Law enforcement agencies and transparency: the ICANN issue

The Internet Corporation for Assigned Names and Numbers (ICANN) has a narrow but important mandate: coordination of policy development for allocation of domain names. Domain names are important. They are people’s port of entry to the Internet . With the rise of social media their importance was likely diminished as the users did not directly have to register and operate their own domain names to have online presence. But still many do. With the increase in domain names as social media handles, they become much more important. 

Policy discussions at ICANN are of importance because they affect a range of technical and fundamental rights issues on the Internet. One of them is privacy. When a user registers a domain name, they give the registrar their sensitive and personal information. Historically, this sensitive data was public and accessible to everyone on the Internet and who could look up in a database called WHOIS. 

This had a lot of privacy implications for domain name registrants and some efforts were made to provide some domain name privacy but the only game changer was the enactment of the General Data Protection Regulation (GDPR). ICANN obliged registrars and registries to change how they handled domain name registrants personal sensitive information.  

However, GDPR also has provisions to give access to data for those with a legitimate purpose. So for years we have been discussing what that should look like, and the interested parties here are: intellectual property rights holders, law enforcement agencies, cybersecurity researchers to name a few. 

After years of debate, we are at a stage that ICANN wants to provide a disclosure system; however, it is very important to note that it is only a triage system. So the interested party requests to have access to a domain name registrant sensitive and private information, ICANN captures the request and passes it on to the respective registrar. 

In order not to abuse the system, the logs on what entity required how much data should be transparently reported on. But one interest group wants confidentiality: the law enforcement agencies that operate at ICANN through the public safety working group at the Government Advisory Committee (GAC). 

In an ICANN meeting in Cancun, GAC advised ICANN Board:

“To direct ICANN org to promptly engage with the PSWG to identify and advance solutions for confidentiality of law enforcement requests so as not to preclude participation by law enforcement requesters when measuring usage of the WHOIS Disclosure System.”

It then provided a rationale: 

“Law enforcement agencies investigations may be compromised if requests for domain registration data are not kept confidential. A lack of functionality in the proposed WHOIS Disclosure System to provide for such confidentiality will almost certainly deter usage of the system by law enforcement agencies which will in turn decrease the amount of data that the pilot program will be able to collect. The GAC highlights that further engagement between ICANN org and the PSWG is necessary to resolve this issue. A satisfactory approach to this concern is also consistent with the Board’s resolution “to encourage comprehensive System usage by data requestors.”

This request and advice can have human rights implications. Not all law enforcement agencies around the globe are legitimate and in some instances they are human rights violators themselves. They also do not follow the vigorous due process provisions that are followed in some other countries. Fortunately in this rare instance sanctions might actually be a good thing and law enforcement agencies located in sanctioned countries might not even have access to this system (which is up for debate). However oppressive regimes and nation states in conflict can actually abuse the system. Imagine if Russian law enforcement agencies continue asking for Ukrainian domain name registrants sensitive, private information. Do we not want to know how the system is being used? 

When talking about these issues at a global level, the dominant viewpoint is that if we cannot stop access to these law enforcement agencies and if we don’t actually have the right tools to do so, at least we can provide some transparency to the process. Transparency in law enforcement requests can show if this system is even used as much as GAC has been claiming all these years by public safety groups and it can also reveal abuse of the system. 

However, the public safety group at ICANN does not even want this simple minimum measure to at least monitor the abuse of the system. In the next blog post, I will analyze the ICANN Board’s response to the GAC advice and will hopefully do a mini-human rights impact assessment of the request for confidentiality.