[kictanet] Civil Society commentse on the Beijing GAC Communique

[Alice Munyua]

https://docs.google.com/document/d/1d6GT0zqLjU6e7Js-TE2Gjlm_-B5xvhE5CrRPZSV3oV4/edit?pli=1

Best
Alice
--------------------------------
14 May, 2013

The NCSG represents civil society groups and nonprofit organizations in
the ICANN policy making process. Our two constituencies and 400 individual
and organizational members appreciate the opportunity to comment on the
GAC’s “Safeguards applicable to broad categories of new TLDs” (the
Safeguards).

We address the specific recommendations of the Safeguards in the second
half of our comments. We begin, however, by expressing broader concerns
about the role of the GAC in ICANN, of which this Advice is symptomatic.

The GAC and the multi-stakeholder process
The ICANN bylaws authorize GAC to “provide advice on the activities of
ICANN as they relate to concerns of governments, particularly matters
where there may be an interaction between ICANN's policies and various
laws and international agreements or where they may affect public policy
issues.” This mandate assumes that ICANN’s carefully balanced
representational processes (the GNSO, ALAC, etc.) develop policies and GAC
comments on them in a timely manner. When offered in a timely manner, such
advice might prompt the board to instruct the Supporting Organizations to
reconsider or modify their policies before implementation.

The Beijing Communique does not appear to be the kind of “policy advice”
contemplated by the ICANN bylaws. The GAC did not advise or comment on the
actual ICANN policy, but seems to have attempted to take over the process
of defining and implementing new gTLD policy at an impossibly late stage
of the process.  It was either unaware of or disliked the results of an
open, transparent, multi-stakeholder process, and now seeks to change it
dramatically. The GAC concocted categories for new gTLDs that were not
contained in the Applicant Guidebook and, for each category, came up with
new, extensive and often contradictory or ambiguous regulations that it
now insists be included in the contracts governing registries, registrars
and domain name users.

>From the standpoint of a multistakeholder policy making institution, this
approach is deeply flawed, because a substantial transformation of the
policy was not made with the participation of the GNSO or with the civil
society organizations and businesses affected. There were no public
hearings at which these governments’ citizens could make their views
known. Moreover, since this advice would have the effect of an
international regulation, it is notable that there was no review of this
work by GAC members’ national legislatures. This is not “policy advice,”
therefore, but an illegitimate form of international legislation. Worse,
because it is couched as “advice” and not formal law, its recommendations,
if implemented by the board, might be exempt from important constitutional
checks and balances.

In short, the GAC’s Beijing Communique is positioned not as advice, but as
a substitute for the policy work of the broader ICANN community. As such,
it constitutes a threat not only to the implementation of the new gTLD
program, but to ICANN’s status as a multi-stakeholder policy development
institution. Unless this “advice” is rebuffed by the board, ICANN
undermines its Supporting Organizations, its policy development process,
and the Applicant Guidebook under which hundreds of companies applied for
new domains.

At a time when authoritarian governments and intergovernmental
institutions are challenging the legitimacy and validity of open,
bottom-up, nongovernmental global governance, allowing a group of
governments to over-ride and negate ICANN’s policy development processes
in this way would send a terrible signal to the world.

Specific elements of the GAC advice

1.      The Preamble to the ‘Safeguards’

While most of the Annex would impose very specific requirements upon
registries and their users, the GAC begins its Annex with a free-floating
dictum that all of its commands “be implemented in a manner that is fully
respectful of human rights and fundamental freedoms” and consistent with
all existing international treaties and conventions. As the ICANN
stakeholder group most concerned with human rights and fundamental
freedoms, we appreciate the GAC’s recognition of human rights and the
protections of international law. But we have a difficult time believing
that they will serve as real protections in this context.

In deciding what to do with this Advice, we ask both the GAC and the Board
to consider the following questions:

What does it mean to be “respectful” of the UN Universal Declaration of
Human Rights, which includes the right to free expression, while at the
same time requiring registries for strings such as .FAIL, .SUCKS, .WTF,
and .GRIPE to “develop policies and processes” that would regulate content
and expression under those domains? Is the GAC declaring that domains set
aside for critical content be subject to special, new kinds of content
regulation? Would such a governmentally-imposed requirement be consistent
with Article 19, the U.S. First Amendment, the European Convention on
Human Rights or other constitutional protections?

What does it mean to order registries to “comply with all applicable
laws…related to privacy” while at the same time ramping up the WHOIS
enforcement mechanisms and data accuracy requirements without any regard
for whether the registrant is a legal person or a natural person (i.e., an
individual with a stronger privacy claim)? How is a concern for privacy
consistent with the GAC’s clear intention to transform the WHOIS into a
tool of systematic user identification and surveillance, and to use WHOIS
accuracy as a pretext for immediate takedowns?

What does it mean to demand respect for international law in one phrase
and then demand that Amazon and Patagonia, both holders of trademarks
recognized under international law, be denied the right to use their
trademark in a TLD simply because some governments don’t want them to? On
what law is the GAC’s request to deny these applications based?

What does it mean for a global registry to “comply with all applicable
laws” regarding dozens of “regulated industries” when there are nearly 200
jurisdictions and the regulations applicable to specific industries in
each one may differ? More to the point, why does the GAC expect ICANN
contracts to apply and enforce these laws rather than the governments
themselves?

In democratic jurisdictions compliance with law includes due process
requirements for policing. What does it mean for a registry to comply with
all applicable laws while at the same time being required by GAC to
suspend domain name registrations based on a vaguely defined criterion
which the GAC calls “security risks that pose an actual risk of harm”?
What, exactly, is the definition of “risks that pose an actual risk of
harm?” Is it the same as actual harm? What is the applicable legal
standard here? How will it be adjudicated?

This aspect of the GAC communique founders on its own contradictions. It
cannot be implemented and any attempt to do so will fail.

2.      Regulations applicable to all gTLDs

In this section of the Annex, the GAC shows that it does not trust or
respect current international or national laws governing privacy, identity
and cybercrime. It seeks to impose upon registries, via ICANN contracts,
detailed technical regulations regarding Whois testing and surveillance
mechanisms. Yet many of the activities “required” are already undertaken
or required in various venues; e.g., by ICANN (Whois accuracy checks at
the registrar level), national law enforcement authorities, Internet
service providers, registries, and independent security services
companies. For example, all registries we are aware of already have abuse
notification mechanisms. Phishing, botnets, and various forms of spam are
already illegal under national and international laws. It is likely that
ICANN contracts for registries are the wrong place to situate additional,
specific regulations regarding monitoring of botnets, spam, etc. The GAC
wants to impose additional regulatory burdens without any plausible case
that there will be an improvement in the results.

As advocates of Internet freedom and individual rights, the NCSG looks
with concern upon increasing efforts by GAC to make WHOIS an internet
identity card with a “real-name” registration policy similar to the failed
attempt in South Korea.

3.      Regulations regarding Consumer Protection, Sensitive Strings, and
Regulated Markets
In this section the GAC claims that “Strings that are linked to regulated
or professional sectors” must be regulated in advance of any harmful
action, because “these strings are likely to invoke a level of implied
trust from consumers, and carry higher levels of risk associated with
consumer harm.”

This argument fails on two counts. First, the concept of “linkage” is too
vague and open-ended to serve as a basis for systematic domain name
regulations of the sort the GAC contemplates. Food, for example, is
subject to health and safety regulation in all countries. Does that mean
that any word related to food in the domain name system should be subject
to special regulation? If so, we suspect that there is literally no word
in the dictionary in any language that could not somehow be “linked” to
some kind of sector or trade that has governmental rules and regulations
attached to it. Reinforcing these concerns, the GAC includes the words
.CARE, GAME, GREEN, PICTURES, DATA and dozens of other innocent generic
terms in its Safeguard list, indicating just how limitless their approach
can get. Such an approach would make ICANN (or the GAC) the world’s word
police.

Second, the GAC has fallen prey to the fallacy that any and every form of
consumer harm that might occur on the Internet can be eliminated by
imposing ex ante regulations on the words that are assigned in the domain
name system. This is simply false. Many names and words that might
theoretically be “linked” to specific services, industries or professional
sectors can and will be used in productive and legitimate ways without any
consumer harm. Conversely, many strings that are not clearly linked
semantically to regulated or professional sectors could be used in a way
that defrauds or harms users. The only rational way to react to these
kinds of risks is to enforce the law ex post, not ex ante. In other words,
actual, provable harm must occur first and regulatory action based on due
process and clear standards of evidence and law should only occur
afterwards. Any attempt to substitute ex ante regulation for ex post law
law enforcement will harm many innocent users while failing to provide
improved protection from a large array of unforeseen and unknown harms.

We find it incredible that the GAC proposes to make registrars and
registries authoritative licensing validation entities for 200
jurisdictions and an innumerable number of sectors and professions. This
is not feasible. The principle of ex post law enforcement is a more
feasible, and more freedom-respecting method of safeguarding concerns
about fraud and consumer protection. If service providers or web sites are
using names which fraudulently imply some kind of legal status, it is not
that difficult for local or international law enforcement to stop them
from doing so. But the legality or illegality of uses cannot be determined
in advance. It is not a good idea to make the global name registry system
responsible for policing the world’s professions and sector regulations on
an ex ante basis.

4.      Restricted Registration Policies
We find this area of the GAC advice confusing. On the one hand, the GAC
demands that registries carefully vet registrants ex ante and apply
numerous regulations regarding who can register in nominally open generic
TLDs; but it then goes on to insist that all registries be open and
demands pre-approval and justification from any registry that proposes to
restrict registrations as part of an attempt to establish a clear
reputation and identity for a top-level domain. Business model innovation
was an important rationale for the new gTLD program. Yet the GAC seems to
want to make the traditional registry-registrar model that rewards mass
registration a requirement, even though the economic incentives for mass
registration are what often causes the security and consumer protection
problems associated with domains.

While the NCSG differs on the merits of closed generics and on the proper
policy response, we agree that these policy issues should be resolved
through the bottom-up, multistakeholder process and not unilaterally by
the GAC.