[NCSG-PC] Fwd: [NCSG-Discuss] Comments on the Whois compliance models

[Rafik Dammak]

Hi all,

We got a comment for the GDPR compliance model. The deadline for submission
ins the 29th Jan, which is the coming monday. We need act quickly within
this weekend .

Best,

Rafik

---------- Forwarded message ----------
From: "Mueller, Milton L" <milton at gatech.edu>
Date: Jan 26, 2018 6:05 PM
Subject: [NCSG-Discuss] Comments on the Whois compliance models
To: <NCSG-DISCUSS at listserv.syr.edu>
Cc:

I offer the following as a first draft of the NCSG position on the 12
January 2018 call for comments released by ICANN org.



Principles

Our evaluation of the models offered by ICANN are based on three
fundamental principles. No model that fails to conform to all three is
acceptable to the NCSG.



1. The purpose of whois must be strictly tied to ICANN's mission. That is,
the data that is collected and the data that are published must directly
and demonstrably contribute to ICANN's mission as defined in Article 1 of
its new bylaws. We reject any definition of Whois purpose that is based on
the way people happen to make use of data that can be accessed
indiscriminately in a public directory. The fact that certain people
currently use Whois for any purpose does not mean that the purpose of Whois
is to provide thick data about the domain and its registrant to anyone who
wants it for any reason.



2. Whois service, like the DNS itself, should be globally uniform and not
vary by jurisdiction. ICANN was created to provide globalized governance of
the DNS so that it would continue to be globally compatible and
coordinated. Any solution that involves fragmenting the policies and
practices of Whois along jurisdictional lines is not desirable.



3. No tiered access solution that involves establishing new criteria for
access can feasibly be created in the next 3 months. We would strongly
resist throwing the community into a hopeless rush to come up with entirely
new policies, standards and practices involving tiered access to data, and
we do not want ICANN staff to invent a policy that is not subject to
community review and approval.



Based on these three principles, we believe that Model 3 is the only viable
option available. Model 3 minimizes the data publicly displayed to that
which is required for maintaining the stability, security and resiliency of
the DNS. Model 3 could be applied across the board, and would be
presumptively legal regardless of which jurisdiction the registrar,
registry or registrant are in. And Model 3 relies on established legal due
process for gaining access to additional information.



There is room for discussion about how much data could be publicly
displayed under Model 3 consistent with ICANN's mission. E.g., it may be
within ICANN's mission to include additional data in the public record,
such as an email address for the technical contact and even possibly the
name of the registrant.



The process of gaining access to additional data in Model 1 is completely
unacceptable. Self-certification by any third party requestor is, we
believe, not compliant with GDPR nor does is such access justified by the
purpose of Whois or ICANN's mission.



Model 2 might possibly be acceptable if an suitable set of criteria and
processes were devised, but it simply is not feasible for such a
certification program to be developed in 3 months. A certification program
thrown together in a rush poses huge risks for loopholes, poor procedures,
and a legal challenge to ICANN, either from DPAs or from individuals
affected.



Dr. Milton L. Mueller

Professor, School of Public Policy

Georgia Institute of Technology
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncsg.is/pipermail/ncsg-pc/attachments/20180128/f6731de5/attachment.htm>