ICANN’s Expert Working Group (EWG) on Whois and privacy, which published its final report today, has unfortunately continued a long tradition of failing to find consensus between privacy advocates and business interests. The business interests see coerced publication of domain name registration data as an invaluable aid to brand protection and law enforcement, and many brand protection services, who make their living on this data, do special interest lobbying to influence ICANN. ICANN’s staff and board consistently bias their processes in favor of those interests. So nothing has changed, in the end.
In publishing its final report, the lone privacy advocate on the EWG, Stephanie Perrin of Canada, raised some serious concerns about how the EWG was violating basic data protection norms. Her objections were explained over a period of several days. Extreme pressure was put on Perrin to abandon her objections. In the end, she could not agree, and as is the norm, prepared a dissenting opinion. The dissent was provided on time, and the committee was told it would be three pages long. But the chair of the EWG, Jean-Francois Baril, is now suppressing this dissent. He has refused to include it in the report and is excoriating Perrin for not going along.
So Mr. Baril is basically saying that you have no right to dissent, that real consensus is not necessary, and if you do dissent, the working group has no obligation to publish it along with the report. This means, however, that Mr. Baril has failed. This is not a consensus report. Nothing really has changed in the last 14 years.
What is the EWG? Its creation was announced on 13 December 2012 by ICANN's President and CEO. It attempted to move beyond the Whois name and referred to “gTLD Directory Services.” In the words of an ICANN blog,
ICANN has embarked on a journey to reinvent today’s WHOIS system.
It sounded promising: the EWG was part of a “new effort to redefine the purpose of collecting, maintaining and providing access to gTLD registration data” that would consider safeguards for protecting data.
In typical ICANN fashion, the EWG members were hand-picked by the board, and some accused it of being overly weighted toward brand protection interests; however, at the last minute ICANN did add Perrin to the EWG. Perrin, now a doctoral student at the University of Toronto, was once Director of Research and Policy in the Office of the Privacy Commissioner of Canada, and Director of Privacy Policy at Industry Canada.
The purpose of the EWG was to break the gridlock that has afflicted the intersection of privacy and domain registration policy for the last 14 years. It failed. And Mr. Baril’s overreaction to the existence of dissent compounds the problem, turning it into a procedural failure as well. The text of Ms. Perrin’s dissent follows here. As should be evident, it is well-reasoned, respectful, and deserves to be part of the official report:
——-
Dissenting Report from Stephanie Perrin
June 6, 2014
It has been an honor and a privilege to serve on the EWG for the past 16 months, and I am truly impressed at the work we have done, and the spirit of consensus that has enlivened our discussions on the complex matters we were tasked to address. This has been a tremendous amount of hard work, and my colleagues have worked selflessly, with weekly calls, research and reading, and many face-to-face meetings. Finding the correct balance between transparency, accountability, and privacy is never easy, especially in a global context with different cultures, legal regimes, and economic power. I am very proud of what we have achieved, so it is with great reluctance that I raise issues where I cannot agree with the consensus on some aspects of this report. I feel it is my responsibility, as one who was brought on the committee to provide data protection expertise, to point out some weaknesses in some of the provisions that we are recommending.
The EWG report is complex, and must be read in its entirety; sometimes it is quite hard to follow how things would actually be implemented, particularly if you are a reader who is not immersed in the arcane details of domain name registrations on a daily basis. There is nothing devious in that; the matters are very detailed, and deciding which order to put them in, and what topics ought to be addressed in which section, is not easy. The end result, however, is that one must follow a thread through the report to determine ultimate impact. The purpose of this appendix is to follow the thread of protection of the sensitive information of the average simple domain name registrant. Whether they be an individual, small company, or small organization, we need to see what happens, and how rights, whether legislated or simply claimed on the principle of fundamental fairness in the administration of a public good, are enforced. I regret to say that I am not happy with what I find when I follow that trail. I have tried to explain how these rights ought to be implemented and enforced, to those who are more familiar with their own areas of expertise both within the EWG and in the broader community, and this appendix is added in an attempt to help further clarify these issues. I am concerned that the rights and important interests of these individuals may not be effectively protected by the inter-related provisions which we have set out.
There are three basic outcomes where I cannot agree with the consensus:
1. The requirement to have a legal contact, whose address and phone number are mandatory to provide, and are published outside the gate, in the publicly available data.
2. The default, for a simple registrant who does not want to hire a lawyer or other actor to assume the role of legal contact and publish their details in the RDS, of publishing registrant information, notably address and phone number, in the RDS outside the gate.
3. The inclusion of a principle of consent (28), whereby a registrant may consent to the use or processing of her gated information for the permissible purposes enumerated for accredited actors behind the gate.
Let me provide some context around each of these points.
Firstly, these details appear in the section on purpose-based contacts, which proposes a new ecosystem of validated contacts. I support this, and the associated accountability mechanisms, whole-heartedly. I agree with the consensus view that domain name registrants must be accountable for the use of the resource. Being a privacy advocate, I do not equate accountability with transparency of detailed personal or business information; I equate it with responsiveness. If a registrant fails to respond to serious issues, it is appropriate to expedite the action, depending on the issue, and contact the registrar to take action.
However, I understand the objective of our proposal of gated access to be the sheltering of customer data: the purpose of the gate is to screen out bad actors from harassing innocent registrants, deter identity theft, and ensure that only legitimate complaints arrive directly at the door of the registrants. It is also to protect the ability of registrants to express themselves anonymously. Placing all contact data outside the gate defeats certain aspects of having a gate in the first place. Obviously large companies are eager to publish their contact data, as it makes it easier for them to streamline requests and manage the actions over thousands of domain names. A simple registrant with a couple of domain names has entirely different needs and resources, and is unlikely to want to spend money hiring an ISP or Registrar to provide these contacts for them.
I whole-heartedly applaud the emphasis we have achieved in this report on the necessity of having privacy/proxy services in the RDS ecosystem, for both individuals and organizations. I do not believe that should be the only way an individual or small organization can avoid having their private information published. We have a principle that recommends providing resources for registrants who are economically disadvantaged, but it is not clear how we could implement that globally, particularly in developing economies where the need is likely greatest.
An additional context is that we propose a rules engine that enforces jurisdiction, with respect to the privacy rights of individuals who are protected by personal data protection law. This is an ambitious and potentially very useful proposal, but it only protects individuals, and occasionally legal persons in some jurisdictions, and only where data protection is in place, and would find the presence of name, address and phone number in a public directory to be in conflict with data protection law. These are very important caveats. Not all data protection regimes would find, or have found, that directory information must be protected. Secondly, it is not clear enough for me how that rules engine would encode rights. Would it be based on precedents? My interpretation of the law? Your interpretation of the law? This is a difficult question and provides no certainty as to the outcome in the instances where I have cited my disagreement. A third problem with the rules engine is that it proposes to address regimes with data protection law only. What happens to organizations that have a constitutional right to privacy for the purposes of free speech and freedom of association, such as in the United States? Finally, is it fair to individuals in jurisdictions where their countries have not enacted data protection law? Does ICANN, in the monopoly administration of a public resource, not have a responsibility to set standards on an ethical basis, based on sound best practice?
The two remedies, then, I find inadequate for the reasons cited above:
1. Hire a privacy/proxy service provider, or proxy contact, if you do not want your contact data published in the public portion of the RDS.
2. The rules engine will enforce data protection rights, and place this data behind the gate.
I am not confident that these will be effective as a means of allowing independent registrants to gate their name and contact information. We have indeed proposed another mitigation for this and other privacy-related problems in the privacy section. The EWG recommends that ICANN develop a privacy policy to govern the RDS. I am extremely pleased with this recommendation. It is my view, however, that it will not be a proper policy unless it governs the collection instrument, which can be found in the requirements set out in the 2013 RAA, and the escrow requirements, to be found in the same place. However, this is a magnificent step forward as far as I am concerned, and I believe once the PDP is struck to work on the policy, my arguments will be persuasive on the need to include the collection and retention instruments, as presented in the contract requirements. Once again, though, until this instrument is developed, and the actual enforcement mechanisms determined, it would be unwise to rely on its potential to reverse the clauses to which I am objecting.
I would like now to address the consent principle. It is my view that we cannot elevate one principle of data protection above the others, because they are inter-related. Consent must be read in the context of legitimacy of purpose, proportionality, rights to refuse, rights to withdraw consent, specificity of purpose and use, and so on. To offer individuals and organizations the opportunity to consent to the use of their sensitive, gated data, for all the permissible purposes, in my view can be read as providing blanket consent to accredited users behind the gate. It can be read as voluntarily giving up any privacy protection one might have expected under local law, and any right to select some purposes as opposed to others. It greatly simplifies one of the biggest problems we faced as a group in grappling with the concept of accrediting users only for certain specific purposes, but from a privacy perspective it greatly reduces the effectiveness of the gate as a privacy mechanism. Once again, if you understand the risks, you will hire a proxy service. From the perspective of an elite North American, this looks like a no-brainer, just hire a proxy.
However, we have a responsibility to examine this from the perspective of a global eco-system. We have now set up a system where accredited actors have access to inside data, others do not. We have labored long and hard in the group to ensure that the parameters of the RDS are flexible and allow individuals to apply for access beyond the gate to resolve specific problems and issues they encounter, but in fact the vast majority of end-users will be unlikely to make effective use of this right. I totally agree with my colleagues that the market will rush to provide this kind of service at low cost, but I flag it as an element to watch in this discussion.
I hope that this clarification serves to flag some issues that are important with respect to data protection. I would like to reiterate my strong support for this report. I believe this report, and the work that lies behind it, is an important contribution to the Whois evolution. I would stress however, that we are setting up the ecosystem to manage personal information globally. Different cultures have different norms with respect to the transparency of their citizens, and it is appropriate to err on the side of protection of information. I would therefore conclude with the following recommendations:
1. Gate the legal contact information for individuals and organizations who wish to protect their private data.
2. Consent needs to be meaningful, specific, explicit and for legitimate purposes. A blanket consent as envisioned here does not meet these requirements.
3. Privacy policy at a mature level needs to be developed to inform the other policies referred to here. It cannot come in as the caboose at the end of the train.
I appreciate the opportunity to make these comments.
Stephanie Perrin
Dear Mr Mueller,
I read your blog above and Stephanie Perrin’s dissenting report, and also quickly reviewed the EWG’s report.
I agree that Ms Perrin has some valid concerns; I understand her point “Placing all contact data outside the gate defeats certain aspects of having a gate in the first place.”
However, I am confused about your comments about the process that the EWG followed, please help me understand.
a) While it is true that the dissenting opinion was not included in the report, you mentioned the chair “is excoriating Perrin for not going along” as well as “Mr. Baril’s overreaction to the existence of dissent.” Where did you hear of this excoriating, for instance? Is there some other information that is not publicly available which indicated this overreaction and excoriating?
b) I read in the Appendix of the ICANN report that they made special efforts to get a wide variety of backgrounds, cultures, and countries represented in the EWG. This is a very difficult topic (as you yourself have appreciated) and IMHO it would be impossible to get 100% complete harmonious agreement. In my simple mind, however, consensus means agreement with a large majority of the team, not the entire team. So please help me understand how this final result is not a consensus, given the complexity of the topic?
c) I am confused by your statement “many brand protection services, who make their living on this data, do special interest lobbying to influence ICANN. ICANN’s staff and board consistently bias their processes in favor of those interests.” Please help me understand what evidence there exists of these special interest lobbies?
d) You say above “The purpose of the EWG was to break the gridlock that has afflicted the intersection of privacy and domain registration policy for the last 14 years. It failed. And Mr. Baril’s overreaction to the existence of dissent compounds the problem, turning it into a procedural failure as well.” Please help me understand – are you saying that by not incorporating one dissenting view, that this whole exercise has failed entirely?
Thank you.
Dear Xia Shaoting:
Thanks for your comments. You will forgive me if I begin my answer by asking you a question: who are you? Who do you work for? You seem to be quite well-informed and up to date about the EWG but your name does not appear on the EWG itself, or on any ICANN staff or meeting attendance records. The only Xia Shaoting Google turns up is a Shanghai physician and pioneer of Chinese medicine who was active around 1925. (If you are his reincarnation, I want to talk to you about my knee when we are finished).
Of course we welcome comments from total strangers who just happened to read a very complex 166 page report – and its appendices as well! – two days after it was released. But we would appreciate some identification and attribution so that others can, as we say in the U.S., know where you’re coming from. Perhaps you could show us the contact info in your domain registration? 😉 Or shall we track back your IP address?
Regarding question a) we learned of the refusal to publish the dissent on the NCSG email list (archived here: http://listserv.syr.edu/scripts/wa.exe?A1=ind1406&L=NCSG-DISCUSS). We made a decision to publish the dissent as soon as we learned that it would not be published in the report. We hold the chairman of the group responsible for refusing to publish the dissent because he is in charge of that working group; are you implying that he did not make that decision? If so, who did? As you can see from the archives, Ms. Perrin asked me not to publish it for 48 hours, but that request came after it was published and thus was disregarded. As you can also see from my comments on that archive, the key issue for us is not the substance of her comments but the arbitrary and discriminatory decision to refuse to allow them to be included in the final report, for which Mr. Baril is most definitely responsible. We will change the article, of course, if you can provide any conclusive facts to the contrary.
Regarding question b) in which you say “consensus means agreement with large majority of the team, not the entire team,” no, I am afraid you are dead wrong. Consensus is a very well-defined term. The dictionary defines it as “a general agreement about something: an idea or opinion that is shared by all the people in a group.” Synonyms listed are “accord, unity, unanimity,” etc. Classic Quaker consensus means that no one, not a single person in a group, objects to a decision strongly enough to block it. ICANN has for too many years played a game in which it has refused to recognize a lack of consensus when the objecting parties are from civil society or are civil rights motivated, especially on this issue. The EWG is actually quite small, and gaining assent from Perrin, the only person on the team with data protection expertise and background, was vital to any attempt to gain real consensus.
As for question c), you deny the existence of special interest lobbies in ICANN? Tell you what. Get yourself to an ICANN meeting, let me know if it is London, Los Angeles, or any other one, and I will give you a personal guided tour of special interest lobbies in ICANN. You’ll be shaking hands with so many lawyers and consultants you may want to bring some Chinese herbal lotion. If you want less dynamic and interesting evidence, take a look at this old blog post of ours, https://www.internetgovernance.org/2013/09/14/meltdown-iii-how-top-down-implementation-replaced-bottom-up-policymaking/ which documents ICANN staff’s catering to trademark/brand protection interests. And take a look at the public comments submitted regarding the EWG preliminary reports. It’s pretty obvious where people line up.
Responding to your question d) “Are you saying that by not incorporating one dissenting view, that this whole exercise has failed entirely?” Not necessarily. As Ms. Perrin herself has pointed out, there _is_ consensus on something around 80% of the report. There was a chance here to move forward on an honest basis that respects some minor divergence of views. But apparently, Baril couldn’t permit that. By suppressing the publication of the dissent and PRETENDING that there is consensus and that Perrin’s privacy concerns don’t matter, Mr. Baril and any other EWG members have made this disagreement far worse than it needed to be. They may have wrecked their chance to build a new consensus on Whois. It has alienated the privacy interests and undermined confidence in the fairness of the process.
Thank you for your response.
Let me first clarify – I am a student of internet governance and came across your blog while looking through the net for different resources. I had not even heard of the EWG or the report until I read about it on your blog. I have not read the 166 page report in its entirety, as I already mentioned above. For someone who professes to advocate privacy and data protection, I am baffled as to why you chose to reveal my last name (when your blog states the email address is a secret), or threaten to track back my IP address, or make reference to Chinese medicinal oil, but that is a separate topic. I state again, my intention is to understand your point of view and I would appreciate your patience in explaining it.
To go back to your points above:
a) I do not know whose decision it was to exclude Ms Perrin’s view from the final report, hence my question. Thanks anyway for pointing me to the NCSG email list and the relevant correspondence, which clarified matters.
b) point taken
c) I am confused by your response – I do not deny or affirm anything, because I do not know and am asking for your view and evidence. I see your point that there are probably a lot of interested parties who have a view to push/share, but what’s new? If there are a lot of parties (lawyers, consultants, as you mentioned) who are advocates for big corporates, aren’t there also other parties, for example, other lawyers who advocate the views of civil liberties unions and the like?
d) Again, I am confused. Why do you say that ICANN is pretending that there is consensus? I note that in the introduction to this report on the ICANN website, there is reference made to a dissenting view.
In any case, irrespective of whether or not Ms Perrin’s view was incorporated into the report, I would like to better understand your view on what Ms Perrin pointed out (which IMHO has a great deal of merit) – “Placing all contact data outside the gate defeats certain aspects of having a gate in the first place.” This information includes telephone number and street address in domain name registration. Because I am new to this and only started following this debate recently, I don’t understand why the EWG is still insisting on making telephone number and address visible. Mr Mueller, what is your view on this?
Thank you.
Assuming the EWG was constituted under ANNEX 1: GNSO Working Group Guidelines, it is clear how dissenting opinions should be handled:
“In cases of Consensus…an effort should be made to document that variance in viewpoint…” (10)