Comments on the whois task force report

[Patrick Vande Walle <patrick@xxxxxxxxxxxxxx>]

First of all, the report does not include a comprehensive study of
privacy laws in major countries around the world. Though a difficult
exercise, it would allow to set the context in which the whois policy
should be developed. It would be a waste of time to develop a policy
that cannot be implemented because it breaches the law.

Several times in the report the assumption is made that the applicable
law and jurisdiction is that of the registrar or registry. There is a
growing trend, especially in Europe, to consider that the relevant law
and jurisdiction for distance selling should be that of the buyer,
especially if the buyer is an individual.

I am also surprised to see that "law enforcement agencies or
intellectual property rights holders" are being put on the same level
throughout the text, as if a private third party had the same legal and
democratic legitimacy as a state agency. It seems quite logical that IP
right holders have no more (or less) rights that any other complainant.
As such, it should go through the same channel to exercise their right
as any other 3rd party. This also allows to filter out groundless and
frivolous complaints.

The "special circumstances" proposal is obviously the example of what
should not be done. Who gets to decide what constitutes a "concrete and
real interest in their personal safety or security that cannot be
protected other than by suppressing that public access" ? What is the
legitimacy of such body ? How does it scale on a worldwide basis ?
Further, it does not address the need to protect individuals and
companies from e-mail spam or phone harassment.

The OPoC proposal seems reasonable with a few adjustments. There should
be a possibility for individuals to have an unlisted domain name, just
like there are unlisted phone numbers. In such a case, the registrar or
ISP could act as the OPoC. 

As mentioned in the report, the accuracy of the whois data will improve
when it will become less public and proper checks are made on who
requests the data and for what purpose.  A code of conduct, as
mentioned  in the OPoC  proposal, is of little value if there are no
incentives for it to be effectively enforced. There should be additional
measures, like external audits and sanctions for those in breach with
the code of conduct (suspension or revocation of the ICANN accreditation
for registrars for example).

The bottom line is that we need a policy that can actually be
implemented by registrars. Rather than looking at what we can agree on
within the narrow ICANN community, we should be looking at what is
realistically feasible within the existing legal frameworks and agree on
a common denominator.

Patrick Vande Walle