EPIC Comments on WHOIS
EPIC supports the GNSO's proposal to allow registrars and registries to conform with national and local laws regarding privacy and data protection. We believe that this is a critical first step in reforming Whois privacy policies, and that the proposal should be implemented immediately. With this proposal, registrants will be somewhat more secure in their ability to apply the privacy protections offered to them by law. Registrars are also less likely to be faced with the choice of either honoring their contractual agreements under the RAA or obeying the laws of their country. Furthermore, registrants will no longer be subject to the same level of uncertainty as to whether their registrar will comply with the RAA or with the applicable law. We note, however, that this is only a first step, and that a comprehensive reform of Whois privacy policy is crucial. The current proposal requires registrars to "prove" or "credibly demonstrate" a conflict of law. This burden of persuasion creates a high bar for a registrar to find a conflict, and may encourage registrars to simply hope that the conflict will go unnoticed or be unenforced. Similarly, the recommended procedures only provide procedures for when an investigation, litigation, or other civil or governmental proceeding has been initiated. This suggests that registrars and registries are only obligated to take action when, and that ICANN will only provide exceptions for, situations that have already generated enforcement actions. If this is the case, registrars who see clear conflicts between the RAA and local laws have no clear procedure to follow, and are not guaranteed an exception from ICANN penalties for non-compliance. In such a situation, the proposed policy discourages voluntary compliance with local law, and registrars must wait to be sued, prosecuted, or investigated before they may apply for an exception that would allow them to comply both with ICANN policy and the law. User consent is often insufficient to reconcile these problems. A mere boilerplate demand by registrars that users consent to Whois distribution of their private information cannot universally meet the requirements of every data protection law, present and future. More importantly, presenting users with a consent disclaimer does nothing to protect users' privacy rights. Privacy protections for Whois should not be limited to exceptions made in policy for national laws. ICANN has a uniquely powerful role in managing an important facet of the premier means of global communication. As such, it has the responsibility to take steps to assure the rights of Internet users, not merely recalcitrantly follow in the footsteps of various local governments. While EPIC supports the adoption of the proposal, we would encourage GNSO to take further and more thorough action to protect users' privacy. Sincerely,
Sherwin Siy EPIC IPIOP Fellow /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ \/\/\/\/\/\/\/\/\/\/\/\ Marc Rotenberg, Executive Director Electronic Privacy Information Center (EPIC) 1718 Connecticut Ave., NW, Suite 200 Washington, DC 20009 +1 202 482 1140 x1016 [tel] +1 202 483 1248 [fax] htttp://www.epic.org/ |