Privacy issues with the Expert Working Group on gTLD Directory Services

The EWG report is out… Now the hard work begins!

The Expert Working Group on Directory Services for the gTLD has released its report, 15 long months in the making.  It has been a tremendous amount of work, many compromises have been made, and the consensus report gives great guidance for moving forward in implementing a new replacement for the WHOIS.  With some 180 recommendations, the EWG Report tries to address all facets of the problems that have beset WHOIS…accuracy, reliability, accountability and privacy being four important issues.  I hope this blog can address some of the lively debates we have had, and how we resolved different tensions in our approach to the recommendations and solutions.

Of course, if recalibrating the WHOIS directory were easy, it would have been done years ago.  

Privacy has been a long-standing issue in the WHOIS debates.  This is my area of expertise, since I have served over 30 years in privacy and data protection arenas, in both government and the private sector.  The EWG made a number of recommendations with respect to privacy in the report, notably:

  • The fundamental shift from the wide open WHOIS, to the concept that data requestors would be accredited and accountable for the data they access.
  • The recommendation to develop a privacy policy that provides a floor of data protection throughout the RDS ecosystem.
  • The recommendation to develop a system of secure credentials which preserve the anonymity of persons at risk who wish to register a domain name but not be traceable by those seeking to locate and harm them.
  • The proposal for a rules engine, which would automatically apply jurisdiction and relevant data protection rules.

Briefly, the Registration Directory Service (RDS) would operate by centralizing data collected by Registrars and currently made accessible through WHOIS, into an aggregated or synchronized repository – the RDS itself (see notebox on page 110 on the geographically dispersed nature of this repository).

  • Once in the RDS, some data elements would be “ungated” and available to the general public for any purpose, much as is the case with the current WHOIS system (see in particular Figure 6 on p. 61 of the EWG Report).
  • Other data elements would be “gated”, meaning that entities will need to be accredited before these data elements can be accessed (see recommendation 42).
  • Authentication would be purpose-specific, meaning someone accredited for purpose X will only be permitted to access data elements responsive to purpose X (see recommendation 58).

In spite of all these attempts to address the privacy and free expression concerns raised by the current WHOIS model, I felt obligated to release a dissent at the same time as the EWG Report.

The devil lies in the details, and in my view, we need more detail about how the data protection recommendations would actually work.

My comments flag these key issues:

  • A broad principle of consent for access to and use of gated data and ambiguities surrounding its wording and application (recommendation 28);
  • The requirement for every registrant to name a set of “Purpose-Based Contacts”, notably one for legal purposes (EWG Report p. 52: “Legal Contact ID: Not in RAA”);
  • The ambiguity surrounding the wording on where and how the data required for purpose-based contacts, notably that of the legal contact, which requires address and phone number, is published (p. 134 and footnote 39).

Numerous people have asked me why I dissented.  

People appear to be scratching their heads over why I have called attention to these issues…what could be wrong with asking for consent?  Data protection folks don’t usually ask such questions, as they are well aware of the problems with “blanket” consents.  Such broad consents could effectively nullify some of our other protections, and the language we have used does not provide enough guidance to those seeking to implement these recommendations, in my view.  There are very few data protection practitioners at ICANN, hence the need to elaborate further.

I have received much valuable feedback from the EWG and others on my original dissent.  I will include some of this feedback in further comments on my own blog, and I appreciate the positive spirit demonstrated as we try to move forward and make sure our intentions are well understood.  In the meantime, this brief description sets out the areas where I am concerned that our many privacy mitigations have been overly counterbalanced by these specifications concerning purpose-based contacts.  I remain convinced that it is important to point out the parts of our report where the language is at best confusing.

We can explain further what the intent of the EWG was in frequently asked questions and in slide decks.  But in my experience, it is always the text of the report that is authoritative.  It needs to say exactly what we meant it to say.

If I had sufficient faith that additions and clarifications on such issues could easily be added in the working group processes that will flow from the report, I would not raise these issues.  Sadly, my current analysis of ICANN’s respect for privacy protection, throughout the ecosystem, does not give me such confidence, nor does the robust nature of discussion in working groups.  I remain committed to helping draft better language, and working on restoring the balance in this very important piece of work.

I really appreciate this opportunity to discuss my dissenting comments.  I invite anyone to respond and show me where I am wrong in my interpretation, if this is indeed the case, or help me in formulating proposals to resolve these concerns, and address them in clear language.

Dissenting EWG Report from Stephanie Perrin

What follows is the exact text of a dissent presented to the Expert Working Group (EWG) for inclusion with the final report on A Next Generation Registration Directory Service (RDS), released on June 6, 2014.  A more thorough discussion of the issues raised, with footnotes to the original, will follow in my next blogpost.  In particular, please note that in our public presentations and ancillary materials presented at the London50 ICANN meeting, the group clarified that most purpose-based contact information (PBCs) is intended to be protected and made available to accredited users for permissible purposes only.  While this clearly states our intention, I maintain that the report still requires clarification in its language, to avoid confusion.

It has been an honor and a privilege to serve on the EWG for the past 16 months, and I am truly impressed at the work we have done, and the spirit of consensus that has enlivened our discussions on the complex matters we were tasked to address. This has been a tremendous amount of hard work, and my colleagues have worked selflessly, with weekly calls, research and reading, and many face to face meetings.

Finding the correct balance between transparency, accountability, and privacy is never easy, especially in a global context with different cultures, legal regimes, and economic power. I am very proud of what we have achieved, so it is with great reluctance that I raise issues where I cannot agree with the consensus on some aspects of this report. I feel it is my responsibility, as one who was brought on the committee to provide data protection expertise, to point out some weakness in some of the provisions that we are recommending.

The EWG report is complex, and must be read in its entirety; sometimes it is quite hard to follow how things would actually be implemented, particularly if you are a reader who is not immersed in the arcane details of domain name registrations on a daily basis. There is nothing devious in that; the matters are very detailed, and deciding which order to put them in, and what topics ought to be addressed in which section, is not easy. The end result, however, is that one must follow a thread through the report to determine ultimate impact.

The purpose of this appendix is to follow the thread of protection of the sensitive information of the average simple domain name registrant. Whether they be an individual, small company, or small organization, we need to see what happens, and how rights, whether legislated or simply claimed on the principle of fundamental fairness in the administration of a public good, are enforced. I regret to say that I am not happy with what I find when I follow that trail.

I have tried to explain how these rights ought to be implemented and enforced, to those who are more familiar with their own areas of expertise both within the EWG and in the broader community, and this appendix is added in an attempt to help further clarify these issues. I am concerned that the rights and important interests of these individuals may not be effectively protected by the inter-related provisions which we have set out.

There are three basic outcomes where I cannot agree with the consensus.

1)   The requirement to have a legal contact, where address and phone number are mandatory to provide, and published outside the gate, in the publicly available data.

2)   The default, if one is a simple registrant who does not want to hire a lawyer or other actor to assume the role of legal contact and publish their details in the RDS, to publishing registrant information, notably address and phone number in the RDS outside the gate.

3)   The inclusion of a principle of consent (28), whereby a registrant may consent to the use or processing of her gated information for the permissible purposes enumerated for accredited actors behind the gate.

Let me provide some context around each of these points.

Firstly, these details appear in the section on purpose-based contacts (PBCs), which proposes a new ecosystem of validated contacts. I support this, and the associated accountability mechanisms, whole-heartedly. I agree with the consensus view, that domain name registrants must be accountable for the use of the resource. Being a privacy advocate, I do not equate accountability with transparency of detailed personal or business information, I equate it with responsiveness. If a registrant fails to respond to serious issues, it is appropriate to expedite the action, depending on the issue, and contact the registrar to take action.

However, I understand the objective of our proposal of gated access to be the sheltering of customer data: the purpose of the gate is to screen out bad actors from harassing innocent registrants, deter identity theft, and ensure that only legitimate complaints arrive directly at the door of the registrants. It is also to protect the ability of registrants to express themselves anonymously.

Placing all contact data outside the gate defeats certain aspects of having a gate in the first place. Obviously large companies are eager to publish their contact data, as it makes it easier for them to streamline requests and manage the actions over thousands of domain names. A simple registrant with a couple of domain names has entirely different needs and resources, and is unlikely to want to spend money hiring an ISP or Registrar to provide these contacts for them.

I whole-heartedly applaud the emphasis we have achieved in this report on the necessity of having privacy/proxy services in the RDS ecosystem, for both individuals and organizations. I do not believe that should be the only way an individual or small organization can avoid having their private information published. We have a principle that recommends providing resources for registrants who are economically disadvantaged, but it is not clear how we could implement that globally, particularly in developing economies where the need is likely greatest.

An additional context is that we propose a rules engine that enforces jurisdiction, with respect to the privacy rights of individuals who are protected by personal data protection law. This is an ambitious and potentially very useful proposal, but it only protects individuals, and occasionally legal persons in some jurisdictions, and only where data protection is in place, and would find the presence of name, address and phone number in a public directory to be in conflict with data protection law. These are very important caveats. Not all data protection regimes would find, or have found, that directory information must be protected. Secondly, it is not clear enough for me how that rules engine would encode rights. Would it be based on precedents? My interpretation of the law? Your interpretation of the law? This is a difficult question and provides no certainty as to the outcome in the instances where I have cited my disagreement. A third problem with the rules engine is that it proposes to address regimes with data protection law only… what happens to organizations that have a constitutional right to privacy for the purposes of free speech and freedom of association, such as in the United States? Finally, is it fair to individuals in jurisdictions where their countries have not enacted data protection law? Does ICANN, in the monopoly administration of a public resource, not have a responsibility to set standards on an ethical basis, based on sound best practice?

The two remedies, then, I find inadequate for the reasons cited above:

1)   Hire a privacy proxy/service provider, or proxy contact, if you do not want your contact data published in the public portion of the RDS;

2)  The rules engine will enforce data protection rights, and place this data behind the gate.

I am not confident that these will be effective as a means of allowing independent registrants to gate their name and contact information. We have indeed proposed another mitigation for this and other privacy-related problems in the privacy section. The EWG recommends that ICANN develop a privacy policy to govern the RDS. I am extremely pleased with this recommendation. It is my view, however, that it will not be a proper policy unless it governs the collection instrument, which can be found in the requirements set out in the 2013 RAA, and the escrow requirements, to be found in the same place. However, this is a magnificent step forward as far as I am concerned, and I believe once the PDP is struck to work on the policy, my arguments will be persuasive on the need to include the collection and retention instruments, as presented in the contract requirements. Once again, though, until this instrument is developed, and the actual enforcement mechanisms determined, it would be unwise to rely on its potential to reverse the clauses to which I am objecting.

I would like now to address the consent principle. It is my view that we cannot elevate one principle of data protection above the others, because they are inter-related. Consent must be read in the context of legitimacy of purpose, proportionality, rights to refuse, rights to withdraw consent, specificity of purpose and use, and so on. To offer individuals and organizations the opportunity to consent to the use of their sensitive, gated data, for all the permissible purposes, in my view can be read as providing blanket consent to accredited users behind the gate. It can be read as voluntarily giving up any privacy protection one might have expected under local law, and any right to select some purposes as opposed to others. It greatly simplifies one of the biggest problems we faced as a group in grappling with the concept of accrediting users only for certain specific purposes, but from a privacy perspective it greatly reduces the effectiveness of the gate as a privacy mechanism. Once again, if you understand the risks, you will hire a proxy service. From the perspective of an elite North American, this looks like a no-brainer, just hire a proxy.

However, we have a responsibility to examine this from the perspective of a global ecosystem. We have now set up a system where accredited actors have access to inside data, others do not. We have labored long and hard in the group to ensure that the parameters of the RDS are flexible and allow individuals to apply for access beyond the gate to resolve specific problems and issues they encounter, but in fact the vast majority of end-users will be unlikely to make effective use of this right. I totally agree with my colleagues that the market will rush to provide this kind of service at low cost, but I flag it as an element to watch in this discussion.

I hope that this clarification serves to flag some issues that are important with respect to data protection. I would like to reiterate my strong support for this report. I believe this report, and the work that lies behind it, is an important contribution to the WHOIS evolution. I would stress however, that we are setting up the ecosystem to manage personal information globally. Different cultures have different norms with respect to the transparency of their citizens, and it is appropriate to err on the side of protection of information.

I would therefore conclude with the following recommendations:

    1. Gate the legal contact information for individuals and organizations who wish to protect their private data
    2. Consent needs to be meaningful, specific, explicit and for legitimate purposes. A blanket consent as envisioned here does not meet these requirements

Privacy policy at a mature level needs to be developed to inform the other policies referred to here. It cannot come in as the caboose at the end of the train.

I appreciate the opportunity to make these comments.

Respectfully,

Stephanie Perrin

Welcome to Stephanie Perrin’s Blog

When blogging first became the rage, I never really thought it was something I would do.  I recall even referring to it as “narcissism on steroids”; as people talked about what they were eating for breakfast and how bad traffic was, I did wonder who had time for this, with a wonderful world on their doorsteps to explore.

So I start this blog with some trepidation.  You should be out smelling the roses, as they are in bloom here in Canada right now.  But if you care about an old curmudgeon’s thoughts on privacy and civil liberties, which will be for the most part what I plan to blog about, read on.

My first official blog is on my dissenting views on the Expert Working Group’s report on replacing the WHOIS, or https://community.icann.org/pages/viewpage.action?pageId=40175189.  As the lone privacy expert on that working group, I reluctantly reached the conclusion that I was duty bound to dissent from the majority view.  I hope that my reasoning is clear, and that those who care about these rather arcane issues will comment.