The Secret Fight For Your Personal Information
Is Facebook using US courts to create a GDPR backdoor to your data?
Namecheap has a long history of advocating for and protecting our customers’ privacy. We were early champions for your rights, we embraced the GDPR, and we will continue to go above and beyond in fighting for your privacy rights. We refuse to hand over your private information unless the company requesting it has established a legal right to it. For many companies, this is good news and a standard they practice as well. A small group, however, believe they are entitled to your information just because of who they are and because they ask.
Today, we find ourselves in a battle for your privacy with one such company: Facebook.
In this battle, Facebook is fighting for the blanket right to access your information. Should it persuade a US court that it has this blanket right, it will create a backdoor to the GDPR and to your personal information. We cannot, in good conscience, be silent and allow this to happen. We will fight this fight and want to give you the information you may need to understand how Facebook’s arguments attempt to open a door to your personal information. To understand the significance and breadth of the proposed backdoor, you need some context on the GDPR. You also need a little info on the domain industry and ICANN.
GDPR
The General Data Protection Regulation (GDPR) went into effect across the European Union on May 28, 2018, and now covers countries in the EEA. The GDPR is regarded as one of the most comprehensive pieces of privacy legislation in existence. It grants a set of privacy rights to individuals that, among other things, provide you with protections that limit who collects your data, what they do with your data and who they share your data with. To be able to do any of these acts, a company must have one of six legal bases.
Most of the legal bases are obvious, like when you “consent” to let someone collect your data. It also covers when you enter into a “contract” (such as when you buy services) and collecting and processing your information is needed to provide the service to you. Another is when a company is “legally required” to do something that involves your data, such as retain it for a certain period of time when it is required by law. Two more bases include when processing is of “vital interest” to you (i.e. you were in an accident and your doctor needs to share your info) and when there is a “public interest” (which generally covers the collection of data by government agencies for research purposes).
The last legal basis is “legitimate interest.” Legitimate interest is a legal basis one company would use with another company to request your private information. A company cannot use legitimate interest (nor would they) if they could use another legal basis for obtaining your information. And, it is rightly known as the hardest standard to meet because to apply it loosely would have a significant impact on privacy rights and freedoms. That’s why, even if the asking company can meet the standard, it doesn’t give it a right to the data, it only gives a third-party company who has the data permission but not the obligation to share it with the asking party.
The GDPR applies globally. So, regardless of where a company is located, it must comply with the GDPR if it has a customer who is covered by the GDPR.
ICANN
The Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit that, among other things, works with stakeholders in the domain industry to establish policies, procedures, and governing contracts between parties like registries and registrars. When the GDPR went live, it fell to ICANN and its community to create additional contractual terms to enable its community to comply with the GDPR. So, it put together what is called a Temporary Specification (like an addendum to a contract) that covered GDPR and incorporated GDPR language. For our purposes, that included the term “legitimate interest” as a basis for obtaining your personal information, and it adopted the relevant “legitimate interest” GDPR language. Given that the Temporary Specification (Temp Spec) solely covers the GDPR and uses GDPR language, any of its terms must be interpreted using GDPR-related law. It also means that if Temp Spec language is interpreted wrongly, it creates a large-scale, global privacy risk (if not a violation).
Facebook + Privacy + GDPR
Facebook recently started a campaign where it seeks to market itself as a company striving to protect internet users against cybercriminals. In fact, it used this claim when it sued Namecheap because Namecheap refused to hand over its customers’ personal information to Facebook just because Facebook demanded it. In doing so, it is attacking the fundamental right of privacy by attempting to set a dangerous precedent that could expose anyone’s information.
Here’s an important quick aside: Facebook’s claim for a right to the information is based on alleged trademark violations and/or abuse activity related to the alleged trademark infringement.
However, trademark protection is a very specialized legal field. Whether a mark is protected and whether the use of something similar to the mark violates that protection depends on a multitude of factors. This inquiry is complicated by differing laws of differing jurisdictions, both U.S. and foreign. Because it is so specialized, we believe that only a court of law is the proper forum to make a legal determination on whether there has been a trademark infringement and Namecheap (or a similarly situated company) should not have to act as the arbiter of complex facts and laws every time someone claims infringement. And, as I’ll explain later, Facebook does not need your personal information to investigate, act on, and/or enforce an alleged trademark violation in a court of law.
What about a claim of using the alleged mark for abuse? We investigate every allegation of abuse. We believe it’s our responsibility to do so. We also believe in due process. So, if there isn’t evidence of abuse, the person should not be treated as though it was committed. It’s simple. If abuse is confirmed, services are suspended. The process of investigating an alleged abuse does not require the blanket release of a person’s personal information to Facebook, or any other complainant. It requires either evidence provided by Facebook and/or our ability to independently verify the abuse.
Facebook’s Position on Trademarks
In Facebook’s lawsuit, it repeatedly claims that Namecheap (plus all other registrars) “MUST” turn over your confidential information to them. Why? Because they have a “legitimate interest.”
In its stance that it has a right to your information, Facebook is asking the court to focus only on the language of ICANN’s Temp Spec for “legitimate interest.” Their argument does not include GDPR interpretations of what constitutes “legitimate interest”. It is simply a blanket statement: we have a “legitimate interest.” Yes, that’s it. On that statement alone, Facebook contends that your data should be turned over to it. No court order or subpoena required. Facebook filed its case and is making this argument in a US court.
But, remember, the Temp Spec is wholly based on the GDPR. Indeed, its language refers specifically to the GDPR. Yet, in Facebook’s court filings, it specifically omits the GDPR reference and also omits that the Temp Spec language includes that a company cannot provide the information to Facebook where Facebook’s “interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder or data subject…” (by the way, this is the GDPR language as well).
What Does This Mean?
It means that, when looking at the Temp Spec and what is considered a “legitimate interest,” parties are both contractually and legally required to follow the relevant GDPR law. For “legitimate interest” that means that: 1) Facebook must have a specific purpose; 2) the data they request must be necessary for that purpose; and 3) there can’t be a less intrusive means to achieve the same purpose. It does not mean that Facebook meets the standard of “legitimate interest” just because it says so. In fact, at least as it relates to a domain’s Registered Name Holder personal information, Facebook will always fail the “legitimate interest” standard.
Here’s why:
Facebook’s possible purposes for using the data (all related to its trademarks) are:
- To contact the Registered Name Holder directly
- To file a lawsuit (to enforce their trademark)
- To file a UDRP (which is like a lawsuit and used to enforce a trademark)
Facebook does not need your private information to accomplish any of these objectives. It is, thus, not “necessary.” There are established (anonymous) methods to directly reach a Registered Name Holder. And, Facebook can file a lawsuit or UDRP using a domain name/John Doe. Because there are ways to do these things without your data, it also means that there are clearly less intrusive means for Facebook to achieve the same result.
This bears repeating: Facebook does not need your private information to exercise any of these trademark actions.
Is This Important to Your Privacy? It’s Very Important.
If a court agreed with Facebook’s argument regarding the meaning of ICANN’s Temp Spec language for “legitimate interest,” the result would be that Facebook doesn’t have to meet the GDPR’s standards for disclosing your information and it means that companies (like Namecheap) are required to hand over your information to them.
Even if Facebook’s motives are altruistic, the motive is irrelevant because such a decision would open the door for everyone to make this same claim to your data. The implications of such a decision are astounding. First, it would be US law interpreting a contract that is meant to provide compliance with another country’s law. Meaning, ICANN-covered companies would be required under the Temp Spec to turn over information to Facebook despite the fact that Facebook is prohibited by the GDPR from receiving that information. Second, it would have ramifications across the entire domain industry that is governed by ICANN. This means Facebook could demand information (without court order, without subpoena, without meeting any legal standard) just because it claimed to have a “legitimate interest.” And, so could anyone and everyone who makes this same claim.
Most importantly, this tactic would create an end-run on not only your privacy, but the GDPR itself. Instead of being the hardest legal standard to meet, “legitimate interest” becomes the free pass for anyone who wants to use it, in particular Facebook. And, it would break wide-open unrestrained access to your private information — whether you are covered by the GDPR or not. Such a decision would open the door to your data for basically anyone who requests it with a very limited burden of proof.
Does Facebook really care about protecting you from cybercrime or are their recent efforts their newest Trojan Horse to get personal data that Facebook doesn’t have a right to have? We think it is the latter. What do you think?
Firstly, thank you very much for this detailed information.
Second: As you all see, I use Facebook OAuth to comment.
Third: That would be a very dangerous precedent. I haven’t trusted Zuckerberg for a long time. Recall the Cambridge Analytica scandal – they announced it, not when they had found out about it, but when it reached the media.
Fourth: As an EU citizen, and though you are an American company, I think the EU court will definitely take a stand. However, I don’t think it would have any influence over the pond.
Thank you once again!
Thanks for your comment and your support. Our comments section uses social media profiles for easy login options, and we will consider other options in addition to (or instead of) Facebook for the future. Thanks again!
Please add a subscriber option for signing up on this blog. Fighting against Facebook using a Facebook account is messy.
You can use the subscriber option in the WordPress engine.
Yes, as a matter of fact, I like to protect my data/information from Facebook. I personally think that all domain providers should join hands on this issue.
I want my information/data to be protected no matter what.
Hence I would like to say that privacy is my birthright.
We are with you guys.
Yes, amusing that I had to log in with FB in order to comment on this issue. How do we help protect our privacy long term? I would financially support legal efforts to stop them from accessing our information. I’m sure many would.
Many of us in the know do not call it Stasibook for nothing.
Hello Richard, thank you for informing us on the situation, since the average person such as myself does not follow these types of things as closely as we’d like. I’ve been a customer for close to a decade. I came here because I was angry at GoDaddy but stayed because of the great customer service. Cheers!
Thank you very much for this useful information.
To be honest, I suspected that FB was “preparing” some other ways to get into our privacy more than it has done until now.
I’m Italian and I’m speaking for my side: FB at the moment is everything except a social network.
Loads of fake jobs pointing to selling sites too cheap to be real, advertising everywhere... but you have to be careful what you type.
Most things you could do in another place (such as editing profile, settings, preferences) are hidden, or you have to try to gain access through loads of tiring steps.
If they are now trying to get access to our personal information by asking hosting providers directly, I can’t believe what they have done before without any proclamation.
PS (if useful): when trying to log in with the login link I got a “forbidden” message on the page. Thx again!
Firstly, Thank You very much
Thanks for this article and for informing us how Facebook wants to control everything. They should stay in their lane. If there were such trademark infringements, go to the courts.
Facebook is free but makes business with free data.
Thanks, Namecheap, for bringing this to the notice of everyone. They certainly have no right to access the data for the sake of saying “legitimate interest”. It’s a backdoor. We hope you will win this and will gain more users’ trust over the period of time.
Couldn’t this at least partially be solved by placing the accounts of EU- and perhaps all non-US residents in a subsidiary company incorporated in the EU? Of course it doesn’t address the possible implications for other users.
The notice about this is much appreciated, I had no idea about it.
I wanted to Login/Register naturally, but the page is broken 🙁 So I am forced to use FB, hopefully the other integrations (twitter, etc) come sooner rather than later 🙂
Thank you for laying out some information and things Facebook has/is doing… I hardly use it and at this point share mostly useless things (in terms of my data). I may make one last big post trying to inform others, as I have never agreed with Facebook (and try to avoid using their products in general).
I feel so ignorant. Facebook has been a headache for me. I had a page with them that helped to raise the consciousness of people. I had a lot of followers (thousands) and it was having a positive impact in their lives. One day Facebook considered it inappropriate and I wasn’t able to post information again.
They only have robots or computer systems to address customer service, not humans to discuss these important matters. I want to know if there is a way, a legal way, to address these types of injustices?
OK, but… how can we help? Is there any option? We can’t simply wait… we should do something about it, eh?
Thank you Richard and your team for the fight. Keep it up.
Facebook may have the power to fight and do a lot but can’t be allowed to play god over our private information.
At one point in my career, a number of projects required that I work with the APIs of a number of social media platforms. Of those I worked with, Facebook was willing to give API users the most information on its users with the least requirements. I didn’t really trust them before that, but I really haven’t trusted them since.
Facebook and Google are enemies of privacy all around. These companies have made billions exploiting us for this data. You don’t have to agree to anything, but then you can’t use their services. That can leave people highly disadvantaged in certain circumstances relative to their peers who can use Google and Facebook services because they were willing to forego their privacy.
Now they are trying to take your data without even giving you the option to deny access? We saw with the end of the last Presidency that tech companies are effectively higher than the US government. That was just the first of many examples to come. Let’s hope that the EU does get involved here in this case and sticks up for what’s right.