COMMENTS OF THE INTELLECTUAL PROPERTY CONSTITUENCY (IPC) Article 29 Data Protection Working Party Guidance to ICANN.

Similar documents
Advisory Statement: Temporary Specification for gtld Registration Data

PURPOSE STATEMENT FOR THE COLLECTION AND PROCESSING OF WHOIS DATA

INTELLECTUAL PROPERTY CONSTITUENCY COMMENTS ON PROPOSED INTERIM MODELS FOR ICANN COMPLIANCE WITH EU GENERAL DATA PROTECTION REGULATION

Introduction. Prepared by: ICANN Org Published on: 12 January 2018

Proposed Interim Model for GDPR Compliance-- Summary Description

General Data Protection Regulation (GDPR)

July 13, Via to RE: International Internet Policy Priorities [Docket No ]

With this vital goal in mind, MarkMonitor believes that the optimal WHOIS model should have, at minimum, these five important characteristics:

Whois Study Table Updated 18 February 2009

Draft Applicant Guidebook, v3

Temporary Specification for gtld Registration Data

Proposed Temporary Specification for gtld Registration Data WORKING DRAFT

en.pdf

Proposal for a model to address the General Data Protection Regulation (GDPR)

Proposed Temporary Specification for gtld Registration Data WORKING DRAFT

Progress Report Negotiations on the Registrar Accreditation Agreement Status as of 1 March 2012

(The Cookbook, 8 March 2018) Prepared by: ICANN organization

GDPR. The new landscape for enforcing and acquiring domains. You ve built your business and your brand. Now how do you secure and protect it?

ECTA POSITION PAPER ON WHOIS

Fast Flux Hosting Final Report. GNSO Council Meeting 13 August 2009

Summary of Expert Working Group on gtld Directory Services June 2014 Final Report

Summary of Public Suggestions on Further Studies of WHOIS including the GAC recommendations of 16 April Updated 10 May 2008

Registry Internet Safety Group (RISG)

ICANN GDPR Proposed Models Redaction Proposal EXECUTIVE SUMMARY:

OnlineNIC PRIVACY Policy

WHOIS Access and the EU General Data Protection Regulation. Part 2

The registration of Domain Names will be centralized and managed through all DOT accredited Registrars selected by the Registry.

Draft Applicant Guidebook, v4

Part 1: Items that Contracted Parties Need from ICANN before May 25 - Prior to Implementation

AMENDMENT NO. 1 TO REGISTRY-REGISTRAR AGREEMENT

Impacts of the GDPR in Afnic - Registrar relations: FAQ

Hogan Lovells Comments on the 3 ICANN Models for WHOIS Compliance with GDPR published on 12 January 2018

Schedule Identity Services

Startup Genome LLC and its affiliates ( Startup Genome, we or us ) are committed to protecting the privacy of all individuals who ( you ):

CHAPTER 13 ELECTRONIC COMMERCE

Matters Related to WHOIS

This descriptive document is intended as the basis for creation of a functional specification for 2

gtld Applicant Guidebook (v ) Module 5

Advisory Concerning Inter-Registrar Transfer Policy. 23 August 2007

The IDN Variant TLD Program: Updated Program Plan 23 August 2012

DNS Abuse Handling. FIRST TC Noumea New Caledonia. Champika Wijayatunga Regional Security, Stability and Resiliency Engagement Manager Asia Pacific

Draft Thick RDDS (Whois) Consensus Policy and Implementation Notes

Ferrous Metal Transfer Privacy Policy

The importance of Whois data bases for spam enforcement

GAC PRINCIPLES REGARDING gtld WHOIS SERVICES. Presented by the Governmental Advisory Committee March 28, 2007

Law Enforcement Recommended RAA Amendments and ICANN Due Diligence Detailed Version

ARTICLE 29 DATA PROTECTION WORKING PARTY

WHOIS High-Level Technical Brief

DRAFT: gtld Registration Dataflow Matrix and Information

10007/16 MP/mj 1 DG D 2B

Comprehensive Study on Cybercrime

.LATROBE TLD REGISTRATION POLICY

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

Expert Working Group on gtld Directory Services (EWG) Frequently Asked Questions (FAQs) 2014 Final Report Update

Privacy and Proxy Service Provider Accreditation. ICANN58 Working Meeting 11 March 2017

VdTÜV Statement on the Communication from the EU Commission A Digital Single Market Strategy for Europe

TRANSMITTED VIA FACSIMILE, COURIER SERVICE & ELECTRONIC MAIL RE: NOTICE OF TERMINATION OF REGISTRAR ACCREDITATION AGREEMENT

Effects of ICANN s WHOIS Reforms Under GDPR. Prepared by the Internet Committee 2018/2019

Privacy Policy. Information about us. What personal data do we collect and how do we use it?

GNSO Council Report to the ICANN Board Locking of a Domain Name subject to UDRP Proceedings PDP

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

G8 Lyon-Roma Group High Tech Crime Subgroup

RESOLUTION 45 (Rev. Hyderabad, 2010)

Topic LE /GAC position Registrar Position Agreement in Principle 1. Privacy and Proxy services

ENISA s Position on the NIS Directive

2. What do you think is the significance, purpose and scope of enhanced cooperation as per the Tunis Agenda? a) Significance b) Purpose c) Scope

Contributed by Djingov, Gouginski, Kyutchukov & Velichkov

Registration Abuse Policies Final Report. Greg Aaron, RAPWG Chair Sunday, 20 June 2010

Public consultation on Counterfeit and Piracy Watch-List

Review of Law Applicable to the Transition of Data from a Thin to Thick. In March 2014, the ICANN Board adopted GNSO consensus policy

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

UN FREEDOM OF INFORMATION POLICIES INTERNATIONAL TELECOMMUNICATION UNION (ITU)

PRIVACY POLICY OF THE WEB SITE

Privacy Policy of

CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

General Data Protection Regulation (GDPR) The impact of doing business in Asia

General Data Protection Regulation (GDPR)

A Next Generation Registration Directory Service (RDS) Briefing by the Expert Working Group (EWG) on gtld Directory Services 13 July 2013

Deloitte Audit and Assurance Tools

EDPB Certification Guidelines

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679

Draft Resolution for Committee Consideration and Recommendation

Registrar Session ICANN Contractual Compliance

Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679)

Version 1/2018. GDPR Processor Security Controls

ISSUE CHART FOR THE GNSO RAA REMAINING ISSUES PDP ON PRIVACY/PROXY SERVICES

BIOEVENTS PRIVACY POLICY

ISAO SO Product Outline

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

Contractual ICANN. An Overview for Newcomers 11 March 2012

The Rough Notes Company, Inc. Privacy Policy. Effective Date: June 11, 2018

International Roaming Charges: Frequently Asked Questions

Latest version, please translate and adapt accordingly!

ENFORCEMENT POWERS. The EU Perspective. Olivier Proust. Associate Hunton & Williams LLP

Google Cloud & the General Data Protection Regulation (GDPR)

The Internet Big Bang: Implications for Financial Services Brand Owners

European Union Agency for Network and Information Security

UNITED STATES OF AMERICA COMMENTS ON THE REPORT OF THE WGIG

Data Leak Protection legal framework and managing the challenges of a security breach

Transcription:

COMMENTS OF THE INTELLECTUAL PROPERTY CONSTITUENCY (IPC) Article 29 Data Protection Working Party Guidance to ICANN April 20, 2018 The Intellectual Property Constituency (IPC) of the Generic Names Supporting Organization (GNSO) appreciates the opportunity to comment on the Article 29 Data Protection Working Party (WP29) Guidance on the Interim Model for Compliance with the General Data Protection Regulation (GDPR). In this public comment, we aim to clarify a few apparent factual misunderstandings by WP29, identify areas where we disagree with WP29 interpretation of the GDPR and guidance as a matter of public policy and the global public interest, and recommend improvements to the ICANN Final Interim Model. ICANN s Mission And Mandate To Coordinate The Stable And Secure Operation Of The Internet's Unique Identifier Systems Encompasses A Complex System Of Technical And Policy Considerations. It Is Not Limited To A Singular, Technical Function. The ICANN Bylaws set forth a clear mission to facilitate the openness, interoperability, resilience, security, and/or stability of the DNS including, with respect to gtld registrars and registries, policies that explicitly include the maintenance of and access to accurate and up-todate information concerning registered names and name servers. See ICANN Bylaws, Sections 1.1(1)(i) and Annexes G-1 and G-2 (22 July 2017). The uniform and coordinated resolution for such registration data maintenance and access is reasonably necessary to facilitate interoperability, security and/or stability of the Internet, as well as the provision of registrar services, the security and stability of the registry database for a TLD, and the resolution of disputes regarding the registration of domain names. See id. Facilitating the security and stability of the Internet, by necessity, requires considerations beyond purely technical coordination, and encompasses the development of policies and rules regarding identifying and combating DNS resources that have been, or are being, used for nefarious purposes. 1

The multistakeholder model employed by ICANN recognizes these complexities and allows for the consideration of views from all sectors of society including technical, private sector, academia, civil society, and intellectual property. We are all members of one community dedicated to the security, stability and resiliency of the internet in relationship to the smooth operation all aspect is of domain name registration and resolution from the technical and policy. Facilitating the security and stability of the internet, by necessity, mandates considerations beyond the purely technical such as the development of policies and rules on how to allocate domains and how to identify and disarm domain names that have been used for abusive or nefarious purposes. The WP29 statement that the ICANN mission and mandate is to coordinate the stable operation of the Internet s unique identifier systems posits a much more narrow and inaccurate interpretation of ICANN s mission. The purposes set forth in the Final Interim Model, and in the extensive gtld Registration Dataflow Matrix that ICANN submitted to WP29 in August 2017 (summarized here) reside firmly within the ICANN organizational mission and mandate. These purposes specifically include supporting a framework to address [consumer protection and intellectual property protection] issues involving domain name registrations, coordinating dispute resolution services for certain disputes concerning domain names, and handling contractual compliance complaints submitted by registries, registrars, registrants, and other Internet users. See Section 7.2.1 of the Final Interim Model. Further, these purposes are fully consistent with EU law, including the Intellectual Property Rights Enforcement Directive ("IPRED"), Directive 2004/48/EC of the European Parliament. Moreover, from its inception, through the commercialization of the Internet, and continuing today, a key purpose of the WHOIS database has been to provide the public with ready access to the identity and contact information for domain name registrants. For example, in October 1985 the official specification of the NICNAME/WHOIS protocol provided that The NICNAME/WHOIS Server... provides netwide directory service to Internet users....[i]t delivers the full name, U.S. mailing address, telephone number and network mailbox for... users who are registered in the NIC database. The service is designed to be user-friendly and the information is delivered in human-readable format. See: http://www.faqs.org/rfcs/rfc954.html For more than three decades and long before ICANN even came into existence, the clear and unambiguous purpose of the WHOIS directory has been to supply ready and publicly accessible contact information of domain name registrants. See ICANN, Purpose of WHOIS- Constituency Statements, p. 11-15 (25 July 2005) (Containing a detailed history of the WHOIS directory and its purposes). The Berlin Group Paper Should Be Evaluated Within The Context In Which It Was Drafted. 2

The WP29 guidance specifically references the Working Paper on Privacy and Data Protection Issues with Regard to Registrant Data and the WHOIS Directory at ICANN from the International Working Group on Data Protection in Telecommunications ( Berlin Group ). They encourage ICANN to take careful consideration of the recommendations outlined in this paper. However, the Berlin Group paper was authored in November 2017, well before the Model was presented to the community for discussion and evaluation, and it should be considered with this timing in mind. In addition, factual uncertainty abounds with respect to the origin, content, timeliness, and authority of the Berlin Group paper. While the paper has no attributable authorship, participants within the Berlin Group can confirm that it was primarily authored by a single rapporteur. Moreover, participants within the Berlin Group can also confirm that numerous recommendations in the paper were challenged by several members, including representatives from Europol. All such challenges or otherwise critical comments were rejected by the rapporteur. We are aware of at least one data protection authority involved in the Berlin Group who declined to adopt the paper in light of such inclusiveness concerns. Finally, the paper is dated November 2017, months before the ICANN Interim Model was even released, or before the European Commission issued guidance on the topic; it is a critique of the current Whois system, and does not take into account any of the significant changes proposed in the ICANN interim model or discussed within the ICANN community. Further, noted internet security experts have warned of the impended threats to consumers should Whois go dark without a well articulated and tested accreditation and access model in place. See e.g. Brian Krebs, Krebs on Security, Who Is Afraid Of More Spams And Scams (March 18, 2018). Ultimately, the Berlin Group paper is but one view and lacks authority. It does not enshrine either the ICANN multi-stakeholder ethos, or a meaningful balance between individual privacy rights and legitimate interests, as required by Recital 4 of the GDPR. It was not meant to be leveraged against a Model that had not yet been drafted. It should be accorded little, if any, weight by WP29 or ICANN. The Silence On Forbearance Has Forced ICANN To Look At Alternative Remedies. WP29 guidance did not respond to the primary request from ICANN for forbearance on penalties while an interim model can be finalized and implemented. The WP29 guidance did mention that ICANN should communicate its full plan and timescale by which the solutions will be implemented. We seek clarity from WP29 and ICANN about whether a timescale which extends beyond May 25 would be acceptable, and if WP29 would grant a forbearance on penalties in that case. 3

While silence does not necessarily constitute refusal of the request, we echo the disappointment expressed by ICANN CEO Goran Marby, and more importantly the observation that [w]ithout a moratorium on enforcement, WHOIS will become fragmented and we must take steps to mitigate this issue. Accordingly, we fully support the decision by ICANN to study all available remedies, including legal action in Europe to clarify our ability to continue to properly coordinate this important global information resource. The IPC will also proceed in exploring all available remedies, including legal action in Europe, to preserve access to WHOIS data elements necessary for the purposes that we have extensively and repeatedly enumerated to both WP29 and ICANN, including consumer protection, intellectual property protection, cybersecurity and operational concerns. We Support The Development Of A More Balanced Purpose Statement, Subject To Reasonable Parameters To Avoid Unreasonable Burdens or Latency. WP29 guidance suggests that ICANN will need to make substantial revisions to its purpose statement, to provide an exhaustive and comprehensive list of legitimate purposes. Accordingly, we encourage ICANN to adopt the draft purpose statement included as part of the accreditation and access model, which is more balanced, specific, and exhaustive than the purpose statement presently in the Final Interim Model. See Draft Accreditation & Access Model For Non-Public Whois Data, at Annex A, Purpose Statement For The Collection And Processing Of WHOIS Data (27 March 2018). We note that such an exhaustive and comprehensive list of legitimate purposes comports with the requirements of Article 5.1(a) and 13.1 of the GDPR. We also encourage ICANN to incorporate the information from the gtld Registration Data Flow Matrix (referenced above, and found here) into the Model, with attention to identifying the specific legal basis for legitimate purposes identified by the ICANN community during this exercise. However, we are also concerned with the apparent premise articulated by WP29 suggesting that GDPR compliance requires a detailed purpose statement, with specific legal basis and specific data safeguards for every inquiry seeking a non-public data element, tying the purpose to each individual data element. This approach would introduce severe latency into the process of accessing these important data elements, which could be disastrous in scenarios where time is often of the essence (e.g. to prevent DDoS attacks or similar systematic threats to Internet infrastructure). The Draft Accreditation and Access Model for Non-Public Whois Data should be examined as an alternative to such a process. ICANN s Approach Regarding Territorial Scope and Treatment Of Data Of Natural Versus Legal Persons Is Overbroad. 4

WP29 did not explicitly address all areas of community divergence noted by ICANN, including concerns about the proposal to apply the Model to all domain name registrations regardless of any nexus to the European Economic Area, as well as the lack of any distinction in treatment of data of natural persons versus legal persons under the Model. These concerns were enumerated in the Joint IPC and BC comments on the Model, but were not explicitly highlighted in Mr. Marby s letter to individual DPAs dated March 26, 2018, requesting guidance from WP29. (To be clear, Mr. Marby did reference the extensive analysis and legal support provided by parties who believe that the GDPR is over-compliant, but did not reference these specific issues.) We ask ICANN and WP29 to further examine these aspects of the Model. Anonymized Email Addresses Must Not Stymie Unique Identifier Correlation. WP29 appears to endorse ICANN s proposal to replace public registrant email address with either an anonymized email address or a web form through which third parties can attempt to contact the registrant. Anonymized email address or web form will not necessarily enable WHOIS users to correlate different domain names that might be owned by the same party. This is very important in investigations and enforcement for cybersecurity and law enforcement efforts, as it helps establish patterns of harmful conduct. It is also one of the strongest tools the intellectual property owners have to protect their individual customers from fraud and abuse. These efforts protect consumers and Internet users from fraud, harmful counterfeits, and other malicious activity. Finally, full anonymization of all registrant email addresses seems contrary to alternative approaches adopted by country-code TLD registry operators and numbers authorities, who publish registrant email addresses, and even mandate that certain email addresses cannot include personal data like names or other identifying characteristics. This approach better serves the balance between privacy interests and legitimate purposes for access to the actual registrant email address. We urge WP29 to endorse this more balanced approach, and for ICANN to adopt it as part of the Model. Automated Access To Aggregate Data Is Necessary For Security and Stability Of The Internet. WP29 guidance appears to disfavor automated access to WHOIS data, searchable data, or the ability to perform reverse searches, and favors restrictions on data access on a per-field basis to limit data disclosure to strictly what is necessary to achieve the legitimate purpose that is the basis for the WHOIS query. This guidance appears to look at only one side of the equation, to protect individuals from spamming and similar abuses. The other side is that bulk access to accredited parties allows those who are tasked with protecting consumers and fighting crime access to investigate and enforce against a myriad of wrongdoing including counterfeiting, identity theft and human trafficking. Precluding efficient searchability of WHOIS data will 5

place significant burdens on efforts to perform routine enforcement investigations and slow down much needed enforcement in an ever increasingly abusive internet environment. WP29 Should Clarify Its Guidance Regarding Accreditation and Access To Non-Public WHOIS Data. WP29 appears to support a tiered access system for WHOIS, where an accreditation program is used to enable legitimate third parties to gain access to certain non-public WHOIS data for specified legitimate purposes. However, WP29 appears to caution against the use of a centralized IP address white list as the technical means by which to facilitate access to nonpublic WHOIS data for approved users. We do not read this guidance as opposing the use of such a white list, but rather that such a method could be adopted if adequate technical and organizational data security protocols were put in place in connection with this access mechanism. We note that the proposed accreditation and access model for non-public WHOIS data that is currently under development within the community, cited supra, specifically includes data security obligations, including the logging and audit requirements suggested by WP29, and additional specific security requirements are intended to be incorporated into terms of service that would bind accredited parties. It would be helpful for WP29 to clarify its views our regarding the use of a centralized IP address white list as an acceptable access mechanism, subject to adequate data security protocols. In addition, it is critical that ICANN preserve sufficient access to WHOIS data to permit the Uniform Domain Name Dispute Resolution Policy (UDRP) and Uniform Rapid Suspension (URS) rights protection mechanisms to function. We believe there is broad support within the community, including by ICANN and contracted parties, for the dispute resolution providers that administer these mechanisms to continue to have appropriate WHOIS data access in order to operate without limitation particularly as these mechanisms are enshrined in registration agreement contracts between registrars and registrants. Further ICANN Engagement With WP29 Must Not Interfere With Needed Actions To Preserve Accountability And Transparency In The DNS.. The WP29 letter must not put an end to or delay development and improvement of the ICANN Interim Model. In particular, the ICANN Board must make it a priority to consider the detailed views expressed by the GAC in its Consensus Advice on this topic, most recently in the ICANN 61 Communique, and its other comments on the Interim Model. Acceptance of this Consensus Advice will require significant changes to the Interim Model, and any Board rejection of this Advice must follow the procedures that were painstakingly negotiated within the community in recent years, and which are spelled out in the ICANN Bylaws. 6

Finally, in carrying out further discussions with WP29 regarding the Interim Model, ICANN must not lose sight of the impending crisis which is threatened in just a few weeks. If ICANN allows the gtld Whois system to effectively go dark after May 25, 2018, its ability to continue the stewardship of this cornerstone of Internet accountability and transparency will be fundamentally questioned in many quarters. Institutional risk aversion will not suffice to justify the profound damage to global trust in the Internet that could result if such an event substantially undermines public and private sector efforts to enforce the rule of law online; to protect consumers and children; to preserve intellectual property rights; and to remedy a wide range of serious abuses that exploit the domain name system to harm members of the global Internet community. The IPC urges ICANN to take immediate steps to prevent such a crisis from occurring. Accordingly, these comments must not be considered as a waiver or compromise by the IPC, or its individual members, and are written without prejudice to any rights or remedies that we may seek in order to prevent the collapse of the Whois system. Nevertheless, we hope that all parties can reach a mutually agreeable outcome, and will continue to participate actively in efforts to do so, both within and outside the ICANN framework. These comments are not a waiver or compromise by the IPC, or its individual members, and are written without prejudice to any rights or remedies that we or they may have. All rights and remedies at law and in equity are hereby expressly reserved. Nevertheless, the IPC and its members look forward to working with ICANN to achieve an amicable and mutually agreeable outcome and to avoid escalation of available remedies for the IP community with respect to these matters. Thank you for the opportunity to comment on this important topic. Respectfully submitted, Intellectual Property Constituency 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback