<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body>
<p>Dear Noncommercials, <br>
</p>
<p>I am one of your 6 representatives on the EPDP. I have also been
on the RDS working group, am currently serving on the GNSO
Council, the EPDP IRT and the PPSAI IRT. I served on the PPSAI
(Privacy Proxy Services Accreditation Issues,
<a class="moz-txt-link-freetext" href="https://gnso.icann.org/en/group-activities/active/ppsai">https://gnso.icann.org/en/group-activities/active/ppsai</a> ) pdp back
in 2013-2016 , where this issue on whether or not registrants
should have to identify themselves as individuals or businesses
(we were not actually using the term "legal persons" at the time,
because ICANN was ignoring the GDPR and this is a term that is
more commonly used in Europe than elsewhere). I came to ICANN in
2013 to serve on the Experts Working Group (EWG) that was
examining the RDS registry with a view to expanding it. (final
report
<a class="moz-txt-link-freetext" href="https://www.icann.org/resources/pages/gtld-directory-services-2013-02-14-en">https://www.icann.org/resources/pages/gtld-directory-services-2013-02-14-en</a>)<br>
</p>
<p>I also have been working not exclusively but predominantly, on
privacy and access to information issues since 1984. I am not a
lawyer, just a policy wonk and researcher. As someone who has
been fighting vociferously within government and outside
government in the private sector about surveillance and human
rights, I bristle somewhat at my worthy colleague describing me as
naive, however that is neither here nor there. Lets focus on the
issues at stake. First let me correct Milton's description of my
position.</p>
<p>At no time have I ever suggested that it would be acceptable for
registrars to overrule my designation of myself as a natural
person, or in the case of a legal person, a statement that the
contact data of employees needs to be protected because it
contains personal data. Never. However, as we all know or should
know, busy entrepreneurs will take short cuts and avoid spending
money.....there is strong pressure to push organizations to self
identify as legal persons, and publish their data. It is my
position that this is a residue of the old WHOIS thinking that is
a policy position which has no merit as a policy, in that we have
seen no evidence that the stability of the DNS has been hampered
by somewhat blanket protection of the registrant data. In fact,
the contracted parties have stated that abuse has gone down,
possibly because there is less personal data being published. So
to push all data of legal persons into a published registry is
neither necessary or sound policy.</p>
<p>Now lets talk about how difficult it is to differentiate between
legal persons and individuals.Milton makes it sound easy, but as
Farzi pointed out in her helpful intervention, not all
jurisdictions use or recognize the term. Not all registrants are
legally trained, familiar with data protection risks, are
comfortable operating in the english language, or understand the
DNS and its registration processes. This does not mean they are
not "smart" [or that I am labelling them as such] it simply
recognizes that to most people, a domain is not a familiar term,
they want a website and they will talk to their local services
provider or web builder or any of a hundred other entrepreneurs to
get their website up and with it the domain name they need or
want. For the organizations that we in NCSG represent, namely the
non-commercials, that goes double. One of the charities that I
volunteer as privacy officer for is itself a corporation, and not
a small one at that, but the local websites that have been set up
to raise funds or promote activities, from finding funding and
housing for refugees, to raising money for soup kitchens, homeless
shelters, promoting free lunches, reaching out to victims of
domestic violence....do I need to go on? Those are not
technically registered by the corporation, they are registered by
individuals, and those folks as volunteers in the organization may
be long gone....remember that once a registration is on
auto-renewal, somebody keeps paying the bill but especially in our
sector, it could be quite vague who that is, where they are, and
what there status in the organization is. Remember that domain
names are cheap, this kind of payment could be coming out of petty
cash or a donor's pocket.</p>
<p>So if I, a privacy professional who has 37 years of experience
would have to consult the corporate lawyers to figure out the
precise status of these registrations, after 8 years at ICANN
working on this stuff and writing a doctoral dissertation on it
while doing so, how on earth is the poor soul who is getting the
cross examination from the registrar/reseller/other contracted
party going to get it right? Sure, Procter and Gamble, Nike, the
large corporations and NGOS know who they are and how they
registrar. Those we represent may not.</p>
<p>I would also like to say a few words on the sadly
under-represented small businesses and sole entrepreneurs of the
world. We live in a gig economy. Even without COVID and
lockdowns, more and more individuals are working for themselves.
Many privacy laws protect employees, and recognize their rights,
but that usually does not extend to contractors. Many companies
now are forcing their employees into "contractor" status, often to
avoid paying benefits, health and safety liability or whatever.
Those who are following the court cases surrounding Uber drivers
will know that this issue is interpreted differently in different
jurisdictions. The GDPR recognizes the privacy rights of
employees. A good question to ask, is whether employees
understand their own privacy rights. Most don't, in my
experience, and I make a living doing privacy training among other
things.</p>
<p>The policy we are developing must address the privacy rights of
employees of legal persons, and other persons employed by those
entities in certain cases. The GDPR applies to personal
information. The rather sparse statement that it does not apply
to legal persons is not particularly helpful in actually parsing
the data in a DNS registration. So the guidance we are working on
has to guide individuals to the point where they can knowledgeably
attest to one of the following statements:</p>
<p>1) that they are an individual, and if they choose to publish
their personal information they are doing so in full knowledge of
the risks and what will happen to their data<br>
</p>
<p>2) that they are responsible for a legal person's registrations,
and that they can attest to the fact that no personal information
is being disclosed in the registration. Given how frequently
employees change roles over time, and the fact that registrations
tend to auto-renew, I have grave concerns that this is where
personal info is going to seep back into the records without the
knowledge or attention of the original registrant who filled out
the forms. Remember the trends to working from home, sometimes on
owned equipment or wifi.</p>
<p>I believe that if the contracted parties, who are the data
controllers in this situation and therefore own the risk and the
liability attendant with this decision, have to do this
verification or trust the decision of the registrant, we will see
either rising costs of domain names (if they do it right) or the
same kind of opt-in situation we see throughout the world now,
where people opt in to things without understanding their risk.
We in the legal subcommittee fired off a couple of questions to
Bird and Bird, our outside counsel, on how the contracted parties
could reduce their risk in this situation, and indeed they have
provided advice on that. (see the summary text prepared by staff
<a class="moz-txt-link-freetext" href="https://docs.google.com/document/d/1whCpXHm3UPmJ-IDSbliveSkwxL679x2U/edit#heading=h.gjdgxs">https://docs.google.com/document/d/1whCpXHm3UPmJ-IDSbliveSkwxL679x2U/edit#heading=h.gjdgxs</a>,
but I recommend reading the actual advice from Bird and Bird).</p>
<p>Milton has taken a strong position that the Registrars or other
contracted parties should not be permitted to overrule the
designation of a registrant. He calls it a slippery slope. I
maintain that if the contracted parties feel there might be an
error in the designation of "legal person" they should err on the
side of caution and protect their customer's data. I cannot see a
slippery slope there. Nor have I seen evidence brought forward
that their will be harm to the security and stability of the DNS,
just the usual wailing and gnashing of teeth without stats to back
it up. Let us therefore err on the side of protecting
registrants' data.<br>
</p>
<p>I fully agree that the risk in this situation is trivial when
compared to what is happening to our social media habit tracking,
our political choices, our health records, biometric recognition
systems etc etc. However, remember that we represent those who
want websites for political speech, for the exercise of human
rights, for the development of underprivileged persons in an
increasingly unbalanced world.....those people deserve our
vigilance. There is no reason to publish that information, if
there is a valid reason to ask for it, the request can go through
the SSAD system we are supposed to be building, and the third
party wanting the info will get it within 3 business days. If it
is life or death, either the domain will cease to work as a result
of takedown, or the request will be expedited. There is no need
to compromise, and while I understand Milton's desire to
compromise, I see absolutely no need to do so here. This fight is
not going to end, there will be further pressure to harmonize,
make decisions automatic, geo-locate, you name it, we have fought
about these issues endlessly and I for one do not thing it is
going to stop until the full WHOIS is back up the way it was for
the first 18 years or so in the life of ICANN.</p>
<p>I am happy to answer any questions, or discuss this matter.
Thanks to those few of you who read this.</p>
<p>Kind regards, Stephanie Perrin<br>
</p>
<p><br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 2021-04-24 5:44 p.m., Mueller,
Milton L wrote:<br>
</div>
<blockquote type="cite"
cite="mid:BN7PR07MB46894139FDFCD8F072347BD3A1449@BN7PR07MB4689.namprd07.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}div.WordSection1
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Dear Noncommercials,<o:p></o:p></p>
<p class="MsoNormal">I am one of your representatives of the
EPDP, and ICANN working group that is trying to bring ICANN’s
Whois policy into compliance with privacy principles.
<o:p></o:p></p>
<p class="MsoNormal">Just yesterday we received this statement
from the current chair of the group, Keith Drazek:<o:p></o:p></p>
<p
style="mso-margin-top-alt:5.0pt;margin-right:0in;margin-bottom:0in;margin-left:.25in;margin-bottom:.0001pt;text-indent:-.25in;vertical-align:baseline"><span
style="font-size:7.0pt"> </span><span
style="font-size:6.0pt;font-family:"Calibri",sans-serif">
</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">The
EPDP Team is a representative group – you have all been
appointed by your respective groups to represent them in
this effort. As a result, any proposals and interventions
you make are expected to be on behalf of your group. We
understand that this requires significant coordination which
is not always possible in real-time but it is important that
we do not find ourselves in a situation where a specific
proposal or suggestion is debated to then find that other
members of the same group do not stand behind the proposal
or suggestion. <o:p></o:p></span></p>
<p class="MsoNormal" style="-webkit-text-size-adjust: auto"><span
style="font-size:10.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal">I suspect Keith found it necessary to say
this because lately another NCSG representative on the EPDP,
Stephanie, and I have been openly disagreeing. Let me explain
what the disagreement is about. We will have to appeal to the
Policy Committee, and the membership, to help resolve it. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Privacy protections under the GDPR only
apply to natural persons, that is to say living breathing
humans, not to legal persons, i.e. corporations or companies.
And in most cases, we do not mind if company data is published
in their domain record. In many cases it can even help with
economic and legal accountability. However, we both recognize
that there is a large gray area of small companies or home
offices where the line between personal and legal is thin,
blurry or nonexistent. A registrant that is formally a legal
person may want the privacy protection of a natural person.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">One of the issues we are dealing with in
Phase 2 is whether and how registrars should differentiate
between those two types of registrants. Under the current
Phase 1 agreement, contracted parties are not required to
differentiate between registrants who are legal or natural
persons, but they can do so if they wish to. I believe both
Stephanie and I (and the contracted parties) agree on NOT
requiring them to differentiate.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">But if registrars DO choose to
differentiate, we have to worry about HOW they do it.
Currently, the EPDP is working on a guidance document that
will set out ways to do it. I want to make sure that the
guidance protects the rights of registrants.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">My position is that registrants should be
given a clear choice to self-designate as a legal person or
not. When given that choice, they must be clearly told that
their data will be published, and if they don’t want the data
published, they should not self-designate as a legal person.
Under my view, the registrant, and the registrant alone,
should decide for themselves whether to declare as legal
person or not.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Stephanie’s position is that registrants
are not smart enough to make this choice for themselves.
Worse, her belief that registrants cannot look out for their
own interests makes her in favor of the idea that REGISTRARS
should be able to make the choice for them. In other words, a
commercial registrar, based on their own information about
you, could decide that you are registering a domain name on
behalf of a company and classify you as a legal person without
your participation or consent.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In my view, this is a very bad idea, even a
dangerous one. It makes the registrar responsible for
verifying certain aspects of your identity. We already know
that those who want more surveillance and control of
registrants want registrars to be more restrictive and take on
a bigger role vetting who is registering domains. This idea is
also very bad for the registrars, because if a registrar is
making the decision about whether you are a legal or natural
person, then the registrar will be legally liable for the
decision. Further down the road, those who want a more
restrictive internet will love the precedent set, they will
ask the registrars to do more and more to vet and regulate
their customers.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I believe that Stephanie has good motives
for her position; as I understand it she thinks that if
registrars have this ability to decide for the registrant,
they will err on the side of non-disclosure. But this is very
naïve. Yes, some of the registrars we are dealing with in EPDP
are sincere supporters of their customers privacy. But others
are not. Further, Stephanie is forgetting about the fact that
many registrars are operating in authoritarian countries where
individual rights are not respected. I am also deeply troubled
by a position that registrants are children who cannot take
care of themselves. I think Stephanie’s position is also
motivated by the view that we are better off if there is no
differentiation at all. This may be true, but it is
unrealistic. The default policy, ALREADY, is that registrars
will be able to differentiate if they want to. I am trying to
plan for the possibility that many of them will want to. If
they do, we want registrants to be in control of their status,
not registrars or any other third party allegedly acting on
their behalf.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">My hope is that the membership and the PC
will resolve this issue in favor of the “registrant in
control” position.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Sorry for the long message<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Dr. Milton L Mueller<o:p></o:p></p>
<p class="MsoNormal">Georgia Institute of Technology<o:p></o:p></p>
<p class="MsoNormal">School of Public Policy<o:p></o:p></p>
<p class="MsoNormal"><img style="width:2.0416in;height:.8194in"
id="Picture_x0020_1"
src="cid:part1.FFE3D2AD.D513F022@digitaldiscretion.ca"
alt="IGP_logo_gold block" class="" width="196" height="79"><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
NCSG-PC mailing list
<a class="moz-txt-link-abbreviated" href="mailto:NCSG-PC@lists.ncsg.is">NCSG-PC@lists.ncsg.is</a>
<a class="moz-txt-link-freetext" href="https://lists.ncsg.is/mailman/listinfo/ncsg-pc">https://lists.ncsg.is/mailman/listinfo/ncsg-pc</a>
</pre>
</blockquote>
</body>
</html>