WHOIS Task Force9 August 2005 - Minutes ATTENDEES:
GNSO Constituency representatives:
Jordyn Buchanan - Chair
gTLD Registries constituency - Ken Stubbs
gTLD Registries constituency - David Maher
Registrars constituency - Paul Stahura
Registrars constituency - Ross Rader
Registrars constituency - Tom Keller
Registrars constituency - Tim Ruiz (alternate)
Non Commercial Users Constituency - Milton Mueller
Non Commercial Users Constituency - Kathy Kleiman
Commercial and Business Users constituency - Marilyn Cade
Commercial and Business Users Constituency - David Fares
Intellectual Property Interests Constituency - Niklas Lagergren
Internet Service and Connectivity Providers constituency - Greg Ruth Liaisons
At-Large Advisory Committee (ALAC) liaisons - Wendy Seltzer - absent - apologies
GAC Liaison - Suzanne Sene
ICANN Staff:
Olof Nordling - Manager, Policy Development Coordination
Liz Williams -
Maria Farrell Farrell - ICANN GNSO Policy Officer -absent - apologies
GNSO Secretariat - Glen de Saint Géry gTLD Registries constituency - Phil Colebrook - observer Absent:
Intellectual Property Interests Constituency - Steve Metalitz - apologies
Internet Service and Connectivity Providers constituency - Tony Harris - apologies
Internet Service and Connectivity Providers constituency - Maggie Mansourkia - apologies
Non Commercial Users Constituency - Frannie Wellings
Commercial and Business Users Constituency - Sarah Deutsch - apologies MP3 Recording Agenda
1. Discuss proposal on the Conflict with National Laws procedure
2. Discuss statements on the purpose of Whois and the purpose of the various contacts
3. Discuss recommendation 1 on improving notification to Registered Name Holders of the public access to contact data via the WHOIS service 1. Discuss proposal on the Conflict with National Laws procedure
Jordyn Buchanan referred to Olof Nordling's document that gathered all the constituency statements to date.
Constituency statements had been received from:
The Intellectual Property Interests constituency
The Non Commercial Users constituency on recommendation 2,
gTLD registry constituency
The Internet Service Providers and Connectivity Providers constituency There was general agreement among the members that no further changes were needed to the text in the light of the constituency statements.
The outstanding statements from the Commercial and Business Users and Registrars constituencies should be provided within the next two weeks if they were to be included in the report.
Jordyn Buchanan proposed working with Olof Nordling and getting an initial report out to the list within the next week so that the task force members would have one week to review the report and be ready to vote on 23 August 2005. ACTION - Next steps
- provide Initial report
- vote on initial report on next call 23 August 2005 2. Discuss statements on the purpose of Whois and the purpose of the various contacts Status of constituency statements received:
The Intellectual Property Interests
The Internet Service Providers and Connectivity Providers constituency
The Non Commercial Users constituency on purpose of Whois, (the contacts still outstanding).
Brief overview of the constituency statements: Niklas Largergren summarised the Intellectual Property Interests constituency's statement (IPC) stating that in the IPC’s view, it was clear that the purpose of the Whois database – from its inception, through the commercialization of the Internet, and continuing today – had always included to provide the public with ready access to the identity and contact information for domain name registrants. That purpose had never changed, and registrants have always been on notice of this purpose, regardless of when they registered their domains. This purpose was also fully consistent with the contextual factors listed in Terms of Reference #1.
In addition the constituency provided a background paper which referred to specific national situations such as
European Data Protection Directive, the Canadian Personal Information Protection and Electronic Documents Act, International and National Laws that Relate Specifically to Whois Services, the The Changing Nature of Registered Name Holders, and traced the Whois database back to as early as 1982, during the days of ARPANET, the U.S. Department of Defense’s precursor to today’s Internet.
Milton Mueller referred to "included to provide the public with ready access to the identity and contact information for domain name registrants" and asked why that had been included as it did not refer to the purpose of the Whois data available .
Niklas Largergren responded that use made of the whois data should be distinguished from the actual purpose. The IPC's view was to provide access regardless of the intended use.
Kathy Kleiman noted a change in the IPC view in that National laws did apply to whois data.
Niklas Largergren commented that the 1995 data protection directive was applicable to Whois. There could be deferring points of view on what was meant by applicable and what the consequences of the applicability were but clearly personal data was intended and not sensitive data.
Kathy Kleiman asked whether the statements filed by the European Union regarding the data protection official interpretation of their own laws were included in the background paper.
Niklas Largergren responded that it was their interpretation but not the European Union's position. The Article 29 Working Party was an informal group that gathered the data protection commissioners from the 25 member states of the European Union and they adopted the document but it did not mean that it was the official view of the European Union. The only body which could fully pronounce on the applicability would be the Court of Justice and to a lesser extent the European Commission. The Article 29 Working Party was an advisory group to which the European Commission provided the secretariat.
Kathy Kleiman informed the task force that the NCUC would also be providing a parallel background paper. Greg Ruth said that the Internet Service and Connectivity Providers constituency (ISPCP) view point was that data was needed to provide a service to their customers usually in tracking down perpetrators of illegal or anti-social behaviour and as much information as existed was necessary for this purpose.
Jordyn Buchanan read extracts from the statement:
"The Whois database serves the purpose of providing contact information to the public regarding the individual or organization that has registered a domain name. This is true today, and it has been true throughout the history of the domain name system’s Whois database. The ISPCP believes that regardless of the vast growth of the number of domain registrations, some core principles should remain unchanged, and ready access to all Whois data is one such principle. Despite the confusion over the “use” versus the “purpose”, in fact both are dependant on the type of notice that is provided at time of registration. If adequate notice is provided regarding the intended purposes of data collection, then all uses (but nothing more) consistent with that notice shall be valid. Nevertheless, here again are the following purposes of Whois for the ISPCP. 1. to research and verify domain registrants that could vicariously cause liability for ISPs b/c of illegal, deceptive or infringing content.
2. to prevent or detect sources of security attacks of their networks and servers
3. to identify sources of consumer fraud, spam and denial of service attacks and incidents
4. to effectuate UDRP proceedings
5. to support technical operations of ISPs or network administrators"
Ken Stubbs commented on an apparent contradiction in the ISPCP statement and Verizon's aggressive defense of a suite filed by the recording industry where they refused access. If there was legitimate right to access, that right needed to be clearly indicated.
Greg Ruth commented that there was a distinction between what was accessible by the general public and what needed to be accessed by the service providers who had access to as much data as required , however if there were a consent statement of trust with a registrar to supply data, then that too was appropriate to provide all the access needed.
Milton Mueller asked how the concepts of the usefulness of the data were linked to the ICANN mission and Greg Ruth responded that "stability of the Internet " was the link.
Did ISPs need to know the identity of the registrant or did they need to contact the registrant? The more information there was the better the inappropriate use of network problems like fraud, spam, could be resolved.
Problems could be divided into technical and contact. Milton Mueller and Kathy Kleiman over viewed the Non-commercial Users constituency statement
"The importance of defining "purpose" Regarding international and national privacy laws, NCUC notes that it is well-established in data protection law that the purpose of data and data collection processes must be well-defined before policies regarding data collection, use and access can be established. The need for an explicit, well-defined purpose is meant to protect data subjects from abuse by either the data collectors or third parties using the data. A definition of purpose is intended to impose strict constraints on the collection and use of contact data. WHOIS and ICANN's mission and core values Regarding ICANN's mission and relevant core values, we note that ICANN's mission is primarily technical: In enumerating ICANN's core values, we find that the first three are most relevant to a discussion of WHOIS and its purpose: 1. Preserving and enhancing the operational stability, reliability, security, and global interoperability of the Internet. 2. Respecting the creativity, innovation, and flow of information made possible by the Internet by limiting ICANN's activities to those matters within ICANN's mission requiring or significantly benefiting from global
coordination. 3. To the extent feasible and appropriate, delegating coordination functions to or recognizing the policy role of other responsible entities that reflect the interests of affected parties. The original purpose of the WHOIS protocol, when the Internet was an experimental network, was the identification of and provision of contact information for, domain administrators for purposes of solving technical problems. Vinton G. Cerf, speaking at the "Freedom 2.0" conference held in Washington DC in May 2004 confirmed directly that the original purpose of WHOIS was indeed purely technical.** Further, Core Value #3 expressly recognizes the "policy role" of "other ,responsible entities." It is incumbent on ICANN to limit its role in the collection, use and especially disclosure of data to only that needed for technical
and operational tasks. Proposed definition of purpose:
NCUC proposes the following definition of purpose for the WHOIS service:
The purpose of the WHOIS is to provide to third parties an accurate and authoritative link between a domain name and a responsible party who can either act to resolve, or reliably pass information to those who can
resolve, technical problems associated with or caused by the domain. By "technical problems" we mean problems affecting the operational stability, reliability, security, and global interoperability of the Internet. Excluded or invalid purposes It is important to also identify purposes that are inconsistent with ICANN's stated mission and core values. First, WHOIS is not designed to be a global data mining operation with completely unlimited access to all registrant data by any Internet user for any purpose, including marketing. Second, the purpose of WHOIS data is not to facilitate legal or other kinds of retribution by those interested in pursuing companies and individuals who criticize and compete against them. Third, the purpose of WHOIS is not to expand the surveillance powers given to law enforcement under law, or to bypass the protections and limitations imposed by sovereign governments to prevent the abuse and misuse of personal data, even by law enforcement. CONCLUSION Overall, the published WHOIS data should serve only the original purpose of the database and the powers of ICANN - technical and interoperability functions of ICANN. Additional access to information should be regulated otherwise. "
Milton Mueller commented that he had difficulties with fraud being presented as a security and stability issue and was of the opinion that it was a policy law enforcement issue.
Jordyn Buchanan asked how not displaying the broader possible range of Whois data would be viewed by the NCUC as meeting the ICANN core mission?
Milton Mueller referred back to the concept of purpose in the data protection laws and stated that the purpose was to resolve technical problems associated with the domain name and the IP address system, thus any data that was not absolutely necessary to fulfill that purpose should not be made available to third parties. David Maher commented that the gTLD registries fundamentally agreed with the NCUC that there was no need to make all of the information public. The IPC background paper presented a distortion of the European Commission position stating that the European Commission supported the total public availability of personal data. The statement was so grossly out of perspective that the IPC should consider withdrawing the statement.
The Commission statement cited in the footnote was also erroneous and the accurate cite was:
Article 29 Working Party Opinion 2/2003 on the application of the data protection principles to the Whois directories, available at
http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2003/wp76_en.pdf
Further David Maher quoting from the Working Party Opinion:
“…it is essential to limit the amount of personal data to be collected and processed.”
“The registration of domain names by individuals raises different legal considerations than that of companies or other legal persons registering domain names.”
“In the light of the proportionality principle, it is necessary to look for less intrusive methods that would still serve the purpose of the Whois directories without having all data directly available on-line to everybody.”
In conclusion:
“The Working Party encourages ICANN and the Whois community to look at privacy enhancing ways to run the Whois directories in a way that serves its original purpose whilst protecting the rights of individuals. It should in any case be possible for individuals to register domain names without their personal details appearing on a publicly available register.”
[emphasis in original]
The European Commission had made it very clear what their views were, and it was not what the Intellectual Property Constituency had represented the views to be.
Davis Fares sought clarification about a unified European Commission position on the issue and did not believe that there was one.
David Maher said he was referring to the use of the Article 29 Working Party Opinion in 2003 which was the base support of the IPC background paper.
Suzanne Sene stated that there would be a publicly available report on the Whois/Law Enforcement session in Luxembourg. Another workshop was being planned in Vancouver to focus on some of the public policy aspects of the use of Whois data protection.
David Fares commented from the CBUC's statement still in draft form:
" The Whois database may have originally been conceived as a database of technical contacts. However, the Internet has evolved through commercialization, becoming a medium for commerce and a source of information. The purpose of the Whois database must therefore reflect this evolution. With the above in mind, the BC proposes the following purpose of the Whois database: A database of contact information sufficient to contact the registrant or their agent(s) to enable the prompt resolution of technical, legal and other matters relating to the registrant’s registration and use of its domain name." Clarification was sought on "agent", generally someone acting on behalf of the registrant, an ISP or an anonymysing company etc.
Ross Rader suggested that another term be used as "agent" had a strict legal definition. Jordyn Buchanan suggested further discussion on the European Union perspective.
Niklas Largergren commented that the 1995 Data Protection Directive was applicable, but questioned the meaning of applicability. A basic confusion was the belief that any processing of personal data was prohibited and in fact the Directive stated that the only data that could not be processed was sensitive data, such as sexual orientation, ethnic origin, political belief etc. and there was none of that in Whois data bases. Personal data and not sensitive data was the issue. The 1995 directive actually provided for flexibility in particular article 7 was mentioned which indeed foresaw that sometimes processing could be necessary for the purposes of the legitimate interest pursued by the controller or the third party that did process the personal data.
The IPC wanted to point that out in the submissions. David Maher responded that the statement was deceptive and a distortion. The mistake in the background paper was not the quote itself, that the url was wrong.
Niklas Largergren and David Maher agreed to take the topic off list and review the paper. Jordyn Buchanan summarised commonalities between the purpose statements:
Key differences Both the IPC and the ISPCP statements said that the purpose of Whois was to provide accurate contact information for the registrant whereas the NCUC stated that the purpose was to provide a link to the responsible parties who could act to resolve or reliably pass information to those who could resolve the problems, and the CBUC statement seemed to indicate that it could be either the registrant or an agent. Two areas were highlighted where a common view could possibly be reached:
1. Whether or not the task force thought that the purpose of Whois was to provide information about:
- the registrant per se - or
- whether it was in order to provide information about either the registrant or the agent - or
- whether it had to be someone capable of resolving issues related to the domain? The NCUC purpose was limited to resolving technical problems,
The ISPCP statement to a certain extent reflected the same,
The CBUC appeared to have a broader set of issues that Whois was intended to help resolve,
The IPC stated that the purpose of the Whois was simply to provide the data regardless of what the purpose was. 2. What types of problems or issues was Whois intended to resolve? Jordyn Buchanan proposed initiating discussion on the two topics on the mailing list. 3. Discuss recommendation 1 on improving notification to Registered Name Holders of the public access to contact data via the WHOIS service
Ross Rader commented that there were various opinions that recommendation 1 constituted a privacy waiver and did not believe that it was the task force's intention, thus would like to have a better sense whether the interpretation was consistent with the intent of the task force or not and if it was not then it should be resolved before the recommendation went to the GNSO Council.
Jordyn Buchanan stated that the topic had not been raised during discussions on the issue, thus there was no intention for it to be a privacy waiver.
Milton Mueller commented that perhaps it was a question of people working unconsciously at cross purposes. The NCUC would never view notification as being consent because there was no other domain name system that could be participated in, therefore once notification was given it was taken as consent was a travesty, or in legal terms a contract of adhesion. The NCUC supported the notification to let people know what was happening and believed that it might stimulate the use of privacy protection services registrars were offering as well as supporting the ICANN process and making the Whois policy more rational. Being presented with notification and being told that it was waiving rights and as the ISP representative said, that anything could be done with the information as long as the registrant was notified, was presenting a stark choice, no domain name or no privacy, or no rights over information.
Nicolas Largercommented that he was not aware of any previous discussion mentioning a privacy waiver. In the RAA, provision 3.7.7.4. and 3.7.7.5 there was language that stated that a registrar was required to notify a registrant about Who is and what it meant and that the registrar was required to obtain consent from the registrant for the publication of personal data in the Who is database. The concern of the task force appeared to be that the notification made to the registrant was not conspicuous and very often hidden in a long text in small print that the registrant would click on to proceed to the next stage. The task force members believed that it would be useful to make the notification procedure more conspicuous so that the registrant would know what he was signing up to.
Jordan Buchanan added that the task force also looked at ways in which the registrant consented to that use and it was explicitly removed to only apply to notice.
Kathy Kleiman stated that outside opinions viewed the text as a privacy waiver and it was clearly not the intent of the task force. Emphasising the language of the EU Privacy Directive article 7 "Member States shall provide that personal data may be processed only if
a) the data subject has unambiguously given his consent" would lead to the notice provision being interpreted as a privacy waiver, Kathy felt that the task force should take action. Jordyn Buchanan, supported by Ross Rader, and Milton Mueller, Niklas Largergren and Kathy Kleiman
( the latter two suggested that the communication to the Council should emphasise timing and not withdrawing the recommendation)
proposed:
Drafting a letter to Bruce Tonkin, the GNSO Council chair about a concern raised that the current proposal relating to improving notice to registrants regarding the use of their contact details in the Whois system may be viewed as a waiver of registrants privacy rights. It was not the intent of the task force that the recommendation act as any sort of waiver, but the issue was not considered during the work of the task force. Since the task force believed that it was an important issue and believed that it would be premature for the Council to adopt the policy recommendations without considering it Council was requested to either: a) Refer the recommendation back to the Task Force for further consideration of this specific issue; alternatively, the Council may want to consider this specific issue itself, or b) Delay adoption of this recommendation until such time as the full range of issues currently being considered by the task force have resulted in a broader set of recommendations that may render this issue moot. Next call Tuesday 23 August 2005
1. Voting on the procedure for National Laws
2. Discuss two questions on purpose:
1. Whether or not the task force thought that the purpose of Whois was to provide information about:
- the registrant per se - or
- whether it was in order to provide information about either the registrant or the agent - or
- whether it had to be someone capable of resolving issues related to the domain?
2. What types of problems or issues was Whois intended to resolve? The next Whois task force teleconference:
Tuesday 23 August 2005 at 9:30 EST 13:30 UTC Jordyn Buchanan thanked all the task force members for participating. The WHOIS task force call ended at 17 :10 CET - | 