Recent efforts by Verisign at the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Engineering Task Force (IETF) in response to China’s new draft Internet Domain Name Management Rules present a serious threat to the right to privacy and freedom of expression online. By facilitating the implementation of real name policies for domain name registration in China, the rules risk seriously encroaching on Internet users’ rights, and Verisign’s technical and policy proposals to comply with them don’t include any consideration of potential human rights impacts. There is a whole constellation of actors involved in making this policy possible, all of whom have a responsibility to respect human rights.
In March 2016, the Chinese Ministry of Industry and Information Technology published a draft of its new Internet Domain Name Management Rules, which mandate that all Internet domain names in China must be registered through government-licensed service providers that have established a domestic presence in the country. This regulation would impose stringent regulations on the provision of domain name services. Under the rules, registrars issuing domain names must set up a management system from within Chinese borders, and collect personal information of domain name registrants. This means that all Chinese citizens will have to register their domain names inside China, with a real name verification model.
This type of regulation can cause self-censorship among internet users, due to fears of persecution by the state on the basis of how they express themselves online. The rules encourage the collection of information that can potentially be abused by authorities and become a tool of repression. This policy could also have a serious impact on freedom of association and assembly, as it strengthens the surveillance capabilities of the government.
The UN General Assembly, the UN Human Rights Council, and the UN Special Rapporteur on Freedom of Expression have recognised the importance of anonymity and the right to privacy, online as well as offline, in guaranteeing the right to freedom of expression.
The Internet increasingly mediates our capacity to exercise our human rights, in particular the right to freedom of expression, and Internet governance bodies and Internet infrastructure providers therefore have an enhanced role and responsibility in protecting human rights online.
It is therefore not just the Chinese government that should be held accountable for the negative impact of this policy on freedom of expression and other human rights. Verisign is the world’s biggest registry, back-end system provider for numerous Top Level Domains (TLDs), in addition to being the Root Zone Maintainer, a function associated with the Internet Assigned Numbers Authority (IANA). This makes it a very significant player in the domain name infrastructure. Verisign has designed and developed several technologies to service ‘Verification Service Providers‘ and has created the technology to fully comply with this new Chinese law. This technology is vulnerable to abuse and presents a clear risk to human rights, taking into account the draft legislation it is designed to comply with.
Western companies are often happy to develop, build and sell software, hardware and standards to facilitate repressive policies elsewhere. A recent example is the contribution of Cisco to the ‘Great Firewall of China’, also known as the Golden Shield, which allowed the Chinese government to conduct surveillance of its citizens. Just last week, news surfaced that Facebook had developed (but not implemented) censorship software to allow it to operate in China. Companies are often eager to profit, but unwilling to take responsibility for the human rights implications of their decisions. Justifications based on compliance with domestic law are not sufficient. Corporate actors, especially large and influential ones like Verisign, can and should do more to respect, protect and promote freedom of expression and human rights in general by implementing the UN Guiding Principles on Business and Human Rights.
In addition to the Chinese government and Verisign, Internet Governance bodies such as ICANN, which approved Verisign’s proposed practice, and the IETF, which is currently discussing Verisign’s proposed standard, should consider the human rights impact of approving these proposals. If neither the Chinese government, nor Internet Governance bodies, nor the companies involved in implementing this domain name policy take their responsibility seriously, all Internet users, and especially those in China, will pay the price for these companies’ profits.
This policy will however have impact beyond China. These types of data localisation efforts threaten the distributed nature of the global Internet, by fragmenting the Internet across national jurisdictions. The cooperation of ICANN, the IETF and Verisign on these draft measures also sets a dangerous political precedent that will threaten the rights of Internet citizens across the globe, as well as the technical resilience of the Internet.
We the undersigned offer the following recommendations:
- All companies should do more to consider the impact of their work on human rights, and develop strategies in line with the UN Guiding Principles on Business and Human Rights. They should not let their search for profits and access to the Chinese market blind them in their decision-making where the human rights of Chinese citizens and Internet users globally are at stake.
- ICANN should revoke its approval to Verisign’s proposed services. The ICANN community, particularly the various constituencies within ICANN, must explicitly outline how the Chinese Internet Domain Name Management Rules, in particular Article 37, are in contradiction with existing policies to manage TLDs. Moreover, ICANN should take human rights into account in all of their decision-making processes, including in approving Registry Service Evaluation Processes.
- The IETF, and the regext working group specifically, should avoid standardizing Verisign’s proposed Extensible Provisioning Protocol (EPP), which, if implemented, would threaten the rights of Chinese and other Internet users, especially without properly considering the serious potential real world security and privacy implications this might have.
- China should reconsider its Internet Domain Name Management Rules based on an assessment of their human rights impacts, especially on the rights to freedom of expression, freedom of association and assembly, and privacy.
Asociación por los Derechos Civiles (ADC)
Association for Progressive Communications (APC)
Bytes for all
The Centre for Internet and Society (CIS)
Digital Defenders Partnership (Hivos)
Internet Democracy Project
Reporters Without Borders
The Web Foundation