[registrars] Update on WHOIS discussions on GNSO Council

["Bruce Tonkin" <Bruce.Tonkin@xxxxxxxxxxxxxxxxxx>]

Hello All,

There were two issues relating to WHOIS discussed in the GNSO Council
meeting around 12 hours ago.

(1) The proposed recommendation:

"1.	Registrars must ensure that disclosures regarding availability
and third-party access to personal data associated with domain names
actually be presented to registrants during the registration process.
Linking to an external web page is not sufficient. 

2.	Registrars must ensure that these disclosures are set aside from
other provisions of the registration agreement if they are presented to
registrants together with that agreement.  Alternatively, registrars may
present data access disclosures separate from the registration
agreement.  The wording of the notice provided by registrars should, to
the extent feasible, be uniform. 
3.	Registrars must obtain a separate acknowledgement from
registrants  that they have read and understand these disclosures.  This
provision does not affect registrars' existing obligations to obtain
registrant consent to the use of their contact information in the WHOIS
system. "

Philip Sheppard, Niklas Lagergren, Maureen Cubberly - all spoke in
favour of the recommendation.

Tom Keller, Bruce Tonkin - spoke against the recommendation.
(note Ross Rader was unable to make the call)

As some absent Council members had not given clear voting instructions
for this particular recommendation, the vote was adjourned until the
next Council meeting on 
23 June 2005.

My view was that most of the larger registrars tend to already meet the
spirit of the recommendation in the sense that they either have clear
privacy policies accessible to their users, or they offer users a choice
between the public display of their contact information, or the use of a
private registration service.

At Marilyn Cade's suggestion - The ICANN staff (Maria Farrell) will
review the top 10 registrars, and a selection of a 10 of the remaining
registrars, to determine how registrars make registrants aware of their
obligations to provide contact information for public display via the
WHOIS service.


(2) Revised Terms of Reference for the WHOIS task force

Niklas Lagergren proposed adding a requirement for the WHOIS task force
to develop a policy for up-front verification of WHOIS information.
This motion received 12 votes in favour out of a total of 26 votes.
Therefore the motion failed.

The following terms of reference were then accepted.

Terms of Reference for WHOIS task force

The mission of The Internet Corporation for Assigned Names and Numbers
("ICANN") is to coordinate, at the overall level, the global Internet's
systems of unique identifiers, and in particular to ensure the stable
and secure operation of the Internet's unique identifier systems. 

In performing this mission, ICANN's bylaws set out 11 core values to
guide its decisions and actions. Any ICANN body making a recommendation
or decision shall exercise its judgment to determine which of these core
values are most relevant and how they apply to the specific
circumstances of the case at hand, and to determine, if necessary, an
appropriate and defensible balance among competing values.

ICANN has agreements with gTLD registrars and gTLD registries that
require the provision of a WHOIS service via three mechanisms: port-43,
web based access, and bulk access.   The agreements also require a
Registered Name Holder to provide to a Registrar accurate and reliable
contact details and promptly correct and update them during the term of
the Registered Name registration, including: the full name, postal
address, e-mail address, voice telephone number, and fax number if
available of the Registered Name Holder; name of authorized person for
contact purposes in the case of an Registered Name Holder that is an
organization, association, or corporation; the name, postal address,
e-mail address, voice telephone number, and (where available) fax number
of the technical contact for the Registered Name; and the name, postal
address, e-mail address, voice telephone number, and (where available)
fax number of the administrative contact for the Registered Name.   The
contact information must be adequate to facilitate timely resolution of
any problems that arise in connection with the Registered Name.

A registrar is required in the Registrar Accreditation Agreement (RAA)
to take reasonable precautions to protect Personal Data from loss,
misuse, unauthorized access or disclosure, alteration, or destruction.

The goal of the WHOIS task force is to improve the effectiveness of the
WHOIS service in maintaining the stability and security of the
Internet's unique identifier systems, whilst taking into account where
appropriate the need to ensure privacy protection for the Personal Data
of natural persons that may be Registered Name Holders, the authorised
representative for contact purposes of a Register Name Holder, or the
administrative or technical contact for a domain name.

Tasks:

(1) Define the purpose of the WHOIS service in the context of ICANN's
mission and relevant core values, international and national laws
protecting privacy of natural persons, international and national laws
that relate specifically to the WHOIS service, and the changing nature
of Registered Name Holders.


(2) Define the purpose of the Registered Name Holder, technical, and
administrative contacts, in the context of the purpose of WHOIS, and the
purpose for which the data was collected.  
Use the relevant definitions from Exhibit C of the Transfers Task force
report as a starting point (from
http://www.icann.org/gnso/transfers-tf/report-exhc-12feb03.htm):

"Contact: Contacts are individuals or entities associated with domain
name records. Typically, third parties with specific inquiries or
concerns will use contact records to determine who should act upon
specific issues related to a domain name record. There are typically
three of these contact types associated with a domain name record, the
Administrative contact, the Billing contact and the Technical contact.

Contact, Administrative: The administrative contact is an individual,
role or organization authorized to interact with the Registry or
Registrar on behalf of the Domain Holder. The administrative contact
should be able to answer non-technical questions about the domain name's
registration and the Domain Holder. In all cases, the Administrative
Contact is viewed as the authoritative point of contact for the domain
name, second only to the Domain Holder.

Contact, Billing: The billing contact is the individual, role or
organization designated to receive the invoice for domain name
registration and re-registration fees.

Contact, Technical: The technical contact is the individual, role or
organization that is responsible for the technical operations of the
delegated zone. This contact likely maintains the domain name server(s)
for the domain. The technical contact should be able to answer technical
questions about the domain name, the delegated zone and work with
technically oriented people in other zones to solve technical problems
that affect the domain name and/or zone.
Domain Holder: The individual or organization that registers a specific
domain name. This individual or organization holds the right to use that
specific domain name for a specified period of time, provided certain
conditions are met and the registration fees are paid. This person or
organization is the "legal entity" bound by the terms of the relevant
service agreement with the Registry operator for the TLD in question."


(3) Determine what data collected should be available for public access
in the context of the purpose of WHOIS.  Determine how to access data
that is not available for public
access.   The current elements that must be displayed by a registrar
are:

- The name of the Registered Name;

- The names of the primary nameserver and secondary nameserver(s) for
the Registered Name;

- The identity of Registrar (which may be provided through Registrar's
website);

- The original creation date of the registration;

- The expiration date of the registration;

- The name and postal address of the Registered Name Holder;

- The name, postal address, e-mail address, voice telephone number, and
(where available) fax number of the technical contact for the Registered
Name; and

- The name, postal address, e-mail address, voice telephone number, and
(where available) fax number of the administrative contact for the
Registered Name.


(4) Determine how to improve the process for notifying a registrar of
inaccurate WHOIS data, and the process for investigating and correcting
inaccurate data.  Currently a registrar "shall, upon notification by any
person of an inaccuracy in the contact information associated with a
Registered Name sponsored by Registrar, take reasonable steps to
investigate that claimed inaccuracy. In the event Registrar learns of
inaccurate contact information associated with a Registered Name it
sponsors, it shall take reasonable steps to correct that inaccuracy."


(5) Determine how to resolve differences between a Registered Name
Holder's, gTLD Registrar's, or gTLD Registry's obligation to abide by
all applicable laws and governmental regulations that relate to the
WHOIS service, as well as the obligation to abide by the terms of the
agreements with ICANN that relate to the WHOIS service.   
[Note this task refers to the current work in the WHOIS task force
called 'Recommendation 2', A Procedure for conflicts, when there are
conflicts between a registrar's of registry's legal obligations under
local privacy laws and their contractual obligations to ICANN.]