Fwd: ICANN contract [SEC=UNCLASSIFIED]

[Robin Gross]

Begin forwarded message:

> From: "Kelly Hart" <Kelly.Hart at oaic.gov.au>
> Date: August 29, 2012 9:52:04 PM PDT
> To: "Robin at ipjustice.org" <Robin at ipjustice.org>,  
> "dave at DIFFERENCE.COM.AU" <dave at DIFFERENCE.COM.AU>
> Subject: ICANN contract [SEC=UNCLASSIFIED]
>
> Dear Mr Cake and Ms Gross
>
> Thank you for your email about the Non-Commercial Users  
> Constituency’s (NCUC) privacy concerns in relation to the draft  
> Registrar Accreditation Agreements (RAA) that are being considered  
> by the Internet Corporation for Assigned Names and Numbers (ICANN).
>
> The Office of the Australian Information Commissioner (OAIC) is an  
> independent statutory agency that brings together the functions of  
> information policy, oversight of privacy protection and freedom of  
> information in one agency. As the national privacy regulator the  
> OAIC provides general advice on privacy issues and the application  
> of the Privacy Act. The Privacy Act applies to ‘personal  
> information', which is defined in s 6(1) as information or an  
> opinion, whether true or not, about an individual whose identity is  
> apparent or can be reasonably ascertained from that information.  
> The Privacy Act contains eleven Information Privacy Principles  
> (IPPs) which apply to Australian, ACT Government and Norfolk Island  
> agencies . It also includes ten National Privacy Principles (NPPs)  
> which generally apply to private sector organisations, but which do  
> not apply to certain exempt organisations including some small  
> businesses and State or Territory authorities.
>
> You may be aware that an Australian Government representative from  
> the Department of Broadband, Communications, and the Digital  
> Economy was a member of the WHOIS Policy Review Team (Review Team).  
> The Review Team published a report of findings and recommendations  
> about the registrar/registrant system, including about privacy  
> matters. Australia is also a member of the Government Advisory  
> Committee (GAC) which recommended the Review Team’s report be taken  
> into account during the RAA amendment process. The recommendations  
> include ensuring effective law enforcement, data improvement and  
> regulation of the privacy/proxy service system.
> The OAIC (and the former Office of the Privacy Commissioner) has  
> been approached about particular privacy matters that arise in  
> relation to the information of registrants and its availability  
> through WHOIS services, including law enforcement access to the  
> information. Under the Privacy Act personal information may be  
> disclosed for law enforcement purposes in certain circumstances  
> (NPP 2 (f), (g) and (h) – see  Privacy fact sheet: National Privacy  
> Principles).
> We appreciate the NCUC raising their concerns about broader privacy  
> considerations with us. We will be monitoring the contract  
> developments with interest and providing input where appropriate.
>
> Kind regards
> Kelly
>
> Kelly Hart (nee Wood) |Director| Policy
> Office of the Australian Information Commissioner
> GPO Box 2999 CANBERRA ACT 2601 |www.oaic.gov.au
> Phone:  +61 2 6239 9192 |  kelly.hart at oaic.gov.au
>
> Protecting information rights – advancing information policy
>
> ** I am in the office on Wednesdays, Thursdays and Fridays **
>
>
> From: Robin Gross [mailto:robin at ipjustice.org]
> Sent: Monday, 23 July 2012 6:05 AM
> To: Robin Gross
> Cc: David Cake (dave at difference.com.au) (dave at difference.com.au)
> Subject: Urgent Request from Non-Commercial Users Constituency for  
> Privacy / Data Protection Office to review ICANN contract for  
> privacy compliance
>
> Dear Privacy Commissioner:
>
> I am writing to you as a matter of urgency concerning online  
> privacy. I represent the Non-Commercial Users Constituency of ICANN  
> and have concerns regarding ICANN’s the current consultation  
> relating to contracts with Registrars. A short letter from your  
> office would help greatly to balance the negotiation discussion. I  
> ask you to send correspondence to the ICANN Board Chair and CEO.
>
> As you will be aware, the international management of Internet  
> naming and addressing is conducted by ICANN, the Internet  
> Corporation for Assigned Names and Numbers. As part of ICANN’s  
> work, contractual arrangements are entered into with private  
> corporations to offer particular Internet domain names to the  
> public. These private corporations (“Registrars”) in turn undertake  
> to manage the personal details of their customers (“Registrants”)  
> in accordance with the requirements of their contract with ICANN.
>
> Registrars collect and hold personal information about registrants  
> and have obligations to uphold privacy-related principles for the  
> collection, use, storage and disposal of this registration data. It  
> is my belief that ICANN requirements within the contracts with  
> Registrars must uphold and not violate international human rights  
> standards on privacy, in particular collection, access to, and use  
> of such data. Incursions on privacy are permissible, only when  
> restricted to exceptional circumstances, such as access by law  
> enforcement bodies pursuant to a judicial process and in any event  
> subject to rules relating to access to data across national borders.
>
> The aggregated database of registrants’ contact information is  
> called the WHOIS database, and is currently required to be  
> published to unauthenticated requesters. In my view, information  
> within this database must only be collected for the purpose for  
> which is needed, and sensitive information must be made available  
> only to those with demonstrated need. There is no clearly  
> established need for the collection of, for instance, telephone  
> numbers for the purposes of registering a domain name, although  
> Registrars and others may find this convenient. A blanket  
> requirement to provide telephone numbers would, therefore, seem to  
> be an unreasonable intrusion into the privacy rights of  
> registrants. Similarly, physical addresses and secondary identity  
> verification documents are not required for the operation of the  
> domain name system, and in my view should not be permitted or  
> required in the contracts ICANN has with Registrars.
>
> I am sure you will understand that with the creation of a data-rich  
> database, concerns regarding the proper and secure storage and  
> compliant arrangements for the disposal of registration data when  
> it is no longer required become more important and potentially  
> privacy-intrusive. In my view, the current requirements in the new  
> draft contracts with Registrars are likely to infringe national  
> privacy laws and have impact on citizens within your jurisdiction.
>
> For example, WHOIS contact details need only be an email address of  
> a technical officer who is empowered by the registrant to fix  
> technical issues with a domain name address or pass on  
> communications. There is no technical need for identity  
> verification, let alone regular or annual verification, beyond the  
> existing requirements. In many jurisdictions where freedom of  
> expression is tenuous, the greater the degree of anonymity or  
> pseudonymity, the greater the freedom of expression. This is even  
> more acute when the database is stored in a foreign country and  
> subject to different national laws regarding privacy and access by  
> public officials to private databases. It is important, therefore,  
> to ensure that national laws relating to privacy are respected.
>
> The Article 29 Working Party has previously considered WHOIS, and  
> raised concerns as far back as 2003, saying that “it is necessary  
> to look for less intrusive methods that would still serve the  
> purpose of the Whois directories without having all data directly  
> available on-line to everybody.” http://ec.europa.eu/justice/ 
> policies/privacy/docs/wpdocs/2003/wp76_en.pdf   Unfortunately,  
> ICANN’s draft contract goes in the opposite direction, exacerbating  
> the privacy harms.
>
> The draft contracts are open for comment – see http://www.icann.org/ 
> en/news/announcements/announcement-7-04jun12-en.htm - and I would  
> request your organisation review and consider the privacy impacts  
> of these new contracts – in particular the summary of the  
> negotiating team’s responses to law enforcement submissions. On  
> behalf of the Non-Commercial User Constituency, I recommend that  
> your organisation respond to the ICANN consultative process to  
> ensure that privacy considerations and respect for national privacy  
> laws remains a strong feature of ICANN’s contractual arrangements.  
> Your comments would be very helpful in giving balanced background  
> to the negotiations.
>
> I recommend that you send comments directly to Dr. Steve Crocker,  
> Chair of the ICANN Board, and Akram Atallah, interim CEO, via email  
> to the Director of Board Support, diane.schroeder at icann.org.  
> Comments by the end of July would be most helpful, but any  
> information you can add would be welcome.
>
> Please feel free to contact me dave at DIFFERENCE.COM.AU if the NCUC  
> can provide further information or background.
>
> Very truly yours,
>
> David Cake, Chair, Non-Commercial Users Constituency
>
> Robin Gross, Chair, Non-Commercial Stakeholders Group
> More info on ICANN RAA contract negotiations:
>      https://community.icann.org/display/RAA/Negotiations+Between 
> +ICANN+and+Registrars+to+Amend+the+Registrar+Accreditation+Agreement
> _______________________________________________
> Robin D. Gross, IP Justice Executive Director
> Web: www.ipjustice.org
> Email: Robin at ipjustice.org
> Phone: +1 415.553.6261
>
>
> **********************************************************************
> WARNING: The information contained in this email may be confidential.
> If you are not the intended recipient, any use or copying of any part
> of this information is unauthorised. If you have received this email
> in error, we apologise for any inconvenience and request that you
> notify the sender immediately and delete all copies of this email,
> together with any attachments.
> **********************************************************************
>




IP JUSTICE
Robin Gross, Executive Director
1192 Haight Street, San Francisco, CA  94117  USA
p: +1-415-553-6261    f: +1-415-462-6451
w: http://www.ipjustice.org     e: robin at ipjustice.org



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncuc.org/pipermail/ncuc-discuss/attachments/20120906/9ef7bb85/attachment.html>