A week ago, I published a series of emails between myself and Nominet, over their new ‘data quality policy’, which led to my home address being published against my will on May 30th.
While there was some explanation, it was already lengthy at some 6,000 words, so I felt in the main it could stand as it was. There have been further emails from Nominet, as well as numerous comments on both my article, and a featured piece by The Guardian.
So, I felt it was time to expand on some of the issues and give some kind of commentary, because there seems to be a fair bit of misunderstanding going on here.
First, the further emails.
When I published the initial piece on the 6th (as part of the ‘reset the net’ campaign – a coincidence, not something planned) I had sent a response in the day before (in fact 27 hours earlier) and their statement was that they’d ‘addressed all the points’ previously and they have almost always responded early the next day. So I decided it was time to go public.
I was really lucky in that one of the first people to pick up on the tweet that I used to announce it was Wikipedia supremo Jimmy Wales. He read the emails, and then responded directly to Nominet. That kind of exposure was very influential, and one they clearly couldn’t back down from, because the next day I found this email sitting in my inbox.
As tends to be the case, bad publicity gets results quicker than their own procedures, and facts and logic ever seem to. Also, notice the statement. “I’m dealing with this, and please remove references to the person working for us”.
They want to protect their employees’ privacy, after having stomped all over mine. It’s an issue several people have brought up in the comments as well, and so this seems like a perfect time to explain why.
At the core of this whole issue is my personal information. I have not wanted it published and I have been clearly vocal to them that I do not wish it to be published. Miss Dawson chose to publish my information, not me.
The link I gave was to a site called ‘LinkedIn’. It’s a ‘social media’ site that focuses on business, and employment. A big part of it is about your work history, and lots of recruiters cruise the site looking for people to fill prospective job vacancies. The ‘about us’ page on their site is pretty clear on that. What’s also clear is that, like any social media site, you have to sign up for an account, you have to fill it out, and you have to set your desired level of privacy.
The page was set up by Miss Dawson, filled with information by Miss Dawson, and then published publicly by… Miss Dawson. It is information she compiled with the express purpose of publicly displaying it (I did nothing more to find it than search for ‘Hannah Dawson Nominet’ and it was the first result).
Now, the morning after last week’s piece went out, she realised what had happened, and then decided to make the profile ‘private’, so that the details of her work history are no longer visible. However, as I’d warned her on the 29th when I informed her I would be filing a complaint, information published on the internet cannot be made private later on (and for a whole other kettle of fish on an attempt to deal with that, see the current mess that is the “EU Right to be Forgotten”).
So let’s do a nice recap table.
| | Miss Dawson’s Data | Mr Noton’s Data |
|---|---|---|
| Type of data | Work history (LinkedIn profile) | Home address |
| Who provided it | Miss Dawson | Mr Noton (to his registrar) |
| Intended status of data at time | Public | Private |
| Who authorised the publication | Miss Dawson | Miss Dawson (Nominet) |
Put that way, is it as ‘hypocritical’ as ‘Simon’ says in his comment?
Of course, Simon’s just defending his co-worker, since (as I also pointed out in my response on the 29th) getting an email address is nothing compared to the IP addresses people leave, Simon’s points to Nominet’s own network.
The reality is, she made some information about herself public deliberately and now wants to hide it, but has no problem with making my information public despite me not wanting it published. That’s hypocrisy, Simon.
So, I just *had* to reply, and I did so quite… vigorously. It comes to 4 screen caps because I send plaintext, not HTML, so I’m at a fixed width.
So she has the weekend to think over things, and doesn’t get back to me until June 10th. This is where there’re a few real doozies in there.
Quite a long email from her in fact, so even making it nice and wide requires two screen grabs.
First, note that she’s not digitally signed the email as requested. Scott has already said that the company was set up for it, so it’s not an unreasonable request.
So let’s break down her mail. First lines are fluff, so let’s get to the meat.
She refers to a contract ‘at the point of registration’. In fact the link she points to states ‘this was changed May 4 2014’, thus it’s not the contract I agreed to. Oh dear. It’s not going well for her already.
So, next point, the first relevant section is 4.2. So, what’s it say?
What you Must do
4.2 notify us at once about any court proceedings which involve the domain name; and
Oh dear, a failure again there. Perhaps she meant 4.1
4.1 give and keep us notified of your correct name, postal address and any phone, fax or e-mail information and those of your contacts (if you appoint any, see condition 5.2). This duty includes responding quickly and correctly to any request from us to confirm or correct the information on the register;
She also (correctly) this time refers to 11.2 which states
11. We will make your personal data available in the following ways, but not release it for any other purpose to any other person. We may:
11.2 include it on the WHOIS (which is also available outside the EEA) and PRSS. For these purposes we will publish your name and (unless you are a consumer and choose to opt out) your address, but not your phone or fax number or e-mail address;
Ok, so let’s see her reasoning.
She quotes their definition of correct.
‘correct’ – This means that the information must be good enough to allow us to contact you quickly at any reasonable time without having to get information from anywhere else, must not be deceptive, and (if possible for that type of information) must clearly identify you. For your name this also means that the information must be detailed enough that we can tell exactly who you are (in legal terms, exactly which legal entity we have this contract with).
Unfortunately for her, she’s on a bit of a loser here. She has already demonstrated that the information they have is ‘good enough to allow them to contact me quickly’. Dang.
But what about the name? Doing a little research, it’s pretty clear they’re not going to prevail here either. See, ‘K`Tetch Dureek’ isn’t something I’ve come up with on the spur of the moment and only for this. It’s unique, distinctive, and has been a means of self-identification that I have used since 1996. So it’s pretty clear just who they have that contract with.
In fact, their email request initially went to K`Tetch Dureek, and they got me. If they sent a package via snail-mail to K`Tetch, they’d get… me. Should they call the phone number listed and ask for K`Tetch, they get… me.
Also, there’s this idea of ‘contacting me quickly’. Just how ‘quickly’ are they talking? If my DSL goes down, or I am at Dragon Con (where internet connectivity is almost non-existent because of the crowds) what then? Could they call me? No, cell phone reception is bad for the same reason (70,000 people in 5 city blocks…). That leaves a physical letter. Sorry, but that’s going to take a few days anyway.
And what sort of need do they have for ‘quickly’ anyway? Is there a bomb strapped under the name server listing, and they need to let me know so I can evacuate? Am I at risk of losing a Bazillion bucks from a recently deceased Nigerian Prince because there was a delay in reaching me? Or is it more along the lines of ‘within a week’, which they seem to have managed, quite easily. Remind me why they needed more than a quick email to ‘validate’? Hell, my registrar has my payment info as well. So why do you need more?
Oh, that’s right
They need to be there for the people buying from me.
If only I was actually selling anything to anyone, on my site.
The problem they have is that under UK law, there’s no clear restriction in law about pseudonyms, as long as they’re not used to confuse or deceive. If I’d chosen John Smith (all-around common name, and sometimes pseudonym of the Doctor) for instance, they’d be on stronger ground. Yet with a distinctive (if not unique) pseudonym, used consistently over a period of 18 years, it’s hard to argue it’s an attempt to deceive.
Even Miss Dawson was quick to accept that they knew who they were dealing with after a first reply. In fact, when you actually look at the activity of Nominet, you’ll find that I’ve actually complied with the policy AS WRITTEN. They have, however, decided to take a very narrow interpretation of that policy and make it the only way.
Sorry, but your written legal policy is your written legal policy. If you don’t like your policies having loopholes, then you need to hire better lawyers to write them.
So, now they want me to ‘validate’ for them. An activity that they have been unable to show has a legitimate purpose. But they also want me to provide to them, a company that has already exposed my Personally Identifiable Information (PII) – which is a class of information with a certain legal standing – publicly, even more information, in the form of more documents.
You can’t make this up!
And just to ensure I hand over the information quick-smart, they’ve added a threat. “Do it by the 22nd, or we’re going to take the thing you’ve paid for away” Not very nice of them is it.
I will say this very clearly to Nominet again, as I have through email.
I am in compliance with the letter of your policy under UK law in this matter. You demand that I provide you with further personal information, after you have already shown great disregard for it contrary to UK and EU law, and do so under threat. That is the position of a company who feels itself to be above the law.
That’s just one half of things though. If I don’t jump through their validation hoops, they’ll violate the contract. And since I’m in compliance with the policy as written, that means the contractual breach is by them (anyone know a good lawyer?)
But let’s go to the other half, the bit that exposed my info in the first place, and it’s here I should reveal something.
See, every single day, I’ve been checking the whois information, just to keep track of things. Guess what happened sometime in the 30 minutes either side of this email being sent.
Yep, they’ve decided to ‘opt me out’ again. Amazing, it’s as if they’re worried.
It’s the determination of ‘commerciality’ or not that affects the opt-in/out status. The last 800 words have been about me ‘getting to keep the domain I paid for’. This is about my privacy.
They go with a quick quote from the policy, and then state “it’s not always straightforward, but we’re going to carry on claiming you’re being a company”. That was not in doubt, though, for a very simple reason.
Had they looked at it and said ‘whoops’, you know, you’re right. Your site is a personal one, and should be opted out, they have a problem. Specifically under the data protection rules, they’ve had my PII, and made it public, for no good reason. What’s more, I even asked them to re-evaluate, and hold off on making it public, which they didn’t do. Finally, I’ve made a complaint to the Information Commissioners Office.
If they admit they made a mistake, that means admitting they mishandled my information. It also means they deliberately ignored a request that would have greatly reduced the impact as well. That’s not something the ICO looks kindly on. The last case like this (revealing personal info wrongly) I was involved with that went to the ICO was the case of ACS:law, who lost personal info in an email backup. ACS:law was fined £1000, and only got off so lightly because he had stopped trading and had limited financial means; otherwise it would have been a £200,000 fine. It was also information on 14,000 ISP customers where the security ‘wasn’t fit for purpose’.
Now imagine how many UK domains they’ve potentially opted-in incorrectly. And in this case they’ve done so deliberately, even denying reconsideration. But I will say something else – that they’ve opted me out again means they’re not so sure on the policy now.
Let’s just remind ourselves of their justification again though. It was
- a widget linking to Amazon, where they could buy the paperback edition of ‘No Safe Harbor’ (which is available as a free ebook).
- two Google advert banners (one in the right sidebar and one at the bottom)
- A box to subscribe to the blog which is basically an email version of RSS
- Numerous links to ‘trading websites’
- Some kind of ‘donate’ link, which I can’t seem to find anywhere (unless they’re talking about Flattr, which isn’t a ‘donate’ link)
These are all serious issues, which CLEARLY make this a commercial site. Except I’m not selling anything (except a snazzy line in Pirate Political Thought, which can be yours for the low-low price of £Think critically, honestly and scientifically!). There is no way for a visitor to this site to perform a financial transaction with me.
You can go to Amazon and buy a copy of No Safe Harbor, sure. I won’t see a penny. Any money goes directly to the Florida Pirate Party (and I do mean *directly*. I do not get anything). Oh, and the book sales are all handled through Amazon, and the book is produced through Amazon’s print-on-demand service. Any commercial contract is with Amazon then, and not with me. So there’s no reason that this makes any sort of commercial relationship that needs my details. Oh, except my disclosure that I’m involved with the book (if nothing else, to avoid running afoul of FTC guidelines & regulations).
Google’s advert banners. Here there’s no way at all for a visitor to give me money. The advertiser has a relationship with Google, Google has one with me. There’s no financial relationship with any site visitor. So, again, no business between me and a visitor, amazing. Such adverts are notoriously low paying too, not exactly a big money-spinner, and almost certainly won’t cover hosting costs.
Now we’re onto the heavy stuff, with the email subscription! It’s absolutely clear that an email notification of a new post makes it a commercial site. I mean, obvious, isn’t it? Sarcasm aside, this is *so* completely ignorant, that it’s hard to take anything else from Nominet seriously.
When it comes to numerous links to trading websites though, yes, you got me. I link to Facebook (has its whole ‘credits’ system for games, plus it sells adverts). Then there’s Twitter (sells tweet promotion). Google, reddit, Flattr, LinkedIn, Wikipedia, Nominet – they’re all websites which ‘trade’, and are also some of the very first websites any person will link to (well, except Nominet; people seem to only link to them after Nominet’s done something stupid). That does not make any site a commercial site, however. Nor does it need any ‘validation and publication’ of the domain owner’s PII. If there’s a problem, and a link is used deceptively, there are official bodies people can contact that aren’t just some non-profit with delusions of grandeur, like Trading Standards in the UK, or the Federal Trade Commission in the US.
Oh, and yes, there’s a link to my hosting provider at the bottom. Nominet says ‘it likes people to know who they’re dealing with’; well, visiting here, you’re communicating with the servers of THAT company. They’ve also been an absolute PLEASURE to deal with.
Finally, there’s a ‘donate link’. Amazing, this one I can’t even find. There’s a Flattr link, but Flattr isn’t a donation. With Flattr, you don’t even get to choose how much the person you flattr gets, because it’s more akin to a Facebook ‘like’ combined with a tip-jar. Here’s a nice easy breakdown of how it works. But there is *no* donate link. No point where you can go and say “hey, I’ll send this guy $5” or “my dear chap, have £10”. Don’t know how to say it more simply though, except
THERE IS NOT ONE!
Only a quick point here, and it really does undermine a lot of their case when you think about it. Here, they’ve admitted that their customer service policy and procedures were not as good as they’d have liked. This is a process almost every employee (undoubtedly) uses every single day, and is covered in all initial staff training. So it’s got flaws, and yet their ‘commerciality’ policy doesn’t? Not even willing to consider it? What hubris.
It’s quite puzzling just how I can be “a closer match to being commercial/trading than consumer.” Unless you remember what Scott said last week: “it’s rare that a .uk domain name is able to opt-out of having their address details displayed.” Their process is DESIGNED to classify almost all sites as commercial.
It’s a lot like ‘pornography’. If you ask someone to define it, they’d have a hard time, and then end up saying “I guess I know it when I see it”. That’s Nominet’s policy when it comes to ‘commercial’. They can’t point to anything that is a solid or concrete ‘commercial’ activity, a hard line if you will, but instead decide it’s a judgement call.
That’s fine for personal stuff, but not for policy. It is especially NOT ‘fine’ when it comes to interactions with laws. Why? Because subjectivity is not consistent. Take pornography for instance. I am a white European male in my 30s. I have a pretty liberal attitude to nudity and sexuality – I help run panels on ‘safe BDSM’ each year.
Now take an Afghan warlord (or member of the Taliban). He would see a bare shoulder as indecent, and a thigh would have him getting an aneurysm as he sentenced the woman to punishment for not wearing a chadri.
The same personal levels of ‘indecency’ are for two very different acts. A normal act for the UK, such as wearing a bikini in public, would have an indecency level in Afghanistan that would only be matched by bestiality or paedophilia. The two acts are not comparable except in that, to certain people, each reaches a certain ‘level’.
This is why subjectivity is bad. It’s why, for instance, the UK has a ‘watershed’ for adult programming on TV, and OFCOM has a nice big section of rules defining specifics, because you can’t make and enforce policy on something as variable as someone’s ‘feeling’.
How about, instead, we ask someone that’s really good at deciding if something is a business, or if it’s a hobby. Someone like HM Revenue & Customs perhaps? Let’s see, they say that
It is unlikely that hobbies which involve a registered person making minimal supplies are business. However, in some cases the person’s hobby can lead them to make substantial supplies and may grow to become a business activity. Many successful businesses grow out of a hobby or private interest.
When judging whether a hobby should be seen as a business activity you should consider whether the activity is taxable for income tax purposes. The Income Tax (Trading and Other Income) Act 2005, Part 2, Chapter 2, Section 5 states that:
Income tax is charged on the profits of a trade, profession or vocation.
If I’ve been making profits here, then Google’s been stiffing me. I’ve yet to ever have a year where the ad revenue on this site exceeds the cost of the hosting, let alone the cost of the domain as well. Of course, both of those are peanuts to the real expense, which is the cost of the DSL needed to access this, which is $52/month. So in the eyes of the tax-man, this is not a business.
It’s actually an issue that came up back in my old Robot Combat days. Building them is quite expensive, and some teams managed to get sponsorship. It got to the point where many teams considered making themselves a business, not just to claim tax back, but also because of the limited liability. In the vast majority of cases it failed, because the business ran at a loss; a business run constantly at a loss is a hobby (or a conservative government).
Anyway, onwards! It’s interesting that she seems to think this kind of explanation works; it doesn’t. Until the 4th, every email I had sent had been replied to by a Nominet member of staff by the next business day. There was no response on the 5th, so I decided to publish. The reply above came on the 6th, after they’d clearly gotten calls. They’d decided things were ‘done’ it seems, and she jumped in, because it was going south, publicly.
Finally, notice the threat she ends with. She’s hinting at legal action. Doesn’t bother me at all. It’s actually a sign they’re scared, just like the re-enabling of the opt-out. And the ‘worked with the ICO’ – that can mean nothing more than emailing them and saying ‘hey, we publish the details of commercial sites, and give them a chance to appeal, that ok?’ and them replying ‘probably’. So, perhaps they could detail this ‘worked with’ more clearly.
When you don’t define a commercial site clearly, when the problems are not so much the policy itself, but the definitions used in it, and the method/circumstances of implementation, then the ICO will still have a problem. They may have approved the policy expecting a ‘common sense’ or ‘obvious’ definition of commercial sites, instead of one that Nominet themselves admits is all but impossible to comply with.
So, I basically write this down, and send it back to her.
This morning I get another response.
You’ll notice she now drops any and all mention of ‘commerciality’. Does this mean she knows she’s going to lose on this point? Dunno. It could just be that they’re afraid of digging an even deeper hole.
Instead, she focuses entirely on the issue of ‘verification of identity’. This is an area where, if anything, she’s on shakier legal ground.
Her insistence that it’s “important” for Nominet to be able to identify with some certainty the party they have a contract with is nice to say, but in reality a bit bogus. She admits that I can act pseudonymously if I wish, under UK law.
Despite that, she ‘wants more’. She wants additional ‘verification’ that I am me, and requests additional PII to do so. Oops, bit of a no-no. Kirti, Scott and Hannah have all accepted that K`Tetch=Andrew. They have accepted it, because they’ve dealt with ‘Andrew’ when the only listing is for K`Tetch. Without additional proof they’ve accepted the identity as a pseudonymous one. There has never been any question of this. They have discussed the account with me, they have responded to changes they’ve made on the account.
They have no doubt that K`Tetch=Andrew and Andrew=K`Tetch
So why the demand to obtain more information? Unfortunately (again) for Nominet, you can’t just demand PII without good cause; just ask the EU. On the EU page about data collecting and processing, they have the law broken down into nice easy-to-read chunks.
Under the Data Protection Directive, collecting and processing the personal data of individuals is only legitimate in one of the following circumstances laid down by Article 7 of the Directive:
- Where the individual concerned, (the ‘data subject’), has unambiguously given his or her consent, after being adequately informed; or
Well, I unambiguously and definitively REFUSED to give consent. That one’s down.
- if data processing is needed for a contract, for example, for billing, a job application or a loan request; or
Kinda, yes. However, also no. I entered into a contract with Namecheap, a subcontractor of Nominet. My billing information was handled by them, not Nominet, and was found to be more than accurate for the purpose. Further, that may justify their having the information; it in no way supports their release of the information.
- if processing is required by a legal obligation; or
At no time has any legal obligation been raised.
- if processing is necessary in order to protect the vital interest of the data subject, for example, processing of medical data of a victim of a car accident; or
- if processing is necessary to perform tasks of public interests or tasks carried out by government, tax authorities, the police or other public bodies; or
This is what they’ve been claiming on twitter. It’s “in the public interest” that people know who they’re buying from. This is the rationale behind their ‘opt out policy’. Again, it rests on the definition of commercial that’s entirely vague and subjective, and unlikely to stand to significant outside scrutiny.
- if the data controller or a third party has a legitimate interest in doing so, so long as this interest does affect the interests of the data subject, or infringe on his or her fundamental rights, in particular the right to privacy. This provision establishes the need to strike a reasonable balance between the data controllers’ business interests and the privacy of data subjects.
(While it says ‘does’ the actual text of the directive makes it clear that it should say ‘does not’. Also, the second sentence does not make sense otherwise.)
Final point. They want more PII from me, to do what is claimed to be a legitimate interest, and yet no interest has been stated beyond ‘public trust of websites’ and ‘our new policy’, and they show no compelling business interest for their policy.
If they can’t show that, then they’re basically demanding information they shouldn’t have, and that’s even more of a no-no.
Finally, she ends with a threat that they’ll seize the domain if I don’t give them that info. That’s not good. ‘Run the risk’, not “will” or “in accordance with our policy”, just ‘run the risk’. It’s an admission if nothing else that the policy is arbitrary, and has inherent inconsistency. That doesn’t bode well for them with the ICO, or any other similar body.
So let’s recap. She accepts that pseudonyms ‘not for the purpose of deception’ are allowed under UK law, and that there’s no legal requirement that it be recorded.
She states that it’s ‘important’ to identify with some certainty the party with whom they have a contract. They have had a legally acceptable pseudonym on their records for a number of years, and on the first attempt to contact via those details, have had zero problems. In addition, they immediately recognised the pseudonym for what it was, in all dealings beyond the initial contact. Plus, the contractual details provided via their subcontractor (including billing information) are accurate.
It’s also patently false. Scott Jones has stated to me and others that we can use any legitimate postal address. That, therefore, does not lend itself to ‘verifying who they have a contract with’. So if it can be any ‘legitimate address’, why can’t it be ‘any legitimate name’? Indeed, 123-reg will list that as ‘Identity Protection Service’. So they’d contact them, who would contact me. It actually undermines their claims.
So, they’re ‘merely asking’ (or in reality, demanding) for more ‘proof’ of something they admit has no legal obligation to be registered under UK law, demanding that proof in the form of documentation that would therefore not exist, for a policy that is inconsistent and for which the justification can be circumvented by their own policies.
And if you can make any kind of justification for that, then you’re probably working as Nominet in-house counsel.
Personally, I’m going to continue to fight on.