ICANN ICANN Email List Archives

[At-Large Advisory Committee]

<<< Chronological Index >>>    <<< Thread Index >>>

[alac] DRAFT: Impact statement on WHOIS. COMMENT BEFORE TUESDAY.

  • To: alac@xxxxxxxxx
  • Subject: [alac] DRAFT: Impact statement on WHOIS. COMMENT BEFORE TUESDAY.
  • From: Thomas Roessler <roessler-mobile@xxxxxxxxxxxxxxxxxx>
  • Date: Sat, 15 Feb 2003 16:54:50 +0100

Please find attached a draft of an ALAC impact statement with
regards to WHOIS policy.  We'll need to submit this by Tuesday.

I've tried to keep this on a rather general level, by putting things
into context and asking for further work on that topic. Please
comment ASAP.

(Welcome to the wonderful world of GNSO deadlines. ;-)

Thomas Roessler                         <roessler@xxxxxxxxxxxxxxxxxx>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
  <title>ALAC Impact Statement on WHOIS Accuracy and Bulk Access</title>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-15">
  <meta name="author"
 content="Thomas Roessler &lt;roessler@xxxxxxxxxxxxxxxxxx&gt;">
  <style type="text/css"> <!--
h1, h2, h3, h4, h5, h6, p, li, td { font-family: arial, helvetica, sans-serif; }
h3 { margin-left: 40px; }
h4 { margin-left: 60px; }
h5, h6 { margin-left: 80px; }
<table cellpadding="2" cellspacing="2" border="0"
 style="text-align: left; width: 100%;">
                                        <td valign="top"><img
 src="icann-logo.gif" alt="" style="width: 188px; height: 145px;">
                                        <td valign="middle"
 style="text-align: center;">                                           
      <p><span style="font-weight: bold; font-size: x-large;">At-Large Advisory
      <p><span style="font-weight: bold; font-size: xx-large;">Impact Review:
WHOIS Accuracy and Bulk Access<br>
      <p><span style="font-weight: bold;">NN February 2003</span>  </p>
<hr width="100%" size="2">
<p style="margin-left: 80px;">The At-Large Advisory Committee appreciates
the opportunity to submit a review of the impact of the WHOIS Task Force's
recommendations on individual Internet users. In this review, we have tried
to consider the Task Force's recommendations within a broader policy context,
and tried to identify priorities for further work where we believe that it
needs to be undertaken.<br>
<p style="margin-left: 80px;">The committee is aware that the Task Force
is currently in the process of producing issues reports on most of these
topics. We hope that the present review can also serve as a useful contribution
to that work.<br>
<h3>WHOIS Accuracy</h3>
<p style="margin-left: 80px;">The impact of any measures for the improvement
of WHOIS Accuracy must be considered with two very different classes of 
in mind.<br>
<p style="margin-left: 80px;">On the one hand, there are those registrants
who welcome (or maybe just accept) the publication of their data through
the WHOIS database, and have a desire that accurate data are published that
way. There is no need for any formal "enforcement" of accurate WHOIS data
with respect to this class of registrants -- instead, any measures to improve
WHOIS data accuracy for this class of registrants are about making registrars'
processes more registrant-friendly, and easier to use. An annual opportunity
to review and easily correct WHOIS data (without sanctions in the case of
registrant's non-response) is one such step. The At-Large Advisory Committee
observes that the Task Force's policy 1.A provides such an opportuntiy, and
does not mandate any sanctions in the event that registrant does not respond
to a notice on reviewing his WHOIS data. Thus, this proposed policy seems
like a way to make the interaction between registrars and registrants work
more smoothly, which the Committee welcomes. <br>
<p style="margin-left: 80px;">The second class of registrants is much more
complex to handle: Those who do not accept publication of personal data in
registrars' and registries' WHOIS systems, and provide "inaccurate" contact
information to registrars. There are various reasons registrants may have
for this behaviour, both legitimate and illegitimate; even worse, the concepts
of legitimate and illegitimate reasons vary across cultures and across 
One country's constitutionally-protected anonymous free speaker might be
another country's hate-speech criminal who hides behind bad WHOIS data; one
constituency's stalking victim may be another constituency's infringer.<br>
<p style="margin-left: 80px;">A careful balance of diverging interests will
have to be found in further policy work. This balance will not only have
to involve considerations on how to ensure accurate WHOIS data: It will also
have to take into account the uses various parties may have for WHOIS data,
and the conditions under which the data are being made accessible. It will,
finally, have to take into account legitimate privacy interests of registrants,
and applicable laws in force in a wide variety of jurisdictions.<br>
<p style="margin-left: 80px;">Considering the Task Force's recommendations,
the ALAC observes that <span style="font-style: italic;">any</span> measures
designed to enforce accuracy of publicly available WHOIS data against the
will of the domain name holder will shift the existing de-facto balance in
a way which benefits those who want to use the data (for whatever purpose,
legitimate or illegitimate), and which causes problems for those who don't
want to publish these data (once again, both for legitimate and illegitimate
<p style="margin-left: 80px;">The specific steps proposed in chapter II.1.B
of the Task Force's report describe a complaint mechanism, by which a third
party can trigger registrars to investigate the accuracy of existing WHOIS
data. This mechanism is presented as a practical recommendation, not as a
consensus policy. It is mostly based on the recommendations of the GNSO's
WHOIS Implementation Committee.<br>
<p style="margin-left: 80px;">The ALAC appreciates that the process attempts
to provide some basic safeguards against fraudulent complaints by giving
registrars some leeway to ignore obviously unjustified complaints, and protect
bona fide registrants.<br>
<p style="margin-left: 80px;">Once a complaint is found justified, the registrar
will send an inquiry to the registrant (through any available contact points),
and ask the registrant to provide updated information. Any updated information
received is subject to "commercial reasonable steps" to check its plausibility;
presumably, these steps will involve automated heuristics. If these heuristics
fail, "the registrant should be required to provide further justification."
ALAC interprets this to imply that automated heuristic plausibility checks
alone should not, in general, be a reason for registrars to place existing
domain names on hold, or cancel registrations -- in particular in those 
in which the registrant has been successfully contacted through some 
channel. ALAC also observes that, given that many registrars accept customers
around the globe, it may frequently be easy for bad faith registrants to
provide "plausible" data which are still not useable as contact information.<br>
<p style="margin-left: 80px;">The registrant only has limited time to respond
to registrar's inquiry. In earlier versions of the Task Force's report, a
15 day period was proposed; the WHOIS Implementation Committee has opted
for a 30 day time line. The Task Force's final report simply talks about
a "time limit (to be agreed)."<br>
<p style="margin-left: 80px;">According to a note from Louis Touton to the
WHOIS Task Force, no time limit can be found in current RAA or policy 
The 15 day time period in RAA only concerns a time after which 
must reserve the right to cancel registrations -- nothing forces them to
exercise that right.<br>
<p style="margin-left: 80px;">The ALAC believes that the WHOIS Implementation
Committee's proposal to apply a 30 day time limit is reasonable. Shorter
time limits bear a variety of risks for bona fide registrants which have
been pointed out in many of the comments received by the WHOIS Task Force.
If necessary, the ALAC is available to contribute to any further discussion
of this issue.<br>
<h3>Bulk Access</h3>
<p style="margin-left: 80px;">The Task Force's policy 2.A proposes that "use
of bulk access WHOIS data for marketing should not be permitted." In order
to implement this policy, the Task Force suggests a change to the bulk access
agreement which is described in section 3.3.6 of the RAA, and observes that
the bulk-access provision in section of the RAA would become 
The WHOIS Implementation Committee has, in its final report, stated that
more specific language defining "marketing activities" would be desirable.
The ALAC cautions that any such specification would have to ensure that no
marketing use of bulk data is permitted unconditionally which would have
been covered by the current RAA language's opt-out provision.<br>
<p style="margin-left: 80px;">The ALAC appreciates that the Task Force's
recommendations are an attempt to limit undesired side effects of bulk access.
But it is not clear to what extent the new policy will indeed have the desired
effect on marketing uses of WHOIS data. The enforceability of registrars'
bulk access agreements is questionable: There are no contractual sanctions
for data users who violate the agreement; the current RAA does not even address
the future eligibility of data users who have broken bulk access agreements
in the past.<br>
<p style="margin-left: 80px;">In order to address these concerns, a more
fundamental review of the RAA's bulk access provisions must be undertaken.
Those purposes within the scope of ICANN's mission and core values for which
bulk access needs to be granted (if any) should be clearly identified, and
bulk access should only be made available for this limited set of purposes,
and to trustworthy data users. The review process will also need to take
into account legal concerns, such as the ones recently articulated in the
European Commission's contribution on WHOIS. The At-Large Advisory Committee
considers a review process of the RAA's bulk access provisions a priority,
and will contribute to it.<br>
<p style="margin-left: 80px;">Besides these concerns about the RAA's bulk
access provisions, the At-Large Advisory Committee also observes that 
WHOIS can be abused to automatically obtain WHOIS information about large
numbers as domains, as evidenced by a recent attempt to copy Nominet's WHOIS
<p style="margin-left: 80px;">The Task Force's recommendations to systematically
enforce the accuracy of WHOIS data shift the existing balance between the
interests of data users and data subjects in favor of data users. In an 
where "inaccurate" data have been perceived to be one of the most practical
methods <span style="font-style: italic;"></span>for protecting registrants'
privacy, this will inevitably increase the need for privacy protection 
to be built into the contractual framework.<br>
<p style="margin-left: 80px;">The Task Force's recommendations on Bulk Access
attempt to remove one possibility for undesirable uses of WHOIS data; despite
the good intent, the effectivity of this attempt is unclear since other ways
to access WHOIS data en masse remain open.<br>
<p style="margin-left: 80px;">Both observations together lead to the common
conclusion that the Task Force's recommendations can only be first steps
towards a future WHOIS policy environment, which will have to be the result
of a thorough review of the existing policy.<br>
<p style="margin-left: 80px;">The ALAC is available to contribute to this
<p style="margin-left: 80px;"><br>

<<< Chronological Index >>>    <<< Thread Index >>>

Privacy Policy | Terms of Service | Cookies Policy