whois comments

[Jisuk Woo <jisuk@xxxxxxxxx>]

First I would like to agree with the report’s general position that national laws and regulations regarding personal data protection should be respected. It would have been an undue burden on registrars not to comply with their local laws in order to conform with whois policy, and this would have made a really negative effect on the protection of unsuspecting local domain name registrants. In a country like Korea this position of the preliminary report is a particularly important one because privacy laws and data protection laws are in the middle of being revised and amended pursuant to the recent development of digital technology and its various impacts. In such a situation, privacy principles of the country and local stakeholders’ relevant interests are better to be respected and coordinated while not prematurely influenced by policies mainly made by external factors. I support the report’s recommendation that a process should be made for appropriate changes in case of a conflict of national law and whois policy.

 

Secondly, I also agree with the recommendation that more conspicuous notice regarding possible uses of the data and relevant processes should be given to registrants at the time of registration. But I also would like to comment that notice is not enough to properly protect registrants from abuses of data that they may or may not realize, and that more discussion regarding obtaining consent from registrants should be made and some kind of process should be devised for this purpose. Especially in the case of sensitive data, registrants should have a right not to give consent. And this option may become a realistic tool for protecting registrants only if the registrants fully understand the process and purpose of the data use, possible consequences, other options they may have, etc. For this purpose, some kind of education and outreach programs should be devised.

 

Thirdly, I am somewhat concerned about the “tiered access” system recommended in section 3.5. Although registrants should have an option to display any or all of their information to the public, it is also important to know whether they understand the implications and consequences of implementing such an option, especially in case of sensitive data. “Individual choice” may mean one thing in one culture but another thing in another country. I suggest that we should be very careful about imposing the western, developed countries’ notion of an “individual’s informed consent” to all the registrants in the world, because the registrants may or may not have necessary knowledge and understanding in order for the consent to be meaningful. This is not an easy problem that we can tackle with in the short run, but differences in cultural backgrounds and knowledge levels are something that should be discussed in ICANN in the long run.

 

In addition, providing access to those meeting the requirements and identifying a legitimate use and issuing them a portable credential can be dangerous if they abuse the credential once acquired. Providing access to personal data should be always made on an individual use-by-use basis, in order not to give them ample chance to abuse. This is especially important in the case of intellectual property law firms or any famous players in the field, and they should not be provided any easier or blanket access to data but should be identified for their identity and purpose of each use every time they request data. It is also important to devise a mechanism to provide immediate notification to the registrant “before” the data are released, so that they registrant could find self-protecting measures if necessary.

 

Jisuk Woo

Seoul National University

Jinbonet Korea

우지숙
서울대학교 행정대학원
Assistant Professor
Graduate School of Public Administration
Seoul National University
tel: 02-880-5633
fax: 02-6248-0951
email: jisuk@xxxxxxxxx