[NCSG-PC] EPDP policy issues
Mueller, Milton L
milton at gatech.edu
Sun Apr 25 00:44:42 EEST 2021
Dear Noncommercials,
I am one of your representatives of the EPDP, and ICANN working group that is trying to bring ICANN's Whois policy into compliance with privacy principles.
Just yesterday we received this statement from the current chair of the group, Keith Drazek:
The EPDP Team is a representative group - you have all been appointed by your respective groups to represent them in this effort. As a result, any proposals and interventions you make are expected to be on behalf of your group. We understand that this requires significant coordination which is not always possible in real-time but it is important that we do not find ourselves in a situation where a specific proposal or suggestion is debated to then find that other members of the same group do not stand behind the proposal or suggestion.
I suspect Keith found it necessary to say this because lately another NCSG representative on the EPDP, Stephanie, and I have been openly disagreeing. Let me explain what the disagreement is about. We will have to appeal to the Policy Committee, and the membership, to help resolve it.
Privacy protections under the GDPR only apply to natural persons, that is to say living breathing humans, not to legal persons, i.e. corporations or companies. And in most cases, we do not mind if company data is published in their domain record. In many cases it can even help with economic and legal accountability. However, we both recognize that there is a large gray area of small companies or home offices where the line between personal and legal is thin, blurry or nonexistent. A registrant that is formally a legal person may want the privacy protection of a natural person.
One of the issues we are dealing with in Phase 2 is whether and how registrars should differentiate between those two types of registrants. Under the current Phase 1 agreement, contracted parties are not required to differentiate between registrants who are legal or natural persons, but they can do so if they wish to. I believe both Stephanie and I (and the contracted parties) agree on NOT requiring them to differentiate.
But if registrars DO choose to differentiate, we have to worry about HOW they do it. Currently, the EPDP is working on a guidance document that will set out ways to do it. I want to make sure that the guidance protects the rights of registrants.
My position is that registrants should be given a clear choice to self-designate as a legal person or not. When given that choice, they must be clearly told that their data will be published, and if they don't want the data published, they should not self-designate as a legal person. Under my view, the registrant, and the registrant alone, should decide for themselves whether to declare as legal person or not.
Stephanie's position is that registrants are not smart enough to make this choice for themselves. Worse, her belief that registrants cannot look out for their own interests makes her in favor of the idea that REGISTRARS should be able to make the choice for them. In other words, a commercial registrar, based on their own information about you, could decide that you are registering a domain name on behalf of a company and classify you as a legal person without your participation or consent.
In my view, this is a very bad idea, even a dangerous one. It makes the registrar responsible for verifying certain aspects of your identity. We already know that those who want more surveillance and control of registrants want registrars to be more restrictive and take on a bigger role vetting who is registering domains. This idea is also very bad for the registrars, because if a registrar is making the decision about whether you are a legal or natural person, then the registrar will be legally liable for the decision. Further down the road, those who want a more restrictive internet will love the precedent set, they will ask the registrars to do more and more to vet and regulate their customers.
I believe that Stephanie has good motives for her position; as I understand it she thinks that if registrars have this ability to decide for the registrant, they will err on the side of non-disclosure. But this is very naïve. Yes, some of the registrars we are dealing with in EPDP are sincere supporters of their customers privacy. But others are not. Further, Stephanie is forgetting about the fact that many registrars are operating in authoritarian countries where individual rights are not respected. I am also deeply troubled by a position that registrants are children who cannot take care of themselves. I think Stephanie's position is also motivated by the view that we are better off if there is no differentiation at all. This may be true, but it is unrealistic. The default policy, ALREADY, is that registrars will be able to differentiate if they want to. I am trying to plan for the possibility that many of them will want to. If they do, we want registrants to be in control of their status, not registrars or any other third party allegedly acting on their behalf.
My hope is that the membership and the PC will resolve this issue in favor of the "registrant in control" position.
Sorry for the long message
Dr. Milton L Mueller
Georgia Institute of Technology
School of Public Policy
[IGP_logo_gold block]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncsg.is/pipermail/ncsg-pc/attachments/20210424/37f282cd/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 16925 bytes
Desc: image002.png
URL: <http://lists.ncsg.is/pipermail/ncsg-pc/attachments/20210424/37f282cd/attachment.png>
More information about the NCSG-PC
mailing list