Privacy Must Not Be Overlooked by ICANN, Stakeholders Say
PRAGUE -- Privacy took a center spot in the debate about new contracts between the Internet Corp. for Assigned Names and Numbers and domain name registrars. The so-called registrar accreditation agreement (RAA) has been on ICANN’s table for several years, with governments putting their feet down in Dakar in 2011 to require the integration of a set of recommendations from law enforcement agencies into the RAA. Members of the Noncommercial Users Constituency (NCUC) and of the board now urged that data protection officials be brought into the discussions.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
The verification and validation of Whois data for domains -- personal data of a domain name owner -- and a data retention obligation for communication data between ICANN registrars and their customers are unresolved topics in the discussion. The data retention provision would oblige registrars to store a list of communication and financial data of customers until two years after the respective user contract ended. ICANN Senior Vice President Kurt Pritz said the data retention obligation “is related to the privacy issue we discussed.” He said that ICANN staff has just discussed with law enforcement “making a survey of different privacy laws."
Michele Neylon, CEO of Irish registrar Blacknight, heavily criticized ICANN for not starting this much earlier. “The registrars have asked to bring in data protection officials,” said Volker Greimann, legal counsel of German registrar Key-Systems and secretary of ICANN’s Registrar Constituency. Greimann, a member of the negotiating team, said “some of the current proposals cannot be implemented, for example, by German or French registrars.”
"If ICANN is to beef up its support for law enforcement, it must broaden its definition of what it considers ‘law enforcement,'” said Robin Gross, president of IP Justice and head of the NCUC. “Not only should police and military organizations be consulted under the label of ‘law enforcement,’ but also national privacy commissioners or other privacy officials that exist on a local, national or international level,” she said during a session with the board. With privacy being addressed in the U.S. by stakeholders in a process the administration is part of, there should be a rule that “ICANN should never talk to a law enforcement agent unless they are at least virtually handcuffed to their data protection and privacy equivalent from the respective country,” NCUC member Avri Doria said.
Governments argued they or the law enforcement participants in ICANN did consult with privacy authorities at home. “I do not come here as an advocate for law enforcement only; I come here with an Australian government position,” the Australian Governmental Advisory Committee (GAC) representative said. “You can be sure, that from a GAC point of view or certainly from my point of view, that in my positions these issues have been balanced.”
Suzanne Radell, senior policy adviser in NTIA’s Office of International Affairs, warned against a “misapprehension that seems to be developing that we are going in one direction only, without respecting the balancing act,” and “a sense that our law enforcement colleagues routinely ignore privacy laws.” That was not the case, she said. Radell, together with her European Commission colleague Andrea Glorioso, said she welcomed written questions on the privacy issues and was prepared to facilitate the exchange with privacy officials. Privacy was an extremely important part of the negotiations, “and we as public authorities do not take sides,” Glorioso said. “Our job is when we are requested to ensure we can provide the information that is needed.”
The registrars are also pointing to cost issues. Greimann said the registrars have already offered to verify domain customers by email, text or a phone number, but law enforcement and ICANN wanted all three. Domains should resolve and be ready for use only after completed verification. Pritz said that would mean that domain owners could only use their newly acquired names after three to five days. This was the time the China Internet Network Information Center needed for the verification process, Pritz acknowledged: “The Whois validation steps requested by law enforcement, if inserted into the RAA, would change substantially current practice for registrants [of] domain names and their costs.”
ICANN Chairman Steve Crocker said what might be helpful in the discussion was additional information from both sides about the benefits and deficiencies in order to allow “evidence-based decision making.” While ICANN hoped to have a draft of the agreement for the next ICANN meeting in Toronto, it’s unclear if the outstanding issues can be resolved. Registrars propose to go ahead with an agreement on the much longer list of resolved issues and leave the hot topics for a policy development process. Law enforcement is still is pushing for a complete package.