Comment II on WHOIS Policy Review Team Draft Report - LEA Focus

[Avri Doria <avri@xxxxxxx>]

Comment on draft-final-report-05dec11-en.pdf 

Over the last several years, ICANN and many of its constituent parts, have done 
everything possible to bring the voice of Law Enforcement Agencies (LEA) into 
the discussions on WHOIS and Registrar agreements.  And these LEAs have done an 
excellent job of giving the community a picture of the problems being 
experienced on the network by some users at the hands of some registrants and 
some registrars.  The WHOIS Review Team has followed this pattern.

Unfortunately, since the first LEA panels and continuing with the WHOIS Review 
Team, this has been a one side conversation.  Rarely have governmental Data 
Protection Officers and Privacy Officials been included in the discussion.  And 
I cannot remember a time when there was parity between the proponents of the 
LEA perspective and the governments' protectors of data privacy.

The WHOIS Review Team report suffers from this deficiency.  Specifically:

"
Formed in October 2010, the WHOIS Review Team comprised representatives from 
across the ICANN constituencies, a representative of law enforcement and two 
independent experts.
"

There was no governmental representative of Data Privacy*.  And while the civil 
society advocates for data privacy did the best they could, it is obvious from 
reading the report that they never had the level of influence that the 
representatives/advocates of law and trademark enforcement had.  How could 
they?  The Law enforcement representative could speak with the authority of 
government with no countervailing sovereign view point. 

The one sided approach of the WHOIS  Review Team, unfortunately, leaves the 
report incomplete.

I recommend that the final report be changed to specifically require the 
presence of Data Protection Officers and Data Retentions Officers, by whatever 
titles they come in all ongoing discussions.  A standard of parity should be 
set so that whenever a LEA representative is invited to a discussion, they are 
pared with a governmental Data Privacy representative, preferably from the same 
government, so that both sides of the story can be heard.   In so far as I can 
tell, as of this writing, there are NO comments from governmental privacy 
officers. I therefore also recommend that an additional special outreach should 
be done to a variety of governmental privacy offices to make sure that these 
recommendations fall appropriately within the bounds of privacy and data 
retention laws, before any implementation activities are undertaken. To do 
anything less prejudices the discussion and rends the outcome, in this case the 
report and any ensuing policy recommendations,  less credible.

Avri Doria


* Many governments have Data Privacy enforcement officers under one title or 
another.  E.g. in the US such offices can be found in Department of Homeland 
Security and Department of Justice.