ICANN/GNSO GNSO Email List Archives

[council]



[council] RE: [gnso-dow123] Proposed consensus recommendation on improving notification to Registered Name Holders of the public access to contact data via the WHOIS service

  • To: tim@xxxxxxxxxxx, Bruce.Tonkin@xxxxxxxxxxxxxxxxxx
  • Subject: [council] RE: [gnso-dow123] Proposed consensus recommendation on improving notification to Registered Name Holders of the public access to contact data via the WHOIS service
  • From: "Marilyn Cade" <marilynscade@xxxxxxxxxxx>
  • Date: Sun, 26 Jun 2005 13:33:19 -0400
  • Cc: gnso-dow123@xxxxxxxxxxxxxx, council@xxxxxxxxxxxxxx
  • In-reply-to: <20050626145243.26767.qmail@webmail02.mesa1.secureserver.net>
  • Sender: owner-council@xxxxxxxxxxxxxx

I will look at this.

But, as Tim says, this discussion isn't about privacy policies per se.

It is about where the notice and consent statements are provided.

Tim, as to what lawyers think about "clear and conspicuous" -- as someone who did
a lot of work on the online privacy policy initiative in the US and in the negotiations with the
Euros on safe harbor, BUT is not a lawyer, only a pragmatic business/policy type, you are right to
note that you can get a range of views on interpretations of words.

The offer I made of the language was to achieve an outcome. I'm not wedded to that
phrase, only to the concept of having the registrant informed.

How about we all think of a pragmatic approach, and then we instruct the lawyers to
help us? Isn't that the right approach, after all, for legal guidance?

I recall that we were often able to turn to the legal counsel, Louie Touton, for
such advice. Perhaps we should be asking for consultation -- not advice, at this stage --
with the ICANN legal team on this interpretation.


>From: Tim Ruiz <tim@xxxxxxxxxxx>
>Reply-To: Tim Ruiz <tim@xxxxxxxxxxx>
>To: Bruce Tonkin <Bruce.Tonkin@xxxxxxxxxxxxxxxxxx>
>CC: gnso-dow123@xxxxxxxxxxxxxx, council@xxxxxxxxxxxxxx
>Subject: RE: [gnso-dow123] Proposed consensus recommendation on improving notification to Registered Name Holders of the public access to contact data via the WHOIS service
>Date: Sun, 26 Jun 2005 07:52:43 -0700
>
>Bruce,
>
>This is only a slight improvement. I say that because of this part of
>your draft:
>
>"...(1) above, and how to make the information available to the
>Registered Name Holder through means in
>addition to the registration agreement (e.g. as part of the registration
>process, or via a privacy policy)."
>
>That seems to put it right back to having many of the same problems as
>before. If the notice is "clear and conspicuous" in the registration
>agreement, and the registration agreement has to always be accessible
>by the registrant, then why does it need to be available somehow in
>addition to that?
>
>If we want to put a requirement on Registrars to have a privacy
>statement, I have no problem with that. And if we want to require that
>this notice be a part of that privacy statement, that is also
>reasonable. But I would prefer that the recommendation be specific, and
>not so open ended that we have no idea of what will come out of the
>other end when actually implemented by ICANN. I would suggest that
>section quoted above be removed.
>
>Also, I will be interested in what the lawyers among us think about the
>"clear and conspicuous" verbiage.
>
>Tim
>
>-------- Original Message --------
>Subject: [gnso-dow123] Proposed consensus recommendation on improving
>notification to Registered Name Holders of the public access to contact
>data via the WHOIS service
>From: "Bruce Tonkin" <Bruce.Tonkin@xxxxxxxxxxxxxxxxxx>
>Date: Sat, June 25, 2005 4:25 am
>To: council@xxxxxxxxxxxxxx
>Cc: gnso-dow123@xxxxxxxxxxxxxx
>
>Hello All,
>
>Building on the work of the WHOIS task force, and the discussion on the
>GNSO Council to reach consensus, the following is a proposed consensus
>recommendation.
>
>I have put the recommendation in the context of solving a problem within
>ICANN's mission - i.e. that of security. I expect that there will also
>be benefits outside of ICANN's mission - including consumer protection
>(which includes privacy protection), but these are not addressed
>directly.
>
>I welcome feedback and suggestions for improvement.
>
>The recommendation (or as it is refined on the Council mailing list)
>will be on the agenda for the GNSO Council meeting in Luxembourg, and I
>encourage Council members to discuss it with their constituencies in
>Luxembourg.
>
>Finally I would like to thank the members of the WHOIS task force for
>their work in this area.
>
>Regards,
>Bruce Tonkin
>
>
>(I) Background
>===============
>
>The obligations of a registrar are governed by the Registrar
>Accreditation Agreement (RAA)
>(http://www.icann.org/registrars/ra-agreement-17may01.htm) and
>ICANN consensus policies
>(http://www.icann.org/general/consensus-policies.htm).
>
>The obligations of a Registered Name Holder (Registrant) are governed by
>an electronic or paper registration agreement with the Registrar. Each
>Registrar's agreement is different, and Registered Name Holders (or
>their agents) should review each agreement when making their choice of
>Registrar.
>
>A registrar is obligated by the RAA to require a Registered Name Holder
>to agree to provide to the registrar accurate and reliable contact
>details and promptly correct and update them during the term of the
>Registered Name registration (clause 3.7.7.1 of the RAA).
>
>A registrar is obligated by the RAA to, at its expense, provide an
>interactive web page and a port 43 Whois service providing free public
>query-based access to up-to-date (i.e., updated at least daily) data
>concerning all active Registered Names sponsored by the Registrar
>(clause 3.3.1 of the RAA). In addition a Registrar must provide
>third-party bulk access to the data (clause 3.3.6 of the RAA).
>
>A registrar is obligated by the RAA to provide notice in the
>registration agreement with the Registered Name Holder stating:
>
>(a) The purposes for which any Personal Data collected from the
>applicant are intended;
>
>(b) The intended recipients or categories of recipients of the data
>(including the Registry Operator and others who will receive the data
>from Registry Operator);
>
>(c) Which data are obligatory and which data, if any, are voluntary; and
>
>(d) How the Registered Name Holder or data subject can access and, if
>necessary, rectify the data held about them.
>
>
>
>(II) Problem statement with respect to ICANN's mission and Core Values
>=====================================================================
>
>From Article 1, Section 1 of the ICANN Bylaws
>(http://www.icann.org/general/bylaws.htm#I ):
>
>"The mission of The Internet Corporation for Assigned Names and Numbers
>("ICANN") is to coordinate, at the overall level, the global Internet's
>systems of unique identifiers, and in particular to ensure the stable
>and secure operation of the Internet's unique identifier systems. In
>particular, ICANN:
>
>1. Coordinates the allocation and assignment of the three sets
>of unique identifiers for the Internet, which are
>
>a. Domain names (forming a system referred to as "DNS");
>
>b. Internet protocol ("IP") addresses and autonomous system
>("AS") numbers; and
>
>c. Protocol port and parameter numbers.
>
>2. Coordinates the operation and evolution of the DNS root name
>server system.
>
>3. Coordinates policy development reasonably and appropriately
>related to these technical functions."
>
>
>In addition one of ICANN's core values is:
>"Preserving and enhancing the operational stability, reliability,
>security, and global interoperability of the Internet." (Core value 1,
>from Article 1, section 2)
>
>
>The problem with the current system is that although registrars are
>required to include information in the registration agreement on the
>purposes for which data is collected and the intended recipients of the
>data, the information is often hard to find in long agreements, and
>often the information does not explicitly explain that personal data is
>freely available to third parties via the WHOIS service (for example
>sometimes a registrar makes a general statement such as that the
>information is provided to third parties in accordance with ICANN
>policies).
>
>Many registrants that reside in locations where strong privacy laws
>exist, would not expect their personal data to be used for anything
>other than the registration and renewal of a domain name, and the
>authentication of an entity claiming to be the registrant. In some
>locations a registrant must have the option to opt-in or opt-out of
>making the data provided for a registration available for any other
>purpose.
>
>The lack of knowledge amongst Registered Name Holders can lead to
>security problems for domain names. Many Registered Name Holders
>provide Personal information to companies that can be used by those
>companies for authentication (for example home billing address), and
>provide public information (such as post office box and business
>telephone number, typically via websites, whitepages and yellow pages
>services) suitable for third parties to contact the Registered Name
>Holders. Without an understanding of the obligation of a registrar to
>publish information to the public via a WHOIS service, Registered Name
>Holders may be inadvertently releasing information to the public
>normally used for authentication. This assists domain name hijackers
>(and those using stolen credit cards) to pretend to be the Registered
>Name Holder.
>
>Thus the problem falls under the ICANN mission, and in particular the
>first core value.
>
>
>(III) Proposed Consensus Recommendation
>=======================================
>
>(1) Registrars must provide notice in the registration agreement with
>the Registered Name Holder that is easy to find, clear, and conspicuous
>within the registration agreement stating:
>
>(a) The purposes of the WHOIS service, which consists of the provision
>of an interactive web page and a port 43 Whois service providing free
>public query-based access to up-to-date (i.e., updated at least daily)
>data concerning all active Registered Names sponsored by the Registrar.
>In addition the WHOIS service includes the provision of third-party bulk
>access to the data.
>
>(b) The purposes of the Registered Name Holder, technical, and
>administrative contacts
>
>(c) Which of the contact data in (b) will be made public via the WHOIS
>service in (a).
>
>
>(2) ICANN must provide on its website information on industry best
>practice to meet the obligation in (1) above, and how to make the
>information available to the Registered Name Holder through means in
>addition to the registration agreement (e.g. as part of the registration
>process, or via a privacy policy).
>
>The proposed recommendation will ensure that Registered Name Holders
>provide contact information that is appropriate for public access and
>sufficient for third parties to contact them in accordance with the
>purposes of the WHOIS service. The purposes will be refined as part of
>the current WHOIS task force work. Information (which may include
>Personal Data) that can be used for authentication and billing purposes
>will be separately provided to registrars.
>



