ICANN Threatens Civil Rights of Website Owners: Intellectual Property Interests Govern Use of Personal Information

[It] protects unpopular individuals from retaliation – and their ideas from suppression – a the hand of an intolerant society.” Id.

In Watchtower Bible & Tract Society of New York, Inc. v. Village of Stratton, 122 S. Ct. 2080, 2090 (2002), the US Supreme Court ruled that a municipal ordinance requiring pamphleteers to disclose names implicates “anonymity interests” rooted in the First Amendment’s freedom of expression guarantees. The US Supreme Court also struck down a law requiring citizens to wear identification badges because it violated citizens’ First Amendment right to anonymity. (Buckley v. Am. Constitutional Law Foun., Inc., 525 U.S. 182 (1992).

Lower federal courts have specifically extended the right to publish anonymously to the Internet, ruling that “the constitutional rights of Internet users, including the right to speak anonymously, must be carefully safeguarded,” (Doe v. 2TheMart.com, Inc., 140 F. Supp.2d at 1097). The First Amendment right communicate anonymously over the Internet was also upheld in ACLU v. Johnson, 4 F. Supp.2d 1029, 1033 (D.N.M. 1998), aff’d, 194 F.3d 1149 (10^th Cir. 1999) and in ACLU of Georgia v. Miller, 977 F. Supp. 1228, 1230 (N.D. Ga 1997), which additionally recognized the constitutional right to communicate pseudonymously on the Internet.

Canadian courts have likewise extended the right to speak anonymously to the Internet.

“Some degree of privacy or confidentiality with respect to the identity of the Internet protocol address of the originator of message has significant safety value and is in keeping with what should be perceived as being good public policy.” Wilkins J. in Irwin Toy v. Doe (2000), 12 C.P.C. (5^th) 103 (Ont. S.C.J.)

ICANN’s policies require full disclosure of a domain name registrant’s personal contact information and do not allow people to anonymously register a domain name, even though there are numerous legitimate reasons why a person would need to keep their identity confidential. Human rights workers, religious minorities, political dissidents and other unpopular or controversial speakers risk persecution, even death, for publishing their views and opinions, and have legitimate reasons for maintaining their anonymity.

By preventing anonymous website ownership and publication, ICANN’s policies have the harmful widespread societal effect of preventing Internet publishers’ freedom of expression rights. As explained by US Supreme Court Justice Hugo Black in 1960, “there can be no doubt that such an identification requirement would tend to restrict freedom to distribute information and thereby freedom of expression.” Talley v. California 362 U.S. 60, 64 (1960). ICANN should amend its Whois database policies to permit the anonymous registration of an Internet domain name in order to ensure the historical tradition of the right to anonymous publishing continues into cyberspace.

2. Right to Freedom of Association Jeopardized

Closely related to an individual’s right to freedom of expression and anonymity, is the fundamental right to freedom of association. The right to freedom of association forbids the forced disclosure of an individual’s affiliation with advocacy groups.

Citizens of most countries are guaranteed freedom of association rights in their national constitutions or other instruments. Additionally, a fundamental right to freedom of association is guaranteed in most international treaties and agreements that deal with civil rights. For example, Article 20 of the Universal Declaration of Human Rights proclaims that everyone has the right to freedom of association.

Similar guarantees of freedom to associate are contained in Article 21 of the International Covenant on Civil and Political Rights; Article 12 of the European Union Charter on Fundamental Rights; Article 11 of the European Convention for Protection of Human Rights and Fundamental Freedoms.

In NAACP v. Alabama 357 U.S. 449, 462 (1958) the US Supreme Court noted that revealing the names and addresses of NAACP members could have resulted in beatings and lynchings in 1958. The Court ruled that, “compelled disclosure of affiliation with groups engaged in advocacy may constitute [an] effective restraint on freedom of association.”

Because ICANN does not allow for the anonymous registration of a website, registrants are forced to disclose their affiliation with a controversial domain name that engages in advocacy. An anonymous person is simply not permitted to register an Internet domain name, forcing public disclosure and preventing the exercise of freedom of association rights. Under ICANN’s policies, a human rights worker in China cannot register a website without the Chinese government having access to this information, including the activist’s home address and telephone number.

Without freedom of expression and association rights in cyberspace, Internet citizens have less protection to engage in political speech online than they have traditionally enjoyed, causing the quality of debate to suffer. As a quasi-governmental organization undertaking key Internet governance roles, ICANN should abide by international and national legal principles. It should change its Whois database polices to respect freedom of association rights by permitting anonymous domain name registrations. ICANN continues to call its own legitimacy to govern into question by imposing polices that no government would be permitted to get away with.

B. Individual Privacy Rights Disregarded

ICANN’s Whois database policies disregard a vast array of well-established legal protections for an individual’s right to privacy. International agreements such as Article 7 of the European Union Charter on Fundamental Rights and Article 8 of the European Convention for Protection of Human Rights and Fundamental Freedoms guarantee that, “Everyone has the right to respect for his private and family life, his home and his correspondence.”

By forcing the disclosure and publication of every website owner’s name, home address, home telephone number and email address, ICANN intrudes upon the privacy rights of Internet users around the world with its Whois database policy decisions. ICANN should respect the privacy rights of individuals and change its policies to provide for optional disclosure and to prohibit any use of the information without the subject’s explicit consent.

C. Personal Data Privacy Protection Laws Violated

1. European Laws

ICANN’s policies for the collection and management of website owners’ personal information also violate a number of international laws designed to protect the privacy of personal data. For example, Article 8 of the EU Charter on Fundamental Rights guarantees Europeans with the right to the protection of personal data concerning him or her. It only permits the use of personal information that was obtained with the consent of the subject or by law, and only for the specified purposes consented to. Article 8 of the European Convention on Privacy provides consumers with similar data privacy protections

Important privacy protections guaranteed to European Union citizens from a 1995 and 2002 EU Data Protection Directive are also infringed by ICANN’s policies over the Whois database of personal information. Article 12.2 of EU Directive 2002/58/EC makes it illegal to publish personal information on subscribers of directories (such as ICANN’s Whois database) without the subscriber’s consent. It also guarantees EU citizens with an opportunity to verify, correct, or withdraw the personal data free of charge. ICANN forces its Registrars and Registries to violate this EU directive when it compels the publication of European website owners’ personal information in the Whois database.

According to the Article 29 Working Group’s “Opinion 2/2003 on the Application of the Data Protection Principles to the WHOIS Directories” published on 13 June 2003 by the independent EU Advisory Body on Data Protection and Privacy:

“In the case where an individual registers a domain name, … while it is clear that the identity and contact information should be known to his/her service provider, there is no legal ground justifying the mandatory publication of personal data referring to this person. Such a publication of the personal data of individuals, for instance their address and their telephone number, would conflict with their right to determine whether their personal data are included in a public directory and if so which.”

ICANN also undermines Article 5 of European Convention on Privacy, which guarantees that information “must be stored for specified purposes and not used in ways incompatible with those purposes.” ICANN officially collects registrants’ personal information under the claim that it is needed for “technical purposes”. But since the Whois database is frequently used by intellectual property claimants, direct marketers, law enforcement agents, and stalkers to obtain personal information on consumers, ICANN’s permitted use of the data vastly exceeds the specified purpose for which it was collected.

2. International Guidelines

ICANN Internet governance policies further erode the public’s privacy protections by ignoring guidelines outlined in key international documents such as the OECD Privacy Guidelines and the UN Guidelines for Personal Data Files.

These international privacy policy guidelines recommend a path to database privacy protection based on a number of widely accepted fundamental principles. Unfortunately, ICANN’s Whois database policies systematically flout the consumer protections recommended in the privacy guidelines.

For example, ICANN’s policies regulating the Whois database ignores the “Collection Limitation Principle” which states that there should be limits on the collection of personal data and that any such data should be obtained by lawful means and with the consent of the data subject, where appropriate. The massive cross-purposes to which the Whois database information is put, also demonstrates a disregard for the “Purpose Specification Principle”, which requires the specific purposes of collected personal data be made clear at the time of collection. The universally accepted “Use Limitation Principle” is also ignored by ICANN’s policy choices regarding the Whois database. This privacy protection principle states the use or disclosure of personal data should be limited to specific purposes stated at the time of collection and that data obtained for one purpose cannot be used for other purposes.

Despite its efforts to function in an Internet governance role, ICANN remains unwilling to provide consumers with the same level of civil liberties and consumer protections that governments would be required to provide, if a government were managing the domain name system.

3. National Privacy Laws Violated

1. Canada

Nations have enacted legislation protecting the privacy of database information that ICANN Whois policies routinely violate. In 2000, Canada passed the Canadian Personal Information protection and Electronic Documents Act (PIPEDA), which requires that a consumer be provided with Internet services even if she refuses to consent to the disclosure of her personal information. If Registrars obey this Canadian law and give Canadian website owners the right to decide if their personal information will be published, Registrars will be breach of the contractual obligations to ICANN.

In March 2004, an Ottawa court ruled against the Canadian recording industry in its legal bid to obtain personal information on dozens of Peer-2-Peer (P2P) file-sharers. In balancing the interests of intellectual property claimants to personal data against the privacy rights of consumers, Justice von Finckenstein found that “the privacy concerns outweigh the public interest concerns in favour of disclosure.” BMG Canada v. Doe, 2004 FC 488.

Because ICANN mandates the publication of a website owner’s personal information, its policies violate the consumer privacy protections found in the national laws of Canada. And ICANN’s Whois database policies put Registrars and Registries in the untenable position of having to choose between either violating their customers’ privacy rights or their own contractual obligations to ICANN.

     2.  Argentina

Argentina also contains strong privacy protection laws regarding personal data that ICANN Whois database policies violate as a regular course of business. The Argentine Constitution creates a special remedy for the protection of personal data, known as “habeas data”. In Argentina, the protection of personal data is considered a fundamental right.

Section 16 of the Argentina Personal Data Protection Act No. 25.326 (Decree No. 1558/2001) grants citizens of Argentina the right to suppress or correct their Whois personal information. Yet ICANN’s polices do not recognize these rights. Section 5 of the Argentine law requires express consent from a person to use or disclose of their personal information. Yet ICANN does not even given consumers a choice to keep their personal information confidential.

Section 11 of the Argentine Law guarantees that personal information may only be communicated upon the previous consent of the data subject. It also provides consumers with a right to be informed about who their personal information has been disclosed to and its purpose. Yet ICANN’s policies make no accounting for these rights under Argentine law either, continuing in its path of lawlessness and political unaccountability. In order to respect the privacy rights of Internet users worldwide and to avoid violating various privacy and consumer protection laws, ICANN should substantially redraft its Whois database policies.

II. Commentary on Specific Whois Task Force Preliminary Reports

A. Task Force 1: Limit Use of Personal Data to Only Consented Uses

ICANN must discontinue its illegal and irresponsible practice of using Whois personal data for multiple cross-purposes, in violation of well established privacy protection principles that limit data’s use to only those purposes consented to at the time of its collection.

Since its inception, ICANN has told domain name registrants that Whois personal information was being collected solely for technical reasons. But once collected, it has become an irresistible “honey-pot” for law enforcement and large intellectual property holders to obtain personally identifiable information on masses of consumers, skirting traditional due process legal

protections. ICANN must learn to respect the rights of Internet users and resist the temptation to use personal data for purposes other than those specifically consented to or otherwise provided for by national laws.

Furthermore, ICANN should implement a policy of granting individuals a right to immediate notice when and by whom their Whois personal information is accessed.

IP Justice agrees with the Whois Task Force 1 Preliminary Report in suggesting that it should be more difficult for third parties to obtain access to “sensitive data” about domain name holders than to obtain non-sensitive data.

B. Task Force 2: Permit Anonymous Website Ownership

IP Justice agrees with the Preliminary Report of Whois Task Force 2 that recognizes current ICANN policies force Registries and Registrars to violate national privacy and freedom of expression laws in order to meet their contractual obligations in the collection and processing of individuals’ personal data.

As an organization that is taking-on Internet governance roles, ICANN must be held to the same standard as any government would be required. ICANN should not be permitted to hide behind the fact that it is a private corporation in order to avoid providing the public with traditional due process protections in the administration of Internet domain names.

In order to adequately protect the privacy and freedom of expression rights of website publishers, IP Justice agrees with WTF2 in recommending that disclosures of Whois personal data must only be made with the consent of the individual concerned.

C. Task Force 3: Extreme Proposal Invades Privacy and Chills Expression

IP Justice strongly disagrees with the Preliminary Report published by Whois Task Force 3 (WTF3), which basically adopts the position advocated by the intellectual property holders lobby. The May 28, 2004 Preliminary Report proposes shifting the expense and burden of obtaining accurate personal information away from those requesting it and over to the Registrars and Registries. It advocates for requiring Registrars to draft plans to improve the accuracy of personal data and the rightholders’ access to the data. The Whois Task Force 3 Report ignores the reality that may rightsholders regularly abuse this data and overstate their intellectual property rights in order to prosecute or harass individuals for publishing critical or controversial information on the Internet.

Another fundamental flaw with Whois Task Force 3 is that it conflates “inaccurate” information with “false” information, when the two are substantially different in intentionality. IP Justice would like to draw attention to the recommendations of the At Large Advisory Committee (ALAC), which distinguished differing circumstances under which personal data is inaccurate. ICANN should not treat people who make mistakes while providing information or who provide inaccurate information in order to protect their privacy with the same heavy-handed response that people who provide inaccurate data to commit fraud or other illegal activity deserve. ICANN should not assume inaccurate information is evidence of fraud and unilaterally cancel all of a person’s domain names as WTF3 proposes.

IP Justice strongly disagrees with the Preliminary Report’s “Proposed Best Practices” Nos. 8-10 which require Registrars to verify at least two or three data elements (phone, fax, email) to obtain a website and all three to reconnect a domain name. No justification is provided for such an extremist position as to require this degree of verified information and intrusion of privacy. The proposals even recommend canceling all of a person’s domain names because her contact data becomes outdated on a single registration, even though the registrations are fully paid for and no illegal activity has taken place.

Domain name registrants must be given an opportunity to correct inaccurate information, suppress personal information disclosures, and have a right to be immediately told when their personal information is disclosed to third parties in accordance with national privacy and consumer protection laws.

Fundamental freedoms, such as privacy, anonymity, and freedom of expression are severely undermined by ICANN’s policy decision to require personally identifiable information before a webpage can be published. IP Justice strongly identifies with the WTF3 NCUC position, which recognizes that the accuracy of Whois data is not unconditionally desirable and that database protections are necessary to ensure fundamental freedom of expression values.

Recognizing the numerous legitimate reasons a person might have for providing inaccurate personal information when registering a domain name and in order to protect the freedom of expression and privacy rights of Internet users, IP Justice strongly agrees with the NCUC position that the submission of personally identifiable Whois contact data should be made optional. We second ALAC’s recommendation that no further action should be taken to compel unwilling individuals to provide accurate personal data and ALAC’s position that registrants should not directly or indirectly bear the costs of any data verification service primarily required by third-party data users.

We agree with WTF3 NCUC position that the best way to achieve accuracy and quality in personal information, is to guarantee the public’s privacy protections. When ICANN demonstrates that it can prevent over-zealous intellectual property owners, unscrupulous law enforcement agents, spammers, and others from abusing the Whois database, Internet users will feel more comfortable in submitting their personal data to ICANN and maintaining its accuracy.

If you have any questions regarding this commentary, or if IP Justice can provide the task force with any additional information, please do not hesitate to contact me at [xxxx] or [xxxx]. Thank you.

Very truly,

Robin Gross, Esq.

Executive Director, IP Justice

 

Via email to: whois-tf1-report-comments@gnso.icann.org

whois-tf2-report-comments@gnso.icann.org

whois-tf3-report-comments@gnso.icann.org