
Public Comment Close: 31 August 2018

Statement Name: IPC/BC Accreditation & Access Model for Non-Public Data v1.7

Status: COMMENT



FINAL VERSION SUBMITTED (IF RATIFIED)

The final version to be submitted, if the draft is ratified, will be placed here upon completion of the vote.



FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC

The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.



DRAFT SUBMITTED FOR DISCUSSION

The first draft submitted will be placed here before the call for comments begins. The draft should be preceded by the name of the person submitting the draft and the date/time. If, during the discussion, the draft is revised, the older version(s) should be left in place and the new version, along with a header line identifying the drafter and date/time, should be placed above the older version(s), separated by a Horizontal Rule (available + Insert More Content control).

The At-Large Advisory Committee (ALAC) appreciates the opportunity to comment on the Draft Accreditation and Access Model. At the heart of the matter is the notion of “purpose” versus “use.” There are those within the ICANN community that believe we should venture back 30 years in our quest for purpose while others believe the unforeseen growth of the internet requires a broader definition of purpose in which “security and stability” includes some measure of consumer protection. End user surveys suggest that the majority of end users rely on all of the actors outlined in the proposed model to protect their interests.

Consequently, use and purpose can be difficult to distinguish in the modern era. The ALAC agrees with the ICANN ORG presumption that the current model for data collection is the path forward in the near term. The nuance, at present, is in designing a model of accreditation and access. The ALAC understands that tiered access is the most probable solution to ensuring compliance with the General Data Protection Regulation (GDPR), but we do have serious concerns as to the structure of this proposed model. Within the current draft, the model provides an all-or-nothing approach to the data sought, where the petitioner’s request and purpose may only justify access to specific non-public data. Furthermore, specific data requests may require a higher bar (for example, judicial) for access. We recommend a three-dimensional access model of accreditation akin to that of receiving security clearance in the United States: 1) identity of the petitioner; 2) determining the petitioner’s purpose; and 3) requesting information on how they will use that data. At its core, the mission of the accreditation model should be to provide a reliable and trusted domain name system (DNS), and the ALAC feels these considerations will propel the ICANN community further in that direction.


Identity of the Petitioner 

As noted above, the first stage is to identify who is requesting the information. The ALAC recommends that the ICANN community should develop a system in which certain members or entities have levels of access to non-public information. The system should be very much analogous to obtaining a security clearance in the United States. Thus, the level of access for which you qualify determines what type of non-public data you or your organization will have access to.

In the interest of equity and efficiency, until such an assessment is made, the ALAC recommends that ICANN should look into the use of anonymized emails to address most of the concerns related to third-party access to such data, so long as the petitioner has made a prima facie case that they seek the data for a legitimate purpose. We believe it serves as a way for those who feel as though their various rights have been violated to reach out to the necessary party, while not disclosing any personal information. Additionally, it allows the petitioning party to go through the accreditation process to seek the relevant data concurrently.

Although it appears the current draft of the accreditation model sets up a three-tiered system that seems to address some of these concerns, it provides little clarity as to how much access a petitioner might receive upon request. The categories are as follows: 1) regular; 2) special access; and 3) one-time access. It is unclear to the At-Large Committee how this plays out in relation to the three other categories of legitimate reasons (i.e., IP investigations, security investigations, and business investigations). Additionally, it is unclear how or by whom such determinations will ultimately be made, because the accreditation model does not appear to provide many criteria as to the qualifications of a member of its so-called “Accreditation Review Panel.” The ALAC requests further clarification from the drafting ICANN communities.


Defining Legitimate Purpose 

The ALAC understands that the purpose of this draft model is to provide a temporary solution to comply with the E.U.’s GDPR that will be in full effect on May 25, 2018. Maintaining the integrity of an individual’s personal information, either within the E.U. or outside of it, is a priority to the ALAC. WHOIS is a multifunctional system that is invaluable for those attempting to conduct research as well as protect consumers from fraud, phishing and other illegal enterprises. ICANN should promulgate a solution that balances the equities between GDPR-compliant protection of personal information and the other essential functions of WHOIS. The ALAC believes that all the actors described in the proposed accreditation model play a legitimate role in consumer protection.

 

In its letter, WP29 lists various criticisms of ICANN’s interim model and provides what it feels are measures by which ICANN can accommodate these criticisms. For example, on the issue of purpose specification, the WP29 believes the phrase “legitimate access..[to] accurate, reliable and uniform registration data” within the interim model’s text is too broad and would, thus, violate Article 5(1)(b) of the GDPR. WP29 recommends that ICANN better define the term “purposes” and take out the term “include” in this context to ensure that ICANN’s interim model meets the comprehensive-and-exhaustive standard under Article 5. Even though we believe that WP29’s recommendation is vague, the ALAC recommends that ICANN should reiterate its considerations for legitimate purposes under its interim model, like allowing registrars to perform basic administrative functions, research and specific forms of consumer protection including IP enforcement.


Petitioner’s Disclosure of their Intended Use of the Non-Public Data

The ALAC recommends that, before a petitioner is granted access to the non-public WHOIS data, they must disclose in detail how they will use the data and disclose whether they intend to give third parties access to such information. This will ensure the integrity of the potential data subject’s rights and provide ICANN with better information to avoid unwanted or unintended disclosures that may run afoul of certain provisions of the GDPR. Furthermore, a “purpose tier” creates another axis to balance privacy and consumer protection, allowing for different criteria for data access depending on intended use.

We appreciate the opportunity to share our views on this matter. Thank you in advance for your time and consideration on this important issue.
