RE: [gnso-dow123] Proposed consensus recommendation on improving notification to Registered Name Holders of the public access to contact data via the WHOIS service

["Steven J. Metalitz IIPA" <metalitz@xxxxxxxx>]

 I appreciate Bruce's efforts on this which are quite helpful but not,
perhaps, wholly successful. See some comments inline below.  (Suggested
additions are in CAPS, deletions are [bracketed]).  

Steve Metalitz

-----Original Message-----
From: owner-gnso-dow123@xxxxxxxxx [mailto:owner-gnso-dow123@xxxxxxxxx]
On Behalf Of Bruce Tonkin
Sent: Saturday, June 25, 2005 5:25 AM
To: council@xxxxxxxxxxxxxx
Cc: gnso-dow123@xxxxxxxxxxxxxx
Subject: [gnso-dow123] Proposed consensus recommendation on improving
notification to Registered Name Holders of the public access to contact
data via the WHOIS service

Hello All,

Building on the work of the WHOIS task force, and the discussion on the
GNSO Council to reach consensus, the following is a proposed consensus
recommendation.

I have put the recommendation in the context of solving a problem within
ICANN's mission - ie that of security.    I expect that there will also
be benefits outside of ICANN's mission - including consumer protection
(which includes privacy protection), but these are not addressed
directly.

I welcome feedback and suggestions for improvement.   

The recommendation (or as it is refined on the Council mailing list)
will be on the agenda for the GNSO Council meeting in Luxembourg, and I
encourage Council members to discuss it with their constituencies in
Luxembourg.

Finally I would like to thank the members of the WHOIS task force for
their work in this area.

Regards,
Bruce Tonkin


(I) Background
===============

The obligations of a registrar are governed by the Registrar
Accreditation Agreement (RAA)
(http://www.icann.org/registrars/ra-agreement-17may01.htm) and ICANN
consensus policies
(http://www.icann.org/general/consensus-policies.htm).

The obligations of a Registered Name Holder (Registrant) is governed by
an electronic or paper registration agreement with the Registrar.  Each
Registrar's agreement is different, and Registered Name Holders (or
their agents) should review each agreement when making their choice of
Registrar.

A registrar is obligated by the RAA to require a Registered Name Holder
to agree to provide to the registrar accurate and reliable contact
details and promptly correct and update them during the term of the
Registered Name registration (clause 3.7.7.1 of the RAA).

A registrar is obligated by the RAA to, at its expense, provide an
interactive web page and a port 43 Whois service providing free public
query-based access to up-to-date (i.e., updated at least daily) data
concerning all active Registered Names sponsored by the Registrar
(clause 3.3.1 of the RAA).   In addition a Registrar must provide
third-party bulk access to the data  (clause 3.3.6 of the RAA).

A registrar is obligated by the RAA (CLAUSE 3.7.7.4) to provide notice
in the registration agreement with the Registered Name Holder stating:

(a) The purposes for which any Personal Data collected from the
applicant are intended;

(b) The intended recipients or categories of recipients of the data
(including the Registry Operator and others who will receive the data
from Registry Operator);

(c) Which data are obligatory and which data, if any, are voluntary; and

(d) How the Registered Name Holder or data subject can access and, if
necessary, rectify the data held about them.

THE REGISTRAR IS ALSO REQUIRED TO OBTAIN THE CONSENT OF THE REGISTRANT
TO "THE DATA PROCESSING REFERRED TO IN SUBSECTION 3.7.7.4."  RAA CLAUSE
3.7.7.5.    

(II) Problem statement with respect to ICANN's mission and Core Values
=====================================================================

>From Article 1, Section 1 of the ICANN Bylaws
(http://www.icann.org/general/bylaws.htm#I ):

"The mission of The Internet Corporation for Assigned Names and Numbers
("ICANN") is to coordinate, at the overall level, the global Internet's
systems of unique identifiers, and in particular to ensure the stable
and secure operation of the Internet's unique identifier systems. In
particular, ICANN:

        1. Coordinates the allocation and assignment of the three sets
of unique identifiers for the   Internet, which are

        a. Domain names (forming a system referred to as "DNS");

        b. Internet protocol ("IP") addresses and autonomous system
("AS") numbers; and

        c. Protocol port and parameter numbers.

        2. Coordinates the operation and evolution of the DNS root name
server system.

        3. Coordinates policy development reasonably and appropriately
related to these technical      functions."


In addition one of ICANN's core values is:
"Preserving and enhancing the operational stability, reliability,
security, and global interoperability of the Internet."   (Core value 1,
from Article 1, section 2)


The problem with the current system is that although registrars are
required to include information in the registration agreement on the
purposes for which data is collected and the intended recipients of the
data, the information is often hard to find in long agreements, and
often the information does not explicitly explain that personal data is
freely available to third parties via the WHOIS service  (for example
sometimes a registrar makes a general statement such as that the
information is provided to third parties in accordance with ICANN
policies).

[Many registrants that reside in locations where strong privacy laws
exist, would not expect their personal data to be used for anything
other than the registration and renewal of a domain name, and the
authentication of an entity claiming to be the registrant.   In some
locations a registrant must have the option to opt-in or opt-out of
making the data provided for a registration available for any other
purpose.]  Comment:  This paragraph seems to be based on legal premises
which may be questionable and also makes empirical statements which may
lack evidentiary support. Do we have a basis for suggesting that
registrants from one location are more likely to be uninformed about
uses of Whois data than those in other locations?  Which locations
(jurisdictions?) are referred to in the last statement, and does the
statement validly apply to uses of the data for which the registrant has
given consent?  

The lack of knowledge amongst Registered Name Holders can lead to
security problems for domain names.   CONFUSION AMONG [Many] Registered
Name Holders CAN LEAD THEM TO SUPPLY INAPPROPRIATE DATA FOR THE WHOIS
SERVICE, WHICH CAN BE MISUSED BY [provide Personal information to
companies that can be used by those companies for authentication (for
example home billing address), and provide public information (such as
post office box and business telephone number, typically via websites,
whitepages and yellow pages
services) suitable for third parties to contact the Registered Name
Holders.   Without an understanding of the obligation of a registrar to
publish information to the public via a WHOIS service, Registered Name
Holders may be inadvertently releasing information to the public
normally used for authentication.   This assists] domain name hijackers
(and those using stolen credit cards) to pretend to be the Registered
Name Holder. FURTHERMORE, THE CONSENT WHICH THE REGISTRAR IS REQUIRED TO
OBTAIN SHOULD BE AN INFORMED ONE. FINALLY, IMPROVED UNDERSTANDING BY
REGISTRANTS OF THE WHOIS SYSTEM CAN HELP IT FULFILL ITS ROLE IN
PROMOTING SECURITY AND STABILITY.    

Comment:  The proposed text seems somewhat one-sided in terms of the
security and stability issues that may be raised.   

Thus the problem falls under the ICANN mission, and in particular the
first core value.
 
Comment:  Was this previously in dispute?  

(III) Proposed Consensus Recommendation
=======================================

(1) Registrars must provide notice in the registration agreement with
the Registered Name Holder that is easy to find, clear, and conspicuous
within the registration agreement stating:

(a) The purposes of the WHOIS service, which consists of the provision
of an interactive web page and a port 43 Whois service providing free
public query-based access to up-to-date (i.e., updated at least daily)
data concerning all active Registered Names sponsored by the Registrar.
In addition the WHOIS service includes the provision of third-party bulk
access to the data.

(b) The purposes of the Registered Name Holder, technical, and
administrative contacts

(c) Which of the contact data in (b) will be made public via the WHOIS
service in (a).

Comment:  Note this is much more prescriptive than the original
proposal, though it could well be useful to registrants.  
 
(2) ICANN must provide on its website information on industry best
practice to meet the obligation in (1) above, and how to make the
information available to the Registered Name Holder through means in
addition to the registration agreement (e.g as part of the registration
process, or via a privacy policy).  

Comment:  Although the revised recommendation is prescriptive on what
registrants must be told in the registration agreement, it seems that
there would be no requirement to inform registrants in any other way,
although "best practices" would be provided.  Given the problems
revealed by the TF2 and staff surveys of existing agreements, is this
sufficient to make it likely that the disclosure situation will improve?


The proposed recommendation will HELP ensure that Registered Name
Holders ARE MORE FULLY INFORMED ABOUT REGISTRAR DATA HANDLING PRACTICES
AND OBLIGATIONS, AND THAT THEY PROVIDE CURRENT AND ACCURATE [provide]
contact information that is appropriate for public access and sufficient
for third parties to contact them in accordance with the
purposes of the WHOIS service.   The purposes will be refined as part of
the current WHOIS task force work.   [Information (which may include
Personal Data) that can be used for authentication and billing purposes
will be separately provided to registrars.]

COMMENT: How is the last sentence, which apparently requires
authentication and billing data to be submitted separately from data
destined for public disclosure via Whois, less burdensome from the
registrar perspective than requiring a separate notification to
registrants regarding disclosure of Whois data, as in the original
recommendation?  What is the record of current practices?