A human rights impact assessment: GAC advises ICANN to keep law enforcement requests for access to domain name registrants’ personal, private data, confidential

Digital Medusa carried out an experimental and quick human rights impact assessment on Government Advisory Committee (GAC) communique to ICANN. Hopefully, this will become something periodic that Noncommercial Stakeholder Group at ICANN can do as well.

GAC communique is the governments’ advice to ICANN. Note that this advice over the years has gained a lot of weight and importance to the point that it might have changed its advisory nature.

In its Cancun communique, GAC advised the ICANN Board:

“i. To direct ICANN org to promptly engage with the PSWG to identify and advance solutions for confidentiality of law enforcement requests so as not to preclude participation by law enforcement requesters when measuring usage of the WHOIS Disclosure System.”
Governmental Advisory Committee/ Cancun, Mexico, 2023
Digital Medusa did a rapid impact assessment, inspired by the Business Social Responsibility BSR Rapid Human Rights Assessment framework.

Rapid human rights impact assessment:

The situation: WHOIS is the directory that includes the domain name registrants private, personal, sensitive data such as phone numbers, physical addresses and email addresses. Domain name owners can set up websites around the world. This database was public and accessible for years until General Data Protection Regulation came into effect which required redaction of data. However, GDPR also had provisions for disclosing the private data to third parties with a legitimate purpose. GDPR is vague on how such disclosure can take place.

Rightsholders: Rightsholders in this situation are domain name registrants, especially those who belong to marginalized and vulnerable communities.

Impacted vulnerable communities: potential impacted communities can be minority groups that discuss sensitive issues on their websites that are unfairly illegal in their countries. For example LGBTQI materials or political speech. These groups include minority religious groups, minority political oppositions and others.

What is the severity of the actual or potential human rights impact?
Prosecution, Surveillance, Unfair arrest, potential imprisonment, illegal house raids, cruel punishments

What are the potential long-term implications of the situation?
Decrease in use of domain names and public websites for exercising fundamental rights
Inaccuracy of the database

Peer companies that are taking action that the company can consult with directly?
Regional Internet Registries that have similar WHOIS databases do not make the requests confidential, they report on which countries asked for the data in their transparency reports (See RIPE NCC)

What can ICANN do to avoid, prevent, or mitigate the actual or potential human rights impacts?
ICANN should not grant law enforcement agencies the option to seek disclosure of data confidentially from the registrars.