RE: [dow1-2tf] Moving forward on "conspicuous notice"?
- To: "Thomas Roessler" <roessler@xxxxxxxxxxxxxxxxxx>, <dow1-2tf@xxxxxxxxxxxxxx>
- Subject: RE: [dow1-2tf] Moving forward on "conspicuous notice"?
- From: "Steven J. Metalitz IIPA" <metalitz@xxxxxxxx>
- Date: Tue, 28 Sep 2004 09:46:22 -0400
- Sender: owner-dow1-2tf@xxxxxxxxxxxxxx
- Thread-index: AcSlWXB0i8qFHv+CTn2Ca71aWiHb+QABxsGQ
- Thread-topic: [dow1-2tf] Moving forward on "conspicuous notice"?
I support Thomas' approach here. It includes some specific, concrete
recommendations which sound reasonably implementable.
However, I question his proposed "success metric." It's not clear who
would be carrying out a survey of a sample of registrants, but such a
survey could be expensive and perhaps difficult to design, administer,
and interpret. I think the best we can hope for is to measure the
compliance by registrars with the three specific recommendations that
Thomas suggests. That can be measured fairly easily, either by
self-reporting by registrars, or by ICANN staff (or outside contractor)
going through the registration process at all or a representative sample
I also think the third recommendation should include the word "consent"
since, after all, that is what the Registrar Accreditation Agreement
requires that registrars obtain from registrants.
[mailto:owner-dow1-2tf@xxxxxxxxxxxxxx] On Behalf Of Thomas Roessler
Sent: Tuesday, September 28, 2004 8:47 AM
Subject: [dow1-2tf] Moving forward on "conspicuous notice"?
I'm somewhat concerned that there has been (almost) no follow-up
discussion on Tuesday's call so far. On the call, some suggested that
we should look at legal approaches to "conspicuous notice" to figure out
the right balance between burden to processing parties and forcing
registrants to take notice.
BUT: "Conspicuous notice" of data processing in the form of, say,
all-caps or boldface parts of the registration agreement may be
considered enough in some contexts in some jurisdictions. In other
jurisdictions, you may encounter requirements such as explicit,
deliberate, and free consent to well-specified purposes, maybe even in
writing. The point here is that the burden on the processing party may
be balanced against data subjects' awareness and free consent in
significantly different ways.
At this point, and with the major work item of tiered access still
before us, I'd suggest this group pragmatically (and on-list!) look at
ways to increase registrant awareness above the current levels,
recognizing that we are certainly not going to fix WHOIS' privacy
problems in dealing with the "conspicuous notice" milestone.
Here's a possible set of recommendations, to get things started; these
are mostly based on TF2's findings, except for the success metric part.
Objective: Increase registrant awareness of WHOIS.
Success Metric: Significant increase of registrant awareness
of WHOIS, as measured by sampling registrants prior to and
12 months after implementation.
1. Registrars must ensure that disclosures regarding
availability and third-party access to personal data
associated with domain names actually be presented to
registrants during the registration process. Linking to an
external web page is not sufficient.
2. Registrars must ensure that these disclosures are set
aside from other provisions of the registration agreement if
they are presented to registrants together with that
agreement. Alternatively, registrars may present data
access disclosures separate from the registration agreement.
3. Registrars must obtain a separate acknowledgement from
registrants that they have read and understood these
Thomas Roessler * Personal soap box at <http://log.does-not-exist.org/>.