ALIGNING ICANN POLICY WITH PRIVACY RIGHTS OF INTERNET USERS
September 5, 2014 – IGF Workshop from Istanbul, Turkey
>> PRANASH PRAKASH: Shall we start?
Good morning. Thank you for coming by for this panel on ICANN processes and privacy issues.
My name is Pranash Prakash with the Yale Information Society Project as well as with the Center for Internet and Society. Today we have a fabulous lineup of renowned experts on this issue who fill different roles in the ICANN system and who have very strong opinions about privacy related issues one way or the other.
So I will, since we started late I’ll keep my comments very brief. I’ll just tell the order in which the panelists will go. First, Michele, Paul, and Monica. Fourth, Richard sitting to my right. Fifth, Stephanie and then fifth will go Sierra and then Stephanie. Each will make their remarks introducing their points of views and then we will have an open discussion bringing in the audience and myself.
>> Michele. If I speak too quickly wave madly or something. Because I generally have two speeds, ridiculously fast or even faster.
Just to explain who I am, I am the founder and CEO of Blacknight, a registrar based in Ireland, which means that we are a hosting company within the ICANN space. I happen to be the Chair of the registrar stakeholder group, though I am not speaking in that capacity. I am also on the board of the Internet Infrastructure Coalition and various other entities and organisations and things.
To put this in context what we are talking about here in this session is to do with gTLDs, generic top level domains, .info, .biz, plus all the new top level domains such as dot ninja, dot social and things like that, which of course we sell if you go to our website.
We are not talking about country codes. We are not talking about stuff around say dot FR, dot DE, dot UK or any of the other countries. ICANN does not have control over policies involving country codes.
The entire thing around privacy and ICANN policy really came to a head with the introduction of the 2013 RAA. The RAA is the contract between registrars, companies like mine, and ICANN. ICANN being the Internet Corporation for Assigned Names and Numbers, which is a California-based yada yada yada who have an overseeing role with regard to names and numbers, but we really only care about names.
The contract mandates the information that registrars such as ourselves have to collect and also mandates a certain amount of data that we have to display in what is known as WHOIS. It also mandates how long we are meant to hold on to that data. Which is, of course, Ram, slap, bang into various other things that other people on this panel are more qualified to speak about than I am.
WHOIS as a concept, it is a directory. It is a way to get information about which entity or which person a resource has been assigned to. Originally this started out as being something to address a purely technical issue. So you had a network operator in one part of the world, a network operator in another part of the world. If there were communications issues between the two networks it would be useful to know who the hell to yell at, ring or whatever, to sort out those problems.
Over time, the WHOIS has evolved and depending on who you are, you will use it for a variety of different reasons. And there’s an entire debate and debacle about what it could be used for or what it is used for.
In the IP address space there is WHOIS as well. That has evolved quite a bit over time but is more limited in scope in that it is primarily dealing with a technical resource. I think that covers anything I had to say.
>> Thank you.
>> PRANASH PRAKASH: Thank you very much, Michele. Paul?
>> PAUL DIAZ: Paul Diaz, Public Interest Registry, vice president of policy. We are the operator of .org. We also currently operate 3 IDN versions of ORG and hope to soon bring to market a new TLD for nongovernmental organisations. So NGO and romance language equivalent, ONG. Like Michele, I serve as Executive Committee recollect for the registry stakeholder group. I’m the Chair and before working for PIR I spent ten years at Network Solutions so I have registrar experience as well.
To frame and set the, begin to paint the picture here, Pranesh asked me to speak about the difference between thick and thin WHOIS. A lot of our discussions today will be focused on WHOIS. To make sure everybody understands, except for two legacy TLDs, .com and .net, that operate as a thin model, everybody else operates as a thick registry operator or thick WHOIS operator. What that means is that the registry has a responsibility for publishing the information that appears for the names under their management.
That data, however, is provided by their accredited registrars. In my case, .org, Michele’s Blacknight will push to us the information required under our agreement with ICANN to be publicly posted. In the gTLD space you can have privacy and proxy registrations as well. So information is published. It may be my personal name, address, et cetera. Or if I subscribe to a privacy service, you may see my name or not. And then in all likelihood you would see contact information for the provider of that privacy service.
It creates a lot of confusion down the road. Understand the universe is thick. It means that the registry operator is responsible for publishing the authoritative source as opposed to a thin model where you go to the registrar anyway. But ultimately that contact information is collected by the registrars, not the registries. That leads to a lot of customer service questions from my organisation, folks asking I need to get in touch with so-and-so because they are doing something in .org and we have to refer it because we don’t have that data. We are not the original collector, just the publisher.
I also ask to make note, we want to be careful about acronyms. I signed a contract with ICANN called a registry agreement, RA. Registrars sign an accreditation agreement, RAA. In turn they will have a side agreement with us. Another acronym that doesn’t matter platform the important one for our discussions today is the RAA. There have been three flavors over time. The original ones dated 2001. All those subsequently were taken over by either 2009 or more recently 2013. Very importantly, and again we will get more into detail, there was a push from parts of the ICANN community, drove ICANN to negotiate with the registrars to update. Ultimately we got in the 2013 version. That RAA has additional requirements: Verification, like requirements but they are in there nonetheless. Also pass-through obligations. In the past resellers who are not contractually bound to ICANN could be used as a loophole for certain obligations. That has been addressed in the 2013 to some degree or varying degrees. Very importantly the 2013 RAA is also a requirement for any registrar that wants to offer new TLDs. So this was a big stick that ICANN used to push through the agreement. Folks who wanted to offer the new ones must be operating under 2013. I can still work with a registrar who is still on 2009 for .org but I would not be able to work with them for 2013. It was supposed to bring in consumer confidence for protection measures to the market. That remains to be seen, but it is a requirement. I think I’ll leave it there. Covered.
>> PRANASH PRAKASH: Thank you very much, Michele and Paul for giving us this basic low down on what the WHOIS system is, how it works and the important distinctions that we must keep in mind while carrying forward this debate.
>> PRANASH PRAKASH: Thank you very much, Michaeli and Paul for giving us this basic low down on what the WHOIS system is, how it works and the important distinctions that we must keep in mind while carrying forward this debate.
Next we have Monica sorry, I massacred your last name. Please introduce yourself and the report that you are reporting on.
>> Thank you very much. Hello, everyone. I’m a fellow at the research center for Internet and human rights. I participate on this panel and in IGF as a privacy expert for the Council of Europe.
Today I am so happy to be invited also on this panel. Today I would like to briefly present to you the Council of Europe report that has been recently released, which we wrote together with Thomas Schneider about ICANN’s procedures and policies in the light of human rights and fundamental freedoms.
Although the opinions expressed in this report are ours rather than representing the opinion of the 47 Member States, but without going into too much detail I would like to just briefly highlight maybe the main findings and main methodologies that we adopted to say that what we have now within ICANN from data protection perspective is very, very bad. So as it was mentioned earlier, the register, the RAA, it was already explained what it is. It was adopted with a very strong pressure and lobbying from the law enforcement agencies and especially the Five Eyes intelligence agencies at the expense of the privacy considerations, we argue.
As you all know, after the contract has been terminated with the domain name owners, the data is, personal data, a great variety of data is still kept for two years in order to have potential access by the law enforcement agencies.
What we do with this information and these mechanisms of the ICANN, we try to excise them from the Council of Europe. We only try to examine and highlight the issues that would be critical and relevant from the European perspective. That’s why we examine Strasbourg and Luxembourg’s jurisprudence. This leaves colleagues from other countries very unhappy but nonetheless this is a Council of Europe work. That was our main goal.
So we tried to remind GAC members as well as other important stakeholders within ICANN that pretty much these rules do not really comply with any international data protection standards or the jurisprudence developed by these two important courts. We tried to highlight that there is this test developed in Strasbourg that any interference with privacy rights must be in accordance with the law, must have a legitimate aim and must be proportionate. To start with, there seems to be no statute that would purport such retention of data. Thus the first requirement of the test seems to fail. The second one is actually accepted as a legitimate aim and we do not really dispute that. What we dispute is the proportionality and necessity in the democratic society. Here we bring into parallel the latest decision of the European Court of Justice. I’m sure you know about it. This is the Digital Rights Ireland case where the Data Retention Directive was invalidated because of its disproportionate effect on privacy rights. We draw a parallel to this and claim this is very similar. Even if it would satisfy all the other requirements, this one would definitely fail.
Two years after the contractual basis is no longer valid is rather disproportionate. And if the Member States and the countries would like to have data retained for long periods, it is for them to actually enact the legislation that would stipulate this. So this would reflect the traditional jurisprudence developed in the Strasbourg court. We also are applying the very, very standard data protection rules which claim that there is a purpose limitation principle, which means that the data that is collected for one purpose cannot be used for another. This is what we have in the ICANN RAA. Finally, we also have a look at the WHOIS database where third-party access is rather unlimited and say that this is also not really in compliance with any international standards on data privacy.
So I think I’ll keep it short and give it to the other panelists and maybe later we can have a discussion. But this was the idea to highlight where maybe all the mechanisms and policies in place at the moment would not be in compliance with international law and actually with the whole framework of European data protection. So thank you.
>> PRANASH PRAKASH: Thank you very much, Monica. If I could ask you to briefly touch upon what third-party services you mentioned?
>> Monica: Okay. So how it works is that in the database there is a variety of data kept of the domain name owners which is accessible to pretty much anyone because it is available online.
And it goes into sharp contrast with the idea that a third-party access needs to have a lot of safeguards from the data protection regime, at least in Europe.
In many cases you either need to have a public office function to be able to do it for administrative purposes or in other cases you would need to have a court order to actually access the data kept by other organisations, or be that public. This goes into very sharp contrast.
>> PRANASH PRAKASH: Thank you very much. Now, Richard who is from Europol, Richard, do you agree with what Monica said about disproportionality?
>> RICHARD LEANING: My name is Richard Leaning, I’m the law enforcement officer from the U.K., Europol, the European crime center, also one of the officers who put together the recommendations for the new RA 2013.
But our recommendations were just recommendations. And it was adopted by the ICANN community going through due process. Whatever is in the RAA 2013 was adopted by the community, not just by law enforcement pushing it. So you have to be quite careful in the words we use. It is not law enforcement that said we wanted, we would like. It went through due process of the ICANN community which is where we got the RAA 2013.
Regarding the privacy side, yeah, everyone is right to privacy. The problem we have as law enforcement officers, say I’m a cop, street cop dealing with crime, all types of crime that has presence on the Internet. That’s either IP addresses or domain names. We have trouble identifying people with responsibilities for the domain names. The WHOIS at the moment is not accurate. If I took it at face value I spend half of my time in Disneyland looking for Mickey Mouse because that’s who registered most of the domain names. We welcome the process that Michele and his team has done. There has to be a compromise between the needs -- it’s not just law enforcement. There are other actors out there who need accurate WHOIS for a start.
There are loads of things out there that the public would need to be safe about. So yeah, I agree that maybe this is a pendulum. So I’ve come here to understand what the concerns are.
>> PRANASH PRAKASH: Could you give us a couple of examples of how WHOIS’s detail has been found useful in law enforcement in cases, et cetera?
>> RICHARD LEANING: It has been found useful because some of the bad actors that we are looking at now started when the Internet was very young. And they leave a trace because they didn’t know how to wipe themselves clean from an early age.
So there’s always an e-mail address somewhere in there that is good for us, or a telephone number or a physical address or a user name. There’s always something in there.
But it proves the negative as well because sometimes domain names, you can see a pattern of how they have been registered, where they have been registered, payment, all this type of thing. So it is a useful tool. It is one of many tools that we use in our investigations. But it is just one. If we can try and make that one a little bit more accurate, it will help us in building up all of our avenues.
>> PRANASH PRAKASH: One last question for you before we move on. If you had privacy proxies which allowed you to mask your identity while purchasing a domain name and privacy proxies that allowed the use of bitcoins, say, what is your opinion about that?
>> RICHARD LEANING: That is going to be an issue. The bottom line is, we would like to know who has responsibility for that domain name. If it is behind a proxy service, we would go to the proxy service and ask if they have accurate data which they probably do, or, but if you have a domain name common sense suggests that someone must know who is responsible for that domain name.
>> PRANASH PRAKASH: Next up we have Sjoera Nas, who is from the Article 29 Working Group, Working Party. I think we finally have a good debate going. Where do you stand on this debate?
>> SJOERA NAS: Yes, thank you very much for having me. So I personally work for the Dutch data protection authority but am here to represent the Article 29 Working Party, which is the name of the collaboration of 28 individual data protection authorities in Europe. We write opinions and we wrote a number of letters to ICANN regarding the RAA.
Basically, I think my colleague from the Council of Europe summarized all of our criticism with regard to the data retention obligations in the RAA, namely that it is not proportionate and there is no lawful obligation, legal obligation for registrars to retain these data after the contract has been terminated.
It has been a bit difficult to communicate with ICANN. Like it turned out to be difficult in general to discuss privacy issues with our U.S. counterpart because of a basic misunderstanding about the human rights value that we attach in Europe to privacy, as opposed to a more consumer approach in the U.S.
So that has been difficult. We sent this letter, three letters in total saying that really yes, all 28 data protection authorities in Europe think that all parties should get a general waiver from the new data retention obligation.
With regard to the comments made by my colleague from Europol if I may summarize, you mentioned there has to be kind of a compromise. The police does need access to accurate data. And the public needs to be safe, right?
In my mind you could compare that to the police innocently demanding for a curfew for everybody after 8:00 o’clock at night. That would definitely reduce the crime rate in a country. Certainly after 8:00 o’clock in the evening, right? It is not an innocent suggestion actually, I would suggest. It is quite vital if law enforcement asks in a public governmental forum like ICANN for the need for data to be retained two years after termination of a contract, I do not find that an innocent suggestion in order for a general public need to be safe. I think the police itself should also take these fundamental human rights at heart and not propose such suggestions in the first place but start with a far more proportionate proposal.
I think it is a measure that is way too broad. Therefore, disproportionate. That is the opinion of the Article 29. Thank you.
>> PRANASH PRAKASH: Could you also address how the differences between jurisdictions could be taken care of? Because if, for instance, a law was to be put in place, then it would have to be some kind of either national law or transnational law within a region like the EU but that would still lead to differences. How would that be taken care of?
>> SJOERA NAS: Two short remarks. So first of all, data protection directive is already applicable across Europe. And as data protection authorities we have reasoned and specified why this retention obligation is illegal across Europe. So that is current law.
If Member States would individually want to introduce a retention, it would have to pass parliament but also pass a new strict test created by the European Court of Justice which says that if government wants access for law enforcement purposes to data retained for or collected basically for commercial purposes, then there is a very strict proportionality test, that is the fundamental data protection which Monica referred to. After this ruling it will be very difficult for Member States in Europe to pass new legislation introducing data retention obligations.
Does that answer your question?
>> PRANASH PRAKASH: Yes. Next up we have Stephanie Perrin and Stephanie served on an expert Working Group that issued its final report on this and other aspects of WHOIS policy quite recently. And Stephanie also authored a dissenting note to that report.
So Stephanie, could you please tell us more about that? And whether you share the views of the European privacy advocates on this panel?
>> STEPHANIE PERRIN: I think briefly, let me just give you my summary opinion of what’s going on at ICANN. Many people have read Alice in Wonderland. There’s a companion volume, Alice through the looking glass. I have to say I was recruited from outside ICANN to come in as the privacy expert to the expert Working Group. This was an attempt to solve the 14-year struggle between the privacy advocates and the Intellectual Property and law enforcement advocates on the other side as to what goes in the WHOIS.
Now, in Alice’s adventures through the looking glass, the title doesn’t matter, basically she is in a backwards world. And I found myself after about six months, I’m busy doing a doctorate at the University of Toronto on why privacy isn’t implemented. I said to my thesis advisers, this is a fascinating problem at ICANN. I will move my thesis over to why ICANN doesn’t have privacy in WHOIS. And one of the central problems and shamelessly, I will say if anyone would like to be interviewed, I would like to interview you, if you have been watching ICANN.
Things are backwards. If you are doing something in the public interest, analyzing the relevant laws in what has to, it must be confessed that trans-border data flow is a jurisdictional sink hole into which one can fall. It always has been that way, since the early ’60s when we started worrying about trans-border data flow. For ICANN to just duck that problem and say well, if you don’t have a law we are not going to apply it and that law doesn’t apply here because it’s the State of California. And this contract which we are making the registrars sign is according to the laws of the State of California, that is not acceptable from a public policy perspective in my view.
Now, I did find myself on the experts Working Group and it is disbanded now. So I don’t speak at all as a member of the group except to regale you with my experiences.
But I have been responsible for administering law inside a public organisation, the Department of communications, which deals with these kinds of issues, although it was so many years ago, it was before the Internet.
I have been responsible for crafting an international standard that Canada came out, a quality standard for privacy. Then we went on and developed a law. Then I worked in the private sector as chief privacy officer. Then I worked in the privacy Commissioner’s office as an oversight officer and now looked at it philosophically as a pointy-headed Ph.D. student. I take a kaleidoscope view of what is happening in ICANN. It’s still backwards. I cannot find a lens where this makes sense or is acceptable.
That’s a rather brash statement. We did some good things in the expert Working Group report. We said that where privacy law applied, it would apply to that individual. That individual could assert their rights.
Unfortunately, and the reason why I issued a dissenting report we also put a clause in that said in order to basically get a domain name registered you consent to the use of the information. This is one of the fundamental problems in privacy in a narrow look at privacy legislation. Legislation that doesn’t necessarily focus enough on proportionality and purpose and back it with human rights and have mechanisms to stop coerced consent. So that if you put that kind of clause in, in Canada, for instance, with the law that I’m most familiar with, I can sign away my rights.
So to say that privacy law applied so we are okay doesn’t work anymore. You just signed away your rights. That was why I dissented. It was one clause that triggered it. There are a number of other things that are very difficult to put in practice, from a practical point that’s really the lens that I take to these things, from pragmatic implementation perspective in the report.
The one thing that I think is really useful and a step forward and also difficult to enforce is the concept that you have a right to have an anonymous domain registration for purposes of free speech, protection of people who are at risk, and there are all kinds of people at risk if their location is found. And I think that surely I would like to continue to try to work on that project.
So ICANN has created a beast. I’m now hanging around and volunteering my time.
>> PRANASH PRAKASH: Could you, Stephanie, also say a little bit about the recommendations and specifically what happens if someone just goes and registers a domain name under a fake name? What kinds of liability mechanisms arise? What responsibilities lie on registrars?
>> STEPHANIE PERRIN: Well, that would be more of a question for Michele. I can tell you as the privacy advocate here, we have a lot of sympathy for that as a problem. Particularly if it’s my name that somebody is registering as a fake name on their criminal website.
There is no reason for law enforcement and privacy not to be at other ends of the table on this. I think we are very aligned on many, many issues. I would totally agree that the data retention is disproportionate and the data retention doesn’t necessarily catch the guy using the fake name, taking my name. It is no good. I would like to see, having worked in government, I want to see the actual results of the risk mitigations that we put in place. And if we measure the results, how many times that escrow data has actually been useful for the purposes that are cited? I’m sure it’s useful for intelligence, but intelligence is not one of the stated purposes, you know? Criminal investigation is supposed to be why you are escrowing that data. And I would like to see the reason for some of the metadata that they are collecting.
Now, as an adjunct, if I may go on a rant here and please interrupt me with questions, but as an individual out there when you register your domain name, do you have a clue that the metadata about your transactions with your registrar is being gathered? You don’t even know what that metadata might be. You know, you assume when you see something: Oh, well, must be something to do with a root server. Please don’t explain it to me. I don’t want to know.
But these things are really important from a criminal investigation. As I always used to say, if it’s good enough to get the FBI to my door, I want to know about it. Okay, inadequate explanation of what the data is being collected for and used for.
>> PRANASH PRAKASH: Thank you very much, Stephanie. Next we have Joy Liddicoat from the Association for Progressive Communications. Amongst the many, many hats that Joy wears as a lawyer, she is also on the board of Internet NZ which manages the dot NZ TLD. ccTLDs have been conspicuous by their absence in this discussion because most of ICANN’s policies don’t directly apply to them. But privacy concerns still arise.
Joy, could you give us perspectives on that?
>> JOY LIDDICOAT: Sure, thank you. A few remarks about my background and perhaps some critical reflection. In the dot NZ ccTLD space, harkening back to the RFCs which created it, dot NZ was originally run out of a university with a few geeks with computers who thought that somebody might want to use this thing called domain name space. This was back in the 1980s.
Then gradually the amount of uptake and registrations started to escalate and this responsibility was handed or entrusted to a new organisation called Internet NZ. So we managed the Delegation and in Internet NZ we had a separate substructure which Delegation is further delegated to the domain name, and it is the organisation that sets the policies, registrar accreditation, WHOIS policy privacy in the country code space.
And I was on the board of the subcommittee but I have been elected as vice-president of Internet NZ so I am off that program.
We look at this, what is going on in ICANN and we strike gold. We strike gold a lot. We have some of the same registrar accreditation agreement and also a subsidiary which runs the registry and which, from our perspective the WHOIS database was really originally created out of the sense of responsibility for transparency. In other words, here we were managing a public resource and we wanted to have, in the domain information about who the domain name holders were. It’s also one of our obligations under the RFC 1591 and related standards.
And for sure, we, back in the 1980s we weren’t really thinking about privacy in the way that we are now. However, we have developed privacy related policies. We periodically check the WHOIS database for accuracy. And have been known to request registrars, where we had concerns, to make sure that the rest of the data is accurate as it can be.
But we are fortunate in that space because we had very strong national legislation on privacy and an exceptionally competent Commissioner, John Edwards, who is very familiar with the topics and interested.
So we don’t suffer from the same problematic nature of which privacy standard to apply. Because we aren’t bound by ICANN commitments. We have a letter of agreement with ICANN. Recognizing our role as a ccTLD operator, but I do foresee that we are going to run into problems. Increasingly in the ccTLD space we see ICANN accredited registrars wanting to offer services in the ccTLD space and being accredited as and we have more than 70 registrars accredited in our ccTLD, which is amazing given there are only about 80,000 people living in New Zealand. We recently opened up the second level domain so you can directly register and it is generating interest in this space.
I don’t think we are looking at ICANN policy in this critically. We are not comfortable with how the registrar accreditation agreement was negotiated. Definitely we were noncommercial users, but definitely concerned about the back door negotiations and the secret negotiations that happened around the accreditation. We don’t do that as a ccTLD. We publish the registrar agreements with proposed changes for people to see and comment on. I think there have been some flaws, deep flaws in the ICANN process which maybe could have learned from a few ccTLDs about how to do that. So I’ll leave my remarks there.
>> PRANASH PRAKASH: Thank you. I would like to open up the panelists to ask each other questions. And along with that, if folks in the audience have questions and remote participants have questions, could you start formulating them so that we can get to you soon?
Would any of the panelists have rebuttals or further questions for each other? I have a few for you.
>> You know, we are at opposite ends of the table but we are very close in what we want and would like. Regarding the RAA, our engagement with ICANN is with the rules that were in place at the time. We don’t make the rules. We play by the rules. We didn’t have secret meetings or underhanded discussions. We did through our GACs our recommendations board, they were accepted through the processes of ICANN.
The bit I’m interested in is about.
(Richard Leaning.) In a criminal investigation you’re quite right, maybe we should start into evidence why the WHOIS is helpful or unhelpful in our investigations, as the case may be.
The bit I’m interested in, if you are saying that as soon as the contract has been terminated, are you saying that all information should then be deleted? Or I am not sure what you mean by that.
>> SJOERA NAS: Okay. In our letters the Working Party specified that communication details, to store those six months, up to two years after the contract has been terminated, there is no legal ground. But of course, fiscal legislation may apply in different Member States that requires, for example, the fact that a transaction has occurred may be stored for up to seven years, as far as I know in the Netherlands. It differs per Member State. There is always going to be some trace of a financial transaction. These communication details you mentioned as well, like e-mail address and phone numbers and nicknames and Skype names and whatever. They just should be deleted immediately according to data protection law, the minute the account is terminated. In some cases even earlier. If you have an account during ten years, an agreement for a period of ten years for a .com domain, it is not very compliant with data protection law to store the original IP address for a period of ten years. That would be excessive.
So it depends on the circumstances, but it won’t be the case that data protection law requires all data to be deleted immediately. It is a balancing act which data are no longer necessary to fulfill the contract.
>> PRANASH PRAKASH: And Stephanie, I have one additional question to you. If you could address both this issue and that question, is that free speech, you said, the freedom of expression leads to a desire for anonymity. That it’s necessary at times to be able to express yourself freely and this has indeed been recognized by the Supreme Court of Canada as well in a recent judgment.
But when there is such a great amount of choice out there, when it is not just gTLDs that you can register, that you can buy, when you can go to various ccTLDs which have, which gather varying levels of data and to many of which are not very, don’t really check the data that is input, for reasons of practicality.
When you can pseudonymously register on various ccTLDs and put forward your ideas pseudonymously, what is the problem that ICANN policies for a few gTLDs?
>> STEPHANIE PERRIN: I think there’s a fundamental problem that there is, the backwards problem is that there is no basic policy of what is in the public it, what data should be collected and what those purposes are. They have to be legitimate. They have to be proportionate. What we have now is a very weird silo effect throughout ICANN, not just in the application. As a simple registrant and I’ve worked in this business all my career in IT, and I call myself simple because I would not know that the ccTLDs would be a better place to register if I wanted my data not escrowed. How the heck would I know that? Do I have to go to that level of investigation of what is becoming a necessity of life, to have a domain? I don’t think so. I don’t think that is acceptable. I think the onus is on ICANN to harmonize its policies, not to the lowest common denominator but to the highest level.
So absent that policy we have this weird effect going on where different stakeholders are doing, and different registries are doing different things.
>> PRANASH PRAKASH: Couldn’t some ccTLDs emerge as paragons of free speech, like Canada or Iceland or other countries which are trying to promote that reputation?
>> STEPHANIE PERRIN: But if you’re not a fan of the IGF or ICANN and God help me, I wish I weren’t sometimes when I’m at ICANN you wouldn’t know that, would you? If you are lost in a village in a country in the heart of Africa and you don’t get access to the wondrous Canadian privacy enhancing wondrous Canadian privacy domain registrars, how would you know? I don’t think that is a good approach from a sound policy perspective.
President point that I raised my hand about was these constitutional cases. And it speaks to this whole issue of not having a sound policy. So we just had a Supreme Court case finally after 16 years, throw out a provision of the law in Canada that was excessive. That allowed police to get access to telecom information and ISP information and of course registrar information without a warrant. We’ve got no objection to police going in and getting information, but let’s have a process because if you don’t have a process you will have abuse. Period, end of statement. The police have as much to lose from abuse. Because when the abuse is discovered, then they can’t do their legitimate business. That’s why you have procedures, to make sure that everything runs correctly. And the warrant procedure need not be burdensome and need not take time. It also covers the registrar who are being served these things. They too have abuse problems. When you have a back door pipes going into registrars that the population doesn’t know about, then you’ve opened up the security hole for somebody else to get in there.
So that is the kind of fight that we have going on here. And I never thought I would hear myself saying that we need better procedure, but that’s what we need in this area. It has to be backed by sound policy.
>> PRANASH PRAKASH: Excellent. Sure, the one last question I will try to get some opinions on in this would be about privacy proxy services. So Paul, dot NGO as a trusted gTLD is planning on not allowing for proxy services. Could you explain the rationale to that? I want one of the panelists to respond to PIR’s decision.
>> PAUL DIAZ: Sure. So let me just step back. In dot org as it currently exists, privacy proxy is absolutely allowed. With NGO, not in the marketplace yet, it is still forthcoming, as a new TLD we can set any policies we desire. While it has been communicated on the application and made clear to the community.
Public registry participating for four plus years now, to address the needs, the pain points, the most important is being found because once they are found, they can begin to collaborate online. Very importantly they can bring attention to their cause to help generate donations, you know, finances are always so very important for not for profits.
So we decided as a matter of policy that we would not have privacy or proxy service allowed in NGO. That the information that a registrant puts in as to who is for NGO or ONG must be their own. It’s a delicate decision and not taken lightly, given the mission of many of these groups, one can imagine our response to those who say well, they should be able to … mask their identity. They have a choice. The choice is dot org. But for the value, the benefit that NGO will bring, having or not having anonymity, not having privacy proxy, didn’t make sense for that particular name space.
But again, it is our unique environment or situation. It is not necessarily applicable to other TLDs.
>> PRANASH PRAKASH: And dot NGO also has further information about from WHOIS. There is the directory services, apart from WHOIS. Is that compulsory? Or could an NGO say we don’t want to go in for that additional -- which I recognize as additional payment?
>> PAUL DIAZ: Sure. I don’t want this to turn into a sales pitch for NGO, but the directory, your profile page, think of it akin to like a Facebook page. There’s very basic contact information there, the kind of information that almost any entity would want to put on a basic website. That’s what it is, basically a one page website.
>> PRANASH PRAKASH: Any responses to that before we go first to the remote participants and then to the rest of the audience?
>> Try to get the microphone to work would help. Just responding to Paul’s sort of indirectly. The ICANN does have some processes around policy development. With respect to WHOIS, however, for a variety of historical reasons they tend to be rather broken. (Michele.)
>> STEPHANIE PERRIN: Backwards.
>> Stephanie, calm down. We spent the last 18 months together on the ONG. We are overly familiar with ourselves at this point.
At present, the default is public display of all contact data. The thing is, people should not conflate and confuse the collection and the display. They are two separate things.
Now, law enforcement, I will, of course, rip into them as much as possible but I do honestly see that he needs to have access to accurate data for dealing with crime. And we can’t avoid that. That’s a reality.
But there is no -- I don’t understand, I fail to understand and I really find completely disingenuous from those who keep pushing for this fully public publishing of data, I don’t understand the logic behind it.
Now, law enforcement, real police, these agents of states, those states to whom we pay our taxes, et cetera, et cetera, guardians of our safety, et cetera, et cetera. They have legitimate reasons, legitimate rights to access data. Of course, you know, within certain bounds. They can’t go off pulling out our data just for laughs, but they have a reason to do that.
The problem we’re finding in this space, there are lots of other third-parties, primarily IP lawyers sorry to say it who want to have access to everybody’s data so they can protect their trademarks, so they can protect their interests which are primarily commercial. And they want everything to be fully public because they don’t have a legitimate right to gain access to the private details.
And I’ve said this in the past in various fora and I’ll say it again. There’s an overloading of the WHOIS. It is being used for purposes for which it was never intended. There are lots of third-parties trying to repurpose the data that is being provided. Like if I want to register a domain name I have to provide details. I give up certain rights and I’m perfectly happy with that. That doesn’t mean I’m giving my data to some random American company not ICANN specific purpose to go and sell that data to third parties, said purportedly to protect consumer interests.
>> PRANASH PRAKASH: Thank you, Michele and that’s lawyer. I won’t take the IP lawyer as a slight against me. I think of myself as access to knowledge lawyer.
>> You’re all evil!
>> PRANASH PRAKASH: Any remote participant questions so far?
Any audience questions? Please, raise your hands. First …
>> AUDIENCE: I’m Alex. Two comments. One for Rich Leaning from Interpol. I think if people had better guarantees about their data not being accessed by third-parties and not used for unintended purposes, people may be more honest about the information they share. That made me think about the effectiveness in having an accurate database. If people had more guarantees they might be more honest in that process.
The second was on the last point about the State being guardians and there to protect us. Unfortunately, states have gone well beyond what has been given to them by law to protect us. They’ve gone beyond what the law tells them they can do and the right that we as citizens to some extent need to sacrifice for our security. Unless that trust is restored I don’t believe people believe them anymore.
>> PRANASH PRAKASH: I will take a couple more questions and come back to the panel.
>> AUDIENCE: Hi, hello. I’m a journalist. Thanks for the discussion. I would like to challenge, why has this discussion not taken place like five years ago in the governmental advisory Committee of ICANN? Where a data protection official could have challenged like we heard today the law enforcement side about their requests, what they want to have from WHOIS. Because we never had that. And that partly, I think, resulted in the whole mess that we saw over the years.
So my question, actually my positive question would be: Will the Article 29 group make an effort to be at the next ICANN meeting? Because I understand WHOIS will be a major topic there. And also the extended versions of WHOIS.
Then I would like to challenge Mr. Leaning. You said there have been no secret meetings, which is not true. I mean, even at the ICANN meetings there were closed meetings of law enforcement for some ICANN meetings it was like for three or four days. I don’t know what you did there. Because it was closed. But I know that there came, papers came out with data retention provisions that went far beyond what we see now.
>> PRANASH PRAKASH: And I will take one more.
>> AUDIENCE: Hi. Good afternoon. My name is Chisholm sov ski, I’m from Poland. I’m responsible for squaring the circle you mentioned especially when it comes to the retention after the CJ’s ruling. Obviously this has much broader implications also when it comes to the question that you are actually addressing when it comes to ICANN.
What I would like you to be a little bit more specific because and help me out how to square that circle and do the balancing act. I agree 100 percent with you that after the CJ’s ruling it will be quite difficult.
But now enforcement agencies also in my country say that only the status quo allows us to pursue the criminals, so on and so forth whereas privacy advocates are saying definitely status quo is, cannot be actually sustained. Also in the view of this CJ’s ruling.
First of all when it comes to proportionality, it seems for me absolutely clear that retention has been in certain cases abused because certain types of crimes have to be specified, really serious crimes as opposed to crimes which do not necessitate that sort of measures. I heard that the German government is trying to square the circle by simply stated that first of all there will be some very serious crimes clearly specified. And then there will be no retention across the board. But if the authorities have legitimate concerns, they can ask, for example, for certain data to be retained. Up until the moment when there is a court order to actually release them. I wanted to ask you about the parallel to the whole problem of WHOIS and so on and so forth, especially you representing the group of Article 29 and the gentleman from Europol. Would that be sort of a direction to square the circle, to really specify, to look at proportionality and to look at ways which would actually give us a little bit more flexibility but at the same time guarantees that retention will not be abused?
>> PRANASH PRAKASH: Excellent. If I may add one thing to that is, when mutual legal assistance treaties, MLATs, have to quite an extent been an abject failure, how do we say, for example, if there is a court warrant that comes out from India and the registrar is looking in the U.S., then how do we actually get that process to work which you are describing?
So some of the panelists have now specific questions. I’ll start from this side and once we’re through I’ll come back to the audience for more questions.
>> Can I just respond to that last question? If we did a really good analysis of the use of the data, understanding, of course, that this is going to probably be not available to journalists, we need to know what kind of investigations actually need two-year-old data, escrowed data, bearing in mind that the site is down and dead. There’s no relationship with the registrar anymore.
>> PRANASH PRAKASH: One thing Stephanie to interrupt you, please don’t say escrowed because escrow is different within the ICANN context. Stored, retained.
(Michele.) because we as registrars have that, but that’s just registration.
>> STEPHANIE PERRIN: This is what clone is like, folks, in case you were thinking of signing up. It’s always more complicated than it looks.
We need to understand what kinds of investigations this is useful for. There is this thing called the data preservation order. If you are doing a long-term investigation of a whole network of fishy looking sites. I don’t mean that in the phish, phishing you know, not the anti-phishing Working Group, that kind of thing. You can slap a rest preservation order on that. As my colleague explained, you don’t need to take the sites of the little grandmother with the pictures of her grandchildren.
This is not the same as it was years ago when all this started to roll downhill to see what needs to be done should be done. That will square the circle. Data preservation would solve a lot of your problems.
>> To respond to the call, why didn’t Article 29 Working Party intervene five years ago when this process started to be developed, we did actually.
(Sierra) we wrote an opinion in 2003 and wrote letters in 2006 and 2007, just for the record we were aware.
>> PRANASH PRAKASH: And who were these letters sent to, ICANN or the GAC?
>> SIERRA NAS: GAC is, of course, a Committee within ICANN. We prefer to address the CEO of ICANN because we think it’s more efficient to go to the top level. But it is indeed a problem that GAC, government representatives from the Member States, well, maybe were a bit more or better informed, let’s be subtle, by the law enforcement demands than by the data protection demands.
Of course in 2005 the world looked completely different. Law enforcement indeed had a voice that was much more heard than data protection. Data protection was basically considered hiding for all the evil in the world. And now the tide has turned and I think data protection concerns are much better heard and especially with such a ruling from the European court of justice which is irrepealable. It is the end verdict. It is not permitted. It’s disproportionate. Governments may not introduce such data retention legislation lightheartedly. That is the other thing from the Polish representative that asked for, isn’t there some kind of arrangement you can think of from data protection point of view to combat serious crimes, right? Can I summarize your question like that? I do agree with Stephanie Perrin, there is an alternative which often has been argued for by the Article 29 Working Party which is the quick freeze or the preservation.
Of course, given the necessity of a case is convincing, yes, you may preserve a lot of ongoing data in an ongoing investigation. The problem we have seen in Europe for the past six years after the introduction of the data retention legislation is that there has been no convincing evidence that it has actually contributed in a proportionate way to the fighting of serious crime. The European Commission has sent questionnaire after questionnaire to the Member States. All the Member States came up with is horrific examples. Examples, right, of child pornography, kidnapping. When we look closely at these examples, a lot of these cases could have been solved by starting within that investigation by asking for the available data that were available anyway. Cases of kidnapping, you don’t wait for two years of asking who called the mobile phone number of the disappeared child, right?
So we were shocked to see that this was management by speech and by horrific speech, which we all abhor, right, these cases. Now it’s time to come up with real evidence like Stephanie said. Thank you.
>> If I can add and top up on this why we didn’t have these meetings and these talks five years ago in 2005, I would like to say, I guess, that we have a different rules of the game now since all the Snowden revelations. I think that privacy is gaining more teeth on the international level now. It is also demonstrated by the fact that this is not the first time in ICANN and in IGF. Stephanie said she has been working on this 14 years and no one listened to her but in ICANN highlighting the privacy issues. That’s our responsibility not as geeks or advocates but as citizens of the world to push this further. There will hardly be any better moment for actually having leverage than just now. I hope you all hear me and are with me.
>> Hi. The struggle’s gone on for 14 years. I have only been working on it at ICANN for a year and a half. I don’t think I could take 14 years, you know.
I want to get something done and fast. But I can tell you why nothing has happened from the other side, from civil society side. I should wait until my research is done, but my experience as someone volunteering my time while there are the best Intellectual Property lawyers around sitting across the table from me, and they are getting paid. Meantime, this is not me whining about my expenses not being paid from a year ago. It is me whining about a structural deficit within ICANN. The folks that are there to represent civil society have umpteen things that they are looking at. Free speech all the other processes to get the deep expertise that you need to combat all of the other arguments. Somebody has to volunteer their time. High priced human rights lawyers aren’t willing to do that, especially when it costs them money to come. That’s a problem.
>> PRANASH PRAKASH: Could we have Richard also responding?
>> RICHARD LEANING: I don’t know where to start on my big list of answers.
Yes, to the journalist. Law enforcement have law enforcement ice at ICANN and they have been closed. They are closed because it’s basically a training day where Internet experts basically tell us and train us and some of the colleagues how the Internet works. So at ICANN everyone goes to ICANN from the Internet. So they learn how the domain name system works, they tell us how the six works. That’s it, a training day where experts come to us and build our capabilities in how the Internet works.
That is it. It is not any underhand dealing or secret stuff. Common sense would suggest if law enforcement were going to have some sort of secret meeting with ICANN, would we put it in the agenda of the ICANN? Really and say look, we’re in this room and it’s secret but we’ll let everyone know we’re there. Really? I know some cops are dumb but we are not that dumb, okay?
So in London, we actually opened up for the morning session and we had a great crowd turn up. By half an hour, everyone was bored and they all walked out. It will be open again in L.A. Please come and see what we talk about. I guarantee you, you will be bored. It’s basic stuff to cops on the streets that do not know anything about the Internet.
>> Richard, if you don’t mind me adding, I have attended some of these. It’s called operational security. There is no, there are no secret hand shakes. I have been in the room several times. It is really down to helping law enforcement get a better grip on the technical realities, explaining to them how the ICANN policies and processes work.
I think the reason that they have been closed there’s a multitude of reasons for that. Just because a meeting is closed doesn’t mean that the people in the room are coming up with crazy conspiracies. I would love it if it was that interesting, but honestly, it is not.
>> We have listened to the criticism and that’s why we will not put down that it’s closed. It will be open. It’s Tuesday next time in the L.A. Please I’ll buy you a cup of coffee and we’ll have a chat.
We have done investigations, to answer some of our many techniques, many different things about investigations. I could go on for days about the complexity of a criminal investigation some of the things you said, yes, we may have to go back two years because which may sound strange, because the defense have asked us to do something to prove or disprove something that their client has done. I should say, there’s a legal system and we have to play by that legal system. Sometimes we have to go back because the defense have asked us to go back, not because the prosecution want us.
I won’t go into too much detail, but the thing about the WHOIS is, law enforcement didn’t invent the WHOIS. The WHOIS was there. If ICANN and the registrars and registries are going to have the WHOIS, let’s make it accurate. Otherwise, let’s not have it. You’ve got it and all we’re saying is, while you’ve got it, it’s meant to identify the people responsible for the domains, let’s have it accurate. That’s all. We didn’t invent the WHOIS. Our suggestion was if you are going to make the effort of getting those details, do you not really think that Mickey Mouse in fantasy land is accurate is valuable? Verify the details on WHOIS if you are going to have a WHOIS.
Now, do we need a WHOIS? Should the registrars take more responsibility about the WHOIS, should we discuss it with the registrar? The law enforcement doesn’t mind where the information is, as long as it’s there and accurate and we can go through due process to get the necessary safeguards to get that information.
So basically all I have to say on that.
>> PRANASH PRAKASH: Thank you. So we will take two more questions and we have eight more minutes so we will do them rapidly. We will take the questions and get them answered and do one rapid fire round of closing comments.
>> David Fiors with eyesight DC. The question for you guys is, do you see any countervailing public right or need to know who registers a domain? To balance against privacy concerns? Should I be able to know who is publishing bad stuff about me?
And if so, how would you balance those two things?
>> AUDIENCE: Is it on? Thank you.
Hi. My name is Chris LaHatte, the ICANN ombudsman. I seem to be by default in charge of privacy issues within ICANN.
There are two issues for me. This is really a request for information as much as anything else. There is privacy within ICANN which is its own topic. And I do in fact get complaints from time to time about the privacy of information which is provided to ICANN for various purposes. And the use that is made of it. So it is not an academic interest. I really want to know some of the answers. And my view is that our policy within ICANN definitely needs attention and revision because it would make my job a bit easier, among other things.
The policy outside ICANN, if you can say outside the ICANN community is a much bigger issue. And the cross border issues I don’t think have been touched on too much.
But one of the fundamental problems we have at ICANN is that we don’t have any, if you like, founding constitutional document. We have a set of bylaws which are based on Californian law. But I venture to suggest this is probably better said as a personal opinion -- that we have moved beyond the need for a United States based constitutional or founding document. We need something that is deeper.
And within that, that means that such a document would, of course, like any constitutional documents, would deal with issues like privacy. That means when you sign up for using ICANN in whatever sense, then you are going to buy into those fundamental principles which are in effect a form of human rights.
So I think we’ve got to think in a bigger sense about how we are going to solve some of those cross-border issues. I just throw that in just to add discussion.
>> PRANASH PRAKASH: Thank you. I’ll take one quick last question.
>> My name is Nhish from the nation of India. This is regarding the GNS Council initial report specifically on locking and cyber flight. Is that audible now?
Yes, so when WHOIS is looked at, looked at for following due process whereas notice could be sent. This initial report proposes that the lock-in should be, there should be lock in between the registrar and the registrant to ensure that there is no cyber flight. So in that context, how important WHOIS database becomes and whether it is relevant at all. Because you are totally subverting the whole process that is in place. So how would you respond to that? Thank you.
>> PRANASH PRAKASH: A number of questions, including would ICANN be better off as a Geneva organisation, perhaps? And I’ll just allow all -- actually, I think we should start off with the rapid fire and closing statements. If you can have your responses as well for that, let’s start from this side.
>> From our side, it is interesting (Michele.) we may sound like we come from different places, we all want the same thing, we want the Internet to be a safe place and how we get there, there is a long journey to travel. Obviously we can’t be naive to think there will never be crime on the Internet. There will be crime on the Internet until the Internet finally dies, long after I’ve gone. As there is crime in the real world.
It’s how you manage that crime and prevent disrupting when people are victims of crime. Law enforcement, no matter where they are, have a chance of finding the person who is responsible or persons who are responsible.
If you go into the basic Internet IP addresses, domain names, that is the Internet. So if people go through the trouble of registering who has a domain name, all we’re saying if we are going to do that, let’s make that accurate. For however long we keep it or what we do with it, but let’s make it accurate. That’s all we basically would like to see.
>> PRANASH PRAKASH: Thanks. Paul? And could all panelists keep their remarks around 45 seconds, please?
>> PAUL DIAZ: I can make it quick. It is unfortunate we are running out of the time because the questions at the end, in particular Chris’ question about the need to focus on the transnationality nature, the leadership that we see in Europe in particular around privacy protection, privacy rights, not necessarily the experience elsewhere. For an organisation like mine that operates, we may be U.S. based but we operate globally. The majority of our registrants are from anywhere other than the United States.
It is difficult to find that balance and unfortunately, because it is such a complex issue, that is why we have been having a WHOIS debate for 14 bloody years with no end in sight. These are not easy. These are not simple questions. Finding common denominators, whether it’s the highest or the lowest, even that is difficult. So my expectation is that we will continue to debate these things and maybe we will be back here next year.
>> PRANASH PRAKASH: I hope so.
>> I would like to highlight perhaps a positive dimension because as far as I understand the Human Rights Council is also having a meeting next week on the importance of privacy in the digital age. I would like to say there hasn’t been a better moment since we had the important judgments on the importance of privacy, all the reports by Frank La Rue and now the report by the Commissioner on human rights on the importance of privacy in digital. We have Google ruling and digital Ireland ruling, Digital Rights Ireland and the General Assembly resolution. This is the reason why we have the broad resolutions in here because the leverage is slightly changed and now civil society and us as citizens have slightly more power than we used to have. Our voice may be heard. So I leave you with this positive note that I hope that in L.A. ICANN fun it will be discussed and opened more to more participants to intervene with their opinions and views on this and privacy will gain more teeth within ICANN as well.
>> PRANASH PRAKASH: Joy? You have been evading quite awhile.
>> JOY LIDDICOAT: Thanks. A couple of practical suggestions for recommendations. One is that certainly at ccTLD at what we have done, worked actively with law enforcement in light of our privacy policies to do things like give them sorry, don’t take it off my 45 seconds.
>> PRANASH PRAKASH: Michele?
>> The barrier to getting involved where are ICANN stuff is really high. It’s so hard. You just turn up.
If you are interested in influencing this, please do turn up. It is not hard. If you’re having difficulty, if you’re finding it confusing, you know, speak to one of us. These charming ICANN staffers floating around the IGF, they are more than happy to give you their business cards.
To the gentleman’s question in the back about the UDRP lock and WHOIS, have a look at the UDRP process, essentially the WHOIS data has to be confirmed as part of the official triggering of the UDRP. It’s tied up with pendency, not my choice of words, having to do with UDRP and as registrar we have to tell WIPO or whatever, who the domain name is registered to at that time and the only information we would have at that time is.
>> I’ll skip my 45 seconds to give Stephanie the floor.
I’ve talked enough, but I would be happy to answer any questions if people have them afterwards. Thanks.
>> PRANASH PRAKASH: Since we started late, I think we are ending on time. I would like to thank the cosponsors of this workshop, Council of Europe, the federal office of communication of Switzerland, ICANN’s noncommercial stakeholder group, and most of all, IP Justice and Robin Gross and all the panelists. Could we please have a round of applause for them?
(The session concluded.)
The following is the UNEDITED output of the real-time captioning taken during the IGF 2014 Istanbul, Turkey, meetings. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record. The following is UNEDITED.