[Rt4-whois] WHOIS Public Comments - for your review [SEC=UNCLASSIFIED]

Kim G. von Arx kim at vonarx.ca
Wed Mar 2 02:57:30 UTC 2011 

Peter et al, 

Thank you for your very thorough and valuable points. Since I am not sure whether I will be able to make the call tonight, I thought I should send my responses now and that will also give everyone at least some time to mull over them.  Generally, I certainly understand your concerns and attempt to be as inclusive as possible and that is, quite often, one of the most difficult issues in legal drafting.  As I am sure everyone has seen in some contract or another a definition which seems to be quite clear and it even lists some definitive examples, but then there is all of a sudden a sub-clause that is the "catch-all" phrase which basically says "and everything else that could possibly be included".  The problem with those kind of approaches is that it makes legal documents and legislation virtually impossible to interpret accurately and effectively and the courts have to parse the "intent" from external sources, i.e, outside the four corners of the contract or statute.  Therefore, I am a strong proponent of clear and, if possible, closely defined terms, definitions, etc.  The reason for that is that it is always easier to give more down the road than to take away.  With respect to "law enforcement" and applicable law" I think that your broader definitions are a little bit too broad for the purpose that the AOC statement puts forth: 

“ICANN additionally commits to enforcing its existing policy relating to WHOIS, subject to applicable laws. Such existing policy requires that ICANN implement measures to maintain timely, unrestricted and public access to accurate and complete WHOIS information, including registrant, technical, billing, and administrative contact information. One year from the effective date of this document and then no less frequently than every three years thereafter, ICANN will organize a review of WHOIS policy and its implementation to assess the extent to which WHOIS policy is effective and its implementation meets the legitimate needs of law enforcement and promotes consumer trust.” 

I feel that your definitions are more encompassing than is required for the purpose of the definition, i.e., in relation to WHOIS only.  

I have provided my specific comments to your points below:

>  
> Law enforcement
>  
> As noted in my earlier email, I have some reservations about the law enforcement definition that has been proposed. I think I understand what is intended and why some of the caveats have been included, but from my perspective I think a simpler formulation would achieve the same result with less ambiguity and sensitivity.
>  
> As such I propose the following, based on earlier definitions circulated by the sub-group:
>  
> “Law Enforcement shall be considered to be an organisation endorsed by a government and whose responsibilities include the maintenance, co-ordination, or enforcement of laws, multi-national treaty or other legal obligations.”
>  
=> "endorsed" is a fairly ambiguous term and can be interpreted too broadly.  Indeed, certain IP constituencies here in Canada are "endorsed" by the government, but, by no means, I would argue should be considered "law enforcement".  Also, for example, chartered banks are "endorsed" by government, but I don't think anyone would suggest that they should also be included in "law enforcement".  All of the aforementioned is not fettered by the second part of the definition, i.e,. "whose responsibility include..." etc.  since either of the examples I raised do, maintain, co-ordinate, etc. some laws of some sort.  

> My reasoning is below:
>  
> ·       The exclusive list of ‘department, division...’ etc appears to be unnecessary, and risks excluding a legitimate law enforcement organisation. Reference to an organisation appears to achieve the same goal.

=> just the reference to an "organization" does not result in the same meaning and is significantly broader especially with the word following it - "endorsed".

> ·       I do not understand what is meant by ‘part and parcel’. In my view, reference to an organisation ‘endorsed’ by a government (noting that it must have specific and legitimate legal responsibilities) is sufficient and clearer.

=> the part and parcel was meant to convey that it has to be part of a government and cannot be just an entity which is, e.g., an IP constituency or a bank some of which are "organizations" and are "endorsed" by governments. 

> ·       I suggest that the reference to ‘responsibilities’ should be inclusive, as a legitimate law enforcement organisation may have other responsibilities (e.g. advising government t on the effectiveness of laws etc).

=> the "maintenance, co-ordination" covers the aspect of the example you raised.  Indeed, I would argue that you cannot maintain and co-ordinate anything unless you have some metrics against which you measure your success in maintaining and co-ordinating.  However, the advising responsibilities with respect to policy changes (which then eventually may lead to revised laws) are not.  

> ·       I understand the reference to ‘regulations’, but think that it should be broader (in Australia, regulation has a particular meaning and is only one type of ‘legislative instrument’, all of which have the force of law). I propose that we use ‘other legal obligations’ instead, as a broader formulation.

=> the addition of "other legal obligations" makes the entire definition fairly obsolete because with the other changes proposed, the pool of "actual" law enforcement (based on the revised definition) is exceptionally broad and I believe that that opens the door for exactly the kind of organizations we intended to exclude.  I agree with your point that regarding regulations as they do also have a specific meaning here in Canada.  In essence, regulations are attached to statutes as the "operating" part of a statute.  To be more inclusive, we should also include directives, ordinances, by-laws, etc.  In light of that, I would propose that we change that part of the definition to simply refer to "laws or multi-national treaty obligations" or simply "government imposed legal obligations".  

> ·       I do not think the references to boundaries are necessary, and raise sensitive geo-political issues beyond the remit of the review team.

=> I would argue that it is actually quite important.  While I understand your concerns, but there are numerous countries which have and still are using their "long arm jurisdiction" to influence the behavior of people outside their respective jurisdictional boundaries.   

>  
> Applicable laws
>  
> With regard to applicable laws, I think the definition does a good job of covering the field of possible laws that regulate personal data.
>  
> However, I note that the relevant sentence in the AoC refers to an obligation on ICANN to enforce its WHOIS policies (without caveats). Without specific advice from ICANN on what it considers the relevant laws to be, I propose a simple change to the proposed definition to make it inclusive rather than exclusive. In this way, if ICANN decides that the contract/commercial law of a country  is relevant to its ability to enforce a contract obligation, then we haven’t inadvertently excluded this.
>  
> I also have concerns about the phrase ‘internationally recognised legal norms’, as agreement about what an internationally recognised legal norm is would appear to be beyond the scope of the review team. I have tried to simplify the definition accordingly:
>  
> “Includes any and all local and national laws that regulate and/or control the collection, use, access, and disclosure of personally identifiable information. It may also include other relevant legal obligations or treaties.”
>  

=> I do believe that the reference to the human rights norms etc. is an important one and as such I don't think it should be deleted.  With respect to "other relevant legal obligations or treaties", I think that makes the definition to broad and as such defeats the purpose of defining the term "applicable law".  I do understand your point about trying to make it more inclusive, but we, as the sub-team, were of the view that when you boil all of the aspects of the WHOIS down to its core, the issues at hand are: collection, use, access, disclosure, and destruction of personally identifiable information.  All the other issues, such as torts, contract, ip, etc. laws are laws which provide for limits and exceptions to the general tenant of the collection, use, access, disclosure, and destruction of personally identifiable information.  We are not talking about "legitimate uses" in this definition, but are simply stating that  the core applicable law is founded in the administration, within a government, of the collection, use, access, disclosure, and destruction of personally identifiable information.  Each privacy law and the EU or the UN data/privacy protection regime carve out numerous exceptions.  Therefore, the other laws, uses, etc. are by reference included in this definition through the respective privacy and data protection regimes in each country.  

I hope my rambling made some sense.  Again thank you for your comments and I think this discussion is a very beneficial one for all of us because it leads us to a clearer and, eventually, mutual understanding of all the issues involved in this review which, in turn will provide us withe hymnbook from which we all can sing.  

Kim










-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mm.icann.org/pipermail/rt4-whois/attachments/20110301/f182d53d/attachment.html

More information about the Rt4-whois mailing list