
WHOIS Privacy Steering Group


ATTENDEES:


Acting Chair: Bruce Tonkin (non voting)



Voting members of the committee (Note with reference to the GNSO Council decision documented in the minutes of the meeting on 5 June 2003, each constituency could appoint one or two members to the WHOIS Steering Group - the members may be from outside the GNSO Council - each constituency would have one vote in any vote proposed in the WHOIS Steering Group.)



Intellectual Property Interests Constituency : Steve Metalitz, Kiyoshi Tsuru

gTLD Registries constituency: David Maher

Commercial and Business Users constituency: Marilyn Cade, Grant Forsyth

Non Commercial Users Constituency: Stephanie Perrin, Milton Mueller

Registrars Constituency: Tom Keller, Mark Jeftovic

Internet Service and Connectivity Providers constituency: Maggie Mansourkia

GNSO Council independent representative: Alick Wilson



Non-voting Liaisons

At-Large Advisory Committee (ALAC) liaisons: Thomas Roessler, Wendy Seltzer



(Note the At-Large Advisory Committee has the same status as the Government Advisory Committee in the new ICANN structure and may report its findings and recommendations directly to the ICANN Board, and in addition may appoint non-voting liaisons to the GNSO Council. The role of Advisory Committees is described in Article XI of the new bylaws, and part 4 of section 2 describes the structure of ALAC in more detail.)



Absent: with apologies.

ccTLD liaison: Nigel Roberts

Bruce Tonkin reported that the GNSO constituencies' input rated issues 10 and 12 at the top:

1. Top:

10. Are the current means of query-based access appropriate? Should both web-based access and port-43 access be required? (RAA § 3.3.1.)

11. What are the purposes for providing public query-based access? Are the elements currently required to be disclosed in public query-based access adequate and appropriate? (RAA § 3.3.1.)

12. What measures, if any, should registrars and registry operators be permitted to take to limit data mining of Whois servers?



2. Second: Intellectual Property Interests and the Non-commercial Users constituencies were concerned about sufficient disclosure

5. Are the current requirements that registrars make disclosures to, and obtain consent by, registrants concerning the uses of collected data adequate and appropriate? (See RAA §§ 3.7.7.4 to 3.7.7.6.)



3. Third, related to quality of data issues



4. Fourth, related to data disclosure



Bruce also mentioned that during a Registrar/Registry meeting in Marina del Rey, Los Angeles 11/12 September, there was further discussion on WHOIS issues, along with some input from the Intellectual Property constituency.

Taking into account the priority areas identified by the GNSO Constituency and other discussions on WHOIS within the ICANN community, Bruce drafted for the steering committee three possible task forces with a narrow focus in the areas of data mining for marketing purposes, data collection/disclosure, and problems with the provision of false information by registrants. The Internet Engineering Task Force (IETF) approach was used: (a) ensure each task force has a narrow focus, (b) reasonably achievable goals, (c) achievable within a reasonable timeframe.

Bruce opened the discussion on the following

a. whether it was appropriate to identify 3 narrowly focussed task forces

b. whether the 3 areas of the task forces were appropriate:

(1) Restricting bulk access to WHOIS data for marketing purposes

[issues included] - 10, 12, 13, 14, 15, and 16

[summary] - bulk access to WHOIS data is available through a combination of zonefile access, port-43 WHOIS protocol, interactive web pages, and bulk access agreement. There are currently limited mechanisms to restrict access for marketing purposes.

[out-of-scope]

- changes to bulk access agreement (this was the subject of a recent policy update)

- changes to the data collected or the data made available via anonymous (public) data access (this will be part of a separate task force)

[in-scope]

- changes to the methods of access to the present data to prevent data mining for marketing purposes

- ensuring that legitimate access to WHOIS (e.g. by law enforcement, intellectual property, network operations, consumer information) is maintained by any changes



(2) Review of data collected and data displayed

[issues included] - 1, 2, 3, 5, 11, 13

[summary] - domain name holders are concerned about the amount of information that is made available for full public access and the amount of information that they must provide

[in-scope]

- changes to the amount of data that must be collected

- changes to data provided for anonymous public access

- changes to the way registrants are informed about how their data is made public or made available to other parties

[out-of-scope]

- mechanisms for access (covered by task force 1)



(3) Mechanisms for responding to domain name holders that deliberately provide false information to avoid prosecution (e.g. for criminal behavior) or other civil legal action (e.g. for trademark infringement)

[issues included] - 4, 6, 7, 18

[in-scope]

- should fully anonymous registration be permitted

- what other forms of data should registrars collect to assist enforcement (e.g. credit card information, source IP addresses, web traffic logs)

- what action should be taken when a domain name is the subject of legal action and the domain name holder has provided false information

- how to handle wide variations in legal jurisdiction (e.g. laws regarding website content may vary widely)

[out-of-scope]

- data quality relating to domain name holders mistyping some contact information (usually at least one of the pieces of contact data will be accurate in such cases), and data quality relating to a domain name holder changing address, phone number etc. after the point of registration (this was covered by the recent WHOIS policy decision to require an annual reminder message to be sent to domain name holders)

- mechanisms to further validate legitimate domain name holder data at time of registration (registrars generally already provide checks to ensure that they are able to obtain domain name renewal revenue)

Bruce added that the first general area, restricting bulk access to WHOIS data for marketing purposes, was the highest priority and efforts should be focussed there.

The decision to run all three task forces parallel or sequentially would be left to the GNSO Council taking into account the resources within the GNSO community to work on the task forces.



Comments followed from:

David Maher endorsed the proposal of 3 task forces and supported the allocation of subjects.

Steve Metalitz supported the overall approach, but expressed concern (a) about running 3 task forces at the same time and (b) about the identification of issues that seemed to go beyond the top 5 identified by the constituencies. He felt that the issues identified in the second set had a narrow basis of support as priority matters. He expressed concern about human bandwidth, and emphasized the time and work needed in consultations with constituencies.

Milton Mueller proposed minor changes: while bulk access was the most popular issue and should be addressed first, data collection was critical and issue 3 could not be addressed until issues 1 and 2 had been resolved. In addition, there were critical interrelated elements that should be looked at simultaneously and a single task force would be difficult to manage.

Wendy Seltzer said it would be helpful to address 1 and 2 in parallel and cautioned about creating solutions in one area that would cause problems in another.

Tom Keller expressed the need for extensive public comment on recommendations.

Thomas Roessler noted that the first two task forces should be run in parallel to optimize exchange of information and interim solutions should be avoided.

Stephanie Perrin mentioned that EPIC would like to participate in both task force 1 and 2.

Kiyoshi Tsuru proposed one group dealing with the 5 issues and expressed concern about reaching a resolution in a reasonable time and the effectiveness and coordination of several groups.

Bruce Tonkin summarized the group's feelings: running all 3 task forces in parallel was not feasible, but 1 and 2 should be run in parallel as separate task forces. The outcomes are well defined: task force 1 takes the access approach and task force 2 looks at the data elements to be displayed. Quite different people could volunteer to be on the task forces.

The task force addressing the data mining issue could be accomplished in a reasonable timeframe. However the review of data collected and data displayed is, according to Paul Twomey, generally important across ICANN, in that the WHOIS policy should be revisited since the underlying environment of the Internet has changed, thus task force 2 would need more time.



Maggie Mansourkia expressed concern about the manageability of two task forces in terms of human resources and timing, and preferred a serial approach.

Steve Metalitz felt that issue 5, "Are the current requirements that registrars make disclosures to, and obtain consent by, registrants concerning the uses of collected data adequate and appropriate? (See RAA §§ 3.7.7.4 to 3.7.7.6.)", was a priority issue, but agreed that it did not fit with task force 1. Bruce Tonkin suggested that this issue be dealt with first in task force 2. Steve also noted that the issue may be one of contractual compliance with the existing provision to inform registrants.



Milton Mueller emphasized that the broader picture from the point of view of the WHOIS process, why people want to data mine, should be looked at, so as to avoid seeing data collection from a restricted constituency point of view.

Grant Forsyth, Marilyn Cade and Kiyoshi Tsuru emphasized the resource issue and supported working on one task force at a time. In addition it was argued that non-English speakers could better manage participation in one task force at a time.



Bruce Tonkin proposed:

Moving forward with the following approach:
1. Focus on the terms of reference for task force 1 & 2

2. Allow the GNSO Council to decide, based on the resources each constituency puts forward, whether task force 1 & 2 would run simultaneously or sequentially.

Motion carried unanimously by all present.


Bruce Tonkin called for discussion on the proposed terms of reference for task force 1.



Title: Restricting bulk access to WHOIS data for marketing purposes




Description of Task Force:

In the recent policy recommendations relating to WHOIS, it was decided that the use of bulk access WHOIS data for marketing should not be permitted. Bulk access need not be the entire database (millions of records) of contact information but could also be considered to be hundreds of WHOIS data records. The current registry and registrar contracts provide for third parties to obtain access to bulk WHOIS information via an agreement that limits the use of the information for marketing purposes (the number of these agreements in existence is probably less than 10 for each large registrar). However, most collections of bulk WHOIS data are currently obtained by a combination of using free zonefile access (via signing a registry zonefile access agreement; the number of these in existence approaches 1000 per major registry) to obtain a list of domains, and then using anonymous (public) access to either port-43 or interactive web pages to retrieve large (greater than 100 records) volumes of contact information. Once the information is initially obtained it can be kept up-to-date by detecting changes in the zonefile, and only retrieving information related to the changed records. This process is often described as "data mining". The net effect is that bulk access to WHOIS data is easily available for marketing purposes, and is generally anonymous (the holders of this information are unknown).



The purpose of this task force is to determine what contractual changes (if any) are required to allow registrars to protect domain name holder data from data mining for the purposes of marketing.



In-scope
========

The purpose of this section is to clarify the issues that should be considered in proposing any policy changes.

The task force must ensure that groups such as law enforcement, intellectual property, internet service providers, and consumers can continue to retrieve information necessary to perform their functions. In some cases this may require the provision of searching facilities (e.g. that can return more than one record in response to a query) as well as look-up facilities (that only provide one record in response to a query).

The task force must ensure that any access restrictions do not restrict the competitive provision of services using WHOIS information (for example ensure that intellectual property protection can be provided competitively), nor restrict the transfer of domain name records between registrars.



Out-of-scope
============

To ensure that the task force remains narrowly focussed, so that its goal is reasonably achievable and within a reasonable time frame, it is necessary to be clear on what is not in scope for the task force.

The task force should not aim to specify a technical solution. This is the role of registries and registrars in a competitive market, and the role of technical standardization bodies such as the IETF. Note the IETF presently has a working group called CRISP to develop an improved protocol that should be capable of implementing the policy outcomes of this task force.

The task force should not review the current bulk access agreement provisions. These were the subject of a recent update in policy in March 2003.

The task force should not study the amount of data available for public (anonymous) access for single queries. Any changes to the data collected or made available will be the subject of a separate policy development process.



Tasks/Milestones
================

- collect requirements from non-marketing users of contact information (this could be extracted from the Montreal workshop and also by GNSO constituencies, and should also include accessibility requirements (e.g. based on W3C standards)) [milestone 1 date]

- review general approaches to prevent automated electronic data mining and ensure that the requirements for access are met (including accessibility requirements for those that may for example be visually impaired) [milestone 2 date]

- determine whether any changes are required in the contracts to allow the approaches to be used above (for example the contracts require the use of the port-43 WHOIS protocol and this may not support approaches to prevent data mining) [milestone 3 date]



Each milestone should be subject to development internally by the task force, along with a public comment process to ensure that as much input as possible is taken into account.

Steve Metalitz agreed with the procedure but commented that the description of bulk was very confusing. He noted that there is no definition of "bulk" other than the existence of the bulk access agreement. The task force would also need to define what is meant by data mining, and have an understanding of the technical issues associated with data mining.

Bruce Tonkin clarified that the intent was to indicate that it was not just the entire WHOIS database that caused problems with unsolicited marketing, but the data mining of significant portions (it was then debatable whether significant was 100 records, 1000 records, 10000 records etc).

Milton Mueller suggested that question 13, differentiated access, should be mentioned.

Marilyn Cade expressed her thanks for the work done by Bruce and suggested differentiating between:

1. providing bulk access to create value added services

2. bulk access to third parties for spam when the user does not understand what is happening.

"Legitimate" should be defined.

Kiyoshi Tsuru proposed adding accuracy, to which Bruce Tonkin commented that he disagreed with adding accuracy to the first task force, but agreed that accuracy is an important issue as it was the intent of the 3rd task force to look at the distinction between malicious inaccurate data and inadvertent inaccurate data.

Thomas Roessler suggested examining the requirements/mechanisms for who gets privileged access to data and who does not.

Tom Keller suggested clarifying "in scope" what legitimate use is and who has access.



Plan of action forward

Bruce Tonkin proposed:



One week deadline:

- that each constituency discuss the terms of reference and comment by email to the list

Two week deadline:

- meet (teleconference) to discuss the terms of reference.


Bruce Tonkin thanked everyone for their presence and participation and ended the call at 8:15 am Friday 19 September, Melbourne time, 23:15 UTC.