ICANN/GNSO GNSO Email List Archives

[ispcp]


<<< Chronological Index >>>    <<< Thread Index >>>

[ispcp] SECRETARIAT: ISPCP Position on WHOIS Notification and Consent

  • To: <ispcp@xxxxxxxxx>
  • Subject: [ispcp] SECRETARIAT: ISPCP Position on WHOIS Notification and Consent
  • From: "Mark McFadden" <mcf@xxxxxxx>
  • Date: Thu, 21 Apr 2005 16:45:53 -0500
  • Cc: <mcf@xxxxxxx>
  • Organization: University of Wisconsin - Milwaukee
  • Reply-to: <mcf@xxxxxxx>
  • Sender: owner-ispcp@xxxxxxxxxxxxxx
  • Thread-index: AcVGu3oIjx2ISlv0T1uBr8kWCGtkPw==

All:

The attached document is proposed as the ISPCP statement on the
recommendations concerning improvements to notification and consent and
whois. The Secretariat encourages comment on this response to the ISPCP
mailing list. If consensus is reached on the list, this document will be
forwarded to the gNSO as the position of the ISPCP community on Monday at
1200 CST (1800 UTC).

Thank you,

Mark McFadden
ISPCP Secretariat 
  _____  


Recommendations relating to improving notification and consent for the use
contact data in the WHOIS system


 

 

 

1.        Registrars must ensure that disclosures regarding availability and
third-party access to personal data associated with domain names actually be
presented to registrants during the registration process.  Linking to an
external web page is not sufficient.

 

The ISPCP constituency supports this recommendation, as it is a key factor
to provide understanding of  the registrant as to the treatment that his/her
data will be subject to. If this can be accomplished during the registration
process, instead of through reading "fine print" after the registration has
been concluded, it would appear to be a sound business practice, and
conducive to transparency with regards to personal data manipulation.
Pointing the registrant to a webpage is not a good solution, as the
registrant may waive this option in the hurry to complete his/her
registration, perhaps failing to pay adequate attention to the notice.

 

2.        Registrars must ensure that these disclosures are set aside from
other provisions of the registration agreement if they are presented to
registrants together with that agreement.  Alternatively, registrars may
present data access disclosures separate from the registration agreement.
The wording of the notice provided by registrars should, to the extent
feasible, be uniform.

 


The ISPCP constituency has no problem with either alternative, and supports
the necessity of some form of 'highlighting" this notice, in a way that
ensures it cannot go unnoticed by the registrant. The wording of the notice
could perhaps be incorporated into the RAA to ensure uniformity across all
registrars. Although these recommendations are not targetted to the subject
of accuracy, perhaps the 'enhanced' notice to registrants could
simultaneously stress the need to supply accurate data to the registrar? The
collection of complete and accurate data, independently of the debate on who
will have access to it and how, is something the ISPCP considers vital to
the activities of it's constsituents.


 

3.        Registrars must obtain a separate acknowledgement from registrars
that they have read and understand these disclosures.  This provision does
not affect registrars' existing obligations to obtain registrant consent to
the use of their contact information in the WHOIS system.

 

The ISPCP supports this recommendation, assuming that the correct phrasing
is 'Registrars must obtain a separate acknowledgement from registrants' (the
above text reads registrars at both ends of the procedure). The question
that perhaps must be examined here is: what happens if the registrant fails
to acknowledge reading and understanding of the disclosure procedures? Can
he/she complete the registration template anyway? Which is the 'default'
conclusion in the absence of registrant compliance?

 

As a final comment, the ISPCP fully understands the concerns of the
Registrar community regarding possible cost factors in implementing the
required changes as proposed in the above recommendations. However, in view
of the prolongued and widespread debate over WHOIS and Personal Data, it
would appear there is no option other than to do something about improving
notification, and it would behoove the Registrars to evaluate the least-cost
method for achieving this.

 

----------------------------------------------------------------------------
----------------------------------------------------------------

 

IPC COMMENTS - EXTRACT

For example, obtaining specific consent on this issue from the registrant
during the registration process, separate from obtaining agreement to
extensive terms and conditions for the registration in general, should be
encouraged. Similarly, some registrars should be more specific and
forthright in communicating to registrants about the circumstances under
which Whois data is available to third parties. 

" issue an advisory reminding registrars of the importance of compliance
with this contractual requirement, even registrars operating primarily in
countries in which local law apparently does not require registrant consent
to be obtained.

IPC believes that registrars should take the lead in developing best
practices, with input from other interested constituencies, that will
improve the effectiveness of giving notice to, and obtaining consent from,
domain name registrants with regard to uses of registrant contact data. IPC
would be glad to participate in such an effort. 

Recommendation 1 states that "[l]inking to an external web page is not
sufficient" to provide the required disclosure. It is unclear to us what an
"external" (or "internal" for that matter) web page is. Perhaps this
sentence could be amended to read: "Linking to a web page is not
sufficient."

Recommendation 2 states that disclosures must be "set aside" from other
provisions of the registration agreement if the disclosure is presented as
part of the agreement. It is unclear what "set aside" means. Futhermore,
Recommendation 2 allows as an alternative that disclosures may be presented
"separate from the registration agreement." This might be viewed as
inconsistent with the requirement in Recommendation 1 that the disclosure be
provided "during the registration process." As such, Recommendation 2 could
be amended as follows: "Such disclosures must be displayed prominently and
conspicuously prior to the agreement being executed by the registrant,
regardless of whether they appear as a term of the agreement or separate
from the agreement."

IPC also suggests that the recommendations include notice to registrants of
the consequences of providing false or inaccurate Whois data during the
registration process. The text of such a notice could be similar to what
registrars provide registrants pursuant to the Whois Data Reminder Policy.
<http://www.icann.org/registrars/wdrp.htm> 

 

 

Statement of the Noncommercial Users Constituency on Whois Task Force
1/2 Recommendation: Improving Notification and Consent for the Use of
Contact Data in the Whois Service

1. Constituency position
Noncommercial domain name users welcome efforts to ensure that domain
name registrants are better informed about the publication of their
private contact information via the Whois system. Public, anonymous
access to private contact information poses a number of risks to
registrants and may violate their rights to privacy. Until this
situation is reformed, conspicuous notification is essential.

The text we reviewed contains an error. Under point 3, the sentence
"Registrars must obtain a separate acknowledgement from registrars that
they have read and understand these disclosures" should read
"Registrars must obtain a separate acknowledgement from _registrants_
that they have read and understand these disclosures."

NCUC strongly supports the requirement to set aside the notification
and to require a distinct and separate acknowledgement from registrants
that they are aware of the exposure of their private information. We
observe, however, that for customers registering multiple domain names
in the same transaction, only one such acknowledgement should be
required. The constituency would like to make sure that the same
notification and acknowledgement should take place during renewals.

We strongly support the statement "The wording of the notice provided
by registrars should, to the extent feasible, be uniform." Because of
the highly competitive nature of the registrar business, registrars
have
an incentive to downplay or obscure the privacy implications of
registering a domain name because they fear it may deter customers from
signing up. The specific wording of the notification, therefore, should
not be left to the discretion of registrars. We suggest that the wording
be developed by staff subject to the approval of the GNSO Council, and
translated as literally as possible into different languages by an
independent party. This language should then be incorporated into the
Registrar Accreditation Agreement.

2. Method for Reaching Agreement on NCUC position

NCUC's Chair drafted and circulated via email a constituency statement
on its discussion list, soliciting input from its members. A minor
addition to the draft, concerning renewals, was suggested and agreed and
incorporated into the constituency statement. All comments were
supportive except for one, which emphasized the additional burden on
registrants of the additional process.

3. Impact on Constituency.
While there is some recognition that the registration process might be
slightly more complicated as a result of the proposed change, all member
organizations but one considered the benefits of more prominent
notification and registrant awareness to outweigh any burden.



Dr. Milton Mueller
Syracuse University School of Information Studies
http://www.digital-convergence.org <http://www.digital-convergence.org/> 
http://www.internetgovernance.org <http://www.internetgovernance.org/> 





To:          TF1-2

CC:        gNSO Council

                BC List

From: Marilyn Cade and David Fares, for the BC

Date: January 31, 2005

 

. 

PROVISIONAL COMMENTS OF THE BC:

The BC membership has reviewed the comments provided and we are submitting
these as the provisional comments, while we conclude the validation of our
membership. That will be completed shortly. We do not expect changes to
these comments, however. Thus, these comments can be taken as the input of
the BC.

 

The BC has several questions about the proposed recommendation which are
described below, along with some suggested modifications; however, the BC
fully supports the general intent of the draft policy recommendation. 

 

Suggested changes or requests for clarification are noted below, embedded in
a copy of the recommendation. Immediately following our suggested changes
are further comments and suggestions. 

 

Suggested modifications to the Proposed Policy: 

 

1. Registrars must ensure that notices regarding availability and possible
third-party access to personal data associated with domain name
registrations actually be presented to registrants during the registration
process in a manner that is easily visible and distinct to the registrant.
Linking to an external web page is not sufficient.

 

2. Registrars must ensure that these notices are set aside from other
provisions of the registration agreement if they are presented to
registrants together with that agreement. 

 

Alternatively, registrars may present data availability and data access
notices separate from the registration agreement, as long as the
registration cannot be completed until there is acknowledgement of the
notice. The wording of the notice provided by registrars should  be uniform
and based on guidance included in the consensus policy. 

 

3. Registrars must obtain a separate acknowledgement from registrants that
they have read and understand these notices. This provision does not affect
registrars' existing obligations to obtain registrant consent to the use of
their contact information in the WHOIS system, as a registrant must permit
such use before registration can occur.

 

 

General Input and Further Comments of the BC

The BC suggests that it is preferable to use the term "notice", since the
use of disclosure makes it sound as though the registrars are making the
decision individually regarding the requirement to provide accurate data and
to have that data included in the WHOIS database.

 

In fact, the registrant is required by current policy to provide accurate
information and we believe that the purpose is to remind the registrants of
their obligations.

 

Secondly, we recommend the use of uniform and consistent notices. We believe
that the Registrars and the registrants are best served by using a uniform
and consistent notice. We are concerned that it is possible to provide
confusing notices regarding the obligation and wish to prevent that, or to
have this viewed as a way to achieve a competitive advantage. 

 

It is the position of the BC that ensuring a fair and level playing field in
the areas of policy/contract compliance is best supported by uniform and
consistent notices; we also recommend that such notices should be developed
with guidance by the Council's relevant TF, with approval by Council, and
drafted by the ICANN staff/legal counsel. 

 

We inserted the additional language to the last sentence in #3 in order to
clarify that "consent" should not suggest that this is an option. Acceptance
of this policy requirement is required before the registration can continue,
as specified by current consensus policy of ICANN. 

 

Impact on BC members: The BC members are negatively impacted by inaccurate
registrant data, since they are reliant upon WHOIS data for a number of
uses, including policing their domain names, preventing fraud; defending
against harmful and confusing uses of their trademark names by competitors,
or for other negative purposes. They also heavily use WHOIS data in
cooperation with law enforcement when dealing with fraud, and other civil
legal issues, or in resolving and dealing with network problems. Thus
accurate data is extremely important to the BC membership. The BC also
endorses the need for registrants to be factually informed of their
obligations.  We do not believe that entities, whether individuals or
organizations/corporations should be allowed to register domain names
without providing full and complete contact data that is kept accurate and
up to date.

 

Implementation: As to the length of time it will take to implement the
policy, it appears to us that the policy can be implemented expeditiously,
once approved by the TF, and then the Council and sent to the Board for
approval. The drafting of a standardized statement to be used for disclosure
should be done by the ICANN staff/legal counsel, with the input and
agreement of the Council, and should not be an onerous task, since there are
many models of notice statements in the commercial and non commercial online
world. 

 

As a part of approving the consensus policy, the Council could request from
the registrars constituency preliminary advice on how long it might take to
enable a uniform posting throughout the registrar community.
Understandably, the registrars will want to have this change supported by
factual explanations that explain to the registrants in a neutral manner,
the need for the change and the purpose of the change. However, it is the
position of the BC that ICANN should not exclude those who are impacted by
such changes, e.g. users/registrants as represented by the BC, ISPCP, IPC,
Non Commercial representatives, At Large, from participating in any
consideration about the development of a uniform posting notice, or any
discussions about time frames. 

 

Further Recommendations to the TF: 

 

Extension to renewals: Further, we strongly recommend that this notice be
required in any re-registration, or renewal of a registration. It is likely
that the TF has taken that for granted in its deliberations, but we note it,
in the event it has been overlooked.

 

Additional and related work of the TF: The TF is also examining "tiered
access" at this time, and as a separate work item from the above proposed
policy modification. In the view of the BC members, this TF should also be
examining the availability of services that meet the needs of any registrant
with a legitimate need for non display of data. This should include the
availability of "anonymizing services" provided either by the registrar or
third parties for a fee, and the soon to be available .post which seems to
provide yet another solution for any registrant who needs to remain
anonymous. 

 

In any event, the BC notes that its members fully support the gathering of
full identifying and contact data, and that all data collected should be
accurate, and that mechanisms to support the efficient and effective
correction of data should be a priority. 

 

Timing of policy changes: However, since TF 3 is also considering a related
possible policy change, the BC recommends that other policy changes related
to WHOIS based on consensus policy be examined for possible aggregation, if
feasible, and practical. We exclude the work on Tiered Access from this
given its fledgling nature, but the work of the present TF3 should be
considered for possible implementation at the same time as this policy
change, should they both be accepted as consensus policy. Thus, if there are
a number of changes approved as consensus policy, they all be made at one
time, so that the registrars and registrants are not overburdened by
multiple changes, introduced at different times.

 

Better Information and Educational resources by ICANN: Finally, the BC has
from time to time noted that it supports the importance of ICANN itself
providing easily available and distributed information about changes in
policy.  

 


-----Original Message-----
From: owner-dow1-2tf@xxxxxxxxxxxxxx [mailto:owner-dow1-2tf@xxxxxxxxxxxxxx]
On Behalf Of Thomas Keller
Sent: Monday, January 31, 2005 12:10 PM
To: dow1-2tf@xxxxxxxxxxxxxx
Subject: [dow1-2tf] preliminary submission of the Registrar Constituency

Hello all,

please find below the preliminary submission of the Registrar
Consituency in regard to the policy recommendations of Whois 
TF 1-2 . Please keep in mind that this version is not the
offical statement of the Constituency until voted upon. The
ballot for finalization is just on its way.

Best,

tom

# RC Preliminary Submission ---------------------------------------

Whereas, the GNSO Registrar Constituency ("RC") has considered the
proposed policy recommendations of Whois Task Force 1/2 in their
entirety;

Whereas, the RC believes that the continued stability of the
registration process depends on its simplicity, straightforwardness, and
transparency;

Whereas, burdening this process with policy and consumer rights
education notices diminishes its simplicity, straightforwardness and
transparency;

Whereas, the RC believes that prescribing the method of notification
from registrants interferes with the simplicity of this process,
discourages desirable business innovations, and represents entirely new
obligations that would require many registrars to completely
re-establish their method of registration;

Whereas, the RC appreciates and understands the concerns of the task
force pertaining to Recommendations #2 and #3, but does not agree with
the costly and difficult to implement proposal to require the specific
highlighting of one provision out of the many important provisions
contained within the registration agreement;

Whereas, the requirements in Recommendation #3 already are mandated in
the current Registrar Accreditation Agreement in sub-sections 3.7.7.4,
3.7.7.5, and 3.7.7.6; and

Whereas, no data or evidence has been presented that indicate that the
requirements of the current RAA are unsuitable or ineffective; and
implementing a separate and additional acknowledgement from registrants
as proposed would be a costly and cumbersome process that cannot be
practically implemented in the current environment.

Therefore, it is resolved that;

[Resolved 1.0]; the Registrar Constituency does not support adopting
Recommendation #1 as consensus policy, but would support a
recommendation in the following form:

"Registrars must ensure that disclosures regarding availability and
third-party access to personal data associated with domain names
actually be available to registrants during the registration process;"

[Resolved 2.0]; the Registrar Constituency does not support adopting
Recommendation #2 as consensus policy, but encourages registrars to
increase such notification to registrants on a voluntary basis;

[Resolved 3.0]; the Registrar Constituency does not support adopting
Recommendation #3 as a consensus policy, as it believes that the current
RAA requirements are sufficient, but encourages registrars to increase
such notification to registrants on a voluntary basis;

[Resolved 4.0]; the foregoing positions of the Registrar Constituency be
reported to the Whois Task Force 1/2 and be included in any Task Force
report; and

[Resolved 4.1]; the Task Force members from the Registrar Constituency
represent the foregoing positions at Task Force 1/2.






 



<<< Chronological Index >>>    <<< Thread Index >>>