Regarding data collected and the purpose of collecting data
Hello All, There seem to be some concerns about the work on WHOIS affecting the data that is collected. I am not aware of any efforts in the registrar/registry community to change the data that is collected at the time of registration. As Ross has pointed out, privacy laws in various countries already require us to specify the purpose for which data is being collected (usually in the form of a privacy policy published on the website), as does the registrar accreditation agreement (in the form of the agreement between the registrar and the Registered Name Holder). Thus I recommend that the Council assume the following: (1) There is no change in the data that is collected. This is currently covered in clause 3.4 of the registrar agreement: http://www.icann.org/registrars/ra-agreement-17may01.htm#3 "Retention of Registered Name Holder and Registration Data.". "During the Term of this Agreement, Registrar shall maintain its own electronic database, as updated from time to time, containing data for each active Registered Name sponsored by it within each TLD for which it is accredited. The data for each such registration shall include the elements listed in Subsections 3.3.1.1 through 3.3.1.8; the name and (where available) postal address, e-mail address, voice telephone number, and fax number of the billing contact; and any other Registry Data that Registrar has submitted to the Registry Operator or placed in the Registry Database under Subsection 3.2." (2) There is a policy process around the public publication of some of the data that is collected. This is currently covered in clause 3.3 titled "Public Access to Data on Registered Names" "At its expense, Registrar shall provide an interactive web page and a port 43 Whois service providing free public query-based access to up-to-date (i.e., updated at least daily) data concerning all active Registered Names sponsored by Registrar for each TLD in which it is accredited. The data accessible shall consist of elements that are designated from time to time according to an ICANN adopted specification or policy. " Note the WHOIS policy activity is specifically in relation to the second sentence above. (3) If some data is no longer made public, there are other mechanisms for obtaining the data from the registrar. All registrars that are members of the registrars constituency that I have spoken to cooperate with law enforcement. If there are problems with some registrars - then perhaps this is a matter for the registrar accreditation process. (4) The purpose for collecting data is already defined in the registrar agreement. Regarding the purpose for collecting data - this is already in the registrar agreement, specifically in clauses 3.7.7.3, clause 3.7.7.4 and clause 3.7.7.5. Note there is no mention of the public display of such data in these clauses, nor the purpose for the public display.
From clause 3.7 of the registrar agreement, titled: "Business Dealings, Including with Registered Name Holders."
3.7.7.3 Any Registered Name Holder that intends to license use of a domain name to a third party is nonetheless the Registered Name Holder of record and is responsible for providing its own full contact information and for providing and updating accurate technical and administrative contact information adequate to facilitate timely resolution of any problems that arise in connection with the Registered Name. A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it promptly discloses the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm. 3.7.7.4 Registrar shall provide notice to each new or renewed Registered Name Holder stating: 3.7.7.4.1 The purposes for which any Personal Data collected from the applicant are intended; 3.7.7.4.2 The intended recipients or categories of recipients of the data (including the Registry Operator and others who will receive the data from Registry Operator); 3.7.7.4.3 Which data are obligatory and which data, if any, are voluntary; and 3.7.7.4.4 How the Registered Name Holder or data subject can access and, if necessary, rectify the data held about them. 3.7.7.5 The Registered Name Holder shall consent to the data processing referred to in Subsection 3.7.7.4." The terms of reference for the WHOIS task force were deliberately drafted to focus on the Public Access to Data on Registered Names Regards, Bruce Tonkin Registrar rep on GNSO Council
Bruce, Ross, Mawaki, Robin, fellow Councillors, thank you for your responses to the proposed compromise wording. The arguments within get to the heart of the disagreement. I suspect both sides are making assumptions not held by the other side. Bruce, you link to two key issues: "The argument seems to be: (1) Law enforcement need access to data for investigation (2) The data must be made public for everyone in the world to see for this to happen I can't understand this logic." I agree. It is not my logic. I am NOT making the assertion in (2). You assume that because a Registrar agreement TODAY requires public access, that is the status quo upon which we are defining the purpose of WHOIS. In other words you are defining purpose only in the context of the current means of access. The footnote to the compromise definition did state "Note: This definition is explicitly silent on questions of subsequent access to data or data publication". In other words, the assumption in the compromise formulation is to separate the issues of "purpose of data" and "access". One side seems to say: Registrar agreement is a given truth - now lets define purpose then discuss other issues. The other side is saying: Define purpose - discuss access - discuss other issues - implement in Registrar agreement as required. I suspect this lies at the root of the dissonance on both the TF and now Council. It is a key dissonance to overcome. A vote on Wednesday will not be a solution. Without resolving the above it will be a hollow victory for either side. Philip
Philip, --- Philip Sheppard <philip.sheppard@aim.be> wrote:
Bruce, Ross, Mawaki, Robin, fellow Councillors, thank you for your responses to the proposed compromise wording.
snip>>> The footnote to the compromise definition did state "Note: This definition is explicitly silent on questions of subsequent access to data or data publication". In other words, the assumption in the compromise formulation is to separate the issues of "purpose of data" and "access".
And I heard you, and asked when replying to your proposal of the redefined F#2, quote:
3. The definition is silent on questions of subsequent access to data or data publication. If I understand well, are you saying that your proposed definition of the purpose for which the data is collected does not imply that the WHOIS data must remain publicly accessible? Unquote.
But not surprisingly, I haven't gotten any answer from you. It turns out to be that, whether you like it or not, the objective of this policy development and TF is to address the issue of the WHOIS data being made public, as any one can clearly see from the three points of the ToR recalled by Ross: 1. Figure out if the current data being published is appropriate (whether it should be broadened or narrowed) 2. Figure out if all of this data should be made public. 3. Specify how data that is not being made public can be accessed. Even if you ONLY take the first one as you're doing to say you agree on it, the sub-question in brackets ("whether it should be broadened or narrowed"), which is the continuation of the main question, indicates that it is about figuring out how much data needs to be _public_, and how much needs not. And Bruce also clarified this earlier, as the "heart of the issue" stated in Terms of reference no. 3: "Determine what data collected should be available for public access in the context of the purpose of WHOIS. Determine how to access data that is not available for public access." And I seem to understand, when he writes: "we need to move forward [my addition: after the vote] to focus on a solution," he's referring to the second sentence in the quote right above. So, last questions for you Philip: 1. Do you think the question of determining whether the WHOIS data must be publicly available or not (as your refined proposal remains silent on this, while it was the job of the TF to find out), so do you think it is a question the GNSO Council should not bother asking? 2. Do you think it ICANN's _mission_ to cater for law enforcement, just because there might be unlawful deeds over the Net? 3. Don't you think the law provides, or can provide, enough itself with the means of its own enforcement, so that it doesn't need ICANN to take on the mission of a surrogate for law enforcement? Talk to you tomorrow, Mawaki
One side seems to say: Registrar agreement is a given truth - now lets define purpose then discuss other issues. The other side is saying: Define purpose - discuss access - discuss other issues - implement in Registrar agreement as required.
I suspect this lies at the root of the dissonance on both the TF and now Council. It is a key dissonance to overcome.
A vote on Wednesday will not be a solution. Without resolving the above it will be a hollow victory for either side.
Philip
participants (3)
-
Bruce Tonkin -
Mawaki Chango -
Philip Sheppard