Re: [ispcp] SECRETARIAT: ISPCP Position on WHOIS Notification and Consent

["Anthony Harris" <harris@xxxxxxxxxxxxx>]

RECOMMENDATIONS RELATING TO IMPROVING NOTIFICATION AND CONSENT FOR THE USE CONTACT DATA IN THE WHOIS SYSTEMMark,

I support this statement.

Please correct a typo in the last line of comment on item 2
(Constituents).

Regards

Tony Harris
  ----- Original Message ----- 
  From: Mark McFadden 
  To: ispcp@xxxxxxxxx 
  Cc: mcf@xxxxxxx 
  Sent: Thursday, April 21, 2005 6:45 PM
  Subject: [ispcp] SECRETARIAT: ISPCP Position on WHOIS Notification and Consent


  All:

  The attached document is proposed as the ISPCP statement on the recommendations concerning improvements to notification and consent and whois. The Secretariat encourages comment on this response to the ISPCP mailing list. If consensus is reached on the list, this document will be forwarded to the gNSO as the position of the ISPCP community on Monday at 1200 CST (1800 UTC).

  Thank you,

  Mark McFadden
  ISPCP Secretariat 
------------------------------------------------------------------------------

  Recommendations relating to improving notification and consent for the use contact data in the WHOIS system
   

   

   

  1.        Registrars must ensure that disclosures regarding availability and third-party access to personal data associated with domain names actually be presented to registrants during the registration process.  Linking to an external web page is not sufficient.

   

  The ISPCP constituency supports this recommendation, as it is a key factor to provide understanding of  the registrant as to the treatment that his/her data will be subject to. If this can be accomplished during the registration process, instead of through reading "fine print" after the registration has been concluded, it would appear to be a sound business practice, and conducive to transparency with regards to personal data manipulation. Pointing the registrant to a webpage is not a good solution, as the registrant may waive this option in the hurry to complete his/her registration, perhaps failing to pay adequate attention to the notice.

   

  2.        Registrars must ensure that these disclosures are set aside from other provisions of the registration agreement if they are presented to registrants together with that agreement.  Alternatively, registrars may present data access disclosures separate from the registration agreement. The wording of the notice provided by registrars should, to the extent feasible, be uniform.

   

  The ISPCP constituency has no problem with either alternative, and supports the necessity of some form of 'highlighting" this notice, in a way that ensures it cannot go unnoticed by the registrant. The wording of the notice could perhaps be incorporated into the RAA to ensure uniformity across all registrars. Although these recommendations are not targetted to the subject of accuracy, perhaps the 'enhanced' notice to registrants could simultaneously stress the need to supply accurate data to the registrar? The collection of complete and accurate data, independently of the debate on who will have access to it and how, is something the ISPCP considers vital to the activities of it's constsituents.
   

  3.        Registrars must obtain a separate acknowledgement from registrars that they have read and understand these disclosures.  This provision does not affect registrars' existing obligations to obtain registrant consent to the use of their contact information in the WHOIS system.

   

  The ISPCP supports this recommendation, assuming that the correct phrasing is 'Registrars must obtain a separate acknowledgement from registrants' (the above text reads registrars at both ends of the procedure). The question that perhaps must be examined here is: what happens if the registrant fails to acknowledge reading and understanding of the disclosure procedures? Can he/she complete the registration template anyway? Which is the 'default' conclusion in the absence of registrant compliance?

   

  As a final comment, the ISPCP fully understands the concerns of the Registrar community regarding possible cost factors in implementing the required changes as proposed in the above recommendations. However, in view of the prolongued and widespread debate over WHOIS and Personal Data, it would appear there is no option other than to do something about improving notification, and it would behoove the Registrars to evaluate the least-cost method for achieving this.

   

  --------------------------------------------------------------------------------------------------------------------------------------------

   

  IPC COMMENTS - EXTRACT

  For example, obtaining specific consent on this issue from the registrant during the registration process, separate from obtaining agreement to extensive terms and conditions for the registration in general, should be encouraged. Similarly, some registrars should be more specific and forthright in communicating to registrants about the circumstances under which Whois data is available to third parties. 

  " issue an advisory reminding registrars of the importance of compliance with this contractual requirement, even registrars operating primarily in countries in which local law apparently does not require registrant consent to be obtained.

  IPC believes that registrars should take the lead in developing best practices, with input from other interested constituencies, that will improve the effectiveness of giving notice to, and obtaining consent from, domain name registrants with regard to uses of registrant contact data. IPC would be glad to participate in such an effort. 

  Recommendation 1 states that "[l]inking to an external web page is not sufficient" to provide the required disclosure. It is unclear to us what an "external" (or "internal" for that matter) web page is. Perhaps this sentence could be amended to read: "Linking to a web page is not sufficient."

  Recommendation 2 states that disclosures must be "set aside" from other provisions of the registration agreement if the disclosure is presented as part of the agreement. It is unclear what "set aside" means. Futhermore, Recommendation 2 allows as an alternative that disclosures may be presented "separate from the registration agreement." This might be viewed as inconsistent with the requirement in Recommendation 1 that the disclosure be provided "during the registration process." As such, Recommendation 2 could be amended as follows: "Such disclosures must be displayed prominently and conspicuously prior to the agreement being executed by the registrant, regardless of whether they appear as a term of the agreement or separate from the agreement."

  IPC also suggests that the recommendations include notice to registrants of the consequences of providing false or inaccurate Whois data during the registration process. The text of such a notice could be similar to what registrars provide registrants pursuant to the Whois Data Reminder Policy. 

   

   

  Statement of the Noncommercial Users Constituency on Whois Task Force
  1/2 Recommendation: Improving Notification and Consent for the Use of
  Contact Data in the Whois Service

  1. Constituency position
  Noncommercial domain name users welcome efforts to ensure that domain
  name registrants are better informed about the publication of their
  private contact information via the Whois system. Public, anonymous
  access to private contact information poses a number of risks to
  registrants and may violate their rights to privacy. Until this
  situation is reformed, conspicuous notification is essential.

  The text we reviewed contains an error. Under point 3, the sentence
  "Registrars must obtain a separate acknowledgement from registrars that
  they have read and understand these disclosures" should read
  "Registrars must obtain a separate acknowledgement from _registrants_
  that they have read and understand these disclosures."

  NCUC strongly supports the requirement to set aside the notification
  and to require a distinct and separate acknowledgement from registrants
  that they are aware of the exposure of their private information. We
  observe, however, that for customers registering multiple domain names
  in the same transaction, only one such acknowledgement should be
  required. The constituency would like to make sure that the same
  notification and acknowledgement should take place during renewals.

  We strongly support the statement "The wording of the notice provided
  by registrars should, to the extent feasible, be uniform." Because of
  the highly competitive nature of the registrar business, registrars
  have
  an incentive to downplay or obscure the privacy implications of
  registering a domain name because they fear it may deter customers from
  signing up. The specific wording of the notification, therefore, should
  not be left to the discretion of registrars. We suggest that the wording
  be developed by staff subject to the approval of the GNSO Council, and
  translated as literally as possible into different languages by an
  independent party. This language should then be incorporated into the
  Registrar Accreditation Agreement.

  2. Method for Reaching Agreement on NCUC position

  NCUC's Chair drafted and circulated via email a constituency statement
  on its discussion list, soliciting input from its members. A minor
  addition to the draft, concerning renewals, was suggested and agreed and
  incorporated into the constituency statement. All comments were
  supportive except for one, which emphasized the additional burden on
  registrants of the additional process.

  3. Impact on Constituency.
  While there is some recognition that the registration process might be
  slightly more complicated as a result of the proposed change, all member
  organizations but one considered the benefits of more prominent
  notification and registrant awareness to outweigh any burden.



  Dr. Milton Mueller
  Syracuse University School of Information Studies
  http://www.digital-convergence.org
  http://www.internetgovernance.org





  To:          TF1-2

  CC:        gNSO Council

                  BC List

  From: Marilyn Cade and David Fares, for the BC

  Date: January 31, 2005

   

  . 

  PROVISIONAL COMMENTS OF THE BC:

  The BC membership has reviewed the comments provided and we are submitting these as the provisional comments, while we conclude the validation of our membership. That will be completed shortly. We do not expect changes to these comments, however. Thus, these comments can be taken as the input of the BC.

   

  The BC has several questions about the proposed recommendation which are described below, along with some suggested modifications; however, the BC fully supports the general intent of the draft policy recommendation. 

   

  Suggested changes or requests for clarification are noted below, embedded in a copy of the recommendation. Immediately following our suggested changes are further comments and suggestions. 

   

  Suggested modifications to the Proposed Policy: 

   

  1. Registrars must ensure that notices regarding availability and possible third-party access to personal data associated with domain name registrations actually be presented to registrants during the registration process in a manner that is easily visible and distinct to the registrant.   Linking to an external web page is not sufficient.

   

  2. Registrars must ensure that these notices are set aside from other provisions of the registration agreement if they are presented to registrants together with that agreement. 

   

  Alternatively, registrars may present data availability and data access notices separate from the registration agreement, as long as the registration cannot be completed until there is acknowledgement of the notice. The wording of the notice provided by registrars should  be uniform and based on guidance included in the consensus policy. 

   

  3. Registrars must obtain a separate acknowledgement from registrants that they have read and understand these notices. This provision does not affect registrars' existing obligations to obtain registrant consent to the use of their contact information in the WHOIS system, as a registrant must permit such use before registration can occur.

   

   

  General Input and Further Comments of the BC

  The BC suggests that it is preferable to use the term "notice", since the use of disclosure makes it sound as though the registrars are making the decision individually regarding the requirement to provide accurate data and to have that data included in the WHOIS database.

   

  In fact, the registrant is required by current policy to provide accurate information and we believe that the purpose is to remind the registrants of their obligations.

   

  Secondly, we recommend the use of uniform and consistent notices. We believe that the Registrars and the registrants are best served by using a uniform and consistent notice. We are concerned that it is possible to provide confusing notices regarding the obligation and wish to prevent that, or to have this viewed as a way to achieve a competitive advantage. 

   

  It is the position of the BC that ensuring a fair and level playing field in the areas of policy/contract compliance is best supported by uniform and consistent notices; we also recommend that such notices should be developed with guidance by the Council's relevant TF, with approval by Council, and drafted by the ICANN staff/legal counsel. 

   

  We inserted the additional language to the last sentence in #3 in order to clarify that "consent" should not suggest that this is an option. Acceptance of this policy requirement is required before the registration can continue, as specified by current consensus policy of ICANN. 

   

  Impact on BC members: The BC members are negatively impacted by inaccurate registrant data, since they are reliant upon WHOIS data for a number of uses, including policing their domain names, preventing fraud; defending against harmful and confusing uses of their trademark names by competitors, or for other negative purposes. They also heavily use WHOIS data in cooperation with law enforcement when dealing with fraud, and other civil legal issues, or in resolving and dealing with network problems. Thus accurate data is extremely important to the BC membership. The BC also endorses the need for registrants to be factually informed of their obligations.  We do not believe that entities, whether individuals or organizations/corporations should be allowed to register domain names without providing full and complete contact data that is kept accurate and up to date.

   

  Implementation: As to the length of time it will take to implement the policy, it appears to us that the policy can be implemented expeditiously, once approved by the TF, and then the Council and sent to the Board for approval. The drafting of a standardized statement to be used for disclosure should be done by the ICANN staff/legal counsel, with the input and agreement of the Council, and should not be an onerous task, since there are many models of notice statements in the commercial and non commercial online world. 

   

  As a part of approving the consensus policy, the Council could request from the registrars constituency preliminary advice on how long it might take to enable a uniform posting throughout the registrar community.  Understandably, the registrars will want to have this change supported by factual explanations that explain to the registrants in a neutral manner, the need for the change and the purpose of the change. However, it is the position of the BC that ICANN should not exclude those who are impacted by such changes, e.g. users/registrants as represented by the BC, ISPCP, IPC, Non Commercial representatives, At Large, from participating in any consideration about the development of a uniform posting notice, or any discussions about time frames. 

   

  Further Recommendations to the TF: 

   

  Extension to renewals: Further, we strongly recommend that this notice be required in any re-registration, or renewal of a registration. It is likely that the TF has taken that for granted in its deliberations, but we note it, in the event it has been overlooked.

   

  Additional and related work of the TF: The TF is also examining "tiered access" at this time, and as a separate work item from the above proposed policy modification. In the view of the BC members, this TF should also be examining the availability of services that meet the needs of any registrant with a legitimate need for non display of data. This should include the availability of "anonymizing services" provided either by the registrar or third parties for a fee, and the soon to be available .post which seems to provide yet another solution for any registrant who needs to remain anonymous. 

   

  In any event, the BC notes that its members fully support the gathering of full identifying and contact data, and that all data collected should be accurate, and that mechanisms to support the efficient and effective correction of data should be a priority. 

   

  Timing of policy changes: However, since TF 3 is also considering a related possible policy change, the BC recommends that other policy changes related to WHOIS based on consensus policy be examined for possible aggregation, if feasible, and practical. We exclude the work on Tiered Access from this given its fledgling nature, but the work of the present TF3 should be considered for possible implementation at the same time as this policy change, should they both be accepted as consensus policy. Thus, if there are a number of changes approved as consensus policy, they all be made at one time, so that the registrars and registrants are not overburdened by multiple changes, introduced at different times.

   

  Better Information and Educational resources by ICANN: Finally, the BC has from time to time noted that it supports the importance of ICANN itself providing easily available and distributed information about changes in policy.  

   


  -----Original Message-----
  From: owner-dow1-2tf@xxxxxxxxxxxxxx [mailto:owner-dow1-2tf@xxxxxxxxxxxxxx]
  On Behalf Of Thomas Keller
  Sent: Monday, January 31, 2005 12:10 PM
  To: dow1-2tf@xxxxxxxxxxxxxx
  Subject: [dow1-2tf] preliminary submission of the Registrar Constituency

  Hello all,

  please find below the preliminary submission of the Registrar
  Consituency in regard to the policy recommendations of Whois 
  TF 1-2 . Please keep in mind that this version is not the
  offical statement of the Constituency until voted upon. The
  ballot for finalization is just on its way.

  Best,

  tom

  # RC Preliminary Submission ---------------------------------------

  Whereas, the GNSO Registrar Constituency ("RC") has considered the
  proposed policy recommendations of Whois Task Force 1/2 in their
  entirety;

  Whereas, the RC believes that the continued stability of the
  registration process depends on its simplicity, straightforwardness, and
  transparency;

  Whereas, burdening this process with policy and consumer rights
  education notices diminishes its simplicity, straightforwardness and
  transparency;

  Whereas, the RC believes that prescribing the method of notification
  from registrants interferes with the simplicity of this process,
  discourages desirable business innovations, and represents entirely new
  obligations that would require many registrars to completely
  re-establish their method of registration;

  Whereas, the RC appreciates and understands the concerns of the task
  force pertaining to Recommendations #2 and #3, but does not agree with
  the costly and difficult to implement proposal to require the specific
  highlighting of one provision out of the many important provisions
  contained within the registration agreement;

  Whereas, the requirements in Recommendation #3 already are mandated in
  the current Registrar Accreditation Agreement in sub-sections 3.7.7.4,
  3.7.7.5, and 3.7.7.6; and

  Whereas, no data or evidence has been presented that indicate that the
  requirements of the current RAA are unsuitable or ineffective; and
  implementing a separate and additional acknowledgement from registrants
  as proposed would be a costly and cumbersome process that cannot be
  practically implemented in the current environment.

  Therefore, it is resolved that;

  [Resolved 1.0]; the Registrar Constituency does not support adopting
  Recommendation #1 as consensus policy, but would support a
  recommendation in the following form:

  "Registrars must ensure that disclosures regarding availability and
  third-party access to personal data associated with domain names
  actually be available to registrants during the registration process;"

  [Resolved 2.0]; the Registrar Constituency does not support adopting
  Recommendation #2 as consensus policy, but encourages registrars to
  increase such notification to registrants on a voluntary basis;

  [Resolved 3.0]; the Registrar Constituency does not support adopting
  Recommendation #3 as a consensus policy, as it believes that the current
  RAA requirements are sufficient, but encourages registrars to increase
  such notification to registrants on a voluntary basis;

  [Resolved 4.0]; the foregoing positions of the Registrar Constituency be
  reported to the Whois Task Force 1/2 and be included in any Task Force
  report; and

  [Resolved 4.1]; the Task Force members from the Registrar Constituency
  represent the foregoing positions at Task Force 1/2.