They both got it wrong

Child abuse images, Privacy, Regulation, Self-regulation, Uncategorized 9 Minutes

Post-GDPR the principal focus of recent discussions between ICANN and the European Data Protection Board (EDPB) has been on how entities that previously had access to WHOIS, and used it a lot, will be able to do so in the future.  ICANN has issued what it calls a  “temporary specification” reflecting its self-interested reading of the law.

Under the temporary specification some parties may, in fact,  no longer be able to access WHOIS at all or will only be able to do so after a lot of potentially time consuming and possibly expensive faff and faddle.

ICANN is also proposing that a system of “layered access” is put together to allow certain designated and accredited interests e.g. law enforcement, to retrieve data they think they need for their investigations. Good luck with that.  I wonder how many law enforcement bodies there are in the world? These days we usually replace complex systems with simpler ones. Here ICANN is proposing the exact opposite. I doubt it will work.

These discussions about access rights are clearly important and I will return to them, but first I want to argue that just as much attention needs to be given to ensuring WHOIS is accurate.  “Accurate” includes being up to date!

In the beginning….

From the very beginning of the internet its developers and “the community” had agreed that all the registrations of what would become known as web sites or domains had to contain the name, address and contact details of the individual or entity who owned or was responsible for the management of the site or service. These details had to be accessible to every internet user.

Largely this was to ensure if any problems arose it would be easy for other people on the network speedily to alert whoever needed to take action to put things right.  Clearly it was therefore important that this information was accurate and ICANN’s contracts with Registrars and Registries always had an accuracy requirement built in.

The aforementioned bits of contact data had to be entered in a prescribed form in a database we now know as “WHOIS”. As late as 2009 ICANN gave an ostensibly solemn undertaking confirming it accepted WHOIS should continue to run on the original lines. The fact that WHOIS had by then long since ceased to be accurate was conveniently overlooked but nevertheless the principle was retained as an objective. Solemnly.

The decline in accuracy

If there is one thing privacy law has always been clear about it is about the importance of stored personal data being accurate. However, the last time anybody looked, in 2012, only 23% of all WHOIS entries were fully accurate and maintained in the way they were supposed to be. In other words accuracy was the exception rather than the rule.

Law enforcement and rights holders say that access even to an inaccurate WHOIS can often provide valuable investigative leads, which is why they are keen not to lose what they previously had. My point is if WHOIS was accurate there would likely be less need to investigate anything or such investigations as might still be needed would probably be a lot easier, quicker and cheaper to complete.

Getting back to or creating an accurate WHOIS may now seem like a gargantuan challenge, but that is no reason to give up on it. Domain names are too cheap anyway. Some are being given away free. Hats off to the genius who allowed that to happen.

If prices have to rise by a few dollars to cover the cost of the extra checking involved, to confirm that the ownership and management information rendered to Registries and Registrars is accurate, the internet will not collapse. Innovation will not come to an end. Yes it would probably hit sales or renewals of domains. Some CEOs of Registries and  Registrars may need to postpone the purchase of their second yachts, but that is not a calamity. ICANN could still continue in all its pomp but the world would benefit hugely because there would almost certainly be a lot less online crime. Read on.

So what’s the issue with access rights?

The first internet domain was registered in 1985.  By the end of 1994 there was a grand total of 2,700.  They were slow to catch on at first.  Apparently, there are nearly two billion today, since you asked.

In October 1995 the EU adopted the first Data Privacy Directive.  It was a response to the growth in the automated processing of personal data linked to the arrival of large, commercial computer systems. Here there was rarely any doubt about where or how data had originated and who managed it.

In the early to mid-1990s, as the Directive was being prepared and passed, the internet in general and domains/web sites in particular barely existed in the public consciousness or in the consciousness of the European policy making class. They did not feature in any of the discussions which led up to the adoption of the Directive. It would be another year before Nominet, the UK ‘s ccTLD Registry, was established and three years before ICANN was founded following the death of Jon Postel.

Looks like things started going wrong around 2002/3

The 1995 EU Directive prompted the UK Parliament to adopt our Data Protection Act, 1998, more or less as it came out of Brussels. We were well behaved in those days.

Nominet had a think about the Act’s meaning and impact on their business. Similar discussions were taking place among other EU-based ccTLDs.

It appears that, internally, Nominet’s geeks wanted to comply fully with what they believed were the extant WHOIS conventions, namely to display the name, street address, email address, telephone and fax numbers of every .UK registrant, businesses and natural persons alike, plus those of their first cousins and next door neighbours.

Against that and about the same time a number of .UK registrants had started complaining to Nominet about the amount of unsolicited items they were receiving,  as spam and snail mail, some of which, they suspected, had been generated by scam artists who had been raiding WHOIS. The same people also complained to the ICO who came sniffing around in 2002/3.

Cursed by the narrow myopia of the specialist and perhaps feeling hemmed in by the context-free letter of the law, the ICO advised Nominet to modify its position, so it did. In this way WHOIS was fatally diluted,“blown over by a side wind” as English lawyers like to say. A new version of WHOIS emerged because of a legal accident.

I gather that, elsewhere and earlier, there had been some marginal experiments at concealing WHOIS data. These were now given a major boost, seemingly backed or mandated by law rather than mere profit-seeking whimsy.

On the face of it, it is hard to argue that information about someone’s name, address and email are not “personal data” but the public interest in preserving WHOIS  as an accurate and accessible database should have been accorded a great deal more weight. I am reminded of the excesses of “health and safety” zealots who take imaginative leaps on the most slender of pretexts, sometimes to disguise an undeclared motive.

True enough,  spam  and unsolicited snail mail were a pain particularly then for private individuals but, at least in respect of the online component, today almost every hosting package and email service, both personal and corporate, includes increasingly sophisticated anti-spamming tools. Thus, avoiding spam alone cannot have been, or should not have been, a sufficient justification for the radical, long term, wide ranging step Nominet, the ICO  and their confrères ushered in. It was completely disproportionate.

Nowadays, with so many alternative ways of publishing that do not need an individual to own or manage a domain, there is even  less justification for allowing the current state of inaccurate play to continue. I have never been wholly convinced there is a significant free speech element attaching to the “right” to hide your contact details but accepting there could be a small or residual one I would not be against the idea of allowing certain classes of sites to shield their contact information, at any rate from unrestricted public view. How such a system would be managed could be tricky but not impossible.

The fundamental point, surely, is that if you choose to establish a web site, you are stepping into a public space and certain things unavoidably follow, a fortiori where it is known that hiding contact details is likely to harm the public interest.

A Cambridge study

In his ground-breaking study published in 2014 Cambridge Computer Scientist Richard Clayton showed, inter alia, even among registrants that went to the trouble of using privacy and proxy services (as opposed to just lying directly to the Registrar)

“A significant percentage of the domain names used to conduct illegal or harmful Internet activities are registered via privacy or proxy services to obscure the perpetrator’s identity.”

Clayton commented that even the identity and contact data given over to the privacy and proxy services were often inaccurate anyway. He also says it is usually possible to curtail unlawful behaviour on web sites without having to contact the web site owner or manager and who am I to argue with that? But equally there can be little doubt that verifying the accuracy of the contact data in the first place would reduce the volume of bad behaviour thus obviating the need to get in touch with anyone  at all.

An unexpected gift from the gods

So not only did  WHOIS accuracy appear not to matter any more  – ICANN was doing nothing to enforce its rules – now you didn’t even have to publish some of the data.

Here was an unexpected gift from the gods. By establishing privacy and proxy services Registries and Registrars could, for the first time, turn WHOIS into a revenue stream. Instead of it being a dead weight, costing them money and causing them grief to maintain,  now they could make some cash out of it.  The skids were under WHOIS. Big time.

ICANN, the Registries and Registrars created this scandalous state of affairs. Would it be corrected when the GDPR came along?

And so to the GDPR

In 2012, when the GDPR began its less than stately, extended progress through the European institutions nobody thought to raise or even mention WHOIS and the way Registries, Registrars and ICANN were by then behaving in relation to it.

Nowhere in the initial draft GDPR or in any of its later iterations, including the adopted final legal text,  do the words or acronyms  “ICANN”, “WHOIS”, “Registry”, “Registrar” or “registrant” appear. At no point in any  of the Committees of the European Parliament, or in any of the plenary sessions that were held in Brussels or Strasbourg to discuss the GDPR do any of those words  or acronyms appear. This is because they were never discussed. Never.

Neither  did any of those words pass the lips of anyone who attended any meetings of the Council of Ministers or the Trialogue (I asked people who were in the room). Zip. Nada. Niente. Wala. Nolla.  When the GDPR was adopted by the UK Parliament the story was repeated and I believe the same is true in every Parliament in all 28 Member States.

Where was law enforcement and where were the rights holders when all this was going on? Why weren’t they laying down in the roads outside the Berlaymont building? Where was the vast army of privacy and administrative lawyers? Why did they fail to ensure that, in reaching a decision, all relevant factors were being taken into account by those charged with the responsibility of making the law?

A question

If the ownership and contact details of everyone who owned or controlled a web site had been robustly verified and kept up to date in a database that was open to public inspection, how many web sites do you think there would be that engaged in (a) the distribution of child sex abuse materials, (b) the sale of fake pharmaceuticals or (c) you get the point?

Do you think the answer would be (a) about the same as now, (b) a great many more than now or (c) a lot closer to zero? I’m going to give you a clue. The answer is very unlikely to be (a) or (b).

Is it possible that if European Parliamentarians, national Governments or national Parliaments had had the matter put squarely before them they might have said they were happy with the new status quo? I don’t think so.

Was any publicly accountable policy maker asked to weigh in the balance preserving what was now being assumed to be the  status quo against the reality of what secrecy and inaccuracy had produced? No they were not. Policy makers could have said

“Enough already. For the avoidance of doubt we choose to insist that in future in the public interest openness and accuracy are required by law.”

Or they could have said

We are fully aware of how the privacy laws are being interpreted and acted upon by ICANN, the Registries and Registrars and we are entirely content with the  status quo.”

I’m guessing they would have opted for the first one but they didn’t do either because they were never given the chance. Shame on those officials who allowed that to happen.

We have been badly let down

Here is my summary: EU privacy interests,  which in this instance includes Commission staff, Article 29 and all its successors and associates, have seriously failed EU citizens and Member State Governments.

I acknowledge that the GDPR was an enormous and extremely complex legislative instrument, but that hardly excuses what happened. And once the deed was done ICANN and its cronies – Registrars and gTLD Registries – jumped in and did what they always do. They exploited the situation to their financial advantage with the public interest being relegated to second or third place. In this they have erred in law.

So both sets of key players got it wrong.

We must be able to do better than this.

Published by John Carr

John Carr is one of the world's leading authorities on children's and young people's use of digital technologies. He is Senior Technical Adviser to Bangkok-based global NGO ECPAT International and is Secretary of the UK's Children's Charities' Coalition on Internet Safety. John is now or has formerly been an Adviser to the Council of Europe, the UN (ITU), UNODC, the EU and UNICEF. John has advised many of the world's largest technology companies on online child safety. John's skill as a writer has also been widely recognised. http://johncarrcv.blogspot.com

Published