Four Guardrails for Voluntary Public Interest Commitments (VPICs) and Registry Voluntary Commitments (RVCs) in the New gTLDs

ICANN’s Bylaws wisely bar the organization from regulating content. Upfront, section 1.1 declares: “ICANN shall not regulate (i.e., impose rules and restrictions on) services that use the Internet's unique identifiers or the content that such services carry or provide.” ICANN regulates (or quasi-regulates) layers of the Internet Infrastructure before the content layer; we leave the content to the world regulators, content providers and platforms.

But in 2013 and 2014, ICANN’s CEO made a good choice and a bad choice. Then-CEO Fadi Chehadé wanted a place in the registry agreement (the contract between ICANN and a registry) to put promises made by applicants who want to operate new registries to the Government Advisory Committee (GAC) – that was a good choice. But Fadi chose to create a dumping ground for anything registries wanted to commit to for any reason–a bad choice. The name chosen was just as bad: Private or Voluntary Public Interest Commitments.

These “Private PICs” gave registries unprecedented powers, absent any review or veto by the Generic Names Supporting Organization (GNSO, the entity responsible at ICANN for gTLD policy). Most registries restrained themselves – they know ICANN has GNSO-created policies for the registration, transfer, dispute and revocation of domain names. But some registries gave themselves unlimited power to abuse and censor their registrants. Without due process or even reason or rationale, some registries in their “private PICs” gave themselves the power to suspend domain names with no notice and no clear reason (thereby potentially removing hundreds of webpages of speech and commerce, and thousands of email addresses in active use).

Because these PICs appeared in ICANN contracts, ICANN became the enforcer of these self-selected, arbitrary policies through the PIC Dispute Resolution Process (PICDRP), which was similarly created without a GNSO policy development process as opposed to the UDRP, URS, and PDDRP mechanisms (created and under review within ICANN’s GNSO framework). Fortunately, ICANN has engaged little with the PICDRP and private PICs to date. Who wants to run a court with no rules and no reason? But this dangerous arrangement remains, and threatens to embroil ICANN in questions of speech regulation.

A Fresh Look by the ICANN Board

Fortunately, the ICANN Board raised the issue last month and wrote an open letter to the ICANN working group known as “Subsequent Procedures Policy Development Process Working Group” expressing concern about private PICs that might entangle ICANN in issues that were “outside of ICANN’s technical mission.” It bears repeating that the one thing explicitly called out in ICANN’s Bylaws as being outside of ICANN’s mission is to “regulate” Internet services “or the content that such services carry or provide.” The Board asked the working group for “guidance on how to utilize PICs and RVCs without the need for ICANN to assess and pass judgment on content.” The questions are good and we think the answers are easy and straightforward: let’s agree to curb abuse and recommit to ICANN’s narrow mission of managing the DNS by placing limits on so-called VPICs:

A Solution: Guardrails for Voluntary PICs/RVCs by ICANN and New gTLD Registries

1. PICs/RVCs can only address issues with domain names themselves, including eligibility criteria consistent with point 2 below - not the contents of websites or apps that use domain names

Basically, no Voluntary PICs about content regulation. Registries would continue to be free to use their own judgment about when to suspend the domain name of a website that violates local law or the registry owners’ conscience, but we encourage registries, and all providers of Internet infrastructure, to stay out of the content-regulation business as much as possible.

This saves ICANN from the horrible position of enforcing rules completely outside its mission, mandate and conscience, e.g., a possible future .WHITESUPREMACY gTLD in which “Voluntary PICs” require ICANN to suspend all registrants who use their domain names to post content about equity, systemic bias, and Black Lives Matter rallies.

Not through ICANN, and not through a third party administered by ICANN, should such clearly content-oriented (and offensive) rules be enforced. Happily, we all agreed in 2016, that the Internet’s domain name system is not the place to police speech. ICANN, the organization that regulates that system, is legally bound not to act as the Internet’s speech police. Let’s step away from this landmine quickly.

2. Commitments need to be consistent with the human rights core value established in the ICANN Bylaws

This one is exceptional straightforward: we agreed to the ICANN Core Value of “respecting recognized human right as required by applicable law” in the 2016 ICANN Bylaws. How could we not include or reference as a guidepost or principle as to what is allowed or not allowed in the contracts ICANN is signing?

ICANN Bylaws, Section 1.2(b) CORE VALUES

“In performing its Mission, the following ‘Core Values’ should also guide the decisions and actions of ICANN:

***

(viii) Subject to the limitations set forth in Section 27.2, within the scope of its Mission and other Core Values, respecting internationally recognized human rights as required by applicable law. This Core Value does not create, and shall not be interpreted to create, any obligation on ICANN outside its Mission, or beyond obligations found in applicable law. This Core Value does not obligate ICANN to enforce its human rights obligations, or the human rights obligations of other parties, against other parties.”

3. PICs/RVCs should not give registries unbounded discretion to suspend domain names

Simply put, let’s have no absolute monarch with uncontrolled power over the life and death of a domain name. Believe it or not, one registry applicant gave itself the power “at its sole discretion and at any time and without limitation, to deny, suspend, cancel, or transfer any registration or transaction, or place any domain name(s) on registry lock, hold, or similar status” for vague and undefined reasons. This currently affects hundreds of gTLDs and potentially millions of registrations! But we have spent two decades at ICANN coming up with fair and balanced rules for the creation, revocation and transfer of domain names, along with the handling of domain name disputes. The idea that someone, for example, within the term of a domain name might offer the registry more money, and thus the registry orders the registrar to unilaterally terminate the domain name contract, is unacceptable.

How can ICANN fathom enforcing Voluntary PICs with no limits? It is an absurd thought: ICANN can’t – not through its own mechanisms or those of third parties – so these provisions simply should not exist in future voluntary PICs. Absolute monarchs went by the wayside in the last century.

4. And PICs/RVCs should not be used to create new policies that didn’t come through ICANN processes

The GNSO makes the policies for gTLDs with the advice of Advisory Committees (including GAC and ALAC) and the approval of the Board. If registries want to go above and beyond by creating protections for the environment, for political speech, for intellectual property, for white supremacists, let them do it in their own terms of use, and subject to other forms of review and opposition, and to market forces, but not enforced by ICANN or delegated by ICANN to a third party for enforcement.

***

Overall, voluntary PICs were designed to allow reasonable accommodation of Government Advisory Committee Early Warnings and Advice – a place to confirm that a .HOSPITAL registry may review the authorizations, charters and licenses of this applicant of a “highly-sensitive” string and have the right, on complaint, to consult with the registrant and appropriate supervisory authorities about its authenticity. A .hospital registration should be a hospital registration.

We don’t want to see ICANN become another content moderation battleground. They will also help registry operators to resist calls for censorship by certain governments and indeed from anyone who wants to arbitrarily impose rules on the DNS outside our ICANN processes.

-------------- CircleID Posting by Mitch Stoltz, November 23, 2020 -------------------------------------------

ICANN Should Keep Content Regulation and Other Arbitrary Rules Out of Registry Contracts

By Mitch Stoltz Senior Staff Attorney at the Electronic Frontier Foundation

The domain name system is not the place to police speech. ICANN is legally bound not to act as the Internet's speech police, but its legal commitments are riddled with exceptions, and aspiring censors have already used those exceptions in harmful ways. This was one factor that made the failed takeover of the .ORG registry such a dangerous situation. But now, ICANN has an opportunity to curb this abuse and recommit to its narrow mission of keeping the DNS running, by placing firm limits on so-called "voluntary public interest commitments" (PICs, recently renamed Registry Voluntary Commitments, or RVCs).

For many years, ICANN and the domain name registries it oversees have given mixed messages about their commitments to free speech and to staying within their mission. ICANN's bylaws declare that "ICANN shall not regulate (i.e., impose rules and restrictions on) services that use the Internet's unique identifiers or the content that such services carry or provide." ICANN's mission, according to its bylaws, "is to ensure the stable and secure operation of the Internet's unique identifier systems." And ICANN, by its own commitment, "shall not act outside its Mission."

But… there's always a but. The bylaws go on to say that ICANN's agreements with registries and registrars automatically fall within ICANN's legal authority, and are immune from challenge, if they were in place in 2016, or if they "do not vary materially" from the 2016 versions.

Therein lies the mischief. Since 2013, registries have been allowed to make any commitments they like and write them into their contracts with ICANN. Once they're written into the contract, they become enforceable by ICANN. These "voluntary public interest commitments" have included many promises made to powerful business interests that work against the rights of domain name users. For example, one registry operator puts the interests of major brands over those of its actual customers by allowing trademark holders to stop anyone else from registering domains that contain common words they claim as brands.

Further, at least one registry has granted itself "sole discretion and at any time and without limitation, to deny, suspend, cancel, or transfer any registration or transaction, or place any domain name(s) on registry lock, hold, or similar status" for vague and undefined reasons, without notice to the registrant and without any opportunity to respond. This rule applies across potentially millions of domain names. How can anyone feel secure that the domain name they use for their website or app won't suddenly be shut down? With such arbitrary policies in place, why would anyone trust the domain name system with their valued speech, expression, education, research, and commerce?

Voluntary PICs even played a role in the failed takeover of the .ORG registry earlier this year by the private equity firm Ethos Capital, which is run by former ICANN insiders. When EFF and thousands of other organizations sounded the alarm over private investors' bid for control over the speech of nonprofit organizations, Ethos Capital proposed to write PICs that, according to them, would prevent censorship. Of course, because the clauses Ethos proposed to add to its contract were written by the firm alone, without any meaningful community input, they had more holes than Swiss cheese. If the sale had succeeded, ICANN would have been bound to enforce Ethos's weak and self-serving version of anti-censorship.

A Fresh Look by the ICANN Board?

The issue of PICs is now up for review by an ICANN working group known as "Subsequent Procedures." Last month, the ICANN Board wrote an open letter to that group expressing concern about PICs that might entangle ICANN in issues that fall "outside of ICANN's technical mission." It bears repeating that the one thing explicitly called out in ICANN's bylaws as being outside of ICANN's mission is to "regulate" Internet services "or the content that such services carry or provide." The Board asked the working group [pdf] for "guidance on how to utilize PICs and RVCs without the need for ICANN to assess and pass judgment on content."

A Solution: Three Guardrails on PICs/RVCs

[Note from Kathy, 12/16, in consultation with Jorge Concio, we added the 4^th guardrail/principle: “Commitments need to be consistent with the human rights core value established in the ICANN Bylaws” – previous posted to this WG]

There's a simple, three-part solution that the Subsequent Procedures working group can propose:

- PICs/RVCs can only address issues with domain names themselves — not the contents of websites or apps that use domain names;

- PICs/RVCs should not give registries unbounded discretion to suspend domain names;

- and PICs/RVCs should not be used to create new domain name policies that didn't come through ICANN processes.

In short, while registries can run their businesses as they see fit, ICANN's contracts and enforcement systems should have no role in content regulation, or any other rules and policies beyond the ones the ICANN Community has made together.

Guardrails on the PIC/RVC process will keep ICANN true to its promise not to regulate Internet services and content. It will help avoid another situation like the failed .ORG takeover, by sending a message that censorship-for-profit is against ICANN's principles. It will also help registry operators to resist calls for censorship by governments (for example, calls to suppress truthful information about the importation of prescription medicines). This will preserve Internet users' trust in the domain name system.