[alac] updated draft on WHOIS.
- To: Vittorio Bertola <vb@xxxxxxxxxxxxxx>
- Subject: [alac] updated draft on WHOIS.
- From: Thomas Roessler <roessler-mobile@xxxxxxxxxxxxxxxxxx>
- Date: Wed, 19 Feb 2003 16:57:00 +0100
On 2003-02-19 16:20:05 +0100, Vittorio Bertola wrote:
> I have just talked with Thomas and we thought it better to turn
> the comment from an impact review directed to the task force into
> a comment directed to the Names Council, which gives us until
> tomorrow noon GMT to send it out. Thomas will post a revised
> draft as soon as possible.
It's attached. I've changed the headline, and made the minimal
adjustments to the introduction necessary to make this suitable for
submission to the Council.
There are no changes to the substance, but I have made one subtle
wording change in the first paragraph of the conclusion: Instead of
noting that "this change" is reason for concern, I've turned this
into "this shift of balance" -- just to make sure that accuracy
enforcement itself isn't the reason for concern...
--
Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>ALAC Impact Statement on WHOIS Accuracy and Bulk Access</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-15">
<meta name="author"
content="Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>">
<style type="text/css"> <!--
h1, h2, h3, h4, h5, h6, p, li, td { font-family: arial, helvetica, sans-serif; }
h3 { margin-left: 40px; }
h4 { margin-left: 60px; }
h5, h6 { margin-left: 80px; }
-->
</style>
</head>
<body>
<table cellpadding="2" cellspacing="2" border="0"
style="text-align: left; width: 100%;">
<tbody>
<tr>
<td valign="top"><img
src="icann-logo.gif" alt="" style="width: 188px; height: 145px;">
<br>
</td>
<td valign="middle"
style="text-align: center;">
<p><span style="font-weight: bold; font-size: x-large;">At-Large Advisory
Committee</span></p>
<p><span style="font-weight: bold; font-size: xx-large;">Statement
on the WHOIS Task Force's Final Report on Accuracy and Bulk Access<br>
</span></p>
<p><span style="font-weight: bold;">NN February 2003</span> </p>
</td>
</tr>
</tbody>
</table>
<br>
<hr width="100%" size="2">
<h3>Introduction</h3>
<p style="margin-left: 80px;">The At-Large Advisory Committee appreciates
the opportunity to submit its comments on the WHOIS Task Force's Final Report
on Accuracy and Bulk Access. In these comments, we have tried to consider
the Task Force's recommendations within a broader policy context, and tried
to identify priorities for further work where we believe that it needs to
be undertaken.<br>
</p>
<p style="margin-left: 80px;">The committee is aware that the Task Force is
currently in the process of producing issues reports on most (if not all)
of these topics. We hope that the present statement can also serve as a useful
contribution to that work. We are also willing to otherwise contribute to
the development of these issues reports.<br>
</p>
<h3>WHOIS Accuracy</h3>
<p style="margin-left: 80px;">The impact of any measures for the improvement
of WHOIS Accuracy must be considered with two very different classes of
registrants
in mind.<br>
</p>
<p style="margin-left: 80px;">On the one hand, there are those registrants
who welcome (or maybe just accept) the publication of their data through the
WHOIS database, and have a desire that accurate data are published that way.
There is no need for any formal "enforcement" of accurate WHOIS data with
respect to this class of registrants -- instead, any measures to improve WHOIS
data accuracy for this class of registrants are about making registrars'
processes
more registrant-friendly, and easier to use. An annual opportunity to review
and easily correct WHOIS data (without sanctions in the case of registrant's
non-response) is one such step. The At-Large Advisory Committee observes
that the Task Force's policy 1.A provides such an opportunity, and does not
mandate any sanctions in the event that registrant does not respond to a
notice on reviewing his WHOIS data. Thus, this proposed policy seems like
a way to make the interaction between registrars and registrants work more
smoothly, which the Committee welcomes. <br>
</p>
<p style="margin-left: 80px;">The second class of registrants is much more
complex to handle: Those who do not accept publication of personal data in
registrars' and registries' WHOIS systems, and provide "inaccurate" contact
information to registrars. There are various reasons registrants may have
for this behaviour, both legitimate and illegitimate; even worse, the concepts
of legitimate and illegitimate reasons vary across cultures and across
constituencies:
One country's constitutionally-protected anonymous free speaker might be another
country's hate-speech criminal who hides behind bad WHOIS data; one
constituency's
stalking victim may be another constituency's infringer.<br>
</p>
<p style="margin-left: 80px;">A careful balance of diverging interests will
have to be found in further policy work. This balance will not only have to
involve considerations on how to ensure accurate WHOIS data: It will also
have to take into account the uses various parties may have for WHOIS data,
and the conditions under which the data are being made accessible. It will,
finally, have to take into account legitimate privacy interests of registrants,
and applicable laws in force in a wide variety of jurisdictions.<br>
</p>
<p style="margin-left: 80px;">Considering the Task Force's recommendations,
the ALAC observes that <span style="font-style: italic;">any</span> measures
designed to enforce accuracy of publicly available WHOIS data against the
will of the domain name holder will shift the existing de-facto balance in
a way which benefits those who want to use the data (for whatever purpose,
legitimate or illegitimate), and which causes problems for those who don't
want to publish these data (once again, both for legitimate and illegitimate
reasons).<br>
</p>
<p style="margin-left: 80px;">The specific steps proposed in chapter II.1.B
of the Task Force's report describe a complaint mechanism, by which a third
party can trigger registrars to investigate the accuracy of existing WHOIS
data. This mechanism is presented as a practical recommendation, not as a
consensus policy. It is mostly based on the recommendations of the GNSO's
WHOIS Implementation Committee.<br>
</p>
<p style="margin-left: 80px;">The ALAC appreciates that the process attempts
to provide some basic safeguards against fraudulent complaints by giving
registrars
some leeway to ignore obviously unjustified complaints, and protect bona
fide registrants.<br>
</p>
<p style="margin-left: 80px;">Once a complaint is found justified, the
registrar
will send an inquiry to the registrant (through any available contact points),
and ask the registrant to provide updated information. Any updated information
received is subject to "commercial reasonable steps" to check its plausibility;
presumably, these steps will involve automated heuristics. If these heuristics
fail, "the registrant should be required to provide further justification."
ALAC interprets this to imply that automated heuristic plausibility checks
alone should not, in general, be a reason for registrars to place existing
domain names on hold, or cancel registrations -- in particular in those
situations
in which the registrant has been successfully contacted through some
communications
channel. ALAC also observes that, given that many registrars accept customers
around the globe, it may frequently be easy for bad faith registrants to provide
"plausible" data which are still not useable as contact information.<br>
</p>
<p style="margin-left: 80px;">The registrant only has limited time to respond
to registrar's inquiry. In earlier versions of the Task Force's report, a
15 day period was proposed; the WHOIS Implementation Committee has opted for
a 30 day time line. The Task Force's final report simply talks about a "time
limit (to be agreed)."<br>
</p>
<p style="margin-left: 80px;">According to a note from Louis Touton to the
WHOIS Task Force, no time limit can be found in current RAA or policy
provisions.
The 15 day time period in RAA 3.7.7.2 only concerns a time after which
registrars
must reserve the right to cancel registrations -- nothing forces them to
exercise
that right.<br>
</p>
<p style="margin-left: 80px;">The ALAC believes that the WHOIS Implementation
Committee's proposal to apply a 30 day time limit is reasonable. Shorter time
limits bear a variety of risks for bona fide registrants which have been
pointed out in many of the comments received by the WHOIS Task Force. If
necessary, the ALAC is available to contribute to any further discussion of
this issue.<br>
</p>
<h3>Bulk Access</h3>
<p style="margin-left: 80px;">The Task Force's policy 2.A proposes that "use
of bulk access WHOIS data for marketing should not be permitted." In order
to implement this policy, the Task Force suggests a change to the bulk access
agreement which is described in section 3.3.6 of the RAA, and observes that
the bulk-access provision in section 3.3.6.6 of the RAA would become
inapplicable.
The WHOIS Implementation Committee has, in its final report, stated that more
specific language defining "marketing activities" would be desirable. The
ALAC cautions that any such specification would have to ensure that no marketing
use of bulk data is permitted unconditionally which would have been covered
by the current RAA language's opt-out provision.<br>
</p>
<p style="margin-left: 80px;">The ALAC appreciates that the Task Force's
recommendations
are an attempt to limit undesired side effects of bulk access. But it is
not clear to what extent the new policy will indeed have the desired effect
on marketing uses of WHOIS data. The enforceability of registrars' bulk access
agreements is questionable: There are no contractual sanctions for data users
who violate the agreement; the current RAA does not even address the future
eligibility of data users who have broken bulk access agreements in the
past.<br>
</p>
<p style="margin-left: 80px;">In order to address these concerns, a more
fundamental
review of the RAA's bulk access provisions must be undertaken. Those purposes
within the scope of ICANN's mission and core values for which bulk access
needs to be granted (if any) should be clearly identified, and bulk access
should only be made available for this limited set of purposes, and to
trustworthy
data users. The review process will also need to take into account legal
concerns, such as the ones recently articulated in the European Commission's
contribution on WHOIS. The At-Large Advisory Committee considers a review
process of the RAA's bulk access provisions a priority, and will contribute
to it.<br>
</p>
<p style="margin-left: 80px;">Besides these concerns about the RAA's bulk
access provisions, the At-Large Advisory Committee also observes that
query-based
WHOIS can be abused to automatically obtain WHOIS information about large
numbers of domains, as evidenced by a recent attempt to copy Nominet's WHOIS
database.</p>
<h3>Conclusion</h3>
<p style="margin-left: 80px;">The Task Force's recommendations to
systematically
enforce the accuracy of WHOIS data shift the existing balance between the
interests of data users and data subjects in favor of data users. In an
environment
where registrants have perceived "inaccurate" data to be one of the most practical
methods for protecting their privacy,
this shift of balance is reason for concern. It will inevitably increase the
need for privacy protection mechanisms to be built into the contractual
framework.<br>
</p>
<p style="margin-left: 80px;">The Task Force's recommendations on Bulk Access
attempt to remove one possibility for undesirable uses of WHOIS data; despite
the good intent, the effectivity of this attempt is unclear since other ways
to access WHOIS data en masse remain open.<br>
</p>
<p style="margin-left: 80px;">Both observations together lead to the common
conclusion that the Task Force's recommendations can only be first steps
towards a future WHOIS policy environment. That future WHOIS policy environment
will have to be designed with a renewed focus on enforceability. In
particular,
this implies that the future policy environment will have to directly address
major issues left open at this point of time - such as registrants' privacy.
Relying upon non-enforcement of policy instead is not a long-term option.<br>
</p>
<p style="margin-left: 80px;">The ALAC is available to contribute to future
discussions on revising WHOIS policy. These discussions should begin as swiftly
as possible.<br>
</p>
<p style="margin-left: 80px;"><br>
</p>
<br>
</body>
</html>