ICANN/GNSO GNSO Email List Archives


[dow1tf] Whois task force 1 Constituency position statements

  • To: "1DOW1tf" <dow1tf@xxxxxxxxxxxxxx>
  • Subject: [dow1tf] Whois task force 1 Constituency position statements
  • From: "GNSO SECRETARIAT" <gnso.secretariat@xxxxxxxxxxxxxx>
  • Date: Mon, 19 Apr 2004 22:48:54 +0200
  • Importance: Normal
  • In-reply-to: <NNEDIOPEMBHEFLDDKOMJCEAEDFAA.gnso.secretariat@gnso.icann.org>
  • Reply-to: <gnso.secretariat@xxxxxxxxxxxxxx>
  • Sender: owner-dow1tf@xxxxxxxxxxxxxx

WHOIS TASK FORCE 1
Constituency Position Statements:

1. Non Commercial Users Constituency (NCUC)
2. At Large Advisory Committee (ALAC)
3. Intellectual Property Interests Constituency (IPC)
4. Commercial and Business Users Constituency (BC)
5. Internet Service Providers and Connectivity Providers Constituency (ISPCP)
6. gTLD Registries Constituency

NCUC statement on Whois Task force 1 (v3)

Whois Task Force 1 (TF1) deals with the relatively narrow issue of
restricting marketing users' access to Whois data through means other
than bulk access under license.

NCUC notes, however, that the results of Whois TF1 may have
implications for the other task forces, and vice versa. Our approach
to TF1 takes this into account and will be guided by the following
principles:

1. First and foremost, NCUC thinks it imperative that ICANN recognize
the well-established data protection principle that the purpose of data
and data collection processes must be well-defined before policies
regarding its use and access can be established. The purpose of Whois
originally was identification of domain owners for purposes of solving
technical problems. The purpose was _not_ to provide law enforcement
or other self-policing interests with a means of circumventing normal due
process requirements for access to contact information. None of the
current Whois Task Forces are mandated to revise the purpose of the
Whois directory. Therefore, the original, technical purpose
must be assumed until and unless ICANN initiates a new policy
development process to change it.

2. Second, based on input from the community, NCUC does not believe it is
possible to develop technical mechanisms that can restrict port 43 or
port 80 access only to a specific type of purpose; e.g., "nonmarketing
uses." Access restrictions imposed by TF1 will inevitably apply to any
whois user regardless of purpose. Moreover, restricting Port 43 access
while leaving Port 80 open will only drive the automated processes to
Port 80. Therefore we question whether TF1 can achieve anything of value.

3. Third, given the limited scope of TF1, we think it important for the
task force to refrain from making judgments about the legitimacy of,
justifications for, or "need" for any non-marketing uses. It is outside the
scope of TF1 to make any such determinations. Accordingly, we will
oppose any access restriction policy based on classification of users.

4. Fourth, we note that automated scripts or programs using port 43 are
effectively a substitute for bulk access. According to George Papapavlou
of the European Union, under data protection law bulk access is a
"disproportionate, privacy infringing step, unless a very convincing,
specific case can be made which has to be followed by due process.
This applies not only to marketing but to any purpose." Therefore,
a policy determination on port 43 access is best made in conjunction
with a determination on bulk access, even though this is ruled out of
scope by the task force's description of work.

5. Fifth, the best way to stop abuse of ports 43 or 80 is to get data that
is valuable to spammers out of the public Whois database. Data that is in
Whois will be accessible to lots of people; therefore, privacy concerns
require getting data out of Whois or reducing access to it for all. This is,
of course, a matter for Whois Task force 2, dealing with data elements.

6. Our participation in the entire Whois process will try to make sure that
minor modifications in port 43 (or 80) access do not become an excuse
for doing nothing else to protect Internet users' privacy.
****************************************************************************
At Large Advisory Committee Policy proposal from ALAC on how to change
access to WHOIS data.

For your information, our input for Task Force 2 is also included.

Unless we specifically speak about registrars, our remarks apply to
registrar and to thick registry WHOIS systems alike.

Thomas Roessler

Task Force 1: Access to data

   Policy proposal

	We recommend a simple two-tiered system.

	Tier 1 -- public access.  Users who access a future
	WHOIS-like system anonymously get access to non-sensitive
	information concerning a domain name registration, to be
	defined in detail by task force 2.

	Tier 2 -- authenticated access.  Users who want to access a
	more complete data set (to be defined in detail by task
	force 2) need to reliably identify themselves, and indicate
	the purpose for which they want to access the data.

	The identity of the data user and their purpose is recorded
	by registrars and registries, and made available to
	registrants when requested.  This information could be
	withheld for a certain amount of time if the data user is
	(1) a law enforcement authority that is (2) accessing the
	data for law enforcement purposes.

   Implementation remarks

	We do not recommend any particular implementation of this
	proposal, but note that "reliable identification" could be
	provided by commercially available SSL certificates.  In
	general, we would favor implementation of our proposal in a
	dedicated protocol (such as IRIS) over implementation
	through Web forms.

   Rationale

	The key aspect for deciding whether access to data gathered
	by registrars can be given to a third party is the purpose
	for which this data is going to be used.  Obviously,
	registrars have no way to verify the purpose for which WHOIS
	data is being accessed.

	The best heuristic we know of is to hold data users
	accountable for their activities, and to put enforcement of
	purpose limitations into the hands of registrants.  This can
	be achieved by reliably identifying data users and putting
	their identity, contact information, and purpose indication
	in the hands of registrants.

	At the same time, a tiered system -- if implemented
	reasonably -- could preserve the ability of data users to
	automatically access WHOIS data in reasonable quantities.
	Registrars, on the other hand, would be enabled to limit the
	amount of data any particular party can access in a given
	interval of time.

	Identifying data users and their purposes would also enable
	registrars to comply with legal obligations to make this
	kind of information available to data subjects.

   Discussion of other proposals

	There have been suggestions that "automated access" could be
	used as a heuristic to determine illegitimate access.  In
	this scheme, automated access is blocked by attempting to
	require human attention with all queries.  One set of
	implementations of these kinds of tests is known as CAPTCHA.

	There is evidence that automated access is also being used
	for legitimate purposes; on the other hand, there is
	publicly available information on how CAPTCHA-like tests are
	being circumvented in other contexts.  The circumvention
	here is based on a fundamental design problem of CAPTCHAs.
	<http://boingboing.net/2004_01_01_archive.html#107525288693964966>

	One particularly popular CAPTCHA was broken in academia
	more than a year ago, but is still being used by registrars.
	<http://www.cs.berkeley.edu/~mori/gimpy/gimpy.html>

	Accessibility problems posed by CAPTCHA-like tests are not
	fully understood by now; we note, though, that purely visual
	tests are insufficient from an accessibility point of view.
	<http://www.w3.org/TR/turingtest/>

	In conclusion, CAPTCHA tests address the wrong problem, and
	they address it badly.  We strongly recommend against going
	down this path.



Task Force 2: Data elements displayed and collected

   Policy proposal

	We recommend that the mandatory collection and display of
	personal information about registrants be reduced as far as
	possible.  What information is actually required for placing
	a domain name registration should be a matter of registrars'
	business models, and of applicable law, not of ICANN policy.


	We consider the removal of the following data elements from
	registrars' and registries WHOIS services (in a tiered
	model, from *all* tiers) a priority:

	- registrant name, address, e-mail address, and phone
	  number, unless registrant has requested that this
	  information be made available.

	- administrative contact name, address, e-mail address, and
	  phone number, unless registrant (or admin-c) has requested
	  that this information be made available.

	- Billing contact.  These data are traditionally not
	  published by registrars, but are included in many thick
	  registries' public WHOIS services.


	For the purposes of a tiered access system (see
	recommendations for task force 1), we would recommend that
	the following information be included in a public tier:

	- Registrar of record.
	- Name servers.
	- Status of domain name.

	- Contact data, if the data subject specifically requests
	  that these data be included in the public tier.

   Implementation remarks

	None.

   Rationale

	For personal registrations, the registrant, administrative
	contact, and billing contact data sets are most likely to
	concern sensitive information, such as the registrant's home
	address and phone number.

	We recognize that domain name registrations by online
	merchants often imply less privacy concerns; it has been
	argued that online merchants must make privacy information
	public in many jurisdictions.  We are confident that
	businesses will also follow these duties by requesting
	registrars to make contact information about them available
	publicly.  Conversely, if bad actors decide not to make
	contact information publicly available, that could actually
	make bad actors more easily recognizable, and provide
	consumers with a "red flag."

   Discussion of other proposals

	At the WHOIS workshop in Rome, we heard several
	lawyers praise the usefulness of registrant and other
	telephone numbers in WHOIS services.  That way, we were
	told, many cases could be settled by a single phone call.
	The easier the contact, we were told, the merrier.

	This argument is troubling: What we were hearing there is a
	request to ICANN to enable lawyers to make off the record
	contact with other parties to a dispute that may not have a
	lawyer readily available, and to make this contact in a way
	which makes it hard for the registrant to get legal counsel
	involved in early negotiations arising out of the dispute.

	Telephone numbers of registrant and administrative contacts
	should be *removed* from WHOIS services for precisely this
	reason: Forcing the non-registrant party to a dispute to
	open up that dispute by on-the-record means (e-mail, fax
	[not universally available], postal mail) ensures that
	registrants have an opportunity to retain legal counsel in
	these disputes, and to fully understand any claims made by
	the non-registrant party.  It also helps to avoid legal
	bluff and plain bullying.

	To summarize, it may be true that availability of phone
	numbers enables quick settlement.  But availability of phone
	numbers also favors situations in which these settlements
	are achieved by dubious means, to the detriment of the
	registrant.
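To make the two-tier scheme concrete, here is an added Python model (not ALAC's, any registrar's or ICANN's code) of the Task Force 1 proposal above together with the public-tier field list from the Task Force 2 section: an anonymous tier that returns only registrar, name servers and status (contacts only when the registrant has opted in), an authenticated tier that requires an already verified identity and a stated purpose, logs each access and caps each identity's queries per time interval, and a registrant-facing view of that log that withholds law-enforcement accesses for a hold period. The record fields, user identities, limits and hold time are constructed assumptions, and identity verification (for instance by certificate) is assumed to have happened before the lookup.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample registry data (not from the page); field names are assumptions.
RECORDS = {
    "example.test": {
        "registrar": "Example Registrar Inc.",
        "name_servers": ["ns1.example.test", "ns2.example.test"],
        "status": "active",
        "registrant": {"name": "J. Doe", "email": "jdoe@example.test",
                       "phone": "+1-555-0100"},
        "admin_c": {"name": "J. Doe", "email": "admin@example.test"},
        "billing_c": {"name": "Accounts", "email": "billing@example.test"},
        "contacts_public": False,  # registrant has not asked for publication
    },
}
PUBLIC_FIELDS = ("registrar", "name_servers", "status")   # tier 1 content
CONTACT_FIELDS = ("registrant", "admin_c", "billing_c")   # tier 2 only, unless opted in

# Tier-2 users whose identity was verified out of band (e.g. by a client
# certificate). Constructed for the example; a real deployment would hold
# contact details here too, since registrants are meant to receive them.
USERS = {
    "researcher-1": {"law_enforcement": False},
    "police-unit-7": {"law_enforcement": True},
}


@dataclass
class AccessEntry:
    domain: str
    user_id: str
    purpose: str
    time: int  # seconds; an integer clock keeps the example deterministic


@dataclass
class WhoisGateway:
    max_queries: int   # tier-2 queries allowed per identity per interval
    interval: int      # length of the sliding interval, in seconds
    le_hold: int       # seconds a law-enforcement access stays hidden from the registrant
    log: list = field(default_factory=list)
    recent: dict = field(default_factory=lambda: defaultdict(deque))

    def tier1_query(self, domain):
        """Anonymous access: non-sensitive fields only; contacts only on opt-in."""
        rec = RECORDS[domain]
        out = {"domain": domain, **{k: rec[k] for k in PUBLIC_FIELDS}}
        if rec["contacts_public"]:
            out.update({k: rec[k] for k in CONTACT_FIELDS})
        return out

    def tier2_query(self, domain, user_id, purpose, now):
        """Authenticated access: verified identity and purpose required, logged, volume-limited."""
        if user_id not in USERS or not purpose:
            raise PermissionError("tier 2 requires a verified identity and a stated purpose")
        window = self.recent[user_id]
        while window and now - window[0] >= self.interval:
            window.popleft()  # forget queries that fell out of the sliding interval
        if len(window) >= self.max_queries:
            raise PermissionError("per-identity query volume limit reached")
        window.append(now)
        self.log.append(AccessEntry(domain, user_id, purpose, now))
        rec = RECORDS[domain]
        return {"domain": domain, **{k: rec[k] for k in PUBLIC_FIELDS + CONTACT_FIELDS}}

    def accesses_visible_to_registrant(self, domain, now):
        """Who accessed this domain's data and why; LE accesses withheld during the hold."""
        visible = []
        for e in self.log:
            if e.domain != domain:
                continue
            is_le = USERS[e.user_id]["law_enforcement"] and e.purpose == "law enforcement"
            if is_le and now - e.time < self.le_hold:
                continue
            visible.append((e.user_id, e.purpose, e.time))
        return visible
```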

****************************************************************************
IPC Constituency Statement

Whois Task Force 1

March 26, 2004

This statement responds to the issue identified in the purpose statement of
the terms of reference for Task Force 1, see
http://gnso.icann.org/issues/whois-privacy/tor.shtml

The purpose of this task force is to determine what contractual changes (if
any) are required to allow registrars and registries to protect domain name
holder data from data mining for the purposes of marketing. The focus is on
the technological means that may be applied to achieve these objectives and
whether any contractual changes are needed to accommodate them.

IPC opposes data mining of Whois for the purpose of marketing, although we
believe there is strong evidence that Whois data is not a significant source
of addresses for spam.  Nevertheless, IPC supports, in principle, the use of
query volume limitations on Port 43 access in order to discourage such
practices.  The uses for which trademark and copyright owners need access to
domain name Whois do not ordinarily require the extremely high query volume
levels that generally would be needed to mine the database for marketing
purposes.  Being supportive of the debate, the IPC submits that any
changes in practice or regulation have to be designed in a manner that does
not inadvertently have detrimental effects on the legitimate use of Whois.
Based on the work of Task Force 1, we remain confident that this goal is
feasible and can be achieved.  To this effect, any effective
technical/policy solution in the area of discouraging data mining of the
domain name Whois database must take a number of points into account,
including the following:

·	Any provision should maintain and ensure availability of unhampered access
to Port 43 for legitimate applications (such as research services) that
require high volume access to domain name Whois for use in creating
value-added products and services that are of great value to the
intellectual property community and to the business community in general.
As long as enforcement of the RAA provisions regarding bulk access to Whois
remains almost non-existent, availability of port 43 access is essential in
assuring the viability of these services.

·	Adequate provision must be made for intermediaries which aggregate
low-volume requests from end-users into a relatively high volume of queries
through Port 43.

·	A solution must identify realistic volume break-points between low-volume
queries via Port 43 that should remain unrestricted, and a very high volume
of queries that could, in principle, require an efficient and workable form
of disclosure to registrars (or registries in the thick registry model) of
the uses to which query results would be put.

·	The solution should also preserve the unrestricted availability of Whois
queries through a web-based interface, and the status of Port 43 as a
service available free of charge.

·	The solution must be accompanied by proactive enforcement of the
obligation to make bulk access available.

·	Finally, the solution must also address questions of scalability,
particularly in the thin registry environment.

IPC does not currently take a position on whether or not the introduction of
a solution as described above would require contractual modifications.

IPC would be interested in participating in an ongoing effort to develop
such a solution.  We propose that this effort be conducted by a small group
representing all directly affected interests, on a realistic timeframe, and
in a manner that will encourage candid consideration of the technical issues
involved, all subject to final review by ICANN.
****************************************************************************
INTERIM Business Constituency Position
-	Input to the GNSO Council task forces on WHOIS
-	April 2004

In order to provide input to all three Task Forces (TF) and provide a
broader statement from the Commercial and Business User Constituency
(hereafter Business Constituency or BC), we have consolidated our input into
a single document.


Members of the Business Constituency use the Internet to conduct business.
The Business Constituency is a constituency representing customers of
providers of connectivity, domain names, IP addresses, protocols and other
services related to electronic commerce in its broad sense. The BC
membership includes corporations, entrepreneurs, and associations.

The BC recognizes that the Internet is changing and evolving into a more
commercial and widely used communication mechanism, and that the
characteristics of the Internet users are also changing, over time. It is
generally agreed that more and more users are registering domain names for a
wider and wider variety of purposes.  As the user characteristics are
changing and the Internet is growing, it is important to keep in mind the
key issues of Internet stability.  The BC believes that accurate WHOIS data
is an essential element to that core value. In examining the possibility of
changes in the WHOIS, the BC believes that better mechanisms are needed to
ensure accurate WHOIS data, while balancing the needs of the full set of
stakeholders and affected parties.


Principles for the use of WHOIS
Striking a balance among concerns and needs of the different stakeholders
related to accuracy, reliability, access and privacy issues is the goal.
This is consistent with the OECD Guidelines on the Protection of Privacy and
Trans-border Data Flows of Personal Data, the international consensus, that
works to strike a balance between effective privacy protection and the free
flow of information.

Purposes of Business User access to WHOIS:
Business users access the WHOIS database to obtain registrant contact
information for the following reasons:
1.	to verify the availability of a name they might wish to register
2.	to thwart security attacks of their networks and servers
3.	to validate the legitimacy of a website for transactions
4.	to identify consumer fraud and cyber-scam incidents
5.	to undertake routine reviews to protect their brands
6.	to support UDRP and other infringement proceedings
7.	to combat spam.

The BC's guiding principles related to WHOIS are:

1.	Accuracy and access. Accuracy and access to accurate data are the top
priorities. Enforcement of accuracy requirements is essential.

2.	Use of data. It is key to find a balance between data use for legitimate
purposes and avoiding unwelcome or illegal use.

3.	Balance of Stakeholder needs. Any changes in access to WHOIS must be
balanced across the needs of all stakeholders and take into account the
costs to the registries/registrars to maintain more complex systems, as
well as the burden on the legitimate users of WHOIS.

4.	Marketing. WHOIS data should never be used for marketing purposes. This
includes precluding the use of WHOIS data for marketing by the registry or
registrar other than for services that are directly applicable to
registration or other purposes that are not inconsistent with the original
purpose [see OECD Guidelines] or for which the registrant has explicitly
opted-in.

5.	Scope. The focus for now should be ensuring a consistent system of WHOIS
across generic top-level domain names. Any discussion of WHOIS policies that
might affect WHOIS within country-code domain names should be addressed
later and through the new Country Code Names Supporting Organisation.


Task Force One: What contractual changes, if any, are needed to protect
domain name holders from data mining for the purpose of marketing?

The BC notes:
Concerns arise from marketing use. The BC has previously stated that
marketing uses of WHOIS data should be prohibited.  The basis of much data
protection law is that data should only be used for the purpose directly
applicable to registration or other purposes that are not inconsistent with
the original purpose [see OECD Guidelines] or for which the registrant has
explicitly opted-in.

§	Spam.  Confusion exists today regarding whether and to what extent WHOIS
data is used for the development of Spam. Data indicates that the
involvement is small, but in any case, it is important to not allow
contamination of the issues relating to WHOIS by the issue of spam
prevention. Regardless of the limited degree of impact, mechanisms to limit
any use should be supported.

The BC therefore proposes:
§	Eliminate marketing. The BC believes that WHOIS data should never be used
for marketing purposes. This includes precluding the use of WHOIS data for
marketing by the registry or registrar, other than for services which are
directly applicable to registration or for which the registrant has
explicitly opted-in.

§	Limit Port 43 access. Although it does not appear that WHOIS is
a significant contributor to Spam, the BC supports the limitation on port 43
access (an Internet-based access used by registrars and others) to
discourage any use for that purpose.  Also, this will limit uses of port 43
for other marketing purposes.

§	Creation of a White list approach for "legitimate use". There are
legitimate uses of WHOIS, which should be supported, including uses
facilitated by bulk access. Such uses include research, creation of third
party value-added services, etc. The BC therefore supports the creation of a
list of legitimate uses, and recommends that such uses be limited via
registry/registrar/third party contract when bulk access is provided to
such third parties. Specific conditions as to use should be specified in the
contractual terms.

§	The BC therefore proposes that the examination of such a white list
process should be referred to Council for consideration as a policy
development process.


Task Force Two: data collection and display of data elements

The BC notes:
§	Privacy concerns: The question of whether and how WHOIS data should be
made public has been raised. It is unclear whether this question pertains to
a broadly held governmental concern with all WHOIS data or whether the
question relates to the narrow class of registrations by individuals with
privacy concerns.   In any case, the question of changing access to WHOIS
data is a current and important one.

§	Registrant Awareness of public access to WHOIS: The question has also been
raised about whether registrants are aware of what WHOIS data is and how it
is displayed and why  it is needed.

§	Segregation of registrants into categories presents problems of
definition. There have been discussions about the concept of segregating
registrants into different categories and having different requirements for
gathering and publishing WHOIS data, based on the user category.  The
determination of what category a registrant fits into is not a simple
determination, since, for example, individuals may register names for
speculation, business development, or for personal use. And the reality is
that the problems with consumer fraud, piracy, and trademark infringement
are typically perpetrated by individuals, who provide false registration
information, in order to avoid pursuit.

§	Differentiated or "tiered" Access by Authenticated Users: There has been
some limited discussion about creating a two tier approach to access and
requiring a WHOIS user to be approved or authenticated to have access to all
data.

§	Services which offer anonymity for registrants: Some have raised the issue
of providing a mechanism for individual anonymity for legitimate
individuals. Such mechanisms exist in telephony, where the telephony
provider receives accurate contact information and acts as the point of
contact for legitimate requests.  Alternatively, anonymous gTLD
registrations can be obtained by individuals through several mechanisms such
as registration through one's ISP.

§	Privacy and existing obligations: Although some entities have raised the
question of what privacy laws apply to WHOIS data, there is not a consistent
interpretation of law. A few countries have established that their privacy
laws apply to the display of country-code WHOIS data. Certain data privacy
entities have begun to ask what data privacy protections should apply.  Yet
many countries require businesses and NGOs to provide accurate information
when they apply for services such as a business license, tax exempt status,
inclusion in a directory, or trademarks.

§	All data elements are needed. BC members responding to the questionnaire
regarding data elements relied upon by business users indicated that all
data elements are used.  When some part of the elements are incomplete or
inaccurate it is even more important to have access to as many data elements
as possible.  This enables a thorough effort at contacting the registrant,
or in the case of consumer fraud, to support law enforcement.


§	Display of data elements: All data elements should be displayed, or at a
minimum accessible via an easy to use and validated process that would allow
access to an authenticated user.  However, this needs further and careful
examination. It is not acceptable to simply create broad categories of
"business" and "individual" without a recognition of the issues involving
the misuse of a special category.


The BC therefore proposes:
§	All existing data elements are needed. The BC recognises the continued
need for all the data elements that are available in WHOIS today.

§	Registrants should be informed: Fact based, neutral toned information
about WHOIS should be included in the registration process, and specific
acknowledgement/consent should be obtained at the time of registration.
Registrants should also be renotified when they renew their registration of
the importance of accurate and complete data.

§	Assessment of a differentiated access model should be undertaken:
Examination of the broad implications of establishing a differentiated
access model, including costs, broad impact on registrants and WHOIS users,
and taking into account CRISP and other emerging standards, should be a
community and Council priority. The development of such a change in WHOIS
will require a further PDP process.

§	Updated Information is needed to begin such a consideration: The Council
should be asked to support the briefing by all three TFs by IETF on the
status of CRISP and any other emerging and relevant standards.


Task Force 3: Mechanisms to improve quality of contact data

The BC notes:
§	Accuracy because WHOIS is public communication. A domain name registration
in a TLD is a public form of communication, and as such, requires accurate
data for the WHOIS registry.

§	Accuracy because users need accurate data. The average Internet user,
whether business, government, NGO or individual, has an expectation of
accurate WHOIS information, which they then use to address legitimate
issues:  verifying the legitimacy of a web site, pursuing a network problem,
addressing IP infringement concerns,  calling for assistance from law
enforcement, etc.

§	Accuracy is important for individuals and organisations. The same concerns
about the need for accurate data are independent of the nature of the
registrant.  A non-statistical survey of BC members regarding the situations
they have experienced with trademark infringements, consumer fraud, and
network issues indicates that there are problems with individuals and with
organisations. However, none of the consumer fraud incidents encountered by
the well-known brand holders involved organisations. The five situations
examined all involved individuals who provided false information.
Discussions with law enforcement have and continue to evidence similar
problems with individuals.

§	Some examples of data authentication exist in other industries, including
financial services and in some of the ccTLDs.


The BC therefore proposes:

§	Best Practices are available from other sources: The BC recommends further
examination of best practices in authentication in other industries and from
selected ccTLDs.

§	Changes to the contracts are needed to ensure there is enforcement. The
requirement to provide accurate data is a part of the Registrar contract,
yet it appears that few registrars fulfill this requirement. The BC believes
that this must be enforced by ICANN while allowing flexibility in the way
registrars carry out this obligation. The previous WHOIS TF discussed the
development of graduated sanctions.  They also heard from several ccTLDs
with successful data verification practices. The BC calls for the
development of policy to evaluate a system of graduated sanctions.


Recommendation: more research is needed, and standards may offer solutions
to development of modifications to WHOIS.  Discussion of WHOIS is limited by
a lack of research which would allow fact based policy.  The ccTLD
registries also have significant experiences which could be better
understood and provide useful "understanding" to guide gTLD policy
development. The BC encourages the GNSO Council to seek current information
on both the CRISP project (on WHOIS standards undertaken by the Internet
Engineering Task Force) and any other relevant standards process, to examine
the role of these potential standards in providing a solution. The BC
recognizes that the cost of implementing changes in WHOIS must be analyzed
and understood as changes are considered. Changes in WHOIS should not become
an "unfunded mandate" upon registrars.


Footnote: The BC continues to discuss the WHOIS issues and may provide
further comments or modifications to these positions after concluding an
ongoing internal process.
****************************************************************************
ISPCP CONSTITUENCY WHOIS STATEMENT
April 2004

Introduction
The ISPCP Constituency herein provides input to the three Whois Task Forces
as required by ICANN by-laws.  The ISPCP stresses the need for balanced
policy that takes into consideration the interests of all stakeholders, and
allows for the effective enforcement of civil and criminal laws while
protecting registrant information from marketing or other
illegitimate/illegal uses.  This goal is the underlying theme running
throughout the comments below.  It is also consistent with commonly accepted
tenets of privacy protections and laws throughout the world.

ISPCP Uses of Whois Data

1.	to research and verify domain registrants that could vicariously cause
liability for ISPs because of illegal, deceptive or infringing content.
2.	to prevent or detect sources of security attacks of their networks and
servers
3.	to identify sources of consumer fraud, spam and denial of service attacks
and incidents
4.	to effectuate UDRP proceedings
5.	to support technical operations of ISPs or network administrators

Terms of Reference for Whois Task Forces


WHOIS Task Force 1
--Focused on restricting access to WHOIS data for marketing purposes
--Seeks to determine what contractual changes (if any) are needed to protect
domain name holder data from data miners.
--What technological means are available to accommodate these possible
contractual changes while simultaneously ensuring law enforcement,
intellectual property, ISPs, and consumers continue to retrieve information
necessary to perform their respective tasks


WHOIS Task Force 2
--Focused on reviewing WHOIS data collected and displayed to ensure accurate
identification of registrants.
--Seeks to determine the best manner in which to inform registrants of what
information is made publicly available when domain names are registered and
options for restricting access
--Contemplates the ability of registrants to remove/shield certain parts of
required contact information from anonymous, public access
--Furthering this is the need to determine what information may be removed,
by whom, and what contractual changes are required to enable this.


WHOIS Task Force 3
--Focused on developing mechanisms to improve the quality of contact data
that must be collected at the time of registration in accordance with the
registrar accreditation agreement and the relevant registry agreement
--Related issues:
·	Verification of data at time of registration
·	Ongoing maintenance of data during registration period
·	Protecting against deliberate submission of false information

****************************************************************************

ISPCP Position

Task Force 1 - Restricting Access to Whois Data

The ISPCP Constituency is in strong favor of limiting access to Whois data
in respect of privacy concerns and does not see any legitimate purpose for
access to bulk data for marketing purposes.  ISPCP members spend tremendous
resources to combat spam delivered through their networks and to their
subscribers.  Even minimal use of Whois data for marketing should be
prohibited and further steps should be taken to enforce current policy
limiting such use.  However, the ISPCP opposes the notion that Whois data is
not intended for enforcement purposes and that private parties do not have
legitimate need for ready and efficient access to the data.

The ISPCP Constituency proposes that in light of forgoing interests:

·	In light of small and regional ISPs' reliance on Port 43 access, the ISPCP
Constituency believes its use ought to be preserved at this time. However,
its use should be strictly limited by non-technical means such as rate
limiting.  In the long term, we strongly discourage its continued use.
·	A general agreement would be useful on the types of uses that are
legitimate and should be continued.
·	Any proposed solution should include such legitimate access, including Web
based queries and be scalable.
·	ICANN staff should undertake development of a uniform access policy that
is enforced; in addition, compliance procedures for such a policy should be
implemented.
·	The ISPCP rejects the notion that the purpose of Whois data is not
intended for tracking registrants that are in the business of violating
laws or deceiving end users and thus, should not be used for any purpose
beyond technical reasons.

Task Force 2- Review of Data Collected and Displayed

The ISPCP Constituency is aware of the real and legitimate privacy concerns
over the amount and type of data collected and displayed in Whois data.
Registrants should be provided with a limited list of needs for which their
data may be used, so as to help prevent the possibility of inadequate
notice. The ISPCP further notes that for a very small fraction of
registrants with legitimate political and free speech concerns, there should
continue to be processes in place for proxy registrations where their data
will be kept private and provided only upon a limited set of circumstances.

There have been many assertions that the current display of Whois data is
not legal or proper under the laws of some regions, namely the EU.  However,
of the EU member states' ccTLD operators who submitted Task Force 2
responses, all have indicated that they work closely with their respective
country's data protection authorities and are in full compliance with their
respective privacy laws.

Privacy concerns can further be alleviated by providing proper and adequate
notice to all registrants, in a format that is conspicuous and highlights
the disclosures within the registrant contract.  In many regions it is a
common legal requirement that data only be used for the purpose it was
originally collected.  By itemizing the legitimate needs for which one's
data may be used, this requirement can be met.

The ISPCP Constituency proposes:

·	That all elements continue to be collected and displayed, for those
authorized to obtain access.
·	That adequate and full disclosure must be provided regarding the uses of
data, at the point of registration, and such requirement should be enforced.
·	Anonymous gTLD registrations continue to be allowed for individuals
through current processes.
·	The ISPCP supports the concept of tiered access as a principle, but is
concerned with cost, enforcement and other practical implementation issues
that must be clearly set forth prior to the implementation of such
mechanism.  The ISPCP will reserve final assessment on this principle until
such time that a clearly defined and viable method is proposed.


Task Force 3 - Improving Accuracy of Collected Data

Finally, the ISPCP Constituency is quite concerned about the abundance of
inaccurate and incomplete data.  Such deficiencies significantly hinder
ISPs' ability to identify and contact registrants.  Thus, ISPs support
ready access to accurate Whois data to facilitate resolution of network
problems, sourcing of spam.  Further, ready access to accurate data is
necessary for securing our networks and enforcing our acceptable use
policies.

Because of the heavy reliance by ISPs on registrants' data to facilitate
future contact with the registrant for business issues, security and
stability issues, intellectual property infringement and a myriad of other
legal issues, accuracy is of the utmost importance.

While automated verification software does exist, its accuracy and therefore
its reliability on a global scale is suspect.  Registrars should take
multiple steps to ensure that the data they receive is accurate, and there
should be some enforcement mechanism to ensure registrars' compliance.  In
addition, it would be useful for registrars to have a list of best practices
that further help verify data and produce an accurate database.

The ISPCP Constituency proposes:

·	The creation of a best practices document aimed to improve data
verification, with the prospect of a global application.
·	Registrars take increased and more uniform measures to verify accurate
data.  The ISPCP does not advocate removing all flexibility from current or
future registrar practices, but some uniformity and compliance with best
practices will net a more accurate database.
·	ICANN staff should undertake a review of the current registrar contractual
terms and determine whether they are adequate or need to be changed in order
to encompass improved data accuracy standards and verification practices.
****************************************************************************
gTLD Registry Constituency Statement for Whois Task Force 1

Draft 6 - 16 April 2004

This statement is submitted to the ICANN Generic Name Supporting
Organization (GNSO) Whois Taskforce 1 on behalf of the gTLD Registry
Constituency.

It should be noted that much of what Task Force I does relies on what Task
Force II does.  If Task Force II makes a recommendation that no data other
than non-sensitive data would be displayed, then privacy and data mining
become less significant issues.  If Whois just shows domain name, IP
address, Registrar, creation and expiration date, data mining could be
reduced to minimal levels and port 43 concerns could mostly disappear.
Because Task Force I and Task Force II are working concurrently, this
statement does not assume any particular conclusions from Task Force II.

Process Summary

The gTLD Registry Constituency arrived at the positions described in this
statement primarily through email discussions occurring from February
through April 2004 supplemented to a small degree by discussions occurring
as part of agendas for the in-person constituency meeting in Rome on 2 March
2004 and regular constituency teleconference meetings on 17 and 31 March
2004 and 7 April 2004.  All constituency registry members were included in
email discussions on the constituency list.  Primary contributions were made
by the following registry members: DotCoop (.coop), Global Name Registry
(.name), Neulevel (.biz), Public Interest Registry (.org), SITA (.aero) and
VeriSign (.com & .net).  All nine registries participated in voting
regarding specific elements of this statement and responses to questions
discussed.

Issue Analysis - Impact on the Constituency

Operational Impact

The operational impact of changes to Whois access requirements can be very
significant on registries depending on what the nature of the changes are,
whether the registry is thick or thin, what implementation time frames are
required, available resources, etc.  It should also be expected that
operational impact can be significant for registrars, possibly even more
than registries because the registrars are the custodians of the primary
Whois information and are typically the interface with registrants and their
contacts.

Registry and registrar Whois systems as they exist today are relied on by
millions of users around the world so any changes will potentially affect
many if not all of those users.  Consequently, it is critical to also
consider the operational impact on the various types of Whois users outside
of the registry and registrar constituencies.

One specific operational consideration that must be considered is the
following: until such time as other means are available for registrars to
obtain contact information of registrants associated with other registrars,
registrars will need access to Whois data regarding registrants and
administrative contacts in order to be able to comply with the new Registrar
Transfer Policy; registries and independent dispute providers will also need
access to such data in order to fulfill their roles in the Transfer Dispute
Resolution Policy.

Financial Impact

As with operational impact, financial impact to registries of changes to
Whois access requirements would vary depending on what the nature of the
changes are, whether the registry is thick or thin, what implementation time
frames are required, etc. Until specific requirements are defined, it is not
possible to quantify financial impact.

Some factors that could lead to increased cost for registries are:
1.	The need for manual intervention in providing Whois service
2.	Requirements that increase the likelihood of automated Whois queries
3.	Complex requirements that cannot be standardized across multiple
registries
4.	Policies that increase the likelihood of litigation and other forms of
dispute resolution
5.	Requirements to provide different Whois services for different localities
6.	Requirements that conflict with local law and thereby create burden on
registries for negotiations and legal fees
7.	Changes to the publicly available information - many registrants use
Whois for monitoring their registration information and a number of web
hosting firms and ISPs use it to confirm registration of domain names;
changes to publicly available information could shift additional work to the
registry
Any Whois access requirement changes that increase the likelihood of any of
these factors occurring can be expected to have financial impact.

Implementation Timeframe Estimates

Registries, large and small, will require full product development cycles to
implement any significant changes to Whois systems.  These cycles vary by
registry but can be longer than six months after final requirements are
defined.  Registrars also have similar requirements.

Because so many applications rely on Whois information, advance notice must
be provided to the community at large to allow sufficient time for such
applications to be modified to accommodate changes.  Because of the
widespread global use of Whois information, it is not unreasonable to expect
that at least six months notice should be given to the Internet community
for any significant changes to Whois access.



Questions Discussed by the Constituency

The gTLD Registry Constituency specifically raised and discussed six
questions relating to the work of Whois Task Force 1.  Summaries of the
responses to the questions are provided below.

Question 1: What types of access should be made available for viewing WHOIS
information? (Web-based access, Port 43, Bulk Access, etc.)

Question 1 Responses

Response: Web-based Whois access should be at the discretion of any
registry/registrar.
Agree: 78%
Comments: No registries opposed this; two abstained. For web-based Whois,
access control is more limited than port 43 or IRIS. Web-based Whois seems
most appropriate for a registry's or registrar's customers. Web-based Whois
operates on a different port than both the Nicname/Whois protocol (port 43)
and the CRISP Working Group's new protocol, IRIS. For web-based Whois,
access control is more limited than port 43 or IRIS. Web-based Whois
services use the Nicname/Whois protocol (and in the future, possibly IRIS)
to gather Whois information from other registrars and registries. It is
very difficult for web-based Whois services to gather information from
other web-based Whois services. Therefore, at a minimum the Nicname/Whois
service on port 43 or a protocol like IRIS must be kept open. However, it
should be noted that the Nicname/Whois service does not provide adequate
controls for tiered access.

Response: Any implementation of Whois access should permit registries to
customize Whois access to applicable law.
Agree: 100%

Response: Web-based and port 43 Whois service should not be required of
registries and registrars as it is in current agreements with ICANN.
(status quo)
Agree: 100%

Response: Port 43 Whois access should only be required if it can be
implemented to accommodate privacy legislation in the country where the
registry operates.
Agree: 100%
Comments: The CRISP IRIS protocol may be able to accommodate this concern.

Response: Bulk access should not be allowed for marketing purposes.
Agree: 100%

Response: Whois bulk access should not be required as it is under current
unsponsored registry agreements.
Agree: 89%
Comments: No registry opposed this; one abstained. Legal restrictions are an
important part of an answer to question 1. For example, sponsored
registries cannot provide Bulk Access to Whois to anyone except ICANN no
matter what the outcome of the task force. Privacy considerations are
coming to the fore more and more both on a national and European level and
any opinion we volunteer on access to Whois is intimately connected to the
legal restrictions of registry jurisdiction. IP community or law
enforcement may need bulk access or something like it.

Response: We recognize that certain parties (e.g., law enforcement, IP) may
at times need to have better access to Whois. We suggest that a technical
solution be identified which allows legitimate parties to search for the
information they need, without requiring registries to turn over all data
they have in the Whois (i.e., current bulk access). IRIS could be
considered as a potential technical solution.
Agree: 55%
Comments: Only five registries voted on this response; all five supported
it.

Response: As restrictions are and likely to remain standardized, it would be
good to consider standardizing the request format too. With regard to
access for registrars, an ICANN-administered registry of authorized IP
numbers would be useful.
Agree: 100%

Response: Non-registry and non-registrar access should be on a need-to-know
basis and limited to users that can demonstrate a legitimate need for the
information. For example, law enforcement agencies with an appropriate
legal basis for a request, e.g., a subpoena, should be able to have access
to personal information when necessary for law enforcement purposes.
Intellectual property researchers should have access subject to agreements
limiting its use.
Agree: 78%
Comments: Only seven registries voted on this response and all of them
supported it.


Question 2: What has been the effect on registry systems of having to make
available WHOIS information via Port 43 and the web?

Question 2 Responses

Response: The effect on registry systems varies by registry. There has been
little or no effect on the thin registry Whois offered for .com and .net.
Larger thick registries have experienced operational problems arising from
very high rates of requests on port 43, thereby requiring monitoring and
maintenance of requisite servers. Smaller registries have not experienced
significant negative impact.
Agree: 89%
Comments: One registry, RegistryPro, abstained because it has not yet
experienced these problems, but such issues are anticipated after launch.


Question 3: Have we noticed a problem with data mining?  If so, do we have
any facts to support this?

Question 3 Responses

Response: Registry Whois data mining tends to be more significant with
larger thick registries. Data is available to support problems incurred.
Some registries have received spam complaints from registrants.
Agree: 89%
Comments: One registry, RegistryPro, abstained because it has not yet
experienced these problems, but such issues are anticipated after launch.


Question 4: If the answer to 3 is yes, have we instituted any mechanisms to
deal with such mining (i.e., put in speed bumps on Port 43, or a cloudy GIF
on web-based access)? If yes, what has been the effect of instituting these
measures?

Question 4 Responses

Response: Registries have instituted the following types of mechanisms to
deal with data mining: 1) limitations on port 43 access; 2) timeouts which
temporarily block high-rate users; 3) reduced returns on wildcard queries;
4) system tuning; 5) blocking IP numbers of large-volume abusive requests;
and 6) rate controls. Publication of the delete pending list for registrars
as required for RGP resulted in reduced mining for some registries.
Agree: 89%
Comments: One registry, RegistryPro, abstained because it has not yet
experienced these problems, but such issues are anticipated after launch.

Response: Registries must be allowed to implement anti-data-mining controls.
Because restrictions have unpleasant side-effects for innocent parties,
including registries and registrars, standardization of anti-data-mining
practices should be considered to minimize undesirable side effects.
Agree: 100%



Question 5: Is it feasible to have tiered access to WHOIS information (i.e.,
only some groups being able to use Port 43, while all others using web based
access)? If so, how could that be implemented?  What are the pros and cons?
What issues would still need to be worked out?

Question 5 Responses

Response: Yes, it is feasible to have tiered access to Whois information.
Agree: 100%
Comments: The biggest burden with doing tiered access lies in the
administration of authorization and authentication and not within the
logistics of writing or running the service itself. IRIS will have specific
mechanisms to allow registries/registrars to off-load this burden to
policy-management entities (note: the protocol does not mandate the use of
these mechanisms). This is important as it allows consistency of tiered
access within a policy jurisdiction. Without such consistency, tiered
access is much less useful. The two-tier Whois as described would require
coordination between registries and registrars to avoid confusion amongst
the relevant parties. Any moves toward tiered access would need to take
into account the parties and their use of Whois information, i.e., the
question of legitimate parties.

Response: ICANN should administer an access rights database to WHOIS
information, with appropriate separate treatment for different TLDs where
necessary.
Agree: 100%
Comments: The issue of data privacy will inevitably lead to restricting
Whois access and eventually create a situation where certain parties will
have "better" access than others to Whois data. Providing a centralized
administration of access rights will reduce a burden on each individual
registry and move the responsibility for granting the access rights to the
party which prescribed it. It is not clear that ICANN should administer
access to Whois; registries should do that; but it does seem like it might
be desirable for ICANN to authenticate access rights based on community
input.

Response: Whois policy decisions should be based on the technologies that
will be available (e.g., IRIS) not just those that exist today - port 43
Whois and "cloudy gif images".
Agree: 89%
Comments: No registry opposed this; one did not vote. CRISP's protocol
documents ("IRIS") have finished last call in the working group and are now
being sent to the IESG for their review and comment.

Response: The Whois framework must provide ways for registries and
registrars to ensure that they can comply fully with their local
legislation requirements. For example registries and registrars operating
in Europe must be able to comply with European data regarding personal data
processing.
Agree: 89%
Comments: No registry opposed this; one did not vote.


Question 6:  In other words, how can we ensure that legitimate parties
(however that is defined) have access to Whois information, but also reduce
data mining and the burdens on our systems?

Question 6 Responses

Response: The objectives of Whois must be clearly defined before the problem
of data mining can be addressed.
Agree: 100%

Response: Identification of "legitimate parties" is a core problem.
Agree: 100%

Response: The question for a TLD registry is not just whether it can develop
its own side of the IT solution, it must be sure that users (e.g.,
registrars and registrants) can comfortably follow.
Agree: 100%


Concluding Statements

1.	It is essential to deal with the paramount concern of personal privacy
along with the needs of intellectual property and law enforcement as limited
exceptions to the protection of privacy.

2.	We recognize that certain parties may at times need to have access to a
number of elements listed in the current form of WHOIS.  A technical means
of providing this tiered access (i.e., allowing these parties to access the
information, while preventing others from getting the information) could be
through the IRIS protocol developed by the CRISP working group of the IETF.
When finalized, we believe that a comprehensive review of this technical
solution be undertaken.  We believe a more detailed effort is needed to
identify any specific parties that need access to selected elements and what
information should be obtained about such access.

3.	Cost benefit analysis should be done when considering any significant
changes in Whois requirements.

4. 	Careful consideration should be given to the feasibility of registrars
and registries to implement any proposed changes in Whois requirements
including but not limited to enforcing such requirements.  And sufficient
time should be allowed for any associated migration.

5.	The Whois framework must provide ways for registries and registrars to
ensure that they can comply fully with their local legislation requirements.
****************************************************************************
 GNSO Secretariat
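An added example, not part of the constituency statements above, of the kind of port 43 rate control the gTLD Registry Constituency lists in its Question 4 response: a sliding-window per-source limit, a timeout that temporarily blocks high-rate users, and a cap on wildcard returns. The class name, thresholds and the sample query stream are assumptions constructed for illustration.

```python
"""Added example (not registry or constituency code): per-source rate control
for a port 43 Whois front end. Thresholds and sample data are constructed."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class WhoisRateControl:
    window_seconds: float = 60.0   # sliding window used to count queries
    max_queries: int = 30          # queries a source may make per window
    block_seconds: float = 300.0   # timeout: temporary block once exceeded
    wildcard_cap: int = 10         # reduced returns on wildcard queries
    # source -> recent query timestamps (seconds)
    _history: dict = field(default_factory=dict)
    # source -> time at which a temporary block expires
    _blocked_until: dict = field(default_factory=dict)

    def check(self, source: str, now: float) -> str:
        """Return "allow" or "blocked" for one query from `source` at `now`.
        Note for operators: the source key is an IP address, so a shared
        address (NAT, proxy) can be blocked on behalf of one abusive user;
        this is the side effect on innocent parties the statement mentions."""
        until = self._blocked_until.get(source)
        if until is not None:
            if now < until:
                return "blocked"          # timeout still in force
            del self._blocked_until[source]
        recent = self._history.setdefault(source, deque())
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()              # drop queries outside the window
        recent.append(now)
        if len(recent) > self.max_queries:
            # High-rate user: start a temporary block and reset the window.
            self._blocked_until[source] = now + self.block_seconds
            recent.clear()
            return "blocked"
        return "allow"

    def wildcard_results(self, matches):
        """Cap the number of records returned for a wildcard query."""
        return list(matches)[: self.wildcard_cap]


def replay(control: WhoisRateControl, events):
    """Run (timestamp, source) events through the control and count the
    verdicts per source. Returns {source: {"allow": n, "blocked": m}}."""
    summary = {}
    for ts, src in events:
        verdict = control.check(src, ts)
        counts = summary.setdefault(src, {"allow": 0, "blocked": 0})
        counts[verdict] += 1
    return summary


# Constructed sample stream (documentation-range addresses): one source
# issues 40 queries in 40 seconds, another issues 5 queries over 40 seconds.
SAMPLE_EVENTS = (
    [(float(i), "198.51.100.7") for i in range(40)]
    + [(float(i * 10), "203.0.113.5") for i in range(5)]
)

if __name__ == "__main__":
    ctl = WhoisRateControl()
    print(replay(ctl, SAMPLE_EVENTS))
    print(len(ctl.wildcard_results(range(50))), "records returned for wildcard")
```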