ICANN’s Non-Commercial Users Constituency (NCUC) sent a letter to a number of Privacy Commissioners and Data Retention Officers regarding proposed changes to ICANN’s Accreditation Agreement with registrars that impact the privacy rights of Internet users everywhere.

According to the letter, ICANN’s contract exacerbates privacy harms, in particular, “the current requirements in the new draft contracts with Registrars are likely to infringe national privacy laws and have impact on citizens within your jurisdiction.”

NCUC’s letter requests that privacy experts and officers “review and consider the privacy impacts of these new contracts – in particular the summary of the negotiating team’s responses to law enforcement submissions (attached). On behalf of the Non-Commercial User Constituency, I recommend that your organization respond to the ICANN consultative process to ensure that privacy considerations and respect for national privacy laws remain a strong feature of ICANN’s contractual arrangements.”

——-

NCUC Letter to Privacy Experts – June 28, 2012

Dear Colleague,

I am writing to you as a matter of urgency concerning online privacy. I represent the Non-Commercial Users Constituency of ICANN and have concerns regarding ICANN’s current consultation relating to contracts with Registrars. A short letter from your organization would help greatly to balance the negotiation discussion. I ask you to send correspondence to the ICANN Board Chair and CEO.

As you will be aware, the international management of Internet naming and addressing is conducted by ICANN, the Internet Corporation for Assigned Names and Numbers. As part of ICANN’s work, contractual arrangements are entered into with private corporations to offer particular Internet domain names to the public. These private corporations (“Registrars”) in turn undertake to manage the personal details of their customers (“Registrants”) in accordance with the requirements of their contract with ICANN.

Registrars collect and hold personal information about registrants and have obligations to uphold privacy-related principles for the collection, use, storage and disposal of this registration data. It is my belief that ICANN requirements within the contracts with Registrars must uphold and not violate international human rights standards on privacy, in particular collection, access to, and use of such data. Incursions on privacy are permissible only when restricted to exceptional circumstances, such as access by law enforcement bodies pursuant to a judicial process and in any event subject to rules relating to access to data across national borders.

The aggregated database of registrants’ contact information is called the WHOIS database, and is currently required to be published to unauthenticated requesters. In my view, information within this database must only be collected for the purpose for which it is needed, and sensitive information must be made available only to those with demonstrated need. There is no clearly established need for the collection of, for instance, telephone numbers for the purposes of registering a domain name, although Registrars and others may find this convenient. A blanket requirement to provide telephone numbers would, therefore, seem to be an unreasonable intrusion into the privacy rights of registrants. Similarly, physical addresses and secondary identity verification documents are not required for the operation of the domain name system, and in my view should not be permitted or required in the contracts ICANN has with Registrars.

I am sure you will understand that with the creation of a data-rich database, concerns regarding the proper and secure storage and compliant arrangements for the disposal of registration data when it is no longer required become more important and potentially privacy-intrusive. In my view, the current requirements in the new draft contracts with Registrars are likely to infringe national privacy laws and have impact on citizens within your jurisdiction.

For example, WHOIS contact details need only be an email address of a technical officer who is empowered by the registrant to fix technical issues with a domain name address or pass on communications. There is no technical need for identity verification, let alone regular or annual verification, beyond the existing requirements. In many jurisdictions where freedom of expression is tenuous, the greater the degree of anonymity or pseudonymity, the greater the freedom of expression. This is even more acute when the database is stored in a foreign country and subject to different national laws regarding privacy and access by public officials to private databases. It is important, therefore, to ensure that national laws relating to privacy are respected.

The Article 29 Working Party has previously considered WHOIS, and raised concerns as far back as 2003, saying that “it is necessary to look for less intrusive methods that would still serve the purpose of the Whois directories without having all data directly available on-line to everybody.”

http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2003/wp76_en.pdf

Unfortunately, ICANN’s draft contract goes in the opposite direction, exacerbating the privacy harms. The draft contracts are open for comment – see http://www.icann.org/en/news/announcements/announcement-7-04jun12-en.htm – and I would request your organization review and consider the privacy impacts of these new contracts – in particular the summary of the negotiating team’s responses to law enforcement submissions (attached). On behalf of the Non-Commercial User Constituency, I recommend that your organization respond to the ICANN consultative process to ensure that privacy considerations and respect for national privacy laws remain a strong feature of ICANN’s contractual arrangements. Your comments would be very helpful in giving balanced background to the negotiations.

I recommend that you send comments directly to Dr. Steve Crocker, Chair of the ICANN Board, and Akram Atallah, interim CEO, via email to the Director of Board Support, diane.schroeder@icann.org. Comments by the end of July would be most helpful, but any information you can add would be welcome.

Please feel free to contact me if the NCUC can provide further information or background.

Very truly yours,

David Cake, Chair, Non-Commercial Users Constituency