RE: [whois-sc] DRAFT 3: Task force 2

["Cade,Marilyn S - LGCRP" <mcade@xxxxxxx>]

I did speak on the call about the concern that I have that we went to the trouble of prioritizing, including asking our constituencies about priorities, and now I see something of an effort to ignore that prioritization. The Council has limited resources. The wild card/registry service issue is  a new and pressing priority for Council to address. 

I do recommend that we consider this carefully, and keeping a spirit of a collegial and collaborative process, think about what is feasible to address, at this time. 

I understand Steve Metalitz' suggestion and consider it a better approach to focus on Issue 5. It is consistent with the prioritization undertaken by the group. 

If it is not supported, then I can support extending the TORs as suggested...Much more work... and that has to be understood, and carefully thought about in light of other priorities of Council. We do not live in a vacuum. ...So, the Steering Group needs to frankly, and honestly discuss the time limits, their own limits of time, and staff demands. Otherwise, we are shortchanging the community, and ourselves... only to pay later. :-)

It is possible to work an agenda with several stages to it... I fear that it is possible that with four TFs underway: 
2 on WHOIS
1 on UDRP
1 on new gTLDs
and now a Council process for the rest of the year on registry services, that none of us will do our "day" jobs. 

Personally, I still have to fulfill my day job ... last I talked to most of you, so do you... and I wonder if we don't need to think responsibly, as managers of our own time and the resources we commit, about whether we will do a superficial job if we do too many jobs at once. 



202-255-7348c
mcade@xxxxxxx


-----Original Message-----
From: Steve Metalitz [mailto:metalitz@xxxxxxxx]
Sent: Thursday, October 09, 2003 4:04 PM
To: 'Bruce Tonkin'; whois-sc@xxxxxxxx
Subject: RE: [whois-sc] DRAFT 3: Task force 2


Bruce,

As you know, I remain concerned that these draft TORs denigrate the
priority-setting process that we all participated in, by delving into issues
that only one or two constituencies identified as a priority.  Thus I have
suggested that the TORs for this task force be limited to Issue 5 from the
Issues Report, which the majority of constituencies identified as a
priority, and which roughly maps to the first task identified in your draft.
I believe this would be the best approach. 

However, as an alternative, the TORs must be expanded so that they include
the remaining one of the "top 5" priority issues identified by the group:
the accuracy of Whois data (Issue 6).  This makes logical sense as well,
since it is almost meaningless to treat "contact-ability" as the key issue
without dealing with ways to improve the accuracy and reliability of the
data.   

I have attempted to incorporate this additional issue in the TOR in the
revision below.  My proposed insertions and deletions  are preceded by
"+++".    (Yours continue to be marked by "**.")

I did not address here Tom's suggestions about documenting applicable local
privacy law.  I will just note that this is an exceptionally complicated
legal issue and I doubt that a GNSO Task Force will be well equipped to
determine even which local laws are applicable, much less how they apply.


Steve Metalitz

Title: Review of data collected and displayed

Participants:
- 1 representative from each constituency
- ALAC liaison
- GAC liaison
- ccNSO liaison
- SECSAC liaison
- liaisons from other GNSO WHOIS task forces

Description of Task Force:
==========================

There are domain name holders that are concerned about their privacy,
both in terms of data that is collected and held about them, and also in
terms of what data is made available to other parties.  

[**INSERT** At the same time, domain names, associated email addresses,
and web sites located by domain names can be used in connection with
fraud, criminal activity, and intellectual property infringement.  This
gives rise to a need for accurate identification of the registrant,
and/or a need to reliably contact the individual or organization that is
the registered name holder.] [+++ INSERT+++ Many users of Whois perceive
that there is an unacceptable level of inaccuracy in  Whois data that
compromises its ability to facilitate identifying and contacting
registrants.]   

[**INSERT** Similar trade-offs between privacy concerns and
identification affect the technical functions of Whois.] 
Extensive contact information can assist a registrar or network provider
to contact a domain name holder in the event of a technical problem or
in the event of domain name expiration.  However, a domain name holder
may be prepared to make a personal decision to accept a lower standard
of service (e.g take their own steps to be reminded of when a domain
expires) in return for greater privacy.  A domain name holder may be
prepared to provide extensive contact information to their domain name
provider, but would prefer to control what information is available for
public access. {+++INSERT+++ The Security and Stability Advisory Committee
has expressed concerns about the impact of inaccurate Whois data on the
ability to contact needed parties when technical problems arise.]

[**INSERT** Identifiers in other media typically attempt to balance
identification and privacy concerns.] 
For example a telephone customer may provide detailed address
information to a telephone service provider, but may elect not to have
this information displayed in a public whitepages directory.  Note
however that national laws often permit access to the complete
information to groups such as law enforcement and emergency services
personnel.  [+++INSERT+++ Similarly, the ability of persons whose data is
listed in various public registers to opt out of public disclosure of these
items may be very limited.]

[**INSERT** Although the GNSO has in the past adopted new policies (See
http://www.icann.org/gnso/whois-tf/report-19feb03.htm) regarding the
accuracy of data and bulk access, the prior Task Force chose to defer
considerations of privacy to a future point.] 

Another issue is that there is limited public understanding of the
present contractual obligations [+++INSERT+++ ,including the obligations to
disclose to those who provide data the uses to which it will be put, and to
obtain their consent].  Most domain name holders are [+++INSERT+++ probably]
unaware
that their information is being displayed publically via the present
port-43 and interactive web access methods,  
[**INSERT** or is made available to third parties under the bulk WHOIS
access agreement.]

The purpose of this task force is to determine:

[***NOTE the list below has been reordered with (a) now corresponding to
issue 5 in the WHOIS Privacy issues report, which was identified by
several constituencies as a high priority issue**]

a) What is the best way to inform registrants of what information about
themselves is made publicly available when they register a domain name
and what options they have to restrict access to that data and receive
notification of its use?

b) What {+++ INSERT +++ changes, if any, should be made in the data
elements] {+++ DELETE +++ is the minimum required information] about
registrants that must
be collected at the time of registration [+++INSERT+++ ,and the manner of
their collection and maintenance,] to maintain adequate
contact-ability [+++INSERT+++ ,including data reliability]?

c) Should domain name holders be allowed to remove certain parts of the
required contact information from anonymous (public) access, and if so,
what data elements can be withdrawn from public access [+++INSERT +++, by
which registrants], and what
contractual changes (if any) are required to enable this? Should
registrars be required to notify domain name holders when the withheld
data is released to third parties?



To ensure that the task force remains focussed and that its goal is
achievable and within a reasonable time frame, it is necessary to be
clear on what is out of scope for the task force.

Out-of-scope
============

The task force should not examine the mechanisms available for anonymous
public access of the data - this is the subject of a separate task
force.

The task force should not examine mechanisms for law enforcement access
to the data collected.  This is generally subject to varying local laws,
and may be the subject of a future task force.

The task force should [+++DELETE+++ not] study new methods or policies for
ensuring the
accuracy of the required data,  
[+++DELETE +++ [**INSERT as this will be subject of a separate task force]. 
However, it should study+++END DELETE+++] [+++INSERT+++ including] whether
giving registrants the ability to
withhold data from public, anonymous access will increase user
incentives to keep the contact information they supply current and
accurate. [+++NOTE:  The preceding sentence should be moved from the "out of
scope" section.] 

The task force should not consider issues regarding registrars' ability
to use Whois data for their own marketing purposes, or their claims of
proprietary rights to customers' personal data. 

Tasks/Milestones
================
This Task Force would begin at the same time as the other one and
execute its duties in the following order:

[**NOTE the following list has been re-ordered to take into account item
5 of the WHOIS Privacy issues report, which was identified by several
constituencies as a high priority item]

1. Examine the current methods by which registrars and their resellers
inform registrants of the purpose for which contact data is collected,
and how that data will be released to the public. Examine whether policy
changes (or published guidelines) are necessary to improve how this
information is provided to registrants.

2. Conduct an analysis of the existing uses of the registrant data
elements currently captured as part of the domain name registration
process [+++INSERT+++ and the methods intended to promote the accuracy of
the data elements.] Develop list of [+++INSERT+++ optimal] {+++DELETE +++
minimal] required elements [+++ INSERT +++ and collection methods +++] for
contact-ability [+++INSERT +++ including data reliability].
The intent is to determine whether all of the data elements now
collected are necessary for current and foreseeable needs of the
community, [+++ INSERT+++ whether any different elements should be added or
substituted to improve contact-ability,] and [+++DELETE +++ if so,] how
[+++INSERT +++ the data] [+++ DELETE +++ they] may be acquired with the
greatest
accuracy, least cost, and in compliance with applicable privacy,
security, and stability considerations.

3. [** INSERT Document existing methods by which registrants can
maintain anonymity and assess their adequacy]  Decide what options
[+++INSERT+++ if any] will
be given to registrants to remove data elements from public access and
what contractual changes  (if any) are required to enable this.

[** INSERT 4. Taking into account the outcomes in 2 and 3, re-examine
the methods by which registrars inform registrants of the use of their
contact data by third parties and the options registrants might have to
remove data elements from public view.]





  

-----Original Message-----
From: Bruce Tonkin [mailto:Bruce.Tonkin@xxxxxxxxxxxxxxxxxx]
Sent: Friday, October 03, 2003 8:59 AM
To: whois-sc@xxxxxxxx
Subject: [whois-sc] DRAFT 3: Task force 2


Hello All,

The attached draft 3 is an enhancement of Draft 1 (presented at the 1st
teleconference), and Draft 2 (modified by Milton Mueller and presented
at the last teleconference).  This draft incorporates some text provided
to me by Milton Mueller following the call, and also incorporates
comments received during the call.

Look for [** to detect changes.

I invite further input.

Regards,
Bruce Tonkin


Title: Review of data collected and displayed

Participants:
- 1 representative from each constituency
- ALAC liaison
- GAC liaison
- ccNSO liaison
- SECSAC liaison
- liaisons from other GNSO WHOIS task forces

Description of Task Force:
==========================

There are domain name holders that are concerned about their privacy,
both in terms of data that is collected and held about them, and also in
terms of what data is made available to other parties.

[**INSERT** At the same time, domain names, associated email addresses,
and web sites located by domain names can be used in connection with
fraud, criminal activity, and intellectual property infringement.  This
gives rise to a need for accurate identification of the registrant,
and/or a need to reliably contact the individual or organization that is
the registered name holder.]

[**INSERT** Similar trade-offs between privacy concerns and
identification affect the technical functions of Whois.] 
Extensive contact information can assist a registrar or network provider
to contact a domain name holder in the event of a technical problem or
in the event of domain name expiration.  However, a domain name holder
may be prepared to make a personal decision to accept a lower standard
of service (e.g take their own steps to be reminded of when a domain
expires) in return for greater privacy.  A domain name holder may be
prepared to provide extensive contact information to their domain name
provider, but would prefer to control what information is available for
public access. 

[**INSERT** Identifiers in other media typically attempt to balance
identification and privacy concerns.] 
For example a telephone customer may provide detailed address
information to a telephone service provider, but may elect not to have
this information displayed in a public whitepages directory.  Note
however that national laws often permit access to the complete
information to groups such as law enforcement and emergency services
personnel.  

[**INSERT** Although the GNSO has in the past adopted new policies (See
http://www.icann.org/gnso/whois-tf/report-19feb03.htm) regarding the
accuracy of data and bulk access, the prior Task Force chose to defer
considerations of privacy to a future point.] 

Another issue is that there is limited public understanding of the
present contractual obligations.  Most domain name holders are unaware
that their information is being displayed publically via the present
port-43 and interactive web access methods,  
[**INSERT** or is made available to third parties under the bulk WHOIS
access agreement.]

The purpose of this task force is to determine:

[***NOTE the list below has been reordered with (a) now corresponding to
issue 5 in the WHOIS Privacy issues report, which was identified by
several constituencies as a high priority issue**]

a) What is the best way to inform registrants of what information about
themselves is made publicly available when they register a domain name
and what options they have to restrict access to that data and receive
notification of its use?

b) What is the minimum required information about registrants that must
be collected at the time of registration to maintain adequate
contact-ability?

c) Should domain name holders be allowed to remove certain parts of the
required contact information from anonymous (public) access, and if so,
what data elements can be withdrawn from public access and what
contractual changes (if any) are required to enable this? Should
registrars be required to notify domain name holders when the withheld
data is released to third parties?



To ensure that the task force remains focussed and that its goal is
achievable and within a reasonable time frame, it is necessary to be
clear on what is out of scope for the task force.

Out-of-scope
============

The task force should not examine the mechanisms available for anonymous
public access of the data - this is the subject of a separate task
force.

The task force should not examine mechanisms for law enforcement access
to the data collected.  This is generally subject to varying local laws,
and may be the subject of a future task force.

The task force should not study new methods or policies for ensuring the
accuracy of the required data,  
[**INSERT as this will be subject of a separate task force]. 
However, it should study whether giving registrants the ability to
withhold data from public, anonymous access will increase user
incentives to keep the contact information they supply current and
accurate.

The task force should not consider issues regarding registrars' ability
to use Whois data for their own marketing purposes, or their claims of
proprietary rights to customers' personal data. 

Tasks/Milestones
================
This Task Force would begin at the same time as the other one and
execute its duties in the following order:

[**NOTE the following list has been re-ordered to take into account item
5 of the WHOIS Privacy issues report, which was identified by several
constituencies as a high priority item]

1. Examine the current methods by which registrars and their resellers
inform registrants of the purpose for which contact data is collected,
and how that data will be released to the public. Examine whether policy
changes (or published guidelines) are necessary to improve how this
information is provided to registrants.

2. Conduct an analysis of the existing uses of the registrant data
elements currently captured as part of the domain name registration
process. Develop list of minimal required elements for  contact-ability.
The intent is to determine whether all of the data elements now
collected are necessary for current and foreseeable needs of the
community, and if so, how they may be acquired with the greatest
accuracy, least cost, and in compliance with applicable privacy,
security, and stability considerations.

3. [** INSERT Document existing methods by which registrants can
maintain anonymity and assess their adequacy]  Decide what options will
be given to registrants to remove data elements from public access and
what contractual changes  (if any) are required to enable this.

[** INSERT 4. Taking into account the outcomes in 2 and 3, re-examine
the methods by which registrars inform registrants of the use of their
contact data by third parties and the options registrants might have to
remove data elements from public view.]