At 4:00 PM -0400 6/7/04, Milton Mueller wrote: >Please comment: I would like to report unanimous support from NCUC >when we file the comments. Think it's fine. Thanks Milton. Adam Peake GLOCOM Tokyo (er. still not a member, haven't been billed!) >===== > >NCUC Comments on TF 1 Report > >The NCUC supports Task Force 1's clear distinction between the >treatment of sensitive and non-sensitive data. Access to sensitive >data, such as registrant's name, address, telephone number, and >email address, should be more limited than access to non-sensitive >data, such as technical contact name and contact information. > >NCUC members support the report's conclusion that domain name >registrants should be notified when their sensitive data is >accessed. Domain name registrants have a right to know who requested >the data and what purpose it was requested for. It is unfair and >illogical to say that data users can hide and have privacy while >data subjects cannot. Both parties have legitimate needs; both >parties can be involved in abusive actions. There must be >reciprocity among the two. The only exception would be rare cases of >governmental law enforcement investigations when such notification >would defeat the purpose of an ongoing investigation. We believe >that those kinds of exceptions should be handled by national legal >systems; e.g., through subpoenas and search warrants, and not by >ICANN policy. > >We also wish to emphasize that all requests for sensitive data >should be made on an individual basis. The report is not entirely >clear about this; in fact, its discussion of an "individual use >list" is confused. (See comments of NCUC Task Force member Milton >Mueller). Although we agree that the process may need to be >automated to minimize burdens on registrars, we strongly support the >report's conclusion that the release of the data should come with >restrictions on re-use and should be formatted in human-readable as >opposed to machine-readable form. > >The NCUC believes that the discussion of "uses" of Whois data in >Section III must also acknowledge the potential for "abuses" of the >data. It is unacceptable that ICANN policy considers only the >convenience and "needs" of those who consume other people's data, >and not also consider the risks, threats and inconveniences that can >come from abuse of anonymous and unrestricted access to personal >contact information. Identity theft, stalking, and spamming are all >documented problems that arise from unrestricted public display of >Whois data. The final report must acknowledge this. > >The report asks for comment on the issue of competition vs. national >law. We believe there is no conflict between compliance with >national law and robust competition in the domain name market. We >believe that permitting registrar practices to vary in accordance >with the privacy policies of different national jurisdiction serves >the public interest by fostering global consumer choice. In a >globalized market, governments that do not protect the privacy of >their citizens may in fact lose customers for registrars in their >jurisdiction. We believe in letting domain name registrants vote >with their pocketbooks for the level of privacy protection they >prefer. This is not likely to be the strongest or even a major >criterion in most consumer selections of domain name providers. At >any rate, ICANN needs to get used to the fact that it is subordinate >to sovereign laws. > >NCUC does not oppose taking into consideration the costs and >technical feasibility of various changes. However, we are concerned >that cost-benefit analysis could be used as a delaying tactic. We >note that no cost-benefit study was done before implementing any >other Whois-related policies. We ask why, when privacy protections >are being considered, cost suddenly becomes an issue. We are not >convinced that a formal study is required, in that the record of the >current Whois Task Forces contains significant claims and evidence >about costs associated with current practices. If real cost-benefit >studies are done, we will demand that noncommercial users be >represented and that experts in the assessment of non-monetary >costs, such as Internet user privacy, risks of identify theft, >spamming and stalking, be included in the study, or that the study's >methodology permit reasonable monetization of the value to domain >name registrants of protecting their personal contact data, as well >as the value to registrars of protecting their customer information.