As we approached this project, we identified the following key research questions:
- What are the privacy issues and problems inherent in the collection, use and disclosure to third parties of the personal information of registrants of domain names?
- What guidance have data protection authorities provided to data controllers with respect to the reliance on standards?
- What kinds of standards exist, and are they of interest to the data controllers involved in this case study?
- What can standards do to solve privacy problems here?
- Is standards development required, and if so what kind of standards are required?
We approached these questions by reviewing the history of the WHOIS debate and the comments of the privacy commissioners, as analysed in detail in Perrin’s doctoral dissertation 1. Perrin has been a key participant in the policy development process at ICANN for over six years; during 2018-2019 she discussed the standards project with stakeholders and referred extensively to the policy analysis required for compliance with the GDPR. She has also been engaged with the International Working Group on Data Protection in Telecommunications and Media (IWGDPT) as it prepared a working paper on ICANN and the WHOIS issue, released in March 2018 2.
Perrin’s previous research thus gave us a solid perspective on both the privacy issues in this debate and the positions the data commissioners have taken since ICANN was first being imagined in 1996. A constant phenomenon has been ICANN’s refusal to address privacy issues in any serious way until the prospect of fines amounting to potentially 4% of gross revenues prompted the contracted parties, the registrars and registries who hold the personal data of registrants, to put their collective foot down and demand exemption from their long-standing contractual obligation under the Registrar Accreditation Agreement 3 to collect and publish subscriber data. This resulted in the Temporary Specification 4. While contracted parties doubtless care about their customers’ satisfaction and well-being, until then respect for registrant privacy rights had hardly found its way into policy at ICANN.
Our review of available standards focused on ISO/IEC 27001 and 27002, other standards in the ISO 27000 series, the accreditation standards already used by the community of registrars and registries at ICANN, and recommendations issued by ICANN’s Security and Stability Advisory Committee (SSAC) 5. Once the Technical Study Group was established, we followed its work and included the material cited in its reference materials.
The European data protection authorities, acting collectively first as the Article 29 Working Party and now as the European Data Protection Board, have published a number of documents on the topic of standards, available in their archive and detailed in our reference materials. We examined these along with the recent publications of the European Data Protection Board. Although ICANN has held a number of meetings with the European data protection commissioners, and its leaders have blogged about these meetings periodically, it has been difficult to glean much concrete information about the advice ICANN has received from the commissioners.
Armed with this information, we invited key stakeholders who could speak about these matters to our workshop in Barcelona.
5. https://www.icann.org/groups/ssac. For a list of documents, see https://www.icann.org/groups/ssac/documents. Important documents in this series include SAC104, SAC101, SAC087, SAC083, SAC081, SAC075, SAC061, SAC055, SAC051 and SAC044.