[Rt4-whois] WHOIS Public Comments - for your review [SEC=UNCLASSIFIED]

Nettlefold, Peter Peter.Nettlefold at dbcde.gov.au
Wed Mar 2 04:33:49 UTC 2011


Hi Kim,

Thanks for your comprehensive reply. I agree that this is a useful discussion for the review team as a whole, and wanted to follow up your points further.

At the risk of losing the thread of the conversation, I have inserted my comments into your email below. In case my formatting efforts to make the new text clear fail, I have put a 'P:' in front of each of my comments - I hope this makes sense when you read the below.

Kind regards,

Peter

From: Kim G. von Arx [mailto:kim at vonarx.ca]
Sent: Wednesday, 2 March 2011 1:57 PM
To: Nettlefold, Peter
Cc: rt4-whois at icann.org WHOIS
Subject: Re: [Rt4-whois] WHOIS Public Comments - for your review [SEC=UNCLASSIFIED]

Peter et al,

Thank you for your very thorough and valuable points. Since I am not sure whether I will be able to make the call tonight, I thought I should send my responses now and that will also give everyone at least some time to mull over them. Generally, I certainly understand your concerns and attempt to be as inclusive as possible and that is, quite often, one of the most difficult issues in legal drafting. As I am sure everyone has seen in some contract or another a definition which seems to be quite clear and it even lists some definitive examples, but then there is all of a sudden a sub-clause that is the "catch-all" phrase which basically says "and everything else that could possibly be included". The problem with those kinds of approaches is that it makes legal documents and legislation virtually impossible to interpret accurately and effectively and the courts have to parse the "intent" from external sources, i.e., outside the four corners of the contract or statute. Therefore, I am a strong proponent of clear and, if possible, closely defined terms, definitions, etc.

P: I agree with your sentiments, and I am also an advocate for clarity. In this case, I had understood that we are trying to reach out to the community for input. As a result of that input, we may decide that our initial definitions are too broad, too narrow or even inappropriate. If we get some responses that we later decide are out of scope because our initial definitions were too broad, then I do not see a particular issue with that (if that were the case, then presumably we would have reasoned arguments to explain our position). I would be more concerned if someone with a legitimate interest did not interact with the review team as they felt excluded. If I have misunderstood this process, and we are offering final definitions designed to include and exclude stakeholders, and that these will form a pre-set basis for our final analysis and recommendations, then I think we need to have a different conversation.

The reason for that is that it is always easier to give more down the road than to take away. With respect to "law enforcement" and "applicable law" I think that your broader definitions are a little bit too broad for the purpose that the AOC statement puts forth:

"ICANN additionally commits to enforcing its existing policy relating to WHOIS, subject to applicable laws. Such existing policy requires that ICANN implement measures to maintain timely, unrestricted and public access to accurate and complete WHOIS information, including registrant, technical, billing, and administrative contact information. One year from the effective date of this document and then no less frequently than every three years thereafter, ICANN will organize a review of WHOIS policy and its implementation to assess the extent to which WHOIS policy is effective and its implementation meets the legitimate needs of law enforcement and promotes consumer trust."

I feel that your definitions are more encompassing than is required for the purpose of the definition, i.e., in relation to WHOIS only.

I have provided my specific comments to your points below:


Law enforcement

As noted in my earlier email, I have some reservations about the law enforcement definition that has been proposed. I think I understand what is intended and why some of the caveats have been included, but from my perspective I think a simpler formulation would achieve the same result with less ambiguity and sensitivity.

As such I propose the following, based on earlier definitions circulated by the sub-group:

"Law Enforcement shall be considered to be an organisation endorsed by a government and whose responsibilities include the maintenance, co-ordination, or enforcement of laws, multi-national treaty or other legal obligations."

=> "endorsed" is a fairly ambiguous term and can be interpreted too broadly. Indeed, certain IP constituencies here in Canada are "endorsed" by the government, but, by no means, I would argue should be considered "law enforcement". Also, for example, chartered banks are "endorsed" by government, but I don't think anyone would suggest that they should also be included in "law enforcement". All of the aforementioned is not fettered by the second part of the definition, i.e., "whose responsibility include..." etc. since either of the examples I raised do maintain, co-ordinate, etc. some laws of some sort.

P: Leaving aside the question of whether 'part and parcel' or 'endorsed' is clearer or more appropriate, I would respond directly to what I think your point is - i.e. the exclusion of some organisations. I would pose the following question: if a relevant government decided to endorse an organisation with responsibility for maintaining, co-ordinating or enforcing laws, is it really the place of this review team to argue that this is inappropriate? If so, on what basis?

My reasoning is below:

*       The exclusive list of 'department, division...' etc appears to be unnecessary, and risks excluding a legitimate law enforcement organisation. Reference to an organisation appears to achieve the same goal.

=> just the reference to an "organization" does not result in the same meaning and is significantly broader especially with the word following it - "endorsed".

P: I'm not wedded to the word 'organisation'. I only offer it as an alternative to an exclusive list, which has an inherent risk of exclusion.

*       I do not understand what is meant by 'part and parcel'. In my view, reference to an organisation 'endorsed' by a government (noting that it must have specific and legitimate legal responsibilities) is sufficient and clearer.

=> the part and parcel was meant to convey that it has to be part of a government and cannot be just an entity which is, e.g., an IP constituency or a bank some of which are "organizations" and are "endorsed" by governments.

P: See above.

*       I suggest that the reference to 'responsibilities' should be inclusive, as a legitimate law enforcement organisation may have other responsibilities (e.g. advising government on the effectiveness of laws etc).

=> the "maintenance, co-ordination" covers the aspect of the example you raised.  Indeed, I would argue that you cannot maintain and co-ordinate anything unless you have some metrics against which you measure your success in maintaining and co-ordinating.  However, the advising responsibilities with respect to policy changes (which then eventually may lead to revised laws) are not.

P: I agree with your response to my example. My concern is that we exclude an agency that has a legitimate role in law enforcement because that is not its only function. So long as an organisation has such a legitimate role, I think it should be included.

*       I understand the reference to 'regulations', but think that it should be broader (in Australia, regulation has a particular meaning and is only one type of 'legislative instrument', all of which have the force of law). I propose that we use 'other legal obligations' instead, as a broader formulation.

=> the addition of "other legal obligations" makes the entire definition fairly obsolete because with the other changes proposed, the pool of "actual" law enforcement (based on the revised definition) is exceptionally broad and I believe that that opens the door for exactly the kind of organizations we intended to exclude. I agree with your point regarding regulations as they do also have a specific meaning here in Canada. In essence, regulations are attached to statutes as the "operating" part of a statute. To be more inclusive, we should also include directives, ordinances, by-laws, etc. In light of that, I would propose that we change that part of the definition to simply refer to "laws or multi-national treaty obligations" or simply "government imposed legal obligations".

P: I agree. I had a similar discussion with stakeholders, but we could not think of an alternative that worked. You've provided one, and so I'd support your formulation of 'government imposed legal obligations'.

*       I do not think the references to boundaries are necessary, and raise sensitive geo-political issues beyond the remit of the review team.

=> I would argue that it is actually quite important. While I understand your concerns, there are numerous countries which have and still are using their "long arm jurisdiction" to influence the behavior of people outside their respective jurisdictional boundaries.

P: I have to disagree. It seems to me to be sensitive territory, and I don't understand what would be gained by the review team focusing on this.

Applicable laws

With regard to applicable laws, I think the definition does a good job of covering the field of possible laws that regulate personal data.

However, I note that the relevant sentence in the AoC refers to an obligation on ICANN to enforce its WHOIS policies (without caveats). Without specific advice from ICANN on what it considers the relevant laws to be, I propose a simple change to the proposed definition to make it inclusive rather than exclusive. In this way, if ICANN decides that the contract/commercial law of a country  is relevant to its ability to enforce a contract obligation, then we haven't inadvertently excluded this.

I also have concerns about the phrase 'internationally recognised legal norms', as agreement about what an internationally recognised legal norm is would appear to be beyond the scope of the review team. I have tried to simplify the definition accordingly:

"Includes any and all local and national laws that regulate and/or control the collection, use, access, and disclosure of personally identifiable information. It may also include other relevant legal obligations or treaties."


=> I do believe that the reference to the human rights norms etc. is an important one and as such I don't think it should be deleted.

P: No argument from me that human rights are important. What I do question is what is meant by an 'internationally recognised legal norm'?

With respect to "other relevant legal obligations or treaties", I think that makes the definition too broad and as such defeats the purpose of defining the term "applicable law". I do understand your point about trying to make it more inclusive, but we, as the sub-team, were of the view that when you boil all of the aspects of the WHOIS down to its core, the issues at hand are: collection, use, access, disclosure, and destruction of personally identifiable information. All the other issues, such as torts, contract, ip, etc. laws are laws which provide for limits and exceptions to the general tenet of the collection, use, access, disclosure, and destruction of personally identifiable information. We are not talking about "legitimate uses" in this definition, but are simply stating that the core applicable law is founded in the administration, within a government, of the collection, use, access, disclosure, and destruction of personally identifiable information.

P: I agree, and disagree. The problem may be that I didn't explain myself fully (although I accept that you may still disagree). My point is that 'applicable laws' is set out in the AoC differently to the parts that set out the scope for the review team. As such, it covers 'applicable laws' from ICANN's perspective in 'enforcing its existing policy'. I think we've all agreed that one way that ICANN implements and enforces its policies (even if they're not the official 'policy' as such) is through its RAA and RRA contracts. The extent to which ICANN can enforce these is presumably subject to commercial/company/contract etc law. That is my point. I agree that it's not directly related to the WHOIS data as such, but may be relevant to how effectively ICANN can implement and enforce its WHOIS policies.

Each privacy law and the EU or the UN data/privacy protection regime carve out numerous exceptions.  Therefore, the other laws, uses, etc. are by reference included in this definition through the respective privacy and data protection regimes in each country.

I hope my rambling made some sense. Again thank you for your comments and I think this discussion is a very beneficial one for all of us because it leads us to a clearer and, eventually, mutual understanding of all the issues involved in this review which, in turn, will provide us with the hymnbook from which we all can sing.

Kim











