[dow2tf] Whois task force 2 Constituency position statements
WHOIS TASK FORCE 2

Constituency Position Statements:

1. At Large Advisory Committee (ALAC)
2. Intellectual Property Interests Constituency (IPC)
3. Commercial and Business Users Constituency (BC)
4. Non Commercial Users Constituency (NCUC)
5. Internet Service Providers and Connectivity Providers Constituency (ISPCP)
6. Registrars Constituency (attached in pdf format)

Policy proposal from ALAC on how to change the data elements collected and displayed. For your information, our input for Task Force 1 is also included.

Unless we specifically speak about registrars, our remarks apply to registrar and to thick registry WHOIS systems alike.

At-Large Advisory Committee: http://alac.info/

Task Force 2: Data elements displayed and collected

Policy proposal

We recommend that the mandatory collection and display of personal information about registrants be reduced as far as possible. What information is actually required for placing a domain name registration should be a matter of registrars' business models, and of applicable law, not of ICANN policy.

We consider the removal of the following data elements from registrars' and registries' WHOIS services (in a tiered model, from *all* tiers) a priority:

- registrant name, address, e-mail address, and phone number, unless registrant has requested that this information be made available.
- administrative contact name, address, e-mail address, and phone number, unless registrant (or admin-c) has requested that this information be made available.
- Billing contact. These data are traditionally not published by registrars, but are included in many thick registries' public WHOIS services.

For the purposes of a tiered access system (see recommendations for task force 1), we would recommend that the following information be included in a public tier:

- Registrar of record.
- Name servers.
- Status of domain name.
- Contact data, if the data subject specifically requests that these data be included in the public tier.

Implementation remarks

None.

Rationale

For personal registrations, the registrant, administrative contact, and billing contact data sets are most likely to concern sensitive information, such as the registrant's home address and phone number.

We recognize that domain name registrations by online merchants often imply fewer privacy concerns; it has been argued that online merchants must make privacy information public in many jurisdictions. We are confident that businesses will also follow these duties by requesting registrars to make contact information about them available publicly. Conversely, if bad actors decide not to make contact information publicly available, that could actually make bad actors more easily recognizable, and provide consumers with a "red flag."

Discussion of other proposals

At the WHOIS workshop in Rome, we have heard several lawyers praise the usefulness of registrant and other telephone numbers in WHOIS services. That way, we were told, many cases could be settled by a single phone call. The easier the contact, we were told, the merrier.

This argument is troubling: What we were hearing there is a request to ICANN to enable lawyers to make off the record contact with other parties to a dispute that may not have a lawyer readily available, and to make this contact in a way which makes it hard for the registrant to get legal counsel involved in early negotiations arising out of the dispute.

Telephone numbers of registrant and administrative contacts should be *removed* from WHOIS services for precisely this reason: Forcing the non-registrant party to a dispute to open up that dispute by on-the-record means (e-mail, fax [not universally available], postal mail) ensures that registrants have an opportunity to retain legal counsel in these disputes, and to fully understand any claims made by the non-registrant party. It also helps to avoid legal bluff and plain bullying.

To summarize, it may be true that availability of phone numbers enables quick settlement. But availability of phone numbers also favors situations in which these settlements are achieved by dubious means, to the detriment of the registrant.

Task Force 1: Access to data

Policy proposal

We recommend a simple two-tiered system.

Tier 1 -- public access. Users who access a future WHOIS-like system anonymously get access to non-sensitive information concerning a domain name registration, to be defined in detail by task force 2.

Tier 2 -- authenticated access. Users who want to access a more complete data set (to be defined in detail by task force 2) need to reliably identify themselves, and indicate the purpose for which they want to access the data. The identity of the data user and their purpose is recorded by registrars and registries, and made available to registrants when requested. This information could be withheld for a certain amount of time if the data user is (1) a law enforcement authority that is (2) accessing the data for law enforcement purposes.

Implementation remarks

We do not recommend any particular implementation of this proposal, but note that "reliable identification" could be provided by commercially available SSL certificates. In general, we would favor implementation of our proposal in a dedicated protocol (such as IRIS) over implementation through Web forms.

Rationale

The key aspect for deciding whether access to data gathered by registrars can be given to a third party is the purpose for which this data is going to be used. Obviously, registrars have no way to verify the purpose for which WHOIS data is being accessed. The best heuristic we know of is to hold data users accountable for their activities, and to put enforcement of purpose limitations into the hands of registrants. This can be achieved by reliably identifying data users and putting their identity, contact information, and purpose indication in the hands of registrants.

At the same time, a tiered system -- if implemented reasonably -- could preserve the ability of data users to automatically access WHOIS data in reasonable quantities. Registrars, on the other hand, would be enabled to limit the amount of data any particular party can access in a given interval of time.

Identifying data users and their purposes would also enable registrars to comply with legal obligations to make this kind of information available to data subjects.

Discussion of other proposals

There have been suggestions that "automated access" could be used as a heuristic to determine illegitimate access. In this scheme, automated access is blocked by attempting to require human attention with all queries. One set of implementations of these kinds of tests is known as CAPTCHA.

There is evidence that automated access is also being used for legitimate purposes; on the other hand, there is publicly available information on how CAPTCHA-like tests are being circumvented in other contexts. The circumvention here is based on a fundamental design problem of CAPTCHAs.
<http://boingboing.net/2004_01_01_archive.html#107525288693964966>

One particularly popular CAPTCHA has been broken in academic more than a year ago, but is still being used by registrars.
<http://www.cs.berkeley.edu/~mori/gimpy/gimpy.html>

Accessibility problems posed by CAPTCHA-like tests are not fully understood by now; we note, though, that purely visual tests are insufficient from an accessibility point of view.
<http://www.w3.org/TR/turingtest/>

In conclusion, CAPTCHA tests address the wrong problem, and they address it badly. We strongly recommend against going down this path.

****************************************************************************

Intellectual Property Interests Constituency Statement (IPC)
Whois Task Force 2
April 13, 2004

This statement responds to the issue identified in the purpose statement of the terms of reference for Task Force 2, see http://gnso.icann.org/issues/whois-privacy/tor2.shtml

The purpose of this task force is to determine:

a) What is the best way to inform registrants of what information about themselves is made publicly available when they register a domain name and what options they have to restrict access to that data and receive notification of its use?

Based on the limited data which has been collected so far, IPC believes that the effectiveness of notification to domain name registrants, and the obtaining of their consent as required by the RAA Secs. 3.7.7.4, 3.7.7.5, generally need improvement. For example, obtaining specific consent on this issue from the registrant during the registration process, separate from obtaining agreement to extensive terms and conditions for the registration in general, should be encouraged. Similarly, some registrars should be more specific and forthright in communicating to registrants about the circumstances under which Whois data is available to third parties.

ICANN should:

· incorporate compliance with the notification and consent requirement as part of its overall plan to improve registrar compliance with the RAA. (See MOU Amendment II.C.14.d).
· issue an advisory reminding registrars of the importance of compliance with this contractual requirement, even registrars operating primarily in countries in which local law apparently does not require registrant consent to be obtained.

IPC believes that registrars should take the lead in developing best practices, with input from other interested constituencies, that will improve the effectiveness of giving notice to, and obtaining consent from, domain name registrants with regard to uses of registrant contact data. IPC would be glad to participate in such an effort.

b) What changes, if any, should be made in the data elements about registrants that must be collected at the time of registration to achieve an acceptable balance between the interests of those seeking contact-ability, and those seeking privacy protection?

Based on the data collected so far, IPC does not think that any data element currently collected by registrars about registrants should be eliminated.

IPC has identified certain data elements that may not be currently collected (or at least are not currently displayed in response to Whois queries) but whose inclusion would improve the usefulness of Whois data. These include:

· chain of title information
· date of initial registration
· notice of encumbrances
· date and method of last verification of registrant contact information*

*Although these additional desired data elements were identified in response to the questionnaire sent by TF 2, IPC recognizes that action on them may fall within the purview of TF 3.

c) Should domain name holders be allowed to remove certain parts of the required contact information from anonymous (public) access, and if so, what data elements can be withdrawn from public access, by which registrants, and what contractual changes (if any) are required to enable this? Should registrars be required to notify domain name holders when the withheld data is released to third parties?

As a general matter, IPC does not support the suppression of public access to any element of Whois data that is currently made public. All such data elements make a contribution to the promotion of transparency and accountability in the domain name system.

To the contrary, ICANN should consider requiring additional data elements already collected by registrars (such as contact data for billing contacts) to be made available through Whois. It should also consider requiring the collection, and the public availability, of certain data elements that may not be currently collected, as outlined in response to the previous question. Finally, it should make the set of data elements that are made publicly available more uniform across gTLDs.

Based on the limited data compiled so far, IPC supports further consideration of two exceptions to the general principle stated above.

First, further research should be conducted on the use of "proxy registration services" within the framework of Sec. 3.7.7.3 of the RAA, including but not limited to the following issues:

· the rate of uptake of such services, and consumer response to them;
· what steps are taken to ensure that the registrar collects (or has immediate access to) accurate, complete and current contact information on all registrants taking advantage of such services;
· the circumstances under which contact information of the actual registrant is disclosed pursuant to the RAA provision (i.e., the "evidence of actionable harm" scenario);
· how registrants are notified when the withheld data is released to third parties;
· scalability of such services.

Second, further research should be conducted into the operation by certain ccTLDs (e.g., .nl) of case-by-case mechanisms for the withholding of Whois data on individual registrants who demonstrate special circumstances, and on the feasibility of adapting such mechanisms to the gTLD environment.

****************************************************************************

INTERIM Business Constituency Position - Input to the GNSO Council task forces on WHOIS - April 2004

In order to provide input to all three Task Forces (TF) and provide a broader statement from the Commercial and Business User Constituency (hereafter Business Constituency or BC), we have consolidated our input into a single document.

Members of the Business Constituency use the Internet to conduct business. The Business Constituency is a constituency representing customers of providers of connectivity, domain names, IP addresses, protocols and other services related to electronic commerce in its broad sense. The BC membership includes corporations, entrepreneurs, and associations.

The BC recognizes that the Internet is changing and evolving into a more commercial and widely used communication mechanism, and that the characteristics of the Internet users are also changing, over time. It is generally agreed that more and more users are registering domain names for a wider and wider variety of purposes. As the user characteristics are changing and the Internet is growing, it is important to keep in mind the key issues of Internet stability. The BC believes that accurate WHOIS data is an essential element to that core value. In examining the possibility of changes in the WHOIS, the BC believes that better mechanisms are needed to ensure accurate WHOIS data, while balancing the needs of the full set of stakeholders and affected parties.

Principles for the use of WHOIS

Striking a balance among concerns and needs of the different stakeholders related to accuracy, reliability, access and privacy issues is the goal.
This is consistent with the OECD Guidelines on the Protection of Privacy and Trans-border Data Flows of Personal Data, the international consensus, that works to strike a balance between effective privacy protection and the free flow of information.

Purposes of Business User access to WHOIS:

Business users access the WHOIS database to obtain registrant contact information for the following reasons:

1. to verify the availability of a name they might wish to register
2. to thwart security attacks of their networks and servers
3. to validate the legitimacy of a website for transactions
4. to identify consumer fraud and cyber-scam incidents
5. to undertake routine reviews to protect their brands
6. to support UDRP and other infringement proceedings
7. to combat spam.

The BC's guiding principles related to WHOIS are:

1. Accuracy and access. Accuracy and access to accurate data are the top priorities. Enforcement of accuracy requirements is essential.
2. Use of data. It is key to find a balance between data use for legitimate purposes and avoiding unwelcome or illegal use.
3. Balance of Stakeholder needs. Any changes in access to WHOIS must be balanced across the needs of all stakeholders and take into account the costs to the registries/registrars to maintain more complex systems, as well as the burden on the legitimate users of WHOIS.
4. Marketing. WHOIS data should never be used for marketing purposes. This includes precluding the use of WHOIS data for marketing by the registry or registrar other than for services that are directly applicable to registration or other purposes that are not inconsistent with the original purpose [see OECD Guidelines] or for which the registrant has explicitly opted-in.
5. Scope. The focus for now should be ensuring a consistent system of WHOIS across generic top-level domain names.
Any discussion of WHOIS policies that might affect WHOIS within country-code domain names should be addressed later and through the new Country Code Names Supporting Organisation.

Task Force One: What contractual changes, if any, are needed to protect domain name holders from data mining for the purpose of marketing?

The BC notes:

Concerns arise from marketing use. The BC has previously stated that marketing uses of WHOIS data should be prohibited. The basis of much data protection law is that data should only be used for the purpose directly applicable to registration or other purposes that are not inconsistent with the original purpose [see OECD Guidelines] or for which the registrant has explicitly opted-in.

§ Spam. Confusion exists today regarding whether and to what extent WHOIS data is used for the development of Spam. Data indicates that the involvement is small, but in any case, it is important to not allow contamination of the issues relating to WHOIS by the issue of spam prevention. Regardless of the limited degree of impact, mechanisms to limit any use should be supported.

The BC therefore proposes:

§ Eliminate marketing. The BC believes that WHOIS data should never be used for marketing purposes. This includes precluding the use of WHOIS data for marketing by the registry or registrar, other than for services which are directly applicable to registration or for which the registrant has explicitly opted-in.

§ Limit access to Port 43 access. Although it does not appear that WHOIS is a significant contributor to Spam, the BC supports the limitation on port 43 access (an Internet-based access used by registrars and others) to discourage any use for that purpose. Also, this will limit uses of port 43 for other marketing purposes.

§ Creation of a White list approach for "legitimate use". There are legitimate uses of WHOIS, which should be supported, including uses facilitated by bulk access.
Such uses include research, creation of third party value-added services, etc. The BC therefore supports the creation of a list of legitimate uses, and recommends that such uses be limited via registry/registrar/third party contract when bulk access is provided to such third parties. Specific conditions as to use should be specified in the contractual terms.

§ The BC therefore proposes that the examination of such a white list process should be referred to Council for consideration as a policy development process.

Task Force Two: data collection and display of data elements

The BC notes:

§ Privacy concerns: The question of whether and how WHOIS data should be made public has been raised. It is unclear whether this question pertains to a broadly held governmental concern with all WHOIS data or whether the question relates to the narrow class of registrations by individuals with privacy concerns. In any case, the question of changing access to WHOIS data is a current and important one.

§ Registrant Awareness of public access to WHOIS: The question has also been raised about whether registrants are aware of what WHOIS data is and how it is displayed and why it is needed.

§ Segregation of registrants into categories presents problems of definition. There have been discussions about the concept of segregating registrants into different categories and having different requirements for gathering and publishing WHOIS data, based on the user category. The determination of what category a registrant fits into is not a simple determination, since, for example, individuals may register names for speculation, business development, or for personal use. And the reality is that the problems with consumer fraud, piracy, and trademark infringement are typically perpetrated by individuals, who provide false registration information, in order to avoid pursuit.

§ Differentiated or "tiered"
Access by Authenticated Users: There has been some limited discussion about creating a two tier approach to access and requiring a WHOIS user to be approved or authenticated to have access to all data.

§ Services which offer anonymity for registrants: Some have raised the issue of providing a mechanism for individual anonymity for legitimate individuals. Such mechanisms exist in telephony, where the telephony provider receives accurate contact information and acts as the point of contact for legitimate requests. Alternatively, anonymous gTLD registrations can be obtained by individuals through several mechanisms such as registration through one's ISP.

§ Privacy and existing obligations: Although some entities have raised the question of what privacy laws apply to WHOIS data, there is not a consistent interpretation of law. A few countries have established that their privacy laws apply to the display of country-code WHOIS data. Certain data privacy entities have begun to ask what data privacy protections should apply. Yet many countries require businesses and NGOs to provide accurate information when they apply for services such as a business license, tax exempt status, inclusion in a directory, or trademarks.

§ All data elements are needed. BC members responding to the questionnaire regarding data elements relied upon by business users indicated that all data elements are used. When some part of the elements are incomplete or inaccurate it is even more important to have access to as many data elements as possible. This enables a thorough effort at contacting the registrant, or in the case of consumer fraud, to support law enforcement.

§ Display of data elements: All data elements should be displayed, or at a minimum accessible via an easy to use and validated process that would allow access to an authenticated user. However, this needs further and careful examination. It is not acceptable to simply create broad categories of "business" and "individual"
without a recognition of the issues involving the misuse of a special category.

The BC therefore proposes:

§ All existing data elements are needed. The BC recognises the continued need for all the data elements that are available in WHOIS today.

§ Registrants should be informed: Fact based, neutral toned information about WHOIS should be included in the registration process, and specific acknowledgement/consent should be obtained at the time of registration. Registrants should also be renotified when they renew their registration of the importance of accurate and complete data.

§ Assessment of a differentiated access model should be undertaken: Examination of the broad implications of establishing a differentiated access model, including costs, broad impact on registrants and WHOIS users, and taking into account CRISP and other emerging standards, should be a community and Council priority. The development of such a change in WHOIS will require a further PDP process.

§ Updated Information is needed to begin such a consideration: The Council should be asked to support the briefing by all three TFs by IETF on the status of CRISP and any other emerging and relevant standards.

Task Force 3: Mechanisms to improve quality of contact data

The BC notes:

§ Accuracy because WHOIS is public communication. A domain name registration in a TLD is a public form of communication, and as such, requires accurate data for the WHOIS registry.

§ Accuracy because users need accurate data. The average Internet user, whether business, government, NGO or individual, has an expectation of accurate WHOIS information, which they then use to address legitimate issues: verifying the legitimacy of a web site, pursuing a network problem, addressing IP infringement concerns, calling for assistance from law enforcement, etc.

§ Accuracy is important for individuals and organisations. The same concerns about the need for accurate data are independent of the nature of the registrant.
A non-statistical survey of BC members regarding the situations they have experienced with trademark infringements, consumer fraud, and network issues indicates that there are problems with individuals and with organisations. However, none of the consumer fraud incidents encountered by the well-known brand holders involved organisations. The five situations examined all involved individuals who provided false information. Discussions with law enforcement have and continue to evidence similar problems with individuals.

§ Some examples of data authentication exist in other industries, including financial services and in some of the ccTLDs.

The BC therefore proposes:

§ Best Practices are available from other sources: The BC recommends further examination of best practices in authentication in other industries and from selected ccTLDs.

§ Changes to the contracts are needed to ensure there is enforcement. The requirement to provide accurate data is a part of the Registrar contract, yet it appears that few registrars fulfill this requirement. The BC believes that this must be enforced by ICANN while allowing flexibility in the way registrars carry out this obligation. The previous WHOIS TF discussed the development of graduated sanctions. They also heard from several ccTLDs with successful data verification practices. The BC calls for the development of policy to evaluate a system of graduated sanctions.

Recommendation: more research is needed, and standards may offer solutions to development of modifications to WHOIS.

Discussion of WHOIS is limited by a lack of research which would allow fact based policy. The ccTLD registries also have significant experiences which could be better understood and provide useful "understanding" to guide gTLD policy development.

The BC encourages the GNSO Council to seek current information on both the CRISP project (on WHOIS standards undertaken by the Internet Engineering Task Force) and any other relevant standards process, to examine the role of these potential standards in providing a solution.

The BC recognizes that the cost of implementing changes in WHOIS must be analyzed and understood as changes are considered. Changes in WHOIS should not become an "unfunded mandate" upon registrars.

Footnote: The BC continues to discuss the WHOIS issues and may provide further comments or modifications to these positions after concluding an ongoing internal process.

****************************************************************************

Noncommercial Users Constituency Comments
WHOIS Task Force 2
April 16, 2004

The Noncommercial Users Constituency (NCUC) represents the views of one of the largest and most dynamic set of domain name registrants: the noncommercial community, including human rights organizations, political and civil liberties groups, libraries and archives, families, hobbyists, technologists, universities and academics, and organizations bringing the Internet and new technologies to developing countries.

We note the importance of our group as highlighted by W.G. Champion Mitchell, chair and CEO of Network Solutions (the largest ICANN-accredited registrar) to the ICANN Board in the public forum of the ICANN meeting in Rome:

"I WOULD LIKE TO SPEAK WITH YOU, HOWEVER, AND TRY TO SPEAK WITH A VOICE OF A CONSTITUENCY THAT IS NOT BEING HEARD TODAY, THE MOST IMPORTANT CONSTITUENCY THAT EXISTS, THE ONE THAT I AM SURE YOU CARE ABOUT GREATLY, AND I KNOW I CARE ABOUT GREATLY, AND THAT IS THE AVERAGE USER OF THE INTERNET AND OF OUR SERVICES."

In analyzing the data elements of the WHOIS, and what data elements should be removed and revised, it is critical for TF2 to consider closely the concerns of those who are the domain name owners --
those whose data is subject to the use and abuse of the WHOIS database/directory.

The Noncommercial Users Constituency submits:

1) TF2 and ICANN must recognize the well established data protection principle that the purpose of data and data collection processes must be well defined before policies regarding its use and access can be established. The purpose of Whois originally was identification of domain owners for purposes of solving technical and operational problems. See, for example, comments of European Commission, Internal Marketing DG, http://www.dnso.org/dnso/notes/ec-comments-whois-22jan03.pdf. (The purpose was *not* to provide law enforcement and other self policing interests with a means of circumventing normal due process requirements for gaining access to contact information.) None of the current Whois Task Forces are mandated to revise the purpose of the Whois directory. Therefore, the original technical and operational purpose of the WHOIS database/directory must be assumed until and unless ICANN initiates a new policy development process to change it.

2) Under no circumstances (now or in the future) may the purposes of a tool mandated by ICANN or maintained under the terms of an ICANN contract be greater than the purpose of ICANN itself. According to ICANN's recently revised agreement with the US Department of Commerce, ICANN's purpose is straight-forward: "the technical management of the DNS." Amendment 6 to ICANN/DOC MOU, http://www.icann.org/general/amend6-jpamou-17sep03.htm. The WHOIS database/directory must exist, if at all, to serve no more than technical and operational purposes within ICANN's scope of authority.

3) ICANN has no legal or moral authority to preempt and supersede national law national privacy protections accorded by many countries to their citizens and residents. There are numerous countries with comprehensive privacy laws in Europe and throughout the world.
The origin of many of these privacy principles dates back to the human rights abuses of World War II and the Holocaust. That ICANN's contracts require collection and disclosure of personal data in excess of national law is clear from the comments of the European Commission, the Article 29 Data Protection Working Party, and the International Working Group on Data Protection in Telecommunications to TF2 and its predecessor. In light of such clear concern and opposition to the WHOIS data elements, ICANN must change its practices to not conflict with closely-held and much-valued privacy laws and principles.

4) ICANN must stop putting ICANN-accredited registrars and thick registries in an untenable position: the need to comply with the ICANN-mandated collection and disclosure of personal data of DN registrants vs. legal obligations to comply with their country's laws and the laws of the country in which the DN registrant is located. Complaints are already being filed against registrars in EU countries; EU data protection commissioners are already contacting ccTLDs and gTLDs (e.g., .NAME) to change their registrant collection and disclosure practices; and the Italian Data Protection Authority's Secretary-General made clear at the ICANN meeting in Rome that he will begin serious enforcement of Italian Privacy Law not only against Italy-based registrars and registries, but also in some cases, against registrars and registries based outside of Italy, but working with the registrants within Italy. Registrars and registries must be allowed to comply with national law regarding collection, disclosure and transborder transfer of personal data absent superseding contractual obligations of ICANN.

5) ICANN must stay out of the battles over freedom of expression v. intellectual property expansion online. The NCUC submits that WHOIS was never intended to be a list of all speakers or a single point for all content policing.
Further, the laws of some countries, such as the US, protect anonymous political and personal speech as a fundamental value of open and democratic societies. It is not for the ICANN community to second-guess or supersede these values of free speech and freedom of expression.

6) No amount of secondary use of WHOIS data justifies setting aside fundamental principles of freedom of expression and personal privacy as a matter of ICANN policy or contract. Certainly intellectual property and law enforcement are aided in having huge amounts of information regarding content providers available instantaneously. But so too are those engaged in identity theft, stalking, abuse of intellectual property, law enforcement illegalities, and other abuses (see further discussion below). Both intellectual property owners and law enforcement, for legitimate purposes, have tremendous powers to command information under due process procedures; what they need and are entitled to, they can legally and expeditiously obtain. But, the mere fact that a private data field, once disclosed, has valuable secondary uses does not override a registrant's privacy and freedom of expression rights. By analogy, we note that millions of people around the world routinely use digitized, copyrighted music files through peer-to-peer networks (and feel justified in doing so, and that there is no available substitute for their method of access). However, in making public policy on file-sharing, we do not simply take a public opinion poll of those users. We take into consideration the existing legal rights of producers of the music, and NCUC asserts that the same principle must be applied to the WHOIS.

7) Proxy services are not providing true protections for privacy or freedom of expression. Based on their own contractual provisions, they relinquish personal data to requesters for a variety of reasons falling far short of legal due process or court order.
Domain name registrants are entitled to the full protection of their rights, including privacy and freedom of expression, to the full extent under law.

Accordingly, and in light of the concerns, national laws and principles set out above, the NCUC strongly urges WHOIS TF2 and ICANN to:

1) Remove from the WHOIS database/directory those data elements that identify the registrant directly, namely: Registrant and Administrative Contact (which for small organizations, families, individuals, and many others, is the same as the registrant).

2) Remove from the Registrar Accreditation Agreement requirements that Registrars must collect registrant and administrative contact data, including name, address, phone and email. (Accordingly, ICANN must revise and eliminate sections of the Registrar Accreditation Agreement (RAA), including 3.7.7.1 which requires collection by Registrars of "accurate and reliable contact details and promptly correct and update them during the term of the Registered Name registration, including: the full name, postal address, e-mail address, voice telephone number, and fax number if available of the Registered Name Holder.")

3) Remove from the Registrar Accreditation Agreement requirements that Registrars must publish registrant and administrative contact data, including name, address, phone and email. (Accordingly, ICANN must revise and eliminate sections of the RAA, including Section 3.3 "Public Access to Data on Registered Names" which requires publication by Registrars of "an interactive web page and a port 43 Whois service providing free public query-based access to up-to-date (i.e., updated at least daily) data concerning all active Registered Names sponsored by Registrar for each TLD in which it is accredited," including the registrant and administrative contact fields.)

4) Remove from the Registrar Accreditation Agreement requirements that Registrars serving as proxies, and thereby providing privacy for domain name registrants, must disclose the registrant and administrative contact data for reasons falling far short of legal due process (e.g., threats against the registrant or to the registry or registrar) or the registrars will be deemed to assume liability for the speech and expression of the registrant using the domain name. (Accordingly, ICANN must revise and eliminate sections of the RAA, including 3.7.7.3, which requires registrars acting as proxies to "accept liability for harm caused by wrongful use of the Registered Name, unless it promptly discloses the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm.")

5) Limit operation of the WHOIS database/directory to the bounds of ICANN's technical mandate. Accordingly, the NCUC sets out the following new WHOIS database/directory listing of selected existing and new fields: technical contact, registry [new field], registrar [new field], name servers of the registrant, creation and expiration date of the domain name.

Appendix: Sections of NCUC comments regarding abuses of WHOIS data
Submitted February 2004 to TF2, in its data gathering phase

The Noncommercial Users Constituency (NCUC) has tremendous concerns with the collection of many WHOIS data elements. We are concerned about making contact information available unconditionally and anonymously to the public, companies, and governments without accountability, auditability or due process. Such a requirement is contrary to national law and policy. NCUC calls on Whois Task Force 2 to correct the situation by reforming WHOIS to better protect privacy and freedom of expression.
We address the data elements of concern below, and offer an array of reasons for the harm and threat their complete and full disclosure may pose to domain name registrants in the noncommercial community.

I. Personal WHOIS Data Reveal Peoples' Homes and Families

WHOIS Data Elements of Concern: Group A: Personal Data
- Registrant Name
- Registrant Address
- Registrant Phone Number
- Registrant Email
- Administrative Contact Address
- Administrative Contact Phone Number
- Administrative Contact Email

For small organizations, the same person almost invariably serves as the domain name registrant and the administrative contact. Thus, the Administrative Contact address and phone fields raise the same privacy concerns as those of the corresponding Registrant fields.

The NCUC does not seek to be inflammatory, but the harms raised by the forced collection and publication of personal information in data fields cannot be taken lightly. Such harms, as we outline in brief below, cannot be discounted or dismissed. Such harms include:
* Identity Theft
* Spamming and other Forms of Email and Phone Harassment
* Stalking
* Unwarranted Threats from Overly Broad Intellectual Property Claims
* Unwarranted Surveillance and Threats from Companies, Government, and Law
* Basic Violations of Personal Privacy

A. IDENTITY THEFT

Identity theft is a common and growing problem. It is the subject of considerable information and advice from consumer and government groups worldwide. The fundamental piece of advice for preventing identity theft remains: don't give out your personal information online. Yet registering a domain name, even for noncommercial community, requires the disclosure of exactly the type of personal data, such as name, address, phone and email, that we are urged not to give out online - and certainly not to allow to be published in global forms available to all. TF2 should use the change of WHOIS practices to remove, or allow the opting-out, of fields which assist Identity Theft.

B.
TELEMARKETING, SPAMMING AND OTHER FORMS OF EMAIL AND PHONE HARASSMENT

The global publication of email addresses and phone numbers creates the means for people to be harassed by phone and email: through crank calls, telemarketing, and especially spam. With the current publication of all elements, without any opting-out option, this information is freely available for any fraudulent or spamming entity to use and abuse. Revealing this information to the world should not be a condition of registering a domain name or posting expression online.

C. STALKING

One home address can lead to stalking and lead to death. Unfortunately, over a million people in the US have been stalked. One stalking website described the harsh reality: "High-profile cases of celebrities being stalked have raised the public's awareness to this crime. But the majority of stalking victims are ordinary people, mostly women, who are being pursued and threatened by someone with whom they have had a prior relationship. Approximately 80% of stalking cases involve women stalked by ex-boyfriends and former husbands."

One harsh example changed the way government agencies throughout the US deal with personal data, including home address and phone. Until the late 1990s, many Department of Motor Vehicles (DMVs) sold their driver's license data - including names and address provided as a condition of receiving a license. Robert Bard, a deranged fan of the young actress Rebecca Schaeffer, bought her address from the California DMV, stalked her and killed her. There are many descriptions of this story online. One is at: http://www.tvtome.com/tvtome/servlet/PersonDetail/personid?8786.

It would be easy to dismiss stalking as a problem outside the Internet and DNS were there not examples of the WHOIS data being used for stalking.
Some posted examples include:

1) "Because my information was listed on whois, a man who has been harassing me online for about a year, was able to get my home address, and telephone number and step up his harassment of me." Network Solutions Domain Name Registrant. Example provided by Brian Cute, NSI, at Tunisia WHOIS Workshop, http://www.icann.org/carthage/whois?workshop?agenda.htm.

2) "Bingo! After being stalked until I moved to a different state I can tell you that privacy is a major factor and that WHOIS should not be the criteria for customers need for accurate information regarding a business. I had a small home business (resume consulting and word processing - no walk in traffic) and had no problems with customers who screened me as well as I screened them. The phone book had only the city listed, as did the display ad, yet whois insisted on my home street address [emphasis added]. I had to put up tall fencing, security doors, bars on the windows and get guard dogs as a result of the stalking that was a direct result of whois. I now use a P.O. Box and have an unlisted number for my family and friends to use. ***** My personal and family privacy is a safety concern as well as the usual concerns. Anyone working from a SOHO has the same concerns. Personal safety and privacy are rights we count on and the expectation of preserving them is written in our US Constitution. I should not have to pay for a service to hide my information from the public. It should be automatically done. As long as the registrar has the information in its files, that is sufficient for those who have a (proven) legitimate need for it. If you don't want to do business with me, that's just fine. I'm not inviting you to my home, so you don't need my address."
by ldg on Thursday February 05 2004, @09:33PM (#12934) User #2935

The NCUC does not believe that noncommercial speakers should have to reveal their home address, and expose themselves and their families to dangers such as stalking as a condition of registering domain names and sharing noncommercial expression online. We note that, with the rise of easy access to reverse directories, the home phone number also provides access to home addresses, and raises the same privacy concerns as an address.

D. UNWARRANTED THREATS OF JAIL AND HEAVY FINES FROM OVERLY BROAD INTELLECTUAL PROPERTY ALLEGATIONS

Since the mid-1990s, with the rise of World Wide Web technology and greater knowledge of domain name registration, there have been conflicts over domain names, the extent of trademark law, and whether common words should be open to all (as they are in all other forms of speech) or favored for trademark owners. In the mid-1990s, Intellectual Property Attorneys, especially those with the big firms and representing large clients, found a new tool: the WHOIS data. Never before was it so easy to reach a small noncommercial organization, families, individuals, even children, at their home due to the availability of personal fields in the WHOIS data. This availability has led to flagrant abuse, with small noncommercial organizations and individuals receiving unsubstantiated and overbroad threats - made all the scarier by the letters being sent to the home.

"As a telecommunications and intellectual property attorney in the mid-1990s, I was amazed to see the horrible letters sent to domain name registrants at their homes. These letters often were (and sometimes still are) outside the bounds of professional conduct. Taking advantage of the big vs. little discrepancy, and sensing the vulnerability of a domain name registrant for a small organization reached at his/her home, these letters threatened ongoing harassment, litigation, triple damages and even jail.
Generally, the more threatening the letter, the less substantiated the claims, and some were downright reverse domain name hijacking. But people feel very scared by these letters." Kathryn Kleiman, Esq., Co-Founder of NCUC and Internet Law and Policy Attorney.

Unsubstantiated allegations by intellectual property owners involving domain names are so pervasive they have their own name: reverse domain name hijacking. ICANN defines this as: the "bad faith [to] attempt to deprive a registered domain-name holder of a domain name." Section 1, Definitions. Mere allegation of infringement or misuse should not require the disclosure of the domain name registrant's home address or phone number. No such disclosure is required for the publication of information by noncommercial organizations in any other communications medium, including newspapers, broadcasting or telephones. The NCUC submits that national and local law provide the due process mechanisms for when accusers can contact the accused. Such rules should be followed by ICANN, not circumvented by global WHOIS data element publication.

E. UNWARRANTED THREATS OF JAIL AND HEAVY FINES FROM COMPANIES, GOVERNMENT AND LAW ENFORCEMENT ACTING OUTSIDE OF LEGAL SCOPE AND LEGITIMATE NEED

Noncommercial organizations throughout the world regularly invite the wrath of corporations, governments and law enforcement by criticizing their actions. In some countries, corporate criticism is a daily practice of newspaper editors and broadcasters, but in other parts of the world it is practiced at great cost by those desperate to share information about corporate sweatshops, pollution, or bribery of governments (as a few examples). Similarly, in some countries, noncommercial organizations are chartered to openly and publicly criticize government officials and law enforcement practices.
These organizations openly lobby for civil liberties and due process, and take to court government officials and law enforcement officers who act illegally outside the scope of their office. In other countries, such criticism is not published openly, for fear of arrest, trial and treason. Instead, people will publish anonymously or under pen names, or even leave the country to share their concerns and impassioned pleas for help with the world. Such messages about government abuse can include torture, massacres, jailing of political dissidents, harsh suppression of protests on campuses, unfair laws, and failure of law enforcement to equally and fairly protect all (as a few examples).

To all the open and global publication of a registrant's name, address and phone as a condition of registering a domain name for human rights, political speech, and civil liberties discussion is a violation of principles worldwide that protect noncommercial and political speech. The United National Declaration of Human Rights, treaties, national and local laws protect such political criticism with high praise and anonymity. It seems unfair and fundamentally immoral to allow unlimited, unaccountable access to the information about human rights organizations, and other noncommercial political groups, based solely on the fact they have registered a domain name.

F. BASIC VIOLATIONS OF PERSONAL PRIVACY

Laws worldwide protect the collection, distribution and publication of personal data and give people a right to expect that their home addresses, phone numbers and email addresses will be protected. The EU Privacy Directive is the model of these laws, and its principles have been adopted by many countries (both members and not members of the EU). Citizens of these countries have the right to know that the protections of their national laws are being followed by registries and registrars in these countries. This is not the situation under the current WHOIS system today.

II.
Additional data in WHOIS exposes people to spam, deceptive marketing practices, and more.

WHOIS Data Elements of Concern: Group B: Additional Data Subject to Abuse and Misuse
- Registrant and Administrative Contact E-Mail address
- Registrant and Administrative Contact Fax number
- Creation Date
- Expiration Date

While not raising privacy concerns per se, these elements are subject to misuse, from spam to manipulative and fraudulent service office offerings. We think these fields would be better handled under the system we set forth in the section below.

III. Conclusion of Concerns Section

If Whois data remains fully accessible on a public and anonymous basis, we strongly favor the elimination of all personally identifiable contact data as a required element of Whois except for:
- Technical Contact Name
- Technical Contact Address
- Technical Contact E-Mail address
- Technical Contact Phone number
- Technical Contact Fax number

Other data elements containing contact information could be continued as voluntary elements; i.e., registrants would have the right to fill them out or leave them blank as desired.

We favor continued mandatory inclusion of the following data elements: Domain Status Domain Name ID Domain Name Registrar ID* Name of Registrar Name Server(s) Name Server ID*

Our recommendations are intended to return Whois to its original purpose as a technical coordination vehicle. We note that the best way to improve accuracy of the data is to provide privacy and security. Domain name registrants' incentives to provide accurate information will dramatically increase once they feel the information is secure.

If these data elements are not fully removed from the Whois database, NCUC favors immediate adoption of privacy protections for the WHOIS fields, and the creation of an "opt-out"
policy that allows a domain name registrant to fully understand and freely choose whether or not to allow his/her personal data to be published in worldwide directories and available anonymously in any form. These options would apply to all of the data elements we favor removing from the data elements above.

Accordingly, the NCUC calls upon TF2 to recommend solutions for the WHOIS data elements that:
- protect personal privacy
- protect the expression of noncommercial organizations
- protect political speakers
- protect personal and family speakers
- protect hobbyists
- protect academics

***************************************************************************************************************

Internet Service Provider and Connectivity Provider Constituency (ISPCP)
WHOIS STATEMENT
April 2004

Introduction

The ISPCP Constituency herein provides input to the three Whois Task Forces as required by ICANN by-laws. The ISPCP stresses the need for balanced policy that takes into consideration the interests of all stakeholders, and allows for the effective enforcement of civil and criminal laws while protecting registrant information from marketing or other illegitimate/illegal uses. This goal is the underlying theme running throughout the comments below. It is also consistent with commonly accepted tenets of privacy protections and laws throughout the world.

ISPCP Uses of Whois Data

1. to research and verify domain registrants that could vicariously cause liability for ISPs because of illegal, deceptive or infringing content.
2. to prevent or detect sources of security attacks of their networks and servers
3. to identify sources of consumer fraud, spam and denial of service attacks and incidents
4. to effectuate UDRP proceedings
5.
to support technical operations of ISPs or network administrators

Terms of Reference for Whois Task Forces

WHOIS Task Force 1
--Focused on restricting access to WHOIS data for marketing purposes
--Seeks to determine what contractual changes (if any) are needed to protect domain name holder data from data miners.
--What technological means are available to accommodate these possible contractual changes while simultaneously ensuring law enforcement, intellectual property, ISPs, and consumers continue to retrieve information necessary to perform their respective tasks

WHOIS Task Force 2
--Focused on reviewing WHOIS data collected and displayed to ensure accurate identification of registrants.
--Seeks to determine the best manner in which to inform registrants of what information is made publicly available when domain names are registered and options for restricting access
--Contemplates the ability of registrants to remove/shield certain parts of required contact information from anonymous, public access
--Furthering this is the need to determine what information may be removed, by whom, and what contractual changes are required to enable this.

WHOIS Task Force 3
--Focused on developing mechanisms to improve the quality of contact data that must be collected at the time of registration in accordance with the registrar accreditation agreement and the relevant registry agreement
--Related issues:
· Verification of data at time of registration
· Ongoing maintenance of data during registration period
· Protecting against deliberate submission of false information

ISPCP Position

Task Force 1 - Restricting Access to Whois Data

The ISPCP Constituency is in strong favor of limiting access to Whois data in respect of privacy concerns and does not see any legitimate purpose for access to bulk data for marketing purposes. ISPCP members spend tremendous resources to combat spam delivered through their networks and to their subscribers.
Even minimal use of Whois data for marketing should be prohibited and further steps should be taken to enforce current policy limiting such use. However, the ISPCP opposes the notion that Whois data is not intended for enforcement purposes and that private parties do not have legitimate need for ready and efficient access to the data.

The ISPCP Constituency proposes that in light of foregoing interests:
· In light of small and regional ISPs' reliance on Port 43 access, the ISPCP Constituency believes its use ought to be preserved at this time. However, its use should be strictly limited by non-technical means such as rate limiting. In the long term, we strongly discourage its continued use.
· A general agreement would be useful on the types of uses that are legitimate and should be continued.
· Any proposed solution should include such legitimate access, including Web based queries and be scalable.
· ICANN staff should undertake development of a uniform access policy that is enforced - in addition, compliance procedures for such a policy should be implemented.
· The ISPCP rejects the notion that the purpose of Whois data is not intended for tracking registrants that are in the business violating laws or deceiving end users and thus, should not be used for any purpose beyond technical reasons.

Task Force 2- Review of Data Collected and Displayed

The ISPCP Constituency is aware of the real and legitimate privacy concerns over the amount and type of data collected and displayed in Whois data. Registrants should be provided with a limited list of needs for which their data may be used, so as to help prevent the possibility of inadequate notice. The ISPCP further notes that for a very small fraction of registrants with legitimate political and free speech concerns, there should continue to be processes in place for proxy registrations where their data will be kept private and provided only upon a limited set of circumstances.
There have been many assertions that the current display of Whois data is not legal or proper under the laws of some regions, namely the EU. However, of the EU member states' ccTLD operators who submitted Task Force 2 responses, all have indicated that they work closely with their respective country's data protection authorities and are in full compliance with their respective privacy laws. Privacy concerns can further be alleviated by providing proper and adequate notice to all registrants, in a format that is conspicuous and highlights the disclosures within the registrant contract. In many regions it is a common legal requirement that data only be used for the purpose it was originally collected. By itemizing the legitimate needs for which one's data may be used, this requirement can be met.

The ISPCP Constituency proposes:
· That all elements continue to be collected and displayed, for those authorized to obtain access.
· That adequate and full disclosure must be provided regarding the uses of data, at the point of registration, and such requirement should be enforced.
· Anonymous gTLD registrations continue to be made allowed for individuals through current processes.
· The ISPCP supports the concept of tiered access as a principle, but is concerned with cost, enforcement and other practical implementation issues that must be clearly set forth prior to the implementation of such mechanism. The ISPCP will reserve final assessment on this principle until such time that a clearly defined and viable method is proposed.

Task Force 3 - Improving Accuracy of Collected Data

Finally, the ISPCP Constituency is quite concerned about the abundance of inaccurate and incomplete data. Such deficiencies significantly hinder ISPs' ability to identify and contact registrants. Thus, ISPs support ready access to accurate Whois data to facilitate resolution of network problems, sourcing of spam.
Further, ready access to accurate data is necessary for securing our networks and enforcing our acceptable use policies. Because of the heavy reliance by ISPs on registrants' data to facilitate future contact with the registrant for business issues, security and stability issues, intellectual property infringement and a myriad of other legal issues, accuracy is of the utmost importance. While automated verification software does exist, its accuracy and therefore its reliability on a global scale is suspect. Registrars should take multiple steps to ensure that the data they receive is accurate, and there should be some enforcement mechanism to ensure registrars' compliance. In addition, it would be useful for registrars to have a list of best practices that further help verify data and produce an accurate database.

The ISPCP Constituency proposes:
· The creation of a best practices document aimed to improve data verification, with the prospect of a global application.
· Registrars take increased and more uniform measures to verify accurate data. The ISPCP does not advocate removing all flexibility from current or future registrar practices, but some uniformity and compliance with best practices will net a more accurate database.
· ICANN staff should undertake a review of the current registrar contractual terms and determine whether they are adequate or need to be changed in order to encompass improved data accuracy standards and verification practices.

***************************************************************************************************************

GNSO Secretariat

Attachment:
RC_Statement_TF2.pdf