Time is up

In yesterday’s blog I suggested that by responding in the way it did to the arrival of the GDPR, ICANN, in effect, pressed the self-destruct button. ICANN is now set on a path which will eventually lead to its abolition or radical reform. The process will be long, painful and fraught, with many scares, twists and turns.  What comes out the other end need not, in every respect, be as good as what we have now.  But the ball is already rolling.

ICANN did what it did because it could do no other. It is thoroughly dominated by vested interests willing to slow down or obstruct potential changes to the status  quo  if they believe the changes threaten their profitability.  If change is, nevertheless, eventually to be forced upon them they will find a way to live with it but they would like that day to be as far distant as possible. Meanwhile bank balances continue to expand.

This strategy has been remarkably successful up to now.  To get away with it ICANN, the powers within it and their ideological fellow-travellers have relied on six key factors:

  1.  A willingness to portray and project themselves as defenders and champions of free speech, artistic expression and civil rights, fighting on behalf of “the little guy”, “the oppressed, unpopular  or misunderstood minority”,  “the  political dissident”,  the “whistleblower”,  warding off the improper,  even evil, predations of  national Governments, the police and security services.
  2. A willingness to project themselves as a wilful and determined engine of economic growth and technological innovation.
  3. Which in turn feeds on and encourages a belief that if Governments step into  any part of the internet space to regulate it high tech companies will not invest and this will harm national prosperity and impede human progress in various indeterminate ways
  4. The very real practical and political difficulties of getting  heterogeneous and geographically distant national Governments and  international institutions to agree on almost anything.
  5. A willingness to encourage and exploit the idea that the technical complexities of the internet  are immense. This intimidates  and scares off a great many politicians and civil servants in the Governments  and international institutions referred to above.
  6. It has a similar effect on mainstream journalists who would otherwise be a reliable ally in exposing cant and hypocrisy. Look how much (rare) effort went into getting Cambridge Analytica into the public domain. Any story that seems nerdy and remote will struggle to capture an editor’s attention and comprehension.

Yet the dominant forces within ICANN are businesses who sell domain names or derive income from their sale. It is not a very complicated idea.

The parallels with what has been happening within the UK over the  past few years are striking but, having written several blogs where the phrase ” drinking in the Last Chance Saloon” has appeared it was no surprise to hear the Secretary of State say in a Tweet,  “the era of asking nicely is over.” Matt Hancock, for it was he, was across all the  UK newspapers and current affairs programmes this morning promising legislation.  See the full announcement here.

The devil will be in the detail but the ball is already rolling. Where have I heard that before?


Posted in Age verification, Child abuse images, Default settings, E-commerce, Internet governance, Regulation, Self-regulation

Article 29, WHOIS and ICANN contd.

Join ICANN and see the world. Last Thursday in Vancouver the ICANN Board gave its response to Article 29’s and the Government Advisory Committee’s  representations about the GDPR, which comes into effect in less than one week. In essence ICANN stuck two fingers up at both of them:  Governments and privacy regulators.

In a world in which the internet plays such a central, even all-pervasive role, and driven as it is by the financial self-interest of Registries, Registrars and the co-dependent ICANN bureaucacy, ICANN has no authority or legitimacy to tell Governments and lawfully appointed regulators to get lost. But they just did.

So mark 17th  May 2018 in your diary.  It could turn out to be the day ICANN finally pressed the self-destruct button. Don’t ask me what the outcome will be as the whole edifice starts slowly to unfurl. “Messy” is the only word that springs to mind.  But unfurl it will. In the end democratic Governments will have their way, and undemocratic ones will fly in on their coat tails, grateful they didn’t have to do any of the heavy lifting.

So what was decided?

A “Temporary Specification” (TS) was approved by the ICANN Board and it will now be incorporated into all Registry Agreements.

It does not require the email of the Registrant to be visible to the public. That removes an important tool used hitherto on a large scale  by law enforcement and the wider internet security industry.

The TS does not require a distinction to be made between legal or natural persons i.e. between private individuals and companies or other organizations.

Here are  the main provisions

What will disappear from public view?

  • Registrant and technical/admin contact name
  • Registrant address
  • Registrant and technical/admin contact email address
  • Registrant and technical/admin fax and/or phone numbers

How do you get access to what will become non-public data?

To enable WHOIS users to contact Registrants:

  • Registries must direct users to the registrar for a method to contact the registrant.
  • Registrars must create an anonymised email or a web form to enable users to contact the registrant, and the technical and admin contacts. There is no requirement that a unique email address be attributed to each registrant, which would have enabled users to identify other domains registered by the same registrant.
  • Registrars must offer registrants an opt-in to have their data included in a public WHOIS, and they may (note “may) offer an opt-in for admin and technical contacts.

Registrars and registries are required to provide reasonable access to non-public data to third parties with legitimate interests, “except where overridden by interests or fundamental rights and freedoms of data subjects”.  Quite how “legitimate interests” will be defined and how they will be acknowledged as having one is yet to be defined.

Registrars are also required to provide access where “the Article 29 Working Party/European Data Protection Board (comprising the EU Member States’ data protection authorities), a relevant court, applicable legislation or regulation provides guidance that the provision of data to specified classes of users is lawful”.

There is no uniform or centralized mechanism at this time to get access to such data, though the ICANN Board is urging the  “ICANN community” to come up with a model expeditiously.  No deadline has been set. No one knows when this will happen.

Please can we have more time?

The US Government  has called for a ” short- term suspension” of  GDPR enforcement  and the Registrars  have made a similar request.

Although Article 29 has no authority to suspend anything, individual DPAs could, in practice, decide not to take out enforcement  proceedings.

I guess  deferment  or  suspension has a great deal of practical appeal although there is bound to be a degree of hesitation and scepticism because of ICANN’s behaviour so far. Everybody knows ICANN has a unique talent for making sure nothing happens quickly. The world must run at their pace and everybody else can whistle.  Yet hubris is charging at speed over the virtual hill.

Posted in Default settings, Internet governance, Regulation, Self-regulation, Uncategorized

Article 29, WHOIS and ICANN

In less than ten days time, on 25th May, the GDPR becomes law in every EU jurisdiction.  Officially, the GDPR began its journey towards this state of grace in 2012,  when the European Commission published its draft proposal, although to my certain knowledge informally the discussions about what it should say began in 2010. Probably they got going even earlier than that.  The GDPR completed the legislative processes in early 2016 although the final shape was clear before the end of 2015.

No surprises

It would therefore be hard for anyone to argue they were surprised to discover that a new set of rules was about to come into force. Yet only  hours away from the commencement huge arguments are going on about the proper meaning of the GDPR in relation to the WHOIS database. In fact only two days ago ICANN issued yet another note on the subject but it is a note with no conclusion as it insists various (vital) matters  have still to be discussed within “the community”.  By that they mean among themselves. This opens up the possibility that large parts of the database will “go dark” on or shortly after 25th May.

WHOIS should be up to date, accurate and accessible

From the very beginning  of the modern internet WHOIS was meant to be an up to date, accurate and publicly accessible database of who owns and operates web sites.

It long ago ceased to be that. Last time I checked only about a  quarter (23%) of WHOIS entries were fully accurate in the way they were meant to be. In other words accuracy was the exception rather than the rule.

I can see a case where, in exceptional circumstances, certain data for certain sites might be withheld from routine public scrutiny e.g. by allowing the use of privacy or proxy services, but the key word there is “exceptional” and even if withheld from public view the information that is stored should be accurate.

ICANN has shown zero interest in or sense of urgency about putting things right i.e. in improving the level of accuracy within WHOIS. On the contrary they have come up with a litany of excuses, essentially for delaying doing anything meaningful. For example, they go on about the “changing  nature of the internet” and how this requires them to “look again at the role and purpose of WHOIS.” OK. But accuracy is accuracy whichever way you cut it. One senses the major constituent parts of ICANN would be entirely content if the only information anyone needed to collect and keep was that which allowed them to receive payments and that should be privy only to them.

As long as the money keeps rolling in

If the Registries, Registrars, and ultimately ICANN, keep getting the money from the sale of domains why should they care? If bad guys do bad things with the sites they provide that’s a problem for the cops or someone else, not them. I exaggerate for effect, but not by very much.

The upshot? WHOIS has been getting ever more inaccurate.

Yet it remains an important source of information for law enforcement and the wider online security industry. Crooks and fraudsters of all kinds still have to register some details and these can often provide vital clues for investigators to follow.

Will WHOIS “go dark”?

As already mentioned, right now there is a severe risk that WHOIS will “go dark” on or about 25th May, certainly to the wider internet security industry but possibly also even to cops. Probably not all top level domains will be equally affected but a great many could be.

Just so we are clear what that means: a source of data previously available to law enforcement for the purposes of investigating crime will no longer be there. Why? Because ICANN did not think this was important enough to get everything sorted out in time.

ICANN has  come up with a proposed scheme which would provide what they call “layered” access  to various interests but this requires an accreditation scheme to be established and no one knows how long that would take. Even  a short hiatus could be a huge boon to wrongdoers.

Hello multistakeholderism 

Thus does ICANN’s arrogance stand out. Governments and legislatures can change whatever laws they like. Multistakeholderism means ICANN will consider how to respond as and when it suits them. And if it doesn’t suit them then that’s just tough. ICANN floats above us all.

Article 29 have not being playing it too cleverly either. For more on that please read the letter the UK’s children’s charities have sent to the Chair of Article 29. It will also be going to the UK’s Information Commissioner’s Office and I hope sympathisers in other EU Member States will consider writing to their DPA in a similar vein.

I will leave you with this thought.

WHOIS and ICANN were never discussed at political level

In the  original proposal for the GDPR ICANN and WHOIS were not mentioned.  Neither are they mentioned in the final text or in any of the Recitals. In fact I can find no record of ICANN or WHOIS being discussed or referred to at any point as the measure progressed through the legislative process.

I find it hard to believe any set of politicians in a democracy would deliberately vote to create or allow a system to continue that undermines people’s confidence in the internet and does so much harm to individuals and legitimate businesses.

Article 29 and the DPAs should be interpreting the GDPR in that light. Their failure so to do may well invite further, possibly urgent, corrective legislative action and undermine people’s confidence in DPAs for taking such a narrow and blinkered view.

Article 29 and the DPAs should have no hesitation in insisting that the identity and contact details of every web site are fully transparent and accessible, particularly to the police and the cyber security industry but the case for maintaining public access is also very strong. Children, parents and  indeed every internet user ought to have the option to check the credentials of a web site before they engage with it.

Finally, and I apologise for coming back to the point about accuracy,  it is imperative that all data within any and every  possible future version of WHOIS are accurate. Anything less will  only help criminals. Who voted for that? Nobody.

Posted in Internet governance, Location, Privacy, Regulation

Cherie Blair speaks out

In the pantheon of bad actors in the internet space there are two distinct classes. There are the criminals and fraudsters themselves.  Clearly they bear the greatest part of the burden of guilt for the harm their actions cause. However, there are also those with the power to  stop or at any rate reduce the scope of the malevolence but instead choose to look the other way. In this second category two stand head and shoulders above the rest.  One is ICANN, based in California, the other is Verisign based in Virginia. The relationship between ICANN and Verisign is symbiotic.

Child sex abuse materials

By common consent there are now billions of images of children being sexually abused circulating in cyberspace. The vast majority of these began their virtual life by being posted on the open internet.

If ICANN had done their  job properly this would never have happened or the size of the problem would have been much, much smaller. The volumes now defeat the best efforts of any and every law enforcement agency. It needn’t have been that way.

What is ICANN’s job? Simple.  To make sure everyone who buys and operates a web site provides truthful, accurate and up to date details of who they are and how they might be contacted. Last time I checked less than a quarter (23%)  of domains were accurately registered in the way ICANN’s rules say they are supposed to be. In other words accuracy is the exception rather than the rule. In this environment criminals thrive. Children suffer.

And it is not just children’s interests that are harmed by ICANN’s indifference and inaction. The  same pathway is exploited by every kind of scammer.

Verisign Inc

According to figures published by the Internet Watch Foundation around 70% of all child sex abuse materials  found on the internet in the UK are located in two domains: .com and .net. They are the market leaders by a country mile and have held that inglorious title for many years.  Who owns and operates them? Verisign.

Verisign is the biggest single contributor to ICANN’s finances. Does this explain why ICANN does not bear down on Verisign? Whatever the contractual details of the relationship might be between ICANN and Verisign, Verisign’s moral responsibility could not be clearer. Yet they ignore it. Seemingly with impunity.

To put things right would cost money. If there were more checks on a would-be purchaser’s real identity and contact details it would likely hit sales and therefore, ultimately, both Verisign’s and ICANN’s revenues could be threatened. Not good enough reasons for doing nothing.

Cherie Blair speaks out

Cherie Blair QC is a distinguished lawyer, a judge and someone who cares deeply about children. Following a request made by the  Children’s Charities’ Coalition on Internet Safety Ms Blair wrote to Mr Xavier Becerra, the Attorney General of California in the following terms:

Dear Mr Becerra,

You will, of course, be familiar with the powers and functions of the Internet Corporation for Assigned Names and Numbers (ICANN) which is domiciled and incorporated in California as a  501(c)(3) non-profit organization.

A coalition of British children’s organizations have drawn my attention to what they say are significant failings on the part of ICANN in relation to key issues which impact on children as internet users.

In the first instance they refer to the fact that for many years two domains  – .com and . net – both owned by Verisign Inc.,  have been the largest source of child pornography on the open internet. While one might have hoped  Verisign would themselves have chosen to introduce measures to reduce or eliminate the traffic in these appalling materials, they only act as Registry for the domains in question in the first place by virtue of a contract which they have with ICANN.

The suggestion I am hearing, therefore, is that ICANN is equally at fault, or perhaps is even more at fault, because it has consistently failed or refused to bear down on Verisign to improve the situation. In the last year for which figures are available (2016), .com and .net accounted for 70% of all child pornography reported to the UK’s Internet Watch Foundation, yet .com and .net between them represent only 44% of all domains.

The second matter concerns the creation of a .kids domain. Approximately six years after ICANN began the process of creating the domain in the English language the matter remains unresolved. Yet in Cyrillic script the domain was delegated to a Russian organization which, when asked, said ICANN had made no stipulations in the contract about, for example,  the importance of ensuring that any potential Registrants  did not employ or use persons with convictions for child sex offences.

The way .kids was handled contrasted sharply with the way .bank, .pharmaceuticals and .insurance ended up at the conclusion of the same process of establishing  new Generic Top Level Domains. The difference between banking, insurance and pharmaceuticals interests and children’s interests is fairly obvious. The former can afford to employ lawyers and lobbyists, the latter cannot. Yet precisely because that is the case one might have hoped that ICANN itself would have stepped in to ensure that children’s interest were properly safeguarded. They didn’t.

I have not yet had the opportunity to look further into these matters, but I am aware you have taken a great personal interest in child welfare as well as the wider issue of  online safety as it impacts children. For that reason it occurred to me that you may already be actively engaging with ICANN with regard to the points I have raised. Either way I would be very grateful to hear how you see ICANN’s responsibilities  vis-à-vis children and I would also like to ask if you are satisfied with the way they are discharging them?

Mr Becerra replied on 13th April. He assured Ms Blair he appreciated her concerns about

“how actions or non-actions taken by ICANN may affect the security of children. Keeping kids safe online is a multi-front battle, which comprises combatting exploitation, including child pornography, as well as creating protected spaces for children such as .kids domain. ICANN’s responsibility for managing the internet’s domain names places it squarely in the thick of this fight.

For these reasons, my office and I, including the Bureau of Children’s Justice, will continue to give scrutiny to the issues you raise. Protecting children remains central to what we do at the California  Department of Justice.”

A call to action

I trust colleagues in California and elsewhere will be encouraged by Mr Becerra’s response and will be keen to follow up with the Bureau of Children’s Justice to see how the project is moving along.

I wrote an extremely long (10 pages) background briefing on all this. You can find it here if you want to delve deeper.

Posted in Child abuse images, Default settings, ICANN, Internet governance, Regulation, Self-regulation

ECPAT USA steps up

I have written before about the negotiations currently taking place around the North American Free Trade Agreement (NAFTA). One of the clauses being proposed for inclusion by the US Administration would require Canada and Mexico to adopt a law which the US Congress and President Trump ditched last month. Go figure.

The law in question is (the now amended) s.230 of the Communications Decency Act, 1996 – one of the most inappropriately named pieces of legislation ever.

The old s.230 is the law that allowed Backpage and similar to make millions of dollars from the distribution of child sex abuse materials and from facilitating a wide range of sexual offences. This was possible because the old s.230 created such a strong level of immunity for internet intermediaries that law enforcement agencies and the courts were defeated in their efforts to bring the offending parties to book.

The fear is that if the clause makes it into the final version of NAFTA, not only would that be very bad news for Canada and Mexico, it would also set a terrible precedent. It could reappear in trade negotiations that will be held with other countries. Speaking as a Brit contemplating Britain after Brexit that scares me.

All over the world it is common for one bit of Government not to know about or agree with something another bit of the same Government is doing. Very often it is the lot of outsiders to point this out and, generally, not always, it leads to the matter being resolved.

So assuming the decision to follow this course of action is not being directed by the White House or some other powerful element in the core leadership of the Trump  Administration, civil society organizations are starting to speak out.

ECPAT USA is one of the first.  Yesterday they released  a copy of their letter to The Honorable Robert Lighthizer, the US Trade Representative.

NGOs in Canada and Mexico are also stirring. We are all stakeholders.

Posted in Child abuse images, E-commerce, Internet governance, Regulation, Self-regulation

The internet: to regulate or not?

The UK’s House of Lords is holding  an inquiry into whether or not the internet should be regulated.  The Children’s Charities’ Coalition on Internet Safety submitted evidence. Here is a link to the House of Lords web site where the text of the evidence is reproduced.

If you want the original pdf you can download it  from here.



Posted in Internet governance

Article 29 and children

In the UK our Data Protection Authority (DPA) – the Information Commissioner’s Office (ICO) – has shown a real and sustained interest in how the new data privacy regime – the GDPR -is likely to impact children.  ICO officials attended an all-day seminar organized by Professor Sonia Livingstone at the LSE. They shared their thoughts and interacted with a group of leading online child rights and child protection experts who came not just from the UK but also from other EU Member States. Several of the latter travelled to the LSE precisely because they knew the ICO would be represented.

The ICO subsequently issued a consultation paper  and draft guidance specifically addressing the position of children in respect of all relevant headings of the GDPR.

The Article 29 Working Party

Each DPA in every EU Member State remains a sovereign and independent body but they stay in touch and try to achieve a degree of consistency through something called the  Article 29 Working Party.  Article 29 has existed since the mid 1990s. It is being replaced by  the European Data Protection Supervisory Board.

Historically, Article 29 has not shown an excessive degree of interest in children as data subjects. One suspects they have a box marked “Very Difficult. Avoid If You Can. Only Open If You Absolutely Have To”. Children are in it.

In fact the only major Opinion Article 29 seems to have issued which concerns children dates from 2009 and it addresses children’s personal data held by schools. If you were to ask any randomly selected group of parents, children  or policy makers about their main worries in terms of what is happening to young people’s personal data in the internet age, I doubt  that how schools are handling it would be at the top of their list. It would be there, but not at the top. Silicon Valley meanwhile….


Once the GDPR became law Article 29  decided to organize a series of “FabLabs” to discuss what would happen next and get feedback from interested parties. I attended. There were three such meetings. One in July 2016,  one in April, 2017 and finally October, 2017.

In plenaries and working groups at the FabLabs a number of people suggested there should be a  specific session on  the position of children. On behalf of the European NGO Alliance for Child Safety Online and the UK’s Children’s Charities’ Coalition on Internet Safety I wrote to Article 29’s then Chairperson,  Isabelle Falque-Pierrotin of the French DPA, to support that suggestion.

Article 29 did not agree. Neither did they expressly disagree.  The request was just ignored. Thus, at an EU level there has been no open or extended engagement between the online child rights and child protection communities and the privacy community.

Since the GDPR was adopted Article 29 has published no letters about children. They have issued no press releases. No consultation documents or position papers on children  have been sent around. Article 29 have issued no guidelines on children although mentions of children are scattered among several of those that have appeared.

Save for the British texts nobody has tried to bring together or discuss all the parts of the GDPR which concern children. Such a publication would help a lot of people get a better take on or overview of the diverse ways the landscape is changing.

In the report of the first FabLab no mention of children or young people appears.

In the report of the second FabLab the following words appear

Minors  are  a  priority  but  resolution  lies  at  Member State  level  and  the  age verification  of  a  minor  is problematic. The verification of consent by the holder of parental responsibility is also problematic.

Interesting use of the word “priority”.

In the report of the final FabLab this appears

Practical challenges for (data) controllers are arising since, while the GDPR recognizes the need for extra protection for children, it was pointed out that there is no clear indication of how the different stages of the development of a child should be taken into account when providing information.

Amen to that.

What are EU-wide institutions for?

Isn’t one of the points of having EU-wide institutions that, for example as in this case, the larger DPAs and the Commission itself can help out the smaller ones and together they can help each other? Are we seriously expected to believe we are going to see 27 different attempts to sort this out?

Why this catalogue of moans?

Less than three weeks ago,  the pattern of neglect of children reasserted itself.  The new Chair of Article 29 published a letter that had been sent to Facebook on the question of facial recognition and how it might be deployed in the future.  No mention of children.

Facebook have said facial recognition will not be available to children, i.e. persons below the age of 18.  Good decision. That being so, why didn’t Article 29 ask about the steps the company is planning to take to ensure the policy works?

Apps or services which broadcast location data also raise safety and security issues for children. This is not just about Facebook. It’s about the whole social media space.

Article 29’s ear-shattering silence does not inspire confidence

I appreciate there are lots of things that need sorting out in relation to the GDPR. I appreciate also that many DPAs are still angry about the way the GDPR turned out in respect of children. It is clear the privacy community wanted a single age for the whole of the EU and they wanted that age to be 13, the then de facto status quo. Echoes of resentment can still be heard about how, at the last minute, politicians stepped in and “messed things up” by allowing multiple ages.

Of the many lawsuits that lie ahead where the scope and meaning of the GDPR will be clarified, there is unquestionably going to be one on children and in that lawsuit Article 29’s lack of leadership is bound to be noted and criticised.


Posted in Age verification, Facebook, Google, Location, Regulation, Self-regulation