From the standpoint of a multistakeholder policy making institution, this approach is deeply flawed, because a substantial transformation of the

https://docs.google.com/document/d/1d6GT0zqLjU6e7Js-TE2Gjlm_-B5xvhE5CrRPZSV3... Best Alice -------------------------------- 14 May, 2013 The NCSG represents civil society groups and nonprofit organizations in the ICANN policy making process. Our two constituencies and 400 individual and organizational members appreciate the opportunity to comment on the GAC’s “Safeguards applicable to broad categories of new TLDs” (the Safeguards). We address the specific recommendations of the Safeguards in the second half of our comments. We begin, however, by expressing broader concerns about the role of the GAC in ICANN, of which this Advice is symptomatic. The GAC and the multi-stakeholder process The ICANN bylaws authorize GAC to “provide advice on the activities of ICANN as they relate to concerns of governments, particularly matters where there may be an interaction between ICANN's policies and various laws and international agreements or where they may affect public policy issues.” This mandate assumes that ICANN’s carefully balanced representational processes (the GNSO, ALAC, etc.) develop policies and GAC comments on them in a timely manner. When offered in a timely manner, such advice might prompt the board to instruct the Supporting Organizations to reconsider or modify their policies before implementation. The Beijing Communique does not appear to be the kind of “policy advice” contemplated by the ICANN bylaws. The GAC did not advise or comment on the actual ICANN policy, but seems to have attempted to take over the process of defining and implementing new gTLD policy at an impossibly late stage of the process. It was either unaware of or disliked the results of an open, transparent, multi-stakeholder process, and now seeks to change it dramatically. The GAC concocted categories for new gTLDs that were not contained in the Applicant Guidebook and, for each category, came up with new, extensive and often contradictory or ambiguous regulations that it now insists be included in the contracts governing registries, registrars and domain name users. policy was not made with the participation of the GNSO or with the civil society organizations and businesses affected. There were no public hearings at which these governments’ citizens could make their views known. Moreover, since this advice would have the effect of an international regulation, it is notable that there was no review of this work by GAC members’ national legislatures. This is not “policy advice,” therefore, but an illegitimate form of international legislation. Worse, because it is couched as “advice” and not formal law, its recommendations, if implemented by the board, might be exempt from important constitutional checks and balances. In short, the GAC’s Beijing Communique is positioned not as advice, but as a substitute for the policy work of the broader ICANN community. As such, it constitutes a threat not only to the implementation of the new gTLD program, but to ICANN’s status as a multi-stakeholder policy development institution. Unless this “advice” is rebuffed by the board, ICANN undermines its Supporting Organizations, its policy development process, and the Applicant Guidebook under which hundreds of companies applied for new domains. At a time when authoritarian governments and intergovernmental institutions are challenging the legitimacy and validity of open, bottom-up, nongovernmental global governance, allowing a group of governments to over-ride and negate ICANN’s policy development processes in this way would send a terrible signal to the world. Specific elements of the GAC advice 1. The Preamble to the ‘Safeguards’ While most of the Annex would impose very specific requirements upon registries and their users, the GAC begins its Annex with a free-floating dictum that all of its commands “be implemented in a manner that is fully respectful of human rights and fundamental freedoms” and consistent with all existing international treaties and conventions. As the ICANN stakeholder group most concerned with human rights and fundamental freedoms, we appreciate the GAC’s recognition of human rights and the protections of international law. But we have a difficult time believing that they will serve as real protections in this context. In deciding what to do with this Advice, we ask both the GAC and the Board to consider the following questions: What does it mean to be “respectful” of the UN Universal Declaration of Human Rights, which includes the right to free expression, while at the same time requiring registries for strings such as .FAIL, .SUCKS, .WTF, and .GRIPE to “develop policies and processes” that would regulate content and expression under those domains? Is the GAC declaring that domains set aside for critical content be subject to special, new kinds of content regulation? Would such a governmentally-imposed requirement be consistent with Article 19, the U.S. First Amendment, the European Convention on Human Rights or other constitutional protections? What does it mean to order registries to “comply with all applicable laws…related to privacy” while at the same time ramping up the WHOIS enforcement mechanisms and data accuracy requirements without any regard for whether the registrant is a legal person or a natural person (i.e., an individual with a stronger privacy claim)? How is a concern for privacy consistent with the GAC’s clear intention to transform the WHOIS into a tool of systematic user identification and surveillance, and to use WHOIS accuracy as a pretext for immediate takedowns? What does it mean to demand respect for international law in one phrase and then demand that Amazon and Patagonia, both holders of trademarks recognized under international law, be denied the right to use their trademark in a TLD simply because some governments don’t want them to? On what law is the GAC’s request to deny these applications based? What does it mean for a global registry to “comply with all applicable laws” regarding dozens of “regulated industries” when there are nearly 200 jurisdictions and the regulations applicable to specific industries in each one may differ? More to the point, why does the GAC expect ICANN contracts to apply and enforce these laws rather than the governments themselves? In democratic jurisdictions compliance with law includes due process requirements for policing. What does it mean for a registry to comply with all applicable laws while at the same time being required by GAC to suspend domain name registrations based on a vaguely defined criterion which the GAC calls “security risks that pose an actual risk of harm”? What, exactly, is the definition of “risks that pose an actual risk of harm?” Is it the same as actual harm? What is the applicable legal standard here? How will it be adjudicated? This aspect of the GAC communique founders on its own contradictions. It cannot be implemented and any attempt to do so will fail. 2. Regulations applicable to all gTLDs In this section of the Annex, the GAC shows that it does not trust or respect current international or national laws governing privacy, identity and cybercrime. It seeks to impose upon registries, via ICANN contracts, detailed technical regulations regarding Whois testing and surveillance mechanisms. Yet many of the activities “required” are already undertaken or required in various venues; e.g., by ICANN (Whois accuracy checks at the registrar level), national law enforcement authorities, Internet service providers, registries, and independent security services companies. For example, all registries we are aware of already have abuse notification mechanisms. Phishing, botnets, and various forms of spam are already illegal under national and international laws. It is likely that ICANN contracts for registries are the wrong place to situate additional, specific regulations regarding monitoring of botnets, spam, etc. The GAC wants to impose additional regulatory burdens without any plausible case that there will be an improvement in the results. As advocates of Internet freedom and individual rights, the NCSG looks with concern upon increasing efforts by GAC to make WHOIS an internet identity card with a “real-name” registration policy similar to the failed attempt in South Korea. 3. Regulations regarding Consumer Protection, Sensitive Strings, and Regulated Markets In this section the GAC claims that “Strings that are linked to regulated or professional sectors” must be regulated in advance of any harmful action, because “these strings are likely to invoke a level of implied trust from consumers, and carry higher levels of risk associated with consumer harm.” This argument fails on two counts. First, the concept of “linkage” is too vague and open-ended to serve as a basis for systematic domain name regulations of the sort the GAC contemplates. Food, for example, is subject to health and safety regulation in all countries. Does that mean that any word related to food in the domain name system should be subject to special regulation? If so, we suspect that there is literally no word in the dictionary in any language that could not somehow be “linked” to some kind of sector or trade that has governmental rules and regulations attached to it. Reinforcing these concerns, the GAC includes the words .CARE, GAME, GREEN, PICTURES, DATA and dozens of other innocent generic terms in its Safeguard list, indicating just how limitless their approach can get. Such an approach would make ICANN (or the GAC) the world’s word police. Second, the GAC has fallen prey to the fallacy that any and every form of consumer harm that might occur on the Internet can be eliminated by imposing ex ante regulations on the words that are assigned in the domain name system. This is simply false. Many names and words that might theoretically be “linked” to specific services, industries or professional sectors can and will be used in productive and legitimate ways without any consumer harm. Conversely, many strings that are not clearly linked semantically to regulated or professional sectors could be used in a way that defrauds or harms users. The only rational way to react to these kinds of risks is to enforce the law ex post, not ex ante. In other words, actual, provable harm must occur first and regulatory action based on due process and clear standards of evidence and law should only occur afterwards. Any attempt to substitute ex ante regulation for ex post law law enforcement will harm many innocent users while failing to provide improved protection from a large array of unforeseen and unknown harms. We find it incredible that the GAC proposes to make registrars and registries authoritative licensing validation entities for 200 jurisdictions and an innumerable number of sectors and professions. This is not feasible. The principle of ex post law enforcement is a more feasible, and more freedom-respecting method of safeguarding concerns about fraud and consumer protection. If service providers or web sites are using names which fraudulently imply some kind of legal status, it is not that difficult for local or international law enforcement to stop them from doing so. But the legality or illegality of uses cannot be determined in advance. It is not a good idea to make the global name registry system responsible for policing the world’s professions and sector regulations on an ex ante basis. 4. Restricted Registration Policies We find this area of the GAC advice confusing. On the one hand, the GAC demands that registries carefully vet registrants ex ante and apply numerous regulations regarding who can register in nominally open generic TLDs; but it then goes on to insist that all registries be open and demands pre-approval and justification from any registry that proposes to restrict registrations as part of an attempt to establish a clear reputation and identity for a top-level domain. Business model innovation was an important rationale for the new gTLD program. Yet the GAC seems to want to make the traditional registry-registrar model that rewards mass registration a requirement, even though the economic incentives for mass registration are what often causes the security and consumer protection problems associated with domains. While the NCSG differs on the merits of closed generics and on the proper policy response, we agree that these policy issues should be resolved through the bottom-up, multistakeholder process and not unilaterally by the GAC.