Statement Name: IAG Initial Report and Proposed Revisions to the ICANN Procedure for Whois Conflicts with Privacy Laws

Status: No Statement (the ALT decided that Holly Raiche would submit a personal Statement on this topic)

Assignee(s):

Main penholders: Holly Raiche, Carlton Samuels

Assisted by: Christopher Wilkinson

Comment Close Date, Call for Comments Open, Call for Comments Close, Vote Open, Vote Close, Date of Submission, Staff Contact and Email, Statement Number: n/a


 

FINAL VERSION TO BE SUBMITTED IF RATIFIED

The final version to be submitted, if the draft is ratified, will be placed here by upon completion of the vote. 



FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC

The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.

 


FIRST DRAFT SUBMITTED

The ALAC does not support the Implementation Advisory Group’s proposed alternative ‘triggers’. The whole policy framework on which the ‘triggers’ are based is contrary to the growing body of international law on data protection. Instead, the ALAC supports the ‘Minority Views’ of Stephanie Perrin and Christopher Wilkinson and their alternative proposals to address the Whois conflicts issues.

The original goal of this policy (concluded by the GNSO in November 2005) was to develop procedures that could reconcile mandatory laws on data protection with the requirements on registries and registrars under contract with ICANN for the collection, display and distribution of WHOIS personal information.   

Unfortunately, the Task Force charged with implementing the policy adopted a ‘solution’ that is virtually unworkable and has never been used.  Under the ‘solution’ the registrar/registry should notify ICANN within 30 days of situations (an inquiry, litigation or threat of sanctions) when the registry/registrar can demonstrate that it cannot comply with WHOIS obligations due to local or national data protection laws. 

There are two fundamental reasons why the policy is unworkable. The first is the bizarre requirement that registrars and registries must seek ICANN permission to comply with their applicable local laws. The second obvious flaw is that registrars/registries must wait until there is an ‘inquiry or investigation’ of some sort before the process can be triggered.

This Implementation Working Group (IWG) was formed to ‘consider the need for changes to how the procedure is invoked and used’. The difficulty with that approach is that it does not address the basic flaws in the processes proposed: it still assumes that ICANN has a role in determining registry/registrar compliance with applicable local law, and it still believes that the solution lies in legal events that ‘trigger’ a resolution process.

The IWG report proposes an ‘Alternative Trigger’ (Appendix 1) or a Written Legal Opinion (Dual Trigger) (Appendix 2). Of the two proposals, the Alternative Trigger process is far simpler and preferable. Indeed, the language suggests that the process might be used to reconcile ICANN WHOIS requirements with relevant data protection law more generally, and not just on a case by case basis.

There are, however, difficulties with the Alternative Trigger proposal, as follows.

  • It relies on advice from law firms (whose advice would not bind the relevant data protection agency), or on data protection agencies themselves (who are most often reluctant to provide such advice)
  • The onus is on individual registries/registrars to invoke the process.  There are many smaller registries/registrars that would not have the resources to fund such advice, particularly if it is needed on a case by case basis
  • Because laws/regulations on the handling of personal information vary from area to area (whether national or regional), different registries/registrars will be bound by different sets of requirements – in order to comply with the same contractual terms
  • It is also not clear why GAC advice is included in both proposed ‘triggers’. The expertise of individual GAC members relates to ICANN’s remit: domain names, IP addresses and protocols - not data protection laws.

The ALAC supports both of the proposals made by Christopher Wilkinson (Appendix 4), which address the issues raised. His first proposal is – at the least – a ‘block exemption’ for all registries/registrars in the relevant jurisdiction. This would eliminate the ‘case by case’ approach to the issue and provide certainty for all registries/registrars (whether large or small) in that area.

His second proposal - a better approach - is his call for a ‘best practice’ policy on the collection, retention and revealing of WHOIS information.  This would ensure that, regardless of the jurisdiction of the registrar/registries – and registrants – all would receive the same privacy protection.


8 Comments

  1. Comment from Carlton Samuels sent to the penholder group on 9 October 2015 at 15:03 UTC 

    ==

    CW:

    Here's my idea of a statement:

    ----------------------------------------------------------------------

    The ALAC remains troubled by the facts of this IAG-WHOIS Conflicts process and their implications.

     

    On principle, we cannot accept this insistence that on its face, members of the community are obliged to become scofflaws and violate national privacy laws under colour of contract. 

     

    These procedures result in users in some places being stripped of rights and dragooned into regimes of unequal protection, market distortions, service degradation and, eventually, disconnection from the ICANN community. In fact, the procedures being adopted have the potential to create unequal market conditions in a single country, depending on the registrar and their connections in contract. 

     

    The time has come for this procedure to see the sunset.  Recent developments on the Safe Harbour arrangements [add link here to recent EU Supreme Court ruling] between the European Union and the United States screams guidance. We strongly advise ICANN to move with deliberate speed to a new regime where privacy rights of all users are equally protected and recognized in contract and practice.

    ---------------------------------------------------------------------------------

     

    -Carlton

  2. I agree with Carlton's sentiments: the IWG was being asked to improve a procedure that is basically flawed.  My suggestion below is to explain why the whole premise on which the IWG works was flawed and why both of the 'solutions' are flawed. Instead, we should step back and come up with something that comes closer to recognising the basic contradiction between privacy laws and WHOIS requirements. 

     

    My suggested text:

    The ALAC has deep concerns with the Implementation Advisory Group’s proposed alternative ‘triggers’ and supports the ‘Minority Views’ of Stephanie Perrin and Christopher Wilkinson.

     

    The original goal of this policy (concluded by the GNSO in November 2005) was to develop procedures that could reconcile mandatory laws on privacy with the requirements on registries and registrars under contract with ICANN for the collection, display and distribution of WHOIS personal information.   

     

    Unfortunately, the Task Force charged with implementing the policy adopted a ‘solution’ that is virtually unworkable and has never been used.  Under the ‘solution’ the registrar/registry should notify ICANN within 30 days of situations (an inquiry, litigation or threat of sanctions) when the registry/registrar can demonstrate that it cannot comply with WHOIS obligations due to local or national privacy laws. 

     

    There are two fundamental reasons why the policy is unworkable. The first is the bizarre outcome that registrars and registries must seek ICANN permission to comply with their applicable local laws. The second obvious flaw is that it means registrars/registries must wait until there is an ‘inquiry or investigation’ etc. of some sort before the process can be triggered.

     

    This Implementation Working Group (IWG) was formed to ‘consider the need for changes to how the procedure is invoked and used’. The difficulty with that approach is that it does not address the basic flaws in the processes proposed: it still assumes that ICANN has a role in determining registry/registrar compliance with applicable local law and it still believes that the solution lies in legal events that ‘trigger’ a resolution process.

     

    The IWG report proposes an ‘Alternative Trigger’ (Appendix 1) or a Written Legal Opinion (Dual Trigger) (Appendix 2). The Alternative Trigger process is far simpler and preferable. Indeed, the language suggests that the process might be used to reconcile ICANN WHOIS requirements with relevant privacy law more generally, and not just on a case by case basis.

     

    There are, however, difficulties with the Alternative Trigger proposal, as follows.

    • It relies on advice from law firms (whose advice would not bind the relevant privacy agency), or on agencies themselves (who are most often reluctant to provide such advice)
    • The onus is on individual registries/registrars to invoke the process.  There are many smaller registries/registrars that would not have the resources to fund such advice, particularly if it is needed on a case by case basis
    • Because laws/regulations on the handling of personal information vary from area to area (whether national or regional), different registries/registrars will be bound by different sets of requirements – in order to comply with the same contractual terms
    • It is also not clear why GAC advice is included in both proposed ‘triggers’. The expertise of individual GAC members relates to ICANN’s remit: domain names, IP addresses and protocols.

     

    The ALAC supports both of the proposals made by Christopher Wilkinson (Appendix 4), which address the issues raised. The first is – at the least – a ‘block exemption’ for all registries/registrars in the relevant jurisdiction. This would eliminate the ‘case by case’ approach to the issue and provide certainty for all registries/registrars (whether large or small) in that area. 

     

    A better approach is his call for a ‘best practice’ policy on the collection, retention and revealing of WHOIS information.  This would ensure that, regardless of the jurisdiction of the registrar/registries – and registrants – all would receive the same privacy protection.

  3. This could work.  I would add a 2nd declaratory to the first paragraph for effect:

    "To be clear, the ALAC holds this policy framework is wholly misguided. We now declare it is untenable to support it, going forward."

    I still truly believe that we should state the objective up front so that the Board or anybody else need not go through the weeds - where the justification is outlined - to see what is decided.

     

    -Carlton 

  4. As said multiple times (e.g. in 2011), the concept of local law and Whois can be reconciled.

    The essential aspect for me is the question of whether Whois must be operated at all. If so, how can it be run in a legal way all over the world? This proposal would even solve the problem of Whois accuracy:

    •  Just because technicians originally found it useful to query their private address books on a mutual basis, this practice should not be considered a base component of the Internet by intellectual property holders and law enforcement agencies. On the contrary: its legality and appropriateness must be checked given the changed conditions since 1978.

    • Whois data collection lacks a formal international foundation, and is sometimes in direct conflict with national legislation. German data protection law, for example, prohibits the collection of this data outright, since no specific purpose is present. Injecting such data into central databases and permitting public, unrestricted access is not even considered.

    • Although the demand for specifying a concrete, directly accessible contact person (responsible for maintaining the stability of the resource in the network) makes up the core idea of Whois, proxy services are allowed almost everywhere. Such a proxy service is a placeholder for the actual person in the Whois, but hands out the correct data only on request in individual cases and with the consent of the person concerned. The simultaneous demand for direct contact in an emergency and authorization of proxy services is inconsistent and makes Whois services senseless.

    • The data in the Whois are worthless for the purpose of law enforcement. Serious criminals simply do not register their Internet resources under their real names; they usually use stolen credit cards and forged identities. Thousands of network operators cannot be expected to carry out identification procedures which resist organized crime. But it is also naive to assume that the criminals do not own the ISP or registrar directly or indirectly. For organized crime any successor of Whois must fail.

    • At the At-Large Summit in Mexico, law enforcement clearly explained that they need to go all the way down from the IANA, through the registries, and down the reseller chain to the end users (for domains and IPs) in order to obtain reliable information. Whois helps them only in the initial orientation and in determining the registry.

    • The data in the Whois cannot be used by law enforcement agencies. In lighter crime the current Whois databases are often the only data source on which investigators can rely, because e.g. fraud worth a few bags of Euros does not justify a preliminary identification of all users. For light crime a system like Whois would simply be unconstitutional in most countries.

    • Data collection in the Whois quickly becomes obsolete. Transferring personal data of network subscribers into external databases creates a divergence between the accurate, current data and the initial copy made at the first registration. The effort to keep this data always in sync is substantial, unless one would immediately call for direct public access to the CRM systems of the providers or a full copy of this data in a timely manner. (Local LEAs do grant themselves such direct access to the ISP databases.) Public insight into the business data of corporations is not even being considered in any other industry.

    • Registration of sub domains and assignment of individual addresses are excluded from any Whois service in practice. Formally speaking, non-inclusion in the Whois in order to protect the customer or to save resources is not permitted by the current Whois design. This invalidates much of the potential use of Whois.


    In short: Whois is data retention of all Internet participants worldwide, permanently.

    My proposal can therefore only be:

     

    • Determine the actual, real use cases of Whois.
    • Evaluate these usage patterns with respect to the remit of ICANN.
    • Should the review identify legitimate and worthy forms of use, the Whois service's "thick" approach with central databases should be transformed into a very "thin" approach with references, resulting in a distributed database run by the individual operators. Data would be queried where it is kept up to date and enjoys the protection of national laws. (Example below.)
    • Should the review not show any legitimate use case, or show an excessive amount of abuse, the Whois service and all of its successors should be cancelled.


    Example of thin Whois.

    $ whois -h whois.iana.org www.apple.com

    refer:        whois.verisign-grs.com
    domain:       COM
    organisation: VeriSign Global Registry Services
    address:      12061 Bluemont Way
    address:      Reston Virginia 20190
    address:      United States
    (Notice the correct contact details, NOT the holder)

    $  whois -h whois.verisign-grs.com www.apple.com
       Domain Name: APPLE.COM
       Registrar: CSC CORPORATE DOMAINS, INC.
       Sponsoring Registrar IANA ID: 299
       Whois Server: whois.corporatedomains.com
    (Notice the correct contact details, NOT the holder)

    $ whois -h whois.corporatedomains.com apple.com

    Domain Name: apple.com
    Registrant Name: Domain Administrator
    Registrant Organization: Apple Inc.
    Registrant Street: 1 Infinite Loop
    Registrant City: Cupertino
    (Notice the correct holder)

     

    And please notice that all this data is queried from the directly responsible servers, under the local law that the company providing the service has to follow. So the output and the collected data might vary.

     
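The referral chain in the transcript above (IANA refers to the registry, the registry refers to the sponsoring registrar, the registrar holds the registrant data) is what makes a "thin" Whois distributed. The following is an added example, not code from the comment or from any ICANN project: a small referral-following client that works offline against constructed responses modelled on that transcript. Real WHOIS (RFC 3912) is a plain-text query over TCP port 43; the network is replaced here by a dict of server -> response, and the assumed referral field names ("refer:" at IANA, "Whois Server:" at the registry) are the ones visible in the transcript.

```python
"""Follow a thin-WHOIS referral chain offline.

Added example, not part of the original page. The network fetch is
replaced by a constructed lookup table so that it runs stand-alone;
swap in a real RFC 3912 port-43 client via the `fetch` parameter.
"""
import re

# Constructed sample responses, modelled on the whois transcript in the
# comment above (abbreviated; only the fields the chain needs are kept).
SAMPLE_RESPONSES = {
    "whois.iana.org": (
        "refer:        whois.verisign-grs.com\n"
        "domain:       COM\n"
        "organisation: VeriSign Global Registry Services\n"
    ),
    "whois.verisign-grs.com": (
        "   Domain Name: APPLE.COM\n"
        "   Registrar: CSC CORPORATE DOMAINS, INC.\n"
        "   Sponsoring Registrar IANA ID: 299\n"
        "   Whois Server: whois.corporatedomains.com\n"
    ),
    "whois.corporatedomains.com": (
        "Domain Name: apple.com\n"
        "Registrant Name: Domain Administrator\n"
        "Registrant Organization: Apple Inc.\n"
        "Registrant Street: 1 Infinite Loop\n"
    ),
}

# Field names (assumed, lowercased) that carry a referral to a more
# specific server. A response with none of them is the end of the chain.
REFERRAL_KEYS = ("refer", "whois server", "registrar whois server")


def parse_fields(text):
    """Parse 'Key: value' lines into a dict keyed by lowercased field name.

    The lazy match stops at the first colon, so values that themselves
    contain colons (URLs, times) are kept whole.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields


def next_server(fields):
    """Return the referred-to whois server named in `fields`, or None."""
    for key in REFERRAL_KEYS:
        if fields.get(key):
            return fields[key].lower()
    return None


def follow_referrals(query, start="whois.iana.org", fetch=None, max_hops=5):
    """Walk the referral chain from `start` and return [(server, fields), ...].

    `fetch(server, query)` returns the raw response text; the default
    reads the constructed table. The walk stops when a response carries
    no referral, when a server repeats (referral loop), or after
    `max_hops` responses, so a misbehaving server cannot spin it forever.
    """
    if fetch is None:
        fetch = lambda server, q: SAMPLE_RESPONSES.get(server, "")
    chain, seen, server = [], set(), start
    while server and server not in seen and len(chain) < max_hops:
        seen.add(server)
        fields = parse_fields(fetch(server, query))
        chain.append((server, fields))
        server = next_server(fields)
    return chain


if __name__ == "__main__":
    for server, fields in follow_referrals("apple.com"):
        print(server, "->", next_server(fields) or "(authoritative, no referral)")
```

Each hop answers only for what it is responsible for, and only the last server, operating under its own jurisdiction's law, returns registrant data; the loop guard matters because a referral that points back up the chain is a realistic failure mode when servers are misconfigured.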

  5. Lutz and Carlton are both right. Lutz called for a wholesale review of Whois - which was done by the EWG. And they came to the same conclusions as Lutz, Carlton, I and anyone else in ICANN (and outside) who recognises the basic contradictions between making all personal contact information of registrants publicly available and the growing body of international privacy law.

     

    That said, we still need to respond to this specific call for comment. What I have tried to do in my draft response is point out why it is difficult to support the IWG's proposed 'solutions'. In the end, I propose ALAC support for the least worst option - while pointing to its problems as well.

     

    I also understand Carlton's suggestion for another sentence to my text - even the proposed alternative is less than satisfactory: it is - again - the least worst option.  So my revised proposed text is as follows:

     

    The ALAC does not support the Implementation Advisory Group’s proposed alternative ‘triggers’. The whole policy framework on which the ‘triggers’ are based is contrary to the growing body of international law on data protection. Instead, the ALAC supports the ‘Minority Views’ of Stephanie Perrin and Christopher Wilkinson and their alternative proposals to address the Whois conflicts issues.

     

    The original goal of this policy (concluded by the GNSO in November 2005) was to develop procedures that could reconcile mandatory laws on data protection with the requirements on registries and registrars under contract with ICANN for the collection, display and distribution of WHOIS personal information.   

     

    Unfortunately, the Task Force charged with implementing the policy adopted a ‘solution’ that is virtually unworkable and has never been used.  Under the ‘solution’ the registrar/registry should notify ICANN within 30 days of situations (an inquiry, litigation or threat of sanctions) when the registry/registrar can demonstrate that it cannot comply with WHOIS obligations due to local or national data protection laws. 

     

    There are two fundamental reasons why the policy is unworkable. The first is the bizarre requirement that registrars and registries must seek ICANN permission to comply with their applicable local laws. The second obvious flaw is that it means registrars/registries must wait until there is an ‘inquiry or investigation’ etc. of some sort before the process can be triggered.

     

    This Implementation Working Group (IWG) was formed to ‘consider the need for changes to how the procedure is invoked and used’. The difficulty with that approach is that it does not address the basic flaws in the processes proposed: it still assumes that ICANN has a role in determining registry/registrar compliance with applicable local law and it still believes that the solution lies in legal events that ‘trigger’ a resolution process.

     

    The IWG report proposes an ‘Alternative Trigger’ (Appendix 1) or a Written Legal Opinion (Dual Trigger) (Appendix 2). Of the two proposals, the Alternative Trigger process is far simpler and preferable. Indeed, the language suggests that the process might be used to reconcile ICANN WHOIS requirements with relevant data protection law more generally, and not just on a case by case basis. 

     

    There are, however, difficulties with the Alternative Trigger proposal, as follows.

    • It relies on advice from law firms (whose advice would not bind the relevant data protection agency), or on data protection agencies themselves (who are most often reluctant to provide such advice)
    • The onus is on individual registries/registrars to invoke the process.  There are many smaller registries/registrars that would not have the resources to fund such advice, particularly if it is needed on a case by case basis
    • Because laws/regulations on the handling of personal information vary from area to area (whether national or regional), different registries/registrars will be bound by different sets of requirements – in order to comply with the same contractual terms
    • It is also not clear why GAC advice is included in both proposed ‘triggers’. The expertise of individual GAC members relates to ICANN’s remit: domain names, IP addresses and protocols - not data protection laws.

     

    The ALAC supports both of the proposals made by Christopher Wilkinson (Appendix 4), which address the issues raised. His first proposal is – at the least – a ‘block exemption’ for all registries/registrars in the relevant jurisdiction. This would eliminate the ‘case by case’ approach to the issue and provide certainty for all registries/registrars (whether large or small) in that area. 

     

    His second proposal - a better approach - is his call for a ‘best practice’ policy on the collection, retention and revealing of WHOIS information.  This would ensure that, regardless of the jurisdiction of the registrar/registries – and registrants – all would receive the same privacy protection.

  6. I support this text.

     

    Carlton

  7. Thank you Holly,

    But I do not like your conclusion: you are asking for the "same privacy" for "all participants". But this contradicts the different local regulations, so the obvious consequence is that not everyone has the same rights worldwide.

    Just accepting the fact of regional differences leads to a solution which respects local laws by distributing the data instead of centralizing it, hence a thin Whois.

    The "same rules for everyone" approach is common in civil society (especially at ICANN), but it requires a common world law.

  8. I agree with your statement of the problem.  But the problem is the one that Christopher pointed to - the same contractual words will apply differently in different jurisdictions. 

    As I suggest however, my recommendation is support for either of his options: the first is that the same rules apply for all registries/registrars in the relevant area, and the second - what you are commenting on - the requirements on registries/registrars are the same for all gTLDs.  Either one is better than what is being proposed.