<<<
Chronological Index
>>> <<<
Thread Index
>>>
RE: [gnso-dow123] Proposed consensus recommendation on improving notification to Registered Name Holders of the public access to contact data via the WHOIS service
- To: Marilyn Cade <marilynscade@xxxxxxxxxxx>
- Subject: RE: [gnso-dow123] Proposed consensus recommendation on improving notification to Registered Name Holders of the public access to contact data via the WHOIS service
- From: Tim Ruiz <tim@xxxxxxxxxxx>
- Date: Sun, 26 Jun 2005 18:54:04 -0700
Thanks Marilyn. I'm not saying that is the wrong phrasing, I just don't
know. I do know that it has been opened to wide intrepretation in US
courts and from State to State. So maybe something to get advice on.
Tim
-------- Original Message --------
Subject: RE: [gnso-dow123] Proposed consensus recommendation on
improving notification to Registered Name Holders of the public access
to contact data via the WHOIS service
From: "Marilyn Cade" <marilynscade@xxxxxxxxxxx>
Date: Sun, June 26, 2005 12:33 pm
To: tim@xxxxxxxxxxx, Bruce.Tonkin@xxxxxxxxxxxxxxxxxx
Cc: gnso-dow123@xxxxxxxxxxxxxx, council@xxxxxxxxxxxxxx
I will look at this.
But, as Tim says, this discussion isn't about privacy policies per se.
It is about where the notice and consent statements are provided.
Tim, as to what lawyers think about "clear and conspicious" -- as
someone who did a lot of work on the online privacy policy initiative
in the US and in the negotiations with the Euros on safe harbor, BUT is
not a lawyer, only a pragmatic business/policy type, you are right to
note that you can get a range of views on intrepretations of words.
The offer i made of the language was to achieve an outcome. I'm not
wedded to that phrase, only to the concept of having the registrant
informed.
How about we all think of a pragmatic approach,and then we instruct the
lawyers to help us? Isn't that the right approach, after all, for legal
guidance?
I recall that we were often able to turn to the legal counsel, Louie
Touton, for such advice. Perhaps we should be asking for consultation
-- not advice, at this stage -- with the ICANN legal team on this
interpretation.
>From: Tim Ruiz <tim@xxxxxxxxxxx>
>Reply-To: Tim Ruiz <tim@xxxxxxxxxxx>
>To: Bruce Tonkin <Bruce.Tonkin@xxxxxxxxxxxxxxxxxx>
>CC: gnso-dow123@xxxxxxxxxxxxxx, council@xxxxxxxxxxxxxx
>Subject: RE: [gnso-dow123] Proposed consensus recommendation on improving
>notification to Registered Name Holders of the public access to contact data
>via the WHOIS service
>Date: Sun, 26 Jun 2005 07:52:43 -0700
>
>Bruce,
>
>This is only a slight improvement. I say that because of this part of
>your draft:
>
>"...(1) above, and how to make the information available to the
>Registered Name Holder through means in
>addition to the registration agreement (e.g as part of the registration
>process, or via a privacy policy)."
>
>That seems to put it right back to having many of the same problems as
>before. If the notice is "clear and conspicuous" in the registration
>agreement, and the registration agreement has to always be accessible
>by the registrant, then why does it need to be available somehow in
>addition to that?
>
>If we want to put a requirement on Registrars to have a privacy
>statement, I have no problem with that. And if we want to require that
>this notice be a part of that privacy statement, that is also
>reasonable. But I would prefer that the recommendation be specific, and
>not so open ended that we have no idea of what will come out of the
>other end when actually implemented by ICANN. I would suggest that
>section quoted above be removed.
>
>Also, I will be interested in the what lawyers among think about the
>"clear and conspicuous" verbiage.
>
>Tim
>
>-------- Original Message --------
>Subject: [gnso-dow123] Proposed consensus recommendation on improving
>notification to Registered Name Holders of the public access to contact
>data via the WHOIS service
>From: "Bruce Tonkin" <Bruce.Tonkin@xxxxxxxxxxxxxxxxxx>
>Date: Sat, June 25, 2005 4:25 am
>To: council@xxxxxxxxxxxxxx
>Cc: gnso-dow123@xxxxxxxxxxxxxx
>
>Hello All,
>
>Building on the work of the WHOIS task force, and the discussion on the
>GNSO Council to reach consensus, the following is a proposed consensus
>recommendation.
>
>I have put the recommendation in the context of solving a problem within
>ICANN's mission - ie that of security. I expect that there will also
>be benefits outside of ICANN's mission - including consumer protection
>(which includes privacy protection), but these are not addressed
>directly.
>
>I welcome feedback and suggestions for improvement.
>
>The recommendation (or as it is refined on the Council mailing list)
>will be on the agenda for the GNSO Council meeting in Luxembourg, and I
>encourage Council members to discuss it with their constituencies in
>Luxembourg.
>
>Finally I would like to thank the members of the WHOIS task force for
>their work in this area.
>
>Regards,
>Bruce Tonkin
>
>
>(I) Background
>===============
>
>The obligations of a registrar are governed by the Registrar
>Accreditation Agreement (RAA)
>(http://www.icann.org/registrars/ra-agreement-17may01.htm) and
>ICANN consensus policies
>(http://www.icann.org/general/consensus-policies.htm).
>
>The obligations of a Registered Name Holder (Registrant) is governed by
>an electronic or paper registration agreement with the Registrar. Each
>Registrar's agreement is different, and Registered Name Holders (or
>their agents) should review each agreement when making their choice of
>Registrar.
>
>A registrar is obligated by the RAA to require a Registered Name Holder
>to agree to provide to the registrar accurate and reliable contact
>details and promptly correct and update them during the term of the
>Registered Name registration (clause 3.7.7.1 of the RAA).
>
>A registrar is obligated by the RAA to, at its expense, provide an
>interactive web page and a port 43 Whois service providing free public
>query-based access to up-to-date (i.e., updated at least daily) data
>concerning all active Registered Names sponsored by the Registrar
>(clause 3.3.1 of the RAA). In addition a Registrar must provide
>third-party bulk access to the data (clause 3.3.6 of the RAA).
>
>A registrar is obligated by the RAA to provide notice in the
>registration agreement with the Registered Name Holder stating:
>
>(a) The purposes for which any Personal Data collected from the
>applicant are intended;
>
>(b) The intended recipients or categories of recipients of the data
>(including the Registry Operator and others who will receive the data
>from Registry Operator);
>
>(c) Which data are obligatory and which data, if any, are voluntary; and
>
>(d) How the Registered Name Holder or data subject can access and, if
>necessary, rectify the data held about them.
>
>
>
>(II) Problem statement with respect to ICANN's mission and Core Values
>=====================================================================
>
>From Article 1, Section 1 of the ICANN Bylaws
>(http://www.icann.org/general/bylaws.htm#I ):
>
>"The mission of The Internet Corporation for Assigned Names and Numbers
>("ICANN") is to coordinate, at the overall level, the global Internet's
>systems of unique identifiers, and in particular to ensure the stable
>and secure operation of the Internet's unique identifier systems. In
>particular, ICANN:
>
>1. Coordinates the allocation and assignment of the three sets
>of unique identifiers for the Internet, which are
>
>a. Domain names (forming a system referred to as "DNS");
>
>b. Internet protocol ("IP") addresses and autonomous system
>("AS") numbers; and
>
>c. Protocol port and parameter numbers.
>
>2. Coordinates the operation and evolution of the DNS root name
>server system.
>
>3. Coordinates policy development reasonably and appropriately
>related to these technical functions."
>
>
>In addition one of ICANN's core values is:
>"Preserving and enhancing the operational stability, reliability,
>security, and global interoperability of the Internet." (Core value 1,
>from Article 1, section 2)
>
>
>The problem with the current system is that although registrars are
>required to include information in the registration agreement on the
>purposes for which data is collected and the intended recipients of the
>data, the information is often hard to find in long agreements, and
>often the information does not explicitly explain that personal data is
>freely available to third parties via the WHOIS service (for example
>sometimes a registrar makes a general statement such as that the
>information is provided to third parties in accordance with ICANN
>policies).
>
>Many registrants that reside in locations where strong privacy laws
>exist, would not expect their personal data to be used for anything
>other than the registration and renewal of a domain name, and the
>authentication of an entity claiming to be the registrant. In some
>locations a registrant must have the option to opt-in or opt-out of
>making the data provided for a registration available for any other
>purpose.
>
>The lack of knowledge amongst Registered Name Holders can lead to
>security problems for domain names. Many Registered Name Holders
>provide Personal information to companies that can be used by those
>companies for authentication (for example home billing address), and
>provide public information (such as post office box and business
>telephone number, typically via websites, whitepages and yellow pages
>services) suitable for third parties to contact the Registered Name
>Holders. Without an understanding of the obligation of a registrar to
>publish information to the public via a WHOIS service, Registered Name
>Holders may be inadvertently releasing information to the public
>normally used for authentication. This assists domain name hijackers
>(and those using stolen credit cards) to pretend to be the Registered
>Name Holder.
>
>Thus the problem falls under the ICANN mission, and in particular the
>first core value.
>
>
>(III) Proposed Consensus Recommendation
>=======================================
>
>(1) Registrars must provide notice in the registration agreement with
>the Registered Name Holder that is easy to find, clear, and conspicuous
>within the registration agreement stating:
>
>(a) The purposes of the WHOIS service, which consists of the provision
>of an interactive web page and a port 43 Whois service providing free
>public query-based access to up-to-date (i.e., updated at least daily)
>data concerning all active Registered Names sponsored by the Registrar.
>In addition the WHOIS service includes the provision of third-party bulk
>access to the data.
>
>(b) The purposes of the Registered Name Holder, technical, and
>administrative contacts
>
>(c) Which of the contact data in (b) will be made public via the WHOIS
>service in (a).
>
>
>(2) ICANN must provide on its website information on industry best
>practice to meet the obligation in (1) above, and how to make the
>information available to the Registered Name Holder through means in
>addition to the registration agreement (e.g as part of the registration
>process, or via a privacy policy).
>
>The proposed recommendation will ensure that Registered Name Holders
>provide contact information that is appropriate for public access and
>sufficient for third parties to contact them in accordance with the
>purposes of the WHOIS service. The purposes will be refined as part of
>the current WHOIS task force work. Information (which may include
>Personal Data) that can be used for authentication and billing purposes
>will be separately provided to registrars.
>
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|