Thanks very much to Maria and Joy for contributions to this, proposed comments for the WHOIS RT. Comments are due March 18, but I'd like to send them before leaving tomorrow, if possible. <http://www.icann.org/en/news/announcements/announcement-05dec11-en.htm> We would like to commend the general readability of the report. WHOIS has become a very complex issue, and presenting it so clearly and accessibly facilitates participation in both this consultation process and participation more generally. We particularly appreciate the hard work of collecting the WHOIS policies from the various places where they reside. High-level recommendations: The report should explicitly recommend that WHOIS policy recognize that registrants, both individual and organizations, commercial and non-commercial, have a legitimate interest in, *and in many jurisdictions the legal right to, the privacy of their personal data*. In the normative discussion, privacy should be given equivalent emphasis to accuracy. *It would be instructive in this regard to reference the OECD privacy guidelines, agreed to by all OECD member countries with input from business and civil society. Data accuracy (or 'quality') is considered by OECD members to be of equal importance to purpose specification, use limitation and security safeguards, none of which factors are supported by Whois as it currently operates. (OECD Guideline reference: http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html ) * It is as important that registrants have privacy as that their data be accurately recorded. At the moment, the report appears, from its emphasis on access and accuracy, to discount those privacy concerns *that are accepted by all OECD member states and participating business and civil society actors as having equal importance.* Section F. Findings The brief ‘tour de table’ provides useful background reading, but *should* include reference to the fact that ICANN’s Whois policies are incompatible with the OECD privacy guidelines and also applicable national laws in many countries, including member states of the European Union.*The European Union's Article 29 Working Party of national data protection officers provided specific input to ICANN's 2003 Montreal meeting regarding the many ways gTLD Whois breaches EU law. These included the lack of definition of a purpose of Whois, lack of use limitation, misuse of Whois data by third parties and the disproportionality of the publication of personal data. The Article 29 Working Party concluded that "there is no legal ground justifying the mandatory publication of personal data referring to this person. (the registrant)". * *(Article 29 WP reference: Opinion 2/2003 on the application of the data protection principles* *to the Whois directories * http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2003/wp76_en.pdf) *It is very concerning that the findings of the Whois Review Team do not consider the glaring fact of the illegality of gTLD Whois requirements in many jurisdictions, and the incompatibility of Whois as it currently stands with the only internationally accepted guidelines on data privacy. * Section G. Recommendations 1. Single Whois Policy - "The Board should oversee the creation of a single Whois policy document." We welcome the call for a single Whois policy that sets out the requirements, globally and facilitates registrants who wish to consult those requirements. Whois ‘policy’ is currently inferred from registry and registrar contracts.* A single Whois policy should be compatible with the internationally accepted OECD privacy guidelines, in respect of a statement of purpose for the use of data, use limitation, data accuracy and appropriate security safeguards for personal data.* However, gTLD policy development is the responsibility of the GNSO, not the Board (until the final stages), and needs to be developed through the bottom up process, with the cooperation of the multiple stakeholders affected. 3 - "Make Whois a Strategic Priority" Change "Strategic Priority" to "Strategic Consideration." As the review team was focused only on WHOIS, it was in no position to analyze the tradeoffs involved in setting global priorities. Many items on ICANN's policy agenda *may be considered* more worthy of the community's limited time and attention. *The appropriate process for the community to prioritize issues such as Whois is via the Strategic Plan.* No evidence is offered in this report to support prioritizing WHOIS o*ver other issues of importance to the community as a whole.* 5 - Data Accuracy - As many law enforcement comments in the report suggest, contactability is more important than "accuracy." Separation of the contact details from the public display could enhance the accuracy of the contact details available to appropriately qualified requesters. 10-16. "Data Access: Privacy and Proxy Services." The recommendations should explicitly acknowledge the importance of privacy and proxy services in providing options to legitimate Internet users to preserve their privacy. National laws in the United States, for example, recognize privacy interests not only for individuals, but for associations. The report further documents the legitimate interests of even commercial Internet users in private domain name registrations. * In relation to the references to national legislation: it is important to note that this reference may be problematic if national legislation violates international human rights standards, for example, relating to freedom of expression (see the citation of this report below). * Freedom of association: proxy registration services can support the rights of human rights defenders to carry out lawful activity without persecution. Threats to registrants include surveillance of registrants through use of information which is accessed via WHOIS data - continuing to expand the nature of information held in WHOIS will only heighten the safety concerns of human rights defenders. In addition, just in time attacks on websites of civil society organisations have been used to disrupt lawful activity and democratic participation in a number of countries: see Deibert, R., Palfrey, J., Rohozinski, R. & Zittrain, J. (Eds.) (2011). Access Controlled: The Shaping of Power, Rights, and Rule in Cyberspace. MIT Press. * Governments whose legislation is in violation of these rights should not be able to rely on such laws when requesting WHOIS data access and proxy information. It would be unreasonable to require Registrars to carry out an additional analysis. Other options include: (1) Provide that LEA WHOIS data requests may be refused where there are reasonable grounds to believe that such requests may violate *registrants' * rights of freedom of expression or freedom of association (2) Require LEA to verify that national laws comply with human rights standards (3) Require LEA to verify that WHOIS requests do not violate international human rights standards > 17 - Data access - "ICANN should set up a dedicated, multilingual interface website to provide thick Whois data for" COM and NET, who have thin whois. This is subject to existing policy and policy-making by the GNSO. It is inappropriate for the Review Team to intervene at this level of detail into the GNSO policy process, *and in a way that privileges certain substantive outcomes over others.* Section E. Work of this RT A factual point. There is only one Chatham House rule, so the statement referring to it should use the singular. Freedom of Expression References: As noted by the UN Special Rapporteur on Freedom of Opinion and Expression in his annual report of 2011: 23. The vast potential and benefits of the Internet are rooted in its unique characteristics, such as its speed, worldwide reach and relative anonymity. At the same time, these distinctive features of the Internet that enable individuals to disseminate information in "real time" and to mobilize people has also created fear amongst Governments and the powerful. This has led to increased restrictions on the Internet through the use of increasingly sophisticated technologies to block content, monitor and identify activists and critics, criminalization of legitimate expression, and adoption of restrictive legislation to justify such measures. In this regard, the Special Rapporteur also emphasizes that the existing international human rights standards, in particular article 19, paragraph 3 of the ICCPR, remain pertinent in determining the types of restrictions that are in breach of States' obligations to guarantee the right to freedom of expression. 24. As set out in article 19, paragraph 3 of the ICCPR, there are certain, exceptional types of expression which may be legitimately restricted under international human rights law, essentially to safeguard the rights of others. This issue has been examined in the previous annual report of the Special Rapporteur. However, the Special Rapporteur deems it appropriate to reiterate that any limitation to the right to freedom of expression must pass the following three-part, cumulative test: (1) it must be provided by law, which is clear and accessible to everyone (principles of predictability and transparency); and (2) it must pursue one of the purposes set out in article 19, paragraph 3 of the ICCPR, namely (i) to protect the rights or reputations of others, or (ii) to protect national security or of public order, or of public health or morals (principle of legitimacy); and (3) it must be proven as necessary and the least restrictive means required to achieve the purported aim (principles of necessity and proportionality). Moreover, any legislation restricting the right to freedom of expression must be applied by a body which is independent of any political, commercial, or other unwarranted influences in a manner that is neither arbitrary nor discriminatory, and with adequate safeguards against abuse, including the possibility of challenge and remedy against its abusive application. And further: 26 However, in many instances, States restrict, control, manipulate and censor content disseminated via the Internet without any legal basis, or on the basis of broad and ambiguous laws; without justifying the purpose of such actions; and/or in a manner that is clearly unnecessary and/or disproportionate to achieve the intended aim, as explored in the following sections. Such actions are clearly incompatible with States' obligations under international human rights law, and often create a broader chilling effect on the right to freedom of opinion and expression. (full reference: Frank La Rue "Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression" (26 April 2011, A/HRC/17/27) also available at: http://scr.bi/z6lZ8N ) -- Wendy Seltzer -- [log in to unmask] +1 914-374-0613 Fellow, Yale Law School Information Society Project Fellow, Berkman Center for Internet & Society at Harvard University http://cyber.law.harvard.edu/seltzer.html https://www.chillingeffects.org/ https://www.torproject.org/ http://www.freedom-to-tinker.com/