1 Introduction & Background to Whois

1 Introduction & background

     1.2 Summary of Task Force voting

2 Formulations of the definition of the purpose of Whois

     Formulation 1

     Formulation 2

3 Public comment report

     3.1 Introduction

     3.2 Staff summary of selected comments - Formulation 1

     3.3 Staff summary of selected comments - Formulation 2

4 Constituency statements

     4 (a) Commercial and Business Users Constituency

         1. Purpose of Whois

         2. Purpose of Whois contacts

     4 (b) Noncommercial Users Constituency

         1. Purpose of Whois

         2. Purpose of Whois contacts

     4 (c) Intellectual Property Constituency

         1. Purpose of Whois

         2. Purpose of Whois contacts

     4 (d) Registrar Constituency

         1. Purpose of Whois

         2. Purpose of Whois Contacts

     4 (e) Registry Constituency

         1. Purpose of Whois

         2. Purpose of Whois Contacts

     4 (f) Internet Service Providers and Connectivity Providers Constituency

         1. Purpose of Whois

         2. Purpose of Whois contacts

5 GNSO Public Forum discussion

Annex A — WHOIS Task Force Terms of Reference

Annex B — ICANN's core values

This document is the Preliminary Task Force Report on the Purpose of Whois and of the Whois Contacts. It has been produced by the Whois Task Force of the GNSO, and comprises the task force's work on tasks 1 and 2 of its terms of reference. On 2^nd June, 2005, the GNSO Council agreed terms of reference (http://gnso.ic ann.org/policies/terms-of-reference.html ) for the Whois Task force. These terms of reference required the Whois Task Force to complete the following tasks regarding the purpose of Whois:

(1) Define the purpose of the WHOIS service in the context of ICANN's mission and relevant core values, international and national laws protecting privacy of natural persons, international and national laws that relate specifically to the WHOIS service, and the changing nature of Registered Name Holders.

(2) Define the purpose of the Registered Name Holder, technical, and administrative contacts, in the context of the purpose of WHOIS, and the purpose for which the data was collected. Use the relevant definitions from Exhibit C of the Transfers Task force report (http://www.icann.org/gnso/transfers-tf/report-exhc-12feb03.htm) as a starting point:

"Contact: Contacts are individuals or entities associated with domain name records. Typically, third parties with specific inquiries or concerns will use contact records to determine who should act upon specific issues related to a domain name record. There are typically three of these contact types associated with a domain name record, the

Administrative contact, the Billing contact and the Technical contact.

Contact, Administrative: The administrative contact is an individual, role or organization authorized to interact with the Registry or Registrar on behalf of the Domain Holder. The administrative contact should be able to answer non-technical questions about the domain name's registration and the Domain Holder. In all cases, the Administrative Contact is viewed as the authoritative point of contact for the domain name, second only to the Domain Holder.

Contact, Billing: The billing contact is the individual, role or organization designated to receive the invoice for domain name registration and re-registration fees.

Contact, Technical: The technical contact is the individual, role or organization that is responsible for the technical operations of the delegated zone. This contact likely maintains the domain name server(s) for the domain. The technical contact should be able to answer technical questions about the domain name, the delegated zone and work with technically oriented people in other zones to solve technical problems that affect the domain name and/or zone.

Domain Holder: The individual or organization that registers a specific domain name. This individual or organization holds the right to use that specific domain name for a specified period of time, provided certain conditions are met and the registration fees are paid. This person or organization is the "legal entity" bound by the terms of the relevant service agreement with the Registry operator for the TLD in question."

The Whois Task Force has worked steadily since June 2005, and has now produced two working formulations of the purpose of Whois. These formulations were presented by the task force chair, Jordyn Buchanan, at the GNSO Public Forum during the ICANN Vancouver meeting in December 2005. (An excerpt of the public forum summary is reproduced in section 4 of this document, below.) Jordyn Buchanan invited public comments on the two draft formulations of the purpose of Whois in section 2, below.

The constituency statements included in this report present the constituencies' positions on the broad issues of the purpose of Whois and the Whois contacts and do not include specific comments on the formulations 1 and 2. They provide important background information that supplements the two formulations. The formulations were developed by considering the positions advocated by each of the constituency statements and creating text that seems to be generally consistent with several of those statements.

Public comments were invited particularly on the two formulations of the purpose of Whois in section 2. Commenters were encouraged to explain the use cases of the formulations where appropriate, e.g. by giving practical examples and explaining how the differences between the two definitions may affect those practical examples

1.2 Summary of Task Force voting

A task force vote on this report and the two formulations of the purpose of Whois closed on 16 March, 2006. The results are summarised in the tables below.

Vote to approve the Final Task Force Report:

Vote on formulations 1 and 2:

Jordyn Buchanan (Task Force Chair) abstained. Wendy Seltzer (At Large Advisory Committee Liaison) did not have a vote, but indicated that her preference would be to accept the report and to support Formulation 1.

Task 1 of the task force terms of reference requires the Whois Task Force to define the purpose of Whois. Defining the purpose is important as it will guide work on the other work items in the terms of reference. The purpose of Whois — when defined — will have a significant impact in determining the operation of Whois.

The Whois Task Force worked on developing definitions of the purpose of Whois from July to November, 2005. Beginning from a list of the current uses of Whois, the task force paid particular attention to the uses and purpose of Whois in relation to solving problems. The task force discussed the difference between use and purpose, analysed the technical and legal uses and purposes of Whois, and whether its purpose relates to the domain name registration only or more broadly to how the domain name is used.

The task force has not been able to reach a consensus definition on the purpose of Whois. Instead, the task force has produced two formulations of the definition of the purpose of Whois. Public comments on the formulations, along with specific examples and illustrations of support or opposition, are invited to help reach a decision on the definition of the purpose of Whois.

Formulation 1

"The purpose of the gTLD Whois service is to provide information sufficient to contact a responsible party for a particular gTLD domain name who can resolve, or reliably pass on data to a party who can resolve, issues related to the configuration of the records associated with the domain name within a DNS nameserver."

Formulation 1 is supported by the representatives of the following constituencies:

• Registrar Constituency

• Registry Constituency

• NonCommercial Users Constituency.

These representatives support Formulation 1 because they believe it is consistent with the narrow technical mission of ICANN, ICANN's Core Values¹ (particularly 1-3) and national data protection laws worldwide.

The core values cited in support of Formulation #1 are:

1. Preserving and enhancing the operational stability, reliability, security, and global interoperability of the Internet.

2. Respecting the creativity, innovation, and flow of information made possible by the Internet by limiting ICANN's activities to those matters within ICANN's mission requiring or significantly benefiting from global coordination.

3. To the extent feasible and appropriate, delegating coordination functions to or recognizing the policy role of other responsible entities that reflect the interests of affected parties.

Formulation 2

"The purpose of the gTLD Whois service is to provide information sufficient to contact a responsible party or parties for a particular gTLD domain name who can resolve, or reliably pass on data to a party who can resolve, technical, legal or other issues related to the registration or use of a domain name."

Formulation 2 is supported by representatives of the following constituencies:

• Intellectual Property Constituency

• Internet Service Providers and Connectivity Providers Constituency

• Commercial and Business Users Constituency

These representatives support Formulation 2 because they believe it is most consistent with the history of Whois and follows its growth and expansion as a means of communication - in both number of users and importance - of the Internet. They also believe that Formulation 2 is most consistent with the actual uses of Whois to help resolve issues broadly related to how the domain name is used, and that it is consistent with ICANN's Mission and Core Values

Common ground and differences between formulations 1 and 2

These two formulations are similar in a number of respects. Both formulations indicate that the purpose of the Whois service is to display contact information for domain names, and that the contact information displayed by the services should be capable of resolving issues relating to the domain name, or of passing on information to someone who can. The principal differences between the two formulations is that Formulation 2 describes a broader range of issues that the service is intended to address.

The text of the two formulations is compared in the following version, which uses square brackets to show the differences between Formulation 1 and Formulation 2:

The purpose of the gTLD Whois service is to provide information sufficient to contact [a] or [the] responsible [party] or [parties] for a particular gTLD domain name who can resolve, or reliably pass on data to a party who can resolve [issues related to the configuration of the records associated with the domain name within a DNS nameserver] or [technical, legal or other issues related to the registration or use of a domain name]."

3.1   Introduction

The public comment period on the "Preliminary Task Force Report on the Purpose of Whois and of the Whois Contacts" (http://gnso.icann.org/issues/whois-privacy/prelim-tf-rpt-18jan06.htm) ran from 19 January 2006 to 8 February 2006.  42 separate comments were received from 40 respondents, with some submitting duplicate or multiple comments. The comments are archived at: http://forum .icann.org/lists/whois-comments/index.html .

The comments show a division in the community, with 9 respondents expressing support for Formulation 1 and 33 respondents supporting Formulation 2.  A number of the comments supporting Formulation 2 featured similar argumentation and structure which may be the result of one or more constituencies encouraging participation and responses during the public comment period. As ICANN seeks to improve the representation of different interests and groups in its policy processes, input from diverse and previously silent groups is welcome.  The fact alone of a concerted effort to provide input should not itself undermine the credibility or usefulness of the responses received.  However, for the purposes of fairly analysing the public comments received, it is not clear in this case that the quantity of comments received reflects the diversity of opinion.

On the whole, those in favour of Formulation 1 referred to ICANN's limited technical mission as stated in ICANN's core values.  Those favouring Formulation 2 stated that the narrowing of the Whois purpose would limit their current uses of the data in ways harmful to their business or to society as a whole. To avoid repetition of points made elsewhere in this Task Force Report, the summaries in sections 5.2 and 5.3 focus on new information or argumentation regarding the purpose of Whois. A list of all respondents, ordered by the formulation they support, is provided as section 3.4.

3.2 Staff summary of selected comments - Formulation 1

EPIC (the Electronic Privacy Information Center, USA) asked if ICANN had given sufficient consideration to the threat of identity theft.  EPIC noted that the US Federal Trade Commission had received 250,000 complaints of identity theft in 2004 and thatthe problem is estimated to cost the US $53 billion USD per year. EPIC said that countries that limit the publication of personal data "have simply not experienced the same level of criminal conduct as (have) those countries that make this information widely available". (http://f orum.icann.org/lists/whois-comments/msg00042.html)

Milton Mueller noted that "not a single individual registrant or consumer group has spoken in favour of Formulation 2".

Michael Geist noted that Canadian privacy legislation "prohibits the mandatory disclosure of personal information not strictly necessary to provide the service".  Whois has the potential to create "a chilling effect on Internet speech by mandating the disclosure of personal information in connection with criticism or whistleblower sites". Formulation 2 extends the purpose of Whois to legal issues involving a domain name and could be used to suppress free speech.

Danny Younger argued that corporate executives should not be allowed to hide behind corporate registrations, but should be made subject to the publication of their personal data so that they could be exposed to "the probability of identity theft, stalking and netizen rage".

A commenter who sent his comments via Andy Oram (as he did not wish to be identified) said that Whois impacts on bloggers who "live where they work, at home. Providing that kind of contact information publicly is a way of setting them up for identity theft, stalking, stupid lawsuits, and the fear of never knowing when some net kook is going to show up on one's doorstep." For bloggers, "anonymity doesn't reflect a desire to be serious. It really is a question of safety."

Mikki Barry (Domain Name Rights Coalition) also noted the effect of Whois on bloggers, and also on political dissidents.  Mikki Barry said she had "personally received postal mail threats and (have) been stalked" using information in the Whois.

The American Library Association noted its own history as standing for "the privacy rights of information seekers and providers, including the right of anonymous speech".  The association said ICANN has "an obligation to minimize the impacts of its technical decisions on broader social policy issues".

Karl Auerbach characterised Formulation 2 as "little more than an overt raid by select commercial interests to bypass established and proper legal means of obtaining information".  He noted that "women have been stalked based on DNS whois data".  He described an attorney for a large media conglomerate who "uses whois data to send automated cease-and-desist letters to anyone who registers a domain name that has any semblance to hiscompany's marks", saying this is "an abuse of process".  The same lawyer also said that his company uses an intermediary to prevent the company's name appearing in the whois database.

3.3   Staff summary of selected comments - Formulation 2

Those in favour of Formulation 2 generally said Formulation 1 was too narrow and would hinder their efforts to protect trademarks, investigate copyright piracy, cyber-squatting, online fraud, phishing and cybercrime in general.

Microsoft said Formulation 1 would raise the barriers to identifying criminals, and that Formulation 2 "will maintain the delicate balance that has already been struck between accountability and privacy interests".

The Mexican Association for the Protection of Intellectual Property said its members and the Mexican Government rely on accurate Whois data for surveillance and enforcement of IP rights, and for fighting cybercrime. It noted that "consumer fraud is one of the most serious problems in cyberspace in Mexico" and also noted that "Identity theft has transformed into one in the main ways of defrauding the users of financial services in the net, severly affecting the patrimony of many people". "Quick pursuit" is the basis for the Whois system.

eBay said it relies on "speedy, convenient access to the Whois data ... for a wide range of purposes." These purposes included the specific need to ensure that PayPal services comply with obligations, as well as the uses generally referred to by other organisations. The most recent report of the "Anti-Phishing Working Group counted 16,822 unique reports of phishing emails in November 2005 alone". eBay and PayPal are major targets for phishing attacks, and they use Whois hundreds of times a day. Speed is essential to stop fraudulent sites stealing money.  eBay said that PayPal would not be able to meet its own regulatory requirements without Whois as it currently operates.

The Transamerica Corporation's detailed response gave numerous examples of fictitious registrations using its trademarks, and described how these are used to defraud individuals. It described the existing system of domain name registration as "scandalous", and the UDRP as "inadequate", particularly as the UDRP "requires the complainant to waive all remedies against the entity who is, with increasing frequency, the culpable party — namely, the domain name registrar."

Disney, addressing arguments in favour of Formulation 1, said "Reliability and security as a purely technical matter is of little use where a lack of online accountability and reliability drives people away from the Internet as a mode of communications, commercial transactions, or other forms of interaction."

The International Trademark Association said that the historical purpose of Whois includes the resolution of legal disputes, not just technical issues. It said that because Whois asks for consent, it is compliant with data protection laws such as those of Canada or the EU. The INTA compared the Whois to the European Community trademark database and the US Patent and Trademark Office as these organisations disclose or "return" information on applicants and trademark owners. The INTA said that specific US laws depend on information available in the Whois. It also asserted that limiting Whois would impede service of process.

The Motion Picture Association (US) said historical evidence suggests Whois has served a wider purpose than a strictly technical one, and referred to RFCs 812, 954,1834 and 2167.

The American Red Cross gave a number of specific examples of fraudulent websites set up in the aftermath of Hurricane Katrina (a disaster that occurred in the US in August, 2005). These websites invoked or mimicked the American Red Cross to fraudulently solicit donations to those affected by the disaster. The American Red Cross used Whois to quickly shut down unauthorised and fraudulent websites — speed was clearly of the utmost importance in preventing donations flowing to fraudulent entities. In the long run, "reduced public confidence in the integrity of online donation sites could reduce the ability of the American Red Cross, and similar organisations, to use the Internet to raise funds quickly and efficiently help disaster victims and respond to emergencies."

5.4 List of respondents

Comments in favour of Formulation 1

EPIC - Electonic Privacy Information Center

Milton Mueller, NCUC

Michael Geist, Univ. of Ottawa, CIRA Board of Directors, PIR Global Advisory Council

Danny Younger

Andy Oram

Anonymous Blogger (forwarded by Andy Oram)

American Library Association Karl Auerbach

Karl Auerbach

Domain Name Rights Coalition

Comments in favour of Formulation 2

Sony Pictures

Microsoft

MarkMonitor (endorsed by 19 other companies, including Bloomberg LP, Canadian Broadcasting Corporation, Corbis Corp., and Dell Inc. (US, UK and Canada)

SIIA - Software and Information Industry Association (US)

AMMPI - Mexican Association for the Protection of IP / AIPPI - Mexican Group of the International Association for the Protection of IP

eBay

Time Warner

Transamerica Corporation

Internet Commerce Coalition (US)

The Walt Disney Corp.

BPI - British Phonographic Industries Ltd.

General Growth Properties Inc. (US)

INTA - International Trademark Association

News Corporation

Warner Bros.

Clifford Chance

Stichting Brein (anti-piracy organisation, Netherlands)

ASCAP - American Society of Composers, Authors and Publishers

IFPI Denmark / Danish Video Association

Walgreens Inc.

Raquel Alcantara, organisation unknown, 'copyright industry'

Motion Picture Association (US)

IFPI Belgium

Anti-Piracy Association of Serbia and Montenegro

Society Civile des Producteurs Phonographiques (France)

IFPI Sweden

VAP - Austrian anti-piracy association

Copyright Information and Anti-Piracy Centre, Finland

American Intellectual Property Law Association

Mars UK Ltd.

American Red Cross

4 (a) Commercial and Business Users Constituency

Background

Constituencies have been invited to provide input on the Whois Task Force Terms of Reference Items 1 (Purpose) and 2 (Purpose of WHOIS contacts). This statement has been prepared in accordance with the GNSO policy development process criteria for "Constituency Statements". (see annex).

Related Documents:

Reference, http://forum .icann.org/lists/gnso-dow123/msg00416.html.

1. Purpose of Whois

a key medium for commerce and a rich source of information and resources for users.  The purpose of the Whois database as the primary resource of contact information must therefore reflect this evolution.

requisite to the registration of a domain name, the inclusion of the administrative, technical and contact details into a publicly accessible Whois database.  The RAA also mandates that registrants receive notification of the public accessibility of this information.

display of data.

anonymous registration be desired. In any case, the correct data should be collected, and maintained by the agent, for provision upon legitimate request.

With the above in mind, the BC proposes the following purpose of the Whois database:

A database of contact information sufficient to contact the registrant or their agent(s) to enable the prompt resolution of technical, legal and other matters relating to the registrant's registration and use of its domain name.

Effect on the Constituency, including financial impact

Analysis of the period of time that would likely be necessary to implement the policy.

• Little time would be needed for implementation, since this is essentially the status quo.

2. Purpose of Whois contacts

The BC believes there is a need to clarify the information that should be provided in the three categories defined in the Transfers Policy and to use consistency of terminology.

Terminology

The Transfers policy uses the term "domain holder" in place of "Registered Name Holder". The BC recommends that these two terms are treated as interchangeable with each other.

a. Registered Name Holder

The Registered Name Holder is the registrant and thus responsible for the domain name registration generally, including for canceling or transferring a name. This individual's or the organisation's name and contact should be provided in this category.

b. Technical Contact

The technical contact is responsible for responding to inquiries related to the technical functioning of the web site and to deal with any technical problems. An individual competent to respond to those kinds of inquiries should be provided in this category.

(If a registrant chooses to use their ISP or other third party as the technical contact, that changes in no way the need for accurate data for the Registered Name Holder).

3. Administrative Contact

The Administrative Contact may be responsible for dealing with the content on the web site and is responsible to the registered name holder, unless they are the same person. The BC supports the definition in the Transfers policy:

The Administrative Contact is: "an individual, role, or organization authorized to interact with the Registry or Registrar on behalf of the Domain Holder. The administrative contact should be able to answer non-technical questions about the domain name's registration and the Domain Holder. In all cases, the Administrative Contact is viewed as the authoritative point of contact for the domain name, second only to the Domain Holder."

Note: the holder, technical and administrative contacts may be one and the same.

Effect on the Constituency, including financial impact

• This policy will have a positive impact on the BC and more broadly for all Internet users who need to check Whois data for policing domain names, deal with network problems and phishing attacks; check out a web site to see with whom they are doing business, or where their children are finding information, etc. by enhancing the accuracy and usability of the Whois database.

• There should be no financial impact on the constituency as a result of this policy. It is possible that there may be minimal costs to the Registrars if they are not fully complying with the present RAA. Any costs would be related to the provision, in automated form, of descriptive information of what is recommended to fill each separate category.

Analysis of the period of time that would likely be necessary to implement the policy.

• An implementation working group, to include representation from the user constituencies, but largely to include Registrars, should be established. The implementation time frame should be short.

3. Outreach process

GNSO policy development process section 7.d.:

1. Constituency Statements. The Representatives will each be responsible for soliciting the position of their constituencies, at a minimum, and other comments as each Representative deems appropriate, regarding the issue under consideration. This position and other comments, as applicable, should be submitted in a formal statement to the task force chair (each, a "Constituency Statement") within thirty-five (35) calendar days after initiation of the PDP. Every Constituency Statement shall include at least the following:

(i) If a Supermajority Vote was reached, a clear statement of the constituency's position on the issue;

(ii) If a Supermajority Vote was not reached, a clear statement of all positions espoused by constituency members;

(iii) A clear statement of how the constituency arrived at its position(s). Specifically, the statement should detail specific constituency meetings, teleconferences, or other means of deliberating an issue, and a list of all members who participated or otherwise submitted their views;

(iv) An analysis of how the issue would affect the constituency, including any financial impact on the constituency; and

(v) An analysis of the period of time that would likely be necessary to implement the policy.

With respect to (i) (ii) (iii) the BC approval process allows for a 14 day comment period for a position to be adopted combined where appropriate with meetings and member calls.

Statement on Purpose

• The BC members were notified of the new terms of reference for the combined Task

Force on 19 May 2005

• The TF reps prepared a draft purpose statement and posted it to the Constituency on 19

July 2005.

• The statement and the issues were discussed at the Luxembourg meeting 11 July 2005.

• A conference call was held on 26 July 2005

• The draft statement on Purpose was posted to the BC list on 2 August 2005 and adopted

after a 14 day period.

Statement on Purpose of Contacts

• The BC members were notified of new terms of reference for the combined Task Force

on 19 May 2005

• The forthcoming draft statement on Purpose of Contacts was discussed at the

Luxembourg meeting 11 July 2005.

• BC members were asked to participate in a Contacts survey on 22 July 2005

• A conference call was held on 26 July 2005.

• The draft statement on Purpose of Contacts was posted to the BC list on 2 August 2005

and adopted after a 14 day period.

4 (b) Noncommercial Users Constituency

1. Purpose of Whois

Task 1 asks us to "Define the purpose of the WHOIS service in the context of ICANN's mission and relevant core values, international and national laws protecting privacy of natural persons, international and national laws that relate specifically to the WHOIS service, and the changing nature of Registered Name Holders."

The importance of defining "purpose":

Regarding international and national privacy laws, NCUC notes that it is well-established in data protection law that the purpose of data and data collection processes must be well-defined before policies regarding data collection, use and access can be established. The need for an explicit, well-defined purpose is meant to protect data subjects from abuse by either the data collectors or third parties using the data. A definition of purpose is intended to impose strict constraints on the collection and use of contact data. A specified purpose determines what data elements should be collected, and therefore actively prevents collection of any data that is not clearly necessary for that purpose.

Furthermore, a defined purpose helps to ensure that data is used only for the specified purposes, preventing uses that are different from or incompatible with the purpose giving rise to their collection. Finally, sound data protection principles hold that data subjects must be informed of the purpose for which the Data is intended and whether and under what conditions the Data is likely to be passed to a third party.

WHOIS and ICANN's mission and core values

Regarding ICANN's mission and relevant core values, we note that ICANN's mission is primarily technical: "to coordinate, at the overall level, the global Internet's systems of unique identifiers, and in particular to ensure the stable and secure operation of the Internet's unique identifier systems." In enumerating ICANN's core values, we find that the first three are most relevant to a discussion of WHOIS and its purpose:

1. Preserving and enhancing the operational stability, reliability, security, and global interoperability of the Internet.

2. Respecting the creativity, innovation, and flow of information made possible by the Internet by limiting ICANN's activities to those matters within ICANN's mission requiring or significantly benefiting from global coordination.

3. To the extent feasible and appropriate, delegating coordination functions to or recognizing the policy role of other responsible entities that reflect the interests of affected parties

The original purpose of the WHOIS protocol, when the Internet was an experimental network, was the identification of and provision of contact information for domain administrators for purposes of solving technical problems. This original purpose is consistent with the plain language of ICANN's current mission and is further supported by core value #1, which addresses exclusively technical values such as stability, reliability, security and interoperability.

Vinton G. Cerf, speaking at the "Freedom 2.0" conference held in Washington DC in May 2004 confirmed directly that the original purpose of WHOIS was indeed purely technical.**

Further, Core Value #3 expressly recognizes the "policy role" of "other responsible entities." Nowhere is this policy role clearer than in the steps governments have taken to protect the personal data of their citizens. It is incumbent on ICANN to limit its role in the collection, use and especially disclosure of data to only that needed for technical and operational tasks. The rest is rightly governed by sovereign law.

We further note that Core Values #2 and #3 **(respecting creativity and recognizing the policy role of other responsible entities, respectively), in spirit and language mandate that ICANN must limit its activities to a minimal set of areas requiring global technical coordination. Thus, although WHOIS data may be useful for a broad variety of purposes, uses and users, ICANN's core values require that it not embrace those purposes and activities just because it can, or because interested parties find it convenient. ICANN must limit its activities to matters within its mission and recognize and defer to the policy role of other responsible entities.

Proposed definition of purpose

NCUC proposes the following definition of purpose for the WHOIS service:

The purpose of the WHOIS is to provide to third parties an accurate and authoritative link between a domain name and a responsible party who can either act to resolve, or reliably pass information to those who can resolve, technical problems associated with or caused by the domain.

By "technical problems" we mean problems affecting the operational stability, reliability, security, and global interoperability of the Internet.

Excluded or invalid purposes

It is important to also identify purposes that are inconsistent with ICANN's stated mission and core values.

First, WHOIS is not designed to be a global data mining operation with completely unlimited access to all registrant data by any Internet user for any purpose, including marketing.

Second, the purpose of WHOIS data is not to facilitate legal or other kinds of retribution by those interested in pursuing companies and individuals who criticize and compete against them. Companies with allegations against domain name registrants can seek subpoenas of specific subscriber records through Internet service providers, or learn about a domain name registrant's identity information through requested subpoenas of registrar records.

Third, the purpose of WHOIS is not to expand the surveillance powers given to law enforcement under law, or to bypass the protections and limitations imposed by sovereign governments to prevent the abuse and misuse of personal data, even by law enforcement. Law enforcement agencies can subpoena specific subscriber records through Internet service providers, or learn about a domain name registrant's identity information through subpoenas of registrar records. It is not for ICANN to preempt or undervalue the due process protections set up by national government who must balance not only legitimate law enforcement needs, but also officers operating "ultra vires" and outside of their authority and law enforcement officers operating for other countries which do not share the same laws and values of the registrant's country.

Conclusion of NCUC statement on purpose of WHOIS

Overall, the published WHOIS data should serve only the original purpose of the database and the powers of ICANN - technical. Additional access to information about the domain name registrant, including the names and address of those using their domain names to post valuable and controversial political and social messages and critiques, should be handled pursuant to the well thought out national laws that exist in every other area of telecommunications (e.g., telephone, cable, and Internet Service Provider data).

2. Purpose of Whois contacts

Task 2 asks us to "(2) Define the purpose of the Registered Name Holder, technical, and administrative contacts, in the context of the purpose of WHOIS, and the purpose for which the data was collected. Use the relevant definitions from Exhibit C of the Transfers Task Force Report as a starting point (http://www.icann.org/gnso/transfers-tf/report-exhc-12feb03.htm).



The NCUC believes that once we have selected a purpose for our database, data protection laws require us to closely examine whether the information we collect meets the goals we have set out — and make adjustments accordingly. These comments discuss the Contact data currently collected for WHOIS and the personal nature of much of it.  They raise the question whether this data should be collected at all for WHOIS purposes.



I. Data protection laws require limited collection of personal data

In its 2003 Opinion, the Article 29 Data Protection Working Party of European Union Data Protection Commissions urged ICANN to closely examine the personal data it collects for WHOIS.  The Commissioners warned: 



"Article 6c of the Directive imposes clear limitations concerning the collection and processing of personal data meaning that data should be relevant and not excessive for the specific purpose.  In that light it is essential to limit the amount of personal data to be collected and processed." 



Opinion 2/2003 on the application of the data protection principles to the Whois directories

http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2003/wp7… (emphasis added). 



The Data Protection Commissioners' concern over collection of WHOIS data is grounded in the clear language of the EU Data Protection Directive and its Article 6  "Principles Relating to Data Quality" which clearly sets limits on the collection of personal data: 



"Member States shall provide that personal data must be:

(a) processed fairly and lawfully;

(b) collected for specified, explicit and legitimate purposes and not further  processed in a way incompatible with those purposes. ***

(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;"



Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, http://europa.eu.int/comm/justice_home/fsj/privacy/law/index_en.htm.



The Canadian Personal Information Protection and Electronics Document Act also sets limits on the collection of personal data:  



"The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances." 



http://laws.justice.gc.ca/en/P-8.6/93196.html#rid-93228 [emphasis added].



Similarly, Australia's Privacy Principles mandate:

"1.1 An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities."



National Privacy Principles (Extracted from the Privacy Amendment (Private Sector) Act 2000), http://www.privacy.gov.au/publications/npps01.html.



Based on these legal requirements, the NCUC submits that the WHOIS Task Force must review the contact data currently collected, evaluate whether it is personal, and determine whether it should continue to be collected in keeping with the purpose of the WHOIS Database.  Over-collection of personal data does not serve ICANN's mission nor does it help registrars comply with the many existing laws that protect registrant privacy worldwide. 



II. The Purpose of the WHOIS Database

In our Task 1 comments, NCUC submitted a clear definition of the purpose of the WHOIS database:



"The purpose of the WHOIS is to provide to third parties an accurate and authoritative link between a domain name and a responsible party who can either act to resolve, or reliably pass information to those who can resolve, technical problems associated with or caused by the domain." 

(Statement of the NCUC on WHOIS Purpose, above)



As discussed in our comments, this technical purpose is consistent with the original purpose of the WHOIS, as set out by Vint Cerf and others, and within the limited scope of ICANN's mission. 



III.  Contact Data:  Definition?  Personal?  Fits Purpose of WHOIS?

The GNSO Council asked us to examine the definitions and purpose of the Technical Contact, Administrative Contact and Registered Name Holder.  We do so in light of the legal considerations set out above.



A. Technical Contact

The Transfer Task Force defined technical contact as:

"the individual, role or organization that is responsible for the technical operations of the delegated zone. This contact likely maintains the domain name server(s) for the domain. The technical contact should be able to answer technical questions about the domain name, the delegated zone and work with technically oriented people in other zones to solve technical problems that affect the domain name and/or zone."



The next step requires us to assess whether Technical Contact data is personal and needs to be treated with special care.  In our review with our Constituency, we found that occasionally Technical Contact Data is the personal data of an individual.  Increasingly, however, registrants entrust a technical party to manage their domain name and expertly handle any technical problems that arise — often an ISP, online service provider, Registrar or web host provider.   Thus, for individuals and small organizations, we found that the technical contact field does not raise strong concerns regarding personal data. 



Further, in assessing whether collection of Technical Contact data fits within the purpose of ICANN and the WHOIS database, we found that it does.  The Technical Contact is the person designated to respond to exactly the set of technical problems and issues at the heart of the WHOIS purpose.  Accordingly, NCUC submits that Technical Contact data should be collected and maintained for the WHOIS database.



B. Administrative Contact

The Transfer Task Force defined administrative contact as:

"an individual, role or organization authorized to interact with the Registry or Registrar on behalf of the Domain Holder. The administrative contact should be able to answer non-technical questions about the domain name's registration and the Domain Holder."

     

The next step requires us to assess whether Administrative Contact data is personal and needs to be treated with special care.  In our review, we found that the Administrative Contact data OFTEN includes personal data, especially for individuals and small organization leaders who must list their own names, home addresses, personal (and often unlisted) phone numbers and private email addresses for the Administrative Contact field. 



This type of personal data is exactly what the privacy laws of many regions and countries set out to protect.  Its collection invokes major privacy concerns for individuals and small organizations -- and draws the formal protection of data protection laws in many countries in which registrants live and registrars operate. 



Further, in assessing whether collection of Administrative Contact data fits within the purpose of ICANN and the WHOIS database, we found that it does not.  By the Transfer TF definition, the Admin is responsible for "non-technical questions" which range as far as the imagination and generally are completely outside the scope of ICANN:  Is the domain name for sale?  Is the woman described on a website available for a date?  Can a stranger meet the child shown in a family picture?  There are very good reasons for the privacy protections and other national and local protections to operate for the Administrative Contact.



Finally, since the purpose of the WHOIS database is technical and the Administrative Contact is expressly non-technical, NCUC submits that this contact data should no longer be collected for the WHOIS database. 



C. Registered Name Holder or "Domain Holder"

The Transfer Task Force defined domain holder as:

"The individual or organization that registers a specific domain name. This individual or organization holds the right to use that specific domain name for a specified period of time, provided certain conditions are met and the registration fees are paid. This person or organization is the 'legal entity' bound by the terms of the relevant service agreement with the Registry operator for the TLD in question."



Following this definition, we must evaluate whether the registrant data is personal and should be treated with special care.  Of all the contact data, we find the Domain Holder to be the most personal.  This is the woman, the family head, the Cub Scout leader, and other individuals and leaders of small organizations who must list their personal names, home addresses, private phone numbers and personal email addresses.  Once published, this personal data is used for all the abuse and misuse documented in the Task Force Uses report — from spamming to stalking and harassment. 



This personal data is exactly the type of data that data protection laws seek to protect.  Article 29 Data Protection Commissioners now urge ICANN and our TF that: 



"The registration of domain names by individuals raises different legal considerations than that of companies and other legal persons registering domain names" and  "it is essential to limit the amount of personal data to be collected and processed." Article 29 WG citation above.



The collection of such personal data as a global ICANN WHOIS policy serves no technical purpose.  Individual registrants rarely answer technical questions about their domains or their abuse — and would refer such questions (such as the hijacking of their domain name by a spammer) to their technical contact instead.   Accordingly, the collection of Domain Holder data serves little purpose for the WHOIS database and should not be continued as a global ICANN policy.



Conclusion

The best way to protect millions of individual and small organizational domain name registrants, and to comply with data protection laws worldwide, is for ICANN to carefully review the contact data collected for the WHOIS database and limit the data strictly to that necessary for its technical purposes and mission.



Outreach statement

Months ago, the NCUC TF representatives queried NCUC members regarding Whois data and what they and their organizations place in the contact fields.  The answers and discussion that ensued were incorporated into this statement.  The NCUC TF representatives then prepared this Contacts Statement.  It was posted to the Constituency list on August 31, and subsequently adopted as the official position of the Constituency.  

4 (c) Intellectual Property Constituency

This statement responds to the request for constituency input on the Whois Task Force Terms of Reference Items 1 (purpose of Whois) and 2 (purpose of Whois contacts). See Call for constituency statements on Tasks 1&2 of Whois Task Force Terms of Reference, at ht tp://forum.icann.org/lists/gnso-dow123/msg00416.html. The Terms of Reference may be found at http://gnso. icann.org/policies/terms-of-reference.html. Pursuant to requirements of the GSNO policy development process, outlined by the ICANN bylaws, see Annex A, Sec. 7(d), available at http://www.icann.org/general/archive-bylaws/bylaws-19apr04.htm, the IPC came to the following conclusion.

1. Purpose of Whois

Term of Reference #1 is to define the purpose of the Whois database in the context of (1) ICANN's mission and relevant core values, (2) international and national laws protecting privacy of natural persons, (3) international and national laws that relate specifically to Whois services, and (4) the changing nature of Registered Name Holders.

In IPC's view, it is clear that the purpose of the Whois database — from its inception, through the commercialization of the Internet, and continuing today — has always included to provide the public with ready access to the identity and contact information for domain name registrants. That purpose has never changed, and registrants have always been on notice of this purpose, regardless of when they registered their domains. This purpose is also fully consistent with the contextual factors listed in TOR #1. Please see attached background paper for further documentation of this conclusion. (backgrounder is available at http: //forum.icann.org/lists/gnso-dow123/msg00465.html)

i) If a Supermajority Vote was reached, a clear statement of the constituency's position on the issue;

See above.

(ii) If a Supermajority Vote was not reached, a clear statement of all positions espoused by constituency members;

N/A

(iii) A clear statement of how the constituency arrived at its position(s). Specifically, the statement should detail specific constituency meetings, teleconferences, or other means of deliberating an issue, and a list of all members who participated or otherwise submitted their views;

The IPC membership was notified of the request for a constituency statement on June 22. A draft constituency statement was circulated on July 8. The statement and the issue were discussed at the IPC meeting in Luxembourg on July 11. A revised statement was circulated to the IPC membership on July 20, and was discussed at an IPC teleconference meeting on July 22. At that meeting, on a motion, which was seconded, it was agreed without objection to approve the constituency statement, subject to minor drafting changes in the background paper.

(iv) An analysis of how the issue would affect the constituency, including any financial impact on the constituency;

This issue will have a positive impact on IPC by maintaining and potentially enhancing the utility of the Whois database, a vital tool for protecting intellectual property rights in the online environment. IPC does not anticipate any financial impact on the constituency as a result of this policy, nor do we perceive any new costs associated with this particular policy that would need to be borne by another constituency.

(v) An analysis of the period of time that would likely be necessary to implement the policy.

None.

2. Purpose of Whois contacts

Term of Reference #2 is to define the purpose of (1) the Registered Name Holder,² (2) the technical contact, and (3) the administrative contact, in the context of the purpose of the Whois database. IPC supports the effort to define these terms. We note that, today, there is absolutely no consistency in how registrants populate these databases. the fact that these terms (or their cognates) are defined in a Transfers Policy of ICANN is completely unknown to all but a handful of domain name registrants, and thus these definitions have no correlation to the reality of how these categories are defined in practice. However, providing information in the Whois database about each of these points of contact fulfills a useful role.

A. Registered Name Holder

As discussed in response to Terms of Reference #1 above, the purpose of the Whois database, in terms of ICANN's mission and core values, is primarily to promote the reliability and security of the Internet. Making Whois data publicly available regarding the Registered Name Holder is critical to accomplishing this purpose. The Registered Name Holder is ultimately responsible for the use of the domain name and the operation of the corresponding website or other Internet resource, and is also the entity with authority to transfer the domain name registration to another party. Making information on the Registered Name Holder available thus directly promotes accountability and transparency, which in turn increases the overall reliability and security of the Internet.

B. Technical Contact

The purpose of the Technical Contact is to help ensure the operational stability, security, and global interoperability of the Internet, pursuant to ICANN's core value (1).

C. Administrative Contact

The purposes of identifying the Administrative Contact in the Whois database are (1) to give registrars a clearly identified authorized voice of the Registered Name Holder for purposes of managing the domain name, and (2) to give other members of the public a clearly identified point of contact for issues regarding the content of the corresponding website or other Internet resource. For instance, the Administrative Contact should have the authority to modify content on the site or to accept legal process or similar notifications concerning that content.

The IPC notes, however, that the definition provided by the Transfers Task Force Report as referenced in ICANN's June 2 Terms of Reference is somewhat confusing. Namely, the Transfers Report defines the administrative contact as:

an individual, role [?], or organization authorized to interact with the Registry or Registrar on behalf of the Domain Holder [note reference is not to the "Registered Name Holder"]. The administrative contact should be able to answer non-technical questions about the domain name's registration and the Domain Holder. In all cases, the Administrative Contact [sic — note inconsistent capitalization within the definition] is viewed as the authoritative point of contact for the domain name, second only to the Domain Holder.

Final Report and Recommendations of the GNSO Council's Transfers Task Force, Exhibit C: Standardized Definitions, at http ://www.icann.org/gnso/transfers-tf/report-exhc-12feb03.htm (emphasis added).

The definition thus states that the Administrative Contact is "the" authoritative point of contact, but in the next breath demotes that authority to being secondary to the Domain Holder. The IPC agrees that the Domain Holder should have ultimate authority over the domain name, and suggests that the definition of Administrative Contact more clearly reflect that it is not "the" authoritative point of contact, but rather that it is the Domain Holder's authorized point of contact for managing the domain name.

i) If a Supermajority Vote was reached, a clear statement of the constituency's position on the issue;

See above.

(ii) If a Supermajority Vote was not reached, a clear statement of all positions espoused by constituency members;

N/A

(iii) A clear statement of how the constituency arrived at its position(s). Specifically, the statement should detail specific constituency meetings, teleconferences, or other means of deliberating an issue, and a list of all members who participated or otherwise submitted their views;

The IPC membership was notified of the request for a constituency statement on June 22. A draft constituency statement was circulated on July 8. The statement and the issue were discussed at the IPC meeting in Luxembourg on July 11. A revised statement was circulated to the IPC membership on July 20, and was discussed at an IPC teleconference meeting on July 22. On a motion, which was seconded, it was agreed without objection to approve the constituency statement.

(iv) Analysis of how the issue would affect the constituency, including any financial impact on the constituency;

This policy will have a positive impact on IPC by potentially enhancing the utility of the Whois database, a vital tool for protecting intellectual property rights in the online environment. IPC does not anticipate any financial impact on the constituency as a result of this policy, nor do we perceive any costs associated with this particular policy that would need to be borne by another constituency. However, this could change depending upon implementation of the policy (see below).

(v) Analysis of the period of time that would likely be necessary to implement the policy.

It is not clear that this particular Term of Reference contemplates any implementation activity. Assuming that agreement is reached upon the purpose of the various contact categories, IPC believes the Task Force should consider what steps should be taken to (1) inform current and future registrants of these conclusions; (2) encourage or require registrars and registries to provide guidance to registrants in populating these data fields; and (3) facilitate registrants making changes to Whois entries in order to bring them into greater compliance with the agreed-upon purposes. The period of time for implementation would of course be one topic for consideration.

4 (d) Registrar Constituency

Preamble — The Purpose of the Domain Name System, ICANN and the GNSO

ICANN's scope of engagement is defined by its agreement with the United States Department of Commerce³ ("DOC") which stipulates that ICANN and the DOC will collaborate to carry out the following domain name system ("DNS") management functions;

1. Establishment of policy for and direction of the allocation of IP number blocks;

2. Oversight of the operation of the authoritative root server system;

3. Oversight of the policy for determining the circumstances under which new top level domains

would be added to the root system;

4. Coordination of the assignment of other Internet technical parameters as needed to maintain

universal connectivity on the Internet; and

5. Other activities necessary to coordinate the specified DNS management functions, as agreed by

the Parties.

In turn, the GNSO finds its mandate within ICANN"s bylaws⁴ which stipulate that the function of the GNSO shall be limited to "...developing and recommending to the ICANN Board substantive policies relating to generic top-level domains."

The purpose of the domain name system is to enable a decentralized system of administering the Internet's authoritative database of host information. This host information includes IP address and mail routing information, references to other domains and other technical information required to facilitate client-server interactions via the Internet.

The purpose of the gTLD domain registration system is to provide host operators with the means to register and receive a delegation of authority for a specific zone which they administer via the domain name system.

These arrangements carry several implications. It puts direct management of root-level and top-level domain delegations within ICANN's scope. The GNSO's responsibility for developing policy in the area of generic top level domains is derived from this. Responsibility for policy development related to IP addressing, country-code domains and protocol identifiers fall to other organizations within ICANN's structure.

The GNSO has influence over policy that manages the types of gTLD delegations that may be requested and granted. String-length restrictions, character set guidelines and trademark-centric string-content restrictions are all examples of the types of limitations ICANN's GNSO has imposed on delegation requests. However, this does not mean that the GNSO has any direct policy influence over how delegations that do meet these criteria are managed after they have been granted. The GNSO's influence over the operational management of a zone is limited to a very narrow and appropriate set of specifications that outline the processes registrants may use to transfer delegations to one another, choose a new registrar to interface with and so on.

Since neither of ICANN and the GNSO are technical standards creation bodies, neither have any control over how delegations technically function within the domain name system beyond specifying the standardized protocols that will be used. For instance, past GNSO policy recommendations have included advice advocating the development of new technical standards within the IETF and stipulations that currently deployed standards continue to be used. Neither of these recommendations are inappropriate nor out of scope for the GNSO.

Finally, the functional mapping of hostnames to IP addresses, and of IP addresses to host based applications and content such as web sites or email services via the DNS record is a function that is managed locally by the DNS administrator. Central to the function of the DNS is the notion of zone delegation which puts 100% of the technical, operational and policy management of a zone in the hands of the local host administrator. These local functions are naturally outside of ICANN and the GNSO's sphere of control.

The GNSO's policy making powers can be summed up very simply —

The GNSO only has the capability to manage what gets registered and how registrations are administered, but not what registrations are used for.

Any discussion of the purpose of Whois must be consistent with this context and naturally limited to two key areas;

1. Processes, standards and policies related to domain registration and administration activity.

2. specific areas of the domain name system, including;

   1. ensuring technical standards compliance for registrants, registrars and registries, and;

   2. the ongoing management of the authoritative record of name server delegations.

1. Purpose of Whois

Shedding light on the purpose of ICANN, the GNSO and the domain name system also sheds light on the purpose of the gTLD Whois System. There is a tendency within ICANN circles to view specific parts of the DNS as being isolated from one another, when in fact each of these constituency pieces is an integral part of a much larger system. Each of these specific parts is required to function efficiently or the stability and efficiency of the entire system will start to fail.

But, there is little understanding of what the domain name system actually entails, and as a result, there are many opinions as to what the gTLD Whois System actually is. A popular view is that the purpose of the Whois System is to act as a directory of contact information. However, an examination of the data and protocols that ICANN requires registrars and registries to publish and use to implement the Whois System paints a picture that implies a much broader purpose for the gTLD Whois System than the very narrow purpose of acting as a directory of contact information.

Publicly accessible directories of contact information, such as the directory of Senators of the 109^th Congress of the United States of America⁵ typically includes information like the name, mail and email address and phone number of the individuals and companies included in the directory.

i.e.

Sample record from the directory of Senators of the 109th Congress Akaka, Daniel- (D - HI) 141 HART SENATE OFFICE BUILDING WASHINGTON DC 20510 (202) 224-6361 E-mail: senator@akaka.senate.gov

This sample record is consistent with records found in other contact directories, online and offline, such as the white page directories published by telephone companies⁶, the professional networking web directory operated by LinkedIn⁷ or the directory of contact information for the members of the MPAA⁸.

Each of these directories has one thing in common — the data included in each of the records is consistent with its purpose — to provide the public with ready access to contact information.

On the other hand, the gTLD Whois System provides a much broader dataset in response to third party queries;

Sample record from the gTLD Whois System Whois info for, tucows.com: Registrant: Tucows ( Delaware ) Inc. 96 Mowat Avenue Toronto, Ontario M6K3M1 CA Domain name: TUCOWS.COM Administrative Contact: Administrator, DNS dnsadmin@tucows.com 96 Mowat Avenue Toronto, Ontario M6K3M1 CA +1.4165350123x0000 Technical Contact: Administrator, DNS dnsadmin@tucows.com 96 Mowat Avenue Toronto, Ontario M6K3M1 CA +1.4165350123x0000 Registrar of Record: TUCOWS, INC. Record last updated on 22-Nov-2004. Record expires on 06-Sep-2006. Record created on 07-Sep-1995. Domain servers in listed order: DNS1.TUCOWS.COM 216.40.37.11 DNS2.TUCOWS.COM 216.40.37.12 DNS3.TUCOWS.COM 204.50.180.59 Domain status: REGISTRAR-LOCK

If the gTLD Whois System was simply a directory of contact information, then there would be no reason to include additional information aboutthe domain delegation in the record displayed in response to a query which would be intended to discover contact information.

This additional information includes:

• the zone that was delegated ("tucows") and the zone that the delegation belongs to ("com")

• the date that the delegation was granted ("07-Sep-1995") and when the delegation next expires ("06-Sep-2006")

• which domain name servers are authoritative for this particular zone ("dns1, dns2 and dns3.tucows.com")

• the status of the delegation ("REGISTRAR-LOCK")

This is a lot of additional information to include in a simple database of contact information for domain name registrants. This additional information was not included by accident — it was included because it was central to the intended purpose of the gTLD Whois System in support of the domain name system. Queries destined for this system are not provided with contact records, they are provided delegation records.

The gTLD Whois System is a record lookup service that uses the Whois protocol to allow third parties to determine which entity currently holds the delegation for a particular second level domain. The purpose of this lookup service is to facilitate the technical co-ordination and inter-operation of specific delegations within the registration and domain name systems.

Examples of technical co-ordination and inter-operation include;

• Resolving issues related to lame delegation (i.e. delegation records that specify nameservers that are not authoritative for the delegation in question).

• Determining which name servers are intended to be authoritative for a specific delegation (i.e. comparing the delegation records with data from other sources while troubleshooting configuration issues).

• Determining the status of a delegation (INACTIVE, CLIENT LOCK, PENDING RENEW, and other EPP/RRP status codes⁹.).

• Determining which delegant is responsible for the activity of a specific network host.

• Determining when a specific delegation was granted.

Facilitating technical co-ordination and inter-operation does not include;

• Providing contact information for host operators to help third parties resolve civil and criminal matters.

• Facilitating commercial transactions related to the transfer of delegations between registrants.

• Facilitating interactions between network providers.

• Providing the general public with ready access to the identity and contact information for domain name registrants and the associated contacts.

• Facilitating the resolution of host based security and network attacks.

2. Purpose of Whois Contacts

The purpose of specific contact types in the gTLD Whois System cannot be divorced from the purpose of the overall gTLD Whois System, or that of the GNSO and ICANN.

There are at least four contact types listed in the current gTLD Whois System — the "Registrant", the "Administrative Contact", the "Technical Contact" and the "Sponsoring Registrar". Some gTLD Whois records also include contact information for the ISP or reseller acting as the liaison between the Registrar and Registrant. As previously discussed, there are many other technical details included in these records in addition to the contact information.

The following table describes the purpose of only three of these contact types;

This view of the purpose of these contact types also carries implications that warrant further examination.

1. The contact information currently associated with the Registrant type is extraneous. A record that intends to provide delegation information need not also provide contact information. This contact information could be removed from the gTLD Whois System with little operational impact.

2. The purpose of the Administrative Contact and the Technical Contact are very closely related. In fact, there is little to distinguish each of these record types on a practical basis. The continued relevance and value of maintaining separate contact types should be examined.

4 (e) Registry Constituency

This statement responds to the request for constituency input on the WHOIS COMBINED TASK FORCE Terms of Reference (2 June 2005) Tasks 1 (Purpose of WHOIS) and 2 (Purpose of WHOIS contacts).

Pursuant to requirements of the GSNO policy development process, the RyC has concluded:

1. Purpose of Whois

The WHOIS function had one original purpose, clearly articulated by the European Commission Data Protection Working Party — "to give people who operate networks a way of contacting the person technically responsible for another network, another domain, when there was a problem."¹⁰ This purpose is a direct result of the nature of the Internet at the time when the function was originated, namely a limited interconnection of research, university and government networks. The visionary founders of the Internet never conceived of the Internet as the global means of mass telecommunications that it has now become

The WHOIS function now has additional purposes that have arisen from the change of character of the Internet. Its explosive growth has unfortunately attracted a minority of users who do not share the high-minded idealism of the Internet's founders. The spammers, cybersquatters, phishers and other abusers of the functions of the Internet, together with users whose intent is criminal (terrorists, et al) have made it necessary to recognize that the WHOIS function has purposes beyond its original purpose. However, recognition of this need does not imply that the function must make all personal data public. There is no justification at this time for a WHOIS function that makes available to the entire world the personal data of millions of domain name registrants.

There are adequate techniques, such as tiered access, that can make WHOIS data available to law enforcement agencies and others that need the data.

The EC Working Party Opinion cited above recognizes the expansion of purposes and at the same time strongly supports the concept that not all data should be made public:

"...it is essential to limit the amount of personal data to be collected and processed."

"The registration of domain names by individuals raises different legal considerations than that of companies or other legal persons registering domain names."

"In the light of the proportionality principle, it is necessary to look for less intrusive methods that would still serve the purpose of the Whois directories without having all data directly available on-line to everybody."

"The Working Party encourages ICANN and the Whois community to look at privacy enhancing ways to run the Whois directories in a way that serves its original purpose whilst protecting the rights of individuals. It should in any case be possible for individuals to register domain names without their personal details appearing on a publicly available register."

[emphasis in original]

It is entirely disingenuous to argue that personal data must be made publicly available because ICANN requires that domain name registrants consent or acknowledge that their data will be publicized. The point of this Task Force's proceeding (and the proceeding of its predecessors) has always been to determine how the WHOIS function should be structured, not to defend its legality or illegality as presently structured.

b) Constituency Position on Task 2 — Purpose of WHOIS Contacts

The RyC believes that the purposes of the various contacts are adequately described in Exhibit C of the Transfers Task force report.

(from http://www.icann.org/gnso/transfers-tf/report-exhc-12feb03.htm):

II. Method for Reaching Agreement on RyC Position

The RyC drafted and circulated via email a constituency statement, soliciting input from its members. RyC members suggested edits and additions to the draft which were subsequently incorporated into the final constituency statement. The statement was adopted by a unanimous vote of the members present at the teleconference meeting on 17 August 2005.

III. Impact on Constituency

Recognition that the WHOIS function has a limited purpose and that personal data should not be publicly available would assist the members of the RyC in fulfilling their legal obligations in their respective jurisdictions.

IV. Time Period Necessary to Complete Implementation

Depending on the actual technical implementation requirements of any agreed-to WHOIS changes, it could take considerable time for registries to implement changes.  Moreover, time for implementation may vary by registry depending on resource availability, size of the WHOIS database, etc.  If the changes involve implementing the IRIS protocol, a lengthy amount of time should be allowed for transition because of the widespread and longstanding use of the existing protocol.

4 (f) Internet Service Providers and Connectivity Providers Constituency

Introduction

The ISPCP Constituency herein provides input as requested to the combined Whois Task Force on the revised terms of reference tasks to be undertaken for by the task force.

1. The task force tasks 1 and 2 as set forth in the terms of reference for the combined Whois task force.

mission and relevant core values, international and national laws protecting privacy of natural persons, international and national laws that relate specifically to the WHOIS service, and the changing nature of Registered Name Holders.

administrative contacts, in the context of the purpose of WHOIS, and the purpose for which the data was collected. As required by the task force terms of reference, the relevant definitions from Exhibit C of the Transfers Task force is used as a starting point and commented upon.

2. Purpose of Whois

The Whois database serves the purpose of providing contact information to the public regarding the individual or organization that has registered a domain name. This is true today, and it has been true throughout the history of the domain name system's Whois database. The ISPCP believes that regardless of the vast growth of the number of domain registrations, some core principles should remain unchanged, and ready access to all Whois data is one such principle.

The ISPCP does not believe there to be a conflict between ICANN's core mission and public access to Whois. In fact, in an open and transparent process that relies on a global community for a bottom-up consensus development process public access should always be a core value in any policy development. After having considered policy changes related to the Whois database for so many years this constituency does not feel any change in this core value is warranted.

Certainly, as we have stated in the past, some rules for protection of the Whois database and registrant privacy are important. Conspicuous notice, prohibition of bulk access for marketing purposes and compliance with local laws are positive aspects of the Whois task forces that the ISPCP welcomes.

In providing the ISPCP specific purposes of Whois data, we'd like to highlight the fact that this discussion has been had before, many times. Despite the confusion over the "use" versus the "purpose", in fact both are dependant on the type of notice that is provided at time of registration. If adequate notice is provided regarding the intended purposes of data collection, then all uses (but nothing more) consistent with that notice shall be valid.

Nevertheless, here again are the following purposes of Whois for the ISPCP:

1. to research and verify domain registrants that could vicariously cause liability for ISPs

because of illegal, deceptive or infringing content.

2. to prevent or detect sources of security attacks of their networks and servers

3. to identify sources of consumer fraud, spam and denial of service attacks and incidents

4. to effectuate UDRP proceedings

5. to support technical operations of ISPs or network administrators

The ISPCP believes these purposes are consistent with ICANN's mission and with the role of service providers in their routine connectivity, hosting and business activities.

2. Purpose of Whois contacts

ICANN's core mission is the security and stability of the domain name system leading to increased reliability of the Internet.

Some consistency in the way domain name registrants populate various fields is useful to all who use Whois.

The purpose of the registered name holder is to name the person or entity that initiates the use of the domain, holds himself or itself as having ultimate responsibility for all things associated with the domain. This contact is often used by ISPs to address legal or business issues related to the domain.

The purpose of the technical contact is to name the individual who is intended to be responsible for addressing technical, security and/or interoperability issues related to the domain. This is a particularly important to ISPs for resolving technical questions related to internet traffic or the domain generally.

The purpose of the administrative contact is to provide a live name and voice to the registered name holder when the registrant is an entity. The administrative contact is intended to be the individual to address business, legal and policy issues related to the domain.

ISPCP Proposal

The Whois task force is now in its third configuration, and has been conducting its efforts at least since 2001. The constituency is grateful to each and every member of the task force as well as ICANN staff, which has contributed to the work in this space. We believe that it is important for the legitimacy of the process and the sanity of the individual members that the task force be specific in its goals and advances. If after years of discussion, areas still exist where consensus policy is not achieved, the task force should so indicate and end discussion in such areas.

It is clear that in fact, there are positive improvements to the system coming from this task force and its predecessors. However, if there is still substantial disagreement over how the purpose and use of data are connected and interact together, it leaves this constituency somewhat disheartened and frustrated.

We hope the task force does continue to reach consensus and achieve each of its goals as outlined in the terms of reference tasks. However, if there are areas where there is too much opposition to achieve consensus, its far better to openly state that and make a report to the ICANN board and community in this regard than to continue to pushing members to argue the same positions and waste valuable effort without getting any closer to policy goals.

The ISPCP constituency wishes you all the best, and hopes that the task force reaches a successful consensus policy on all its terms of reference tasks.

5 (a) PURPOSE OF WHOIS

Jordyn Buchanan, chair of the GNSO's Whois Task Force, update from the task force on defining the purpose of Whois. (General details of the task force are available here: http://gnso.icann.org/i ssues/Whois-privacy/ , Jordyn's presentation is available here:

Jordyn Buchanan outlined the two current formulations on the purpose of Whois, and described the common and distinguishing features of each:

Formulation #1

"The purpose of the gTLD Whois service is to provide information sufficient to contact a responsible party for a particular gTLD domain name who can resolve, or reliably pass on data to a party who can resolve, issues related to the configuration of the records associated with the domain name within a DNS nameserver."

This formulation is supported by the registrars, registries, and NCUC:

• Consistent with the narrow technical mission of ICANN, ICANN's Core Values (particularly 1-3) and national data protection laws worldwide.

• Core values: #1 Security and Stability, #2 Respecting creativity and flow of information by limiting ICANN's activities to matters in ICANN's mission,

• Delegating to and respecting the policy role of responsible entities that reflect the interests of affected parties

Formulation #2

"The purpose of the gTLD Whois service is to provide information sufficient to contact a responsible party or parties for a particular gTLD domain name who can resolve, or reliably pass on data to a party who can resolve, technical, legal or other issues related to the registration or use of a domain name."

This formulation is supported by IPC, ISPCP, and BC:

• This approach is most consistent with the history of Whois and follows the growth and expansion, in both number of users and importance as a means of communication, of the Internet.

• This approach is most consistent with the actual uses of Whois to help resolve these issues

• This approach is consistent with ICANN's Mission and Core Values

Jordyn Buchanan reported that everyone in the task force agrees the purpose of Whois is to provide a system for a given domain name to be looked up and produce a set of contact information. The crux of the differences relates to the types of problems the constituencies believe ought to be resolved using the Whois system. (e.g. technical, legal, etc.) Jordyn invited public input on how to resolve differences on the purpose of Whois, specifically on the differences between the two formulations of purpose; which is better and why.

Bruce Tonkin recommended the following to the task force:

• Try to combine the two definitions of Whois into a single definition with unanimous support.

• If the task force cannot do this, then document carefully the two formulations and the rationale for each.

• When considering 'use of a domain name', be clear about whether you mean the name or the DNS record itself, and also the relationship between the domain name and the end content — using examples will be helpful.

The Whois Task Force will soon publish a preliminary task force report on the ICANN website for public comment.

Bruce Tonkin encouraged public comments on the purpose of Whois, saying the more input we get from the public, the better the outcome will be. He recommended the following to those commenting on the preliminary task force report on Whois purpose:

• Explain the use cases, i.e. give practical examples and explain how the differences between the two definitions may affect those practical examples.

5 (b) PUBLIC QUESTIONS AND COMMENTS ON PURPOSE OF WHOIS

Matt Hooker said that as he needed the registrant information as he needs their legal addresses in order to serve legal processes on registrants if necessary, he preferred the first formulation. He spoke against private registrations creeping into the Whois and said it was not sufficient to have information about a registrant's legal representative or other contact. Accuracy of the Whois information was very important.

Jordyn Buchanan said that both formulations currently allow for the concept of agency, i.e. an agent representing the registrant but capable of resolving issues on their behalf or putting requesters in touch with someone who can rapidly contact the registrant. For example, the registrant may not be the correct person to resolve technical issues.

Kathy Kleiman said the privacy conference on Tuesday discussed the ability to protect the individual, small political organizations that may be criticizing governments or corporations, and the need to balance the ability to contact someone to resolve a technical or legal problem while protecting the privacy of the individual. The decision of the GNSO Council on Monday, 28 November 2005 to agree a recommendation on conflicts with national privacy laws was an excellent first step, but just a first step because it does not allow registrars and registries to come into voluntary, pro-active compliance with their data protection laws.

Edward Hasbrouck suggested two extra optional fields in the GNSO; one specifying the jurisdiction where the registrant accepts legal process or considers its governing jurisdiction, and another specifying that one of the existing contacts is authorized to accept legal process on behalf of the registrant or to designate an alternate agend for serving legal process. Consumers should know where an Internet company asserts as its jurisdiction.

Milton Mueller said the discussion was losing focus on the issue at hand; the purpose of Whois within ICANN's mission. He asked how Matt Hooker's and Edward Hasbrouck's suggestions fit with ICANN's mission which is about the coordination of unique identifiers on the Internet. Issues relating to the regulation of e-commerce are not part of ICANN's mission. Milton Mueller therefore supported the first formulation of the purpose of Whois above.

Jordyn Buchanan said that after the task force has completed work on the purpose of Whois, it will get down to more concrete items including Whois data accuracy.

Marilyn Cade said that the previous Whois task force had produced recommendations on bulk access to the Whois data and this is an issue that the Council may also look at for ideas on how to limit data-mining and restrict the uses of bulk access to the data.

Wendy Seltzer echoed Milton Mueller's statement about ICANN's limited mission and the limited role of Whois information, saying Whois should be limited to what's technically required because domain names facilitate more than commerce, e.g. speech.

Bruce Tonkin said registrants do not always have control over the content of the website the domain name points to, so when we use the term 'use of' the domain name, it should be recalled that all the domain name does is provide a link and a mapping from a name to an IP address. Normally, it's necessary to also look up the operator of the I.P. address in question.

On 2 June 2005, The GNSO Council agreed the following terms of reference for the Whois Task Force:

The mission of The Internet Corporation for Assigned Names and Numbers ("ICANN") is to coordinate, at the overall level, the global Internet's systems of unique identifiers, and in particular to ensure the stable and secure operation of the Internet's unique identifier systems.

In performing this mission, ICANN's bylaws set out 11 core values to guide its decisions and actions. Any ICANN body making a recommendation or decision shall exercise its judgment to determine which of these core values are most relevant and how they apply to the specific circumstances of the case at hand, and to determine, if necessary, an appropriate and defensible balance among competing values.

ICANN has agreements with gTLD registrars and gTLD registries that require the provision of a WHOIS service via three mechanisms: port-43, web based access, and bulk access. The agreements also require a Registered Name Holder to provide to a Registrar accurate and reliable contact details and promptly correct and update them during the term of the Registered Name registration, including: the full name, postal address, e-mail address, voice telephone number, and fax number if available of the Registered Name Holder; name of authorized person for contact purposes in the case of an Registered Name Holder that is an

organization, association, or corporation; the name, postal address, e-mail address, voice telephone number, and (where available) fax number of the technical contact for the Registered Name; and the name, postal address, e-mail address, voice telephone number, and (where available) fax number of the administrative contact for the Registered Name. The contact information must be adequate to facilitate timely resolution of any problems that arise in connection with the Registered Name.

A registrar is required in the Registrar Accreditation Agreement (RAA) to take reasonable precautions to protect Personal Data from loss, misuse, unauthorized access or disclosure, alteration, or destruction.

The goal of the WHOIS task force is to improve the effectiveness of the WHOIS service in maintaining the stability and security of the Internet's unique identifier systems, whilst taking into account where appropriate the need to ensure privacy protection for the Personal Data of natural persons that may be Registered Name Holders, the authorised representative for contact purposes of a Register Name Holder, or the administrative or technical contact for a domain name.

Tasks:

(1) Define the purpose of the WHOIS service in the context of ICANN's mission and relevant core values, international and national laws protecting privacy of natural persons, international and national laws

that relate specifically to the WHOIS service, and the changing nature of Registered Name Holders.

(2) Define the purpose of the Registered Name Holder, technical, and administrative contacts, in the context of the purpose of WHOIS, and the purpose for which the data was collected.

Use the relevant definitions from Exhibit C of the Transfers Task force report as a starting point:

(from http:// www.icann.org/gnso/transfers-tf/report-exhc-12feb03.htm ):

"Contact: Contacts are individuals or entities associated with domain name records. Typically, third parties with specific inquiries or concerns will use contact records to determine who should act upon specific issues related to a domain name record. There are typically three of these contact types associated with a domain name record, the

Administrative contact, the Billing contact and the Technical contact. Contact, Administrative: The administrative contact is an individual, role or organization authorized to interact with the Registry or Registrar on behalf of the Domain Holder. The administrative contact should be able to answer non-technical questions about the domain name's registration and the Domain Holder. In all cases, the Administrative Contact is viewed as the authoritative point of contact for the domain name, second only to the Domain Holder.

Contact, Billing: The billing contact is the individual, role or organization designated to receive the invoice for domain name registration and re-registration fees.

Contact, Technical: The technical contact is the individual, role or organization that is responsible for the technical operations of the delegated zone. This contact likely maintains the domain name server(s) for the domain. The technical contact should be able to answer technical questions about the domain name, the delegated zone and work with technically oriented people in other zones to solve technical problems that affect the domain name and/or zone.

Domain Holder: The individual or organization that registers a specific domain name. This individual or organization holds the right to use that specific domain name for a specified period of time, provided certain conditions are met and the registration fees are paid. This person or organization is the "legal entity" bound by the terms of the relevant service agreement with the Registry operator for the TLD in question."

(3) Determine what data collected should be available for public access in the context of the purpose of WHOIS. Determine how to access data that is not available for public access. The current elements that must be displayed by a registrar are:

- The name of the Registered Name;

- The names of the primary nameserver and secondary nameserver(s) for the Registered Name;

- The identity of Registrar (which may be provided through Registrar's website);

- The original creation date of the registration;

- The expiration date of the registration;

- The name and postal address of the Registered Name Holder;

- The name, postal address, e-mail address, voice telephone number, and (where available) fax number of the technical contact for the Registered Name; and

- The name, postal address, e-mail address, voice telephone number, and (where available) fax number of the administrative contact for the Registered Name.

(4) Determine how to improve the process for notifying a registrar of inaccurate WHOIS data, and the process for investigating and correcting inaccurate data. Currently a registrar "shall, upon notification by any person of an inaccuracy in the contact information associated with a Registered Name sponsored by Registrar, take reasonable steps to investigate that claimed inaccuracy. In the event Registrar learns of

inaccurate contact information associated with a Registered Name it sponsors, it shall take reasonable steps to correct that inaccuracy."

(5) Determine how to resolve differences between a Registered Name Holder's, gTLD Registrar's, or gTLD Registry's obligation to abide by all applicable laws and governmental regulations that relate to the WHOIS service, as well as the obligation to abide by the terms of the agreements with ICANN that relate to the WHOIS service. [Note this task refers to the current work in the WHOIS task force called 'Recommendation 2', A Procedure for conflicts, when there are conflicts between a registrar's of registry's legal obligations under local privacy laws and their contractual obligations to ICANN.]

ICANN's core values are as follows:

1. Preserving and enhancing the operational stability, reliability, security and global interoperability of the Internet.

2. Respecting the creativity, innovation and flow of information made possible by the Internet by limiting ICANN's activities to those matters within ICANN's mission requiring or significantly benefiting from global coordination.

3. To the extent feasible and appropriate, delegating coordination functions to or recognizing the policy role of other responsible entities that reflect the interests of affected parties.

4. Seeking and supporting broad, informed participation reflecting the functional, geographic and cultural diversity of the Internet at all levels of policy development and decision-making.

5. Where feasible and appropriate, depending on market mechanisms to promote and sustain a competitive environment.

6. Introducing and promoting competition in the registration of domain names where practicable and beneficial in the public interest.

7. Employing open and transparent policy development mechanisms that (i) promote well-informed decisions based on expert advice, and (ii) ensure that those entities most affected can assist in the policy development process.

8. Making decisions by applying documented policies neutrally and objectively, with integrity and fairness.

9. Acting with a speed that is responsive to the needs of the Internet while, as part of the decision-making process, obtaining informed input from those entities most affected.

10. Remaining accountable to the Internet community through mechanisms that enhance ICANN's effectiveness.

11. While remaining rooted in the private sector, recognizing that governments and public authorities are responsible for public policy and duly taking into account governments' or public authorities' recommendations.

These are the core values as re-stated in the most recent ICANN Strategic Plan (page 4) posted on the ICANN website in May 2005: http:// www.icann.org/strategic-plan/strategic-plan-v7_3.pdf