<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><base href="x-msg://707/"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.apple-style-span
{mso-style-name:apple-style-span;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-AU link=blue vlink=purple style='word-wrap: break-word;-webkit-nbsp-mode: space;-webkit-line-break: after-white-space'><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi Kim,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks for your comprehensive reply. I agree that this is a useful discussion for the review team as a whole, and wanted to follow up your points further.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>At the risk of losing the thread of the conversation, I have inserted my comments into your email below. In case my formatting efforts to make the new text clear fail, I have put a ‘P:’ in from of each of my comments – I hope this makes sense when you read the below.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Kind regards,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Peter<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Kim G. von Arx [mailto:kim@vonarx.ca] <br><b>Sent:</b> Wednesday, 2 March 2011 1:57 PM<br><b>To:</b> Nettlefold, Peter<br><b>Cc:</b> rt4-whois@icann.org WHOIS<br><b>Subject:</b> Re: [Rt4-whois] WHOIS Public Comments - for your review [SEC=UNCLASSIFIED]<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Peter et al, <o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thank you for your very thorough and valuable points. Since I am not sure whether I will be able to make the call tonight, I thought I should send my responses now and that will also give everyone at least some time to mull over them. Generally, I certainly understand your concerns and attempt to be as inclusive as possible and that is, quite often, one of the most difficult issues in legal drafting. As I am sure everyone has seen in some contract or another a definition which seems to be quite clear and it even lists some definitive examples, but then there is all of a sudden a sub-clause that is the "catch-all" phrase which basically says "and everything else that could possibly be included". The problem with those kind of approaches is that it makes legal documents and legislation virtually impossible to interpret accurately and effectively and the courts have to parse the "intent" from external sources, i.e, outside the four corners of the contract or statute. Therefore, I am a strong proponent of clear and, if possible, closely defined terms, definitions, etc. <span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>P: I agree with your sentiments, and I am also an advocate for clarity. In this case, I had understood that we are trying to reach out to the community for input. As a result of that input, we may decide that our initial definitions are too broad, too narrow or even inappropriate. If we get some responses that we later decide are out of scope because our initial definitions were too broad, then I do not see a particular issue with that (if that were the case, then presumably we would have reasoned arguments to explain our position). I would be more concerned if someone with a legitimate interest did not interact with the review team as they felt excluded. If I have misunderstood this process, and we are offering final definitions designed to include and exclude stakeholders, and that these will form a pre-set basis for our final analysis and recommendations, then I think we need to have a different conversation. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal>The reason for that is that it is always easier to give more down the road than to take away. With respect to "law enforcement" and applicable law" I think that your broader definitions are a little bit too broad for the purpose that the AOC statement puts forth: <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>“ICANN additionally commits to enforcing its existing policy relating to WHOIS, subject to <b>applicable laws</b>. Such existing policy requires that ICANN implement measures to maintain timely, unrestricted and public access to accurate and complete WHOIS information, including registrant, technical, billing, and administrative contact information. One year from the effective date of this document and then no less frequently than every three years thereafter, ICANN will organize a review of WHOIS policy and its implementation to assess the extent to which WHOIS policy is effective and its implementation meets the legitimate needs of <b>law enforcement </b>and promotes consumer trust.” <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I feel that your definitions are more encompassing than is required for the purpose of the definition, i.e., in relation to WHOIS only. <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I have provided my specific comments to your points below:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p></div><div><p class=MsoNormal><u><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Law enforcement</span></u><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>As noted in my earlier email, I have some reservations about the law enforcement definition that has been proposed. I think I understand what is intended and why some of the caveats have been included, but from my perspective I think a simpler formulation would achieve the same result with less ambiguity and sensitivity.</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>As such I propose the following, based on earlier definitions circulated by the sub-group:</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div><div style='margin-left:36.0pt'><p class=MsoNormal><em><span style='font-style:normal'>“Law Enforcement shall be considered to be an organisation endorsed by a government and whose responsibilities include the maintenance, co-ordination, or enforcement of laws, multi-national treaty or other legal obligations.”</span></em><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal>=> "endorsed" is a fairly ambiguous term and can be interpreted too broadly. Indeed, certain IP constituencies here in Canada are "endorsed" by the government, but, by no means, I would argue should be considered "law enforcement". Also, for example, chartered banks are "endorsed" by government, but I don't think anyone would suggest that they should also be included in "law enforcement". All of the aforementioned is not fettered by the second part of the definition, i.e,. "whose responsibility include..." etc. since either of the examples I raised do, maintain, co-ordinate, etc. some laws of some sort. <o:p></o:p></p></div><p class=MsoNormal><br><span style='color:#1F497D'>P: Leaving aside the question of whether ‘part and parcel’ or ‘endorsed’ is clearer or more appropriate, I would respond directly to what I think your point is – i.e. the exclusion of some organisations. I would pose the following question: if a relevant government decided to endorse an organisation with responsibility for maintaining, co-ordinating or enforcing laws, is it really the place of this review team to argue that this is inappropriate? If so, on what basis?</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>My reasoning is below:</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div><div style='margin-left:18.0pt'><p class=MsoNormal style='text-indent:-18.0pt'><span style='font-size:11.0pt;font-family:Symbol'>·</span><span style='font-size:7.0pt'> <span class=apple-converted-space> </span></span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>The exclusive list of ‘department, division...’ etc appears to be unnecessary, and risks excluding a legitimate law enforcement organisation. Reference to an organisation appears to achieve the same goal.</span><o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>=> just the reference to an "organization" does not result in the same meaning and is significantly broader especially with the word following it - "endorsed".<o:p></o:p></p></div><p class=MsoNormal><br><span style='color:#1F497D'>P: I’m not wedded to the word ‘organisation’. I only offer it as an alternative to an exclusive list, which has an inherent risk of exclusion.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='margin-left:18.0pt'><p class=MsoNormal style='text-indent:-18.0pt'><span style='font-size:11.0pt;font-family:Symbol'>·</span><span style='font-size:7.0pt'> <span class=apple-converted-space> </span></span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>I do not understand what is meant by ‘part and parcel’. In my view, reference to an organisation ‘endorsed’ by a government (noting that it must have specific and legitimate legal responsibilities) is sufficient and clearer.</span><o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>=> the part and parcel was meant to convey that it has to be part of a government and cannot be just an entity which is, e.g., an IP constituency or a bank some of which are "organizations" and are "endorsed" by governments. <o:p></o:p></p></div><p class=MsoNormal><br><span style='color:#1F497D'>P: See above.<br><br></span><o:p></o:p></p><div><div style='margin-left:18.0pt'><p class=MsoNormal style='text-indent:-18.0pt'><span style='font-size:11.0pt;font-family:Symbol'>·</span><span style='font-size:7.0pt'> <span class=apple-converted-space> </span></span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>I suggest that the reference to ‘responsibilities’ should be inclusive, as a legitimate law enforcement organisation may have other responsibilities (e.g. advising government t on the effectiveness of laws etc).</span><o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>=> the "maintenance, co-ordination" covers the aspect of the example you raised. Indeed, I would argue that you cannot maintain and co-ordinate anything unless you have some metrics against which you measure your success in maintaining and co-ordinating. However, the advising responsibilities with respect to policy changes (which then eventually may lead to revised laws) are not. <o:p></o:p></p></div><p class=MsoNormal><br><span style='color:#1F497D'>P: I agree with your response to my example. My concern is that we exclude an agency that has a legitimate role in law enforcement because that is not its only function. So long as an organisation has such a legitimate role, I think it should be included.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='margin-left:18.0pt'><p class=MsoNormal style='text-indent:-18.0pt'><span style='font-size:11.0pt;font-family:Symbol'>·</span><span style='font-size:7.0pt'> <span class=apple-converted-space> </span></span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>I understand the reference to ‘regulations’, but think that it should be broader (in Australia, regulation has a particular meaning and is only one type of ‘legislative instrument’, all of which have the force of law). I propose that we use ‘other legal obligations’ instead, as a broader formulation.</span><o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>=> the addition of "other legal obligations" makes the entire definition fairly obsolete because with the other changes proposed, the pool of "actual" law enforcement (based on the revised definition) is exceptionally broad and I believe that that opens the door for exactly the kind of organizations we intended to exclude. I agree with your point that regarding regulations as they do also have a specific meaning here in Canada. In essence, regulations are attached to statutes as the "operating" part of a statute. To be more inclusive, we should also include directives, ordinances, by-laws, etc. In light of that, I would propose that we change that part of the definition to simply refer to "laws or multi-national treaty obligations" or simply "government imposed legal obligations". <o:p></o:p></p></div><p class=MsoNormal><br><span style='color:#1F497D'>P: I agree. I had a similar discussion with stakeholders, but we could not think of an alternative that worked. You’ve provided one, and so I’d support your formulation of ‘government imposed legal obligations’.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='margin-left:18.0pt'><p class=MsoNormal style='text-indent:-18.0pt'><span style='font-size:11.0pt;font-family:Symbol'>·</span><span style='font-size:7.0pt'> <span class=apple-converted-space> </span></span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>I do not think the references to boundaries are necessary, and raise sensitive geo-political issues beyond the remit of the review team.</span><o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>=> I would argue that it is actually quite important. While I understand your concerns, but there are numerous countries which have and still are using their "long arm jurisdiction" to influence the behavior of people outside their respective jurisdictional boundaries. <o:p></o:p></p></div><div><p class=MsoNormal><br><span style='color:#1F497D'>P: I have to disagree. It seems to me to be sensitive territory, and I don’t understand what would be gained by the review team focusing on this.</span><o:p></o:p></p><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div><div><p class=MsoNormal><u><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Applicable laws</span></u><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>With regard to applicable laws, I think the definition does a good job of covering the field of possible laws that regulate personal data.</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>However, I note that the relevant sentence in the AoC refers to an obligation on ICANN to enforce its WHOIS policies (without caveats). Without specific advice from ICANN on what it considers the relevant laws to be, I propose a simple change to the proposed definition to make it inclusive rather than exclusive. In this way, if ICANN decides that the contract/commercial law of a country is relevant to its ability to enforce a contract obligation, then we haven’t inadvertently excluded this.</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>I also have concerns about the phrase ‘internationally recognised legal norms’, as agreement about what an internationally recognised legal norm is would appear to be beyond the scope of the review team. I have tried to simplify the definition accordingly:</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div><div style='margin-left:36.0pt'><p class=MsoNormal>“Includes any and all local and national laws that regulate and/or control the collection, use, access, and disclosure of personally identifiable information. It may also include other relevant legal obligations or treaties.”<o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>=> I do believe that the reference to the human rights norms etc. is an important one and as such I don't think it should be deleted. <span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>P: No argument from me that human rights are important. What I do question is what is meant by an ‘internationally recognised legal norm’?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal>With respect to "other relevant legal obligations or treaties", I think that makes the definition to broad and as such defeats the purpose of defining the term "applicable law". I do understand your point about trying to make it more inclusive, but we, as the sub-team, were of the view that when you boil all of the aspects of the WHOIS down to its core, the issues at hand are: collection, use, access, disclosure, and destruction of personally identifiable information. All the other issues, such as torts, contract, ip, etc. laws are laws which provide for limits and exceptions to the general tenant of the collection, use, access, disclosure, and destruction of personally identifiable information. We are not talking about "legitimate uses" in this definition, but are simply stating that the core applicable law is founded in the administration, within a government, of the collection, use, access, disclosure, and destruction of personally identifiable information. <span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>P: I agree, and disagree. The problem may be that I didn’t explain myself fully (although I accept that you may still disagree). My point is that ‘applicable laws’ is set out in the AoC differently to the parts that set out the scope for the review team. As such, it covers ‘applicable laws’ from ICANN’s perspective in ‘enforcing its existing policy’. I think we’ve all agreed that one way that ICANN implements and enforces its policies (even if they’re not the official ‘policy’ as such) is through its RAA and RRA contracts. The extent to which ICANN can enforce these is presumably subject to commercial/company/contract etc law. That is my point. I agree that it’s not directly related to the WHOIS data as such, but may be relevant to how effectively ICANN can implement and enforce its WHOIS policies.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal>Each privacy law and the EU or the UN data/privacy protection regime carve out numerous exceptions. Therefore, the other laws, uses, etc. are by reference included in this definition through the respective privacy and data protection regimes in each country. <o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I hope my rambling made some sense. Again thank you for your comments and I think this discussion is a very beneficial one for all of us because it leads us to a clearer and, eventually, mutual understanding of all the issues involved in this review which, in turn will provide us withe hymnbook from which we all can sing. <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Kim<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div></div>
<P><br/><B>-------------------------------------------------------------------------------</B><br/>
<p>The information transmitted is for the use of the intended recipient only and may contain confidential and/or legally privileged material. Any review, re-transmission, disclosure, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited and may result in severe penalties.</p>
</br>
<p>If you have received this e-mail in error please notify the Security Advisor of the Department of Broadband, Communications and the Digital Economy, 38 Sydney Ave, Forrest ACT 2603, telephone (02) 6271-1376 and delete all copies of this transmission together with any attachments.</p>
</br>
<p>Please consider the environment before printing this email.</p>
<br/><B>-------------------------------------------------------------------------------</B><br/>
</P></body></html>