Late last month, I posted to SSRN a draft of my forthcoming article, “Notice and Takedown in the Domain Name System: ICANN’s Ambivalent Drift into Online Content Regulation.” The article takes a close look at ICANN’s role in facilitating a new program of extrajudicial notice and takedown in the DNS for domain names associated with accused “pirate sites.” The program is a cooperative, private venture between Donuts, the registry operator for hundreds of new gTLDs in the DNS, and the Motion Picture Association of America (MPAA). Yesterday, Paul Vixie (Internet engineering legend, now CEO of Farsight Security) posted a critique of the article on CircleID. In the spirit of having a conversation about what we clearly agree is an important issue for the future of Internet governance and the DNS, I offer this response to Vixie’s post.
It’s obvious that Paul Vixie and I differ on whether the implementation of the MPAA/Donuts trusted notifier program represents a success or a failure of the private governance processes associated with administration of the DNS. A central question in this debate is whether a registry operator is a competent authority to pass judgment on the legality of online content and to intervene technically, using its ICANN-delegated control over DNS functions, to disable access to content that it has judged to be illegal or simply "abusive." Another important question is whether ICANN should be encouraging or facilitating private content regulation by DNS intermediaries. These are certainly points on which reasonable people of good faith can disagree.
I want to respond to a few specific points in Vixie’s reading of my article that I believe are mistaken or misguided:
(1) Vixie claims that I produced no support for my assertion that “copyright holders appear to be laying the groundwork for a broad program of DNS-based enforcement, with the long-term goal of implementing a UDRP-like procedure for claims of piracy and counterfeiting.” Vixie presents this claim as a “subjective declamation” on my part, with no proffered factual basis. In fact, the sentence Vixie quotes is footnoted, and the accompanying footnote text reads as follows: "See Meeting Transcript, MARRAKECH–Industry Best Practices–the DNA's Healthy Domains Initiative, at 13 ('We’re discussing and exploring the idea that there could be a clearinghouse that can include copyright, piracy, and counterfeiting, along with other potential online abusive behavior, and then perhaps developing a new dispute resolution model similar to UDRP.')."
Last week, the Public Interest Registry (PIR) abruptly pulled back from a plan called the "Systemic Copyright Infringement Alternative Dispute Resolution Policy” or SCDRP. At around the same time, the Domain Name Association dropped a proposal for copyright alternative dispute resolution from its “Healthy Domains” recommendations. I’m not sure what more or what else Vixie would hope to see in the way of proof that plans are being laid for a UDRP-like procedure for copyright infringement and counterfeiting.
(2) Vixie claims that by identifying the MPAA and its members as “corporate right holders,” I mean to cast an implicit aspersion on them (i.e., by pointing out that they are not “individual right holders”). This is simply untrue. I identify “corporate right holders” as such because they are the ones that have driven the initiative the article addresses, and they are the only right holders that are currently given “trusted” status under the MPAA/Donuts program. I believe the same exclusivity holds for other voluntary enforcement agreements that have been adopted by online intermediaries, including those with online advertising networks and payment processors. As far as I know, individual right holders do not have standing to bring complaints or request sanctions under those agreements.
(3) Vixie suggests that the trusted notifier program is actually intended to operate at scale: “Notice and takedown, at scale, without borders, requires mutual cooperation. And that's what the Trusted Notifier Program is meant to effect.” I’ll note that Donuts has repeatedly made the point that it does not want the program to operate at scale. For example, Donuts has said that it will not accept notices generated by robots, which are now the norm in the world of DMCA takedowns. Donuts has gone out of its way to point out how few takedowns it has executed under the agreement so far.
One of the concerns I raise in the article is what will happen, and what is likely to go wrong, if there are attempts to scale up enforcement in the DNS. To highlight the basis for my concerns, I point to a recent filing by Google with the United States Copyright Office, which stated that 99.95% (!) of the links identified as infringing by “trusted” partners in its “Trusted Content Removal Program” for search were fabricated and had never appeared in Google’s search index. So much for trust. Vixie portrays takedown at scale in the DNS as something to cheer; I think it’s something to fear. And my fear is empirically grounded in past and current experience with overbroad and abusive takedowns. In the article, I point to some specific historical examples in addition to Google’s recent filing.
Vixie expresses the view that the Internet’s “fish-bowl culture” will somehow prevent misbehavior or overreach by notifiers. I don’t share his optimism, particularly given that neither Donuts nor the MPAA has taken on any binding public reporting obligation with respect to the operation of their trusted notifier agreement. Although Donuts has reported on the number of referrals it received from MPAA and the number of times it took action on those referrals, it has not reported which specific domains were taken down. Nor has it stated that it will report its takedowns on a continuing, periodic basis.
(4) Vixie expresses discomfort at the prospect that I intended to imply or did imply “that ICANN might be actively trying to divert attention” from the fact that its contracts facilitate agreements like the MPAA/Donuts trusted notifier agreement. I don’t think it’s accurate to say that I implied any dishonesty on ICANN’s part. I do believe—and I explain why in the article—that ICANN’s actions on this front have not been consistent with its words. I don’t impute any nefarious intent with respect to that misalignment. ICANN is a complex and internally diverse organization with many moving parts.
What I actually wrote is that the Domain Name Association, of which Donuts is a member, misses the mark when it characterizes the trusted notifier program as a form of “self-governance” for registry operators. That’s because the obvious regulatory targets of the trusted notifier program are registrants, whose alleged bad behavior the program is aimed at sanctioning. It is true that Donuts came to its agreement with the MPAA voluntarily. The same cannot be said, however, for registrants who are ultimately subject to actions taken under that agreement. I stand by my conclusion that the trusted notifier program is not simply a form of voluntary self-governance by registries but is actually a form of DNS governance in which registries are as much governors of others as they are governors of themselves.