Monday 29th Aug 2016

Online privacy: Big Brother plans from ICANN


Cartoon: ICANN's proposed Accreditation Department (“ICANN Accreditation”, Stasi concept by Patrick Taylor)

Buy a domain and your personal details will be held in a giant database by a controversial nonprofit in California. And this comes at the same time that the world of domains is being hugely expanded. The Internet itself works, and has always worked, because it is decentralised. The only component that isn’t – ICANN – naturally enough thinks everything should be centralised and given to it. But the problems are obvious and huge.

In June 2014, a year after Edward Snowden’s revelations of mass surveillance, a group of experts proposed to fix ICANN’s WHOIS policy by centralising all the data in a single, über-database. It is a measure of how insular the world of ICANN has become, that this grim anniversary was marked with so little sense of irony.

The limitations of consent-based online privacy models

This week, the New Yorker’s article on the Right to be Forgotten quotes from Oxford Professor Viktor Mayer-Schönberger, and his prescient book “Delete: the Virtue of Forgetting in the Digital Age”, to describe how big, centralised, accurate databases can be repurposed in sinister ways.  This is not simply a theoretical risk. 70 years before the NSA and Snowden, the Dutch government set up a registry, which sounds a little bit like the WHOIS – quite bland, just a list of names and addresses, and religion of every citizen. When the Nazis invaded, they used it to track down Jews and Gypsies.

“the burden for managing online privacy falls heavily on the consumer, who is usually unable to understand legalese privacy policies” 

The EWG shows unswerving faith in “purpose based contacts” to guarantee online privacy.  This reflects privacy law’s reliance on the data subject’s prior consent for data processing, for legitimate purposes.  The trouble is, the concept doesn’t work in practice. Consumers don’t understand legalese privacy policies, and have no alternative but to click “I accept” and trade their internet privacy in return for services.

The Dutch example shows how innocent data repositories can be repurposed in ways that no one foresaw.  Never more so than now, in the era of big data.  How do you get a blanket, upfront consent from someone, if no one knows how the data will be processed in the future?

WHOIS Review, smoke and mirrors

The WHOIS is a decentralised directory giving contact details and technical information about every single registered domain name.  So, when you register a domain name, your name, address, phone, fax and email address are published to the world at large.

Ever since ICANN has existed, WHOIS policy has been a thorny issue, pitting online privacy advocates against law enforcement – with industry caught in the middle.

The US Government requires, as part of the Affirmation of Commitments, that ICANN review the effectiveness of WHOIS policy and enforcement.  The first such review, which I chaired from 2010 to 2012, delivered consensus recommendations on WHOIS for the first time in ICANN’s history.  The WHOIS Review Team’s final report recommendations were practical, reasonable and implementable.  The basic thrust was – the policy is OK, but ICANN should do better in compliance.

Wrong answer.

In 2012, ICANN’s leadership decided that it couldn’t possibly know how to implement the WHOIS Review Team’s recommendations without first understanding what the purpose of WHOIS is.  It controversially appointed a group of experts to determine these questions from scratch, with a blank canvas.  The result is the “Expert Working Group Final Report on Registration Directory Services”, or EWG for short.

How will the EWG boost online privacy?

The EWG proposes that:

  • WHOIS data will be held in a single, centralised database.
  • Online privacy will be guaranteed by gating the data, so that it is accessible only to accredited users.
  • Accredited users will have to state the purpose for which they require access to data.
  • WHOIS data will be validated by third party Validators.
  • The centralised database will provide historic and reverse searching for all records.

“WHOIS data will be held in a single, centralised database”

Online privacy: what the EWG did well

The EWG report advances the debate on WHOIS, echoing findings of the WHOIS Review Team.  For example:

  • Recognition that privacy and proxy services should be accredited, with minimum standards for relay, reveal and contact details.
  • Recognition that individuals and some organisations have legitimate expectations of online privacy and legitimate reasons to hide their details from the public directory (eg, suppression of religious or ethnic minorities, freedom of expression etc).

It provides a thorough (if over-complex) analysis of the different purposes for which various stakeholders need to access registration data.  It also explores concepts of accountability for access to registration data, and of the registrant giving permission for processing of personal data for stated purposes.  How these could be enforced, though, is less clear.

…and now, the bad news

The report is lengthy, confusing, fussily over-detailed, turgid and boring beyond belief. Few people will read it.

The EWG report seems to drop from the skies, without reference to previous work or studies.  The WHOIS Review Team report recommendations are not referenced or acknowledged.  Evidence-based research (such as NPL’s study on privacy and proxy abuse) is not referenced.  It may have informed EWG thinking.  We just don’t know. What is the point of spending time and money on studying WHOIS and online privacy – or any other complex policy issue – if each study is done in isolation, without building on what went before?

The EWG report gives rise to numerous online privacy concerns, but none more so than the proposed centralised database.

“The EWG report gives rise to numerous online privacy concerns, but none more so than the proposed centralised database”

Currently, WHOIS data is distributed across hundreds of databases.  The WHOIS Review Team Final Report explains:

“At the outset, there was deep concern that registrar competition could not flourish if Network Solutions, still in the registry and registrar businesses, held a full set of customer data of all gTLD registrants. ICANN agreed and .COM became a “Thin Registry,” holding only limited data about a domain name, and providing a link to the Registrar’s database when someone seeks WHOIS data.”

The Thin WHOIS model does cause problems in practice: it’s difficult for newcomers to understand where to find key information, and data quality is poor.  To re-centralise the data seems an attractive option in terms of data quality, and ease of use.  But, leaving aside the competition issues that drove the original decentralisation, in the wake of Snowden’s revelations, shouldn’t we be asking – do the benefits outweigh the risks?

Despite all its detail, the report omits discussion of two key areas: the online privacy implications of reverse look ups and analysis of the EWG’s risk survey results.

Historic and reverse searching is disproportionate

The EWG mandates historic and reverse WHOIS searches as standard.  Reverse searching tells you what other domain names a particular registrant holds, and can provide compelling evidence of a pattern of cybersquatting.  Historic searching shows how ownership of a domain has changed over time.  At the moment, there are a few commercial services that provide historic and reverse searching capacity, but such services are likely to raise legal issues in jurisdictions with strong privacy protections (eg the sort of jurisdiction where the EWG envisions this huge database to be housed).

There can be legitimate reasons for compromising an individual’s online privacy, if it’s proportionate and necessary.  These proposals are disproportionate – even EWG’s own expert (IBM) reckons historic and reverse searches will only comprise 1% of total lookups.  The majority of registrants don’t cause problems to anyone – so why should their data also be kept forever, on the off-chance that it might one day be relevant in an investigation?

In recent years, the European courts have become more sensitised to intrusions on fundamental rights including online privacy.  In 2011, the European Court of Justice observed that intellectual property rights were not absolute, and must be balanced with other fundamental rights, such as protection of personal data.  Where an obligation requires monitoring of all customers, for an unlimited period, it is likely to be unlawful.

The Expert Working Group contained privacy specialists, and one registrar who has been a vocal critic of ICANN’s data retention requirements. Yet, the EWG report has almost no discussion of the online privacy risks of requiring retention of all historic WHOIS data, on everyone, everywhere.  This is an extraordinary omission.  The failure to discuss the implications raises serious questions about the credibility of the report as a whole.

Risk survey reveals concerns over online privacy

Another curious omission from the EWG report is any analysis of a “Risk Survey” that the expert group commissioned.  Launched in March 2014, there were 180 partial, and 100 complete, responses by the EWG publication date.  In ICANN terms, that’s a big response.

Why didn’t the EWG analyse the results?

The Risk Survey is referred to only on a single page of the EWG report (p120), which states “To enable broad community input on this topic, the EWG has decided to leave the RDS Risk Survey open through July 2014.”  Really?

I went through the summary report, and produced some charts (below).  No wonder the EWG didn’t analyse it, because they would not have liked what “the community” was telling them. The survey results were negative across the board, with more people identifying risks than benefits. For example, 104 comments highlighted technical risks (compared with 89 benefits), 102 legal risks (compared with 69 benefits), 87 operational risks (compared with 61 benefits), and 70 security and privacy risks (compared with 55 benefits).

Chart: online privacy and RDS risks (risks versus benefits identified, by category)

In addition, thirty free-text responses detailed “unavoidable risks” of the EWG proposals. 40% cited concerns related to the centralised database, and another 10% cited online privacy risks:

Chart: RDS risk pie (breakdown of the free-text “unavoidable risks” responses)

People said that centralisation of data:

  • “increases exposure to data breaches”
  • “will be a magnet for those wishing to hack databases”
  • “breaks a fundamental tenet of the Internet – devolution of power and control”
  • “creates an unavoidable risk of monopoly”
  • “its very purpose is to expose individual registrants to investigation by foreign agencies”

Responses also cited operational/compliance risks (27%) including bottlenecks, slow accreditation processes, and “ICANN’s dreadful track record in operations and compliance”.

Where now with online privacy and WHOIS?

Back in 2006, a British data protection official warned that we are in danger of “sleep walking into a surveillance society”.  If the Brits are warning you might have a privacy problem, you’re already screwed.

A year on from Snowden, for ICANN experts to propose the creation of a centralised data repository seems strangely out of touch. That the community is not up in arms suggests that few have read the EWG report. Hopefully, ICANN’s policy making process will carefully dissect and evaluate the various aspects of the EWG proposals in the coming months.
