Legal aspects of Whois? Database Internet Governance at the crossroads

Transcription

1 Legal aspects of Whois? Database Internet Governance at the crossroads Dana Irina Cojocarasu

2 Background information: Domain name system Helps user navigate the Internet by translating numeric IP addresses ( ) of the websites into conventional denominations (oecd.org) Hierarchy & uniqueness Root TLD gtld cctld STLD

3 Whois? Service that allows interested parties to adress queries to a database containing information about: An already registered domain name The registrant (contact details) The address of the servers used

4 Background information: Domain name lifecycle Registrant physical/ legal person who registered a domain name Registrar legal person authorised to to offer registration and upkeep services for domain names (intermediary) Registry - legal person uniquely responsible for a TLD (legal, technical, administrative) Application Registration Operation Termination Evolution

5 Project tasks: CONTRACTS, POLICIES & LAW-.NO,.COM,.EU Whois Database Protection Whois Data Protection Access of law enforcement to unpublished data

6 Final outline: 1: Decision making bodies and normative framework in the DNS: gtld Policy Development Process (PDP); cctld PDP; 2: The Whois Service: - The features of the Whois database (evolution, input, search, output); - The functions of the Whois database 3: The legal protection of the Whois database: - Ownership of copyright / sui generis-right; - Limitations in the exercise of the database rights (statutory, contractual); 4: Protection of personal data in the Whois database - The incidence of data protection legislation on the whois service - Legal basis for the processing of p.d. via the Whois service; - The features of a legally compliant processing of p.d a best practice framework (personal data management, data subject management, confidentiality and security of processing); 5: Effective law enforcement through a privacy friendly Whois service

7 ICANN Board GNSO Council Advisory Committee gtld PDP ISSUE REPORT GNSO Council ICANN STAFF RECOMMENDATIONS CHARTER / TERMS of REFERENCE Initiate PUBLIC COMMENT (20 days) PUBLIC COMMENT REPORT START Policy Development Process Task Force PRELIMINARY TASK FORCE REPORT CONSTITUENCY STATEMENTS Initiate PUBLIC COMMENT (20 days) INITIAL TASK FORCE REPORT PUBLIC COMMENT REPORT FINAL TASK FORCE REPORT GNSO Council ICANN Board BOARD REPORT ADOPT POLICY

8 Decision making at cctld level National cctld ICANN Registrar Registrar Registrar Accreditation Policy Registration Framework REGISTRY Designation Procedure Policy management & supervision ccnso CREATE cctld Policy on: allocation & assignment of unique Internet identifiers; operation & evolution of root name server system GOVERNMENT GAC Inform & request

9 ICANN Whois: purpose and functions Purpose: Enable access to data: Responsible / 3rd party (.com) reasonably accurate and up to date (.eu) Contact information (.no) Why? resolve issues related to the configuration of the records - GAC(2005) legitimate purposes (undefined) -.eu Non exhaustive exemplification of desirable uses-.no Functions (the core values that are served by the publication of registrant data): It facilitates operability; It creates transparency ; It facilitates accountability; Absolute presumption that the content of the database is accurate and up to date!

10 Accurate and updated Whois databases: roles and responsibilities The registrants- obligations: To provide accurate and reliable contact details To update the provided information while the domain is active The registrars: (.com) present at least annually the information it detains (.com) following a complaint: Seeks evidence by contacting the registrant commercially reasonable checks whether the information is plausible Place the domain on-hold / may cancel (.no) upon application: check representation The registries (.eu &.no) Simple checks (postnumber, adress, telephone ) Database cleaning (against information in the Registry for legal persons) Challenges: All or nothing Plausible (.com) Partial incorectness? Reputation system for the Registrars? Report system? (WDPRS)

11 Rights in the Whois database Applicable law (.no,.eu,.com) Copyright protection for databases require originality (Feist Publications v. Rural Telephones Co. (US)) Sui-generis protection requires substantial qualitative / quantitative investment Doctrine of misappropriation (US) Whois databasen: Contains data about all the registered domains (limited choice); The nature of the data to be collected about each registrant is mandated via agreements (creative selection of the contents?) All the Registrars in.com are required to provide Whois services. In cctld best practice; Simple queries are free of charge Rights of the database maker: to define lawful use to define conditions of access to the database Limitations: Extraction and use of insubstantial parts (except repeated acts of extraction); Direct marketing Permitted to make private use of non-electronic copies of the database (Åndsverkloven 12(2)(c)) Who owns the IP rights in the Whois database for.com? Are the Registries and the Registrars in gtlds only agents of ICANN? Can the Registrar Accreditation Agreements be enforced against an European Registrar?

12 The incidence of data protection legislation on WHOIS service Personal data (natural/ legal persons (?)); Processing operations; Rolles cctld - the Registry data controller - the Registrars data processor gtld - in teory: ICANN acts as a data controller (centralised system for registrar accreditation; assigns right and obligations) - in practice: the Registrars shall be regarded as data controllers with regard to the Whois databases they manage

13 Legal basis for processing personal ( Whois) data Directive 95/46/EC Consent freely given, informed, specific WHOIS the registrants are under an obligation to provide information upon registering the domain name; - limited information about who/ how/ why - consent to the registration of the domain/ publication of the data? Perform the terms of a contract? Compliance with a legal obligation to which the controller is subject Interpretation of the key concepts in accordance with the national implementations of the Directive

14 Personal data processing via the Whois service Directive 95/46/EC: data quality (art. 6), access rights (art.12), the right to object (art. 14), security of processing (art.17), and notification of the Supervisory authority (art.18) Management of personal data; Interaction with the data subject; System design (security); WHOIS Dichotomy between the declared purpose of the processing and the routines implemented in achieving it; Low level of correspondence between the purpose of the access and the information displayed; Unclear what kind of reaction one may expect upon contacting each of the roles (administrative, technical, legal contact points); Insufficient routines for deletion of registered data (not stored longer than is necessary for the purpose of the processing); Better practice examples: Layered access to the Whois data depending on the purpose of the request for access (.uk,.name); Free access to fewer information about the natural persons then about legal persons (.eu) The requirement to document a legitimate interest when claiming full access to individual records (.eu) Allowing both legal and natural person Registrants to opt-out from having their contact information made freely available (.nl) Describing and displaying the purpose of each type of contact points recorded (.de)

15 Personal data protection- requirements for system design (security) technical and organizational measures; appropriate level of security (state of the art, the costs, the risks, nature of the data) The controller should also check whether the communication partners and suppliers ensure an adequate level information security (Datatilsynet) Empirical evidence needed! ICANN s Security and Stability Advisory Council (2007): technical measures would best prevent the misuse of WHOIS data for spam purposes Protected Whois Delegated Whois

16 SSAC empirical data (90 days):.eu does not permit delegated-whois measures; The most common protected-whois measures are: CAPTCHA Making available the personal data as picture, not as text GNSO Study Hypothesis Group (august 2008) Whois misuse studies

17 Law enforcement...and data protection are not antithetic goals Art.13d Directive 95/46/EC- legal basis for implementing special routines for access to personal data for law enforcement purposes Art. 8(2) EMC- limits the interference by a public authority with the exercise of privacy rights except such as is in accordance with the law The registry/ registrar should be able to distinguish between a request from the competent public authority and a request form a private party: General access Concrete assessment (legitimate interest, evidence) upon request» Presupposes that evidence can be preserved but not necessarily given access to» Is access to Whois data indispensable? (can other databases be used) Challenges (need for further research): Who are the competente investigative authorities? Nationally? (the police: NOU 2003:21, strprl. 199a) Internationally?( jf. EU Framework Decision) Empirical evidence should be provided on need/ risk One should explore the possibility to use allready established cooperation fora (EOURPOL, EUROJUST, SIS etc.)

18 Challenges met with the Whois project: Dynamic ; Comparative analysis; Multiple actors (Registry, Registrant, Registrar) involved and several interests to take into consideration; Broad spectrum of legal issues (contract law, IP, data protection, criminal procedure); Limited time frame; Relatively limited access to descriptions of technical processes;

19 and this is only the top of the iceberg There is only limited empirical data about the need, the use and the misuse of the Whois database; The purpose of the whois service is still a controversed matter; The division of competence between the Registries, the Registrars and the Registrants is unclear The policies for access of law enforcement to Whois data are not agreed (international issue) Subsidiarity principle!

20

21 Første runde med varsling, sommeren 2006 Antall e-poster ut mai/juni 2006: Antall domener berørt: Antall e-post retur/feilmeldinger: (63%) Antall henvendelser til andrelinja: ca. 190 totalt Andre runde med varsling, vinteren 2006/2007 Antall e-poster og brev sendt desember - februar: Antall domener berørt: Antall e-post retur/feilmeldinger: (70%) Antall brev i retur: (43%) Antall henvendelser til andrelinja (cirkatall): 700 e-poster, 30 faks og brev, anslagsvis rundt 300 telefoner. Hvor mange henvendelser som kundesenteret har tatt seg av er ikke kjent, men de har rapportert om tidvis stor trafikk. Antall henvendelser om utsettelse i forkant av sletting: 43. Dette gjaldt til sammen 140 domener. Per 1. juni var det 25 domener igjen på den lista, resten er blitt overført.