|
ATTENDEES:
Acting Chair: Bruce Tonkin
(non voting)
Voting members of the committee (Note with reference to the GNSO Council decision
documented in the minutes
of the meeting on 5 June 2003, each constituency could appoint one or two members
to the WHOIS Steering Group - the members may be from outside the GNSO Council
- each constituency would have one vote in any vote proposed in the WHOIS Steering
Group.)
Intellectual Property Interests Constituency : Steve Metalitz, Kiyoshi Tsuru
gTLD Registries constituency: David Maher
Commercial and Business Users constituency: Marilyn Cade, Grant Forsyth
Non Commercial Users Constituency: Stephanie Perrin, Milton Mueller
Registrars Constituency: Tom Keller, Mark Jeftovic
Internet Service and Connectivity Providers constituency: Maggie Mansourkia
GNSO Council independent representative: Alick Wilson
Non-voting Liaisons
At-Large Advisory Committee (ALAC) liaisons: Thomas Roessler, Wendy Seltzer
(Note the At-Large Advisory Committee has the same status of the Government
Advisory Committee in the new ICANN structure and may report its findings and
recommendations directly to the ICANN Board, and in addition may appoint non-voting
liaisons to the GNSO Council. The role of Advisory Committees is described in
Article XI of the new bylaws
- and part 4 of section 2 describes the structure of ALAC in more detail)
Absent: with apologies.
ccTLD liaison: Nigel Roberts
Bruce Tonkin reported that
the GNSO constituencies' input rated issues 10 and 12 at the top:
1. Top: 10. Are the current
means of query-based access appropriate? Should both web-based access and port-43
access be required? (RAA § 3.3.1.) 1 1 1 1 1 5 11. What are the purposes for
providing public query-based access? Are the elements currently required to
be disclosed in public query-based access adequate and appropriate? (RAA § 3.3.1.)
12. What measures, if any, should registrars and registry operators be permitted
to take to limit data mining of Whois servers?
2. Second: Intellectual Property Interests and the Non-commercial Users constituencies
were concerned about sufficient disclosure
5. Are the current requirements that registrars make disclosures to, and obtain
consent by, registrants concerning the uses of collected data adequate and appropriate?
(See RAA §§ 3.7.7.4 to 3.7.7.6.
3. Third, related to quality of data
issues
4. Fourth, related to data disclosure
Bruce also mentioned that during a Registrar/ Registry meting in Marina
del Rey, Los Angeles 11/12 September, there was further discussion on WHOIS
Issues, along with some input from the Intellectual Property constituency.
Taking into account the priority
areas identified by the GNSO Constituency and other discussions on WHOIS within
the ICANN community, Bruce drafted for the steering committee three possible
task forces with a narrow focus in the areas of data mining for marketing purposes,
data collection/disclosure, and problems with the provision of false information
by registrants. The Internet Engineering Task Force (IETF) approach was used:
(a) ensure each task force has a narrow focus, (b) reasonably achievable goals,
(c) achievable within a reasonable timeframe.
Bruce opened the discussion
on the following
a. whether it was appropriate to identify 3 narrowly focussed task forces
b. whether the 3 areas of the task
forces were appropriate:
(1) Restricting bulk access to WHOIS data for marketing purposes [issues included]
- 10, 12, 13, 14, 15, and 16
[summary] - bulk access to WHOIS data is available through a combination of
zonefile access, port-43 WHOIS protocol, interactive web pages, and bulk access
agreement. There are currently limited mechanisms to restrict access for marketing
purposes.
[out-of-scope] - changes to bulk access agreement - this was the subject of
a recent policy update - changes to the data collected or the data made available
via anonymous (public) data access (this will be part of a separate task force)
[in-scope] - changes to the methods of access to the present data to prevent
data mining for marketing purposes - ensuring that legitimate access to WHOIS
- e.g. by law enforcement, intellectual property, network operations, consumer
information are maintained by any changes
(2) Review of data collected and data displayed [issues included] - 1, 2, 3,
5, 11, 13
[summary] - domain name holders are concerned about the amount of information
that is made available for full public access and the amount of information
that they must provide [in-scope] - changes to the amount of data that must
be collected - changes to data provided for anonymous public access - changes
to the way registrants are informed about how their data is made public or made
available to other parties [out-of-scope] - mechanisms for access (covered by
task force 1)
(3) Mechanisms for responding to domain name holders that deliberately provide
false information to avoid prosecution (e.g for criminal behavior) or other
civil legal action (e.g for trademark infringement)
[issues included] - 4, 6, 7, 18
[in-scope] - should fully anonymous registration be permitted - what other forms
of data should registrars collect to assist enforcement (e.g. credit card information,
source IP addresses, web traffic logs) - what action should be taken when a
domain name is the subject of legal action and the domain name holder has provided
false information - how to handle wide variations in legal jurisdiction (e.g.
laws regarding website content may vary widely)
[out-of-scope] - data quality relating to domain name holders mistyping some
contact information (usually at least one of the pieces of contact data will
be accurate in such cases), and data quality relating to a domain name holder
changing address, phone number etc after the point of registration (this was
covered by the recent WHOIS policy decision to require an annual reminder message
to be sent to domain name holders) - mechanisms to further validate legitimate
domain name holder data at time of registration (registrars generally already
provide checks to ensure that are able to obtain domain name renewal revenue)
Bruce added that the first
general area, restricting bulk access to WHOIS data for marketing purposes,
was the highest priority and efforts should be focussed there.
The decision to run all three task forces parallel or sequentially would be
left to the GNSO Council taking into account the resources within the GNSO community
to work on the task forces.
Comments followed from:
David Maher endorsed the proposal
of 3 task forces and supported the allocation of subjects.
Steve Metalitz supported the overall approach, but expressed concern
(a) about running 3 task forces at the same time and (b) the identification
of issues that seemed to go beyond the top 5 identified by the constituencies.
He felt that the issues identified in the second set had a narrow basis of support
as priority matters. Expressed concern about human bandwidth, and emphasized
the time and work needed in consultations with constituencies.
Milton Mueller proposed minor changes: while bulk access was the most
popular issue and should be addressed first, data collection was critical and
issue 3 could not be addressed until issues 1 and 2 had been resolved. In addition,
there were critical interrelated elements that should be looked at simultaneously
and a single task force would be difficult to manage.
Wendy Seltzer said it would be helpful to address 1 and 2 in parallel
and cautioned about creating solutions in one area that would cause problems
in another.
Tom Keller expressed the need for extensive public comment on recommendations
Thomas Roessler noted that the first two task forces should be run in
parallel to optimize exchange of information and interim solutions should be
avoided.
Stephanie Perrin mentioned that EPIC would like to participate in both
task force 1 and 2.
Kiyoshi Tsuru proposed
one group dealing with the 5 issues and expressed concern about reaching a resolution
in a reasonable time and the effectiveness and coordination of several groups.
Bruce Tonkin summarized the group's feelings: running all 3 task forces
in parallel was not feasible, but 1 and 2 should be run in parallel as separate
task forces. The outcomes are well defined: task force 1 takes the access approach
and task force 2 looks at the data elements to be displayed. Quite different
people could volunteer to be on the task forces.
The task force addressing the data mining issue could be accomplished in a reasonable
timeframe. However the review of data collected and data displayed is, according
to Paul Twomey, generally important across ICANN, in that the WHOIS policy should
be revisited since the underlying environment of the Internet has changed, thus
task force 2 would need more time.
Maggie Mansourkia expressed concern about the manageability of two task
forces in terms of human resources, timing and preferred a serial approach.
Steve Metalitz felt that issue 5.
" Are the current requirements that registrars make disclosures to, and
obtain consent by, registrants concerning the uses of collected data adequate
and appropriate? (See RAA §§ 3.7.7.4 to 3.7.7.6."
was a priority issue, but agreed that it did not fit with task force 1.. Bruce
Tonkin suggested that this issue be dealt with first in the task force 2. Steve
also noted that the issue may be one of contractual compliance with the existing
provision to inform registrants.
Milton Mueller emphasized that the broader picture from the point of
view of the WHOIS process, why people want to data mine, should be looked at,
so as avoid seeing data collection from a
restricted constituency point of view.
Grant Forsyth, Marilyn Cade and
Kiyoshi Tsuru emphasized
the resource issue and supported working on one task force at a time.
In addition it was argued that Non-English
speakers could better manage participation in one task force at a time.
Bruce Tonkin proposed:
Moving forward with the following
approach:
1. Focus on the terms
of reference for task force 1 & 2
2. Allow the GNSO Council to decide, based on the resources each constituency
puts forward, whether task force 1 & 2 would run simultaneously or sequentially.
Motion carried unanimously by
all present.
Bruce Tonkin called for discussion on the proposed terms of reference
for task force 1
Title: Restricting bulk access to WHOIS data for marketing purposes
Description of Task Force:
In the recent policy
recommendations relating to WHOIS: it was decided that the use of bulk access
WHOIS data for marketing should not be permitted. Bulk access need not be the
entire database (millions of records) of contact information but could also
be considered to be hundreds of WHOIS data records. The current registry and
registrar contracts provide for third parties to obtain access to bulk WHOIS
information via an agreement that limits the use of the information for marketing
purposes (the number of these agreements in existence is probably less than
10 for each large registrar). However most collections of bulk WHOIS data are
currently obtained by a combination of using free zonefile access (via signing
a registry zonefile access agreement - the number of these in existence approaches
1000 per major registry) to obtain a list of domains, and then using anonymous
(public) access to either port-43 or interactive web pages to retrieve large
(great than 100 records) volumes of contact information. Once the information
is initially obtained it can be kept up-to-date by detecting changes in the
zonefile, and only retrieving information related to the changed records. This
process is often described as "data mining". The net effect is that bulk access
to WHOIS data is easily available for marketing purposes, and is generally anonymous
(the holders of this information are unknown).
The purpose of this task force is to determine what contractual changes
(if any) are required to allow registrars to protect domain name holder data
from data mining for the purposes of marketing.
In-scope ======== The purpose of this section to clarify the issues should
be considered in proposing any policy changes.
The task force must ensure that groups such as law enforcement, intellectual
property, internet service providers, and consumers can continue to retrieve
information necessary to perform their functions. In some cases this may require
the provision of searching facilities (e.g that can return more than one record
in response to a query) as well as look-up facilities (that only provide one
record in response to a query).
The task force must ensure that any access restrictions do not restrict the
competitive provision of services using WHOIS information (for example ensure
that intellectual property protection can be provided competitively), nor restrict
the transfer of domain name records between registrars.
Out-of-scope ============ To ensure that the task force remains narrowly
focussed to ensure that its goal is reasonably achievable and within a reasonable
time frame, it is necessary to be clear on what is not in scope for the task
force.
The task force should not aim to specify a technical solution. This is the role
of registries and registrars in a competitive market, and the role of technical
standardization bodies such as the IETF. Note the IETF presently has a working
group called CRISP to develop an improved protocol that should be capable of
implementing the policy outcomes of this task force.
The task force should not review the current bulk access agreement provisions.
These were the subject of a recent update in policy in March 2003.
The task force should not study the amount of data available for public (anonymous)
access for single queries. Any changes to the data collected or made available
will be the subject of a separate policy development process.
Tasks/Milestones ================
- collect requirements from non-marketing users of contact information (this
could be extracted from the Montreal workshop and also by GNSO constituencies,
and should also include accessibility requirements (e.g based on W3C standards)
[milestone 1 date]
- review general approaches to prevent automated electronic data mining and
ensure that the requirements for access are met (including accessibility requirements
for those that may for example be visually impaired) [milestone 2 date]
- determine whether any changes are required in the contracts to allow the approaches
to be used above (for example the contracts require the use of the port-43 WHOIS
protocol and this may not support approaches to prevent data mining) [milestone
3 date]
Each milestone should be subject to development internally by the task force,
along with a public comment process to ensure that as much input as possible
is taken into account.
Steve Metalitz agreed with
the procedure but commented that the description of bulk was very confusing.
He noted that there is no definition of "bulk" other than the existence of the
bulk access agreement. The task force would also need to define what is meant
by data mining, and have an understanding of the technical issues associated
with data mining.
Bruce Tonkin clarified that the intent was to indicate that it was not
just the entire WHOIS database that caused problems with unsolicited marketing,
but the data mining of significant portions (it was then debatable whether significant
was 100 records, 1000 records, 10000 records etc).
Milton Mueller suggested that question 13, differentiated access should
be mentioned.
Marilyn Cade expressed her thanks for the work done by Bruce and
suggested differentiating between:
1. providing bulk access to create value added services
2. bulk access to third parties for spams when the user does not understand
what is happening.
"Legitimate" should be defined.
Kiyoshi Tsuru proposed
adding accuracy, to which Bruce Tonkin commented that he disagreed with
adding accuracy to the first task force, but agreed that accuracy is an important
issue as it was the intent of the 3rd task force to look at the distinction
between malicious inaccurate data and inadvertent inaccurate data.
Thomas Roessler suggested examining the requirements/mechanisms for who
gets privileged access to data and who does not.
Tom Keller suggested clarifying "in scope" what legitimate
use is and who has access.
Plan of action forward
Bruce Tonkin proposed:
One week deadline:
- that each constituency discuss the terms of reference, comment by email to
the list
Two week deadline:
- meet (teleconference) to
discuss the terms of reference.
Bruce
Tonkin thanked everyone for their presence and participation and ended the call
at 8:15 am Friday 19 September, Melbourne time, 23:15 UTC.
|
