[gnso-whois-wg] Comments on WWG report draft 1.5 -- Sections 4-7
- To: gnso-whois-wg@xxxxxxxxx
- Subject: [gnso-whois-wg] Comments on WWG report draft 1.5 -- Sections 4-7
- From: Dan Krimm <dan@xxxxxxxxxxxxxxxx>
- Date: Mon, 30 Jul 2007 17:59:22 -0700
Just to reiterate my Section 4 comments from before:
* Section 4, compliance/enforcement: I disagree with the reveal-related
provisions here, in particular in lines 359 and 361. Also, I see no
relevance to mentioning Relay in this circumstance. The only case that
seems to be pertinent and enforceable here is with respect to Remedy.
In cases where a requester has made a request for action on the domain by
the registrar, we have yet to determine how such requests are to be
evaluated by the registrar, and whether such action is mandated, and if so
in what cases.
To continue:
* Section 6, objective of Access, lines 435-439: I would add the word
"legitimate" as in "The objective of Access is to enable activities in
legitimate pursuit of the prevention of criminal or civil harm." This
implies that both the pursuit and pursuer are legitimate (i.e.,
illegitimate pursuers cannot engage in legitimate pursuit). Ideally this
point should be made explicit as well.
Also, I again suggest removing references to "public" or "private"
interests. The second sentence might be re-worded as follows: "In this
pursuit the group recognised the exceptions to data privacy laws which, in
certain well-defined circumstances, may over-ride the default, which is an
interest of the Registrant or a duty on Registrars to secure personal data."
Once again, trying to define "public" and "private" interests is far too
abstract and arcane of a categorization debate for us to resolve, and I
expect it would destroy whatever consensus we have on the matter here.
* Section 6.2, port 43, lines 452-452: While this type of access might
not be provided by port 43 according to its currently defined protocol, we
also ought to state that it should be possible to provide this sort of
access efficiently through some roughly equivalent but separate port access
as long as the protocol for that access is well-defined.
* Section 6.2, "actionable harm", lines 454-457: I'm not precisely sure
when IP infringement becomes legally "actionable" but a mere *claim* of IP
infringement must be subject to fair use exceptions et cetera, and those
can only be established in a court of law. If the intent here is to
consider only trademark issues (such as fraudulent use of a trademark),
then we ought to narrow the wording to that, otherwise it encompasses
copyright, etc., and we open another can of worms trying to determine what
qualifies as actionable.
Also, I don't know why "suspected false declaration as to being a natural
person" should be considered "actionable harm" in and of itself. It seems
to me it is only actionable if the registrant is engaged in harmful
activity, and then it is that activity that is actionable. Otherwise, it
is only a matter of the registrant's contract with the registrar. If there
is harmful activity happening, then the "actionability" ought to derive
from that activity directly.
If there is false Registrant information in the Whois database, then the
Registrar may have cause for some sort of Remedy, but I don't see that this
necessarily justifies Access by the Accessor in and of itself.
* Section 6.3, "regular access", lines 460-471: We're apparently using a
new term here by using the word "regular" but we haven't defined it,
really. I would suggest that in this case there is still a need for
evidence to be presented to justify Access in each case (especially in the
case of private Accessors as distinguished from LEAs), similar to Section
6.2. However I can envision a scenario where a single piece of evidence
can cover more than one Access if it all relates to a single "case" of
investigation that may entail investigation of multiple domains.
* Section 6.5, need for access, lines 482-495: I reiterate my agreement
with Milton's earlier correction to this section: "There was agreement for
the idea that LEAs and LEAs ONLY should have 6.3 access, and some SUPPORT
for the view they should have 6.4 access. [DK adds: Thus there was also
SUPPORT for the view that LEAs need not have 6.4 access.] There was
AGREEMENT that private actors should NOT have 6.4 access."
I also concur with Ross' earlier statement that terms such as those in
lines 491-493 need to be defined subject to international law. They need
to be defined clearly enough to serve as limited exceptions to the default
principle of protection of privacy of data of natural persons.
* Section 6.6, authentication and consultant's report, lines 516-522: It
is clear to me upon reading the report that the consultant's summary
statement is not entirely consistent with the facts presented in the report
itself. My feeling is that, from the actual facts provided in the report,
it can be seen as either glass-half-empty or glass-half-full, and I am of
the latter tendency, especially as the report mentions one organization in
the explicit affirmative: "HTCC is willing to accredit law enforcement
agencies." I noted this in an earlier post to this list.
It seems to me that what we have here is a selection of multiple
successful, ongoing proofs-of-concept, and that we need not rely upon
plugging into an existing institution in an immediate ready-to-go manner in
order to consider implementation of such a policy. In principle it seems
that certification can in fact be done, and if there are resources
available to be applied to the implementation (or, alternatively, money to
be made providing such a service) it is not a matter of possibility but
rather of cost, and who bears the burden of such cost.
While it is understandable that a consultant would not want to be
responsible for confirming absolutely that authentication is immediately at
hand, the report has enough positive demonstration of examples to provide
encouragement that the task is in fact reasonably feasible, given a
well-directed and funded project to implement it.
* Therefore I must disagree with the statement in lines 525-527. I don't
think we can rule out "a practical method of authentication" even if the
perfect organization is not immediately in front of us fully formed. There
is nothing in our charter that I know of that precludes recommending
further development of tools of implementation of whatever policy we agree
on. If the right implementation tool does not yet exist, ICANN can provide
for its creation in some way.
* Section 6.6, Implementation options, lines 528-529: We need to add the
possibility of a project to develop an authentication process, as this
appears to be entirely feasible in principle. I don't think we have the
time to get into the details of such a project in the time left, but it can
certainly be recommended for follow-up.
Also, with regard to self-declaration, line 529, I would suggest this be
removed, as it is insufficient to properly qualify Accessors for Access,
certainly for private agencies. But in case it is not removed for LEAs, I
do not agree that a challenge process is optional. "Self-declaration must
be subject to a challenge procedure by the Registrar." We certainly do not
want non-LEAs masquerading as LEAs in our system. That would be atrocious.
* Section 7.1, commercial vs. non-commercial, lines 533-550: This
distinction is problematic for more reasons than are stated here.
In particular, I disagree that "A set of strict, subordinate criteria might
make it operational." One intrinsic and ineliminable problem with this
distinction is that, especially in the case of natural persons, it is
impossible to define whether a *person* is "commercial or non-commercial"
because natural people engage in both commercial and non-commercial
activities interspersed all the time in the normal patterns of life.
*Activities* or *uses* may be categorized as commercial or non-commercial,
but not persons themselves.
At best a "web site" might be categorized as commercial or non-commercial,
but that still does not preclude a registrant who is a natural person from
deserving protection for private contact information.
Even persons engaging in some commercial activities deserve protection of
their personal contact data as a default. A freelancer, consultant or sole
proprietor will need to give out contact information in the normal course
of doing business, however it should be that person's choice as to what
conditions to give out that information (i.e., to provide that information
only to trusted clients at such time as a business pitch is being made, for
example). If a registrant who is a natural person is not engaged in any
harmful activities associated with the use of the domain, control over
private contact data in Whois should be under the explicit control only of
the registrant.
In short, there is utterly no need for this distinction, and it is in fact
confusing and systematically unworkable as a source for any coherent access
policy. The difference between natural and legal persons is entirely
sufficient for our needs.
Dan