
Re: BOUNCE comment-guidelines@zephyr.isi.edu: Message too long (>100000)



Because of the length of the attachment, this message was not automatically
posted when it was originally sent.  ICANN has received the attachment, the
text of which was provided in the message below and in a separate "part
two" message that has already been posted.

>
>Dear ICANN,
>
>
>For consideration in Singapore, we are attaching comments on the draft
>guidelines on accrediting registrars.  The document is attached in two
>formats.  We also repeat the text in this and a second e-mail.  The
>text in the body of the emails does not include footnotes that appear
>in the attached Word and rtf versions.
>
>
>Thank you,
>
>
>James X. Dempsey
>
>Senior Staff Counsel
>
>Center for Democracy and Technology
>
>1634 I Street, NW
>
>Washington, DC 20006
>
>
>(202) 637-9800
>
>
>Part 1
>
>
>Comments of the Center for Democracy and Technology 
>
>on the WIPO Interim Report and 
>
>on the ICANN Guidelines for Accreditation of Internet Domain Name
>Registrars:
>
>
>Privacy and Other Human Rights Implications 
>
>of the Domain Name System
>
>
>26 February 1999
>
>
>Introduction
>
>
>"The Internet can be very simply described as a, or the, network of
>networks.  That simple technical description, however, lacks the
>eloquence to speak of the profound ways in which the Internet is
>affecting the way in which we communicate with each other, the way we
>express ourselves, the way we learn, the way we do business and the way
>in which we interact culturally.  Given the profound changes that we
>sense are underway, we have difficulty in placing faith in the simple
>technical definition."  
>
>
>With this beginning, the Interim Report of the World Intellectual
>Property Organization (WIPO) on the domain name process takes note of
>the manner in which the Internet is affecting many aspects of modern
>communications, business, and culture.  The decentralized nature of the
>Internet makes private, anonymous communication possible; it lowers
>barriers to speaking and publishing, allowing every user to voice an
>opinion.  While a stable and well-functioning domain name system is
>essential to the continued well-being of the Internet, a centralized
>management structure for domain names has implications for these
>decentralized, democratic values.
>
>
>Domain name management impacts not only narrow technical questions and
>the interests of the trademark community, but the privacy and free
>expression interests of Internet users.   These comments of CDT assume
>that it is necessary, in the course of DNS administration, to collect,
>at one or more central repositories, some information about domain
>names.  But careful consideration must be given to how much information
>should be collected about domain name holders: fair information
>practices dictate that collection of personally-identifiable
>information should be kept to the minimum necessary to achieve the
>immediate purpose.  There may even be situations in which registrars
>would collect no personally-identifiable information and still promote
>stability and respect for the rights of others.  There also arise a set
>of questions surrounding the use and disclosure of the information that
>is collected: who should have access to it, for what purposes and under
>what standard of authority or justification.  
>
>
>These comments explore these broader civil liberties issues involved in
>name registration in general and trademark dispute resolution in
>particular.  We focus on possible privacy concerns with the creation,
>access to and use of the domain name registration database(s).  No
>immediate solutions are presented.  Our basic message is that
>establishing privacy rules will not be easy, but that current proposed
>rules are inadequate and that the task must be given fuller attention
>through a broader consultative process. We also briefly mention some
>free expression/access concerns.
>
>
>Background on DNS Database Proposals
>
>
>The WIPO Interim Report focuses on creation of a database of domain
>name holders in order to provide an efficient and reliable manner of
>identifying and contacting potential trademark infringers.  "[T]he
>purpose of the collection of contact details is to enable a third party
>which considers that its intellectual property rights have been
>infringed as a result of a domain name registration to be able to
>obtain reliable and accurate information concerning the domain name
>holder in order to establish contact with the holder." 
>
>
>The goals of the Internet Corporation for Assigned Names and Numbers
>(ICANN) are to ensure the stability of the DNS while promoting
>competition in the delivery of registration services.   ICANN has said
>that the registration system should be convenient and easy to use from
>the perspective of individuals or organizations.  The system should
>allow portability of domain name registration from one registrar to
>another without disadvantage, and should put all registrars on a level
>playing field with regard to access to registries. 
>
>
>The draft guidelines issued by ICANN for the establishment of a domain
>name registry system address data collection issues in the following
>principles for accrediting registrars: 
>
>
>3. The registration agreement should protect legal rights (including
>intellectual property rights) of the parties, and of third parties
>where applicable.  It should contain provisions that minimize disputes
>over rights to use of particular domain names, and in the event of
>dispute, it should contain provisions that enhance the orderly and
>timely resolution of disputes. 
>
>
>4. The information obtained from applicants for domain names should
>include only the data elements reasonably needed for the assignment and
>use of the name. Registrars and other parties acquiring, storing and
>using such information should be bound by reasonable privacy
>principles, consistent with facilitation of dispute resolution and law
>enforcement. Domain name applicants should have an opportunity to
>register names on behalf of third parties who wish to remain anonymous.
>
>
>
>Contents of the DNS Database(s)
>
>
>	Paragraph 85 of the WIPO Interim Report describes the potential scope
>of the domain name registration database by identifying at least 17
>data elements:
>
>
>(1) domain name (or embedded part thereof), and (2) name of domain name
>holder.  The result of a query on these items could be a browse list
>featuring any records corresponding to the search criteria.  In
>relation to each record the following information could be displayed:
>(1) gTLD, (2) any sublevel domain(s), (3) name of domain name holder,
>(4) street address, (5) city, (6) state/province, (7) postal codes, (8)
>country, (9) e-mail address, (if available), (10) phone number, (11)
>fax number, (if applicable), (12) authorized contact person, (if
>applicable), (13) status of the domain name including whether it is in
>dispute (e.g., operational, pending, on hold, in dispute), (14) the
>registration authority for the domain name, (15) the date the domain
>name was registered, (16) primary and secondary servers hostnames and
>netaddresses, and (17) an indication of whether the domain name holder
>has opted for certain ADR procedures further discussed in Chapter 3,
>below.
>
>
>In addition, paragraph 85 notes that some would like to include the
>historical chain of title information for a domain name and any
>information about relevant intellectual property rights that may be
>held by the domain name holder. 
>
>
>	ICANN's proposal seems to be only slightly more limited.  According to
>the draft guidelines, "The SLD [Second Level Domain name] holder shall
>be required to provide to the registrar accurate and reliable contact
>details and promptly to update them during the term of the SLD
>registration, including: the full name, postal address, e-mail address,
>voice telephone number, and fax number if available of the SLD holder;
>name of authorized person for contact purposes in the case of an SLD
>holder that is an organization, association or corporation; and the
>data elements listed in IV.3.a.ii, iii, and vi-ix above."   The
>referenced section IV.3.a states that the data elements to be submitted
>would include: 
>
>
>i. The name of the SLD being registered; 
>
>ii. The IP addresses of the primary nameserver and any secondary
>nameservers for the SLD; 
>
>iii. The corresponding names of those nameservers; 
>
>iv. The identity of the registrar; 
>
>v. The expiration date of the registration; 
>
>vi. The name and postal address of the SLD holder; 
>
>vii. The name, postal address, e-mail address, voice telephone number,
>and where available fax number of the technical contact for the SLD; 
>
>viii. The name, postal address, e-mail address, voice telephone number,
>and where available fax number of the administrative contact for the
>SLD; 
>
>ix. The name, postal address, e-mail address, voice telephone number,
>and where available fax number of the zone contact for the SLD; 
>
>x. Any remark concerning the registered SLD name that should appear in
>the Whois data.
>
>
>The use of the word "include" suggests that the list is not exclusive. 
>Nowhere do the guidelines implement the promise of the principles that
>"The information obtained from applicants for domain names should
>include only the data elements reasonably needed for the assignment and
>use of the name."  Unless it is made clear that these data elements are
>a ceiling, information maintained by registrars on their customers may
>include additional information.   
>
>
>It is noteworthy that the last paragraph of proposed Section IV.9.g.i
>of the ICANN guidelines would provide a mechanism for anonymous holding
>of SLDs through an entity (such as an ISP) that licenses SLDs to third
>parties wishing to remain anonymous.
>
>
>Privacy Concerns
>
>
>As both ICANN and WIPO recognize, demands for contact information will
>surely arise. A database containing names, street addresses, email
>addresses, and telephone numbers of domain name holders would be a
>valuable commodity for marketers, reporters, governments, and others.  
>Litigants with complaints not related to trademark infringement,
>businesses, reporters, and others can be expected to seek access to any
>DNS administrative database.  
>
>
>In addition to private third party uses, the proposed domain name
>database will be of great interest to -- and could be subject to misuse
>by -- government entities.  In connection with criminal
>investigations, governments may make demands on registrars or on the
>database for information about domain name holders and their
>activities.  For example, a government agency pursuing an investigation
>of a domain name holder for fraud might seek to obtain information
>without any notice to the domain name holder under investigation.  In
>other instances, a government might seek special access to the database
>in the name of national security.  Establishing rules to balance
>governmental interests against the other interests and values
>represented on the Internet will present a significant challenge. 
>Certain countries do not have legal standards limiting law enforcement
>access to personal data, and Internet users may be vulnerable to
>inappropriate searches in the guise of criminal or national security
>investigations. 
>
>
>The U.S. Postal Service address system provides an example of how
>personal contact information in a database can be used by third
>parties. The U.S. Postal Service used to offer a service that allowed
>anyone to obtain the new address of an individual who had filed a
>change of address order.  Investigators, attorneys, financial and
>insurance companies, businesses, and news organizations routinely used
>the system, often buying the entire database, often without the
>knowledge of postal customers.  In 1994, the Postal Service decided to
>limit the service to governments, to process servers, and when
>necessary to comply with a court order.  
>
>
>The Question of Standards
>
>Guidelines limiting the types of information to be collected must be
>established to prevent registrars or others in the DNS process from
>cultivating this valuable data resource for their own purposes. 
>Without standards for information collection, Internet users could be
>subjected to potentially inappropriate requests for information,
>including identification numbers, demographic information, and online
>usage information.  
>
>
>From our viewpoint, it is not clear that people have to sacrifice
>privacy in order to have a presence on the Internet.  For example, a
>registrar could offer to register names without collecting any
>personally-identifiable information.  The registrar could be obligated
>to suspend or cancel the name of a particular SLD holder in the event
>of trademark infringement or illegal conduct, but otherwise the system
>would allow very robust protection of anonymity, something that could
>be extremely important, for example, to those wishing to use the power
>of the Internet to criticize repressive regimes. 
>
>
>Secondly, users should not be forced to choose between anonymity and
>full exposure.  Establishing clear, restrictive rules can avoid the
>development of inappropriate uses of DNS database records. Setting
>standards for access to and disclosure of information can prevent
>potential secondary uses of the database from infringing upon the
>privacy of Internet users.
>
>
>So far, neither WIPO nor ICANN have developed adequate rules for
>privacy of information collection and use in the course of DNS
>administration.  While the ICANN draft guidelines state as a general
>principle that "registrars and other parties acquiring, storing and
>using such information should be bound by reasonable privacy
>principles," the draft ICANN guidelines fall far short of fair
>information practices.  The privacy provision in IV.8 states: 
>
>
>a. 	The registry administrator would provide each registrar with notice
>as to: 
>
>i.	The purposes for which data about any identified or identifiable
>natural person ("Personal Data") to be provided by the registrar are
>intended; 
>
>ii.	The recipients or categories of recipients of any Personal Data
>provided by the registrar; and 
>
>iii.	How any Personal Data provided by the registrar and maintained in
>the registry can be accessed and, if necessary, rectified. 
>
>b.	The registry administrator would, in the registrar/registry
>administrator contract, agree that the registry will not process any
>Personal Data provided by the registrar in a way incompatible with the
>purposes and other limitations about which it has provided notice to
>the registrar. 
>
>
>Thus, the guidelines state that any use of the data is permitted so
>long as notice is provided.  In a similar vein, the guidelines go on to
>require that domain name holders must consent to whatever data use and
>disclosure the registrar gives notice of: 
>
>
>ii.  The registrar would provide notice to each SLD holder-customer
>stating: 
>
>A. The purposes for which any data collected from the applicant about
>any identified or identifiable natural person ("Personal Data") are
>intended; 
>
>B. The intended recipients or categories of recipients of the data
>(including the registry administrator and others who will receive the
>data from the registry); 
>
>C. Which data are obligatory and which data, if any, are voluntary; and
>
>D. How the data subject can access and, if necessary, rectify the data
>held about them.
>
>
>iii. The SLD holder shall consent to the data processing referred to in
>section IV.9.g.ii. 
>
>
>The ICANN draft guidelines do not explicitly restrict registrars from
>using the data for purposes other than ensuring that domain names will
>resolve to the IP addresses of their host computers throughout the
>Internet.  To the contrary, the guidelines seem to endorse any use for
>which notice has been given: 
>
>
>v. The registrar shall agree that it will not process the Personal Data
>collected from the SLD holder in a way incompatible with the purposes
>and other limitations about which it has provided notice to the SLD
>holder in accordance with Section ii, above.
>
>
>The WIPO Interim Report notes that there are potential privacy concerns
>with open access to the proposed database: "In contrast to this call
>for the widespread availability of registration data, some other
>commentators were of the opinion that the extent to which, and the
>manner in which, any contact information is made available to third
>parties should be guided by privacy considerations."  The Interim
>Report proposes two alternative approaches: (1) an open, searchable
>database; and (2) a "filtered" database.  The report goes on to state
>that filtered access would work in one of two ways, in which a third
>party intermediary would handle requests for contact information. With
>a "filtered" database, designating a third party as an intermediary
>raises further privacy issues.   Who will be given this decision-making
>capability?  What will be their standards and procedures for permitting
>access?   The WIPO Interim Report calls for further discussion
>regarding access capabilities.  
>
>