FINAL VERSION TO BE SUBMITTED IF RATIFIED
The final version to be submitted, if the draft is ratified, will be placed here upon completion of the vote.
FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC
The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.
FIRST DRAFT SUBMITTED
The first draft submitted will be placed here before the call for comments begins.
25 Comments
Holly Raiche
My comments on the models:
General comments:
Any model adopted should, as much as possible, be close to a position that everyone is comfortable with. The reality is that actually changing the current RDS policy (i.e., requirements in the RAA on the collection and public access to registration data) will take at least another couple of years (The current RDS WG is only at the first stage of the policy change needed - 18 months after it started at least). So this ‘interim’ model will be used for a significant amount of time before it is replaced. Further, if we are calling on registrars/registries to adopt a model now, it should be as close as possible to the ultimate solution so that registries/registrars don’t have to change their systems yet again. (I recognise this is called an ‘interim’ solution: the reality - it will be a long ‘interim’.)
A related point - any policy adopted should be one that applies globally. There should not be a policy that gives one part of the globe a level of privacy protection that does not apply elsewhere. And on a more practical note, how can a registrar or registry be sure of whether all of their customers live in an area that attracts one level of privacy protection or another?
The basis of any model adopted should be on privacy principles. Yes, the GDPR is the most stringent, but we need to recognise that data protection legislation has been enacted globally, based on fundamental OECD principles. Those principles include the direction that data collectors must only collect information - particularly personal information - that is necessary for them to carry out their function(s), that the data collector must - up front - tell the data subject the purposes to which the data will be put and the circumstances in which defined others will access the data.
The final document should use the language of SSAC51 - for the data itself, the service and the protocol. Using ‘Whois’ leads to confusion as to what is being referred to.
Specific comments:
Approach- Clause 6: Agree with the statement that all of the compliance models are based on tiered access - and agree with tiered access
Commonalities - Clause 1: I am not sure we should agree with the statement that registrars may collect (but not necessarily publish) all of the personal data elements currently in the Thick registration data. This is an issue that the RDS WG is working through - to determine what information is actually necessary for the registrars/registries to carry out their functions. However, I accept that this may be too hard for anyone outside of the WG discussions to come to final agreement upon.
Purpose Description - Purpose of Whois. This text confuses two things. The purpose of ICANN is about coordination, stability etc of the Internet’s unique identifier system. But the purpose that is critical here is the purpose of the collector - the registrar. So the test for whether the information should be collected is whether the registrar needs the information to carry out their functions.
Models - General. Only Models 2B and Model 3 apply globally. On that basis, reject Models 1 and 2A.
Model 2A vs Model 3:
In Model 2A - the name of the registrant is only displayed with the consent of the registrant (whether a natural person or company), access to non-public data would be to a defined set of third party requesters under a formal accreditation/certification program (this could include law enforcement agencies, certified intellectual lawyers, etc based on pre-defined criteria and as part of a formal accreditation process). As an interim measure, self certification could be used as part of an interim mechanism.
In model 3, the registrant’s name would be displayed (with or without consent), and not publish personal data. However, this would require assessment on a field by field basis as to whether personal data would be included. There would be a stricter regime for access - only under applicable law and subject to due process requirements such as under subpoena or other judicial order.
My recommendation: Go with either Model 2B or 3. Model 3 is the stricter, but appears to be a bit complex in its assessment against each field. Certainly there are very tight controls on access to the data. Model 2A has the possibility of more access - based on pre-determined requirements/accreditation. The timeframe for data retention under both is also different (life of registration +1 year for 2A, and +60 days)
My personal choice - Model 2B - as long as there is a tight accreditation process, and tightly defined criteria for who (already accredited) gets access to personal information in what circumstances. But this is for ALAC members to decide.
Alan Greenberg
Holly, I cannot agree with "The basis of any model adopted should be on privacy principles.".
The At-Large principle has long been that we do support rights of registrants, but that when there is a potential clash between rights of registrants and the needs of Internet users (a FAR larger community than gTLD registrants) we must factor in those needs.
In this case, we have a situation where those who purvey malware, spam, phishing and such will be given a great boost by registrant privacy, and we need to do what we can to ensure that those who fight such activities can still do so. This will not be easy, and perhaps there will be a blackout period initially, but it has to be the target. If we do not do this, then we are failing the community whose interests we are here to defend.
Alan
Christopher Wilkinson
Good evening: From a cursory reading of about 50 pages on this matter that have appeared in the past ten days, it would seem to me that Model 3 is the most consistent with the ALAC 2017 position on WHOIS waivers. (An issue that pre-dates GDPR).
Regarding Model 3, I do not understand the point about field-by-field analysis for personal data.
Regarding Hamilton III, I have never understood the rationale for giving 'intellectual property lawyers' privileged access to registration data on a par with law enforcement.
Thank you Olivier for drawing all this to our attention. Thank you Holly for your detailed analysis and recommendations.
Regards
Christopher Wilkinson - 20 January.
PS: Since all these issues were clearly already on the table at ICANN60, it is really not on for ICANN to publish their Models on 12 January and bounce the community into responding within two weeks!
Alan Greenberg
Although it is not clear from the descriptions, I have now been told that we will not necessarily limit ourselves to one of the presented models, but that we can pick and choose characteristics.
Justine Chew
Yes, I heard Goran confirm this at the ICANN IP and BC hosted Conversation on WHOIS and Compliance with EU's GDPR and ICANN Contracts held on 24 Jan.
We may also want to look at the additional 5 community proposed models, also shared at this link for additional thoughts.
Holly Raiche
Thanks Justine. Actually two of the models in particular are most useful. Thomas Rickard (Eco Internet Industry Assoc) is particularly useful on the application of relevant law to this issue. My one comment is that, while the GDPR (and indeed most data protection regimes) follow the data minimisation principle, as he argues, I am very unsure that it is possible for the community to agree on what data is actually required by registries/registrars for their function(s). It is an issue that the RDS WG has spent weeks (really months) on and the likelihood of reaching final agreement between now and 25 May is almost non-existent. The other particularly useful of the five models is the iThreat Cybergroup, although some of the recommendations on data publication I'd question. My other issue with that submission is that it would focus on the EU. I believe that we should arrive at an interim solution that is global, for reasons I have already outlined.
Holly Raiche
I have real difficulty with Alan's rejection of privacy principles. First - we are not talking just about principles - we are talking about law in many countries (including Australia and Canada) apart from the EU countries. Second - those principles always recognise the legitimate interests of law enforcement agencies (broadly interpreted) in addressing criminal activity. So there is no clash. The discussions now include how to define those bodies involved in the detection and addressing of the illegality - all difficult issues. Those discussions are more nuanced - how to define law enforcement agency, and how to define those activities that warrant access.
So the clash is not about the rights of registrants versus the rights of users. It is about how to ensure that the definitions of law enforcement agencies and illegal activity are broad enough to address abuse of the DNS system that harms users while upholding respect for an individual's privacy.
Alan Greenberg
Holly, I have not rejected privacy principles and I don't need to be told that we (ICANN and its contracted parties) need to obey laws.
As you point out, privacy legislation may allow a broad interpretation of law enforcement and the principle of proportionality will allow others to get access to otherwise confidential information as well.
My point is that we must take advantage of things like that to ensure that we can keep the Internet relatively safe (it is far too late to keep it safe!).
Look at model 3 which says that information will be revealed only with a subpoena or warrant, even for legal persons which get no protection under GDPR and many similar laws. THAT is what I am worried about - options that ARE available within the law but we choose not to avail ourselves of in the name of greater privacy than the law requires.
We are not debating the merits of privacy here, or of GDPR-like legislation. We are talking about how ICANN will interpret it and perhaps change its policies and practices to respect the laws and not cripple efforts that are at the core of minimizing risk on the Internet.
Holly Raiche
Alan - First - my mistake - above - on my preferred preference - it should be 2B as it would apply globally. My concern with 2B - the need to be careful in both determining definitions for accreditation tests and striking an appropriate balance between genuine need for access and protection of personal information - not an easy task. But as both you and Carlton observed, Model 2B is very close to what the WG came up with anyway. I am also concerned with Model 3 - because of its apparent complexity. And yes, it would impose far stricter rules on access to information.
Holly Raiche
Hadia Abdel Salam Mokhtar El Miniawi made the following comment in an email:
After going through the document I am more towards option 2b where I think it provides a good balance between what is available and what is not and all registrations across the globe are treated equally, taking into account the data protection rules the location will not be an element when making registration or business decisions and while model 3 also allows for that, it seems too restrictive in areas and too complicated in others.
Holly Raiche
After yesterday's ALAC call, it seems that the response we draft should focus on the elements of the model we favour rather than just pick a model. So I will rephrase my proposed response - restating much of what I have already said, but with a focus on the elements that ALAC supports for whatever model is finally adopted. (this is a bit explanatory - the final text can be shortened)
Holly Raiche
We need a draft that can be voted on, so below is my suggested response, only slightly different to what is above, but taking into account comments made in the recent webinar organised by Steve Bianco.
The ALAC provides the following comments in light of the necessity for ICANN Org to have an agreed approach on enforcement of its contracts with registries and registrars (and their resellers) before provisions of the General Data Protection Regulations (GDPR) become enforceable on 25 May 2018. We also note that within that timeframe, registries and registrars (and their resellers) must have implemented requirements of the agreed approach before the May deadline. Because of the very tight timeframe, the ALAC notes that the emphasis for the Interim Model will not address all of the requirements of the GDPR. It will only address the most urgent of the Compliance Model elements: the direct contradiction between the contractual requirements for the publication of potentially personal information and the legal prohibitions surrounding the publication of personal information. Other elements of GDPR (and data protection requirements in other jurisdictions) are being addressed by the Registration Data Services Working Group.
The ALAC supports the following elements of a Model for Compliance:
While this is an 'interim' solution with a focus on Compliance, any final decision is some time away. If registries/registrars are to change their processes, any change should be as close as possible to what a longer term policy would require.
Model 2 (A and B) would only publish the tech and Admin contacts of the registrant and only the registrant's name with their consent. Model 3 would not publish the name at all. Both Models 2 and 3 more closely comply with the GDPR and other data protection legislation. However, Model 2 does recognise the need to contact the registrar/registry in legitimate situations, and also recognises that registrants may wish to have their name associated with the domain name.
Alan Greenberg
Holly, I have significant problems with your proposal:
Seun Ojedeji
Alan Greenberg
Seun, of course we will require policy changes in the long run. The purpose of the current exercise is to decide on what we have compliance ignore until we can implement policy changes.
Regarding warrants, to look in your house, a warrant may be required, but in real life all sorts of personal information is given out regularly to those we trust (such as your employer or bank or anyone you buy something from online) and we need the equivalent of that in the domain name business. How we do that is the challenge.
Holly Raiche
Point 1: Of course privacy is not absolute. And if you choose a domain name that identifies you personally, it is your choice to do so, and data protection law will not stop you. For those who do choose not to be so identified, they should be - and are - protected.
Point 2: At this point, I am not at all fussed on the terminology. And the reason I am arguing for adoption of a model that will apply globally is - as I have stated above - that EU countries are not the only ones covered by data protection law. As I keep saying, many other jurisdictions, Australia, Canada and many other countries globally, have legal data protection regimes. I understand concerns about access law enforcement agencies have to personal data, when that is required. But data regimes generally, and the EU regime in particular, already allows access for law enforcement purposes to address the issues.
Point 3: This is a difficult issue that has taken a lot of discussion in the various 'Whois' WGs, as you would be aware. I'd generally agree that if the registrant is listed as a company, then the company name should be displayed. However, there are some situations - women's refuges, human rights organisations, etc - where the organisation itself may be in danger if publicly listed.
Point 4: I think you misunderstood what I said. What I was saying is that there are situations where law enforcement agencies should have access to personal data. And another situation where clearly access should be given is in order to comply with court orders.
Concluding: There are difficult issues that the existing RDS WG has grappled with for many months - they raise legitimate concerns on all sides of the argument. But we are running out of time. Registries/registrars are already starting to implement processes to ensure compliance with GDPR and/or their own data protection requirements. We aren't going to solve what are difficult issues overnight. But the elements of a Compliance model we call for should, as far as possible, bring us closer to compliance with data protection regimes - including the GDPR.
Alan Greenberg
Holly, my reference to point 4 was based on your support of Model 3 which would only grant access on presentation of such a legal instrument and not simply by virtue of being an (authenticated and approved) law enforcement agency.
Alan Greenberg
I am not at all sure we are going to come to closure here. I am preparing to submit a statement of my own, and perhaps others want to do the same.
In essence:
Holly Raiche
I appreciate that the issues are now easy to get your head around, and some people may not feel comfortable voting. But that said, before we abandon hope of agreement on a model, could we at least ask ALAC members if they want to vote on a statement or not.
It is always open to anyone to make an individual submission, regardless of what the SO/AC does. And if ALAC as a whole decides not to submit a final statement, I will certainly submit what I have said.
But this is a really important issue, and my preference would be that we submit at least a majority statement - that can have a minority statement as well.
Alan Greenberg
My submitted comments.
Alan Greenberg
Our (and others') request for an extension has been refused. However, the reply also encourages further input "as soon as possible". So new input will still be accepted, although clearly the window is very short.
At this point, as far as I can see, I have been the only At-Large person to submit a personal comment, and no RALO or At-Large comments have been submitted.
My comment is pointed to above, and all submitted comments may be seen at https://www.icann.org/resources/pages/gdpr-legal-analysis-2017-11-17-en.
Alan
Carlton Samuels
Streups.
The USG say they will support a model that enables 'easy access' to WHOIS data. From the use cases friend Redl referred to substantiate the view, the policy position seems to be that all now collected is continued indefinitely. So now, the matter of publication.
If I read the tea leaves right, the policy position of the USG is that they expect the public WHOIS to undergo minimal change.
In the end, never mind transition, kick and scream all you want, our Uncle Sam will get its way.
Save yourself the angst and choose the model that is closest to that....or, make a hybrid.
The End,
-Carlton
Holly Raiche
I have also made a personal submission - almost word for word what I suggested. And Carlton - we can but try. The RDS WG hasn't finished, but it is clear that most of the information collected under the RAA (which is really the issue) can be justified. (agreed, not all of it) so the issue is who gets to see it and under what circumstances (ah, therein lies the rub). In my view - as you know - there must be real limits. No individual access, real brakes on the claims of the IP community. Confine access - which is my attempt at hybrid. (and there are enough countries in the EU (even without the UK) so attention must be paid.)
Alan Greenberg
Holly, why do you say "real brakes on the claims of the IP community"? As I read the EU letter, IP rights are one of the things they feel must be allowed for, and Lawyers are among the few groups we are talking about that are already subject to accreditation and must follow certain ethical guidelines. So on paper, it looks pretty much like business as usual for them, once we get the paperwork straight.
Holly Raiche
On IP claims: In the many conversations I have had over the years, one of the complaints made in discussions was that in some instances, the holders of a name are simply harassed over claims (not substantiated) of IP rights. So in the earlier WG on access to privacy/proxy information on the registrant (I don't think you were in this one), on when the BC (particularly the IP people) could have access to registrant information, they would have to assert - and substantiate - both their right to the relevant domain name and that they were taking action to protect that name. So the issue was NOT about those with a genuine case to be made. It was about the misuse of data to harass. In short, I am not talking about legitimate protection of IP rights - I am talking about misuse of registrant data in the name of IP rights, and asking that, when such rights are asserted, that they can be substantiated and a case made.