Whois Task Force 3 - Summary of Comments

Last Updated: 9 September 2009
WHOIS TASK FORCE 3



Summary of Comments Submitted to WHOIS Task Force 3: Accuracy

July 5, 2004


Brief Summary of Public Comments
Extended Summary of Public Comments
List of Individuals/Organizations Submitting Comments

Brief Summary of Whois Task Force 3 Public Comments

Comments About Whois Accuracy:

In the public comments submitted to whois task force 3, comments by the Intellectual Property interests stated that Whois data accuracy is necessary for them to quickly investigate and prevent copyright infringement. For example, ASCAP wrote, “With accurate publicly available Whois data, ASCAP is able to contact website owners, negotiate performance licenses and fairly distribute royalties to the owners of performed copyrighted music." And the MPA wrote that, "The MPA’s chief concern with the current state of the Whois database is its wild inaccuracy, which makes enforcement much more time-consuming. That delay poses serious threats in the online arena where unauthorized copies of motion pictures costing millions of dollars to produce can be illegally transmitted instantaneously, and without cost, across the world, in high quality digital formats.”

Many comments pronounced that data must be protected before discussing accuracy of the data, and many stated that only technical data should be accurate, personal data should be optional if it is included at all. The public stated that Whois data was originally gathered for technical purposes and only the minimum data needed for technical purposes, the technical data, needs to be accurate for network stability. Other public comments stated that the premise of this task force is mistaken by assuming that accuracy is always desirable.

Other commentators argued that intellectual property enforcement is not a viable use of Whois data and that it should not shape Whois policy. They say intellectual property holders and enforcers are not trying to contact registrants because of technical issues, but rather content issues that should be dealt with through the legal system rather than ICANN. Other comments stated that it is not within ICANN’s mandate to get involved in that debate. Certainly this is a debate that will not be solved within this task force.

Some questioned use of the term “false” to describe inaccurate data and expressed the need for a more neutral term. Some even questioned the value of accuracy, suggesting accuracy would not stop spammers, criminals, etc who will adjust anyway. They suggested the risks to privacy and free expression are too great to require accuracy, particularly when ICANN could be using alternatives other than Whois data to maintain network stability (one suggestion was to use IP addresses). There was also a remark that it would be better to strive for precision in collecting just the data necessary to purchase/sell a domain, rather than require accuracy of many data elements.

The public comments also stated that this council formation of this task force should not have defined privacy as out of scope, saying that privacy protections are key to ensuring accuracy which the task force failed to recognize. The public comments included many statements asserting the right to privacy and free and anonymous speech protections. They repeatedly noted that accuracy requirements of Whois policy, as currently proposed, will violate many national laws. They also repeated the need to submit inaccurate data in order to defend personal information from the many existing vulnerabilities. The public stated that most users who provide inaccurate Whois data do so not out of malicious intent, but out of a reasonable desire to protect their privacy in a system that offers few such protections. They stated that the more valuable the data the greater the incentive to try to protect it by entering inaccurate information included in an insecure database. They also stated that the best way to ensure accuracy is to minimize the amount of sensitive data accessible from the database. They commented that the vulnerabilities of the Whois data lead to inaccurate information entry and therefore, the instability.

Comments on the Recommendations:

There was a significant split in the comments submitted to Task Force 3 and their evaluation of the Preliminary Report and the work of task force 3. The intellectual property representatives (CCDN, ITA, MPA, HBO/Time, ASCAP, Viacom) supported the document and the recommendations. The other public comments heavily criticized the work of the task force, specifically the fact that the task force produced no usable research results and yet determined best practices. Karl Auerbach stated, "I find the report to be inadequate and lacking both the factual and logical foundation to support its conclusions and recommendations."

There were many comments stating the proposals of this task force will violate many national laws. Examples were provided suggesting the proposals of this report would be violations of European, Argentinean, Peruvian, Canadian and Australian law.

Many wrote that the original purpose of whois was purely technical and ICANN and this task force should restrict its recommendations to technical data. Kathy Kleiman suggested a way to move forward is to bind each recommendation to "technical and operational data" [TF2 terminology] or "non-sensitive data" [TF1 terminology]. She suggested this task force carefully stay within the bounds of ICANN's mandate and limit its recommendation to the technical and operational data of the domain name system."

Two of the public comments expressed support for working with the Registrar’s minority report.

Comments were provided on each of the recommendations specifically, most of which were divided with support from the Intellectual Property community and opposition from others. This obviously makes these points of contention difficult to evaluate and solve. There were a few points, however, where there was agreement or where the comments distinctly showed that the recommendation should be altered. Recommendation 8, for example, set a time limit of 15 days for inaccuracy correction. It was suggested by many that this time limit is too short and indeed, too harsh according to the ITA, “there may be situations where a domain name holder has legitimate reasons for not being able to respond with 15 days and losing the domain name would be a harsh result.” CIPPIC suggested a reasonable amount of time would be 30-45 days, Cox said 30 days was insufficient and 90 would be better. Many of the comments submitted argued that this time limit and any sanctions should only apply to the technical data. While there was support for various sanctions for technical data, given the numerous examples of national laws which would be applicable to Whois, it was also suggested that any mention of sanctions should be recommendations only after ICANN has consulted and verified accordance with national laws.

In addition, recommendation 5, it was pointed out, is out-of-scope for this task force. Task force 3 cannot add any data elements, but can only suggest that task force 2 explore the addition of data elements.

There was little agreement amongst the public on responsibility for the costs of accuracy requirements, with suggestions that registrars are responsible, complainants are responsible and arguments for and against registrants being responsible.

Public comments suggested the task force had not studied implementability for accuracy verification. They also pointed out that some of the recommended best practices are identical to policy already adopted and some overlap with WDRP just approved in 2003, and some were previously recommended and found to be un-implementable.

There were many comments submitted suggesting ICANN is barking up the wrong tree with Whois data and suggesting ICANN explore alternatives for maintenance of network stability.

It was pointed out that the task force made no recommendation for a dispute resolution process, nor are there suggestions for any improvement in mechanisms for maintenance of accurate data. The ITA suggested the task force analyze the drawbacks of its recommendations.

Finally, it was suggested that this task force consider Unicode awareness and its role in promoting accuracy. As Chun stated, "The continued use of ASCII makes it impossible for people in many countries to provide accurate data. The entire registrar system has to be unicode aware and some registrars need dragging into the 21st century, as does the domain name system."

Comments Evaluating the Work of the Task Force:

Despite the fact that this task force is interested in consensus, some commentators noted that the vote was extremely divided. They also noted the difficulty faced by this task force in producing any best practices having no data to support their development as a result of the poor survey response rate. They noted the problem faced by this task force developing recommendations independent of the other task forces. The Preliminary Report was faulted for lacking context and not clearly acknowledging the role of the other task forces and its place in the three task force process. As Kleiman, a representative to task force 2, suggested, “TF3 must acknowledge the other two task forces, and that only after the findings and work of TF1 and TF2 is it appropriate to proceed with increased levels of accuracy in the WHOIS. Solve the personal data/sensitive data problem, and accuracy becomes far less controversial to the ICANN community, government leaders and data protection commissioners. Don't solve the privacy problem, and demands for increased accuracy will deeply divide ICANN's communities and governments. TF3 must discuss the larger process in which its recommendations will play out.”

The commentators pointed out that this task force had not determined methods of implementation and nor has it proved implementation of the practices would be possible. It also recommended practices already developed or found to be un-implementable.

Some public comments stated that accuracy needs to be improved and the task force has made significant steps. However, other public comments stated that the privacy problem is immediate and Whois policy needs to be resolved quickly, but that this task force has not progressed very far in this respect. The ITA stated, "it is still very important to collect further information in connection with data accuracy issues in order to determine where efforts are most needed. Consequently, the subcommittee encourages further use and improvement of existing resources such as the Whois Data Problem Report System (WDPRS) in order to collect further information regarding, inter alia, the following up of reported inaccuracies." Still others stated that this task force missed the mark and has not made any recommendations or suggested any best practices that will improve technical stability.


Extended Summary of Public Comments

Comments About Whois Accuracy:

Alan Cox:

"I would also submit that the belief that accurate data will help may be misleading. Spammers likewise can adapt. No registrar has the capability to deal with tracking down organisations that operate forwarding addresses in deepest Siberia. Legitimate useless data is easy to arrange."

Viacom:

“the Viacom Companies rely on real-time, prompt, anonymous, public access to accurate and up-to-date Whois information for enforcement against online copyright and trademark infringement, as well as for management of our domain name portfolios and a host of other legitimate and productive purposes. We use this information on a daily basis to review third party domain name registrations, evaluate infringements and contact the infringers to make them aware of our claims and take further action if necessary. Accordingly, it is crucial that we be able to view accurate information including the registrant and administrative contacts’ names and addresses, and emails or facsimile numbers without onerous restrictions on use.”

Tom Cross:

"Creating an open DNS Whois system with enforced data accuracy is neither practical, nor is it just. It would prevent democratic governments from developing their own policies that balance the various interests involved in Internet content. Furthermore, as many Internet addresses are not associated with domain names, no DNS Whois system will ever be a comprehensive solution to the problem of accountability. ICANN would be well served to focus its energies on the IP address Whois systems instead, were they can make real progress toward a sustainable solution for Internet management without having to unilaterally resolve fundamental questions about freedom of speech."

Jisuk:

“accuracy of personal data in whois database is not necessary, nor always desirable. Since most of the report is based on the assumption that the accuracy of whois data is necessary or desirable, it is difficult to comment on the contents of the report.”

MPA:

“The MPA’s chief concern with the current state of the Whois database is its wild inaccuracy, which makes enforcement much more time-consuming. That delay poses serious threats in the online arena where unauthorized copies of motion pictures costing millions of dollars to produce can be illegally transmitted instantaneously, and without cost, across the world, in high quality digital formats”

IP Justice:

“accuracy of Whois data is not unconditionally desirable and that database protections are necessary to ensure fundamental freedom of expression values.”

Cox:

"There are situations where inaccurate ownership information is essential. Undercover police operations are but one. The policy must not prevent national security considerations."

Rebelljb:

"Should not penalize non-commercial users for providing inaccurate sensitive information such as their names, addresses, or telephone numbers."

Comments by the Intellectual Property interests stated that Whois data accuracy is necessary for them to quickly investigate and prevent copyright infringement

ASCAP:

"Without publicly available accurate Whois data – particularly owner name and contact information -- it would be difficult for ASCAP to determine the owner of web sites that perform copyrighted music. With accurate publicly available Whois data, ASCAP is able to contact website owners, negotiate performance licenses and fairly distribute royalties to the owners of performed copyrighted music."

"ASCAP’s members are also recording artists who seek to prevent piracy of their works, consumers who want to be ensured that the Web Sites they visit are not fraudulent and parents who want the ability to control and hold accountable those that target their children with inappropriate content. In each case, accurate publicly available Whois information is crucial to meet those ends."

MPA:

"The MPA and its member companies make extensive use of Whois information both in their efforts to fight online copyright infringement of motion pictures, and in policing their trademarks for the purposes of investigating infringement and cybersquatting. Prompt access to reliable Whois information allows the MPA to quickly contact those responsible for suspect or illegal online activity, including posting motion pictures to websites, to ensure that the website is taken down or the infringing material removed."

"The MPA’s chief concern with the current state of the Whois database is its wild inaccuracy, which makes enforcement much more time-consuming. That delay poses serious threats in the online arena where unauthorized copies of motion pictures costing millions of dollars to produce can be illegally transmitted instantaneously, and without cost, across the world, in high quality digital formats. The Task Force 3 Report makes numerous recommendations which we support as positive first steps toward actively improving the accuracy of the Whois database. Specifically, we would like to identity some recommendations for further comment."

HBO/Time:

"Whois Data Accuracy is imperative for intellectual property rights holders from an enforcement perspective. Therefore, we concur with the comments already noted by the CCDN, particularly that improving accuracy of Whois data is a high priority matter. Registrars should take steps to verify data submitted to them. Generally speaking, the recommendations of TF3 are reasonable first steps and HBO supports them."

Some of the commentators argued that intellectual property enforcement is not a viable use of Whois data, that it should not shape Whois policy.

IP Justice:

"IP Justice strongly disagrees with the Preliminary Report published by Whois Task Force 3 (WTF3), which basically adopts the position advocated by the intellectual property holders lobby. The May 28, 2004 Preliminary Report proposes shifting the expense and burden of obtaining accurate personal information away from those requesting it and over to the Registrars and Registries. It advocates for requiring Registrars to draft plans to improve the accuracy of personal data and the rightholders’ access to the data. The Whois Task Force 3 Report ignores the reality that may rightsholders regularly abuse this data and overstate their intellectual property rights in order to prosecute or harass individuals for publishing critical or controversial information on the Internet."

Tom Cross:

"A large number of the people who are advocating accurate DNS WHOIS data have absolutely no interest in the security or reliability of the Internet. They are not trying to find a way to contact people because of technical issues. They are intellectual property holders and they want every website to have a public address where they can serve threats of prosecution should they decide that the contents of the website in question offend their interests. These people do not want to comply with the due process that our legal system affords defendants in such cases because its expensive, and because it means explaining their claims to a judge. They don't want to deal with ISPs for similar reasons. Frequently, as I'm sure you are aware, legal threats are sent out which have absolutely no basis in law. The individuals who receive them often have to comply because they simply don't have the resources to defend themselves even if they are in the right. Consider the archives at http://www.chillingeffects.org/ These are not technical security and reliability issues. These are content issues, and they should be dealt with through the legal system, not through ICANN. I strongly urge you to carefully reconsider your position on this matter."

Other comments stated that it is not within ICANN’s mandate to get involved in that debate.

ASCAP:

"We believe it is crucial that a uniform mandatory policy be placed into effect that will require compliance with Whois policies, particularly those regarding the public posting of accurate owner contact information."

Tom Cross:

"It is not important, in this context [ip or privacy], which side of the debate you fall on. The objective question we must ask ourselves is whether ICANN is properly equipped to balance these interests at all. It's hard to see a middle ground here. Either information is collected, or it is not. Either the information is made available, or it is not. How does ICANN plan to sort out who is and is not a legitimate consumer of collected contact information in a tiered access system? Lost in this debate are the purely technical stability, reliability, and security issues that ICANN is responsible for and equipped to address."

CPSR- Peru:

“We find that ICANN must keep the status of technical organization. Having been conceived as a technical body, ICANN should not take any decisions exceeding their purposes. Doing the opposite would only lead to the weakening of ICANN as a respected institution.”

Kathy Kleiman:

"If TF3 recommendations go forward (see concerns below), then it should bound each recommendation to "technical and operational data" [TF2 terminology] or "non-sensitive data" [TF1 terminology]. If TF3 is going to proceed without data gathering and only on the basis of selected constituency statements, then it is incumbent that TF3 carefully stay within the bounds of ICANN's mandate and limit its recommendation to the technical and operational data of the domain name system."

Many comments pronounced that data must be protected first, before discussing accuracy of the data, and many stated that only technical data should be accurate, personal data should be optional if it’s included at all. The public stated that Whois data was originally gathered for technical purposes and only the minimum data needed for technical purposes, the technical data, needs to be accurate for network stability.

CIPPIC:

"Although the Whois was initially developed to facilitate communication between network administrators and to aid in the resolution of technical problems, it has evolved with the development and popularity of the Internet, and is now used for a variety of purposes by businesses, network administrators, law enforcement agencies, and the general public…. the Whois database should be limited in use to facilitating communication between network administrators and aiding in the resolution of technical and operational problems. Registrants have a legitimate and reasonable expectation of privacy and have legitimate reasons for concealing their personal information. Whois data should not be openly available to law enforcement agencies, intellectual property rights holders, or the general public."

Tom Cross:

"Intellectual property interests do not have technical concerns. They are interested in content, and whether or not that content is legal. … There is a legitimate need to contact network operators in the event of a technical problem. People have traditionally relied on the DNS Whois system for obtaining this contact information because people tend to think about networks in terms of domain names. However, technical issues are related to Internet traffic, and Internet traffic comes from IP addresses, not domain names. In fact, IP addresses frequently aren't associated with domain names at all. As the Internet matures the IP address Whois systems are increasingly more valuable for contacting network operators then the DNS Whois system."

Some questioned the term “false” …

IP Justice:

A “fundamental flaw with Whois Task Force 3 is that it conflates “inaccurate” information with “false” information, when the two are substantially different in intentionality."

Kathy Kleiman:

"TF3 must adopt much more neutral terminology throughout its report. Using the phrase "false WHOIS data" conveys a sense of negative intent, such as when a person adopts a "false persona." But inaccurate WHOIS data, on its face and without additional information, has no negative, false or intentional overtones. Inaccurate data can appear in the WHOIS database, as in any database, for an number of reasons including typos, later changes, software error, unintentional swaps (domain name A, but data from domain name B), inaccurate updates, hacking, etc. (I used to be a data security auditor, and saw many ways for inaccurate data to enter systems.) Neither TF3 nor ICANN has the right to presume the intent of the data subject until that intent is proven. Accordingly, it is incumbent on TF3 and ICANN to use neutral, not negative, language and change all references from "false WHOIS data" to 'inaccurate WHOIS data.'"

precision rather than accuracy of many data elements

Auerbach:

"The report begins by failing to comprehend the meaning of "accuracy".

Accuracy is not an absolute term. One definition of accuracy is the absence of incorrect information. In that regard, a blank field on a form is completely accurate. The task force's report makes it clear that this is not the definition of accuracy that is being used by the task force. If the task force wishes its report to itself be able to claim that it is accurate then the task force must necessarily articulate what it means by accuracy.

I submit that accuracy is measured by context. In the case of business data the typical metric of accuracy is whether the data exchanged, in all directions among all parties to the transaction, is whether that data is sufficient to support the business being transacted.

As measured in the context of the registrar-customer transaction the first metric of accuracy is whether the information conveyed at the time of the registration is sufficient to support that registration. The second metric is whether the information conveyed is sufficient to maintain the relationship. And the final metric is whether the information at the time of potential renewal is sufficient to support renewal, if the potential for such renewal was part of the original understanding.

Before going further it is necessary to distinguish the concept of "accuracy" from that of "precision". It is perfectly accurate for every domain name registrant in existence to indicate that he or she lives on planet Earth. But most would not consider that to be usefully precise.

At the time of the initial registration of a domain name the following information needs to be conveyed:

Customer-to-Registrar:
    Desired domain name
    List of name servers

Registrar-to-Customer:
   Whether the name requested name has been allocated to the customer (implying that the name and customer's name server list have been placed into the appropriate zone file.)

The public comments included many statements asserting the right to privacy and free and anonymous speech protections.

Australian Government:

"Privacy is an individual right and bulk access to Whois personal data can be misused to send spam, or for criminal activity such as identity theft and/or fraud. There are many reasons why a domain name registrant may wish to limit access to personal data. While some Registrants may have suspicious intentions, others merely wish to protect themselves from bulk marketing (spam), virus and security related events and/or internet based fraud and swindles, such as false and misleading registration renewals."

Jisuk:

"Having some anonymity may be the only way for ordinary individuals to protect themselves from potential abuse of their personal information. In that sense, sometimes providing false information would be the only practically effective and logically rational way to protect oneself. Concealing one’s identity to gain anonymity on the current network environment is a tool to protect oneself from unknown harm or invasion and to maintain individual control over one’s private space. This kind of “defensive” lying has clear benefits and a positive purpose, and is often permitted in society. In the same token, I think that the protection of registrants’ privacy is worth securing by not forcing to provide absolutely accurate information and imposing disadvantages if they do not comply."

Center for Democracy and Technology:

“Many users who provide inaccurate Whois data do so not out of malicious intent, but out of a reasonable desire to protect their privacy in a system that offers few such protections. As long as users lack confidence that the Whois system is capable of protecting their privacy, the overall accuracy of the database is likely to suffer.”

Right to Free Expression

IP Justice:

"ICANN’s policies for the collection and management of domain name owners’ personal information violate universally recognized freedom of expression rights. Most countries in the world have constitutions or other legal instruments guaranteeing individuals the right to speak, publish, communicate, or otherwise express one’s opinions and views without burdensome governmental restrictions. For example, the United States’ First Amendment to the Constitution guarantees freedom of expression to its citizens in order to foster robust public debate and protect the rights of unpopular or controversial speakers.

A growing number of international agreements also guarantee the public’s freedom of expression rights. For example, the Universal Declaration of Human Rights, proclaimed in 1948 by the United Nations, states, “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers” (Article 19).

Similar freedom of expression guarantees are made in Article 19 of the International Covenant on Civil and Political Rights; Article 11 of the European Union Charter on Fundamental Rights; Article 10 of the European Convention for Protection of Human Rights and Fundamental Freedoms."

Right to Anonymous speech

Tom Cross:

The Supreme Court of the United States eloquently defended anonymous speech in McIntyre V. Ohio Elections Commission (1995):

"Under our Constitution, anonymous pamphleteering is not a pernicious, fraudulent practice, but an honorable tradition of advocacy and of dissent. Anonymity is a shield from the tyranny of the majority. It thus exemplifies the purpose behind the Bill of Rights, and of the First Amendment in particular: to protect unpopular individuals from retaliation--and their ideas from suppression--at the hand of an intolerant society. The right to remain anonymous may be abused when it shields fraudulent conduct. But political speech by its nature will sometimes have unpalatable consequences, and, in general, our society accords greater weight to the value of free speech than to the dangers of its misuse."

Anonymous Speech is a RIGHT, not a privilege. This point has been reaffirmed over and over again by almost 230 years of American jurisprudence of which you surely must be aware. The Federalist Papers, published anonymously, are so fundamental to our system of government that every high school student is required to study them. The Supreme Court has repeatedly defended anonymous speech, and frankly, I cannot express this point more clearly then Justice Stevens did in McIntyre V. Ohio Elections Commission (1995): "Under our Constitution, anonymous pamphleteering is not a pernicious, fraudulent practice, but an honorable tradition of advocacy and of dissent. Anonymity is a shield from the tyranny of the majority. See generally J. S. Mill, On Liberty, in On Liberty and Considerations on Representative Government 1, 3-4 (R. McCallum ed. 1947). It thus exemplifies the purpose behind the Bill of Rights, and of the First Amendment in particular: to protect unpopular individuals from retaliation--and their ideas from suppression--at the hand of an intolerant society. The right to remain anonymous may be abused when it shields fraudulent conduct. But political speech by its nature will sometimes have unpalatable consequences, and, in general, our society accords greater weight to the value of free speech than to the dangers of its misuse." We cannot relegate political speech on the Internet to second class citizenship.

IP Justice:

"Like the right to distribute thoughts and ideas, the right to anonymous publishing is an essential component to freedom of expression guarantees. It protects the most valuable speech in a free society: the views that challenge the status quo, the majority, or government.

The US Supreme Court has historically recognized that the constitution’s freedom of expression guarantees protects a publisher’s right to anonymity. According to the US Supreme Court, the right to speak anonymously, “exemplifies the purpose behind the Bill of Rights, and the First Amendment in particular.” (McIntyre v. Ohio Elections Comm., 514 U.S. 334 (1995).
According to Justice Stevens, anonymity is a prerequisite for speech in some cases. He pointed out that the motivation for anonymous publication may be to avoid social ostracism, to prevent retaliation, or to protect privacy. It is anonymous speech that shields individuals “from the tyranny of the majority … [It] protects unpopular individuals from retaliation – and their ideas from suppression – a the hand of an intolerant society.” Id.

In Watchtower Bible & Tract Society of New York, Inc. v. Village of Stratton, 122 S. Ct. 2080, 2090 (2002), the US Supreme Court ruled that a municipal ordinance requiring pamphleteers to disclose names implicates “anonymity interests” rooted in the First Amendment’s freedom of expression guarantees. The US Supreme Court also struck down a law requiring citizens to wear identification badges because it violated citizens’ First Amendment right to anonymity. (Buckley v. Am. Constitutional Law Foun., Inc., 525 U.S. 182 (1992).

Lower federal courts have specifically extended the right to publish anonymously to the Internet, ruling that “the constitutional rights of Internet users, including the right to speak anonymously, must be carefully safeguarded,” (Doe v. 2TheMart.com, Inc., 140 F. Supp.2d at 1097). The First Amendment right communicate anonymously over the Internet was also upheld in ACLU v. Johnson, 4 F. Supp.2d 1029, 1033 (D.N.M. 1998), aff’d, 194 F.3d 1149 (10th Cir. 1999) and in ACLU of Georgia v. Miller, 977 F. Supp. 1228, 1230 (N.D. Ga 1997), which additionally recognized the constitutional right to communicate pseudonymously on the Internet.

Canadian courts have likewise extended the right to speak anonymously to the Internet.
“Some degree of privacy or confidentiality with respect to the identity of the Internet protocol address of the originator of message has significant safety value and is in keeping with what should be perceived as being good public policy.” Wilkins J. in Irwin Toy v. Doe (2000), 12 C.P.C. (5th) 103 (Ont. S.C.J.)

ICANN’s policies require full disclosure of a domain name registrant’s personal contact information and do not allow people to anonymously register a domain name, even though there are numerous legitimate reasons why a person would need to keep their identity confidential. Human rights workers, religious minorities, political dissidents and other unpopular or controversial speakers risk persecution, even death, for publishing their views and opinions, and have legitimate reasons for maintaining their anonymity.

By preventing anonymous website ownership and publication, ICANN’s policies have the harmful widespread societal effect of preventing Internet publishers’ freedom of expression rights. As explained by US Supreme Court Justice Hugo Black in 1960, “there can be no doubt that such an identification requirement would tend to restrict freedom to distribute information and thereby freedom of expression.” Talley v. California 362 U.S. 60, 64 (1960). ICANN should amend its Whois database policies to permit the anonymous registration of an Internet domain name in order to ensure the historical tradition of the right to anonymous publishing continues into cyberspace."

"The submission of personally identifiable Whois contact data should be made optional. We second ALAC’s recommendation that no further action should be taken to compel unwilling individuals to provide accurate personal data.”

Right to Free Association

IP Justice:

"Closely related to an individual’s right to freedom of expression and anonymity, is the fundamental right to freedom of association. The right to freedom of association forbids the forced disclosure of an individual’s affiliation with advocacy groups.

Citizens of most countries are guaranteed freedom of association rights in their national constitutions or other instruments. Additionally, a fundamental right to freedom of association is guaranteed in most international treaties and agreements that deal with civil rights. For example, Article 20 of the Universal Declaration of Human Rights proclaims that everyone has the right to freedom of association.

Similar guarantees of freedom to associate are contained in Article 21 of the International Covenant on Civil and Political Rights; Article 12 of the European Union Charter on Fundamental Rights; Article 11 of the European Convention for Protection of Human Rights and Fundamental Freedoms.

In NAACP v. Alabama 357 U.S. 449, 462 (1958) the US Supreme Court noted that revealing the names and addresses of NAACP members could have resulted in beatings and lynchings in 1958. The Court ruled that, “compelled disclosure of affiliation with groups engaged in advocacy may constitute [an] effective restraint on freedom of association.”

Because ICANN does not allow for the anonymous registration of a website, registrants are forced to disclose their affiliation with a controversial domain name that engages in advocacy. An anonymous person is simply not permitted to register an Internet domain name, forcing public disclosure and preventing the exercise of freedom of association rights. Under ICANN’s policies, a human rights worker in China cannot register a website without the Chinese government having access to this information, including the activist’s home address and telephone number.

Without freedom of expression and association rights in cyberspace, Internet citizens have less protection to engage in political speech online than they have traditionally enjoyed, causing the quality of debate to suffer. As a quasi-governmental organization undertaking key Internet governance roles, ICANN should abide by international and national legal principles. It should change its Whois database polices to respect freedom of association rights by permitting anonymous domain name registrations. ICANN continues to call its own legitimacy to govern into question by imposing polices that no government would be permitted to get away with."

The public comments also stated that this council formation of this task force should not have defined privacy as out of scope, that privacy protections are key to ensuring accuracy. There is a need to submit inaccurate data in order to defend personal information from the many existing vulnerabilities.

Australian Government:

"Privacy is an individual right and bulk access to Whois personal data can be misused to send spam, or for criminal activity such as identity theft and/or fraud. There are many reasons why a domain name registrant may wish to limit access to personal data. While some Registrants may have suspicious intentions, others merely wish to protect themselves from bulk marketing (spam), virus and security related events and/or internet based fraud and swindles, such as false and misleading registration renewals. There is no empirical data suggesting these issues or the problem of inaccuracy of the Whois data is widespread. However, if permitted to develop, a perceived lack of accuracy of this essential data could lead to a lack of confidence and trust in the credibility of Whois data and the administration of the Internet."

Amanda Reid:

“Privacy protections are key to ensuring accuracy. The more valuable the data the greater the incentive to try to protect it by falsifying information included in an insecure database. The best way to ensure accuracy is to minimize the amount of sensitive data accessible from the database.”Reid

CIPPIC:

“We agree with the statements made by the NCUC that the best manner in which to improve the accuracy of Registrant contact information is to ensure the protection of Registrant personal information. Registrants concerned about their personal privacy will be more likely to provide accurate and up-to-date information if they can be ensured that third parties will not have unfettered access to this information.”

Accuracy requirements of Whois data as currently proposed will violate many national laws.

IP Justice:

WHOIS Accuracy Requirements must adhere to international and national laws – “Domain name registrants must be given an opportunity to correct inaccurate information, suppress personal information disclosures, and have a right to be immediately told when their personal information is disclosed to third parties in accordance with national privacy and consumer protection laws.”

Australian Government:

“It is imperative that the integrity of the Internet be guaranteed and that all Whois data (administrative and technical) be correctly maintained and published to ensure the stability of the Internet. There is a requirement for a balanced approach to managing this situation, in a way that is beneficial to the individuals and appropriate for the Internet as a whole, but importantly in a way consistent with national law.

Privacy and the right to privacy are important individual rights. In Australia, the Privacy Act 1988 is the overarching legislation applying in this area and ccTLD Registrars and Registrants operating in the Australian jurisdiction are subject to the provisions of the Act.

The Australian Domain Administration limited (auDA) is endorsed by the Australian Government to operate the .au domain for the benefit of all Australian stakeholders. auDA regularly reviews its policies and completed a review of its Whois Policy in August 2003. auDA's Whois policy is fully compliant with the Australian Privacy Act. The Australian Government is satisfied with the operation of auDA and its policies.

RSH:

I definitely object to any restrictions imposed that are not sanctioned by Canada or Canadians in general, as well. If actions to restrict my ability to research via IP address are imposed by those outside Canada, I fully believe that they are in violation of my rights under Canadian law as well.

IP Justice:

Examples of International Law in Relation to WHOIS -

ICANN Internet governance policies further erode the public’s privacy protections by ignoring guidelines outlined in key international documents such as the OECD Privacy Guidelines and the UN Guidelines for Personal Data Files.

These international privacy policy guidelines recommend a path to database privacy protection based on a number of widely accepted fundamental principles. Unfortunately, ICANN’s Whois database policies systematically flout the consumer protections recommended in the privacy guidelines.

For example, ICANN’s policies regulating the Whois database ignores the “Collection Limitation Principle” which states that there should be limits on the collection of personal data and that any such data should be obtained by lawful means and with the consent of the data subject, where appropriate. The massive cross-purposes to which the Whois database information is put, also demonstrates a disregard for the “Purpose Specification Principle”, which requires the specific purposes of collected personal data be made clear at the time of collection. The universally accepted “Use Limitation Principle” is also ignored by ICANN’s policy choices regarding the Whois database. This privacy protection principle states the use or disclosure of personal data should be limited to specific purposes stated at the time of collection and that data obtained for one purpose cannot be used for other purposes.

Despite its efforts to function in an Internet governance role, ICANN remains unwilling to provide consumers with the same level of civil liberties and consumer protections that governments would be required to provide, if a government were managing the domain name system.

Examples of National Law Violation -

Canada

Nations have enacted legislation protecting the privacy of database information that ICANN Whois policies routinely violate. In 2000, Canada passed the Canadian Personal Information protection and Electronic Documents Act (PIPEDA), which requires that a consumer be provided with Internet services even if she refuses to consent to the disclosure of her personal information. If Registrars obey this Canadian law and give Canadian website owners the right to decide if their personal information will be published, Registrars will be breach of the contractual obligations to ICANN.

In March 2004, an Ottawa court ruled against the Canadian recording industry in its legal bid to obtain personal information on dozens of Peer-2-Peer (P2P) file-sharers. In balancing the interests of intellectual property claimants to personal data against the privacy rights of consumers, Justice von Finckenstein found that “the privacy concerns outweigh the public interest concerns in favour of disclosure.” BMG Canada v. Doe, 2004 FC 488.

Because ICANN mandates the publication of a website owner’s personal information, its policies violate the consumer privacy protections found in the national laws of Canada. And ICANN’s Whois database policies put Registrars and Registries in the untenable position of having to choose between either violating their customers’ privacy rights or their own contractual obligations to ICANN.

Argentina

Argentina also contains strong privacy protection laws regarding personal data that ICANN Whois database policies violate as a regular course of business. The Argentine Constitution creates a special remedy for the protection of personal data, known as “habeas data”. In Argentina, the protection of personal data is considered a fundamental right. Section 16 of the Argentina Personal Data Protection Act No. 25.326 (Decree No. 1558/2001) grants citizens of Argentina the right to suppress or correct their Whois personal information. Yet ICANN’s polices do not recognize these rights. Section 5 of the Argentine law requires express consent from a person to use or disclose of their personal information. Yet ICANN does not even given consumers a choice to keep their personal information confidential. Section 11 of the Argentine Law guarantees that personal information may only be communicated upon the previous consent of the data subject. It also provides consumers with a right to be informed about who their personal information has been disclosed to and its purpose. (IP Justice)

European Laws

ICANN’s policies for the collection and management of website owners’ personal information also violate a number of international laws designed to protect the privacy of personal data. For example, Article 8 of the EU Charter on Fundamental Rights guarantees Europeans with the right to the protection of personal data concerning him or her. It only permits the use of personal information that was obtained with the consent of the subject or by law, and only for the specified purposes consented to. Article 8 of the European Convention on Privacy provides consumers with similar data privacy protections

Important privacy protections guaranteed to European Union citizens from a 1995 and 2002 EU Data Protection Directive are also infringed by ICANN’s policies over the Whois database of personal information. Article 12.2 of EU Directive 2002/58/EC makes it illegal to publish personal information on subscribers of directories (such as ICANN’s Whois database) without the subscriber’s consent. It also guarantees EU citizens with an opportunity to verify, correct, or withdraw the personal data free of charge. ICANN forces its Registrars and Registries to violate this EU directive when it compels the publication of European website owners’ personal information in the Whois database.

According to the Article 29 Working Group’s “Opinion 2/2003 on the Application of the Data Protection Principles to the WHOIS Directories” published on 13 June 2003 by the independent EU Advisory Body on Data Protection and Privacy:
“In the case where an individual registers a domain name, … while it is clear that the identity and contact information should be known to his/her service provider, there is no legal ground justifying the mandatory publication of personal data referring to this person. Such a publication of the personal data of individuals, for instance their address and their telephone number, would conflict with their right to determine whether their personal data are included in a public directory and if so which.”

ICANN also undermines Article 5 of European Convention on Privacy, which guarantees that information “must be stored for specified purposes and not used in ways incompatible with those purposes.” ICANN officially collects registrants’ personal information under the claim that it is needed for “technical purposes”. But since the Whois database is frequently used by intellectual property claimants, direct marketers, law enforcement agents, and stalkers to obtain personal information on consumers, ICANN’s permitted use of the data vastly exceeds the specified purpose for which it was collected.

CPSR- Peru:

Latin America, Peru

The collection and management of personal data done by ICANN must comply with the data protection principles and standards generally admitted by national laws, international treaties, case law and expert opinions.

Several Latin American countries have enacted laws to protect personal data accordingly to the principles set forth in the laws of the European Union. Perú, Paraguay and Columbia have adopted specific laws; the Constitutional Courts have also held those principles as legally binding. Laws based on the European Union principles are currently in force in Argentina and Chile.

With regard to the right to informational self-determination, the Peruvian Constitutional Court has held that: "the right recognized by Article 2, sec. 6 of the Constitution "is aimed to protect the personal or familiar privacy, the image and the identity vis a vis the danger posed by the usage and potential manipulation of data through electronic computers". (...) "[It] guarantees the right of any individual to preserve [the privacy, image and identity] by means of the control on the collection, usage and dissemination of the concerned data."

The same high Court has also held that "the protection of the right to informational self-determination through habeas data comprises, in the first place, the capacity to demand before a court of law the access to information records, either computerized or not, notwithstanding whatever form they such records assume, where personal data are stored. Such access may be intended to know which data are registered, for which prupose and for whom have those data being recorded, as good as the person(s) retrieving or accessing such information. Secondly, 'habeas data' may be intended to add data to the record, either because an update is required or an inclusion of previously unregistered data is deemed necessary for an adequate reference on the image and identity of the affected person. The referred right, or an habeas data process when the right is denied, allows an individual to rectify the personal or family information recorded, to avoid its dissemination beyond the purposes that gave grounds to its recording, and even delete the data that reasonably should not be stored.(2)

We believe that one of the positive outcomes of using those generally accepted standards and principles will be the submission of more accurate data by the domain registrants, since they would rest assured of a treatment that conforms to the law.

CPSR- Peru:

Constitutional rights, as freedom of expression, are affected when personal information is requested. Most seriously, when such data are managed without compliance of the basic principles of personal data protection.

Anonymity is a right, and also a need, for many persons and organizations. Human rights organizations, investigative journalists, representatives of minority sectors, and aboriginal communities, inter alia, may require their data to be kept confidentially. As long as such right to confidentiality is not guaranteed, the requirement for accuracy in the WHOIS records must be suspended.

Regarding this issue, we must point out the Declaration of Principles on Freedom of Expression of the Inter-American Commission on Human Rights (approved during the 108th Period, October 2000). That document is a set of thirteen principles detailing the requirements for freedom of expression on the grounds of international law and cases. The following statements are among the most significant:

"3. Every person has the right to access to information about himself or herself or his/her assets expeditiously and not onerously, whether it be contained in databases or public or private registries, and if necessary to update it, correct it and/or amend it."

"5. Prior censorship, direct or indirect interference in or pressure exerted upon any expression, opinion or information transmitted through any means of oral, written, artistic, visual or electronic communication must be prohibited by law. Restrictions to the free circulation of ideas and opinions, as well as the arbitrary imposition of information and the imposition of obstacles to the free flow of information violate the right to freedom of expression.(3)"

Freedom of expression is a right protected also by other international Human Rights' agreements, as Article 19 of the Universal Declaration on Human Rights, Article 19 of the International Covenant on Civil and Political Rights, and Article 10 of the European Convention on Human Rights. But the Article 13 of the American Convention on Human Rights has a special value: it gives maximum span to freedom of expression, and puts to a minimum any restrictions on the free flow of ideas (4).

Comments on the Recommendations:

Kathy Kleiman:

"Overall: To all recommendations, I have the same question: what is the basis for these recommendations? Where is the independent data you have gathered in your data gathering phase regarding problems in the ICANN data correction process, as recently revised? Where is the discussion, in each recommendation, of the downsides that it might offer? Where are the limits that stop unreasonable parties from making the WHOIS database a witch-hunt for the individual, organizations and even companies who are exercising their human rights to share controversial political, cultural and personal ideas and have created no technical or operational problem with their domain name use online? I object to each recommendation based on the above questions."

- Recommendations 1 and 2

CCDN:

Contract Compliance: Recommendations 1 and 2 - The CCDN supports these recommendations. In particular, we note the importance of establishing mechanisms for accurately monitoring and reporting on registrars’ compliance with their contractual obligations, particularly with respect to Whois data accuracy. Such data will be critical in determining which registrars are fully complying with the RAA and which are not. Such data, when made publicly available, will greatly enhance transparency and accountability, thus allowing consumers to chose those registrars they feel are best doing their jobs.

Kleiman:

"TF3's recommendation includes: "ICANN should devote additional resources to such a compliance program in order to provide adequate support." In a tight budget, why should ICANN devote further and additional resources to a process in which it seems to be heavily involved already?"

Viacom:

The Viacom Companies support Recommendations 1, 2, 8, 9 and 10, which include mechanisms for requiring the accuracy of the Whois information. We believe that it is the registrar’s responsibility to obtain and maintain accurate registration information for enforcement and accountability purposes. Furthermore, in many cases those who register one domain name with false data have similarly used false data to register other domain names, so under these Recommendations, when any domain name is cancelled or placed on hold for failure to provide accurate contact data, all domain names with similar false contact data should be likewise cancelled or placed on hold. Moreover, ICANN should undertake to create a mechanism to monitor and report registrars’ compliance. Inaccurate or false information results in significant delays and burdens on our enforcement program, and undermines the usefulness of Whois data generally for a wide range of legitimate business purposes.

- Recommendations 3 and 4

CCDN:

"We support these recommendations. ICANN should undertake to examine current registrar data verification practices, and the viability of introducing such methods as manual, and automated spot-checking. In addition, ICANN should look at the data verification practices of other online businesses, such as retailers or financial institutions, and ccTLD registries, and the viability of those methodologies for the gTLD registrar business. Furthermore, if ICANN moves toward a tiered access system which depends upon verification or authentication of the identity of Whois requesters, similar procedures should be applied to verify or authenticate the identity of domain name registrants."

Kleiman:

"TF3's recommendation includes: "Any Best Practices that are viewed as being mechanisms for improving data verification on a global basis should be developed by or under the direction of ICANN, soliciting the cooperation of responsible registrars, and disseminated to accredited registrars and other relevant parties as part of ICANN's ongoing educational and compliance initiatives." Best Practices must be developed with the solicitation and cooperation of all three communities -- data users, data subjects and the registration industry -- not just registrars. The deep concern this issue has raised in the last several ICANN meetings is proof enough that the issues are far reaching and the implications of deep concern for all.

TF3's recommendation also includes: "Specific examination of registrar data collection and protection practices should be undertaken, including investigating all options for the identification and viability of possible: A) automated and manual verification processes that can be employed for identifying suspect domain name registrations containing plainly false or inaccurate data and for communicating such information to the domain name registrant; and b) readily available databases that could be used for or to assist in data verification, taking into account the wide variety of situations that exist from region to region." Why? Where is the data collected in the TF3 data gathering process that leads to this conclusion? This is one of the areas where stretching slightly outside your scope is a good idea. If providing basic privacy protections for domain name owners can dramatically increase accuracy, then the registration industry and ICANN can dramatically decrease costs. Why go the expensive way first?"

- Recommendation 5

CCDN:

"We strongly support the addition of a “last verified date” element and a “method of verification” element to the Whois database. Such elements will significantly contribute to the overall accuracy of Whois and to the security and stability of the domain name system, as recognized by ICANN’s Security and Stability Advisory Committee. "

ALAC:

We read the Task Force's recommendation that "ICANN consider" such a change as a proposal for a future policy-development process. Before such a policy can be adopted, implementability needs to be studied: The basic question here is how to encode the "method of verification" in a way which scales across language barriers, globally. The appropriate place for ICANN's consideration of this proposal would be a future GNSO Task Force.

Kleiman:

"TF3 recommends: ICANN should also consider including the ""last verified date" and "method of verification" as WHOIS data elements, as recommended by the Security and Stability Advisory Committee. This recommendation is clearly out of scope for TF3 and must be deleted or referred to TF2. As you know, your out-of-scope section specifically states: "The task force should not consider issues associated with changing the data elements that are collected. This is the subject of a separate task force."

Viacom:

“The Viacom Companies support Recommendation 5 which proposes the addition of a “last verified date” element and a “method of verification” element to the Whois database. Such elements will significantly contribute to the overall accuracy and reliability of Whois information, and such information is crucial to our enforcement efforts in locating the infringers.”

MPA:

"We support Recommendation 5 which proposes the addition of two new data elements to the Whois database. Including the date of last verification and the method of verification will help Whois users determine whether information for that domain name is reliable. Such reliability is crucial to locating those registrants engaged in infringing activities."

- Recommendation 6

Kleiman:

"This recommendation includes many new steps for Registrar to undertake for accuracy. Where is the data collected by TF3 that shows that current procedures are not working? Where is the warning that adopting these additional procedures, without finding protections against bulk access and to protect privacy (TF1 and 2) could cause even greater conflict with national law and national law enforcement (see concerns expressed to the ICANN community by George Papapavlou, EU, and Giovanni Buttarelli, Italy, at the Rome ICANN Meeting, among others). If TF3 chooses to go forward with this recommendation, it should expressly apply only to technical and operational WHOIS data labeled "non- sensitive" by TF1."

Viacom:

“The Viacom Companies support Recommendation 6, sub recommendation 4, in which registrars would be required to take steps to correct false data in all registrations for which substantially similar Whois information has been shown to be false for one of those registrations. The existence of such duplicate registrations is, under the current system, easily known to each registrar but invisible to the public.”

CCDN:

"The CCDN supports this recommendation. In particular, we strongly agree that such a plan should take into consideration steps registrars would take to correct false data in all registrations for which substantially similar Whois information has been shown to be false for one of those registrations. The existence of such duplicate registrations is, under the current system, easily known to each registrar but invisible to the public."

ALAC:

It's unclear what the status of these recommendations is supposed to be: Is the Task Force suggesting that registrars' development of the plans mentioned be mandatory? Or is the suggestion that ICANN produce a "hall of shame" of registrars who do not comply with non-mandatory measures?

- Recommendation 7

CCDN:

"We support this recommendation."

Viacom:

“The Viacom Companies also support Recommendation 7 which requires that registrants annually update contact information.”

ALAC:

This proposed best practice appears to substantially overlap with the WDRP developed by the DNSO WHOIS Task Force, and approved by the ICANN Board in 2003; see <http://www.icann.org/registrars/wdrp.htm>. Changes to the WDRP at this point of time would be premature.

Kleiman:

"Where does recommendation #7 differ from existing practices?"

- Recommendation 8

ALAC:

It remains unclear what "ICANN should consider" is supposed to mean in this recommendation.

The substance of the proposed registrar practice is also troubling.

The recommendation completely ignores the availability of registrants' postal addresses as an additional channel of contact that can be used by registrars in order to obtain updated phone and e-mail contact data when the data available don't work; note that the collection of facsimile numbers is effectively optional under current RAA language.

The recommendation that domain names be placed on hold "immediately" does not make any sense, and would be harmful: Communication channels have outages which lie outside registrants' responsibility and influence; registrants may be out of reach and may need time to respond. After how many days of non-response is an e-mail address determined "not to work"? After how many days without anyone accepting a call is a phone number found "not to work"?

A proposal containing some similar steps was discussed by the DNSO WHOIS Task Force and the subsequent Implementation Committee. Under that proposal, domains would have been put on hold after 15 days of non-response to accuracy inquiries. The WHOIS Implementation Committee found that recommendation un-implementable, and recommended a 30 day time line instead, see <http://www.dnso.org/clubpublic/nc-whois/Arc00/doc00085.doc>.

The proposed practice would also significantly lower the threshold for cancellation of domain names: The current "willful provision of inaccurate or unreliable information" (RAA 3.7.7.2) standard would be replaced by a diffuse "not all means of communication work immediately" standard, with strict time lines for cancellation. This change would be detrimental to the stability of domain name registrations.

Finally, in cases in which an e-mail address that uses the disputed domian name is the only available means of contact, the proposed policy would actually shut down the only existing communications channel to the registrant.

To summarize, best practice #8 ignores registrants' interests to an extent which borders to contempt. It does not pay attention to the stability of domain name registrations. It does not pay attention to questions of implementability. It ignores previous work and community consensus.

We respectfully suggest that the Task Force give up this recommendation.

CCDN:

"The CCDN strongly supports these recommendations. The ability to swiftly contact the person responsible for a website is imperative for combating online copyright infringement. Such contact should be through prompt means, such as via phone, fax, or email. These recommendations will greatly enhance the likelihood that such contact points are accurate. In addition, as noted above in our comment on Recommendation 6, often those who register one domain name with false data have similarly registered other domain names with false contact data. Recommendation 10 recognizes this reality and proposes that when any domain name is cancelled or placed on hold for failure to provide accurate contact data, all domain names with similar false contact data should be likewise cancelled or placed on hold. When implemented, this recommendation will greatly contribute to improving the accuracy of the Whois database."

IP Justice:

"IP Justice strongly disagrees with the Preliminary Report’s “Proposed Best Practices” Nos. 8-10 which require Registrars to verify at least two or three data elements (phone, fax, email) to obtain a website and all three to reconnect a domain name. No justification is provided for such an extremist position as to require this degree of verified information and intrusion of privacy. The proposals even recommend canceling all of a person’s domain names because her contact data becomes outdated on a single registration, even though the registrations are fully paid for and no illegal activity has taken place."

MPA:

"In addition, we support Recommendations 8, 9, and 10, which propose obligations for registrars to enforce the accuracy of Whois information that they have registered. Registrars must bear some responsibility for the accuracy of the database, and these recommendations help to fulfill that purpose. Specifically, we support Recommendation 10, which states that anytime a domain name registration is put on hold or cancelled due to false contact data, all other domain name registrations using that false data should also be cancelled or placed on hold."

Viacom:

“The Viacom Companies support Recommendations 1, 2, 8, 9 and 10, which include mechanisms for requiring the accuracy of the Whois information. We believe that it is the registrar’s responsibility to obtain and maintain accurate registration information for enforcement and accountability purposes. Furthermore, in many cases those who register one domain name with false data have similarly used false data to register other domain names, so under these Recommendations, when any domain name is cancelled or placed on hold for failure to provide accurate contact data, all domain names with similar false contact data should be likewise cancelled or placed on hold. Moreover, ICANN should undertake to create a mechanism to monitor and report registrars’ compliance. Inaccurate or false information results in significant delays and burdens on our enforcement program, and undermines the usefulness of Whois data generally for a wide range of legitimate business purposes.”

Kleiman:

"TF3 recommends: "ICANN should consider requiring Registrars to verify at least two of the following three data elements provided by domain name registrants - phone, facsimile and email - and ensure that these elements function and that the Registrar receives a reply from these means of communication. Where none of the three data elements works, then the domain name should immediately be placed on hold. If only one of the means of communication works, then the domain name shall be placed on hold for a period of 15 days in which the domain name registrant shall correct all of the WHOIS data elements. If the domain name registrant fails to correct all of the WHOIS." Here, as in #6 above, TF3 must discuss the tension between privacy and accuracy, or it presents a distorted picture. Requiring this type of check, on people's home address and unlisted phone numbers, will greatly a greatly increased level of concern for domain name holders (data subjects) and their governments and data protection commissioners worldwide. TF3 should expressly suggest that this recommendation be held until resolution of TF1 and TF2's issues, or expressly bound to technical contact data only."

ITA:
"The suggested 15-day correction deadline before cancellation of a domain name (item number 8 in the Task Force's list of "Matters Requiring Further Consideration") might end up being a problem rather than an improvement to the current situation. Indeed, there may be situations where a domain name holder has legitimate reasons for not being able to respond with 15 days and losing the domain name would be a harsh result."

- Recommendation 9

Viacom:

“The Viacom Companies support Recommendations 1, 2, 8, 9 and 10, which include mechanisms for requiring the accuracy of the Whois information. We believe that it is the registrar’s responsibility to obtain and maintain accurate registration information for enforcement and accountability purposes. Furthermore, in many cases those who register one domain name with false data have similarly used false data to register other domain names, so under these Recommendations, when any domain name is cancelled or placed on hold for failure to provide accurate contact data, all domain names with similar false contact data should be likewise cancelled or placed on hold. Moreover, ICANN should undertake to create a mechanism to monitor and report registrars’ compliance. Inaccurate or false information results in significant delays and burdens on our enforcement program, and undermines the usefulness of Whois data generally for a wide range of legitimate business purposes.”

CCDN:

"The CCDN strongly supports these recommendations. The ability to swiftly contact the person responsible for a website is imperative for combating online copyright infringement. Such contact should be through prompt means, such as via phone, fax, or email. These recommendations will greatly enhance the likelihood that such contact points are accurate. In addition, as noted above in our comment on Recommendation 6, often those who register one domain name with false data have similarly registered other domain names with false contact data. Recommendation 10 recognizes this reality and proposes that when any domain name is cancelled or placed on hold for failure to provide accurate contact data, all domain names with similar false contact data should be likewise cancelled or placed on hold. When implemented, this recommendation will greatly contribute to improving the accuracy of the Whois database."

IP Justice:

"IP Justice strongly disagrees with the Preliminary Report’s “Proposed Best Practices” Nos. 8-10 which require Registrars to verify at least two or three data elements (phone, fax, email) to obtain a website and all three to reconnect a domain name. No justification is provided for such an extremist position as to require this degree of verified information and intrusion of privacy. The proposals even recommend canceling all of a person’s domain names because her contact data becomes outdated on a single registration, even though the registrations are fully paid for and no illegal activity has taken place."

MPA:

"In addition, we support Recommendations 8, 9, and 10, which propose obligations for registrars to enforce the accuracy of Whois information that they have registered. Registrars must bear some responsibility for the accuracy of the database, and these recommendations help to fulfill that purpose. Specifically, we support Recommendation 10, which states that anytime a domain name registration is put on hold or cancelled due to false contact data, all other domain name registrations using that false data should also be cancelled or placed on hold."

ALAC:

This proposal seems to be substantially identical to policy I.1.B of the DNSO's WHOIS Task Force <http://www.icann.org/gnso/whois-tf/report-19feb03.htm#I>; that policy has been accepted by Council and Board, but has not been implemented, yet. Adopting another, mostly identical consensus policy would appear unwise.

Kleiman:

"TF3 recommends: "Where a domain name registration is canceled due to the non-functionality of WHOIS data elements - phone, facsimile, and email - the domain name can be reconnected for a fee to be set by the registrar. Upon reconnection of any domain name in circumstances where the domain name had been placed on hold or was immediately canceled, the Registrar shall verify all data elements before reconnecting the domain name. The Registrar should ensure that the reconnection charge it imposes is sufficient to cover the costs of the heightened verification it must perform in reconnecting a previously canceled domain." Until the privacy issues are resolved, this cancellation may be viewed as an additional cost for protecting the privacy guaranteed by national law. This raises problems, I am told, under national law. TF3 should be careful to include in its recommendations that the only costs associated with the reconnection of a domain name be fair, reasonable, not excessive, and waived should the registrant prove he/she was protecting right guaranteed by his/her national law or where the fault is that of the registrar (e.g, did not promptly update data)."

- Recommendation 10

Viacom:

“The Viacom Companies support Recommendations 1, 2, 8, 9 and 10, which include mechanisms for requiring the accuracy of the Whois information. We believe that it is the registrar’s responsibility to obtain and maintain accurate registration information for enforcement and accountability purposes. Furthermore, in many cases those who register one domain name with false data have similarly used false data to register other domain names, so under these Recommendations, when any domain name is cancelled or placed on hold for failure to provide accurate contact data, all domain names with similar false contact data should be likewise cancelled or placed on hold. Moreover, ICANN should undertake to create a mechanism to monitor and report registrars’ compliance. Inaccurate or false information results in significant delays and burdens on our enforcement program, and undermines the usefulness of Whois data generally for a wide range of legitimate business purposes.”

Kleiman:

"Recommendation: "When a domain name registration is canceled (or suspended, etc.) for false contact data, all other registrations with identical contact data should be canceled (or suspended, etc.) in like fashion." Absolutely not. TF3 has not thought through the disastrous implications of this policy for domain name holders operating under proxies. There are now cases of proxy services which register thousands of domain names for honest individuals and small businesses, and then the proxy acts in a manner which is improper. Rather than solving the problem in a business-like and professional manner, TF3 recommends the willy-nilly cancellation of thousands of domain names. This is clearly not a well-thought out, well-researched or well-evaluated position. This resolution must deleted absent further, and comprehensive danger, of the full range of its implications. I also think such a recommendation, if followed, must be tied to some proof of technical or operational problem that the set of domain names has caused online."

ALAC:

This proposal ignores identity theft issues: Contact data that perfectly identify the registrant of one domain name can be false for another domain name. Blanket application of this proposal would cause damage to registrants who haven't done anything wrong.

CCDN:

"The CCDN strongly supports these recommendations. The ability to swiftly contact the person responsible for a website is imperative for combating online copyright infringement. Such contact should be through prompt means, such as via phone, fax, or email. These recommendations will greatly enhance the likelihood that such contact points are accurate. In addition, as noted above in our comment on Recommendation 6, often those who register one domain name with false data have similarly registered other domain names with false contact data. Recommendation 10 recognizes this reality and proposes that when any domain name is cancelled or placed on hold for failure to provide accurate contact data, all domain names with similar false contact data should be likewise cancelled or placed on hold. When implemented, this recommendation will greatly contribute to improving the accuracy of the Whois database."

IP Justice:

"IP Justice strongly disagrees with the Preliminary Report’s “Proposed Best Practices” Nos. 8-10 which require Registrars to verify at least two or three data elements (phone, fax, email) to obtain a website and all three to reconnect a domain name. No justification is provided for such an extremist position as to require this degree of verified information and intrusion of privacy. The proposals even recommend canceling all of a person’s domain names because her contact data becomes outdated on a single registration, even though the registrations are fully paid for and no illegal activity has taken place."

MPA:

"In addition, we support Recommendations 8, 9, and 10, which propose obligations for registrars to enforce the accuracy of Whois information that they have registered. Registrars must bear some responsibility for the accuracy of the database, and these recommendations help to fulfill that purpose. Specifically, we support Recommendation 10, which states that anytime a domain name registration is put on hold or cancelled due to false contact data, all other domain name registrations using that false data should also be cancelled or placed on hold."

- Recommendation 11

Kleiman:

"Recommendation: "ICANN staff should undertake a review of the current registrar contractual terms and determine whether they are adequate or need to be changed in order to encompass improved data accuracy standards and verification practices as a result of the current PDP." No, ICANN staff should be asked by TF3 to evaluate current registrar contractual terms only after it receives the Council recommendations regarding all three WHOIS task forces and has a basis for determining the Council's recommendation for both accuracy and privacy standards."

ALAC:

This "best practice" appears to describe an eventual policy implementation process. There is no need to include the demand for such a process as a specific Task Force recommendation.

As a way forward, we recommend that Task Force 3 seriously consider the minority position submitted by the registrars' constituency. This document could provide a basis for improving WHOIS accuracy and registrar compliance with their accuracy-related obligations in a way which is responsive to registrants' and users' needs.

- Recommendation 12

CCDN:

"We strongly support this recommendation. As it is currently drafted, the RAA provides for only one form of sanction for a registrar’s failure to comply with its contractual obligations, including the obligations regarding Whois data accuracy. That sanction is de-accreditation. Because this sanction is so severe, ICANN has overwhelming incentives to refrain from using it. This fundamentally undermines ICANN’s stated goal of improving compliance with contractual obligations, including those contained in the RAA. We agree that a more likely incentive for registrar compliance with the RAA is a scale of graduated sanctions. Different sanctions may apply for different violations, or more severe sanctions could be administered for patterns of bad behavior. Because some of these sanctions stop short of revoking accreditation, ICANN is far more likely to use them, and thus to succeed in its compliance program. In short, we believe that a system of graduated sanctions, applying to violations of the RAA, including those provisions specific to Whois data accuracy, will greatly contribute to more effective compliance enforcement, and thus, to the accuracy of the Whois database as a whole."

Viacom:

“Finally, the Viacom Companies support Recommendation 12, which allows for a scale of graduated sanctions to improve ICANN’s enforcement of registrars’ obligations. Since the penalty of de-accreditation is severe and rarely utilized, different sanctions short of de-accreditation could be applied to different violations contributing to more effective enforcement of compliance, and thus, to the accuracy of the Whois database as a whole.”

Kleiman:

"Recommendation: "ICANN should develop and implement a graduated scale of sanctions that can be applied against those who are not in compliance with their contractual obligations or otherwise violating the contractual rights under these agreements." Only after ICANN has resolved the Catch-22 of national privacy laws and WHOIS collection and disclosure requirements should ICANN move forward with any revised type of sanctions. TF3 should say so."

MPA:

"the MPA supports Recommendation 12. A system of graduated sanctions is an appropriate step to improving ICANN’s enforcement of registrar obligations, particularly the obligations surrounding Whois data accuracy. There must be other penalties available to ICANN in addition to de-accreditation, a sanction so severe that ICANN has little desire to use it. We believe a graduated sanctions system would give ICANN the incentive it needs to actively enforce contractual obligations under the Registrar Accreditation Agreement. These obligations include the registrars’ requirements regarding Whois data accuracy. Actively enforcing these obligations would, in turn, improve the accuracy of Whois as a whole."


GENERAL COMMENTS ON SANCTIONS

Correction opportunities and Suspension

- time limit

CIPPIC:

"Registrants who have mistakenly provided inaccurate data should be given the opportunity to correct the errors without penalty prior to the suspension of their domain name. Failure to properly correct errors within a reasonable amount of time (e.g. 30-45 days) should result in the suspension of the domain name registration. If the Registrant corrects the information during the suspension period, the Registrar should be required to reactivate the domain name. While we agree that the Registrar should be able to charge a fee for re-connection, we believe that this fee should be limited to recovery by the Registrar of the costs of re-registration. Failure to correct errors in contact information after suspension should result in the cancellation of the domain name registration after a reasonable amount of time (e.g. 10-15 days)."

Cox:

"There are situations where 30 days is insufficient. These may arise from non-delivery of documents due to postal errors, holidays, and also in some situations the correction of the data may itself be prevented by ongoing legal dispute (eg domain name ownership disputes). The due process must recognize situations where the data update is itself subject to dispute or being prevented. Unless the data in question pertains to actual network problems there seems to be no justified reason to hurry. It would be better if 90 days were allowed. It would be appropriate if the time constraints were merely guidelines subject to situation."

- sanctions only as last resort

Cox:

"It would also be better if suspension after 30 days was a last resort and only used when actual problems were being caused. Cancellation should never IMHO occur until the payment period for the domain expires, only suspension. This also improves the situation for registrars in locations that have legal precedent holding domain names are property."

- sanctions resulting from technical reasons only

Rebelljb:

"They should only be required to provide accurate technical contact information. Many of them might represent groups that are operating in countries where the governments do not fully respect human rights such as freedom of expression or peaceable assembly. Providing sensitive contact information could not only make such users vulnerable to spamming and criminal activities, but it could also make certain NGOs more susceptible to persecution perpetrated by governments or other groups. Therefore, it would be good for the ICANN to consider not penalizing website owners/operators for providing false names, addresses, telephone numbers, or personal e-mail addresses in the WHOIS database."

CPSR – Peru:

“The parties should not be coercively held accountable by the accuracy of the data they submit, nor be severely punished by lack of accuracy or false data with regard to personal information. Furthermore, those two categories (inaccurate and false data) was not clearly differentiated and treated in distinct ways.

When data is not of a technical nature, no sanctions for inaccuracies (as domain cancellation) should exist. “

RESPONSIBILITY FOR COSTS

- Registrar

HBO/Time:

"Other commercial ventures, such as eBay, have included name and address verification as part of their registration process. We recognize that registrars are volume businesses and verification will cost money. But it should be recognized as a cost of doing business, and if imposed equally on all registrars, will not harm competition. If registrars want a tiered access system that depends on authentication of Whois data requesters, then they should also move toward a registration system that depends on authentication of domain name registrants."

- Complainant

Chun:

“Registrars should be allowed to charge for the correction service of inaccurate whois data to those complainants in order to discourage frivolous complaints through WDPRS. However, to impose some fee to registrants seems to be inappropriate because the corrected contact information of registrants would be potentially beneficial even to those Registrars given the expected re-registration promotion.”

- Payment to Complaining User

rsh:

"When I receive and report a phishing message I should be able to be compensated for that report and ICANN should provide for that as well. Whatever the fee agreed to by ICANN, it should be available as compensation as an inducement to the various registrars and the domain name holders to make an effort to go after those committing these types of crime, instead of leaving it up to the end users of email to protect themselves without any real help from those who benefit from having domains on the Internet, and those who are the registrars under ICANN rules."

- Registrants or not?

IP Justice:

“registrants should not directly or indirectly bear the costs of any data verification service primarily required by third-party data users”

ITA:

"financial burden to be borne by the "bad registrants" In order to improve data accuracy, action needs to be undertaken with full cooperation from all registrars. This can be difficult to achieve if sanctions or other coercive measures are the only tools available to elicit registrar cooperation. As a result, the subcommittee recommends exploring the feasibility of a system in which verification tasks are invoiced to the domain name holder, perhaps by way of a fee for those that do not reply to verification inquiries from the registrars. For example, registrars might be authorized (or even required) by ICANN to automatically charge registrants a "false Whois penalty" when they submit contact data that is inaccurate. Such a penalty could perhaps be based on a multiple of the pro-rated annual registration fee and be payable when the registrant fails to respond to a verification inquiry by the registrar. Registrars would not be required to distinguish between deliberately false and negligently false data. Provided the penalty is sufficient, this system would encourage registrars to act on their own in order to verify the data. Registrants who correct the data would then receive back a portion of the penalty (to be set by ICANN) to encourage them to act in a responsible manner."

- Dispute Resolution Process

Cox:

- Missing a resolution process

begs the existence of proper arbitration procedure to avoid everyone but lawyers suffering.

- Mechanisms for Maintenance of Data

RSH:

Accuracy for large commercial firms not maintained - "I require that all data be ACCURATE. In recent searches I have found inoperative email addresses on file for locations such as Citibank and HP.COM, so it is clear that some names are NOT being maintained, be they the technical contact or the operational contact. This makes reporting of misuse of their domain names difficult."

IP Justice and CIPPIC:

Facilitate accuracy for those wishing to provide it – “We agree, in large part, with the recommendations of the Whois Task Force III At-Large Advisory Committee (ALAC). ALAC suggested that Registrants whose data is inaccurate could be roughly divided into four categories: 1. Those who purposely provide inaccurate data for fraudulent reasons. 2. Those who purposely provide inaccurate data to protect their privacy. 3. Those who mistakenly provide inaccurate data. 4. Those who provide accurate data at registration, but then fail to keep them up to date so that the information becomes inaccurate. As pointed out by the ALAC, it is a waste of both time and effort to attempt to get accurate information from those who do not wish to provide it; those engaged in fraudulent activities are unlikely to provide accurate information voluntarily. WTF3 should instead concentrate on mechanisms to improve the accuracy of contact information for those Registrants falling into the other three categories.

ALAC properly pointed out that one of the primary reasons that Registrants fail to keep their data up to date is the inconvenient, difficult, and often complicated steps which must be undertaken in order to amend contact information. We suggest that all Registrars be required to provide an online mechanism which allows Registrants to access their personal information and make changes as necessary. Similar to above, Registrants who are found to have inaccurate data should be given the opportunity to correct the errors without penalty prior to the suspension of their domain name. Failure to properly correct errors in contact information should result in the suspension and, if not attended to, termination, of the Registrant’s domain name.”

- Notice for Registrants

Center for Democracy and Technology:

“Other incremental changes recommended by the task force to improve privacy are welcome. For example, better notice to registrants of the privacy implications of putting their personal information in the Whois database is a crucial step. The importance of such notice increases as domain name registration becomes easier and more prevalent, including among more novice Internet users who are likely to have a less complete understanding of the Whois system.”

- Need Unicode Awareness

Cox:

"The continued use of ASCII makes it impossible for people in many countries to provide accurate data. The entire registrar system has to be unicode aware and some registrars need dragging into the 21st century, as does the domain name system."

ALTERNATIVE RECOMMENDATIONS

- Preference to Work with Registrar's Document

Chun's comments on the Registrar’s report:

Technical complaints only - We can accept the idea of WDPRS as the useful mechanism for data accuracy, but legitimate complaints in WDPRS should be limited to those things which have some relations with technical function of naming system.

Correction opportunity (no time requirements) w/o suspension If WDPRS report some legitimate complaints to Registrars and if whois data cannot be validated, such measures to freeze or to hold those names until those names in question are to be verified, we agree, could be taken. But in any event, the cancellation of the registered names should not be allowed.

Registrars should charge complainants - Registrars should be allowed to charge for the correction service of inaccurate whois data to those complainants in order to discourage frivolous complaints through WDPRS. However, to impose some fee to registrants seems to be inappropriate because the corrected contact information of registrants would be potentially beneficial even to those Registrars given the expected re-registration promotion.

Multi-lingualism necessary - we emphasize the importance of accommodating multi-lingual registration environment for getting more accurate whois data. To register whois data only in English and the registration information including terms of references which is given only in English in registration process would give enough incentive for non-English speaking registrants to provide inaccurate whois data. Furthermore, those non-English registrants should also suffer disadvantageous conditions even in all other notifications including confirming the expiring valid date. In this respect, Alan Cox's proposal that the entire registrar system has to be unicode aware would be welcomed to all non-English speaking users.

Technical problems only - The accuracy, if it is to be necessarily required as in RAA, is needed for "facilitating timely resolution of any problems that arise in connection with the Registered Name." (RAA 3.7.7.3) That is to say, this accuracy is needed at the event when some technical problem occurs in naming function of the registered name. It means that this accuracy is a safeguard for domain name licensee to get warranty of more stable and reliable naming service rather than to fulfill all other purposes which are not specified in registration process and go beyond the scope of ICANN's mission – the technical coordination of addressing schemes.

Tom Cross (IP Address)

IP Address Solution - develop an enforcement mechanism that ensures compliance from millions of people, many of whom are private individuals and not businesses. The universe of ISPs is smaller by an order of magnitude or more, and in almost every case ISPs are organizations that can afford to implement compliance processes. This problem is much less complex. If we were to require that all organizations which provide network service to third parties register in the IP address Whois system (instead of just the medium and large networks) and require that contact information be renewed on a regular basis, we will have made significant progress toward ensuring that every IP address on the Internet can be quickly associated with technical contact information for the network providing service to that address. (Tom Cross)

Intellectual property interests do not have technical concerns. They are interested in content, and whether or not that content is legal. If ICANN can ensure that every IP address is properly associated with the network that provides service for it, the ITA will be able to contact those network providers when they have a problem with an Internet site (or the DNS registrar if the domain name itself is the problem). These organizations know their customers, because they have to bill them, and often run cables to them. Furthermore, these organizations have ultimate control over the customer's access to the network. Whether the ITA can get the customer's personal contact information from the ISP will depend on the rules of the government of the jurisdiction in question. (Tom Cross)

Creating an open DNS Whois system with enforced data accuracy is neither practical, nor is it just. It would prevent democratic governments from developing their own policies that balance the various interests involved in Internet content. Furthermore, as many Internet addresses are not associated with domain names, no DNS Whois system will ever be a comprehensive solution to the problem of accountability. ICANN would be well served to focus its energies on the IP address Whois systems instead, were they can make real progress toward a sustainable solution for Internet management without having to unilaterally resolve fundamental questions about freedom of speech.

Karl Auerbach

"At the time of the initial registration of a domain name the following information needs to be conveyed:

Customer-to-Registrar:
Desired domain name
List of name servers

Registrar-to-Customer:
Whether the name requested name has been allocated to the customer (implying that the name and customer's name server list have been placed into the appropriate zone file.)

Not all registrations involve money and billing. Nor do all registrations necessarily impute a desire for renewal - one area of domain name businesses that have been arbitrarily foreclosed until now by ICANN have been non-renewable, short term registrations for single-time events, elections, movies, etc.

If a registration involves the payment of a fee, then the exchange of information must be adequate to facilitate the payment of that fee. After that payment, that information is no longer needed to support the registration process. It is a well known principle of privacy that information should be retained only if it is relevant to a transaction. Thus a registrar that is desirous of protecting privacy would be acting quite within reason should it erase transactional information once that information has ceased to be of value.

Maintenance of the relationship between registrar and customer is largely driven by the needs of the customer. For that reason there is no particular reason, in the context of maintenance of the registration information (i.e. the list of name servers) for the registrar to retain precise, that thus privacy infringing, information regarding the customer.

Third parties who today bombard the DNS whois databases are not parties to the maintenance relationship. As task force 1 indicated, such third parties ought to be required to make a preliminary showing that they have reason to examine the registration data. The degree of precision of the data disclosed must, therefore, vary in conformance with the degree of precision of that showing and of the nature of the purported grievance.

Finally, renewal processing only requires sufficient information to consummate the renewal transaction at the time of the transaction - there is no need for such information to be exchanged in advance of renewal or to be retained after renewal.

Additional data gathering and maintenance burdens the system with additional costs. Absent a clear showing of illegal activity on the part of the majority of domain name registrars and customers it would be improper to impose such costs on all transactions. Yet the task force's report seems to have elevated the ill-actions of a very, very few into a blanket accusation against all domain name registrants as a self-bootstrapping argument to encumber the entire domain registration system with excess costs and an institutional system of excess information disclosure amounting to a wholesale violation of the privacy of every member of the community of internet users.

If the demands of such third parties trigger the gathering and maintenance of data above and beyond the data used for registration, maintenance, and renewal then those third parties ought to pay the costs of such gathering and maintenance."

- Verification procedures - ebay model

HBO/Time:

"Other commercial ventures, such as eBay, have included name and address verification as part of their registration process. We recognize that registrars are volume businesses and verification will cost money. But it should be recognized as a cost of doing business, and if imposed equally on all registrars, will not harm competition. If registrars want a tiered access system that depends on authentication of Whois data requesters, then they should also move toward a registration system that depends on authentication of domain name registrants".


Comments Evaluating the Work of the Task Force:

Jisuk:

"putting together best practices is very premature at this time."

Chun:

Report is "based on very poor survey results."

Auerbach:

"I find the report to be inadequate and lacking both the factual and logical foundation to support its conclusions and recommendations."

MPA:

“The Task Force 3 Report makes numerous recommendations which we support as positive first steps toward actively improving the accuracy of the Whois database.”

Chun:

"The vote results for each item of the proposed best practice appears to be extremely split into two non-negotiable factions among stakeholders. This shows up that the present proposal of the TF3 is too immature as well as contradictory to the spirit of consensus building."

CPSR – Peru:

“The parties should not be coercively held accountable by the accuracy of the data they submit, nor be severely punished by lack of accuracy or false data with regard to personal information. Furthermore, those two categories (inaccurate and false data) was not clearly differentiated and treated in distinct ways.

When data is not of a technical nature, no sanctions for inaccuracies (as domain cancellation) should exist. “

Kathy Kleiman:

"I am saddened and surprised by the TF3 report online. It is not a product that in any way resembles the reports produced by WHOIS TF1 or TF2. TF1 and TF2 recognized that there are three major communities involves in the WHOIS debate:

- Data Subjects (domain name holders)
- Data Users
- Registration Industry (data collectors and processors).

For six months all of these communities in TF1 and TF2 have debated, wrestled and worked together to arrive at Interim Reports that reflect a mid-point, a compromise and a way forward. Why didn't TF3 do the same? How can TF3 produce a report in which each and every recommendation is opposed by all of its data subject members and half of the registration industry?

Please move forward only when you have agreement from all three communities above. This is the type of issue that can split ICANN, governments and the Internet community. We worked hard in the other Task Forces to find common ground on complex and controversial issues.
You must the same. TF3 is not the exclusive province of the data users, such as the intellectual property and commercial interests. We have to work through all these issues together, and you have not done your job."

ITA:

The TF should be "taking into account from the outset the possible drawbacks to any proposed system."

Jisuk and Chun:

Expressed preference for working on the Registrars Constituency Minority Report. (Comments made on that document).

Kathy Kleiman:

The TF3 report lacks context and does not clearly acknowledge the role of the other task forces and its place in the three task force process. As you read TF3's work, it seems to stand alone, and that is not the case. As you know, privacy and accuracy are issues of deep concern in the
WHOIS debate. ICANN has been warned not just by data subjects, but also by government representatives and leaders, that the WHOIS practice of publishing personal and "sensitive data" is a violation of national laws, including national data protection laws. Accuracy and privacy must move forward together.

Because privacy is not considered in your scope, TF3 must discuss its out-of-scope limitations in its reports. It is widely speculated that adding privacy to the database will greatly further accuracy (and based on unlisted telephone number models, there is a good basis for making this speculation). Readers must know that there are options for accuracy other than "sticks" and penalties, and that such options could help accuracy advance in a positive manner. Even if you don't explore the issue, you must present its possibility and submit that you felt it was beyond your scope. Not everything has to be based on excessive penalties.

TF3 must discuss its context. Right now, your report seems to exist in its own right. But that is not the way it was envisioned or presented to the Constituencies by Council. TF3 is one of three task forces, all looking at complicated parts of the privacy/accuracy/availability debate in the WHOIS area. TF3 must acknowledge the other two task forces, and that only after the findings and work of TF1 and TF2 is it appropriate to proceed with increased levels of accuracy in the WHOIS. Solve the personal data/sensitive data problem, and accuracy becomes far less controversial to the ICANN community, government leaders and data protection commissioners. Don't solve the privacy problem, and demands for increased accuracy will deeply divide ICANN's communities and governments. TF3 must discuss the larger process in which its recommendations will play out.

CPSR- Peru –

“It is our opinion that ICANN must work to ensure access to accurate information for network administrators, so that they are able to contact domain registrants only for technical issues. However, such actions require to set up adequate policies to secure privacy including reduced access and minimal information requirement to encourage the submission of accurate data.“

ITA:

"it is still very important to collect further information in connection with data accuracy issues in order to determine where efforts are most needed. Consequently, the subcommittee encourages further use and improvement of existing resources such as the Whois Data Problem Report System (WDPRS) in order to collect further information regarding, inter alia, the following up of reported inaccuracies."

Center for Democracy and Technology:

ICANN has a variety of tools at its disposal to protect personal information. “These include tiered access, a robust audit system for Whois queries, and notice to registrants of when their data is accessed. CDT strongly supports the Task Force’s recommendations of further detailed investigation of these approaches. We emphasize, however, that investigation must not become a permanent proxy for actual implementation. The privacy problem—and its flip side, the accuracy problem—are real and immediate.”


Comments Received From:

Jisuk Woo
Professor at Seoul National University
Graduate School of Public Administration
Seoul National University
Jinbonet Korea
email: jisuk@xxxxxxxxx

Chun Eung Hwi
General Secretary, PeaceNet Seoul
Yangchun P.O.Box 81
Seoul, 158-600, Korea
phone: (+82) 2-2166-2205
pcs: (+82) 019-259-2667
eMail: chun@xxxxxxxxxxxxxx

HBO/Time
Erin S. Hennessy
Senior Counsel, Time Warner Inc.
On behalf of Home Box Office, Inc. and Time Inc.

Amanda Reid
JD/PhD Candidate
University of Florida

Canadian Internet Policy and Public Interest Clinic (CIPPIC)
Philippa Lawson, Executive Director
(613) 562-5800 (2556)
plawson@uottawa.ca

Robin Gross, Esq.
Executive Director, IP Justice
+1-415-553-6261
robin@ipjustice.org

Tom Cross

Ryan M. Lehning, Counsel
Copyright Coalition on Domain Names

Steven J. Metalitz
Ryan M. Lehnin, Counsel
Copyright Coalition on Domain Names
CCDN Participants include:
American Society of Composers, Authors, and Publishers (ASCAP)
Business Software Alliance (BSA)
Broadcast Music, Inc. (BMI)
Motion Picture Association of America (MPAA)
Recording Industry Association of America (RIAA)
Software and Information Industry Association (SIIA)
Time Warner
Walt Disney Company

RSH - R.S. (Bob) Heuman
Toronto, ON, Canada
Independent Computer Security Consulting
Web Site Auditing for Compliance with Standards

American Society of Composers,
Authors and Publishers
Sam Mosenkis, Director of Legal Affairs
ASCAP
One Lincoln Plaza
New York, NY 10023
smosenkis@ascap.com

David E. Green
Vice President and Counsel
Technology and New Media
Motion Picture Association of America
202-293-1966 ext. 172
dgreen@mpaa.org

Michael E. Heltzer
External Relations Manager
International Trademark Association

Alan Cox

Rebeljb

Australian Government
Ashley Cross
GAC Representative

Mallory Levitt
Viacom Companies

Karl Auerbach

Mike Steffen
Policy Analyst
Center for Democracy and Technology
http://www.cdt.org/

CPSR-Peru
Katitza Rodriguez
Pedro Mendizábal Simonetti
http://www.peru.cpsr.org

Thomas Roessler
ALAC