I see, the good stuff comes right before the conference call! Clearly this is going to be one of the more interesting areas for our report. I do like the simplicity of Emily's analysis and perhaps that could be a beginning for the report discussion, i.e., breaking down the current practice in terms of the requirements of the RAA. The balance is arguably policy but nevertheless something I think we should attempt to deal with, but carefully, in particular so that all options are set forth logically in an even handed manner. To the extent we can achieve consensus on some, that would be great. There may be certain positions/recommendations that would apply to both proxy and privacy; and others that would not. Some may feel that privacy is inapplicable to non-commercial organizations and others not. Reaching consensus on all recommendations may be unlikely but we should see how far we can get. If we are going to introduce national legal requirements and bias' into this section, and both US first amendment and EU data protection concepts have potentially significant implications, then let's try to be non-geocentric and also, if possible, mention national legal requirements from other parts of the world to the extent we are aware of them. Seth From: rt4-whois-bounces@icann.org [mailto:rt4-whois-bounces@icann.org] On Behalf Of Kathy Kleiman Sent: Wednesday, October 12, 2011 7:58 AM To: Emily Taylor Cc: rt4-whois@icann.org Subject: Re: [Rt4-whois] FW: Reviewing proxy/privacy ideas [SEC=UNCLASSIFIED] Hi Peter, Emily and All, I have been giving this a lot of thought too. I have also been doing some research, and although I have been deeply embedded in the proxy/privacy issue for some time, there is still so much I don't know! Here are some of my thoughts: 1) I think you are right in dividing privacy from proxy from privacy registrations. As you wrote, and as Emily has written below in her recent email, proxy and privacy services (although spoken in the same breath) are different. I think our WRT Report can play an important role in laying out the differences, and sharing why, to us, these differences result in very clear and differing obligations and responsibilities. 2) I don't think you restrict privacy services to natural persons. As we have discussed in our meetings, there are many political organizations, religious groups and even commercial companies that claim privacy rights, and have legitimate reasons for not wanting to disclose a physical address. What I do think we can encourage the ICANN Community to develop is a series of guidelines for appropriate disclosure of the underlying data to law enforcement and others (called "Reveal" in ICANN parlance). (I also think the ICANN Community can develop a series of guidelines for appropriate practices for passing on information to the registrant at his/her/its address or email to notify them of all legal proceedings, inquiries to purchase the domain name, etc. -- this might defuse a lot of the existing tensions ("Relay" in ICANN parlance). 3) I do like the idea of best practices for privacy providers. 4) After great thought, and debate with several people on the Team (tx you!), I agree with you about proxy providers. I think your #7 is probably right: that "ICANN should claify that the full rights and responsibilities of a registrant accrue to the entity identified as the registrant." There does not seem to be any other way to do it. 5) An additional point: Education. perhaps we can use our recommendations to encourage clearer education of registrants, the ICANN Community, and the greater Law Enforcement, Commercial and other Communities. We can lay out the difference of proxy and privacy providers, and ways the choice of privacy or proxy might impact the registrants, and parties seeking the registrant. 6) One more additional point: Tiered Access. I don't know if we should get into this, but the Whois protocol can be modernized and updated to include levels of access for data -- e.g., privacy of addresses and telephone numbers -- and then provide access to those who a) identify themselves, and b) meet the criteria for access, e.g., law enforcement. In this case, the Whois information is held by registrar and registries, and thus much closer to ICANN. It is also far cheaper for registrants (who are currently paying more for their privacy services per year than their domain name, in many cases). Finally, it open future options for the registries and registrars to manage access to the data -- perhaps pursuant to rules ICANN might someday create. The current Whois protocol can't provide this service, but others can (Restful DNS, etc). Perhaps a win-win? Best and tx for all of your leadership in this area, Peter! Kathy << From Emily: Hi Peter Thanks for reviving this discussion. I've been mulling over privacy proxy recommendations, that would be suitable and not pre-empt the findings of studies. I think that a route might be to go back to the first principles in the contract. 1. Proxies are the registrant. Therefore they take the heat if there's any problem with the domain name, and the onus/responsibility is on them to prove that there is another party who should be blamed in a timely way. 2. Privacy registrations - on the face of it, these are inaccurate, and therefore the domain becomes subject to cancellation if the true registration details are not revealed in a timely manner. So, the policies are there, the contractual powers are there. There needs to be more responsiveness on the part of registrars in cancelling/amending/revealing underlying details where there's a problem. Thoughts? Best, Emily On 11 October 2011 05:49, Nettlefold, Peter <Peter.Nettlefold@dbcde.gov.au> wrote: Hi Kathy, I wanted to follow up the conversation about proxy services that we began in MDR. In particular, I wanted to ask about what you meant by the recommendation: 'Registrars may not knowingly use for their own registrations, or register the domain names of p/p service providers who do not have contracts with them' I'm assuming that a registrar has a contract with every registrant as a matter of course, so I take it that this is referring to having up front contracts with p/p providers? My question is would this be separate to a global ICANN p/p accreditation or registration scheme? My first intent here is to be really clear on what is intended. Secondly, I wonder if it would be more efficient and effective to have this kind of approach run in conjunctions with an ICANN accreditation scheme - i.e. ICANN would accredit p/p providers in a similar way that it does registrars, and any registrar could then do business with those providers? Otherwise, couldn't we would be faced with a range of issues, including registrars potentially signing contracts with themselves (or their subsidiaries, affiliates etc) to serve as p/p providers? I'm still looking forward to feedback from other team members on the question of whether proxy services should be recognised by ICANN, but wanted to discuss your proposals in the interim. Cheers, Peter From: "kathy@kathykleiman.com<mailto:kathy@kathykleiman.com>" <kathy@kathykleiman.com<mailto:kathy@kathykleiman.com>> Subject: [Rt4-whois] Reviewing proxy/privacy ideas Date: September 21, 2011 7:26:51 AM PDT To: RT4 WHOIS <rt4-whois@icann.org<mailto:rt4-whois@icann.org>>, Sharon Lemon <sharonchallis@aol.com<mailto:sharonchallis@aol.com>> Reply-To: "kathy@kathykleiman.com<mailto:kathy@kathykleiman.com>" <kathy@kathykleiman.com<mailto:kathy@kathykleiman.com>> Hi All, After good food and great company last night, I awoke with some new ideas regarding proxy/privacy service providers. What we know: - Not too much. Proxy/privacy providers (p/p) are not something we have studied closely. We know that many people, including very experienced Net users, do not have a clear distinction. They are generally used in the same voice at the same time. - We have no clear data about p/p. The upcoming GNSO studies will provide a) a study on reveal and relay requests to p/p providers, and b) a study of what percentage of "bad guys" are under p/p registration. We have only a study that says that 15-20% of domain names are under p/p, and an array of comments. We have not actual facts about p/p providers themselves. - Under US law, there is a strong protection of privacy and even anonymity in Free Speech, but "no tradition of anonymous commerce in the US." Let me quote the World Trademark Review, Aug/Sept 2011, article: "Why Trademark Owners Must lead the fight for accountability in e-commerce." ** "Clearly the First Amendment includes the right to speak anonymously. Moveover, the First Amendment places anonymous speech on the Internet on the same footing as other speech. As with other forms of expression, the ability to speak anonymously on the Internet promotes the robust exchange of ideas and allows individuals to express themselves without fear of economic or official retaliation or concern about social ostracism. The importance of the Internet to the expression of protected speech cannot be overstated..." Like the International Trademark Association, in some recent legislative work in the US, let's focus on the conduct we are most concerned about: - Domain names being used in conjunction with "goods or services advertised or sold at that [a] website." (International Trademark Association language as part of promoting a new US Statute for services of process to domain registrants whose data cannot be found - article above) For our WRT decisions, let's please not create confusion. The lines between p/p are difficult and unclear. Let's focus on conduct we know is out there and bounds that can be quickly established and are likely to help. ** Let me offer some reflections of yesterday. We all seem to agree that: ** - WE CAN BIND P/P CLOSER TO REGISTRARS, thus a Draft Recommendation: Registrars may not knowingly use for their own registrations, or register the domain names of p/p service providers who do not have contracts with them; do not have clear agreements to gather accurate Whois data from registrants; do not have clear contractual obligations to Reveal the underlying registrant data when requested under law or pursuant to ICANN rules. - ICANN will rapidly establish a proceeding, with Law Enforcement and Consumer Communities, as well as privacy and free speech Official and Experts, to develop a set of Reveal and Relay rules for p/p providers, in conjunction with the ICANN Community. - Registrant Declaration: is the domain name being used for goods or services sold or advertised using the domain name (note: this includes not only websites, but emails and other forms of domain name use). (Note: the GNSO might want to wait to set up rules until soon after their $200,000+ studies are completed within the year) Overall, separating out p/p providers without much more work and very, very, very extensive education -- it will be very confusing to ICANN and the Internet public. Best, Kathy _______________________________________________ Rt4-whois mailing list Rt4-whois@icann.org<mailto:Rt4-whois@icann.org> https://mm.icann.org/mailman/listinfo/rt4-whois ---------------------------------------------------------------------------- --- NOTICE: This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. This message has been content scanned by the Axway MailGate. MailGate uses policy enforcement to scan for known viruses, spam, undesirable content and malicious code. For more information on Axway products please visit www.axway.com. ---------------------------------------------------------------------------- --- -- <http://www.etlaw.co.uk/images/stories/etlaw/etclogo250x60.gif> 76 Temple Road, Oxford OX4 2EZ UK t: +44 (0)1865 582 811 . m: +44 (0)7540 049 322 emily@emilytaylor.eu www.etlaw.co.uk Emily Taylor Consultancy Limited is a company registered in England and Wales No. 730471. VAT No. 114487713. --