Last update: Sun Aug 17 22:48:44 CEST 2003
Joining late, this time. Ruchika Agrawal approaches the end of her talk as I join, asks whether uniform policy for all classes of registrants is appropriate; discusses OECD privacy principles. Mentions inaccuracies when there are no proper privacy protections in place. FTC recommendations on what not reveal to reduce risk of identity theft. Conflict with gobally accessible, publicly available WHOIS as required by the RAA.
Final note on free speech, privacy, anonymity: Closely tied. Without privacy, can't fully exercise free speech. Anonymizing proxies no adequate replacement, since intermediary will be liable according to RAA.
Alan Davidson, assoc. director of CDT: About CDT. Sent out presentation to whois-coordination. Two goals. One, present another privacy perspective, underscore some things Ruchika said. Present beginnings of "whois privacy toolkit" -- set of ideas on how to address concerns. Important to understand potential ways to address problem. Can meet many goals of WHOIS while protecting personal privacy. Many acknowledge historical and legitimate demands for registrant data. Technical, law enforcement, consumer protection, private enforcement, ... Current system doesn't meet goals; accuracy suffers if privacy and security not protected. Different privacy expectations for different kinds of registrants. Commercials -- little expectations. Non-commercials, individuals -- serious expectations. Expectations are culturally dependent, individual idiosyncracies. For many people, some information in WHOIS is personally identifiable, and sensitive. Not just identity, but home address, home phone, fax, and so on. Field-by-field discussion would be useful. Concern whether the WHOIS system conforms to fair information practices. In some cases, answer "no". Concern: Public availability of all data, including personally identifiable fields for individual. How to limit secondary uses of database, beyond what's intended? Ruchika touched on some risks which come from public availability. Marketing. Targets of scams, ID theft, criminal purposes. Increasing concerns about govt access and data mining. Political speakers -- availability can chill free expression. Hard to find solid examples and solid data. FTC noted that most victims of ID theft have no idea where information came from. Qualitative argument -- may find out about real privacy violations long after the fact. Real privacy risks -- what to do? Many tools available to address privacy. Tiering availability. Tiered access. Notice to registrants about actual access. Concern about legitimate investigations could be dealt with by delaying report. Not a particularly new approach. Just come up with the right kind of standard. Audit trail, ID/password access to data, track use of ID -- could go a long way in dealing with concerns. Encourage proxy registrations. Reporting about WHOIS use. Revise bulk access rules. Better notice and education for end users. Different rule sets for different TLDs. [someone speaking in the background, hard to understand] Disfavor solutions which would require ICANN to come up with determination who is law enforcement. Would favor "thin" architectures. Let anyone sign on for access, add safeguards. Current system doesn't meet privacy needs, nor needs of those who have legitimate access.
Karl Auerbach: Various blog entries, continuing conversation with Ross. Actually implements things besides doing ICANN. How can you build system which satisfies needs, protects privacy, is efficient, etc. Focus on system, not on philosophical underpinnings. First, some elements, second, how they work together, third, scenarios. Believes system works for law enforcement and non-law enforcement. Sharp line between the two. New system. Not what we have today. Sort of looks like it. Prove identity of querying party. Audit log -- record transactions. "Credit report" -- data subject can on occasion go in and get report on who is asking questions about subject. Public report (?). Possible reduction of (in?)precision of information returned.
Some people will have pre-arranged identities with the system -- IP lawyers, NOC staff, etc can get certificate. Other won't be able to identify, lesser privileges, information through different channels, information fuzzed. Audit log: Person who makes request will have to do things: Identify, offer proof of identity. Enunciate why they want information. Maybe "I'm curious". Maybe "I'm IP attorney fighting infringement." Describe in short words circumstances -- e.g., what mark is being violated? Time stamp it. Record it permanently. Public report to identify every single person which accesses database, not identify whom they inquired about. Flip side: Data subject can get (once a month/quarter/...?) report. Who has been asking questions about your domain? Identify person. "Fred has been asking about your domain because of curiosity. Joe has been asking because he also has that mark, and it's being infringed upon." Notice about who asks questions, and why. Law enforcement should have ability to delay disclosure in credit report. For certain classes of users, data might be less precise -- truncate phone number, postal code instead of full address, etc. Scenarios. IP attorney accuses domain of violating mark. Proper credentials. Go through identification magic -- fill out web form. Go past something that resembles spamassassin -- not gibberish? If not gibberish and user not blacklisted, query database, and information comes back. Another scenario -- law enforcement. Exactly the same procedure. Ask that inquiry isn't on credit report. Works. John Random asks. Return information through e-mail. Time-deferred. Make it fuzzy.
Believes system works. Introduces system. Privileged users become visible. Implementable. Not burdensome. Don't believe it meets full privacy requirements. Feasible compromise.
Ken Stubbs for clarification: Consumer trying to buy? Karl: Separate topic. Internet business license? Distinct discussion. Be careful about walking down path of too much self-enforcement of what should be done by law enforcement.
Wendy Seltzer: Speaking primarily with EFF hat on. About EFF. Not speaking on ALAC's behalf. Primary interest in WHOIS privacy issues comes from the fact that domain names are essentially a printing press for speech. They are tools for online speakers. The whois amounts to a speakers' registry. Anyone who wants to speak under own domain name, has to put a great deal of information online. Starting from the wrong end: In other media, someone who wants to print a newsletter, start a pamphlet, doesn't have to make information about self available. Traditionally a strong protection for anonymous speech. Federalist papers. Privacy and anonymity of online speech can be similarly important. Forcing disclosure of identity, personally identifiable information equivalent to persuming guilt. ... WHOIS has increased cost of speech. Can chill some kinds of speech -- political dissidents, think about Chinese dissidents who won't be speaking for very much longer if their name becomes available. Citizens who want to discuss political topics, disagree with pervailing wisdom. ... Proxy solution, speak through somebody else's domain name. But: In other contexts, we don't require speakers to choose less protective means of speech. Shouldn't do this online. Returning to earlier comments. Most frequently hear interests of law enforcement and intellectual property holders. Critical to distinguish govt interest sharply from private interest, private enforcement. Even when private parties can't directly find speaker's identity, they have subpoena, once infringement has been alleged. Can file under John Doe nomination, subsequently find speaker's identity. Legal and technical means to shut down speech under investigation. Where anonymity is important for speaker, not right to take away anonymity first, investigate justification for that later. Adding privacy options to the WHOIS giving stronger protection to the data likely to increase accuracy of all data.
Sven MÃ¶rs: Thanks. About Berlin data protection commissioner's agency. Not speaking on anyone's behalf. Not EC, not Article 29 working party, etc. Just giving view on European perspective. Following his posting on the mailing list. Would want to start from question: Why should ICANN care about European privacy legislation at all? You're in the US, we're in Europe. Might not be a problem. Problem not so much with ICANN, but with registrars. Lots of registrars in Europe. To those registrars, European legislation is fully applicable. Need to follow data protection laws in respective country. Questionable whether current regime is in line with law. Why's that so? OECD report comparing ccTLDs: Will find that ccTLDs have lots of different policies with regard to WHOIS access. Some of these measures have been taken because natl. authorities took view that unlimited access and too many data elements published are not in line with data protection law. Very likely that authority that has applied policy to country-code TLD in country will apply same policy to gTLD registrars. Poses some problems with regard to unlimited access, amount of data published. .de -- some discussion with de-NIC some years ago. Private individuals' telephone number only published with specific consent. .uk -- instead of indicating name, (...?) Lots of other things. Not consistent. At least for Germany, authorities here are just starting to look at gTLD registrars. Existing RAA with bulk access, marketing uses, amount of data published, is not in line with German legislation, and also with European directive on data protection. Might want to give another example to give feeling how European data protection person might look at it. If you look at directive, one of important things is data subject, data controller. Data controller can do lots of things with subject's data -- e.g., for fulfilling a contract. WHOIS: Data controller is probably the registrar (contract in place). What data controller can do with data collected depends on specified purpose. Tricky regarding WHOIS: First question would be for specified purposes. ... Proportionality principle -- once you have purpose specified (core thing!), you can judge whether amount of data being published is proportionated with regard to specified purpose, whether accessibility of data is proportionate with regard to purpose. Would make distinction between case-to-case transmission to parties who can state legitimate/legal interest, and unlimited publication. Best guess at the moment is to advocate that ICANN should take existing data protection regulations into account when developing new policy. Doesn't have solution. Dialogue as first step.
Barbara Simons: Question for all, question for Karl. Alan talked about oversight, accountability on slides. How to enforce? To Karl: Have law enforcement conceal information for arbitrary time -- warrantless search? Oppressive regimes? Have woman shelter put up web site -- would they have to put up their location? Alan: Good point. Something like what Karl suggests would be helpful. Accountability/enforcement: Notice important. Targets can best find out who abuses. Karl: Law enforcement rights is massive body of law. Too massive to be put in software. Look for pragmatic approach. System proposed not perfect for anyone. Barbara's question is good. Not all searches require warrant.
Jean-Michel Becar: Quick comments. Registrar, public company. If have to find solution, keep it simple. Will have hard time to come to board of directors to ask for funds. Quick, easy, cheap solution. Second comment about RAA. If they could renegotiate, leave door open for countries to implement privacy laws.
Robin Layton: Quick question to Sven. If telephone numbers are published in Europe -- how does privacy directive treat publication, what's responsibility of companies who issue reports? MÃ¶rs: Start with Germany. Registrant for phone number has right to if and how number published. Can opt for not having it published, just having it in printed directory (not electronic), can decide what set of data to be included in directory -- address? full name? partial name? All works. ... Pretty much the same in other European countries, though not fully harmonized.
Steve Metalitz: Question for Sven. Appreciates that speaks on own behalf. Gathers that there are some formal conclusions in ccTLD context, but not in gTLD registrar context. 1. Correct? 2. Are ccTLD conclusions accessible somewhere? Transparency question -- public availability of decisions. MÃ¶rs: Not aware of activities regarding gTLDs in EU, except .name. Art 29 working party is looking at WHOIS problem and privacy. Don't know what outcome will be, but expects actions in the member states. To second question: Yes, they are. But mostly just in commissioners' native language. Some agencies make English translations. Best source he knows is OECD report mentioned in list posting.
Elana Broitman: MÃ¶rs had mentioned that current rules not compliant with German authorities' requirements, EU directive. She was under impression that as long as you provide proper information to customer, you are compliant. MÃ¶rs: German situation -- not in line, that private individuals are forced to give telephone number. Extended searches would also be against the law. With regard to contractual things, complicated question. One thing to do would be to base processing on free consent. *Free* consent. If consent not free, need to demonstrate need with regard to data processing. If there are less intrusive means available, need to apply that. Elana: Clarification. Even if publication revealed, not allowed to provide information openly if other less intrusive means available. Yes and no. Notice and consent not sufficient. Can't put anything you like into contract, unless people have a choice in their decision.
Ken Stubbs: Heared an awful lot about potential problems, sinister applications about having an open system. Very concerned that inadequate address is given to ordinary consumer use of WHOIS. Need easy access to commercially-oriented SLDs. Karl: Consumer being curious not enough reason. But if business relationship, that seems like good enough reason. Whole bunch of question. Hobbies turn businesses -- Yahoo. That's why he mentioned Internet business license idea. Separate and distinct mechanism. Proof of who you are when doing business.
Becky Burr: Follow up on Elana's question regarding consent. Thinks that different authorities in different member states might take different positions on this. In some places, if there is choice, i.e., could choose to register domain name in .de where information is not available, wouldn't it then be possible to condition gTLD registration on consent to publication. MÃ¶rs: Tricky question. Becky absolutely right that data protection legislation is not fully harmonized in detail. Choice is extremely good question. Under some circumstances, that might work, i.e., if there are no disadvantages, it might work. On the other hand, consent used as last resort when you don't have right -- can be revoked at any point. Karl: Notes that data subject is perfectly free to make information available itself. Completely adequate mechanism for people to opt in without using WHOIS framework.
Margie Milam: Law enforcement don't have resources to follow up to every fraud. To extent to which business can do things cheaply, that helps. Sometimes, WHOIS record is only source of information. Difficult to get information from elsewhere -- think about cybersquatters, some kinds of fraud issues. OECD cybersquatting case. Categorizing registrants -- personal v. commercial users? Karl: Boundary between commercial and personal use is thin. What was Yaoo when they first started? Internet more than just web. And it's all hidden behind same domain name. Ability of private bodies to go after information -- could go into discovery. Expensive, slow. Accuse you, get data?
Ruchika Agrawal: Wants to add to Sven's point on European perspective, maybe a clarifying question. Points to IWGDPT comments. ... (Missing question.) MÃ¶rs: Contract with third party in foreign country doesn't get you out of danger of enforcement of privacy law.
Ross: Whiteboarding exercise. Elana Broitman: People have done terrific job. Would hate to see this not be used productively. Suggests that results be submitted to the public lists, WHOIS Steering Group. Sven MÃ¶rs: Possible way to move forward in Montreal -- set up discussion process with article 29 working party. Good alternative to every registrar approaching national authority. Working with art. 29 could contribute to get some uniform set of rules throughout Europe. Andrew Newton: Would like to present bridging document in Montreal. Mike Palage: Brief discussion about what to send out to lists from whois-wpc. Provide framework of presentations for Tuesday, could address some concerns. Make sure that presentations on these calls be incorporated in materials. Factual background.
Ross: Thanks to everybody. Important thing: Re-establish strong line of communication between stakeholders. Thanks everybody for time, see in Montreal.
Thu Jun 12 15:09:53 CEST 2003 #