This report concludes the work of the Whois Task Force on the GNSO policy development process (PDP) on Whois which seeks to build consensus on policy issues in the generic top level domain (gTLD) space.

1 Contents

1 Contents.. 2

2 Executive Summary.. 4

3 Introduction and Acknowledgments.. 6

Introduction. 6

Acknowledgments. 6

4 Task Force Recommendation.. 7

5 Minority Recommendation of the Task Force.. 11

"Special Circumstances" Model for Whois Policy. 11

6 Success Metrics.. 16

7 Summary of public comments.. 17

7.1.1 Table 7.1—OPoC proposal: issues raised. 17

7.1.2 Table 7.2 —OPoC proposal: suggestions for development 22

7.1.3 Table 7.3— Special Circumstances Proposal: issues raised. 23

7.1.4 Table 7.4—Special Circumstances Proposal: suggestions for development 25

7.2 Summary by topic. 27

7.2.1 Proxy registrations. 27

7.2.2 Data accuracy. 27

7.2.3 Privacy. 28

7.2.4 Distinguishing between commercial and individual/non-commercial registrants 29

7.2.5 Technical or other restrictions to data access. 30

7.2.6 Other points raised. 31

7.3 Summary of support for the proposals. 32

8 Summary of voting on the Task Force Recommendation.. 35

8.1 Table 8.1— Summary of voting. 35

9 Historical Background to this Report.. 37

10 Staff comparison of policy recommendation and minority proposal 40

10.1 Term of Reference 2: Purpose of the contacts. 40

Summary of task force discussion. 42

10.2 Term of Reference 3: Public Access to Data. 44

Summary of task force discussion (including proposal for access to data) 45

10.3 Term of Reference 4: Inaccurate Data. 48

Summary of task force discussion. 49

11 Constituency Statements.. 50

11.1 Requirements for constituency statements. 50

11.2 Statement of the Commercial and Business Users Constituency. 51

13.3 Statement of the Intellectual Property Constituency (IPC)

13.3 Statement of the Registrar Constituency. 64

13.4 Statement of the Registry Constituency. 66

13.5 Statement of the Non Commercial Users Constituency. 72

13.6 Statement of the Internet Service Providers and Connectivity Providers Constituency 75

Appendix A – Full Task Force Terms of Reference.. 78

Appendix B – Proposal to the Task Force by Avri Doria, Milton Mueller, Robin Gross and Wendy Seltzer.. 82

Appendix C – Proposal to the Task Force by Marilyn Cade.. 85

Appendix D – Work Processes and Outreach Activities of the Task Force, 2005-2007 89

Appendix E – Relevant GNSO Council Resolutions.. 91

2 Executive Summary

This is the Final Task Force Report on Whois Services. This report is intended to conclude the work of the Whois Task Force on the GNSO policy development process (PDP) on Whois which seeks to build consensus on policy issues in the generic top level domain (gTLD) space.

This report sets out the key findings of the Whois Task Force since it was convened in February 2005 (amalgamating three task forces on different aspects of Whois).

The task force has reached agreement on the following issues:

• Many registrants do not understand the meaning or purpose of the different Whois contacts (billing contact, administrative contact, technical contact).
• If changes are made to the Whois service, awareness-raising for registrants will be needed.
• New mechanisms to restrict some contact data from publication should be adopted to address privacy concerns.

The Task Force did not arrive at Supermajority support for any of the proposals it considered. The Task Force Policy Recommendation below was supported by a simple majority of Task Force members during a Task Force email vote concluded on 10 March. It is favoured by the following Task Force constituencies/members:

-          Registry Constituency

-          Registrar Constituency

-          Non Commercial User Constituency

-          Nominating Committee appointee.

The Task Force Policy Recommendation was also supported by the non-voting At Large liaison to the Task Force.

Other proposals discussed by the Task Force are contained in Section 5 as well as Appendices B and C of this document. The "Special Circumstances" proposal in Section 5 was supported by a minority of Task Force members from the following constituencies:

-          Commercial and Business User Constituency

-          Intellectual Property Constituency

-          Internet Service Providers and Connectivity Providers Constituency

Summary of the Task Force Policy Recommendation to the GNSO Council

The policy recommendation supported by a majority of Task Force members is the OPoC (Operational Point of Contact) proposal submitted by the Registrar Constituency and subsequently developed by the Task Force.

The OPoC (Operational Point of Contact) proposal (full text in Annex A) was circulated by the registrar constituency on 29 November 2005, and a revised version was submitted to the WHOIS Task Force for further development on 18 January 2006. It proposed to deal with the issue that "the amount of data that ICANN requires registrars to display in the Whois is facilitating all sorts of undesirable behaviours like renewal scams, data-mining, phishing, identity theft, and so on." The OPoC proposal aimed to "rationalize the Whois data output and implement a new contact type called the 'Operational Point of Contact'". (Email from Ross Rader to the task force and the registrar constituency, 29 November, 2005).

• The OPoC proposal was the subject of task force development work from January to October 2006. It includes input and revisions from all constituencies participating in the Task Force.

The OPoC proposal envisages requiring registrants to use an OPoC in place of the current administrative and technical contact details in the published Whois. This would allow registrants to only publish the contact details of the OPoC, rather than the administrative and technical contact details. In the case of an issue with the domain name, the OPoC would contact the registrant.

The OPoC proposal also includes a mechanism for notifying and correcting inaccurate Whois data. It does not include any new mechanism for access to data not published in Whois by, for example, law enforcement agencies or intellectual property rights holders. In task force discussions, proponents of the OPoC proposal have said that continuing the current practice whereby law enforcement agencies and other data requestors work directly with Registrars to arrange for access to specific contact data on a case by case basis provided that such practices are backed up with a statement of best practices that all registrars could employ. The Registry Constituency, which voted in favor of the OPOC proposal, believes that considerable work still needs to be done to address the issue of access to non-public Whois information by law enforcement and others with a legitimate need for access.

Summary of public comments

A public comments period on the Preliminary Task Force report ran from 24 November, 2006 to 15 January, 2007.

Public comments were particularly invited on:

• The Operational Point of Contact (OPoC) proposal
• The Special Circumstances proposal

Some broad directions for development of the Task Force policy recommendation that were raised through the public comments:

• The OPoC should ensure contact with the registered name holder in a defined and short period of time.
• OPoCs should have specified responsibilities for passing communications, including legal notifications, to the registered name holder.
• There need to be clear, consistent, timely and predictable procedures for obtaining access to unpublished data.

The proponents of each proposal provided responses to the public comments received (see section 7 of this report). The proposals have not subsequently been revised.

Next steps

This Task Force Report will be considered by the GNSO Council during the first and/or second quarter of 2007. The Council will then make a policy recommendation to the ICANN Board.

3 Introduction and Acknowledgments

Introduction

This document is the Final Task Force Report on the Whois Service. This report addresses the three remaining items in the terms of reference of the Whois Task Force (set by the GNSO Council on 2 June, 2005, see http://gnso.icann.org/policies/terms-of-reference.html or Annex C of this document):

• purpose of the Whois contacts (e.g. administrative or technical contact);
• public access to data;
• improvement of notification of inaccuracy of data.

The Whois Task Force has completed its work on two other items in the original terms of reference; a procedure for conflicts between Whois contractual requirements and national or local privacy laws, and defining the purpose of the Whois service. The Final Task Force Report on the Purpose of Whois and the Whois Contacts (15 March, 2006; http://gnso.icann.org/issues/whois-privacy/tf-report-15mar06.htm) included constituency statements on the purpose of the Whois contacts, but the subsequent discussion in the GNSO Council did not yield a conclusion on this topic. This report re-considers the purpose of the contacts in the light of the subsequent task force work.

The GNSO Council passed the following resolution regarding the definition of the purpose of Whois, on 12 April, 2006, (http://gnso.icann.org/meetings/minutes-gnso-12apr06.shtml, item 3):

"The GNSO Council recommends that the WHOIS task force use the following definition: "The purpose of the gTLD WHOIS service is to provide information sufficient to contact a responsible party for a particular gTLD domain name who can resolve, or reliably pass on data to a party who can resolve, issues related to the configuration of the records associated with the domain name within a DNS name server." as a working definition to allow the task force to proceed on terms of reference (2), (3), and (4)

This definition has been used by the task force as its working definition. This definition has been adopted as a working definition for the Task Force, and the Council intends to consider improving the wording of the WHOIS service definition so that it is broadly understandable.

This report includes constituency statements from each of the GNSO constituencies, and also a summary of public comments received during the public comment period from 24 November, 2006 to 15 January, 2007. At the end of the public comment period, the task force considered the public comments received, and the constituency statements.

Acknowledgments

This document has been created in the course of the work of the Whois Task Force.

The Whois Task Force is comprised of the following members:

Chair: Jordyn Buchanan (formerly of the Registry and Registrar Constituencies/appointed by Council as independent expert, without voting status; reelected as chair)

Commercial and Business Users Constituency

David Fares

Marilyn Cade

Sarah Deutsch

Internet Service Providers and Connectivity Providers Constituency

Tony Harris *

Greg Ruth*

Maggie Mansourkia

Intellectual Property Constituency

Steve Metalitz

Niklas Lagergren

Ute Decker

Non-Commercial Users Constituency

Milton Mueller

Robin Gross

Registrars Constituency

Paul Stahura

Ross Rader*

Tom Keller*

Tim Ruiz (alternate)

Registry Constituency

David Maher

Ken Stubbs *

Simon Sheard

Appointed by Council as independent expert with voting rights:

Avri Doria*

At Large Advisory Committee Liaison (non-voting)

Wendy Seltzer

Bret Fausett

(Task force members whose names are marked with a * are also members of the GNSO Council.)

4 Task Force Recommendation

The task force proposes the following as its policy recommendation to the GNSO Council:

Proposal for Implementing an Operational Point of Contact

There are four main areas of consideration dealt with by this proposal;

1. The type of contact data published by Registrars via Whois

2. The type of contact data published by Registries via Whois

3. The mechanism by which inaccurate data is dealt with and corrected

4. The mechanism by which prospective gaining registrars obtain the underlying contact information from prospective losing registrars at the time of domain name transfers.

This proposal pre-supposes that 1) domain name contact data not be available through any sources other than those discussed by this proposal, unless by Registrars, and in that case at the Registrar's option, and that 2) regardless of the information displayed, that the domain name contact data collected by registrars remain as specified in the RAA ("Underlying Whois Contact Data").

Scope

This proposal encompasses the Whois services (commonly referred to as "port 43 whois" and "web whois" or "port 80 whois") operated by all ICANN accredited registrars and all gTLD registries (including .aero, .biz, .com, .coop, .info, .jobs, .museum, .name, .net, .org, .pro and .travel as of January 18., 2006).

Purpose of the Points of Contact

1. Purpose of the Registered Name Holder

The registered name holder is the individual or organization that registers a specific domain name. This individual or organization holds the right to use that specific domain name for a specified period of time, provided certain conditions are met and the registration fees are paid. This person or organization is bound by the terms of the relevant service agreement with the Registry operator for the TLD in question.

2. Purpose of the Administrative and Technical Contacts

Under this proposal, the administrative and technical contacts would no longer be displayed within the Whois system. As a result, they would no longer have a purpose within the context of Whois.

3. Purpose of the Operational Point of Contact

This proposal introduces the Operational Point of Contact, which would be collected by registrars and displayed in response to Whois queries regarding specific domain names. The purpose of the operational point of contact is to resolve, or to reliably pass on data to resolve, operational issues relating to a domain name. At a minimum, this must include the resolution of issues relating to the configuration of the records associated with the domain name within a DNS nameserver. The operational point of contact may also be capable of resolving additional types of issues based on an agreement with the registered name holder to do so.

4. Notifying Registrants of the Purpose of the Points of Contact

ICANN will develop a user guide describing the various contacts and the changes in information provided as part of the Whois service. This guide should provide information for both registrants as well as users of the Whois service. At the time the registrar sends its annual Whois Data Reminder Policy notice to each registrant, it must include a link to the ICANN-developed guide on the purpose of each contact.

The Type of Contact Data Published by Registrars;

Accredited Registrars will publish three types of data pertaining to the domain name registration in their respective gTLD Whois repositories;

1. The name of the Registered Name Holder

2. The country and state/province of the Registered Name Holder

3. The contact information for the primary operational point of contact (oPOC), which must include, but is not limited to;

1. The contact name of the oPOC

2. The contact address of the oPOC

3. The contact telephone number of the oPOC

4. The contact email address of the oPOC

4. The date of the initial registration of the domain name (creation date)

5. The date of the expiration of the current term of the domain name (expiry date)

6. The following registry level data:

1. The Registered name

2. The identity of the Sponsoring Registrar

3. The URI of the authoritative Whois server

4. All authoritative nameserver names associated with the domain name registration record

5. The status of the Registered Name (LOCK, HOLD, EXPIRED, or any other Registry specified value)

Registrars must allow a Registrant to provide a minimum of two operational points of contact. As a condition of registration, Registrants must provide a minimum of one operational point of contact. If a Registrant provides a second operational point of contact, the Registrar must pubish this data via whois. If the Registrant has not specified a second operational point of contact, the Registrar is not obligation [ad: obligated] to publish a null or empty record via the Whois service. Registrars may choose to allow Registrants to specify additional operational points of contact beyond the second operational point of contact. If the Registrant exercises this option, the Registrar must publish these additional records in the record of delegation for the domain name in question in a manner consistent with the publication of multiple nameservers in other areas of this same record.

This proposal does not require the publication of any additional data; however Registrars may choose to provide additional data at their discretion.

The Type of Contact Data Published by Registries;

gTLD Registries will publish a limited data set concerning each Registered Name. Registries must not publish or provide any additional data. This Registry Level data is solely limited to;

1. The Registered name

2. The identity of the Sponsoring Registrar which shall consist of separate fields indicating;

3. the Registrar Name and;

4. the corresponding IANA Registrar Identification Number

5. The URI of the authoritative Whois server

6. All authoritative nameserver hostnames and corresponding IP addresses associated with the domain name registration record

7. The status of the Registered Name (LOCK, HOLD, EXPIRED, or any other Registry value specified in the EPP RFC)

8. The date of the initial registration of the domain name (creation date)

9. The date of the expiration of the current term of the domain name (expiry date)

Correcting Inaccurate Whois Data;

In addition to preserving the existing requirement for Accredited Registrars to promptly update registration records when a Registered Name Holder provides them with updated information , Registrars must also positively respond to notices of alleged inaccuracies in a timely manner. Specifically, when a Registrar receives notice of an alleged inaccuracy in the whois record for a particular domain name;

1. the Registrar must notify the Operational Point of Contact or the Registered Name Holder in a timely manner.

2. The oPOC or the Registered Name Holder must correct the alleged inaccuracy or defend the accuracy of the data, also in a timely manner.

3. If the oPOC or the Registered Name Holder does not update the contact record with corrected information within this time period, the Registrar must either place the domain name on "hold" or revoke the registration.

4. Before accepting the new information, the Registrar must verify that the oPOC or the Registered Name Holder is contactable using the new email address provided.

5. If the basis for the original complaint of inaccurate data included data elements other than the e-mail address, the Registrar must take reasonable steps to validate corrections to these other data elements before accepting them.

A standardized mechanism should be used to convey notices of alleged inaccuracy from the internet community and distribute them to the relevant registrar.

Facilitating Inter-registrar Domain Name Transfers

In order to ensure continued domain name portability, Registrars must continue to be able to transfer detailed contact records between one another at the request of the Registered Name Holder or oPOC. Therefore, this proposal recommends that the Sponsoring Registrar must make the data outlined in section 3.3.1 of the RAA be made available to the prospective gaining registrar upon request for the purpose of confirming the Registrant/oPOC identity and validating the authenticity of the domain name transfer request. This proposal further recommends that this mechanism be augmented, when appropriate, by the use of EPP AUTH-INFO tokens/codes.

Finally, this proposal recommends that the existing Inter-registrar Transfer policy be amended to recognize the authority of the Operational Point of Contact and sunset that of the Administrative, Technical and Billing Contacts.

5 Minority Recommendation of the Task Force

This section contains a proposal considered by the task force that did not receive sufficient votes to emerge as the majority policy recommendation to the GNSO Council.

"Special Circumstances" Model for Whois Policy

This paper describes an alternative model for modifying current gTLD Whois policy. It calls for a procedure to accommodate the needs of certain individual non-commercial registrants for special treatment with regard to restricting public access to some of their contact data. It draws upon the system that has been place for some time in the Dutch country code Top Level Domain, .NL, with adaptations necessary for translating that system to the gTLD environment.

Main elements of the Special Circumstances proposal:

1. An independent third-party vendor processes and decides upon "Special Circumstances" applications. ICANN would choose a trusted independent third-party vendor to receive, process and decide upon requests from individual gTLD registrants to curtail public access to their Whois data based on special circumstances. The vendor would be required to apply the criteria developed below, to process applications online, and to render a decision in a very short time frame (e.g., 5 days). It would also be required to carry out these tasks within a budget negotiated with ICANN.

NOTE: In one variant on the proposal, ICANN would choose five independent vendors, one in each of ICANN's global regions, each applying a common set of criteria for considering "special circumstances" applications from individual registrants within that region. For simplicity only, the rest of this proposal will refer to a single vendor.

2. Eligibility criteria for "Special Circumstances." The "special circumstances" option would be open only to individual registrants who are using or will use the domain name for non-commercial purposes, and who can demonstrate that they have a reasonable basis for concern that public access to specific data about themselves (e.g., name, address, e-mail address, telephone number) that would otherwise be publicly displayed in Whois would jeopardize a concrete and real interest in their personal safety or security that cannot be protected other than by suppressing that public access. An individual would be able to hold special circumstance designation for only a limited number (e.g., 5) gTLD domain names at a time. Social service agency providers serving qualifying individuals (e.g., abused women's shelters) could also apply for the designation.

3. Further development of criteria. Beyond the general requirements set forth in paragraph 2, the specific criteria and procedures to be applied for adjudicating such requests would be developed in one of two ways:

the selected third-party vendor would propose criteria which would then be reviewed by a working group consisting of GNSO and GAC representatives; or

a joint GNSO-GAC working group would develop the criteria in consultation with the third-party vendor.

4. Funding administration of the Special Circumstances system. To defray the costs of administering the system, a pre-set proportion of one or more existing volume-sensitive (i.e., per registration transaction) fees currently paid by registrars and/or registries to ICANN would be budgeted for the third-party vendor's operations. Under this model, neither registrants, registrars nor registries would incur additional costs.

5. Application for Special Circumstances at the point of registration. Once the system is operational, registrars would be obligated to advise individual registrants at the time of registration of the option to seek a "special circumstances" designation, and to provide a standard application form issued by the vendor, which registrants could then complete and submit via the registrar.

NOTE: As a variant, registrars could provide registrants a link to the site of the third-party vendor.

6. Provision of data to registrars. Current requirements for registrants to provide registrars with full and accurate contact data and to keep it current, as a condition of registration, would continue to apply to all registrants, including those who have been determined qualified for special circumstances status. Registrars would continue to hold all data. Existing proxy registration services operated by or in connection with registrars would be phased out, and individual registrants participating in such services would be provided with an opportunity to apply under the "special circumstances" mechanism.

7. Display of data and operation of the domain are withheld pending determination of a Special Circumstances application. The registrant's data would be publicly displayed (in accordance with the Registrar Accreditation Agreement) unless and until the third-party vendor notified the registrar (or confirmed) that a special circumstances application by that registrant had been received for the domain name in question. In the case of a new registration, during the (5-day) pendency of the application, the contact information of the registrar would be displayed in publicly accessible Whois rather than the contact information of the registrant, but the domain would be placed in a status that would not allow it to resolve.

NOTE: The preceding paragraph describes the process in a "thin registry" environment. In a "thick registry," notification of receipt of the application, and of the vendor's action upon it, would also be communicated to the registry for purposes of its Whois service.

8. Response to Whois queries for Special Circumstances registrations. If the third-party vendor decides that the applicant has shown the requisite special circumstances, it will notify the registrant, registrar and (in a thick registry environment) the registry. During the life of the special circumstances designation, the contact data for the registrar would continue to be displayed in lieu of the registrant data for all data elements that are the subject of the special circumstances application.

9. Enforcement of non-commercial use criteria. During the life of the special circumstances designation, the third-party vendor would be responsible for spot-checking Internet resources tied to the domain name (e.g., website) to ensure that the use remained non-commercial during the life of the designation (under specific criteria established under paragraph 3 above). If commercial use is observed, the vendor would notify the registrant and registrar and terminate the special circumstances designation.

10. Term and renewal of Special Circumstances designation. The Special Circumstances designation would remain in effect for a set time period (e.g., one year). Special circumstances designations would not be transferable. As part of the Whois Data Reminder Policy, registrars would notify registrants who hold special circumstances designations of the scheduled expiration date of their designation, and provide a link to the vendor so that a registrant could apply for renewal of the designation if s/he still qualified for it.

11. Challenges to Special Circumstances designation. Procedures would be developed for the following: (a) appeal by the registrant of an adverse decision by the vendor on the registrant's special circumstances application; and (b) methods for law enforcement and others with a legitimate complaint of abuse to seek from the third-party vendor access to contact information held by the registrar on registrants in the "special circumstances" category. The latter procedures would be coordinated to the extent feasible with existing procedures such as the UDRP.

12.              Renewal of vendor contract and reporting on system operation. The third-party vendor would report within six months, and annually thereafter, on the operation of the "special circumstances" mechanism, and its contract to operate the mechanism would be subject to renewal or re-competition every 5 years. The specific criteria and procedures developed under point 3 would be subject to review and adjustment on an annual basis, and ad hoc, under the auspices of the working group described there.

Background Information

The .NL Model

.NL is a very large registry, ranking seventh in the world (and third among the ccTLDs). It has over 1.9 million domain names registered. The Netherlands also has a strong privacy/data protection law which is based upon the EU Data Protection Directive. The operator of .NL (called SIDN) has taken great pains to ensure that its Whois policy complies with the Dutch data protection law.

.NL provides a very robust publicly accessible Whois service, very similar to what is currently available in the gTLDs. Article 23.2 of the "Regulations for registration of .nl domain names"[1] provides:

"The public section of the SIDN Register shall include the following details, among others, for each Domain Name or Personal Domain Name, except when the Applicant for a Domain Name or the Holder of a Personal Domain Name has requested SIDN to replace certain details by the details of the Participant:

- the Domain Name or Personal Domain Name;

the name and address of the Holder of the Domain Name (and the address provided in the Netherlands, if applicable);

- the name, telephone number and e-mail address of the Administrative Contact Person for the Holder of the Domain Name;

- the name, telephone number and e-mail address of the technical contact person for the Holder of the Domain Name and/or the Participant concerned;

the Participant concerned;

technical details."

Article 23.3 of the same document provides:

"The public section of the Register shall be open to public electronic consultation."

Under the .NL system, a registrant can ask that some data be withheld from public access (or that the "Participant's"[2] data be substituted). The holder or applicant must submit a written request for data to be withheld from the public section of the register.[3] This request must be made via the Participant acting for the holder/applicant and needs to explain why the holder/applicant believes the data should not appear in the public section of the register. The request will only be granted if special circumstances are deemed to exist. To this end, SIDN weighs up the various interests at stake. If SIDN rejects such a request, an appeal may be made to the Complaints and Appeals Body.[4]

Another SIDN document[5] gives more details about the "special circumstances" criterion:

"For each individual opt-out request the consideration has to be made whether – and if so, to what extent – there are special circumstances justifying the granting of the opt-out request. SIDN uses the criterion that granting of the request may be justified if it can be demonstrated that (a) there is a concrete and real interest at stake and that (b) a report has been filed with the police and/or (c) other precautions/measures have been taken, for instance protection of the data in question with other bodies or organisations.

"A general fear, not specified or motivated in further detail, of receiving spam, of any invasion of privacy or of any individual with malicious intent (a possibility that in principle always exists) is in itself insufficient ground for granting an opt-out request."

The document states that an opt-out request should be granted only when "the specific conditions have been met that make the granting of this request an absolute requirement and that there is no other way to achieve this."

The .NL system demonstrates that a publicly accessible Whois with a broad range of data can be maintained, even in a jurisdiction with strict privacy laws, and that even a relatively large registry can effectively operate a system of evaluating limited "special circumstances" under which data may be kept hidden on a case-by-case basis.

Adapting the .NL Model to the gTLD Environment

For the so-called "thin" registries, notably .com and .net, it would be relatively simple for the registrar simultaneously to collect an application for Special Circumstances at the point of registration, and to configure the domain not to resolve and for information not to be displayed in the Whois database, pending decision on the Special Circumstances application. This is because , in the "thin" registries, the registrar is both the entity responsible for the registration of domains and the entity responsible for maintaining public access to the Whois database. In the "thick" gTLD registries (e.g., .info), it would be only slightly more involved for the registrar and registry to set up a system for the registry's receipt and processing of requests to suppress public access to contact data based on "special circumstances."

The main challenge in adapting the .NL model to the gTLD environment involves who operates the system. Although the registrar remains the sole (in thin registries) or primary provider of complete Whois data, registrar operation of a "special circumstances" system for suppressing public access to Whois data raises two problems: cost and consistency/integrity.

Of course the cost of operating such a system would depend to some extent on the volume of requests, but there would be some fixed costs. Presumably, registrars could be allowed to charge for this service in order to recover their costs, but this could raise perception concerns (requiring vulnerable registrants to bear additional costs); and competitive pressures from larger registrars, or from those that can cross-subsidize this cost from other non-registration services, could make it impractical for many registrars to recover their costs. (At the same time, many registrars already operate proxy or "private" registration services, none of which is free, so perhaps these competitive pressure and perception concerns are less powerful than some fear.)

A more difficult problem is consistency and integrity. The "special circumstances" that would justify curtailing public access can never be precisely defined in advance, and inconsistent decisions about who does or does not qualify for this status seem inevitable if multiple entities are responsible for deciding applications for Special Circumstances. More significantly, particularly if registrars can recover their costs or even treat the "special circumstances" mechanism as a profit center, there are strong incentives to grant every request, no matter what the merits. That would defeat the purpose of the "special circumstances" mechanism, and it would become almost indistinguishable from the proxy services that currently abound, except that each registrar will be obligated to offer one.

This proposal involves centralizing the processing of "special circumstances" in an independent third party, in order to ameliorate these concerns over consistency, integrity, and cost. The preceding proposal reflects this model.

6 Success Metrics

The following success metrics have been developed by the task force to provide guidance for the GNSO and ICANN staff in measuring the success of Whois policy recommendations as and when they are implemented. They will be supplemented by feedback from ICANN staff as detailed policy recommendations are finalized.

Terms of Reference #1 and #2:

1) ICANN should report back periodically on the steps that it has taken to make people aware of any changes to the Whois system as well as the purpose of Whois and the contacts contained in Whois.

2) ICANN should gather data and report back on the awareness of the purpose of Whois as well as the purpose of the contacts contained in Whois.

Term of Reference #3:

1) ICANN should track and compare the number of privacy related complaints received regarding Whois, over time, by month or by quarter.

2) ICANN to measure ability to contact responsible parties for a sampling of domains both before changes go into effect and afterwards.

3) ICANN to survey users of Whois to determine whether contactability improves.

TERMS OF REFERENCE #4:

1) ICANN to evaluate accuracy of a sampling of domains both before and after policy changes to determine whether they improve accuracy.

2) ICANN to report periodically on compliance with policies requiring that registrars disable domains if data is inaccurate and is not updated.

7 Summary of public comments

The public comments period on the Preliminary Task Force report ran from 24 November, 2006 to 15 January, 2007. Seventy seven comments were received. Of these, forty three were on-topic and not duplicates.

The Task Force appreciates the significant effort that went into preparing thoughtful and detailed inputs on the issues and proposals in the Preliminary Task Force Report.

Public comments were particularly invited on:

• The Operational Point of Contact (OPoC) proposal
• The Special Circumstances proposal
• The five proposals in the discussion on access to data

The public comments are archived at;

http://forum.icann.org/lists/whois-services-comments

The Preliminary Task Force Report on Whois Services is available at;

http://gnso.icann.org/issues/whois-privacy/prelim-tf-rpt-22nov06.htm

The four tables below group the comments received into a first column, their support by specific organizations into a second, and a response or discussion of the points raised by the initiators of each proposal. The response to public comments regarding the OPoC proposal was prepared by Ross Rader, of the Registrars Constituency of the GNSO. The response to public comments regarding the Special Circumstances proposal was prepared by Steve Metalitz, of the Intellectual Property Constituency of the GNSO.

7.1.1 Table 7.1—OPoC proposal: issues raised

7.1.2 Table 7.2 —OPoC proposal: suggestions for development

7.1.3 Table 7.3— Special Circumstances Proposal: issues raised

7.1.4 Table 7.4—Special Circumstances Proposal: suggestions for development

7.2 Summary by topic

The following section summarises comments on cross-cutting themes that are not solely related to the two proposals but were the subject of significant public comment.

7.2.1 Proxy registrations

Proxy registrations should be forbidden/phased out: eBay Inc., American Heart Association, March of Dimes Birth Defects Foundation, Motion Picture Association.

Several rights holders said they encounter difficulties today in accessing unpublished data regarding proxy registrations: The Walt Disney Company, eBay Inc.

7.2.2 Data accuracy

OPoC provisions on data accuracy are a step forward; The Walt Disney Company, eBay, The American Intellectual Property Law Association said the segment of the OPoC proposal regarding accuracy "is (the) one segment of the OPoC proposal that we could support, but only in the context of maintaining the status quo of an open Whois system, such as would occur under the Special Circumstances proposal."

Registrars should be required to pro-actively verify the accuracy registrant contact data: eBay Inc., The Walt Disney Company, However, one commenter said verifying the accuracy of contact data is hardly achievable on a general basis.

Registrars should be obliged to terminate registrations with inaccurate Whois data: Special Task Force on Counterfeiting and Piracy Committee of the Intellectual Property Owners Association, American Intellectual Property Law Association, Best Western International Inc.

Rights holders encounter inaccurate Whois data frequently and are unsatisfied that registrars do enough to correct inaccurate data. Some called for better enforcement of existing provisions in the Registrar Accreditation Agreement on registrars' obligations regarding inaccurate Whois data.

Best Western International Inc. raised the question that "it is unclear how a brand owner would be able to request correction of such data if it cannot access the registrant's WHOIS information in the first place."

7.2.3 Privacy

Several commenters from the rights holder perspective said the existing publication of Whois data strikes a balance between privacy rights and other concerns. CAUCE (the Coalition Against Unsolicited Commercial E-mail) said that allowing criminals to obfuscate their activities by cloaking Whois data "will lead to increased levels of privacy violations by way of spam, viruses and spyware. Removing Whois data might provide marginally more privacy to the relatively small number of individuals who register domains, at a disproportionate cost to Internet users at large."

Two commenters noted that the report did not include a study of privacy laws around the world, and that the absence of such an analysis has an impact on the ability to develop a policy that meets national laws. One of these commenter noted that the OPoC proposal was the only way to meet different national privacy laws. Patrick Vande Walle said that "Rather than looking at what we can agree on within the narrow ICANN community, we should be looking at what is realistically feasible within the existing legal frameworks and agree on a common denominator."

The Electronic Privacy Information Center said that the Whois policies conflict with national privacy laws. The original technical purpose of Whois should be adhered to, and that access to Whois data for concerns other than technical issues should be subject to due process. EPIC said anonymous registration of domain names "may be critical for political, artistic and religious expression." Chuck Wilson raised a similar concern regarding the damage Whois can do "to the Internet as a forum for free speech and public information." The New York State Office of the Attorney General Internet Bureau said:

"We are sensitive to the privacy interests of individuals who wish to use a domain name for non-commercial purposes, such as speech; especially those who wish to do so anonymously. However, ... we believe that maintaining a publicly available database of contact information for registrants of commercial websites does nto violate any privacy law, rule, directive, or individual privacy interest."

7.2.4 Distinguishing between commercial and individual/non-commercial registrants

Several commenters suggested distinguishing between different types of registrants, e.g. individuals, non-commercial and commercial registrants, and offering proxy registrations to individuals using domain names for non-commercial purposes. Matt Scholl noted that "Nowadays, many websites are owned by individuals for individual purposes. Just as there is no requirement to disclose private name and address information for telephone owners, there should be no requirement to disclose private name and address information for website owners."

Danny Younger submitted the following proposal:

The New York State Office of the Attorney General Internet Bureau said it believes "maintaining a publicly available database of contact information for registrants of commercial websites does not violate any privacy law, rule, directive, or individual privacy interest." The New York State Office of the Attorney General Internet Bureau proposed that "holders of commercial domain names" continue to be required to submit their contact information for public access via Whois. Noting a 2003 OECD report that said commercial name holders intent on fraud may falsely use a non-commercial registration, the AG office supported further empowering registrars by requiring them to put a domain name on hold or revoke it if inaccurate Whois data regarding the name holder's status is not corrected.

The Electronic Privacy Information Center drew attention to the operation of Australia's TLD, .au, which does not disclose individual registrants' names, addresses and telephone and fax numbers.

7.2.5 Technical or other restrictions to data access

There are two types of 'public access'; web publication of Whois (the current system) and 'on request' confirmed access by request to registrar/thick registry with response on additional confirmation. Neither restricts access to data, but 'on request' access is considered less vulnerable to data harvesting.

The Whois Subcommittee of the International Trademark Association said that "'hybrid' proposals to the task force that "condition access to full Whois information on the searcher clearing technical security measures and/or contractually agreeing not to use the information for a list of specified improper uses" merit further discussion.

Mr. C.A. Fontein of OPTA, the Dutch Post and Telecommunications Authority, asked the task force to take enforcement tasks into consideration when setting boundaries to the access to Whois. He said: "Whether direct access to Whois data is granted to enforcers through some way of tiered or encoded access or in any other way, it is crucial to make the Internet a safer place". OPTA suggested a distinction between 'Type 1' requests for Whois data and 'Type 2' requests:

Volkswagen AG said:

"From our point of view it would not unduly restrict users or users' legitimate interests if sign-on verification were to be required before submitting a query, or if other technical means are used to prevent an automated reading/downloading of whois database data. Contractual restrictions on the use of whois data such as those practiced by the German Registry DENIC eG, that require electronic acceptance of the use restrictions before each request is answered, would not constitute an impairment of our legitimate interests. The state data protection commissioner has confirmed that this practice complies with the strict requirements of the German Data Protection Law."

Patrick Vande Walle said that "accuracy of the whois data will improve when it will become less public and proper checks are made on who requests the data nd for what purpose."

Karl Auerbach called attention to previous proposals that "anyone who asks to view whois data should be required to submit to a permanent and publicly visible ledger the following information:

- Identity (i.e. name, contact information) of the person requesting access

- A short but factual statement describing, with particularity, what specific rights of the person making the inquiry are believed to have been violated by the data subject described in the whois record being accessed."

Dominik Fillip said that; "At minimum, the (rights) Holder should be allowed to hide direct access to the data (name, state and country only) and be allowed the 'on-request' public access".

7.2.6 Other points raised

RE/MAX International Inc., a real estate franchiser, did not support the OPoC proposal because it uses Whois to determine if it will take legal action against domain name registrants who may or may not be its own franchisees.

Referring to the adopted purpose of Whois, several rights-holders asked whether concerns regarding fraud or trademark infringement would be considered by an OPoC to be an 'operational issue relating to a domain name'. Two rights-holders said that 'operational issues' did not include rights holder issues, or would not be interpreted as such by registrars.

A small number of commenters raised the concern that if Whois changes significantly, there will be a consequence for the UDRP (Uniform Dispute Resolution Procedure; http://www.icann.org/udrp). This might mean that the UDRP would have to be altered. The National Arbitration Forum said the following points would be consequences of adopting the OPoC proposal:

"First, if the complainant to a domain name dispute is unable to ascertain who the actual registrant of a domain name is, it could become difficult or impossible to make a fair assessment of the complainant's case with respect to the elements of the various Policies.

Second, under the current UDRP (and other Policies), a respondent has 20 days from commencement of a case to respond to a UDRP complaint. If the National Arbitration Forum and other providers are obligated to serve respondent through an OPoC, it is not only possible, but likely, that delivery of important commencement documents would be at best, delayed and at worst, withheld. We are aware that some registrars do not pass on mail received on behalf of their clients.

Third, ICANN has made it clear that the Whois database is the authoritative source for determining the identity of the Respondent and for where to send case documents. If the information in the database is replaced with OPoC information, we ask that the Task Force consider the implications on the UDRP and related Policies and consider that some of the Rules would become moot or impossible to follow."

Those who prefer the 'Special Circumstances' proposal tended to do so because it represents no significant change to Whois for the vast majority of Internet users. Elman Technology Law, P.C. said the situations giving rise to the use of the Special Circumstances process "should be the rare exception rather than a general rule."

While most /supporters of the 'Special Circumstances' proposal said mechanisms for access to unpublished data should be developed, one commenter said this data should only be available subject to the applicable judicial proceedings.

7.3 Summary of support for the proposals

This section draws out the support of commenters for each of the two proposals. It distinguishes between commenters who support the proposals as published in the Preliminary Task Force Report, and those who said the proposals would benefit from further development. Not all commenters supported either or both proposals. For example, OPTA, the Dutch Post and Telecommunications Authority, did not make a recommendation for either proposal.

Commenters who support the 'Special Circumstances' proposal unreservedly:

• Mars Inc.
• Laurie Self (on behalf of various companies and organizations)
• Whois Subcommittee of the International Trademark Association
• American Society of Composers, Authors and Publishers
• Intercontinental Hotels Group
• BITS Financial Services Round Table

Commenters who broadly support the 'Special Circumstances' proposal but with reservations, modifications or suggestions* for further work:

• eBay Inc.
• Special Task Force on Counterfeiting and Piracy Committee of the Intellectual Property Owners Association
• Electronic Arts
• American Heart Association
• Recording Industry Association of America and the International Federation of the Phonographic Industry (joint letter)
• Motion Picture Association
• American Intellectual Property Law Association
• The International Anti-Counterfeiting Coalition

*The specific reservations/modifications differed, but all were from organisations that broadly supported the 'Special Circumstances' proposal and believed it should be explored further; most raised implementation issues which might be resolved with further work, and a small number were concerned that any data at all would be withheld from public access.

Commenters who support the 'OPoC proposal unreservedly:

• Matt Scholl
• Markus Hanauska

Commenters who support the OPoC proposal with some reservations/suggestions for further work:

• Anti-Counterfeiting and Piracy Committee of the Intellectual Property Owners* Association*
• Rod Dixon
• Patrick Vande Walle
• Electronic Privacy Information Center

* The Anti-Counterfeiting and Piracy Committee of the Intellectual Property Owners said that "the use of operational points of contact could be an effective means for providing owners with sufficient contact information to enable them to contact domain name owners without providing information which can be put to use in illicit scams and activities". This organisation supported "a combination of the two proposals", on the condition of timely transmission of notices from OPoCs to registered name holders.

Final summary of public comments

It is possible to summarise some broad directions for development of the two proposals that were raised through the public comments:

• The OPoC should collect contact information for the registered name holder.
• The OPoC should ensure contact with the registered name holder in a defined and short period of time.
• OPoCs should have specified responsibilities for passing communications, including legal notifications, to the registered name holder.
• The cost allocation model, status, credibility and global scale-ability of the mechanism to consider applications in the Special Circumstances need further consideration.
• If either proposal is adopted, there need to be clear, consistent, timely and predictable procedures for obtaining access to unpublished data.

8 Summary of voting on the Task Force Recommendation

8.1 Table 8.1— Summary of voting

This table summarizes the Task Force vote on the Task Force Recommendation, i.e. the OPoC proposal. The vote was carried out be email, beginning on 7 March, 2007, and the final votes were received on 10 March, 2007.

There were two votes per constituency, and one vote for the Nominating Committee member of the Task Force, Avri Doria. As several constituencies used alternate Task Force members, their votes are note counted in the total, but captured in the following form; (X).

The result of the vote was a simple majority of 7:6 in favour of the OPoC Proposal. The OPoC proposal was therefore adopted as the Task Force Recommendation to the GNSO Council.