Dear NCUCers,

Here is the letter on WHOIS that went to the ICANN board.

Thank you all for your help with this, and especially Kathy K.

who has been fighting the good fight on WHOIS for many

years. We also gathered the support of several of the prominent

members of the EPIC Advisory Board. That may help.

Good luck to those in LA!

Best

Marc and Allison.

--------------

October 30, 2007

Mr. Vinton Cerf, Chairman

Mr. Paul Twomey, President & CEO

Internet Corporation for Assigned Names and Numbers

4676 Admiralty Way, Suite 330

Marina del Rey, CA 90292-6601

USA

Dear Mr. Cerf, Mr Twomey, and Members of the ICANN Board,

The purpose of this letter is to express our support for changes to WHOIS services

that would protect the privacy of individuals, specifically the removal of registrants'

contact information from the publicly accessible WHOIS database.[1] It is also to propose

a sensible resolution to the long-running discussion over WHOIS that would establish a bit

of "policy stability" and allow the various constituencies to move on to other work

EPIC has had long-standing involvement in the WHOIS issue. As a member of

the WHOIS Privacy Steering Committee, EPIC assisted in the development of the

WHOIS work program, and has been a member of the Non-Commercial Users

Constituency for several years. EPIC has submitted extensive comments to ICANN on

WHOIS, and has testified before the US Congress in support of new privacy safeguards

for WHOIS as well as filing a brief in the US courts on the privacy implications of the

WHOIS registry.[2] The Public Voice coalition also organized an important letter in 2003

to ICANN regarding WHOIS policy that was signed by 57 organizations from more than

20 countries which recommended simply that ICANN consider the views of consumer

organizations and civil liberties groups.[3]

Both the WHOIS Task Force and the WHOIS Working Group agree that new

mechanisms must be adopted to address an individual's right to privacy and the protection

of his/her data.[4] Current ICANN WHOIS policy conflicts with national privacy laws,

including the EU Data Protection Directive, which requires the establishment of a legal

framework to ensure that when personal information is collected, it is used only for its

intended purpose. As personal information in the directory is used for other purposes and

ICANN's policy keeps the information public and anonymously accessible, the database

could be found illegal according to many national privacy and data protection laws

including the European Data Protection Directive, European data protection laws and

legislation in Canada and Australia.[5]

The Article 29 Working Party, an independent European advisory body on data

protection and privacy, states that "in its current form the [WHOIS] database does not

take account of the data protection and privacy rights of those identifiable persons who

are named as the contacts for domain names and organizations."[6] The conflict with

national privacy law is real and cannot be dismissed. A sensible resolution of the WHOIS

matter must take this into account.

In addition, country code Top Level Domains are moving to provide more privacy

protection in accordance with national law. For example, regarding Australia's TLD, .au,

the WHOIS policy of the .au Domain Administration Ltd (AUDA) states in section 4.2,

"In order to comply with Australian privacy legislation, registrant telephone and

facsimile numbers will not be disclosed. In the case of id.au domain names (for

individual registrants, rather than corporate registrants), the registrant contact name and

address details also will not be disclosed."[7]

The Final Outcomes Report recently published by the WHOIS Working Group

contains several key compromises and useful statements and represents significant

progress on substantive WHOIS issues. The WHOIS Working Group found agreement in

critical areas that advance the WHOIS discussion within ICANN and provide clear

guidance to the ICANN Board.

In its report, the WHOIS Working Group accepted the Operational Point of

Contact (OPoC) proposal as a starting point, and the best option to date. The OPoC

proposal would replace publicly available registrant contact information with an

intermediate contact responsible for relaying messages to the registrant. The Working

Group agreed that there may be up to two OPoCs, and that an OPoC can be the

Registrant, the Registrar, or any third party appointed by the Registrant. The Registrant is

responsible for having a functional OPOC. The Working Party also agreed that the OPOC

should have a consensual relationship to the Registrant with defined responsibilities. This

would necessitate the creation of a new process, and changes to the Registrar

Accreditation Agreement and Registrar-Registrant agreements to reflect this relationship.

The Board should support the agreed standard for disclosure of unpublished

Whois personal data – reasonable evidence of actionable harm. But the Board should

leave this term undefined, as it is now in the RAA for proxy services. This standard will

allow the OPoC contact, registrars and registries to work within the framework of their

national and local laws to provide access to this personal data.

OPoCs must be allowed to employ strategies and standards similar to those of the

registrars and registries to ensure that the person receiving the protected personal WHOIS

data is in fact a law enforcement official.

The OPoC proposal does not impede reasonable law or intellectual property

enforcement efforts. In fact, effective implementation of the OPoC proposal would

benefit all stakeholders by improving the accuracy of the information in the database.

Because personal data will be kept private, individuals will provide more accurate data.

As a result, the Whois database will be more useful and more reliable.

The OPoC proposal is not the ideal privacy solution. EPIC, as well as groups such

as the Non-Commercial Users Constituency, recommended a distinction between

commercial and non-commercial domains in order to protect the privacy of registrants of

domain names used for religious purposes, political speech, organizational speech, and

other forms of non-commercial speech. EPIC has previously stated that the WHOIS

database should not publicize any registrant information, including name and jurisdiction.

The WHOIS Working Group has proposed a workable framework. It is not a

perfect framework. But it will help ensure that the WHOIS policy conforms with law and

allow ICANN to move forward. If it is not possible to adopt this solution, then the only

sensible approach would be to allow the current WHOIS terms to simply sunset.

Resolution 3 would be the only real option.

The signatories to this letter are willing to assist in finishing off the

implementation details of the OPoC proposal.

Sincerely,

Marc Rotenberg

EPIC Executive Director

Allison Knight

Coordinator

Public Voice Project

Valerie Gordon,

Jamaica Sustainable Development

Network

Robin Gross

IP Justice

Robert Guerra, CPSR

Kim Heitman,

Board Member EFA

Deputy Chair AUDA

Norbert Klein

ICANN GNSO Council member

ICANN NCUC

Open Institute of Cambodia

Kathy Kleiman

Co-Founder, NCUC

Dan Krimm

TJ McIntyre (Chairman)

Digital Rights Ireland

Ville Oksanen

Vice Chairman, EFFI

Ross Rader,

Domain Direct

Members of the EPIC Advisory Board

Steven Aftergood, Project Director

Federation of American Scientists

Anita L. Allen

Professor of Law and Philosphy

University of Pennsylvania

David Banisar, Director

Freedom of Information Project, Privacy

International;

Visiting Research Fellow,

School of Law, University of Leeds

Christine L. Borgman

Professor & Presidential Chair

Dept of Information Studies, UCLA

James Boyle

Professor of Law

Duke Law School

David Chaum

Founder

Punchscan

Julie E. Cohen

Professor Law

Georgetown University Law Center

Simon Davies

Director General

Privacy International

David Farber

Distinguished Career Professor of

Computer Science and Public Policy,

Carnegie Mellon University

David H. Flaherty

Professor Emeritus

University of Western Ontario.

Austin Hill

Brudder Ventures

Jerry Kang

Professor of Law

UCLA Law School

Chris Larsen

CEO

Prosper Marketplace, Inc.

Mary Minow

Founder

LibraryLaw.com

Pablo Molina

Chief Information Officer

Georgetown University Law Center

Deborah C. Peel, MD,

Founder and Chair

Patient Privacy Rights

Anita Ramasastry

Associate Professor of Law

Director, Shidler Center for Law

Commerce & Technology

University of Washington School of

Law

Ronald L. Rivest

Professor of Electrical Engineering and

Computer Science

Massachusetts Institute of Technology

Pamela Samuelson

Distinguished Professor of Law;

Professor of Information Management;

Chancellor's Professor

School of Law – Boalt Hall

University of California at Berkeley

Bruce Schneier

CTO

BT Counterpaine

Edward G. Viltz

President and Founder

Internet Collaboration Coalition

NOTES

[1] EPIC's comments on the ICANN WHOIS Task Force's "Preliminary Task Force Report on WHOIS

Services," January 12, 2007, available at <http://www.epic.org/privacy/whois/comments.html>.

[2] See, e.g., EPIC, "Privacy Issues Report: The Creation of A New Task Force is Necessary For an

Adequate Resolution of the Privacy Issues Associated With WHOIS," .before the GNSO Council (Mar. 10,

2003), See EPIC Testimony Before House Subcommittee, Financial Institutions and Consumer Credit,

Committee on Financial Services "ICANN and the WHOIS Database: Providing Access to Protect

Consumers from Phishing," (July 18, 2006), available

athttp://financialservices.house.gov/media/pdf/071806mr.pdf; Brief Amicus Curiae of EPIC, Peterson v.

Nat. Telecomm. & Info. Admin., No. 06-1216 (4th Cir. Apr. 24, 2006), available at.

http://www.epic.org/privacy/peterson/epic_peterson_amicus.pdf; See generally EPIC WHOIS page,

http://www.epic.org/privacy/whois/.

[3] The Public Voice, "WHOIS Letter to ICANN," (Oct. 28, 2003),

http://thepublicvoice.org/news/whoisletter.html.

[4] Final Report of the WHOIS Task Force, March 12, 2007, available at <http://gnso.icann.org/issues/whois-

privacy/whois-services-final-tf-report-12mar07.htm>; and Final Report of the WHOIS Working Group,

August 20, 2007, available at <http://gnso.icann.org/drafts/icann-whois-wg-report-final-1-9.pdf>.

[5] EPIC and Privacy International, PRIVACY AND HUMAN RIGHTS: AN INTERNATIONAL SURVEY OF PRIVACY

LAWS AND DEVELOPMENTS 154-57 ("WHOIS"), available at <http://www.epic.org/phr06>.

[6] Letter from Article 29 Working Party to ICANN Chair Vinton Cerf, March 12, 2007, available at

<http://www.icann.org/correspondence/schaar-to-cerf-12mar07.pdf>.

[7] For additional country code Top Level Domain policy examples, see EPIC Testimony Before House

Subcommittee, Financial Institutions and Consumer Credit, Committee on Financial Services "ICANN and

the WHOIS Database: Providing Access to Protect Consumers from Phishing," available at

<http://financialservices.house.gov/media/pdf/071806mr.pdf>.

Begin forwarded message:

From: Marc Rotenberg <[log in to unmask]>
Date: October 30, 2007 7:28:16 PM EDT
To: [log in to unmask]
Cc: Marc Rotenberg <[log in to unmask]>, Allison Knight <[log in to unmask]>
Subject: Comments on WHOIS - NGOs and EPIC Advisory Board