Tag Archives: privacy

Privacy Concerns in the Domain Name System by Samantha Bradshaw & Laura DeNardis

Abstract: Some of the most contentious policy debates of our time involve questions surrounding the privacy of user data and the extent to which personally identifiable information is encrypted on mobile devices, in transit, or in the cloud. However, one aspect of personal privacy often missing from the public discourse is the question of confidentiality in the Internet’s Domain Name System (DNS).

The DNS is a distributed but hierarchically organized system that translates alphanumeric domain names into IP addresses. One facet of Internet governance scholarship on the DNS has focused on examining public policy concerns related to freedom of speech, intellectual property, cybersecurity, and jurisdictional oversight. However, the design of the DNS also inherently raises a number of privacy concerns, one being the technological condition that DNS queries are almost always unencrypted. Although these queries do not contain “content” such as email text, images, or search terms, they do reveal the sites a user visits. As such, query data can disclose sensitive information-seeking practices related to addiction services, gender identity, disease treatment, pornography, abortion clinics, mental illness, employment, or online dating services. Given that almost every activity online begins with a DNS query, concerns about the prospects for unauthorized access to query information and practices for how queries are processed, retained, aggregated, or shared should be examined further.

Situated conceptually in the field of Science and Technology Studies (STS) and topically within the extensive body of research on global Internet governance, this research project asks: to what extent do DNS queries raise privacy considerations; what is at stake for Internet privacy, security, business models and stability; and how can various Internet governance stakeholders address these privacy concerns? To help establish the dominant frames for conceptualizing privacy in the public sphere, the research project examines dominant media sources for a five-year period between 2010-2015 and compares this coverage data to other online privacy concerns such as search engine privacy and user device encryption. To assess the extent of privacy concerns implicated by DNS queries and understand the stakes of various privacy mitigating options, the research project draws from interviews with DNS engineers and privacy advocates; the archival mailing lists of the DNS Privacy Working Group; proceedings of meetings of the Internet Engineering Task Force; and relevant Internet Request for Comments (RFCs).

This paper makes two contributions to information and communication technology policy and scholarship: first, it will contribute to the corpus of Internet governance scholarship around the Domain Name System by expanding the spectrum of policy issues it implicates to include concerns about individual privacy; and second, it will provide an evidentiary basis to expand policymaking considerations around privacy to include DNS queries rather than primarily content and personally identifiable information.

 

Daily Wrap: Whois Privacy, Domain Suspensions Not a Priority for PIPCU, the Litigious IOC, IPv6 Grows in APEC and Neustar Expands, Again

“Whois privacy services by cybersquatters can frustrate and sometimes delay the resolution of a domain dispute but it can’t prevent the inevitable,” say FairWinds Partners in a recent blog posting. But they do result in “brand owner[s] having to incur the expense of filing a UDRP or URS complaint.”

A London police unit, the City of London Police’s Intellectual Property Crime Unit (PIPCU), has decided that suspending pirate domain names is no longer a priority, according to TorrentFreak. The report says that after ICANN ruled that registrars don’t have to suspend domain names without a valid court order, the police have decided to put more emphasis on other enforcement tactics.

The International Olympic Committee is very protective of its trademarks and litigious when it comes to protecting those marks. So now the IOC and the U.S. Olympic Committee have sued a businessman on trademark charges, claiming he’s stockpiled more than 1,000 domain names of potential Olympic host cities and years to raise money, according to Courthouse News Service.

However Stephen P. Frayne Jr. has “filed a complaint in the District Court for the Northern District of Illinois, averring that he acquired the domain name solely to establish a bona fide noncommercial forum for an ‘open and honest discussion’ about the Olympic Games, the complaint states.”

Use of IPv6 in the Asia Pacific is growing. According to recent stats from APNIC Labs, there are some encouraging signs across the region, with the United States (26.5%), Peru (15.5%), Japan (15.7%), Malaysia (10.2%) and Singapore (9.6%) all among the top 15 economies for IPv6 end-user adoption. In the post on the APNIC blog, it notes that “globally, IPv6 adoption has seen a 100% increase in the last 12 months. Although this only represents 4.9% of total users there is reason to be optimistic about the overall trend.”

Neustar is expanding its wings. In 2015 it has acquired Bombora, the registry for the .au and .om ccTLDs, and assets owned by Transaction Network Services, to add to, among other acquisitions, .CO Internet in 2014. And just last week it acquired MarketShare Partners, LLC, a fast-growing marketing analytics technology provider to major brands, for $450 million. The purchase price is effectively reduced to approximately $390 million after taking into account tax benefits resulting from the transaction.

Closed Room TPP And OECD Deals Could Mean End to Whois Privacy

Privacy proxy services used by registrants are under threat following proposals in the Trans Pacific Partnership and from “a new revision of the OECD E-commerce Recommendation that would require domain name registration information to be made publicly available for websites that are promoting or engaged in commercial transactions with consumers,” according to the Electronic Frontier Foundation.

And this, also according to the EFF, when ICANN’s GNSO Privacy & Proxy Services Accreditation Issues Working Group looked like it would “accept that privacy services should remain generally available, including by those who use their domain names commercially.”

Both of these changes are being pushed by the United States with the backing of corporate interests, particularly those in the entertainment industries.

The secretive Trans Pacific Partnership (TPP), a proposed trade agreement between 12 countries – Brunei, Chile, New Zealand, Singapore, Australia, Canada, Japan, Malaysia, Mexico, Peru, the United States and Vietnam – “has just ridden roughshod over that entire debate (at least for country-code top-level domains such as .us, .au and .jp), by cementing in place rules (QQ.C.12) that countries must provide ‘online public access to a reliable and accurate database of contact information concerning domain-name registrants.’

“The same provision also requires countries to adopt an equivalent to ICANN’s flawed Uniform Domain-Name Dispute Resolution Policy (UDRP), despite the fact that this controversial policy is overdue for a formal review by ICANN, which might result in the significant revision of this policy. Where would this leave the TPP countries, that are locked in to upholding a UDRP-like policy for their own domains for the indefinite future?

“The TPP’s prescription of rules for domain names completely disregards the fact that most country code domain registries have their own, open, community-driven processes for determining rules for managing domain name disputes. More than that, this top-down rulemaking on domain names is in direct contravention of the U.S. administration’s own firmly-stated commitment to uphold the multi-stakeholder model of Internet governance. Obviously, Internet users cannot trust the administration that it means what it says when it gives lip-service to multi-stakeholder governance — and that has ramifications that go even deeper than this terrible TPP deal.”

These proposed agreements go against everything that ICANN has sought to achieve through its attempts at improving accountability with its multi-stakeholder model.

For more information see:

The Final Leaked TPP Text Is All That We Feared
https://www.eff.org/deeplinks/2015/10/final-leaked-tpp-text-all-we-feared

U.S. Bypasses ICANN Debates on Domain Privacy with Closed Room Deals at the OECD and TPP
https://www.eff.org/deeplinks/2015/10/us-bypasses-icann-debates-domain-privacy-closed-room-deals-oecd-and-tpp

Domain Registrars Have to Ask ICANN’s Permission to Comply With Laws Protecting Your Privacy
https://www.eff.org/deeplinks/2015/10/domain-registrars-have-ask-icanns-permission-comply-laws-protecting-your-privacy

Voluntary Practices and Rights Protection Mechanisms: Whitewashing Censorship at ICANN
https://www.eff.org/deeplinks/2015/10/voluntary-practices-and-rights-protection-mechanisms-whitewashing-censorship-icann

Domain Name Commission calls for public comment on .NZ WHOIS review

[news release] As part of a wide-ranging two stage review, the Domain Name Commission Limited (DNCL) has today launched the first of two public consultations on the .nz WHOIS.

The WHOIS is the publicly available search service that lets people find registration information for a .nz domain name. Using the WHOIS is commonly known as a ‘domain name search’.

In this first public consultation, members of the public and interested stakeholders are being asked to comment on a number of matters, including why .nz registrant data should or should not be collected and made publicly available in the WHOIS.

To assist with people’s understanding of the .nz WHOIS and how it currently works, DNCL has put together a consultation paper and a one-page overview at https://dnc.org.nz/whois-review-consultation-1.

The deadline for making a submission on the first public consultation is 6 November 2015. Submissions can be made by email to policies@dnc.org.nz, or by mail to PO Box 11 881, Wellington.

A second consultation and public meetings in Christchurch, Auckland, Wellington and online will follow later in the year on what information is displayed in the WHOIS, and how.

Domain Name Commissioner Debbie Monahan says public feedback will help inform DNCL’s thinking as it progresses the WHOIS review, and encourages all interested parties to familiarise themselves with the first public consultation and make a submission.

For more information about DNCL’s .nz WHOIS review process and associated public consultations please visit https://dnc.org.nz/whois-review-consultation-1.

This Domain Name Commissioner news release was sourced from:
dnc.org.nz/story/domain-name-commission-calls-public-comment-nz-whois-review

Privacy Advocates Aghast As Entertainment Industry Pushes For Commercial Registrants To Reveal WHOIS

Privacy advocates are aghast at ICANN’s proposed changes to current rules around privacy and proxy services for domain name registrants. The changes, which many see as being lobbied for by the US entertainment industry, would see “commercial” registrants forced to reveal their identity and contact details.

But the request for comments has outraged many including privacy advocates. The Electronic Frontier Foundation has given an example of “a free community website for transgender authors” that currently uses a proxy registration service keeping the registrant’s details private. The EFF asks whether such a website could be considered commercial, which under the proposals would force the registrant to reveal their contact details, or not.

And as the EFF notes, the proposal is being pushed by US entertainment companies who told Congress earlier this year that domain registration privacy should only be allowed in limited circumstances. The entertainment companies want to be able to use registration data “to discover the identities of website owners whom they want to accuse of copyright and trademark infringement, preferably without a court order.”

In the Initial Report on the Privacy and Proxy Services Accreditation Issues Policy Development Process [pdf] that is open for public comment until 7 July, it asks if “domains used for online financial transactions for commercial purpose should be ineligible for privacy and proxy [P/P] registrations.” And it wants to know why or why not respondents think so.

The paper also requests comments on whether “it would be useful to adopt a definition of ‘commercial’ or ‘transactional’ to define those domains for which P/P service registrations should be disallowed? If so, what should the definition(s) be?”

Additional issues canvassed include what measures should be taken to ensure contactability and responsiveness of providers, as well as whether “full WHOIS contact details for ICANN-accredited privacy/proxy service providers be required?” How to deal with websites with malicious or illegal content is also addressed.

To date there have been well over 10,000 comments submitted, the vast majority opposing the changes.

ICANN: GNSO Privacy & Proxy Services Accreditation Issues Working Group Initial Report

Purpose (Brief): This public comment proceeding seeks to obtain community input on the Initial Report from the GNSO’s Policy Development Process Working Group on issues relating to the accreditation of privacy and proxy service providers.

Public Comment Box Link: https://www.icann.org/public-comments/ppsai-initial-2015-05-05-en

Comment Period Opens on: 5 May 2015

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2015-05-05-en

Nominet Undertaking Contact Data Disclosure in the .UK WHOIS Consultation

Nominet is currently consulting on a proposed policy to clarify what data about registrants is published in the .UK WHOIS and, regardless of what’s published, ensure that accurate data, essential for running .UK, is held.

The deadline for submissions is 3 June 2015.

How to participate

Read the consultation document here [PDF] / [Word Doc].

To review a condensed version of the proposals, without background research or analysis of other policy options, a short version of the consultation document [PDF] / [Word Doc] is available.

For registrars, a document summarising relevant information, with particular regard to practical implementation of the proposals, is available.

The questions are consistent across all documents. Responses can be submitted using the online form here.

The consultation document refers to a range of supporting material, published below under “Appendices to the consultation documents”.

Attend a webinar or roundtable

Nominet will be holding two webinars and a roundtable meeting as part of this consultation, which are open to all stakeholders. Interest can be registered below.

Webinar: 15.00, Thursday 16 April 2015 – Sign up form

Webinar: 11.00, Tuesday 22 April 2015 – Sign up form

Roundtable: 10.30, Thursday 30 April 2015 – Sign up form

Appendices to the consultation documents

ICANN: Call for Volunteers for Implementation Advisory Group to Review Existing ICANN Procedure for Handling WHOIS Conflicts with Privacy Laws

ICANN seeks volunteers to serve on an Implementation Advisory Group (IAG) to review and suggest potential changes to the implementation of the ICANN Procedure for Handling WHOIS Conflicts with Privacy Laws (the Procedure).

What This Team Will Do

The IAG will work with ICANN staff on reviewing the current steps of the Procedure and identifying possible changes to the procedure to facilitate resolution of issues where WHOIS requirements conflict with applicable laws. The IAG is expected to explore whether any of the Procedure’s elements ought to be amended in order to strike this balance. Any recommended changes made will need to be in line with the Procedure’s underlying policy, which was adopted by the GNSO Council in 2005. As a result, recommended changes to the implementation of the procedure, if any, will be shared with the GNSO Council to ensure that these do not conflict with the intent of the original policy recommendations.

How This Team Will Work

Like other ICANN working groups, the Implementation Advisory Group will use transparent, open processes. The meetings of the IAG are expected to take place via conference calls which will be recorded, and the recordings will be available to the public. Initially, it is expected the group will meet once every two weeks, but the IAG will then determine its preferred schedule and methodology. The mailing list for the IAG will be archived publicly. Observers are welcome to join the mailing list to monitor the discussions. These observers will receive emails from the group, but will not be able to post messages or attend meetings. IAG members are expected to submit Statements of Interest (SOI). The group will collaborate using a public workspace.

How To Join

ICANN invites interested parties to join the IAG, which will be open to anyone interested to join. ICANN urges interested community members willing to work on this initiative and with a range of views to join and contribute to the group’s work. As noted above, you can join the IAG either as a member or an observer. Please contact whois-iag-volunteers@icann.org if you wish to join the IAG.

Background

In November 2005, the Generic Names Supporting Organization (GNSO) concluded a policy development process (PDP) on WHOIS conflicts with privacy law which recommended that “In order to facilitate reconciliation of any conflicts between local/national mandatory privacy laws or regulations and applicable provisions of the ICANN contract regarding the collection, display and distribution of personal data via the gTLD WHOIS service, ICANN should:

  1. Develop and publicly document a procedure for dealing with the situation in which a registrar or registry can credibly demonstrate that it is legally prevented by local/national privacy laws or regulations from fully complying with applicable provisions of its ICANN contract regarding the collection, display and distribution of personal data via WHOIS.
  2. Create goals for the procedure which include:
    1. Ensuring that ICANN staff is informed of a conflict at the earliest appropriate juncture;
    2. Resolving the conflict, if possible, in a manner conducive to ICANN’s Mission, applicable Core Values, and the stability and uniformity of the WHOIS system;
    3. Providing a mechanism for the recognition, if appropriate, in circumstances where the conflict cannot be otherwise resolved, of an exception to contractual obligations to those registries/registrars to which the specific conflict applies with regard to collection, display and distribution of personally identifiable data via WHOIS; and
    4. Preserving sufficient flexibility for ICANN staff to respond to particular factual situations as they arise”.

The ICANN Board adopted the recommendations in May 2006 and the final Procedure was made effective in January 2008. Although to date no registrar or registry operator has formally invoked the Procedure, concerns have been expressed both by public authorities as well as registrars and registry operators concerning potential conflicts between WHOIS contractual obligations and local law.

Given that the WHOIS Procedure has not been invoked and yet numerous concerns have arisen from contracted parties and the wider community, ICANN launched a review as part of the Procedure. The review was launched with the publication of a paper for public comment on 22 May 2014. The paper outlined the Procedure’s steps and invited public comments on a series of questions. The body of public comment was analyzed by ICANN staff, and the proposed next step is the formation of an IAG to consider changes to how the Procedure is enacted and used. ICANN staff found common themes among some of the suggestions in the public comments, which may allow for changes to implementation of the Procedure in line with the underlying policy.

On 22 September 2014, the GAC noted [PDF, 55 KB] that the issues around the WHOIS Conflicts with National Law Procedure warrant further time and attention, as they touch on significant public policy matters associated with national laws and the legitimate uses of WHOIS data. The IAG is open to participation and GAC members and other government stakeholders are encouraged to take part in the group to contribute to advancement of the work in this area.

The IAG’s recommendation will then be shared with the GNSO Council to determine the next steps.

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2014-10-14-en

Neylon “Angry, Frustrated And Unhappy” With ICANN

Michele Neylon is not happy with ICANN. Actually, he’s “angry, frustrated and unhappy”.

The reason is, “ICANN has put us and other European Union based registrars in an utterly ridiculous situation,” Neylon wrote on his Blacknight Solutions blog.

“We are expected to ask ICANN for permission to comply with Irish and EU data privacy law.

“Or put another way, an Irish company is obliged to jump through hoops with a California based corporation in order to be able to operate within Irish law.”

It’s a situation that has been brewing for some time, Neylon wrote, with discussions with ICANN happening for the last two years.

His company went from being a domain name reseller to an ICANN-accredited registrar to cut out the middleman. And now a new contract has been published, but as he notes “the new contract has issues if you’re based in the EU.”

“The central tenet of data privacy law is summed up in Article 6(e) of the European Data Protection Directive 95/46/EC which deals with retention of data (emphasis added):
    kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected

“Which under Irish law is Data Protection (Amendment) Act 2003:
    “Article 4 (e). preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored”

“However ICANN explicitly demands that registrars retain the data for way longer.”

Neylon’s problem is that the period of time ICANN want the data to be held is “simply too long”.

To seek some clarification, Neylon reached out to Ireland’s Data Protection Commissioner, and they advised, in short, ‘without any rationale for the data being held for so long they had issues with it’.

The EU also has problems with the requirement. Neylon writes the “European Union, has written to ICANN on several occasions telling them clearly that the 2013 RAA is not compatible with EU law.

“They also made it very clear that they didn’t think it was reasonable to ask every EU based ICANN accredited registrar to jump through hoops to get an exemption to the clauses.”

And then he asks “What did ICANN do about it? Short answer – nothing.”

In his posting, Neylon finds it problematical that ICANN doesn’t understand law.

To read the post in full, see blog.blacknight.com/blow-fuse.html.

ICANN: Status Update from the Expert Working Group on gTLD Directory Services

ICANN has embarked on a journey to reinvent today’s WHOIS system. Help the EWG envision a better system by joining the discussion at ICANN’s Buenos Aires meeting and online.

The Expert Working Group on gTLD Directory Services (EWG) has been working to envision a clean-slate approach to better meet global Internet community needs for domain name registration data with greater privacy, accuracy, and accountability. In its Initial Report [PDF, 1.70 MB] published in June, the EWG recommended a series of principles and proposed a model for the next-generation Registration Directory Service (RDS) to replace today’s WHOIS system.

In advance of the ICANN-48 Meeting in Buenos Aires, the EWG has published a Status Update Report [PDF, 2.26 MB] that provides further insight into the EWG’s analysis and highlights its current thoughts on key issues, after more extensive exploration of open areas and careful consideration of all Community comments received on its Initial Report. As the EWG’s deliberations are on-going, it is hoped that this report will provide insight into the team’s recommendations, answer questions, and stimulate lively Community dialogue in Buenos Aires and online input.

Key issues highlighted in this Status Update Report [PDF, 2.26 MB] include:

  • Identifying the data elements to be freely available on an anonymous basis, and those that might require authenticated, gated access through accreditation for permissible purposes
  • Details on the principles for better privacy or proxy services and a proposal for secured protected credentials for use by at-risk individuals
  • Suggestions to improve data quality through standardization validation, periodic checks, and prevalidated contacts
  • Consideration of jurisdictional and applicable law issues, notably data protection law
  • Suggestions for ensuring harmonized approaches to data protection and security measures, and a framework for binding corporate rules to meet data protection obligations.
  • Exploration of how existing technical protocols could be utilized by the EWG’s recommended implementation model (such as EPP or the RDAP protocol under development by the IETF)
  • Comparison of the current WHOIS system (as improved in the 2013 RAA) to the EWG’s recommended next-generation registration data directory service
  • Description of various implementation models examined by the EWG, including a detailed comparison of pro and cons.

The ideas presented in this Status Update Report are works in progress, not consensus recommendations, and may be further updated by the EWG in Buenos Aires. The EWG hopes to use Community input and research into specific areas to reach fact-based recommendations to be delivered in its Final Report.

Join the discussion

There are several ways to participate in this journey to envision a better system:

What’s Next?

Due to the complexity of the task at hand and the importance of basing any next-generation RDS on a solid understanding of the benefits and impacts that would likely result, the EWG has not yet completed its recommendations, but intends to do so in early 2014, informed by Community feedback and in-depth analysis of selected areas. The EWG expects to reconvene in March 2014 to derive fact-based recommendations, delivering its final report to the ICANN Board before June 2014.

Background

In December, ICANN announced the creation of an Expert Working Group (EWG) on next-generation gTLD Registration Directory Services, as a first step in fulfilling the ICANN Board’s directive to help redefine the purpose and provision of gTLD registration data. The EWG’s findings are expected to serve as a foundation to help the GNSO create a new global policy for the provision of gTLD registration data.

A significant milestone was reached on 24 June 2013 with the publication of the Expert Working Group on gTLD Directory Services (EWG)’s Initial Report and FAQs, opening a consultation period with the ICANN community. The initial report [PDF, 1.70 MB] enumerated the users, purposes, data elements, recommended principles and features, and proposed model to guide the development of a next generation Registration Directory Service (RDS) to replace WHOIS.

The initial report was accompanied by a questionnaire soliciting community input on complex areas needing further analysis to draft consensus recommendations.  While comments were received on the entire initial report, two topics received the most feedback: the EWG’s recommendation to replace fully anonymous WHOIS with a gated access paradigm, and the suggested Aggregated RDS (ARDS) implementation model.

The EWG’s Status Update Report [PDF, 2.26 MB] aims to highlight the EWG’s current thinking on these and many other key issues, after careful consideration of all comments and feedback received to date.  It also provides a great deal more detail on the analysis that lay behind the Initial Report [PDF, 1.70 MB], as requested by the community.

More Information

The EWG work stems from the Board’s directive to redefine the purpose and provision of gTLD registration data, while balancing data accuracy and access issues with safeguards for protecting data. The EWG considered the important community work done over the last decade by the GNSO, the SSAC, the WHOIS Review Team, the GAC and others.

The EWG’s Initial Report [PDF, 1.70 MB] reflects the EWG’s consensus view of design principles and features needed in a new RDS, along with a proposed Model illustrating how these could be fulfilled in the ICANN domain ecosystem. For more information, please refer to the Frequently Asked Questions prepared by the EWG after its Initial Report.

Initial Report Executive Summary

Initial Report

Consultation Archives

To view the Expert Working Group’s activities, please refer to the EWG wiki.

This ICANN announcement was sourced from:
www.icann.org/en/news/announcements/announcement-11nov13-en.htm