ICANN ICANN Email List Archives

[At-Large Advisory Committee]

<<< Chronological Index >>>    <<< Thread Index >>>

[alac] updated draft on WHOIS.

  • To: Vittorio Bertola <vb@xxxxxxxxxxxxxx>
  • Subject: [alac] updated draft on WHOIS.
  • From: Thomas Roessler <roessler-mobile@xxxxxxxxxxxxxxxxxx>
  • Date: Wed, 19 Feb 2003 16:57:00 +0100

On 2003-02-19 16:20:05 +0100, Vittorio Bertola wrote:

> I have just talked with Thomas and we thought it better to turn
> the comment from an impact review directed to the task force into
> a comment directed to the Names Council, which gives us until
> tomorrow noon GMT to send it out. Thomas will post a revised
> draft as soon as possible.

It's attached.  I've changed the headline, and made the minimal
adjustments to the introduction necessary to make this suitable for
submission to the Council.

There are no changes to the substance, but I have made one subtle
wording change in the first paragraph of the conclusion: Instead of
noting that "this change" is reason for concern, I've turned this
into "this shift of balance" -- just to make sure that accuraccy
enforcement itself isn't the reason for concern...

Thomas Roessler                         <roessler@xxxxxxxxxxxxxxxxxx>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
  <title>ALAC Impact Statement on WHOIS Accuracy and Bulk Access</title>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-15">
  <meta name="author"
 content="Thomas Roessler &lt;roessler@xxxxxxxxxxxxxxxxxx&gt;">
  <style type="text/css"> <!--
h1, h2, h3, h4, h5, h6, p, li, td { font-family: arial, helvetica, sans-serif; }
h3 { margin-left: 40px; }
h4 { margin-left: 60px; }
h5, h6 { margin-left: 80px; }
<table cellpadding="2" cellspacing="2" border="0"
 style="text-align: left; width: 100%;">
                                         <td valign="top"><img
 src="icann-logo.gif" alt="" style="width: 188px; height: 145px;">
                                         <td valign="middle"
 style="text-align: center;">                                            
      <p><span style="font-weight: bold; font-size: x-large;">At-Large Advisory 
      <p><span style="font-weight: bold; font-size: xx-large;">Statement
on the WHOIS Task Force's Final Report on Accuracy and Bulk Access<br>
      <p><span style="font-weight: bold;">NN February 2003</span>  </p>
<hr width="100%" size="2"> 
<p style="margin-left: 80px;">The At-Large Advisory Committee appreciates 
the opportunity to submit its comments on the WHOIS Task Force's Final Report
on Accuracy and Bulk Access. In these comments, we have tried to consider
the Task Force's recommendations within a broader policy context, and tried
to identify priorities for further work where we believe that it needs to
be undertaken.<br>
<p style="margin-left: 80px;">The committee is aware that the Task Force is
currently in the process of producing issues reports on most (if not all)
of these topics. We hope that the present statement can also serve as a useful
contribution to that work. We are also willing to otherwise contribute to
the development of these isuses reports.<br>
<h3>WHOIS Accuracy</h3>
<p style="margin-left: 80px;">The impact of any measures for the improvement 
of WHOIS Accuracy must be considered with two very different classes of 
in mind.<br>
<p style="margin-left: 80px;">On the one hand, there are those registrants 
who welcome (or maybe just accept) the publication of their data through the
WHOIS database, and have a desire that accurate data are published that way.
There is no need for any formal "enforcement" of accurate WHOIS data with
respect to this class of registrants -- instead, any measures to improve WHOIS
data accuracy for this class of registrants are about making registrars' 
more registrant-friendly, and easier to use. An annual opportunity to review
and easily correct WHOIS data (without sanctions in the case of registrant's
non-response) is one such step. The At-Large Advisory Committee observes
that the Task Force's policy 1.A provides such an opportuntiy, and does not
mandate any sanctions in the event that registrant does not respond to a
notice on reviewing his WHOIS data. Thus, this proposed policy seems like
a way to make the interaction between registrars and registrants work more
smoothly, which the Committee welcomes. <br>
<p style="margin-left: 80px;">The second class of registrants is much more 
complex to handle: Those who do not accept publication of personal data in 
registrars' and registries' WHOIS systems, and provide "inaccurate" contact 
information to registrars. There are various reasons registrants may have 
for this behaviour, both legitimate and illegitimate; even worse, the concepts 
of legitimate and illegitimate reasons vary across cultures and across 
One country's constitutionally-protected anonymous free speaker might be another
country's hate-speech criminal who hides behind bad WHOIS data; one 
stalking victim may be another constituency's infringer.<br>
<p style="margin-left: 80px;">A careful balance of diverging interests will 
have to be found in further policy work. This balance will not only have to
involve considerations on how to ensure accurate WHOIS data: It will also 
have to take into account the uses various parties may have for WHOIS data, 
and the conditions under which the data are being made accessible. It will, 
finally, have to take into account legitimate privacy interests of registrants, 
and applicable laws in force in a wide variety of jurisdictions.<br>
<p style="margin-left: 80px;">Considering the Task Force's recommendations, 
the ALAC observes that <span style="font-style: italic;">any</span> measures 
designed to enforce accuracy of publicly available WHOIS data against the 
will of the domain name holder will shift the existing de-facto balance in 
a way which benefits those who want to use the data (for whatever purpose, 
legitimate or illegitimate), and which causes problems for those who don't 
want to publish these data (once again, both for legitimate and illegitimate 
<p style="margin-left: 80px;">The specific steps proposed in chapter II.1.B 
of the Task Force's report describe a complaint mechanism, by which a third 
party can trigger registrars to investigate the accuracy of existing WHOIS 
data. This mechanism is presented as a practical recommendation, not as a 
consensus policy. It is mostly based on the recommendations of the GNSO's 
WHOIS Implementation Committee.<br>
<p style="margin-left: 80px;">The ALAC appreciates that the process attempts 
to provide some basic safeguards against fraudulent complaints by giving 
some leeway to ignore obviously unjustified complaints, and protect bona
fide registrants.<br>
<p style="margin-left: 80px;">Once a complaint is found justified, the 
will send an inquiry to the registrant (through any available contact points), 
and ask the registrant to provide updated information. Any updated information 
received is subject to "commercial reasonable steps" to check its plausibility; 
presumably, these steps will involve automated heuristics. If these heuristics 
fail, "the registrant should be required to provide further justification." 
ALAC interprets this to imply that automated heuristic plausibility checks 
alone should not, in general, be a reason for registrars to place existing 
domain names on hold, or cancel registrations -- in particular in those 
in which the registrant has been successfully contacted through some 
channel. ALAC also observes that, given that many registrars accept customers 
around the globe, it may frequently be easy for bad faith registrants to provide
"plausible" data which are still not useable as contact information.<br>
<p style="margin-left: 80px;">The registrant only has limited time to respond 
to registrar's inquiry. In earlier versions of the Task Force's report, a 
15 day period was proposed; the WHOIS Implementation Committee has opted for
a 30 day time line. The Task Force's final report simply talks about a "time
limit (to be agreed)."<br>
<p style="margin-left: 80px;">According to a note from Louis Touton to the 
WHOIS Task Force, no time limit can be found in current RAA or policy 
The 15 day time period in RAA only concerns a time after which 
must reserve the right to cancel registrations -- nothing forces them to 
that right.<br>
<p style="margin-left: 80px;">The ALAC believes that the WHOIS Implementation 
Committee's proposal to apply a 30 day time limit is reasonable. Shorter time
limits bear a variety of risks for bona fide registrants which have been
pointed out in many of the comments received by the WHOIS Task Force. If
necessary, the ALAC is available to contribute to any further discussion of
this issue.<br>
<h3>Bulk Access</h3>
<p style="margin-left: 80px;">The Task Force's policy 2.A proposes that "use 
of bulk access WHOIS data for marketing should not be permitted." In order 
to implement this policy, the Task Force suggests a change to the bulk access 
agreement which is described in section 3.3.6 of the RAA, and observes that 
the bulk-access provision in section of the RAA would become 
The WHOIS Implementation Committee has, in its final report, stated that more
specific language defining "marketing activities" would be desirable. The
ALAC cautions that any such specification would have to ensure that no marketing
use of bulk data is permitted unconditionally which would have been covered
by the current RAA language's opt-out provision.<br>
<p style="margin-left: 80px;">The ALAC appreciates that the Task Force's 
are an attempt to limit undesired side effects of bulk access. But it is
not clear to what extent the new policy will indeed have the desired effect
on marketing uses of WHOIS data. The enforceability of registrars' bulk access
agreements is questionable: There are no contractual sanctions for data users
who violate the agreement; the current RAA does not even address the future
eligibility of data users who have broken bulk access agreements in the 
<p style="margin-left: 80px;">In order to address these concerns, a more 
review of the RAA's bulk access provisions must be undertaken. Those purposes
within the scope of ICANN's mission and core values for which bulk access
needs to be granted (if any) should be clearly identified, and bulk access
should only be made available for this limited set of purposes, and to 
data users. The review process will also need to take into account legal
concerns, such as the ones recently articulated in the European Commission's
contribution on WHOIS. The At-Large Advisory Committee considers a review
process of the RAA's bulk access provisions a priority, and will contribute
to it.<br>
<p style="margin-left: 80px;">Besides these concerns about the RAA's bulk 
access provisions, the At-Large Advisory Committee also observes that 
WHOIS can be abused to automatically obtain WHOIS information about large 
numbers of domains, as evidenced by a recent attempt to copy Nominet's WHOIS 
<p style="margin-left: 80px;">The Task Force's recommendations to 
enforce the accuracy of WHOIS data shift the existing balance between the 
interests of data users and data subjects in favor of data users. In an 
where registrants have perceived "inaccurate" data <span
 style="text-decoration: line-through;"></span>to be one of the most practical 
methods <span style="font-style: italic;"></span><span
 style="text-decoration: underline;"></span>for protecting their privacy,
this shift of balance is reason for concern. It<span
 style="text-decoration: underline;"> </span>will inevitably increase the
need for privacy protection mechanisms to be built into the contractual 
<p style="margin-left: 80px;">The Task Force's recommendations on Bulk Access 
attempt to remove one possibility for undesirable uses of WHOIS data; despite 
the good intent, the effectivity of this attempt is unclear since other ways 
to access WHOIS data en masse remain open.<br>
<p style="margin-left: 80px;">Both observations together lead to the common
conclusion that the Task Force's recommendations can only be first steps
towards a future WHOIS policy environment. That future WHOIS policy environment
will     have to be designed with a renewed focus on enforceability. In 
this implies that the future policy environment will have to directly address
major issues left open at this point of time - such as registrants' privacy.
Relying upon non-enforcement of policy instead is not a long-term option.<br>
<p style="margin-left: 80px;">The ALAC is available to contribute to future
discussions on revising WHOIS policy. These discussions should begin as swiftly
as possible.<br>
<p style="margin-left: 80px;"><br>

<<< Chronological Index >>>    <<< Thread Index >>>

Privacy Policy | Terms of Service | Cookies Policy