Putting Privacy on the Agenda at ICANN
The Internet’s Domain Name System is a critical piece of Internet infrastructure that underpins the entire global digital economy. The Internet Corporation for Assigned Names and Numbers (ICANN) is the body which manages these ‘names’ and ‘numbers’ that ultimately allow the Internet to operate as one global, interconnected network.
You could say that ICANN is analogous to a private Federal Communications Commission. And the policies that ICANN develops and enforces directly impact our ability to exercise human rights online such as the right to privacy and freedom of expression.
One of the things ICANN manages is the Internet’s Whois service, which is a web-based interface that historically allowed any Internet user to type in a domain name like Mozilla.org and to be immediately returned with the contact details of the domain name registrant. As part of a working group looking at reforming Whois, I have been urging that ICANN move forward with a new set of provisions that explicitly address the deep concerns that political speakers, home-based businesses, bloggers, and individuals have when their home address and telephone number are published to the world.
Something has become clear to me along the way. Privacy, and our understanding of it, is not only wildly misunderstood. It is polarizing along important, but opposing, fundamental principles. Decisions are made on an emotional level and not always a factual one. Privacy becomes conflated with secrecy, with security, with trust. Concerns are raised about it by business, by law enforcement, by civil society — because privacy means different things to different people. The complexity almost becomes an excuse for inaction, which was the case with Whois, which was a problem left unresolved for some two decades. Every stakeholder group had concerns with the status quo — for some, the data set was inaccurate, for others, it was dangerously accurate — but nothing could break the stalemate. Until recently.
What changed? Invariably, we must thank the European Union for the General Data Protection Regulation (GDPR). The GDPR, and the prospect of real enforcement and fines for non-compliance with the law brought about a sudden and dramatic need for change in policy and practice. One lesson I learned here is that fines are very effective at incentivizing change in bureaucratic organizations. ICANN, after all, had a 20-year history of rejecting accepted international conventions in data protection law. Until recently Europe’s Data Protection Authorities had no real power, so ICANN simply ignored their correspondence.
The GDPR sought to address the crisis in trust that had emerged as the Internet grew in social and economic importance. It certainly provided the catalyst for Whois reform to take place. I enjoyed working alongside representatives of Facebook, Godaddy, Microsoft, the US government, and the European Commission, among others, over the past nine months in this small working group to collaboratively and intelligently address shared concerns and anxieties. And, if I dare say so, I think we have done so successfully.
We have now reached consensus on a set of 29 recommendations that, once fully implemented across 150 million domain names, will have fundamentally changed Whois for the better. We changed the mindset from ‘we should collect personal information because third parties want to use that data’ to ‘we should collect only that data which needs to be collected in order to make sure the Domain Name System functions.’ That outcome might sound intuitively obvious at first, but it was far from a certain one and it is a victory that was not effortlessly achieved. We live in a world where too much of our personal information is routinely collected, particularly when our national intelligence apparatus’ want it. And so this is an important victory that as a Mozilla Fellow I am proud to have been a part of, because we are talking here about real issues of personal privacy. Real lives faced real danger because of Whois.
There was always a reason for Whois, or something like it, to exist. Law enforcement, intellectual property attorneys, and others have a legitimate need to be able to identify who is behind a website. But, this registration data never needed to be public. I have been calling for a more balanced ecosystem that simplifies data processing practices and reduces the complexity for individuals, while providing good actors with necessary and proportionate access to this personal information. This balance is important, because domain names are our homes on the Internet — they are ultimately where we express speech, form political movements, and communicate with others. If these concerns seem abstract, they are not. I can not only point to people who have received death threats because they exercised political speech online and were identified through Whois. I know people who have been victims here.
When it comes to online privacy, we always need to think about who has our data. Why is it being used? Where is it being stored? And as individuals, we often are at a distance from where the decisions are being made about how our data is used. It is hard to empower people, because most data processing practices cannot be made accountable, relevant, or interesting to most individuals. That is why I believe that privacy’s biggest institutional failure is its desire to put individuals at the center of decision making. Throughout my work as a Mozilla Fellow I have been challenging the status quo in that regard. I try to work where technology and public policy intersect and do my best to craft public interest-oriented solutions to challenging problems. In doing so, I have argued that individuals are ill-equipped to make decisions about how their personal data is used. I have instead called for data controllers to have a duty of care to safeguard our personal information.
But talk is cheap. My participation in the Whois reform process was one way in which I have sought to drive public policy in a direction which respects human rights, protects privacy, and promotes consumer choice and competition. It was also a unique opportunity for me to highlight some of the problems in how we operationalize online privacy protections — and to provide pragmatic and economical solutions to these problems. While the arc of traditional multilateral policymaking is often long, in the self-regulatory space, of which ICANN falls as a private corporation serving a quasi-governmental function, policies can more often than not be written by those who turn up to the table and take the pen.
That’s what I did, and that’s what I hope more representatives of civil society will do. There is no shortage of opportunities for people with public interest-oriented perspectives to engage in developing policy which ultimately governs key Internet infrastructure, both at ICANN and at other fora. We need more people driven by conviction, and persuaded by evidence, to join in and to call for stronger, privacy-enhancing data processing practices.
