What happens when ICANN's rules that require domain name registrars to publish domain owners' personal data in a public database conflict with the data protection laws in countries where those registrars operate?
This question has come up at ICANN's 54th quarterly public meeting in Dublin, which EFF is attending this week. Although much of the meeting is looking forward to future accountability and oversight mechanisms for ICANN, our attention is focused on the here and now, pointing out the impacts of current ICANN policies and proposals on the privacy and free speech rights of ordinary Internet users. This means speaking out against law enforcement and trademark interests who aim to use the domain name system for tracking and censorship—all while sacrificing user privacy. We'll be reporting back throughout the week as we do just that.
EFF's return to ICANN this year was prompted by one such proposal that would have gutted the ability for users to register domain names using a proxy registration service to keep their personal contact details private. Our concerns, echoed by thousands of others including a powerful coalition of public figures and experts, became ICANN's largest ever public consultation [PDF]. We'll be reiterating those views at a face-to-face meeting of ICANN's Privacy & Proxy Services Accreditation Issues PDP Working Group on Wednesday.
But there's a bigger story behind that particular proposal. The only reason why users even need to shelter behind a proxy registration service to protect the privacy of their personal data is that ICANN's policies requiring that data to be published in a publicly-available WHOIS database are woefully out of step with global best practices in personal data protection—and with the associated laws of many countries.
Another public consultation that is open until November 17 illustrates vividly the incoherence of ICANN's current policies on domain privacy in this context. The particular policy that is under review is on WHOIS Conflicts with Privacy Laws, and the policy essentially provides that ICANN may “allow” a registry or registrar whose obligations to publish WHOIS data are in breach of locally applicable data protection law, to be exempted from those obligations—but only once the local data protection authorities have initiated enforcement proceedings against it!
The working group reviewing this policy has suggested that this procedure, which actively encourages parties to breach data protection law (and which has never been invoked), is too narrow. They propose that ICANN should also be able to suspend a contracted party's WHOIS obligations if they can obtain written advice from the government that their WHOIS obligations are in contravention of local law (as if governments would ever do such a thing!). A minority view suggests that obtaining an opinion from a leading local law firm should also be sufficient, or perhaps that ICANN could launch an investigation and public enquiry into the merits of suspending the party's WHOIS obligations.
But even the minority view misconceives how completely backward ICANN's expectations are. It shouldn't be up to registries or registrars to prove their entitlement to comply with their own locally applicable data protection law. Rather, it should be for ICANN to enforce its WHOIS obligations only if it can prove that those obligations are not in contravention of its contracted parties' data protection obligations. In other words, as we point out in our submission to the consultation, sent this week, the policy:
should simply affirm that contracted parties may, in good faith, self-assess their own obligations under applicable local law, and forbear from executing contractual provisions that are in breach of those obligations. … ICANN could [then] obtain a legal opinion as a precondition of taking any enforcement action against a contracted party alleged to be in non-compliance with its contractual requirements for reasons unconnected with local law.
ICANN's policy on WHOIS Conflicts with Law doesn't need to be amended; it needs to be thrown out and rewritten from scratch. But that is not enough, because even if the policy were rewritten as we suggest, that would only protect users in countries that already have enforceable data protection laws, leaving others (including Americans) out in the cold. Rather, ICANN also needs to accelerate the complete review of its WHOIS system, to bring it into line with internationally accepted data protection standards.
Keep reading Deeplinks throughout the week for more reports on how your privacy and free speech rights are on the line at ICANN, and what you can do to help preserve them.