[dow2tf] Additional material for data analysis
- To: TF2 <dow2tf@xxxxxxxxxxxxxx>
- Subject: [dow2tf] Additional material for data analysis
- From: Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
- Date: Mon, 29 Mar 2004 18:59:59 +0200
- Mail-followup-to: TF2 <dow2tf@xxxxxxxxxxxxxx>
- Sender: owner-dow2tf@xxxxxxxxxxxxxx
- User-agent: Mutt/1.5.6i
The speech by Alonso-Blas actually was captioned; see attached text version.
On .pl, http://dns.pl/english/whois.html should have some information.
The IWGDPT's documents are at the following URLs:
Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
At-Large Advisory Committee: http://alac.info/
Diana Alonso Blas: Thank you very much. I'm very happy to be here and
have an opportunity to participate in this very interesting debate up to
now. The data protection people have not always been involved in this
discussion as much as they should. It might be partly our fault. But it
is now very important that we come into this discussion, and we try to
involve ourselves as much as possible, certainly on the European side,
because on the American side EPIC and others have been others but not
from the European Commission up to now.
So I'm in the beautiful position of being after the coffee break, so
everyone is drinking coffee somewhere but I will start anyway.
I am going to concentrate on the European perspective, my job in the
European Commission. I have to say, however, there are very similar
provisions in other parts of the world. We have the OECD guidelines that
are implemented in many other countries in the world. We have similar
liaisons in countries like Hungary, the Channel Islands, and others. So
the issues for Europe will be similar issues in other countries as well.
In Europe we have several pieces of legislation. The first one is the
directive 95/46 the general protection directive. That's one I'll talk
in much more detail about. But there is also second directive which is
very recent, 2002, the number of 58, which deals with the electronic
communications. And this one is also very relevant because it contains a
number of provisions that could have direct implications for the Whois.
This directive has not been fully implemented in all the member
states. The period of implementation only ends in October this year. But
it has to be taken into account now already.
There are also many important documents of what we call the article
29 working party and that's a group of the European data protection
authorities that are brought together and that they have the task of
implementing and interpreting also the provisions of the directive. And
they have dealt with many issues related to the Whois as well and to
all the Internet discussions.
There is also the council of Europe convention that I mention here because
it is not only European. It is open also to signing and ratification by
any country in the world.
And very similar provisions.
On the next one, what are the concerns that we have about the Whois
discussions? I think we have tried sometimes from a distance to
contribute to this discussion in the past. The European Commission sent
recent contributions to ICANN and also the Whois task force. It was
always a common approach between the internal market as the director of
general where I work and the colleagues of the information society who
are the ones you know better because they're always involved in this
discussion. And we have always tried to work very closely together in
order to offer a common view regarding this issue.
The data protection authorities have also raised concerns regarding the
Whois discussion, especially because they have received complaints of
national level concerning the misuse of the Whois.
They have received different kinds of complaints. On one side, from
individuals who complain about the misuse of the data. They have also
received concerns from the registrars themselves who felt that they were
caught between a rock and a hard place because whether they obeyed to
the ICANN requirements, somehow they are not respecting the European
legislation they have in place or if not they might be in a difficult
position. So I think that's something we need to take very much into
I would also like to stress that European data protection authorities,
article 29 working party has issued a paper on the 13th of June of this
month that I have circulated and I hope it's available in the materials
of this workshop in which they address specifically the data protection
principles and their application to the Whois, and they come to a number
of very interesting points. So I strongly recommend you to read it.
There is also the international working group on privacy in the
telecommunication sector that has issued a common position on this issue
already in May 2000. After that, they have also sent different letters to
ICANN raising several concerns. The important thing is that this group is
not only composed of the European data protection authority. It involves
also experts from different groups, including academics and others. And
it involves also people from outside Europe. So it's important to see
that this is a group that has quite a broad composition.
Also citizens have raised complaints. Not only with the data protection
authorities. We did receive a petition also to the European parliament
done by a general citizen. I mention it because I think it's interesting,
the reason why the citizen complained was not mainly data protection but
because he thought that the publication of his name and personal data on
the Whois was something that would limit his freedom of speech. Well,
the thing has been raised in different papers also previously. So I
think it's an important point.
So, indeed, there were increasing concerns for different reasons. The main
one, I think, is because lately we have seen more and more registering
their own domain names. I think it's important to make clear that there
are very different issues at stake, when legal persons, companies, et
cetera, register the domain names and when individuals do so. There are
different concerns that need to be taken into account and I think that's
why this possible distinction between commercial and noncommercial could
play an important role.
We were also a bit concerned about the fact that the reports of the Whois
task force that we have read with a lot of interest seem to ignore, to a
certain extent, at least, the real purpose of the Whois. And certainly the
existing legal framework of the European union. We were a bit puzzled when
we saw questions like what would you like to use the Whois data for. In
our legislation, it doesn't work that way. Maybe we would like it to be
like this, but it's not. We need to start by defining very completely,
very detailed way what is the purpose we collect the data and then we
have to assess whether the use of this data is compatible with that. And
if it's not compatible, it cannot be used.
So in our legislation, it's much more difficult than this. And it doesn't
allow this kind of flexibility.
So maybe to enter into the first point, I have mentioned the two
directives. Do these directives apply to the Whois? I would say the first
point I don't think has ever been discussed. There is clearly personal
data involved in the Whois.
The definition will have a processing or directives is very broad,
meaning it goes from the moment in which the data are collected to the
moment in which they are accessed, used, published, et cetera, so all
this is covered by the directives. And the point that has often been
misunderstood is the fact that the data are also protected, even when
they are in the public-available registry. Sometimes people say, well, but
they are already on the Internet. Well, it doesn't really matter. They are
still protected in the directives and the principles have to be respected.
So as a first conclusion, I would say that not everything that might
seem useful or even desirable is legally possible. At least not under
the present regime.
So the key issue, I think, is the question of the purpose. And as I have
said, under our legislation, we need to very well define purpose for
the Whois. I think that nobody has ever challenged the original purpose
that has been raised also by the previous speakers, the issue of being
a technical contact in case of problems. Nobody has ever challenged that
legitimate purpose. The problem is, as I said, that we need to define very
clearly what is the purpose. And it seems to me that what we see now more
and more in this discussion is that we all know in practice the Whois is
being used for many other purposes, but it's not clearly defined as such.
So I think we might have to be very honest on that and try to address
this clearly and say what are the uses we want to make of it, if any. And
then see, well, is this possible under the legislation we have. And are
there possible solutions we can find.
So we need to describe first the purpose, clearly. And then we need to
define what a compatible use is of that. And when discussing what is
compatible, we often use the criterion is this a reasonable expectation
for the user? Can the user who has a domain name register expect that
his or her data will be used for any such a purpose?
So indeed, we might come to the situation in which we would like to
use the data for a certain purpose, but this is not possible under our
legislation. And there I have to say that the opinion of the article 29
working party has been rather critical in referring in this context to
what they call self-policing policy of the private sector. Their view
is this would not be compatible with the original purpose of the Whois.
I think it has been made clear in several discussions that the
issue is mainly related to the private sector use of this data, not
the public sector because for the public sector we do have already
several possibilities under the directives for use of this data when
necessary. There are existing legal procedures for that. The problem is
much more for the private sector, and there I have to say, obviously,
the European Commission has mixed emotions about it because we also have
intellectual property interests and we obviously want to protect also
the right holders but we need to find a position in which we can do both
things within the legal system and respecting also the legislation and
data protection. And this is not necessarily simple, but we'll need to
discuss this further and see if any solution can be found.
So the principle of proportionality is one of the core issues. I think I
have to make a distinction in the discussion between the data necessary
for the registration itself and the data that should be published in the
Whois. In particular, what the proportionality principle means is we look
always for the less intrusive means to serve the purpose. So I think what
we need to ask ourselves is are there other possibilities of serving the
purposes we want to serve while not having all this information available
on the web site or potentially available to anybody who wants to have it.
So in some countries, solutions have been found through the use of the
Internet service providers. For instance, in France and in Germany and
the UK, well, you will hear also the colleague from .nl who is going
to talk after me who is going to present the specific situation in the
Netherlands and the European Commission has proposed in several occasions,
in several papers addressed to ICANN, WIPO and other organizations, some
kind of a two-step approach, would make actually the data not available
to the general public but only available to those who really need it
with the possible control after it.
I'm not saying that this is a necessarily easy solution but it could be
explored at least to see if this could be found.
So indeed, we need to process only data, the relevant and not
excessive. This is something we would like you to keep in mind when
discussing uniformity, meaning that if uniformity means collecting
the same data everywhere, this same data would be more than what we now
already collect in Europe, this would be a big problem in our legislation
because we have the obligation of keeping the data to a minimum necessary.
And there are specific problems also regarding the telephone numbers and
the general right not to be included in a directory. This is a right given
by article 12.2 of the new directive on telecommunications. It is in any
case, clear that the individual has the right not to have his telephone
number listed in a public telephone book. What would obviously make a
bit, let's say, strange at least that the same individual would have,
then, the obligation to provide his phone number to be published on the
Whois available to the general public.
The second part of the reasoning is even more complicated. Would it
mean that this provision, in fact, implies that the individual has the
right not to be included at all in the Whois? And to be honest, I'm
not completely sure if this answer is correct or not. We are presently
discussing this with the colleagues in charge of the information
society. Most probably, we are going to ask also an opinion to the legal
service to know what this exactly means.
But indeed, this will have to be kept in mind in discussion.
Possibly I would like to mention also, in this discussion whether this
provision could be interpreted as such or not. We might have to keep in
mind as well a recent judgment of the European court of Luxembourg that
in a case related to Austria, said very clearly we should not interpret
the data protection legislation restrictively but possibly the other way
around to give sufficient rights to the individuals. So this could also
play a role in this discussion.
So one of the issues that have also raised much concern is the question
of making the Whois more searchable. The article 29 working party,
the European data protection society, as I mentioned, have dealt with
this already in 2002 in general terms, considering that the processing
of personal data in various directories would not be fair, unlawful,
unless the individual has the right to consent to it. And by consent,
we don't mean opt out but opt in. So it should be very clear.
So on the other hand, I wouldn't like to give the impression that
we oppose all the different proposals that have been presented. We
do have quite good feelings about a number of the issues presented as
well. Of course, accuracy is a very important issue, is also one of the
principles of our directive. But we have to keep in mind, obviously,
why are individuals giving not accurate data. And if the reason is they
don't feel sufficiently protected we might have to address this first
before asking them to make sure they provide accurate information.
Concerning bulk access, we would certainly support all possible
limitations of that. The opinion of the European Commission is very clear
on that. We think that bulk access should not be acceptable for any kind
of purpose because it's not proportional at all and there are other
means to serve these kinds of purposes. And it should be important to
keep in mind also that the directive 2002, the electronic communications
directive only allows the use of e-mail addresses for direct marketing
with a specific consent, opt in, of the user.
So as a conclusion, I would like to say we need to respect the existing
data protection framework in Europe. Indeed, we shouldn't place the
registrars, as I said before, between a rock and a hard place. This
would be clear compatibility between what they are asked to do by the
contract and what they have to do according to the law.
We also need to look for privacy enhancing ways of running the Whois. I
think in practical terms, they could be solutions that serve the purposes
we want to serve while protecting the rights of the individuals and I
think we need to all work together in trying to look for that.
And I would also like to ask you to keep in mind and to involve the data
protection community in these discussions. I mean, it's the first time
I'm here. I'm sure that many other colleagues from Europe would be happy
to participate in these kind of discussions in the future.
And I think, certainly, that the article 29 working party, who have just
approved an opinion in time for this meeting, would also be very pleased
to be involved in this discussion.
Thank you very much.
Vinton Cerf: I'm sorry; will you entertain a question or two? Do we
I would just want to suggest an idea that I'm not sure has come out in the
presentations or the discussions. It seems to me that the registration
of a domain name is not something which is forced on anyone. No one has
to register a domain name.
When you do that, with whatever responsibility you choose, either as an
individual or as a corporate officer or acting on behalf of an entity,
whenever you do that, you may incur some obligations to the rest of the
community that uses the domain name system.
So I'd like to suggest for your consideration that the Whois table
is not simply a public directory which is randomly assembled, but,
rather, it's a side effect of having accepted some obligations as a
registrant. And I would distinguish that from, for example, the public
directory listings of telephone numbers which are a consequence solely
of having been assigned a phone number.
Perhaps those two could be distinguished.
Diana Alonso Blas: Well, I see your point, and I think that, in fact,
that's the reason why many individuals make the difference between
what are the consequences of registering a domain name when you do it
for commercial purposes and then obviously you have a number of legal
obligations. Also in Europe, you have to identify yourself, you have
to register yourself possibly for the chamber of commerce, et cetera,
you have to pay tax. Of course it's not that you have the choice whether
you want to do it or not. You have these legal obligations, and nobody
is saying you shouldn't accept them as a part of it.
But I think the difference is for individuals who just want to have a
web site for their own purposes of publishing whatever information they
want to. And I think that in this kind of very Internet world, it would
be kind of, let's say, not very open minded to say, well, individuals
have the choice whether to register a domain name or not. I think having
a domain name can be pretty important for many people, for professional
and personal activities nowadays. So it wouldn't be a real choice when you
want to have it or not. Many people might need it for professional reasons
or might want to have it because it's important also for the development.
So I think we need to make a difference between those who really use
the domain names for certain commercial activities and therefore have
a number of legal applications they have to respect, and one of them is
to be registering different registrants who could be one of them who is
Whois, and those who use it for personal use.
Karl Auerbach: I also have a question. Two questions have arisen during
our discussions of privacy with respect to Whois, and one is the Internet
is used to some extent, to a large extent for people to go into various
forms of offering goods and services, and there's people who buy from
them. And there's a degree of fraud going on. And there's a concern
that those who are buying need the ability to validate the quality of
the person they're buying from.
And my first question is how is that situation handled under the
privacy laws in Europe? And my second question, which is related, is
law enforcement. How do we know what kind of access to give to a law
enforcement person? How do we know who a law enforcement person is? How do
we know they're acting in their scope of authority? To what extent do we
notify the data subject that the law enforcement is even looking at them?
Those are my questions.
Diana Alonso Blas: Well, I hope I remember them both but I will start
with the first.
Well, I will start with the second because probably I remember it
better. As to the law enforcement question, I would say our legislation
in Europe has specific provisions for law enforcement. Article 13 of
the directive has a number of exceptions that need to be implemented as
national law. So indeed, if you're confronted with a situation in which
you are not completely sure whether you are acting according to these
rules, I would say, well, why don't you then contact the data protection
of your country and make sure you're fully aware of the situation in
which you can provide this information to the law enforcement or not.
So there are indeed provisions for that but make sure you are sufficiently
informed and, indeed that, the law enforcement agency is acting according
to the powers as well.
There are provisions for that.
As to the first one, I would say it is also so in Europe, according
to many pieces of legislation of commercial law, also the e-commerce
directive and other directives that individuals who undergo professional
or commercial activities have to identify themselves. It is also on our
data protection directive that when an individual collects information
from a person, has to identify themselves. So we are in no way opposing
What we are saying is that, first, we have to make clear what exactly
the data that needs to be collected and published in these cases, and
second, that I think it has been said also by others there might not be
one single solution that feeds all the cases, and we might need to think
of different regimes for different kinds of uses and cases of people
having a domain name. And I think to that extent the person following
me will give a good example of different solutions that have been found.