valuable names.

The next section of the Agreement is the important one for data protection rights:

3.3.7 To comply with applicable statutes and regulations and for other reasons, ICANN may adopt a Consensus Policy establishing limits (a) on the Personal Data concerning Registered Names that Registrar may make available to the public through a public-access service described in this Subsection 3.3 and (b) on the manner in which Registrar may make such data available. Registrar shall comply with any such Consensus Policy.

This Agreement was made while the Experts Working Group (EWG) was developing its recommendations for a replacement Registration Data Service, and this paragraph appears to hold out hope that a new WHOIS Consensus Policy would have emerged from either the EWG, which was working at the time and did not report until 2014, or a new policy development process, in which case the Registrar Accreditation Agreement will be amended. However, note that the paragraph only mentions disclosure; it does not reference over-collection, use, or retention.

In response to considerable pressure from civil society and from some registrars, ICANN indeed had developed the 2006 WHOIS Conflicts with Law Policy, which specifies what a registrar must do to obtain a waiver of the WHOIS requirements with respect to the publication of personal information; but this policy is not mentioned here. It is, unfortunately from a privacy perspective, very difficult to get such waivers, and that has attracted the attention of the data commissioners. I will discuss this policy later in this chapter with commentary from the registrars who have complained about the length of time that it takes to get waivers. Figure 3 below shows the expected format of the results of a WHOIS inquiry, as provided in Section 3 of the Agreement.

While the focus of my analysis rests on data protection law and individual privacy rights, it is clear that such queries reveal a great deal of potentially sensitive information about organizations and companies as well. A name that has been registered by a company for future use can easily be related to a product in development and may reveal confidential commercial information. (Imagine, for example, I am a small hardware manufacturing company and I register www.jiffyshovel.com for my revolutionary new folding shovel. I don’t want competitors to find out either that I have a new product, or my new name for it.) Large brand owners tend to use their lawyers, or proxy services, to register speculative names but small, new entrants to the Internet commercial world are less likely to realize what they must do to protect their commercial interests. This is also true for small charitable organizations, human rights organizations, and religious groups.

RAA SECTION 3: EXPECTED FORMAT OF A WHOIS QUERY

Domain Name: EXAMPLE.TLD
Registry Domain ID: D1234567-TLD
Registrar WHOIS Server: .example-registrar.tld
Registrar URL: http://www.example-registrar.tld
Updated Date: 2009-05-29T20:13:00Z
Creation Date: 2000-10-08T00:45:00Z
Registrar Registration Expiration Date: 2010-10-08T00:44:59Z
Registrar: EXAMPLE REGISTRAR LLC
Registrar IANA ID: 5555555
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.1235551234
Reseller: EXAMPLE RESELLER
Domain Status: clientDeleteProhibited
Domain Status: clientRenewProhibited
Domain Status: clientTransferProhibited
Registry Registrant ID: 5372808-ERL
Registrant Name: EXAMPLE REGISTRANT
Registrant Organization: EXAMPLE ORGANIZATION
Registrant Street: 123 EXAMPLE STREET
Registrant City: ANYTOWN
Registrant State/Province: AP
Registrant Postal Code: A1A1A1
Registrant Country: AA
Registrant Phone: +1.5555551212
Registrant Phone Ext: 1234
Registrant Fax: +1.5555551213
Registrant Fax Ext: 4321
Registrant Email: [email protected]
Registry Admin ID: 5372809-ERL
Admin Name: EXAMPLE REGISTRANT ADMINISTRATIVE
Admin Organization: EXAMPLE REGISTRANT ORGANIZATION
Admin Street: 123 EXAMPLE STREET
Admin City: ANYTOWN
Admin State/Province: AP
Admin Postal Code: A1A1A1
Admin Country: AA
Admin Phone: +1.5555551212
Admin Phone Ext: 1234
Admin Fax: +1.5555551213
Admin Fax Ext: 1234
Admin Email: [email protected]
Registry Tech ID: 5372811-ERL
Tech Name: EXAMPLE REGISTRANT TECHNICAL
Tech Organization: EXAMPLE REGISTRANT LLC
Tech Street: 123 EXAMPLE STREET
Tech City: ANYTOWN
Tech State/Province: AP
Tech Postal Code: A1A1A1
Tech Country: AA
Tech Phone: +1.1235551234
Tech Phone Ext: 1234
Tech Fax: +1.5555551213
Tech Fax Ext: 93
Tech Email: [email protected]
Name Server: NS01.EXAMPLE-REGISTRAR.TLD
Name Server: NS02.EXAMPLE-REGISTRAR.TLD
DNSSEC: signedDelegation
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2009-05-29T20:15:00Z

Figure 3. Format of a WHOIS Query from the Registrar Accreditation Agreement (2013). ICANN = Internet Corporation for Assigned Names and Numbers; RAA = Registrar Accreditation Agreement (ICANN); URL = Uniform Resource Locator. Adapted from Section 3 RAA, retrieved from ICANN website at https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en.
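As an added illustration (not code from the thesis, from ICANN, or from any registrar), the following Python parses a record in the Figure 3 layout, flags which fields are Personal Data in the RAA’s sense (the contact elements of 3.3.1.6 to 3.3.1.8), checks that the 3.3.1.1 to 3.3.1.8 minimum elements are present, and produces the kind of disclosure-limited copy that Section 3.3.7 would allow a Consensus Policy to require. The sample record is constructed from Figure 3; the e-mail addresses in it are placeholders.

```python
"""Parse a WHOIS record in the key/value layout the 2013 RAA expects (Figure 3)
and separate the Personal Data fields (RAA s.1.14; elements 3.3.1.6-3.3.1.8)
from the technical data that is needed for the name to function.

Added example for this chapter; not ICANN's or any registrar's code.
"""
from typing import Dict, List, Tuple

# Repeated keys (Domain Status, Name Server) keep every value, in order.
WhoisRecord = Dict[str, List[str]]

# Constructed sample adapted from Figure 3; e-mail addresses are placeholders.
SAMPLE_RECORD = """\
Domain Name: EXAMPLE.TLD
Registrar URL: http://www.example-registrar.tld
Creation Date: 2000-10-08T00:45:00Z
Registrar Registration Expiration Date: 2010-10-08T00:44:59Z
Registrar: EXAMPLE REGISTRAR LLC
Registrar Abuse Contact Email: abuse@example-registrar.tld
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Registry Registrant ID: 5372808-ERL
Registrant Name: EXAMPLE REGISTRANT
Registrant Organization: EXAMPLE ORGANIZATION
Registrant Street: 123 EXAMPLE STREET
Registrant City: ANYTOWN
Registrant Country: AA
Registrant Phone: +1.5555551212
Registrant Email: registrant@example.tld
Admin Name: EXAMPLE REGISTRANT ADMINISTRATIVE
Admin Email: admin@example.tld
Tech Name: EXAMPLE REGISTRANT TECHNICAL
Tech Phone: +1.1235551234
Tech Email: tech@example.tld
Name Server: NS01.EXAMPLE-REGISTRAR.TLD
Name Server: NS02.EXAMPLE-REGISTRAR.TLD
DNSSEC: signedDelegation
Last update of WHOIS database: 2009-05-29T20:15:00Z
"""

# Contact roles, and the contact fields that identify or locate a natural person.
# "<Role> Organization" is left visible: it names a legal entity rather than a
# person (the thesis notes this is less clear-cut for small businesses).
CONTACT_ROLES = ("Registrant", "Admin", "Tech")
CONTACT_FIELDS = ("Name", "Street", "City", "State/Province", "Postal Code",
                  "Country", "Phone", "Phone Ext", "Fax", "Fax Ext", "Email")

# Minimum elements of 3.3.1.1-3.3.1.8 as (key, clause) pairs; fax is optional.
REQUIRED_ELEMENTS: Tuple[Tuple[str, str], ...] = (
    ("Domain Name", "3.3.1.1"),
    ("Name Server", "3.3.1.2"),
    ("Registrar", "3.3.1.3"),
    ("Creation Date", "3.3.1.4"),
    ("Registrar Registration Expiration Date", "3.3.1.5"),
    ("Registrant Name", "3.3.1.6"), ("Registrant Street", "3.3.1.6"),
    ("Registrant City", "3.3.1.6"), ("Registrant Country", "3.3.1.6"),
    ("Tech Name", "3.3.1.7"), ("Tech Email", "3.3.1.7"), ("Tech Phone", "3.3.1.7"),
    ("Admin Name", "3.3.1.8"), ("Admin Email", "3.3.1.8"), ("Admin Phone", "3.3.1.8"),
)


def parse_whois(text: str) -> WhoisRecord:
    """Split each 'Key: value' line on the first colon-space.

    Splitting on ': ' rather than ':' keeps URLs and ISO timestamps intact.
    """
    record: WhoisRecord = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"not a key/value line: {line!r}")
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def render(record: WhoisRecord) -> str:
    """Write the record back out, one 'Key: value' line per value."""
    return "\n".join(f"{k}: {v}" for k, vals in record.items() for v in vals) + "\n"


def is_personal_data(key: str) -> bool:
    """True for '<Role> <contact field>', e.g. 'Registrant Email', 'Tech Phone'."""
    role, _, field = key.partition(" ")
    return role in CONTACT_ROLES and field in CONTACT_FIELDS


def personal_data_keys(record: WhoisRecord) -> List[str]:
    """The keys whose values are Personal Data about a contact."""
    return [k for k in record if is_personal_data(k)]


def redact(record: WhoisRecord, placeholder: str = "REDACTED FOR PRIVACY") -> WhoisRecord:
    """A disclosure-limited copy of the kind 3.3.7 contemplates: contact data is
    replaced, while status, name servers, dates and the abuse contact are kept."""
    return {k: ([placeholder] * len(v) if is_personal_data(k) else list(v))
            for k, v in record.items()}


def missing_required(record: WhoisRecord) -> List[Tuple[str, str]]:
    """Elements from 3.3.1.1-3.3.1.8 that are absent or empty in the record."""
    return [(key, clause) for key, clause in REQUIRED_ELEMENTS
            if not any(record.get(key, []))]


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_RECORD)
    print(f"{len(personal_data_keys(rec))} personal-data fields out of {len(rec)}")
    print("missing required elements:", missing_required(rec))
    print(render(redact(rec)))
```

Run against the sample, the redacted copy still carries everything a resolver or abuse handler needs, which is the distinction the data protection authorities draw between data needed for the name to function and data disclosed about people.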

The escrow provisions that are contained in Section 3.6 arose partly from a need to protect registrants: for example, in the event that a registrar suddenly went out of business and disappeared, a distinct possibility in a young industry that is not a bricks and mortar type of enterprise, the data relating to who owned what domain names certainly needed to be reliably backed up.


However, the data elements specified to be maintained by the registrars in Section 3.4 were to fulfill other purposes, notably law enforcement agency (LEA) access. The Governmental Advisory Committee (GAC) has, in a number of communiqués (listed in Appendix I), made their views on the availability of registration data very clear to the ICANN Board. Most specifically, the GAC forwarded the Law Enforcement Recommended RAA Amendments and ICANN Due Diligence document (see Appendix Q for the complete document) prior to the negotiations over the 2013 RAA. (Appendix P contains an earlier document, the GAC Principles Regarding gTLD WHOIS Services, which is considerably less detailed and intrusive). Correspondence with the Board shows, however, that the GAC was becoming quite impatient with the lack of progress in improving the accuracy and completeness of WHOIS data for law enforcement purposes.

The data commissioners, as discussed in the next chapter, have given their views on the excessive data retention, and the constitutionality of the requirement. Section 3.4 stipulates the data that must be retained by the Registrar, in their own database, including that listed above in 3.3.1.1 to 3.3.1.8; any data listed in the attached data retention specifications; the name, postal address, email, voice telephone, fax number of the billing contact; and other data submitted to the Registry. It also provides for the retention of data relating to any proxy services used.

The data retained also includes all written communications with the registered name holder, including contracts and all data sent to registries. Data must be kept for two years after the last transaction with the client (i.e. deletion or transfer away to another registrar), and must be provided to ICANN upon reasonable notice, at registrar’s expense.

The data required for data retention at the registrar is a greater set than that which is required for escrow. Most is required to be held for two years after the last interaction with the customer but metadata relating to payment and communications information only has to be maintained for 180 days:


1.2.1. Information regarding the means and source of payment reasonably necessary for the Registrar to process the Registration transaction, or a transaction number provided by a third party payment processor;

1.2.2. Log files, billing records and, to the extent collection and maintenance of such records is commercially practicable or consistent with industry-wide generally accepted standard practices within the industries in which Registrar operates, other records containing communications source and destination information, including, depending on the method of transmission and without limitation: (1) Source IP address, HTTP headers, (2) the telephone, text, or fax number; and (3) email address, Skype handle, or instant messaging identifier, associated with communications between Registrar and the registrant about the Registration; and

1.2.3. Log files and, to the extent collection and maintenance of such records is commercially practicable or consistent with industry-wide generally accepted standard practices within the industries in which Registrar operates, other records associated with the Registration containing dates, times, and time zones of communications and sessions, including initial registration.

This is remarkably intrusive, and one must ask why there is so little trust, on the part of ICANN or whoever might be the ultimate recipient of this information (e.g., law enforcement), in the registrant or the registration process. Is there any equivalent consumer experience where so much metadata is required to be stored?

At the risk of being repetitive, note that the rights of the name owner or end user are not discussed in the above sections, nor elsewhere in the RAA, including any rights to be informed of an investigation (a right which appears in many data protection laws) or to object to the sale of personal information for value-added services that benefit trademark and copyright owners who wish to harvest names at best prices. Few registrants are aware of the economy that operates in the domain name business, and I would argue that all these agreements and arrangements favour the dominant players and act to dispossess the individual and small groups, who have much to gain from active participation on the Internet. There is, to be sure, a general caveat in the RAA that states that the collection of data must be in accordance with applicable law: “3.7.2 Registrar shall abide by applicable laws and governmental regulations” but the onus shifts to the registrar to get a legal opinion as to whether the rights of the individual in question have been abrogated by the RAA requirements. We will see how difficult that burden is on the registrar in the discussion of the WHOIS Conflicts with Law Procedure later in this chapter.

5.1.1 Registrant obligations

The RAA also details the nature of the contract that the registrars must enter into with the registrant, including the following key requirements with respect to data accuracy and protection obligations:

3.7.7.1 The Registered Name Holder shall provide to Registrar accurate and reliable contact details and correct and update them within seven (7) days of any change during the term of the Registered Name registration, including: the full name, postal address, e-mail address, voice telephone number, and fax number if available of the Registered Name Holder; name of authorized person for contact purposes in the case of a Registered Name Holder that is an organization, association, or corporation; and the data elements listed in Subsections 3.3.1.2, 3.3.1.7 and 3.3.1.8. [emphasis added]

3.7.7.2 A Registered Name Holder's willful provision of inaccurate or unreliable information, its willful failure to update information provided to Registrar within seven (7) days of any change, or its failure to respond for over fifteen (15) days to inquiries by Registrar concerning the accuracy of contact details associated with the Registered Name Holder's registration shall constitute a material breach of the Registered Name Holder-registrar contract and be a basis for suspension and/or cancellation of the Registered Name registration.

The RAA contains many requirements for the end user, in a document to which the user is not a party, that are onerous from a consumer protection perspective. Most other retail arrangements do not require data updates within a week of a change, upon pain of losing the good or service. If a domain name were suspended, it would likely be registered by another entity; and once that domain name is gone, it is probably impossible or expensive to get it back. Further requirements with respect to data protection, however, do include a requirement (3.7.7.4.1) to provide notice to the registrant of the purposes of the collection of personal information. Given that there is still no agreed statement of purpose for the collection of registration data, I am curious about how the registrars are satisfying this requirement. Further information includes:

3.7.7.4.2 The intended recipients or categories of recipients of the data (including the Registry Operator and others who will receive the data from Registry Operator);

3.7.7.4.3 Which data are obligatory and which data, if any, are voluntary; and

3.7.7.4.4 How the Registered Name Holder or data subject can access and, if necessary, rectify the data held about them.

3.7.7.5 The Registered Name Holder shall consent to the data processing referred to in Subsection 3.7.7.4. [emphasis added]

This is not a free, enlightened, informed consent, as required by most data protection law.

3.7.7.6 The Registered Name Holder shall represent that notice has been provided equivalent to that described in Subsection 3.7.7.4 to any third-party individuals whose Personal Data are supplied to Registrar by the Registered Name Holder, and that the Registered Name Holder has obtained consent equivalent to that referred to in Subsection 3.7.7.5 of any such third-party individuals.

This section requires the registrant to obtain consent from others such as technical staff, whose personal data has been submitted as technical contact. In some jurisdictions, particularly with respect to small business or home workers, the data could be personal since using your home phone number in the context of employment does not disqualify it as personal data in some situations. And in some jurisdictions, worker rights would include not requiring them to consent to having their names in a public directory. In short, it is overly simplistic to just demand the collection of consent.

5.1.2 Data escrow

ICANN requires registrars, in Section 3.6 of the RAA, to submit an electronic copy of all the data described in Section 3.4, at the registrar’s expense, to a reputable escrow agent approved by ICANN. ICANN is to be a party to the escrow agreement (i.e. this is a tri-partite contract) and the schedule, terms, and format are stipulated by ICANN.

ICANN uses Iron Mountain, a reputable U.S. escrow agent. In discussions about the ability to retain data locally, European registrars have indicated that they experience difficulty in finding escrow agents that ICANN will approve, despite the language in Section 3.6. And it is important to note that a registrar who chooses to use his own agent has to pay for the data storage. Several European registrars wrote to ICANN in October 2015 (see Appendix L) to protest ICANN’s requirement to transfer data to the United States after the significant E.U. Court of Justice decision in Schrems v. Facebook, and they requested the same reimbursement provisions as others who were able to use Iron Mountain in the United States.

In this contract between the registrars and ICANN, the end user or registrants have very few rights. Furthermore, ICANN has deputized the registrars to, in essence, violate data protection law and constitutional protections unless they can prove to ICANN that they are in legal jeopardy. There is a brief statement of registrant rights in the contract but it focuses on what the registrar is obliged to provide to the registrant, including information about any privacy services they offer and the pricing of those services. It makes no mention of any possible statutory data protection that might apply or the rights under that legislation.

The RAA has to be considered the collection instrument or protocol for personal registrant data that ICANN, as data controller, requires registrars to implement. Registrars are dual actors, in terms of European data protection law, as with respect to ICANN requirements they are data processors, and with respect to their own client relations and reseller arrangements, they become data controllers. The RAA defines the use, retention, and disclosure of data, both publicly in the WHOIS and privately to law enforcement and other actors.

Further information about the deliberations that led to the 2013 RAA can be found in the Final Report on Proposals for Improvements to the Registrar Accreditation Agreement (2010). A joint drafting team from the Generic Names Supporting Organization (GNSO) and At Large Advisory Committee (ALAC) met for approximately a year, attempting to draft a code of registrants’ rights (subteam A) and a series of amendments to the 2009 RAA (subteam B). This 179-page document gives useful background to the struggles that lay behind the 2013 RAA, and demonstrates the rising pressure from law enforcement (see Annex G of the report, entitled “Communications Received Regarding the Law Enforcement RAA Proposals”), which includes:

• Law Enforcement Due Diligence Recommendations for ICANN-Seoul (see Appendix Q of this dissertation)

• Correspondence from Janis Karklins, Chair of the Government Advisory Committee (GAC), to Peter Dengate Thrush, Chairman of ICANN, including expressions of support for the Law Enforcement Due Diligence Recommendations

• The GAC Communiqué from Nairobi, endorsing the Due Diligence recommendations again

• A letter of support from the G8 Lyon-Rome Group on High Tech Crime

• A letter of support from Interpol

• A letter of support from the Project on Cybercrime at the Council of Europe

The report itself cited media reaction to the open pressure from the law enforcement community, noting an article in PC World entitled “Law Enforcement Push for Stricter Domain Name Rules” (Kirk, March 17, 2010). The GAC Communiqués which led up to the Board instruction to revise the RAA in 2011 (see Appendix I) make it clear that law enforcement has been pushing this agenda.

I will now examine the history of the various WHOIS task forces and reviews. This is an abbreviated summary of what was a protracted discussion, marked by increasing demands over many years for more data, more accurate data, and fewer options for data protection. While the focus of this dissertation is on personal data, data protection law and individuals, it is important to remember that the demands for disclosure would unmask political, religious, and environmental groups who are engaging in free speech. I will focus on how the key issues in data protection were raised and discussed, and how decisions were made not to proceed with a more robust policy.

5.2 A Brief History of WHOIS Reviews and Policy Development

Milton Mueller and Mawaki Chango have provided a good history of WHOIS reviews and studies at ICANN (2008), and divide WHOIS development into four phases:

1982–1990 Phase 1: WHOIS established as part of the Internet

1991–1998 Phase 2: WHOIS default remains in place during transition from closed to open, public network

1999–2001 Phase 3: WHOIS institutionalized by ICANN regime

2001–2007 Phase 4: Political contention over WHOIS: identification tool vs. data protection laws and norms (p. 306)

Since publication of their article, the contention has continued. As the Registry Stakeholder Group remarked in the following statement attached to the 2007 report, (where there was consensus on only one recommendation, which was not implemented):

The lofty goal of policy making by consensus has been subverted by constituencies that have a vested interested in preservation of the status quo in the WHOIS. The proceedings of this task force and its predecessors have dragged on over the years mainly because of procedural maneuvering [sic] with little or no connection to the substantive issues. These tactics were designed to avoid recognition of the simple fact that there is no consensus on the fundamental question of how to reconcile the WHOIS function with protection of personal privacy. (WHOIS Final Task Force Report, Section 13.4, no pagination)

Since I joined this debate in 2013, I cannot remark on the above from personal observation. But my participation in discussions of WHOIS from 2013-2017 leads me to have very little expectation that this debate will be resolved, short of drastic action on the part of some players. I discuss these prospects in Chapter 7. Importantly, the Governmental Advisory Committee (GAC) weighed in during 2007, when there seemed a risk that the Generic Names Supporting Organization (GNSO) would develop an “Operational Point of Contact” (OPoC) which would restrict the open access to WHOIS. While there was a stalemate in the votes on the GNSO that precluded moving forward with rough consensus, in essence, the GAC views added additional weight to the arguments of the Business Constituency, the Intellectual Property Constituency, and the Internet Service Providers. Some might term the actions of the GAC as a trump card or joker because the Board was obliged to consider the advice of the GAC; and they appear to have done so.

I would add the following phases to Mueller and Chango’s summary:

2008–2012 Phase 5: WHOIS follows whose advice? GAC, Security and Stability Advisory Committee (SSAC), or the data commissioners?

2013–2014 Phase 6: The Expert Working Group on Registration Data Service (RDS). Attempting to solve the stalemate with an appointed, high-level group.

2015–2017 Phase 7: GNSO-RDS. A full policy development process to examine whether a new RDS is needed, and set the policy for it if it is. Establishment of a policy on accreditation of privacy/proxy services, and transition from thin to thick WHOIS.


2018 Phase 8: Implementation of the E.U. General Data Protection Regulation (GDPR). Will the threat of fines of 4% of annual revenue force a change in ICANN policy?

In this chapter, I focus only on my period of research, from 1998 to 2016.

This struggle over WHOIS is complex. From a civil liberties perspective, it is a struggle over the empowerment of individual users to achieve autonomy, anonymous free speech, and fundamental rights in the information society. I hold the view that it has serious implications for the configuration of the self in the information society. From a governmental perspective, there is a responsibility to protect the end user, facilitate national economic interests, support law enforcement in fighting crime, and protect intellectual property and trademark interests. From the perspective of those in the domain industry, there are reasons to have a great deal of data available, and competitive reasons to have data protected as well. Registrars and registries, who are tasked to process, manage, and display the data, as well as respond to requests for access to additional data, also have conflicting needs to control costs, avoid costly human intervention in favour of technical solutions, and protect their own competitive interests. This is not a binary, clear-cut issue for most of the stakeholders.

Advice received from the GAC in 2007 was to “comply with applicable national laws and regulations” yet “facilitate continuous, timely, and worldwide access.” This is squaring the circle indeed, and in my view, it is impossible to achieve both of these goals. The endless contention has resulted in none of the sides giving ground, yet clinging to the illusion that in not conceding, they have achieved their goals. In the case of law enforcement, they are getting access to poor data that is only marginally useful. In the case of the data protection advocates, while there is lip service to data protection law, there is not compliance. It is not, therefore, surprising that as of the end of 2015, only the following policies exist to protect personal data in the Generic Top-level Domains:


• If a registrar offers a privacy/proxy service, they must give notice to the customer and describe pricing (2013 RAA);

• If a registrar can prove that there is a conflict with local data protection law to the satisfaction of ICANN legal department, they can get a waiver from two aspects of registrant data processing: disclosure in WHOIS and data escrow in the United States (WHOIS Conflicts with Law Procedure, which I will describe later in the chapter).

Referring to Table 1, we can see very little progress in terms of solving the intractable battle over individual rights despite considerable time and effort spent on WHOIS studies, task forces, and reviews. Keeping in mind the first research question, let us examine the various activities.

Table 1. Timeline of WHOIS Studies and Implementation Activities

Date | Activity | Results

1999 | First Registrars Accreditation Agreement (RAA) | Requires WHOIS data and access; Registrars pay

1999 | WIPO Internet Domain Name Process | Recommends contacts made public

2000 | WHOIS Committee convened | Registrar competition issues addressed

2001 | WHOIS Committee recommends standardizing output | Uniformity issues arise

2001 | Second RAA | Increased emphasis on accuracy of data, compliance, fees increased

2001 | First WHOIS Task Force | Data Marketing restriction policy

2003 | Second WHOIS Task Force | Privacy issues debated

2005 | GNSO Council passes WHOIS Conflicts with Law Policy | Procedure recommended to deal with data protection law requirements

2006 | Preliminary Task Force Report | Narrow, technical definition of purpose of WHOIS

2007 | Final Task Force Report | Operational point of contact proposal, no consensus, GAC principles introduced

2007 | GNSO Council creates new WHOIS WG | Focus on which data elements should be public to respond to GAC

2008 | WHOIS study group formed | Focus on what issues needed independent study, no consensus

2012–2014 | Four WHOIS Studies | Misuse, Registrant ID, Privacy/Proxy services abuse, Privacy/Proxy reveal

2010–2012 | WHOIS Policy Review Team | 16 recommendations, 1 item with consensus, Privacy/Proxy accreditation

2012–2014 | Expert Working Group on RDS | Call for volunteers, 2/2013 start, 6/2014 final report, dissent on privacy issues

2016 | New PDP on RDS started | Over 129 volunteers, fractious debate

Note. WIPO = World Intellectual Property Organization (United Nations); ICANN = Internet Corporation for Assigned Names and Numbers; GNSO = Generic Names Supporting Organization (ICANN); GAC = Governmental Advisory Committee (ICANN); WG = Working Group; RDS = Registration Data Service; and PDP = policy development process (ICANN).

5.2.1 2000: WHOIS Committee convened

ICANN staff instigated the formation of this committee, to consider problems in the lack of consistency in WHOIS lookups and response, now that there was commercial competition among registrars. Each registrar was responsible for providing access to the data through port 43, and there was no capacity for search across all registrars’ holdings. 45 Note that while the emphasis was on solving technical access problems, the deeper issues behind WHOIS had already emerged, as demonstrated in the following comments of Karl Auerbach, At Large Director, stated on Dec 13, 2000:

45 See letter from Louis Touton to the Committee, December 1 2000, http://archive.icann.org/en/committees/whois/touton-letter-01dec00.htm

Positions from Karl Auerbach, At-Large Board Director

The whois, [sic] particularly, when unified, will be viewed by many as one of the net's largest potential privacy exposures. As one who has spent many years dealing with privacy and security technology, I am very concerned about the difficulty—difficulty often approaching impossibility—of layering on patches after the basic architecture has been cast in stone. ….Again, as the issues are viewed not as a set of registrars meeting their contractual requirements, but rather as something that establishes policy for DNS in general, or has the likelyhood [sic] of establishing such policy by becoming a model that others will copy, then I think that the scope must necessarily expand to address these, admittedly difficult but nevertheless important, issues (as appearing in an email from Teresa Swineheart to Y.G. Park, who presented the report to the group, http://www.dnso.org/clubpublic/council/Arc04/msg00584.html).

Auerbach was deeply concerned about the policy choices being made at the time, and he became one of ICANN’s fiercest critics, joining with Michael Froomkin in developing the ICANN Watch blog. 46 Already, there was dissension as to the proposed scope of the committee’s work, and the representation within the committee. In the brief from Touton (who was the head of legal services at this time) to the committee, he alluded to the fact that some within the community already felt that the WHOIS protocol was broken and a new protocol should be developed.

5.2.2 2001: WHOIS Committee recommends standardizing output

The committee responded to two of the 11 questions posed by Touton in a letter:

Question 1: Should registrars provide Whois replies in a standard format? Currently, registrars use a wide variety of formats for Whois responses. If a standard format were employed, it would simplify the efforts of registrars to provide a seamless, TLD-wide, domain-name-lookup capability. While this would not satisfy the long-delayed goal of restoring full TLD-wide Whois service, it would at least ameliorate the delay in achieving that goal.

Question 2: If a standard format is to be encouraged, what should it be?

46 http://icannwatch.org/

They recommended that registrars provide WHOIS replies in a standard format, and they recommended dropping TCP port 43 access in favour of a newer protocol which the IETF was working on, possibly XML based (Recommendations of the .com/.net/.org WHOIS Committee on Questions 1 and 2, 6 March 2001).47

The DNSO Council voted on 19 February 2001 to set up a WHOIS committee to study the policy issues that had arisen during this work. They recommended setting up a website and mailing list to gather comments and position papers from the community. The committee committed to summarizing the position papers, identifying areas of convergence, and recommending further work where there was no convergence, and they proposed to develop a charter for any working group that might be struck to deal with further work.

5.2.3 2001: The second Registrar Accreditation Agreement

The second RAA brought in significantly higher application fees for the registrar’s accreditation process, greater oversight of the contracts on the part of ICANN Compliance, and greater detail about the use of resellers. There were no significant changes to the WHOIS requirements.

5.2.4 2001–2003: The first WHOIS Task force

The task force was formed in early 2001, co-chaired by Tony Harris of the Registry Stakeholder Group, still active in 2016 at ICANN, and Marilyn Cade of American Telephone and Telegraph (AT&T), a member of the Business Constituency and also still active. ICANN sent out a survey on WHOIS in July 2001, asking questions remarkably similar to those which were being examined in the RDS working group in 2016, and a first activity of the group was to examine the 3035 public responses.48 An interim report on the survey was discussed at the ICANN public meeting in Accra, Ghana, in March 2002.49

47 http://archive.icann.org/en/committees/whois/committee-recommendations-06mar01.htm

The group divided the work into privacy issues and data accuracy issues. An interim policy report focused on data accuracy and bulk access recommendations was published November 30, 2002, with comments accepted until January 9, 2003.

The final report, which was published February 6, 2003, contained a minority report by Ruchika Agrawal of the Electronic Privacy Information Center and the Noncommercial Users Constituency expressing considerable disagreement about going forward to implement data accuracy requirements without giving due attention to the many concerns expressed about privacy. 50 Other issues, which appear to include the privacy and legal rights issues, were deferred to the Rio de Janeiro meeting scheduled for March 2003 with the note that it “may or may not be taken up by this group or another group constituted to deal with them.”

5.2.5 2003: The Second WHOIS Task force

Representing the Noncommercial Users Constituency (NCUC), Agrawal and the Electronic Privacy Information Center presented a full report to the Generic Names Supporting Organization (GNSO) Council on March 10, 2003, detailing why a new task force needed to be established to address pressing issues, including privacy. Rather than criticizing the previous actions of Task Force I, this report provided a detailed analysis of WHOIS based on the Organisation for Economic Co-operation and Development (OECD) Guidelines for the Protection of Privacy. It also described the risk that a public directory poses to constitutionally protected free speech.

48 The survey is available here http://www.dnso.org/clubpublic/nc-whois/Arc00/msg00201.html

49 http://www.does-not-exist.org/whois-ghana-020310-web/whois-ghana-020310-6-fixed.html

50 https://archive.icann.org/en/gnso/whois-tf/report-19feb03.htm#MinorityReports

Marilyn Cade, co-chair of the first task force, also produced a report that was sent to the GNSO on March 11. At its meeting on March 25, the GNSO decided to task ICANN staff with preparing a report on privacy issues, drawing on these two rather different source documents. This staff report was presented on May 13, and recommended that the task force embark on a period of fact finding for the following reasons:

A. There are many issues involved, not just a single issue.

B. There is a stark divergence of views held by different segments of the community about many, if not all, of the issues.

C. In many cases, the divergence of views appears to be based on the lack of a common understanding of various facts and circumstances relevant to the issues.

D. There also appears to be an imperfect general understanding regarding the requirements concerning Whois currently established in (a) ICANN agreements and policies and (b) legal requirements established by laws and other governmental requirements.

E. The multiple issues have not been crisply defined, and different segments of the community prefer to define them in different ways. (See point F immediately below.)

F. Many segments of the community discern linkages between various of the issues, so that their view of what resolutions of one issue are acceptable are dependent on how another issue is resolved. Different segments of the community discern different linkages.

G. ICANN entities other than the GNSO have constituents with a stake, and thus an interest, in how the issues are resolved.

(ICANN, Staff Manager's Issues Report on Privacy Issues Related to Whois, 13 May 2003.51)

In sum, there was no agreement and, allegedly, the facts were not clear. Given that the data commissioners had made their views known by this point (see Chapter 6, Figure 5, and the comment made by the Berlin Group to the previous Final Task Force Report, Gartska to Lynne, January 15, 2003), it may be that ICANN was unwilling to state the privacy debate more clearly, but preferred to treat the data protection authorities, at best, as one voice among many. The report recommended to engage in a further fact-finding initiative.

51 https://archive.icann.org/en/gnso/issue-reports/whois-privacy-report-13may03.htm

The draft terms of reference of a new task force were posted for public comment on October 29, 2003.52 In this new work, the task force would be divided into three separate initiatives: (a) restricting access to WHOIS data for marketing purposes; (b) reviewing data collected and displayed; and (c) improving accuracy of collected data. What follows are the tasks for the second unit of this activity, labelled somewhat confusingly as “Task Force 2”:

Tasks/Milestones

1. Examine the current methods by which registrars and their resellers inform registrants of the purpose for which contact data is collected, and how that data will be released to the public. Examine whether policy changes (or published guidelines) are necessary to improve how this information is provided to registrants.

2. Conduct an analysis of the existing uses of the registrant data elements currently captured as part of the domain name registration process. Develop a list of data elements about registrants and their domains that must be collected at the time of registration to achieve an acceptable balance between the interests of those seeking contact-ability, and those seeking privacy protection. The intent is to determine whether all of the data elements now collected are necessary for current and foreseeable needs of the community, determine which elements can be acquired accurately at low cost, whether any of the current elements should be made voluntary, whether any different elements should be added or substituted to improve the balance between contact-ability and privacy, and how the data may be acquired in compliance with applicable privacy, security, and stability considerations.

52 Although the call for comments appears to be missing, the final report is available at https://gnso.icann.org/mailing-lists/…docwAv077mMaU.doc

3. Consider options for limiting the amount of data made available for public access, if any.

4. Document existing methods by which registrants can maintain anonymity and assess their adequacy. Document examples of existing local privacy laws in regard to display/transmittal of data. Decide what options if any will be given to registrants to remove data elements from public access and what contractual changes (if any) are required to enable this.

5. Taking into account the outcomes in 2 and 3, re-examine the methods by which registrars inform registrants of the use of their contact data by third parties and the options registrants might have to remove data elements from public view.

Item 1 could be considered as a response to the legal requirement, where data protection law applies, to inform individuals of the purpose of collection and what uses and disclosures will be made of it. Items 2 and 3 provide necessary input to understanding legal requirements and limits to data collection, particularly when balanced against the promulgation of a reasonable purpose for the collection, use, and disclosure of registrant data. Item 4 holds the greatest promise, in terms of accommodating the requirements of data protection law, and Item 5 appears to be a commitment to changing the notice to reflect changes in policy.

There were a number of activities undertaken by this task force in an effort to gather input from the various stakeholders who wanted to provide input to the privacy discussion, including the data commissioners, who participated at meetings and submitted comments to various calls for comment. The Article 29 Working Party Common Position on WHOIS was adopted on June 13, 2003, and Diana Alonso Blass, who was working for the Directorate General of the Internal Market of the European Commission and functioned as part of the Secretariat to the Working Party, came to the Montreal meeting on June 24–25, 2003, and contributed to the WHOIS workshop.


The Task Force II preliminary report was presented for comment in June 2004.53 During the ensuing months, there was discussion as to how to reconcile the conflicting aspects of the three reports (see GNSO Council call of June 16, where the apparent problems and possible solutions were discussed by the three Chairs of the task forces who were invited to present an update to the GNSO).54 Over the winter, the three task forces were combined and a preliminary report appeared for comments on September 5, 2005, as the Combined WHOIS Task Force of the GNSO Council. This report contained a recommendation for a “Conflicts with Law procedure,” that required Registrars to get an exemption from their obligations, under the RAA and ICANN policy, in order to comply with data protection law. The final report appeared on October 25, 2005. This report contains an appendix from the NCUC detailing all the views expressed by data commissioners and authorities such as the Directorate General of the Internal Market of the European Commission, including a synopsis of the documents thus far released by the Article 29 Working Party and the Berlin Group.

5.2.6 2005: The GNSO Council passes the WHOIS Conflicts with Law policy

The recommendations of the Combined Task Force Report were accepted by the Generic Names Supporting Organization (GNSO) in January 2006, and it became the WHOIS Conflicts with Law Policy. The work of the Task Force, now a combined task force, continued.

53 https://gnso.icann.org/en/issues/whois-privacy/Whois-tf2-preliminary.html

54 http://audio.icann.org/gnso/GNSO-Council-20040616.mp3


5.2.7 2006: The Preliminary Task Force report on the purpose of WHOIS and WHOIS contacts

This report is a detailed discussion of the differing views on the purpose of the WHOIS and contact data. The terms of reference were agreed by the Generic Names Supporting Organization (GNSO) at a meeting on June 2, 2005, and the key tasks were:

1. Define the purpose of the WHOIS service in the context of ICANN's mission and relevant core values, international and national laws protecting privacy of natural persons, international and national laws that relate specifically to the WHOIS service, and the changing nature of Registered Name Holders.

2. Define the purpose of the Registered Name Holder, technical, and administrative contacts, in the context of the purpose of WHOIS, and the purpose for which the data was collected.

3. Determine what data collected should be available for public access in the context of the purpose of WHOIS. Determine how to access data that is not available for public access.

4. Determine how to improve the process for notifying a registrar of inaccurate WHOIS data, and the process for investigating and correcting inaccurate data.

5. Determine how to resolve differences between a Registered Name Holder's, [Generic Top-level Domain (gTLD)] Registrar's, or gTLD Registry's obligation to abide by all applicable laws and governmental regulations that relate to the WHOIS service, as well as the obligation to abide by the terms of the agreements with ICANN that relate to the WHOIS service. (summarized from the Preliminary task force report on the purpose of Whois and of the Whois contacts55)

The report addresses tasks one and two and provides stakeholder and constituency opinions on the issues. It is clear from this preliminary report that there is very little agreement on which of two formulations of the purpose of WHOIS is acceptable. The first formulation was:

The purpose of the gTLD Whois service is to provide information sufficient to contact a responsible party for a particular gTLD domain name who can resolve, or reliably pass on data to a party who can resolve, issues related to the configuration of the records associated with the domain name within a [Domain Name System] name server.

This purpose, limited in scope, was supported by the Registries, the Registrars, and the Noncommercial Users Constituency.

The second formulation was:

The purpose of the gTLD Whois service is to provide information sufficient to contact a responsible party or parties for a particular gTLD domain name who can resolve, or reliably pass on data to a party who can resolve, technical, legal or other issues related to the registration or use of a domain name.

This purpose, clearly broader in scope, was supported by the Intellectual Property Constituency, the Internet Service Providers and Connectivity Providers, and the Business Constituency. The GNSO voted on the matter on April 6, 2006 and a supermajority was obtained for the first definition. The Chair of the GNSO at the time, Bruce Tonkin, nevertheless yielded to pressure56 following this decision, and the first definition was adopted only as an interim measure for the purposes of the current report. Further comments were gathered, and a Final Task Force Report on Whois Services was released in 2007.

55 Retrieved from https://gnso.icann.org/en/issues/whois-privacy/prelim-tf-rpt-18jan06.pdf

56 Pressure came from various parties (see the email transcripts of the GNSO for the period following the vote, but a letter from the American Property Law Association outlines most of the arguments, available at https://gnso.icann.org/mailing-lists/archives/council/msg02561.html)

5.2.8 2007: The GNSO Council creates new WHOIS Working Group

There was only one recommendation that achieved consensus in the Final Task Force Report and the outcome of votes was as follows: Those who voted in support of the recommendation included the Registries, Registrars, Noncommercial Users Constituency (NCUC), the Nominating Committee appointee to the Generic Names Supporting Organization (GNSO), and the At Large Advisory Committee liaison to the GNSO. Not supporting were the Commercial and Business Constituency, the Intellectual Property Constituency, the Internet Service Providers and Connectivity Providers Constituency.

The [Operational Point of Contact (OPoC)] proposal envisages requiring registrants to use an OPoC in place of the current administrative and technical contact details in the published Whois. This would allow registrants to only publish the contact details of the OPoC, rather than the administrative and technical contact details. In the case of an issue with the domain name, the OPoC would contact the registrant. (Final Task Force Report on WHOIS Services, 12 March 2007.)

When the Final Task Force Report was released, the Governmental Advisory Committee (GAC) was not happy. It responded almost immediately (March 28, 2007) with the GAC Principles on WHOIS Service (see Appendix P) and, in a meeting with the GNSO Council, GAC demanded that GNSO address their concerns. A working group was established to respond to this criticism and in October, the GNSO rejected the OPoC proposal. In the history of WHOIS studies created by staff (available on the ICANN website, and attached as Appendix D) this was described as follows:

2007 (12 March)—Final Task Force Report on Whois Services—In the course of deliberation, several Registrars offered an "Operational Point of Contact (OPOC)" proposal, in which every registrant would identify an operational contact who would be identified in WHOIS in lieu of the registrant's information currently displayed. In case of an issue with the domain name, the OPOC would contact the registrant to resolve, or to reliably pass on data to resolve, operational issues relating to a domain name. When the GNSO Council met on 28 March 2007, it created a WHOIS Working Group to further examine the OPOC proposal. The Council considered the results of that report on 31 October 2007, and opted to pursue further studies of Whois rather than recommend to the Board that the OPOC proposal be adopted. 57 (ICANN Website, WHOIS Background Information, January 19, 2011).

The Task Force Report described this recommendation as the only one that received consensus. The fact that it was abandoned pursuant to pressure from the GAC is important. When asked 58 about the vote in October that allowed the issue to be dropped, an NCUC representative indicated that the Registrars dropped it, possibly due to costs associated with the measure, which they would have to absorb. The final report of the working group indicates that there was quite a bit of focus on the costs, and the implications for users of the data who would have to request further data directly from the registrars, and also identify themselves 59 (Final Outcomes Report of the WHOIS Working Group, 2007). When the matter came before Council on August 30, 2007, there were three proposals for Council to consider: 1) from the Noncommercial Users Constituency, the proposal to obtain comments and vote in November; 2) from the Commercial Stakeholders Group, the proposal to reject the OPoC proposal on the basis of cost benefit analysis and do further studies on the merits of authentication; and 3) the Registrars Stakeholder Group (RrSG) proposal to reject the OPoC proposal and remove any requirements from the Registrar Accreditation Agreement that are not consensus policy, recognizing that there is no consensus policy on WHOIS. 60

In examining the history cited above, provided by ICANN staff, there is no mention of either privacy, or the interventions of the data commissioners. It is easy to understand how the civil society representatives who had been fighting hard for privacy over several years by this point became convinced that the struggle was not managed in a fair, multi-stakeholder manner. At the same meeting where the OPoC recommendation was dropped, the Board held a meeting to discuss GNSO council reform that leading business stakeholder Marilyn Cade then protested, viewing it as an attempt of the Board to secure more control of the policy-making process and weaken the multi-stakeholder process. 61 Was pressure being exerted by the Board to conform to GAC advice?

57 Retrieved from https://community.icann.org/display/WHO/WHOIS+Background+Information

58 Conversation with Avri Doria, former GNSO Council chairman, 07/07/2017.

59 https://gnso.icann.org/en/drafts/icann-whois-wg-report-final-1-9.pdf

60 https://gnso.icann.org/en/meetings/minutes-gnso-30aug07.html

5.2.9 2008: The WHOIS study group forms

The 2007 Task Force was disbanded with no further action taken except to call for suggestions for more WHOIS studies. The community suggested 25 different studies 62 with the Governmental Advisory Committee writing to the CEO of ICANN proposing 15 questions of its own that were formulated into study recommendations. The WHOIS Study Hypothesis group was formed and reported on their work to Council in August 2008. 63 The WHOIS Study group itself was divided, with a significant number of the volunteers being of the view that no further studies were needed at this time. The Noncommercial Users Constituency, Registrars and Registries made the following statement in the report 64 :

WHOIS has been the subject of consensus policy work for over seven years, and it is painfully clear that consensus on the majority of issues does not exist. We object to spending any of ICANN's registrant-derived funds on WHOIS studies without clear evidence that these studies will (i) advance the policymaking process, and (ii) contribute something to the creation of a consensus on the fundamental issue of protection of personal privacy. So long as there is no universal acceptance of the fundamental principle that personal privacy is a value to be protected by ICANN policy, it is futile to commission further studies. The primary barrier to resolving WHOIS/privacy issues is not lack of data, but lack of political will. Any results of the proposed studies will simply be accepted by those whose agendas they further, and criticized by those on the other side. Even well engineered studies with strong conclusions have no compelling force against the interest group politics that have been going on for more than seven years so far.

61 https://archive.icann.org/en/topics/gnso-improvements/la-gnso-improvements-29oct07.pdf

62 http://forum.icann.org/lists/whois-comments-2008/

63 https://gnso.icann.org/en/issues/whois/whois-study-hypothesis-group-report-to-council-26aug08.pdf

64 https://gnso.icann.org/en/issues/whois/gnso-whois-study-group-report-to-council-22may08.pdf

The demand for studies appears to be fueled [sic] by a realization, on the part of those previously satisfied with the status quo of full published access to registrants' identifying information, that their status quo is threatened by proxy registrations. Indeed, at this time, there is not even consensus on the status quo. Requesting further studies is a way of appearing to move forward while avoiding the lack of consensus on the fundamental principle—personal privacy. (WHOIS Study Group Report to Council , May 22 2008, p. 4)

Nevertheless, the Council decided to commission four studies: 1) WHOIS misuse, to determine the extent to which data displayed is misused; 2) registrant identification, to see how commercial users were identified and correlate with privacy/proxy use; 3) privacy and proxy abuse to determine if these services were being used for abusive or criminal behaviour; and 4) privacy/proxy reveal, to determine practices for revealing the actual identity of users upon request. 65 However, ICANN did not initiate these studies until later.

5.2.10 2010–2012: The WHOIS Policy Review Team

Review teams were established under the terms of the Affirmation of Commitments between ICANN and the U.S. Commerce Department, and these reviews must be held every three years. Participation on review teams is more formal than in working groups, where anyone can join; the review teams require representation from the Governmental Advisory Committee, the ICANN Board, the Generic Names Supporting Organization, advisory groups such as the At Large Advisory Committee, and so on. The WHOIS policy review team extensively studied the stalemate in WHOIS policy and made the following 16 recommendations 66 (summarized from the WHOIS Policy Review Team Final Report, pp. 7–18).

65 https://gnso.icann.org/en/correspondence/presentation-whois-studies-oct10-en.pdf

66 https://www.icann.org/en/system/files/files/final-report-11may12-en.pdf

1. WHOIS, in all its aspects, should be a strategic priority for ICANN

2. ICANN's WHOIS policy is poorly defined and decentralized. The ICANN Board should oversee the creation of a single WHOIS policy document, and reference it in subsequent versions of agreements with Contracted Parties.

3. ICANN should ensure that WHOIS policy issues are accompanied by cross-community outreach, including outreach to the communities outside of ICANN with a specific interest in the issues, and an ongoing program for consumer awareness.

4. ICANN should act to ensure that its compliance function is managed in accordance with best practice principles.

5. ICANN should ensure that the requirements for accurate WHOIS data are widely and proactively communicated, including to current and prospective Registrants, and should use all means available to progress WHOIS accuracy, including any internationalized WHOIS data, as an organizational objective. As part of this effort, ICANN should ensure that its Registrant Rights and Responsibilities document is proactively and prominently circulated to all new and renewing registrants.

6. ICANN should take appropriate measures to reduce the number of WHOIS registrations that fall into the accuracy groups Substantial Failure and Full Failure (as defined by the NORC Data Accuracy Study, 2009/10) by 50% within 12 months and by 50% again over the following 12 months.

7. ICANN shall produce and publish an accuracy report focused on measured reduction in WHOIS registrations that fall into the accuracy groups Substantial Failure and Full Failure, on an annual basis.


8. ICANN should ensure that there is a clear, unambiguous, and enforceable chain of contractual agreements with registries, registrars, and registrants to require the provision and maintenance of accurate WHOIS data. As part of these agreements, ICANN should ensure that clear, enforceable, and graduated sanctions apply to registries, registrars, and registrants that do not comply with its WHOIS policies. These sanctions should include de-registration and/or de-accreditation as appropriate in cases of serious or serial non-compliance.

9. The ICANN Board should ensure that the Compliance Team develop, in consultation with relevant contracted parties, metrics to track the impact of the annual WHOIS Data Reminder Policy notices to registrants. Such metrics should be used to develop and publish performance targets, to improve data accuracy over time. If this is unfeasible with the current system, the Board should ensure that an alternative, effective policy is developed (in accordance with ICANN’s existing processes) and implemented in consultation with registrars that achieves the objective of improving data quality, in a measurable way.

10. The Review Team recommends that ICANN should initiate processes to regulate, and oversee, privacy and proxy service providers.

11. It is recommended that the Internic Service is overhauled to provide enhanced usability for consumers, including the display of full registrant data for all Generic Top-level Domain (gTLD) names (whether those gTLDs operate thin or thick WHOIS services) to create a one-stop shop, from a trusted provider, for consumers and other users of WHOIS services.

12. ICANN should task a working group within six months of publication of this report, to determine appropriate internationalized domain name registration data requirements and evaluate available solutions (including solutions being implemented by country code top-level domains [ccTLDs]).

13. The final data model, including (any) requirements for the translation or transliteration of the registration data, should be incorporated in the relevant Registrar and Registry agreements within 6 months of adoption of the working group’s recommendations by the ICANN Board.

14. In addition, metrics should be developed to maintain and measure the accuracy of the internationalized registration data and corresponding data in ASCII (American Standard Code for Information Interchange ) with clearly defined compliance methods and targets.

15. ICANN should provide a detailed and comprehensive plan, within 3 months after the submission of the Final WHOIS Review Team report, that outlines how ICANN will move forward in implementing these recommendations.

16. ICANN should provide at least annual written status reports on its progress towards implementing the recommendations of this WHOIS Review Team.

It is worth emphasizing that—despite a great deal of language in this report about the important disagreements over WHOIS policy and the importance of consulting privacy experts—not one of these recommendations addresses the problem of compliance with data protection law. The registrant’s rights and responsibilities document does not require the registrars to inform the registrant that they have enforceable rights under data protection law, nor that they do not have to consent to the collection, use, and disclosure of their personal information. It is worth noting—in keeping with what I regard as a general trend to downplay the registrant’s rights—that this earlier document entitled the “Registrant Rights and Responsibilities Under the 2009 Agreement,” dated on the website June 2011, was lengthy and detailed. The later version, “Registrants' Benefits and Responsibilities,” is much shorter and less explicit. And again, there is no mention of registrant rights under data protection law.

ICANN signed the Affirmation of Commitments (AOC) with the U.S. Department of Commerce in September 2009. Section 9.3.1 of the document states that

ICANN additionally commits to enforcing its existing policy relating to WHOIS, subject to applicable laws. Such existing policy requires that ICANN implement measures to maintain timely, unrestricted and public access to accurate and complete WHOIS information, including registrant, technical, billing, and administrative contact information [emphasis added]. 67

Clearly the only hook to apply data protection law here is the emphasized phrase, “subject to applicable laws.” Just to make sure that the review team got off to the right start in their deliberations in London in January 2011, the team consulted the drafters of the AOC, including the Assistant Secretary of Commerce Larry Strickling, and produced a scope focused on the AOC,

To assess the extent to which its existing WHOIS policy and its implementation:

• is effective;

• meets the legitimate needs of law enforcement; and

• promotes consumer trust;

• in accordance with the principles set out in the Affirmation, in particular paragraph 9.3. (WHOIS Review team terms of reference, 2011)

One can be generous and assume that law enforcement includes data protection law here, but it is noteworthy that despite a considerable amount of discussion and intervention by data commissioners by this point in the history of the WHOIS contention, there is no explicit reference to data protection law, nor a single WHOIS policy document, as noted in the Review Team’s Recommendation 2. The Review Team noted with concern that it was impossible to figure out the WHOIS policy, since there was no policy per se, as requirements were buried in the Registrars’ and Registries’ standard contracts, as well as the Affirmation of Commitments. The Procedure for Handling Conflicts with Law was just that—a procedure rather than a real policy. By this point, there were three full policies that were developed for WHOIS: the WHOIS Data Reminder Policy (2003), the Restored Name Accuracy Policy (2004), and the WHOIS Marketing Restriction Policy (2004), the latter of which contained the results of two separate recommendations to bar use of the WHOIS data for marketing and reuse.

67 http://www.icann.org/en/documents/affirmation-of-commitments-30sep09

Shortly after the release of this report, ICANN went ahead with the Thick WHOIS migration policy development process.

5.2.11 2011–2013: Thick WHOIS PDP

When ICANN was created, the top-level domains (e.g., .com, .net) were operated by Network Solutions, a legacy operator designated by the United States to operate the Root. Early registries (e.g., .com and .net) did not hold much data about registrants because one of the goals of the establishment of ICANN was to remove Network Solutions’ practical monopoly over registrations in the most popular top-level domains. Retaining detailed customer data at the level of the registrars, rather than in the registry itself, was useful to break that dominant player role. These legacy registries were described as “thin,” to differentiate them from the country code registries that held more data about the registrants. “Thin” data, while associated with the individual who has registered the domain, is not identifiable personal data and is best described as data about the domain. Thin data includes the domain name, registrar, WHOIS server, referral URL, name servers, status, updated date, creation date, and expiration date. It is the bare minimum needed to identify who sponsors the name and which name servers answer for it; the contact data stays with the registrar, which is why a lookup against a thin registry is a two-step process. “Thick” data contains much more data about the registrant, such as a name, address, email, and phone number.


Here is a snapshot of what that would look like, in terms of a WHOIS lookup:

Thin Registries: .COM and .NET – Sample Thin Registry WHOIS Response

Domain Name: IBM.COM
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Referral URL: http://www.melbourneit.com
Name Server: INTERNET-SERVER.ZURICH.IBM.COM
Name Server: NS.ALMADEN.IBM.COM
Name Server: NS.AUSTIN.IBM.COM
Name Server: NS.WATSON.IBM.COM
Status: clientTransferProhibited
Updated Date: 31-aug-2011
Creation Date: 19-mar-1986
Expiration Date: 20-mar-2019
>>> Last update of WHOIS database: Thu, 24 Nov 2011 00:50:33 UTC <<<

The Referral URL, http://www.melbourneit.com, provides a link to Registrar Melbourne IT which, in turn, provides the full, or “thick,” WHOIS response with the full Registrant WHOIS contact data:

Domain Name...... ibm.com
Creation Date...... 1986-03-19
Registration Date.... 2011-08-31
Expiry Date...... 2019-03-21
Organisation Name.... International Business Machines Corporation
Organisation Address. New Orchard Road
Organisation Address.
Organisation Address. Armonk
Organisation Address. 10504
Organisation Address. NY
Organisation Address. UNITED STATES
Admin Name...... IBM DNS Admin
Admin Address...... New Orchard Road
Admin Address......
Admin Address...... Armonk
Admin Address...... 10504
Admin Address...... NY
Admin Address...... UNITED STATES
Admin Email...... [email protected]
Admin Phone...... +1.9147654227
Admin Fax...... +1.9147654370
Tech Name...... IBM DNS Technical
Tech Address...... New Orchard Road
Tech Address......
Tech Address...... Armonk
Tech Address...... 10504
Tech Address...... NY
Tech Address...... UNITED STATES
Tech Email...... [email protected]
Tech Phone...... +1.9192544441
Tech Fax...... +1.9147654370
Name Server...... NS.AUSTIN.IBM.COM
Name Server...... INTERNET-SERVER.ZURICH.IBM.COM
Name Server...... NS.WATSON.IBM.COM
Name Server...... NS.ALMADEN.IBM.COM
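The two-step thin lookup and the thin/thick distinction above can be made concrete in code. The following is an added example, written for this edit; it is not code from the thesis or from ICANN or any registrar. It parses a registry-style ("Key: value") answer and a registrar-style ("Key...... value") answer, follows the Whois Server referral the registry hands back, and then separates domain data from registrant contact data. The two responses are constructed to match the layout of the IBM.COM records quoted above, with contact details replaced by placeholders; the "registrar server" is a local dictionary, so nothing touches the network. The field classification (which keys count as domain data, which as contact data) is an assumption of the example, not an ICANN definition.

```python
"""Added example: parse thin (registry) and thick (registrar) WHOIS answers,
follow the referral, and report which fields are registrant contact data.

Sample responses are constructed to mirror the layout of the records quoted
in the text; contact values are placeholders. No network access.
"""
import re

# Constructed thin (registry-side) response: domain data only.
THIN_REGISTRY_RESPONSE = """\
Domain Name: IBM.COM
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Referral URL: http://www.melbourneit.com
Name Server: INTERNET-SERVER.ZURICH.IBM.COM
Name Server: NS.ALMADEN.IBM.COM
Status: clientTransferProhibited
Updated Date: 31-aug-2011
Creation Date: 19-mar-1986
Expiration Date: 20-mar-2019
>>> Last update of WHOIS database: Thu, 24 Nov 2011 00:50:33 UTC <<<
"""

# Constructed thick (registrar-side) response in the dotted key style shown
# in the text; the contact values are placeholders, not real data.
THICK_REGISTRAR_RESPONSE = """\
Domain Name...... ibm.com
Creation Date...... 1986-03-19
Expiry Date...... 2019-03-21
Organisation Name.... International Business Machines Corporation
Organisation Address. New Orchard Road
Organisation Address.
Organisation Address. Armonk
Admin Name...... IBM DNS Admin
Admin Email...... admin@example.com
Admin Phone...... +1.5550100
Tech Name...... IBM DNS Technical
Tech Email...... tech@example.com
Name Server...... NS.AUSTIN.IBM.COM
"""

# Stand-in for the registrar WHOIS servers a thin registry refers you to
# (assumed mapping for the example).
REGISTRAR_SERVERS = {"whois.melbourneit.com": THICK_REGISTRAR_RESPONSE}

# Matches both "Key: value" (registry) and "Key...... value" (registrar).
LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*(?::|\.+)\s*(.*?)\s*$")

# Assumed classification: fields describing the domain object, not a person.
DOMAIN_FIELDS = {
    "domain name", "registrar", "whois server", "referral url", "name server",
    "status", "updated date", "creation date", "expiration date", "expiry date",
    "registration date",
}
# Contact roles whose name/address/email/phone/fax lines are registrant data.
CONTACT_ROLES = ("registrant", "organisation", "organization", "admin", "tech", "billing")


def parse_whois(text):
    """Return (key, value) pairs in order; repeated keys such as Name Server are kept."""
    pairs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(">>>"):
            continue  # blank lines and the registry's trailing timestamp banner
        m = LINE_RE.match(line)
        if m and m.group(2):  # drop empty continuation lines ("Organisation Address.")
            pairs.append((m.group(1).strip().lower(), m.group(2)))
    return pairs


def classify(pairs):
    """Split pairs into domain data, contact (personal) data, and anything unrecognised."""
    buckets = {"domain": [], "contact": [], "other": []}
    for key, value in pairs:
        if key in DOMAIN_FIELDS:
            buckets["domain"].append((key, value))
        elif key.startswith(CONTACT_ROLES):
            buckets["contact"].append((key, value))
        else:
            buckets["other"].append((key, value))  # review by hand; may still be personal
    return buckets


def lookup(domain, registry_response=THIN_REGISTRY_RESPONSE, servers=REGISTRAR_SERVERS):
    """Simulate the thin lookup: read the registry answer, then follow its Whois Server referral.

    Returns (thin_pairs, thick_pairs); thick_pairs is empty if the referral is unknown.
    """
    thin = parse_whois(registry_response)
    names = [v for k, v in thin if k == "domain name"]
    if not names or names[0].lower() != domain.lower():
        raise ValueError("registry response does not describe %r" % domain)
    referral = next((v for k, v in thin if k == "whois server"), None)
    thick = parse_whois(servers[referral]) if referral in servers else []
    return thin, thick


def exposure_report(domain):
    """Contact fields that become public only once the registrar's thick record is fetched."""
    thin, thick = lookup(domain)
    return {
        "thin_contact_fields": [k for k, _ in classify(thin)["contact"]],
        "thick_contact_fields": [k for k, _ in classify(thick)["contact"]],
    }


if __name__ == "__main__":
    report = exposure_report("ibm.com")
    print("thin registry record exposes contact fields:", report["thin_contact_fields"])
    print("thick registrar record exposes contact fields:", report["thick_contact_fields"])
```

Running it shows the point the text makes: the registry answer yields no contact fields at all, while the registrar answer reached through the referral yields the organisation, admin and tech name, address, email and phone lines. A thick registry would return the second set directly, which is exactly the data European registrars were reluctant to hand to the .com registry.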

Given the passage of time, and the fact that there were 900 accredited registrars at the time of the WHOIS Review, it was decided that there was no longer a need to insist on a thin registry for .com and .net. At that time, .com was still the biggest registry, consisting of over 100 million domain names.

While this committee completed its work, by 2017 there was considerable resistance to going forward with the migration to thick WHOIS. This was largely due to concerns from European registrars about sending the personal information of their customers to Verisign in Virginia, United States, in the wake of the Schrems v. Facebook decision. Given the appeal launched by the Irish NGO, Digital Rights Ireland, regarding the “adequacy” of Privacy Shield, the replacement for Safe Harbor (Fortune, 2016), the uncertainty persists. This situation is now exacerbated by the application of the General Data Protection Regulation (GDPR) from May 2018.

5.2.12 2012–2014: Four WHOIS studies

One of the recommendations of the Review Team was to launch the studies of WHOIS issues; four studies were then initiated, followed by an online survey of service requirements 68 :

• WHOIS misuse study

• WHOIS registrant identification

• WHOIS privacy and proxy services abuse

• WHOIS privacy and proxy reveal study

• WHOIS service requirements survey

These studies were an attempt to gather data on the extent of abuse taking place, as well as the actual nature of registrants (natural or legal persons) and the operations of privacy/proxy services (e.g., who uses them, how requests to relay emails or reveal true identity are handled, etc.). Unfortunately, due to low sample sizes (participation) in some cases, these studies are not reliable, but they provide more data than ICANN had before, as much of the contestation about WHOIS risks and abuse was based upon the accounts of participants in the ecosystem.

68 https://gnso.icann.org/en/group-activities/other/whois/studies

5.2.13 2012: The Expert Working Group on RDS initiated

In December 2012, Fadi Chehade, the new CEO of ICANN, announced the creation of an Experts Working Group (EWG) on Generic Top-level Domain (gTLD) Directory Services and solicited applications from inside and outside the community. According to the ICANN website: 69

The objectives of the working group were to 1) define the purpose of collecting and maintaining gTLD registration data, and consider how to safeguard the data, and 2) provide a proposed model for managing gTLD directory services that addresses related data accuracy and access issues, while taking into account safeguards for protecting data. This output will feed into a Board-initiated GNSO policy development process to serve as a foundation for the GNSO's creation of new consensus policy, and requisite contract changes, as appropriate (ICANN News Release, December 13, 2012).

I was recruited in February 2013 to join this group, as a candidate representing data protection or civil society interests had yet to be selected. The group was unusual in that the meetings were conducted in private and the email archives were not made available. While interim reports were presented for comments, the final report, which was significantly larger and different from earlier reports, was presented directly to the Board with no opportunity for the community to comment on the new material and recommendations. This was a Board-initiated project and a part of the response to the WHOIS Review Report, as decided in November 2012 (ICANN Board Submission No. 2012-11-08-01). Furthermore, two Board members were in the EWG, including the Chairman of the Board. Clearly, this was a high priority.

The group started by going through a series of use cases for WHOIS data (see Appendix C for the list of use cases that appear in the final report). Discussing potential uses of data by third parties is not the same as identifying the purpose of collecting and maintaining registration data, and in the end the group did not satisfactorily identify the purpose. Similarly, although the group was struck to try to break the deadlock and move forward, “taking into account safeguards for protecting data,” that is certainly not the same as respecting data protection principles, which might require not collecting the data in the first place. However, this group was operating on a confidential basis, and the deliberations and discussions are not made public.

69 https://www.icann.org/news/announcement-2-2012-12-14-en

There was quite a bit of community resistance to the EWG, and when the final report was submitted to the Board in June 2014 (with a dissenting report from myself on grounds of failing to respect basic privacy concerns) the issue was parked for over a year. A group was struck to study how to establish the next policy development process, as required by Board instructions in October 2014.

5.2.14 2014–2015: The privacy/proxy services accreditation issues policy development process

While the joint ICANN Board and Generic Names Supporting Organization (GNSO) working group was deciding how to design the charter for the new Registration Data Service policy development process (RDS PDP) that would start at the end of 2015, there was no shortage of other WHOIS-related work going on. The WHOIS Review Report included a recommendation to accredit the providers of privacy/proxy services, so a group was struck in the fall of 2014 to develop an accreditation policy. This was also a quite fractious debate. Law enforcement and intellectual property stakeholders had been complaining that privacy/proxy service providers were basically protecting malfeasant actors, and that they were not complying with requests to relay email or reveal the identities of beneficial registrants (i.e., the people who actually used the domain). A range of options exist here in terms of the provision of proxy services because accredited registrars often use resellers of all kinds to sell domains. They may run hosting companies themselves, have arrangements with web design brokers, or have arrangements with Internet service providers. There are many options and sometimes the registrant is simply asked, “Do you want your data in WHOIS?” or, “Do you want WHOIS privacy?” In the latter case, the provider, or one of their partners, would sell the customer the privacy/proxy service. Sometimes, it may not be clear to the registrant whether or not they are actually the registrant or whether the proxy has those rights.

As I have stressed several times, there is a lot more to data protection with respect to registration data than the WHOIS. The study on relay and reveal mentioned above was really a feasibility survey of requestors of relay and reveal, registrars, and privacy/proxy providers, to see if they would participate in a study. But the final study has not actually been done, due to many complications, such as the requirements for confidentiality, etc. This means that we do not have good data on what actually happens when a privacy/proxy service provider receives a request for a “reveal,” or disclosure, of the client data. The feasibility study documented a great deal of concern about cost and administrative burden. If a proxy service simply reveals the true data upon receiving a request, without ensuring that the requestor has a legitimate purpose for the data, it would be a violation of data protection principles.

I have used this particular PDP to illustrate how the typical working group functions, as I was a member and observed the process from when the meetings began, to the final report and approval by the GNSO Council. This provided me with insight into some of the flaws in ICANN’s apparently transparent and open process, and how it sometimes fails. Putting that aside for the moment, let us focus on the mechanics of the process. Here is the way this typical working group started and functioned.

Policy Initiation:

• In this case, a Board resolution: “Resolved (2011.10.28.33), the Board also requests the creation of an Issue Report to undertake a Generic Names Supporting Organization (GNSO) policy development process (PDP) as quickly as possible to address remaining items suited for a PDP.” This Board resolution was one of the only recommendations to emerge from the WHOIS Review team which reported that year, as the group was only able to reach consensus on the one issue, that privacy/proxy services should be accredited, implying the development of policies and procedures to regulate their behaviour.

Preliminary Issues Report, December 2011: 70

• Preliminary issues reports are developed by staff and sent out for comment.

Public Comment Period:

• 30 days until 13 January 2012.

• The comments are summarized by staff, and a report published. 71

Final Issue Report:

• Two studies 72 on Privacy Proxy Services Accreditation Issues (PPSAI) abuse and feasibility of a full study on relay and reveal mechanisms recommended (p. 27). PDP put on hold (by the GNSO) until 2013 Registrar Accreditation Agreement negotiations concluded.

2013 RAA Concluded on June 23:

• PDP on PPSAI requested by Board, approved by GNSO.

Call for Volunteers:

• Announcement on ICANN website with call for volunteers 73 November 6, 2013, citing Charter prepared by staff. 74

• Charter prepared by staff later approved by GNSO.

70 http://gnso.icann.org/en/issues/raa/prelim-issue-report-raa-amendments-12dec11-en.pdf

71 https://www.icann.org/en/system/files/files/report-comments-raa-amendments-prelim-issue-report-10feb12-en.pdf

72 http://gnso.icann.org/en/issues/raa/fInal-issue-report-raa-06mar12-en.pdf

73 http://gnso.icann.org/en/announcements/announcement-06nov13-en.htm

74 http://gnso.icann.org/en/drafts/raa-pp-charter-22oct13-en.pdf

First Meeting:

• December 3, 2013, weekly meetings established. 75 There were 81 members, and I attended 55 of the 77 meetings. Attendance at meetings is logged and the records are available online. 76 I suspect that many participants logged in using Adobe Connect, the software used to provide members with the audio and shared screens, and then went back to what they were doing in their home or office—many members who logged a high attendance record with this interface did not speak, raise their hands, vote in the informal polls, nor participate in any other meaningful way.

Initial Report:

• Posted May 4, 2015, public comment period ending July 7. 77

• Over 20,000 comments received (largest volume in ICANN history), mostly due to successful campaigns launched by registrar and proxy services coalition petitions. 78

Public comments:

• Compiled in October 2015. 79 Regarding the Save campaigns, the comments were so interesting and the outpouring of support for privacy/proxy services was so extraordinary, that the Noncommercial Users Constituency (NCUC) compiled their own spreadsheet of comments from concerned registrants. I would note that the Intellectual Property Constituency referred to it as “astro-turfing” but was unsuccessful in getting the 20,000 comments counted as only two comments.

75 https://community.icann.org/display/gnsopnpsrvaccrdtwg/WG+Meetings

76 https://community.icann.org/display/gnsopnpsrvaccrdtwg/Attendance+Log+PPSAI

77 https://community.icann.org/display/gnsopnpsrvaccrdtwg/Initial+Report+as+published+for+public+comment

78 https://www.savedomainprivacy.org/about-us/ and https://www.respectourprivacy.com/ (by ).

79 https://community.icann.org/display/gnsopnpsrvaccrdtwg/Documents%2C+Responses+and+Public+Comments+on+the+WG's+Initial+Report

Final Report:

• Released January 2016. 80

Next Steps:

• Acceptance by GNSO and referral to the Board as policy recommendations;

• Posted for public comments before adoption by the Board;

• Adoption by the Board with instructions to implement; and the

• Formation of an Implementation Committee, with a smaller number of volunteers.

As can be seen from the list above, even a narrowly scoped initiative such as this one can be an exhausting process, demanding hundreds of hours of calls, reading email, and reviewing hundreds of pages of background documents linked in various reports that I have not listed above (see Appendix E).

5.2.15 How do WHOIS working groups reach consensus and work through contestation?

ICANN works on the basis of “rough consensus” and voting in the Generic Names Supporting Organization (GNSO) and the Board. Achieving consensus can be a slow process. In the Privacy Proxy Services Accreditation Issues (PPSAI) working group, there was contention among group members about a number of issues, including whether lawyers who acted for their clients in registering domains ought to be accredited, and whether organizations that conduct financial transactions on the Internet should be entitled to use privacy services. The Intellectual Property Constituency (IPC) contended that only individuals should be entitled to use proxy services, and an IPC lawyer in that constituency compiled a study of a few selected jurisdictions, attempting to prove that most jurisdictions insisted on transparency for businesses through business registration.

80 https://gnso.icann.org/en/issues/raa/ppsai-final-07dec15-en.pdf

Since many at-risk non-governmental organizations—including churches, mosques, and synagogues in hostile regions—also conduct financial transactions on the web, whether through subscriptions to newsletters or charitable donations, this proposal met with vigorous objections from civil society. However, the IPC decided to table their legal study at the last minute (when the draft report was being sent out for comment) as an input to the committee, even though the working group had dropped the study a year previously. This gave it a status that the registrars and the civil society representatives felt was totally unjustified. These are common practices in many multilateral organizations: last-minute tactics such as producing a document at the end of the process, exhaustion through prolonged procedures, and forcing agreement through hard deadlines are all mechanisms for achieving consensus, and it appears they are employed at ICANN.

At ICANN, there is a very clear avoidance of actual votes, which obviates the necessity to examine the fairness of representation. Given the openness of working groups, it is possible to “pack the group” with, for instance, several lawyers from one boutique law firm who represent IP stakeholders, or an entire women’s group representing women who have been stalked on the Internet. It is possible for these persons to participate at a very peripheral level, expressing support in last minute decisions such as the one described above, or swamping email lists with questions, protests, etc. Civil society has tried repeatedly to get national data commissioners to sign up for policy development processes but, due to the nature of their work, resources, and public accountability, commissioners are most reluctant to sign up (or send staff) unless they can actually devote the time required to participate in an accountable manner. Furthermore, many are unable to participate in policy development processes that they might be called upon to adjudicate.


During the debate about whether financial activities on a website were relevant to our discussion, participants repeatedly pointed out that activity on websites is outside the remit of ICANN. From the perspective of civil society, and the registrars, monitoring websites is not within ICANN’s remit. Once a lawful investigation has concluded that a website is engaged in illegal activity, a registrar will respond to a lawful request to take it down, but registrars certainly do not want to regularly monitor registrants of a $15 domain—nor is this within ICANN’s remit. Asking a potential registrant to declare her potential use of a domain is also problematic, and of course a criminal is unlikely to tell the truth anyway. However, these arguments fell largely on deaf ears, and the legal paper, which demonstrated that some countries insist on the public registration of companies, was accepted as an “input” to the process and tabled on the ICANN website.

There were excellent co-chairs for this committee, who acted with neutrality and professionalism, but there appeared to be a clear reluctance to cut off discussion that might be off-topic, outside the remit, or even disrespectful to other members. I base this judgment on my experience on several working groups. Furthermore, the current policy development process on registration data services (which started in early 2016) became so fractious—with frequent instances of rude or bullying behaviour—that the Ombudsman joined the list in order to sanction members immediately, without waiting for a complaint to be filed with him.

Once a draft report has been completed to address key items in the charter, it is put up on the ICANN website for public comment. While ICANN is commendably transparent in its activities, it is fair to say that only insiders check the ICANN website on a regular basis, or sign up for a regular update on opportunities to comment. Of course, this is true for most public comments; the average Canadian is not likely to sign up to receive the Canada Gazette in order to check on regulatory events and comment on new government initiatives. As a result, the number of comments received is often very small, although it is usual for the ICANN stakeholder groups to put in comments on issues they care about.


For civil society, this can be quite a burden, as many members are not native English speakers, and reports are frequently over a hundred pages long, and can be very technical. Comment periods are usually quite short (e.g., 30 days) although the Privacy Proxy Services Accreditation Issues comment period was from May 5, 2015, to July 7, 2015.

In this instance, as indicated above, the registrars decided to go to their customers in search of support for privacy/proxy services. One of the two petitions actually focused on the issue of whether the service should be restricted to individuals who were not engaged in “commercial” activity. The petitions produced interesting anecdotal evidence of potential harms from a failure to protect privacy and shored up support for privacy. The only other time a petition resulted in such a flood of comments was when ICANN debated the .xxx top-level domain and church groups campaigned against its acceptance as a registry for pornography.

5.2.16 Accountability and review mechanisms

ICANN has instituted a number of appeal mechanisms, where organizations can appeal for action to reverse a decision to award a domain name, or stop illegal activity such as trademark violation. The first of these, established in 1999, is the Uniform Domain-Name Dispute-Resolution Policy (UDRP), set up to ensure that trademark holders could receive speedy resolution of issues in the event that someone established a domain that infringed on their trademarks. Trademark holders and others can file a claim with the appropriate registrar, and the case goes to one of a number of independent dispute-resolution providers, which decides the case, with the parties concerned paying the costs. The UDRP was scheduled for cyclic review in 2016, but it appears to have functioned to the satisfaction of most parties, with the exception of civil society. It is the view of the NCSG that, among other things, rapid transfer of a domain to the complainant, with no right of appeal, is an abuse of due process and acts in favour of trademark owners (Komaitis, 2010).


However, this has not stopped the proliferation of other kinds of dispute mechanisms. There are no fewer than 11 policies which deal with specific kinds of disagreements in top-level domains, yet no policy for privacy or data protection disputes. [81]

All of these dispute mechanisms and policies illustrate the care and detail (including separate rules for each policy) that go into the finer points of registering names. This promises to become ever more complex in the future as more top-level domains are granted in the next round of new gTLDs. Most of these dispute mechanisms serve the interests of rights holders. However, a similar attention to detail with respect to the WHOIS Conflicts with Law Policy has never been developed. There are no procedures for complaining about breach of privacy. Let us next examine this policy, and the failure of ICANN to improve the process for registrars who attempt to comply with data protection law in their jurisdictions.

5.3 ICANN Procedure for Handling WHOIS Conflicts with Privacy Law

The Procedure for Handling WHOIS Conflicts with Privacy Law is a key document for the purpose of this research, and is attached as Appendix M. It has been in place since January 2008, and efforts to have it reviewed are proceeding as of December 2016. [82]

During WHOIS Task Force 2, which was started under the auspices of the GNSO, there was considerable participation by the data commissioners and their staff. Diana Alonso Blass, who was part of the secretariat of the Article 29 Working Party, and a lawyer in the Dutch Data Protection Commission at the time assigned to work in the Data Protection unit of the European Commission, came to the Montreal meeting in 2003 to present the Working Party’s views on the matter during the two-day workshop which the WHOIS Task Force held, and the Article 29 Working Party also released an Opinion (Opinion 2/2003). Civil society held a privacy day during the Vancouver meeting in 2005, at which I reiterated these views from a Canadian perspective, as Director of Research and Policy at the Office of the Privacy Commissioner of Canada.

81 https://www.icann.org/resources/pages/dndr-2012-02-25-en accessed February 28, 2016.
82 Revisions to the implementation of this policy, with respect to the “triggers” and evidence which ICANN would accept to allow a registrar to get a waiver from WHOIS obligations, were rejected by the registrars and registries at GNSO Council in October 2016. I moved to review the policy; this motion has not been accepted, but it is not clear how the item will move forward, as registrars are refusing to accept the status quo and there is little appetite for yet another PDP on WHOIS-related issues at the moment. The document was released for public comments on May 3 2017 (https://www.icann.org/en/system/files/files/whois-privacy-conflicts-procedure-03may17-en.pdf).

In November 2005, the GNSO concluded a policy development process to allow gTLD registry/registrars to demonstrate when they are prevented by local laws from fully complying with the provisions of ICANN contracts regarding personal data in WHOIS. In May 2006, the ICANN Board adopted the policy and directed ICANN staff to develop and publicly document a conflicts procedure. This procedure has the following steps:

• Upon notice of enforcement action, a registrar/registry should provide ICANN staff with a description of the action and possible outcomes, contact information for the contracted party and if possible the state authority, the text of the applicable law if the authority has cited it, and a description of how the contracted party has attempted to meet legal requirements and ICANN contractual requirements.

• Pursuant to advice from the GAC, ICANN will consult with the relevant government to see if they consider the action warrants a deviation from WHOIS requirements. Note the following section, which has been particularly irritating to contracted parties: “2.3 If the registrar/registry is required by local law enforcement authorities or a court to make changes in its practices affecting compliance with WHOIS-related contractual obligations before any consultation process can occur, the registrar/registry should promptly notify ICANN of the changes made and the law/regulation upon which the action was based.” Basically the contracted parties are forced into a situation where ICANN consults the local government (who are often engaged in disputes with their independent data protection authorities, particularly over law enforcement matters) instead of the data protection authorities, and the registrar/registry may only comply with law upon production of a court order, at which point they are usually in a fine/seizure of assets situation.

• Step three involves ICANN’s legal counsel reviewing the matter and preparing a report for the Board, determining if a deviation is required. This report will be made public and contracted parties can request redactions, but bear in mind that there is no public exposure of privacy issues that is likely to improve business prospects for the contracted party in question. Meanwhile, his domestic competitors are not suffering because ICANN insists on dealing with each case separately. Foreign competitors may be getting away with no compliance with privacy law in his jurisdiction, given the difficulties of cross-jurisdictional enforcement. Counsel will make recommendations as to whether or not ICANN Compliance should take enforcement action against the contracted parties because they are not in compliance with their contracts; in the case of the registrars this is the RAA. Clearly, the contracted parties are in a situation of double jeopardy.

• Step four involves the Board’s response to the Counsel report; they may approve or reject, seek further information, schedule a public comment period, or refer the matter to the GNSO for review.

• Step five involves public disclosure of the results of the procedure. As of December 2016, there were no such disclosures on the public record, because no one had used the procedure.

This procedure was reviewed by a group of volunteers led by senior staff. This was not a regular policy development process, but rather an implementation review, carried out by a very narrowly scoped committee that determines how to implement a policy. In this case, the committee was called an Implementation Advisory Group, and was tasked to try to come up with an alternative to the required letter from a competent authority. The committee was only mandated to discuss implementation matters; the policy could not be changed, nor could they make a recommendation to change the policy. Most of my interventions on this committee were dismissed or ignored because they constituted recommendations to change the policy, on the grounds that it failed to account for how data protection law works in practice. For roughly a year, the group argued about whether a new trigger needed to be found, and it was agreed that a letter from a government agency which provided evidence of how the relevant law conflicted with WHOIS requirements could be accepted instead (WHOIS Conflicts IAG Final Report, 2016). [83] The registrars would have preferred a letter from a nationally recognized law firm that could be substituted for an enforcement action, but this did not achieve rough consensus. However, when the document arrived at the GNSO Council for approval, it looked like the registrars had accepted the compromise only to reject the entire procedure at the GNSO, where they have sufficient votes to overrule the Intellectual Property Constituency even without the support of the Noncommercial Stakeholders Group.

I have pointed out many times in my activities at ICANN that this procedure does not actually map to how data protection law works. In many jurisdictions, the data commissioners do not have binding powers, and they have to take the issue to a court for a court order. Under the required definition, they would not be considered a competent authority—the Court would. Courts do not issue letters instructing potential litigants or defendants as to whether or not they are breaking a law. Neither, in most cases, do Data Protection Authorities who have the status of a judge. Some Data Protection Authorities would find it easiest to just go in and seize the registrar’s servers, which of course would put that business out of operation and seriously disrupt the affairs of all registrants. Those in the Noncommercial Users Constituency who were around at the time the provision was introduced have told me that just getting ICANN to acknowledge that data protection law existed was a major accomplishment. [84] I do not doubt this, but this is still a rather dramatic case of a private sector organization insisting that its contracted partners ignore data protection law, and the rights of their customers, unless threatened with enforcement action. Furthermore, it is not much of a procedure if it doesn’t actually result in the party requesting a waiver receiving one.

83 https://gnso.icann.org/en/drafts/iag-review-whois-conflicts-procedure-23may16-en.pdf

5.4 Conclusions

There are many interesting attributes of ICANN as a multi-stakeholder model. Its openness to anyone interested in the DNS is commendable. The recent efforts to globalize operations and outreach have been instrumental in broadening its focus to become a more truly international body. The commitment to transparency in its stakeholder operations has been useful from a public policy perspective, and has quelled allegations of anti-competitive activity. There are many excellent, qualified leaders in the community who have dedicated enormous amounts of time and labour to improve ICANN and the operation of the DNS. Doubtless ICANN has made a significant contribution to Internet governance systems by proving that a multi-stakeholder organization can work, at least in managing a key resource without stifling innovation, and can adapt rapidly. This is not the focus of this research, however, and the purpose of this chapter is limited to examining ICANN’s structures and processes to understand how privacy protection and data protection law have been accommodated or not, and how ICANN as a community and an institution has actually thwarted the development of privacy policies and procedures for registration data. Here are a few of my conclusions, responding to the first research question.

84 Conversations with Avri Doria, Kathy Kleiman, and Milton Mueller on a number of occasions during 2014-15.

1. Structural Constraints: Can civil society actually exert an influence in the GNSO, given that they are bound to the stakeholder group with whom they are most in contention, the Commercial Stakeholder Group, as the “non-contracted parties”? It is questionable, and noteworthy that when the London School of Economics reviewed the GNSO they recommended scrapping the elaborate structure in favour of three groups: contracted parties, business and civil society (LSE Public Policy Group and Enterprise LSE, 2006).

2. Path dependency: Given that the organization was set up with WHOIS transparency as one of the ground rules, later confirmed by the Affirmation of Commitments with the U.S. Department of Commerce, it seems that Mueller and Chango (2008) are correct. Absent a major external force, the system that has been set in place will continue.

3. Strategic Intransigence: As noted in the comments of the three stakeholder groups (the registrars, registries, and the noncommercial users) who were not in favour of the status quo for WHOIS data, all the other parties have to do in a WHOIS policy development process or review is refuse to compromise, and the status quo remains. Endless study of the issue ensues.

4. GAC override: In case there is any risk that the tie will be broken and progress ensues, as of 2007 the GAC is now weighing in on the results of the PDPs and reviews. The Board has been required to either take GAC advice or explain why not, and until the IANA transfer happened, it was clear that the Board listened to the GAC advice on WHOIS. However, after the IANA transition, the Empowered Community (basically the stakeholder groups) has more power over the Board, so there may be change in terms of how the Board responds. With respect to the issue of data protection, however, it would appear that the Board is well aligned with the GAC position on data protection, judging from results thus far.

5. Market freedom over individual rights: There has been a heavy reliance on the power of market actors in the structuring of the RAA and the WHOIS studies. Emphasis on opening up the domain registration market to fair competition favoured unfettered access to registrant data, rather than data protection rights for individual registrants. Rights of the individuals concerned were not factored into this market analysis, and this helps explain the ideological confrontation with the data commissioners which we shall see in the next chapter.

6. Ineffective accommodation of rights: The WHOIS Conflicts with Law Procedure represents a striking example of a bureaucratic response to irrefutable evidence of a clash of values that cannot be ignored. It seems to me that the remedy was designed to fail, and the bureaucratic response to that failure was also a demonstration of a failure/refusal to communicate.

I will return to these issues in the final chapter. The next chapter examines the interventions of the data commissioners, their inability to establish a satisfactory dialogue with ICANN, and the failure to effectively enforce data protection law.


Chapter 6 The Standoff Between European Data Commissioners and ICANN

In the last two chapters, I have focused on the dynamics within ICANN over the WHOIS registry, and how stakeholder representatives who participate in this complex organization have so far thwarted multiple efforts to reform the Registrar Accreditation Agreement in terms of offering substantive privacy protections to domain name registrants. The principal external actors – the data protection authorities – appeared repeatedly throughout that account, but in the background as a minor or secondary player. In this chapter, I turn the focus much more directly on them and examine in detail their frustrated initiatives to induce ICANN to comply with international data protection law.

I have explained in Chapter 5 how ICANN has not made substantive efforts to apply the European data protection laws with respect to WHOIS, but in fact has erected barriers to registrars who have attempted to comply with law, as described in the section on the WHOIS Conflicts with Law policy and its implementing procedures. Specifically, as described in that chapter, in its contractual agreements with the registrars (the RAA) ICANN is ignoring data protection law by insisting on:

• Collection, use and disclosure of personal information in violation of data protection law requirements in Europe and other countries;

• Publication of a directory containing personal information including name, address, phone number, and by association with a domain, personal interests;

• Retention of purchase data and metadata by the registrars, beyond their own needs, solely for the potential purposes of law enforcement;


• Escrow requirements of registration data, including detailed financial information that exceeds the data that is necessary to ensure continuity of the DNS and protection of registrants, with a U.S. escrow agent.

I have examined the history of the struggle to assert data protection rights, particularly with respect to the Internet, in Chapter 3. I discussed some of the participants in the ICANN multi-stakeholder ecosystem in Chapter 4, and how they interact as an institution. In Chapter 5, I discussed how the WHOIS struggle has developed over the period from 1998 to the end of 2015, and the failure to achieve consensus. In this chapter, I examine the precise nature of the confrontation between the data commissioners and their allies, and ICANN. The ways in which the organization has managed to continue on a course of paying little or no attention to data protection law, insisting on the publication of the personal data of all registrants, have implications for the enforcement of data protection law on the Internet. The fact that ICANN as the exemplar of the multi-stakeholder model in Internet governance is succeeding in this course of action has serious implications for the multi-stakeholder model, and for the many civil society groups who gather at the Internet Governance Forum (IGF) to promote human rights and development on the Internet. If they cannot exert any influence in the multi-stakeholder model in drawing attention to human rights and civil liberties issues, why would they continue to contribute their time and energies? How real is the commitment to including civil society in that model?

Throughout the 1990s, as the European Union worked to get the data protection Directive passed and then transposed into law by the member states, there was a very active group of data protection experts who worked in the European Commission in DG15, the Internal Market Directorate, which was responsible for the harmonization efforts. It is noteworthy that the data protection initiatives, while based on a human rights perspective, emanated from the division responsible for reducing trade barriers and enabling the internal market. There were powerful drivers for data protection to be harmonized across the union, to avoid trade barriers, and avoid unfair competition in the burgeoning data management, banking, and telecommunications sectors. Since some key players such as France and Germany already had data protection law that ensconced human and constitutional rights, a high bar had to be met or the initiative would fail.

The structure of the working groups and collaborative arrangements among European and international data commissioners has evolved over the years, as new countries passed data protection laws and established independent oversight mechanisms. France had one of the earliest laws, and held the first international data protection authorities conference in 1979, a now annual event that has grown over the years to become established as the International Conference of Data Protection and Privacy Commissioners (ICDPPC). This organization fostered relationships, collaboration and harmonization of views, and in 1983 a group of the commissioners formed the International Working Group on Data Protection in Telecommunications and Media (Berlin Group). This group was comprised of commissioners and their staff, some with technical backgrounds, and was focused on keeping up with developments in information technology and their impact on privacy. It included many representatives from outside Europe. Gradually others with interest in these subjects were allowed to join, such as representatives from civil society. This group has been publishing its documents since 1983. Appendix F lists documents relevant to ICANN and WHOIS.

Article 29 of the EU Directive 95/46 on data protection required the formation of a committee or working party, comprised of all the independent data protection authorities in the member states. The resulting Article 29 Working Party was tasked with harmonizing their views on policy and legal interpretations and issued its first common position in 1996. They addressed the rather arcane issues of the directory at ICANN surprisingly quickly, given that the group was new and its members were busy implementing law to comply with the directive in their own states, as well as developing methodologies for determining the adequacy of national law for the purposes of onward transfers of data. They published a common position on WHOIS data in 2003.

As of December 2015, it may well be said that there was a standoff between the European data commissioners and ICANN. In a clear illustration of this, the Article 29 Working Party on data protection wrote to ICANN and told them that the then proposed 2013 Registrar Accreditation Agreement would be illegal (Kohnstamm to Crocker, 2012). ICANN’s response (Chehade to Kohnstamm, 2012) was that the Governmental Advisory Committee (GAC) told them to do it, so the data commissioners should take up their issue with the GAC. Since data commissioners in Europe are appointed by national governments and have a range of independent powers, including the right to enter premises, seize equipment, and award substantial fines, this is a remarkable response that puts the European registrars at substantial risk of enforcement action on the part of the data commissioners. This is why I have described this as a standoff, and I would note that it is not likely that ICANN itself, as a corporation headquartered in California, believes that it carries a great deal of risk. It is the registrars based in Europe who are most at risk in this standoff. It would not appear to put the beneficiaries of open access to personal data at risk, namely the Intellectual Property Constituency, the law enforcement community, and the value-added services industry.

In this chapter, I go into some detail about the history of the interventions of the data commissioners at ICANN and the response, or lack thereof, of ICANN to those communications. I describe the many attempts of the data commissioners to engage with the debate over privacy of registrants described in the last chapter, and the lack of response from ICANN. I believe there is an insider/outsider problem which is a peculiarity of the way ICANN interprets its multi-stakeholder model, and that the data commissioners have been regarded as “outside the tent.” In terms of my research questions, we see here in the limited response to these interventions from the data protection authorities a clear attempt on the part of ICANN as an institution to simply ignore the issue and hope it goes away. The longer the open access to WHOIS data continues, the harder it is to undo, as new use cases arise regularly, and its importance in the ever-increasing fight against cybercrime justifies intrusion into privacy rights in the name of public safety. That appears to be the narrative on the pro-disclosure side of the argument.

It is clear that by 2017, the data commissioners of the world are numerous and well networked. Greenleaf (2015) lists the various associations of data commissioners in his summary of global data protection law, as follows:

• International Conference of Data Protection and Privacy Commissioners

• Article 29 Working Party

• International Working Group on Data Protection in Telecommunications (Berlin Group)

• Global Privacy Enforcement Network (GPEN)

• Association of Francophone Data Protection Authorities

• Latin American Network (Redi–PD)

• Central and Eastern Europe Data Protection Authorities (CEEDPA)

• Nordic Data Protection Authorities (NDPA)

• European Data Protection Authorities (EDPA)

• British, Irish, and Islands Data Protection Authorities (BIIDPA)

• APEC Cross-border Privacy Enforcement Arrangement (APEC CPEA)

• Other European states, including European Economic Area (EEA)


• Common Thread Network (CTN, Commonwealth)

• Members of the Council of Europe who have ratified the Convention 108

However, the bulk of the leadership in harmonizing views on the application of data protection law during the early days of ICANN was provided by just three groups: the Article 29 Working Party, the International Working Group on Data Protection in Telecommunications (Berlin Group), and the International Conference of Data Protection and Privacy Commissioners (ICDPPC).

Both the Berlin Group and the Article 29 Working Party have been active in making their views about WHOIS known to ICANN over the years (see Table 2), and when the International Conference of Privacy and Data Commissioners, which is basically an annual gathering of all data commissioners accredited to the group, issued a recommendation in 2009 to investigate whether someone should be assigned the task of representing them at ICANN and following developments, it was clear that the privacy issues at ICANN had reached the attention of many data commissioners. Given the vast scope of data protection issues that the data protection authorities are responsible for in their immediate jurisdictions, it is noteworthy that they have paid this much attention to ICANN.

Often, the Berlin Group and the Article 29 Working Party collaborated on their comments on issues. The way this has sometimes worked in the past has been that the Berlin Group studies an issue and produces a report. In recent years, the Berlin Group has been sending its final drafts to the ICDPPC for their comments. The Article 29 Working Party may, if they agree with the document and consider it to be important, publish an official opinion based on that work. The Berlin Group has many members from around the world, and we can see from the networks that Greenleaf lists (reproduced above) that there are many regional networks which can be reached easily by the data protection authorities.


6.1 Interventions by Data Commissioners on ICANN Data Protection Practices

In this section, I examine chronologically the various opinions, letters, and outreach through which the data commissioners have attempted to engage with ICANN. Although one often hears at ICANN the narrative that data commissioners exist in their own bubble and do not understand the Internet or the issues that are important to ICANN, in fact the European data protection commissioners were closely watching developments in the emerging Internet.

In their third annual report, dealing with events in 1998, the Article 29 Working Party notes that the European Commission responded to a call for comments put out by the World Intellectual Property Organization (WIPO). WIPO had issued a Request for Comments on Issues Addressed in the WIPO Internet Domain Name Process (WIPO RFC-2), on which the Commission services commented. The Article 29 Working Party provided input, and notes in its annual report:

The recommendations resulting from this WIPO Internet Domain Name Process will be made available to the new organization that will be formed to manage the technical and policy aspects of the Internet domain name system and will be reported to WIPO’s member States.

… As regards data protection aspects (such as the kind of data to become public and the kind of research allowed), the comments emphasised the need for a balanced approach between the legitimate interests of intellectual property rights holders and the fundamental right to privacy of persons involved in the Internet Domain Name Process. (Article 29 Working Party Annual Report, 1998, p. 59)

We can see here a recognition of the contention between the market and the fundamental rights of end users. It has been my observation from participating in several working groups at ICANN that participants who have been at ICANN since its inception will remark that the data protection commissioners have not engaged with ICANN.85 Clearly the record indicates otherwise: they were engaging even before ICANN had been established. It may be that “engagement”, as some ICANN participants understand it, requires coming to meetings, joining working groups, and generally becoming a “stakeholder” in this novel multi-stakeholder experiment. However, the data commissioners had their own novel experiment going on in the Article 29 Working Party, where for the first time the independent data protection authorities of sovereign states were attempting to harmonize their views. They were also expanding their networks through the ICDPPC, as new countries passed data protection laws to meet the adequacy requirements of Directive 95/46, and both of these collaborative activities required a great deal of their time and energy. Countries were obliged to obtain an “adequacy determination” under the terms of Directive 95/46 to ensure that trade was not interrupted. This led to the growth of the data protection commissioners’ annual conference, more rigorous attention to the conditions of joining the organization known as the International Conference of Data Protection and Privacy Commissioners, and the growing importance of its resolutions.

85 For instance, Steve Metalitz, then head of the Intellectual Property Constituency, commented in June 2014 at the ICANN meeting in London, during a meeting which the NCUC held to discuss privacy issues in the WHOIS database and the final Experts Working Group report, that it was good but unusual to see representatives of the data commissioners participating at an ICANN meeting. At the privacy meeting, we had two representatives of the U.K. Information Commissioner, and the technical expert from the European Data Protection Supervisor. I would note that in the time that I have participated at ICANN, Metalitz has attended every human rights and privacy meeting that the civil society groups have held. Since he was also on the first WHOIS Task Force, I expect that he has been following the issues and who attends ICANN meetings rather closely, and must have known that we have had numerous visits, speeches, and letters from the commissioners.

It is important to remember that the European Union has been growing steadily in membership during the development of ICANN, and the Working Party was a new project designed to further coordination among the different national authorities, a difficult task made more tense by member state reaction to the growing regulatory control exerted by the European Commission. Given the tensions over the European Commission and its “intrusions” into member state affairs and the harmonization of national laws, this committee did well, in my view, to produce the material it was producing at the turn of the century. Control of data protection policy and implementation has also, during the period of ICANN’s growth and development, passed from the Internal Market Directorate, responsible for trade matters, to the Justice directorate, which is concerned with all aspects of law including human rights law and criminal law.

Table 2 shows the history of the interventions of the data commissioners and of the European Commission directorates that supported the Article 29 Working Party: DG 15 (the Internal Market Directorate) and later the Directorate-General for Justice, after responsibility for data protection was transferred to it. In the next section, I provide further detail on each of these documents and interventions, and on any response received from ICANN. Correspondence and documents are listed in Appendices E, F, and G.

Table 2. Interventions by Data Protection Authorities on Registration Data Issues

INTERVENTIONS OF THE INTERNATIONAL DATA COMMISSIONERS ON REGISTRANT DATA (Source: Correspondence, Reports, Common positions)

| DATE | AUTHOR | TITLE | KEY ISSUES RAISED | ICANN REPLY |
|------|--------|-------|-------------------|-------------|
| 1998 | Berlin Group | Common position on Reverse Directories (referenced in Art 29 comments) | Consent and transparency required | None. While this report was referenced in later documents, it was not sent to ICANN |
| 2000 | Article 29 | Opinion 5/2000, The Use of Public Directories for Reverse or Multi-Criteria Searching Services | New purpose not compatible with original; data minimization per 95/46/EC; consent; prevention of bulk processing | None; as above |
| 2000 | Berlin Group | Common position on WHOIS | State purpose; restrict data published; restrict marketing and secondary use | None |
| 2000 | Berlin Group | Ten commandments for privacy on the Internet | Virtual right to be let alone restricts directory listings; right to review by DPA with transborder authority | None |
| 2001 | Article 29 | Comments to European Commission (EC) on WHOIS issues | EC requested comments on WIPO and WHOIS; EC comments noted the input | None from ICANN |
| 2003 | EC DG15 | Comments on WHOIS | Notes reverse directories; defines purpose; proportionality | None |
| 2003 | Berlin Group | Letter to ICANN regarding Names Council WHOIS Task Force | Notes earlier interventions; defines purpose; objection to searching by name | None |
| 2003 | Article 29 | Opinion 2/2003 on WHOIS | Summary of views expressed so far; response to WHOIS task force | None |
| 2005 | Berlin Group | Letter to International Working Group on Internet Governance to express interest in co-operation | Explains who they are and their interest in co-operation | None |
| 2006 | Article 29 | Letter to ICANN 22/06, Schaar to Cerf | Notes ongoing WHOIS discussion; purpose not defined, data must be limited; notes IWGDPT and Art 29 WHOIS papers | Cerf to Schaar 27/06 (discussions) |
| 2007 | Article 29 | Letter to ICANN 12/03, Schaar to Cerf re WHOIS Task Force | Expresses same concerns as earlier; notes concern with WHOIS conflicts with law policy | Cerf to Schaar 15/03 |
| 2012 | Article 29 | Letter to ICANN 26/9, Kohnstamm to Crocker; comments on impact of 2013 RAA | Accuracy requirements excessive; data retention unlawful | Chehade to Kohnstamm 9/10 |
| 2013 | Article 29 | Letter to ICANN 06/06, Kohnstamm to Crocker re 2013 RAA and waivers | All 27 data commissioners agree that their registrars will require a waiver of RAA requirements | Jeffrey to Kohnstamm: advice not corresponding to policy requirements |
| 2014 | Article 29 | Letter to ICANN 08/01, Kohnstamm to Jeffrey re their status and 2013 RAA | Reaffirms that Article 29 group has authority; all Data Protection Authorities represented and can sign | Namazi to Kohnstamm: purposes differ by country |
| 2014 | EDPS | Letter to ICANN 17/04, Hustinx to Jeffrey regarding data retention consultation and recent decision of ECJ | Data retention practices required by RAA are not in compliance with E.U. Charter of Rights; see earlier letters | None; inclusion of comments in consultation summary |
| 2015 | Australian DPA | Letter to PPSAI policy staff regarding call for comments on PPSAI interim report | Do not attempt to deny PP services to users who do financial transactions on web | None |

Note. Article 29 = The Article 29 Working Party; Berlin Group = International Working Group on Data Protection in Telecommunications and Media; EDPS = European Data Protection Supervisor; DPA = Data Protection Authority; ICANN = Internet Corporation for Assigned Names and Numbers; ECJ = European Court of Justice; PPSAI = Privacy Proxy Services Accreditation Issues; PP = Privacy Proxy; RAA = Registrar Accreditation Agreement.

6.1.1 1996–2000: First comments

In 1996 the Italian Data Protection Commissioner and professor of law Stefano Rodota hosted a meeting in Rome on the regulation of the Internet to protect privacy. Professor Rodota was later Chairman of the Article 29 Working Party and host of the International Conference of Data Protection and Privacy Commissioners in 2000 in Venice, where Internet issues were prominent on the agenda.86 In the Sixth Annual Report of the Article 29 Working Party (2001), submitted by Chairman Rodota to the European Commission, he reported on a study that the Working Party had completed at the request of the European Commission, providing comments on the WHOIS survey launched the previous year by ICANN’s DNSO Names Council to get input on WHOIS issues.

86 Links to the recordings of the sessions were not available online as of 2015. The conference was called “One World One Privacy” and its motto was “Towards an Electronic Citizenship.” Reference papers have been published; see Garante per la protezione dei dati personali, 2000.

Rodota summarizes the paper87 as highlighting the practical and legal difficulties stemming from the conflict between data protection and the desire to standardize formats, to achieve transparency in the sense of being able to know whom one is dealing with on the Internet, and to establish uniformity in identification data. The report that Rodota summarized appears on the Justice website of the European Commission, but it had not been submitted to ICANN in that form. The Commission submitted a report88 that contained a synopsis of the views of the data commissioners, and encouraged ICANN to examine another of the Article 29 Working Party papers, the Reverse Directory paper, which appeared in 2000.

Here is the list of policy questions Rodota raises in his report to the Commission, strikingly similar to those current today:

• Which categories of the data collected for the purposes of registration of domain names should be publicly available and for what purposes.

• Whether the data is accurate, reliable and up-to-date. There are indications that this is not generally so. Errors, whether accidental or deliberate, prejudice any authorized use of the data.

• Whether the purposes and use of registration data, including cross-border transmission of data, is consistent with national data protection and privacy laws. ICANN has an obligation to take account of applicable local and international laws in its policies and activities. In principle these obligations extend to Registries and Registrars operating under contract from ICANN and should be expressed in their contractual agreements, where necessary.

• The precise purposes for which data is collected and the use that can be made of it by the public, are not only a matter of technical and administrative policies, but are also the subject of national laws.

• Whether the data subjects have been informed and/or have agreed to the purposes for which their data may be used or can be based on other legitimate grounds.

Finally, he raises two questions: 1. What is the objective of the Whois search facility? 2. Under what conditions personal data collected in the EU can be transferred to the US. (Sixth Annual Report, pp. 74–75, footnote removed)

87 The first study was actually in 1999, published in 2000: “5.3 World Intellectual Property Organization (WIPO) In the context of the development of the Internet Domain Name System, Commission services made comments to ICANN (Internet Corporation for Assigned Names and Numbers) on the new registration process for the Internet Domain Name allocation, in particular on the ICANN model agreement between Registrars and Second Level Domain Name applicants. Commission services also commented to WIPO on its proposals on trade mark protection and the allocation of domain names. Commission services started preparing a draft communication on the whole issue including the data protection aspects and a proposal for an EU top-level domain.” COM(2000) 202 final; adopted on 11 April 2000.

It is significant that the ICANN Board has specifically asked, in the 2015 Registration Directory Services issues report that ICANN submitted for public comment on July 15, 2015, that the new policy development group address the issue of the purpose of the WHOIS or RDS. This remains an unresolved conflict. Also timely is the second question, in the light of the Schrems decision of the Court of Justice of the European Union, the consequent invalidation of the Safe Harbor Agreement, and the ongoing challenge to its successor, the Privacy Shield.

6.1.2 Opinion 5/2000 by the Article 29 Working Party on reverse directories

The “Opinion 5/2000 on Reverse Directories” is a generic opinion on reverse directories, which were beginning to proliferate on the Internet; it is not directed at ICANN in particular, but it is cited in later work. The WHOIS directory, however, had certainly been considered by the Working Party earlier, and we may assume it was considered one example of the phenomenon they were addressing. The European Union had adopted Directive 97/66/EC concerning the processing of personal data in the telecommunications sector, which provided for only limited data to be published in directories, with further data published only with consent. Removal from the directory, partial omission of the address, and omission of any indication of sex (where applicable) were to be free of charge, and direct marketing could be blocked.

Importantly, they applied Directive 95/46/EC as well with respect to purpose, and noted that the purpose of a telephone directory is not to find out other personal data about an individual (such as address) and that further processing was incompatible with the initial purpose. In summary, they noted that:

• Specific informed consent must be obtained prior to including personal data in all kinds of public directories;

• The controller must inform the subscriber whether he or she will be included in such directories and what kind of searches are possible;

• The subscriber has the right to modify, free of charge, his or her decision to allow each specific data processing;

• Technical and organizational measures must be in place to protect against bulk access and processing.

It is quite clear this applies to the WHOIS directory, but it was not sent to ICANN. These were early days of the Article 29 Working Party, and the practice of putting their opinions up on the European Commission website was established. Anyone interested in following data protection developments was watching that website, and the data protection press and academics would comment on new papers. The Working Party did not, as a rule, send its work out to relevant parties.

The pace of Internet commercial use and expansion was becoming dramatic in the late 1990s, and by the time the WHOIS policy and the new ICANN Registrar Accreditation Agreement had been implemented in 1999, spammers and cyber criminals were already harvesting WHOIS data to target their victims and becoming a nuisance to Internet users. The first attempt to bring data protection requirements to the attention of ICANN came from the International Working Group on Data Protection in Telecommunications (IWGDPT), also known as the Berlin Group, in 2000 when they issued a common position on WHOIS data.


6.1.3 The 2000 Berlin Group common position on WHOIS

In 2000, the Berlin Group issued its common position on “Privacy and Data Protection Aspects of the Registration of Domain Names on the Internet.” They note that while the original purpose of WHOIS was technical stability, the “development of the net towards the technical backbone of the emerging ‘Information Society’ [had] created new interests of different parties in the use of these data.” Listed as users of the system were law enforcement, the World Intellectual Property Organization and copyright holders, and individuals enforcing their own privacy rights to prevent publication of their data on websites. They single out the first Registrar Accreditation Agreement (1999) as not sufficiently protecting personal data, and recommend that future versions address the following issues:

• Specify the purposes of collection and publication;

• Restrict the data collected and disclosed to what is essential, noting that they have reservations about all data beyond the name, with telephone numbers being especially problematic;

• Secondary use must be only with informed consent;

• Technical means of accessing data in bulk must ensure purpose limitation and no secondary use;

• Registries should develop a uniform standard on data protection, and adherence to that standard should be ensured through certification procedures;

• Registrars operating within the jurisdiction of existing data protection laws are subject to existing legislation and to the control of existing national data protection and privacy commissioners.

This is a brief document, just over two pages, but it is clear and identifies the RAA as the important instrument which forces collection and disclosure.

In 2000 the Berlin Group also issued “ten commandments” for protecting privacy on the Internet. In that document, three principles are of particular interest:

• Right to Anonymity: Network and Service Providers have to offer to any user the option to use the network or to access the services anonymously or using a pseudonym. Pseudonyms which are used for this reason must not be revealed except where explicit law requires it.

• Virtual Right to be Alone: Nobody must be forced to let his or her personal data be published in directories or other indices. Every user has to be given the right to object to his or her data being collected by a search engine or other agents. Every user has to be given the right and the technical means to prevent the intrusion of external software into his own device.

• International Complaints Resolution: Facing the international aspects of all network and service activities every user has to be given the right to complain to an authority with transborder powers of investigation and enforcement if national legislation is not sufficient to guarantee his or her rights.

This chapter will make it clear that these three commandments have not been observed by ICANN during the past 17 years. Early on, Robin Gross, Marc Rotenberg, and Kathy Kleiman, among others in the Noncommercial Users Constituency (NCUC), made a concerted effort to reach out to the Commissioners to get their input and advice, and civil society sponsored meetings with them and invited them to appear at workshops at ICANN meetings.89 ICANN itself has not done this.

89 The Electronic Privacy Information Center (EPIC) has a history of its interventions on WHOIS both as a member of the Noncommercial Users Constituency (NCUC) and in its own right, (https://epic.org/privacy/whois/). Their report of 2003 is particularly comprehensive. The NCUC invited Giovanni Buttarelli (then Secretary General of the Italian Data Protection Authority, now the European Data Protection Supervisor replacing Peter Hustinx) to speak at the ICANN meeting in Rome, March 8 2004.


6.1.4 The 2003 Berlin Group letter to ICANN

In 2003, the Chair of the Berlin Group, Hansjürgen Garstka, wrote to ICANN with concerns about the “Interim Report of the Names Council's WHOIS Task Force of October 14, 2002.” The Names Council was the predecessor of the Generic Names Supporting Organization (GNSO), responsible for policy development at ICANN. In this letter, the Commissioners reaffirmed the views expressed in the Berlin Group’s common position of 2000. In particular, they noted their concern about extending the search capability of WHOIS to include searches by the name of the registrant. ICANN did not respond.

6.1.5 Opinion 2/2003 of the Article 29 Working Party on the application of the data protection principles to WHOIS directories

The Article 29 Working Party also issued an opinion on WHOIS in 2003, entitled “Opinion 2/2003 on the application of the data protection principles to the Whois directories.” In the annual report for that year, Chairman Rodota sums up this contribution as follows:

On 13 June 2003, the Working Party adopted Opinion 2/2003 on the application of the data protection principles to the Whois directories. In this opinion, the Working Party gives some guidelines to the Internet Corporation for Assigned Names and Numbers (ICANN) about the application of data protection principles to the Whois directories as well as to other registries of domain names and IP addresses. Amongst others, the opinion establishes that the publication in Whois registers of the identity and contact information of individuals without their consent violates the data protection directive in so far as there are no legal grounds justifying the mandatory publication of personal data referring to the individual. The opinion explains that such a publication of the personal data of individuals, for instance their addresses and their telephone numbers, would conflict with their right to determine whether their personal data are included in a public directory and if so which. The opinion also stresses that the processing of personal data in reverse directories or multi-criteria searching services without unambiguous and informed consent by the individual is unfair and unlawful. (pp. 24–25)


The annual report of the Article 29 Working Party is addressed to the European Commission, and represents the views of the lawful authorities for the supervision of data protection in the countries of Europe. As of 2000, the Charter of Fundamental Rights of the European Union included Article 8, which explicitly provides that compliance with data protection rules is subject to control by an independent authority. These are those authorities, and it is clear from the cited paragraph that they expected the guidelines they provided to ICANN to be taken seriously. This opinion was released in time to provide information for the ICANN meeting to be held in Montreal in June 2003, and as input to the discussions of the first WHOIS task force. It notes the following key issues:

• Individuals were increasingly registering domain names, raising different issues than the earlier registrations by organizations and legal persons;

• The reports of the WHOIS task force had failed to address the question of purpose, and they point out that extending use of the data for other purposes, such as self-policing of digital rights, is not compatible and therefore a violation of data protection law;

• Article 6(1)(c) of the Directive limits collection and processing to data relevant to the purpose; this should be considered in the matter of “uniformity” of the diverse WHOIS directories;

• They note the differences in treatment of individuals and companies or organizations, including that sometimes company data is required to be published by law, but it does not follow that the data of relevant employees must be published as contacts, and those employees have the right to object;

• The proportionality principle requires that less intrusive methods than a completely open WHOIS be put in place;

• Even once data have been made public, referring to their Opinion 3/99 on public sector information, the data subject still has rights to restrict further processing;

• Proposals for more searchability in the WHOIS functions are a cause of concern; see Opinion 5/2000 on public directories. Multi-criteria searches without consent are unfair and unlawful;

• They support the proposed restrictions on bulk data access for direct marketing.

6.1.6 2005: Berlin Group to International Working Group on Internet Governance letter

In 2005 the Berlin Group wrote to the International Working Group on Internet Governance (IWGIG), a group which had arisen in the context of the World Summit on the Information Society (WSIS) and which contained many ICANN stakeholders, to let them know that the two groups of data commissioners exist and are interested in Internet privacy issues and further co-operation. Note that the 2009 resolution of the International Conference of Data Protection and Privacy Commissioners recommended investigating acquiring observer status to the Internet Governance Forum, another forum that arose from the World Summit for the Information Society (WSIS). It is clear from this resolution that the data commissioners had realized by 2009 that they might actually have to send observers to these Internet related fora in order for their views to get attention.

6.1.7 2006–2007: Article 29 Working Party letters to ICANN’s Chairman Cerf

In 2006 Peter Schaar, the German Federal Data Protection Commissioner who was then chair of the Article 29 Working Party, wrote to Vint Cerf, Chairman of the ICANN Board, with concerns about the ongoing WHOIS review and the persistent failure to identify the purpose of data collection. He noted the following key points:

• Data Commissioners had received complaints about improper use of WHOIS data in several countries, from a growing number of registrants who are individuals;

• Purpose must be specified and further purposes must be “legitimate and compatible” with the original purpose;

• Repeating the point made in the 2003 Opinion, data collection must be relevant and not excessive for the specific purpose; this poses barriers to increasing uniformity across the system, as some data collection is not relevant and therefore sets of data will be smaller or larger depending on the specific purposes;

• Registration by individuals and by companies raises different legal questions, but employees of companies are also entitled to protection under the law and have a right to object to their data being published;

• The proportionality principle requires that less intrusive means than publication of all data to everyone must be found to serve the original purpose;

• Even after data have been made public they are still personal, so reuse for other purposes is not allowed;

• A layered approach could serve the original purpose of WHOIS, with sensitive information restricted to law enforcement agencies with adequate authority;

• Reminds them of the Article 29 Opinion 2/2003 and of the Berlin Group common position of 2000.

Cerf responded immediately with thanks and the comment that the WHOIS review was only at the interim report stage, requiring no Board action (and therefore he was not involved). The Belgian and Canadian data commissioners also wrote to ICANN during this timeframe, stressing the need to limit data collection and disclosure and to find privacy-enhancing ways to run WHOIS. The next period, that of the WHOIS Review Team activities, did not produce more letters from the data protection authorities, who next wrote to ICANN when the Registrar Accreditation Agreement was being negotiated in 2012.

6.1.8 2012–13: Revision of the Registrar Accreditation Agreement

In September 2012, Jacob Kohnstamm, chair of the Article 29 Working Party, wrote to ICANN Board Chairman Steve Crocker noting two key concerns with the proposed new Registrar Accreditation Agreement. The first was that the annual verification of personal data accuracy was excessive, and failed to address the problem that individuals were providing inaccurate data to protect themselves from spamming and other intrusions resulting from wholesale public access to WHOIS data. The second issue concerned the proposed data retention period, which was expressly for the benefit of law enforcement. The following paragraph is quite explicit on this point:

The Working Party strongly objects to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement. If there is a pressing social need for specific collections of personal data to be available for law enforcement, and the proposed data retention is proportionate to the legitimate aim pursued, it is up to national governments to introduce legislation that meets the demands of article 8 of the European Convention on Human Rights and article 17 of the International Covenant on Civil and Political Rights. (p. 3, footnote omitted)

The new Chief Executive Officer, Fadi Chehade, responded on October 9, indicating that these provisions were added at the request of law enforcement officials from around the globe, including from the EU. He goes on to state, “In the ICANN meeting in Prague in June 2012, the GAC stated that it is uniquely qualified to provide guidance to ICANN as it attempts to balance the issues of privacy concerns versus the needs of law enforcement.” Note the language: privacy “concerns,” not legal rights, and law enforcement “needs,” not requests or even issues. The “ICANN Procedure for handling WHOIS conflicts with privacy law,” which he proposes as a solution to deal with this impasse, was later reviewed in 2015 with respect to its implementation, because it clearly was not solving the problem of WHOIS conflicts with law, either in terms of permitting waivers of data retention requirements, or waivers because WHOIS publication violated data protection law. As described in Chapter 5, this procedure remains in contention, although a report was submitted to the Generic Names Supporting Organization Council and was sent out for public comment in 2017.

In June 2013, Jacob Kohnstamm wrote back to Crocker and Chehade, reiterating his concerns about the 2013 Registrar Accreditation Agreement and indicating that all European registrars would require a “waiver” according to the proposed conflicts with law procedure. He offered this as a way of simplifying procedures and avoiding duplication of work. This prompted a response from ICANN’s General Counsel, John Jeffrey, on September 20, 2013, that in fact the Working Party was not a legal entity capable of a finding, and thus ICANN was not considering their guidance to be enforceable. In January 2014, Kohnstamm wrote to Jeffrey, reiterating the Article 29 Working Party’s concerns about the 2013 Registrar Accreditation Agreement, and reaffirming its own authority to represent the now 28 members of the group in a common position. They had met in December and confirmed that in fact the common statement represented the interpretation of law in each of the member states. Here is a section of the letter that demonstrates how difficult this discussion had become:

The Working Party’s objection to the Data Retention Requirement in the 2013 RAA arises because the requirement is not compatible with Article 6(e) of the European Data Protection Directive 95/46/EC which states that personal data must be: “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected.”

The 2013 RAA fails to specify a legitimate purpose which is compatible with the purpose for which the data was collected, for the retention of personal data of a period of two years after the life of a domain registration or six months from the relevant transaction respectively. In order to support Registrars operating within the jurisdiction of the European Data Protection Directive 95/46/EC, the Working Party would request that ICANN accepts the Working Party’s position as appropriate written guidance which can accompany a Registrar’s Data Retention Waiver Request. (p. 2)


Note that this letter only deals with one aspect of the waivers permissible under the WHOIS Conflicts with Law Procedure. On March 25, 2014, Cyrus Namazi, the Vice President of Domain Services, Global Domains, responded to Jacob Kohnstamm that while they appreciated their input and advice, in the process of handling the waiver requests that they had received, they noted that there were differences in terms of what was a valid purpose for retention in the different member states. Accordingly, they opened a public comment on the issues, from March 23 to April 23, 2014, and received five comments which are available, with summary, on the ICANN website.[90] Further to this, he thanked Kohnstamm for arranging a meeting in Germany, to which Nigel Hickson, a Vice President in the ICANN Brussels office, was sent.

6.1.9 The 2014 letter from the European data protection supervisor to John Jeffrey on data retention

The letter from Peter Hustinx, the European Data Protection Supervisor (EDPS), dated April 17, 2014, was one of five comments received in response to the public consultation on the data retention requirements of the 2013 Registrar Accreditation Agreement (see Appendix N). These comments ranged as usual from those which said that ICANN was not paying enough attention to the European data protection requirements, to the formal response from the Coalition for Online Accountability, a coalition of rights holders and intellectual property associations, who requested assurance from ICANN that the purpose of data collection was not being questioned. The substance of Hustinx’ letter is as follows:

• He is responding to the formal consultation.
• He reminds ICANN of previous letters from the Article 29 group dated September 26, 2012, June 6, 2013, and January 8, 2014, which he supports.

[90] https://www.icann.org/en/system/files/files/report-comments-raa-data-retention-spec-08jun15-en.pdf

• The approved 2013 Registrar Accreditation Agreement does not address their concerns, nor does the draft specification of data to be collected and retained.
• Only data necessary for the performance of the contract between the registrar and the registrant should be collected, and it should only be retained for those purposes and only for as long as necessary for those purposes. It is not acceptable to retain the data “for other, incompatible purposes, such as law enforcement purposes or to enforce copyright.”
• He cites three key principles of the Directive 95/46 that are not being observed: purpose limitation, appropriate legal ground for processing, and proportionality, including not retaining data for longer than is necessary.
• He cites articles 7 and 8 of the Charter of Fundamental Rights of the European Union.
• He discusses the recent judgment of the European Court of Justice which overturned Directive 2006/24/EC as an unjustified interference with those rights.
• He mentions the anticipated Data Protection Regulation, which will lead to more scrutiny.

The registrars in Europe have been extremely frustrated with this waiver process, and have expressed this repeatedly at ICANN meetings and on their blogs. As the letter from Namazi in March 2014 indicated, 15 waivers had been requested, and only one granted at that point. Not only were the registrars frustrated by the fact that each registrar had to apply and provide evidence that the waiver was necessary even if they were all subject to the same laws, but ICANN had a very lengthy process (roughly a year) to grant the waivers. EuroDNS from Luxembourg applied in December 2013, and as of December 2016, still had not received their waiver even though they provided written guidance from their data protection supervisor.[91]

As of December 15, 2016, 35 waivers had been granted, and are listed on the ICANN website.[92] Now, it is worth noting that there are 50 registrars based in Germany, France, Finland and Denmark alone.[93] Other registrars such as those based in the United States or Australia might also sell to customers in Europe, and the transfer of data out of Europe for data retention purposes would be equally illegal according to the laws protecting European registrants. There are many troubling issues associated with this process, not the least of which is that registrars who pay attention and comply with data protection law are penalized, in legal costs, energy, and publicity, while non-compliant competitors are not.

6.1.10 Privacy/proxy services accreditation issues

In 2015, in response to the call for comments on the interim report of the Privacy/Proxy Services Accreditation Issues working group, Timothy Pilgrim (the Australian Information Commissioner) wrote to ICANN to indicate his view that denying the use of Privacy/Proxy services to registrants conducting financial transactions on the web— including payments for advertising—would affect individuals and thus fall under the data protection law.

6.2 What More Can Data Protection Authorities Do?

In April 2015, I participated with Monika Zalniurute (who was on contract to the Council of Europe to write a report on human rights at ICANN) in the meeting of the Berlin Group in Seoul, Korea, to brief them on the situation at ICANN with respect to privacy and human rights. Zalniurute and Schneider are the authors of the recent Council of Europe (COE) document on human rights at ICANN, “ICANN’s Procedures and Policies in the Light of Human Rights, Fundamental Freedoms and Democratic Values.” There is significant interest in ICANN, despite its rather technical mission and the complexity of its activities, because the data protection commissioners have long realized that, as a key player in Internet governance and development, its policies set the tone for the entire Internet. In the 2014 letter on data retention, Hustinx wrote,

[91] Conversation with Luc Seufer, EuroDNS, December 15, 2016.
[92] https://www.icann.org/resources/pages/retention-2013-09-13-en
[93] Accredited registrars are listed on the internic website: https://www.internic.net/origin.html, accessed December 15, 2016.

We would also encourage ICANN, being at the heart of the future of Internet evolution, and in view of its mandate to serve the public interest on a global scale, to take a lead in ensuring that privacy and data protection are embedded by default, when new tools and instruments or new internet policies are designed, for the benefit of all—not just European—Internet users. (p. 3)

One of the principal irritants with ICANN’s intransigence is that the logical response in terms of enforcement action would be to sanction European registrars who release information in WHOIS, or who are continuing to retain excessive amounts of personal data. However, this mainly benefits U.S.-based registrars, who are their principal competition. Taking an enforcement action against a U.S.-based registrar is inherently more complex, but it may be the only way to get the attention of ICANN’s senior management. I would note here that enforcement of contracts and investigation of abuse falls to ICANN Compliance. In the description of the policy-making process provided in Chapter 4, I focused on how ICANN is structured from the perspective of the multi-stakeholder operations. I have not focused on how the organization functions as a bureaucracy, although that would be an interesting area to research, particularly in the light of enhanced accountability commitments made in the IANA transfer which occurred in 2016. Suffice it to say that there is significant friction between the compliance branch and the contracted parties, who are basically regulated according to their contracts, and the Registrars express their views regularly at ICANN public meetings and in their closed sessions with law enforcement agencies, the Intellectual Property Constituency, and with ICANN senior management and the Board. I have asked whether the compliance branch has audited to verify whether there is unofficial bulk data collection, an issue that affects end users, and received an answer in April of 2017 that indeed there had been no such audits.

It is one thing to ignore a letter, but it is quite another thing to ignore a range of actors saying the same thing, each in his or her own “dialect” as it were (e.g., engineering, security, civil liberties, regional government, etc.). In the implementation committee’s 2015 discussion of the Registrar Accreditation Agreement and the WHOIS Conflicts with Law Procedure, there were several registrars from Europe on the committee, complaining loudly that no one in Europe had managed to get a waiver, and yet the 2013 procedure was then two years old. They demanded a remedy for the situation which did not involve them breaking the law, getting fined, or having their servers seized; but ICANN staff insisted on doggedly repeating that all data protection laws were different, each situation was different, and therefore just because one registrar could prove they would be breaking the law, it did not mean that the next registrar in the same country could also get a waiver. I repeatedly asked staff why they did not simply ask the Data Protection Commissioners what they thought, or at least answer their letter, but this remark was simply ignored.[94]

What more can the Data Protection Authorities do? I have reached the conclusion that ICANN will only respond to legal action, and the Data Protection Authorities would be well-advised to take enforcement action against ICANN as the data controller which requires non-compliance with data protection law as a condition of doing business.

[94] Transcripts of the conference calls for this implementation review group are available at https://community.icann.org/display/WNLCI/WHOIS+and+national+law+conflicts+IAG+Home.

6.3 The Principal Components of Personal Data Protection Rights in Registration Data

The following analysis expands on the correspondence in Table 2 above, and summarizes the key elements of data protection that the Data Protection Authorities have been raising since the WHOIS privacy issues arose.

Table 3. Privacy Issues Related to Registration Data as Raised by Data Protection Authorities

| Topic | Issue first raised | Description of issue |
|---|---|---|
| Purpose | 2000 | ICANN needs to state the purpose of the WHOIS directory, and the permissible uses that flow from that purpose. This issue has been raised repeatedly since then. |
| Data Limitation | 2000 | Only those elements required for the purpose should be collected (repeated). |
| Consent | 2000 | Registrants must not have data disclosed without consent. Employees’ rights not to be included in a public directory are important in this context (repeated). |
| Proportionality | 2000 | Disclosure must be proportionate, where benefits outweigh harm to innocent rights holders (also repeated, since all actions must be proportionate). |
| Accuracy | 2000 | Data must be accurate as fit for purpose, but the burden of verification must be proportionate. |
| Data retention | 2012 | RAA retention for potential use by law enforcement is not acceptable. Retention by many registrars is too high a security risk, particularly with respect to sensitive data such as financial data and IP addresses. |
| Data retention | 2014 | RAA retention not constitutional because of the ECJ ruling on the Data Retention Directive. |
| Accessibility | 2000 | Access should not be universal; it should be based on a showing of need and authority. Access should not be anonymous; users must identify themselves and their reasons. Tiered access is supported (all issues repeated). |
| Data Elements | 1998 | Only the name needs to be public; the rest can reside with the registrar. Telephone numbers and address are particularly sensitive. |
| Uniformity | 2003 | While ICANN desires uniformity in its processes and databases, data protection law is specific that data collection, use, and disclosure be determined on a case-by-case basis. Bulk collection is generally unacceptable, and particularly so in the case of data retention. |
| Automated Processing | 2000 | Search capability in directories needs to be restricted to legitimate purposes. This is a key element in reverse directories (i.e., search by domain name, not name of individual; repeated). |
| Bulk Access | 2000 | Technical measures need to prevent bulk access. Marketing must be prevented. |
| Data Transfer | 2006 | Registrant’s DP rights still apply. |

Note. ICANN = Internet Corporation for Assigned Names and Numbers; RAA = Registrar Accreditation Agreement (ICANN); ECJ = European Court of Justice; DP = Data Protection.

As is evident from even this brief summary, the data protection authorities have raised many issues in their commentaries on registrant data from ICANN’s earliest days and they are usually raised again (repeated) in later interventions. I will examine these issues in further detail in the next section and discuss the support received from other stakeholders at ICANN, as well as the reaction from others who responded either negatively or not at all.

6.3.1 Proportionality

The proportionality principle is fundamental to the interpretation of European data protection law, although it does not appear in the Directive itself. The usual four-part test is:

• there must be a legitimate aim for a measure;
• the measure must be suitable to achieve the aim (potentially with a requirement of evidence to show it will have that effect);
• the measure must be necessary to achieve the aim, that is, there cannot be any less onerous way of doing it; and
• the measure must be reasonable, considering the competing interests of the different groups at hand. (Craig and de Burca, 2011)

The proportionality concept usually appears in some form in most other data protection law or the interpretation thereof. In Canada, it is expressed in the reasonable person test in subsection 5(3) of the Personal Information Protection and Electronic Documents Act (PIPEDA), which states:

The purpose of this Part [of the Act] is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the rights of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances [emphasis added].

The Article 29 Working Party issued a number of recent opinions elaborating on some of the principles in the Directive 95/46, and their collective interpretation of them, for the purpose of illuminating the negotiations over the new General Data Protection Regulation. Of particular interest is their “Opinion 06/2014 on the Notion of Legitimate Interest of the Data Controller under Article 7 of Directive 95/46/EC” wherein they explain in some detail how a balancing test can be applied in interpreting the legitimate interests of the data controller, and the rights of the data subject. In particular they point out that the text of 7(f) means that all relevant interests of the data subject should be taken into account, including but not limited to their fundamental rights. The following paragraphs underscore the importance of this section, and are particularly applicable to the WHOIS service:

At a time when increasing imbalance in ‘informational power,’ when governments and business organizations alike amass hitherto unprecedented amounts of data about individuals, and are increasingly in the position to compile detailed profiles that will predict their behavior (reinforcing informational imbalance and reducing their autonomy), it is ever more important to ensure that the interests of the individuals to preserve their privacy and autonomy be protected.

Finally, it is important to note that unlike the case of the controller’s interests, the adjective ‘legitimate’ is not used here to precede the ‘interests’ of the data subjects. This implies a wider scope to the protection of individuals’ interests and rights. Even individuals engaged in illegal activities should not be subject to disproportionate interference with their rights and interests. For example, an individual who may have perpetrated theft in a supermarket could still see his interests prevailing against the publication of his picture and private address on the walls of the supermarket and/or on the Internet by the owner of the shop. (p. 30)

I contend that ICANN has adopted policies that demonstrate that the interests of those engaged in questionable activity are not respected, and that the interests of all innocent registrants are then sacrificed in a presumption of guilt rather than innocence. ICANN does so in order to justify taking a broad approach that should be considered surveillance.

6.3.2 Purpose

From their first interventions in 2000, the Article 29 Working Group and the Berlin Group asked for a clear statement of the purpose of the directory. George Papapavlou of the European Commission’s Data Protection Division repeated this priority when he spoke at the Rome meeting in 2004.[95] The requirement to state the purpose has also been picked up by the Security and Stability Advisory Committee (SSAC) of ICANN, who included it as a major issue in their “SAC 055 Blind Men and an Elephant Report” (2012), which was their comment on the most recent final report by the WHOIS Review Team. They state:

The SSAC believes that the foundational problem facing all “WHOIS” discussions is understanding the purpose of domain name registration data. The lack of progress in the “WHOIS” debate is not surprising, given this fundamental disconnect on what problem is being solved….

The SSAC believes that there is a critical need for a policy defining the purpose of collecting and maintaining registration data. This policy should address the operational concerns of the parties who collect, maintain, or use this data as it relates to ICANN’s remit. The policy should address at least the following questions:

[95] See Electronic Privacy Information Center history, retrieved from http://www.epic.org/privacy/whois, and link to E.U. Commission slides presented at the Rome meeting at https://www.icann.org/en/system/files/files/papapavlou-whois-rome-03mar04-en.pdf

• Why are data collected?
• What purpose will the data serve?
• Who collects the data?
• Where is the data stored and how long is it stored?
• Where is the data escrowed and how long is it escrowed?
• Who needs the data and why?
• Who needs access to logs of access to the data and why? (p. 4)

These questions are the same kinds of questions that the Data Protection Authorities have been asking. The SSAC also produced a report that maps dataflow in the Registration Data process, “SAC 054, Report on the Domain Name Registration Data Model” (2012), a very useful report that describes the data used by the various actors in the registration process (e.g., registrars, Top-Level Domain registry, WHOIS, etc.).

The issues report released by the ICANN Board in 2015 which set out the mission of the next Registration Data Services Policy Development Process also explicitly requested that the group address the unresolved problem of what the purpose of the WHOIS directory is, as well as related concerns (Preliminary Issue Report on a Next-Generation gTLD RDS to Replace WHOIS, 2015, p. 4). This is a good example of how an issues report can continue to perpetuate a problematic situation: while it would be useful to have an agreed purpose for the publication of data in the public directory (WHOIS) to solve the related concerns about data protection, we need to understand and agree to the purpose for the collection, use, retention, and disclosure of all of the data that is set out in the Registrar Accreditation Agreement. WHOIS is merely the disclosure instrument in a much larger set of nested data protection issues.


As mentioned in the previous chapter, the Generic Names Supporting Organization (GNSO) Council had instructed the 2006 Task Force on WHOIS to use the more limited definition of purpose, because the issue of the definition had become a stalemate and the GNSO recognized the inability to move forward without an agreed definition (WHOIS Task Force Preliminary Report, 2006, p. 4). Nevertheless, that definition has not been accepted as the permanent definition, because it was not the product of a consensus process. It becomes clear when we examine the failure to deal with an issue that there can be a tremendous amount of behind-the-scenes activity revolving around the issues, and yet a conclusive decision or solution may not be reached. I will discuss my conclusions concerning the reasons behind the way that the multi-stakeholder model facilitates a never-ending dialogue without resolution on issues that are anathema to powerful actors in Chapter 7, but the history in the preceding chapter demonstrated that participants in the multi-stakeholder process are aware of—and frustrated by—the futility of working for change.

Given the lack of attention to the efforts of the Security and Stability Advisory Committee to clarify the actual technical needs for data, I conclude that there must be a strategic reason for this. As we know from the history discussed in Chapter 5, the Task Force in 2006 had to break the tie on the disagreement over the purpose of WHOIS, and came up with a narrow technical one as an interim measure. There may be an incentive on the part of the beneficiaries of open access to data to avoid clarifying certain key concepts, and purpose of the collection of data, within the limited remit of ICANN, would be one of those concepts. If facilitating law enforcement access to data about websites on the Internet is not a legitimate purpose (and it clearly is not, because website content is not within ICANN’s remit) then much of the data management now enforced at ICANN can be stopped.

Komaitis discusses a similar problem related to the reluctance to define what a domain is, which has had a significant impact on trademark law development, and I believe there are parallels here to the ineffectiveness of data protection law enforcement. Defining the purpose of data collection is the first step in any data protection analysis.

It is worth noting also, that the Security and Stability Advisory Committee Chair complained at a recent briefing of the GNSO Council (October 2015) that while the SSAC has a key role in advising the ICANN Board on security and stability (ICANN’s central mission), they often have a hard time getting the attention of the Board. There are several members of SSAC participating in the 2015 Registration Data Services Policy Development Process, although they are not doing so as representatives of SSAC.

6.3.3 Consent

The issue of consent of the registrant was raised in the 2000 Berlin Group document, and appears in several other subsequent documents. There are numerous problems with the concept of consent, because over the years that we have been living with data protection law, it has become clear that getting clear, unambiguous, informed consent to multiple actions involving personal information (collection, use, disclosure, resale, reprocessing, analytics, retention, etc.) is almost impossible. Furthermore, the practice of “notice and choice” has degraded the concept, in that individuals have been asked to read—and agree with—80 pages of privacy policies to utilize a website, accept a security upgrade, or download an application they need for their work or school. Nissenbaum made these claims in her work on contextual privacy (2002, 2011). Nevertheless, consent remains a key concept, particularly for further processing which a registrant may not have anticipated. The data commissioners have pointed out that while in principle commercial registrants are not subject to the same restrictions with respect to data protection, their employees have data protection rights and they should be asked for free and unambiguous consent before their names and phone numbers are listed in a public directory.

Regardless of whether consent is truly informed and free, under E.U. data protection law, it is not permissible to ask individuals to consent to something that is not fair or proportionate, nor where the purpose has not been defined. The Experts Working Group on a New Registration Data Service report (2014) foundered precisely because, despite much rhetoric about including privacy and tiered access in the RDS, the recommendation was to make it mandatory that individuals be given the opportunity to consent to the disclosure of their registration data (Perrin, 2014). The Article 29 Working Party has published an extensive document on how to interpret consent, “01197/11/EN WP187 Opinion 15/2011 on the definition of consent” (2011). It seems very clear that the average individual in the global Internet community would not be able to imagine exactly how far his name, address, and cellphone number could travel.

6.3.4 Data limitation

Article 6(1)(c) of Directive 95/46 states that data should be “adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.” This of course leads back to the as yet undefined purpose of WHOIS, but also raises the question of whether the information gathered in response to the 2013 Registrar Accreditation Agreement is excessive. The Commissioners raised this question in the 5/2000 Opinion on reverse directories, the 2/2003 Opinion on WHOIS, and in their subsequent interventions on the WHOIS task force and Review. Demand for new data elements continues to grow, however, with the 2014 Experts Working Group report introducing a new and enlarged set of recommended data elements.

6.3.5 Accuracy

The accuracy of WHOIS data has been a huge issue since its inception. Users who resented the requirement to have their data made public gave false address and telephone data. Criminals did the same. Intellectual property interests and law enforcement agencies have demanded more accurate data, and numerous studies have been commissioned over the years to determine accuracy rates. Registrars have resisted proposals in their contracts that they be responsible for checking, validating, and verifying the contact data of registrants, given that it is expensive and they cannot be held responsible for the behaviour of registrants. Address, phone number, and email changes occur all the time. Governments rarely check the address data of their citizens for other purposes such as health benefits or driver’s licences; they simply apply sanctions if data is not kept accurate by the individual.[96] Under data protection law, demands for continual checking of the accuracy of data must be proportional to the purpose of such accuracy, and if there is no real reason for it, the demand is considered to be excessive. While data protection commissioners have indicated that obviously individuals should be required to provide accurate data, they do not support continual verification of data of innocent individuals for potential use by either law enforcement authorities or intellectual property interests. Furthermore, the purpose of retention of data needs to be relevant. My registrar does not actually need to know where I live, since I pay automatically by credit card monthly and all communication operates over the Internet. Intellectual property interests argue that they need addresses in order to serve legal notices, but it is not clear that their convenience is enough of a reason to permit WHOIS to collect and display this information. The contracted parties have argued that accuracy demands are really a shifting of the economic burden of investigating intellectual property violations from the intellectual property stakeholders to the registrars, as it costs them time and money to verify and validate data supplied by registrants.

[96] I make this observation based on many years working in the federal government of Canada, both in my work in data protection and access to information, where accuracy of data is an issue, and in the social services department (Service Canada, as it was designated from 2007-2012) where I worked on data accuracy and data sharing agreements. Cost is the principal reason to not verify data, as government departments are intensely aware of both the response burden on the public and the cost of verification borne by taxpayers. ICANN, in the view of the registrars and registries who are being asked to assume the responsibility for data verification, is somewhat cavalier about these issues. Intellectual property rights holders also act similarly, as they have an interest in accurate data but are not responsible for paying to ensure data accuracy. Nor do they take any fiduciary responsibilities towards the vast majority of innocent domain name registrants who suffer from having their domains cut off if they fail to report a change in address.

6.3.6 Data retention

There are two aspects of data retention required by ICANN for registrant data, as explained in the section on the Registrar Accreditation Agreement in Chapter 5. The first is the requirement for the registrars to escrow data with ICANN’s escrow agent to ensure that records of the registration are available in the event of a catastrophic data loss at the registrar, either from breach or from the registrar abruptly going out of business. The second is the requirement for the registrars to retain data past the date when they need it for business purposes, for the use of law enforcement. The data protection authorities have pointed out that this data retention is excessive. It is important to note that both the data retention demanded of the registrars and the data escrow required by ICANN with an escrow agent have been determined to be excessive.

6.3.7 Accessibility

The data that is made public in the WHOIS directory is accessed anonymously anywhere in the world. The data protection authorities have pointed out that this violates a fundamental principle in data protection law, that exceptions to protection should be limited, specific, and related to a justifiable purpose. They have expressed the view that this can be achieved by having the registrars hold the personal information, and respond to requests for further information on a case by case basis, and only to named recipients. ICANN has not responded to this, but recent policy development processes to abandon so-called “thin” registries for some gTLDs (e.g., .com) in favour of “thick” registries have proceeded. This is in the name of uniformity and increased availability of data, but it removes the site of potential data access from the original collector or processor (the registrars) to a secondary processor (the registries), depending on how data access for the WHOIS function is configured. In either case, the response burden increases when less information about the domain name registration is publicly available for all three parties, the requestor (which in many cases now is an automated web crawler or bot), the registrar with the relationship to the registrant, and the registry.


One of the principal arguments against the idea of a central repository for all registration data, proposed by the Experts Working Group in 2013, was the fundamental insecurity of such a solution. The Security and Stability Advisory Committee of ICANN (SSAC) advised against this option in their comments to the initial draft report of the Experts Working Group:

The ARDS [Aggregated Registration Data Service] is proposed as the sole source of generic Top-Level Domain (gTLD) registration data to the global Internet community. Reliance on a single system or provider carries a significant risk. There are ways to manage these risks, such as measures to prevent distributed denial of service (DDoS) attacks and directed attacks to gain unauthorized access to the information, but such measures have costs associated with them. Those costs for an ARDS would be high given the unforgiving 100 percent uptime requirement and large load (at least 10 billion queries per month and possibly much more). It is self-evident that the ARDS would be an attractive target for miscreants, and therefore a thorough and complete assessment of those risks is essential. (SAC061 p. 10, footnotes omitted)

It is one of the more interesting aspects of the multi-stakeholder examination of these rather complex information issues, that the legal experts reach the same conclusion about the fundamental insecurity of a solution as the technical experts do, but from a different perspective. The same is true in the reverse, as Braman (2010, 2011) and De Nardis (2009) have pointed out, as the technical experts have an appreciation for the rights of the individual, although they may be unaware of the details of data protection and human rights law. Security concerns include the protection of the end user.

6.3.8 Data elements

The demand for data elements has grown over the years, with the recommendations of the RDS Experts Working Group representing the largest list of desired data to date. The group recommended that there be a series of contacts, including the administrative contact, the technical contact, and a new one, the legal contact. This works well for large corporations, who have legal staff looking after brand protection. It is difficult for small organizations or individuals, who are unlikely to put a lawyer on retainer so that the lawyer’s contact data, rather than the beneficial owner’s, appears in the WHOIS.

Data Protection Authorities have questioned the need for the collection and retention of all the data elements, and their disclosure in the public directory. They have suggested that tiered access be adopted, and that only basic information be provided in the WHOIS, with sensitive data such as address and phone number to be made available only with proper authority, and only from the registrars.

6.3.9 Uniformity

The data protection authorities have pointed out that individuals and legal persons are entitled to protection of their data under the law, and that decisions regarding disclosure must be made on a case by case basis, with the default set on protection. Some disclosures may include more elements than others, depending on the circumstances. They have also noted that, while they have reached common decisions on WHOIS, the actual nuances of each nation’s legislation may differ.

ICANN, on the other hand, claims the need to treat all parties the same, always with a view to making more data public. They also want, for technical reasons, a standard set of data and protocols. This is reasonable; the complexity of the systems, as they introduce more languages and scripts in a rapidly expanding DNS, is making data management difficult. Engineers at ICANN have demonstrated a willingness to tackle the complexity of these problems, although it must be said that contracted parties (registries and registrars) are keen on keeping systems simple and cheap, unless they are going to be paid to manage the additional complexity.

6.3.10 Automated processing and bulk access to data

Article 15 of the Directive 95/46 provides that an individual must have human intervention in decision-making about them, and refers back to Article 12 that provides that they must be told the logic of automated decision-making. Although the data protection supervisors have not focused on this point, I raise it here because of the amount of processing of Domain Name System transactions that goes on unbeknownst to the registrant and their data protection supervisors. As in so many other aspects of personal information flow, one finds out about a use of data when a source or data element is cut off, and the arguments to have it replaced commence. This, I argue, has not really happened at ICANN because the data flow appears not to have been cut off, despite what appears to be significant use of proxy services, and also because so much of the debate is focused on such basic issues as over-collection, retention, and a public directory.

The Directive itself reflects the preoccupation of the day, namely direct marketing (see Article 14). However, big data and data analytics are the preoccupations of today (soon to be outstripped by preoccupations with smart things, surveillance objects and spaces under surveillance, many of which will utilize the Domain Name System). Spam emerged as an issue around the time of ICANN’s creation, and as discussed in Chapter 5, early concerns about bulk data were related to direct marketing attempts (spam) to other registrars’ customers. The data protection authorities noted this in their early work, but it has been less of an issue in recent correspondence.

6.3.11 Transfer to other jurisdictions

I briefly summarized the trans-border dataflow issues in Chapter 3 and the impact that the Schrems v. Facebook decision is having on data transfers (citing Pounder, 2015). The Data Protection Authorities have brought it up in their documents, but it is an issue that has not received enough attention given the recent criticism surrounding intelligence agency access to offshore data after the Snowden revelations.97 European registrars are now focused on it though, and given the difficulty that they have experienced getting permission from ICANN to use European escrow agents, wrote to ICANN to demand recognition of their need to escrow their data in Europe in the light of this decision, and fairness in compensation of escrow costs (see Appendix L). ICANN’s policy was to pay the escrow agent if a registrar used Iron Mountain, but if another agent was chosen (and accepted by ICANN, a process that apparently was also very lengthy), the registrar would have to pay the costs.

97 In 2013, Edward Snowden leaked a large number of secret documents to a group of reporters concerning the activities of the U.S. government, notably the National Security Agency where he worked as an intelligence analyst. The gradual revelations of U.S. practices in accessing communications data have caused many countries to consider keeping their sensitive data, and the personal data of their citizens, at home. (Greenwald, MacAskill, & Poitras, 2013; Lyon, 2015)

6.4 Efforts to Marginalize Data Protection Authorities: Law Enforcement Agencies Versus Enforcement of Data Protection Law

What can we make of this peculiar intransigence? The data commissioners in most countries are either independent ombudsmen, tribunals, or officers of their parliaments, some with powers to fine, seize information and computer equipment, block a data flow, recommend or impose criminal charges, take cases to higher courts for enforcement, and report to Parliaments. In Europe, individuals now have a Charter right to have their data protected under the supervision of a data protection authority. While ICANN relies on the interventions of the Governmental Advisory Committee, rarely are those individuals who participate at ICANN the most senior managers in their governments, let alone independent legal authorities with the status and salary of a judge. It is not clear that all Governmental Advisory Committee representatives have briefed their data protection authorities and legal experts on the positions which they are taking at ICANN; there is a wide disparity in the kinds of delegations that various governments which attend ICANN usually send, and understandably different departments have different priorities.

As I pointed out when participating in the working group that was trying to develop new triggers for the WHOIS Conflicts with Law Procedure, it is often the case that governments are in contention with their data protection authorities or the courts over their own treatment of personal information of citizens, particularly with respect to law enforcement use of personal data. This is why data protection authorities are supposed to be independent of the government. Many data protection authorities, particularly in Europe, are members of the judiciary, a point which Giovanni Buttarelli made when he spoke at the ICANN meeting in Copenhagen in March 2017. This is an important point, but one possibly lost on an American audience whose data commissioner (accepted in the body of data commissioners at the International Conference of Privacy and Data Protection Commissioners) is actually a member of the Federal Trade Commission.98 In the determination of “adequacy” under the EU Directive 95/46, independence of the oversight body was an important factor to be considered (European Commission, 1998).

It is not appropriate for members of the judiciary, or officers of parliament (in the case of parliamentary democracies such as Canada and New Zealand whose commissioners are independent Officers of Parliament) to participate in drafting teams, or the giving of advice to the Board as the Governmental Advisory Committee does. The advice that the data protection authorities have given to ICANN has been described as guidance, and it is noteworthy that the documents are careful in providing general principles, not specific examples.

Nevertheless, as we can see in the response to Jacob Kohnstamm from Fadi Chehade, ICANN persists in taking direction from the Governmental Advisory Committee to gather personal data and provide it to law enforcement.

98 Independence from government of the data protection oversight body is/was one of the criteria that the Article 29 Working Party used to determine whether a data protection regime could be considered adequate. https://publications.europa.eu/en/publication-detail/-/publication/3e6d43d1-9af7-40c3-8407-93b1ed239bca/language-en

Law enforcement officials do not usually participate as stakeholders at ICANN,99 meaning they do not participate in the policy development processes and working groups. Europol and Interpol have observer status at the GAC, and the Federal Bureau of Investigation has representatives who are part of the U.S. delegation, along with Drug Enforcement Agency officials. The Governmental Advisory Committee has in 2015 created an additional Public Safety Advisory Committee, with representatives from law enforcement agencies. Advice arrives at the ICANN Board either in letters or in the official communiqués which are produced at the end of each public meeting (see Appendix I for a list of relevant documents). Historically, civil society representatives and the registrars and registries have complained that the Governmental Advisory Committee advice has had a heavy influence on data protection practices. Sometimes matters are discussed during the meeting between the Board and the Governmental Advisory Committee at the public meetings, but often advice has been delivered in an informal, non-public manner, and stakeholders such as the Registrars Stakeholder Group and the Noncommercial Stakeholders Group assert that these demands are largely unsupported by research and facts. This new public safety committee does not appear likely to be more transparent; the stated purpose of this committee is to provide confidential advice to the Governmental Advisory Committee.

The Governmental Advisory Committee website has limited information available.100 It communicates to ICANN through a communiqué to the Board, after every ICANN public meeting, and much of the Committee’s time is taken up during ICANN public meetings, in reaching a consensus position on advice to the Board. Unlike other stakeholder groups and advisory committees at ICANN, the Governmental Advisory Committee does not meet between the three public ICANN meetings, and it frequently complains to the Generic Names Supporting Organization Council, that it cannot keep up with policy development. This is hardly surprising, given the hours of work each volunteer in a Policy Development Process puts in every week as they develop consensus policy positions.

99 It is perhaps noteworthy that numerous law enforcement officials and private sector security agencies are participating at the latest WHOIS policy development group, the GNSO/RDS PDP.

100 https://gacweb.icann.org/display/gacweb/Governmental+Advisory+Committee

ICANN, through its bylaws, is required to take account of GAC advice. Article I Section 11 states of the mission: “While remaining rooted in the private sector, recognizing that governments and public authorities are responsible for public policy and duly taking into account governments’ or public authorities’ recommendations.” Article III Section c states, “in those cases where the policy action affects public policy concerns, to request the opinion of the Governmental Advisory Committee and take duly into account any advice timely presented by the Governmental Advisory Committee on its own initiative or at the Board's request.” Article XI sets out the parameters for the GAC as an advisory body.

Before leaving this discussion of law enforcement, here is an excerpt from the issues report that the Board requested, to respond to Governmental Advisory Committee demands to act on improving access to and accuracy of registrant data. It is clear that the wish list of the law enforcement agencies represented in this issues report, enforced through the Governmental Advisory Committee, became the driving force behind the 2013 Registrar Accreditation Agreement, which is a source of data protection authorities’ complaints. The 2012 Final Issues Report on the Registrar Accreditation Agreement Amendments illustrates how this was achieved:

In Dakar, the Board conveyed its sense of urgency on this issue, noting that law enforcement agencies and a GNSO working group have developed a list of specific recommendations for amending the RAA to provide greater protections for registrants and reduce abuses. Observing that no action has been taken on these recommendations, the Board stated that it “requires action” on these RAA initiatives and directed the commencement of immediate negotiations between ICANN and the contracted parties to rapidly develop a set of amendments for consideration at ICANN’s meeting in Costa Rica in March 2012. (2012, p. 3)


And on page 15 of the same report:

To address these urgent problems, in 2009 law enforcement agencies made 12 concrete recommendations to reduce the risk of criminal abuse of the domain name system. These recommendations were informally socialized with the registrar community, the GAC, and with ICANN compliance staff over the course of several months, before the GAC advised the Board in its Brussels communiqué that it formally endorsed the recommendations.

These 12 recommendations are listed in Appendix Q, but in brief, they require ICANN to do more due diligence in accrediting the registrars themselves, including criminal record checks and compliance audits; and they insist on open WHOIS access:

The proposed amendments take account of existing EU, US, Canadian and Australian legislation, and those countries’ commitment to preserving individuals’ rights to privacy. These amendments would maintain these protections whilst facilitating effective investigation of Internet related crime. (Law Enforcement Recommended RAA Amendments, 2009)

This claim seems to be unsubstantiated by consultation with the appropriate data commissioners in these territories, a point worthy of future research. The document starts at item 1 by rejecting the entire concept of privacy/proxy registrations, claiming that it violates ICANN’s 2006 commitment to the U.S. government:

“ICANN shall continue to enforce existing (Whois) policy,” i.e., totally open and public WHOIS, and the September 30, 2009, Affirmation of Commitments, paragraph 9.3.1 which states “ICANN implement measures to maintain timely, unrestricted and public access to accurate and complete WHOIS information, including registrant, technical, billing, and administrative contact information.”

The document goes on to list specific required data elements, measures to ensure human (as opposed to automated) registration, data verification techniques, etc. This is very detailed information and, given the absolute impasse experienced in Policy Development Processes in resolving what data must be provided and how data protection is to be implemented, it seems as though law enforcement agencies have reached out through the GAC to determine policy outcomes. Only the Five Eyes countries—the United States, United Kingdom, Canada, Australia, and New Zealand—are listed as authors of this document.

As a member of the Experts Working Group, I note that we had a briefing in August 2013 from a delegation of law enforcement agencies. This meeting was off the record, and I presume this kind of intervention is what is meant by the term “informally socialized.” The registrars regularly have closed-door meetings with the Public Safety Working Group (and prior to its inception in 2015, with a less formal group of law enforcement officials who regularly attend ICANN meetings) to discuss abuse issues.

As Milton Mueller put it in his 2012 comments on the “Interim GNSO Issues report on the RAA amendments”:

I and many others in the broader ICANN community were troubled by the way in which the Board seems to have been stampeded into RAA amendments by a few GAC members. It is important to keep in mind that the resolutions or "decisions" made by the GAC's governmental members are not subject to ratification by their national legislatures, or to review by their national courts. Thus, the GAC has no legitimacy as a policy-making organ and no authority to demand changes to the RAA. As an Advisory Committee, they can and should make us aware of certain concerns, but they are in no position to bypass ICANN's own policy development processes. Furthermore, we continue to be troubled by the failure or refusal of the law enforcement agencies making these demands to liaise with non-commercial users or civil liberties groups. (Mueller, 2012)

Mueller pinpoints the problem of the Governmental Advisory Committee apparently having undue influence over the Board. Furthermore, it is ICANN staff who negotiate the agreements with the registrars themselves, behind closed doors. While some issues surface, and the final document is sent for public comments, it is quite clear that there are many policy issues wrapped into these agreements, and they are not developed through a policy development process. Where does the direction to staff emanate from: ICANN legal counsel, the Board, or the Governmental Advisory Committee? How often are the law enforcement representatives in actual consultation with the Registrars Stakeholder Group? Clearly, ICANN is not working well as a multi-stakeholder organization if a group of observers (the Law Enforcement Agencies), reporting to an advisory committee (the GAC) can dictate the outcomes of such important documents, absent a policy development process. To anyone approaching ICANN from the data protection community or with a legal background, it becomes apparent that the multi-stakeholder experiment is a different world where the rule of law and constitutional rights are not the framework for their policy development.

6.5 Conclusions

Throughout this chapter, I have shown chronologically how the data protection authorities have attempted to engage with ICANN, with little success. In summary, here are my conclusions on that engagement process:

1. Despite rhetoric to the contrary at ICANN, the data protection authorities were interested very early, even before the creation of ICANN, and made their views known through the European Commission, through their annual reports to the Commission, and through their own websites.

2. The data protection authorities started attending ICANN meetings at the invitation of civil society, not ICANN.

3. This activity escalated to putting in comments to ICANN’s processes, and then further to writing directly to the President and Chairman of the Board.

4. While the data protection authorities passed a resolution on investigating potential observer status at ICANN, they do not appear to have acted on that resolution. However, Peter Kimpian (a member of the Hungarian Data Protection Office) is currently on assignment to the Council of Europe and he has been participating in the RDS working group and at face-to-face meetings since ICANN 56 in Marrakech, March 2016.


5. The basic legal issues have not really changed since the first opinion of the Berlin Group in 2000, but they have worsened in terms of scope and depth of data.

In answering the first research question, I would identify the following techniques that ICANN has employed to avoid compliance with data protection law and engagement with the commissioners:

1. ICANN has treated its own procedures and processes as if they were law and regulation. The WHOIS requirements as ensconced in the first iteration of the institution, after the White Paper, were regarded as requirements that could not be changed. This is odd for a multi-stakeholder organization that professes to work via consensus processes. Furthermore, in an organization that was extremely dynamic and changing with the rapid expansion of the Internet, the WHOIS has remained immutable.

2. The procedures that were finally developed (to comply with law) were remarkably difficult to invoke. It took registrars a tremendous amount of time and effort to escrow data in Europe and it was much easier to send it to Iron Mountain, in the United States. The fact that ICANN, at their insistence and by their refusal to pay for any other escrow company, succeeded in securing a U.S. company seems to me to be remarkably unfair and anti-competitive. The WHOIS Conflicts with Law Procedure, ostensibly developed to accommodate registrars in Europe who could not publish customer data in the WHOIS, is extremely difficult to invoke because it does not map onto existing laws, nor the way in which oversight authorities actually operate. Nevertheless, ICANN’s procedure continues to trump the E.U. laws.

3. ICANN insists that their lawyer review the legal material received from an independent data protection authority to determine whether that material is acceptable in order to grant a waiver. Then, they publish a call for comments to review that decision, which places their multi-stakeholder system above national law. (And from my experience with the organization and the comments that I reviewed on this subject, it is clear that amateurs in this area have little understanding in matters of data protection.) This places ICANN’s procedures above the judgment of members of the judiciary (or, in some cases, independent officers of parliaments depending on the jurisdiction) appointed to administer that law. The provisions of the WHOIS Conflicts with Law Procedure cannot possibly be viewed as anything less than a repudiation of the authority of the data protection commissioners. My experience on the committee, which sought to find alternative triggers for the procedure in 2015, was that everything I said about the requirements of the law was ignored, just like the letters from the data protection authorities. While my submissions were not as authoritative as those of the data protection authorities, they were well-informed; and yet they were consistently ignored and deemed out of scope.101 If the WHOIS Conflicts with Law Policy is a concession to the reality of data protection law, it was a concession that could never work, and designedly so.

In the face of this intransigence, and failure to respond to letters and interventions, why did the data protection authorities do nothing? In my view, their failure to react is more inexplicable than ICANN’s failure to engage. Possible explanations, which answer in part my second research question, concerning the implications for data protection law and its enforcement, include the following:

101 For the transcripts and recordings of the meetings, see https://community.icann.org/display/WNLCI/IAG-WHOIS+and+Conflicts+Conference+Call+Schedule. The final report of the Implementation Advisory Group is here: https://gnso.icann.org/en/drafts/iag-review-whois-conflicts-procedure-23may16-en.pdf

1. The data protection authorities may not have wanted to go against the wishes of their governments after the Governmental Advisory Committee had made its views quite clear in 2007. They were engaged in many other fights (e.g., Passenger Name Records or PNR, the SWIFT banking information system, the right to be forgotten) and, as the stakes were lower for this fight, it was possible that it was not worth opening up another front.

2. They did not see how they could sue ICANN; they were focused on their own national registrars and did not want to pursue them, and leave the global giants (from the United States) untouched.

3. There was not enough pressure from the public, and the matter just kept falling off everyone’s list of priorities, always longer than available resources could properly address.

4. As time passed and negotiations started over the new General Data Protection Regulation and the Directive on processing of personal data by police authorities 2016/680 in Europe, it may not have been strategically wise to start this particular fight until both instruments had been enacted.

Whatever the reasons, I believe that failure to act and enforce the law over such a long period of time does bring the law into disrespect, as both Bygrave (2014a, 2014b) and Gellman (1996) have indicated. I discuss this further in my concluding chapter.


Chapter 7 Conclusions

In this chapter, I discuss my findings in response to the research questions, and the conclusions I have reached within this dissertation. I summarize my contribution to the scholarship on privacy and data protection, exploring some of the open questions that other scholars have not yet answered, in this context. As a case study in the avoidance of compliance with data protection law, my findings with respect to how ICANN as an institution has responded to its obligations to respect human rights and act in the public interest make a useful contribution to understanding in detail how organizations manage to avoid privacy compliance. As a not-for-profit corporation and multi-stakeholder organization established with a mandate to act in the public interest, ICANN is quite different from the usual Internet corporations that have been accused of avoiding privacy compliance (e.g., Microsoft, Google, and Facebook). However, I argue that ICANN shares a tactic used by those types of corporations when it takes advantage of the newness of the Internet, and the inexorable speed of technological development, to avoid tackling problems of basic compliance with human rights.

My findings with respect to the relationship of ICANN as an instrument of Internet governance, to the law enforcement community, contribute to our understanding of the challenges we face in managing cyber-security issues while safeguarding human rights. I believe this research is of particular interest as the European Union moves forward with its new European General Data Protection Regulation (GDPR) and with the Directive (EU) 2016/680 on data protection and police data.

In this chapter, I examine a few of the factors in the policy ecosystem that might favour a change in direction at ICANN when the new General Data Protection Regulation comes into force in May 2018. Given the importance of this new regulation and the enhanced rights it grants to individuals, as well as repercussions for data controllers who fail to respect the new regulation, it is easy to overlook other signs of change in policy drivers that—in my view—are also important. I discuss recent developments at ICANN in response to the new regulation, which, while out of the temporal scope of this research, confirm some of my conclusions about the exercise of power at ICANN.

Finally, I enumerate a number of interesting issues for future research and follow up. ICANN is a complex organization and there are many factors and phenomena that I was unable to explore in depth in this dissertation. I discuss possible strategies for those in favour of privacy and data protection rights at ICANN to pursue in the near future.

7.1 Principal Findings

In Chapter 2 I listed several themes I explored in my research, as I investigated my first research question:

How has ICANN managed since 1998 to avoid privacy demands in the Registrars Accreditation Agreement (RAA) and in WHOIS policy more generally?

I grouped these themes into broad categories: political and governmental issues, legal and practical issues, economic issues facing stakeholders, and internal ICANN issues management. I think many of these guiding questions help us understand ICANN’s response, which I outline in the next section.

7.1.1 ICANN’s response

I have shown in Chapters 5 and 6 that there is a long history of ICANN politely (and sometimes less politely) ignoring the interventions of the commissioners responsible for the oversight of data protection. Although the commissioners are appointed under statutory authority, ICANN has preferred taking advice from the Governmental Advisory Committee (GAC) and the U.S. Department of Commerce. These parties have repeatedly demanded free and open access to WHOIS data, in the White Paper (1998) that preceded ICANN’s creation, and in the Articles of Commitment (2009) that reinforces the relationship between ICANN and the U.S. Department of Commerce. The law enforcement community made their demands explicit in the document presented by the GAC on their behalf in 2007, the Law Enforcement Recommended RAA Amendments and ICANN Due Diligence (Appendix Q). Less obviously, ICANN has responded to pressure from other stakeholders with a vested interest in easy access to registrant data, notably the security community engaged in fighting cybercrime, the value-added service providers who process and package registrant data, and the trademark and intellectual property communities. My first and most obvious finding is that ICANN has systematically avoided engagement with data protection authorities and rebuffed their communications and warnings while continuing to develop policy that violates data protection law. In these respects, ICANN is acting in many ways just like numerous other corporations engaged in global electronic commerce. The difference, of course, is that ICANN is a non-profit organization, set up to manage a monopoly resource, the Domain Name System, and it is required to act in the public interest. I will return to this point later, in the discussion on multi-stakeholder aspects of the response.

I identify some of the specific actions that ICANN has taken to manage the issue of privacy without complying with data protection law or the demands of the data protection authorities:

• Providing privacy/proxy services gave registrars a paid service to offer, and provided an “out” for the data protection law requirements with respect to WHOIS.

• Privacy issues arose afresh in the policy development process for accreditation of privacy/proxy services, but the registrars and civil society won a key battle over narrowing the eligibility to use the service. However, the GAC objected to the decision to allow any registrant to use the service, and the compromise reached was to sort this matter out in the implementation committee. Since this was clearly a policy decision, we must ask, will we see another example of ICANN (through its staff who develop the implementation language) working around multi-stakeholder decisions after the fact?

• Articulating the WHOIS Conflicts with Law policy acknowledged the existence of data protection law, but ICANN made the triggers and mechanisms unworkable, thus preventing actual compliance with the law. As discussed in Chapters 5 and 6, the unsuccessful attempts by the data protection authorities to be heard may be viewed as treating them as external voices, outside the community.

• ICANN has effectively stonewalled compliance with data protection law through a series of overly bureaucratic procedures, slow action in performing their own part of the review of applications, and refusal to engage with the complaints by data commissioners that their procedure is unworkable. The new trigger that had been the output of the 2015 effort to fix the WHOIS Conflicts with Law Procedure was posted for public comments in spring of 2017. Data protection authorities commented via the Council of Europe, saying that the WHOIS Conflicts with Law Procedure was simply not an acceptable way to comply with data protection law (Council of Europe, Comments on WHOIS Conflicts with Law Procedure, 2017).

• Requirements for accurate WHOIS information to be collected and disclosed were articulated by the U.S. Commerce Department in the 1998 White Paper, repeated in the Affirmation of Commitments in 2009, and enforced by the Compliance Department of ICANN. Requirements for compliance with data protection law, and disclosures regarding privacy rights, were not followed up by the Compliance Department.

• Further demands for accurate, timely, and complete WHOIS data came from the GAC (Appendix I). In 2007, GAC intervened by advising the Board not to proceed with the Operational Point of Contact (OPoC). They also released their GAC Principles Regarding gTLD WHOIS Services (March 2007; Appendix P). In 2009 and 2010, under the auspices of GAC, a group of law enforcement agencies presented their Law Enforcement Recommended RAA Amendments and ICANN Due Diligence (Appendix Q). GAC then pressed the Board to insist on respecting these requirements in the 2013 Registrar Accreditation Agreement.

There are other examples of how ICANN has made it almost impossible to comply with data protection law, but let us move on to how they succeeded in these procedural manoeuvres. First, there seems to be a heavy reliance on the interventions of the Governmental Advisory Committee who respond after the fact to policy developed by the multi-stakeholder community. As Mueller pointed out in his intervention concerning the Registrar Accreditation Agreement amendments (see Chapter 5), responding to the complaints of the GAC after the fact—or behind closed doors—demonstrates that the multi-stakeholder model is not being used effectively to develop policy. In this case, the Board intervened and staff was directed to negotiate the contract in the GAC’s interests, ignoring work in the previous cross-community working group on the Registrar Accreditation Agreement. In other examples, such as we see in the exchanges between the Article 29 Working Party and ICANN, corporate leadership will point to the multi-stakeholder process that is in progress, or the terms of policies developed by that process, as being more authoritative than the law. I have not been able to find a single instance of ICANN corporate leadership intervening to favour the privacy advocates’ side of this struggle.

As mentioned, in May 2018, the registrars will face the General Data Protection Regulation coming into effect. They have realized that, absent an effective way to invoke the WHOIS Conflicts with Law Procedure—and recognizing that the current policy development process for a new registration data service is mired in disagreement and will take years to finalize—they will have to turn off WHOIS or face potentially large fines. The registrars and registries have made that clear to ICANN, and yet when the registrars and registries were in negotiations, in July 2017, to find a solution in the 2013 Registrar Accreditation Agreement (and all the Registries contracts) to permit registrars to effectively comply with the new regulation, ICANN staff opened these discussions up to “the community.” Since the contracted parties consider their contracts with ICANN to be their business, not policy, they were not pleased to have the process slowed down, when they had less than a year to comply with the new GDPR. The Noncommercial Stakeholder Group fought hard to get a seat at the table and succeeded in getting three, but this ad hoc group was suddenly full of Governmental Advisory Committee representatives, business representatives, and intellectual property constituency members. I suspect that civil society were given three seats simply to justify the presence of so many other stakeholders. None of these parties would be facing fines through the registration data directly.

This recent example to me demonstrates that when it comes to data protection law compliance, ICANN selectively uses the “community” to serve its purpose. Sometimes, they will do things in big committees (like the current Registration Data Services policy development process, with over 120 members) and other times they will do things in private (such as the example Mueller pointed to in the negotiation of the Registrar Accreditation Agreement, or the Experts Working Group on which I served). There are numerous other examples of these kinds of bureaucratic actions.

Earlier, I raised the question, what will it take to change this pattern? Simply put, there have been no negative repercussions for ICANN to date. ICANN is an organization that responds to pressure, lawsuits, and stakeholders who they regard as important, such as the GAC. Absent pressure from a key stakeholder group, or forceful intervention from outside the community, they will not change course. As Mueller and Chango pointed out in 2008, nothing will happen without a strong force impacting the current policy trajectory.

7.1.2 Stakeholder response: Interests and interactions

This brings us to the matter of which stakeholder groups are satisfied with WHOIS in its current state of privacy compliance, and which groups are not. In Chapter 6, I demonstrated that data commissioners are becoming increasingly frustrated with the situation and are aware that they have not been able to influence ICANN, but they have not given up.

The Noncommercial Stakeholder Group continues to fight for data protection compliance but other stakeholder groups have been complacent. Does this mean that ICANN as a multi-stakeholder community really does not take civil society and the non-commercial users seriously? It is certainly evident from the analysis of the various WHOIS studies that the Noncommercial Stakeholders have been active in every study and task force, and have attempted to bring the views of the data commissioners (and indeed the Commissioners themselves) into the discussion. With the support of the three “winning” stakeholder groups—the intellectual property constituency, the law enforcement stakeholders, and the value-added services providers and their clients—ICANN has simply ignored the Noncommercial Stakeholders Group. They alone cannot push to reach a “rough consensus” when so many of the other stakeholders oppose them.

At times during this long argument, the Noncommercial Stakeholders Group have had considerable support from the Contracted Parties House, the registries and registrars. Customer-facing parties do not like to annoy their customers, particularly to benefit third parties who want to pursue those customers for various purposes. They are entirely sympathetic to deterring criminal activity, but most of the requests for customer data are not related to actual criminal activity. However, registries are not usually customer-facing, and many accredited registrars operate mostly through resellers such as web developers and Internet service providers, thus removing them from the customer interface. As discussed in Chapter 5, the first really strong response regarding privacy concerns from actual consumers on the privacy argument was in 2015, during the Privacy/Proxy Services Accreditation Issues call for comments, when a few registrars organized a public campaign. This, I think, was a turning point.


In many instances before this, the contracted parties have caved in to pressure, the proposal for the Operational Point of Contact (OPoC) in 2007 being a case in point. If told that they and they alone will be paying for the extra work data protection entails, it is understandable that the contracted parties would give in to the parties who want continued access to free data.

If privacy advocates have lost the argument with ICANN over data protection thus far, we must ask, why? While examining the three winners (intellectual property holders, law enforcement representatives, and value-added service providers), I looked for the answer to the simple question, why does privacy lose here? This brings me to the findings in response to my second question:

What are the implications of ICANN’s WHOIS failure for global data protection in the context of the Internet and of Internet governance or regulation?

In exploring why the privacy advocates and the data protection authorities failed in their arguments, I established the following:

• Clearly, the U.S. government set up ICANN with specific instructions to protect the interests of trademark and intellectual property owners by making data about registrants freely available. Building on that base, the Intellectual Property Constituency and business stakeholders have carried on pushing for more data, greater accuracy, and significant increases in both time and staffing resources in ICANN’s Compliance Department to protect their interests.

• Cybercrime has blossomed throughout the period that ICANN has been expanding, and most, if not all, countries and companies are highly dependent on private sector cybercrime investigation and enforcement to deal with the problem. Data protection interferes most with private sector investigation, whether it be phishing and pharming attacks, or intellectual property violation, because, unlike law enforcement, they do not have the ability to get a subpoena or other legal instrument easily. Furthermore, the extremely high volume of attacks and the common use of recently-minted, throw-away domains registered with false data make fast, bulk data access extremely desirable in fighting phishing and malware.

• Information services have sprung up to serve law enforcement, cybercrime investigators, intellectual property interests, and “domainers” (the domain investment community). Those services are now in the hands of powerful information aggregators (e.g., Thomson Reuters) and those players will be difficult to dislodge from the marketplace. The balance that Mueller (2007) describes between the market and the commons has been tilted to favour the big global corporations; disrupting that market now might prove difficult.

• The economic reasons to support business and IP interests, as well as the information services industry, which now has a major stake in value-added services products and businesses, appear to be overwhelming. Small business is not well represented at ICANN or in GAC delegations, and while their privacy interests are similar to those of the individual, they have not presented themselves and their economic arguments at ICANN.

• American companies and their needs are well represented in the ranks of all three groups; this includes law enforcement as U.S. law enforcement focuses on protecting the big U.S. companies against Internet fraud and theft. The U.S. government and U.S. businesses still have a dominant influence at ICANN and over the Internet more broadly (Hill, 2014, p. 81; Mueller, 2017).

Before leaving this discussion of the stakeholders, I have noted in Chapters 5 and 6 that the Security and Stability Advisory Committee (SSAC), while not coming out strongly in support of compliance with data protection law, have detailed many concerns about the failure to identify the purpose of the collection, over-collection of data, the risks of unauthenticated or anonymous access, etc. These technical and security concerns map to privacy concerns. While the SSAC is not a stakeholder group per se, their members are drawn from across the spectrum of stakeholder groups represented at ICANN. Their increasing participation in WHOIS discussions, and their members’ continued work through the Internet Engineering Task Force (IETF) on better protocols that would permit tiered, authenticated access, could be a force for change.

7.1.3 The failure of the data protection commissioners to enforce the law

One of my major conclusions in this dissertation is that if the data protection authorities are not prepared to enforce the law, data protection is following the course that Bennett and Raab (2006) have described as a “race to the bottom.” Importantly, there have been no negative effects on ICANN for not complying with data protection law. No civil liberties group has taken a registrar or registry to court; the data protection authorities have not taken an enforcement action against ICANN, nor against a member of the contracted parties community at ICANN. No contracted party has sued ICANN for forcing them to break the law, thus putting them at risk of seizure of equipment or jeopardizing customer relations. This may change when the European General Data Protection Regulation comes into effect in 2018, but the lack of change in policy during my research time frame, in my view, is directly attributable to the lack of repercussions for maintaining open access to WHOIS data, and steadily increasing the data collection, retention, and disclosure. In general, the country code top-level domains have demonstrated better compliance with data protection law (Cojocarasu, 2008), and it appears that data protection authorities have focused their efforts on them, since they are squarely within their jurisdiction. I base this observation on recent discussions with several legal counsels from various commissioners’ offices, and my own work experience at the Office of the Privacy Commissioner of Canada. Focusing on the ccTLD registries avoids dealing with ICANN and offshore registries, because ICANN does not direct the policy of the ccTLDs. Given resource constraints, it is possible that data protection authorities simply decided to deal with what was squarely their jurisdiction, and ignore the much riskier prospect of pursuing a California non-profit corporation that would surely argue in court that it was not the controller of the personal information.

I have discussed the fact that the data protection commissioners, in general, avoid enforcement actions and prefer to discuss their views with data processors and controllers. Although this does not automatically lead to compliance, most businesses are reluctant to be seen in the court of public opinion as scofflaws, so they will make reasonable efforts to meet the data protection authorities halfway. It seems to me that ICANN’s promulgation of the WHOIS Conflicts with Law Procedure was that kind of gesture, albeit an empty one, to meet the data protection authorities halfway, and to claim to civil society advocates that the privacy problem was solved. I have demonstrated several key points about that procedure in Chapters 5 and 6:

• Various responses to the data protection authorities point to that procedure as an ICANN privacy policy or remedy (e.g., Letter from Cerf to Schaar, March 2007).

• The procedure was not successfully invoked until 2015; yet no enforcement action was taken.

• ICANN deliberately obstructed the Article 29 Working Party’s attempts to get European registrars in compliance with E.U. law rather than the Registrar Accreditation Agreement contract; yet again there was no enforcement action (see Chapter 6 for a discussion of the Kohnstamm attempts to get waivers for registrars in all member states).

• The data protection authorities were aware that the procedure was not working, but they apparently made no attempt to influence the outcome of discussions by joining the Governmental Advisory Committee delegations to ICANN meetings. Nor did they send their own representatives to attend ICANN meetings, as announced in the 2009 resolution of the International Conference of Data Protection and Privacy Commissioners to explore sending representatives to ICANN.

• No stakeholders forced the issue by complaining or launching a court action of any kind. In particular, none of the registrars stood up to ICANN and violated the terms of their contracts; they appear to have gambled that the law would not be enforced, but the contract would.

The failure to enforce the law is understandable but regrettable, and adds to the impression that data protection law is not enforced.

7.1.4 What are the implications of the failure to address privacy demands in registration data?

In addressing the second research question, the implications of this failure to address privacy demands in registration data, I have explored in this dissertation a number of key issues.

• Public interest: The public interest is not being served by ICANN, a multi-stakeholder organization bound by its commitments to, first, the U.S. Commerce Department and now to the Empowered Community mandated in its new, post-IANA (Internet Assigned Numbers Authority) transition bylaws, to serve the public interest.102 Ignoring national data protection law is not serving the public interest.

• Human rights and the “bottom-up process”: The privacy and human rights of Internet users are being ignored, which is a contradiction of the ethic of “bottom-up policy development.” This ethic of “bottom-up policy development” was part of the rationale for the creation of the stakeholder groups at ICANN and the procedures for developing consensus policy (see Weinberg, 2001, for a full discussion of whether the mechanisms of rough consensus and bottom-up decision making are actually working at ICANN in comparison with the Internet Engineering Task Force). Those who purport to represent the bottom, that is the global end users, include the Noncommercial Stakeholder Group and the At-Large Advisory Committee, but they have not been able to represent the desire of end users to have their privacy and legal rights protected in a way that has found traction at ICANN.

• What the GAC protects: I would point out that the Governmental Advisory Committee (GAC) also claims to represent the citizens, but the country delegations rarely bring those members of government whose task is the protection of privacy or human rights to the meetings, so the particular aspects of protecting the citizen which GAC discusses are criminal law, cyber-law (e.g., anti-spam), and the rights of consumers to look up websites and find out who registered the domain (consumer protection). Certainly, end users want protection from cybercrime and spam, and the entirely separate issue of web e-commerce is also well understood as a consumer concern, but privacy is a concern of consumers everywhere, and yet the GAC rarely if ever addresses it explicitly with concrete recommendations. The Federal Trade Commission (FTC) is prominent at the GAC and they have a broad consumer mandate which includes privacy, but the arguments for consumer protection made at ICANN reflect a concern regarding cybercrime, not privacy rights. The FTC has a very mixed mandate, unlike the data commissioners. Investigating why and how GAC representation is as currently constituted is worthy of further research, focused on the individuals and organizations who have participated in privacy discussions, and their actions and policy positions.

• Due process and constitutional protections: In the absence of a formal, agreed definition of the purpose of WHOIS and, more broadly, the collection, use, disclosure and retention of registration data, the door has been left open to some stakeholders implicitly defining the purpose of WHOIS as serving law enforcement agencies and private sector cybercrime investigators. This is dangerous, as it facilitates law enforcement and private sector actors bypassing due process and the constitutional protections of nation states. ICANN is a corporation, with very imperfect public access to information rights, no privacy policy or rights, and it operates outside the reach of constitutional protections that would govern the actions of a government agency.

• Content regulation: Informal mechanisms for obtaining personal registrant information and the precedent set by allowing trademark enforcement through informal means facilitate ICANN getting further into content regulation, which is outside its remit and exacerbates the problem of due process.

• Owning a piece of the Internet: Privacy facilitates participation on the web, and failure to provide it may force groups and individuals to use platforms such as Facebook instead. The argument is frequently raised by those who argue against embedding privacy for individuals within the RAA that no one needs a domain name to participate in the Internet. They can use a proprietary platform, and scholars have pointed to a transition in use of the Internet from the original conception of individual participation to one of users of platforms and social media interfaces (Tufekci, 2016). Forcing individuals to resort to platforms decreases the democratic, open participation of all individuals in the Internet and contributes to the growing oligopoly of certain key multinational companies who exert undue influence and power over this vital communications network.

• The ICANN Commons: Names, numbers, and registrant information. Failure to establish reasonable boundaries on what is acceptable use of personal data in the context of what Regan describes as the “common pool resource” (2002) decreases the inherent value of that “commons,” disrupting what Mueller (2007) has described as the balance between the market and the commons. For example, failure to enforce the restrictions on bulk data access which ICANN has put in the RAA has resulted in many value-added services vacuuming up the personal data of individuals and distorting the market by allowing some actors to just grab the data without paying for it (as specified in Article 3.3.6 of the RAA). Services which sell historical data from WHOIS charge end users annual fees to continually remove their personal data from the listings. End users who made the mistake of listing their phone numbers or address will not be able to expunge the records, because of the inability to follow the data trails. Continued failure to enact a privacy policy and enforce it makes negotiation of boundaries in the information commons increasingly difficult as dominant actors become more consolidated.

102 After the Commerce Department transferred the responsibility of managing the Internet Assigned Numbers Authority to ICANN in October 2016, a new entity called the Empowered Community became responsible for the enforcement of the Affirmation of Commitments and the other ICANN bylaws, which were updated to comply with the new structure.

This is a long list of implications arising from the failure to respect data protection and the needs of the end user, underscoring the need for change.

7.1.5 Prospects for change in privacy outcomes

The enforcement of data protection law has been discouraging for all the reasons Bennett and Raab (2006), Bygrave (2015), and Korff and Brown (2010) discuss. Certainly, the development of the Internet has been rapid, and ICANN, as an institution, has been developing equally rapidly. Even if its organizational maturity level in terms of human rights and adherence to the rule of law has not kept up, this does not mean that the lag is a permanent situation. It may, however, take a major force to accelerate its adoption of better practices.

I summarize some of the reasons that privacy has lost thus far:

• Once established, change will require a major opposing force to enter the system, as Mueller concluded in 2008. As I have discussed, as a corporate entity, ICANN has been able to keep the data protection authorities outside the system and manage the stakeholders within the ecosystem. Their risk assessment of the chances of privacy compliance action appears to have been that the likelihood is low. If they are correct, and the data protection authorities do not enforce compliance, change will depend on other actors, and confidence in the data protection regime, with data commissioners responsible for oversight, will diminish.

• Faith in the multi-stakeholder model has kept civil society within the “ICANN bubble.” A better tactic may have been to launch a global campaign of complaints to the data commissioners of the world. In this respect, is it relevant that civil society at ICANN is overwhelmingly represented by Americans, and they have no data protection authority to whom they might complain? ICANN has made no claims for privacy that I can identify that might result in a successful complaint to the Federal Trade Commission.

• End users themselves have not complained in sufficient numbers to attract a champion or “policy entrepreneur,” as Bennett (1992) and Regan (1995) both describe it, among government authorities. Awareness of this issue and its importance is very low, partly because of the lack of public awareness of ICANN and how it functions. Readers of this dissertation will note that ICANN is an opaque organization, replete with acronyms and obscure discussions of the inner workings of the Domain Name System, and the organization makes very little effort to explain its data protection practices (or lack thereof) to a broader public. Nevertheless, the campaign run by the registrars during the Privacy/Proxy Services Accreditation Issues consultation period illustrated that registrants understand the loss of their privacy at a basic level and can be motivated to protest in the many thousands.


• The language and concepts of data protection law may seem impractical, extreme, and out of touch with concepts of privacy on the Internet, particularly among those who are motivated to register a domain name. While the proxy services example shows that the urge for protection from intrusion is still real, the privacy rights of end users need to be reframed and explained more fully to end users.

7.1.6 Outsider status

I have examined how the civil society stakeholders inside ICANN attempted to point to the advice of the data protection authorities, invited senior officials to meetings, repeated their arguments and cited their opinions and letters in the various task forces and comments, and yet the Noncommercial Stakeholders Group were still unsuccessful in advancing the privacy arguments. Data protection authorities have not participated as stakeholders in ICANN and their input is often treated as correspondence, not as official comment requiring official response. This may have important implications for the multi-stakeholder model. It should not be necessary for a party to attend ICANN meetings and participate for their interests or views to be taken into consideration at ICANN. This is particularly true when we are talking about enforcement of national laws and compliance with broadly accepted human rights requirements, such as the Universal Declaration of Human Rights. Understanding how the data commissioners regard the response of ICANN to their concerns is an interesting matter, worthy of further research.

It may also be the case that civil society actors, as represented in the Noncommercial Stakeholder Group and the Regional At-Large Organizations, are also outsiders. The lack of effective conclusions to the broad range of activities and efforts that civil society has made at ICANN in an attempt to protect user rights is discouraging, and worthy of further research. If civil society is not regarded as an equal stakeholder, the multi-stakeholder model has serious flaws.


7.1.7 Differences in style of law: Data protection versus intellectual property law

While it is certainly true that data protection law develops on a global level through Court decisions, data protection commissioners are not usually litigious or inclined to take parties to Court, or to impose fines and sanctions where they have binding powers and the ability to impose sanctions themselves. Usually, the data protection commissioners have had more success by making their views known, publishing the findings in response to complaints, and getting the behaviour of the data controllers and processors to improve (Bennett and Raab, 2006; Schwartz, 2013). Even in some of the more longstanding dialogues (e.g., Microsoft Passport and automatic updates, the Passenger Name Record data discussion, or the Facebook privacy policies), the data protection authorities have established a dialogue and discussed the matter rather than sued a data controller. They have showed a sustained interest in ICANN over many years, and yet have failed to establish an effective dialogue. There could be many reasons for this failure, as I describe in Chapter 6. I speculate that this could stem from the following factors:

• Data commissioners are more used to dealing with governments or companies. Governments usually are required to negotiate following the rule of law, and companies are cognizant of the court of public opinion. ICANN is a different kind of organization.

• The data commissioners may be unwilling to get involved in the strange multi-stakeholder politics at ICANN. I can testify from personal experience that effective participation requires a very significant workload and research commitment. Even from the earliest days, the data protection authorities could see this. Participation in meeting locales around the world requires international travel, difficult to obtain in most under-resourced data protection offices.

• They were aware that their governments were on side with ICANN and supporting law enforcement and intellectual property interests. In the case of European commissioners, at least after 2012, the new draft General Data Protection Regulation had been made public, and outcomes were uncertain. They may not have wished to undertake a battle with ICANN which could be described by adversaries as interfering with the growth and development of the Internet, or the efforts of law enforcement to fight crime. The politics of this, after the show of support from international law enforcement authorities during the study of proposed changes to the RAA, would have been challenging for data protection leaders (see the letters from law enforcement authorities included in the Initial Drafting Team Report on Improvements to the RAA, 2010, pp. 143-146).

• There were not enough complaints from citizens to warrant escalation, or perhaps data protection authorities felt the legal case might be weak or difficult to enforce because of the efforts ICANN had made to mitigate their non-response to legal requirements (e.g., the WHOIS Conflicts with Law Policy, and the acceptance of privacy/proxy services).

However, ICANN has been singularly unresponsive to the attempts of the data protection authorities to strike up a dialogue. The most recent attempt occurred during ICANN 58 in Copenhagen in March 2017 with the visit of the European Data Protection Supervisor Giovanni Buttarelli, the United Nations Special Rapporteur for Privacy Joseph Cannataci, the Data Protection Officer for Interpol Caroline Goemanns, and the Article 29 Working Party Vice-Chair Wilbert Tomesen. The Council of Europe strenuously tried to get a panel discussion of data protection requirements in the light of the upcoming General Data Protection Regulation on the agenda for this meeting, supported by the Noncommercial Stakeholders Group. This event very nearly failed to take place, because of mysterious bureaucratic foot-dragging and failures in communication on the part of ICANN staff. The event happened, but without the fanfare that might have been expected for such an important group of dignitaries. There has been very little follow-up to this event, and no pictures were taken, which is unusual for an ICANN public meeting, characterized by all kinds of photo opportunities when dignitaries visit. It is hard not to get the impression that ICANN is trying to downplay the significance of this visit, just as they have done to the significance of the extensive correspondence with the data protection authorities. Nevertheless, the visit and discussion had a significant impact, particularly on registrars and registries, who asked many questions in the open sessions and the Registration Data Services working group meeting. The contracted parties have become deeply concerned about the risk of fines that ICANN is forcing them to take if they comply with their contractual obligations.

A final thought on this topic of the differences in style of law: one frequently hears complaints at ICANN that data protection law is not harmonized, that jurisdiction issues are difficult, and that the realities of trans-border dataflow make compliance in one state but not another a waste of time when dealing with a global Internet. In response, I argue that these problems are equally challenging in criminal law, intellectual property law, and trade agreements. As I have detailed in earlier chapters, there is a desire to disregard the privacy problems associated with the global reality of ICANN’s ambit, the multi-jurisdictional problem, and the interpretation of privacy law as impractical or impossible to attempt to solve, while focusing on solving similar problems in criminal law and intellectual property law enforcement. This is despite the fact that the data protection authorities have repeatedly written clear, plain-language, short papers explaining the data protection issues. They have sent a joint letter from all European data protection authorities, explaining that all European registrars will need an exemption from the WHOIS and escrow requirements. It is certainly the case, as Korf (2010) and Bygrave (2015) have pointed out, that jurisdiction is a crucial issue and harmonization of laws could be improved, but the data protection authorities have really tried to make this easy, and have been more or less ignored. A privacy policy, backed with a privacy impact assessment, would make this matter quite simple, but during the period covered by this research ICANN has refused to consider this. As Schwarz (2013) has pointed out, the avoidance of a collision between the United States and Europe over their differing approaches to data protection in the 1990s was achieved through negotiation of three instruments to provide alternative means of protection: the Safe Harbor Agreement, binding corporate rules, and negotiated contractual clauses. In the efforts to get those alternative mechanisms, the global corporate community took leadership roles, as Schwarz has detailed. This has not happened with respect to ICANN’s issues; instead, there has been a concerted attempt to ignore them.

7.1.8 Competitive and economic issues

Chapter 5 discusses compromises that have been made in policy and implementation struggles, and how most WHOIS policy processes have failed to reach satisfactory conclusions. This failure to reach conclusions favours early participants from the World Intellectual Property Organization (WIPO), who achieved their goals and demands stated in the 1996 WIPO paper through the U.S. Commerce Department embedding them in policy at the birth of ICANN. I have identified the intellectual property stakeholders, value-added services providers, and business clients of law enforcement agencies as the “winners” in the WHOIS argument and note here that these stakeholders are extremely important to the new economy. It is not clear that enforcing data protection law for individuals is a high enough priority to risk any interference with business and law enforcement interests.

7.2 Research Contributions

7.2.1 Privacy scholarship

This case study of ICANN demonstrates how difficult enforcement of data protection law can be in a particular situation that is at the core of running the Internet. Bygrave (2014b) and Cohen (2012) each discuss the generative power of the new technologies, and there is no question that the appetite to slow down the globalization and expansion of the Domain Name System (DNS) is not yet there. Because this system is the backbone of electronic commerce, obstructing the growth and development of the DNS would be construed as unhelpful in many circles, notably within ICANN itself, but also in the electronic commerce and telecommunications branches of government.

Is this a factor in the reluctance of the data protection authorities to take enforcement action? The rhetoric of east coast code slowing down west coast innovation (Lessig, 1999) is prevalent in Internet audiences such as at ICANN. It is not the technology experts in the Security and Stability Advisory Committee who are advancing this argument (or rhetoric), however; they have instead been asking for the requirements to build a better system. I believe that technologists, even those working for the corporate giants, realize it matters a lot when the management of the DNS does not respect privacy law. If data protection authorities were to publicize the problems they have faced, much as the registrars advertised the potential loss of privacy/proxy services to their clients, there could be a significant consumer reaction.

The interplay between the development of the DNS systems and protocols, with their potential for privacy by design (Braman, 2011; Denardis, 2009), and the development of DNS policy through ICANN, demonstrates a lost opportunity. I pointed out in Chapter 5 that the Security and Stability Advisory Committee (SSAC) documents demonstrate that the engineers and technical experts are very often asking the same questions as the data protection authorities; privacy and security, as goals in system design, are often well aligned. If civil society and the data protection authorities are frustrated by the lack of progress in WHOIS, so are many engineers who have been designing protocols that have not been fully utilized, that are awaiting implementation, and that could do much to assist in the implementation of data protection requirements. As I have indicated in Chapter 5, there were a great many SSAC representatives at the new registration data services policy development process, and they are more aligned with the Noncommercial privacy advocates than with the representatives of the three winning stakeholders. This constitutes a shift in the representation on WHOIS task forces, although it has certainly been the case that prominent technologists like Karl Auerbach (1999, 2002) spoke out on privacy from the earliest days.


Although the privacy community has discussed privacy enhancing technologies (PETS) since 1994, and “privacy by design” since 2000, 103 the standardization work to implement privacy by design has been slow. Just as privacy law lags technology development, it is difficult to produce privacy standards in all areas of technological development when there is a race to meet market imperatives on the part of innovators. One important aspect of the multi-stakeholder model, as demonstrated at ICANN, is that if stakeholder groups could break out of their siloed isolation (that I describe in Chapter 4) there is a potential to find common interest in developing better solutions. This is unlikely to come from the intellectual property, law enforcement, and value-added services groups who are currently relatively satisfied with the status quo. However, SSAC members, the registries, and the registrars have a common interest in building better systems and avoiding data protection enforcement action. A few civil society representatives at ICANN are also active at the Internet Engineering Task Force and SSAC; studying how they interact and whether there is indeed common interest in cooperation would be a useful area for further research (see also Doria, 2014).

This research also presents a case study in the failure to respect national privacy law in an international context where there are complex trans-border dataflow issues. Domain names operate globally, despite many national restrictions on Internet access, and may be bought freely from multiple registrars and resellers. Writers who addressed trans-border dataflow challenges have been pointing to this kind of jurisdictional problem for decades (Schwartz and Reidenberg 1997; Bennett and Raab, 2006); this case study clearly demonstrates that the problem is a current reality in the management of the DNS.

103 The concept of Privacy Enhancing Technologies (PETS) was prominently showcased to data commissioners in the 1994 International Conference of Privacy and Data Commissioners, hosted in the Hague by the then Dutch Data Protection Commissioner Peter Hustinx. Zero Knowledge Systems held an important conference entitled “Privacy by Design” in Montebello, Quebec, in November 2000, but the term was coined at an earlier Computers Freedom and Privacy Conference. See Roger Clarke, Notes for the Workshop on Freedom and Privacy by Design, 2000. http://www.anu.edu.au/people/Roger.Clarke/DV/CFP2000.html.

Bygrave dissects the problems carefully but is not optimistic about solving them (2014b). While I agree that the problems have been intractable thus far, we are accumulating a number of Court decisions that indicate a willingness on the part of the judiciary and the data protection authorities to tackle these difficult problems (e.g., Schrems v. Facebook, 2014; Common Statement 104 by the Contact Group of the Data Protection Authorities of the Netherlands, France, Spain, Hamburg and Belgium, 2017). It is crucially important for the future of data protection law, in my view, that data protection authorities demonstrate an invigorated appetite to enforce across borders after the new General Data Protection Regulation comes into effect in May 2018. Again, the WHOIS Directory is a relatively simple issue compared to many others, and once it is recognized that ICANN is the controller, there is a large, very visible target. If the data protection authorities do not act, I would be surprised if a civil society organization does not take a complaint to them and/or sue the data commissioners for inaction.

7.2.2 Internet governance

As I have mentioned throughout this dissertation, while I am not focused on Internet Governance Scholarship in general, this privacy case study is important as a contribution to the understanding of ICANN’s accountability and implementation of basic human rights. Throughout the discussions of the Internet Assigned Numbers Authority (IANA) transition, there has been a working party 105 attempting to get the concept of human rights compliance accepted in the ICANN bylaws. The Council of Europe sponsored a paper on this topic (Zalniurute and Schneider, 2015) and there has been much discussion of the potential to adapt the “Ruggie principles” for ICANN. The Ruggie principles refer to principles of corporate responsibility first requested by the United Nations Secretary General and then developed by an international team of experts led by John G. Ruggie, an eminent political scientist and Harvard professor. Intended as a guide for the investment industry, these principles were then adapted for broader business activities in order to promote interests such as human rights and environmental protection (UN, 2011).

104 https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/common_statement_16_may_2017.pdf

105 At ICANN, a working party is not the same as a policy development process; it is basically a cross-community discussion group. In order for recommendations to move forward, another group (usually the GNSO) has to take the initiative to start a formal policy development process, with the results of the working party as input to the terms of reference.

I would argue that ICANN should first comply with law; this case study presents a compelling argument that it is time for ICANN to respond to existing, well-known, and enforceable data protection law. This is not to say that the human rights initiative is not important, it certainly is, but it is infinitely more complex than data protection compliance in a public directory available globally on the Internet.

What does failure in enforcement of law mean, then, in terms of the success or failure of the multi-stakeholder model of Internet governance? One has to evaluate that issue fairly, in comparison with the many failures in data protection compliance elsewhere, both on the Internet and in more human-to-human transactions. In September 2017, for instance, the world learned of the breach of detailed credit information of 143 million individuals at Equifax, through what appears to be shockingly negligent security standards. Credit reporting is one of the oldest, most well-known privacy issues, debated and legislated since the 1970s. Data breach notification standards have been improving steadily since the famous Choicepoint breach in 2004 (Perrin et al., 2005); in other words, Equifax should have behaved better. In short, ICANN is neither the first nor the worst actor in terms of non-compliance with privacy norms and legislation. However, the metrics on data protection compliance are not easy to find, and this is an interesting area for further research as well. 106

In 2017, the status quo embodies a policy position that is becoming all the more glaring as a denial of rights when there are 120 countries with data protection law, and the alleviating measures introduced are not working (e.g., WHOIS Conflicts with Law Policy, alternative escrow agents). This adds an important element to current discussions about accountability at ICANN in the wake of the October 2016 IANA transfer, when ICANN left the oversight of the U.S. Commerce Department and became a truly independent multi-stakeholder organization. However, these are not new questions. Many scholars questioned ICANN’s accountability at its birth (Froomkin, 2000b, 2002; Palfrey, 2004; Weinberg, 2001). Froomkin (2002) wrote a withering rebuttal to Joe Sims and Cynthia Bauerly’s attack (2002) on his article, “Wrong turn in cyberspace” (2000b), in which he summarizes:

The DOC [Department of Commerce] relies on ICANN to advise it, and to take decisions that the White Paper suggested the DOC desires, but that the DOC does not choose to take directly. When the DOC allows ICANN's decisions to go forward without countermand, and most clearly when the DOC itself acts on ICANN's advice, the DOC commits the sort of agency action that the APA [Administrative Procedure Act] and the Constitution exist to constrain. And if the DOC's attitude is so completely hands-off that it defers to ICANN without considering the substance of ICANN's decisions, then we have reached a point where there is cause to reawaken the slumbering nondelegation-to-private-parties doctrine. Or, if we allow agencies to contract with ICANN-like bodies to make de facto regulations for them, we should at least embark on an open discussion of the implications for democratic accountability in the modern administrative state. (Froomkin, 2002, p. 123)

106 As discussed in Chapter 5, Bamberger and Mulligan (2010, 2013) have been doing interesting work on measuring actual compliance, but there is much work to do in this field of research. My favourite example to cite is a 2013 research project done at the University of Toronto Faculty of Information (funded by the grants and contributions program of the Office of the Privacy Commissioner) that studied signage on video surveillance cameras in downtown Toronto. The study found that some commercial establishments did not realize there is a law, many were not aware that security cameras were covered by the law, and the notices were all adequate. No one has yet claimed the $100 reward for finding a minimally compliant surveillance camera installation that meets the private sector privacy legislation (PIPEDA) requirements, but there has been no enforcement action taken on any of the installations. Standards are low, when it comes to privacy compliance metrics. http://surveillancerights.ca/watching-about.html

Can ICANN be said to be acting in the public interest, in fulfillment of its requirements under the accountability framework put in place subsequent to the IANA transfer? If not, will measures be taken to comply with law? Now that the contractual link to the U.S. Department of Commerce has been severed, will the multi-stakeholder community act to change its contracts to reflect global data protection legislation, or remain with the current policy position, requiring an open registry of everyone who rents a spot on the Internet?

From a policy perspective, this case study is interesting quite apart from its implications for the failure of data protection law enforcement. In establishing ICANN, the U.S. Commerce Department essentially delegated the management and the policy development for the Domain Name System to ICANN. ICANN itself has ostensibly delegated policy development to the stakeholders through the Generic Names Supporting Organization (formerly the Domain Name Supporting Organization) and thus the Board is able to deny management of the policy debate, although they ultimately must accept policy recommendations and therefore still have management responsibility. Numerous scholars have questioned whether the multi-stakeholder system is working, or if it even resembles a democratic institution (Froomkin, 2000b, 2002; Palfrey, 2003; Weinberg, 2000, 2001). Furthermore, civil society has long argued, and I agree, that compliance with Governmental Advisory Committee advice, however it has been described over the years, amounts to policy-making outside the official policy development process that ICANN professes to espouse. Since Froomkin (2000b, 2002) essentially asked these same questions seventeen years ago, it is important to demonstrate concretely, as I have done in this dissertation, that the multi-stakeholder model is actually serving the interests of the U.S. government that it professes to be avoiding.


7.3 Actions That Privacy Advocates Could Take to Change the Outcomes

7.3.1 Practical solutions to a big problem

As discussed above, since the coming into force of the European Directive in 1998 and the commercial expansion of the Internet, there have been many who have argued that the battle is lost and we have no privacy (Brin, 1999; Froomkin, 2000a). Bygrave (2014b) argued that while it appears that law may be in its usual stance of “catching up” to technology, in fact the jurisdictional issues may be too complex and difficult to manage through data protection law enforcement. A special edition of the American Association for the Advancement of Science (AAAS) journal Science (Jan 30, 2015) entitled The End of Privacy sums up the reasons for pessimism in articles ranging from the threat of ubiquitous drones, facial and voice recognition, breach of trust through the Snowden revelations about secret surveillance, and so on. It is a list familiar to privacy scholars and advocates, but it is not surprising that non-specialists may read such articles and believe that there is no possibility of privacy.

Just as we had permitted lead, mercury, and asbestos to contaminate the environment before we realized the risks, we have permitted personal data to flow unchecked without adequate risk assessment. Even though the concept of privacy impact assessments became a policy requirement for the federal government in Canada in 2001, it takes a long time for policy changes to spread. ICANN is not required to conduct privacy impact assessments, although U.S. government agencies are. A realistic policy goal for the current Registration Data Services policy development process (PDP), which started in early 2016, would be to establish a requirement for a privacy impact assessment in future PDPs dealing with registration data, and to start now in order to comply with the new General Data Protection Regulation. This could then produce a precedent for human rights impact assessments that could be incorporated in procedures. Could this make a difference? Privacy impact assessments are useful tools in that they examine legal, security, and policy requirements. They examine risk. In their best form, they encourage privacy by design. They support strong management practices and take the emphasis off legal compliance, which admittedly looks rather forbidding and somewhat old-fashioned in the Internet context. If ICANN wants to prove itself as an accountable multi-stakeholder organization worthy of trust, this could be an attractive, low-risk option. It would help in setting precedents for Internet governance and it would also force the examination of data maps, which has not yet happened in the context of registration data flows. Mapping the flow of data in the context of Internet governance is a necessary first step in increasing accountability and adherence to data protection principles, just as testing our watercourses for lead and mercury was a necessary first step in rectifying our collective disregard for the flow of dangerous substances in the environment.

A second concrete action would be to develop a set of binding corporate rules. I proposed this option repeatedly during the Experts Working Group; it was always rejected. This would not stop civil society from writing such a set of rules in collaboration with other stakeholders and tabling it in the Registration Data Services policy development process as an input.

As I described in Chapter 1, the failure to achieve better privacy outcomes at ICANN could be studied from a variety of perspectives, including the study of the stakeholders themselves and their actions (or inaction). It is my view that a focus on practical solutions that are affordable, and a process whereby all stakeholders share costs equally, has not yet been sufficiently employed. Instead, there has been a focus on rhetoric to stop further action. Substantiating this point would require further research, but it is my observation from working on the current PDP on WHOIS that the rhetoric has not changed from that which was used during the early, heated debates. Rhetoric alone will not stop the development of a final policy on registration data services, as too many stakeholders are not willing to be delayed further for a variety of legal, economic, and technical reasons. It is time to see if stakeholder action can be mustered to produce a workable solution to protect privacy. This is a challenge for privacy entrepreneurship and for the multi-stakeholder model to demonstrate its flexibility and collaborative work processes.

7.3.2 Enforcement action

The Schrems decision was a wake-up call for privacy law enforcement. After years of discussions between the data protection authorities and Facebook over their privacy policy, and dissatisfaction with the political compromise on the adequacy of U.S. privacy protection, suddenly both were thrown out by the court due to the actions of a young Austrian university student. If this is what it takes to get past logjams in achieving real privacy protection, is it time to launch a case against ICANN? Certainly, the timing of the new 2018 General Data Protection Regulation (GDPR) is appropriate.

This thought has dawned on the registrars and registries. At the Global Domains Division meeting in Madrid in May 2017, some of the registrars and registries told ICANN that they will cut off WHOIS if ICANN does not let them out of their contractual obligations to violate the law. The success of the data protection authorities at the Copenhagen meeting in March 2017 did much to change opinion but, since everyone around the world has been scrambling to be ready for GDPR compliance, it is also likely that some registrars and registries shared a digest of their legal opinions on GDPR compliance and realized that they are liable for fines of 4% of annual revenues. Since there is a 19-year record of ICANN ignoring the advice of the data protection commissioners, I think this would be an excellent case to pursue. With the added potential of being able to sue the data commissioners themselves for not protecting registrant rights, it is hard to imagine that civil society will not take up such a case. I pointed this out to the Board and the data protection authorities during a private luncheon at the Copenhagen meeting. During the past four years, ICANN has successfully ignored my advice on data protection compliance, as much as any previous advice provided by civil society advocates, let alone the far more authoritative responses by data protection authorities. Nevertheless, ICANN has now started to move; a task force was struck at the Johannesburg meeting in June 2017 to examine the GDPR issues for the contracted parties and for ICANN itself as data controller. ICANN also named a long-serving legal counsel as Privacy Officer. It is remarkable how a capacity to award fines of 4% of annual revenues focuses attention in a market situation. As Mueller (2007) points out, costs are the key variable in the tension between the market and the commons as economic mechanisms, and this promises to provide the drastic jolt that will alter the imbalance that has been maintained over the WHOIS commons for so many years.

Simultaneously with the somewhat fractious and unproductive discussion in the new registration data service policy development process, this GDPR task force is also examining the actual data elements involved in the registration data service. This group will seek legal advice regarding whether the collection, use, and disclosure of these elements will be acceptable under the GDPR and, if not, what needs to be done. The Governmental Advisory Committee (GAC) is participating in this task force, but it is too early to tell if change has permeated any thinking in the many other work groups. A mandatory review of the implementation of the recommendations of the previous 2012 WHOIS review has just been struck, and there is a clear attempt to set the parameters of that review to avoid any discussion of data protection compliance and to focus instead on increased accuracy measurements. I am on both committees and I anticipate being able to do further research and analysis of what I consider will be a significant alteration of stakeholder positions. Parts of ICANN continue to persist in the path set previously, but a serious disruption may be about to occur.

In the meantime, civil society can move much more quickly. This is an ideal case to take to court as it demonstrates a failure in the current data protection enforcement model, the need for nimbler trans-border dataflow compliance solutions, and serious flaws in the multi-stakeholder model with respect to its observance of fundamental human rights and the rule of law.


With respect to the broader political struggles over ICANN, as the body that controls the Domain Name System (DNS), my conclusions are of interest to scholars assessing ICANN’s readiness to be such an important global player in the Internet ecosystem. There is a significant body of research on this political struggle, and many have suggested that it will be difficult to counter the influence of states like China, which now have a very large presence on the Internet and believe in controlling their citizens’ access to free speech and freedom of access to content. ICANN’s decision-making processes must be assessed in the light of this very real struggle that looms over the openness of the Internet. There may be limited time left to correct the protection of privacy and human rights in the DNS.

7.3.3 The empowered community

ICANN has successfully cut its ties to the U.S. Department of Commerce. The body which is able to appeal a Board decision and enforce the multi-stakeholder model (however flawed that model of policy development and decision-making might be) is the new Empowered Community. I am optimistic that those who helped create this concept of governance are going to ensure that ICANN follows processes, adheres to the bylaws, and acts in the public interest. In this regard, it is heartening to see that the cross-community working party on human rights (which has no policy-making authority) has had sufficient success promoting the concept of a human rights impact assessment, and that ICANN has issued a call for proposals for a contractor to conduct such an impact assessment (ICANN, August 2017). If the ICANN community can continue collaborative actions that support human rights in this regard, particularly if it can start doing this in the actual policy development working groups, there are grounds for optimism.


APPENDICES

Appendix A

List of Abbreviations

AfriNIC Africa Network Information Center

AEPD Agencia Española de Protección de Datos

AOC Affirmation of Commitments (between ICANN and the U.S. Department of Commerce)

ALAC At Large Advisory Committee (ICANN)

AP Australia/Pacific

APEC Asia-Pacific Economic Cooperation

APNIC Asia Pacific Network Information Centre

APWG Anti-Phishing Working Group

ARDS Aggregated Registration Data Service

ARIN American Registry for Internet Numbers

ARPAnet Advanced Research Projects Agency Network

Article 29 Article 29 Working Party

ASCII American Standard Code for Information Interchange

ASO Address Supporting Organization


ATT American Telephone and Telegraph (also AT&T)

BC Business Users Constituency

ccNSO Country code Name Supporting Organization (ICANN)

ccTLD Country code top-level domain (ICANN)

CCWG Cross-community working group (ICANN)

CEN/ISSS European Centre for Standardization/Information Society Standardisation System

CIGI Centre for International Governance Innovation

CIRA Canadian Internet Registration Authority

CNIL Commission Nationale de l'Informatique et des Libertés

CNNIC China Internet Network Information Centre

COE Council of Europe

CORE Council of Registrars

CPH Contracted Party House

DDoS Distributed denial of service

DEA Drug Enforcement Agency (United States)

DG Directorate General

DNS Domain Name System

DNSO Domain Name Supporting Organization

DOC Department of Commerce (United States)

DP Data Protection

DPA Data Protection Authority

EC European Commission


ECJ European Court of Justice

EDPS European Data Protection Supervisor

EEA European Economic Area

EPIC Electronic Privacy Information Center

EU European Union

EWG Experts Working Group on Registration Data Services (ICANN)

FBI Federal Bureau of Investigation (United States)

FTC Federal Trade Commission (United States)

GAC Government Advisory Committee (ICANN)

GATS General Agreement on Trade in Services

GATT General Agreement on Tariffs and Trade

GDPR General Data Protection Regulation (European Union)

GNSO Generic Names Supporting Organization (ICANN)

gTLD Generic Top-level domain

HEW Department of Health and Human Services (United States)

HTML HyperText Markup Language

HTTP Hypertext Transfer Protocol

IAB Internet Architecture Board

IANA Internet Assigned Numbers Authority

ICANN Internet Corporation for Assigned Names and Numbers

ICDPPC International Conference of Data Protection and Privacy Commissioners

IETF Internet Engineering Task Force

IGF Internet Governance Forum (WSIS)


INTA International Trademark Association

IOT Internet of Things

IP Internet Protocol

IPv4, IPv6 Internet Protocols Version 4, Version 6

IPC Intellectual Property Constituency (ICANN)

ISO International Organization for Standardization

ISOC Internet Society

ISP Internet Service Provider

ISPCP Internet Service Providers and Connectivity Providers (ICANN)

IT Information technology

ITU International Telecommunications Union (United Nations)

IWGDPT International Working Group on Data Protection in Telecommunications and Media (Berlin Group)

LACNIC Latin American and Caribbean Network Information Centre

LEA Law Enforcement Agency

NA North America

NAFTA North American Free Trade Agreement

NCDNHC Non-Commercial Domain Name Holders Constituency

NCUC Noncommercial Users Constituency (ICANN)

NCSG Noncommercial Stakeholders Group (ICANN)

NCPH Non-contracted Party House

NGO Non-governmental Organization

NomCom Nominating Committee (ICANN)


NPOC Not-for-profit Operational Concerns Constituency (ICANN)

NTIA National Telecommunications and Information Administration (U.S. Department of Commerce)

NSF National Science Foundation (United States)

OECD Organisation for Economic Co-operation and Development

OPoC Operational Point of Contact

OpSec Operational Security

PDP Policy Development Process (ICANN)

PICS Public Interest Commitments (in new gTLDs)

PIPEDA Personal Information Protection and Electronic Documents Act

PNR Passenger Name Records

PPSAI Privacy Proxy Services Accreditation Issues

RAA Registrar Accreditation Agreement (ICANN)

RALO Regional At-large Organization

RCMP Royal Canadian Mounted Police

RDAP Registration Data Access Protocol (IETF)

RDS Registration Data Service

RFC Request for Comment

RIAA Recording Industry Association of America

RIPE Réseaux IP Européens

RIPE NCC Réseaux IP Européens Network Coordination Centre

RIR Regional Internet Registry

RrSG Registrars Stakeholder Group (ICANN)


RSSAC Root Server System Advisory Committee

RySG Registries Stakeholder Group (ICANN)

SL Secondary level

SLD Second-level Domain

SO Supporting Organization (ICANN)

SOI Statement of Interest

SSAC Security and Stability Advisory Committee (ICANN)

SSL Secure Socket Layer

TDRP Transfer Dispute Resolution Policy

TLD Top-level Domain

TPP Trans-Pacific Partnership

UDHR Universal Declaration of Human Rights

UDRP Uniform Domain Name Dispute Resolution Policy

URL Uniform Resource Locator

USTR United States Trade Representative

W3C World Wide Web Consortium

WCIT World Conference on International Telecommunications (ITU)

WG Working Group

WEIRDS Web Extensible Internet Registration Data Service (IETF)

WGIG Working Group on Internet Governance (WSIS)

WIPO World Intellectual Property Organization (United Nations)

WSIS World Summit on the Information Society (ITU)

WTO World Trade Organization


Appendix B Internet Engineering Task Force Request for Comments 3912: The WHOIS Protocol

The first protocol for searching domain registrations was developed during the ARPANET period. Called the NICNAME protocol, it was based on the NAME/FINGER Protocol described in Request for Comments (RFC) 742 (1977). The NICNAME/WHOIS protocol was first described in RFC 812 in 1982 by Ken Harrenstien and Vic White of the Network Information Center at Stanford Research Institute International. It permitted wildcard-type searches, looking for registrations based on keywords. By the time ICANN was created and took over the management of the key top-level domains .com, .net and .org in 1999, it was clear that new protocols would need to be developed by the Internet Engineering Task Force (IETF) to cope with the growing complexity of the Internet. In 2003, the Cross Registry Information Service Protocol (CRISP) working group was initiated to work on this problem, and it developed a series of protocols, all based on the original protocol and expanding its capability to deal with the growing Internet. In early 2006, this was changed to the Internet Registration Information Service (IRIS), and this group continued issuing RFCs until 2009.

In 2013 the IETF acknowledged that IRIS had not solved the many technical problems arising with WHOIS, and started a new project called the Web Extensible Internet Registration Data Service (WEIRDS) Working Group. A key output from this group has been the new Registration Data Access Protocol (RDAP) which promises to provide much more nuanced access to registration data, allowing e.g., authentication of users to different levels of access, definition of purpose of access, and generally much more precision.

The protocol currently in use for WHOIS is RFC 3912, reproduced below.


Network Working Group                                          L. Daigle
Request for Comments: 3912                                VeriSign, Inc.
Obsoletes: 954, 812                                       September 2004
Category: Standards Track

                      WHOIS Protocol Specification

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2004).

Abstract

This document updates the specification of the WHOIS protocol, thereby obsoleting RFC 954. The update is intended to remove the material from RFC 954 that does not have to do with the on-the-wire protocol, and is no longer applicable in today's Internet. This document does not attempt to change or update the protocol per se, or document other uses of the protocol that have come into existence since the publication of RFC 954.

1. Introduction

WHOIS is a TCP-based transaction-oriented query/response protocol that is widely used to provide information services to Internet users. While originally used to provide "white pages" services and information about registered domain names, current deployments cover a much broader range of information services. The protocol delivers its content in a human-readable format. This document updates the specification of the WHOIS protocol, thereby obsoleting RFC 954 [1]. For historic reasons, WHOIS lacks many of the protocol design attributes, for example internationalisation and strong security, that would be expected from any recently-designed IETF protocol. This document does not attempt to rectify any of those shortcomings. Instead, this memo documents the WHOIS protocol as it is. In some areas, this document does document particular well known shortcomings of the WHOIS protocol. The discussion of possible protocols to carry out these functions, with updated capabilities to address the shortcomings, is being addressed in a separate IETF activity (CRISP Working Group).

2. Protocol Specification

A WHOIS server listens on TCP port 43 for requests from WHOIS clients. The WHOIS client makes a text request to the WHOIS server, then the WHOIS server replies with text content. All requests are terminated with ASCII CR and then ASCII LF. The response might contain more than one line of text, so the presence of ASCII CR or ASCII LF characters does not indicate the end of the response. The WHOIS server closes its connection as soon as the output is finished. The closed TCP connection is the indication to the client that the response has been received.

3. Protocol Example

If one places a request of the WHOIS server located at whois.nic.mil for information about "Smith", the packets on the wire will look like:

   client                           server at whois.nic.mil

   open TCP   ---- (SYN) ------------------------------>
              <---- (SYN+ACK) -------------------------
   send query ---- "Smith<CR><LF>" -------------------->
   get answer <---- "Info about Smith<CR><LF>" ---------
              <---- "More info about Smith<CR><LF>" ----
   close      <---- (FIN) ------------------------------
              ----- (FIN) ----------------------------->

4. Internationalisation

The WHOIS protocol has not been internationalised. The WHOIS protocol has no mechanism for indicating the character set in use. Originally, the predominant text encoding in use was US-ASCII. In practice, some WHOIS servers, particularly those outside the USA, might be using some other character set either for requests, replies, or both. This inability to predict or express text encoding has adversely impacted the interoperability (and, therefore, usefulness) of the WHOIS protocol.

5. Security Considerations

The WHOIS protocol has no provisions for strong security. WHOIS lacks mechanisms for access control, integrity, and confidentiality. Accordingly, WHOIS-based services should only be used for information which is non-sensitive and intended to be accessible to everyone. The absence of such security mechanisms means this protocol would not normally be acceptable to the IETF at the time of this writing.
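Sections 2 through 5 above describe the whole wire protocol. The following is an added example, not part of RFC 3912 or of this thesis: a toy WHOIS server and client that run against each other on the loopback interface, so the CRLF-terminated query, the close-means-done rule, the missing charset of section 4 and the clear-text nature noted in section 5 can be observed without touching any real registry. The directory contents and the OS-chosen port are constructed for the example.

```python
"""Minimal RFC 3912 WHOIS exchange on the loopback interface (added example)."""
import socket
import threading
from typing import List

# Constructed directory. RFC 3912 defines no record format, only text lines,
# so the "Smith" answer mirrors the two lines of the RFC's section 3 example.
DIRECTORY = {
    "smith": ["Info about Smith", "More info about Smith"],
    "mueller": ["Registrant: Müller", "City: Zürich"],  # non-ASCII answer
}
CRLF = b"\r\n"


def handle_whois_query(query: str) -> List[str]:
    """Look up a query (trimmed, case-insensitive exact match) in the toy directory."""
    return DIRECTORY.get(query.strip().lower(), ["No match for %r" % query])


def serve_once(listener: socket.socket, encoding: str = "utf-8") -> None:
    """Accept one connection, read a CRLF-terminated query, answer, then close."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        # Section 2: the request is terminated by CR LF; read until it arrives.
        while CRLF not in buf:
            chunk = conn.recv(1024)
            if not chunk:
                return  # client went away before finishing the query
            buf += chunk
        query = buf.split(CRLF, 1)[0].decode(encoding, errors="replace")
        for line in handle_whois_query(query):
            conn.sendall(line.encode(encoding) + CRLF)  # clear text: no TLS, no auth
        # Leaving the 'with' block closes the socket: the only end-of-response signal.


def whois_query(host: str, port: int, query: str, encoding: str = "utf-8") -> List[str]:
    """Send one WHOIS query and return the response lines.

    CR/LF inside the body does not mean "done" (answers are multi-line), so the
    client reads until recv() returns b"", i.e. until the server closes the TCP
    connection, exactly as section 2 requires.
    """
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(query.encode(encoding) + CRLF)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    # Section 4: nothing on the wire says which charset the server used, so the
    # client can only guess; errors="replace" keeps a wrong guess from raising.
    text = b"".join(chunks).decode(encoding, errors="replace")
    return [line for line in text.split("\r\n") if line]


def run_exchange(query: str, server_encoding: str = "utf-8",
                 client_encoding: str = "utf-8") -> List[str]:
    """Start a loopback server for a single query and return what the client saw."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick (port 43 needs root)
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=serve_once, args=(listener, server_encoding))
    worker.start()
    try:
        return whois_query("127.0.0.1", port, query, client_encoding)
    finally:
        worker.join()
        listener.close()


if __name__ == "__main__":
    print(run_exchange("Smith"))
    # Charset mismatch from section 4: server answers in Latin-1, client assumes UTF-8,
    # so the umlauts arrive as U+FFFD replacement characters.
    print(run_exchange("mueller", server_encoding="latin-1"))
```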

6. Acknowledgements

Ran Atkinson created an earlier version of this document. Ken Harrenstien, Mary Stahl, and Elizabeth Feinler were the authors of the original Draft Standard for WHOIS.

7. References

7.1. Normative References

[1] Harrenstien, K., Stahl, M., and E. Feinler, "NICNAME/WHOIS", RFC 954, October 1985.

Author's Address

Leslie Daigle
VeriSign, Inc.
21355 Ridgetop Circle
Dulles, VA 20166
US

EMail: [email protected]; [email protected]

Full Copyright Statement

Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and at www.rfc-editor.org, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the ISOC's procedures with respect to rights in ISOC Documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-[email protected].

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.

Daigle, L. (2004, September). WHOIS protocol specification (RFC 3912). Retrieved from IETF Datatracker website: https://datatracker.ietf.org/doc/rfc3912/?include_text=1


Appendix C

Use Cases for WHOIS Data

Use Cases for Registrant Data from the Final Report by the Experts Working Group on New Registration Data Services

The table lists, for each class of user, the purpose, the example use cases, and the rationale for registration data access.

User: All Registrants (e.g., natural persons, legal persons, accredited Privacy/Proxy providers)
Purpose: Domain Name Control
Example use cases and rationale for registration data access:
Domain Name Registration Account Creation: Enable registration of domain names by any kind of Registrant by creating a new account with a Registrar.
Domain Name Data Modification Monitoring: Detect accidental, uninformed, or unauthorized modification of a domain name's registration data, either current or historical (using WhoWas).
Domain Name Portfolio Management: Facilitate update of all domain name registration data (e.g., designated contacts, addresses) to maintain a domain name portfolio.
Domain Name Transfer Initiation: Enable Registrant-initiated transfer of a domain name to another Registrar.
Domain Name Deletions: Enable deletion of an expired domain name.
Domain Name DNS Updates: Enable Registrant-initiated change of DNS for a domain name.
Domain Name Renewals: Enable renewal of a registered domain name by the domain name's Registrant.
Domain Name Contact Validation: Facilitate initial and on-going validation of domain name registration data (e.g., designated contacts, addresses) by Registrant.

User: Protected Registrants (e.g., customers of accredited Privacy/Proxy services that need to be contacted)
Purpose: Personal Data Protection
Example use cases and rationale for registration data access:
Contact Privacy/Proxy Provider: Enable contact with accredited privacy or proxy providers offering registration services used by any Registrant seeking to minimize public access to personal names and addresses.
Contact Secure Credential Approver: Enable contact with accredited Secure Credential Approvers offering registration services used by individuals or groups under threat, using secure credentials relayed via trusted third party.

User: Internet Technical Staff (e.g., DNS admins, mail admins, web admins, ISPs)
Purpose: Technical Issue Resolution
Example use cases and rationale for registration data access:
Contact with Domain Name Technical Staff: Facilitate contact with technical staff (individual, role or entity) who can help resolve technical or operational issues with Domain Names (e.g., DNS resolution failures, email delivery issues, website functional issues).

User: Certification Authorities
Purpose: Domain Name Certification
Example use cases and rationale for registration data access:
Domain Name Certification Issuance: Help a certification authority (CA) identify the Registrant of a domain name to be bound to an SSL/TLS certificate.

User: Individual Internet Users (e.g., consumers)
Purpose: Individual Internet Use
Example use cases and rationale for registration data access:
Real World Contact: Help consumers obtain non-Internet contact information for domain name Registrant (e.g., business address).
Consumer Protection: Afford a lightweight mechanism for consumers to contact domain name Registrant-designated Business Contact (e.g., on-line [sic] retailer customer service) to resolve issues quickly, without LEA/OpSec intervention.

User: Business Internet Users (e.g., brand holders, brokers, Trademark agents)
Purpose: Business Domain Name Purchase or Sale
Example use cases and rationale for registration data access:
Domain Name Brokered Sale: Enable due diligence in connection with purchasing a domain name.
Domain Name Clearance: Enable identification of domain name Registrants to support trademark clearance (risk analysis) when establishing new brands.
Domain Name Acquisition: Facilitate acquisition of a domain name that was previously registered by enabling contact with Registrant.
Domain Name Purchase Inquiry: Enable determination of domain name availability and current Registrant and Admin Contact (if any).
Domain Name Registration History: Provide domain name registration history to identify past Registrants and dates using WhoWas.
Domain Names for Specified Registrant (Reverse Query): Enable determination of all domain names registered by a specified entity as part of merger/spinoff asset verification.

User: Internet Researchers
Purpose: Academic/Public Interest DNS Research
Example use cases and rationale for registration data access:
Domain Name Registration History (WhoWas): Enable historical research about a domain name registration during academic/public interest DNS research.
Domain Names for Specified Contact (Reverse Query): Enable identification of all domains registered with a given name, address, name server, registration date, etc. during academic/public interest DNS research.
Survey Domain Name Registrant or Designated Contact: Enable surveys of domain name Registrants or their designated contacts.

User: Intellectual Property Owners (e.g., brand holders, trademark owners, IP owners)
Purpose: Legal Actions
Example use cases and rationale for registration data access:
Domain Name User Contact: Enable contact with party using a domain name that is being investigated for TM [trade mark]/brand infringement or IP theft.
Combat Fraudulent Use of Registrant Data: Facilitate identification of and response to fraudulent use of legitimate data (e.g., address) for domain names belonging to another Registrant by using Reverse Query on identity-validated data.
Domain Name Registration History (WhoWas): Enable historical research about a domain name registration during IP infringement research.
Domain Names for Specified Registrant (Reverse Query): Enable identification of all domains registered with a given name or address during IP infringement research.

User: Non-LEA Investigators (e.g., Tax Authorities, UDRP Providers, ICANN Compliance)
Purpose: Regulatory and Contractual Enforcement
Example use cases and rationale for registration data access:
Online Tax Investigation: Facilitate identification by national, state, province, or local tax authority of contacts for domain name engaged in on-line sales.
UDRP Proceedings: Let UDRP Providers confirm the correct respondent for a domain name, perform compliance checks, determine legal process requirements and protect against cyberflight.
RDS Ecosystem Contractual Compliance: Let ICANN audit and respond to complaints about non-compliance by contracted parties (e.g., data inaccuracy or unavailability, UDRP decision implementation, transfer complaints, data escrow and retention).

User: LEA/OpSec Investigators (e.g., law enforcement agencies, incident response teams)
Purpose: Criminal Investigation & DNS Abuse Mitigation
Example use cases and rationale for registration data access:
Investigate Abusive Domain Name: Enable effective investigation and evidence gathering by LEA/OpSec personnel responding to an alleged maliciously-registered domain name, including examination of historical data.
Investigate Offline Criminal Activity: Enable effective investigation and evidence gathering by LEA/OpSec personnel responding to offline criminal activity by providing detailed registration data and/or searching for domain names registered to suspect (Reverse Query).
Domain Name Reputation Services: Enable domain name white/black list analysis by reputation service providers.
Investigate Online Criminal Activity: Help victims or their legal counsel identify the domain name Registrant involved in potentially illegal activity to enable further investigation by LEA/OpSec.
Abuse Contact for Compromised Domain Name: Assist in remediation of compromised domain names by helping LEA/OpSec personnel contact the Registrant or designated Abuse Contact.

User: General Public (e.g., bloggers, media, political activists)
Purpose: DNS Transparency
Example use cases and rationale for registration data access:
Public Registration Data Access: Identify the organization "behind" a domain name, as commonly desired by a wide variety of Internet users not otherwise reflected in more specific use cases.

User: Miscreants (e.g., those engaged in spam, DDoS, phishing, identity theft, domain hijack)
Purpose: Malicious Internet Activities
Example use cases and rationale for registration data access:
Domain Name Hijack: Harvest domain name registration data to gain unlawful access to Registrant's account and hijack that Registrant's domain name(s).
Malicious Domain Name Registration: Use an existing/compromised domain name registration account to register new names to support criminal, fraudulent or abusive activities.
Registration Data Mining for Spam/Scams: Harvest domain name Registrant data for malicious use by spammers, scammers and other criminals (miscreants).

289

Note. DNS = Domain Name System; IP = Internet Protocol; UDRP = Uniform Domain Name Dispute Resolution Policy; ICANN = Internet Corporation for Assigned Names and Numbers; RDS = Registration Data Service; LEA = Law Enforcement Agency; OpSec = Operational Security; DDoS = Distributed denial of service; SSL = Secure Socket Layer. Adapted from Expert Working Group. (2014, June 6). Final report from the Expert Working Group on gTLD Directory Services: A next-generation Registration Directory Service (RDS). Retrieved from Internet Corporation for Assigned Names & Numbers website: https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf


Appendix D

ICANN History of WHOIS

WHOIS traces its roots to 1982, when the Internet Engineering Task Force published a protocol for a directory service for ARPANET users. Initially, the directory simply listed the contact information that was requested of anyone transmitting data across the ARPANET.

As the Internet grew, WHOIS began to serve the needs of different stakeholders such as domain name registrants, law enforcement agents, intellectual property and trademark owners, businesses and individual users. But the protocol remained fundamentally based on those original IETF standards. This is the WHOIS protocol that ICANN organization inherited when it was established in 1998.

On 30 September 2009, ICANN and the U.S. Department of Commerce signed an Affirmation of Commitments (AOC) which recognized ICANN as an independent, private and non-profit organization. With the transition to new ICANN Bylaws in 2016, the WHOIS obligations originally established by the expired AOC were replaced with new gTLD Registration Directory Service (RDS) obligations.

Based on existing consensus policies and contracts, ICANN remains committed to "enforcing its existing policy relating to WHOIS, subject to applicable laws. Such existing policy requires that ICANN implement measures to maintain timely, unrestricted and public access to accurate and complete WHOIS information, including domain name registrant, technical, billing, and administrative contact information." In addition, specific provisions for periodic reviews of WHOIS policy continue under the new ICANN Bylaws.

In 1999, ICANN began allowing other entities to offer domain name registration services. Registries are responsible for maintaining registries of top-level domain names.

Over the years, ICANN has used its agreements with registrars and registries to modify the WHOIS service requirements. These agreements set up the basic framework that dictates how the WHOIS service is operated. In addition, ICANN has adopted and implemented several consensus policies aimed at improving the WHOIS service:

WHOIS Data Reminder Policy (2003): at least once a year, registrars must email all domain name registrants and remind them to review and update their WHOIS data; for example, in case of a new cell phone number or changed business address.


The Restored Name Accuracy Policy (2004): If a domain name is deleted because it contained incorrect contact data, or there was no response to requests for information, the domain name must remain on hold until the domain name registrant provides updated and accurate WHOIS data.

WHOIS Marketing Restriction Policy (2004): This policy creates two changes to the Registrar Accreditation Agreement to try to bar use of the WHOIS data for marketing and re-use. Registrars must require third parties to "to agree not to use the [WHOIS] data to allow, enable, or otherwise support any marketing activities," and "not to sell or redistribute the [WHOIS] data" (with some exceptions).

In addition, ICANN continues to adopt new consensus policies to improve existing WHOIS services. Policies now undergoing implementation include:

Thick RDDS (WHOIS) Transition Policy for .COM, .NET and .JOBS (2014): This policy addresses differences between "thin" and "thick" WHOIS registries, requiring transition of remaining "thin" registries to a "thick" data model.

Additional WHOIS Information Policy (2014): This policy requires registrars and registries to include information in WHOIS output to help users better identify a domain name registration's sponsoring registrar and understand the domain name registration's status codes.

Privacy and Proxy Services Accreditation Policy (2015): This policy addresses issues relating to accreditation of the privacy and proxy services used by some domain name registrants to keep certain information about them from being published in WHOIS.

Translation and Transliteration of Contact Information Policy (2015): This policy is concerned with how internationalized registration data are collected and displayed in registration data directory services, so as to enable translation and/or transliteration of those data into other languages and/or scripts.

Registry Registration Data Directory Services Consistent Labeling and Display Policy (updated 2017): This policy requires consistency in the WHOIS output displayed by different registries.

Finally, ICANN organization works with registries and registrars to review and update as appropriate procedures related to WHOIS policy implementation, such as:

Review of Existing ICANN Procedure for Handling Whois Conflicts with Privacy Laws (2016), and the

WHOIS Data Retention Specification Waiver (2013)


WHOIS is at the center of long-running debate and study at ICANN, among other Internet governance institutions, and in the global Internet community. The evolution of the Internet ecosystem has created challenges for WHOIS in every area: accuracy, access, compliance, privacy, abuse and fraud, cost and policing. Questions have arisen about the fundamental design of WHOIS, which many believe is inadequate to meet the needs of today's Internet, much less the Internet of the future. Concerns about WHOIS obsolescence are equaled by concerns about the costs involved in changing or replacing WHOIS.

WHOIS faces these challenges because its use has expanded beyond what was envisaged when its founding protocol was designed. Many more stakeholders make use of it in legitimate ways not foreseen by its creators. So ICANN has had to modify WHOIS over the years; the consensus policies on accuracy are a prime example, as well as the introduction of validation and verification requirements in the new form of Registrar Accreditation Agreement (2013 RAA).

There are other challenges to WHOIS, as well. As domain names have become an important weapon to combat fraud and abuse, ICANN's Security and Stability Advisory Committee recommended in SAC 38: Registrar Abuse Point of Contact that registrars and registries publish abuse point of contact information. This abuse contact would be responsible for addressing and providing timely response to abuse complaints received from recognized parties, such as other registries, registrars, law enforcement organizations and recognized members of the anti-abuse community. In 2014, registrars under the 2013 RAA were required to publish WHOIS data that includes registrar abuse contacts.

Even with these modifications, there are calls in the community for improvements to the current WHOIS model. ICANN's Generic Names Supporting Organization (GNSO) explores these areas and works to develop new policies to address each issue, as appropriate. Over the last decade, the GNSO has undertaken a series of activities to reevaluate the current WHOIS system, and has sought to collect data examining the importance of WHOIS to stakeholders. At the request of the Council, ICANN organization initiated a series of WHOIS studies:

WHOIS Privacy and Proxy Services Abuse – This study examined the extent to which gTLD domain names used to conduct alleged illegal or harmful Internet activities are registered via Privacy or proxy services to obscure the perpetrator's identity. The National Physical Laboratory performed this study and delivered its results in March 2014.

WHOIS Registrant Identification – This study used WHOIS data and content associated with domain names to classify entities that register gTLD domain names, including natural persons, legal persons, and Privacy and proxy service providers. Using associated Internet content, it then classified entities using those domain names and potentially commercial activities. NORC at the University of Chicago performed this study and delivered its results in May 2013.

WHOIS Misuse – This study examined the extent to which public WHOIS data is misused to address harmful communications such as phishing or identity theft. The Carnegie Mellon University CyLab in Pittsburgh, PA, USA performed this study and delivered its results in December 2013.

WHOIS Privacy and Proxy Relay and Reveal – This study assessed the feasibility of conducting an in-depth study into communication Relay and identity Reveal requests sent for gTLD domain names registered using proxy and privacy services. The Interisle Consulting Group in Boston, MA, USA performed this study and delivered its results in June 2012.

WHOIS Service Requirements Survey – This study surveyed community members to estimate the level of agreement on WHOIS service requirements. A GNSO Working Group was assembled to create a survey and delivered its results in July of 2010.

Report on Domain Name WHOIS Terminology and Structure – To clear up the confusion regarding the various meanings of WHOIS terminology, the SSAC conducted this study. The report, delivered in September 2011, recommended that ICANN transition to adopting new terminology to designate the different aspects of WHOIS. As a result, ICANN adopted new terminology to refer to aspects of the WHOIS system, including:

Domain Name Registration Data – Refers to the information that domain name registrants provide when registering a domain name and that registrars or registries collect.

Domain Name Registration Data Access Protocol – Refers to the elements of a communications exchange—queries and responses—that make access to registration data possible. For example, the WHOIS protocol (RFC 3912) and Hypertext Transfer Protocol (HTTP) (RFC 2616 and its updates) are commonly used to provide public access.

Domain Name Registration Data Directory Service – refers to the service offered by registries and registrars to provide access to the domain name registration data. This term is now often used interchangeably with Registration Directory Service (RDS).

In 2013, a series of recommendations were made by the first WHOIS Review Team (WHOIS RT) to improve the manner in which the WHOIS system at that time was being overseen by ICANN organization. Those improvements included development of a new Accuracy Reporting System (ARS) to proactively identify inaccurate WHOIS records and forward them to registrars for follow-up, to increase data accuracy, and to create accuracy metrics.

Also in 2013, ICANN formed an Expert Working Group (EWG) on gTLD Directory Services charged with finding ways to break the deadlock in the ICANN community over the usefulness and fate of the WHOIS system. In its Final Report (2014), the EWG recommended a paradigm shift to "a next-generation RDS that collects, validates and discloses gTLD registration data for permissible purposes only. While basic data would remain publicly available, the rest would be accessible only to accredited requestors who identify themselves, state their purpose, and agree to be held accountable for appropriate use." To learn more, see What's On The Horizon.

Internet Corporation for Assigned Names & Numbers. (2017, July). History of WHOIS [Web page]. Retrieved from


Appendix E Selected ICANN documents

Given the vast collection of documents and correspondence accessed, these examples are for illustrative purposes as references. Correspondence with the data protection authorities is listed in Appendices F and G.

Correspondence

Atallah, A. (2017, March 31). Re: GNSO Council Motion 20170216-1 Confirmation that modification to procedure that implements the Whois conflicts with privacy law policy recommendation is consistent with the intent of the policy recommendation. [Letter to James Bladel]. Retrieved from Internet Corporation for Assigned Names & Numbers, GNSO website: https://gnso.icann.org/en/correspondence/atallah-to-bladel-31mar17-en.pdf

Atallah, A. (2017, June 9). Re: GNSO Council Motion 20170216-1 Confirmation that modification to procedure that implements the Whois conflicts with privacy law policy recommendation is consistent with the intent of the policy recommendation. [Letter to James Bladel]. Retrieved from Internet Corporation for Assigned Names & Numbers, GNSO website: https://gnso.icann.org/en/correspondence/atallah-to-bladel-09jun17-en.pdf

Atallah, A. (2017, August 1). Re: Reviews of the revised ICANN procedure for handling Whois conflicts with privacy law. [Letter to Donna Austin, Heather Forrest, & James Bladel]. Retrieved from Internet Corporation for Assigned Names & Numbers website: https://www.icann.org/en/system/files/correspondence/atallah-to-bladel-et-al-01aug17-en.pdf

Crocker, S. (2013, February 8). Re: GAC Communiqué from ICANN 45 Meeting in Toronto, Canada – Enforcing Applicant Commitments [Letter to Heather Dryden]. Retrieved from Internet Corporation for Assigned Names & Numbers; link has disappeared, Perrin repository of documents. A related letter is here: https://www.icann.org/en/system/files/correspondence/crocker-to-dryden-16jan13-en.pdf

Crocker, S. (2014, September 2). Re: Implementation of GAC Safeguard Advice [Letter to Heather Dryden]. Retrieved from Internet Corporation for Assigned Names & Numbers website: https://www.icann.org/en/system/files/correspondence/crocker-to-dryden-02sep14-en.pdf

Crocker, S. (2014, December 16). Re: New gTLD Program Safeguards. [Letter to Thomas Schneider]. Retrieved from Internet Corporation for Assigned Names & Numbers, GAC website:

Crocker, S. (2016, February 19). Re: Privacy and Proxy Services Accreditation Issues Policy Development Process. [Letter to Thomas Schneider]. Retrieved from Internet Corporation for Assigned Names & Numbers, GAC website: https://gacweb.icann.org/display/gacweb/GAC+Correspondence?preview=/27492514/41943699/2016-02-19-Steve-Crocker-to-Thomas-Schneider-GNSO-PDP.pdf

Dryden, H. (2014, September 23). Re: New gTLD Program Safeguards. [Letter to Schneider, T.]. Retrieved from Internet Corporation for Assigned Names & Numbers, GAC website; link has disappeared, Perrin repository.

Karklins, J. (2008, April 16). Re: GAC Recommendations for WHOIS Studies. [Letter to Peter Dengate Thrush]. Retrieved from Internet Corporation for Assigned Names & Numbers website: https://www.icann.org/en/system/files/files/karlins-to-thrush-16apr08-en.pdf

Schneider, T. (2014, December 9). Re: gTLDs Safeguards. [Letter to Stephen Crocker]. Retrieved from Internet Corporation for Assigned Names & Numbers, GAC website: https://gacweb.icann.org/display/gacweb/GAC+Correspondence?preview=/27492514/38764631/schneider-to-crocker-09dec14-en.pdf


Schneider, T. (2016, June 10). [Letter to ICANN Board of Directors, GNSO Councillors, & Co-chairs of the GNSO PDP Working Group on Privacy and Proxy Services Accreditation Issues.] Retrieved from Internet Corporation for Assigned Names & Numbers website: https://www.icann.org/en/system/files/correspondence/schneider-to-icann-board-et-al-10jun16-en.pdf

Thick WHOIS Implementation Review Team. (2016, December 15). Re: Privacy Issues in Thick Whois Implementation. [Letter to the GNSO Council]. Retrieved from Internet Corporation for Assigned Names & Numbers website: https://gnso.icann.org/en/correspondence/irt-to-gnso-council-15dec16-en.pdf

Thrush, P. D. (2008, May 23). Re: GAC Recommendations for WHOIS Studies [Letter to Janis Karklins]. Retrieved from Internet Corporation for Assigned Names & Numbers website: https://www.icann.org/en/system/files/files/dengate-thrush-to-karklins-23may08-en.pdf

Thrush, P. D. to Dryden, H. (June 22, 2011). Letter from Board to GAC notifying the approval of four gTLD WHOIS Studies. Retrieved from https://www.icann.org/en/system/files/files/dengate-thrush-beckstrom-to-dryden-22jun11-en.pdf

Twomey, P. (2008, May 19). [Letter to Janis Karklins] Re: Response to questions raised in the GAC – ICANN Board Open Session in New Delhi regarding the Implementation of the Policy for Handling WHOIS Conflicts with Privacy Law. Retrieved from Internet Corporation for Assigned Names & Numbers website: https://www.icann.org/en/system/files/files/twomey-to-karlin-19may08-en.pdf

Twomey, P. (2009, February 24). [Letter to Janis Karklins], Re: Update on WHOIS data research and analysis. Retrieved from Internet Corporation for Assigned Names & Numbers website: https://www.icann.org/en/system/files/files/karklins-to-twomey-24feb09-en.pdf


ICANN Structural and Non-WHOIS Related Documents

Internet Corporation for Assigned Names & Numbers. (2015). GNSO Policy & Implementation Working Group Final Recommendations Report. Retrieved from http://gnso.icann.org/en/group-activities/active/policy-implementation

Presentations

Internet Corporation for Assigned Names and Numbers. (2005, December 2). WHOIS Task Force [Presentation to GNSO Public Forum at Vancouver meeting.] Retrieved from ICANN, GNSO website: https://gnso.icann.org/en/issues/whois-privacy/gnso-whois-tf-rpt-02dec05.pdf

Internet Corporation for Assigned Names and Numbers. (2015, February 9). Presentation on All things WHOIS. Retrieved from https://www.slideshare.net/icannpresentations/all-things-whois-icann52

Internet Corporation for Assigned Names and Numbers. (2016, February 16). GNSO Briefing on the migration to RDAP. [Presentation]. Retrieved from ICANN, GNSO website: https://gnso.icann.org/en/correspondence/presentation-migration-rdap-briefing-paper-16feb16-en.pdf

Security and Stability Advisory Committee Reports

Retrieved from the SSAC Website https://www.icann.org/groups/ssac/documents

SAC 023 (23 October 2007). Is the WHOIS Service a Source for email Addresses for Spammers?

SAC 027 (7 February 2008). SSAC Comment to GNSO regarding WHOIS studies

SAC 033 (20 June 2008). Domain Name Registration Information and Directory Services

SAC 037 (21 April 2009). Display and usage of Internationalized Registration Data: Support for characters from local languages or scripts

SAC 038 (25 February 2009). Registrar Abuse Point of Contact

SAC 051 (19 September 2011). SSAC Report on WHOIS Terminology and Structure

SAC 054 (11 June 2012). SSAC Report on the Domain Name Registration Data Model

SAC 055 (14 September 2012). SAC Comment on the WHOIS Review Team Final Report

SAC 058 (27 March 2013). SSAC Report on Domain Name Registration Data Validation

SAC 061 (06 September 2013). SSAC Comment on ICANN's Initial Report from the Expert Working Group on gTLD Directory Services

SAC 081 (25 May 2016). SSAC Response to Request for Input on Next Generation gTLD RDS to Replace WHOIS Policy Development Process (PDP)

WHOIS Historical and Policy Documents

Gasster, L. (2010, March). Initial report to the GNSO Council on WHOIS studies—for further discussion and action. Retrieved from Internet Corporation for Assigned Names & Numbers website: https://gnso.icann.org/en/issues/whois/whois-studies-report-for-gnso-23mar10-en.pdf

Internet Corporation for Assigned Names & Numbers. (2010). Final report on proposals for improvements to the Registrar Accreditation Agreement. Retrieved from https://gnso.icann.org/en/issues/raa/raa-improvements-proposal-final-report-18oct10-en.pdf

Internet Corporation for Assigned Names & Numbers. (2012). Staff summary of comments on WHOIS review team final report. Retrieved from https://www.icann.org/en/system/files/files/summary-comments-whois-rt-final-report-11jul12-en.pdf


Internet Corporation for Assigned Names & Numbers. (2012). Whois policy review team final report. Retrieved from https://www.icann.org/en/system/files/files/final-report-11may12-en.pdf

Internet Corporation for Assigned Names & Numbers. (2012). WHOIS policy review team report recommendations (ICANN Board Submission No. 2012-11-08-0). Retrieved from https://www.icann.org/en/system/files/bm/briefing-materials-1-08nov12-en.pdf

Internet Corporation for Assigned Names & Numbers. (2013). Initial report from the expert working group on gTLD Directory Services: A next-generation Registration Directory Service (RDS). Retrieved from https://www.icann.org/en/system/files/files/initial-report-24jun13-en.pdf

Internet Corporation for Assigned Names & Numbers. (2013, November 11). Status update from the Expert Working Group on gTLD directory services (Announcement). Retrieved from https://www.icann.org/en/news/announcements/announcement-11nov13-en.htm

Internet Corporation for Assigned Names & Numbers. (2014). Final report from the Expert Working Group on gTLD Directory Services: A next-generation Registration Directory Service (RDS). Retrieved from https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf

Internet Corporation for Assigned Names & Numbers. (2015, June 5). Advisory Concerning Registrar Obligations to Provide Data to ICANN Pursuant to Section 3.4.3 of the 2013 RAA (Announcement). Retrieved from https://www.icann.org/news/announcement-2015-06-05-en

Internet Corporation for Assigned Names & Numbers. (2015, December 1). Registrar Data Escrow program. Retrieved from https://www.icann.org/resources/pages/registrar-data-escrow-2015-12-01-en

Internet Corporation for Assigned Names & Numbers. (2017, May 16). Registrar Data Escrow Agreement, Iron Mountain. Retrieved from https://www.icann.org/en/system/files/files/iron-mountain-rde-template-16may17-en.pdf

National Opinion Research Center at the University of Chicago. (2010). Draft Report for the Study of the Accuracy of WHOIS Registrant Contact Information (Project Reference No. 6558, 6636). Retrieved from Internet Corporation for Assigned Names & Numbers website: https://www.icann.org/en/system/files/newsletters/whois-accuracy-study-17jan10-en.pdf

Sullivan, A. (2012). Comments received on WHOIS policy review team report. Retrieved from Internet Corporation for Assigned Names & Numbers website: http://forum.icann.org/lists/whois-rt-final-report/


Appendix F Documents of the International Working Group on Data Protection in Telecommunications and Media

International Working Group on Data Protection in Telecommunications. (2015). Working paper on Transparency Reporting: Promoting accountability when governments access personal data held by companies. 675.50.14. Retrieved from https://datenschutz-berlin.de/content/europa-international/international-working-group-on-data-protection-in-telecommunications-iwgdpt/working-papers-and-common-positions-adopted-by-the-working-group

International Working Group on Data Protection in Telecommunications. (2014). International Documents on data protection in telecommunications and media, 1983 - 2013. Berliner Beauftragter für Datenschutz und Informationsfreiheit: Berlin, DE.

International Working Group on Data Protection in Telecommunications. (2014). Working Paper on Big Data and Privacy: Privacy principles under pressure in the age of Big Data analytics. 675.48.12. Retrieved from https://datenschutz-berlin.de/content/europa-international/international-working-group-on-data-protection-in-telecommunications-iwgdpt/working-papers-and-common-positions-adopted-by-the-working-group

International Working Group on Data Protection in Telecommunications. (2013). Working Paper On the Human Right to Telecommunications Secrecy. 675.47.12. Retrieved from https://datenschutz-berlin.de/content/europa-international/international-working-group-on-data-protection-in-telecommunications-iwgdpt/working-papers-and-common-positions-adopted-by-the-working-group

International Working Group on Data Protection in Telecommunications. (2012). Working Paper on Cloud Computing - Privacy and data protection issues “Sopot Memorandum” 675.44.8 24. Retrieved from https://datenschutz-berlin.de/content/europa-international/international-working-group-on-data-protection-in-telecommunications-iwgdpt/working-papers-and-common-positions-adopted-by-the-working-group

International Working Group on Data Protection in Telecommunications. (2010). The Granada Charter of Privacy in a Digital World. 675.40.11. Retrieved from https://datenschutz-berlin.de/content/europa-international/international-working-group-on-data-protection-in-telecommunications-iwgdpt/working-papers-and-common-positions-adopted-by-the-working-group

International Working Group on Data Protection in Telecommunications. (2008). Recommendation on the Implementation and Application of the Council of Europe Convention No. 185 on Cybercrime (a.k.a. “Budapest Convention”) 675.36.9. Retrieved from https://datenschutz-berlin.de/content/europa-international/international-working-group-on-data-protection-in-telecommunications-iwgdpt/working-papers-and-common-positions-adopted-by-the-working-group

International Working Group on Data Protection in Telecommunications. (2000). Common Position on Privacy and Data Protection aspects of the Registration of Domain Names on the Internet. Retrieved from https://datenschutz-berlin.de/content/europa-international/international-working-group-on-data-protection-in-telecommunications-iwgdpt/working-papers-and-common-positions-adopted-by-the-working-group

International Working Group on Data Protection in Telecommunications. (2000). Common Position on Privacy and Data Protection Aspects of the Publication of Personal Data contained in publicly available Documents on the Internet. Retrieved from https://datenschutz-berlin.de/content/europa-international/international-working-group-on-data-protection-in-telecommunications-iwgdpt/working-papers-and-common-positions-adopted-by-the-working-group

International Working Group on Data Protection in Telecommunications. (1998). Report and Guidance on Data Protection and Privacy on the Internet: "Budapest - Berlin Memorandum". Retrieved from https://datenschutz-berlin.de/content/europa-international/international-working-group-on-data-protection-in-telecommunications-iwgdpt/working-papers-and-common-positions-adopted-by-the-working-group

International Working Group on Data Protection in Telecommunications. (1998). Common Position relating to Reverse Directories. Retrieved from https://datenschutz-berlin.de/content/europa-international/international-working-group-on-data-protection-in-telecommunications-iwgdpt/working-papers-and-common-positions-adopted-by-the-working-group

International Working Group on Data Protection in Telecommunications. (1998). Common Position on Privacy and Copyright Management. Retrieved from https://datenschutz-berlin.de/content/europa-international/international-working-group-on-data-protection-in-telecommunications-iwgdpt/working-papers-and-common-positions-adopted-by-the-working-group

International Working Group on Data Protection in Telecommunications. (1996). Report and Guidance on Data Protection and Privacy on the Internet: "Budapest - Berlin Memorandum." Retrieved from https://datenschutz-berlin.de/content/europa-international/international-working-group-on-data-protection-in-telecommunications-iwgdpt/working-papers-and-common-positions-adopted-by-the-working-group


Correspondence

Garstka, H.-J. Interim Report Of The Names Council's WHOIS Task Force Of October 14, 2002 [Letter to Stuart Lynn, Jan 3, 2003]. https://www.icann.org/resources/pages/garstka-to-lynn-2003-01-15-en

Garstka, H.-J. Draft Issues Paper on Consumer, User Protection and Privacy. [Letter to N. Desai, 12 April 2005].

Dix, A. Report of the Working Group on Internet Governance (June 2005) [Letter to N. Desai, 10 August 2005]. http://www.itu.int/net/wsis/docs2/pc3/contributions/misc/iwg-data-protection.pdf


Appendix G Documents of the Article 29 Working Party on Data Protection

Article 29 Working Party on Data Protection. (1997, December 3). Working Party on the Protection of Individuals with regard to the Processing of Personal Data, Recommendation 3/97: Anonymity on the Internet (XV D/5022/97 Final WP 6). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/1997/wp6_en.pdf

Article 29 Working Party on Data Protection. (2000, May 16). Opinion 3/2000 On the EU/US dialogue concerning the "Safe harbor" arrangement (5019/00/EN/FINAL WP 31). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2000/wp31_en.pdf

Article 29 Working Party on Data Protection. (2000, July 13). Opinion 5/2000 on The Use of Public Directories for Reverse or Multi-criteria Searching Services (Reverse Directories) (5058/00/EN/FINAL WP 33). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2000/wp33_en.pdf

Article 29 Working Party on Data Protection. (2000, November 21). Working Document Privacy on the Internet: An integrated EU Approach to On-line Data Protection (5063/00/EN/FINAL WP 37). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2000/wp37_en.pdf

Article 29 Working Party on Data Protection. (2001, March 22). Opinion 4/2001 On the Council of Europe’s Draft Convention on Cyber-crime (5001/01/EN/Final WP 41). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2001/wp41_en.pdf

Article 29 Working Party on Data Protection. (2002, May 30). Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites (5035/01/EN/Final WP 56). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2002/wp56_en.pdf

Article 29 Working Party on Data Protection. (2003, June 13). Opinion 2/2003 on the application of the data protection principles to the Whois directories (10972/03/EN final WP 76). Retrieved from European Commission website: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2003/wp76_en.pdf

Article 29 Working Party on Data Protection. (2003, December 12). Opinion 7/2003 on the re-use of public sector information and the protection of personal data: Striking the balance (10936/03/EN WP 83). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2003/wp83_en.pdf

Article 29 Working Party on Data Protection. (2004, November 25). Declaration of the Article 29 Working Party on enforcement (12067/04/EN WP 101). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2004/wp101_en.pdf

Article 29 Working Party on Data Protection. (2007, June 20). Opinion 4/2007 on the concept of personal data (01248/07/EN WP 136). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf


Article 29 Working Party on Data Protection. (2008, April 4). Opinion 1/2008 on data protection issues related to search engines (00737/EN WP 148). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2008/wp148_en.pdf

Article 29 Working Party on Data Protection. (2010, February 16). Opinion 1/2010 on the concepts of "controller" and "processor" (00264/10/EN WP 169). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf

Article 29 Working Party on Data Protection. (2010, July 13). Opinion 3/2010 on the principle of accountability (00062/10/EN WP 173). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2010/wp173_en.pdf

Article 29 Working Party on Data Protection. (2011, July 13). Opinion 15/2011 on the definition of consent (01197/11/EN WP 187). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp187_en.pdf

Article 29 Working Party on Data Protection. (2013, April 2). Opinion 03/2013 on purpose limitation (00569/13/EN WP 203). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf

Article 29 Working Party on Data Protection. (2014, February 27). Opinion 01/2014 on the application of necessity and proportionality concepts and data protection within the law enforcement sector (536/14/EN WP 211). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp211_en.pdf

Article 29 Working Party on Data Protection. (2014, April 9). Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC (844/14/EN WP 217). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf

Article 29 Working Party on Data Protection. (2014, April 10). Opinion 04/2014 on surveillance of electronic communications for intelligence and national security purposes (819/14/EN WP 215). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp215_en.pdf

Article 29 Working Party on Data Protection. (2014, August 1). Statement on the ruling of the Court of Justice of the European Union (CJEU) which invalidates the Data Retention Directive (14/EN WP 220). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp220_en.pdf

Article 29 Working Party on Data Protection. (2014, November 26). Guidelines on the implementation of the Court of Justice of the European Union judgement on “Google Spain and Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12 (14/EN WP 225). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp225_en.pdf

Article 29 Working Party on Data Protection. (2014, November 26). Working Document Setting Forth a Co-Operation Procedure for Issuing Common Opinions on “Contractual clauses”: Considered as compliant with the EC Model Clauses (14/EN WP 226). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp226_en.pdf

Article 29 Working Party on Data Protection. (2014, December 5). Working document on surveillance of electronic communications for intelligence and national security purposes (14/EN WP 228). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp228_en.pdf

Article 29 Working Party on Data Protection. (2015, October 16). Statement of the Article 29 Working Party [on the judgement of the Court of Justice of the European Union of 6 October 2015 in the Maximilian Schrems v Data Protection Commissioner case (C-362/14)] (14/EN WP 226). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf

Article 29 Working Party on Data Protection. (2015, December 1). Opinion 03/2015 on the draft directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data (3211/15/EN WP 233). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2015/wp233_en.pdf

Article 29 Working Party on Data Protection. (2015, December 16). Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain (176/16/EN WP 179 update). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2015/wp179_en_update.pdf

Article 29 Working Party on Data Protection. (2016, April 13). Opinion 01/2016 on the EU – U.S. Privacy Shield draft adequacy decision (16/EN WP 238). Retrieved from European Commission website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2016/wp238_en.pdf

Article 29 Working Party on Data Protection. (2016, May 30). Opinion 4/2016: Opinion on the EU-U.S. Privacy Shield draft adequacy decision. Retrieved from European Commission website: https://edps.europa.eu/sites/edp/files/publication/16-05-30_privacy_shield_en.pdf

Correspondence

Chehade, F. (2012, October 9). Response to Kohnstamm letter of September 26. https://www.icann.org/en/system/files/correspondence/chehade-to-kohnstamm-09oct12-en.pdf

Jeffrey, J. (2013, September 20). Response to Kohnstamm letter of June 6, 2013. https://www.icann.org/en/system/files/correspondence/jeffrey-to-kohnstamm-20sep13-en.pdf

Kohnstamm, J. (2012, September 26). Comments on the data protection impact of the revision of the ICANN RAA concerning accuracy and data retention of WHOIS data. Letter to S. Crocker & A. Atallah, ICANN. http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2012/20120926_letter_to_icann_en.pdf

Kohnstamm, J. (2013, June 6). Statement on the data protection impact of the revision of the ICANN RAA. Letter to S. Crocker and F. Chehade, ICANN. http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2013/20130606_letter_to_icann_en.pdf

Kohnstamm, J. (2014, January 8). Re: Data retention waiver requests. Letter to J. Jeffrey, ICANN. https://www.icann.org/en/system/files/correspondence/kohnstamm-to-jeffrey-08jan14-en.pdf


Namazi, C. (2014, March 25). Re: Data retention waivers and public comments. Response to J. Kohnstamm letter of January 8, 2014. https://www.icann.org/en/system/files/correspondence/namazi-to-kohnstamm-25mar14-en.pdf

Schaar, P. (2006, June 22). Re: Upcoming discussions on WHOIS privacy. Letter to V. Cerf, ICANN. https://www.icann.org/en/system/files/files/schaar-to-cerf-22jun06-en.pdf

Schaar, P. (2007, March 12). Comments on the GNSO Whois Task Force preliminary task force report on Whois services of 22 November 2006; and on the draft ICANN procedure for handling Whois Conflicts with Privacy Law of 3 December 2006. Letter to V. Cerf, ICANN. https://www.icann.org/en/system/files/files/schaar-to-cerf-12mar07-en.pdf

Schaar, P. (2007, October 24). ICANN procedure for handling WHOIS conflicts with privacy law. Letter to V. Cerf, ICANN. https://gnso.icann.org/en/correspondence/cerf-to-schaar-24oct07.pdf


Appendix H Data Requirements, Section 3 of the Registrar Accreditation Agreement (2013)

Approved by the ICANN Board on 27 June 2013 Page 6–17 of 41

3. REGISTRAR OBLIGATIONS.

3.1 Obligations to Provide Registrar Services. During the Term of this Agreement, Registrar agrees that it will operate as a registrar for one or more gTLDs in accordance with this Agreement.

3.2 Submission of Registered Name Holder Data to Registry. During the Term of this Agreement:

3.2.1 As part of its registration of Registered Names in a gTLD, Registrar shall submit to, or shall place in the Registry Database operated by, the Registry Operator for the gTLD the following data elements:

3.2.1.1 The name of the Registered Name being registered;

3.2.1.2 The IP addresses of the primary nameserver and secondary nameserver(s) for the Registered Name;

3.2.1.3 The corresponding names of those nameservers;

3.2.1.4 Unless automatically generated by the registry system, the identity of the Registrar;

3.2.1.5 Unless automatically generated by the registry system, the expiration date of the registration; and


3.2.1.6 Any other data the Registry Operator requires be submitted to it. The agreement between the Registry Operator of a gTLD and Registrar may, if approved by ICANN in writing, state alternative required data elements applicable to that gTLD, in which event, the alternative required data elements shall replace and supersede Subsections 3.2.1.1 through 3.2.1.6 stated above for all purposes under this Agreement but only with respect to that particular gTLD. When seeking approval for alternative required data elements, the data elements set forth in Subsections 3.2.1.1 through 3.2.1.6 should be considered suggested minimum requirements.

3.2.2 Within seven (7) days after receiving any updates from the Registered Name Holder to the data elements listed in Subsections 3.2.1.2, 3.1.2.3, and 3.2.1.6 for any Registered Name that Registrar sponsors, Registrar shall submit the updated data elements to, or shall place those elements in the Registry Database operated by, the relevant Registry Operator.

3.2.3 In order to allow reconstitution of the Registry Database in the event of an otherwise unrecoverable technical failure or a change in the designated Registry Operator, within ten (10) days of any such request by ICANN, Registrar shall submit an electronic database containing the data elements listed in Subsections 3.2.1.1 through 3.2.1.6 for all active records in the registry sponsored by Registrar, in a format specified by ICANN, to the Registry Operator for the appropriate gTLD.

3.3 Public Access to Data on Registered Names. During the Term of this Agreement:

3.3.1 At its expense, Registrar shall provide an interactive web page and, with respect to any gTLD operating a “thin” registry, a port 43 Whois service (each accessible via both IPv4 and IPv6) providing free public query-based access to up-to-date (i.e., updated at least daily) data concerning all active Registered Names sponsored by Registrar in any gTLD. Until otherwise specified by a Consensus Policy, such data shall consist of the following elements as contained in Registrar's database:


3.3.1.1 The name of the Registered Name;

3.3.1.2 The names of the primary nameserver and secondary nameserver(s) for the Registered Name;

3.3.1.3 The identity of Registrar (which may be provided through Registrar's website);

3.3.1.4 The original creation date of the registration;

3.3.1.5 The expiration date of the registration;

3.3.1.6 The name and postal address of the Registered Name Holder;

3.3.1.7 The name, postal address, e-mail address, voice telephone number, and (where available) fax number of the technical contact for the Registered Name; and

3.3.1.8 The name, postal address, e-mail address, voice telephone number, and (where available) fax number of the administrative contact for the Registered Name. The agreement between the Registry Operator of a gTLD and Registrar may, if approved by ICANN in writing, state alternative required data elements applicable to that gTLD, in which event, the alternative required data elements shall replace and supersede Subsections 3.3.1.1 through 3.3.1.8 stated above for all purposes under this Agreement but only with respect to that particular gTLD.
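The element list in 3.3.1 can be read as a machine-checkable specification: which fields a registrar's port 43 output must carry, and which of those (3.3.1.6 through 3.3.1.8) are personal data that the EWG's 2014 recommendation would move behind accredited access. The following Python is an added example, not code from the thesis, ICANN or any registrar; the WHOIS field labels it keys on and the sample record it parses are constructed assumptions, since the RAA prescribes data elements rather than label spellings.

```python
"""Audit a registrar's port-43 WHOIS output against the data elements that
Section 3.3.1 of the 2013 RAA requires, then separate the technical elements
(3.3.1.1 to 3.3.1.5) from the personal-data elements (3.3.1.6 to 3.3.1.8).
Added example; field labels are assumptions and the sample record is constructed.
"""
from collections import defaultdict

# Minimal labels per RAA 3.3.1 element. Fax numbers are "where available" in
# 3.3.1.7 and 3.3.1.8, so they are deliberately not required here.
REQUIRED = {
    "3.3.1.1": ["Domain Name"],
    "3.3.1.2": ["Name Server"],
    "3.3.1.3": ["Registrar"],
    "3.3.1.4": ["Creation Date"],
    "3.3.1.5": ["Registry Expiry Date"],
    "3.3.1.6": ["Registrant Name", "Registrant Street"],  # name and postal address only
    "3.3.1.7": ["Tech Name", "Tech Street", "Tech Email", "Tech Phone"],
    "3.3.1.8": ["Admin Name", "Admin Street", "Admin Email", "Admin Phone"],
}
PERSONAL_DATA_ELEMENTS = {"3.3.1.6", "3.3.1.7", "3.3.1.8"}
# Any label in a contact block is personal data, even fields 3.3.1 does not demand
# (e.g. Registrant Email); the prefix rule catches those too.
CONTACT_PREFIXES = {"Registrant ": "3.3.1.6", "Tech ": "3.3.1.7", "Admin ": "3.3.1.8"}


def parse_whois(text):
    """Parse RFC 3912-style 'Label: value' lines into {label: [values]}.
    Repeated labels (several Name Server lines) accumulate; comment lines and
    the trailing '>>> Last update ... <<<' notice are skipped."""
    fields = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        label, _, value = line.partition(":")
        if value.strip():
            fields[label.strip()].append(value.strip())
    return dict(fields)


def element_for(label):
    """Map a WHOIS label to the RAA 3.3.1 element it belongs to, or None."""
    for prefix, element in CONTACT_PREFIXES.items():
        if label.startswith(prefix):
            return element
    for element, labels in REQUIRED.items():
        if label in labels:
            return element
    return None


def audit_record(fields):
    """Report required labels that are absent, personal-data labels that are
    published, and labels the RAA element list does not cover."""
    missing = [(element, label) for element, labels in REQUIRED.items()
               for label in labels if label not in fields]
    personal = sorted(k for k in fields if element_for(k) in PERSONAL_DATA_ELEMENTS)
    unclassified = sorted(k for k in fields if element_for(k) is None)
    return {"missing": missing, "personal": personal, "unclassified": unclassified}


def split_record(fields):
    """Tiered view: the technical 'basic' elements that could stay public, and
    the restricted personal-data elements, as the EWG's 2014 report proposed."""
    basic = {k: v for k, v in fields.items() if element_for(k) not in PERSONAL_DATA_ELEMENTS}
    restricted = {k: v for k, v in fields.items() if element_for(k) in PERSONAL_DATA_ELEMENTS}
    return basic, restricted


SAMPLE = """\
% Constructed sample record for illustration; not a real registration.
Domain Name: EXAMPLE-PRIVACY-TEST.COM
Registrar: Example Registrar, Inc. (hypothetical)
Creation Date: 2012-05-01T00:00:00Z
Registry Expiry Date: 2019-05-01T00:00:00Z
Name Server: NS1.EXAMPLE-PRIVACY-TEST.COM
Name Server: NS2.EXAMPLE-PRIVACY-TEST.COM
Registrant Name: Jane Doe
Registrant Street: 1 Example Street
Registrant City: Exampleville
Registrant Country: CA
Registrant Email: jane@example-privacy-test.com
Admin Name: Jane Doe
Admin Street: 1 Example Street
Admin Email: jane@example-privacy-test.com
Admin Phone: +1.5550100
Tech Name: Example Hostmaster
Tech Email: hostmaster@example-privacy-test.com
Tech Phone: +1.5550199
>>> Last update of WHOIS database: 2018-01-01T00:00:00Z <<<
"""

if __name__ == "__main__":
    record = parse_whois(SAMPLE)
    report = audit_record(record)
    print("missing required elements:", report["missing"])  # Tech Street is absent
    print("personal-data labels published:", report["personal"])
    basic, restricted = split_record(record)
    print("basic (public) view:", sorted(basic))
```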

3.3.2 Upon receiving any updates to the data elements listed in Subsections 3.3.1.2, 3.3.1.3, and 3.3.1.5 through 3.3.1.8 from the Registered Name Holder, Registrar shall promptly update its database used to provide the public access described in Subsection 3.3.1.

3.3.3 Registrar may subcontract its obligation to provide the public access described in Subsection 3.3.1 and the updating described in Subsection 3.3.2, provided that Registrar shall remain fully responsible for the proper provision of the access and updating.


3.3.4 Registrar shall abide by any Consensus Policy that requires registrars to cooperatively implement a distributed capability that provides query-based Whois search functionality across all registrars. If the Whois service implemented by registrars does not in a reasonable time provide reasonably robust, reliable, and convenient access to accurate and up-to-date data, the Registrar shall abide by any Consensus Policy requiring Registrar, if reasonably determined by ICANN to be necessary (considering such possibilities as remedial action by specific registrars), to supply data from Registrar's database to facilitate the development of a centralized Whois database for the purpose of providing comprehensive Registrar Whois search capability.

3.3.5 In providing query-based public access to registration data as required by Subsections 3.3.1 and 3.3.4, Registrar shall not impose terms and conditions on use of the data provided, except as permitted by any Specification or Policy established by ICANN. Unless and until ICANN establishes a different Consensus Policy, Registrar shall permit use of data it provides in response to queries for any lawful purposes except to:

(a) allow, enable, or otherwise support the transmission by e-mail, telephone, postal mail, facsimile or other means of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or

(b) enable high volume, automated, electronic processes that send queries or data to the systems of any Registry Operator or ICANN-Accredited registrar, except as reasonably necessary to register domain names or modify existing registrations.

3.3.6 In the event that ICANN determines, following analysis of economic data by an economist(s) retained by ICANN (which data has been made available to Registrar), that an individual or entity is able to exercise market power with respect to registrations or with respect to registration data used for development of value-added products and services by third parties, Registrar shall provide third-party bulk access to the data subject to public access under Subsection 3.3.1 under the following terms and conditions:


3.3.6.1 Registrar shall make a complete electronic copy of the data available at least one (1) time per week for download by third parties who have entered into a bulk access agreement with Registrar.

3.3.6.2 Registrar may charge an annual fee, not to exceed US$10,000, for such bulk access to the data.

3.3.6.3 Registrar's access agreement shall require the third party to agree not to use the data to allow, enable, or otherwise support any marketing activities, regardless of the medium used. Such media include but are not limited to e-mail, telephone, facsimile, postal mail, SMS, and wireless alerts.

3.3.6.4 Registrar's access agreement shall require the third party to agree not to use the data to enable high-volume, automated, electronic processes that send queries or data to the systems of any Registry Operator or ICANN-Accredited registrar, except as reasonably necessary to register domain names or modify existing registrations.

3.3.6.5 Registrar's access agreement must require the third party to agree not to sell or redistribute the data except insofar as it has been incorporated by the third party into a value-added product or service that does not permit the extraction of a substantial portion of the bulk data from the value-added product or service for use by other parties.

3.3.7 To comply with applicable statutes and regulations and for other reasons, ICANN may adopt a Consensus Policy establishing limits (a) on the Personal Data concerning Registered Names that Registrar may make available to the public through a public-access service described in this Subsection 3.3 and (b) on the manner in which Registrar may make such data available. Registrar shall comply with any such Consensus Policy.

3.3.8 Registrar shall meet or exceed the requirements set forth in the Whois Specification.


3.4 Retention of Registered Name Holder and Registration Data.

3.4.1 For each Registered Name sponsored by Registrar within a gTLD, Registrar shall collect and securely maintain, in its own electronic database, as updated from time to time:

3.4.1.1 the data specified in the Data Retention Specification attached hereto for the period specified therein;

3.4.1.2 The data elements listed in Subsections 3.3.1.1 through 3.3.1.8;

3.4.1.3 the name and (where available) postal address, e-mail address, voice telephone number, and fax number of the billing contact;

3.4.1.4 any other Registry Data that Registrar has submitted to the Registry Operator or placed in the Registry Database under Subsection 3.2; and

3.4.1.5 the name, postal address, e-mail address, and voice telephone number provided by the customer of any privacy service or licensee of any proxy registration service, in each case, offered or made available by Registrar or its Affiliates in connection with each registration. Effective on the date that ICANN fully implements a Proxy Accreditation Program established in accordance with Section 3.14, the obligations under this Section 3.4.1.5 will cease to apply as to any specific category of data (such as postal address) that is expressly required to be retained by another party in accordance with such Proxy Accreditation Program.

3.4.2 During the Term of this Agreement and for two (2) years thereafter, Registrar (itself or by its agent(s)) shall maintain the following records relating to its dealings with the Registry Operator(s) and Registered Name Holders:


3.4.2.1 In electronic form, the submission date and time, and the content, of all registration data (including updates) submitted in electronic form to the Registry Operator(s);

3.4.2.2 In electronic, paper, or microfilm form, all written communications constituting registration applications, confirmations, modifications, or terminations and related correspondence with Registered Name Holders, including registration contracts; and

3.4.2.3 In electronic form, records of the accounts of all Registered Name Holders with Registrar.

3.4.3 During the Term of this Agreement and for two (2) years thereafter, Registrar shall make the data, information and records specified in this Section 3.4 available for inspection and copying by ICANN upon reasonable notice. In addition, upon reasonable notice and request from ICANN, Registrar shall deliver copies of such data, information and records to ICANN in respect to limited transactions or circumstances that may be the subject of a compliance-related inquiry; provided, however, that such obligation shall not apply to requests for copies of the Registrar’s entire database or transaction history. Such copies are to be provided at Registrar’s expense. In responding to ICANN’s request for delivery of electronic data, information and records, Registrar may submit such information in a format reasonably convenient to Registrar and acceptable to ICANN so as to minimize disruption to the Registrar’s business. In the event Registrar believes that the provision of any such data, information or records to ICANN would violate applicable law or any legal proceedings, ICANN and Registrar agree to discuss in good faith whether appropriate limitations, protections, or alternative solutions can be identified to allow the production of such data, information or records in complete or redacted form, as appropriate. ICANN shall not disclose the content of such data, information or records except as expressly required by applicable law, any legal proceeding or Specification or Policy.


3.4.4 Notwithstanding any other requirement in this Agreement or the Data Retention Specification, Registrar shall not be obligated to maintain records relating to a domain registration beginning on the date two (2) years following the domain registration's deletion or transfer away to a different registrar.

3.5 Rights in Data. Registrar disclaims all rights to exclusive ownership or use of the data elements listed in Subsections 3.2.1.1 through 3.2.1.3 for all Registered Names submitted by Registrar to the Registry Database for, or sponsored by Registrar in, each gTLD for which it is Accredited. Registrar does not disclaim rights in the data elements listed in Subsections 3.2.1.4 through 3.2.1.6 and Subsections 3.3.1.3 through 3.3.1.8 concerning active Registered Names sponsored by it in each gTLD for which it is Accredited, and agrees to grant non-exclusive, irrevocable, royalty-free licenses to make use of and disclose the data elements listed in Subsections 3.2.1.4 through 3.2.1.6 and 3.3.1.3 through 3.3.1.8 for the purpose of providing a service or services (such as a Whois service under Subsection 3.3.4) providing interactive, query-based public access. Upon a change in sponsorship from Registrar of any Registered Name in each gTLD for which it is Accredited, Registrar acknowledges that the registrar gaining sponsorship shall have the rights of an owner to the data elements listed in Subsections 3.2.1.4 through 3.2.1.6 and 3.3.1.3 through 3.3.1.8 concerning that Registered Name, with Registrar also retaining the rights of an owner in that data. Nothing in this Subsection prohibits Registrar from (1) restricting bulk public access to data elements in a manner consistent with this Agreement and any Specifications or Policies or (2) transferring rights it claims in data elements subject to the provisions of this Subsection 3.5.

3.6 Data Escrow. During the Term of this Agreement, on a schedule, under the terms, and in the format specified by ICANN, Registrar shall submit an electronic copy of the data described in Subsections 3.4.1.2 through 3.4.1.5 to ICANN or, at Registrar's election and at its expense, to a reputable escrow agent mutually approved by Registrar and ICANN, such approval also not to be unreasonably withheld by either party. The data shall be held under an agreement among Registrar, ICANN, and the escrow agent (if any) providing that (1) the data shall be received and held in escrow, with no use other than verification that the deposited data is complete, consistent, and in proper format, until released to ICANN; (2) the data shall be released from escrow upon expiration without renewal or termination of this Agreement; and (3) ICANN's rights under the escrow agreement shall be assigned with any assignment of this Agreement. The escrow shall provide that in the event the escrow is released under this Subsection, ICANN (or its assignee) shall have a non-exclusive, irrevocable, royalty-free license to exercise (only for transitional purposes) or have exercised all rights necessary to provide Registrar Services.

3.7 Business Dealings, Including with Registered Name Holders.

3.7.1 In the event ICANN adopts a Specification or Policy that is supported by a consensus of ICANN-Accredited registrars as reflected in the Registrar Stakeholder Group (or any successor group), establishing or approving a Code of Conduct for ICANN-Accredited registrars, Registrar shall abide by that Code of Conduct.

3.7.2 Registrar shall abide by applicable laws and governmental regulations.

3.7.3 Registrar shall not represent to any actual or potential Registered Name Holder that Registrar enjoys access to a registry for which Registrar is Accredited that is superior to that of any other registrar Accredited for that registry.

3.7.4 Registrar shall not activate any Registered Name unless and until it is satisfied that it has received a reasonable assurance of payment of its registration fee. For this purpose, a charge to a credit card, general commercial terms extended to creditworthy customers, or other mechanism providing a similar level of assurance of payment shall be sufficient, provided that the obligation to pay becomes final and non-revocable by the Registered Name Holder upon activation of the registration.


3.7.5 At the conclusion of the registration period, failure by or on behalf of the Registered Name Holder to consent that the registration be renewed within the time specified in a second notice or reminder shall, in the absence of extenuating circumstances, result in cancellation of the registration by the end of the auto-renew grace period (although Registrar may choose to cancel the name earlier).

3.7.5.1 Extenuating circumstances are defined as: UDRP action, valid court order, failure of a Registrar's renewal process (which does not include failure of a registrant to respond), the domain name is used by a nameserver that provides DNS service to third-parties (additional time may be required to migrate the records managed by the nameserver), the registrant is subject to bankruptcy proceedings, payment dispute (where a registrant claims to have paid for a renewal, or a discrepancy in the amount paid), billing dispute (where a registrant disputes the amount on a bill), domain name subject to litigation in a court of competent jurisdiction, or other circumstance as approved specifically by ICANN.

3.7.5.2 Where Registrar chooses, under extenuating circumstances, to renew a domain name without the explicit consent of the registrant, the registrar must maintain a record of the extenuating circumstances associated with renewing that specific domain name for inspection by ICANN consistent with clauses 3.4.2 and 3.4.3 of this agreement.

3.7.5.3 In the absence of extenuating circumstances (as defined in Section 3.7.5.1 above), a domain name must be deleted within 45 days of either the registrar or the registrant terminating a registration agreement.

3.7.5.4 Registrar shall provide notice to each new registrant describing the details of their deletion and auto-renewal policy including the expected time at which a non-renewed domain name would be deleted relative to the domain's expiration date, or a date range not to exceed ten (10) days in length. If a registrar makes any material changes to its deletion policy during the period of the registration agreement, it must make at least the same effort to inform the registrant of the changes as it would to inform the registrant of other material changes to the registration agreement (as defined in clause 3.7.7 of the registrars accreditation agreement).

3.7.5.5 If Registrar operates a website for domain name registration or renewal, details of Registrar's deletion and auto-renewal policies must be clearly displayed on the website.

3.7.5.6 If Registrar operates a website for domain registration or renewal, it should state, both at the time of registration and in a clear place on its website, any fee charged for the recovery of a domain name during the Redemption Grace Period.

3.7.5.7 In the event that a domain which is the subject of a UDRP dispute is deleted or expires during the course of the dispute, the complainant in the UDRP dispute will have the option to renew or restore the name under the same commercial terms as the registrant. If the complainant renews or restores the name, the name will be placed in Registrar HOLD and Registrar LOCK status, the WHOIS contact information for the registrant will be removed, and the WHOIS entry will indicate that the name is subject to dispute. If the complaint is terminated, or the UDRP dispute finds against the complainant, the name will be deleted within 45 days. The registrant retains the right under the existing redemption grace period provisions to recover the name at any time during the Redemption Grace Period, and retains the right to renew the name before it is deleted.

3.7.6 Registrar shall not insert or renew any Registered Name in any gTLD registry in a manner contrary to (i) any Consensus Policy stating a list or specification of excluded Registered Names that is in effect at the time of insertion or renewal, or (ii) any list of names to be reserved from registration as required by the specific Registry Operator for which the Registrar is providing Registrar Services.

3.7.7 Registrar shall require all Registered Name Holders to enter into an electronic or paper registration agreement with Registrar including at least the provisions set forth in Subsections 3.7.7.1 through 3.7.7.12, and which agreement shall otherwise set forth the terms and conditions applicable to the registration of a domain name sponsored by Registrar. The Registered Name Holder with whom Registrar enters into a registration agreement must be a person or legal entity other than the Registrar, provided that Registrar may be the Registered Name Holder for domains registered for the purpose of conducting its Registrar Services, in which case the Registrar shall submit to the provisions set forth in Subsections 3.7.7.1 through 3.7.7.12 and shall be responsible to ICANN for compliance with all obligations of the Registered Name Holder as set forth in this Agreement and Specifications and Policies. Registrar shall use commercially reasonable efforts to enforce compliance with the provisions of the registration agreement between Registrar and any Registered Name Holder that relate to implementing the requirements of Subsections 3.7.7.1 through 3.7.7.12 or any Consensus Policy.

3.7.7.1 The Registered Name Holder shall provide to Registrar accurate and reliable contact details and correct and update them within seven (7) days of any change during the term of the Registered Name registration, including: the full name, postal address, e-mail address, voice telephone number, and fax number if available of the Registered Name Holder; name of authorized person for contact purposes in the case of a Registered Name Holder that is an organization, association, or corporation; and the data elements listed in Subsections 3.3.1.2, 3.3.1.7 and 3.3.1.8.

3.7.7.2 A Registered Name Holder's willful provision of inaccurate or unreliable information, its willful failure to update information provided to Registrar within seven (7) days of any change, or its failure to respond for over fifteen (15) days to inquiries by Registrar concerning the accuracy of contact details associated with the Registered Name Holder's registration shall constitute a material breach of the Registered Name Holder-registrar contract and be a basis for suspension and/or cancellation of the Registered Name registration.

3.7.7.3 Any Registered Name Holder that intends to license use of a domain name to a third party is nonetheless the Registered Name Holder of record and is responsible for providing its own full contact information and for providing and updating accurate technical and administrative contact information adequate to facilitate timely resolution of any problems that arise in connection with the Registered Name. A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it discloses the current contact information provided by the licensee and the identity of the licensee within seven (7) days to a party providing the Registered Name Holder reasonable evidence of actionable harm.

3.7.7.4 Registrar shall provide notice to each new or renewed Registered Name Holder stating:

3.7.7.4.1 The purposes for which any Personal Data collected from the applicant are intended;

3.7.7.4.2 The intended recipients or categories of recipients of the data (including the Registry Operator and others who will receive the data from Registry Operator);

3.7.7.4.3 Which data are obligatory and which data, if any, are voluntary; and

3.7.7.4.4 How the Registered Name Holder or data subject can access and, if necessary, rectify the data held about them.

3.7.7.5 The Registered Name Holder shall consent to the data processing referred to in Subsection 3.7.7.4.

3.7.7.6 The Registered Name Holder shall represent that notice has been provided equivalent to that described in Subsection 3.7.7.4 to any third-party individuals whose Personal Data are supplied to Registrar by the Registered Name Holder, and that the Registered Name Holder has obtained consent equivalent to that referred to in Subsection 3.7.7.5 of any such third-party individuals.


3.7.7.7 Registrar shall agree that it will not process the Personal Data collected from the Registered Name Holder in a way incompatible with the purposes and other limitations about which it has provided notice to the Registered Name Holder in accordance with Subsection 3.7.7.4 above.

3.7.7.8 Registrar shall agree that it will take reasonable precautions to protect Personal Data from loss, misuse, unauthorized access or disclosure, alteration, or destruction.

3.7.7.9 The Registered Name Holder shall represent that, to the best of the Registered Name Holder's knowledge and belief, neither the registration of the Registered Name nor the manner in which it is directly or indirectly used infringes the legal rights of any third party.

3.7.7.10 For the adjudication of disputes concerning or arising from use of the Registered Name, the Registered Name Holder shall submit, without prejudice to other potentially applicable jurisdictions, to the jurisdiction of the courts (1) of the Registered Name Holder's domicile and (2) where Registrar is located.

3.7.7.11 The Registered Name Holder shall agree that its registration of the Registered Name shall be subject to suspension, cancellation, or transfer pursuant to any Specification or Policy, or pursuant to any registrar or registry procedure not inconsistent with any Specification or Policy, (1) to correct mistakes by Registrar or the Registry Operator in registering the name or (2) for the resolution of disputes concerning the Registered Name.

3.7.7.12 The Registered Name Holder shall indemnify and hold harmless the Registry Operator and its directors, officers, employees, and agents from and against any and all claims, damages, liabilities, costs, and expenses (including reasonable legal fees and expenses) arising out of or related to the Registered Name Holder's domain name registration.


3.7.8 Registrar shall comply with the obligations specified in the Whois Accuracy Program Specification. In addition, notwithstanding anything in the Whois Accuracy Program Specification to the contrary, Registrar shall abide by any Consensus Policy requiring reasonable and commercially practicable (a) verification, at the time of registration, of contact information associated with a Registered Name sponsored by Registrar or (b) periodic re-verification of such information. Registrar shall, upon notification by any person of an inaccuracy in the contact information associated with a Registered Name sponsored by Registrar, take reasonable steps to investigate that claimed inaccuracy. In the event Registrar learns of inaccurate contact information associated with a Registered Name it sponsors, it shall take reasonable steps to correct that inaccuracy.

3.7.9 Registrar shall abide by any Consensus Policy prohibiting or restricting warehousing of or speculation in domain names by registrars.

3.7.10 Registrar shall publish on its website(s) and/or provide a link to the Registrants’ Benefits and Responsibilities Specification attached hereto and shall not take any action inconsistent with the corresponding provisions of this Agreement or applicable law.

3.7.11 Registrar shall make available a description of the customer service handling processes available to Registered Name Holders regarding Registrar Services, including a description of the processes for submitting complaints and resolving disputes regarding the Registrar Services.

3.7.12 Nothing in this Agreement prescribes or limits the amount Registrar may charge Registered Name Holders for registration of Registered Names.

3.8 Domain-Name Dispute Resolution. During the Term of this Agreement, Registrar shall have in place a policy and procedures for resolution of disputes concerning Registered Names. Until ICANN adopts an alternative Consensus Policy or other Specification or Policy with respect to the resolution of disputes concerning Registered Names, Registrar shall comply with the Uniform Domain Name Dispute Resolution Policy (“UDRP”) identified on ICANN's website (www.icann.org/general/consensus-policies.htm), as may be modified from time to time. Registrar shall also comply with the Uniform Rapid Suspension (“URS”) procedure or its replacement, as well as with any other applicable dispute resolution procedure as required by a Registry Operator for which Registrar is providing Registrar Services.

Internet Corporation for Assigned Names & Numbers. (2013). Section 3. Registrar Accreditation Agreement, 6-17. Retrieved from https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en


Appendix I Government Advisory Committee

Communiqués and Documents Related to WHOIS

GAC Communiqués

Internet Corporation for Assigned Names & Numbers, Governmental Advisory Committee. (2013, April 11). GAC Communiqué—Beijing, People’s Republic of China. Retrieved from https://gacweb.icann.org/display/GACADV/WHOIS

Internet Corporation for Assigned Names & Numbers, Governmental Advisory Committee. (2014, March 27). GAC Communiqué—Singapore. Retrieved from https://gacweb.icann.org/display/GACADV/WHOIS

Internet Corporation for Assigned Names & Numbers, Governmental Advisory Committee. (2014, June 25). GAC Communiqué—London, United Kingdom. Retrieved from https://gacweb.icann.org/display/GACADV/WHOIS

Internet Corporation for Assigned Names & Numbers, Governmental Advisory Committee. (2014, October 16). GAC Communiqué—Los Angeles, CA, USA. Retrieved from https://gacweb.icann.org/display/GACADV/WHOIS

Internet Corporation for Assigned Names & Numbers, Governmental Advisory Committee. (2015, February 11). GAC Communiqué—Singapore. Retrieved from https://gacweb.icann.org/display/GACADV/WHOIS

Internet Corporation for Assigned Names & Numbers, Governmental Advisory Committee. (2016, March 9). GAC Communiqué—Marrakech, Kingdom of Morocco. Retrieved from https://gacweb.icann.org/display/GACADV/WHOIS


GAC Documents

Governmental Advisory Committee. (2007, March 28). GAC Principles Regarding gTLD WHOIS Services. Retrieved from Internet Corporation for Assigned Names & Numbers, WHOIS website: https://whois.icann.org/en/link/gac-principles-regarding-gtld-whois-services

Governmental Advisory Committee Public Safety Working Group. (2016, May 19). Comments to “New gTLD Program Safeguards Against DNS Abuse” Report. Retrieved from Internet Corporation for Assigned Names & Numbers, Governmental Advisory Committee website: https://gacweb.icann.org/download/attachments/27132037/GAC_comments_DNS-%20Abuse-Report-CORRECTED.pdf

Governmental Advisory Committee Public Safety Working Group. (2015, September 15). GAC Public Safety Working Group (PSWG) Comments to Initial Report on the Privacy & Proxy Services Accreditation Issues Policy Development Process. Retrieved from Internet Corporation for Assigned Names & Numbers, Governmental Advisory Committee website: https://gacweb.icann.org/display/gacweb/GAC+Public+Safety+Working+Group?preview=/27132037/39944522/PSWG%2BGAC%20comments%20proxy%20privacy%20accreditation%20issues%5B1%5D.pdf

Governmental Advisory Committee. (2015, August 13). GAC Public Comments to “2013 RAA WHOIS Accuracy Specification Review.” Retrieved from Internet Corporation for Assigned Names & Numbers, Governmental Advisory Committee website: https://gacweb.icann.org/display/gacweb/GAC+Public+Safety+Working+Group#


Law Enforcement Documents

[Governmental Advisory Committee]. (2009, October). Summary of “Law Enforcement Due Diligence Recommendations for ICANN—Seoul.” Retrieved from Internet Corporation for Assigned Names & Numbers, Country Code Names Supporting Organisation website: http://ccnso.icann.org/meetings/seoul/law-enforcement-recommendations-oct09-en.pdf


Appendix J Biographical Note on the Author and her Engagement with ICANN

In 2013, Kathy Kleiman, who had been the Vice-chair of the WHOIS Policy Review Team that studied the issue from 2010 to 2012, asked me to join, as a volunteer, the Experts Working Group (EWG), which was being established to study the WHOIS directory problem afresh and to recommend a replacement. My name was put forward to the Board, and I served on that Experts Group from February 2013 to October 2014, when it concluded its deliberations.

I decided to join the Noncommercial Users Constituency (NCUC), one of two civil society constituencies in the Noncommercial Stakeholders Group (NCSG), and I was elected to represent them as a councillor on the Generic Names Supporting Organization (GNSO) Council in fall 2014. I also participated in six working groups: WHOIS conflicts with law (WHOIS-IAG), Privacy Proxy Services Accreditation Issues (GNSO-PPSAI), GNSO Review, Policy/Implementation working group, Non-commercial Stakeholders Group Policy Committee (NCSG-pol), and the Cross-community Human Rights Working Party during the research timeframe (i.e. until the end of 2015). I monitor several other groups and processes. I am thus an engaged researcher, motivated to advance the cause of human rights and the protection of privacy and anonymous free speech, and actively participating in the multi-stakeholder decision-making process.

I have 30 years of experience in government, during which I participated in many multi-stakeholder activities such as standards development, legislative consultations, and international policy work at the OECD, all activities that gave me considerable experience in exploring, analyzing and negotiating widely divergent interests in a neutral fashion. While on a five-year leave of absence from government, I worked for an internationally recognized Canadian software company, Zero Knowledge Systems, as their Chief Privacy Officer. I am familiar with the field of anonymity and cryptography, since I defended the company’s anonymity software to international law enforcement agencies. My standpoint is as an advocate for human rights and freedom of speech and association, but I have diverse experience in representing many stakeholders in international and domestic regulatory environments.

My career in government was spent mostly in the federal Department of Communications and later Industry, working on information policy issues. I worked in communications trade policy as liaison with the United States, was a chair and vice chair of the OECD committee looking at privacy, security and cryptography policy throughout the 1990s while the United States was moving forward with its information society policy. I am thus familiar with government perspectives on what was happening behind the scenes among countries with mature IT economies, at the time that ICANN was developing.

From 1991 to 1996 I worked on the Canadian Standard for privacy, the Model Code for the Protection of Personal Information, CAN/CSA-Q830-96. I was also researching possibilities for private sector privacy legislation at the federal level in Canada, and from 1997 to 2000 was the Director of Privacy Policy at Industry Canada, supervising the drafting of privacy legislation, the Personal Information Protection and Electronic Documents Act, or PIPEDA. Following a five-year leave of absence from the public sector, I returned to be the Director of Research and Policy in the Office of the Privacy Commissioner of Canada. I therefore have considerable experience in discussions relating to the drafting, effectiveness, implementation, and oversight of data protection law.


Appendix K Excerpt from the Trans-Pacific Partnership Agreement on Trade

The Trans-Pacific Partnership (TPP) is a free trade agreement that will liberalise trade and investment between 12 Pacific-rim countries: New Zealand, Australia, Brunei Darussalam, Canada, Chile, Japan, Malaysia, Mexico, Peru, Singapore, the United States and Vietnam.

Article 18.28:

Domain Names

1. In connection with each Party’s system for the management of its country-code top-level domain (ccTLD) domain names, the following shall be available:

(a) an appropriate procedure for the settlement of disputes, based on, or modelled along the same lines as, the principles established in the Uniform Domain-Name Dispute-Resolution Policy, as approved by the Internet Corporation for Assigned Names and Numbers (ICANN) or that:

(i) is designed to resolve disputes expeditiously and at low cost;

(ii) is fair and equitable;

(iii) is not overly burdensome; and

(iv) does not preclude resort to judicial proceedings; and

(b) online public access to a reliable and accurate database of contact information concerning domain name registrants, in accordance with each Party’s law and, if applicable, relevant administrator policies regarding protection of privacy and personal data.

2. In connection with each Party’s system for the management of ccTLD domain names, appropriate remedies shall be available at least in cases in which a person registers or holds, with a bad faith intent to profit, a domain name that is identical or confusingly similar to a trademark.

Trans-Pacific Partnership Agreement on Trade, Feb. 4, 2016, 18.28 T.P.P.


Appendix L Letter from European Registrars to ICANN Regarding Escrow Costs Required by the 2013 Registrar Accreditation Agreement

Mr. Mike Zupke, Registrar Services Director, ICANN,

Dr. Steve Crocker, Chair, ICANN Board

Mr. Fadi Chehadé, President & CEO, ICANN

Mr. Allen Grogan, Chief Contract Compliance Officer ICANN,

October 30, 2015

Dear Sirs,

We are glad that data privacy protection and its implications for the domain name industry are now central on ICANN’s agenda. As informally discussed with several members of the GDD department in the past, European based registrars have always been conscious of the legal consequences stemming from the transfer of personal data of their customers outside the European Economic Area. While these concerns were more of a theoretical nature, a recent justice decision has transformed this concern into a pressing issue that may not bear with ICANN's regular pace. Indeed, the European Court of Justice rendered a decision on October 6, 2015 which invalidated the 2000 Safe Harbour Principles which allowed US companies to comply with EU laws when processing personal data. [1]

This invalidation has for direct consequence to render transfers of private data from European based Registrars to entities established within the United States of America illegal, if the latter did not agree to enter into an agreement including a set of clauses developed by the European Commission. As such, the daily transfers that numerous EU based registrars are currently operating to Iron Mountain Inc. within the scope of the Registrar Data Escrow program [2] are operated in breach of Directive 95/46/EC and its transposition under national laws. Fortunately, the Article 29 Working Party, which is composed of representatives from every national data protection agency in the EU, released a communiqué [3] stating that the national data protection agencies would only enforce this decision starting from January 2016. [4] As a reminder, a breach of such laws is considered a felony and punished by imprisonment and heavy fines. Time is therefore of the essence.

Whilst ICANN has approved other RDE service providers than Iron Mountain, some of them established within the European Economic Area, the service fees of those providers are not being supported by ICANN. Thus, the only solution for EU based registrars to comply with their local laws is to bear this extra cost.

We are sure you will agree this clearly constitutes an unfair disadvantage to a given category of registrars. This is why we ask ICANN to offer the same terms as it currently does to Iron Mountain to other RDE providers established in the European Economic Area, to ensure a level playing field for registrars globally. Please bear in mind that operating a change of RDE provider will require certain technical adaptation and development from registrars and, as such, your timely action is highly appreciated.

Thank you,

Signatories

Euro DNS S.A., Luc Seufer

NetEarth One Inc., Chris Pelling

Astutium Ltd, Rob Golding

ingenit GmbH & Co. KG, Thomas Klute

Key-Systems GmbH, Alexander Siffrin

Blacknight Solutions Inc., Michele Neylon

Realtime Register B.V., Theo Geurts

Safebrands SAS, Frederic Guillemaut

Mesh Digital Limited, Pete Osmond

Paragon Internet Group Ltd, Dan Rodgers

Hostserver GmbH, Marcus Schäfer

1API GmbH, Robbie Birkner

One.com A/S, Rieke Poppe

RegistryGate GmbH, Fritz Diekmann

1&1 Internet AG, Thomas Keller

Hosting Concepts B.V., Arno Vis

united-domains AG, Tobias Sattler

Nordreg AB, Benny

Corehub S.R.L., Iliya Bazlyankov

Netistrar Ltd, Andrew Bennett

[1] http://curia.europa.eu/juris/documents.jsf?num=C-362/14

[2] https://www.icann.org/en/system/files/files/rde-specs-09nov07-en.pdf

[3] http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf

[4] Ibid.

Seufer et al. (2015, October 30). [Letter to Allen Grogan, Fadi Chehadé, Mike Zupke, & Steve Crocker]. Retrieved from Internet Corporation for Assigned Names & Numbers website: https://www.icann.org/en/system/files/correspondence/eurodns-et-al-to-zupke-et-al-30oct15-en.pdf


Appendix M ICANN Procedure for Handling WHOIS Conflicts with Privacy Law

Effective Date: 17 January 2008

Introduction and background

0.1 In December 2003, [1] the WHOIS Task Force 2 of the GNSO recommended the development of a procedure to allow gTLD registry/registrars to demonstrate when they are prevented by local laws from fully complying with the provisions of ICANN contracts regarding personal data in WHOIS.

0.2 In November 2005 [2], the GNSO concluded a policy development process on establishing such a procedure. It follows the 'well-developed advice on a procedure' recommended by the WHOIS Task Force and approved by the GNSO Council. [3] In May 2006, the ICANN Board [4] adopted the policy and directed ICANN staff to develop and publicly document a conflicts procedure.

0.3 On 3 December 2006, ICANN staff published the Draft ICANN Procedure for Handling WHOIS Conflicts with Privacy Law [insert footnote, http://gnso.icann.org/issues/whois-privacy/whois_national_laws_procedure.htm]. ICANN sought input on the draft procedure from the Governmental Advisory Committee (GAC). Revised language has been incorporated into 1.4 below.

0.4 The procedure outlined below details how ICANN will respond to a situation where a registrar/registry [5] indicates that it is legally prevented by local/national privacy laws or regulations from complying with the provisions of its ICANN contract regarding the collection, display and distribution of personal data via WHOIS. The procedure is for use by ICANN staff. While it includes possible actions for the affected gTLD registry/registrar, this procedure does not impose any new obligations on registries/registrars or third parties. It aims to inform registries/registrars and other parties of the steps that will be taken when a possible conflict between other legal obligations and the ICANN contractual requirements regarding WHOIS is reported to ICANN.


Step One: Notification of Whois Proceeding

1.1 At the earliest appropriate juncture on receiving notification of an investigation, litigation, regulatory proceeding or other government or civil action that might affect its compliance with the provisions of the Agreement ("RAA") or other contractual agreement with ICANN dealing with the collection, display or distribution of personally identifiable data via WHOIS ("WHOIS Proceeding"), a registrar/registry should provide ICANN staff with the following:

• Summary description of the nature and status of the action (e.g., inquiry, investigation, litigation, threat of sanctions, etc.) and a range of possible outcomes.

• Contact information for the responsible official of the registrar/registry for resolving the problem.

• If appropriate, contact information for the responsible territorial government agency or other claimant and a statement from the registrar/registry authorizing ICANN to communicate with those officials or claimants on the matter. If the registrar/registry is prevented by applicable law from granting such authorization, the notification should document this.

• The text of the applicable law or regulations upon which the local government or other claimant is basing its action or investigation, if such information has been indicated by the government or other claimant.

• Description of efforts undertaken to meet the requirements of both local law and obligations to ICANN.

1.2 Meeting the notification requirement permits registrars/registries to participate in investigations and respond to court orders, regulations, or enforcement authorities in a manner and course deemed best by their counsel.

1.3 Depending on the specific circumstances of the WHOIS Proceeding, the registrar/registry may request that ICANN keep all correspondence between the parties confidential pending the outcome of the WHOIS Proceeding. ICANN will ordinarily respond favorably to such requests to the extent that they can be accommodated with other legal responsibilities and basic principles of transparency applicable to ICANN operations.


1.4 A registrar or registry that is subject to a WHOIS proceeding should work cooperatively with the relevant national government to ensure that the registrar or registry operates in conformity with domestic laws and regulations, and international law and applicable international conventions.

Step Two: Consultation

2.1 The goal of the consultation process should be to seek to resolve the problem in a manner that preserves the ability of the registrar/registry to comply with its contractual WHOIS obligations to the greatest extent possible.

2.1.1 Unless impractical under the circumstances, upon receipt and review of the notification, ICANN will consult with the registrar/registry. Where appropriate under the circumstances, ICANN will consult with the local/national enforcement authorities or other claimant together with the registrar/registry.

2.1.2 Pursuant to advice from ICANN's Governmental Advisory Committee, ICANN will request advice from the relevant national government on the authority of the request for derogation from the ICANN WHOIS requirements.

2.2 If the WHOIS Proceeding ends without requiring any changes or the required changes in registrar/registry practice do not, in the opinion of ICANN, constitute a deviation from the RAA or other contractual obligation, then ICANN and the registrar/registry need to take no further action.

2.3 If the registrar/registry is required by local law enforcement authorities or a court to make changes in its practices affecting compliance with WHOIS-related contractual obligations before any consultation process can occur, the registrar/registry should promptly notify ICANN of the changes made and the law/regulation upon which the action was based.

2.4 The registrar/registry may request that ICANN keep all correspondence between the parties confidential pending the outcome of the WHOIS Proceeding. ICANN will ordinarily respond favorably to such requests to the extent that they can be accommodated with other legal responsibilities and basic principles of transparency applicable to ICANN operations.

Step Three: General Counsel Analysis and Recommendation


3.1 If the WHOIS Proceeding requires changes (whether before, during or after the consultation process described above) that, in the opinion of the Office of ICANN's General Counsel, prevent compliance with contractual WHOIS obligations, ICANN staff may refrain, on a provisional basis, from taking enforcement action against the registrar/registry for non-compliance, while ICANN prepares a public report and recommendation and submits it to the ICANN Board for a decision. Prior to release of the report to the public, the registry/registrar may request that certain information (including, but not limited to, communications between the registry/registrar and ICANN, or other privileged/confidential information) be redacted from the report. The General Counsel may redact such advice or information from any published version of the report that relates to legal advice to ICANN or advice from ICANN's counsel that in the view of the General Counsel should be restricted due to privileges or possible liability to ICANN. Such a report may contain:

1. A summary of the law or regulation involved in the conflict;

2. Specification of the part of the registry or registrar's contractual WHOIS obligations with which full compliance is being prevented;

3. Summary of the consultation process if any under step two; and

4. Recommendation of how the issue should be resolved, which may include whether ICANN should provide an exception for those registrars/registries to which the specific conflict applies from one or more identified WHOIS contractual provisions. The report should include a detailed justification of its recommendation, including the anticipated impact on the operational stability, reliability, security, or global interoperability of the Internet's unique identifier systems if the recommendation were to be approved or denied.

3.2 The registrar/registry will be provided a reasonable opportunity to comment to the Board. The Registrar/Registry may request that ICANN keep such report confidential prior to any resolution of the Board. ICANN will ordinarily respond favorably to such requests to the extent that they can be accommodated with other legal responsibilities and basic principles of transparency applicable to ICANN operations.

Step Four: Resolution


4.1 Keeping in mind the anticipated impact on the operational stability, reliability, security, or global interoperability of the Internet's unique identifier systems, the Board will consider and take appropriate action on the recommendations contained in the General Counsel's report as soon as practicable. Actions could include, but are not limited to:

• Approving or rejecting the report's recommendations, with or without modifications;

• Seeking additional information from the affected registrar/registry or third parties;

• Scheduling a public comment period on the report; or

• Referring the report to GNSO for its review and comment by a date certain.

Step Five: Public Notice

5.1 The Board's resolution of the issue, together with the General Counsel's report, will ordinarily be made public and be archived on ICANN's website (along with other related materials) for future research. Prior to release of such information to the public, the registry/registrar may request that certain information (including, but not limited to, communications between the registry/registrar and ICANN, or other privileged/confidential information) be redacted from the public notice. The General Counsel may redact such advice or information from any published version of the report that relates to legal advice to ICANN or advice from ICANN's counsel that in the view of the General Counsel should be restricted due to privileges or possible liability to ICANN. In the event that any redactions make it difficult to convey to the public the nature of the actions being taken by the registry/registrar, ICANN will work to provide appropriate notice to the public describing the actions being taken and the justification for such actions, as may be practicable under the circumstances.

5.2 Unless the Board decides otherwise, if the result of its resolution of the issue is that data elements in the registry/registrar's WHOIS output will be removed or made less accessible, ICANN will issue an appropriate notice to the public of the resolution and of the reasons for ICANN's forbearance from enforcement of full compliance with the contractual provision in question.

Step Six: Ongoing Review


6.1 With substantial input from the relevant registries or registrars, together with all constituencies, ICANN will review the effectiveness of the process annually.

[1] Whois Task Force 2, Preliminary Report, June 2004; http://gnso.icann.org/issues/whois-privacy/Whois-tf2-preliminary.html

[2] GNSO Council minutes, 28 November 2005; http://gnso.icann.org/meetings/minutes-gnso-28nov05.shtml

[3] Final Task Force Report 25 October, 2005 of the GNSO Whois Task Force; http://gnso.icann.org/issues/tf-final-rpt-25oct05.htm

[4] Board minutes, 10 May, 2006; http://www.icann.org/minutes/minutes-10may06.htm

[5] Reference to 'registries' in this document includes registry operators and sponsoring organizations.

Internet Corporation for Assigned Names & Numbers. (2017, April 18). Revised ICANN Procedure for Handling WHOIS Conflicts with Privacy Law [Redline Version]. Retrieved from https://www.icann.org/en/system/files/files/whois-privacy-conflicts-procedure-redline-18apr17-en.pdf


Appendix N Letter from Peter Hustinx, European Data Protection Supervisor, on Data Retention Consultation

PETER HUSTINX

SUPERVISOR

Mr John O. JEFFREY

General Counsel and Secretary

ICANN Office of the General Counsel

12025 Waterfront Drive, Suite 300

Los Angeles, CA 90094-2536

E-mail: [email protected] and [email protected]

Brussels, 17 April 2014

PH/ZB/mk D(2014)0958 C2014-0449

Please use [email protected] for all correspondence

Subject: ICANN's public consultation on 2013 RAA Data Retention Specification Data Elements and Legitimate Purposes for Collection and Retention [1]

Dear Mr Jeffrey,

As the European Data Protection Supervisor, I am writing to you in response to the public consultation on 2013 RAA Data Retention Specification Data Elements and Legitimate Purposes for Collection and Retention [2] (referred to in this letter as 'the Draft Specification').

In this respect, I also want to refer to the letters sent to you by the Article 29 Data Protection Working Party on 26 September 2012, 6 June 2013 and 8 January 2014 in connection with the Data Retention Specification [3] in ICANN's 2013 Registrar Accreditation Agreement (2013 RAA). As a member of the Working Party, I have fully supported those letters.

Whilst we duly acknowledge ICANN's efforts regarding data protection and privacy and its openness to continued dialogue, regrettably, neither the 2013 RAA approved by the ICANN Board on 27 June 2013 nor the Draft Specification addresses sufficiently our concerns which were raised in this correspondence between the Working Party and ICANN on the retention periods and data collection.

The Draft Specification defines in more detail the data to be collected, the purposes for which they may be used and the retention periods for which the data are to be kept under the 2013 RAA. This is welcome in that it would offer more transparency. Nevertheless, the 2013 RAA and the Draft Specification continue to fall short of compliance with European data protection law.

The Draft Specification should only require collection of personal data which is genuinely necessary for the performance of the contract between the Registrar and the Registrant (e.g. billing) or for other compatible purposes such as fighting fraud related to domain name registration. This data should be retained for no longer than is necessary for these purposes. It would not be acceptable for the data to be retained for longer periods or for other, incompatible purposes, such as law enforcement purposes or to enforce copyright.

Processing contrary to these recommendations would be contrary to three key principles of European data protection law set forth in Directive 95/46/EC. It would violate the principle of purpose limitation under Article 6(1)(b) of Directive 95/46/EC, which prohibits the processing of personal data for incompatible purposes [4], the requirement under Article 7 of the Directive to have an appropriate legal ground for the processing of data, such as contract, consent or the legitimate interest of the controller [5], and the requirement of proportionality, including the requirement not to retain data 'longer than is necessary for the purposes for which the data were collected or for which they are further processed' (Article 6(1)(e)). These provisions are specifications of the fundamental rights to privacy and the protection of personal data laid down in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

Retention of personal data originally collected for commercial purposes, and subsequently retained for law enforcement purposes, has been the subject of a recent landmark ruling by the European Court of Justice, which held Directive 2006/24/EC to be invalid, as an unjustified interference with those rights. [6] The Court recognised that the retention of personal data might be considered appropriate for the purposes of the detection, investigation and prosecution of serious crime, but judged that the Directive 'exceeded the limits imposed by compliance with the principle of proportionality'. [7] It is reasonable to expect requirements for retaining personal data to be subject to increasing scrutiny and legal challenges in the EU.

Further, as you are aware, the current European data protection legislation is under reform. The European Parliament voted on 12 March 2014 overwhelmingly in favour of a new General Data Protection Regulation which is designed to replace Directive 95/46/EC and be directly applicable in each of the twenty-eight EU Member States. There is therefore now a more compelling need than ever before for ICANN to apply the waiver of the retention period under the 2013 RAA Data Retention Specification uniformly to all EU Member States as requested in the 'harmonised statement' of the Working Party issued by letter of 6 June 2013.

We would also encourage ICANN, being at the heart of the future of Internet evolution, and in view of its mandate to serve the public interest on a global scale, to take a lead in ensuring that privacy and data protection are embedded by default, when new tools and instruments or new internet policies are designed, for the benefit of all, not just European, Internet users.

On these grounds, we reiterate our recommendations to reduce the data collection and retention requirements in the 2013 RAA 'by default' to what is genuinely necessary for the performance of the contract between the Registrar and the Registrant (e.g. billing), and to limit processing of this data to compatible purposes, such as proportionate measures to fight fraud related to domain name registration. It is possible that the Working Party may wish to provide more details at a later stage.

Yours sincerely,

(signed)

Peter HUSTINX

Cc: Isabelle FALQUE-PIERROTIN, Chair, Article 29 Data Protection Working Party

[1] See consultation notice at http://www.icann.org/en/news/announcements/announcement-3-21mar14-en.htm

[2] http://www.icann.org/en/resources/registrars/raa/draft-data-retention-spec-elements-21mar14-en.pdf

[3] See Section 6 of the 2013 RAA at http://www.icann.org/en/resources/registrars/raa/approved-with-specs-27jun13-en.htm#data-retention

[4] See the Working Party Opinion 3/2013 on purpose limitation, adopted on 03.04.2013 (WP203).

[5] See the Working Party Opinion 6/2014 on legitimate interest, adopted on 09.04.2014 (WP217).

[6] ECJ judgment of 8 April 2014, Joined cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others.

[7] See para 69 of the judgment.

Hustinx, P. (2014, April 17). ICANN's public consultation on 2013 RAA Data Retention Specification Data Elements and Legitimate Purposes for Collection and Retention. [Letter to John O. Jeffrey]. Retrieved from European Data Protection Supervisor website: https://edps.europa.eu/sites/edp/files/publication/14-04-17_edps_letter_to_icann_en.pdf

350

Appendix O Relevant Legislation and Jurisprudence

Legislation and regulation

Council of Europe.

COE. European Convention on Human Rights, CETS No. 005, 1950

COE. Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, CETS No. 108, 1981.

COE. Committee of Ministers (2001). Convention on Cybercrime, CETS No. 185, Budapest, 23 November 2001.

European Union.

Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, (Data Protection Directive) OJ 1995, L281.

EU (2012). Charter of Fundamental Rights of the European Union, OJ 2012, C326.

Data Retention Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks (OJ 2006 L 105, p. 54).

Regulation (EU) 2016/679 of the Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

United States.

Federal Trade Commission Act, s. 5, 15 U.S.C. § 45(a)(2)

Financial Services Modernization Act of 1999, Pub.L. 106–102, 113 Stat. 1338, enacted November 12, 1999

Privacy Act of 1974, 5 U.S.C. Prelim. § 552a (2012 Ed. Supp. I, 2013)

Jurisprudence

European Union.

Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, Case C-131/12, 13 May 2014

Digital Rights Ireland and Seitlinger and Others, Joined Cases C-293/12 and C-594/12, OJ C 258, 25.8.2012 and OJ C 79, 16.3.2013

Maximillian Schrems v Data Protection Commissioner, Case C-362/14, 6 October 2015.


Appendix P Governmental Advisory Committee Principles Regarding Generic Top-Level Domain WHOIS Services

1.1 The purpose of this document is to identify a set of general public policy issues and to propose principles related to generic top level domain (gTLD) WHOIS services, in line with the recommendations of the Tunis Agenda of the World Summit on the Information Society in November, 2005.

1.2 These principles are intended to guide the work within ICANN and to inform the ICANN Board of the consensus views of the GAC regarding the range of public policy issues associated with WHOIS services.

Public Policy Aspects of WHOIS Data

2.1 The GAC recognizes that the original function of the gTLD WHOIS service is to provide a look up service to Internet users. As the Internet has evolved, WHOIS data is now used in support of a number of other legitimate activities, including:

1. Supporting the security and stability of the Internet by providing contact points for network operators and administrators, including ISPs, and certified computer incident response teams;

2. Allowing users to determine the availability of domain names;

3. Assisting law enforcement authorities in investigations, in enforcing national and international laws, including, for example, countering terrorism-related criminal offences and in supporting international cooperation procedures. In some countries, specialized non-governmental entities may be involved in this work;

4. Assisting in combating against abusive uses of ICTs, such as illegal activities and other acts motivated by racism, racial discrimination, xenophobia, and related intolerance, hatred, violence, all forms of child abuse, including paedophilia and child pornography, and trafficking in, and exploitation of, human beings.

5. Facilitating enquiries and subsequent steps to conduct trademark clearances and to help counter intellectual property infringement, misuse and theft in accordance with applicable national laws and international treaties;

6. Contributing to user confidence in the Internet as a reliable and efficient means of information and communication and as an important tool for promoting digital inclusion, e-commerce and other legitimate uses by helping users identify persons or entities responsible for content and services online; and

7. Assisting businesses, other organizations, and users in combating fraud, complying with relevant laws, and safeguarding the interests of the public.

2.2 The GAC recognizes that there are also legitimate concerns about:

1. the misuse of WHOIS data, and

2. conflicts with national laws and regulations, in particular applicable privacy and data protection laws.

Principles Applicable to WHOIS Services

3.1 The definition, purpose, and operation of gTLD WHOIS services should reflect and respect the different interests and concerns outlined in Section 2 above.

3.2. gTLD WHOIS services must comply with applicable national laws and regulations.

3.3 gTLD WHOIS services should provide sufficient and accurate data about domain name registrations and registrants subject to national safeguards for individuals' privacy in a manner that:

1. Supports the stability, reliability, security, and global interoperability of the Internet, from both a technical and public trust perspective; and

2. Facilitates continuous, timely, and world-wide access.

3.4 Ongoing collaboration among all relevant stakeholders who are users of, affected by, or responsible for, maintaining WHOIS data and services is essential to the effective implementation of these principles.

Recommendations for Action

4.1 Consistent with the above principles, stakeholders should work to improve the accuracy of WHOIS data, and in particular, to reduce the incidence of deliberately false WHOIS data.

4.2 The ICANN community, working with other stakeholders, should gather information on gTLD domain name registrations and registrants and how WHOIS data is used and misused. This information should be publicized and used to inform future debate on this issue.

Governmental Advisory Committee Principles Regarding Generic Top-Level Domain WHOIS Services

[Presented by the Governmental Advisory Committee March 28, 2007]


Appendix Q Law Enforcement Recommendations for Registrar Accreditation Agreement Amendments and ICANN Due Diligence

Detailed Version

Introduction: Below are:

1) suggested amendments to the RAA and;

2) due diligence recommendations for ICANN to adopt in accrediting registrars and registries. Both are supported by the following international law enforcement agencies:

• Australian Federal Police

• Department of Justice (US);

• Federal Bureau of Investigation (US);

• New Zealand Police;

• Royal Canadian Mounted Police;

• Serious Organised Crime Agency (UK)[.]

The amendments are considered to be required in order to aid the prevention and disruption of efforts to exploit domain registration procedures by Criminal Groups for criminal purposes. The proposed amendments take account of existing EU, US, Canadian and Australian legislation and those countries' commitment to preserving individuals' rights to privacy. These amendments would maintain these protections whilst facilitating effective investigation of Internet related crime.

I. Proposed Amendments to the RAA (May 21, 2009 version)

1) The RAA should not explicitly condone or encourage the use of Proxy Registrations or Privacy Services, as it appears in paragraphs 3.4.1 and 3.12.4. This goes directly against the Joint Project Agreement (JPA) ICANN signed with the United States Department of Commerce on September 25, 2006, which specifically states “ICANN shall continue to enforce existing (Whois) policy,” i.e., totally open and public WHOIS, and the September 30, 2009, Affirmation of Commitments, paragraph 9.3.1 which states “ICANN implement measures to maintain timely, unrestricted and public access to accurate and complete WHOIS information, including registrant, technical, billing, and administrative contact information.” Lastly, proxy and privacy registrations contravene the 2007 GAC Principles on WHOIS. If there are proxy and/or privacy domain name registrations, the following is recommended concerning their use:

a. Registrars are to accept proxy/privacy registrations only from ICANN accredited Proxy Registration Services; [13]

b. Registrants using privacy/proxy registration services will have authentic WHOIS information immediately published by the Registrar when the registrant is found to be violating terms of service, including but not limited to the use of false data, fraudulent use, spamming and/or criminal activity.

2) To RAA paragraph 5.3.2.1, language should be added to the effect “or knowingly and/or through gross negligence permit criminal activity in the registration of domain names or provision of domain name WHOIS information...”

3) All Accredited Registrars must submit to ICANN accurate and verifiable contact details of their main operational and physical office location, including country, phone number (with international prefix), street address, city, and region, to be publicly disclosed in the ICANN web directory. The address must also be posted clearly on the Registrar's main website. Post Office boxes, incorporation addresses, mail-drop, and mail-forwarding locations will not be acceptable. In addition, the Registrar must submit the URL and location of its Port 43 WHOIS server.

4) Registrars must publicly display the name of the CEO, President, and/or other responsible officer(s).

5) Registrars with multiple accreditations must disclose and publicly display on their website parent ownership or corporate relationship, i.e., identify controlling interests.

6) Registrar must notify ICANN immediately of the following and concurrently update Registrar website:

a. any and all changes to a Registrar’s location;

b. changes to presiding officer(s);

c. bankruptcy filing;

d. change of ownership;

e. criminal convictions;

f. legal/civil actions.

7) The Registrar should be a legal entity within the country of operation, and should provide ICANN with official certification of business registration or license.

8) Resellers must be held completely accountable to ALL provisions of the RAA. Registrars must contractually obligate all their Resellers to comply with and enforce all RAA provisions. The Registrar will be held directly liable for any breach of the RAA a Reseller commits which the Registrar does not remediate immediately. All Registrar resellers and third-party beneficiaries should be listed and reported to ICANN, which shall maintain accurate and updated records.

9) Registrars and all associated third-party beneficiaries to Registrars are required to collect and securely maintain the following data.[14]

(i) Source IP address

(ii) HTTP Request Headers:
(a) From
(b) Accept
(c) Accept-Encoding
(d) Accept-Language
(e) User-Agent
(f) Referrer
(g) Authorization
(h) Charge-To
(i) If-Modified-Since

(iii) Collect and store the following data from registrants:
(a) First Name
(b) Last Name
(c) E-mail Address
(d) Alternate E-mail Address
(e) Company Name
(f) Position
(g) Address 1
(h) Address 2
(i) City
(j) Country
(k) State
(l) Enter State
(m) Zip
(n) Phone Number
(o) Additional Phone
(p) Fax
(q) Alternative Contact First Name
(r) Alternative Contact Last Name
(s) Alternative Contact E-mail
(t) Alternative Contact Phone

(iv) Collect data on all additional add-on services purchased during the registration process.

(v) All financial transactions, including, but not limited to, credit card and payment information.

10) Each registrar is required to validate the following data upon receipt from a registrant:[15]

(1) Technical Data
(a) IP addresses used to register domain names.
(b) E-mail Address
(i) Verify that registration e-mail address(es) are valid.

(2) Billing Data
(a) Validate billing data based on the payment card industry (PCI) standards, at a minimum the latest version of the PCI Data Security Standard (DSS).

(3) Contact Data
(a) Validate that data is being provided by a human by using some anti-automatic form submission technology (such as dynamic imaging) to ensure registrations are done by humans.
(b) Validate current address WHOIS data and correlate with in-house fraudulent data for domain contact information and the registrant's IP address.

(4) Phone Numbers
(i) Confirm that point of contact phone numbers are valid using an automated system.
(ii) Cross-validate the phone number area code with the provided address and credit card billing address.

11) Registrar must provide abuse contact information, including the SSAC SAC 038 recommendations below:[16]

• Registrars must prominently publish abuse contact information on their website and in WHOIS.

1. The registrar identified in the sponsoring registrar field of a Whois entry should have an abuse contact listed prominently on its web page. To assist the community in locating this page, registrars should use a uniform naming convention to facilitate (automated and rapid) discovery of this page, i.e., http://www../abuse.html.

2. Registrars should provide ICANN with their abuse contact information and ICANN should publish this information at http://www.internic.net/regist.html

• The information a registrar publishes for the abuse point of contact should be consistent with contact details currently proposed as an amendment to Section 3.16 of the RAA. Each contact method (telephone, email, postal address) should reach an individual at the Registrar who will be able to promptly and competently attend to an abuse claim; for example, no contact should intentionally reject postal or email submissions.

• Registrars should provide complainants with a well-defined, auditable way to track abuse complaints (e.g., a ticketing or similar tracking system).

12) ICANN should require Registrars to have a Service Level Agreement for their Port 43 servers.

II. Proposed ICANN Due Diligence on current and new gTLD Registrars and Registries

a. ICANN to conduct enhanced due diligence on all Registrars and Registries (including but not limited to owners, officers, board of directors) ICANN accredits, or has accredited, to include, but not limited to:

• criminal checks;
• credit checks;
• financial history and solvency;
• corporate/company structure and ownership. For example: Dun & Bradstreet, LexisNexis, Clear, World-Check, etc.

b. Such due diligence shall be documented by ICANN, in detail, in a written Report that can be provided upon request to appropriate auditors.

c. ICANN should provide complainants with a well-defined and auditable way to track complaints against Registrars and Registries.
i. ICANN should publish annual detailed reports of reported complaints.

d. ICANN should conduct WHOIS compliance audits, at least once a year, and publish results on:
i. Port 43
ii. WHOIS accuracy

[13] ICANN to implement an accreditation system for Proxy Services using the same stringent checks and assurances as provided in these points, to ensure that all proxy services used are traceable and can supply correct details of the registrant to relevant authorities.
[14] Anti-Phishing Working Group (APWG), “Anti-Phishing Best Practices Recommendations for Registrars.”
[15] Anti-Phishing Working Group (APWG), “Anti-Phishing Best Practices Recommendations for Registrars.”
[16] ICANN SSAC SAC 038: Registrar Abuse Point of Contact, 25 February 2009.

Citation

Internet Corporation for Assigned Names & Numbers. (2010). Law Enforcement Recommendations for Registrar Accreditation Agreement Amendments and ICANN Due Diligence. Final Report on Proposals for Improvements to the Registrar Accreditation Agreement, October 18, 2010: Annex G, Communications Received Regarding the Law Enforcement RAA Proposals, pp. 130-139. Retrieved from https://gnso.icann.org/en/issues/raa/raa-improvements-proposal-final-report-18oct10-en.pdf
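Item 10 of the law enforcement proposals reproduced above states the validation regime only as requirements: e-mail addresses must be "valid", registrations must come from humans, phone numbers must be confirmed and cross-validated against the contact and billing addresses, and the registering IP address must be checked. The Python below is an added example written for this page; it is not code from the proposal, from ICANN, or from any registrar. It implements those checks offline over constructed sample registrations. Assumptions: CALLING_CODE is a small hand-written ISO 3166-1 to E.164 subset, the Registration record and its field names are invented for the example, the e-mail check is syntactic only (no MX lookup), the phone check is structural (no telephony query), the PCI billing check is out of scope, and only IPv4 source addresses are handled.

```python
"""Registrant-data validation checks modelled on item 10 of the law enforcement
RAA proposals.  Added example for this page; not code from the proposal, ICANN
or any registrar.  Runs offline: syntactic e-mail check (no MX lookup),
structural phone check (no telephony query), no PCI processing; the
country/calling-code table and the sample registrations are constructed here."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed: a small ISO 3166-1 alpha-2 -> ITU-T E.164 calling-code table.  A real
# deployment would load the full table; this subset is enough for the checks below.
CALLING_CODE = {"US": "1", "CA": "1", "GB": "44", "DE": "49", "NL": "31", "AU": "61"}

# Syntactic e-mail check: local part, '@', one or more dotted labels, alphabetic TLD.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")

# Source ranges a registrant cannot genuinely arrive from over the public Internet.
# RFC 5737 documentation ranges are deliberately omitted so the samples can use them.
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass
class Registration:
    email: str
    phone: str             # expected in E.164 form, e.g. "+14155550100"
    country: str           # ISO 3166-1 alpha-2 from the contact address
    billing_country: str   # ISO 3166-1 alpha-2 from the payment-card billing address
    source_ip: str         # address the registration request arrived from
    captcha_passed: bool   # result of the anti-automation challenge (item 10(3)(a))


def dialing_code(phone: str) -> Optional[str]:
    """Return the E.164 calling code at the front of ``phone``, or None if the
    number is not well formed.  Longest known prefix wins; E.164 codes are
    prefix-free, so a 2-digit match cannot also be a valid 1-digit one."""
    digits = re.sub(r"\D", "", phone)
    if not phone.startswith("+") or not 7 <= len(digits) <= 15:
        return None
    known = set(CALLING_CODE.values())
    for n in (3, 2, 1):
        if digits[:n] in known:
            return digits[:n]
    return None


def source_ip_public(ip_str: str) -> bool:
    """True if ``ip_str`` parses as an IPv4 address outside the non-public ranges."""
    try:
        ip = ipaddress.IPv4Address(ip_str)
    except ValueError:
        return False
    return not any(ip in net for net in NON_PUBLIC_V4)


def validate(reg: Registration) -> List[str]:
    """Run the item-10 style checks and return a list of findings (empty = clean).
    Every finding is recorded rather than stopping at the first, so a reviewer
    sees the whole picture for a suspicious registration."""
    findings: List[str] = []
    if not reg.captcha_passed:
        findings.append("contact: anti-automation challenge not passed")
    if not EMAIL_RE.match(reg.email):
        findings.append(f"email: syntactically invalid {reg.email!r}")
    code = dialing_code(reg.phone)
    if code is None:
        findings.append(f"phone: not a well-formed E.164 number {reg.phone!r}")
    else:
        # Item 10(4)(ii): cross-validate the number's country against both addresses.
        for label, cc in (("address", reg.country), ("billing", reg.billing_country)):
            if CALLING_CODE.get(cc) != code:
                findings.append(f"phone: calling code +{code} does not match {label} country {cc}")
    if reg.country != reg.billing_country:  # implied by the same cross-validation
        findings.append(f"address: contact country {reg.country} differs from billing country {reg.billing_country}")
    if not source_ip_public(reg.source_ip):
        findings.append(f"ip: source {reg.source_ip!r} is not a public IPv4 address")
    return findings


# Constructed sample registrations (fictional numbers and addresses, not real registrants).
CLEAN = Registration("jane.doe@example.com", "+14155550100", "US", "US", "203.0.113.5", True)
SUSPECT = Registration("no-at-sign", "+442079460000", "US", "CA", "10.0.0.5", False)

if __name__ == "__main__":
    for name, reg in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, validate(reg) or ["ok"])
```

Running the block prints an empty finding list for the clean record and six findings for the suspect one. A practitioner would treat these findings as signals for manual review, not as automatic grounds for the sanctions item 1(b) attaches to "false data": a registrant with a foreign mobile number, or one reaching the registrar through a corporate proxy, fails the same cross-checks as a fraudulent one.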
