How two remote Arctic territories became the front line in the battle for internet privacy
Visit a Norwegian website and chances are you'll find it ends in .no – the top level domain for the country.
However, the country's domain name authority UNINETT Norid has two more country code top level domains (ccTLDs) up its sleeve. The pair are .sj, which represents two Norwegian territories in the Arctic called Svalbard and Jan Mayen, and .bv, which signifies Bouvet Island — a Norwegian dependent territory in the south Atlantic. Both of these ccTLDs have remained unused — until now.
Recently, it was proposed that the two ccTLDs should be used for 'safe harbour' web services, where users' privacy and data security is paramount. The idea is to ensure that any service provider registering a domain name on one of the ccTLDs signs a legally binding contract to abide by the strict privacy and security rules governing their use.
Pressure on privacy
It was Håkon Wium Lie, the CTO of Opera Software and champion of a neutral, free and open internet, that came up with the idea. Wium Lie is a council member of the Norwegian Board of Technology (NBT), an independent public organisation that advises the Norwegian government and parliament on questions of technology, and it was in this capacity Wium Lie put forward the proposal for .sj and .bv.
He set the idea in the context of society's increasing dependence on online services, the growing pressure on privacy, and the Snowden disclosures, which damaged public trust in internet companies.
Originally, the idea was proposed during a privacy seminar arranged by the Norwegian Data Protection Authority (NDPA) and NBT last January. Afterwards, Wium Lie elaborated on his proposal in an article titled A digital Svalbard treaty, published in one of Norway's largest newspapers in June.
In the article, he gave practical examples of where individuals' personal information is in jeopardy: "Several Norwegian municipalities have applied for — and got permission to — use cloud services from Microsoft and Google, which store data abroad. In light of Edward Snowden's disclosures, it seems reasonable that US intelligence agencies have easy access to personal data from the cities of Moss and Narvik [two local authorities that use such cloud services].
"Another type of data leak happens when Norwegian domain names are rented out to foreign organisations. Those who register their personal data in search of their dream partner on the dating site match.no may expect that their data is stored in Norway under Norwegian regulation. Not so. The domain name 'match.no' is registered by a Norwegian law firm, but the users are immediately sent through to 'match.com', which is an American company," he wrote.
Strict privacy rules
Under Wium Lie's proposal, the two unused ccTLDs could be used to establish privacy-friendly zones, and any company that want to use them must sign a legally binding contract with the registrar, guaranteeing the privacy of its services.
These rules, Wium Lie proposes, could stipulate for example that data must be stored in Norway, and so be subject to Norwegian legislation. Personal data would also have to be encrypted when stored, while web servers would have to offer encrypted connections with users to prevent eavesdropping on information in transit. The services could also establish procedures for users to erase personal data, and make sure it isn't possible to track users an ongoing basis. If the service uses cookies, they must be deleted after a certain amount of time, for instance, after one year.
The proposal from Wium Lie is not exhaustive offering a complete set of rules governing all eventualities. However, it's still clear the kinds of services he's envisioning: those where users' privacy comes first and foremost.
Immediate controversy
The Norwegian Technology Council has already started work on Wium Lie's idea. It arranged a public hearing on 10 September, and several bodies offered their reactions to the proposal. Both the hearing notes delivered beforehand and the meeting itself showed that Wium Lie has stirred up controversy: according to the minutes of the event, "the temperature rose" during the meeting.
The NDPA is upbeat about the idea. Bjørn Erik Thon, the data protection commissioner for Norway, wrote on the NDPS' blog that he is positive about the proposal, as "it forces the authorities to rethink things, and with any measures taken to increase people's privacy and information security, no stone can be left unturned in search of better solutions. I think we should do this now," he wrote.
He also wrote that the Ministry of Transportation and Communication has presented strong opposition to the proposal. Thon received a letter from the ministry in July which read: "The ministry does not back any process that has the aim of undermining the notion that .no is a safe and secure domain." NDPA has published the letter in its entirety (in Norwegian) on its blog.
According to Thon, it's an exceptional reaction from the ministry, which has typically proved hard to get involved in other such cases. "This is actually the first time I've ever seen the ministry come actively out in opposition to [this sort of] thinking aloud, without any form of contact beforehand," he wrote.
Valid objections
Others have also raised objections to the proposal. Several parties, including Norid, are worried that it could lead to a 'balkanisation' of the internet — a situation where the internet gets divided in many smaller fractions, with little or no communication across borders.
Others, like Gisle Hannemyr, a researcher and lecturer at Institute for informatics at University of Oslo, pointed out in notes submitted to the Norwegian Technology Council hearing that the existing domain name system (DNS) is a poor tool for security enforcement.
"DNS is one of the most insecure and easy to manipulate mechanisms in the internet's infrastructure. Therefore, it should be the last mechanism one should employ to secure anything that is related to information security and privacy," he wrote. Seen from a technical perspective, it's completely meaningless to connect anything that's based on DNS with any that's related to privacy, he added.
Hannemyr also discussed branding the issue of branding: by using the ccTLD, companies can brand their services as secure. Such initiatives have been unsuccessful in the past, mainly because quality assurance is very hard to maintain, and Hannemyr expressed concern that assurance in this case will become lacking or haphazard over time.
Commercial interests?
Norid's objections may not be entirely based on having the internet's best interests at heart. In a recent press release, Norid said it has been in negotiations with the Dutch domain name authority SIDN on a possible application for the .bv ccTLD.
In the Netherlands, the abbreviation 'bv' means the same as the English 'ltd' — an incorporated company. So, there would be an obvious application of the .bv domain for Dutch companies.
Norid said the talks have been ongoing for some time, and next steps will be decided once SIDN has conducted a market analysis on the potential use of the ccTLD in the Netherlands.
"This idea has also been discussed with Norwegian authorities, and they regard its use of an unexploited domain name resource as a positive addition to the existing domain name market", said Hilde Thunem, managing director of Norid, in a statement.
Top-level domains are scarce resources, and managing them comes with its own costs and overheads. As a state-owned management company rather than an enterprise, Norid may not be best placed to get the best value from the .bv and .sj.
Opening up the .bv ccTLD to Dutch businesses would need to be useful for all parties, not just as an easy cash-cow for Norid. However, Norid would get increased revenues anyway and the funds from .bv would become part of its income, used for the operation and development of Norwegian domain names system.
It is obvious that internet domain name management is a sensitive matter, even in the Arctic backwaters of the internet. Wium Lie's idea has drawn strong reactions; the only certainty in the fate of the .sj and .bv domains is that the last word on the matter has not been said.