[dow1tf] NCUC Constituency Statement on TF 1

["Milton Mueller" <mueller@xxxxxxx>]

NCUC statement on Whois Task force 1 (v3)

Whois Task Force 1 (TF1) deals with the relatively narrow issue of 
restricting marketing users' access to Whois data through means other 
than bulk access under license. 

NCUC notes, however, that the results of Whois TF1 may have 
implications for the other task forces, and vice versa. Our approach 
to TF1 takes this into account and will be guided by the following 
principles:

1. First and foremost, NCUC thinks it imperative that ICANN recognize 
the well-established data protection principle that the purpose of data 
and data collection processes must be well-defined before policies 
regarding its use and access can be established. The purpose of Whois 
originally was identification of domain owners for purposes of solving 
technical problems. The purpose was _not_ to provide law enforcement 
or other self-policing interests with a means of circumventing normal due 
process requirements for access to contact information. None of the 
current Whois Task Forces are mandated to revise the purpose of the 
Whois directory. Therefore, the original, technical purpose 
must be assumed until and unless ICANN initiates a new policy 
development process to change it.

2. Second, based on input from the community NCUC does not believe it is 
possible to develop technical mechanisms that can restrict port 43 or 
port 80 access only to a specific type of purpose; e.g., "nonmarketing uses." 
Access restrictions imposed by TF1 will inevitably apply to any whois user
regardless of purpose. Moreover, restricting Port 43 access while leaving 
Port 80 open will only drive the automated processes to Port 80. Therefore
we question whether TF1 can achieve anything of value.

3. Third, given the limited scope of TF1, we think it important for the 
task force to refrain from making judgments about the legitimacy of, 
justifications for, or "need" for any non-marketing uses. It is outside the 
scope of TF1 to make any such determinations. Accordingly, we will 
oppose any access restriction policy based on classification of users. 

4. Fourth, we note that automated scripts or programs using port 43 are
effectively a substitute for bulk access. According to George Papapavlou 
of the European Union, under data protection law bulk access is a 
"disproportionate, privacy infringing step, unless a very convincing, 
specific case can be made which has to be followed by due process. 
This applies not only to marketing but to any purpose." Therefore,
a policy determination on port 43 access is best made in conjunction
with a determination on bulk access, even though this is ruled out of
scope by the task force's description of work.

5. Fifth, the best way to stop abuse of ports 43 or 80 is to get data that is 
valuable to spammers out of the public Whois database. Data that is in 
Whois will be accessible to lots of people; therefore, privacy concerns 
require getting data out of Whois or reducing access to it for all. This is, 
of course, a matter for Whois Task force 2, dealing with data elements. 

6. Our participation in the entire Whois process will try to make sure that 
minor modifications in port 43 (or 80) access do not become an excuse 
for doing nothing else to protect Internet users' privacy.