FINAL VERSION TO BE SUBMITTED IF RATIFIED
The final version to be submitted, if the draft is ratified, will be placed here by upon completion of the vote.
FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC
The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.
FIRST DRAFT SUBMITTED
The first draft submitted will be placed here before the call for comments begins.
The At-Large Advisory Committee (ALAC) appreciates the opportunity to comment on the Draft Accreditation and Access Model. At the heart of the matter is the notion of “purpose” versus “use.” There are those within the ICANN community that believe we should venture back 30 years in our quest for purpose while others believe the unforeseen growth of the internet requires a broader definition of purpose in which “security and stability” includes some measure of consumer protection. End user surveys suggest that the majority of end users rely on all of the actors outlined in the proposed model to protect their interests.
Consequently, use and purpose can be difficult to distinguish in the modern era. As a The ALAC agrees with the ICANN ORG presumption that the current model for data collection is the path forward in the near term. The nuance, at present, is in designing a model of accreditation and access. The ALAC understands that tiered access is the most probable solution to ensuring compliance with the General Data Protection Regulation (GDPR), but we do have serious concerns as to the structure of this proposed model. Within the current draft, the model provides an all-or-nothing approach to the data sought, where the petitioner’s request and purpose may only justify access to specific non-public data. Furthermore, specific data requests may require a higher bar (for example judicial) for access. We recommend a three-dimensional access model of accreditation akin to that of receiving security clearance in the United States: 1) identity of the petitioner; 2) determining the petitioner’s purpose; and 3) requesting information on how they will use that data. At its core, the mission of the accreditation model should be to provide a reliable and trusted domain name system (DNS) and the ALAC feels these considerations will propel the ICANN community further in that direction.
Identity of the Petitioner
As noted above, the first stage is to identify who is requesting the information. The ALAC recommends that the ICANN community should develop a system in which certain members or entities have levels of access to non-public information. The system should be very much analogous to obtaining a security clearance in the United States. Thus, depending level of access for which you qualify, determines what type of non-public data you or your organization will have access to.
In equity and efficiency, until such an assessment is made, the ALAC recommends that ICANN should look into the use of anonymized emails to address most of the concerns related to third-party access of such data so long as the petitioner has made a prima facia case that they seek the data for a legitimate purpose. We believe it serves as a way for those whom feel as though their various rights have been violated to reach out to the necessary party, while not disclosing any personal information. Additionally, it allows the petitioning party to go through the accreditation process to seek the relevant data concurrently.
Although it appears the current draft of the accreditation model sets up a three-tiered system that seems to address some of these concerns, it provides little clarity as to how much access a petitioner might receive upon request. The categories are as follows: 1) regular; 2) special access; and 3) one-time access. It is unclear to the At-Large Committee how this plays out in relation to the three other categories of legitimate reasons (i.e, IP investigations, Security investigations, and business investigations). Additionally, it is unclear as to how or who will ultimately make such determinations, because the Accreditation model does not appear to provide much criteria as to the qualifications of a member of its so-called “Accreditation Review Panel.” The ALAC requests further clarification from the drafting ICANN communities.
Defining Legitimate Purpose
The ALAC understands that the purpose of this draft model is to provide a temporary solution to comply with the E.U.’s GDPR that will be in full effect on May 25, 2018. Maintaining the integrity of an individual’s personal information, either within the E.U. or outside of it, is a priority to the ALAC. WHOIS is a multifunctional system that is invaluable for those attempting to conduct research as well as protect consumers from fraud, phishing and other illegal enterprises. ICANN should promulgate a solution that balances the equities between GDPR compliant protection of personal information and the other essential functions of WHOIS. The ALAC believes that all the actors described in the proposed accreditation model play a legitimate role in consumer protection.
In its letter, WP29 lists out various amount of criticism of ICANN’s interim model and provides what it feels are measures by which ICANN can accommodate these criticisms. For example, on issue of purpose specification, the WP29 believes the phrase “legitimate access..[to] accurate, reliable and uniform registration data” within the interim model’s text is too broad and would, thus, violate Article 5(1)(b) of the GDPR. WP29 recommends that ICANN better define the term “purposes” and take out the term “include” in this context to ensure that ICANN’s interim model meets the comprehensive-and-exhaustive standard under Article 5. Even though we believe that WP29’s recommendation is vague, the ALAC recommends that ICANN should reiterate its considerations for legitimate purposes under in its interim model, like allowing registrars to perform basic administrative functions, research and specific forms of consumer protection including IP enforcement.
Petitioner’s Disclosure of their Intended Use of the Non-Public Data
The ALAC recommends that, before a petitioner is granted access to the non-public WHOIS data, they must disclose in detail how they will use the data and disclose whether they intend to give access of such information to third-parties. This will ensure the integrity of the potential data subject’s rights and provide ICANN with better information to avoid unwanted or unintended disclosures that may run afoul to certain provisions of the GDPR. Furthermore, a “purpose tier” creates another axis to balance privacy and consumer protection, allowing for different criteria for data access depending on intended use.
We appreciate the opportunity to share our views on this matter. Thank you in advance for your time and consideration on this important issue.
8 Comments
Seun Ojedeji
Holly Raiche
I have great difficulty with the first paragraph - about purpose. Purpose is still the critical first step in determining what information is collected, how it is used, who can access it and for what reason. (that is true not just for GDPR, but for privacy regimes globally.) So start with ICANN's mission - purpose, since they are the data controller since it is the RAAA/Registry agreements that mandate data collection: to ensure the stable and secure operation of the Internet's unique identifier system.
On consumer protection, if you read legal advice on what that might mean and those who could access information, it is clear that the collectors go beyond just law enforcement to include regulatory agencies as well - which would include both competition and consumer protection agencies. What the advice is also clear about is that access by individuals is not okay.
We should also clarify that when we are talking about 'petitioner', we are talking about a representative of an organisation of some sort. Yes, it gets tricky when a TINY organisation (one person) has been accredited to have access to information for a particular purpose in set circumstances.
Finally, I am not convinced that the protection of IP can be classed as consumer protection and, in my view, we should let the IP community argue for access on their own.
Otherwise, I agree with the thrust of these comments
Jonathan Zuck
We're not going to come up with a statement with which everyone agrees but we just MIGHT come up with a statement with which everyone can live. I wasn't trying to disregard the notion of purpose but suggest instead that it had evolved from the time of the inception of whois. Agree there should be a purpose in mind for all data collection but using use cases as a framework for that purpose isn't out of line.
We should never carry the water for the IP folks but neither should we ignore the validity of IP enforcement to consumer protection. Remember it goes well beyond movies and music and extends to other types of fraudulent behavior and counterfeit products such as surge protectors that don't work or drugs with deadly consequences. The fact that an IP holder had a financial incentive (either directly or indirectly via damage to its brand) doesn't change the potential benefit enjoyed by consumers.
Holly Raiche
Jonathan: My problem with the first paragraph is that it reads as if those who are insisting that we actually start with purpose are trying to go back 30 years. I am not. So we don't need that. What we need is simply a statement of purpose that reflects ICANN's purpose in the 21st century - and I think you will agree to that. I also think that ICANN's mission statement is broad enough to address enforcement of laws. And because we are arguing for an access regime that goes beyond blanket accreditation to a tiered access that asks not only for accreditation, but accreditation FOR THAT PARTICULAR USE. So I agree - we really aren't that far apart. We can start with a contemporary purpose - ICANN's mission, andthen go to accreditation for particular parties - in SPECIFIC situations - which is pretty much what you are saying.
Jonathan Zuck
Okay, I'm not talking about you but there are certainly some that ARE advocating for "original purpose" rather than a more modern one. Perhaps it's a bit too sassy. I can make that change. Can we get together on the idea that IP is important as well?
Holly Raiche
Thanks Jonathan. If you go with ICANN's stated mission, it hasn't changed in 30 years. What probably has changed is what is done with the information - just because it now is possible. So stick with ICANN's mission, noting that includes its core values - the public interest is there. And on IP, ages ago, while I was on the privacy/proxy WG, what we came up with was that, where there is a reasonable suspision that trademarks have been violated, then the claimant/legal advisor should be given access to the relevant email address and, failing successful contect, further information. So something like instances of breach of the law or potential breaches (something that doesn't allow just phishing) should give access. Maybe the way around 'original purpose', as I suggested, is to talk about ICANN's 'original purpose' - mission and core values - which fit nicely into what you are suggesting. And my IP idea is as above. If we are talking aabout genuine apprehension that a rademark is being abused, it fits nicely into granting access for a breach or alleged breach of law. So I don't think we are disagreeing.
Bastiaan Goslings
Thanks for taking a shot at this, Jonathan Zuck .
After quickly going through the draft A&A Model, I do agree with Holly Raiche 's remarks. And I (too?) therefor think the sentence 'There are those within the ICANN community that believe we should venture back 30 years (etc)' in the draft response can be removed in its entirety. I also think the 'Consequently, use and purpose can be difficult to distinguish in the modern era' can be deleted. I do not agree that making this distinction is that difficult. The draft itself IMO actually clearly argues, or attempts to say, that there are e.g. 'Legitimate and lawful purposes for access' (= use) for 'Intellectual Property Owners and Agents' on page 5, while the reasons (purposes) to collect are detailed in Annex B. Indirectly referring to Art 6. 1 (b), (e) and (f) of the GDPR. And there is a link to ICANN Mission there too: 'As such, in support of ICANN’s mission to coordinate and ensure the stable and secure operation of the Internet’s unique identifiers, personal data domd (SIC) in domain name registration data may be collected and processed for the following purposes:'(etc).
So indeed, as Holly said 'I don't think we are disagreeing'?
Hadia Elminiawi
Thank you Jonathan and all for the draft statement
The way I read it - the current model did not specify any kind of approach with regard to the accreditation or the use of the data, but left it to the provider. Under section 3 "requirements for access" with regard to the accreditation the proposed model says "Requester will provide all documentation reasonably requested by provider to demonstrate that requester, and each individual designated by Requester to access the RDDS Data ...." that is,the provider will determine the required documents and process them in accordance to his accreditation review process and policies - which could and would differ from one provider to another - again with regard to the use of the data the proposed model says "Each authorized user must agree to provider’s terms of use and privacy policy as a condition of their continued use of the site ... "
Even with regard to the purpose it is up to the provider to determine if the requester has a legitimate purpose or not.
So I think if we want to comment on the access and use of the data, we should advice ICANN to come up with a unified accreditation model rather than leaving it to each provider to determine what suits them best.