[council] WHOIS Area 3 terms of reference (accuracy)

["Bruce Tonkin" <Bruce.Tonkin@xxxxxxxxxxxxxxxxxx>]

Title: Improving Accuracy of collected data

Participants:
- 1 representative from each constituency
- ALAC liaison
- GAC liaison
- ccNSO liaison
- SECSAC liaison
- liaisons from other GNSO WHOIS task forces

Description of Task Force:
==========================

Data is collected from registrants at the time of registration to
facilitate future contact of the registrant for a range of reasons
including business issues (for example problems with payment), security
and stability issues (for example relating to fraudulent use of a domain
name, or failure of a nameserver associated with a domain name),
intellectual property infringement, and other legal issues (e.g use of a
domain name as part of a consumer fraud or a criminal activity).  Many
users of the data perceive that there is an unacceptable level of
inaccuracy in the data that compromises its ability to facilitate
identifying and contacting registrants.

Data quality has been recognised as important by several groups.  For
example one of the OECD Privacy Guidelines (from:
http://cs3-hq.oecd.org/scripts/pwv3/pwhome.htm) states that: "Personal
data should be relevant to the purposes for which they are to be used,
and, to the extent necessary for those purposes, should be accurate,
complete and kept up-to-date"."    The OECD Guidelines for Consumer
Protection in the Context of Electronic Commerce (from:
http://www.oecd.org/dataoecd/5/34/1824782.pdf ) states that: "Businesses
engaged in electronic commerce with consumers should provide accurate,
clear and easily accessible information about themselves" and
"Businesses should not exploit the special characteristics of electronic
commerce to hide their true identity or location, or to avoid compliance
with consumer protection standards and/or enforcement mechanisms".

The ICANN Security and Stability Committee (from:
http://www.icann.org/committees/security/whois-recommendation-01dec02.ht
m) stated that:
"It is essential that Whois data used to provide contact information for
the party responsible for an Internet resource is validated at the time
of a registrant's initial registration and on a regular basis
thereafter."

The GNSO constituencies rated the issue of data quality with respect to
procedures currently followed by registrars to promote accurate,
complete and up-to-date data as one of the top 5 priority issues (see:
http://www.gnso.icann.org/issues/whois-privacy/table-whois-privacy-issue
.shtml, and issue 6 in the WHOIS Privacy Issues Report at:
http://www.icann.org/gnso/issue-reports/whois-privacy-report-13may03.htm
).

The main issues associated with data quality include:
- verification of data at the time of registration
- ongoing maintenance of data during the period of registration
- protecting against deliberate submission of false information

The types of contact data that may be verified for correctness include
name (registrant, admin, technical and billing), domain name, postal
address, email address, fax number, phone number, and other domain name
related data.  Verification software can attempt to verify that a
particular data element is correctly formatted and exists.  Note however
it is often difficult to obtain such software that works on a global
basis.  Another issue is ensuring that the data is actually associated
with the registrant (for example there have been incidents of identity
fraud, where the data is completely verifiable but associated with
another person).  Domain names are provided purely electronically, and
rarely involve delivery of a service to a physical address, or delivery
to a physical person.  This makes automated verification more difficult.

The recent WHOIS policy development process created a new policy called
the WHOIS data reminder policy
(http://www.icann.org/registrars/wdrp.htm) that creates a process where
a registrant is reminded on an annual basis to update the WHOIS data.
There is also an established process whereby a user of the data may
lodge a complaint with a registrar to get the contact data corrected. If
the registrant does not correct the information, a registrar may cancel
the domain name licence.  (see clause 3.7.7.2 of the Registrar
Accreditation Agreement
http://www.icann.org/registrars/ra-agreement-17may01.htm).  The recent
WHOIS policy process also included a new policy to ensure that the
redemption grace period could not be used as a mechanism to avoid these
provisions (see Section 1B of
http://www.icann.org/registrars/ra-agreement-17may01.htm).

It is difficult to use verification or maintenance approaches for
registrants that deliberately provide false information.    The
high-cost mechanisms to verify contact information with a high degree of
uncertainty can be easily evaded by low-cost mechanisms at the disposal
of some registrants.  In such cases it may be necessary to collect
additional information associated with an online registration to aid in
contacting the registrant including credit card information, source IP
addresses, website traffic logs, or use other approaches to identify
registrations with suspected false information.  It also may be
necessary to create expedited procedures for responding to misuse of a
domain name associated with deliberately false information.

The purpose of this task force is to develop mechanisms to improve the
quality of contact data collected at the time of registration.


Out-of-scope
============
To ensure that the task force remains narrowly focussed to ensure that
its goal is reasonably achievable and within a reasonable time frame, it
is necessary to be clear on what is not in scope for the task force.

Given that previous ICANN policy changes
(http://www.icann.org/minutes/minutes-27mar03.htm) have addressed issues
associated with maintaining accurate information (WHOIS data reminder
policy, and mechanisms for handling complaints about inaccurate data),
this will not be studied in this task force.  The effectiveness of these
mechanisms will need to be evaluated by the ICANN staff and reported to
the GNSO (for example 12 months after implementation of the policies).
Note not all the policy changes agreed by the ICANN Board in March 2003
are implemented as of October 2003.

The task force should not consider issues associated with changing the
data elements that are collected.  This is the subject of a separate
task force.

The task force should not consider mechanisms for restricting the public
display for some data elements, which may lead to a reduction in the
provision of false information by those registrants seeking to protect
their privacy.  This is the subject of a separate task force.



Tasks/Milestones
================

- collect information on the current techniques that registrars use to
verify that the data collected is correct.  For example techniques to
detect typing errors by registrants intending to provide correct
information.  Survey approaches used by cctlds to verify that the
contact data collected is correct.

- collect information on techniques used by other online service
providers (where there is no physical contact with the registrant and no
physical delivery of goods or services) to verify that data collected is
correct.

- create a best practices document for improving data verification based
on the information collected that can be applied on a global basis

- determine whether any changes are required in the contracts to specify
what data verification is necessary at time of collection to improve
accuracy

- determine what verification mechanisms can be used cost effectively to
combat the deliberate provision of false information, and determine
whether additional mechanisms are necessary to provide traceability of
registrants, or provide for more timely responses for misuse of domain
names associated with deliberately false information.