Draft submission to the NTIA

Below is the first draft of a letter I am working on for several children’s groups. It is in response to the US Government’s request for “comments and recommendations” on its international internet policies and priorities.

If you think I have missed anything or can suggest how the letter might be improved please let me know. And of course please feel free to use any or all bits in whatever submissions you might decide to make.  The closing date is 17th July.

Dear NTIA

Thank you for this opportunity to submit comments and recommendations on the future of the US Government’s  International Internet Policies and Priorities. We apologise for the length of our response but you have identified a set of issues which are immensely important to children all over the world.

One in three human internet users is a child

One in three human internet users is a child. In parts of the developing world this can rise to around one in two. Thus, whatever else one might believe, imagine or want the internet to be it is unquestionably a medium for children.

Multistakeholderism has failed children

Multistakeholderism has egregiously failed to ensure children’s interests are fully and properly taken into account in international bodies and at gatherings where internet policies are discussed or decided. Here we single out in particular the IGF and ICANN. Both were specifically mentioned by  you in your call.

The IGF failed children

NETmundial was an IGF sponsored initiative of considerable importance.  It took place in Brazil in 2014.  In the final communiqué  there are references to three international treaties:  the Covenant on Civil and Political Rights, the Covenant on Economic, Social and Cultural Rights, and the Convention on the Rights of Persons with Disabilities. The Convention on the Rights of the Child was overlooked or ignored. There is not one word about children in NETmundial. Not one.

There were not enough children’s voices at NETmundial to press for their rights to be recognised and while doubtless no one present in São Paulo wished any harm to come  to children when they go online, neither were children’s interests front and centre of why anyone made the trip. Why were there not enough children’s voices? Partly for a very practical reason: money. Or rather the lack of it.

Multistakeholderism is a slogan not a policy

Multistakeholderism is a wonderful idea that has simply not worked, at least not for  kids.

Corporate interests with a business reason for being involved in the affairs of ICANN and the IGF have no trouble being fully engaged stakeholders. Typically they send lawyers, accountants, lobbyists, Government relations staffers , or all of the above, to watch over or advance their  interests or deal with the mountain of correspondence, conference calls and papers which the associated processes generate.

The ICANN bureaucracy now also constitutes an interest in these matters and, self-evidently, they are very well placed to preserve and extend their institutional perquisites.

Few can match the resources available to the corporates. Even national Governments, law enforcement agencies and long-established international bodies  have difficulty finding the funds and the people to enable them to keep up.

While children’s organizations recognize the importance of the internet in young people’s lives, it is grotesque, in effect,  to ask them to choose between spending their hard-earned and scarce cash helping an abused child in the here and now or providing a training programme for parents or teachers on how to help their children stay safe online, and flying to the other side of the world to sit in a swanky conference centre for a week surrounded by diplomats, civil servants and individuals representing some of the richest and most powerful companies on Earth who are having a discussion which might produce something three years down the road. Or it might not.

Something must be done  to create a more level playing field.

The lack of resources available to children’s organizations  to participate in NETmundial and similar is simply a reflection of a lack of serious interest on the part of those with the power to change things. Lip service costs nothing. Effective action does.

Remote participation is a poor substitute for being in the room

Remote participation  at events such as NETmundial may give the appearance of engagement, someone somewhere can tick a box,  but it is a very poor substitute for being physically present when complex, often quite nuanced issues of policy are being debated  by people who don’t already know each other in one way or another.

And how, realistically, does anyone get meaningfully involved in negotiating  the wording of a final communiqué or stay on top its iterations if they are eight thousand miles and five time zones away?

But it is not just attending meetings that matters. There is also the enormously time-consuming, labyrinthine “intersessional” procedures linked with bodies such as ICANN and the IGF.

ICANN is failing children

One of ICANN’s key self-declared tasks is “keeping the internet secure”. It has definitely not been keeping the internet secure for children. In that respect it is suggested ICANN is in breach of  its obligations under international law as well as under US Federal and California state laws requiring any and every organization to have regard to the best interests of children in any and all decisions affecting children.

The .kids saga

In 2012 ICANN decided to expand the number of available generic Top Level Domains (gTLDs). This resulted in the creation of over 1,000.  ICANN agreed “.kids” would be  one of them. For .kids in the English language there were three bidders: Amazon, Google and the .Kids Foundation. Six years later a decision on who should be awarded the contract to be the Registry for .kids in English has still not been taken. This gives some indication of the priority attached to children’s interests within ICANN.

Yet .kids has been let in Cyrillic script. Upon learning this the Moscow-based entity that won the contract to be the Registry was contacted. The following questions were put. The entirety of the relevant text follows:

  • Do you make any stipulations about who may buy a .kids domain name e.g. nobody with criminal convictions, or convictions for child sex offences? And if you do, do you carry out any checks to make sure the people meet those criteria?

Answer: No.

  • Do you make any stipulations about who may work for a business or organization operating a .kids domain name e.g. nobody with criminal convictions, or convictions for child sex offences? And if you do, do you carry out any checks to make sure the people meet those criteria?

Answer: No.

At the time of writing there is no information suggesting anything untoward has happened with any Cyrillic .kids websites, but it should be noted that the volume of sales so far has been low (1,500 at the last known count).

Concerns of the kind alluded to in the questions above should never have been left open in the way they were. This is because a domain such as .kids is guaranteed, sooner or later, to attract the attention of paedophiles. They go where children go. That being  so  ICANN’s  failure  to  insist  on  and insert in the Registry Agreement even  the  most  rudimentary safeguards, commonly found elsewhere and not infrequently required by law, is tantamount to criminal negligence.

And even if it is not that, it is clearly at odds with an overriding duty to have regard to the best interests of children.

Moreover, stipulations  about  ownership  and  operations  have nothing at all to do with the nature of any content that might appear on a website. No free speech concerns arise.

ICANN typically responds by saying its key policy is only to require relevant entities to abide by applicable national laws in the jurisdictions concerned. That is not a tenable position. It is a breach of direct and unavoidable obligations to children which cannot be delegated or left to chance.

Not to put too fine a point on it ICANN is, in reality, inciting paedophiles and other criminals to look for a jurisdiction with the fewest limitations on what they can do or a jurisdiction or Registry where enforcement is known to be non-existent.

ICANN has consistently argued it will not concern itself with the content of web sites.  But they should enforce their own contracts. However, is it anyway not beyond the powers of ICANN to declare, as an inflexible policy, that it will disregard or deliberately fail to act within the scope of its ostensible powers to curb or bear down on persistent conduct which it knows leads to illegal outcomes?

No advice about children’s best interests was sought or obtained.

In correspondence ICANN has acknowledged that when it came to deciding who would be awarded the contract to be a .kids Registry, and on what terms, they did not seek, obtain or consider any expert advice in relation to what might be in the best interests of children.

Neither were any  extra or specific requirements  imposed within the application or assessment processes used to decide who might become the .kids Registry. In effect .kids was looked at in the same way as .grocery, .London, .cruise, .baseball and so on.

GAC advice ignored

ICANN’s Governmental Advisory Committee offered quite specific advice on children’s interests in respect of the new gTLDs being created.  This was ignored. True enough it was issued after the  creation process had started but it was nevertheless still well within a timescale that would have allowed ICANN to act, were it so minded.

Ignoring GAC advice appears to have become, for some elements within ICANN,  something to take pride in, a way to demonstrate ICANN’s independence from “political interference”. In so doing they assert that they are the best judges of the public interest whereas, in reality, what they are reflecting is their own view about what they think is in their own  business or institutional interests.

It was different for . bank, .pharmacy and .insurance

As part of the same process that created .kids, .pharmacy, .bank and .insurance also became new gTLDs. However, here, fearful of the consequences of bad actors being able to buy and run websites which implied a link to legitimate pharmaceutical, banking or insurance related activities, interested businesses combined to establish what are now known as “Verified Top Level Domains”.

To buy a domain within any of these categories, individuals or entities must first go through a pre-approval process to determine they are fit and proper.

How did the banks, pharmacies and insurance companies manage this?

It happened because the banking, insurance and pharmaceuticals industries had an established presence within ICANN and therefore knew what was going on, what the deadlines were etc. and had the financial wherewithal to employ the necessary lawyers, lobbyists and staffers to deliver this highly desirable outcome.

The children’s organizations had and have no similarly endowed or entrenched interlocutors but that does not give ICANN permission to put children at risk or disregard their best interests.

It is truly shocking no one within ICANN accepted they had an obligation to ensure children’s interests were properly safeguarded. They could have insisted .kids be created as a  Verified Top Level Domain. They didn’t.

Child sex abuse material

Down the years the lion’s share of child sex abuse material (csam – aka child pornography) on the internet has been found within just two domains: .com and .net.

In 2018 the IWF reported that around 70% of all CSAM reported to it in 2017 was found within .com and .net. Those proportions were pretty much identical to 2016 and many years  previous to that. .com and .net are both owned by the same company, Verisign, based in Virginia. Verisign is the largest single contributor to ICANN’s funds.

Astonishingly, among the new gTLDs established under the 2012 process the IWF also discovered that over 1,000 domains  appeared to have been created solely to distribute csam. This was up from 272 the year before. These are relatively small numbers but any one of these domains could be responsible for distributing millions of illegal child sex abuse images.

ICANN chose money over safety and security

It was open to ICANN to decline to expand the number of available domains under the new gTLD process until they were satisfied they could not be misused in precisely the way they have been. They didn’t choose that route. They chose to bring in more cash and in so doing added to the already existing and well known problem of csam being distributed over the internet.

If only WHOIS worked as it was meant to

Accurate data about the identity and contact details of persons who own or operate web sites are meant to be contained in the WHOIS database, but they aren’t and the volume of crime which has resulted has now overwhelmed the capacity of police services around the world. In the UK the police won’t even look at an online fraud case if the amount involved is less than £100,000 and we have lost count of the number of times law enforcement has said they cannot arrest everyone suspected of committing online crimes against children.

Yet it is hard to believe, for example, that even one web site would be engaged in distributing csam if the  identities and contact details of the persons buying the domains in the first place, or registering them later, had been robustly verified.  This is what is supposed to happen under the Registry and Registrar agreements ICANN issues but does nothing to enforce.  By turning a blind eye ICANN helps crooks and harms children.

It  seems that among Registries, Registrars and ICANN staff  it is widely believed that effective measures to reduce the scope for criminal abuse of domains e.g.  by properly checking who people are, would would cost too much money and put off would-be purchasers of new domain names. This would reduce the volume of sales, therefore hit revenues, eat into profit margins and therefore also threaten ICANN’s revenues.

The thing Registries and Registrars care about most is  simple: having systems in place to ensure they get paid. Everything else is, as they see it, an  “unnecessary”overhead cost, an administrative annoyance.  Not their problem. Perhaps, in cahoots with ICANN, they hoped by stealth and over time WHOIS would  quietly fade away and die.

This is one reason why the current debacle over the GDPR is so unfortunate. The EU and the European Data Protection Authorities,  through the Article 29 Working Party, have not covered themselves in glory. By their lack of understanding of what is at stake they have played straight into the hands of those elements within ICANN who would happily get rid of WHOIS completely.

By the way, although this is nothing to do with ICANN, the same principle  – know your customer – should also apply to anyone providing hosting or any form of online storage or publishing service.

ICANN duped the Feds

Last time it was checked only about 23% of entries were  correctly entered. In other words accuracy was the exception rather than the rule.

The  minute ICANN was free of the Affirmation of Commitments it took steps to downgrade WHOIS. They never had any intention of honouring the solemn promise they gave in the Affirmation. They signed the  Affirmation agreement quite cynically, solely to get out from under. They duped the Feds.

It is happening again right now. People are investigating how to remove ICANN from the potentially troubling clutches of the courts of California and the USA by establishing ICANN’s global HQ in a non-US jurisdiction. Doubtless they will hunt for the jurisdiction which presents the least likelihood of ever “interfering”.

With such a low level of trust and confidence in ICANN there will be a great deal of apprehension attaching to anything as large and fundamental as changing the entire legal basis on which it operates.

The offer of a PDP

In correspondence and discussions ICANN officials would not accept they had any specific or particular responsibilities towards children. They merely suggested children’s organizations should try to initiate a “Policy Development Process” (PDP) within which our ideas could be discussed by the ICANN “community”.

PDPs are the traditional way in which policies are aired and debated within ICANN prior to the ICANN Board reaching a determination.

An ICANN PDP can last several years. It was pointed out the children’s organizations simply do not have the resources that would allow them to engage in one. ICANN appeared unmoved.

More importantly, the implication of a PDP is ICANN believes it has a discretion in relation to the position of children. The contrary view, advanced here, is ICANN has a legal obligation to act.

Ball of confusion

George Bernard Shaw famously said all professions are a conspiracy against the laity. ICANN has taken this to new heights.

It has erected a redoubt of obscure, expensive and protracted processes all of which combine to discourage new entrants, preserve the status quo or slow down the rate of change to the greatest extent possible, always in favour of the financial interests of Registries, Registrars and ICANN itself.

As if to prove the point about their arcane ways, in a press statement issued to The Times of London on 4th April 2017 ICANN said the following

“ICANN is a unique institution that is governed via a bottom up, consensus-driven multistakeholder model. As a result, ICANN staff cannot unilaterally impose guidelines or requirements on registries, registrars  or other stakeholders in a topdown manner. Policy recommendations are developed and refined… in a “bottomup” multistakeholder, open and transparent  process…”

“Bottom up, consensus-driven multi-stakeholder model” might mean something to the initiated but in the end it is simply a method of working that counts for nothing if all it produces is mayhem or evil.

Speaking of the “ICANN community” is an attempt to give an undeserved democratic patina to what is, in reality, a collection of entities with a material interest in the affairs of ICANN. And not being part of one of those insider groups means ICANN can and will trample on your rights or concerns.

The ICANN “community” should include stakeholders without loud voices, deep pockets, big muscles and time to fly around the world to attend ICANN gatherings. Equally, it should include many more people whose livelihoods are not likely to be affected by the outcome of decisions ICANN might make.

There is nothing wrong, and a great deal that is right about ICANN wanting to talk to as many people as possible before making a decision, but ICANN is not a modern-day Pontius Pilate, able to dodge any responsibility for its own actions by referring to a “community” that only exists within their own self- constructed and self-serving bubble.

Finally, isn’t the rather palpable point that ICANN is in a position to make the internet safer or less safe for children? So far, they have failed to do everything they reasonably could to protect children.

Principal recommendation

The US Government should use its influence to ensure multistakeholderism works as originally envisaged and in ways which guarantee children’s interests are fully represented and supported at all relevant stages and levels in key internet governance institutions. Alternatively, if the US Government concludes that that is not possible within current frameworks,  it should look for and promote an alternative model.

 

 

About John Carr

John Carr is a member of the Executive Board of the UK Council on Child Internet Safety, the British Government's principal advisory body for online safety and security for children and young people. In the summer of 2013 he was appointed as an adviser to Bangkok-based ECPAT International. Amongst other things John is or has been a Senior Expert Adviser to the United Nations, ITU, the European Union, a member of the Executive Board of the European NGO Alliance for Child Safety Online, Secretary of the UK's Children's Charities' Coalition on Internet Safety. John has advised many of the world's largest internet companies on online child safety. In June, 2012, John was appointed a Visiting Senior Fellow at the London School of Economics and Political Science. More: http://johncarrcv.blogspot.com
This entry was posted in Internet governance, Regulation, Self-regulation. Bookmark the permalink.