Warning: proposed sale of the TLD puts .ORG registrant data at risk

UPDATE: (1 May, 2020) Following widespread community calls, ICANN’s board voted to reject the proposed sale of the .ORG domain to private equity firm Ethos Capital.

The proposed sale of the .ORG top-level domain (TLD) presents a risk to the governance of sensitive data that society cannot afford to take. Prior to the adoption and implementation of the General Data Protection Regulation (GDPR) in Europe, information related to the registration of domains, including the personal details, names, phone numbers, and addresses of individuals, was published online in the WHOIS database. It was generally agreed at the time that such information should not be publicly available, although there was considerable disagreement over how much information should, or could, remain public.

Through the use of registrant data — which includes personal information of journalists, activists, and human rights defenders who have registered .ORG domains — it is possible to conduct many forms of harassment online, and that harassment can of course become physical off the internet. As is often the case, members of civil society are particularly vulnerable in this regard. The human rights protection work many of us perform can put us at odds with nation states.

Since the GDPR entered into force, civil society organizations have been better protected. The sensitive personal contact information is no longer publicly available online, and the registration database itself has been securely retained within civil society, controlled by the Public Interest Registry (PIR) under the Internet Society (ISOC). To have ongoing access to the sensitive personal registration data of .ORG domain registrants, an adversary would either have to have a mole in the employ of ISOC, or convince ISOC to sell them the TLD.

This is one of the reasons why I am opposed to the sale by ISOC of the .ORG TLD to Ethos Capital. I am concerned about the misuse of this registration information. In this age of user data serving as the fundamental currency traded by tech companies as the basis of their business models, it is not a stretch to imagine Ethos Capital planning to sell the data to third parties, whether companies like data brokers or even governments. There are certainly entities that would pay for such information, which is arguably some of the most detailed relating to online civic space.

There are several scenarios that could play out, which I briefly outline below. Ethos or future owners could:

Map civil society for targeting, repression, or censorship. Using the data, it would be possible to map online civic space for nefarious purposes. Given the importance of an online presence for civil society organizations, this directory would likely be more accurate than others that could be made from alternative information sources. A regime that wants to implement a police state would be able to map all the civil society organizations within its borders, and use it to quickly round up the staff, to add all the domains to their network censorship mechanisms, and so on.

Sell information about .ORG registrants to repressive governments. Ethos Capital could do deals with certain nation states to provide information on registrants, or to implement extreme vetting for registrants of that country, to increase the difficulty for citizens to register .ORG domains.

Raise prices to make it harder for civil society to speak and organize online. They could also raise the prices for .ORG domains, particularly in certain countries, perhaps on request from nation states, to price citizens out of the market for free expression. Civil society in the developing world is particularly vulnerable to increases in domain pricing.

Censor .ORG en masse. Then there is the ability to interfere with or even take the TLD offline completely. This might seem like an extreme measure, but with internet shutdowns on the increase globally, we should consider blunt and disproportionate censorship a real threat, and another reason to keep the management of the .ORG TLD in trusted civil society hands.

Sell .ORG to those who would make these threats real. Even if Ethos Capital did not themselves do these things, there is no guarantee they would not onsell the TLD to another party, even to a nation state or pro-state entity. Would perhaps the Chinese government be prepared to pay handsomely to manage the TLD? Would Ethos Capital resist an offer from them?

I am not saying these threats will necessarily materialize. I am saying that we should not choose to open these risks at all.

It is irrelevant whether the TLD was previously in the hands of private enterprise. What is important here is to do the best thing for healthy societies across the globe. That is to ensure a strong civil society, and that entails making sure that the services that civil society organizations provide are as widely available as possible, to all populations. That is why we need the .ORG TLD to remain in trusted civil society hands, with the kinds of measures in place, such as a cap on the prices, to ensure the greatest participation possible. This is what we have had under the stewardship of ISOC, and it is what we need going forward.

If ISOC itself does not want to manage the .ORG TLD, or is not able to do so, then it should transfer that responsibility to another trusted civil society organization, through an inclusive and open process. If they need to know which organizations would assume that role, let’s convene to discuss that. For now, for the security and health of our civil societies, we must immediately halt this sale.