FINAL VERSION TO BE SUBMITTED IF RATIFIED
The final version to be submitted, if the draft is ratified, will be placed here by upon completion of the vote.
FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC
The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.
FIRST DRAFT SUBMITTED
The ALAC does not support the Implementation Advisory Group’s proposed alternative ‘triggers'. The whole policy framework on which the 'triggers' are based is contrary to the growing body of inernational law on data protection. Instead, the ALAC supports the “Minority Views’ of Stephanie Perrin and Christopher Wilkinson and their alternative proposals to address the Whois conflicts issues.
The original goal of this policy (concluded by the GNSO in November 2005) was to develop procedures that could reconcile mandatory laws on data protection with the requirements on registries and registrars under contract with ICANN for the collection, display and distribution of WHOIS personal information.
Unfortunately, the Task Force charged with implementing the policy adopted a ‘solution’ that is virtually unworkable and has never been used. Under the ‘solution’ the registrar/registry should notify ICANN within 30 days of situations (an inquiry, litigation or threat of sanctions) when the registry/registrar can demonstrate that it cannot comply with WHOIS obligations due to local or national data protection laws.
There are two fundamental reasons why the policy is unworkable. The first is the bizarre requirement that registrars and registries must seek ICANN permission to comply with their applicable local laws. The second obvious flaw is that it means registrars/registries must wait until there is an ‘inquiry or investigation' etc of some sort before the process can be triggered.
This Implementation Working Group (IWG) was formed to ‘ consider the need for changes to how the procedure is invoked and used’. The difficulty with that approach is that it does not address the basic flaws in the processes proposed: it still assumes that ICANN has a role in determining registry/registrar compliance with applicable local law and it still believes that solution lies in legal events that ‘trigger’ a resolution process.
The IWG report proposes an “Alternative Trigger’ (Appendix 1) or a Written Legal Opinion (Dual Trigger) (Appendix 2). Of the two proposals, the Alternative Trigger process is far simpler and preferable. Indeed, the language suggests that the process might be used to reconcile ICANN WHOIS requirements with relevant data protection law more generally, and not on just on a case by case basis.
There are, however, difficulties with the Alternative Trigger proposal, as follows.
- It relies on advice from law firms (whose advice would not bind the relevant data protection agency), or on data protection agencies themselves (who are most often reluctant to provide such advice)
- The onus is on individual registries/registrars to invoke the process. There are many smaller registries/registrars that would not have the resources to fund such advice, particularly if it is needed on a case by case basis
- Because laws/regulations on the handling of personal information vary from area to area (whether national or regional), different registries/registrars will be bound by different sets of requirements – in order to comply with the same contractual terms
- It is also not clear why GAC advice is included in both proposed ‘triggers’. The expertise of individual GAC members relates to ICANN’s remit: domain names, IP addresses and protocols - not data protection laws.
The ALAC supports both of the proposals made by Christopher Wilkinson (Appendix 4) which address the issues raised . His first proposal is – at the least – a ‘block exemption’ for all registries/registrars in the relevant jurisdiction. This would eliminate the ‘case by case’ approach to the issue and provide certainty for all registries/registrars (whether large or small) in that area.
His second proposal - a better approach - is his call for a ‘best practice’ policy on the collection, retention and revealing of WHOIS information. This would ensure that, regardless of the jurisdiction of the registrar/registries – and registrants – all would receive the same privacy protection.
8 Comments
Ariel Liang
Comment from Carlton Samuels sent to the penholder group on 9 October 2015 at15:03 UTC
==
CW:
Here's my idea of a statement:
----------------------------------------------------------------------
The ALAC remains troubled by the facts of this IAG-WHOIS Conflicts process and their implications.
On principle, we cannot accept this insistence that on its face, members of the community are obliged to become scofflaws and violate national privacy laws under colour of contract.
These procedures result in users in some places being stripped of rights and dragooned into regimes of unequal protection, market distortions, service degradation and, eventually, disconnection from the ICANN community. In fact, the procedures being adopted have the potential to create unequal market conditions in a single country, depending on the registrar and their connections in contract.
The time has come for this procedure to see the sunset. Recent developments on the Safe Harbour arrangements [add link here to recent EU Supreme Court ruling] between the European Union and the United States screams guidance. We strongly advise ICANN to move with deliberate speed to a new regime where privacy rights of all users are equally protected and recognized in contract and practice.
---------------------------------------------------------------------------------
-Carlton
Holly Raiche
I agree with Carlton's sentiments: the IWG was being asked to improve a procedure that is basically flawed. My suggestion below is to explain why the whole premise on which the IWG works was flawed and why both of the 'solutions' are flawed. Instead, we should step back and come up with something that comes closer to recognising the basic contradiction between privacy laws and WHOIS requirements.
My suggested text:
The ALAC has deep concerns with the Implementation Advisory Group’s proposed alternative ‘triggers’ and supports the “Minority Views’ of Stephanie Perrin and Christopher Wilkinson.
The original goal of this policy (concluded by the GNSO in November 2005) was to develop procedures that could reconcile mandatory laws on privacy with the requirements on registries and registrars under contract with ICANN for the collection, display and distribution of WHOIS personal information.
Unfortunately, the Task Force charged with implementing the policy adopted a ‘solution’ that is virtually unworkable and has never been used. Under the ‘solution’ the registrar/registry should notify ICANN within 30 days of situations (an inquiry, litigation or threat of sanctions) when the registry/registrar can demonstrate that it cannot comply with WHOIS obligations due to local or national privacy laws.
There are two fundamental reasons why the policy is unworkable. The first is the bizarre outcome that registrars and registries must seek ICANN permission to comply with their applicable local laws. The second obvious flaw is that it means registrars/registries must wait until there is an ‘inquiry or investigation etc of some sort before the process can be triggered.
This Implementation Working Group (IWG) was formed to ‘ consider the need for changes to how the procedure is invoked and used’. The difficulty with that approach is that it does not address the basic flaws in the processes proposed: it still assumes that ICANN has a role in determining registry/registrar compliance with applicable local law and it still believes that solution lies in legal events that ‘trigger’ a resolution process.
The ISG report proposes an “Alternative Trigger’ (Appendix 1) or a Written Legal Opinion (Dual Trigger) (Appendix 2). The Alternative Trigger process is far simpler and preferable. Indeed, the language suggests that the process might be used to reconcile ICANN WHOIS requirements with relevant privacy law more generally, and not on just on a case by case basis.
There are, however, difficulties with the Alternative Trigger proposal, as follows.
The ALAC supports both of the proposals made by Christopher Wilkinson (Appendix 4) which address the issues raised . The first is – at the least – a ‘block exemption’ for all registries/registrars in the relevant jurisdiction. This would eliminate the ‘case by case’ approach to the issue and provide certainty for all registries/registrars (whether large or small) in that area.
A better approach is his call for a ‘best practice’ policy on the collection, retention and revealing of WHOIS information. This would ensure that, regardless of the jurisdiction of the registrar/registries – and registrants – all would receive the same privacy protection.
Carlton Samuels
This could work. I would add a 2nd declaratory to the first paragraph for effect:
"To be clear, the ALAC holds this policy framework is wholly misguided. We now declare it is now untenable to support it, going forward."
I still truly believe that we should state the objective up front so that the Board or anybody else need not go thru the weeds - where the justification is outlined - to see what is decided.
-Carlton
Lutz Donnerhacke
As said multiple times (i.e. 2011) the concept of local law and whois can be fulfilled.
The essential aspect for me is the question whether Whois must be operated at all. If so, how it can be run in a legal way all over the world. This proposal would even solve the problem of Whois accuracy:
In short: Whois is data retention of all Internet participants worldwide, permanently.
My proposal can therefore only be:
Example of thin Whois.
$ whois -h whois.iana.org www.apple.com
refer: whois.verisign-grs.com
domain: COM
organisation: VeriSign Global Registry Services
address: 12061 Bluemont Way
address: Reston Virginia 20190
address: United States
(Notice the correct contract details, NOT the holder)
$ whois -h whois.verisign-grs.com www.apple.com
Domain Name: APPLE.COM
Registrar: CSC CORPORATE DOMAINS, INC.
Sponsoring Registrar IANA ID: 299
Whois Server: whois.corporatedomains.com
(Notice the correct contract details, NOT the holder)
$ whois -h whois.corporatedomains.com apple.com
Domain Name: apple.com
Registrant Name: Domain Administrator
Registrant Organization: Apple Inc.
Registrant Street: 1 Infinite Loop
Registrant City: Cupertino
(Notice the correct holder)
And please notice, that all this data is queried from the directly responsible servers under the local law the company, which is providing this service has to follow. So the output and the collected data might vary.
Holly Raiche
Lutz and Carlton are both right. Lutz called for a wholescale review of Whois - which was done by the EWG. And they came to the same conclusions that Lutz, Carlton, I and anyone else in ICANN (and outside) who recognises the basic contradictions between making all personal contact information of registrants publicly available and the growing body of international privacy law.
That said, we still need to respond to this specific call for comment. What I have tried to do in my draft response is point out why it is difficult to support the proposed IWG's 'solutions'. In the end, I propose ALAC support for the least worst option - while point to its problems as well.
I also understand Carlton's suggestion for another sentence to my text - even the proposed alternative is less than satisfactory: it is - again - the least worst option. So my revised proposed text is as follows:
The ALAC does not support the Implementation Advisory Group’s proposed alternative ‘triggers'. The whole policy framework on which the 'triggers' are based is contrary to the growing body of inernational law on data protection. Instead, the ALAC supports the “Minority Views’ of Stephanie Perrin and Christopher Wilkinson and their alternative proposals to address the Whois conflicts issues.
The original goal of this policy (concluded by the GNSO in November 2005) was to develop procedures that could reconcile mandatory laws on data protection with the requirements on registries and registrars under contract with ICANN for the collection, display and distribution of WHOIS personal information.
Unfortunately, the Task Force charged with implementing the policy adopted a ‘solution’ that is virtually unworkable and has never been used. Under the ‘solution’ the registrar/registry should notify ICANN within 30 days of situations (an inquiry, litigation or threat of sanctions) when the registry/registrar can demonstrate that it cannot comply with WHOIS obligations due to local or national data protection laws.
There are two fundamental reasons why the policy is unworkable. The first is the bizarre requirement that registrars and registries must seek ICANN permission to comply with their applicable local laws. The second obvious flaw is that it means registrars/registries must wait until there is an ‘inquiry or investigation' etc of some sort before the process can be triggered.
This Implementation Working Group (IWG) was formed to ‘ consider the need for changes to how the procedure is invoked and used’. The difficulty with that approach is that it does not address the basic flaws in the processes proposed: it still assumes that ICANN has a role in determining registry/registrar compliance with applicable local law and it still believes that solution lies in legal events that ‘trigger’ a resolution process.
The IWG report proposes an “Alternative Trigger’ (Appendix 1) or a Written Legal Opinion (Dual Trigger) (Appendix 2). Of the two proposals, the Alternative Trigger process is far simpler and preferable. Indeed, the language suggests that the process might be used to reconcile ICANN WHOIS requirements with relevant data protection law more generally, and not on just on a case by case basis.
There are, however, difficulties with the Alternative Trigger proposal, as follows.
The ALAC supports both of the proposals made by Christopher Wilkinson (Appendix 4) which address the issues raised . His first proposal is – at the least – a ‘block exemption’ for all registries/registrars in the relevant jurisdiction. This would eliminate the ‘case by case’ approach to the issue and provide certainty for all registries/registrars (whether large or small) in that area.
His second proposal - a better approach - is his call for a ‘best practice’ policy on the collection, retention and revealing of WHOIS information. This would ensure that, regardless of the jurisdiction of the registrar/registries – and registrants – all would receive the same privacy protection.
Carlton Samuels
I support this text.
Carlton
Lutz Donnerhacke
Thank you Holly,
But I do not like with your conclusion: You are asking for "same privacy" for "all participants. But this contradicts with different local regulations, so the obvious consequence is, that not everyone has the same rights worldwide.
Just accept the fact of regional differences comes out with a solution which respects the local laws by distributing the data instead of centralizing it, hence a thin Whois.
The "same rules for everyone" approach is common in the civil society (especially at ICANN) but it requires a common world law.
Holly Raiche
I agree with your statement of the problem. But the problem is the one that Christopher pointed to - the same contractual words will apply differently in different jurisdictions.
As I suggest however, my recommendation is support for either of his options: the first is that the same rules apply for all registries/registrars in the relevant area, and the second - what you are commenting on - the requirements on registries/registrars are the same for all gTLDs. Either one is better than what is being proposed.