RE: From Christian -- Re: [gnso-ff-pdp-may08] Meta: Strawman - Process vs. Policy

[Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>]

Christian mentioned (via Mike) that:

>     Democratic governments have certain safe-guards in place to 
> prevent those entrusted with power from running rough-shod over 
> personal freedoms we consider important.  One of these protections 
> is the electoral process itself, which ensures that those who 
> create the policies of the state and those who wield its power are 
> ultimately accountable to the citizenry at large.  Other 
> protections include separation of powers, access to courts, and the 
> constitutional enshrinement of certain fundamental liberties.

And those are all certainly very important democratic values, values
which I (and I'm sure everyone else on this working group) 
certainly share.

However, private entities (including ICANN, the registries and
the registrars) are not without checks and balances of their own,
rooted in things like:

-- management being balanced by boards of directors and (in some 
   cases) stockholders; 

-- alternatives provided by a free marketplace; 

-- constraints enshrined in contracts, articles of incorporation, 
   and corporate bylaws, and, of course, let's not forget

-- government regulation.
 
>     Professor Setlzer commented that she gets very nervous when 
> private entities start to act like governments.  Both I and the 
> NCUC, share this concern.  Private entities like registries, 
> registrars and ICANN are not encumbered by the same 
> liberty-preserving safeguards as governments.  For example, the 
> U.S. constitution protects its citizens from certain invasive or 
> unjust conduct by the government.  It places little, if any, 
> similar restrictions on similar conduct by private parties.

I'd respectfully disagree that citizens are left to fend for
themselves when it comes to invasive or unjust conduct perpetrated
upon them by corporations or other private parties.

http://www.ftc.gov/privacy/ , for example, recounts both multiple 
legal frameworks which have been imposed on corporations to protect
private citizens, and examples of litigation which the FTC has 
undertaken to enforce compliance. (And other agencies have their
own privacy protecting statutes, such as HIIPA in the health area,
or FERPA in higher education)

Unjust conduct is similarly subject both to regulation, litigation
and, more importantly, to market forces. If one TLD adopts an 
unconscienable practice, or a registrar treats its customers badly, 
there are other TLDs and other registrars, and the market can vote 
with its wallet, thereby rewarding well run enterprises and starving
poor ones.

On the other hand, if a registry tolerates rampant abuse, the
market also can shun that registry's "product," domains which may
be disproportionately associated with miscreant activity, thereby 
decreasing the value of those "damaged goods."

Given those realities, most economically rational commercial entities 
will attempt to steer a safe middle ground somewhere between those 
opposing shoals.

>    Any discussion about combating illegal activity at ICANN 
> inherently raises these problems.  

I find it hard to believe that ICANN would be in favor of illegal 
activity! Assuming ICANN is not, the only question that remains is
what, if anything ICANN is willing to voluntarily do beyond what
it may be required to do by law, at its own discretion.

> There is a distinct danger that 
> remedies at this level could transform private parties into a sort 
> of 'speech cop' charged with determining what content is 
> permissible and what is not.

Let's talk about content a little.

A variety of content has been found by the courts to not enjoy absolute
protection under things like the US Constitution and Bill of Rights
(obviously other jurisdictions will have other legal frameworks).

For example, child pornography is not protected by the 1st Amendment.

Commercial speech likewise enjoys only limited protection, and as a 
result, we see things like government restrictions on cigarette and
liquor advertising, or the limitations that the CAN-SPAM Act imposes 
on commercial speech delivered by email. 

But we need not even *consider* content in order to dispose of fastflux.

Recall the example I provided whereby all that would be provided by
a complainant might be a fully qualified domain name.

Considering content not one whit, one might inspect the FQDN's
mapping to IP addresses, and solely as a result of technical
criteria, one could get a pretty darn good idea of whether or not
that FQDN is fastfluxing.

And if you follow that evaluation up with an attempt at contacting 
the domain owner to get "their side of the story," my belief is that 
in virtually every case you will hear only silence, since these 
fastflux domains are "throw away" commodities of no long term value
(for example, once they get listed on the SURBL or URIBL, their 
practical value is dramatically diminished).

Another reason why you are likely to hear only silence from fastflux
domain owners is that defending one's allegedly fastflux domain would 
require the registrant to identify him or herself, if only via counsel, 
and it is well known that at least some domain owner are effectively 
reachable only by herculean methods, even when it comes to things as 
important as WIPO UDRP actions! (c.f., "F. Hoffmann-La Roche AG v. 
PrivacyProtect.org, Domain Admin and Mark Sergijenko," Case No. D2007-1854,
http://www.wipo.int/amc/en/domains/decisions/html/2007/d2007-1854.html )

> As the debacle with Dynadot and 
> Wikileaks demonstrates, it may well be in the best interests of a 
> registrar to ignore the free speech interests of its customer in 
> the face of a powerful angry party.

Would you truly suggest that registrars should defy court orders issued 
by courts of competent jurisdiction, perhaps as a matter of civil
disobedience? That is a courageous position to adopt, and an unusual
one for a public concern, in part because of the risk of contempt 
proceedings....

But let's consider another example, namely the Spamhaus Project case 
(see http://www.spamhaus.org/organization/statement.lasso?ref=3 ).
In that case, the free speech interests of the domain owner *have* 
been upheld, and for that matter, Wikileaks also remains online.

So from my point of view, at a certain level, being part of a 
democratic society means trusting that the checks and balances 
which we've both been talking about, including judicial review, 
*will* ultimately function as intended, although sometimes the 
wheels of that machinery may seem to turn slowly and emit howling 
squeals while doing so.

If one has more faith in the fairness or efficiency of the legal 
system of the EU, or <fill in a location here>,  there are registrars and 
TLDs that operate in those environments, and I'm sure they'd be happy to 
have folks business.

> Thrusting registrars, 
> registries or ICANN into this role creates the danger that they 
> could be pushed to implement more restrictive or arbitrary controls 
> than the government can.

In reality, each entity, ICANN, registry or registrar, is subject
to the laws of the land where it exists and chooses to do business.

Beyond that, each entity and the market are ultimately masters of what they
choose to do or not do, subject to the corporate "checks and balances"
we've already talked about, including their corporate bylaws.

What I would be loathe to see would be a sort of decision making paralysis
where inaction is the only attainable output from the policy formulation
process. 

>     Though I respect Mike's comments about compromise generally, I 
> do not believe that it is appropriate with regards to this 
> issue.  ICANN does not exist to balance the policies of protecting 
> civil liberties and combatting crime.  ICANN exists to coordinate 
> the Internet.  

Actually, checking ICANN's bylaws, ICANN exists to

   "coordinate, at the overall level, the global Internet's systems 
   of unique identifiers, and in particular to ensure the stable and 
   secure operation of the Internet's unique identifier systems."

See ICANN's Bylaws at Article I, Section 1. 

I do not see tolerating fastflux as something which would further the 
stability and secure operation of the Internet's unique identifier 
systems, but I would genuinely be interested in understanding how
this might, in some way, be so.

Regards,

Joe

Disclaimer: all opinions strictly my own.