[gnso-dow123] NCUC constituency statement on Whois purpose (draft)

["Milton Mueller" <mueller@xxxxxxx>]

(Draft) Statement of the NCUC on WHOIS Purpose

Task 1 asks us to "Define the purpose of the WHOIS service in the
context of ICANN's mission and relevant core values, international and
national laws protecting privacy of natural persons, international and
national laws that relate specifically to the WHOIS service, and the
changing nature of Registered Name Holders."

The importance of defining "purpose"

Regarding international and national privacy laws, NCUC notes that it is
well-established in data protection law that the purpose of data and
data collection processes must be well-defined before policies regarding
data collection, use and access can be established. The need for an
explicit, well-defined purpose is meant to protect data subjects from
abuse by either the data collectors or third parties using the data. A
definition of purpose is intended to impose strict constraints on the
collection and use of contact data. A specified purpose determines what
data elements should be collected, and therefore actively prevents
collection of any data that is not clearly necessary for that purpose.
Furthermore, a defined purpose helps to ensure that data is used only
for the specified purposes, preventing uses that are different from or
incompatible with the purpose giving rise to their collection. Finally,
sound data protection principles hold that data subjects must be
informed of the purpose for which the Data is intended and whether and
under what conditions the Data is likely to be passed to a third party.

WHOIS and ICANN's mission and core values

Regarding ICANN's mission and relevant core values, we note that ICANN's
mission is primarily technical: "to coordinate, at the overall level,
the global Internet's systems of unique identifiers, and in particular
to ensure the stable and secure operation of the Internet's unique
identifier systems." In enumerating ICANN's core values, we find that
the first three are most relevant to a discussion of WHOIS and its
purpose:

1. Preserving and enhancing the operational stability, reliability,
security, and global interoperability of the Internet.

2. Respecting the creativity, innovation, and flow of information made
possible by the Internet by limiting ICANN's activities to those matters
within ICANN's mission requiring or significantly benefiting from global
coordination.

3. To the extent feasible and appropriate, delegating coordination
functions to or recognizing the policy role of other responsible
entities that reflect the interests of affected parties

The original purpose of the WHOIS protocol, when the Internet was an
experimental network, was the identification of and provision of contact
information for, domain administrators for purposes of solving technical
problems. This original purpose is consistent with the plain language of
ICANN's current mission and is further supported by core value #1, which
addresses exclusively technical values such as stability, reliability,
security and interoperability.

Vinton G. Cerf, speaking at the "Freedom 2.0" conference held in
Washington DC in May 2004 confirmed directly that the original purpose
of WHOIS was indeed purely technical.**

Further, Core Value #3 expressly recognizes the "policy role" of "other
responsible entities."  No where is this policy role clearer than in the
steps governments have taken to protect the personal data of their
citizens.  It is incumbent on ICANN to limit its role in the collection,
use and especially disclosure of data to only that needed for technical
and operational tasks.  The rest is rightly governed by sovereign law.

We further note that Core Values #2 and #3 **(respecting creativity and
recognizing the policy role of other responsible entities,
respectively), in spirit and language, mandate that ICANN must limit its
activities to a minimal set of areas requiring global technical
coordination. Thus, although WHOIS data may be useful for a broad
variety of purposes, uses and users, ICANN's core values require that it
not embrace those purposes and activities just because it can, or
because interested parties find it convenient. ICANN must limit its
activities to matters within its mission and recognize and defer to the
policy role of other responsible entities.

Proposed definition of purpose

NCUC proposes the following definition of purpose for the WHOIS service:


The purpose of the WHOIS is to provide to third parties an accurate and
authoritative link between a domain name and a responsible party who can
either act to resolve, or reliably pass information to those who can
resolve, technical problems associated with or caused by the domain.  

By "technical problems" we mean problems affecting the operational
stability, reliability, security, and global interoperability of the
Internet.

Excluded or invalid purposes

It is important to also identify purposes that are inconsistent with
ICANN's stated mission and core values.

First, WHOIS is not designed to be a global data mining operation with
completely unlimited access to all registrant data by any Internet user
for any purpose, including marketing.

Second, the purpose of WHOIS data is not to facilitate legal or other
kinds of retribution by those interested in pursuing companies and
individuals who criticize and compete against them.  Companies with
allegations against domain name registrants can seek subpoenas of
specific subscriber records through Internet service providers, or learn
about a domain name registrant's identity information through requested
subpoenas of registrar records.Third,

Third, the purpose of WHOIS is not to expand the surveillance powers
given to law enforcement under law, or to bypass the protections and
limitations imposed by sovereign governments to prevent the abuse and
misuse of personal data, even by law enforcement. Law enforcement
agencies can subpoena specific subscriber records through Internet
service providers, or learn about a domain name registrant's identity
information through subpoenas of registrar records. It is not for ICANN
to preempt or undervalue the due process protections set up by national
government who must balance not only legitimate law enforcement needs,
but also officers operate "ultra virus" and outside of their authority
and law enforcement officers operating for other countries which do not
share the same laws and values of the registrant's country.

CONCLUSION

Overall, the published WHOIS data should serve only the original purpose
of the database and the powers of ICANN - technical.   Additional access
to information about the domain name registrant, including the names and
address of those using their domain names to post valuable and
controversial political and social messages and critiques, should be
handled pursuant to the well thought out national laws that exist in
every other area of telecommunications (e.g., telephone, cable, and
Internet Service Provider data).

Dr. Milton Mueller
Syracuse University School of Information Studies
http://www.digital-convergence.org
http://www.internetgovernance.org