Internet overseer continues wall-punching legal campaign
ICANN appeals its appeal and tells German courts yet again that they're wrong
The organization that oversees the internet's naming and numbering systems is continuing its embarrassing European legal campaign, insisting for a third time that the German courts have got it wrong.
On Friday, ICANN appealed [PDF] the latest court decision against it, this time insisting that the Appellate Court of Cologne, Germany made a mistake when it ruled the organization had not "sufficiently explained" nor provided a "credible reason" for seeking an injunction against German domain registrar EPAG.
It was the third time in a row that ICANN has lost a legal effort to force EPAG to gather additional personal information on anyone that registers a domain name. EPAG says that requirement breaks GDPR privacy legislation and so it would be breaking the law by doing so. ICANN insists the law is unclear and so EPAG has to keep requiring and storing the information if it wants to continue to sell internet addresses.
ICANN's legal campaign is an effort to re-impose its authority over contracts that cover the sale and registration of internet addresses, but its approach, attitude and increasing string of failures is starting to have the opposite effect.
Despite years of warnings, the organization failed spectacularly to update its contracts in the face of GDPR, leading to the extraordinary situation where it pleaded with data regulators to give it a special one-year exemption from the law: a request that they noted they were in no position to grant.
As a result, just before the new law kicked in, ICANN imposed an emergency temporary policy that had been rejected just months earlier, which in turn prompted many internet registries and registrars to go their own route.
ICANN's response was to seek an emergency injunction against one registrar – German registrar EPAG – in an effort to set a precedent. But the courts have consistently found that the issue is not an emergency and so have refused to entertain ICANN's arguments.
When it lost the first time, ICANN appealed and insisted it was essential that a decision be made over how GDPR is interpreted when it comes to the Whois system. As such it told a regional court that it either had to decide on the legal interpretation or send it to the European Court of Justice to decide.
The court was unpersuaded and threw ICANN's case out again, noting that it didn't feel any need to refer the case to the ECJ because ICANN's interpretation of the law "was not material to the decision."
And so, given yet another opportunity to rethink its failed legal strategy, ICANN has responded by… appealing again. This time it insists that the regional court had also got it wrong. The arguments in its "Plea of Remonstrance" are, broadly, two fold:
First, that the court decided against ICANN on the grounds that its injunction was lodged out of concern for the impact it would have on the proper functioning of the domain name system. The court found there would be no impact, so rejected the injunction.
ICANN claims this reasoning was a mistake – that it had applied for a cease and desist injunction, not a functional injunction - and that it should have been warned that the court would view it in these terms.
"Nothing in the course of the proceedings enabled the Applicant to foresee the Appellate Court's reasoning," ICANN whines in its official appeal. "To the contrary, prior to the Appellate Court's decision, the Regional Court rendered two decisions in which the legal aspects that the Appellate Court now relies on have played no role at all."
In other words, ICANN felt blindsided by the fact that it lost on a different legal standard to the one it has already lost twice.
Its second broad argument is that the court's reasoning is wrong when it comes to the impact of not granting it an injunction.
ICANN says the court wrongly assumes that the data it wants gathered could be acquired at a later date (assuming of course that the legal system does subsequently decide that the data does not break GDPR). ICANN argues that if a domain is only registered for a year, by the time a legal decision in its favor kicks in, the information would be lost forever.
On a related note, ICANN argues that the court erred when it decided that the non-gathering of that information represented only an "abstract danger" i.e. ICANN was making a big fuss over nothing.
ICANN argues that even if the lack of data represents an abstract danger it should still get it anyway. "In particular, the legally protected interests involved in case of abusive practices in the present case are of such high significance that also abstract dangers justify a preliminary injunction."
What is extraordinary about those claims is that they demonstrate that ICANN is clearly not listening to what the German courts have repeatedly said in clear terms: that the Whois service is not as important as ICANN insists.
The data at the heart of the dispute is contact details for an administrative and technical contact for a domain name. Back when Whois was first introduced – in the early days of the internet – websites were relatively rare and required a lot of effort and knowledge to create. As a result, they often had named people to contact if someone had a problem.
But in 2018 – and, in fact, for the past decade – this situation simply doesn't exist. People can set up a website using a content management system like Wordpress within minutes. And they don't need special contacts: a fact confirmed by EPAG when it said in an early filing that "in the vast majority of gTLD registrations, the Registrant (Owner), Admin, and Tech contacts are the same. As such, collection of Admin and Tech contacts is meaningless, as the data belongs to the Registrant."
The inclusion of the Admin and Tech contacts are just one sign of how hopelessly outdated the Whois service has become – which is precisely the point. But ICANN continues to insist, against its own industry, that it is vital those contacts be requested and stored. Why?
Put simply, it's because intellectual property interests see the Admin and Tech contacts as a way to bypass GDPR requirements. They recognize that they may not be given direct access to domain registrant details, due to GDPR, so argue that these more technical functions should be made accessible. They know all too well that in almost every case the details will be the same as the information they will be prevented from accessing.
That ICANN continues to push this line despite knowing the reality is just one more indication of how the organization continues to serve American intellectual property interests beyond its own industry and internet users.
The other argument – that the lack of such data will result in some kind of larger danger to the DNS – is precisely what the Regional Court looked into and dismissed. It specifically pointed out that ICANN had failed to make its case when it came to how important the Whois was.
And there's good reason for that. Because, despite a range of actors insisting that the lack of a Whois service – where people's personal contact details are posted publicly online – will cause an uptick in online crime, no one has yet to provide any evidence that that is the case.
Law enforcement continues to be able to access full Whois data by simply requesting that registries and registrars provide it to them. So the issue is really large American corporations who want full Whois access in order to chase down anyone potentially infringing their trademarks; access they are at risk of losing thanks to GDPR.
To such corporate minds, the loss of Whois data is a disaster. But few others agree, especially given the huge privacy implications for everybody else on the internet of having their name, phone number, and email and physical address posted online.
More importantly, Europe's data protections regulators have been extremely clear that they don't consider corporate interests as overriding citizen's privacy rights. In person and in writing, they have repeatedly warned ICANN that "purposes pursued by other interested third parties should not determine the purposes pursued by ICANN" and that ICANN should "not conflate its own purposes with the interests of third parties, nor with the lawful grounds of processing which may be applicable in a particular case."
Literally everybody within the DNS industry knows that that means American corporate interests should not be granted access to all domain name registrant information. But those same interests are not giving up and continue to try to find a way around the law. And US-based ICANN is doing everything in its power to assist them.
One way to get around the law is to require domain registrants to provide the obsolete technical and administrative contact details by pretending they are relevant to the functioning of the DNS. That is the fantasy that ICANN is still trying, and failing, to foist on the European court system.
The second main way around the law is to device an "access program" for specific groups to be granted access to Whois data and then devise the system in such a way that corporate interests are effectively viewed as equivalent to law enforcement.
That effort is being strongly pushed within ICANN's policy process and in a new working group that has been setup to develop a new Whois approach. But, as with every other previous effort, the likelihood of success is minimal.
The big difference this time around is that the powerful property interests that many blame for having undermined 20 years of efforts to update Whois want to change rather than retain the status quo.
We understand that internally ICANN is pitching its continued legal action as a way to appease such intellectual property concerns by showing the organization is supporting their interests, while holding on to the belief that the European court system will ultimately resolve the question of how GDPR relates to Whois - so it doesn't have to.
At some point, however, failed legal argument after failed legal argument starts to point to something much more concerning: that the organization in charge of overseeing the internet's naming and numbering systems is not capable of doing its job. ®
Sponsored: Becoming a Pragmatic Security Leader