ICANN Email List Archives

[gnso-whoisprivacy-cmts]



Comments of INTA's Whois Subcommittee

  • To: <gnso-whoisprivacy-cmts@xxxxxxxxx>
  • Subject: Comments of INTA's Whois Subcommittee
  • From: "Michael Heltzer" <mheltzer@xxxxxxxx>
  • Date: Tue, 27 Sep 2005 11:36:43 -0400

The Whois Subcommittee of the International Trademark Association, which
is the largest association in the world dedicated exclusively to the
protection of trademarks (see http://www.inta.org), has reviewed the
"Preliminary task force report on a policy
recommendation and advice on a procedure for handling conflicts between
a registrar/registry's legal obligations under privacy law and their
contractual obligations to ICANN," sent to the GNSO membership by the
GNSO Secretariat by email dated September 13, 2005. 

 

In general, the subcommittee finds the proposed procedure to be
comprehensive and thorough should issues arise.  However, it advocates
that ICANN move with extreme caution in order to minimize departures
from compliance with the Registrar Accreditation Agreement ("RAA") by
registrars so as to ensure that a level playing field is kept intact and
the predictability for users of the domain name system is preserved.
The public interest would be best served if ICANN does not allow
departure from the RAA until all alternative avenues are exhausted and
it is the only resolution available. 

 

I.          Consent From Registrants To Disclosure Of Contact
Information In the Whois Database Renders Conflicts Unlikely

 

To date, the subcommittee is not aware of any situation that would
absolutely require departure from the RAA, for two reasons.  First,
current ICANN agreements and registrar practice make clear that the
purposes for collection of Registered Name Holder information include
its dissemination via the Whois system.  Second, to the extent local
laws require a registrar to obtain the Registered Name Holder's consent
before publishing Whois data, the subcommittee is unaware of any legal
prohibitions against obtaining such consent.

 

Moreover, the findings in the preliminary report of Whois Task Force 2
(see
http://www.gnso.icann.org/issues/whois-privacy/Whois-tf2-preliminary.html)
("Preliminary Report") do not demonstrate that there is a need to
allow departures from the RAA. As a result, there is no basis for their
implicit assumption that insurmountable conflicts will arise and
recommendation that the procedure be adopted to allow departures from
the RAA.  The report merely states that "situations have arisen in which
privacy laws or regulations have conflicted with WHOIS-related
contractual obligations with ICANN." (Preliminary Report, section 2.4.)
The report cited only one example: a statement by the .name registry
that it had changed its Whois policy to comply with a request from the
UK Data Commissioner.  Nowhere does the Preliminary Report detail the
nature of the conflicts that have arisen.  The lack of specifics
concerning the nature of conflicts that purportedly have arisen or could
arise between national laws and the RAA makes it impossible to evaluate
whether such purported conflicts actually would require modification of
the RAA.

 

Registrars are already required under Sections 3.7.7.4 and 3.7.7.5 of
the RAA to obtain consent from registrants to the publication of their
contact information in the Whois database.  The subcommittee believes
this existing requirement may be sufficient to meet local privacy laws
in the vast majority of, if not all, cases.  A registrar should not be
allowed an exception from its contractual Whois obligations merely by
arguing that it has failed to obtain the consent it is contractually
required to obtain from each registrant.  In the absence of any evidence
of conflicts between the RAA and national law that could not be
surmounted by obtaining the registrant's valid consent for use of the
information, there is no demonstrated need to allow departures from the
RAA.

 

To the extent any national government seeks to sanction any registrar on
the basis that disclosure of personal information via the Whois system
is contrary to the purpose for which the data was collected, the only
position for ICANN to take that would be consistent with its own
policies and requirements, is that public dissemination is encompassed
within the intended purposes of the collection of the data.  To the
extent ICANN concludes that this is not clear, its proper role is to
clarify that public dissemination is an intended purpose of the data
collection by amending the RAA rather than to grant exceptions to
registrars' obligation to provide Whois data to the public.  



 

II.        Specific Issues with the Policy & Procedure 

 

            A.        Concerns were raised that the confidentiality
provisions in Steps One, Two, and Three could, as a practical matter,
foreclose the ability of interested parties to question or rebut the
need for a departure from the RAA on a case-by-case basis. Such an
ability to question a registrar's assertion of a conflict in a specific
case is particularly important in light of the Task Force's failure to
demonstrate a history of insurmountable conflicts between national laws
and the RAA. Although the subcommittee agrees there could be
circumstances in which confidentiality might be necessary, the policy
should not favor such requests, and in fact should specify that they
would be granted only in extraordinary circumstances.

 

            B.         The subcommittee questions whether the procedure
in Step One should apply to a mere "investigation" that "might affect" a
registrar's compliance. It may be beneficial either to provide
additional definitions concerning these terms or to require that some
kind of enforcement proceeding has been initiated, or that the
investigation be of the specific registrar's policies. The language of
the proposed policy might encourage registrars to seek waivers every
time there is some government "investigation" of any registrar's privacy
policies -- or even the privacy policies of any party receiving any
personal data of any kind apart from the Whois system -- under the
argument that it "might affect" the registrar's compliance.

 

            C.        The statement near the end of Step One that
"Meeting the notification requirements permits Registrar/Registries to
participate in investigations and respond to court orders, regulations,
or enforcement authorities in a manner and course deemed best by their
counsel" is ambiguous.  This language appears intended to provide an
incentive for registrars to comply with the notification requirements
set out in Step One.  However, the consequences of failing to meet the
notification requirements are not specified.  If this language is
intended to suggest that the registrar cannot participate in
investigations or respond to enforcement authorities until it has met
its notification requirements, it would likely be unenforceable, so the
policy should instead specify alternative, realistic, enforceable
consequences; in the alternative, the sentence should be removed in its
entirety to eliminate the ambiguity.

 

            D.        In the first paragraph under "Step Two:
Consultation," the last sentence should be amended to specify that the
registrar must obtain consent of the registrants to the publication of
their Whois data, in order to be considered as having complied with its
contractual obligations to the greatest extent possible. In other words,
the last sentence of the first paragraph should be amended to read as
follows: "The goal of the consultation process should be to seek to
resolve the problem in a manner that preserves the ability of the
registrar/registry to comply with its contractual obligations to the
greatest extent possible, including via obtaining consent of registrants
to the publication of their Whois data."

 

            E.         "Step Four:  Resolution" should re-emphasize the
goal of achieving uniform Whois disclosure requirements.  Therefore, the
subcommittee suggests amending the first sentence to read as follows:
"Keeping in mind the anticipated impact on the operational
stability, reliability, security, or global interoperability of the
Internet's unique identifier systems, and the desire for uniform Whois
requirements to apply to all Registrars/Registries to the extent
possible, the Board should consider and take appropriate action on the
recommendations contained in the General Counsel's report as soon as
practicable." 

 

            F.         The Public Notice portion of the Procedure should
include information about how information made less accessible can be
accessed through other sources.  For example, if a departure from the
RAA resulted in the registrant's name but not address being made
available, the notice should include information on how such information
might be obtained or how to contact the relevant data protection
authorities to gain access to the data.  Therefore, the final sentence
of the recommendation should be amended as follows: "Unless the Board
decides otherwise, if the result of its resolution of the issue is that
data elements in the registrar's Whois output will be removed or made
less accessible, ICANN should issue an appropriate notice to the public
of the resolution and of the reasons for ICANN's forbearance from
enforcement of full compliance with the contractual provision in
question, including relevant contact information for how such data might
be accessed in appropriate circumstances."

 

Thank you for the opportunity to submit comments.

 

Sincerely,

 

Michael E. Heltzer

Manager, External Relations

International Trademark Association

 

 

 


