RE: [dow2tf] Whois tf 2: Draft section 2.4
TF2 participants,

With apologies for tardiness here is a draft of section 2.4 of the findings (re: collection of data) in text form and attached as a Word document.

Steve Metalitz

DRAFT 5/17/04 am

2.4 Collection of Data

Through the use of questionnaires to which constituencies and members of the public were invited to respond, the Task Force attempted to determine whether there was any consensus on the elimination or expansion of the existing data elements that are collected and disclosed via Whois. The responses do not indicate any such consensus. Some respondents called for a drastic reduction in the number of data elements; some respondents called for additional data elements to be collected and made available; others expressed satisfaction with the status quo.

Accordingly, the Task Force proposes the following conclusions on the issues identified in Task/Milestone 2 of the Task Force 2 Description of Work:

* all of the data elements now collected are considered by at least some constituencies to be necessary for current and foreseeable needs of the community, though others dispute this;
* the Task Force deferred to Task Force 3 on the issue of whether Whois data can be acquired accurately at low cost;
* there was no consensus about whether any of the current elements should be made voluntary;
* some additional data elements were proposed, but questions were raised about whether some of these (e.g., date and method of last verification of data) fell within the purview of TF3 rather than TF 2;
* no issues were raised about how the data may be acquired in compliance with applicable security, and stability considerations.

While some view the acquisition of this data as raising privacy concerns, there was no consensus on this point, and the Task Force devoted more of its time and resources to discussing the issues raised in Tasks/Milestones 3 and 4 (limiting data made available for public access/existing and future options to maintain registrant anonymity).

-----Original Message-----
From: owner-dow2tf@xxxxxxxxxxxxxx [mailto:owner-dow2tf@xxxxxxxxxxxxxx] On Behalf Of GNSO SECRETARIAT
Sent: Monday, May 17, 2004 1:13 AM
To: 2DOW2tf
Subject: [dow2tf] Whois tf 2: Publication of data 2.5

Kathy Kleiman contribution - plain text

Publication of Data 2.5 Findings

The topic of publication of data received considerable attention in TF2. Originally published for technical and operational purposes, the 20-year-old WHOIS protocol has developed a range of secondary uses (outlined below). Once limited to the information of research and technical institutions in a small and limited network, the data -- including registrant name, address, phone and email -- originally invoked no privacy concerns, but today raises the specter of privacy and freedom of expression infringement (outlined below).

One topic the TF addressed and did not answer was the purpose of the database. Our mandate was to balance contactability and privacy, which we have tried to do. We leave to another PDP process the knotty question of the ultimate purposes of this database, and whether and how they can change.

Findings:

1. WHOIS data continues to serve a host of technical and operational functions for Registries and Registrars. Transfers and other technical processes require the ability to access, verify and transfer WHOIS data.

2. WHOIS data includes personal and sensitive data of the type that people are generally allowed to limit and control in other mediums (such as address and phone in an unlisted phone number, and the control over secondary uses given to owners of personal data in European countries and other countries with comprehensive data protection legislation). Such personal data is found in the registrant, administrative contact and technical contact fields.

3. Publication of data serves a host of secondary purposes, including combating spam, policing trademarks and copyrights, availability/offers for domain names and checking registration data of a domain name by its owner.

4. Publication of WHOIS data raises a host of privacy problems, including identity theft, telemarketing, spamming and other forms of email and telephone harassment, stalking, abuse and harassment by groups acting outside of normal scope and legal need.

5. Publication of all WHOIS data to the world for access on an anonymous basis does not serve the balance of contactability and privacy.

6. Data requesters want timely, even immediate, responsiveness to their requests for personal/sensitive data. Data subjects (domain name holders) want timely, even immediate, notification when their personal/sensitive data is requested and revealed to a third party.

Possible Balances:

While (as of this writing) TF2 has not come to a final decision regarding which Tiered Access model to recommend, several models were submitted in Constituency statements. The Registries recommended that only General Information be provided in the WHOIS (which is technical data without registrant, administrative contact or technical contact information). The Registrars recommended a 3-tiered system with limited information in the public WHOIS (name/country of registrant, administrative contact and technical contact) and technical data; additional information at a screened-access second tier (name/address of registrant, administrative contact and technical contact) and all data displayed for technical purposes by registries and registrars. Noncommercial Users Constituency called for publication of technical contact data in the WHOIS, but removal of all registrant and administrative contact fields. ALAC also requested removal of all personally identifying information, but asked as an alternative for notification of the domain name holder when his/her personal data was revealed.

A compromise proposal submitted to the TF called for a combination of the elements above: reduction of data available to the public for anonymous and unlimited access; additional but limited contact information provided to a party who can verify his/her/its identity and state a specific reason for the access to the particular domain name data; confirmation and then release of data via an automated process; immediate notification of the domain name holder by email of the release of personal data (allowing domain name holder to act for personal safety (e.g., data released to stalker) or enforce legal rights).

Publication of Data 3.5 Recommendations:

1. Personal data should not be public in the public WHOIS database (available on an anonymous basis).

2. We believe a tiered access model can be developed that supports privacy and contactability. We believe such a model should be affordable, scalable, provide timely responses to those requesting data (who meet the criteria) and provide timely notification of release of data to domain name holders (subject to appropriate law enforcement exceptions).

3. Registrars and Registries should continue to have full access to the WHOIS data for technical and operational purposes.

4. The model to emerge should take into consideration the most closely-held concerns of data users and data subjects, and those who protect their legal rights. Data users want contact data for domain name holders, especially during pending legal investigations of a technical nature (such as spoofing or spamming). Data subjects (domain name holders) want personal/sensitive data provided only on an as-needed and individual basis, and not in unlimited form to a predetermined group of data requesters. Data protection officials are concerned that overly broad reach into the data without accountability and with broad searching capabilities (e.g., wildcards) will be privacy-intrusive, disproportionate and provide a general presumption of guilt.

Attachment: Domain Names Whois TF 2 DRAFT collection of data findings sjm 051704.doc