Comment II on WHOIS Policy Review Team Draft Report - LEA Focus

[Avri Doria]

Comment on draft-final-report-05dec11-en.pdf 

Over the last several years, ICANN and many of its constituent parts, have done everything possible to bring the voice of Law Enforcement Agencies (LEA) into the discussions on WHOIS and Registrar agreements.  And these LEAs have done an excellent job of giving the community a picture of the problems being experienced on the network by some users at the hands of some registrants and some registrars.  The WHOIS Review Team has followed this pattern.

Unfortunately, since the first LEA panels and continuing with the WHOIS Review Team, this has been a one side conversation.  Rarely have governmental Data Protection Officers and Privacy Officials been included in the discussion.  And I cannot remember a time when there was parity between the proponents of the LEA perspective and the governments' protectors of data privacy.

The WHOIS Review Team report suffers from this deficiency.  Specifically:

"
Formed in October 2010, the WHOIS Review Team comprised representatives from across the ICANN constituencies, a representative of law enforcement and two independent experts.
"

There was no governmental representative of Data Privacy*.  And while the civil society advocates for data privacy did the best they could, it is obvious from reading the report that they never had the level of influence that the representatives/advocates of law and trademark enforcement had.  How could they?  The Law enforcement representative could speak with the authority of government with no countervailing sovereign view point. 

The one sided approach of the WHOIS  Review Team, unfortunately, leaves the report incomplete.

I recommend that the final report be changed to specifically require the presence of Data Protection Officers and Data Retentions Officers, by whatever titles they come in all ongoing discussions.  A standard of parity should be set so that whenever a LEA representative is invited to a discussion, they are pared with a governmental Data Privacy representative, preferably from the same government, so that both sides of the story can be heard.   In so far as I can tell, as of this writing, there are NO comments from governmental privacy officers. I therefore also recommend that an additional special outreach should be done to a variety of governmental privacy offices to make sure that these recommendations fall appropriately within the bounds of privacy and data retention laws, before any implementation activities are undertaken. To do anything less prejudices the discussion and rends the outcome, in this case the report and any ensuing policy recommendations,  less credible.

Avri Doria


* Many governments have Data Privacy enforcement officers under one title or another.  E.g. in the US such offices can be found in Department of Homeland Security and Department of Justice.