Centre for Internet and Society

Search Engine and Prenatal Sex Determination: Walking the Tight Rope of the Law

geetha — 2015-02-12T06:05:24Z

In Sabu George v. Union of India, the Supreme Court is looking at the constitutionality of sex-selection ads appearing on search engines, either as search results or ads placed on the search pages. Balaji Subramanian and Geetha Hariharan analyse the relevant provision of the Pre-Natal Diagnostic Techniques Act, 1994.

The Supreme Court, in Sabu George v. Union of India and Ors. (WP (C) 341/2008), is looking into the presence of material regarding pre-natal sex determination on search engines such as Google, Bing, and Yahoo!. The petitioner alleges that search engines have been displaying content that falls foul of §22 of the Pre-Natal Diagnostic Techniques Act, 1994, as amended in 2002 (“the Act”).

The relevant parts of §22 that search engines are alleged to have violated are as follows:

“22. Prohibition of advertisement relating to pre-natal determination of sex and punishment for contravention.-

No person, organization, Genetic Counselling Centre, Genetic Laboratory or Genetic Clinic, including clinic, laboratory or centre having ultrasound machine or imaging machine or scanner or any other technology capable of undertaking determination of sex of foetus or sex selection shall issue, publish, distribute, communicate or cause to be issued, published, distributed or communicated any advertisement, in any form, including internet, regarding facilities of pre-natal determination of sex or sex selection before conception available at such centre, laboratory, clinic or at any other place.
No person or organization including Genetic Counselling Centre, Genetic Laboratory or Genetic Clinic shall issue, publish, distribute, communicate or cause to be issued, published, distributed or communicated any advertisement in any manner regarding pre-natal determination or preconception selection of sex by any means whatsoever, scientific or otherwise” (emphasis supplied)

Explanation.- For the purposes of this section, ‘advertisement’ includes any notice, circular, label, wrapper or any other document including advertisement through internet or any other media in electronic or print form and also includes any visible representation made by means of any hoarding, wall-painting, signal, light, sound, smoke or gas.

From a cursory reading, it would appear that the section serves as a clear and unequivocal ban on advertisements for clinics or other laboratories that perform pre-natal sex determination. However, the Supreme Court seems to have landed itself into a mess by muddling the distinction between web/online advertisements (in the sense that the word has been used in the quoted provision) and organic search results. The court has received little assistance from the words of the statute, since the Act contains no exhaustive definition of ‘advertisement’. The closest thing to such a definition is the explanation to §22, which only specifies that the term is inclusive of some common forms of adverts – label wrappers, audiovisual representations, etc. This is not a definition, and does not expand the meaning of the word to include organic search results, which are commonly understood not to be advertisements (see here and here, for example). This distinction was pointed out to the court in the submission of the Group Coordinator, Cyber Laws Formulation and Enforcement Division, Department of Information Technology, as noted by the bench in its order dated the 4^th of December 2014.

It is our view that this distinction is of vital importance to the entire debate surrounding the PNDT Act, and therefore we have clearly differentiated between organic search results and “sponsored links”, or advertisements, wherever required.

In order to examine whether search engines were in compliance with the law, we systematically searched for terms most likely to trigger advertisements that would violate §22 of the Act. Further, we selected search engines across the market spectrum, from high-revenue organisations likely to have performed comprehensive due diligence (Google, Bing, etc.) to relatively low-revenue operators who did not have offices in India, or dedicated service offerings specific to India, and were therefore unlikely to have taken special measures to comply with the provisions of the PNDT Act (Yandex, DuckDuckGo, etc.). Further, where search engines had India-specific websites, we checked to see whether there was any difference in the advertising outputs of the India site and the US site.

Since the advertising systems work on a bidding mechanism, where the same keywords were likely to trigger different ads based on the rates selected by advertisers, our methodology also included making multiple (five, in most cases) iterations of searches that yielded advertisements, even if the ads displayed were not violative of the Act.

Online Advertisements

The results of this analysis (tabulated below) are surprising, to say the least. First, we found that major search engines such as Google, Yahoo and Bing (constituents of the advertising alliance, the Yahoo! Bing Network) did not display incriminating ads for many of the searches we attempted [see Table 1 below]. In searches for “sex selective abortion”, for example, Google even provided sponsored links to NGOs attempting to generate awareness against the practice. Nor were any non-compliant ads present on their US sites. No violative ads were observed on Yandex. DuckDuckGo did display a questionable advertisement for the term “prenatal sex determination”, but we shall discuss this in detail later.

However, there were some advertisements of questionable legal status. In Google, for instance, our searches for “Dubai indian pregnancy centre” and a litany of similar searches showed searches that featured international services. These services for sex-selection would, presumably, extend to India [see Table 2 below].

Table 1

Search Engine	"UAE pregnancy gender"	"Dubai Indian pregnancy gender"	"Pregnancy gender determination"	"Prenatal ultrasound India"	"Dubai India sex ultrasound"
Google (.com, .co.in)	Advertisements of fertility centres in the Middle East, that conduct sex determination tests. Some prominently feature assistance to international patients.	Advertisements of UK Laboratory that sells Prenatal Gender Test Kits. Prominently featured International shipping.	No ads.	Offers Pre-natal Ultrasound scans, does not conduct sex determination test.	Does not mention explicit sex determination or International Services.
Yahoo	No ads.	No ads.	Advertisements of Ultrasound Laboratory in the USA that conducts sex determination tests.	No ads.	No ads.
Bing	No ads.	No ads.	No ads.	No ads.	No ads.

Advertisements within Search Results

We also examined the search results themselves to check whether the links led to advertisements. On the basis of our searches we found that there are instances both in Google and Yahoo!, where, when we clicked on the search result, we were directed to advertisements. Bing and Rediff, in these searches, did not lead to any prohibited links. Our findings are tabulated below:

Search Engine	"Indian pregnancy gender"	"Foetal sex determination"	"Ultrasound pregnancy"	"Ultrasound screening"	"Is my baby boy or girl"	"Baby boy or girl"	"Pregnancy gender determination"
Google (.com, .co.in)	No ads.	Yes. Gender Predictor Kit (baby2see.com/gender/study_ultrasound.html).	No ads.	Yes. Gender Scan (ultrasound-direct.com/babybond-pregnancy-scans/gender-scan/).	No ads.	No ads.	No ads.
Yahoo	Potentially violative. Intelligender Gender Prediction Test (intelligender.com/gender-myths.html).	Yes. Gender Predictor Kit (baby2see.com/gender/study_ultrasound.html).	No ads.	No ads.	Potential violation. Gender Predictor (mybabyboyorgirl.com).	No ads.	No ads.
Bing	No ads.	No ads.	No ads.	Yes several results	No ads.	No ads.	No ads.
Rediff	No ads.	No ads.	No ads.	No ads.	No ads.	No ads.	No ads.

Given that some search results do indeed seem to violate §22, we then examined the advertising policies of those search engines alleged to display prohibited advertisements in Sabu George – Google, Yahoo! and Bing.

Advertising Policies of Search Engines

The Yahoo! Bing Network, in its advertising guidelines, has an entire section dedicated to ads for pharmacy and health care products and services. In it, there exists a comprehensive list of advertisements prohibited specifically due to the existence of Indian law – such as, for example, ads for miracle cures. Further, under the ‘Family Planning’ category on the same page, the Network acknowledges the existence of regulatory restrictions against advertisements for abortion services, paternity tests, and pre-natal sex determination in India. The consequences of non-compliance with the guidelines are laid out clearly on the same page – they include ad disapprovals, domain blocks, and account suspensions. Despite this, a search for “pregnancy gender determination” displayed an advertisement of an ultrasound lab in the United States that conducts sex determination tests [Table 2].

Google’s Adwords service has a similar policy statement, titled ‘Legal requirements & serving limitations’ for advertisements on its network. At the outset, Google asserts that the advertiser is responsible for the legality of the ad’s contents:

“As an advertiser, you're always responsible for ensuring that you comply with all applicable laws and regulations, in addition to Google's advertising policies, for all of the locations where your ads are showing. The guidelines below are intended to help highlight some areas where we've seen advertisers violate legal requirements in the past. However, this is not an exhaustive list of legal issues that you may need to consider, so we urge you to do your own research regarding appropriate advertising practices for the place where your business operates, as well as any other places where your ads are showing.”

Further, in its list of local legal requirements, under the head of ‘Regulated Products & Services’, Google clearly acknowledges that existing legal prohibitions shall be enforced against advertisements for, inter alia, infant food products and gender determination in India. Advertisements for infant food products are prohibited under §3(a) of the Infant Milk Substitutes Act, 2003. As with the Yahoo! Bing Network, the consequences for violating the advertising guidelines include disapproval of the ad, disabling of the domain from the ad network, and suspension of accounts. Despite these precautions, Google did show display some advertisements that would fall foul of §22, such as those we found in Table 2.

But it seems, at least, that in the case of major search engines, there exist concrete policies to back the relative lack of advertisements violating §22 of the PNDT Act. However, it is possible that these policies were evolved after the Writ Petition in Sabu George was filed in 2008.

Sources connected to the case indicate that the petitioner has alleged the presence of violative ads, and we have no data regarding 2008 advertising policies at either of these search engines. The Yahoo! Bing Network, however, does have an Editorial guidelines change log, stretching back all the way to the Network’s inception in 2012. The log does not detail any changes to the policy against ads for sex determination in India, so it follows that the Yahoo! Bing Network policy has existed at least from September 2012.

Interestingly, Yandex, the Russian search provider, appears to have prevented ads relating to pre-natal sex determination for different reasons. In its Advertising Requirements, Yandex mandates several restrictions on advertisements relating to medicines, medical products and medical services, which require licenses, registrations with Russian federal authorities, etc. to be produced to Yandex before an ad can be placed. Yandex has placed these restrictions in pursuance of Russian federal laws, but it appears that they have had the unintended consequence of keeping the site clear of advertisements that violate §22 of the PNDT Act, as well.

Finally, we come to the case of DuckDuckGo, which displayed questionable content in response to the term “prenatal sex determination” – an ad for ultrasound imaging services provided in the US. A similar ad was seen on Yahoo, as noted earlier. Even this, however, would not be a violation of the Act, since the service was located outside India, and the ad was placed by a foreign citizen residing in a foreign jurisdiction.

It is well-known that India is one of the few countries that has a ban on pre-natal sex determination, and it is a documented practice for couples to travel abroad and undergo diagnostic tests that enable them to discern the sex of the foetus – Thailand has been a destination of choice, if news reports are to be believed. Further, such non-Indian advertisements were seen on Google around 2009, and the argument made by Google’s counsel then stands today – that the situation was akin to an Indian library buying Thai magazines containing sex determination-related advertisements and making them available to the Indian public. Those ads are not targeted at Indians; the magazines were not meant for India. If the ad included invitations to foreigners (“Internationally famous for sex selection!”; “Sex of babies from around the world determined!”), and was published knowing that Indians would read it, then there is a greater likelihood that §22 of the Act stands violated. For instance, Google’s results for “UAE pregnancy gender” showed advertisements of fertility centres in the Middle East, some of which advertise for international patients.

In any event, since there exists no ban against the advertiser in his own jurisdiction, it would lead to an absurd result for search engines to be prosecuted for showing such ads to the Indian public, especially when the advertised service is not meant for or available in India. Displaying such a result would be especially detrimental to low-revenue search engines such as DuckDuckGo, who would be unable to conduct adequate due diligence to protect themselves from similar provisions in other Indian laws.

Organic Search Results

Having dealt with the issue of advertising against the provisions of §22, we now shift our focus to organic search results. At the outset, we must acknowledge the fact that the words of the statute specify “advertisement”, and it remains to be seen whether organic search results can be treated as advertisements if they are aimed at selling a product or service to prospective consumers for a price. If organic search results are to be treated as advertisements under §22, then it would amount to imposing an unnaturally high burden on search engines.

As intermediaries, search engines will be given the responsibility to scrutinise and curate the content that they display. Such a model is problematic on several levels. If intermediaries (search engines, in this case) were charged with the responsibility of policing their search results, a chilling effect will, in all likehood, befall online content – search engines, being profit-driven business institutions, will naturally choose to ‘err on the side of caution’, and would rather see some legitimate content taken down rather than risk the possibility of expensive, time-consuming litigation or penalties. In fact, when given the responsibility to take down data and curate organic search results, intermediaries are ham-handed.

Such an approach would necessitate the creation of large and complex structures, much like the means used by the DMCA in the US. Only large, reasonably high-revenue search engines will be able to put in place such mechanisms, so the law creates an undesriable entry barrier. Also, curating search results for content violative of §22 would be even more arduous than curating results for DMCA violations, since under DMCA, there is concrete private incentive for rights-holders to report DMCA violations to search engines. There exists no such incentive for individuals to petition search engines to remove §22 violations, and this affects its effectiveness. For these reasons, it is problematic to read organic search results within the ambit of §22.

Of course, the government can and should expect that online advertisements for sex selection services, inviting people to learn the sex of their foetus, are prohibited. It may do this for reasons of public health and safety, and in order to reduce female-selective abortions. But search results, unlike advertisements, contain medical information, links to anti-sex-selection campaigns and information about female foeticide. It would be unfortunate for the government to expect search providers to actively curate the content of a dynamic ecosystem such as the internet, while at the same time ensuring that legitimate content is preserved.

Sabu George and What Can Be Done

Lamentably, the Supreme Court does not appear to have entered this debate at all. In the latest arguments in Sabu George, the Solicitor General of India Mr. Ranjit Kumar offered the government’s hand in filtering and blocking sex-selection advertisements. Mr. Kumar stated that, “if the URL and the I.P. addresses are given along with other information by the respondents”, and also listing keywords, the Union of India can order website blocking under §69A of the Information Technology Act, 2000 (amended). The Union’s stance, it would seem, is that either the search engines should block offending ads by themselves, or block on the basis of directions issued by the government.

In its order of 28January 2015, the Supreme Court has directed that, as an interim measure, “Google, yahoo and Micro Soft [sic] shall not advertise or sponsor any advertisement which would violate Section 22 of the PCPNDT Act, 1994. If any advertise [sic] is there on any search engine, the same shall be withdrawn forthwith by the respondents”. The Court plans to hear arguments on the “total blocking of items that have been suggested by the Union of India” on the next hearing date, February 11, 2015.

Instead of hearing arguments on the feasibility of total blocking of offending online ads, the Supreme Court should ask whether organic search results constitute advertisements. These results are those that appear as the product of the search algorithm, and would take much time and expense to curate. It would also amount to time-consuming and disproportionate content inspection by the search engines. In any event, it seems that the major search engines do comply in large part with §22 of the PNDT Act. Where offending ads are found (like we did during our searches), the notice-and-takedown procedure under §79 of the Information Technology Act, 2000 can be put to intelligent use.

The second option noted by the Court, filtering or blocking on the basis of URLs or IP addresses, also stand the danger of overbreadth or overblocking. Such overblocking is routine across filtering regimes in many jurisdictions; for ex., see the Open Net Initiative’s note on filtering (“Filtering’s Inherent Flaws”). It is a danger better averted. In any event, a filtering regime would not affect organic search results, and so the doubt as to the scope of §22 remains.

Pranesh Prakash provided invaluable feedback. Balaji Subramanian and Pranav Bidare performed the searches on different engines. Balaji Subramanian is at NALSAR University of Law, Hyderabad, and is in his 2nd year of law. Pranav Bidare is in his 3rd year of law at the National Law School, Bangalore.

For more details visit https://cis-india.org/internet-governance/blog/search-engine-and-prenatal-sex-determination

Where Does ICANN’s Money Come From? We Asked; They Don’t Know

geetha — 2015-03-05T07:43:45Z

Just how transparent is ICANN? How responsive are they to requests for information? At CIS, we sent ICANN ten questions seeking information about, inter alia, their revenues, commitment to the NETmundial Principles, Globalisation Advisory Groups and organisational structure. Geetha Hariharan wonders at ICANN's reluctance to respond.

Why Is ICANN Here?

The Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for critical backbones of the Internet. It manages the root server system, the global allocation of IP addresses, protocol registries and the domain name system (management of gTLDs, ccTLDs, as well as the newly rolled-out “new gTLDs”).

ICANN was incorporated in California in 1998, and was intended as the technical coordination body for the backbone of the Internet. That is, it was to administer the Internet’s domain names and IP addresses, and also manage the Internet root servers.

As a result of an agreement with the National Telecommunications and Information Administration (NTIA) in the US Department of Commerce, ICANN is the IANA functions operator. It carries out the IANA functions, which include making changes to the root zone file (the backbone of the domain name system), allocation of IP address blocks to the five Regional Internet Registries (RIRs), and maintaining protocol parameter registries in collaboration with the Internet Engineering Task Force (IETF). The RIRs are responsible for allocating IP addresses (IPv4 and IPv6) to national and local Internet registries. The IETF develops Internet standards and protocols, such as those within the TCP/IP suite. To be clear, ICANN does not make policy for the IP address or Internet standards/protocols; those are the domains of RIRs and the IETF, respectively.

ICANN, Domain Names and All That Buried Treasure

ICANN is the de facto policy-making body for domain names. Through ICANN’s community Supporting Organisations and Advisory Committees (SOACs) – largely a multi-stakeholder community – ICANN determines policies for dispute resolution (see, for instance, the UDRP for domain name disputes), maintaining the WHOIS database, etc. for domain names.

Under its contracts with Top Level Domain (TLD) Registries, ICANN receives payment for all registrations and/or renewals of domain names. For instance, under the .bharti Registry Agreement, ICANN receives a fixed annual registry free of US $6250. If there are more than 50,000 registrations or renewals of domain names under a TLD (say, .bharti) in a quarter, then ICANN also receives an amount equal to (No. of registrations or renewals X US $0.25). TLD Registries “own” TLDs like .com, and they maintain a list of all the domain names registered under that TLD. There are around 816 such Registry Agreements, and in FY14, ICANN received over US $47 million in Registry fees [see page 7].

Similar agreements exist between ICANN and domain name Registrars accredited by it, too. Domain name Registrars are entities like Go Daddy and Big Rock, from whom people like you and me (or companies) can register domain names. Only Registrars accredited by ICANN can register domain names that will be included in the ICANN DNS, the most frequently used DNS on the Web. Each Registrar pays a yearly accreditation fee of US $4000 to ICANN (see Clause 3.9). Each Registrar also pays to ICANN fees for every domain name registration or renewal. There are over 500 ICANN-accredited Registrars, and in FY14, ICANN received over US $34.5 million in Registrar fees [see page 7].

Now, apart from this, in its IANA operator role, ICANN is responsible for the global allocation of IP addresses (IPv4 and IPv6). From the global pool of IP addresses, ICANN allocates to the five Regional Internet Registries (RIRs), which then allocate to National Internet Registries like the National Internet Exchange of India (NIXI as IRINN), local Internet registries or ISPs. For this, ICANN receives a combined contribution of US $823,000 each year as revenue from RIRs [see, ex.: FY09 Financial Statements, page 3].

And this isn’t all of it! With its new gTLD program, ICANN is sitting on a large treasure trove. Each gTLD application cost US $185,000, and there were 1930 applications in the first round (that’s US $357 million). Where there arose disagreements as to the same or similar strings, ICANN initiated an auction process. Some new gTLDs were auctioned for as high as US $6 million.

So ICANN is sitting on a great deal of treasure (US $355 million in revenues in FY14 and growing). It accumulates revenue from a variety of quarters; the sources identified above are by no means the only revenue-sources. But ICANN is unaware of, or unwilling to disclose, all its sources of revenue.

ICANN's Troubling Scope-creep and Does Transparency Matter?

At CIS, we are concerned by ICANN’s unchecked influence and growing role in the Internet governance institutional space. For instance, under its CEO Fadi Chehade, ICANN was heavily involved backstage for NETmundial, and has set aside over US $200,000 for Mr. Chehade’s brainchild, the NETmundial Initiative. Coupled with its lack of transparency and vocal interests in furthering status quo (for instance, both the names and numbers communities’ proposals for IANA transition want ICANN to remain the IANA functions operator, without stringent safeguards), this makes for a dangerous combination.

The clearest indication lies in the money, one might say. As we have written before, ICANN budgets for less than US $10 million for providing core Internet functions out of a US $160 million strong budget (Budget FY15, page 17). It has budgeted, in comparison, US $13 million for travel and meetings alone, and spent over US $18 million on travel in FY14 (Budget FY15, page 11).

To its credit, ICANN makes public its financial statements (current and historic), and community discussions are generally open. However, given the understandably complex contractual arrangements that give ICANN its revenues, even ploughing through the financials does not give one a clear picture of where ICANN’s money comes from.

So one is left with questions such as the following: Which entities (and how many of them) pay ICANN for domain names? What are the vendor payments received by ICANN and who pays? Who all have paid ICANN under the new gTLD program, and for what purposes? Apart from application fees and auctions, what other heads of payment exist? How much does each RIR pay ICANN and what for, if IP addresses are not property to be sold? For how many persons (and whom all) does ICANN provide pay for, to travel to meetings and other events?

You may well ask why these questions matter, and whether we need greater transparency. To put it baldly: ICANN’s transparency is crucial. ICANN is today something of a monopoly; it manages the IANA functions, makes policy for domain names and is increasingly active in Internet governance. It is without greater (effective) accountability than a mere review by the NTIA, and some teething internal mechanisms like the Documentary Information Disclosure Policy (DIDP), Ombudsman, Reconsideration and Independent Review and the Accountability and Transparency Review (ATRT). I could elaborate on why these mechanisms are inadequate, but this post is already too long. Suffice it to say that by carefully defining these mechanisms and setting out their scope, ICANN has stifled their effectiveness. For instance, a Reconsideration Request can be filed if one is aggrieved by an action of ICANN’s Board or staff. Under ICANN’s By-laws (Article IV, Section 2), it is the Board Governance Committee, comprising ICANN Board members, that adjudicates Reconsideration Requests. This simply violates the principles of natural justice, wherein one may not be a judge in one’s own cause (nemo debet esse judex in propria causa).

Moreover, ICANN serves corporate interests, for it exists on account of contractual arrangements with Registries, Registrars, the NTIA and other sundry entities. ICANN has also troublingly reached into Internet governance domains to which it was previously closed, such as the NETmundial Initiative, the NETmundial, the IGF and its Support Association. It is unclear that ICANN was ever intended to overreach so, a point admitted by Mr. Chehade himself at the ICANN Open Forum in Istanbul (IGF 2014).

Finally, despite its professed adherence to multi-stakeholderism, there is evidence that ICANN’s policy-making and functioning revolve around small, cohesive groups with multiple professional inter-linkages with other I-Star organisations. For instance, a revolving door study by CIS of the IANA Coordination Group (ICG) found that 20 out of 30 ICG members had close and longterm ties with I-Star organisations. This surely creates concern as to the impartiality and fairness of the ICG’s decision-making. It may, for instance, make a pro-ICANN outcome inevitable – and that is definitely a serious worry.

But ICANN is intended to serve the public interest, to ensure smooth, stable and resilient running of the Internet. Transparency is crucial to this, and especially so during the IANA transition phase. As advisor Jan Scholte asked at ICANN52, what accountability will ICANN exercise after the transition, and to whom will it be accountable? What, indeed, does accountability mean? The CCWG-Accountability is still asking that question. But meanwhile, one among our cohorts at CIS has advocated transparency as a check-and-balance for power.

The DIDP process at ICANN may prove useful in the long run, but does it suffice as a transparency mechanism?

ICANN's Responses to CIS' DIDP Requests

Over December ’14 and January ’15, CIS sent 10 DIDP requests to ICANN. Our aim was to test and encourage transparency from ICANN, a process crucial given the CCWG-Accountability’s deliberations on ways to enhance ICANN’s accountability. We have received responses for 9 of our requests. We summarise ICANN’s responses in a table: please go here.

A glance at the table above will show that ICANN’s responses are largely negative. In 7 requests out of 9, ICANN provides very little new information. Though the responses are detailed, the majority of information they provide is already identified in CIS’ requests. For instance, in the response to the NETmundial Request, ICANN links us to blogposts written by CEO Fadi Chehade, where he notes the importance of translating the NETmundial Principles into action. They also link us to the Final Report of the Panel on Global Internet Cooperation and Governance Mechanism, and ICANN’s involvement in the NETmundial Initiative.

However, to the query on ICANN’s own measures of implementing the NETmundial Principles – principles that it has lauded and upheld for the entire Internet governance community – ICANN’s response is surprisingly evasive. Defending lack of action, they note that “ICANN is not the home for implementation of the NETmundial Principles”. But ICANN also responds that they already implement the NETmundial Principles: “Many of the NETmundial Principles are high-level statements that permeate through the work of any entity – particularly a multistakeholder entity like ICANN – that is interested in the upholding of the inclusive, multistakeholder process within the Internet governance framework” (emphasis provided). One wonders, then, at the insistence on creating documents involving such high-level principles; why create them if they’re already implemented?

Responses to other requests indicate that the DIDP is, in its current form, unable to provide the transparency necessary for ICANN’s functioning. For instance, in the response to the Ombudsman Request, ICANN cites confidentiality as a reason to decline providing information. Making Ombudsman Requests public would violate ICANN Bylaws, and topple the independence and integrity of the Ombudsman.

These are, perhaps, valid reasons to decline a DIDP request. But it is also important to investigate these reasons. ICANN’s Ombudsman is appointed by the ICANN Board for 2 year terms, under Clause V of ICANN’s Bylaws. The Ombudsman’s principal function is to “provide an independent internal evaluation of complaints by members of the ICANN community who believe that the ICANN staff, Board or an ICANN constituent body has treated them unfairly”. The Ombudsman reports only to the ICANN Board, and all matters before it are kept confidential, including the names of parties and the nature of complaints. The Ombudsman reports on the categories of complaints he receives, and statistics regarding decisions in his Annual Reports; no details are forthcoming for stated reasons of confidentiality and privacy.

This creates a closed circle in which the Ombudsman operates. The ICANN Board appoints the Ombudsman. He/she listens to complaints about unfair treatment by the ICANN Board, Staff or constituency. He/she reports to the ICANN Board alone. However, neither the names of parties, the nature of complaints, nor the decisions of the Ombudsman are publicly available. Such a lack of transparency throws doubt on the functioning of the Ombudsman himself – and on his independence, neutrality and the extent of ICANN’s influence on him/her. An amendment of ICANN’s Bylaws would then be imperative to rectify this problem; this matter is squarely within the CCWG-Accountability’s mandate and should be addressed.

As is clear from the above examples, ICANN’s DIDP is an inadequate tool to ensure transparency functioning. The Policy was crafted without community input, and requires substantial amendments to make it a sufficient transparency mechanism. CIS’ suggestions in this regard shall be available in our next post.

CIS' Annual Reports are here. Our audit is ongoing, and the Annual Report for 2013-14 will be up shortly. Pranav Bidare (3rd year) of the National Law School, Bangalore assisted with research for this post, and created the table of CIS' DIDP requests and responses.

For more details visit https://cis-india.org/internet-governance/blog/where-does-icann2019s-money-come-from-we-asked-they-don2019t-know

Preliminary Submission on "Internet Governance Issues" to the Associated Chambers of Commerce & Industry of India

geetha — 2015-02-12T14:52:04Z

On January 30, 2015, Associated Chambers of Commerce & Industry of India (ASSOCHAM) held a consultation on Internet governance. A committee was set up to draft a report on Internet governance, with a focus on issues relevant to India. The Centre for Internet and Society (CIS) is represented on the committee, and has provided its preliminary comments to ASSOCHAM.

ASSOCHAM convened a meeting of its members and other stakeholders, at which CIS was represented. At this meeting, inputs were sought on Internet governance issues relevant for India, on which the industry body proposed to make comments to the Ministry of External Affairs, Government of India. Such a discussion, proposing to consolidate the views of ASSOCHAM members in consultation with other stakeholders, is a commendable move. This submission presents preliminary comments from the Centre for Internet and Society (CIS) in light of ASSOCHAM's consultation on Internet governance.

I. About CIS

1. CIS is a non-profit research organization that works, inter alia, on issues relating to privacy, freedom of expression, intermediary liability and internet governance, access to knowledge, open data and open standards, intellectual property law, accessibility for persons with disabilities, and engages in academic research on the budding Indian disciplines of digital natives and digital humanities.

2. CIS engages in international and domestic forums for Internet governance. We are a Sector-D member of the International Telecommunications Union (ITU),[1] and participated in the World Conference on International Telecommunications (WCIT), 2012 (Dubai) [2] and the Plenipotentiary Conference, 2014 (Busan).[3] We have also participated in the WSIS+10 Multistakeholder Preparatory Platform (MPP)[4] and the WSIS+10 High Level Event, organized by the ITU.[5]

3. CIS is also a member of the Non-Commercial Users Constituency (NCUC) at ICANN. Pranesh Prakash, our Policy Director, held a position on the NCUC Executive Committee from December 2013 to November 2014.[6]

4. CIS has been engaging at the Internet Governance Forum (IGF) since 2008, and has organized and participated in over 60 panels to date.[7] We have also organized panels at the Asia-Pacific Regional IGF (APrIGF). [8] Our Executive Director Sunil Abraham is a member of the Multistakeholder Advisory Group (MAG) for the India-IGF, and has attended in its meetings.[9] We are also in the process of developing international principles for intermediary liability, in collaboration with international civil society organisations like EFF and Article19. [10]

II. Structure of Submission

5. In this submission, we identify issues in Internet governance where engagement from and within India is necessary. In particular, brief descriptions of issues such as freedom of expression and privacy online, cyber-security, critical Internet resources and ICANN, multistakeholderism and net neutrality are provided.

III. Internet Governance Issues

6. The history of the Internet is unique, in that it is not exclusively government-regulated. Though governments regulate the Internet in many ways (for instance, by ordering website blocking or filtering, licensing of ISPs, encryption controls, investment caps, etc.), the running of the Internet is largely in the hands of private businesses, technical organisations and end-users.

7. International processes like the World Summit on Information Society (WSIS), and forums such as ICANN, the ITU, the IGF and the UN are involved in governing in the Internet in many ways. Regional organisations like the OECD, APEC and the Shanghai Cooperation Organisation (SCO) are also involved (for instance, in cyber-security matters).

8. The issues surrounding Internet governance are many, and range from telecom infrastructure and technical coordination to human rights and access to information.

Rights Online

9. The status of 'human rights online' has come under discussion, with the NETmundial Outcome Document affirming that offline rights must also be protected online. These issues are important in the context of, among others, the large scale violations of privacy in light of the Snowden Revelations,[11] and increased instances of website blocking and takedowns in different parts of the world.[12]

10. Internationally, issues of freedom of speech, privacy and access or the digital divide (though it is debatable that the latter is a human right) are discussed at the UN Human Rights Council, such as the resolution on human rights and the Internet, and the UN Human Rights Commissioner's report on the right to privacy in the digital age , which discusses the need for checks and balances on digital mass surveillance. During the Universal Periodic Review of India in 2012, India noted a recommendation from Sweden to " ensure that measures limiting freedom of expression on the internet is based on clearly defined criteria in accordance with international human rights standard ".

11. Freedom of speech and privacy are also relevant for discussion at the ITU.[13] For instance, at the Plenipotentiary meeting in 2014 (Busan), India proposed a resolution that sought, among other things, complete traceability of all Internet communications. [14] This has implications for privacy that are not yet addressed by our domestic laws. A Privacy Bill and such other protections are only in the pipeline in India.[15]

12. At ICANN as well, the root zone management function may affect freedom of expression. If, for instance, a top level domain (TLD) such as .com is erased from the root zone file, hundreds of thousands of websites and their content can be wiped from the World Wide Web. A TLD can be erased by Verisign if a request to that effect is raised or accepted by ICANN, and signed off on by the National Telecommunications and Information Administration (NTIA) of the US government. Similarly,the WHOIS database, which contains information about the holders of domain names and IP addresses, has implications for privacy and anonymity.

13. In India, the judiciary is currently adjudicating the constitutionality of several provisions of the Information Technology Act, 2000 (as amended in 2008), including S. 66A, S. 69A and S. 79. A series of writ petitions filed, among others, by the Internet Service Providers Association of India (ISPAI) and Mouthshut.com, relate to the constitutionality of the nature of content controls on the Internet, as well as intermediary liability. [16]

14. A judgment on the constitutionality of Ss. 66A, 69A and 79 are crucial for end-users and citizens, as well as companies in the Internet ecosystem. For instance, an uncertain intermediary liability regime with penalties for intermediaries - S. 79, IT Act and Intermediaries Guidelines Rules, 2011 - disincentivises ISPs, online news websites and other content providers like Blogger, Youtube, etc. from allowing free speech to flourish online. [17] The ongoing cases of Kamlesh Vaswani v. UOI and Sabu George v. UOI also have consequences for ISPs and search engines, as well as for fundamental rights.[18] International and domestic engagement is desirable, including in consultations with the Law Commission of India (for instance, the consultation on media laws).

Critical Internet Resources

15. Critical Internet Resources form the backbone of the Internet, and include management of IP addresses, the domain name system (DNS) and the root zone. [19] ICANN, a global non-profit entity incorporated in California, manages the IANA functions (Internet Assigned Numbers Authority) for the global Internet. These functions include allocating the global pool of IP addresses (IPv4 and IPv6) to Regional Internet Registries (RIRs), administering the domain name system and maintaining a protocol registry.

16. At present, the IANA functions are performed under a contract with the NTIA. On March 14, 2014, the NTIA announced its intention to transition oversight of the IANA functions to an as-yet-undetermined "global multi-stakeholder body". The deadline for this transition is September 30, 2015, though the NTIA has expressed its willingness to renew the IANA contract and extend the deadline. ICANN was charged with convening the transition process, and set up the IANA Coordination Group (ICG), a team of 30 individuals who will consolidate community input to create a transition proposal. At the moment, thenames (CWG-Names),numbers (CRISP) and protocols (IETF) communities are debating existing draft proposals. A number of new entities with which ICANN will have contractual arrangements have been proposed. At ICANN's meetings in Singapore (February 7-12, 2015) and Buenos Aires (June 2015), these proposals will be discussed.

17. At the same time, a parallel track to examine ICANN's own transparency and accountability has been introduced. The CCWG-Accountability is considering ICANN's accountability in two Workstreams: first, in light of the IANA transition and second, a revision of ICANN's policies and by-laws to strengthen accountability. ICANN's accountability and transparency are crucial to its continued role in Internet governance.

18. Several issues arise here: Should ICANN continue to remain in the US? Should the IANA Functions Department be moved into a separate entity from ICANN? Ought ICANN's by-laws be amended to create oversight over the Board of Directors, which is now seen to have consolidated power? Ought ICANN be more transparent in its financial and operational matters, proactively and reactively?

19. It is, for instance, beneficial to the stability of the Internet and to India if the IANA department is separate from ICANN - this will ensure aseparation of powers. Second, stronger transparency and accountability mechanisms are necessary for ICANN; it is a growing corporate entity performing a globally Internet function. As such, granular information about ICANN's revenues and expenses should be made public. See, for ex.,CIS' request for ICANN's expenses for travel and meetings, and ICANN's response to the same.

20. The most ideal forum to engage in this is ICANN, and within India, working groups on Internet governance at the Ministry level. As such, ASSOCHAM may seek open, transparent and inclusive consultations with the relevant departments of the Government (the Ministry of External Affairs, DeitY, Department of Telecommunications). At ICANN, industry bodies can find representation in the Business Constituency or the Commercial Stakeholders Group. Additionally, comments and proposals can be made to the ICG and the CCWG-Accountability by anyone.

Cyber-security

21. Cyber-security is often used as an umbrella-term, covering issues ranging from network security (DNSSEC and the ICANN domain), cyber-crime, and cyber-incidents such as the Distributed Denial of Service attacks on Estonian public institutions and the Stuxnet virus that attacked Iran's nuclear programme. Within the ITU, spam and child safety online are also assessed as security issues (See Study Group 17 under ITU-T).

22. At the international level, the UN Group of Governmental Experts has published three reports to date, arguing also that in cyber-security incidents, international humanitarian law will apply. International humanitarian law applies during armed attacks on states, when special rules apply to the treatment of civilians, civilian and military buildings, hospitals, wounded soldiers, etc.

23. The ITU also launched a Global Cybersecurity Agenda in 2007, aiming at international cooperation. Such cooperative methods are also being employed at the OSCE, APEC and the SCO, which have developed drafts of Confidence Building Measures. The Global Conferences on Cyberspace (London 2011, Budapest 2012, Seoul 2013, The Hague 2015) resulted in, inter alia, the Budapest Convention on Cybercrime. India has not ratified the Convention, and remains tight-lipped about its security concerns.

24. Surveillance and monitoring of online communications is a crucial issue in this regard. In India, the surveillance power finds its source in S. 5, Telegraph Act, 1888, and the Rule 419A of the Telegraph Rules, 1951. Further, S. 69 of the Information Technology Act, 2000 and the Interception Rules, 2009 enable the government and authorized officers to intercept and monitor Internet traffic on certain grounds. Information regarding the implementation of these Rules is scant.

25. In any event, the applicability of targeted surveillance should be subject to judicial review , and a balance should be struck between fundamental rights such as freedom of speech and privacy and the needs of security. An accountability model such as that present in the UK for the Interception of Communications Commissioner may provide valuable insight.

26. In India, the government does not make public information regarding its policies in cyber-security and cybercrime. This would be welcome, as well as consultations with relevant stakeholders.

Models of Internet Governance

27. Multi-stakeholderism has emerged as one of the catchphrases in Internet governance. With the display of a multi-stakeholder model at NETmundial (April 2014), controversies and opinions regarding the meaning, substance and benefits of multi-stakeholderism have deepened.

28. The debates surrounding stakeholder-roles in Internet governance began with ¶49 of the Geneva Declaration of Principles and ¶35 of the Tunis Agenda, which delineated clear roles and responsibilities. It created a 'contributory' multi-stakeholder model, where states held sovereign authority over public policy issues, while business and civil society were contributed to 'important roles' at the 'technical and economic fields' and the 'community level', respectively.

29. As the WGEC meeting (April 30-May 2, 2014) demonstrated, there is as yet no consensus on stakeholder-roles. Certain governments remain strongly opposed to equal roles of other stakeholders, emphasizing their lack of accountability and responsibility. Civil society is similarly splintered, with a majority opposing the Tunis Agenda delineation of stakeholder-roles, while others remain dubious of permitting the private sector an equal footing in public policy-making.

30. The positions in India are similarly divided. While there is appears to be high-level acceptance of "multi-stakeholder models" across industry, academia and civil society, there exists no clarity as to what this means. In simple terms, does a multi-stakeholder model mean that the government should consult industry, civil society, academia and the technical community? Or should decision-making power be split among stakeholders? In fact, the debate is more specific.

31. In India, the Multistakeholder Advisory Group (MAG) for the India-IGF was established in February 2014, and some meetings were held. Unfortunately, neither the minutes of the meetings nor action points (if any) are publicly available.

32. The Indian government's position is more complex. At the 68^th UN General Assembly session in 2011, India argued for a (multilateral) 50-member UN Committee on Internet-related Policies (CIRP). However, the Ministry for Communications and Information Technology (MCIT) has, over the years, presented differing views at the IGF and ITU through its two departments: DeitY and DoT. Further, at the meetings of the Working Group on Enhanced Cooperation (WGEC), India has presented more nuanced views, suggesting that certain issues remain within the governmental domain (such as cyber-security and child online protection). At the 9^th IGF (Istanbul, September 2014), Mr. R.S. Sharma of the DeitY echoed such a view of delineated roles for stakeholders.

33. A clear message from the Indian government, on whether it favours multistakeholderism or governmental policy authority for specific issues, would be invaluable in shaping opinion and domestic processes. In any event, a transparent consultative procedure to take into account the views of all stakeholders is desirable.

Emerging Issues

Net Neutrality

34. In simple terms, net neutrality concerns differential treatment of packets of data by carriers such as ISPs, etc. over networks. The issue has gained international attention following the U.S. FCC's regulatory stance, and the U.S. Court of Appeal's 2014 decision in Verizon v. FCC. Though this decision turned on the interpretation of 'broadband providers' under the Communications Act, 1934, net neutrality has since been debated in the US, both by the FCC and other stakeholders. There is no international consensus in sight; the NETmundial Outcome Document recognized net neutrality as an emerging issue (page 11, no. IV).

35. In India, a TRAI consultation on Over-The-Top Services on August 5, 2014 brought concerns of telecom and cellular operators to light. OTTs were seen as hijacking a portion of telcos' revenues, and as lacking consumer protection and privacy safeguards. While these concerns are legitimate, net neutrality regulation is not yet the norm in India. In any event, any such regulation must take into account the consequences of regulation on innovation, competition, and consumer choice, as well as on the freedom of the medium (which may have detrimental impacts freedom of expression).

36. Though net neutrality regulation is being mooted, there is as yet anarray of definitions of 'net neutrality'. The views of telcos themselves differ in India. Further study on the methods of identifying and/or circumventing net neutrality is necessary before a policy position can be taken.

IV. Conclusions

37. CIS welcomes ASSOCHAM's initiative to study and develop industry-wide positions on Internet governance. This note provides brief descriptions of several issues in Internet governance where policy windows are open internationally and domestically. These issues include freedom of expression and privacy under Part III (Fundamental Rights) of the Constitution of India. The Supreme Court's hearing of a set of cases alleging unconstitutionality of Ss. 66A, 69, 69A and 79 (among others) of the IT Act, 2000, as well as consultations on issues such as pornography by the Rajya Sabha Parliamentary Committee and media laws by the Law Commission of India are important in this regard.

38. International and domestic engagement is necessary in the transition of stewardship of the IANA functions, as well as ICANN's own accountability and transparency measures. Similarly, in the area of cyber-security, though several initiatives are afoot internationally, India's engagement has been cursory until now. A concrete position from India's stakeholders, including the government, on these and the question of multi-stakeholderism in Internet governance would be of immense assistance.

39. Finally, net neutrality is an emerging issue of importance to industry's revenues and business models, and to users' rights such as access to information and freedom of expression.

[1] CIS gets ITU-D Sector Membership, goo.gl/PBGKWt (l.a. 8 Feb. 2015).

[2] Letter for Civil Society Involvement in WCIT, goo.gl/gXpYQD (l.a. 8 Feb. 2015).

[3] See, ex., Hariharan, What India's ITU Proposal May Mean for Internet Governance, goo.gl/hpWaZn (l.a. 8 Feb. 2015).

[4] Panday, WSIS +10 High Level Event: Open Consultation Process MPP: Phase Six: Fifth Physical Meeting, goo.gl/3XR24X (l.a. 8 Feb. 2015).

[5] Hariharan, WSIS+10 High Level Event: A Bird's Eye Report, goo.gl/8XkwyJ (l.a. 8 Feb. 2015).

[6] Pranesh Prakash elected as Asia-Pacific Representative to the Executive Committee of NonCommercial Users Constituency, goo.gl/iJM7C0 (l.a. 8 Feb. 2015).

[7] See, ex., CIS@IGF 2014, goo.gl/Werdiz (l.a. 8 Feb. 2015).

[8] Multi-stakeholder Internet Governance: The Way Ahead , goo.gl/NuktNi; Minimising legal risks of online Intermediaries while protecting user rights, goo.gl/mjQyww (l.a. 8 Feb. 2015).

[9] First Meeting of the Multistakeholder Advisory Group for India Internet Governance Forum, goo.gl/NCmKRp (l.a. 8 Feb. 2015).

[10] See Zero Draft of Content Removal Best Practices White Paper, goo.gl/RnAel8 (l.a. 8 Feb. 2015).

[11] See, ex., UK-US surveillance regime was unlawful 'for seven years', goo.gl/vG8W7i (l.a. 9 Feb. 2015).

[12] See, ex., Twitter: Turkey tops countries demanding content removal, goo.gl/ALyO3B (l.a. 9 Feb. 2015).

[13] See, ex., The ITU convenes a programme on Child Online Protection, goo.gl/qJ4Es7 (l.a. 9 Feb. 2015).

[14] Hariharan, Why India's Proposal at the ITU is Troubling for Internet Freedoms, goo.gl/Sxh5K8 (l.a. 9 Feb. 2015).

[15] Hickok, Report of the Group of Experts on Privacy vs. The Leaked 2014 Privacy Bill, goo.gl/454qA6 (l.a. 9 Feb. 2015).

[16] See, Supreme Court Of India To Hear Eight IT Act Related Cases On 11th April 2014 - SFLC, goo.gl/XLWsSq (l.a. 9 Feb. 2015).

[17] See, Dara, Intermediary Liability in India: Chilling Effects on Free Expression on the Internet, goo.gl/bwBT0x (l.a. 9 Feb. 2015).

[18] See, ex., Arun, Blocking online porn: who should make Constitutional decisions about freedom of speech?,goo.gl/NPdZcK; Hariharan & Subramanian, Search Engine and Prenatal Sex Determination: Walking the Tight Rope of the Law, goo.gl/xMj4Zw (l.a. 9 Feb. 2015).

[19] CSTD, The mapping of international Internet public policy issues, goo.gl/zUWdI1 (l.a. 9 Feb. 2015).

For more details visit https://cis-india.org/internet-governance/blog/preliminary-submission-on-internet-governance-issues-to-assocham

DIDP Request #2: Granular Revenue/Income Statements from ICANN

geetha — 2015-03-05T08:07:02Z

CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking current and historical details of ICANN's income/revenue from its various sources. CIS' request and ICANN's response are detailed below.

CIS Request

22 December 2014

To:

Mr. Cherine Chalaby, Chair, Finance Committee of the Board

Mr. Xavier Calvez, Chief Financial Officer

Mr. Samiran Gupta, ICANN India

All other members of Staff involved in accounting and financial tasks

Sub: Request for granular income/revenue statements of ICANN from 1999-2014

Earlier this month, on 3 December 2014, Mr. Samiran Gupta presented CIS with detailed and granular information regarding ICANN’s domain names income and revenues for the fiscal year ended June 30, 2014. This was in response to several requests made over a few months. The information we received is available on our website.[1]

The information mentioned above was, inter alia, extremely helpful in triangulating ICANN’s reported revenues, despite and in addition to certain inconsistencies between the Annual Report (FY14) and the information provided to us.

We recognize that ICANN makes public its current and historical financial information to a certain extent. Specifically, its Operating Plan and Budget, Audited Financial Statements, Annual Reports, Federal and State Tax Filings, Board Compensation Report and ccTLD Contributions Report are available on the website.[2]

However, a detailed report of ICANN’s income or revenue statement, listing all vendors and customers, is not available on ICANN’s website. Our research on accountability and transparency mechanisms in Internet governance, specifically of ICANN, requires information in such granularity. We request, therefore, historical data re: income and revenue from domain names (1999-2014), in a manner as detailed and granular as the information referenced in FN[1]. We would appreciate if such a report lists all legal entities and individuals who contribute to ICANN’s domain names income/ revenue.

We look forward to the receipt of this information within the stipulated period of 30 days. Please feel free to contact us in the event of any doubts regarding our queries.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

ICANN Response

ICANN's response to CIS's request can be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 2).

[1] See ICANN reveals hitherto undisclosed details of domain names revenues, http://cis-india.org/internet-governance/blog/cis-receives-information-on-icanns-revenues-from-domain-names-fy-2014.

[2] See Historical Financial Information for ICANN, https://www.icann.org/resources/pages/historical-2012-02-25-en.

For more details visit https://cis-india.org/internet-governance/blog/didp-request-2

DIDP Request #3: Cyber-attacks on ICANN

geetha — 2015-03-05T08:16:26Z

CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking details of cyber-attacks on ICANN, and ICANN's internal and external responses to the same. CIS' request and ICANN's response are detailed below.

CIS Request

24 December 2014

To:

Mr. Steve Crocker, Chairman of the Board

Mr. Fadi Chehade, CEO and President

Mr. Geoff Bickers, Team Lead, ICANN Computer Incident Response Team (CIRT) & Director of Security Operations

Mr. John Crain, Chief Security, Stability and Resiliency Officer

Members of the ICANN-CIRT & ICANN Security Team

Sub: Details of cyber-attacks on ICANN

We understand that ICANN recently suffered a spear-phishing attack that compromised contact details of several ICANN staff, including their email addresses; these credentials were used to gain access to ICANN’s Centralized Zone Data System (CZDS).[1] We are glad to note that ICANN’s critical functions and IANA-related systems were not affected.[2]

The incident has, however, raised concerns of the security of ICANN’s systems. In order to understand when, in the past, ICANN has suffered similar security breaches, we request details of all cyber-attacks suffered or thought/suspected to have been suffered by ICANN (and for which, therefore, investigation was carried out within and outside ICANN), from 1999 till date. This includes, naturally, the recent spear-phishing attack.

We request information regarding, inter alia,

(1) the date and nature of all attacks, as well as which ICANN systems were compromised,

(2) actions taken internally by ICANN upon being notified of the attacks,

(3) what departments or members of staff are responsible for security and their role in the event of cyber-attacks,

(4) the role and responsibility of the ICANN-CIRT in responding to cyber-attacks (and when policies or manuals exist for the same; if so, please share them),

(5) what entities external to ICANN are involved in the identification and investigation of cyber-attacks on ICANN (for instance, are the police in the jurisdiction notified and do they investigate? If so, we request copies of complaints or information reports),

(6) whether and when culprits behind the ICANN cyber-attacks were identified, and

(7) what actions were subsequently taken by ICANN (ex: liability of ICANN staff for security breaches should such a finding be made, lawsuits or complaints against perpetrators of attacks, etc.).

Finally, we also request information on the role of the ICANN Board and/or community in the event of such cyber-attacks on ICANN. Also, when was the ICANN-CIRT set up and how many incidents has it handled since its existence? Do there exist contingency procedures in the event of compromise of IANA systems (and if so, what)?

We hope that our request will be processed within the stipulated time period of 30 days. Do let us know if you require any clarifications on our queries.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

ICANN Response

ICANN responded to our request by noting that it is vague and broad in both time and scope. In response, ICANN has provided information regarding certain cyber-incidents already in the public domain, while noting that the term "cyber-attack" is both wide and vague. While the information provided is undoubtedly useful, it is anecdotal at best, and does not provide a complete picture of ICANN's history of vulnerability to cyber-attacks or cyber-incidents, or the manner of its internal response to such incidents, or of the involvement of external law enforcement agencies or CIRTs in combating cyber-incidents on ICANN.

ICANN's response may be found here. A short summary our request and ICANN's response may be found in this table (Request S. no. 3).

[1] See ICANN targeted in spear-phishing attack, https://www.icann.org/news/announcement-2-2014-12-16-en.

[2] See IANA Systems not compromised, https://www.icann.org/news/announcement-2014-12-19-en.

For more details visit https://cis-india.org/internet-governance/blog/didp-request-3-cyber-attacks-on-icann

DIDP Request #5: The Ombudsman and ICANN's Misleading Response to Our Request

geetha — 2015-03-06T11:11:31Z

CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking details of the complaints received and resolved, parties involved and the nature of complaints under the Ombudsman process. CIS' request and ICANN's response are detailed below. ICANN's response is misleading in its insistence on confidentiality of all Ombudsman complaints and resolutions.

CIS Request

26 December 2014

To:
Mr. Steve Crocker, Chairman of the Board

Mr. Fadi Chehade, CEO and President

Mr. Chris LaHatte, Ombudsman, ICANN

Sub: Details regarding complaints submitted to the ICANN Ombudsman

We are very pleased to note that ICANN’s transparency and accountability mechanisms include maintaining a free, fair and impartial ombudsman. It is our understanding that any person with a complaint against the ICANN Board, staff or organization, may do so to the designated ombudsman.[1] We also understand that there are cases that the ICANN ombudsman does not have the authority to address.

In order to properly assess and study the efficiency and effectiveness of the ombudsman system, we request you to provide us with the following information:

(i) A compilation of all the cases that have been decided by ICANN ombudsmen in the history of the organization.

(ii) The details of the parties that are involved in the cases that have been decided by the ombudsmen.

(iii)A description of the proceedings of the case, along with the party that won in each instance.

Further, we hope you could provide us with an answer as to why there have been no ombudsman reports since the year 2010, on the ICANN website.[2] Additionally, we would like to bring to your notice that the link that provides the ombudsman report for the year 2010 does not work.

In order to properly assess the mechanism that ICANN uses for grievance redressal, it would be necessary to examine the details of all the cases that ICANN ombudsmen have presided over in the past. In this regard, kindly provide us with the above information.

We do hope that you will be able to furnish this information to us within the stipulated time period of 30 days. Do not hesitate to contact us if you have any doubts regarding our queries. Thank you so much.

Yours sincerely,
Lakshmi Venkataraman
NALSAR University of Law, Hyderabad, for Centre for Internet & Society
W: http://cis-india.org

ICANN Response

In its response, ICANN declines our request on grounds of confidentiality. It refers to the ICANN Bylaws on the office of the Ombudsman to argue that all matters brought before the Ombudsman "shall be treated as confidential" and the Ombudsman shall "take all reasonable steps necessary to preserve the privacy of, and to avoid harm to, those parties not involved in the complaint being investigated by the Ombudsman". ICANN states that the Ombudsman publishes Annual Reports, in which he/she provides a "consolidated analysis of the year's complaints and resolutions", including "a description of any trends or common elements of complaints received". In sum, ICANN states that making Ombudsman Requests public would violate ICANN Bylaws, and topple the independence and integrity of the Ombudsman.

These are, perhaps, valid reasons to decline our DIDP request. But it is important to investigate ICANN's reasons. The ICANN Board appoints the Ombudsman for 2 year terms, under Article V of ICANN’s Bylaws. As we note in an earlier post, the Ombudsman’s principal function is to receive and dispose of complaints about unfair treatment by the ICANN Board, Staff or constituency. He/she reports to the ICANN Board alone. He/she also reports on the categories of complaints he receives, and statistics regarding decisions in his Annual Reports; no details are forthcoming for stated reasons of confidentiality and privacy. It is clear, therefore, that the Ombudsman receives and disposes of complaints under a procedure that is inadequately transparent.

ICANN argues, however, that for reasons of confidentiality and integrity of the Ombudsman office, ICANN is unable to disclose details regarding Ombudsman complaints, the complainants/respondents and a description of the proceedings (including the decision/resolution). Indeed, ICANN states its "Bylaws and the Ombudsman Framework obligates the Ombudsman to treat all matters brought before him as confidential and 'to take reasonable steps necessary to preserve the privacy of, and to avoid harm to, those parties not involved in the complaint being investigated by the Ombudsman'.” For this reason, ICANN considers that "Disclosing details about the parties involved and the nature of the cases that have been decided by the Ombudsmen would not only compromise the confidentiality of the Ombudsman process but would also violate the ICANN Bylaws and the Ombudsman Framework."

While the privacy of parties both involved and "not involved in the complaint" can be preserved (by redacting names, email addresses and other personal identification), how valid is ICANN's dogged insistence on confidentiality and non-disclosure? Let's look at Article V of ICANN's Bylaws and the Ombudsman Framework both.

Do ICANN Bylaws bind the Ombudsman to Confidentiality?

Under Article V, Section 1(2) of ICANN's Bylaws, the Ombudsman is appointed by the ICANN Board for a 2 year term (renewable). As noted earlier, the Ombudsman's principal function is to “provide an independent internal evaluation of complaints by members of the ICANN community who believe that the ICANN staff, Board or an ICANN constituent body has treated them unfairly” or inappropriately (Art. V, Section 2). The Ombudsman is not a judge; his conflict resolution tools are "negotiation, facilitation, and 'shuttle diplomacy'.

According to Art. V, Section 3(3), the Ombudsman has access to "all necessary information and records from staff and constituent bodies" to evaluate complaints in an informed manner. While the Ombudsman can access these records, he may not "publish if otherwise confidential". When are these records confidential, then? Section 3(3) supplies the answer. The confidentiality obligations are as "imposed by the complainant or any generally applicable confidentiality policies adopted by ICANN". For instance, the complainant can waive its confidentiality by publishing the text of its complaint and the Ombudsman's response to the same (such as the Internet Commerce Association's complaint regarding the Implementation Review Team under the new gTLD program), or a complaint may be publicly available on a listserv. In any event, there is no blanket confidentiality obligation placed on the Ombudsman under ICANN's Bylaws.

Moreover, the Ombudsman also publishes Annual Reports, in which he/she provides a "consolidated analysis of the year's complaints and resolutions", including "a description of any trends or common elements of complaints received". That is, the Ombudsman's Annual Report showcases a graph comparing the increase in the number of complaints, categories of complaints (i.e., whether the complaints fall within or outside of the Ombudsman's jurisdiction), and a brief description of the Ombudsman's scope of resolution and response. The Annual Reports indicate that the mandate of the Ombudsman's office is extremely narrow. In 2014, for instance, 75 out of 467 complaints were within Mr. LaHatte's jurisdiction (page 5), but he notes that his ability to intervene is limited to "failures in procedure". As an input to the ATRT2 Report noted, the Office of the Ombudsman “appears so restrained and contained” (page 53). As the ATRT2 noted, "ICANN needs to reconsider the Ombudsman’s charter and the Office’s role as a symbol of good governance to be further incorporated in transparency processes"; the Office's transparency leaves much to be desired.

But I digress.

The Ombudsman is authorised to make reports on any complaint and its resolution (or lack thereof) to the ICANN Board, and unless the Ombudsman says so in his sole discretion, his reports are to be posted on the website (Art. V, Section 4(4)). The Ombudsman can also report on individual requests, such as Mr. LaHatte's response to a complaint regarding a DIDP denial (cached). Some reports are actually available on the Ombudsman page; the last published report dates back to 2012, though in 2013 and 2014, the Ombudsman dealt with more complaints within his jurisdiction than in 2012 or prior. So ICANN's argument that disclosing the information we ask for in our DIDP Request would violate ICANN Bylaws and the confidentiality of the Ombudsman is misleading.

Does the Ombudsman Framework Prohibit Public Reporting?

So if ICANN Bylaws do not ipso facto bind the Ombudsman's complaint and conflict resolution process to confidentiality, does the Ombudsman Framework do so?

The Ombudsman does indeed have confidentiality obligations under the Ombudsman Framework (page 4). All matters brought before the Ombudsman shall be treated as confidential, and the identities of parties not involved in the complaint are required to be protected. The Ombudsman may reveal the identity of the complainant to the ICANN Board or Staff only to further the resolution of a complaint (which seems fairly obvious); this obligation is extended to ICANN Board and Staff as well.

As the Framework makes crystal clear, the identity of complainants are to be kept confidential. Nothing whatsoever binds the Ombudsman from revealing the stakeholder group or affiliation of the complainants - and these are possibly of more importance. What stakeholders most often receive unfair or inappropriate treatment from ICANN Board, Staff or constituent bodies? Does business suffer more, or do non-commercial users, or indeed, governments? It is good to know what countries the complaints come from (page 4-5), but given ICANN's insistence on its multi-stakeholder model as a gold standard, it is important to know what stakeholders suffer the most in the ICANN system.

In fact, in the first page, the Ombudsman Framework says this: "The Ombudsman may post complaints and resolutions to a dedicated portion of the ICANN website (http://www.icann.org/ombudsman/): (i) in order to promote an understanding of the issues in the ICANN community; (ii) to raise awareness of administrative fairness; and (iii) to allow the community to see the results of similar previous cases. These postings will be done in a generic manner to protect the confidentiality and privilege of communicating with the Office of Ombudsman." But the ICANN website does not, in fact, host records of any Ombudsman complaints or resolutions; it links you only to the Annual Reports and Publications.

As I've written before, the Annual Reports provide no details regarding the nature of each complaint, their origins or resolution, and are useful if the only information we need is bare statistics of the number of complaints received. That is useful, but it's not enough. Given that the Ombudsman Framework does allow complaint/resolution reporting, it is baffling that ICANN's response to our DIDP request chooses to emphasise only the confidentiality obligations, while conveniently leaving out the parts enabling and encouring reporting.

Should ICANN Report the Ombudsman Complaints?

Of course it should. The Ombudsman is aimed at filling an integral gap in the ICANN system - he/she listens to complaints about treatment by the ICANN Board, Staff or constituent bodies. As the discussions surrounding the appeal procedures in the CWG-Names show, and as the ATRT2 recommendations on Reconsideration and Independent Review show, conflict resolution mechanisms are crucial in any environment, not least a multi-stakeholder one. And in an organisation that leaves much desired by way of accountability and transparency, not reporting on complaints against the Board, staff or constituencies seems a tad irresponsible.

If there are privacy concerns regarding the identities of complainants, their personal identifying information can be redacted. Actually, in the complaint form, adding a waiver-of-confidentiality tick-box would solve the problem, allowing the complainant to choose whether to keep his/her complaint unreportable. But the details of the respondents ought to be reported; as the entity responsible and accountable, ICANN should disclose whom complaints have been made against.

ICANN's response to our DIDP request may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 5).

[1] See What the Ombudsman can do for you, https://www.icann.org/resources/pages/contact- 2012-02-25-en.

[2] See Annual Reports & Publications, https://www.icann.org/resources/pages/reports-96-2012- 02-25-en.

For more details visit https://cis-india.org/internet-governance/blog/didp-request-5-the-ombudsman-and-icanns-misleading-response-to-our-request-1

DIDP Request #7: Globalisation Advisory Groups

geetha — 2015-03-17T10:07:26Z

CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking information regarding the creation and dissolution of the President's Globalisation Advisory Groups. The GAGs were created to advise the ICANN Board on its globalisation efforts, and to address questions on Affirmation of Commitments (AOC), policy structures, legal structure, root server system, the IANA multistakeholder accountability, and Internet governance. CIS' request and ICANN's response are detailed below.

CIS Request

12 January 2015

To:
Mr. Fadi Chehade, CEO and President

Mr. Steve Crocker, Chairman of the Board

Ms. Theresa Swineheart, Senior Advisor to the President on Strategy

Mr. Samiran Gupta, ICANN India

Sub: Creation and dissolution of the President’s Globalisation Advisory Groups

On 17 February 2014, at a Special Meeting of the ICANN Board, the Board passed a resolution creating the President’s Globalisation Advisory Groups.1 Six Globalisation Advisory Groups were created, including on IANA globalization, legal structures, Internet governance, the Affirmation of Commitments, policy structures and the root server system.2 According to the minutes of the meeting, the Advisory Groups were to meet with the community at ICANN49 (Singapore, March 2014), make recommendations to the Board, and the Board would present their reports at ICANN50 (London, June 2014).3 Mr. Chehade was vested with the authority to change the Advisory Groups and their composition without the need for a further resolution, but the manner of dissolution was not laid out.

ICANN lists the Advisory Groups on its “Past Groups” page, with no further information.4 Presumably, the Groups remained in existence for at most one month. No explanation is provided for the reasons regarding the dissolution of all the Advisory Groups. There are no reports or transcripts of meetings with the community at ICANN49 or recommendations to Mr. Chehade or the Board.

The Globalisation Advisory Groups covered issues crucial for ICANN and the global Internet governance community, including its seat (“Legal Structures”), the Affirmation of Commitments (considered critical for ICANN’s accountability), the IANA stewardship transition, and ICANN’s (increasing) involvement in Internet governance. Given this, we request the following information:

Of the six Globalisation Advisory Groups created, is any Group active as of today (12 January 2015)?
When and how many times did any of the Groups meet?
On what date were the Groups dissolved? Were all Groups dissolved on the same date?
By what mechanism did the dissolution take place (oral statement, email)? If the dissolution occurred by way of email or statement, please provide a copy of the same.
Did any of the six Globalisation Advisory Groups present any report, advice, or recommendations to Mr. Chehade or any member(s) of the Board, prior to their dissolution? If yes, please provide the report/recommendations (if available) and/or information regarding the same.
Why were the Advisory Groups dissolved? Has any reason been recorded, and if not, please provide an explanation.

We await your favorable response and the requested information within the prescribed time limit. Please do not hesitate to contact us should you require any clarifications.

Thank you very much.

Warm regards,
Geetha Hariharan
Centre for Internet & Society

ICANN Response

ICANN's response to this request is positive. ICANN states that the Board did indeed set up the six Globalisation Advisory Groups (GAGs) on 17 February 2014 to tackle issues surrounding ICANN's globalisation efforts. The Affirmation of Commitments (AOC), policy structures, legal structure, root server system, the IANA multistakeholder accountability, and Internet governance were issues taken up by the GAGs. However, after the NTIA made its announcement regarding the IANA transition in March 2014, the GAGs were disbanded so as to avoid duplication of work on issues that "had a home in the global multistakeholder discussions". As a result, by a Board resolution dated 27 March 2014, the GAGs were dissolved.

This is an example of a good response to an information request. Some documentation regarding the creation and dissolution of the GAGs existed, such as the Board resolutions. The response points us to these documents, and summarises the reasons for the GAGs' creation and dissolution.

It is possible that this response is clear/comprehensive because the GAGs no longer exist, and in any event, did not perform any work worth writing about. Queries about ICANN's involvement in Internet governance (NETmundial, the NETmundial Initiative, etc.) garner responses that are, to say it informally, cage-y and surrounded by legalese.

ICANN's response to our DIDP request may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 7).

[1] See Approved Board Resolutions | Special Meeting of the Board, https://www.icann.org/resources/board-material/resolutions-2014-02-17-en.

[2] See President’s Globalisation Advisory Groups, https://www.icann.org/en/system/files/files/globalization-19feb14-en.pdf.

[3] See Minutes | Special Meeting of the Board, https://www.icann.org/resources/board- material/minutes-2014-02-17-en.

[4] See Past Committees, Task Forces, and Other Groups, https://www.icann.org/resources/pages/past-2012-02-25-en.

For more details visit https://cis-india.org/internet-governance/blog/didp-request-7-globalisation-advisory-groups

DIDP Request #8: ICANN Organogram

geetha — 2015-03-17T11:39:16Z

CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking details of its oragnisational structure and headcount of all staff. CIS' request and ICANN's response are detailed below.

CIS Request

13 January 2015

To:

Mr. Steve Crocker, Chairman of the Board

Mr. Fadi Chehade, President and CEO

Mr. Samiran Gupta, ICANN India

Sub: ICANN organogram

In order to understand ICANN’s organizational structure, decision-making and day-to-day functioning, may we request an organogram of ICANN. We request that the organogram include ICANN’s reporting hierarchy, mentioning positions held in all departments. Wherever possible (such as middle and senior management), we request names of the ICANN staff holding the positions as well. Along with this, could you also provide a count per department of the number of ICANN staff employed in all departments as of this date?

We await your favorable response and the requested information within the prescribed time limit. Please do not hesitate to contact us should you require any clarifications.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

ICANN Response

ICANN does not provide all the information we requested, but it responded with the following:

First, ICANN has responded that its current staff headcount is approx. 310. ICANN states that it already makes publicly available an organisational chart. This is immensely useful, for it sets out the reporting hierarchies at senior and mid-managerial levels. However, it doesn't tell us the organisational structure categorised by all departments and staff in the said departments. The webpages of some of ICANN's departments list out some of its staff; for instance, Contractual Compliance, Global Stakeholder Engagement and Policy Development (scroll down).

What you will notice is that ICANN provides us a list of staff, but we cannot be sure whether the team includes more persons than those mentioned. Second, a quick glance at the Policy Development staff makes clear that ICANN selects from outside this pool to coordinate the policy development. For instance, the IANA Stewardship Transition (the CWG-IANA) is supported by Ms. Grace Abuhamad, who is not a member of the policy support staff, but coordinates the IANA mailing list and F2F meetings anyway. What this means is that we're no longer certain who within ICANN is involved in policy development and support, whom they report to, and where the Chinese walls lie. This is why an organogram is necessary: the policy-making and implementation functions in ICANN may be closely linked because of staff interaction, and effective Chinese walls would benefit from public scrutiny.

Now, ICANN says that one may explore staff profiles on the Staff page. While short biographies/profiles are available for most staff on the Staff page, it's unclear what departments they work in, how many staff members work each in department, whom they report to, and what the broad range of their responsibilities include.

Privacy concerns do not preclude the disclosure of such information for two reasons. First, staff profiles imply a consent to making staff information public (at least their place in the organisational structure, if not their salaries, addresses, phone extension numbers, etc.). Second, such information is necessary and helpful to scrutinise the effectiveness of ICANN's functioning. Like the example of the policy-making process mentioned above, greater transparency in internal functioning will itself serve as a check against hazards like partisanism, public comment aggregation, drafting of charters for policy-making and determining scope, etc. While the functioning itself may or need not change, scrutiny can ensure responsibility from ICANN and its staff.

ICANN's response to our DIDP request may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 8).

For more details visit https://cis-india.org/internet-governance/blog/didp-request-8-organogram

CIS@IGF 2014

geetha — 2014-10-08T10:31:47Z

The ninth Internet Governance Forum (“IGF2014”) was hosted by Turkey in Istanbul from September 2 to 5, 2014.

A BestBits pre-event, which saw robust discussions on renewal of the IGF mandate, the NETmundial Initiative and other live Internet governance processes, flagged off a week of many meetings and sessions. At IGF2014, the ICANN-led processes of IANA transition and ICANN accountability found strong presence. Human rights online, access and net neutrality were also widely discussed. Centre for Internet and Society, India participated in multiple workshops and panels.

Workshops and Panel Discussions

WS206: An evidence-based framework for intermediary liability
CIS organized a workshop on developing an evidence-based framework for intermediary liability in collaboration with the Stanford Center for Internet and Society. By connecting information producers and consumers, intermediaries serve as valuable tool for growth and innovation, and also a medium for realisation of human rights. The workshop looked to a concerted approach to understanding intermediaries’ impact on human rights demands our urgent attention. Jyoti Panday of CIS was contributed to the workshop’s background paper and organisation. Elonnai Hickok of CIS was a speaker. At this workshop, a zero-draft of international principles for intermediary liability was released. The zero-draft is the interim outcome of an ongoing, global intermediary liability project, undertaken by CIS in collaboration with Article 19 and Electronic Frontier Foundation. See the video.

WS112: Implications of post-Snowden Internet localization proposals
Organised by ISOC and Center for Democracy and Technology, this panel questioned the distinctions between Internet-harmful and Internet-beneficial Internet and data localization. As a speaker at this workshop, Sunil Abraham of CIS identified state imperatives for Internet localization, such as taxation, network efficiency and security. See video.

WS63: Preserving a universal Internet: Costs of fragmentation
Internet and Jurisdiction Project organized this workshop to explore potential harms to Internet architecture, universality and openness as a result of Internet balkanisation. Sunil Abraham was one of the speakers.

WS2: Mobile, trust and privacy
Organised by GSMA, this panel discussed methods, benefits and harms of use of mobile transaction generated information and data. Sunil Abraham was a speaker. See video.

WS188: Transparency reporting as a tool for Internet governance
This GNI workshop examined transparency reporting by Internet intermediaries and companies, and sought to identify its strengths and shortcomings as a tool for Internet governance. Pranesh Prakash of CIS was a speaker. See video.

WS149: Aligning ICANN policy with the privacy rights of users
This Yale ISP panel examined ICANN’s obligations for data protection, in light of international standards and best practices. This discussion is particularly relevant as ICANN’s WHOIS policy, Registrar Accreditation Agreement, and other policies have attained the status of a global standard for the handling of personal data. Pranesh Prakash moderated this panel.

Other Participation

Launch of the GISWatch Report

Association for Progressive Communications (APC) and the Humanist Institute for Cooperation with Developing Countries (Hivos) released the Global Information Society Watch Report (GISWatch) on national and global mass surveillance. The report “explores the surveillance of citizens in today's digital age by governments with the complicity of institutions and corporations”. Elonnai Hickok of CIS contributed a thematic chapter on Intermediary Liability and Surveillance to this report.

For more details visit https://cis-india.org/internet-governance/blog/cis-at-igf-2014

India Draft Resolution - ITU's Role in Securing Information Society

geetha — 2014-10-28T06:55:41Z

India's new draft resolution introduced at ITU PP14, Busan.

For more details visit https://cis-india.org/internet-governance/blog/india-draft-resolution-itus-role-in-securing-information-security

IANA Transition Recommendatory Brief

geetha — 2014-06-22T09:21:57Z

Policy brief with recommendations for process-design principles for IANA transition

For more details visit https://cis-india.org/internet-governance/blog/cis-policy-brief-ii-iana-transition-suggestions-for-process-design

TLD

geetha — 2014-07-01T12:38:26Z

Part of a web address

For more details visit https://cis-india.org/internet-governance/blog/TLD.jpg

FOEX Live

geetha — 2014-07-07T12:36:49Z

Selections of news on online freedom of expression and digital technology from across India (and some parts of the world)

For feedback, comments and any incidents of online free speech violation you are troubled or intrigued by, please email Geetha at geetha[at]cis-india.org or on Twitter at @covertlight.

For more details visit https://cis-india.org/internet-governance/blog/foex-live

Marco Civil da Internet: Brazil’s ‘Internet Constitution’

geetha — 2014-06-19T10:38:10Z

On March 25, 2014, Brazil's lower house of parliament passed bill no. 2126/2011, popularly known as Marco Civil da Internet. The Marco Civil is a charter of Internet user-rights and service provider responsibilities, committed to freedom of speech and expression, privacy, and accessibility and openness of the Internet. In this post, the author looks at the pros and cons of the bill.

Introduction:

Ten months ago, Edward Snowden’s revelations of the U.S. National Security Agency’s extensive, warrantless spying dawned on us. Citizens and presidents alike expressed their outrage at this sweeping violation of their privacy. While India’s position remained carefully neutral, or indeed, supportive of NSA’s surveillance, Germany, France and Brazil cut the U.S. no slack. Indeed, at the 68th session of the United Nations General Assembly, Brazilian President Dilma Rousseff (whose office the NSA had placed under surveillance) stated, “Tampering in such a manner in the affairs of other countries is a breach of International Law and is an affront to the principles that must guide the relations among them, especially among friendly nations.” Brazil, she said, would “redouble its efforts to adopt legislation, technologies and mechanisms to protect us from the illegal interception of communications and data.”

Some may say that Brazil has lived up to its word. Later this month, Brazil will be host to NETmundial, the Global Multi-stakeholder Meeting on the Future of Internet Governance, jointly organized by the Brazilian Internet Steering Committee (CGI.br) and the organization /1Net. The elephantine invisible presence of Snowden vests NETmundial with the hope and responsibility of laying the ground for a truly multi-stakeholder model for governing various aspects of the Internet; a model where governments are an integral part, but not the only decision-makers. The global Internet community, comprising users, corporations, governments, the technical community, and NGOs and think-tanks, is hoping devise a workable method to divest the U.S. Government of its de facto control over the Internet, which it wields through its contracts to manage the domain name system and the root zone.

But as Internet governance expert Dr. Jeremy Malcolm put it, these technical aspects do not make or break the Internet. The real questions in Internet governance underpin the rights of users, corporations and netizens worldwide. Sir Tim Berners-Lee, when he called for an Internet Bill of Rights, meant much the same. For Sir Tim, an open, neutral Internet is imperative if we are to keep our governments open, and foster “good democracy, healthcare, connected communities and diversity of culture”. Some countries agree. The Philippines envisaged a Magna Carta for Internet Freedom, though the Bill is pending in the Philippine parliament.

Marco Civil da Internet:

Last week, on March 25, 2014, the Brazilian Chamber of Deputies (the lower house of parliament) passed the Marco Civil da Internet, bill 2126/2011, a charter of Internet rights. The Marco Civil is considered by the global Internet community as a one-of-a-kind bill, with Sir Tim Berners-Lee hailing the “groundbreaking, inclusive and participatory process has resulted in a policy that balances the rights and responsibilities of the individuals, governments and corporations who use the Internet”.

The Marco Civil’s journey began with a two-stage public consultation process in October 2009, under the aegis of the Brazilian Ministry of Justice’s Department of Legislative Affairs, jointly with the Getulio Vargas Foundation’s Center for Technology and Society of the Law School of Rio de Janeiro (CTS-FGV). The collaborative process involved a 45-day consultation process in which over 800 comments were received, following which a second consultation in May 2010 received over 1200 comments from individuals, civil society organizations and corporations involved in the telecom and technology industries. Based on comments, the initial draft of the bill was revamped to include issues of popular, public importance, such as intermediary liability and online freedom of speech.

An official English translation of the Marco Civil is as yet unavailable. But an unofficial translation (please note that the file is uploaded on Google Drive), triangulated against online commentary on the bill, reveals that the following issues were of primary importance:

The fundamentals:

The fundamental principles of the Marco Civil reveal a commitment to openness, accessibility neutrality and democratic collaboration on the Internet. Art. 2 (see unofficial translation) sets out the fundamental principles that form the basis of the law. It pledges to adhere to freedom of speech and expression, along with an acknowledgement of the global scale of the network, its openness and collaborative nature, its plurality and diversity. It aims to foster free enterprise and competition on the Internet, while ensuring consumer protection and upholding human rights, personality development and citizenship exercise in the digital media in line with the network’s social purposes. Not only this, but Art. 4 of the bill pledges to promote universal access to the Internet, as well as “to information, knowledge and participation in cultural life and public affairs”. It aims to promote innovation and open technology standards, while ensuring interoperability.

The Marco Civil expands on its commitment to human rights and accessibility by laying down a “discipline of Internet use in Brazil”. Art. 3 of the bill guarantees freedom of expression, communication and expression of thoughts, under the terms of the Federal Constitution of Brazil, while at the same time guaranteeing privacy and protection of personal data, and preserving network neutrality. It also focuses on preserving network stability and security, by emphasizing accountability and adopting “technical measures consistent with international standards and by encouraging the implementation of best practices”.

These principles, however, are buttressed by rights assured to Internet users and responsibilities of and exceptions provided to service providers.

Rights and responsibilities of users and service providers:

Net neutrality:

Brazil becomes one of the few countries in the world (joining the likes of the Netherlands, Chile and Israel in part) to preserve network neutrality by legislation. Art. 9 of the Marco Civil requires all Internet providers to “to treat any data package with isonomy, regardless of content, origin and destination, service, terminal or application”. Not only this, but Internet providers are enjoined from blocking, monitoring or filtering content during any stage of transmission or routing of data. Deep packet inspection is also forbidden. Exceptions may be made to discriminate among network traffic only on the basis of essential technical requirements for services-provision, and for emergency services prioritization. Even this requires the Internet provider to inform users in advance of such traffic discrimination, and to act proportionately, transparently and with equal protection.

Data retention, privacy and data protection:

The Marco Civil includes provisions for the retention of personal data and communications by service providers, and access to the same by law enforcement authorities. However, record, retention and access to Internet connection records and applications access-logs, as well as any personal data and communication, are required to meet the standards for “the conservation of intimacy, private life, honor and image of the parties directly or indirectly involved” (Art. 10). Specifically, access to identifying information and contents of personal communication may be obtained only upon judicial authorization.

Moreover, where data is collected within Brazilian territory, processes of collection, storage, custody and treatment of the abovementioned data are required to comply with Brazilian laws, especially the right to privacy and confidentiality of personal data and private communications and records (Art. 11). Interestingly, this compliance requirement is applicable also to entities incorporated in foreign jurisdictions, which offer services to Brazilians, or where a subsidiary or associate entity of the corporation in question has establishments in Brazil. While this is undoubtedly a laudable protection for Brazilians or service providers located in Brazil, it is possible that conflicts may arise (with penal consequences) between standards and terms of data retention and access by authorities in other jurisdictions. In the predictable absence of harmonization of such laws, perhaps rules of conflicts of law may prove helpful.

While data retention remained a point of contention (Brazil initially sought to ensure a 5-year data retention period), under the Marco Civil, Internet providers are required to retain connection records for 1 year under rules of strict confidentiality; this responsibility cannot be delegated to third parties (Art. 13). Providers providing the Internet connection (such as Reliance or Airtel in India) are forbidden from retaining records of access to applications on the Internet (Art. 14). While law enforcement authorities may request a longer retention period, a court order (filed for by the authority within 60 days from the date of such request) is required to access the records themselves. In the event the authority fails to file for such court order within the stipulated period, or if court order is denied, the service provider must protect the confidentiality of the connection records.

Though initially excluded from the Marco Civil, the current draft passed by the Chamber of Deputies requires Internet application providers (such as Google or Facebook) to retain access-logs for their applications for 6 months (Art. 15). Logs for other applications may not be retained without previous consent of the owner, and in any case, the provider cannot retain personal data that is in excess of the purpose for which consent was given by the owner. As for connection records, law enforcement authorities may request a greater retention period, but require a court order to access the data itself.

These requirements must be understood in light of the rights that the Marco Civil guarantees to users. Art. 7, which enumerates these user-rights, does not however set forth their content; this is probably left to judicial interpretation of rights enshrined in the Federal Constitution. In any event, Art. 7 guarantees to all Internet users the “inviolability of intimacy and privacy”, including the confidentiality of all Internet communications, along with “compensation for material or moral damages resulting from violation”. In this regard, it assures that users are entitled to a guarantee that no personal data or communication shall be shared with third parties in the absence of express consent, and to “clear and complete information on the collection, use, storage, treatment and protection of their personal data”. Indeed, where contracts violate the requirements of inviolability and secrecy of private communications, or where a dispute resolution clause does not permit the user to approach Brazilian courts as an alternative, Art. 8 renders such contracts null and void.

Most importantly, Art. 7 states that users are entitled to clear and complete information about how connection records and access logs shall be stored and protected, and to publicity of terms/policies of use of service providers. Additionally, Art. 7 emphasizes quality of service and accessibility to the Internet, and forbids suspension of Internet connections except for failure of payments. Read comprehensively, therefore, Arts. 7-15 of the Marco Civil prima facie set down robust protections for private and personal data and communications.

An initial draft of the Marco Civil sought to mandate local storage of all Brazilians’ data within Brazilian territory. This came in response to Snowden’s revelations of NSA surveillance, and President Rousseff, in her statement to the United Nations, declared that Brazil sought to protect itself from “illegal interception of communications and data”. However, the implications of this local storage requirement was the creation of a geographically isolated Brazilian Internet, with repercussions for the Internet’s openness and interoperability that the Marco Civil itself sought to protect. Moreover, there are implications for efficiency and business; for instance, small businesses may be unable to source the money or capacity to comply with local storage requirements. Also, they lead to mandating storage on political grounds, and not on the basis of effective storage. Amid widespread protest from corporations and civil society, this requirement was then withdrawn which, some say, propelled the quick passage of the bill in the Chamber of Deputies.

Intermediary liability:

Laws of many countries make service providers liable for third party content that infringes copyright or that is otherwise against the law (such as pornography or other offensive content). For instance, Section 79 of the Indian Information Technology Act, 2000 (as amended in 2008) is such a provision where intermediaries (i.e., those who host user-generated content, but do not create the content themselves) may be held liable. However, stringent intermediary liability regimes create the possibility of private censorship, where intermediaries resort to blocking or filtering user-generated content that they fear may violate laws, sometimes even without intimating the creator of the infringing content. The Marco Civil addresses this possibility of censorship by creating a restricted intermediary liability provision. Please note, however, that the bill expressly excludes from its ambit copyright violations, which a copyright reforms bill seeks to address.

At first instance, the Marco Civil exempts service providers from civil liability for third party content (Art. 18). Moreover, intermediaries are liable for damages arising out of third party content only where such intermediaries do not comply with court orders (which may require removal of content, etc.) (Art. 19). This leaves questions of infringement and censorship to the judiciary, which the author believes is the right forum to adjudicate such issues. Moreover, wherever identifying information is available, Art. 20 mandates the intermediary to appraise the creator of infringing content of the reasons for removal of his/her content, with information that enables the creator to defend him- or herself in court. This measure of transparency is particularly laudable; for instance, in India, no such intimation is required by law, and you or I as journalists, bloggers or other creators of content may never know why our content is taken down, or be equipped to defend ourselves in court against the plaintiff or petitioner who sought removal of our content. Finally, a due diligence requirement is placed on the intermediary in circumstances where third party content discloses, “without consent of its participants, of photos, videos or other materials containing nudity or sexual acts of private character”. As per Art. 21, where the intermediary does not take down such content upon being intimated by the concerned participant, it may be held secondarily liable for infringement of privacy.

This restricted intermediary liability regime is further strengthened by a requirement of specific identification of infringing content, which both the court order issued under Art. 20 and the take-down request under Art. 21 must fulfill. This requirement is missing, for instance, under Section 79 of the Indian Information Technology Act, which creates a diligence and liability regime without requiring idenfiability of infringing content.

Conclusion:

Brazil’s ‘Internet Constitution’ has done much to add to the ongoing discussion on the rights and responsibilities of users and providers. By expressly adopting protections for net neutrality and online privacy and freedom of expression, the Marco Civil may be considered to set itself up as a model for Internet rights at the municipal level, barring a Utopian bill of rights. Indeed, in an effusive statement of support for the bill, Sir Tim Berners-Lee stated: “If Marco Civil is passed, without further delay or amendment, this would be the best possible birthday gift for Brazilian and global Web users.”

Of course, the Marco Civil is not without its failings. Authors say that the data retention requirements by connection and application providers, with leeway provided for law enforcement authorities to lengthen retention periods, is problematic. Moreover, the discussions surrounding data localization and a ‘walled-off’ Internet that protects against surveillance ignores the interoperability and openness that forms the core of the Internet.

On the whole, though, the Marco Civil may be considered a victory, on many counts. It is possibly the first successful example of a national legislation that is the outcome of a broad, consultative process with civil society and other affected entities. It expressly affirms Brazil’s commitment to the protection of privacy and freedom of expression, as well as to Internet accessibility and the openness of the network. It aims to eliminate the possibility of private censorship online, while upholding privacy rights of users. It seeks to reduce the potential for abuse of personal data and communication by government authorities, by requiring judicial authorization for the same. In a world where warrantless government spying extends across national border, such a provision is novel and desirable. One hopes that, when the global Internet community sits down at its various fora to identify and enumerate principles for Internet governance, it will look to the Marco Civil as an example of standards that governments may adhere to, and not necessarily resort to the lowest common denominator standards of international rights and protections.

For more details visit https://cis-india.org/internet-governance/blog/marco-civil-da-internet

Principles for Internet Governance: NETmundial 2014 — What do the Contributions Reveal?

geetha — 2014-04-23T04:01:21Z

The Global Multi-stakeholder Meeting on the Future of Internet Governance (NETmundial) is scheduled for April 23-24, 2014. Towards its stated end of establishing "strategic guidelines related to the use and development of the Internet in the world", NETmundial sought contributions from stakeholders around the world on two topics: (1) Set of Internet governance principles; (2) Roadmaps for the further evolution of the Internet governance system.

This post analyses the contributions of the academic community to draw out broad agreements and divergences concerning Internet governance principles.

I. Introduction

In two days, a large measure of the global Internet community – governments, the private sector, civil society, technical community and academia – gather in São Paulo, Brazil, for the Global Multi-stakeholder Meeting on the Future of Internet Governance. The NETmundial (April 23-24, 2014), touted as the World Cup of Internet governance, is a global conference convened and supported by the Brazilian president, Dilma Rousseff, and organized by the Brazilian Internet Steering Committee (CGI.br) and /1Net, a forum comprising various stakeholders involved and interested in Internet governance. It hopes, importantly, “to establish strategic guidelines related to the use and development of the Internet in the world”. To this end, it sought open-ended Contributions from interested stakeholders on the topics, “Set of Internet governance principles” and “Roadmaps for the further evolution of the Internet governance system”. The agenda for NETmundial may be found here.

To fully utilize the 2 short days available, knowledge of the stakeholder positions, especially their broad agreements and divergences on the two topics, is of immense help. Through a series of posts, I analyse the contributions to NETmundial on the question of Internet governance principles, seeking to dig deep into definitions and interpretations of suggested principles, such as management of Critical Internet Resources (such as the Domain Name System), human rights including freedom of expression and privacy, cyber-security, inclusiveness and participation in Internet governance, etc. In separate posts, I shall analyse contributions of each sector (governments, the private sector, civil society, technical community, academia and ‘Other’) and finally, present an overall analysis of the contributions pitted against the Draft Outcome Document, which is presently under discussion.

II. The Contributions

The NETmundial has received 187 contributions from 46 countries. Sector break-ups are given below:

Sector	Number of Contributions (187)
Academia	20
Governments	28
Private Sector	43
Civil Society	61
Technical Community	16
‘Other’ (such as UNESCO, the European Commission, etc.)	19

A quick look at the contributors indicates that contributions are primarily from North America, Europe, South and East Asia, and South America. No or very few contributions were made from large parts of Africa and South East Asia, Central and West Asia, Eastern Europe and Western South America. We present a graphical representation of contributing countries here.

Of the contributions, stakeholders from various sectors contributed to the two topics listed above in the following manner:

Sector	Set of Internet Governance Principles	Roadmaps for Further Evolution of the Internet Governance System	Combined: Internet Governance Principles & Roadmaps
Academia	7	7	6
Government	7	4	17
Private Sector	11	3	29
Civil Society	25	21	15
Technical Community	8	5	3
‘Other’	7	4	8

Despite the above classification, I focus on all 187 contributions for analysis. This is as some contributions expressly set out principles while others do not. Therefore, eliciting and analyzing principles from stakeholder contributions has involved a certain amount of subjective maneuvering. However, such elicitation has been restricted on the following bases:

The contribution is externally categorized as falling under either “Set of Internet governance principles” or “Combined – Internet governance principles & Roadmaps”.
Internally, the document places principles under rubrics of ‘Internet governance principles’.
Internally, the document makes references to Internet governance principles before setting out (without rubrics) principles.

With this caveat, I go on to discuss the NETmundial contributions from the academic community to Internet governance principles.

Part I: Academia

Of the academic contributions, the main contributors are Africa (Kenya – 1, Sudan – 3), Europe (Germany – 1, Poland – 1, Portugal – 1, Russia – 2, Ukraine – 1), South America (Argentina – 1, Brazil – 3) and the United States (8). No Asian country has made an academic contribution, and as evident from above, academia is geographically severely under-represented. Furthermore, only 4 out of 20 contributions expressly set out Internet governance principles. These four are:

Semantics aside, certain broad, high-level consensus emerges within the academic community. On substantive principles of governance on the Internet, the greatest support is found for freedom of express and access to information, with 6 contributions emphasizing this. Equally important is Internet universality and non-discriminatory (3 contributions), universal access to the Internet (6). Protection of privacy and permissible levels of surveillance come a close second, with 5 contributions referring to these. Cyber-security (5), respect for human rights (4) and support for net neutrality (3) and cultural and linguistic diversity on the Internet (3) also emerge as issues of concern for the academic community. The UNESCO and academics from Sudan emphasize training and education to use the Internet. Inter-operability (2) and a single, unfragmented Internet (2) also find a place in the academic community’s contributions.

With regard to processual principles for Internet governance, inclusiveness and participation are the most important concerns (5). The academic community asks for an open, transparent and multi-stakeholder Internet governance system (4), calling for international cooperation (2) among governments and other stakeholders. Interestingly, one contribution requires that the role of governments in the multi-stakeholder model be limited to “the facilitation of the participation of their domestic stakeholder communities in Internet governance processes”, while a Brazilian contribution advocates a multilateral model.

While no contribution expressly calls for these principles to underscore global Internet governance, the author believes that a high-level consensus may be gleaned in favour of respect for and protection of human rights, especially freedom of expression, access to information, privacy and protection from unwarranted domestic or extraterritorial surveillance. This is further supported by cyber-security concerns. The call for universal access to the Internet, alongside mention of net neutrality, emphasizes inclusiveness and non-discrimination. Processually as well, inclusiveness and participation (including equal participation) of all stakeholders finds the largest support, reflected in the calls for multi-stakeholder models of Internet governance.

No glaring divergences exist with regard to human rights or principles of governance on the Internet. The only major divergence amongst academia is the call for multilateral or multi-stakeholder models of Internet governance. While a majority of the contributions call for multi-stakeholder models, the Brazilian contribution (linked above) calls for “Open, multilateral and democratic governance, carried out with transparency by stimulating collective creativity and the participation of society, Governments and the private sector”, while at the same time supporting a “real multi-stakeholder governance model for the Internet based on the full involvement of all relevant actors and organizations”. Indeed, even this divergence is marked by a common emphasis on open, transparent and inclusive participation in Internet governance.

For more details visit https://cis-india.org/internet-governance/blog/principles-of-internet-governance-net-mundial-2014