2008/05/07 Minutes

Minutes of the Meeting of the CIRA Board of Directors held via teleconference on May 7, 2008, at 3:30 p.m. Ottawa time.

Directors attending: Paul Andersen, Annette Cyr, John Demco (ex-officio and Secretary), Heather Dryden (ex-officio), Christopher Goodfellow, Robert Ford, Byron Holland (ex-officio), Ron Kawchuk, Lynne Mackan-Roy (Vice-Chair), Ross Rader, Bill Reid, Debi Rosati (Chair), Jeff Rybak, Rick Sutcliffe

Regrets: Richard Anderson

Guests: Albert Chang (CIRA), Michael Stewart (CIRA)

Recording Secretary: Lynn Gravel (CIRA)

1. Approval of Agenda

Be it resolved that the agenda be adopted as presented.

(Moved: L. Mackan-Roy, seconded: R. Rader)

R. Ford joined the meeting

2. WHOIS Status and Issue Update

B. Holland provided the Board of Directors with a summary of WHOIS issues and referenced Section 6 of CIRA’s Privacy Policy which permits disclosure of Individual Registrant’s information to third parties through two mechanisms: a Court Order or pursuant to PIPEDA:

6. Disclosure

…We will disclose personal information, other than via the WHOIS, as stated below, and the “Registration Information Access Rules and Procedures”, as explained above, only:

(a) in the event that a law enforcement agency, court of competent jurisdiction, tribunal, judicial board, administrative body, judicial commission, or any other judicial body of competent jurisdiction requests personal information by way of an order, ruling, decision, subpoena, warrant, or judgment; or

(b) pursuant to the Personal Information Protection and Electronic Documents Act S.C. 2000, c. 5;…”

B. Holland noted that in some limited instances a Court Order is unreasonably expensive and time consuming and exposes CIRA to undue liability and risks staff is of the view that it is imperative to properly document the implementation process for Section 6 (b) of the Privacy Policy [permitted disclosure pursuant to PIPEDA].

B. Holland proposed that as part of the implementation of the Privacy Policy and WHOIS, and to ensure compliance with PIPEDA, a procedure be documented which allows disclosure under certain limited and specific circumstances. It was noted that since this procedure is consistent with Section 6 (b) of CIRA’s Privacy Policy, no changes to the Privacy Policy or other CIRA policies would be required. B. Holland advised the board that this was strictly an issue of implementation. Furthermore, PIPEDA required that a process be in place for the disclosure of information and Section 6(b) of the Privacy Policy [permitted disclosure pursuant to PIPEDA] was meaningless without a documented procedure.

B. Holland noted that under this proposed mechanism, CIRA would disclose the name of the Registrant and the contact details for the administrative and technical contact only to requestors who are clearly able to establish that they have a legitimate reason for access to this information and backed by supporting documentation. Supporting documentation would consist of independent or third party proof or validation showing that the requestor has a legitimate reason for access to WHOIS information. Staff foresees two categories of issues: 1) the domain name violates an intellectual property right of the requestor; and 2) the domain name gives rise to a personal claim such as identity theft. Registrants would be advised of this process and consent to it in advance.

Certain members of the Board of Directors raised concerns that this process implied a policy change inconsistent with a previous Board’s original intent and that the process favoured one group over the others. For example, it involved giving administrative process driven disclosure to intellectual property rights holders in advance of other groups such as law enforcement.

M. Stewart stated that he believed this was not a policy change per se. Instead, the proposed change accomplished two goals: defining a process for the existing Section 6(b) of the Privacy Policy, and mitigating the risks posed in Section 6(a). As Section 6(b) provides that CIRA will disclose personal information pursuant to PIPEDA, he felt it was necessary to establish a process for disclosure in order to make this section meaningful. Furthermore, PIPEDA required that a process be in place. Staff believes that the original intent, as is, is valid and reasonable, but that PIPEDA demands a process for disclosure to support Section 6(b).

Staff also noted that they were working in parallel with other groups, namely, law enforcement, with respect to the circumstances in which CIRA will disclose Registrant information. In this regard, the processes for disclosure of WHOIS information for private parties and for law enforcement were working in parallel, and one group was not being favoured over the other.

A. Chang, L. Gravel, B. Holland and M. Stewart withdrew from the meeting and the Board of Directors held an in camera session.

J. Rybak joined the in camera session.

Following the in camera session, A. Chang, L. Gravel, B. Holland and M. Stewart rejoined the meeting.

Concern was expressed that there was not enough time to properly review the implementation procedure with CIRA’s numerous stakeholders. Furthermore, certain of the Board members were of the recollection that it had been decided that Registrant Information would only be disclosed pursuant to a Court Order, irrespective of Section 6(b) of the Privacy Policy, and the requirement of PIPEDA for a disclosure notification and process. In their view, the disclosure of Registrant information without a Court Order was a policy change, which required CIRA to go through the Policy Development Process.

Staff noted that this position contradicted the wording in Section 6(b) of the Privacy Policy. Staff highlighted that the Board had agreed to a Privacy Policy which included Section 6(b) [permitted disclosure under PIPEDA]. Accordingly, it was necessary to document the procedure for disclosure in advance in order to make this section meaningful, and to be compliant with PIPEDA which required that a documented procedure be in place. Given this contradiction, certain members of the Board of Directors discussed deleting Section 6(b), as this was contrary to the intention of a previous Board that Registrant information would only be disclosed pursuant to a Court Order. Staff was requested to look into what would be required in order to delete Section 6(b) of the Privacy Policy, and to report back to the Board.

There was considerable debate between the Board and staff over staff’s proposed implementation procedure where certain of the Board members were of the view that staff was moving too quickly. R. Ford and other Directors suggested that the scheduled June 10th "go live" date for the WHOIS implementation be delayed to complete discussions with Industry Canada and the RCMP. It was suggested that the timelines are now very short and important implementation issues have been raised which need to be properly flushed out and debated. A discussion was held on the advantages and disadvantages of delaying implementation. Several directors and B. Holland commented against delaying implementation given the impact that would have on the WHOIS rollout and CIRA’s credibility, especially given the prior delays. Staff indicated that they felt the discussions with Industry Canada and the RCMP could be properly completed in time for the currently scheduled June 10th implementation. The Board of Directors proposed that staff proceed with the implementation of the new WHOIS on June 10, 2008, with expedited public consultations conducted at the same time on the issue of disclosure of Registrant information. Staff noted that if this was the plan, this meant that there could not be any disclosure exceptions in the interim for any particular stakeholder, and that the discussions with groups such as law enforcement would have to be deferred and be part of the public consultations.

3. Adjournment

The meeting was adjourned at 6:00 p.m. and it was agreed to reconvene on May 9, 2008 at a time to be determined.

Minutes of the Meeting of the CIRA Board of Directors held via teleconference on May 9, 2008 at 8:30 a.m. Ottawa time

Directors attending: Paul Andersen, Richard Anderson, Annette Cyr, John Demco (ex-officio and Secretary), Heather Dryden (ex-officio), Robert Ford, Christopher Goodfellow, Byron Holland (ex-officio), Ron Kawchuk, Lynne Mackan-Roy (Vice-Chair), Ross Rader, Bill Reid, Debi Rosati (Chair), Jeff Rybak, Rick Sutcliffe

Guests: Albert Chang (CIRA), Michael Stewart (CIRA), Len St-Aubin (Industry Canada)

Recording Secretary: Lynn Gravel (CIRA)

1. WHOIS Status and Issue Update

D. Rosati thanked the Board of Directors for their time and discussion regarding this matter since the last meeting and anticipated that a decision would be made at the conclusion of the meeting. D. Rosati introduced Len St-Aubin, Director General, Telecommunications Policy at Industry Canada. L. St-Aubin was asked to join the call to articulate Industry Canada’s position on the WHOIS Policy.

Industry Canada highlighted the importance of taking into account CIRA’s established policy and process when implementing the WHOIS policy. Given the various interests of stakeholders with regard to WHOIS implementation, and the fact that CIRA operates a public resource, CIRA needs to be attentive to a wider range of interests and impacts than a private company needs to be.

The Department further recognised the challenge now facing CIRA as it works to execute the policy in a practical or workable manner. CIRA needs a defensible rationale for implementation measures to be taken, as well as a strategy for notifying the public and the various stakeholder groups involved or affected by the implementation of the WHOIS policy. Industry Canada explained that from the Department’s point of view, such care and consideration is necessary in order to preserve the credibility of the organisation.

Industry Canada strongly urged CIRA to focus simultaneously on the various legitimate uses of the WHOIS, to contend with issues such as, trademark infringement, situations where an individual’s personal name has been used to misrepresent, child exploitation, attacks on the network, and national security (narrowly defined) when considering what circumstances could necessitate provision of the non-published WHOIS name and address of an individual to a third party, without presentation of a court order. Industry Canada also emphasised that the concerns of law enforcement should not be considered secondary to the legitimate interests of other stakeholders.

Industry Canada conveyed that a principled approach based on privacy can be maintained and that, from this perspective, section 6(b) of CIRA’s Privacy Policy could be used to draft an executable process for those situations warranting provision of non-published WHOIS name and address of an individual to a third party, without a court order.

Industry Canada indicated that it remains ready to work with and assist CIRA and the Board in the successful implementation of CIRA’s WHOIS policy.

R. Anderson joined the meeting.

L. St-Aubin withdrew from the meeting.

As a preliminary matter, D. Rosati reminded the Board of Directors of the Directors’ Code of Conduct, specifically, their fiduciary duty to maintain confidentiality as well as to disclose Conflicts of Interest. It appears that there had been some discussions outside the Board and there were concerns that a Board member may have discussed the WHOIS Policy outside the Board. At the request of D. Rosati, M. Stewart summarized the Policy as a general reminder, and referred the Board of Directors to Section 3: Conflict of Interest and Section 4: Confidentiality. An objection was raised to this interpretation of the Policy on the basis that it was important that Board members be allowed to consult with outside people regarding decisions of the Board. M. Stewart articulated that he was simply reading the Policy as is, with no interpretation, and other Board members commented that a Board member should not be discussing Board matters with outsiders without the express consent of the Board. R. Ford asked that any director who may have spoken to or discussed WHOIS policy outside the Board to indicate so, and no such discussions were indicated. D. Rosati asked that each Director declare any conflicts, and no conflicts of interest were declared.

D. Rosati put a suggestion of how to move the meeting forward. Since L. St-Aubin presented Industry Canada’s view, B. Holland would then provide a discussion of the four possible scenarios identified by Staff. A motion would then be put forward for a vote.

A request was made that Directors have an opportunity to present submissions after the vote explaining why they voted the way they did.

B. Holland presented the following four implementation scenarios to the Board of Directors:

1) Implement WHOIS with specified process for Section 6(b)

Under this scenario, CIRA would implement WHOIS on June 10, 2008 with a stringent process outside of Court Orders to allow those with a legitimate reason access to certain Registrant information. This would be limited to (1) law enforcement in the areas of child exploitation, national security, and attacks on the network, (2) intellectual property rights (e.g. trademarks), and (3) personal claims (e.g. identity theft). Parties would be required to show that they had a legitimate reason for the Registrant information, backed by supporting documentation. Non-Law Enforcement parties would also be required to first use the Interested Party Contact Procedure. B. Holland also indicated that there would be a guaranteed consultation process within the first 12 months of the WHOIS launch.

2) Implement WHOIS but with an immediate consultation

Under this scenario, Staff would implement WHOIS and would only disclose Registrant information pursuant to a Court Order. There would be an immediate consultation process throughout the summer on the issue of disclosure, with the Board making a decision around Labour Day. It was noted that Staff would require specific direction from the Board regarding critical requests for Registrant information which could arise before the Board made its decision.

3) Stop implementation of WHOIS, with consultation

Under this scenario, Staff would stop the implementation of WHOIS, and would initiate public consultations. B. Holland noted that this would allow Staff to look at the issues with the benefit of the years of history. However, this scenario would also have certain negative consequences, such as Individual Registrants would be delayed in obtaining privacy protection.

4) Implement WHOIS with no changes or consultations

Under this scenario, Staff would implement WHOIS as is with no changes or consultations. Registrant information would only be disclosed pursuant to a Court Order.

Staff’s recommendation was to proceed with the first scenario. Staff strongly believed that this first option struck the most reasonable balance between the various affected stakeholders and as a result presented the smallest legal and operational risk. B. Holland noted that this scenario was consistent with the principles articulated in Michael Binder’s letter to CIRA of September 15, 2006 in which he recognized “the importance of considering the issues raised by stakeholders about trademark infringement and spamming” and that “it will be important as the new policy is implemented to strike a balance, to the extent possible, between the governing principle of privacy protection and facilitating access, as permitted by the new policy”.

According to Staff, Scenarios two and three offered other avenues for implementation that incurred respectively higher risk and liability profiles, operational overhead, and costs. Staff was of the view that Scenario four presented a significant and unacceptable level of risk to the organization and felt that it was not in the best interests of CIRA or its stakeholders, and strongly recommended that this approach not be considered.

A Board member presented a possible fifth scenario, which would involve the deletion of Section 6(b) of CIRA’s Privacy Policy. However, Staff responded that this appeared to be the same as Scenario 4. If CIRA determined that it would only disclose Registrant information pursuant to a Court Order, this would be inconsistent with Section 6(b) of the Privacy Policy and would require its deletion.

Staff put forward a resolution to the Board of Directors:

Be it resolved that the Board of Directors agrees with staff’s recommendation that they proceed to implement a process, pursuant to Section 6(b) of CIRA's Privacy Policy, whereby certain personal information of Individual Registrants will be disclosed by CIRA under certain circumstances, as follows:

Such circumstances are: Intellectual Property claims (e.g. trademark, copyright), personal claims (e.g. identity theft) and law enforcement matters (i.e. child exploitation, national security (narrowly defined) and attacks on the Internet). Staff will determine the best means, process and documentation to implement such process and circumstances, as well as the necessary communications strategy;

Staff will announce and implement this process by June 10, 2008 (the date the new WHOIS policy is being implemented);

CIRA will hold a public consultation regarding this disclosure process within 12 months of its implementation; and

Staff will update the Board on the implementation of this disclosure process, at the Board of Directors’ meeting on June 3, 2008.

(Moved: L. Mackan-Roy, seconded: A. Cyr, in favour: A. Cyr, R. Ford, C. Goodfellow, R. Kawchuk, L. Mackan-Roy, B. Reid, D. Rosati, R. Sutcliffe; opposed: P. Andersen, R. Anderson, R. Rader and J. Rybak, motion carried).

It was directed that Staff produce an implementation package and communications strategy at the June 3, 2008 meeting.

Directors were advised that they would be given the opportunity to put forward their comments on why they voted the way they had if they wished to do so.

2. Adjournment

There being no further business, on motion by A. Cyr and seconded by R. Sutcliffe, the meeting was adjourned at 9:45 a.m.