Comment Close Date: 07.07.2015
Statement Name: GNSO Privacy & Proxy Services Accreditation Issues Working Group Initial Report
Status: ADOPTED 13Y, 0N, 0A
Assignee(s): Holly Raiche, Carlton Samuels
Call for Comments Open:
Call for Comments Close:
Vote Open / Vote Close / Date of Submission: 06.07.2015, 09.07.2015
Staff Contact and Email: Mary Wong
Statement Number: AL-ALAC-ST-0715-02-01-EN


FINAL VERSION TO BE SUBMITTED IF RATIFIED


FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC

The final draft is provided in both Word and PDF formats. 


FIRST DRAFT SUBMITTED

Draft Response to Initial Report of PPSAI 

The ALAC welcomes the opportunity to respond to the Initial Report of the Privacy and Proxy Services Accreditation Issues (PPSAI) Working Group.

The ALAC’s response is grounded on four general principles that we believe must drive development of the Specification:

  • The protections provided in the final Specification should not be less than those required under the Interim Specification.
  • There should be no discrimination in access to privacy and proxy services between natural and legal persons, provided the rules developed apply equally across all classes.
  • A balance must be struck between the legitimate privacy rights of individuals and the legitimate needs of law enforcement and others in determining when, and in what circumstances, a privacy or proxy service customer’s personal information will be revealed or published.
  • The Specification must not be so onerous that it has a chilling effect on users’ access to privacy and proxy services.

The ALAC’s responses to the specific questions raised in the Issues Report are as follows:

When must contact requests to the customer be forwarded to the P/P customer?

We agree that all contact requests must be forwarded including:

  • those required under the RAA and those from ICANN;
  • all requests from law enforcement agencies and other third parties alleging domain name abuse.

We hold that requests from law enforcement agencies and ‘other third parties alleging domain name abuse’ should include government agencies (in the jurisdiction of the p/p provider) charged with the regulation of potentially criminal behaviour such as fraud and/or consumer depredations such as misleading and deceptive conduct in that jurisdiction. 

It should be left up to individual p/p providers as to whether other contact requests are forwarded (possibly excepting spam, etc.). We recommend that the classes of contact requests that will be forwarded be clearly stated and published in the provider’s terms of service.

Should or must the provider forward further request(s), at whose cost, and should there be a limit on the number of requests?

In everyday life, individuals are not required to respond to any communication, whether by post, telephone or other electronic means. Communication through the Internet should not be treated differently.

In response to this question, it should be left up to the individual provider as to the circumstances in which a contact request will be forwarded by other means. Equally, it should be left to the provider as to whether they are prepared to use other means to contact the customer and whether they are prepared to absorb the costs. In general terms, however, the cost should fall on the party making the contact request.

In any event, persistent failure to reach a customer by the means properly noted in the terms of service should trigger re-verification of the customer’s contact details by the provider, in keeping with the existing terms of the RAA.

If the matter involves potentially serious criminal behaviour or serious misuse of the DNS, law enforcement agencies can become involved.  In other cases, dispute resolution processes such as the UDRP can be used.

Should it be mandatory for accredited P/P service providers to comply with express requests from LEA in the provider’s jurisdiction not to notify a customer? 

Yes.

Should there be mandatory publication for certain types of activity e.g. malware/viruses or violation of terms of service relating to illegal activity?

If misuse of the DNS and/or illegal activity has been proven, most likely other and more severe responses will have been made including termination of use of the domain name by the party providing the privacy or proxy service.

Other questions raised in an Annex to the report include the following:

What (if any) should the remedies be for unwarranted Publication?

Once personal details have been made known, either to an individual requestor or more broadly published, the damage has been done. Depending on the facts of each case, there may be compensation for damage caused by a breach of contract through civil means. ICANN Compliance must be notified, since such a breach may also amount to a breach of the Specification.

Should requestors be allowed to escalate every request to a 3rd party forum, or should the WG develop standards and thresholds?

Again, it should be up to individual providers on how they handle contact requests from third parties, as long as the customer is informed of the individual provider’s policies on this issue. 

Finally, one issue that was not addressed in the Issues Report, but is of concern to the ALAC, is compliance with the Specification. Under the 2013 RAA, registrar compliance with the Specification is required, and, through the registrar, compliance by its affiliates and resellers.

Proxy services can be provided by a registrant who, in turn, licenses the use of the domain name to their customer and it is the registrant’s details that appear in the Whois database rather than the proxy service customer.  In those circumstances, it may be possible for registrars (and their affiliates and resellers) to include in contracts with their customers (registrants), a requirement that if the registrant provides a proxy service, they will comply with the Specification.  In that way, enforcement of specification requirements can be through that contractual arrangement.


26 Comments

  1. To formalize what I said in regard to EXISTING rules prohibiting mass marketing emails, in the hope of inserting this as a development objective for ICANN.

    The RAA states (and has ALWAYS stated):

    "3.3.5 In providing query-based public access to registration data...Registrar shall permit use of data it provides in response to queries for any lawful purposes except to: (a) allow, enable, or otherwise support the transmission by e-mail, telephone, postal mail, facsimile or other means of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers"

    As I stated, ICANN has yet to create an enforcement mechanism to deal with this. Please, do not accept that it is "impossible", it is completely possible. ICANN can build and maintain a rather straightforward scheme for analyzing and then addressing UCE sent to WHOIS contacts.

    1. I appreciate the concern, but the issue you raise is about breach of the RAA and actions that should be taken by ICANN for breach of the RAA. This is about the issues report on the p/p specification - which is not about misuse of Whois data, but rather, about the terms and conditions under which a requestor should have access to Whois data that is held by the p/p provider.

      1. Holly,

        What I'm getting at is the core of the issue. Having P/P in the first place is presumably about protecting the registrant from some kind of abuse. If we actually enforce rules about misuse of the data this lessens the burden of having to hide it. Give teeth to the enforcement and mis-users will be less likely to request access to the data when the situation does not merit it.

        -Garth

        1. Garth

          Misuse of the data is not the only reason registrants use p/p services - which I know you know. And many of those reasons are not about hiding from misuse - they are about legitimate corporate behaviours, as well as about well-grounded fear by individuals/groups (e.g., women's shelters, human rights groups in hostile environments) that would use p/p services whether or not there is adequate enforcement of rules against misuse of the data. So proper enforcement against misuse for scamming, etc. will not deal with those issues.

          That said, if you think the mention of enforcement should be strengthened, please suggest text

          Holly

  2. One issue that seems to not be addressed by our statement is the use of P/P for commercial purposes.

    In my opinion, we should clearly say that we see the need in some legitimate cases, but also have consumer protection concerns where a company is doing business over the Internet and provides no information as to their real identity or physical whereabouts, thereby not providing consumers with the normal tools available to them in the case of mis-representation, bad service or fraud.

    1. The issue is addressed when it says:

      We hold that requests from law enforcement agencies and ‘other third parties alleging domain name abuse’ should include government agencies (in the jurisdiction of the p/p provider) charged with the regulation of potentially criminal behaviour such as fraud and/or consumer depredations such as misleading and deceptive conduct in that jurisdiction.

      It would be too difficult to manage access to Whois data held by a p/p provider for every aggrieved consumer alleging fraud. That is the thought behind not arguing for individuals to have access to Whois data in such circumstances.

      But I absolutely agree that the need for Whois data goes well beyond just law enforcement/security agencies and should also apply to corporate and consumer regulators for instances of fraud, or misleading and deceptive conduct.  That is why we are arguing for access to the Whois data held by the p/p provider beyond just law enforcement/security to other government agencies that are tasked to address fraud or deceptive conduct - generally against the law.  I'm not sure I'd lump that with bad service since, while unpleasant for the customer, generally is not (sadly) against the law.


  3. Holly, I agree that following up on every consumer request is unreasonable, but perhaps there is another path. As guardians of the user (i.e. consumer), I don't think we can not even mention it.

    Without even an indication of where the registrant is, it would be impossible to refer it to the appropriate consumer agency.

    1. I take your point - but am not clear how having individuals have access to the data helps. In Australia, the complaint would be made to our Australian Competition and Consumer Commission - and they use the Whois data to track down the miscreant. And because they are a Government agency, they can use their status to follow up with our own law enforcement agencies to track down the site. That is likely to be far more successful than an individual trying to get redress from the miscreant who deliberately does not leave contact details.

      That said, what wording do you suggest for 'another path'?

      1. Example of Australia is good. And IF I know the company is in Australia, I may have a path forward. But at the moment, I do not know if it is in Montreal, Brisbane or Shanghai. THAT is a problem.

        I'm not proposing an answer, just making the case that it needs to be considered by the PDP-WG. Part of a possible answer is that there may be different rules for a company using a P/P service if it is doing business under that domain name. That is a very different situation from a lawyer setting up a domain name to protect the identity of a company about to launch a product. But I do not understand enough of the nuances to propose a good answer. But that does not mean we should not raise it.

        1. And I am happy to raise it - again. This is one of the very many tricky issues that have been gone over, and over, in the WG discussions. In Europe, apparently, there is a solution because it is against the law for trading corporations not to have full and accurate contact details on their website. That said, because the laws differ between countries (or don't exist) it doesn't have an easy fix. Happy to try again.

          1. Thanks. 

            To be clear, regardless of whether we get what we want, I think we have an obligation to raise the issue as it is a crucial one on behalf of those who we represent. The European law is great. We cannot enforce content on the websites using domain names granted on gTLDs, but we can try to ensure that obfuscating their contact info is either not allowed or more difficult.

      2. The standard is when the p/p provider is presented with allegations of abuse, they have to go to triage mode. And whether by their own advice or a third party advising and in keeping with rules established in the p/p contract, arrive at a decision; relay/reveal/publish. 

        The proposal established a lower bar for law enforcement but it is not a free ride. And even then, there is a lower bar for law enforcement in the jurisdiction where the registrant is domiciled.

        If the allegations are egregious and prima facie, then the p/p provider may, on the balance of the evidence reveal.  So the intention is for the evidence to trigger a process leading to the relay/reveal/publication decision and not so much the source of the allegation.

        -Carlton

  4. Holly,

    That assumes a local government cares and has the wherewithal to do anything. Many of the issues consumers face on the Internet do not reach this level of attention. Consumers MUST have their own path.

    -Garth 

    1. Garth

      As I have said to Alan, I am not convinced that the ordinary consumer would know to go to Whois data.  And if they do, what will they do with the information?  Most likely, the individual/company will be offshore/out of jurisdiction.  So the recourse will have to be through a government agency and/or law enforcement anyway. Is there another 'own path' that an individual could take that would not involve some kind of assistance from government agencies and/or law enforcement? (and yes, what would the consumer's own path be that should justify all aggrieved consumers to have access to data held by p/p providers - because basic privacy law is about protection of an individual's personal information - with exceptions that are about reasonable apprehension by responsible agencies of criminal activity)

      We are trying to strike a balance here between an individual's right to privacy as against legitimate expectations of protection against criminal, fraudulent behaviour. (and yes, that's not easy)

      Holly

      1. Holly,

        This may assume too much. The consumer complaint is not always immediately criminal or fraud. There are disputes that can be resolved informally, minor abuse, customer service problems, misunderstandings, etc. None of these issues can be resolved if there is no one to talk to. In the cases of secrecy and anonymity EVERY situation becomes a legal matter. My point is that they don't always have to go there, but without direct contact there are no other options. We also cannot assume consumers can't use WHOIS. The registrars often respond to abuse complaints with "talk to the site owner" but here you can't. So you go back to the registrar and they say "we don't control the content, we're just a registrar." ICANN doesn't deal with "customer service issues" so the consumer is screwed.

        -Garth

  5. We have been given a bit of extra time to get this submitted (by 9 July 2015). 

    1. Thank goodness - and thanks

      However, we should still try for something in the next few days - really ASAP.

      Holly

  6. Thanks for putting the link to the ApTI on this wiki.

    They do make a very important point in saying

    in section 1.3.2, under the “On Disclosure and Publication in relation to Requests by LEA and other Third Parties other than Trademark and Copyright Owners” heading, the most problematic being item #2 “Should there be mandatory Publication for certain types of activity e.g. malware/viruses or violation of terms of service relating to illegal activity?”, which would transform the privacy/proxy service providers into an arm of LEAs and would force them to take measures against clients without the intervention of the courts.

    ALAC should make the point more strongly that, before Publication, there must be clear evidence that the beneficial customer/registrant is guilty of responsibility for malware/viruses or violation of terms of service relating to illegal activity.

    They also discuss an issue raised by not allowing commercial sites, or sites that allow online transactions not to use p/p services.

    The ALAC position agrees with this and will make this clearer in our response.

    The ApTI submission also talks about copyright and the SOPA/copyright issues, and again, our submission does not support what is being asked for.

    The ApTI submission also states that:

    This measure will definitely fail any European Union privacy impact assessment test...

    The ALAC, along with other privacy advocates on the working group, argue strongly for privacy protections built into the planned specification. Indeed, registrars, particularly from EU countries, who are also members of the working group could not support a specification that they could not lawfully comply with.

  7. Quite frankly, the statement reiterates a catalog of grievances pertaining to privacy rights, almost all of which we share but mostly outside of the terms of reference of the WG. Regarding the matter of disclosure/publication on the word of LEAs, here's what the statement offers:

    "Should there be mandatory publication for certain types of activity e.g. malware/viruses or violation of terms of service relating to illegal activity?

    If misuse of the DNS and/or illegal activity has been proven, most likely other and more severe responses will have been made including termination of use of the domain name by the party providing the privacy or proxy service."

    The statement implies a YES to the question then goes on to contemplate more severe penalties as allowed by the RAA - such as those Garth has pointed to earlier in the thread. 

    I suggest the following rewrite for clarification:

    "Should there be mandatory publication for certain types of activity e.g. malware/viruses or violation of terms of service relating to illegal activity?

    "Yes, when misuse of the DNS under the terms of the service and illegal activity is proved. P/P Provider actions do not preclude other likely and more severe responses allowed by the RAA or in law."

    1. "Yes, when misuse of the DNS under the terms of the service and illegal activity is proved..."

      Proved to whose satisfaction?

      1. Perhaps 'established' is a better word than 'proved', since 'proved' implies a court decision. Established could include p/p providers being asked by law enforcement/other agencies, based on a warrant, to take a site down. At least warrants mean that the relevant authority will have had to convince a magistrate (or equivalent) of the matters alleged. It could also mean that the relevant government agency (corporate regulator, for example) could provide the reason(s) why they believe that the relevant site(s) is involved in fraud. And because we are also talking about a breach of terms of the contract, it could also include ICANN becoming involved in what they believe is a breach.

        And because you are asking what is meant by proved, I am assuming you believe in the importance of there being evidence behind allegations of misuse of the DNS or other illegal activity before any action is taken. And that has been my point: before the privacy protections offered by p/p providers are broken, there needs to be a credible and sustainable reason for doing so.

        1. I like the word 'established'; indicates a much looser standard and we don't want to invoke a juridical one here.

      2. This would be the P/P provider; the 'terms of service' is really between them and the customer. Remember too that those terms must meet some obligations in Specifications.

  8. The test that should have been added to the final version - and hopefully can still be incorporated - is one I promised above, as follows:

    Should registrants of domain names associated with commercial activities and which are used for commercial online financial transactions be prohibited from using, or continuing to use, p/p services?

    No. Commercial online financial transactions can be provided by a range of people/organisations including charities, human rights organisations, women's refuges or other entities that may have quite legitimate reasons for the use of p/p services but want to engage in fund raising activities. Trying to draw a distinction between charitable, human rights or other fund raising activities and other commercial online transactions would be extremely difficult for p/p providers that would have to decide whether to allow such an entity to use a p/p service - in advance of allowing the entity to subscribe to the service.

    If the commercial entity does misuse the service, we are recommending that not only law enforcement agencies, but other government agencies charged with corporate and consumer protection be given access to relevant Whois data.