Comments to WHOIS Task Force 3
From Kathryn Kleiman
I submit these comments to Task Force 3 as an individual. In writing them, I bring my experience as a co-founder of the Noncommercial Users Constituency and as a member of the WHOIS Task Force 2.
1. I am saddened and surprised by the TF3 report online. It is not a product that in any way resembles the reports produced by WHOIS TF1 or TF2. TF1 and TF2 recognized that there are three major communities involved in the WHOIS debate:
- Data Subjects (domain name holders)
- Data Users
- Registration Industry (data collectors and processors).
For six months all of these communities in TF1 and TF2 have debated, wrestled and worked together to arrive at Interim Reports that reflect a mid-point, a compromise and a way forward. Why didn't TF3 do the same? How can TF3 produce a report in which each and every recommendation is opposed by all of its data subject members and half of the registration industry?
Please move forward only when you have agreement from all three communities above. This is the type of issue that can split ICANN, governments and the Internet community. We worked hard in the other Task Forces to find common ground on complex and controversial issues. You must do the same. TF3 is not the exclusive province of the data users, such as the intellectual property and commercial interests. We have to work through all these issues together, and you have not done your job.
2. The TF3 report lacks context and does not clearly acknowledge the role of the other task forces and its place in the three task force process. As you read TF3's work, it seems to stand alone, and that is not the case.
As you know, privacy and accuracy are issues of deep concern in the WHOIS debate. ICANN has been warned not just by data subjects, but also by government representatives and leaders, that the WHOIS practice of publishing personal and "sensitive data" is a violation of national laws, including national data protection laws. Accuracy and privacy must move forward together.
Because privacy is not considered in your scope, TF3 must discuss its out-of-scope limitations in its reports. It is widely speculated that adding privacy to the database will greatly further accuracy (and based on unlisted telephone number models, there is a good basis for making this speculation). Readers must know that there are options for accuracy other than "sticks" and penalties, and that such options could help accuracy advance in a positive manner. Even if you don't explore the issue, you must present its possibility and submit that you felt it was beyond your scope. Not everything has to be based on excessive penalties.
3. TF3 must discuss its context. Right now, your report seems to exist in its own right. But that is not the way it was envisioned or presented to the Constituencies by Council. TF3 is one of three task forces, all looking at complicated parts of the privacy/accuracy/availability debate in the WHOIS area. TF3 must acknowledge the other two task forces, and that only after the findings and work of TF1 and TF2 is it appropriate to proceed with increased levels of accuracy in the WHOIS. Solve the personal data/sensitive data problem, and accuracy becomes far less controversial to the ICANN community, government leaders and data protection commissioners. Don't solve the privacy problem, and demands for increased accuracy will deeply divide ICANN's communities and governments. TF3 must discuss the larger process in which its recommendations will play out.
4) TF3 must adopt much more neutral terminology throughout its report. Using the phrase "false WHOIS data" conveys a sense of negative intent, such as when a person adopts a "false persona." But inaccurate WHOIS data, on its face and without additional information, has no negative, false or intentional overtones. Inaccurate data can appear in the WHOIS database, as in any database, for a number of reasons including typos, later changes, software error, unintentional swaps (domain name A, but data from domain name B), inaccurate updates, hacking, etc. (I used to be a data security auditor, and saw many ways for inaccurate data to enter systems.) Neither TF3 nor ICANN has the right to presume the intent of the data subject until that intent is proven. Accordingly, it is incumbent on TF3 and ICANN to use neutral, not negative, language and change all references from "false WHOIS data" to "inaccurate WHOIS data."
5) If TF3 recommendations go forward (see concerns below), then it should bound each recommendation to "technical and operational data" [TF2 terminology] or "non-sensitive data" [TF1 terminology]. If TF3 is going to proceed without data gathering and only on the basis of selected constituency statements, then it is incumbent that TF3 carefully stay within the bounds of ICANN's mandate and limit its recommendation to the technical and operational data of the domain name system.
6) In response to the specific Recommendations of TF3, I respond below:
Overall: To all recommendations, I have the same question: what is the basis for these recommendations? Where is the independent data you have gathered in your data gathering phase regarding problems in the ICANN data correction process, as recently revised? Where is the discussion, in each recommendation, of the downsides that it might offer? Where are the limits that stop unreasonable parties from making the WHOIS database a witch-hunt for the individual, organizations and even companies who are exercising their human rights to share controversial political, cultural and personal ideas and have created no technical or operational problem with their domain name use online?
I object to each recommendation based on the above questions, and discuss a few below.
#1 TF3's recommendation includes: "ICANN should devote additional resources to such a compliance program in order to provide adequate support."
In a tight budget, why should ICANN devote further and additional resources to a process in which it seems to be heavily involved already?
#3 TF3's recommendation includes: "Any Best Practices that are viewed as being mechanisms for improving data verification on a global basis should be developed by or under the direction of ICANN, soliciting the cooperation of responsible registrars, and disseminated to accredited registrars and other relevant parties as part of ICANN's ongoing educational and compliance initiatives."
Best Practices must be developed with the solicitation and cooperation of all three communities -- data users, data subjects and the registration industry -- not just registrars. The deep concern this issue has raised in the last several ICANN meetings is proof enough that the issues are far reaching and the implications of deep concern for all.
#4 TF3's recommendation includes: "Specific examination of registrar data collection and protection practices should be undertaken, including investigating all options for the identification and viability of possible: A) automated and manual verification processes that can be employed for identifying suspect domain name registrations containing plainly false or inaccurate data and for communicating such information to the domain name registrant; and b) readily available databases that could be used for or to assist in data verification, taking into account the wide variety of situations that exist from region to region."
Why? Where is the data collected in the TF3 data gathering process that leads to this conclusion?
This is one of the areas where stretching slightly outside your scope is a good idea. If providing basic privacy protections for domain name owners can dramatically increase accuracy, then the registration industry and ICANN can dramatically decrease costs. Why go the expensive way first?
#5 TF3 recommends: ICANN should also consider including the "last verified date" and "method of verification" as WHOIS data elements, as recommended by the Security and Stability Advisory Committee.
This recommendation is clearly out of scope for TF3 and must be deleted or referred to TF2. As you know, your out-of-scope section specifically states: "The task force should not consider issues associated with changing the data elements that are collected. This is the subject of a separate task force."
#6 This recommendation includes many new steps for Registrar to undertake for accuracy. Where is the data collected by TF3 that shows that current procedures are not working? Where is the warning that adopting these additional procedures, without finding protections against bulk access and to protect privacy (TF1 and 2) could cause even greater conflict with national law and national law enforcement (see concerns expressed to the ICANN community by George Papapavlou, EU, and Giovanni Buttarelli, Italy, at the Rome ICANN Meeting, among others)?
If TF3 chooses to go forward with this recommendation, it should expressly apply only to technical and operational WHOIS data labeled "non-sensitive" by TF1.
#7 Where does recommendation #7 differ from existing practices?
#8 TF3 recommends: "ICANN should consider requiring Registrars to verify at least two of the following three data elements provided by domain name registrants - phone, facsimile and email - and ensure that these elements function and that the Registrar receives a reply from these means of communication. Where none of the three data elements works, then the domain name should immediately be placed on hold. If only one of the means of communication works, then the domain name shall be placed on hold for a period of 15 days in which the domain name registrant shall correct all of the WHOIS data elements. If the domain name registrant fails to correct all of the WHOIS "
Here, as in #6 above, TF3 must discuss the tension between privacy and accuracy, or it presents a distorted picture. Requiring this type of check, on people's home address and unlisted phone numbers, will cause a greatly increased level of concern for domain name holders (data subjects) and their governments and data protection commissioners worldwide. TF3 should expressly suggest that this recommendation be held until resolution of TF1 and TF2's issues, or expressly bound to technical contact data only.
#9 TF3 recommends: "Where a domain name registration is canceled due to the non-functionality of WHOIS data elements - phone, facsimile, and email - the domain name can be reconnected for a fee to be set by the registrar. Upon reconnection of any domain name in circumstances where the domain name had been placed on hold or was immediately canceled, the Registrar shall verify all data elements before reconnecting the domain name. The Registrar should ensure that the reconnection charge it imposes is sufficient to cover the costs of the heightened verification it must perform in reconnecting a previously canceled domain."
Until the privacy issues are resolved, this cancellation may be viewed as an additional cost for protecting the privacy guaranteed by national law. This raises problems, I am told, under national law. TF3 should be careful to include in its recommendations that the only costs associated with the reconnection of a domain name be fair, reasonable, not excessive, and waived should the registrant prove he/she was protecting a right guaranteed by his/her national law or where the fault is that of the registrar (e.g., did not promptly update data).
#10 Recommendation: "When a domain name registration is canceled (or suspended, etc.) for false contact data, all other registrations with identical contact data should be canceled (or suspended, etc.) in like fashion."
Absolutely not. TF3 has not thought through the disastrous implications of this policy for domain name holders operating under proxies. There are now cases of proxy services which register thousands of domain names for honest individuals and small businesses, and then the proxy acts in a manner which is improper. Rather than solving the problem in a business-like and professional manner, TF3 recommends the willy-nilly cancellation of thousands of domain names. This is clearly not a well-thought out, well-researched or well-evaluated position. This resolution must be deleted absent further, and comprehensive danger, of the full range of its implications. I also think such a recommendation, if followed, must be tied to some proof of technical or operational problem that the set of domain names has caused online.
#11 Recommendation: "ICANN staff should undertake a review of the current registrar contractual terms and determine whether they are adequate or need to be changed in order to encompass improved data accuracy standards and verification practices as a result of the current PDP."
No, ICANN staff should be asked by TF3 to evaluate current registrar contractual terms only after it receives the Council recommendations regarding all three WHOIS task forces and has a basis for determining the Council's recommendation for both accuracy and privacy standards.
#12 Recommendation: "ICANN should develop and implement a graduated scale of sanctions that can be applied against those who are not in compliance with their contractual obligations or otherwise violating the contractual rights under these agreements."
Only after ICANN has resolved the Catch-22 of national privacy laws and WHOIS collection and disclosure requirements should ICANN move forward with any revised type of sanctions. TF3 should say so.