[council] Proposed ToR for Task Force 2

["Milton Mueller" <mueller@xxxxxxx>]

I have made some modifications and additions to
Bruce's original draft, keeping within its spirit but
narrowing the focus and adding milestones.

Title: Review of data collected and displayed

Participants:
- 1 representative from each constituency
- ALAC liaison
- GAC liaison
- ccNSO liaison
- SECSAC liaison
- liaisons from other GNSO WHOIS task forces

Description of Task Force:
==========================

There are domain name holders that are concerned about their privacy,
both in terms of data that is collected and held about them, and also in
terms of what data is made available to other parties.

Extensive contact information can assist a registrar or network provider
to contact a domain name holder in the event of a technical problem or
in the event of domain name expiration.  However, a domain name
holder may be prepared to make a personal decision to accept a lower
standard of service (e.g take their own steps to be reminded of when a
domain expires) in return for greater privacy.  A domain name holder
may be prepared to provide extensive contact information to their domain
name provider, but would prefer to control what information is available
for public access.  For example a telephone customer may provide
detailed address information to a telephone service provider, but may
elect not to have this information displayed in a public whitepages
directory.  Note however that national laws often permit access to the 
complete information to groups such as law enforcement and emergency 
services personnel.  Another issue is that there is limited public 
understanding of the present contractual obligations.  Most domain name 
holders are unaware that their information is being displayed publically via 
the present port-43 and interactive web access methods.

The purpose of this task force is to determine:

a) What is the minimum required information about registrants that 
must be collected at the time of registration to maintain adequate 
contact-ability?

b) Should domain name holders be allowed to remove certain 
parts of the required contact information from anonymous (public) 
access, and if so, what data elements can be withdrawn from public 
access and what contractual changes (if any) are required to enable 
this? Should registrars be required to notify domain name holders when 
the withheld data is released to third parties?

c) What is the best way to inform registrants of what information about 
themselves is made publicly available when they register a domain 
name and what options they have to restrict access to that data and
receive notification of its use?

To ensure that the task force remains focussed and that
its goal is achievable and within a reasonable time frame, it
is necessary to be clear on what is out of scope for the task force.

Out-of-scope
============

The task force should not examine the mechanisms available for 
anonymous public access of the data - this is the subject of a separate 
task force.

The task force should not examine mechanisms for law enforcement 
access to the data collected.  This is generally subject to varying local
laws, and may be the subject of a future task force.

The task force should not study new methods or policies for ensuring 
the accuracy of the required data. However, it should study 
whether giving registrants the ability to withhold data from public, 
anonymous access will increase user incentives to keep the contact 
information they supply current and accurate.

The task force should not consider issues regarding registrars' ability 
to use Whois data for their own marketing purposes, or their claims 
of proprietary rights to customers' personal data. 

Tasks/Milestones
================
This Task Force would begin at the same time as the other one and 
execute its duties in the following order:

1. Conduct an analysis of the existing uses of the registrant data 
elements currently captured as part of the domain name registration 
process. Develop list of minimal required elements for  contact-ability. The 
intent is to determine whether all of the data 
elements now collected are necessary for current and foreseeable 
needs of the community, and if so, how they may be acquired with 
the greatest accuracy, least cost, and in compliance with applicable 
privacy, security, and stability considerations. 4-5 months?

2. Decide what options will be given to registrants to remove data 
elements from public access and what contractual changes  (if any) are required 
to enable this. 3 months?

3. Examine the current methods by which registrars and their resellers 
inform registrants of the purpose for which contact data is collected, 
and how that data will be released to the public. Examine whether policy 
changes (or published guidelines) are necessary to improve how this 
information is provided to registrants. 2 months?