[alac] WHOIS impact review: Some proposed changes.
- To: alac@xxxxxxxxx
- Subject: [alac] WHOIS impact review: Some proposed changes.
- From: Thomas Roessler <roessler-mobile@xxxxxxxxxxxxxxxxxx>
- Date: Mon, 17 Feb 2003 22:49:01 +0100
I'm attaching a slightly revised version of the impact review.
Changes are limited to the conclusion, and are marked by
overstriking and underlining in the attached version of the
document.
The first change is mostly a clarification, and puts focus on the
registrants' perception of what is or is not an appropriate tool to
protect one's privacy in the current environment (as opposed to the
old text which left open who perceived something). The text now also
says that the shift of balance caused by strict enforcement of
accuracy requirements is "reason for concern." I'd hope that this
change is acceptable to everyone.
The second change concerns the common conclusion, and would make the
ALAC's statement more aggressive, but not precisely in the direction
Vittorio has suggested: Instead of calling for non-enforcement, it's
a call for enforceable policy (with the - unspoken - implication
that current policy may not be enforceable...), and for work on that
policy to "begin as swiftly as possible." The reason for this is
that I don't think we'd do ourselves a favor by explicitly calling
for registrars' non-compliance with their agreements, or for ICANN's
non-enforcement of certain policies. This would get us on a
slippery slope, which may contribute to further eroding the weight
of the RAA -- also in areas where compliance might be for the
benefit of registrants. We might regret such a pronouncement later
on.
I realize that the old version of the text may be easier for others
on this Committee to agree to, and I'd have no problem at all to
forward it to the WHOIS Task Force. However, I want to make sure
that we have the option to make a stronger statement if we want to.
Please let me know what you prefer.
For your information, I'm also including a dissenting opinion which
was sent to the WHOIS Task Force today by Ruchika Agrawal from EPIC,
on behalf of the Non-Commercial Users' Constituency (NCUC, former
NCDNHC). Her dissenting opinion goes much more in the direction of
Vittorio's proposed statement, and recommends directly not to
enforce accuracy until privacy has been solved.
Please let me know what you think.
Kind regards,
--
Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>ALAC Impact Statement on WHOIS Accuracy and Bulk Access</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-15">
<meta name="author"
content="Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>">
<style type="text/css"> <!--
h1, h2, h3, h4, h5, h6, p, li, td { font-family: arial, helvetica, sans-serif; }
h3 { margin-left: 40px; }
h4 { margin-left: 60px; }
h5, h6 { margin-left: 80px; }
-->
</style>
</head>
<body>
<table cellpadding="2" cellspacing="2" border="0"
style="text-align: left; width: 100%;">
<tbody>
<tr>
<td valign="top"><img
src="icann-logo.gif" alt="" style="width: 188px; height: 145px;">
<br>
</td>
<td valign="middle"
style="text-align: center;">
<p><span style="font-weight: bold; font-size: x-large;">At-Large Advisory
Committee</span></p>
<p><span style="font-weight: bold; font-size: xx-large;">Impact Review:
WHOIS Accuracy and Bulk Access<br>
</span></p>
<p><span style="font-weight: bold;">NN February 2003</span> </p>
</td>
</tr>
</tbody>
</table>
<br>
<hr width="100%" size="2">
<h3>Introduction</h3>
<p style="margin-left: 80px;">The At-Large Advisory Committee appreciates
the opportunity to submit a review of the impact of the WHOIS Task Force's
recommendations on individual Internet users. In this review, we have tried
to consider the Task Force's recommendations within a broader policy context,
and tried to identify priorities for further work where we believe that it
needs to be undertaken.<br>
</p>
<p style="margin-left: 80px;">The committee is aware that the Task Force is
currently in the process of producing issues reports on most of these topics.
We hope that the present review can also serve as a useful contribution to
that work.<br>
</p>
<h3>WHOIS Accuracy</h3>
<p style="margin-left: 80px;">The impact of any measures for the improvement
of WHOIS Accuracy must be considered with two very different classes of
registrants
in mind.<br>
</p>
<p style="margin-left: 80px;">On the one hand, there are those registrants
who welcome (or maybe just accept) the publication of their data through the
WHOIS database, and have a desire that accurate data are published that way.
There is no need for any formal "enforcement" of accurate WHOIS data with
respect to this class of registrants -- instead, any measures to improve WHOIS
data accuracy for this class of registrants are about making registrars'
processes
more registrant-friendly, and easier to use. An annual opportunity to review
and easily correct WHOIS data (without sanctions in the case of registrant's
non-response) is one such step. The At-Large Advisory Committee observes
that the Task Force's policy 1.A provides such an opportunity, and does not
mandate any sanctions in the event that registrant does not respond to a
notice on reviewing his WHOIS data. Thus, this proposed policy seems like
a way to make the interaction between registrars and registrants work more
smoothly, which the Committee welcomes. <br>
</p>
<p style="margin-left: 80px;">The second class of registrants is much more
complex to handle: Those who do not accept publication of personal data in
registrars' and registries' WHOIS systems, and provide "inaccurate" contact
information to registrars. There are various reasons registrants may have
for this behaviour, both legitimate and illegitimate; even worse, the concepts
of legitimate and illegitimate reasons vary across cultures and across
constituencies:
One country's constitutionally-protected anonymous free speaker might be another
country's hate-speech criminal who hides behind bad WHOIS data; one
constituency's
stalking victim may be another constituency's infringer.<br>
</p>
<p style="margin-left: 80px;">A careful balance of diverging interests will
have to be found in further policy work. This balance will not only have to
involve considerations on how to ensure accurate WHOIS data: It will also
have to take into account the uses various parties may have for WHOIS data,
and the conditions under which the data are being made accessible. It will,
finally, have to take into account legitimate privacy interests of registrants,
and applicable laws in force in a wide variety of jurisdictions.<br>
</p>
<p style="margin-left: 80px;">Considering the Task Force's recommendations,
the ALAC observes that <span style="font-style: italic;">any</span> measures
designed to enforce accuracy of publicly available WHOIS data against the
will of the domain name holder will shift the existing de-facto balance in
a way which benefits those who want to use the data (for whatever purpose,
legitimate or illegitimate), and which causes problems for those who don't
want to publish these data (once again, both for legitimate and illegitimate
reasons).<br>
</p>
<p style="margin-left: 80px;">The specific steps proposed in chapter II.1.B
of the Task Force's report describe a complaint mechanism, by which a third
party can trigger registrars to investigate the accuracy of existing WHOIS
data. This mechanism is presented as a practical recommendation, not as a
consensus policy. It is mostly based on the recommendations of the GNSO's
WHOIS Implementation Committee.<br>
</p>
<p style="margin-left: 80px;">The ALAC appreciates that the process attempts
to provide some basic safeguards against fraudulent complaints by giving
registrars
some leeway to ignore obviously unjustified complaints, and protect bona
fide registrants.<br>
</p>
<p style="margin-left: 80px;">Once a complaint is found justified, the
registrar
will send an inquiry to the registrant (through any available contact points),
and ask the registrant to provide updated information. Any updated information
received is subject to "commercial reasonable steps" to check its plausibility;
presumably, these steps will involve automated heuristics. If these heuristics
fail, "the registrant should be required to provide further justification."
ALAC interprets this to imply that automated heuristic plausibility checks
alone should not, in general, be a reason for registrars to place existing
domain names on hold, or cancel registrations -- in particular in those
situations
in which the registrant has been successfully contacted through some
communications
channel. ALAC also observes that, given that many registrars accept customers
around the globe, it may frequently be easy for bad faith registrants to provide
"plausible" data which are still not useable as contact information.<br>
</p>
<p style="margin-left: 80px;">The registrant only has limited time to respond
to registrar's inquiry. In earlier versions of the Task Force's report, a
15 day period was proposed; the WHOIS Implementation Committee has opted for
a 30 day time line. The Task Force's final report simply talks about a "time
limit (to be agreed)."<br>
</p>
<p style="margin-left: 80px;">According to a note from Louis Touton to the
WHOIS Task Force, no time limit can be found in current RAA or policy
provisions.
The 15 day time period in RAA 3.7.7.2 only concerns a time after which
registrars
must reserve the right to cancel registrations -- nothing forces them to
exercise
that right.<br>
</p>
<p style="margin-left: 80px;">The ALAC believes that the WHOIS Implementation
Committee's proposal to apply a 30 day time limit is reasonable. Shorter time
limits bear a variety of risks for bona fide registrants which have been
pointed out in many of the comments received by the WHOIS Task Force. If
necessary, the ALAC is available to contribute to any further discussion of
this issue.<br>
</p>
<h3>Bulk Access</h3>
<p style="margin-left: 80px;">The Task Force's policy 2.A proposes that "use
of bulk access WHOIS data for marketing should not be permitted." In order
to implement this policy, the Task Force suggests a change to the bulk access
agreement which is described in section 3.3.6 of the RAA, and observes that
the bulk-access provision in section 3.3.6.6 of the RAA would become
inapplicable.
The WHOIS Implementation Committee has, in its final report, stated that more
specific language defining "marketing activities" would be desirable. The
ALAC cautions that any such specification would have to ensure that no marketing
use of bulk data is permitted unconditionally which would have been covered
by the current RAA language's opt-out provision.<br>
</p>
<p style="margin-left: 80px;">The ALAC appreciates that the Task Force's
recommendations
are an attempt to limit undesired side effects of bulk access. But it is
not clear to what extent the new policy will indeed have the desired effect
on marketing uses of WHOIS data. The enforceability of registrars' bulk access
agreements is questionable: There are no contractual sanctions for data users
who violate the agreement; the current RAA does not even address the future
eligibility of data users who have broken bulk access agreements in the
past.<br>
</p>
<p style="margin-left: 80px;">In order to address these concerns, a more
fundamental
review of the RAA's bulk access provisions must be undertaken. Those purposes
within the scope of ICANN's mission and core values for which bulk access
needs to be granted (if any) should be clearly identified, and bulk access
should only be made available for this limited set of purposes, and to
trustworthy
data users. The review process will also need to take into account legal
concerns, such as the ones recently articulated in the European Commission's
contribution on WHOIS. The At-Large Advisory Committee considers a review
process of the RAA's bulk access provisions a priority, and will contribute
to it.<br>
</p>
<p style="margin-left: 80px;">Besides these concerns about the RAA's bulk
access provisions, the At-Large Advisory Committee also observes that
query-based
WHOIS can be abused to automatically obtain WHOIS information about large
numbers of domains, as evidenced by a recent attempt to copy Nominet's WHOIS
database.</p>
<h3>Conclusion</h3>
<p style="margin-left: 80px;">The Task Force's recommendations to
systematically
enforce the accuracy of WHOIS data shift the existing balance between the
interests of data users and data subjects in favor of data users. In an
environment
where <span style="text-decoration: underline;">registrants have
perceived</span>
"inaccurate" data <span style="text-decoration: line-through;">have been
perceived</span> to be one of the most practical methods <span
style="font-style: italic;"></span><span
style="text-decoration: underline;"></span>for protecting <span
style="text-decoration: line-through;">registrants'</span> <span
style="text-decoration: underline;">their </span>privacy, this <span
style="text-decoration: underline;">change is reason for concern. It
</span>will
inevitably increase the need for privacy protection mechanisms to be built
into the contractual framework.<br>
</p>
<p style="margin-left: 80px;">The Task Force's recommendations on Bulk Access
attempt to remove one possibility for undesirable uses of WHOIS data; despite
the good intent, the effectivity of this attempt is unclear since other ways
to access WHOIS data en masse remain open.<br>
</p>
<p style="margin-left: 80px;"><span
style="text-decoration: line-through;">Both observations together lead to
the common conclusion that the Task Force's recommendations can only be first
steps towards a future WHOIS policy environment, which will have to be the
result of a thorough review of the existing policy.</span><br>
</p>
<p style="margin-left: 80px;"><span style="text-decoration: underline;">Both
observations together lead to the common conclusion that the Task Force's
recommendations can only be first steps towards a future WHOIS policy
environment.
That future WHOIS policy environment will have to be designed with a renewed
focus on enforceability. In particular, this implies that the future policy
environment will have to directly address major issues left open at this
point of time - such as registrants' privacy. Relying upon non-enforcement
of policy instead is not a long-term option.</span><br>
</p>
<p style="margin-left: 80px;"><span style="text-decoration:
underline;"></span><span
style="text-decoration: underline;"></span>The ALAC is available to contribute
to <span style="text-decoration: line-through;">this review </span><span
style="text-decoration: underline;">the discussion on revising WHOIS
policy</span><span
style="text-decoration: underline;">. These discussions should begin as
swiftly as possible</span>.<br>
</p>
<p style="margin-left: 80px;"><br>
</p>
<br>
</body>
</html>
--- Begin Message ---
- To: nc-whois@xxxxxxxx
- Subject: [nc-whois] WHOIS Task Force Final Report - Dissenting Opinion from A Non-commercial Constituency Representative
- From: Ruchika Agrawal <agrawal@xxxxxxxx>
- Date: Mon, 17 Feb 2003 12:50:23 -0500
<html>
Dear Co-Members of the WHOIS Task Force:<br><br>
As a non-commercial constituency representative on the WHOIS Task Force,
I am writing to express my dissenting opinion on the Task Force's
accuracy recommendation.<br><br>
While I do not oppose accurate data per se, I do oppose the Task Force's
recommendation to enforce accuracy of WHOIS information when the Task
Force has failed to adequately address privacy issues. I also
believe the Task Force final report fails to reflect several suggestions
made by members to address this specific problem. For this reason,
the report cannot fairly be described as a "consensus"
position.<br><br>
The Task Force failed to recommend appropriate privacy safeguards for
domain name registrants with reasonable and legitimate expectations of
privacy and the Task Force failed to assess the misuses of WHOIS
data. The very existence of inaccurate data suggests that there are
domain name registrants who do care to safeguard their privacy and
prevent the misuse of their personally identifiable information.
Furthermore, a number of comments submitted to the WHOIS Task Force's
recommendations report raise privacy and data misuse issues that the
WHOIS Task Force has effectively ignored:
<dl><font face="Symbol">
<dd>·<x-tab> </x-tab></font>there
must be a provision for individuals to keep their personal phone numbers
private (04 Dec 2002, see
<a
href="http://www.dnso.org/dnso/dnsocomments/comments-whois/Arc02/msg00005.html"
eudora="autourl"><font
color="#0000FF"><u>http://www.dnso.org/dnso/dnsocomments/comments-whois/Arc02/msg00005.html</a></u></font>);<font
face="Symbol">
<dd>·<x-tab> </x-tab></font>unlimited
public access to WHOIS data poses real risks to individuals (9 Dec 2002,
see
<a
href="http://www.dnso.org/dnso/dnsocomments/comments-whois/Arc02/msg00012.html"
eudora="autourl">http://www.dnso.org/dnso/dnsocomments/comments-whois/Arc02/msg00012.html</a>);<font
face="Symbol">
<dd>·<x-tab> </x-tab></font>the
Task Force has failed to properly and fully address community concerns
regarding privacy (8 Jan 2003,
<a
href="http://www.dnso.org/dnso/dnsocomments/comments-whois/Arc02/msg00022.html"
eudora="autourl"><font
color="#0000FF"><u>http://www.dnso.org/dnso/dnsocomments/comments-whois/Arc02/msg00022.html</a></u></font>);<font
face="Symbol">
<dd>·<x-tab> </x-tab></font>the
availability of personally identifiable information on WHOIS raises major
problems with respect to the increasingly serious problem of identity
theft (08 Jan 2003, see
<a
href="http://www.dnso.org/dnso/dnsocomments/comments-whois/Arc02/msg00023.html"
eudora="autourl"><font
color="#0000FF"><u>http://www.dnso.org/dnso/dnsocomments/comments-whois/Arc02/msg00023.html</a></u></font>);
<font face="Symbol">
<dd>·<x-tab> </x-tab></font>nothing
in the Task Force's report answers the primary question regarding why
personally identifiable information must be published to the public at
all (9 Jan 2003,
<a
href="http://www.dnso.org/dnso/dnsocomments/comments-whois/Arc02/msg00025.html"
eudora="autourl"><font
color="#0000FF"><u>http://www.dnso.org/dnso/dnsocomments/comments-whois/Arc02/msg00025.html</a></u></font>);<font
face="Symbol">
<dd>·<x-tab> </x-tab></font>choosing
to use the domain name system for either personal or professional use
should not be a cause for the abuse of your name, address, phone number, fax
number and e-mail (9 Jan 2003,
<a
href="http://www.dnso.org/dnso/dnsocomments/comments-whois/Arc02/msg00027.html"
eudora="autourl"><font
color="#0000FF"><u>http://www.dnso.org/dnso/dnsocomments/comments-whois/Arc02/msg00027.html</a></u></font>);<font
face="Symbol">
<dd>·<x-tab> </x-tab></font>and
more.<br><br>
</dl>A number of privacy and data misuse issues have been expressed by
way of comments to the Task Force's interim and final reports as early as
July 2002. It is not clear what criteria the WHOIS Task Force is
applying to suggest that accuracy of WHOIS data supersedes legitimate
privacy interests. <br><br>
Moreover, the non-commercial constituency representatives expressed the
need to address privacy protection:
<dl><font face="Symbol">
<dd>·<x-tab> </x-tab></font>links
to postings discussing privacy issues, legitimate reasons for concealing
identity, free speech, etc. for the 2001 Congressional Hearings on
WHOIS/Accuracy (1 Jun 2002,
<a href="http://www.dnso.org/clubpublic/nc-whois/Arc00/msg00368.html"
eudora="autourl"><font
color="#0000FF"><u>http://www.dnso.org/clubpublic/nc-whois/Arc00/msg00368.html</a></u></font>);<font
face="Symbol">
<dd>·<x-tab> </x-tab></font>.uk
whois database as a case study of WHOIS privacy issues (14 Jun 2002,
<a href="http://www.dnso.org/clubpublic/nc-whois/Arc00/msg00410.html"
eudora="autourl"><font
color="#0000FF"><u>http://www.dnso.org/clubpublic/nc-whois/Arc00/msg00410.html</a></u></font>);<font
face="Symbol">
<dd>·<x-tab> </x-tab></font>the
European Commission's views on the compliance of the .name registration
agreement with EU privacy laws, which also has implications on
.com/.org/.net WHOIS (4 Sep 2002,
<a href="http://www.dnso.org/clubpublic/nc-whois/Arc00/msg00507.html"
eudora="autourl"><font
color="#0000FF"><u>http://www.dnso.org/clubpublic/nc-whois/Arc00/msg00507.html</a></u></font>);<font
face="Symbol">
<dd>·<x-tab> </x-tab></font>WHOIS
privacy issues including consumer protection, expectation of privacy,
etc. (30 Sep 2002,
<a href="http://www.dnso.org/clubpublic/nc-whois/Arc00/msg00553.html"
eudora="autourl"><font
color="#0000FF"><u>http://www.dnso.org/clubpublic/nc-whois/Arc00/msg00553.html</a></u></font>);<font
face="Symbol">
<dd>·<x-tab> </x-tab></font>not
clear why the WHOIS Task Force is moving forward with accuracy when
privacy issues have not been adequately addressed (30 Dec 2002, lunch
meeting between myself and WHOIS co-chair Marilyn
Cade);<font face="Symbol">
<dd>·<x-tab> </x-tab></font>not
clear why the WHOIS Task Force is talking about uniformity and accuracy
without having completely addressed accessibility issues and request
for a plan, or a strategy, and a time line to resolve
accessibility issues (04 Jan 2003,
<a href="http://www.dnso.org/clubpublic/nc-whois/Arc00/msg00800.html"
eudora="autourl"><font
color="#0000FF"><u>http://www.dnso.org/clubpublic/nc-whois/Arc00/msg00800.html</a></u></font>);
and<font face="Symbol">
<dd>·<x-tab> </x-tab></font>appropriate
privacy guidelines in the context of the Registrar Accreditation
Agreement (7 Jan 2003, GNSO WHOIS Task Force Teleconference).<br><br>
</dl>It is not clear why these points, which are central to the
development of a sensible WHOIS policy, are being put off.
Proposing a "privacy issues report" is unresponsive. Postponing
privacy issues while enforcing accuracy also presents the unacceptable
risk of privacy issues being dismissed or resolved unsatisfactorily (see
<font
color="#0000FF"><u>http://gnso.icann.org/dnso/dnsocomments/comments-whois/Arc03/msg00004.html</u></font>
and <font
color="#0000FF"><u>http://gnso.icann.org/dnso/dnsocomments/comments-whois/Arc03/msg00006.html</u></font>).
Minimally, enforcement of accuracy and insurance of privacy safeguards should
be concurrent. <br><br>
The WHOIS Task Force is well aware of these issues, but has chosen not to
address them. For this reason, I ask that my dissent be incorporated in the
Final Report as a Minority Report. <br><br>
Sincerely,<br>
Ruchika Agrawal<br>
Non-Commercial Constituency<br>
WHOIS Task Force<br>
</html>
--- End Message ---