Telnic, whois and Data Protection

1
Telnic, whois and Data Protection
ICANN, San Juan
June 2007
2
A New Approach
.tel is an innovative top level domain whose
purpose differs from all existing TLDs.
3
Other TLDs are about content
IP Address129.42.18.103
4
.mobi is also about content
www.BMW.mobi
5
.tel is about communication
hertz.tel
tel 442078280000email info_at_hertz.com
6
What contact information can you store?

• Fixed line telephone numbers
• Mobile telephone numbers
• SMS/MMS
• Email addresses
• VoIP/IM ID (skype, AIM, ICQ, etc.)
• Fax numbers
• and much more

7
Telnic-operated Web Gateway to Access .tel from a
Web Browser
PCs
Mac
Mobiles
8
Access .tel fromstandalone applications
9
Unique Features of .tel

• No web sites!
• .tel is about contact data, not content
• Web gateways operated by Telnic
• No user defined address records
• Condition of ICANN contract Telnic charter
• Telnic will police this
• .tel domains contain contact data the registrant
  chooses to publish
• Phone numbers, SIP addresses, IM handles, etc

10
Data Protection Overview

• 8 Principles
• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with an individuals rights
• Secure
• Not transferred to other countries without
  adequate protection

11
Data Protection Concepts

• Personal Data
• Any data identifying a living person
• Data Subject
• Person identified by Personal Data
• Data Processor
• Entity which processes Personal Data on behalf of
  the Data Controller
• Data Controller
• Entity which decides the purposes and manner in
  which Personal Data is processed

12
Export of Personal Data

• Can go to countries having equally strong Data
  Protection standards
• e.g. Rest of the EU
• Two options for other jurisdictions
• EU Model Clauses
• Safe Harbour provisions (if these exist)
• Both mean Data Processor is bound by UK/EU Data
  Protection principles

13
Data Protection Provisions

• Individuals have some control over how their
  Personal Data is used
• Check what datas held about them
• How that data is used processed
• Correct errors
• Data Controllers must respect individuals rights
• Failing to do so has resulted in legal action
• Proceedings against spammers
• Business mis-use of Personal Data

14
whois, Telnic and Data Protection

• Individuals registering .tel domain names have
  rights under the Data Protection Act
• UK Information Commissioners Office issued
  guidance to Telnic saying individuals must have
  the option of having their Personal Data
  disclosed in whois or not.
• Not offering this option breaks the law
• ICANNs registry contract does not provide for
  this option

15
The whois Challenge

• Comply with UK law and discharge Telnics ICANN
  whois obligations to the fullest extent
• Obvious need to strike the best possible balance
• Give individuals an opt-out of whois
• Provide registrant data to those with legitimate
  reasons for requesting it
• A whois service alone cannot address these
  (mutually exclusive?) goals

16
whois Policy Development

• Learned from the experiences of other UK based
  TLDs
• Also had guidance from Information Commissioners
  Office
• Some form of tiered access was the way to go
• Limited data disclosure through whois in some
  cases
• Paid-for access to get access to registry
  database
• For legitimate business purposes
• Law enforcement could get something else

17
Proposed Tiered Access Policy

• Web-based access controlled by user name and
  password
• Sent by paper mail to minimise fraudulent use and
  data mining
• TCs will have Data Protection obligations
• Meant for small numbers of requests
• Real-time access offered as an extra option
• Stricter checking/accreditation
• Tougher Data Protection constraints

18
Proxies

• Not a viable option
• .tel is an sTLD
• All registrants are members of the community
• Registry must have registrant data
• Registry is the Data Controller
• Proxy operators would inherit UK Data Protection
  compliance obligations as a result of their
  relationship with the Data Controller, Telnic
• Safe Harbour and EU model clauses again
• Difficult for Telnic to police
• Telnic probably still liable for breaches by a
  proxy

19
QUESTIONS?