Yes. [No Response] General Questions

Transcription

1 General Questions Q1. Do you agree that the proposals to refine the WHOIS opt-out eligibility and to provide a framework for registrar privacy services meets the policy objectives set out in the consultation document? [ Response] Q2. Do you wish to highlight any potential stakeholder impacts or concerns should the proposal to refine the WHOIS opt-out eligibility criteria be implemented? Please explain, providing examples and evidence to support your view, where possible. We believe that the proposed changes to opt-out eligibility are likely to cause further conflicts and still will not meet the expectations of registrants due to the definition of a data controller. We believe it is highly likely that most websites such as blogs will not conform to these requirements due to the common collection of Name and address for simple login, comment and subscription systems. This will likely lead to further confusion if minet enforces this part of the opt-out requirements and will likely result in similar discontent as the current trading stipulation. We believe this may prove harder for minet to enforce than the existing trading test due to the complexities over 3rd party comment systems, subscription systems and other integrated web technologies which store/process personal data - but where the site owner doesn't actually store or process the information directly, these and other similar situations may cause inconsistent judgments as minet staff investigating these cases would need intimate understanding of how site software works and how personal data is processed and stored to properly determine if the site operator is a data controller. Most registrants are likely to be much less familiar with what defines a Data Controller and aspects of the Data Protection Act than they are with the concept of "trading" which can be more easily explained as "If you make money from your website in any way." We therefore believe minet should reconsider this approach and ensure that the final policy for opt-out eligibility is as simple and clear as possible to reduce confusion and ensure equal treatment of all registrants.

2 Q3. Do you wish to highlight any potential stakeholder impacts or concerns should privacy services be permitted to operate in the way in which we have proposed? Please explain, providing examples and evidence to support your view, where possible. Overall Paragon believes a framework for privacy services is a good step forward and will enable more registrars to offer privacy services without the associated risks of assuming the registrant role. However, we do have concerns over when, how and to whom the registrants data may be disclosed under the minet managed system. Traditionally privacy services define their policy for disclosure and registrants can expect this to be applied across all domains which that service is offered. This will require exceptions to be made for existing privacy services to highlight that.uk domains are not subject to the same disclosure process, and is likely to lead to confusion to registrants. We therefore believe that minet needs to provide a clear policy which sets out when, to whom and how data will be disclosed to 3rd parties - Particularly in cases where minet has no legal obligation, such as a UK Court order, to comply with such request but discloses regardless. Q4. Please provide any other views on the direct impact these proposals may have on you or your organisation. It would be helpful if you could advise your interest in the WHOIS, and the stakeholder group(s) you represent. Paragon Internet Group operates numerous hosting & domain brands and manage a large number of.uk domains for our customers. We also offer our own Privacy Protection service for gtld domains under our ICANN Accreditation and, should this proceed will likely extend this privacy service to.uk as well. The proposal will require some development time to change our systems to support privacy using EPP Disclose as well as time to update details on our website to inform registrants new and existing of the changes and how this may affect their registration. Additionally, minet should consider how changes to opt-out eligibility will impact registrar support services after the transition, especially for any registrants which lose eligibility - We would recommend that minet highlight domains which are no longer eligible due to the change, but were previously, to the registrar before opt-out is removed. An additional grace period should be given to allow time for the registrar to reach out to the registrant and advise them of the change of policy and the implications for them. This would also be an opportunity to offer registrants who will lose opt-out to switch to the privacy option. This should ensure that affected registrants are informed, and avoids unnecessary disclosures of their personal data due to the policy change.

3 Q5. Do you have a commercial interest in the domain name industry, including but not limited to acting on behalf of registrants in the registration of domain names or holding domain names in your own name? We are an ICANN & minet Accredited registrar and also hold a number of names of our own, mostly for commercial purposes. We would now like to ask you specific questions relating to each proposal. t all questions are mandatory. These are set out below for your convenience: Do you agree with our assessment of the options we have chosen to not recommend? Are the proposed criteria for eligibility of the opt-out clear and logical enough for WHOIS users and registrants? Do they meet your expectations as a WHOIS user or registrant? Do you agree that domains used to collect personal data should be excluded from eligibility to opt out? If you do not agree, we would like your thoughts on whether your concerns could be mitigated by being able to use a privacy service. Are there any process or technical consequences of the proposed changes to WHOIS opt-out eligibility that minet should take into account or would discourage implementation of this proposal? Do you think we should change the WHOIS query output so that the name of registrants who are optedout are withheld from publication, as well as their address? What obligations, if any, should registrars be subject to in relation to drawing the attention of registrants to the availability of the WHOIS opt-out? Are there any specific standards that registrars should be asked to meet in order to provide a privacy service? Are there process or technical issues in separating collection from publication of contact data in the way we have suggested that minet should be aware of? Should the framework be restricted only to minet Channel Partner and Accredited Channel Partner Tag holders? If you believe the framework should not be restricted, and that other parties should be permitted to operate privacy services, please explain why and provide comments on how minet could identify, monitor, and enforce the framework for third parties., I wish to answer some or all of the additional questions i. Publish less data on the WHOIS

4 [ Comment] ii. Removing the individual/trading tests from the opt-out [ Comment] iii. Align opt-out eligibility with the E-Commerce Directive [ Comment] iv. Do nothing in relation to privacy services / WHOIS opt-out [ Comment] v. Prohibit privacy services [ Comment] vi. Develop a minet privacy service for registrars to sell on to their customers (white-labelled solution) [ Comment] vii. Regulate privacy services offered by registrars We believe this may be more preferable as it could potentially allow for more competition within privacy services and would enable privacy providers to offer consistent terms on disclosure across all TLDs. WHOIS opt-out proposal Q7a. To qualify to use the opt-out we are proposing that: The registrant must be an individual; and, The domain name must not be used: o to transact with customers (merchant websites);

5 o to collect personal data from subjects (ie data controllers as defined in the Data Protection Act); o to primarily advertise or promote goods, services, or facilities. Are the proposed criteria for eligibility of the opt-out clear and logical enough for WHOIS users and registrants? As described on Q2; we believe the new requirement of not being data controllers will cause confusion and discontent with registrants due to the wide practice of processing basic personal details on even basic websites which are commonly run by individuals. Q7b. Do the criteria meet your expectations as a WHOIS user or registrant? See Q2/Q7a. Q7c. Do you agree that domains used to collect personal data should be excluded from eligibility to opt out? If you do not agree, we would like your thoughts on whether your concerns could be mitigated by being able to use a privacy service. Every registrant should have the option to use a privacy service if desired. We believe the data controller requirement will unfairly impact private individuals running basic websites. Q8. Are there any process or technical consequences of the proposed changes to WHOIS opt-out eligibility that minet should take into account or would discourage implementation of this proposal? Please explain with details about whether this would affect registrants, registrars, WHOIS users, or other stakeholders. Registrants would need to be educated on the differences between opt-out and privacy to make an informed decision on which is best suited to them and when opt-out is, and isn't available to them.

6 Registrars will need to make system changes to support the EPP Disclose command. Additionally it s likely that existing privacy systems, such as those used to enable 3rd parties to send messages to the underlying registrant will need changes to be made. Q9. Do you think we should change the WHOIS query output so that the name of registrants who are opted-out are withheld from publication, as well as their address? While previously this is something registrants often request, we believe the demand for this can better be addressed by privacy services. Q10. What obligations, if any, should registrars be subject to in relation to drawing the attention of registrants to the availability of the WHOIS opt-out? Registrars should be required to highlight the differences between opt-out and privacy services and ensure registrants are able to make an informed choice between the 2 options. There is potential that some registrars may try to mislead registrants into purchasing privacy protection over opt-out even if the registrant is eligible - this should be avoided as it could diminish trust in the.uk namespace. Privacy Services proposal Q11. Which, if any of these standards do you think registrars should be asked to meet in order to provide a privacy service? Being required to respond to or transmit abuse complaints from third parties to the registrant, Provide their own contact details to be published in the WHOIS, Highlight the availability of the opt-out to registrants, Other (please specify) We believe it is appropriate for privacy providers to also be Accredited Channel Partners as they should be expected to meet the same level of service, abuse handling, and responsibility when providing privacy services. This will also encourage registrars which are not accredited to become so; and to attain those same high standards in order to provide their own privacy service and will help to raise standards across the board.

7 Q12. Are there process or technical issues in separating collection from publication of contact data in the way we have suggested that minet should be aware of? For example, updating registration data of domains currently held using a privacy service to the registry moving domains with privacy from a registrar to another (TAG change), where the new registrar does not offer privacy transfer of a domain(s) to a privacy service transfer of a domain(s) to a new registrant minimising the incidence of abuse use of the RFC5733 contact disclose field for both name and address Please explain with details about whether this would affect registrants, registrars, WHOIS users, or other stakeholders. It should be carefully considered how registrar transfers will proceed if the new registrar does not offer a privacy service. Additionally as many registrars will change for this service it may be inappropriate to transfer a name to the new registrars privacy service if that service has not been paid for. This is a tricky technical issue, and not one which can be easily solved under the current Push Transfer process. It would appear the only way to achieve a smooth transfer, without disclosure, would be to switch the transfer process to a pull which would enable the new registrar to initiate the transfer with privacy enabled. Q13. Whilst noting that the proposed privacy services framework would not apply to Self-Managed Tag users where domains must be connected to the registrant, should the framework be restricted only to minet Channel Partner and Accredited Channel Partner Tag holders? Privacy services should be operated with care and high standards, we believe it is appropriate for registrars to be Accredited Channel Partners in order to provide privacy services. Do you wish to provide any supporting evidence in your submission?

8 The feedback we receive will inform our decision on changes to our WHOIS policy. We will publish all formal stakeholder responses after this decision has been made. Please tell us if you agree to the publication of your response by selecting one of the options below. Anonymous responses will not be published although they will be taken into account. I am happy for minet to publish my response, along with my name and organisation