[gnso-dow123] Ideas about Whois from the GNSO Public Forum in Sao Paulo

["Maria Farrell" <maria.farrell@xxxxxxxxx>]

Dear all,
 
Here is a short summary of ideas regarding Whois services made during the
public forum, ahead of our task force call today.
 
All the best, Maria 
 
Summary of ideas presented in Whois GNSO public forum, Sao Paulo, December
2006

 

This is a short summary of ideas for Whois services presented during the
GNSO 

Public Forum in Sao Paulo.  It extracts from the comments some suggestions
about how Whois should be run, particularly ideas that are not included in
the current task force report. 


Bruce Tonkin, Melbourne IT 


Registrars have introduced their own services for privacy, which are at a
small additional cost to the registration fee. Those services have a huge
take-up. There's probably 30% of registrations through our company that have
been registered with a privacy system of some form. 

 

The OPoC proposal is an ideal proposal for dealing with this unrestricted
data-mining issue. It allows for appropriate data to be displayed that lets
a member of the public contact the registrant using that data, and that OPoC
is then responsible for forwarding the request on.

 

At the level ofprotecting business interests, we need a second tier. This
tier should be based on the fact that some authentication is done of the
person that's requesting the data. And at this tier it's reasonable that
they should be able to access more detailed information about the
registrant, but that's based on a tiered access. That still allows
registrars to put privacy services in front of that, if they wish. But this
is a second tier where we're authenticating the party that's accessing that
data and that party needs to commit that they will only use the data for
legitimate purposes and particularly won't use the data for unsolicited
marketing.

 

Then where I see Steve's proposal coming is at a third tier, that is, where
we do a much stronger authentication of the end registrant, which is not the
case in the earlier steps. There is some justification for that registrant
needing to bury their data very deep. And at that layer, if it passes this
special consideration proposal, then in my mind the only way that that data
can be retrieved should be via court order. Using an analogy, because we
seem to be using law enforcement analogies, essentially at that point
they've gone into a witness protection program. Steve's proposal is, in my
mind, the equivalent of a witness protection program, so it's obviously
needed in a number of special circumstances. 

 

So I see three tiers, the first tier being the OPoC proposal that the
registrars have put forward which deals with open public access to Whois;
the second tier, which doesn't seem to have been discussed by the task force
in any depth, but at least a standardized process for authenticating who it
is that's asking for the data and the party that asks for that data needs to
commit that they're not going to use it for unsolicited marketing. The
second tier is where I see the counterfeiting groups and the intellectual
property groups, et cetera getting access. And then the third tier is the
witness protection program tier, where someone really doesn't want to be
found for whatever reason, and that requires a lot more verification. You'd
actually have to fully identify the person, they'd have to have
justification, and then need a very high level, like a court order, to be
able to retrieve that data.

 


Steve Delbianco, Netchoice Coalition, member of the Business Constituency. 


And the second question is: how would your proposals then, on the back end,
beef up ICANN's ability to enforce whatever new policies have been
developed, so that registrars have to actually follow the rules in a
diligent and time-sensitive manner? 


 Steve Metalitz (in response)


In terms of beefing up enforcement, that's a very good question which
neither proposal really addresses. It's out of scope for this task force.
Also out of scope is one of the points that Bruce raised, which is; should
registrars be doing something more to authenticate the data that they
collect at the time of registration as far as registrant contact data That
is a topic very much worth discussion, but it is not part the remit of this
task force.

 

 


Jim Reid (Telnic)


 Finally, I would like to say something about tiered access. It's also got
some potential, and some drawbacks, too. Taking into account data protection
measures specifically in Western Europe, I could only disclose data to
somebody if they will comply with EU data protection law. So if I have to
pass this data to someone, say, in the US, they must either have a contract
with Telnic or abide by safe harbor provisions or the EU model clauses that
govern personal data transfers. That would have to be incorporated somehow
into any kind of tiered access arrangements. 


 Bob Hutchinson (identified self later as with Dynamic Ventures)


 Whois perhaps should be connecting you to the proper legal authority for
shutting down that web site, as opposed to giving me the information about
who it is who registered that web site.