RE: [council] Review of Registrar disclosure of WHOIS data policies
Dear all, Attached is a spreadsheet presenting privacy notification information on the top 10 registrars (the top 10 list was compiled by comparing the late 2003 top 10 by Benjamin Edelman and today's top 10 at registrarstats.com). I have archived the relevant sections and all urls of the privacy and registration documents for each registrar at; http://www.furl.net/members/mfarrell10 Regarding the spreadsheet, the column entitled 'Whether the registrar appears to be compliant with clause 3.7.7 during the registration process' has been left empty as I do not feel in a position to make this judgement about registrars. I am still researching (5) Identify any other method used to inform the registrant of the WHOIS requirements E.g whether the registrar offers some form of service to protect the disclosure of personal contact data (e.g "private registration" services etc). On the whole, registrars don't appear to use alternative services as a means to inform registrants of Whois, although several do indeed provide these services. However, I will provide this information later on. Column (2) Document for each registrar:"The purposes for which any Personal Data collected from the applicant are intended" shows that only one registrar, Melbourne IT, seems to provide an explicit purpose or purposes of data collection. The rest mostly detail data uses without specifically stating a purpose for its collection. I am sending you the top 10 registrars ahead of the 10 randomly chosen ones. This assignment has proved rather time consuming (about 2 full days, not including other ongoing tasks) and I am aware that Council and task force members wish to see progress in the other areas I am tasked with also. I propose to return to and complete this assignment after I have made progress on the Council's other request to compile information on the uses of Whois data. Please let me know if this prioritisation should be changed. I hope this information is of use to the Council. Please do send me any input or corrections you may have on the spreadsheet. Best regards, Maria -----Original Message----- From: owner-council@xxxxxxxxxxxxxx [mailto:owner-council@xxxxxxxxxxxxxx] On Behalf Of Bruce Tonkin Sent: Monday, June 06, 2005 12:59 PM To: Maria Farrell Cc: council@xxxxxxxxxxxxxx Subject: [council] Review of Registrar disclosure of WHOIS data policies Hello Maria, As discussed on the Council call last week, all registrars are required to: BEGIN CLAUSE 3.7.7 3.7.7 Registrar shall require all Registered Name Holders to enter into an electronic or paper registration agreement with Registrar including at least the following provisions: 3.7.7.1 The Registered Name Holder shall provide to Registrar accurate and reliable contact details and promptly correct and update them during the term of the Registered Name registration, including: the full name, postal address, e-mail address, voice telephone number, and fax number if available of the Registered Name Holder; name of authorized person for contact purposes in the case of an Registered Name Holder that is an organization, association, or corporation; and the data elements listed in Subsections 3.3.1.2, 3.3.1.7 and 3.3.1.8. 3.7.7.2 A Registered Name Holder's willful provision of inaccurate or unreliable information, its willful failure promptly to update information provided to Registrar, or its failure to respond for over fifteen calendar days to inquiries by Registrar concerning the accuracy of contact details associated with the Registered Name Holder's registration shall constitute a material breach of the Registered Name Holder-registrar contract and be a basis for cancellation of the Registered Name registration. 3.7.7.3 Any Registered Name Holder that intends to license use of a domain name to a third party is nonetheless the Registered Name Holder of record and is responsible for providing its own full contact information and for providing and updating accurate technical and administrative contact information adequate to facilitate timely resolution of any problems that arise in connection with the Registered Name. A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it promptly discloses the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm. 3.7.7.4 Registrar shall provide notice to each new or renewed Registered Name Holder stating: 3.7.7.4.1 The purposes for which any Personal Data collected from the applicant are intended; 3.7.7.4.2 The intended recipients or categories of recipients of the data (including the Registry Operator and others who will receive the data from Registry Operator); 3.7.7.4.3 Which data are obligatory and which data, if any, are voluntary; and 3.7.7.4.4 How the Registered Name Holder or data subject can access and, if necessary, rectify the data held about them. 3.7.7.5 The Registered Name Holder shall consent to the data processing referred to in Subsection 3.7.7.4. 3.7.7.6 The Registered Name Holder shall represent that notice has been provided equivalent to that described in Subsection 3.7.7.4 to any third-party individuals whose Personal Data are supplied to Registrar by the Registered Name Holder, and that the Registered Name Holder has obtained consent equivalent to that referred to in Subsection 3.7.7.5 of any such third-party individuals. 3.7.7.7 Registrar shall agree that it will not process the Personal Data collected from the Registered Name Holder in a way incompatible with the purposes and other limitations about which it has provided notice to the Registered Name Holder in accordance with Subsection 3.7.7.4 above. 3.7.7.8 Registrar shall agree that it will take reasonable precautions to protect Personal Data from loss, misuse, unauthorized access or disclosure, alteration, or destruction. 3.7.7.9 The Registered Name Holder shall represent that, to the best of the Registered Name Holder's knowledge and belief, neither the registration of the Registered Name nor the manner in which it is directly or indirectly used infringes the legal rights of any third party. 3.7.7.10 For the adjudication of disputes concerning or arising from use of the Registered Name, the Registered Name Holder shall submit, without prejudice to other potentially applicable jurisdictions, to the jurisdiction of the courts (1) of the Registered Name Holder's domicile and (2) where Registrar is located. 3.7.7.11 The Registered Name Holder shall agree that its registration of the Registered Name shall be subject to suspension, cancellation, or transfer pursuant to any ICANN adopted specification or policy, or pursuant to any registrar or registry procedure not inconsistent with an ICANN adopted specification or policy, (1) to correct mistakes by Registrar or the Registry Operator in registering the name or (2) for the resolution of disputes concerning the Registered Name. 3.7.7.12 The Registered Name Holder shall indemnify and hold harmless the Registry Operator and its directors, officers, employees, and agents from and against any and all claims, damages, liabilities, costs, and expenses (including reasonable legal fees and expenses) arising out of or related to the Registered Name Holder's domain name registration. END CLAUSE 3.7.7 Please audit the web-based registration process of the top 10 registrars, as well as another 10 registrars that use web based registration for the following: (1) Whether the registrar appears to be compliant with clause 3.7.7 during the registration process. (2) Document for each registrar: "The purposes for which any Personal Data collected from the applicant are intended" (3) How each registrar obtains consent to the terms and conditions, options include: Full text of the terms and conditions on a registration page, versus terms and conditions available via a link to a separate webpage. (4) Whether each registrar also provides information about data usage through a privacy page (5) Identify any other method used to inform the registrant of the WHOIS requirements E.g whether the registrar offers some form of service to protect the disclosure of personal contact data (e.g "private registration" services etc) A spreadsheet with the five categories above would probably be the easiest way of collecting the information. Regards, Bruce Tonkin Attachment:
Top 10 Registrar whois disclosure review.xls
|