ICANN/GNSO GNSO Email List Archives

whois-tf3-report-comments



Concerns re: TF3 Report

  • To: whois-tf3-report-comments@xxxxxxxxxxxxxx
  • Subject: Concerns re: TF3 Report
  • From: KathrynKL@xxxxxxx
  • Date: Mon, 5 Jul 2004 13:24:53 EDT

Comments to WHOIS Task Force 3
From Kathryn Kleiman

I submit these comments to Task Force 3 as an individual.  In writing them,
I bring my experience as a co-founder of the Noncommercial Users
Constituency and as a member of the WHOIS Task Force 2.

1.   I am saddened and surprised by the TF3 report online.  It is not a
product that in any way resembles the reports produced by WHOIS TF1
or TF2.  TF1 and TF2 recognized that there are three major communities
involved in the WHOIS debate:

     - Data Subjects (domain name holders)
     - Data Users
     - Registration Industry (data collectors and processors).

For six months all of these communities in TF1 and TF2 have debated,
wrestled and worked together to arrive at Interim Reports that reflect a
mid-point, a compromise and a way forward.   Why didn't TF3 do the
same?  How can TF3 produce a report in which each and every
recommendation is opposed by all of its data subject members and
half of the registration industry?  

Please move forward only when you have agreement from all three
communities above.  This is the type of issue that can split ICANN,
governments and the Internet community.  We worked hard in the other
Task Forces to find common ground on complex and controversial issues.
You must do the same.  TF3 is not the exclusive province of the data users,
such as the intellectual property and commercial interests.  We have to
work through all these issues together, and you have not done your job.

2.   The TF3 report lacks context and does not clearly acknowledge the
role of the other task forces and its place in the three task force process.
As you read TF3's work, it seems to stand alone, and that is not the case.
As you know, privacy and accuracy are issues of deep concern in the
WHOIS debate.  ICANN has been warned not just by data subjects, but
also by government representatives and leaders, that the WHOIS practice
of publishing personal and "sensitive data" is a violation of national laws,
including national data protection laws.  Accuracy and privacy must move
forward together.

Because privacy is not considered in your scope, TF3 must discuss its
out-of-scope limitations in its reports.   It is widely speculated that
adding privacy to the database will greatly further accuracy (and based on
unlisted telephone number models, there is a good basis for making this
speculation).  Readers must know that there are options for accuracy other
than "sticks" and penalties, and that such options could help accuracy
advance in a positive manner. Even if you don't explore the issue, you must
present its possibility and submit that you felt it was beyond your scope.
Not everything has to be based on excessive penalties. 

3.  TF3 must discuss its context.  Right now, your report seems to exist in
its own right.  But that is not the way it was envisioned or presented to the
Constituencies by Council.  TF3 is one of three task forces, all looking at
complicated parts of the privacy/accuracy/availability debate in the WHOIS
area.  TF3 must acknowledge the other two task forces, and that only after
the findings and work of TF1 and TF2 is it appropriate to proceed with
increased levels of accuracy in the WHOIS.  Solve the personal
data/sensitive data problem, and accuracy becomes far less controversial to
the ICANN community, government leaders and data protection
commissioners.  Don't solve the privacy problem, and demands for
increased accuracy will deeply divide ICANN's communities and
governments.   TF3 must discuss the larger process in which its
recommendations will play out.

4) TF3 must adopt much more neutral terminology throughout its report.
Using the phrase "false WHOIS data" conveys a sense of negative intent,
such as when a person adopts a "false persona." But inaccurate WHOIS
data, on its face and without additional information, has no negative, false or
intentional overtones.  Inaccurate data can appear in the WHOIS database,
as in any database, for a number of reasons including typos, later changes,
software error, unintentional swaps (domain name A, but data from domain
name B), inaccurate updates, hacking, etc. (I used to be a data security
auditor, and saw many ways for inaccurate data to enter systems.) Neither
TF3 nor ICANN has the right to presume the intent of the data subject until
that intent is proven.  Accordingly, it is incumbent on TF3 and ICANN to
use neutral, not negative, language and change all references from "false
WHOIS data" to "inaccurate WHOIS data."  

5) If TF3 recommendations go forward (see concerns below), then it
should bound each recommendation to "technical and operational data"
[TF2 terminology] or "non-sensitive data" [TF1 terminology].  If TF3 is
going to proceed without data gathering and only on the basis of selected
constituency statements, then it is incumbent that TF3 carefully stay within
the bounds of ICANN's mandate and limit its recommendation to the
technical and operational data of the domain name system.  

6)  In response to the specific Recommendations of TF3, I respond below:

Overall:   To all recommendations, I have the same question: what is the
basis for these recommendations?  Where is the independent data you have
gathered in your data gathering phase regarding problems in the ICANN
data correction process, as recently revised?  Where is the discussion, in
each recommendation, of the downsides that it might offer?  Where are the
limits that stop unreasonable parties from making the WHOIS database a
witch-hunt for the individuals, organizations and even companies who are
exercising their human rights to share controversial political, cultural and
personal ideas and have created no technical or operational problem with
their domain name use online?

I object to each recommendation based on the above questions, and
discuss a few below. 

    #1 TF3's recommendation includes: "ICANN should devote additional
resources to such a compliance program in order to provide adequate
support."  

In a tight budget, why should ICANN devote further and additional
resources to a process in which it seems to be heavily involved already? 


    #3 TF3's recommendation includes: "Any Best Practices that are viewed as
being mechanisms for improving data verification on a global basis should
be developed by or under the direction of ICANN, soliciting the
cooperation of responsible registrars, and disseminated to accredited
registrars and other relevant parties as part of ICANN's ongoing
educational and compliance initiatives."

Best Practices must be developed with the solicitation and cooperation of
all three communities -- data users, data subjects and the registration
industry -- not just registrars.  The deep concern this issue has raised in the
last several ICANN meetings is proof enough that the issues are far
reaching and the implications of deep concern for all.   

    #4 TF3's recommendation includes: "Specific examination of registrar data
collection and protection practices should be undertaken, including
investigating all options for the identification and viability of possible: A)
automated and manual verification processes that can be employed for
identifying suspect domain name registrations containing plainly false or
inaccurate data and for communicating such information to the domain
name registrant; and b) readily available databases that could be used for or
to assist in data verification, taking into account the wide variety of
situations that exist from region to region."

Why?  Where is the data collected in the TF3 data gathering process that
leads to this conclusion?
This is one of the areas where stretching slightly outside your scope is a
good idea. If providing basic privacy protections for domain name owners
can dramatically increase accuracy, then the registration industry and
ICANN can dramatically decrease costs.  Why go the expensive way first?

    #5 TF3 recommends: ICANN should also consider including the "last
verified date" and "method of verification" as WHOIS data elements, as
recommended by the Security and Stability Advisory Committee.

This recommendation is clearly out of scope for TF3 and must be deleted
or referred to TF2.  As you know, your out-of-scope section specifically
states: "The task force should not consider issues associated with changing
the data elements that are collected. This is the subject of a separate task
force." 

    #6 This recommendation includes many new steps for Registrars to
undertake for accuracy.  Where is the data collected by TF3 that shows
that current procedures are not working?  Where is the warning that
adopting these additional procedures, without finding protections against
bulk access and to protect privacy (TF1 and 2) could cause even greater
conflict with national law and national law enforcement (see concerns
expressed to the ICANN community by George Papapavlou, EU, and
Giovanni Buttarelli, Italy, at the Rome ICANN Meeting, among others).

If TF3 chooses to go forward with this recommendation, it should expressly
apply only to technical and operational WHOIS data labeled
"non-sensitive" by TF1.

    #7 Where does recommendation #7 differ from existing practices?

    #8 TF3 recommends: "ICANN should consider requiring Registrars to
verify at least two of the following three data elements provided by domain
name registrants - phone, facsimile and email - and ensure that these
elements function and that the Registrar receives a reply from these means
of communication. Where none of the three data elements works, then the
domain name should immediately be placed on hold. If only one of the
means of communication works, then the domain name shall be placed on
hold for a period of 15 days in which the domain name registrant shall
correct all of the WHOIS data elements. If the domain name registrant fails
to correct all of the WHOIS "

Here, as in #6 above, TF3 must discuss the tension between privacy and
accuracy, or it presents a distorted picture.  Requiring this type of check,
on people's home address and unlisted phone numbers, will greatly
increase the level of concern for domain name holders (data subjects)
and their governments and data protection commissioners worldwide.  TF3
should expressly suggest that this recommendation be held until resolution
of TF1 and TF2's issues, or expressly bound to technical contact data only.

    #9 TF3 recommends: "Where a domain name registration is canceled due
to the non-functionality of WHOIS data elements - phone, facsimile, and
email - the domain name can be reconnected for a fee to be set by the
registrar. Upon reconnection of any domain name in circumstances where
the domain name had been placed on hold or was immediately canceled,
the Registrar shall verify all data elements before reconnecting the domain
name. The Registrar should ensure that the reconnection charge it imposes
is sufficient to cover the costs of the heightened verification it must perform
in reconnecting a previously canceled domain."

Until the privacy issues are resolved, this cancellation may be viewed as an
additional cost for protecting the privacy guaranteed by national law.   This
raises problems, I am told, under national law. TF3 should be careful to
include in its recommendations that the only costs associated with the
reconnection of a domain name be fair, reasonable, not excessive, and
waived should the registrant prove he/she was protecting a right guaranteed
by his/her national law or where the fault is that of the registrar (e.g., did not
promptly update data).  

    #10 Recommendation: "When a domain name registration is canceled (or
suspended, etc.) for false contact data, all other registrations with identical
contact data should be canceled (or suspended, etc.) in like fashion."

Absolutely not.  TF3 has not thought through the disastrous implications of
this policy for domain name holders operating under proxies.  There are
now cases of proxy services which register thousands of domain names for
honest individuals and small businesses, and then the proxy acts in a manner
which is improper.  Rather than solving the problem in a business-like and
professional manner, TF3 recommends the willy-nilly cancellation of
thousands of domain names.  This is clearly not a well-thought out,
well-researched or well-evaluated position.  This resolution must be
deleted absent further, and comprehensive danger, of the full range
of its implications.  I also think such a recommendation, if followed, must
be tied to some proof of technical or operational problem that the set of
domain names has caused online. 


    #11 Recommendation: "ICANN staff should undertake a review of the
current registrar contractual terms and determine whether they are adequate
or need to be changed in order to encompass improved data accuracy
standards and verification practices as a result of the current PDP."

No, ICANN staff should be asked by TF3 to evaluate current registrar
contractual terms only after it receives the Council recommendations
regarding all three WHOIS task forces and has a basis for determining
the Council's recommendation for both accuracy and privacy standards.

    #12 Recommendation: "ICANN should develop and implement a
graduated scale of sanctions that can be applied against those who are not
in compliance with their contractual obligations or otherwise violating the
contractual rights under these agreements."

Only after ICANN has resolved the Catch-22 of national privacy laws and
WHOIS collection and disclosure requirements should ICANN move
forward with any revised type of sanctions.  TF3 should say so.



