All,

The Council of Europe has also responded to NCUC's privacy letter (attached) and stated that it shares our concerns about ICANN's compliance with privacy rights.

Best,
Robin


Begin forwarded message:

From: KWASNY Sophie <[log in to unmask]>
Date: October 11, 2012 5:42:39 AM PDT
To: "'[log in to unmask]'" <[log in to unmask]>
Cc: THACI Elvana <[log in to unmask]>
Subject: RE: Urgent Request from Non-Commercial Users Constituency for Council of Europe to review ICANN contract for privacy compliance

Dear Mr Gross,
 
Please find attached a letter of the Chair of the Consultative Committee of Convention 108 for your attention.
 
Should you need any complementary information, please do not hesitate to contact me.
 
Best regards,

Sophie Kwasny
Data Protection Unit
Human Rights and Rule of Law (DG I)
CONSEIL DE L'EUROPE - COUNCIL OF EUROPE
tel :  + 33(0) 3 90 21 43 39

www.coe.int/dataprotection


From: Robin Gross [mailto:[log in to unmask]]
Sent: Sunday 22 July 2012 22:20
To: THACI Elvana
Cc: David Cake ([log in to unmask]) ([log in to unmask]); Wolfgang Kleinwächter
Subject: Urgent Request from Non-Commercial Users Constituency for Council of Europe to review ICANN contract for privacy compliance

Dear Thaci Elvana:

I am writing to you as a matter of urgency concerning online privacy. I represent the Non-Commercial Users Constituency of ICANN and have concerns regarding ICANN’s current consultation relating to contracts with Registrars. A short letter from your office would help greatly to balance the negotiation discussion. I ask you to send correspondence to the ICANN Board Chair and CEO.

As you will be aware, the international management of Internet naming and addressing is conducted by ICANN, the Internet Corporation for Assigned Names and Numbers. As part of ICANN’s work, contractual arrangements are entered into with private corporations to offer particular Internet domain names to the public. These private corporations (“Registrars”) in turn undertake to manage the personal details of their customers (“Registrants”) in accordance with the requirements of their contract with ICANN.

Registrars collect and hold personal information about registrants and have obligations to uphold privacy-related principles for the collection, use, storage and disposal of this registration data. It is my belief that ICANN requirements within the contracts with Registrars must uphold and not violate international human rights standards on privacy, in particular collection, access to, and use of such data. Incursions on privacy are permissible only when restricted to exceptional circumstances, such as access by law enforcement bodies pursuant to a judicial process and in any event subject to rules relating to access to data across national borders.

The aggregated database of registrants’ contact information is called the WHOIS database, and is currently required to be published to unauthenticated requesters. In my view, information within this database must only be collected for the purpose for which it is needed, and sensitive information must be made available only to those with demonstrated need. There is no clearly established need for the collection of, for instance, telephone numbers for the purposes of registering a domain name, although Registrars and others may find this convenient. A blanket requirement to provide telephone numbers would, therefore, seem to be an unreasonable intrusion into the privacy rights of registrants. Similarly, physical addresses and secondary identity verification documents are not required for the operation of the domain name system, and in my view should not be permitted or required in the contracts ICANN has with Registrars.

I am sure you will understand that with the creation of a data-rich database, concerns regarding the proper and secure storage and compliant arrangements for the disposal of registration data when it is no longer required become more important and potentially privacy-intrusive. In my view, the current requirements in the new draft contracts with Registrars are likely to infringe national privacy laws and have impact on citizens within your jurisdiction.

For example, WHOIS contact details need only be an email address of a technical officer who is empowered by the registrant to fix technical issues with a domain name address or pass on communications. There is no technical need for identity verification, let alone regular or annual verification, beyond the existing requirements. In many jurisdictions where freedom of expression is tenuous, the greater the degree of anonymity or pseudonymity, the greater the freedom of expression. This is even more acute when the database is stored in a foreign country and subject to different national laws regarding privacy and access by public officials to private databases. It is important, therefore, to ensure that national laws relating to privacy are respected.

The Article 29 Working Party has previously considered WHOIS, and raised concerns as far back as 2003, saying that “it is necessary to look for less intrusive methods that would still serve the purpose of the Whois directories without having all data directly available on-line to everybody.” http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2003/wp76_en.pdf   Unfortunately, ICANN’s draft contract goes in the opposite direction, exacerbating the privacy harms.

The draft contracts are open for comment – see http://www.icann.org/en/news/announcements/announcement-7-04jun12-en.htm - and I would request your organisation review and consider the privacy impacts of these new contracts – in particular the summary of the negotiating team’s responses to law enforcement submissions. On behalf of the Non-Commercial User Constituency, I recommend that your organisation respond to the ICANN consultative process to ensure that privacy considerations and respect for national privacy laws remain a strong feature of ICANN’s contractual arrangements. Your comments would be very helpful in giving balanced background to the negotiations.

I recommend that you send comments directly to Dr. Steve Crocker, Chair of the ICANN Board, and Akram Atallah, interim CEO, via email to the Director of Board Support, [log in to unmask]. Comments by the end of July would be most helpful, but any information you can add would be welcome.

Please feel free to contact me [log in to unmask] if the NCUC can provide further information or background.

Very truly yours,

David Cake, Chair, Non-Commercial Users Constituency 

Robin Gross, Chair, Non-Commercial Stakeholders Group

More info on ICANN RAA contract negotiations:  
     https://community.icann.org/display/RAA/Negotiations+Between+ICANN+and+Registrars+to+Amend+the+Registrar+Accreditation+Agreement
_______________________________________________
Robin D. Gross, IP Justice Executive Director
Web: www.ipjustice.org
Email: [log in to unmask]
Phone: +1 415.553.6261