[gnso-dow123] NCUC Contacts Statement
I am pleased to submit the NCUC Statement on WHOIS Contacts. Text below (with formatted file attached for the Joint Constituency Statement).

Regards,
Kathy

------------------------------------------------------------------------------

Statement of the Noncommercial Users Constituency on WHOIS Contacts

Task 2 asks us to "(2) Define the purpose of the Registered Name Holder, technical, and administrative contacts, in the context of the purpose of WHOIS, and the purpose for which the data was collected. Use the relevant definitions from Exhibit C of the Transfers Task Force Report as a starting point (http://www.icann.org/gnso/transfers-tf/report-exhc-12feb03.htm)."

The NCUC believes that once we have selected a purpose for our database, data protection laws require us to closely examine whether the information we collect meets the goals we have set out -- and make adjustments accordingly. These comments discuss the Contact data currently collected for WHOIS and the personal nature of much of it. They raise the question whether this data should be collected at all for WHOIS purposes.

I. Data Protection Laws Require Limited Collection of Personal Data

In its 2003 Opinion, the Article 29 Data Protection Working Party of European Union Data Protection Commissions urged ICANN to closely examine the personal data it collects for WHOIS. The Commissioners warned: "Article 6c of the Directive imposes clear limitations concerning the collection and processing of personal data meaning that data should be relevant and not excessive for the specific purpose. In that light it is essential to limit the amount of personal data to be collected and processed." Opinion 2/2003 on the application of the data protection principles to the Whois directories http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2003/wp76_en.pdf (emphasis added).
The Data Protection Commissioners' concern over collection of WHOIS data is grounded in the clear language of the EU Data Protection Directive and its Article 6 "Principles Relating to Data Quality" which clearly sets limits on the collection of personal data: "Member States shall provide that personal data must be: (a) processed fairly and lawfully; (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. *** (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;" Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, http://europa.eu.int/comm/justice_home/fsj/privacy/law/index_en.htm.

The Canadian Personal Information Protection and Electronics Document Act also sets limits on the collection of personal data: "The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances." http://laws.justice.gc.ca/en/P-8.6/93196.html#rid-93228 [emphasis added].

Similarly, Australia's Privacy Principles mandate: "1.1 An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities." National Privacy Principles (Extracted from the Privacy Amendment (Private Sector) Act 2000), http://www.privacy.gov.au/publications/npps01.html.
Based on these legal requirements, the NCUC submits that the WHOIS Task Force must review the contact data currently collected, evaluate whether it is personal, and determine whether it should continue to be collected in keeping with the purpose of the WHOIS Database. Over-collection of personal data does not serve ICANN's mission nor does it help registrars comply with the many existing laws that protect registrant privacy worldwide.

II. The Purpose of the WHOIS Database

In our Task 1 comments, NCUC submitted a clear definition of the purpose of the WHOIS database: "The purpose of the WHOIS is to provide to third parties an accurate and authoritative link between a domain name and a responsible party who can either act to resolve, or reliably pass information to those who can resolve, technical problems associated with or caused by the domain." Statement of the NCUC on WHOIS Purpose. As discussed in our comments, this technical purpose is consistent with the original purpose of the WHOIS, as set out by Vint Cerf and others, and within the limited scope of ICANN's mission.

III. Contact Data: Definition? Personal? Fits Purpose of WHOIS?

The GNSO Council asked us to examine the definitions and purpose of the Technical Contact, Administrative Contact and Registered Name Holder. We do so in light of the legal considerations set out above.

A. Technical Contact

The Transfer Task Force defined technical contact as: "the individual, role or organization that is responsible for the technical operations of the delegated zone. This contact likely maintains the domain name server(s) for the domain. The technical contact should be able to answer technical questions about the domain name, the delegated zone and work with technically oriented people in other zones to solve technical problems that affect the domain name and/or zone."

The next step requires us to assess whether Technical Contact data is personal and needs to be treated with special care.
In our review with our Constituency, we found that occasionally Technical Contact Data is the personal data of an individual. Increasingly, however, registrants entrust a technical party to manage their domain name and expertly handle any technical problems that arise -- often an ISP, online service provider, Registrar or web host provider. Thus, for individuals and small organizations, we found that the technical contact field does not raise strong concerns regarding personal data.

Further, in assessing whether collection of Technical Contact data fits within the purpose of ICANN and the WHOIS database, we found that it does. The Technical Contact is the person designated to respond to exactly the set of technical problems and issues at the heart of the WHOIS purpose. Accordingly, NCUC submits that Technical Contact data should be collected and maintained for the WHOIS database.

B. Administrative Contact

The Transfer Task Force defined administrative contact as: "an individual, role or organization authorized to interact with the Registry or Registrar on behalf of the Domain Holder. The administrative contact should be able to answer non-technical questions about the domain name's registration and the Domain Holder."

The next step requires us to assess whether Administrative Contact data is personal and needs to be treated with special care. In our review, we found that the Administrative Contact data OFTEN includes personal data, especially for individuals and small organization leaders who must list their own names, home addresses, personal (and often unlisted) phone numbers and private email addresses for the Administrative Contact field. This type of personal data is exactly what the privacy laws of many regions and countries set out to protect. Its collection invokes major privacy concerns for individuals and small organizations -- and draws the formal protection of data protection laws in many countries in which registrants live and registrars operate.
Further, in assessing whether collection of Administrative Contact data fits within the purpose of ICANN and the WHOIS database, we found that it does not. By the Transfer TF definition, the Admin is responsible for "non-technical questions" which range as far as the imagination and generally are completely outside the scope of ICANN: Is the domain name for sale? Is the woman described on a website available for a date? Can a stranger meet the child shown in a family picture? There are very good reasons for the privacy protections and other national and local protections to operate for the Administrative Contact.

Finally, since the purpose of the WHOIS database is technical and the Administrative Contact is expressly non-technical, NCUC submits that this contact data should no longer be collected for the WHOIS database.

C. Registered Name Holder or "Domain Holder"

The Transfer Task Force defined domain holder as: "The individual or organization that registers a specific domain name. This individual or organization holds the right to use that specific domain name for a specified period of time, provided certain conditions are met and the registration fees are paid. This person or organization is the 'legal entity' bound by the terms of the relevant service agreement with the Registry operator for the TLD in question."

Following this definition, we must evaluate whether the registrant data is personal and should be treated with special care. Of all the contact data, we find the Domain Holder to be the most personal. This is the woman, the family head, the Cub Scout leader, and other individuals and leaders of small organizations who must list their personal names, home addresses, private phone numbers and personal email addresses. Once published, this personal data is used for all the abuse and misuse documented in the Task Force Uses report -- from spamming to stalking and harassment.
This personal data is exactly the type of data that data protection laws seek to protect. Article 29 Data Protection Commissioners now urge ICANN and our TF that: "The registration of domain names by individuals raises different legal considerations than that of companies and other legal persons registering domain names" and "it is essential to limit the amount of personal data to be collected and processed." Article 29 WG citation above.

The collection of such personal data as a global ICANN WHOIS policy serves no technical purpose. Individual registrants rarely answer technical questions about their domains or their abuse -- and would refer such questions (such as the hijacking of their domain name by a spammer) to their technical contact instead. Accordingly, the collection of Domain Holder data serves little purpose for the WHOIS database and should not be continued as a global ICANN policy.

Conclusion: The best way to protect millions of individual and small organizational domain name registrants, and to comply with data protection laws worldwide, is for ICANN to carefully review the contact data collected for the WHOIS database and limit the data strictly to that necessary for its technical purposes and mission.

Outreach Statement: Months ago the NCUC TF representatives queried NCUC members regarding Whois data and what they and their organizations place in the contact fields. The answers and discussion that ensued were incorporated into this statement. The NCUC TF representatives then prepared this Contacts Statement. It was posted to the Constituency list on August 31, and subsequently adopted as the official position of the Constituency.

Attachment:
NCUC Contacts Statement.rtf