ICANN Email List Archives

[whoisrt-discussion-paper]



NCUC Comments on the WHOIS Review Team Discussion Paper

  • To: whoisrt-discussion-paper@xxxxxxxxx
  • Subject: NCUC Comments on the WHOIS Review Team Discussion Paper
  • From: Wendy Seltzer <wendy@xxxxxxxxxxx>
  • Date: Sat, 23 Jul 2011 02:20:20 -0400

The Non-Commercial Users Constituency (NCUC) is pleased to share these
comments on the WHOIS Review Team's discussion paper. The NCUC includes
among its constituents many individual and non-profit domain name
registrants and Internet users, academic researchers, and privacy and
consumer advocates who share concerns about the lack of adequate privacy
protections in WHOIS. We believe ICANN can offer better options for
registrants and the Internet-using public, consistent with its
commitments.  Responses to specific questions follow:

> 4. How can ICANN balance the privacy concerns of some registrants 
> with its commitment to having accurate and complete WHOIS data 
> publicly accessible without restriction?
and
> 10. How can ICANN improve the accuracy of WHOIS data?

Privacy and accuracy go hand-in-hand. Rather than putting sensitive
information into public records, some registrants use "inaccurate" data
as a means of protecting their privacy. If registrants have other
channels to keep this information private, they may be more willing to
share accurate data with their registrar.

The problem for many registrants is indiscriminate public access to the
data. The lack of any restriction means that there is an unlimited
potential for bad actors to access and use the data, as well as
legitimate users and uses of these data.

At the very least, WHOIS access must give natural persons greater
latitude to withhold or restrict access to their data. That position,
which is consistent with European data protection law, has even been
advanced by the U.S. Federal Trade Commission and F.B.I.


ICANN stakeholders devoted a great deal of time and energy to this
question in GNSO Council-chartered WHOIS Task Forces. At the end of the
Task Force discussion in 2006, the group proposed that WHOIS be modified
to include an Operational Point of Contact (OPOC):
<http://gnso.icann.org/issues/whois-privacy/prelim-tf-rpt-22nov06.htm>

Under the OPOC proposal, "accredited registrars [would] publish three
types of data:
1) Registered Name Holder
2) Country and state/province of the registered nameholder
3) Contact information of the OPoC, including name, address, telephone
number, email."

Registrants with privacy concerns could name agents to serve as
OPoC, thereby keeping their personal address information out of the
public records.

NCUC recommends reviewing the documents the WHOIS Task Force produced
relating to the OPOC proposal, including the final task-force report on
the purpose of WHOIS:
<http://gnso.icann.org/issues/whois-privacy/tf-report-15mar06.htm>, Ross
Rader's slides from a presentation on the subject,
<http://gnso.icann.org/correspondence/rader-gnso-sp-04dec06.pdf> and the
report on OPoC
<http://gnso.icann.org/issues/whois-privacy/prelim-tf-rpt-22nov06.htm>
The GNSO in October 2007 accepted the WHOIS task-force report and
concluded the PDP.
<http://gnso.icann.org/meetings/minutes-gnso-31oct07.html>


> 5. How should ICANN address concerns about the use of privacy/proxy 
> services and their impact on the accuracy and availability of the 
> WHOIS data?

ICANN should recognize that privacy and proxy services fill a market
need; the use of these services indicates that privacy is a real
interest of many domain registrants. Concerns about the use of these
services are unwarranted.


> 12. Are there barriers, cost or otherwise, to compliance with WHOIS policy?

Even with the provisions for resolving conflicts with national law,
WHOIS poses problems for registrars in countries with differing data
protection regimes. Registrars do not want to wait for an enforcement
action before resolving conflicts, and many data protection authorities
and courts will not give rulings or opinions without a live case or
controversy. ICANN's response, that there's no problem, does not suit a
multi-jurisdictional Internet.


> 14. Are there any other relevant issues that the review team should
> be aware of? Please provide details.

Many NCUC members propose allowing registrants greater choice: Permit a
registrant to get a domain showing no WHOIS information at all, with the
possibility that the domain will cease to resolve if the domain is
challenged and the registrant is unable or unwilling to respond. This is
already the de facto circumstance for domains registered with false
information, so why not make it an official option?
(see
<http://gnso.icann.org/issues/whois-privacy/whois-services-final-tf-report-12mar07.htm#_Toc161480292>)

Proposals for verification (pre- or post-registration) of name and
address information are completely unworkable for standard gTLDs,
although they might be proposed by registries looking to differentiate.
There is no standard address format, or even any standard of physical
addressing that holds across the wide range of geographies and cultures
ICANN and registrars serve.

Inaccurate WHOIS data should not be used as conclusive evidence of bad
faith, especially in the context of ICANN's policies such as the UDRP.
Although within the UDRP, the need to identify a registrant is vital,
WHOIS details should not be used to make outright determinations
concerning abusive registrations of domain names.

Thank you,
--Wendy Seltzer, on behalf of the NCUC

-- 
Wendy Seltzer -- wendy@xxxxxxxxxxx
Fellow, Princeton Center for Information Technology Policy
Fellow, Berkman Center for Internet & Society at Harvard University
http://cyber.law.harvard.edu/seltzer.html
https://www.chillingeffects.org/
https://www.torproject.org/
http://www.freedom-to-tinker.com/


