Proposed comments for the WHOIS RT

Wendy Seltzer wendy at SELTZER.COM
Fri Mar 16 01:31:57 CET 2012


Thanks very much to Maria and Joy for contributions to this, proposed
comments for the WHOIS RT.  Comments are due March 18, but I'd like to
send them before leaving tomorrow, if possible.
<http://www.icann.org/en/news/announcements/announcement-05dec11-en.htm>

We would like to commend the general readability of the report. WHOIS
has become a very complex issue, and presenting it so clearly and
accessibly facilitates participation in both this consultation process
and participation more generally. We particularly appreciate the hard
work of collecting the WHOIS policies from the various places where
they reside.

High-level recommendations:

The report should explicitly recommend that WHOIS policy recognize
that registrants, both individuals and organizations, commercial and
non-commercial, have a legitimate interest in, *and in many jurisdictions
the legal right to, the privacy of their personal data*.

In the normative discussion, privacy should be given equivalent emphasis
to accuracy. *It would be instructive in this regard to reference the
OECD privacy guidelines, agreed to by all OECD member countries with input
from business and civil society. Data accuracy (or 'quality') is considered
by OECD members to be of equal importance to purpose specification, use
limitation and security safeguards, none of which factors are supported by
Whois as it currently operates. (OECD Guideline reference:
http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html)*

It is as important that registrants have privacy as that
their data be accurately recorded. At the moment, the report appears,
from its emphasis on access and accuracy, to discount those privacy
concerns *that are accepted by all OECD member states and participating
business and civil society actors as having equal importance.*


Section F. Findings

The brief ‘tour de table’ provides useful background reading, but
*should* include reference to the fact that ICANN’s Whois policies are
incompatible with the OECD privacy guidelines and also applicable national
laws in many countries, including member states of the European Union.
*The European Union's Article 29 Working Party of national data protection
officers provided specific input to ICANN's 2003 Montreal meeting regarding
the many ways gTLD Whois breaches EU law. These included the lack of
definition of a purpose of Whois, lack of use limitation, misuse of Whois
data by third parties and the disproportionality of the publication of
personal data. The Article 29 Working Party concluded that "there is no
legal ground justifying the mandatory publication of personal data
referring to this person. (the registrant)".*

*(Article 29 WP reference: Opinion 2/2003 on the application of the data
protection principles to the Whois directories*
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2003/wp76_en.pdf)

*It is very concerning that the findings of the Whois Review Team do not
consider the glaring fact of the illegality of gTLD Whois requirements in
many jurisdictions, and the incompatibility of Whois as it currently stands
with the only internationally accepted guidelines on data privacy. *


Section G. Recommendations

1.  Single Whois Policy - "The Board should oversee the creation of a
single Whois policy document."

We welcome the call for a single Whois policy that sets out the
requirements globally and facilitates registrants who wish to consult
those requirements. Whois ‘policy’ is currently inferred from registry
and registrar contracts. *A single Whois policy should be compatible with
the internationally accepted OECD privacy guidelines, in respect of a
statement of purpose for the use of data, use limitation, data accuracy and
appropriate security safeguards for personal data.* However, gTLD policy
development is the responsibility of the GNSO, not the Board (until the
final stages), and needs to be developed through the bottom up process,
with the cooperation of the multiple stakeholders affected.

3 - "Make Whois a Strategic Priority"

Change "Strategic Priority" to "Strategic Consideration." As the
review team was focused only on WHOIS, it was in no position to
analyze the tradeoffs involved in setting global priorities. Many
items on ICANN's policy agenda *may be considered* more worthy of the
community's limited time and attention. *The appropriate process for the
community to prioritize issues such as Whois is via the Strategic Plan.*
No evidence is offered in this report to support prioritizing WHOIS
*over other issues of importance to the community as a whole.*

5 - Data Accuracy - As many law enforcement comments in the report
suggest, contactability is more important than "accuracy." Separation
of the contact details from the public display could enhance the
accuracy of the contact details available to appropriately qualified
requesters.

10-16. "Data Access: Privacy and Proxy Services."

The recommendations should explicitly acknowledge the importance of
privacy and proxy services in providing options to legitimate Internet
users to preserve their privacy. National laws in the United States,
for example, recognize privacy interests not only for individuals, but
for associations. The report further documents the legitimate
interests of even commercial Internet users in private domain name
registrations.
*       In relation to the references to national legislation: it is
important to note that this reference may be problematic if national
legislation violates international human rights standards, for example,
relating to freedom of expression (see the citation of this report below).
*       Freedom of association: proxy registration services can support the
rights of human rights defenders to carry out lawful activity without
persecution. Threats to registrants include surveillance of registrants
through use of information which is accessed via WHOIS data - continuing to
expand the nature of information held in WHOIS will only heighten the
safety concerns of human rights defenders. In addition, just in time
attacks on websites of civil society organisations have been used to
disrupt lawful activity and democratic participation in a number of
countries: see Deibert, R., Palfrey, J., Rohozinski, R. & Zittrain, J.
(Eds.) (2011). Access Controlled: The Shaping of Power, Rights, and Rule
in Cyberspace. MIT Press.
*       Governments whose legislation is in violation of these rights
should not be able to rely on such laws when requesting WHOIS data access
and proxy information. It would be unreasonable to require Registrars to
carry out an additional analysis. Other options include:
(1)     Provide that LEA WHOIS data requests may be refused where there are
reasonable grounds to believe that such requests may violate *registrants'*
rights of freedom of expression or freedom of association
(2)     Require LEA to verify that national laws comply with human rights
standards
(3)     Require LEA to verify that WHOIS requests do not violate
international human rights standards

17 - Data access - "ICANN should set up a dedicated, multilingual
interface website to provide thick Whois data for" COM and NET, who
have thin whois.  This is subject to existing policy and policy-making
by the GNSO. It is inappropriate for the Review Team to intervene at
this level of detail into the GNSO policy process, *and in a way that
privileges certain substantive outcomes over others.*


Section E. Work of this RT

A factual point. There is only one Chatham House rule, so the statement
referring to it should use the singular.

Freedom of Expression References:

As noted by the UN Special Rapporteur on Freedom of Opinion and Expression
in his annual report of 2011:

23.     The vast potential and benefits of the Internet are rooted in its
unique characteristics, such as its speed, worldwide reach and relative
anonymity. At the same time, these distinctive features of the Internet
that enable individuals to disseminate information in "real time" and to
mobilize people has also created fear amongst Governments and the
powerful. This has led to increased restrictions on the Internet through
the use of increasingly sophisticated technologies to block content,
monitor and identify activists and critics, criminalization of legitimate
expression, and adoption of restrictive legislation to justify such
measures. In this regard, the Special Rapporteur also emphasizes that the
existing international human rights standards, in particular article 19,
paragraph 3 of the ICCPR, remain pertinent in determining the types of
restrictions that are in breach of States' obligations to guarantee the
right to freedom of expression.

24.     As set out in article 19, paragraph 3 of the ICCPR, there are
certain, exceptional types of expression which may be legitimately
restricted under international human rights law, essentially to safeguard
the rights of others. This issue has been examined in the previous annual
report of the Special Rapporteur. However, the Special Rapporteur deems it
appropriate to reiterate that any limitation to the right to freedom of
expression must pass the following three-part, cumulative test:
(1)     it must be provided by law, which is clear and accessible to
everyone (principles of predictability and transparency); and
(2)     it must pursue one of the purposes set out in article 19, paragraph
3 of the ICCPR, namely (i) to protect the rights or reputations of others,
or (ii) to protect national security or of public order, or of public
health or morals (principle of legitimacy); and
(3)     it must be proven as necessary and the least restrictive means
required to achieve the purported aim (principles of necessity and
proportionality).

Moreover, any legislation restricting the right to freedom of expression
must be applied by a body which is independent of any political,
commercial, or other unwarranted influences in a manner that is neither
arbitrary nor discriminatory, and with adequate safeguards against abuse,
including the possibility of challenge and remedy against its abusive
application.

And further:

26.     However, in many instances, States restrict, control, manipulate and
censor content disseminated via the Internet without any legal basis, or on
the basis of broad and ambiguous laws; without justifying the purpose of
such actions; and/or in a manner that is clearly unnecessary and/or
disproportionate to achieve the intended aim, as explored in the following
sections. Such actions are clearly incompatible with States' obligations
under international human rights law, and often create a broader chilling
effect on the right to freedom of opinion and expression.
(full reference: Frank La Rue "Report of the Special Rapporteur on the
promotion and protection of the right to freedom of opinion and expression"
(26 April 2011, A/HRC/17/27) also available at: http://scr.bi/z6lZ8N )





-- 
Wendy Seltzer -- wendy at seltzer.org +1 914-374-0613
Fellow, Yale Law School Information Society Project
Fellow, Berkman Center for Internet & Society at Harvard University
http://cyber.law.harvard.edu/seltzer.html
https://www.chillingeffects.org/
https://www.torproject.org/
http://www.freedom-to-tinker.com/

