ICANN/GNSO GNSO Email List Archives

[whois-sc]



[whois-sc] Follow-up to the last call.

  • To: whois-sc@xxxxxxxx
  • Subject: [whois-sc] Follow-up to the last call.
  • From: Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
  • Date: Mon, 25 Aug 2003 17:15:02 +0200
  • Mail-followup-to: whois-sc@dnso.org
  • Sender: owner-whois-sc@xxxxxxxxxxxxxx
  • User-agent: Mutt/1.5.4i

This message elaborates on some of the points we (Wendy and Thomas)
made on the group's last conference call.

There are, basically, three main concerns we have with respect to
WHOIS: First, the mandatory collection of personal data, second, the
lacking awareness of registrants for the handling of their data, and
third, the availability of these data for purposes which are not
directly related to the registrar's and registry's technical needs
in fulfilling the domain name contract.


1. There are trade-offs between these concerns: The current regime
benefits awareness and transparency, by making it easy for
registrants to check themselves what kinds of personal data about
them and about others are made available to third parties.  Everyone
has access from the same pool of data, whether for an academic
study, or legal claims.

An approach which would make access to the data more difficult for
the general public (or would restrict this kind of access), but
would make the complete data available to some classes of data users
(e.g., IPC members ;) would make it much harder for registrants to
understand what data are available to whom, and under what
conditions, and would make it harder for parties, including
registrants being challenged by such privileged data users, to
acquire equivalent data with which to defend themselves.  It would
tend to privilege some users above others, on non-universally-
accepted criteria often including (de facto) ability to pay.


      Recommendation: Any PDP on tiered access must also consider
      making WHOIS auditable.  This could, e.g., happen by (1)
      reliably identifying data users, and (2) letting data subjects
      know who accesses their data for what purposes, (3) letting
      anyone facing challenge based on data available through
      privileged WHOIS access gain access on an equivalent level in
      order to defend or counterclaim; (4) ensuring that the tiers
      do not collapse into "ability to pay."

2. Concerning data collection, we are unconvinced that all the data
collected and published today are necessary, or just useful.

For instance, one argument we heard during last week's call was
that the availability of technical contact information was crucial
to the Internet's security and stability.  While we recognize that
this argument may have merit with respect to information in RIRs' IP
address WHOIS service, it does not pass muster with respect to
domain name WHOIS: For technical contact information to be useful,
the contact point identified must be able and willing to help, which
is more likely to be true if the contact information is voluntarily
provided; even more obviously, the data is also useless unless both
the party seeking contact and the point of contact share at least
one common language.  Assuming this becomes ever more unlikely as
the Internet expands around the globe.  Functionally, the current
architecture leads to the equivalent of making technical contact
data voluntary.

	a. Recommendation: A PDP should explore which data elements
	are useless or unnecessary, and can be removed from WHOIS on
	this ground.

	b. Recommendation: A PDP should explore whether the
	collection (or the disclosure) of some or all contact data
	could be left to the registrants' discretion.

The more radical variant of our second recommendation could be
implemented by adopting the "evidence of actionable harm" standard
from RAA 3.7.7.3 for accuracy complaints: If a domain name registrar
receives evidence of actionable harm, he would have to cancel a
registration for which contact data has not been provided, or is not
disclosed.  "Inaccuracy" by itself would no longer be a ground for
cancellation of a domain name.  (Likewise, in case of technical
trouble for third parties, a server could be taken offline when
there is no technical contact information.)

We understand that this approach would also have implications for
the UDRP (which could range from a default ruling in favor of the
complainant to a more sophisticated "anonymous respondent" mechanism
which would only be applicable when the registrar has contact
information, but is not allowed to disclose it), and the WDRP (which
could be changed into a reminder of the risks to not having accurate
contact information publicly available) which would need to be
examined closely. 

We believe that it is possible to strike a sustainable balance
between privacy and accountability along these lines.



3. International compliance issues.  We agree that it would be hard
or even infeasible to produce a WHOIS policy which precisely mirrors
all possibly or actually applicable privacy rules around the globe.

	Recommendation: Instead of going for a
	one-size-doesn't-fit-any policy, ICANN should leave local
	questions on the local level, and develop a policy framework
	which permits registrars to comply with applicable privacy
	legislation through local or national "policy profiles".


Kind regards,

Wendy Seltzer / Thomas Roessler
         (ALAC liaisons)


