[NCUC-DISCUSS] Support of the ECO model

Mon Jan 29 18:35:32 CET 2018

All,

I've been traveling (now at NamesCon) and would like to weigh on. I like 
the ECO model.  Here is some information about it with a link to the 
detailed, technical proposal developed by a number of registries and 
registrars, in the EU and outside, in conjunction with Thomas Rickert - 
https://international.eco.de/2018/news/data-protection-and-the-domain-industry-eco-submits-data-model-to-icann.html

1. What I like about includes the following:

1. The ECO model engages in data minimization. It strips down the data 
registrars will actually collect for domain name registration purposes 
to just registrant data -- not technical contact, not administrative 
contact. That's a good step since we've been collecting basically the 
same data since NSFNET. Less data; less exposure.

2. It protects the data of individuals and organizations. This is a 
fundamental concept that NCSG and NCUC have been pushing, teaching, 
educating and advocating for the last 15 years of the WHOIS discussion. 
We (NCUC/NPOC/NCSG) represent organizations and individuals -- all 
engaged in noncommercial speech!  These include political, religious, 
and gender groups all over the world. Battered women's shelters, 
mosques/synagogues/churches located in areas where they are unpopular, 
LGBTQ communities, political minorities. They are legal persons (that's 
how you get insurance to protect the battered women's facility), but 
they are also exposed for the speech positions that they take. This is 
not a hypothetical; I have dealt with concerns for the physical safety 
of human rights groups and dissident speakers around the world for 
almost 20 years.  Fortunately, organizations such as these are protected 
under the GPDR laws that protect not only "personal data" but "sensitive 
data."  I can expand much more (and will in future emails :-)), but for 
now let me share how pleased I was to see that the ECO model protected 
both legal persons and individuals -- including organizations exposed 
for the very speech they share and services they provide (like women's 
health care and education) (note: Model 2B protects legal persons too, 
but not Model 3).

3. It's implementable in the short time. Face it, there's not much time. 
Systems have to be changed and that takes time. The registries and 
registrars, including those on the front lines in Europe, worked hard on 
this model. It's "doable" and means they can move rapidly into 
compliance with the GDPR rules.

4. It is not unlimited access to the data. Other models proposed for 
access had credentialing of the organization -- e.g., a whole law firm 
could access unlimited Whois data including all paralegals and 
attorneys. A unaccountable process. In the ECO model, individual 
attorneys have to certify not only their legal credentials, but their 
reasons for each individual access to the new WHOIS database. This 
access can be checked and audited. Violations can be found, noted, 
published and access blocked. It's not perfect, but it's far, far better 
than what we have now.

Best regards, Kathy

p.s. apologies for the double posting, but I don't think the lists of 
NCSG and NCUC fully overlap.