[NCSG-PC] EPDP policy issues

[Stephanie E Perrin]

Dear Noncommercials,

I am one of your 6 representatives on the EPDP.  I have also been on the 
RDS working group, am currently serving on the GNSO Council, the EPDP 
IRT and the PPSAI IRT.  I served on the PPSAI (Privacy Proxy Services 
Accreditation Issues, 
https://gnso.icann.org/en/group-activities/active/ppsai ) pdp back in 
2013-2016 , where this issue on whether or not registrants should have 
to identify themselves as individuals or businesses (we were not 
actually using the term "legal persons" at the time, because ICANN was 
ignoring the GDPR and this is a term that is more commonly used in 
Europe than elsewhere).  I came to ICANN in 2013 to serve on the Experts 
Working Group (EWG) that was examining the RDS registry with a view to 
expanding it.  (final report 
https://www.icann.org/resources/pages/gtld-directory-services-2013-02-14-en)

I also have been working not exclusively but predominantly, on privacy 
and access to information issues since 1984.  I am not a lawyer, just a 
policy wonk and researcher.  As someone who has been fighting 
vociferously within government and outside government in the private 
sector about surveillance and human rights, I bristle somewhat at my 
worthy colleague describing me as naive, however that is neither here 
nor there.  Lets focus on the issues at stake.  First let me correct 
Milton's description of my position.

At no time have I ever suggested that it would be acceptable for 
registrars to overrule my designation of myself as a natural person, or 
in the case of a legal person, a statement that the contact data of 
employees needs to be protected because it contains personal data. 
Never.  However, as we all know or should know, busy entrepreneurs will 
take short cuts and avoid spending money.....there is strong pressure to 
push organizations to self identify as legal persons, and publish their 
data.  It is my position that this is a residue of the old WHOIS 
thinking that is a policy position which has no merit as a policy, in 
that we have seen no evidence that the stability of the DNS has been 
hampered by somewhat blanket protection of the registrant data.  In 
fact, the contracted parties have stated that abuse has gone down, 
possibly because there is less personal data being published.  So to 
push all data of legal persons into a published registry is neither 
necessary or sound policy.

Now lets talk about how difficult it is to differentiate between legal 
persons and individuals.Milton makes it sound easy, but as Farzi pointed 
out in her helpful intervention, not all jurisdictions use or recognize 
the term. Not all registrants are legally trained, familiar with data 
protection risks, are comfortable operating in the english language, or 
understand the DNS and its registration processes.  This does not mean 
they are not "smart" [or that I am labelling them as such] it simply 
recognizes that to most people, a domain is not a familiar term, they 
want a website and they will talk to their local services provider or 
web builder or any of a hundred other entrepreneurs to get their website 
up and with it the domain name they need or want.  For the organizations 
that we in NCSG represent, namely the non-commercials, that goes 
double.  One of the charities that I volunteer as privacy officer for is 
itself a corporation, and not a small one at that, but the local 
websites that have been set up to raise funds or promote activities, 
from finding funding and housing for refugees, to raising money for soup 
kitchens, homeless shelters, promoting free lunches, reaching out to 
victims of domestic violence....do I need to go on?  Those are not 
technically registered by the corporation, they are registered by 
individuals, and those folks as volunteers in the organization may be 
long gone....remember that once a registration is on auto-renewal, 
somebody keeps paying the bill but especially in our sector, it could be 
quite vague who that is, where they are, and what there status in the 
organization is.  Remember that domain names are cheap, this kind of 
payment could be coming out of petty cash or a donor's pocket.

So if I, a privacy professional who has 37 years of experience would 
have to consult the corporate lawyers to figure out the precise status 
of these registrations, after 8 years at ICANN working on this stuff and 
writing a doctoral dissertation on it while doing so, how on earth is 
the poor soul who is getting the cross examination from the 
registrar/reseller/other contracted party going to get it right?  Sure, 
Procter and Gamble, Nike, the large corporations and NGOS know who they 
are and how they registrar.  Those we represent may not.

I would also like to say a few words on the sadly under-represented 
small businesses and sole entrepreneurs of the world.  We live in a gig 
economy.  Even without COVID and lockdowns, more and more individuals 
are working for themselves. Many privacy laws protect employees, and 
recognize their rights, but that usually does not extend to 
contractors.  Many companies now are forcing their employees into 
"contractor" status, often to avoid paying benefits, health and safety 
liability or whatever. Those who are following the court cases 
surrounding Uber drivers will know that this issue is interpreted 
differently in different jurisdictions.  The GDPR recognizes the privacy 
rights of employees.  A good question to ask, is whether employees 
understand their own privacy rights.  Most don't, in my experience, and 
I make a living doing privacy training among other things.

The policy we are developing must address the privacy rights of 
employees of legal persons, and other persons employed by those entities 
in certain cases.  The GDPR applies to personal information.  The rather 
sparse statement that it does not apply to legal persons is not 
particularly helpful in actually parsing the data in a DNS 
registration.  So the guidance we are working on has to guide 
individuals to the point where they can knowledgeably attest to one of 
the following statements:

1) that they are an individual, and if they choose to publish their 
personal information they are doing so in full knowledge of the risks 
and what will happen to their data

2) that they are responsible for a legal person's registrations, and 
that they can attest to the fact that no personal information is being 
disclosed in the registration. Given how frequently employees change 
roles over time, and the fact that registrations tend to auto-renew, I 
have grave concerns that this is where personal info is going to seep 
back into the records without the knowledge or attention of the original 
registrant who filled out the forms.  Remember the trends to working 
from home, sometimes on owned equipment or wifi.

I believe that if the contracted parties, who are the data controllers 
in this situation and therefore own the risk and the liability attendant 
with this decision, have to do this verification or trust the decision 
of the registrant, we will see either rising costs of domain names (if 
they do it right) or the same kind of opt-in situation we see throughout 
the world now, where people opt in to things without understanding their 
risk. We in the legal subcommittee fired off a couple of questions to 
Bird and Bird, our outside counsel, on how the contracted parties could 
reduce their risk in this situation, and indeed they have provided 
advice on that.  (see the summary text prepared by staff 
https://docs.google.com/document/d/1whCpXHm3UPmJ-IDSbliveSkwxL679x2U/edit#heading=h.gjdgxs, 
but I recommend reading the actual advice from Bird and Bird).

Milton has taken a strong position that the Registrars or other 
contracted parties should not be permitted to overrule the designation 
of a registrant.  He calls it a slippery slope.  I maintain that if the 
contracted parties feel there might be an error in the designation of 
"legal person" they should err on the side of caution and protect their 
customer's data.  I cannot see a slippery slope there.  Nor have I seen 
evidence brought forward that their will be harm to the security and 
stability of the DNS, just the usual wailing and gnashing of teeth 
without stats to back it up.  Let us therefore err on the side of 
protecting registrants' data.

I fully agree that the risk in this situation is trivial when compared 
to what is happening to our social media habit tracking, our political 
choices, our health records, biometric recognition systems etc etc.  
However, remember that we represent those who want websites for 
political speech, for the exercise of human rights, for the development 
of underprivileged persons in an increasingly unbalanced world.....those 
people deserve our vigilance.  There is no reason to publish that 
information, if there is a valid reason to ask for it, the request can 
go through the SSAD system we are supposed to be building, and the third 
party wanting the info will get it within 3 business days.  If it is 
life or death, either the domain will cease to work as a result of 
takedown, or the request will be expedited.  There is no need to 
compromise, and while I understand Milton's desire to compromise, I see 
absolutely no need to do so here.  This fight is not going to end, there 
will be further pressure to harmonize, make decisions automatic, 
geo-locate, you name it, we have fought about these issues endlessly and 
I for one do not thing it is going to stop until the full WHOIS is back 
up the way it was for the first 18 years or so in the life of ICANN.

I am happy to answer any questions, or discuss this matter. Thanks to 
those few of you who read this.

Kind regards, Stephanie Perrin



On 2021-04-24 5:44 p.m., Mueller, Milton L wrote:
>
> Dear Noncommercials,
>
> I am one of your representatives of the EPDP, and ICANN working group 
> that is trying to bring ICANN’s Whois policy into compliance with 
> privacy principles.
>
> Just yesterday we received this statement from the current chair of 
> the group, Keith Drazek:
>
> The EPDP Team is a representative group – you have all been appointed 
> by your respective groups to represent them in this effort. As a 
> result, any proposals and interventions you make are expected to be on 
> behalf of your group. We understand that this requires significant 
> coordination which is not always possible in real-time but it is 
> important that we do not find ourselves in a situation where a 
> specific proposal or suggestion is debated to then find that other 
> members of the same group do not stand behind the proposal or suggestion.
>
> I suspect Keith found it necessary to say this because lately another 
> NCSG representative on the EPDP, Stephanie, and I have been openly 
> disagreeing. Let me explain what the disagreement is about. We will 
> have to appeal to the Policy Committee, and the membership, to help 
> resolve it.
>
> Privacy protections under the GDPR only apply to natural persons, that 
> is to say living breathing humans, not to legal persons, i.e. 
> corporations or companies. And in most cases, we do not mind if 
> company data is published in their domain record. In many cases it can 
> even help with economic and legal accountability. However, we both 
> recognize that there is a large gray area of small companies or home 
> offices where the line between personal and legal is thin, blurry or 
> nonexistent. A registrant that is formally a legal person may want the 
> privacy protection of a natural person.
>
> One of the issues we are dealing with in Phase 2 is whether and how 
> registrars  should differentiate between those two types of 
> registrants. Under the current Phase 1 agreement, contracted parties 
> are not required to differentiate between registrants who are legal or 
> natural persons, but they can do so if they wish to. I believe both 
> Stephanie and I (and the contracted parties) agree on NOT requiring 
> them to differentiate.
>
> But if registrars DO choose to differentiate, we have to worry about 
> HOW they do it. Currently, the EPDP is working on a guidance document 
> that will set out ways to do it. I want to make sure that the guidance 
> protects the rights of registrants.
>
> My position is that registrants should be given a clear choice to 
> self-designate as a legal person or not. When given that choice, they 
> must be clearly told that their data will be published, and if they 
> don’t want the data published, they should not self-designate as a 
> legal person. Under my view, the registrant, and the registrant alone, 
> should decide for themselves whether to declare as legal person or not.
>
> Stephanie’s position is that registrants are not smart enough to make 
> this choice for themselves. Worse, her belief that registrants cannot 
> look out for their own interests makes her in favor of the idea that 
> REGISTRARS should be able to make the choice for them. In other words, 
> a commercial registrar, based on their own information about you, 
> could decide that you are registering a domain name on behalf of a 
> company and classify you as a legal person without your participation 
> or consent.
>
> In my view, this is a very bad idea, even a dangerous one. It makes 
> the registrar responsible for verifying certain aspects of your 
> identity. We already know that those who want more surveillance and 
> control of registrants want registrars to be more restrictive and take 
> on a bigger role vetting who is registering domains. This idea is also 
> very bad for the registrars, because if a registrar is making the 
> decision about whether you are a legal or natural person, then the 
> registrar will be legally liable for the decision. Further down the 
> road, those who want a more restrictive internet will love the 
> precedent set, they will ask the registrars to do more and more to vet 
> and regulate their customers.
>
> I believe that Stephanie has good motives for her position; as I 
> understand it she thinks that if registrars have this ability to 
> decide for the registrant, they will err on the side of 
> non-disclosure. But this is very naïve. Yes, some of the registrars we 
> are dealing with in EPDP are sincere supporters of their customers 
> privacy. But others are not. Further, Stephanie is forgetting about 
> the fact that many registrars are operating in authoritarian countries 
> where individual rights are not respected. I am also deeply troubled 
> by a position that registrants are children who cannot take care of 
> themselves. I think Stephanie’s position is also motivated by the view 
> that we are better off if there is no differentiation at all. This may 
> be true, but it is unrealistic. The default policy, ALREADY, is that 
> registrars will be able to differentiate if they want to. I am trying 
> to plan for the possibility that many of them will want to. If they 
> do, we want registrants to be in control of their status, not 
> registrars or any other third party allegedly acting on their behalf.
>
> My hope is that the membership and the PC will resolve this issue in 
> favor of the “registrant in control” position.
>
> Sorry for the long message
>
> Dr. Milton L Mueller
>
> Georgia Institute of Technology
>
> School of Public Policy
>
> IGP_logo_gold block
>
>
> _______________________________________________
> NCSG-PC mailing list
> NCSG-PC at lists.ncsg.is
> https://lists.ncsg.is/mailman/listinfo/ncsg-pc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncsg.is/pipermail/ncsg-pc/attachments/20210425/36271076/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 16925 bytes
Desc: not available
URL: <http://lists.ncsg.is/pipermail/ncsg-pc/attachments/20210425/36271076/attachment.png>