ICANN/GNSO GNSO Email List Archives


[dow3tf] Whois task force 3: 6 GNSO Constituency and the ALAC statements

  • To: "3DOW3tf" <dow3tf@xxxxxxxxxxxxxx>
  • Subject: [dow3tf] Whois task force 3: 6 GNSO Constituency and the ALAC statements
  • From: "GNSO SECRETARIAT" <gnso.secretariat@xxxxxxxxxxxxxx>
  • Date: Fri, 7 May 2004 19:51:44 +0200
  • Importance: Normal
  • Reply-to: <gnso.secretariat@xxxxxxxxxxxxxx>
  • Sender: owner-dow3tf@xxxxxxxxxxxxxx


Task Force 3 GNSO Constituency and the ALAC Statements

1.	ALAC  Statement
2.	Non Commercial Users Constituency Statement (NCUC)
3.	gTLD Registry Constituency Statement
4.	Internet Service Providers and Connectivity Constituency Statement
(ISPC)(parsed from a single submitted document)
5.	Draft Commercial and Business Users  Constituency Statement (BC) (parsed
from single document)
6.	Intellectual Property Interests Constituency Statement (IPC)
7.	Draft Registrar Constituency Statement


1.	ALAC  Statement

At-Large Advisory Committee statement
on Whois Task Force III


March 19, 2004

Summary and recommendations

The At-Large Advisory Committee would like to express appreciation for the
difficult and time-consuming work that the Task Force has been doing.

However, we stress that trying to get accurate information from people who
are not willing to provide it is a waste of time and effort. No automated
verification scheme is able to tell between true data and plausible data,
and thus such schemes would only have the effect of increasing the number of
crimes such as identity theft and make reliable identification of actual
fraudsters even more difficult.

Generic TLDs are a global resource which should be impartially accessible to
registrants from all parts of the world. Verification schemes usually do not
cover all parts of the world with the same effectiveness, and often
information which may seem implausible to an American eye will be actually
true; so these schemes must not be used to unfairly discriminate access to
gTLDs depending on the registrant's country. Also, any communication with
the registrant should happen in the registrant's own language; and the
registrant should not be asked to bear the cost of verification activities,
since they are not part of the service he is asking for, but rather of
services desired by some third-party data users.

The actual feasibility of a verification scheme that meets these
requirements, even after the data gathering activity made by the task force,
is still unproven. For these reasons, we recommend against taking any action
in this field at this stage.

We thus suggest that the focus of the work on Whois accuracy is shifted from
how to force unwilling people to provide their true information to how to
effectively allow registrants who want to provide true information to do so.
There are a number of practical hurdles for any registrant to keep his/her
data up to date, and removing these hurdles would prove much more beneficial
to the overall accuracy of the Whois databases than going after an
impossible and worrying dream of a global centralized control system over
registrants' identities.

Finally, we note that the Registrar Accreditation Agreement provisions about
data collection, display and accuracy requirements and their enforcement are
clearly illegal, and thus void, in a number of jurisdictions.

Thus we recommend that ICANN suspends any enforcement of those provisions
until the RAA and the related policies are amended so as to comply with
existing laws; as clearly and repeatedly exposed in writing and in person by
a number of relevant public authorities, any other choice is likely to bring
ICANN and involved registrars to litigation with registrants and with the
Privacy Authorities in European and other countries.


A deeper analysis on the problem of Whois accuracy

We think that, to be able to solve a problem, you should first investigate
the reasons why it happens. In this case, you could roughly divide the
registrants whose data are inaccurate into four categories:
1.	Those who purposely provide inaccurate data for fraudulent reasons.
2.	Those who purposely provide inaccurate data to protect their privacy.
3.	Those who mistakenly provide inaccurate data.
4.	Those who provide accurate data at registration, but then fail to keep
them up to date so that the information becomes inaccurate.

Until now, the general discussion on accuracy has been almost completely
focused on the first category - and we think this is an error. The purpose
of the Whois system is not to provide bullet-proof identification for those
who register domains and operate services on top of them, but rather to
provide quick contact information for those domain holders who want to be
contacted. Turning the Whois system into a certified directory of domain
name owners would go beyond its purpose and, as practice shows, is
practically incompatible with its spirit and architecture.

Also, at the present state of technology and of operational practices, costs
of very secure authentication of world-wide registrants for all domain
name registrations would be high and would possibly destroy the domain name
market as we know it today. We think it might be more cost-effective (and
also more respectful of basic civil rights of people) to seek after
fraudulent registrants once they actually commit a fraud, rather than to
presume that all registrants are to commit frauds and so should be carefully
screened in advance.

Finally, we point out that there is no verification system, other than
requiring a person to physically show up and exhibit a secure proof of
identity such as a passport or national ID document, that could tell between
true personal data and plausible, but fake, personal data. If going down the
path of imposing stricter and stricter checks on data as they are submitted
by the registrant during the registration process, after spending lots of
time and lots of money on them, we might actually discover that no benefit
has arisen in terms of fraud prevention, but that the stricter checks have
caused a huge increase in crimes like identity theft, which by the way are
made easier by the very existence of the public and anonymously accessible
Whois system.

That said, we think that an increased accuracy in the Whois database, if
limited to those registrants who actually agree to provide their data, would
be highly desirable. This is why we think that future activities in the
field of enhanced accuracy should not focus on the first category of the
above list, but rather on the other three.

We will not discuss here the issue of privacy protection, which is the
subject of another task force; we just stress that the overwhelming majority
of those who purposely provide inaccurate data does so for privacy
protection reasons, rather than for fraudulent intentions. Just allowing
these people not to disclose their data to the public, but just to the
registrar, would actually avoid most cases of wilful inaccuracy.

The third category is, according to our experience, somewhat small - also
because this kind of error is clerical and can easily be fixed in case
there is actual need to contact the owner. Once the registrant's desire to
publish their data is ascertained, some simple automated verifications could
be made by the registrar's system, to warn the registrant about possible
errors.

However, creating an automatic verification algorithm for all countries
and scripts of the world might prove very difficult and prone to errors for
less common countries; the current practical examples only come from TLDs
and environments with geographically limited registrants. On the other hand,
systems which provide automatic verification only for residents of some
countries could be acceptable only as long as they do not prevent or make it
unreasonably harder for residents of "unverifiable" countries to register
domains. This is why we think that the output of these automated verification
algorithms should only be used as a warning to the registrant, but should
not prevent the registrant from submitting data that might seem incorrect,
as they could possibly be absolutely correct.

We also note that requiring Roman-script information for registrants of
those countries who do not use Roman characters would be unduly
discriminating them in access to gTLDs. All registrants should be asked to
provide their data only in their local language and script, and just as an
option they could be asked whether they want to provide Romanized data as
well. Requiring the ability to type in Roman script to register domains in
global generic TLDs is unacceptable.

Finally, we think that much could be done to improve the situation of the
fourth category - those registrants who would be happy to provide accurate
information, but who fail to keep it up to date. In fact, experience shows
that updating Whois data is a long and difficult process for registrants. In
many cases, the registrant has to send faxes, make phone calls, and suffer
other costs while devoting a significant amount of time; in other cases, the
authentication mechanism used by registries or registrars is based on the
e-mail address (or on a username/password couple which, if forgotten, will be
resent to the current e-mail address), so that a change in the e-mail
address of the registrant will make him/her unable to manage the
information, and will make these domains orphan. If you add this to the fact
that keeping personal data up to date in a public Whois registry certainly
cannot be the first worry of a registrant when he's changing address, phone
number or e-mail address, you realize that this is possibly the easiest
cause of inaccuracy in Whois databases.

Also, in many cases the registrant is only the last link in a long chain of
interactions that starts with a registry, then goes through an
ICANN-accredited registrar, a domain name reseller, a web hosting company,
or even an "Internet-savvy" friend who does the job for the registrant. We
think that this is an unavoidable consequence of the average registrant
turning from a skilled engineer in a small Internet, as it was when Whois
was designed, to a non-technical average person in a mass Internet. It is
very difficult to create the awareness of the existence and purpose of the
Whois database for non-technical persons on a mass scale, and we think this
is another reason why we should never expect the Whois to be a terribly
accurate list of all registrants.

However, for this category the problem possibly lies in the lack of simple
online systems for the registrant to edit his/her data in the database at no
cost. Thus we think that one of the two following solutions should be tried:
1.	Requiring registries to directly deal with registrants' update requests,
by supplying them a virtual certificate or account at registration, plus
offline procedures to recover access if such account is lost;
2.	Changing the architecture of the Whois database from centralized to
distributed.

Since the first option would raise many concerns in terms of business
models, customer ownership, and cost recovery, the second could possibly be
more interesting. After all, the very reason for which the DNS system was
created, replacing the old centralized hosts table, was the impossibility of
keeping this centralized table up to date. We should simply apply the same
principle and move the data at the edge of the network, by embedding Whois
servers into DNS server implementations. Whois queries could then be sent
directly to the authoritative name servers for the domain, and only if no
reply is received, the registry could be used as a fall-back. This way,
registrants would be able to keep their Whois information up to date as
easily as they keep their zone files up to date, and even if this would not
completely solve the problem, it would possibly cause a dramatic increase in
the number of Whois records that are actually kept updated.

We thus recommend a shift in the focus of accuracy-related discussions, so
as to deal with those types of inaccuracy that can and should actually be
solved, rather than dealing with world-wide verification and law enforcement
systems that are not practically conceivable at the present social and
political state of our planet, and that would anyway have to be discussed at
other political levels.


2.	NCUC Constituency Statement

NCUC STATEMENT FOR WHOIS TASK FORCE 3:

WHOIS Task Force 3 (TF3) deals with the accuracy of WHOIS data, established
to determine the best mechanisms to improve the quality of the data.  The
Non-Commercial Users Constituency (NCUC) approach to Task Force 3 is guided
by the following principles:


1.	First, the NCUC does not believe that accuracy of WHOIS data is
unconditionally desirable.  These task forces were established with the
assumption for task force 3 that accuracy is desirable in all cases and
regardless of the extent of the WHOIS data elements.  The NCUC recognizes
the need to protect such extensive and public data from identity theft and
spam and to protect freedom of speech.  Submission of personally
identifiable contact data should be a choice, not a requirement.  Many
people are indeed forced to enter incorrect data in order to protect
themselves.

2.	Second, the NCUC thinks it imperative that ICANN recognize the
well-established data protection principle that the purpose of data and
data collection processes must be well-defined before policies  regarding
its use and access can be established. The purpose of  WHOIS originally was
identification of domain owners for purposes  of solving technical problems.
The purpose was _not_ to provide  law enforcement or other self-policing
interests with a means of  circumventing normal due process requirements for
access to contact  information. None of the current WHOIS Task Forces are
mandated to  revise the purpose. Therefore, the original purpose must be
assumed until and unless ICANN initiates a new policy development process to
change it.

3.	Third, registrants should be allowed to protect their personally
identifiable information, a protection recognized by the European Data
Protection Directive, Article 29 Working Party, by the OECD Privacy
Guidelines and by data protection legislation across the world. As George
Papapavlou and Giovanni Buttarelli pointed out, it is possible that WHOIS
data accuracy requirements may indeed be breaking many of these laws. The
NCUC submits that accuracy is desirable solely to the extent necessary to
serve the purpose of the data collection and the interest of the data
subject; accordingly, technical information should be accurate. However,
there should be no penalization for inaccurate data entry given that the
extent and the accessibility of the data currently required goes well beyond
the purpose of data collection. As Papapavlou discussed, when there are
various options to achieve a purpose, priority must be given to the least
privacy-intrusive option.

4.	Fourth, while this task force was established with privacy defined as out
of scope, privacy is key to accuracy of data entry.  Data protection
principles have to be implemented and enforced as a whole.  The best way to
improve the accuracy is to provide privacy and security.  Show registrants
that their data will be safeguarded, that their e-mail accounts will be
protected from spam and that they themselves will be protected from stalkers
and other criminals, and they will be more likely to enter accurate data.
Users will continue to feel the need to protect their privacy by their own
means, to defend themselves, if the policies of WHOIS data do not.

5.	Finally, the NCUC supports the development of methods to facilitate
accuracy of data for those who wish to submit accurate data, in other words
opt-in.  We are against, however, calls to require accurate data entry and
penalize or even criminalize those who choose not to.  This task force has
reached out to various companies in order to collect data on verification
procedures, but has found this process difficult (ironically, because
companies are concerned with the privacy of their policies and procedures).
The responses submitted to the TF3 questionnaire are sparse.  We do not have
enough data to allow Task Force 3 to reach any conclusion of best practices
for verifying accuracy.  However, this Task Force has received testimony
that domain name holders in numerous cases are having a very difficult time
updating, revising and changing their own data.   This is currently the most
important issue facing the task force: that the data subjects themselves
cannot update their domain name information.  Further, it is a violation of
the EU Privacy Directive.  Accordingly, this TF must first take on clear
proposals for revisions of the procedures by which registrars, thick
registries, and resellers handle instructions from domain name holders to
update and/or correct domain name data.  These procedures must include:
clear instructions to domain name holders on how to update their
information; special email addresses for expedited and priority handling of
such updates; and TF3-proposed revisions to the Registrars Accreditation
Agreement to ensure that the EU Privacy Directive rules on the ability of
domain name holders to update and police the accuracy of their own data is
ensured and followed.

The principles of this statement were developed by the Task Force
representative, and then submitted to the NCUC Policy Committee and
constituency email list for consideration and discussion. Under our charter
(Section V), NCUC has a Policy Committee chaired by our GNSO Council
representatives (see http://www.ncdnhc.org/charter/current_charter.htm).
The Policy Committee is responsible for developing constituency positions
for GNSO Council meetings and Task forces. Those positions must be submitted
to the constituency email list, but votes of the entire constituency are not
required to develop constituency statements.

In developing a statement, we submit the statement to the constituency for
discussion on our email list. This usually results in a few comments leading
to some modification of the original proposed statement by the Task Force
representative. The amended statement is resubmitted to the list and if
there are no objections it is submitted as a constituency position. If there
are still major disagreements, we might hold a vote, but we are more likely
to note both positions in our statement.  There were no disagreements with
this TF3 statement.

The Non-Commercial Users Constituency has no financial interest in this
issue, but does have an interest in protections of privacy and human rights
as the members are users and domain name registrants.


3.	Registry Constituency Statement

GTLD CONSTITUENCY POSITION FOR TF 3



Below is the Registry Constituency response to the call for submissions from
the GNSO Names Council Whois Task Force 3: Whois Data Accuracy and the
issues identified within the terms of reference for this task force.

This task force has been specifically requested to:

·         Collect information on the current techniques that registrars use
to verify that the data collected is correct. For example techniques to
detect typing errors by registrants intending to provide correct
information. Survey approaches used by ccTLDs to verify that the contact
data collected is correct.

·         Collect publicly available information on the techniques used by
other online service providers (to verify that data collected is correct) as
well as information on the price of services offered by the online service
provider.

·         Create a best practices document for improving data verification
based on the information collected that can be applied on a global basis

·         Determine whether any changes are required in the contracts to
specify what data verification is necessary at time of collection to improve
accuracy

·         Determine what verification mechanisms can be used cost
effectively to combat the deliberate provision of false information, and
determine whether additional mechanisms are necessary to provide
traceability of registrants, or provide for more timely responses for misuse
of domain names associated with deliberately false information.


The gTLD Registry Constituency arrived at the "Supermajority" positions
described in this statement primarily through email discussions occurring
from February through April 2004 supplemented to a small degree by
discussions occurring as part of agendas for the in-person constituency
meeting in Rome on 2 March 2004 and regular constituency teleconference
meetings during March and April 2004.  All constituency registry members
were included in email discussions on the constituency list.

Financial Impact

Financial impact to registries of changes to Whois requirements would vary
depending on what the nature of the changes are, what implementation time
frames are required, etc. Until specific requirements are defined, it is not
possible to quantify financial impact.

Implementation Timeframe Estimates

Because so many applications rely on Whois information, advance notice must
be provided to the community at large to allow sufficient time for such
applications to be modified to accommodate changes.  Because of the
widespread global use of Whois information, it is not unreasonable to expect
that at least six months notice should be given to the Internet community
for any significant changes.

Constituency Comments

* We recommend that, with respect to Registrant contact data, any
verification mechanisms which may be implemented in the future should be
implemented at the registrar level. This enhances effective communication
with the registrant and allows for a more efficient methodology for
correction of any inaccurate information by the registrant.

* Implementation of any data verification schemes should be done on a
"global basis" and not be applied to any gTLD on a country-by-country basis.

 * We concur with previous recommendations that an in-depth examination of
Registrar data collection and protection practices be undertaken by the GNSO
Council (or another appropriate body) in order that the GNSO community can
accurately discern policy implications of the various data protection
regulations in effect in various registrant jurisdictions.

* We recognize that until the concerns of privacy are adequately dealt with
on a regional and international basis, it will be very difficult to resolve
the Whois data accuracy problem. In this regard, the gTLD Registry
Constituency strongly recommends that this fact be recognized and that a
concerted effort be made to address it. Until that is done, regardless of
what mechanisms are put in place to improve accuracy, individuals concerned
about privacy and registrars and registries operating in jurisdictions with
strict privacy regulations will find ways to protect privacy, which may work
against steps to improve accuracy.
One way to implement, from a technical perspective, the policy objectives of
achieving accurate WHOIS information, while at the same time balancing the
appropriate privacy interests, may be through the nearly completed IRIS
protocol being developed by the CRISP working group.  Once finalized, we
recommend that ICANN comprehensively evaluate such protocol.



4.	 Internet Service Providers and Connectivity Providers Constituency
Statement (ISPC)(parsed from single submitted document)

Task Force 3 - Improving Accuracy of Collected Data

Finally, the ISPCP Constituency is quite concerned about the abundance of
inaccurate and incomplete data.  Such deficiencies significantly hinder ISPs'
ability to identify and contact registrants.  Thus, ISPs support ready
access to accurate Whois data to facilitate resolution of network problems,
sourcing of spam.  Further, ready access to accurate data is necessary for
securing our networks and enforcing our acceptable use policies.

Because of the heavy reliance by ISPs on registrants' data to facilitate
future contact with the registrant for business issues, security and
stability issues, intellectual property infringement and a myriad of other
legal issues, accuracy is of the utmost importance.

While automated verification software does exist, its accuracy and therefore
its reliability on a global scale is suspect.  Registrars should take
multiple steps to ensure that the data they receive is accurate, and there
should be some enforcement mechanism to ensure registrars' compliance.  In
addition, it would be useful for registrars to have a list of best practices
that further help verify data and produce an accurate database.

The ISPCP Constituency proposes:

·	The creation of a best practices document aimed to improve data
verification, with the prospect of a global application.
·	Registrars take increased and more uniform measures to verify accurate
data.  The ISPCP does not advocate removing all flexibility from current or
future registrar practices, but some uniformity and compliance with best
practices will net a more accurate database.
·	ICANN staff should undertake a review of the current registrar contractual
terms and determine whether they are adequate or need to be changed in order
to encompass improved data accuracy standards and verification practices.


5.	Commercial and Business Users  Constituency Statement (BC) (parsed from a
single submitted document)

Task Force 3: Mechanisms to improve quality of contact data

The BC notes:
·	Accuracy because WHOIS is public communication. A domain name registration
in a TLD is a public form of communication, and as such, requires accurate
data for the WHOIS registry.

·	Accuracy because users need accurate data. The average Internet user,
whether business, government, NGO or individual, has an expectation of
accurate WHOIS information, which they then use to address legitimate
issues:  verifying the legitimacy of a web site, pursuing a network problem,
addressing IP infringement concerns,  calling for assistance from law
enforcement, etc.

·	Accuracy is important for individuals and organisations. The same concerns
about the need for accurate data are independent of the nature of the
registrant.  A non-statistical survey of BC members regarding the situations
they have experienced with trademark infringements, consumer fraud, and
network issues indicates that there are problems with individuals and with
organisations. However, none of the consumer fraud incidents encountered by
the well-known brand holders involved organisations. The five situations
examined all involved individuals who provided false information.
Discussions with law enforcement have and continue to evidence similar
problems with individuals.

·	Some examples of data authentication exist in other industries, including
financial services and in some of the ccTLDs.


The BC therefore proposes:

·	Best Practices are available from other sources: The BC recommends further
examination of best practices in authentication in other industries and from
selected ccTLDs.

·	Changes to the contracts are needed to ensure there is enforcement. The
requirement to provide accurate data is a part of the Registrar contract,
yet it appears that few registrars fulfill this requirement. The BC believes
that this must be enforced by ICANN while allowing flexibility in the way
registrars carry out this obligation. The previous WHOIS TF discussed the
development of graduated sanctions.  They also heard from several ccTLDs
with successful data verification practices. The BC calls for the
development of policy to evaluate a system of graduated sanctions.


6. Intellectual Property Interests Constituency Statement (IPC)

IPC Constituency Statement

Whois Task Force 3

March 24, 2004

This statement responds to the issue identified in the purpose statement of
the terms of reference for Task Force 3:  see
http://gnso.icann.org/issues/whois-privacy/tor3.shtml

The purpose of this task force is to develop mechanisms to improve the
quality of contact data that must be collected at the time of registration,
in accordance with the registrar accreditation agreement (in particular
clauses 3.3.1 and 3.7.7.1), and the relevant registry agreement (e.g.
Unsponsored TLD Agreement: Appendix O (.biz)).

IPC's recommendations for improvement of data quality include the following.

·	ICANN should work with all relevant parties to create a uniform,
predictable, and verifiable mechanism for ensuring compliance with the
WHOIS-related provisions of the present agreements, and should devote
adequate resources to such a compliance program.  The Registrar
Accreditation Agreement makes the requirements clear.  See
http://gnso.icann.org/issues/whois-privacy/raa-whois-16dec03.shtml.
However, this agreement is only as good as the level of compliance with it,
and recent decisions by US courts indicate that only ICANN can enforce these
agreements.  See Register.com v. Verio, Inc., 356 F.3d 393 (2d Cir. 2004).

·	ICANN should ask each registrar to present a plan, by a date certain, for
substantially improving the accuracy of Whois data that it collects.  The
plans will be made publicly available except to the extent that they include
proprietary data.  The plans should include at least the following features:

o	identification and public disclosure of a contact point for receiving and
acting upon reports of false Whois data;

o	how the registrar will train employees and agents regarding the Whois data
accuracy requirements;

o	how the registrar will take reasonable steps to screen submitted contact
data for falsity, which steps may include use of automated screening
mechanisms, manual checking, including spot-checking, and verification of
submitted data;

o	when false data comes to the registrar's attention, whether through a
third-party complaint or otherwise, how the registrar will treat other
registrations in which the contact data submitted is substantially identical
to that in the registration that has come to the registrar's attention;

o	how the registrar monitors the extent to which contact data submitted to
it through re-sellers or other agents is false or significantly incomplete,
and what the consequences are for re-sellers or agents whose performance is
unacceptable;

o	 how the registrar evaluates compliance by its current registrants with
the obligation to provide accurate and current contact data;

o	how the registrar measures performance in improving the quality of the
Whois data it manages

·	The RAA and gTLD registry agreements should be modified to provide for a
regime of graduated or intermediate sanctions for patterns of violations by
a registrar of the Whois data accuracy obligations of those agreements.
(This recommendation is without prejudice to the possibility that such a
regime would also be appropriate for encouraging compliance with other
provisions of these agreements.)

·	The PDP with regard to the issues addressed by TF3 should mutate into an
ongoing effort with the following goals:

o	Research and dissemination of information on practicable and
cost-effective methods used to improve the quality of identifying and
contact data submitted by customers in online transactions outside the realm
of gTLD domain name registration

o	Development of best practices within the realm of gTLD domain name
registration for improving the accuracy, currentness, and reliability of
contact data in the Whois database


7.	Draft Registrar Constituency Statement

GNSO Registrar Constituency Draft Submission
Whois Task Force 3: Whois Data Accuracy
March 24, 2003
Prepared by:
Ross Wm. Rader, (ross@xxxxxxxxxx) on behalf of
The GNSO Registrar Constituency

Overview
This document responds to the call for submissions from the GNSO Names
Council Whois Task Force 3: Whois Data Accuracy and the issues identified
within the terms of reference for this task force.

This task force has been specifically requested to:

·	collect information on the current techniques that registrars use to
verify that the data collected is correct. For example techniques to detect
typing errors by registrants intending to provide correct information.
Survey approaches used by ccTLDs to verify that the contact data collected
is correct.

·	collect publicly available information on the techniques used by other
online service providers (to verify that data collected is correct) as well
as information on the price of services offered by the online service
provider.

·	create a best practices document for improving data verification based on
the information collected that can be applied on a global basis

·	determine whether any changes are required in the contracts to specify
what data verification is necessary at time of collection to improve
accuracy

·	determine what verification mechanisms can be used cost effectively to
combat the deliberate provision of false information, and determine whether
additional mechanisms are necessary to provide traceability of registrants,
or provide for more timely responses for misuse of domain names associated
with deliberately false information.

Response
The issue of a useful and sustainable model for appropriate access to
registrant data via publicly accessible means continues to be a primary
concern for the ICANN GNSO Registrar Constituency. Registrar Constituency
membership are the primary caretakers of Whois access and Whois data in the
gTLD namespace and have a vested interest in ensuring that it is responsibly
administered within the bounds of appropriate public policy as established
by ICANN.

The Registrar Constituency started formulating its position on Whois during
its formative year in 1999 with a request to the ICANN Board of Directors to
ensure that the public Whois service located at http://rs.internic.net
remained accessible to all members of the public and did not become a
specialized marketing vehicle for specific corporate interests.  The
Constituency position continues to grow in conjunction with its examination
and discussion of the issues with the DNSO/GNSO and larger internet
community.

This dialogue will continue to be important as long as the internet community
requires access to registrant data via publicly accessible means. The
Constituency views this dialogue as an imperative component in its ongoing
decisions of how to best operate this important resource in a manner that
balances the interests of stakeholders in accordance with established ICANN
policy. In this regard, the primary interest of Registrars is that of
commercial implementer, operator and caretaker.

Balancing the interests of those who require access to accurate data and
those obligated to maintain accurate data is neither an easy nor a forgiving
task. On one hand, we have to satisfy those actors who legitimately require
immediate access to accurate registrant data to protect the rights or assets
of public and private interests from infringement or misappropriation by
third parties.  On the other, Registrars must be concerned with the
contractual rights and obligations of those parties responsible for
maintaining the accuracy of the registrant data and also those of the
registrants.

The current body of policy allows Registrars to uphold their obligations in
a responsible manner that does not impinge the contractual rights or
obligations of other parties to these agreements. This capability is clouded
by the lack of available data regarding some of the more recently enacted
elements of the policy, notably the Whois Data Reminder Policy.  Further, it
is unclear whether or not the appropriate measurements are being taken or
what reporting mechanisms exist. Timely measurement and reporting is a
prerequisite to the ICANN community gauging the effectiveness and
scalability of the policy it enacts.

The Registrar Constituency is a broad and diverse group of commercial
providers. Registrar firms come from all parts of the world, operate in
many different languages and cater to their chosen markets with every
imaginable business model. Not only are Accredited Registrars required to
abide by the terms of their contracts with ICANN, but also by the laws that
they operate under. Resolving the conflicts between law and contracts,
language, culture and differing business models is a daunting task. The
Constituency recognizes that more work is required to ensure that all
Registrars are equitably applying existing policy while ensuring that the
competitive diversity of its Membership is fostered and promoted. ICANN's
ongoing program of compliance and education is one such example of positive
efforts in this direction. These programs are a necessary element of ICANN's
function and its efforts should receive the full support of the community.

To these ends, the Registrar Constituency makes the following submissions to
the ICANN GNSO Names Council Whois Task #3, Whois Data Accuracy.

Submission
1.	The Constituency recommends that ICANN continues to develop its ongoing
compliance plan to ensure that contracted parties are appropriately meeting
their obligations under the various agreements.

Specific attention must be paid to:
a)	the resources assigned to managing this plan;
b)	the specific elements of compliance that the internet community is
primarily concerned with;
c)	development and implementation of a graduated scale of sanctions that can
be applied against those who are not in compliance with their obligations or
otherwise infringing the contracted rights under these agreements;
d)	Measurement and reporting mechanisms that allow appropriate analysis of
the effectiveness of this ongoing program with specific attention paid
initially to existing compliance assistance mechanisms such as ICANN's
online Whois data inaccuracy reporting tools;
e)	Continued outreach to and education of affected stakeholders to ensure
that existing requirements and obligations are understood and met and that
new requirements are captured and appropriately dealt with. This effort
should ensure that ICANN advisories related to this issue are specifically
brought to the attention of newly accredited Registrars and that resources
be made available to the Registrar community to ensure that the impact and
scope of these obligations are apparent and understood. Similar resources
should be made available to new Registrants and brought to their attention
via the registration agreement that all Registrants must agree to prior to
the activation of their gTLD registration;
f)	Ongoing development and promotion of gTLD Registry, Registrar and
Registrant best practices that foster the accuracy of the Registrant data
contained in the Whois database

2.	The Constituency further recommends that ICANN does not ratify any policy
related to Whois data accuracy that alters the balance of rights and
obligations found in current policy.

3.	Finally, the Constituency recommends that a specific examination of
Registrar data collection and protection practices be undertaken by the GNSO
Council (or another appropriate body) in order that the GNSO community has
sufficient and appropriate appreciation of the policy implications of the
various data protection regulations in effect in the various jurisdictions
that Registrars operate.
  "ICANN Whois Data Problem Report",
http://reports.internic.net/cgi/rpt_whois/rpt.cgi

  For instance, " Registrar Advisory Concerning Whois Data Accuracy",
http://www.icann.org/announcements/advisory-10may02.htm

  "ICANN Registrar Accreditation Agreement, section 3.7.7",
http://www.icann.org/registrars/ra-agreement-17may01.htm#3.7.7




