ICANN/GNSO GNSO Email List Archives


[dow2tf] Whois task force 2 Constituency position statements

  • To: "2DOW2tf" <dow2tf@xxxxxxxxxxxxxx>
  • Subject: [dow2tf] Whois task force 2 Constituency position statements
  • From: "GNSO SECRETARIAT" <gnso.secretariat@xxxxxxxxxxxxxx>
  • Date: Mon, 19 Apr 2004 22:47:29 +0200
  • Importance: Normal
  • Reply-to: <gnso.secretariat@xxxxxxxxxxxxxx>
  • Sender: owner-dow2tf@xxxxxxxxxxxxxx

WHOIS TASK FORCE 2
Constituency Position Statements:

1. At Large Advisory Committee (ALAC)
2. Intellectual Property Interests Constituency (IPC)
3. Commercial and Business Users Constituency (BC)
4. Non Commercial Users Constituency (NCUC)
5. Internet Service Providers and Connectivity Providers Constituency (ISPCP)
6. Registrars Constituency (attached in pdf format)

Policy proposal from ALAC on how to change
the data elements collected and displayed.

For your information, our input for Task Force 1 is also included.

Unless we specifically speak about registrars, our remarks apply to
registrar and to thick registry WHOIS systems alike.

At-Large Advisory Committee: http://alac.info/

Task Force 2: Data elements displayed and collected

   Policy proposal

	We recommend that the mandatory collection and display of
	personal information about registrants be reduced as far as
	possible.  What information is actually required for placing
	a domain name registration should be a matter of registrars'
	business models, and of applicable law, not of ICANN policy.


	We consider the removal of the following data elements from
	registrars' and registries WHOIS services (in a tiered
	model, from *all* tiers) a priority:

	- registrant name, address, e-mail address, and phone
	  number, unless registrant has requested that this
	  information be made available.

	- administrative contact name, address, e-mail address, and
	  phone number, unless registrant (or admin-c) has requested
	  that this information be made available.

	- Billing contact.  These data are traditionally not
	  published by registrars, but are included in many thick
	  registries' public WHOIS services.


	For the purposes of a tiered access system (see
	recommendations for task force 1), we would recommend that
	the following information be included in a public tier:

	- Registrar of record.
	- Name servers.
	- Status of domain name.

	- Contact data, if the data subject specifically requests
	  that these data be included in the public tier.

   Implementation remarks

	None.

   Rationale

	For personal registrations, the registrant, administrative
	contact, and billing contact data sets are most likely to
	concern sensitive information, such as the registrant's home
	address and phone number.

	We recognize that domain name registrations by online
	merchants often imply less privacy concerns; it has been
	argued that online merchants must make privacy information
	public in many jurisdictions.  We are confident that
	businesses will also follow these duties by requesting
	registrars to make contact information about them available
	publicly.  Conversely, if bad actors decide not to make
	contact information publicly available, that could actually
	make bad actors more easily recognizable, and provide
	consumers with a "red flag."

   Discussion of other proposals

   	At the WHOIS workshop in Rome, we have heard several
	lawyers praise the usefulness of registrant and other
	telephone numbers in WHOIS services.  That way, we were
	told, many cases could be settled by a single phone call.
	The easier the contact, we were told, the merrier.

	This argument is troubling: What we were hearing there is a
	request to ICANN to enable lawyers to make off the record
	contact with other parties to a dispute that may not have a
	lawyer readily available, and to make this contact in a way
	which makes it hard for the registrant to get legal counsel
	involved in early negotiations arising out of the dispute.

	Telephone numbers of registrant and administrative contacts
	should be *removed* from WHOIS services for precisely this
	reason: Forcing the non-registrant party to a dispute to
	open up that dispute by on-the-record means (e-mail, fax
	[not universally available], postal mail) ensures that
	registrants have an opportunity to retain legal counsel in
	these disputes, and to fully understand any claims made by
	the non-registrant party.  It also helps to avoid legal
	bluff and plain bullying.

	To summarize, it may be true that availability of phone
	numbers enables quick settlement.  But availability of phone
	numbers also favors situations in which these settlements
	are achieved by dubious means, to the detriment of the
	registrant.



Task Force 1: Access to data

   Policy proposal

	We recommend a simple two-tiered system.

	Tier 1 -- public access.  Users who access a future
	WHOIS-like system anonymously get access to non-sensitive
	information concerning a domain name registration, to be
	defined in detail by task force 2.

	Tier 2 -- authenticated access.  Users who want to access a
	more complete data set (to be defined in detail by task
	force 2) need to reliably identify themselves, and indicate
	the purpose for which they want to access the data.

	The identity of the data user and their purpose is recorded
	by registrars and registries, and made available to
	registrants when requested.  This information could be
	withheld for a certain amount of time if the data user is
	(1) a law enforcement authority that is (2) accessing the
	data for law enforcement purposes.

   Implementation remarks

	We do not recommend any particular implementation of this
	proposal, but note that "reliable identification" could be
	provided by commercially available SSL certificates.  In
	general, we would favor implementation of our proposal in a
	dedicated protocol (such as IRIS) over implementation
	through Web forms.

   Rationale

	The key aspect for deciding whether access to data gathered
	by registrars can be given to a third party is the purpose
	for which this data is going to be used.  Obviously,
	registrars have no way to verify the purpose for which WHOIS
	data is being accessed.

	The best heuristic we know of is to hold data users
	accountable for their activities, and to put enforcement of
	purpose limitations into the hands of registrants.  This can
	be achieved by reliably identifying data uses and putting
	their identity, contact information, and purpose indication
	in the hands of registrants.

	At the same time, a tiered system -- if implemented
	reasonably -- could preserve the ability of data users to
	automatically access WHOIS data in reasonable quantities.
	Registrars, on the other hand, would be enabled to limit the
	amount of data any particular party can access in a given
	interval of time.

	Identifying data users and their purposes would also enable
	registrars to comply with legal obligations to make this
	kind of information available to data subjects.

   Discussion of other proposals

	There have been suggestions that "automated access" could be
	used as a heuristic to determine illegitimate access.  In
	this scheme, automated access is blocked by attempting to
	require human attention with all queries.  One set of
	implementations of these kinds of tests is known as CAPTCHA.

	There is evidence that automated access is also being used
	for legitimate purposes; on the other hand, there is
	publicly available information on how CAPTCHA-like tests are
	being circumvented in other contexts.  The circumvention
	here is based on a fundamental design problem of CAPTCHAs.
	<http://boingboing.net/2004_01_01_archive.html#107525288693964966>

	One particularly popular CAPTCHA has been broken in academic
	more than a year ago, but is still being used by registrars.
	<http://www.cs.berkeley.edu/~mori/gimpy/gimpy.html>

	Accessibility problems posed by CAPTCHA-like tests are not
	fully understood by now; we note, though, that purely visual
	tests are insufficient from an accessibility point of view.
	<http://www.w3.org/TR/turingtest/>

	In conclusion, CAPTCHA tests address the wrong problem, and
	they address it badly.  We strongly recommend against going
	down this path.
****************************************************************************
Intellectual Property Interests Constituency Statement (IPC)

Whois Task Force 2

April 13, 2004

This statement responds to the issue identified in the purpose statement of
the terms of reference for Task Force 2, see
http://gnso.icann.org/issues/whois-privacy/tor2.shtml

The purpose of this task force is to determine:
a) What is the best way to inform registrants of what information about
themselves is made publicly available when they register a domain name and
what options they have to restrict access to that data and receive
notification of its use?

Based on the limited data which has been collected so far, IPC believes that
the effectiveness of notification to domain name registrants, and the
obtaining of their consent as required by the RAA Secs. 3.7.7.4, 3.7.7.5,
generally need improvement.

For example, obtaining specific consent on this issue from the registrant
during the registration process, separate from obtaining agreement to
extensive terms and conditions   for the registration in general, should be
encouraged.  Similarly, some registrars should be more specific and
forthright in communicating to registrants about the circumstances under
which Whois data is available to third parties.

ICANN should:
·	incorporate compliance with the notification and consent requirement as
part of its overall plan to improve registrar compliance with the RAA.  (See
MOU Amendment II.C.14.d).
·	issue an advisory reminding registrars of the importance of compliance
with this contractual requirement, even registrars operating primarily in
countries in which local law apparently does not require registrant consent
to be obtained.

IPC believes that registrars should take the lead in developing best
practices, with input from other interested constituencies, that will
improve the effectiveness of giving notice to, and obtaining consent from,
domain name registrants with regard to uses of registrant contact data.  IPC
would be glad to participate in such an effort.

b) What changes, if any, should be made in the data elements about
registrants that must be collected at the time of registration to achieve an
acceptable balance between the interests of those seeking contact-ability,
and those seeking privacy protection?

Based on the data collected so far, IPC does not think that any data element
currently collected by registrars about registrants should be eliminated.
IPC has identified certain data elements that may not be currently collected
(or at least are not currently displayed in response to Whois queries) but
whose inclusion would improve the usefulness of Whois data. These include:

·	chain of title information
·	date of initial registration
·	notice of encumbrances
·	date and method of last verification of registrant contact information*

*Although these additional desired data elements were identified in response
to the questionnaire sent by TF 2, IPC recognizes that action on them may
fall within the purview of TF 3.


c) Should domain name holders be allowed to remove certain parts of the
required contact information from anonymous (public) access, and if so, what
data elements can be withdrawn from public access, by which registrants, and
what contractual changes (if any) are required to enable this? Should
registrars be required to notify domain name holders when the withheld data
is released to third parties?

As a general matter, IPC does not support the suppression of public access
to any element of Whois data that is currently made public.  All such data
elements make a contribution to the promotion of transparency and
accountability in the domain name system.  To the contrary, ICANN should
consider requiring additional data elements already collected by registrars
(such as contact data for billing contacts) to be made available through
Whois.  It should also consider requiring the collection, and the public
availability, of certain data elements that may not be currently collected,
as outlined in response to the previous question.  Finally, it should make
the set of data elements that are made publicly available more uniform
across gTLDs.

Based on the limited data compiled so far, IPC supports further
consideration of two exceptions to the general principle stated above.

First, further research should be conducted on the use of "proxy
registration services" within the framework of Sec. 3.7.7.3 of the RAA,
including but not limited to the following issues:
·	the rate of uptake of such services, and consumer response to them;
·	what steps are taken to ensure that the registrar collects (or has
immediate access to) accurate, complete and current contact information on
all registrants taking advantage of such services;
·	the circumstances under which contact information of the actual registrant
is disclosed pursuant to the RAA provision (i.e., the "evidence of
actionable harm" scenario);
·	how registrants are notified when the withheld data is released to third
parties;
·	scalability of such services.

Second, further research should be conducted into the operation by certain
ccTLDs (e.g., .nl) of case-by-case mechanisms for the withholding of Whois
data on individual registrants who demonstrate special circumstances, and on
the feasibility of adapting such mechanisms to the gTLD environment.
****************************************************************************
INTERIM Business Constituency Position
-	Input to the GNSO Council task forces on WHOIS
-	April 2004

In order to provide input to all three Task Forces (TF) and provide a
broader statement from the Commercial and Business User Constituency
(hereafter Business Constituency or BC), we have consolidated our input into
a single document.


Members of the Business Constituency use the Internet to conduct business.
The Business Constituency is a constituency representing customers of
providers of connectivity, domain names, IP addresses, protocols and other
services related to electronic commerce in its broad sense. The BC
membership includes corporations, entrepreneurs, and associations.

The BC recognizes that the Internet is changing and evolving into a more
commercial and widely used communication mechanism, and that the
characteristics of the Internet users are also changing, over time. It is
generally agreed that more and more users are registering domain names for a
wider and wider variety of purposes.  As the user characteristics are
changing and the Internet is growing, it is important to keep in mind the
key issues of Internet stability.  The BC believes that accurate WHOIS data
is an essential element to that core value. In examining the possibility of
changes in the WHOIS, the BC believes that better mechanisms are needed to
ensure accurate WHOIS data, while balancing the needs of the full set of
stakeholders and affected parties.


Principles for the use of WHOIS
Striking a balance among concerns and needs of the different stakeholders
related to accuracy, reliability, access and privacy issues is the goal.
This is consistent with the OECD Guidelines on the Protection of Privacy and
Trans-border Data Flows of Personal Data, the international consensus, that
works to strike a balance between effective privacy protection and the free
flow of information.

Purposes of Business User access to WHOIS:
Business users access the WHOIS database to obtain registrant contact
information for the following reasons:
1.	to verify the availability of a name they might wish to register
2.	to thwart security attacks of their networks and servers
3.	to validate the legitimacy of a website for transactions
4.	to identify consumer fraud and cyber-scam incidents
5.	to undertake routine reviews to protect their brands
6.	to support UDRP and other infringement proceedings
7.	to combat spam.

The BC's guiding principles related to WHOIS are:

1.	Accuracy and access. Accuracy and access to accurate data are the top
priorities. Enforcement of accuracy requirements is essential.

2.	Use of data. It is key to find a balance between data use for legitimate
purposes and avoiding unwelcome or illegal use.

3.	Balance of Stakeholder needs. Any changes in access to WHOIS must be
balanced across the needs of all stakeholders and take into account the
costs to the registries/registrars  to maintain more complex systems, as
well as the burden on the legitimate users of WHOIS.

4.	Marketing. WHOIS data should never be used for marketing purposes. This
includes precluding the use of WHOIS data for marketing by the registry or
registrar other than for services that are directly applicable to
registration or other purposes that are not inconsistent with the original
purpose [see OECD Guidelines] or for which the registrant has explicitly
opted-in.

5.	Scope. The focus for now should be ensuring a consistent system of WHOIS
across generic top-level domain names. Any discussion of WHOIS policies that
might affect WHOIS within country-code domain names should be addressed
later and through the new Country Code Names Supporting Organisation.


Task Force One: What contractual changes, if any, are needed to protect
domain name holders from data mining for the purpose of marketing?

The BC notes:
Concerns arise from marketing use. The BC has previously stated that
marketing uses of WHOIS data should be prohibited.  The basis of much data
protection law is that data should only be used for the purpose directly
applicable to registration or other purposes that are not inconsistent with
the original purpose [see OECD Guidelines] or for which the registrant has
explicitly opted-in.

§	Spam.  Confusion exists today regarding whether and to what extent WHOIS
data is used for the development of Spam. Data indicates that the
involvement is small, but in any case, it is important to not allow
contamination of the issues relating to WHOIS by the issue of spam
prevention. Regardless of the limited degree of impact, mechanisms to limit
any use should be supported.

The BC therefore proposes:
§	Eliminate marketing. The BC believes that WHOIS data should never be used
for marketing purposes. This includes precluding the use of WHOIS data for
marketing by the registry or registrar, other than for services which are
directly applicable to registration or for which the registrant has
explicitly opted-in.

§	Limit access to Port 43 access. Although it does not appear that WHOIS is
a significant contributor to Spam, the BC supports the limitation on port 43
access (an Internet-based access used by registrars and others) to
discourage any use for that purpose.  Also, this will limit uses of port 43
for other marketing purposes.

§	Creation of a White list approach for "legitimate use". There are
legitimate uses of WHOIS, which should be supported, including uses
facilitated by bulk access. Such uses include research, creation of third
party value-added services, etc. The BC therefore supports the creation of a
list of legitimate uses, and recommends that such uses be limited  via
registry/registrar/third party contract when  bulk access is provided to
such third parties. Specific conditions as to use should be specified in the
contractual terms.

§	The BC therefore proposes that the examination of such a white list
process should be referred to Council for consideration as a policy
development process.


Task Force Two: data collection and display of data elements

The BC notes:
§	Privacy concerns: The question of whether and how WHOIS data should be
made public has been raised. It is unclear whether this question pertains to
a broadly held governmental concern with all WHOIS data or whether the
question relates to the narrow class of registrations by individuals with
privacy concerns.   In any case, the question of changing access to WHOIS
data is a current and important one.

§	Registrant Awareness of public access to WHOIS: The question has also been
raised about whether registrants are aware of what WHOIS data is and how it
is displayed and why  it is needed.

§	Segregation of registrants into categories presents problems of
definition. There have been discussions about the concept of segregating
registrants into different categories and having different requirements for
gathering and publishing WHOIS data, based on the user category.  The
determination of what category a registrant fits into is not a simple
determination, since, for example, individuals may register names for
speculation, business development, or for personal use. And the reality is
that the problems with consumer fraud, piracy, and trademark infringement
are typically perpetrated by individuals, who provide false registration
information, in order to avoid pursuit.

§	Differentiated or "tiered" Access by Authenticated Users: There has been
some limited discussion about creating a two tier approach to access and
requiring a WHOIS user to be approved or authenticated to have access to all
data.

§	Services which offer anonymity for registrants: Some have raised the issue
of providing a mechanism for individual anonymity for legitimate
individuals. Such mechanisms exist in telephony, where the telephony
provider receives accurate contact information and acts as the point of
contact for legitimate requests.  Alternatively, anonymous gTLD
registrations can be obtained by individuals through several mechanisms such
as registration through one's ISP.

§	Privacy and existing obligations: Although some entities have raised the
question of what privacy laws apply to WHOIS data, there is not a consistent
interpretation of law. A few countries have established that their privacy
laws apply to the display of country-code WHOIS data. Certain data privacy
entities have begun to ask what data privacy protections should apply.  Yet
many countries require businesses and NGOs to provide accurate information
when they apply for services such as a business license, tax exempt status,
inclusion in a directory, or trademarks.

§	All data elements are needed. BC members responding to the questionnaire
regarding data elements relied upon by business users indicated that all
data elements are used.  When some part of the elements are incomplete or
inaccurate it is even more important to have access to as many data elements
as possible.  This enables a thorough effort at contacting the registrant,
or in the case of consumer fraud, to support law enforcement.


§	Display of data elements: All data elements should be displayed, or at a
minimum accessible via an easy to use and validated process that would allow
access to an authenticated user.  However, this needs further and careful
examination. It is not acceptable to simply create broad categories of
"business" and "individual" without a recognition of the issues involving
the misuse of a special category.


The BC therefore proposes:
§	All existing data elements are needed. The BC recognises the continued
need for all the data elements that are available in WHOIS today.

§	Registrants should be informed: Fact based, neutral toned information
about WHOIS should be included in the registration process, and specific
acknowledgement/consent should be obtained at the time of registration.
Registrants should also be renotified when they renew their registration of
the importance of accurate and complete data.

§	Assessment of a differentiated access model should be undertaken:
Examination of the broad implications of establishing a differentiated
access model, including costs, broad impact on registrants and WHOIS users,
and taking into account CRISP and other emerging standards, should be a
community and Council priority. The development of such a change in WHOIS
will require a further PDP process.

§	Updated Information is needed to begin such a consideration: The Council
should be asked to support the briefing by all three  TFs by IETF on the
status of CRISP and any other emerging and relevant standards.


Task Force 3: Mechanisms to improve quality of contact data

The BC notes:
§	Accuracy because WHOIS is public communication. A domain name registration
in a TLD is a public form of communication, and as such, requires accurate
data for the WHOIS registry.

§	Accuracy because users need accurate data. The average Internet user,
whether business, government, NGO or individual, has an expectation of
accurate WHOIS information, which they then use to address legitimate
issues:  verifying the legitimacy of a web site, pursuing a network problem,
addressing IP infringement concerns,  calling for assistance from law
enforcement, etc.

§	Accuracy is important for individuals and organisations. The same concerns
about the need for accurate data are independent of the nature of the
registrant.  A non-statistical survey of BC members regarding the situations
they have experienced with trademark infringements, consumer fraud, and
network issues indicates that there are problems with individuals and with
organisations. However, none of the consumer fraud incidents encountered by
the well-known brand holders involved organisations. The five situations
examined all involved individuals who provided false information.
Discussions with law enforcement have and continue to evidence similar
problems with individuals.

§	Some examples of data authentication exist in other industries, including
financial services and in some of the ccTLDs.


The BC therefore proposes:

§	Best Practices are available from other sources: The BC recommends further
examination of best practices in authentication in other industries and from
selected ccTLDs.

§	Changes to the contracts are needed to ensure there is enforcement. The
requirement to provide accurate data is a part of the Registrar contract,
yet it appears that few registrars fulfill this requirement. The BC believes
that this must be enforced by ICANN while allowing flexibility in the way
registrars carry out this obligation. The previous WHOIS TF discussed the
development of graduated sanctions.  They also heard from several ccTLDs
with successful data verification practices. The BC calls for the
development of policy to evaluate a system of graduated sanctions.


Recommendation: more research is needed, and standards may offer solutions
to development of modifications to WHOIS.  Discussion of WHOIS is limited by
a lack of research which would allow fact based policy.  The ccTLD
registries also have significant experiences which could be better
understood and provide useful "understanding" to guide gTLD policy
development. The BC encourages the GNSO Council to seek current information
on both the CRISP project (on WHOIS standards undertaken by the Internet
Engineering Task Force) and any other relevant standards process, to examine
the role of these potential standards in providing a solution. The BC
recognizes that the cost of implementing changes in WHOIS must be analyzed
and understood as changes are considered. Changes in WHOIS should not become
an "unfunded mandate" upon registrars.


Footnote: The BC continues to discuss the WHOIS issues and  may provide
further comments or modifications to these positions after concluding an
ongoing internal process.

****************************************************************************
Noncommercial Users Constituency Comments
WHOIS Task Force 2
April 16, 2004

The Noncommercial Users Constituency (NCUC) represents the views of one of
the largest and most dynamic set of domain name registrants: the
noncommercial community, including human rights organizations, political and
civil liberties groups, libraries and archives, families, hobbyists,
technologists, universities and academics, and organizations bringing the
Internet and new technologies to developing countries.

We note the importance of our group as highlighted by W.G. Champion
Mitchell, chair and CEO of Network Solutions (the largest ICANN-accredited
registrar) to the ICANN Board in the public forum of the ICANN meeting in
Rome:  "I WOULD LIKE TO SPEAK WITH YOU, HOWEVER, AND TRY TO SPEAK WITH A
VOICE OF A CONSTITUENCY THAT IS NOT BEING HEARD TODAY, THE MOST IMPORTANT
CONSTITUENCY THAT EXISTS, THE ONE THAT I AM SURE YOU CARE ABOUT GREATLY, AND
I KNOW I CARE ABOUT GREATLY, AND THAT IS THE AVERAGE USER OF THE INTERNET
AND OF OUR SERVICES."

In analyzing the data elements of the WHOIS, and what data elements should
be removed and revised, it is critical for TF2 to consider closely the
concerns of those who are the domain name owners - those whose data is subject
to the use and abuse of the WHOIS database/directory.

The Noncommercial Users Constituency submits:

 1)  TF2 and ICANN must recognize the well established data protection
principle that the purpose of data and data collection processes must be
well defined before policies regarding its use and access can be
established. The purpose of Whois originally was identification of domain
owners for purposes of solving technical and operational problems.  See, for
example, comments of European Commission, Internal Marketing DG,
http://www.dnso.org/dnso/notes/ec-comments-whois-22jan03.pdf.  (The purpose
was *not* to provide law enforcement and other self policing interests with
a means of circumventing normal due process requirements for gaining access
to contact information.) None of the current Whois Task Forces are mandated
to revise the purpose of the Whois directory. Therefore, the original
technical and operational purpose of the WHOIS database/directory must be
assumed until and unless ICANN initiates a new policy development process to
change it.

2)	Under no circumstances (now or in the future) may the purposes of a tool
mandated by ICANN or maintained under the terms of an ICANN contract be
greater than the purpose of ICANN itself.  According to ICANN's recently
revised agreement with the US Department of Commerce, ICANN's purpose is
straight-forward:  "the technical management of the DNS."  Amendment 6 to
ICANN/DOC MOU, http://www.icann.org/general/amend6-jpamou-17sep03.htm.  The
WHOIS database/directory must exist, if at all, to serve no more than
technical and operational purposes within ICANN's scope of authority.

3)	ICANN has no legal or moral authority to preempt and supersede national
law national privacy protections accorded by many countries to their
citizens and residents. There are numerous countries with comprehensive
privacy laws in Europe and throughout the world.  The origin of many of
these privacy principles dates back to the human rights abuses of World War
II and the Holocaust.  That ICANN's contracts require collection and
disclosure of personal data in excess of national law is clear from the
comments of the European Commission, the Article 29 Data Protection Working
Party, and the International Working Group on Data Protection in
Telecommunications to TF2 and its predecessor.  In light of such clear
concern and opposition to the WHOIS data elements, ICANN must change its
practices to not conflict with closely-held and much-valued privacy laws and
principles.

4)	ICANN must stop putting ICANN-accredited registrars and thick registries
in an untenable position:  the need to comply with the ICANN-mandated
collection and disclosure of personal data of DN registrants vs. legal
obligations to comply with their country's laws and the laws of the country
in which the DN registrant is located.  Complaints are already being filed
against registrars in EU countries; EU data protection commissioners are
already contacting ccTLDs and gTLDs (e.g., .NAME) to change their registrant
collection and disclosure practices; and the Italian Data Protection
Authority?s Secretary-General made clear at the ICANN meeting in Rome that
he will begin serious enforcement of Italian Privacy Law not only against
Italy-based registrars and registries, but also in some cases, against
registrars and registries based outside of Italy, but working with the
registrants within Italy.  Registrars and registries must be allowed to
comply with national law regarding collection, disclosure and transborder
transfer of personal data absent superceding contractual obligations of
ICANN.

5)	ICANN must stay out of the battles over freedom of expression v.
intellectual property expansion online.  The NCUC submits that WHOIS was
never intended to be a list of all speakers or a single point for all
content policing.   Further, the laws of some countries, such as the US,
protect anonymous political and personal speech as a fundamental value of
open and democratic societies.  It is not for the ICANN community to
second-guess or supersede these values of free speech and freedom of
expression.

6)	No amount of secondary use of WHOIS data justifies setting aside
fundamental principles of freedom of expression and personal privacy as a
matter of ICANN policy or contract. Certainly intellectual property and law
enforcement are aided in having huge amounts of information regarding
content providers available instantaneously.  But so too are those engaged
in identity theft, stalking, abuse of intellectual property, law enforcement
illegalities, and other abuses (see further discussion below).  Both
intellectual property owners and law enforcement, for legitimate purposes,
have tremendous powers to command information under due process procedures;
what they need and are entitled to, they can legally and expeditiously
obtain.  But, the mere fact that a private data field, once disclosed, has
valuable secondary uses does not override a registrant's privacy and freedom
of expression rights.  By analogy, we note that millions of people around
the world routinely use digitized, copyrighted music files through
peer-to-peer networks (and feel justified in doing so, and that there is no
available substitute for their method of access).  However, in making public
policy on file-sharing, we do not simply take a public opinion poll of those
users. We take into consideration the existing legal rights of producers of
the music, and NCUC asserts that the same principle must be applied to the
WHOIS.

7)	Proxy services are not providing true protections for privacy or freedom
of expression.  Based on their own contractual provisions, they relinquish
personal data to requesters for a variety of reasons falling far short of
legal due process or court order.  Domain name registrants are entitled to
the full protection of their rights, including privacy and freedom of
expression, to the full extent under law.


Accordingly, and in light of the concerns, national laws and principles set
out above, the NCUC strongly urges WHOIS TF2 and ICANN to:

1)	Remove from the WHOIS database/directory those data elements that
identify the registrant directly, namely:  Registrant and Administrative
Contact (which for small organizations, families, individuals, and many
others, is the same as the registrant).

2)	Remove from the Registrar Accreditation Agreement requirements that
Registrars must collect registrant and administrative contact data,
including name, address, phone and email.  (Accordingly, ICANN must revise
and eliminate sections of the Registrar Accreditation Agreement (RAA),
including 3.7.7.1 which requires collection by Registrars of "accurate and
reliable contact details and promptly correct and update them during the
term of the Registered Name registration, including: the full name, postal
address, e-mail address, voice telephone number, and fax number if available
of the Registered Name Holder.")

3)	Remove from the Registrar Accreditation Agreement requirements that
Registrars must publish registrant and administrative contact data,
including name, address, phone and email.  (Accordingly, ICANN must revise
and eliminate sections of the RAA, including Section 3.3 "Public Access to
Data on Registered Names" which requires publication by Registrars of "an
interactive web page and a port 43 Whois service providing free public
query-based access to up-to-date (i.e., updated at least daily) data
concerning all active Registered Names sponsored by Registrar for each TLD
in which it is accredited," including the registrant and administrative
contact fields.)

4)	Remove from the Registrar Accreditation Agreement requirements that
Registrars serving as proxies, and thereby providing privacy for domain name
registrants, must disclose the registrant and administrative contact data
for reasons falling far short of legal due process (e.g., threats against
the registrant or to the registry or registrar) or the registrars will be
deemed to assume liability for the speech and expression of the registrant
using the domain name.  (Accordingly, ICANN must revise and eliminate
sections of the RAA, including 3.7.7.3, which requires registrars acting as
proxies to "accept liability for harm caused by wrongful use of the
Registered Name, unless it promptly discloses the identity of the licensee
to a party providing the Registered Name Holder reasonable evidence of
actionable harm.")

5)	Limit operation of the WHOIS database/directory to the bounds of ICANN's
technical mandate.  Accordingly, the NCUC sets out the following new WHOIS
database/directory listing of selected existing and new fields:  technical
contact, registry [new field], registrar [new field], name servers of the
registrant, creation and expiration date of the domain name.

Appendix:
Sections of NCUC comments regarding abuses of WHOIS data
Submitted February 2004 to TF2, in its data gathering phase

The Noncommercial Users Constituency (NCUC) has tremendous concerns with the
collection of many WHOIS data elements. We are concerned about making
contact information available unconditionally and anonymously to the public,
companies, and governments without accountability, auditability or due
process.  Such a requirement is contrary to national law and policy. NCUC
calls on Whois Task Force 2 to correct the situation by reforming WHOIS to
better protect privacy and freedom of expression.

We address the data elements of concern below, and offer an array of reasons
for the harm and threat their complete and full disclosure may pose to
domain name registrants in the noncommercial community.

I.  Personal WHOIS Data Reveal Peoples' Homes and Families

WHOIS Data Elements of Concern:
	Group A: Personal Data
	Registrant Name
	Registrant Address
	Registrant Phone Number
	Registrant Email
	Administrative Contact Address
	Administrative Contact Phone Number
	Administrative Contact Email

	For small organizations, the same person almost invariably serves as the
domain name registrant and the administrative contact. Thus, the
Administrative Contact address and phone fields raise the same privacy
concerns as those of the corresponding Registrant fields.

	The NCUC does not seek to be inflammatory, but the harms raised by the
forced collection and publication of personal information in data fields
cannot be taken lightly.  Such harms, as we outline in brief below, cannot
be discounted or dismissed.  Such harms include:
* Identity Theft
* Spamming and other Forms of Email and Phone Harassment
* Stalking
* Unwarranted Threats from Overly Broad Intellectual Property Claims
* Unwarranted Surveillance and Threats from Companies, Government, and Law
* Basic Violations of Personal Privacy

	A. IDENTITY THEFT

	Identity theft is a common and growing problem.  It is the subject of
considerable information and advice from consumer and government groups
worldwide.  The fundamental piece of advice for preventing identity theft
remains: don't give out your personal information online.

	Yet registering a domain name, even for the noncommercial community, requires
the disclosure of exactly the type of personal data, such as name, address,
phone and email, that we are urged not to give out online - and certainly
not to allow to be published in global forms available to all.

	TF2 should use the change of WHOIS practices to remove, or allow the
opting-out, of fields which assist Identity Theft.

	B.   TELEMARKETING, SPAMMING AND OTHER FORMS OF EMAIL AND PHONE HARASSMENT

	The global publication of email addresses and phone numbers creates the
means for people to be harassed by phone and email: through crank calls,
telemarketing, and especially spam.   With the current publication of all
elements, without any opting-out option, this information is freely
available for any fraudulent or spamming entity to use and abuse.  Revealing
this information to the world should not be a condition of registering a
domain name or posting expression online.

	C.  STALKING

	One home address can lead to stalking and lead to death.  Unfortunately,
over a million people in the US have been stalked.  One stalking website
described the harsh reality:

"High-profile cases of celebrities being stalked have raised the public's
awareness to this crime. But the majority of stalking victims are ordinary
people, mostly women, who are being pursued and threatened by someone with
whom they have had a prior relationship. Approximately 80% of stalking cases
involve women stalked by ex-boyfriends and former husbands."

One harsh example changed the way government agencies throughout the US deal
with personal data, including home address and phone.  Until the late 1990s,
many Department of Motor Vehicles (DMVs) sold their driver's license data -
including names and address provided as a condition of receiving a license.
Robert Bard, a deranged fan of the young actress Rebecca Schaeffer, bought
her address from the California DMV, stalked her and killed her.  There are
many descriptions of this story online. One is at:
http://www.tvtome.com/tvtome/servlet/PersonDetail/personid?8786.


	It would be easy to dismiss stalking as a problem outside the Internet and
DNS were there not examples of the WHOIS data being used for stalking.  Some
posted examples include:

	1)	"Because my information was listed on whois, a man who has been
harassing me online for about a year, was able to get my home address, and
telephone number and step up his harassment of me."  Network Solutions
Domain Name Registrant.  Example provided by Brian Cute, NSI, at Tunisia
WHOIS Workshop, http://www.icann.org/carthage/whois?workshop?agenda.htm.

	2)	"Bingo! After being stalked until I moved to a different state I can
tell you that privacy is a major factor and that WHOIS should not be the
criteria for customers need for accurate information regarding a business. I
had a small home business (resume consulting and word processing - no walk
in traffic) and had no problems with customers who screened me as well as I
screened them. The phone book had only the city listed, as did the display
ad, yet whois insisted on my home street address [emphasis added]. I had to
put up tall fencing, security doors, bars on the windows and get guard dogs
as a result of the stalking that was a direct result of whois. I now use a
P.O. Box and have an unlisted number for my family and friends to use. *****
My personal and family privacy is a safety concern as well as the usual
concerns. Anyone working from a SOHO has the same concerns. Personal safety
and privacy are rights we count on and the expectation of preserving them is
written in our US Constitution. I should not have to pay for a service to
hide my information from the public. It should be automatically done. As
long as the registrar has the information in its files, that is sufficient
for those who have a (proven) legitimate need for it. If you don't want to do
business with me, that's just fine. I'm not inviting you to my home, so you
don't need my address."
		by ldg on Thursday February 05 2004, @09:33PM (#12934)
		User #2935

	The NCUC does not believe that noncommercial speakers should have to reveal
their home address, and expose themselves and their families to dangers such
as stalking as a condition of registering domain names and sharing
noncommercial expression online.

	We note that, with the rise of easy access to reverse directories, the home
phone number also provides access to home addresses, and raises the same
privacy concerns as an address.
	D. UNWARRANTED THREATS OF JAIL AND HEAVY FINES FROM OVERLY BROAD
INTELLECTUAL PROPERTY ALLEGATIONS

	Since the mid-1990s, with the rise of World Wide Web technology and greater
knowledge of domain name registration, there have been conflicts over domain
names, the extent of trademark law, and whether common words should be open
to all (as they are in all other forms of speech) or favored for trademark
owners.

	In the mid-1990s, Intellectual Property Attorneys, especially those with
the big firms and representing large clients, found a new tool: the WHOIS
data.  Never before was it so easy to reach a small noncommercial
organization, families, individuals, even children, at their home due to the
availability of personal fields in the WHOIS data.  This availability has
led to flagrant abuse, with small noncommercial organizations and
individuals receiving unsubstantiated and overbroad threats - made all the
scarier by the letters being sent to the home.

	"As a telecommunications and intellectual property attorney in the
mid-1990s, I was amazed to see the horrible letters sent to domain name
registrants at their homes.  These letters often were (and sometimes still
are) outside the bounds of professional conduct.  Taking advantage of the
big vs. little discrepancy, and sensing the vulnerability of a domain name
registrant for a small organization reached at his/her home, these letters
threatened ongoing harassment, litigation, triple damages and even jail.
Generally, the more threatening the letter, the less substantiated the
claims, and some were downright reverse domain name hijacking.  But people
feel very scared by these letters."  Kathryn Kleiman, Esq., Co-Founder of
NCUC and Internet Law and Policy Attorney.

	Unsubstantiated allegations by intellectual property owners involving
domain names are so pervasive they have their own name: reverse domain name
hijacking.  ICANN defines this as: the "bad faith [to] attempt to deprive a
registered domain-name holder of a domain name."  Section 1, Definitions.

	Mere allegation of infringement or misuse should not require the disclosure
of the domain name registrant's home address or phone number.  No such
disclosure is required for the publication of information by noncommercial
organizations in any other communications medium, including newspapers,
broadcasting or telephones.   The NCUC submits that national and local law
provide the due process mechanisms for when accusers can contact the
accused.  Such rules should be followed by ICANN, not circumvented by global
WHOIS data element publication.

E.  UNWARRANTED THREATS OF JAIL AND HEAVY FINES FROM COMPANIES, GOVERNMENT
AND LAW ENFORCEMENT ACTING OUTSIDE OF LEGAL SCOPE AND LEGITIMATE NEED

	Noncommercial organizations throughout the world regularly invite the wrath
of corporations, governments and law enforcement by criticizing their
actions.  In some countries, corporate criticism is a daily practice of
newspaper editors and broadcasters, but in other parts of the world it is
practiced at great cost by those desperate to share information about
corporate sweatshops, pollution, or bribery of governments (as a few
examples).

	Similarly, in some countries, noncommercial organizations are chartered to
openly and publicly criticize government officials and law enforcement
practices.  These organizations openly lobby for civil liberties and due
process, and take to court government officials and law enforcement officers
who act illegally outside the scope of their office.  In other countries,
such criticism is not published openly, for fear of arrest, trial and
treason. Instead, people will publish anonymously or under pen names, or
even leave the country to share their concerns and impassioned pleas for
help with the world.  Such messages about government abuse can include
torture, massacres, jailing of political dissidents, harsh suppression of
protests on campuses, unfair laws, and failure of law enforcement to equally
and fairly protect all (as a few examples).

	To all the open and global publication of a registrant's name, address and
phone as a condition of registering a domain name for human rights,
political speech, and civil liberties discussion is a violation of
principles worldwide that protect noncommercial and political speech.  The
United Nations Declaration of Human Rights, treaties, national and local
laws protect such political criticism with high praise and anonymity.  It
seems unfair and fundamentally immoral to allow unlimited, unaccountable
access to the information about human rights organizations, and other
noncommercial political groups, based solely on the fact they have
registered a domain name.

F.	BASIC VIOLATIONS OF PERSONAL PRIVACY

	Laws worldwide protect the collection, distribution and publication of
personal data and give people a right to expect that their home addresses,
phone numbers and email addresses will be protected.  The EU Privacy
Directive is the model of these laws, and its principles have been adopted
by many countries (both members and not members of the EU).   Citizens of
these countries have the right to know that the protections of their
national laws are being followed by registries and registrars in these
countries.   This is not the situation under the current WHOIS system today.

II.  Additional data in WHOIS exposes people to spam, deceptive marketing
practices, and more.

	WHOIS Data Elements of Concern:
	Group B: Additional Data Subject to Abuse and Misuse
	Registrant and Administrative Contact E-Mail address
	Registrant and Administrative Contact Fax number
	Creation Date
	Expiration Date

 While not raising privacy concerns per se, these elements are subject to
misuse, from spam to manipulative and fraudulent service office offerings.
We think these fields would be better handled under the system we set forth
in the section below.

III.	 Conclusion of Concerns Section

If Whois data remains fully accessible on a public and anonymous basis, we
strongly favor the elimination of all personally identifiable contact data
as a required element of Whois except for:

Technical Contact Name
Technical Contact Address
Technical Contact E-Mail address
Technical Contact Phone number
Technical Contact Fax number

Other data elements containing contact information could be continued as
voluntary elements; i.e., registrants would have the right to fill them out
or leave them blank as desired.

We favor continued mandatory inclusion of the following data elements:

Domain Status
Domain Name ID
Domain Name
Registrar ID*
Name of Registrar
Name Server(s)
Name Server ID*

Our recommendations are intended to return Whois to its original purpose as
a technical coordination vehicle. We note that the best way to improve
accuracy of the data is to provide privacy and security. Domain name
registrants' incentives to provide accurate information will dramatically
increase once they feel the information is secure.

If these data elements are not fully removed from the Whois database, NCUC
favors immediate adoption of privacy protections for the WHOIS fields, and
the creation of an "opt-out" policy that allows a domain name registrant to
fully understand and freely choose whether or not to allow his/her personal
data to be published in worldwide directories and available anonymously in
any form. These options would apply to all of the data elements we favor
removing from the data elements above.

Accordingly, the NCUC calls upon TF2 to recommend solutions for the WHOIS
data elements that:
	- protect personal privacy
	- protect the expression of noncommercial organizations
	- protect political speakers
	- protect personal and family speakers
	- protect hobbyists
	- protect academics
****************************************************************************
***********************************
Internet Service Provider and Connectivity Provider Constituency (ISPCP)
WHOIS STATEMENT
April 2004

Introduction
The ISPCP Constituency herein provides input to the three Whois Task Forces
as required by ICANN by-laws.  The ISPCP stresses the need for balanced
policy that takes into consideration the interests of all stakeholders, and
allows for the effective enforcement of civil and criminal laws while
protecting registrant information from marketing or other
illegitimate/illegal uses.  This goal is the underlying theme running
throughout the comments below.  It is also consistent with commonly accepted
tenets of privacy protections and laws throughout the world.

ISPCP Uses of Whois Data

1.	to research and verify domain registrants that could vicariously cause
liability for ISPs because of illegal, deceptive or infringing content.
2.	to prevent or detect sources of security attacks of their networks and
servers
3.	to identify sources of consumer fraud, spam and denial of service attacks
and incidents
4.	to effectuate UDRP proceedings
5.	to support technical operations of ISPs or network administrators

Terms of Reference for Whois Task Forces


WHOIS Task Force 1
--Focused on restricting access to WHOIS data for marketing purposes
--Seeks to determine what contractual changes (if any) are needed to protect
domain name holder data from data miners.
--What technological means are available to accommodate these possible
contractual changes while simultaneously ensuring law enforcement,
intellectual property, ISPs, and consumers continue to retrieve information
necessary to perform their respective tasks


WHOIS Task Force 2
--Focused on reviewing WHOIS data collected and displayed to ensure accurate
identification of registrants.
--Seeks to determine the best manner in which to inform registrants of what
information is made publicly available when domain names are registered and
options for restricting access
--Contemplates the ability of registrants to remove/shield certain parts of
required contact information from anonymous, public access
--Furthering this is the need to determine what information may be removed,
by whom, and what contractual changes are required to enable this.


WHOIS Task Force 3
--Focused on developing mechanisms to improve the quality of contact data
that must be collected at the time of registration in accordance with the
registrar accreditation agreement and the relevant registry agreement
--Related issues:
·	Verification of data at time of registration
·	Ongoing maintenance of data during registration period
·	Protecting against deliberate submission of false information

ISPCP Position

Task Force 1 - Restricting Access to Whois Data

The ISPCP Constituency is in strong favor of limiting access to Whois data
in respect of privacy concerns and does not see any legitimate purpose for
access to bulk data for marketing purposes.  ISPCP members spend tremendous
resources to combat spam delivered through their networks and to their
subscribers.  Even minimal use of Whois data for marketing should be
prohibited and further steps should be taken to enforce current policy
limiting such use.  However, the ISPCP opposes the notion that Whois data is
not intended for enforcement purposes and that private parties do not have
legitimate need for ready and efficient access to the data.

The ISPCP Constituency proposes that in light of foregoing interests:

·	In light of small and regional ISPs' reliance on Port 43 access, the ISPCP
Constituency believes its use ought to be preserved at this time. However,
its use should be strictly limited by non-technical means such as rate
limiting.  In the long term, we strongly discourage its continued use.
·	A general agreement would be useful on the types of uses that are
legitimate and should be continued.
·	Any proposed solution should include such legitimate access, including Web
based queries and be scalable.
·	ICANN staff should undertake development of a uniform access policy that
is enforced - in addition, compliance procedures for such a policy should be
implemented.
·	The ISPCP rejects the notion that the purpose of Whois data is not
intended for tracking registrants that are in the business of violating laws or
deceiving end users and thus, should not be used for any purpose beyond
technical reasons.

Task Force 2- Review of Data Collected and Displayed

The ISPCP Constituency is aware of the real and legitimate privacy concerns
over the amount and type of data collected and displayed in Whois data.
Registrants should be provided with a limited list of needs for which their
data may be used, so as to help prevent the possibility of inadequate
notice. The ISPCP further notes that for a very small fraction of
registrants with legitimate political and free speech concerns, there should
continue to be processes in place for proxy registrations where their data
will be kept private and provided only upon a limited set of circumstances.

There have been many assertions that the current display of Whois data is
not legal or proper under the laws of some regions, namely the EU.  However,
of the EU member states' ccTLD operators who submitted Task Force 2
responses, all have indicated that they work closely with their respective
country's data protection authorities and are in full compliance with their
respective privacy laws.

Privacy concerns can further be alleviated by providing proper and adequate
notice to all registrants, in a format that is conspicuous and highlights
the disclosures within the registrant contract.  In many regions it is a
common legal requirement that data only be used for the purpose it was
originally collected.  By itemizing the legitimate needs for which one's
data may be used, this requirement can be met.

The ISPCP Constituency proposes:

·	That all elements continue to be collected and displayed, for those
authorized to obtain access.
·	That adequate and full disclosure must be provided regarding the uses of
data, at the point of registration, and such requirement should be enforced.
·	Anonymous gTLD registrations continue to be allowed for individuals
through current processes.
·	The ISPCP supports the concept of tiered access as a principle, but is
concerned with cost, enforcement and other practical implementation issues
that must be clearly set forth prior to the implementation of such
mechanism.  The ISPCP will reserve final assessment on this principle until
such time that a clearly defined and viable method is proposed.


Task Force 3 - Improving Accuracy of Collected Data

Finally, the ISPCP Constituency is quite concerned about the abundance of
inaccurate and incomplete data.  Such deficiencies significantly hinder ISPs'
ability to identify and contact registrants.    Thus, ISPs support ready
access to accurate Whois data to facilitate resolution of network problems,
sourcing of spam.  Further, ready access to accurate data is necessary for
securing our networks and enforcing our acceptable use policies.

Because of the heavy reliance by ISPs on registrants' data to facilitate
future contact with the registrant for business issues, security and
stability issues, intellectual property infringement and a myriad of other
legal issues, accuracy is of the utmost importance.

While automated verification software does exist, its accuracy and therefore
its reliability on a global scale is suspect.  Registrars should take
multiple steps to ensure that the data they receive is accurate, and there
should be some enforcement mechanism to ensure registrars' compliance.  In
addition, it would be useful for registrars to have a list of best practices
that further help verify data and produce an accurate database.

The ISPCP Constituency proposes:

·	The creation of a best practices document aimed to improve data
verification, with the prospect of a global application.
·	Registrars take increased and more uniform measures to verify accurate
data.  The ISPCP does not advocate removing all flexibility from current or
future registrar practices, but some uniformity and compliance with best
practices will net a more accurate database.
·	ICANN staff should undertake a review of the current registrar contractual
terms and determine whether they are adequate or need to be changed in order
to encompass improved data accuracy standards and verification practices.
****************************************************************************
***********************************

GNSO Secretariat








Attachment: RC_Statement_TF2.pdf
Description: Adobe PDF document


