ICANN ICANN Email List Archives

[At-Large Advisory Committee]

<<< Chronological Index >>>    <<< Thread Index >>>

Re: [alac] updated draft on WHOIS.

  • To: Thomas Roessler <roessler-mobile@xxxxxxxxxxxxxxxxxx>, Vittorio Bertola <vb@xxxxxxxxxxxxxx>
  • Subject: Re: [alac] updated draft on WHOIS.
  • From: Erick Iriarte Ahon <faia@xxxxxxxxxxxxxxxxx>
  • Date: Wed, 19 Feb 2003 11:48:05 -0500

My comments:

At 04:57 p.m. 19/02/2003 +0100, Thomas Roessler wrote:
On 2003-02-19 16:20:05 +0100, Vittorio Bertola wrote:

> I have just talked with Thomas and we thought it better to turn
> the comment from an impact review directed to the task force into
> a comment directed to the Names Council, which gives us until
> tomorrow noon GMT to send it out. Thomas will post a revised
> draft as soon as possible.

It's attached.  I've changed the headline, and made the minimal
adjustments to the introduction necessary to make this suitable for
submission to the Council.

There are no changes to the substance, but I have made one subtle
wording change in the first paragraph of the conclusion: Instead of
noting that "this change" is reason for concern, I've turned this
into "this shift of balance" -- just to make sure that accuraccy
enforcement itself isn't the reason for concern...

Thomas Roessler                         <roessler@xxxxxxxxxxxxxxxxxx>

At-Large Advisory Committee

Statement on the WHOIS Task Force's Final Report on Accuracy and Bulk Access

NN February 2003



The At-Large Advisory Committee appreciates the opportunity to submit its comments on the WHOIS Task Force's Final Report on Accuracy and Bulk Access. In these comments, we have tried to consider the Task Force's recommendations within a broader policy context, and tried to identify priorities for further work where we believe that it needs to be undertaken.

The committee is aware that the Task Force is currently in the process of producing issues reports on most (if not all) of these topics. We hope that the present statement can also serve as a useful contribution to that work. We are also willing to otherwise contribute to the development of these isuses reports.

WHOIS Accuracy

The impact of any measures for the improvement of WHOIS Accuracy must be considered with two very different classes of registrants in mind.

On the one hand, there are those registrants who welcome (or maybe just accept) the publication of their data through the WHOIS database, and have a desire that accurate data are published that way. There is no need for any formal "enforcement" of accurate WHOIS data with respect to this class of registrants -- instead, any measures to improve WHOIS data accuracy for this class of registrants are about making registrars' processes more registrant-friendly, and easier to use.

And agree with at least the local policies about personal data protection, it's necessary a specific policy of the registrar-register about this issue, publicated in the web site, and the registrants will have to know this policies before "buy" a domain name.

An annual opportunity to review and easily correct WHOIS data (without sanctions in the case of registrant's non-response) is one such step.

Agree with which legislation? we need to declarate something about legislation and jurisdiccion applicable for this issues. If not, it's "dead-letter" ;)

The At-Large Advisory Committee observes that the Task Force's policy 1.A provides such an opportuntiy, and does not mandate any sanctions in the event that registrant does not respond to a notice on reviewing his WHOIS data. Thus, this proposed policy seems like a way to make the interaction between registrars and registrants work more smoothly, which the Committee welcomes.

Maybe we can create a "sanctions" by the icann, for negligence.

The second class of registrants is much more complex to handle: Those who do not accept publication of personal data in registrars' and registries' WHOIS systems, and provide "inaccurate" contact information to registrars. There are various reasons registrants may have for this behaviour, both legitimate and illegitimate; even worse, the concepts of legitimate and illegitimate reasons vary across cultures and across constituencies: One country's constitutionally-protected anonymous free speaker might be another country's hate-speech criminal who hides behind bad WHOIS data; one constituency's stalking victim may be another constituency's infringer.

A careful balance of diverging interests will have to be found in further policy work. This balance will not only have to involve considerations on how to ensure accurate WHOIS data: It will also have to take into account the uses various parties may have for WHOIS data, and the conditions under which the data are being made accessible. It will, finally, have to take into account legitimate privacy interests of registrants, and applicable laws in force in a wide variety of jurisdictions.

Considering the Task Force's recommendations, the ALAC observes that any measures designed to enforce accuracy of publicly available WHOIS data against the will of the domain name holder will shift the existing de-facto balance in a way which benefits those who want to use the data (for whatever purpose, legitimate or illegitimate), and which causes problems for those who don't want to publish these data (once again, both for legitimate and illegitimate reasons).

Maybe it's necesarry a explicited agreement from the user for publicated his information.

The specific steps proposed in chapter II.1.B of the Task Force's report describe a complaint mechanism, by which a third party can trigger registrars to investigate the accuracy of existing WHOIS data. This mechanism is presented as a practical recommendation, not as a consensus policy. It is mostly based on the recommendations of the GNSO's WHOIS Implementation Committee.

The ALAC appreciates that the process attempts to provide some basic safeguards against fraudulent complaints by giving registrars some leeway to ignore obviously unjustified complaints, and protect bona fide registrants.

But we need mechanism to denounce ilegitime use of the data. by third parts.

Once a complaint is found justified, the registrar will send an inquiry to the registrant (through any available contact points), and ask the registrant to provide updated information. Any updated information received is subject to "commercial reasonable steps" to check its plausibility; presumably, these steps will involve automated heuristics. If these heuristics fail, "the registrant should be required to provide further justification." ALAC interprets this to imply that automated heuristic plausibility checks alone should not, in general, be a reason for registrars to place existing domain names on hold, or cancel registrations -- in particular in those situations in which the registrant has been successfully contacted through some communications channel. ALAC also observes that, given that many registrars accept customers around the globe, it may frequently be easy for bad faith registrants to provide "plausible" data which are still not useable as contact information.

The registrant only has limited time to respond to registrar's inquiry. In earlier versions of the Task Force's report, a 15 day period was proposed; the WHOIS Implementation Committee has opted for a 30 day time line. The Task Force's final report simply talks about a "time limit (to be agreed)."

According to a note from Louis Touton to the WHOIS Task Force, no time limit can be found in current RAA or policy provisions. The 15 day time period in RAA only concerns a time after which registrars must reserve the right to cancel registrations -- nothing forces them to exercise that right.

The ALAC believes that the WHOIS Implementation Committee's proposal to apply a 30 day time limit is reasonable.


Shorter time limits bear a variety of risks for bona fide registrants which have been pointed out in many of the comments received by the WHOIS Task Force. If necessary, the ALAC is available to contribute to any further discussion of this issue.

Bulk Access

The Task Force's policy 2.A proposes that "use of bulk access WHOIS data for marketing should not be permitted."

and will say: Prohibited

In order to implement this policy, the Task Force suggests a change to the bulk access agreement which is described in section 3.3.6 of the RAA, and observes that the bulk-access provision in section of the RAA would become inapplicable. The WHOIS Implementation Committee has, in its final report, stated that more specific language defining "marketing activities" would be desirable. The ALAC cautions that any such specification would have to ensure that no marketing use of bulk data is permitted unconditionally which would have been covered by the current RAA language's opt-out provision.

The ALAC appreciates that the Task Force's recommendations are an attempt to limit undesired side effects of bulk access. But it is not clear to what extent the new policy will indeed have the desired effect on marketing uses of WHOIS data. The enforceability of registrars' bulk access agreements is questionable: There are no contractual sanctions for data users who violate the agreement; the current RAA does not even address the future eligibility of data users who have broken bulk access agreements in the past.

In order to address these concerns, a more fundamental review of the RAA's bulk access provisions must be undertaken. Those purposes within the scope of ICANN's mission and core values for which bulk access needs to be granted (if any) should be clearly identified, and bulk access should only be made available for this limited set of purposes, and to trustworthy data users. The review process will also need to take into account legal concerns, such as the ones recently articulated in the European Commission's contribution on WHOIS. The At-Large Advisory Committee considers a review process of the RAA's bulk access provisions a priority, and will contribute to it.

It's necessary to understand that we have a lot of different legislation about privacy or data protection, and different degrees in this legislation, maybe we can recomended use a complete protection of the data, and need a explicited policy by the registrar for take "data" from registrants and need a specific "agree" for publicated.

Besides these concerns about the RAA's bulk access provisions, the At-Large Advisory Committee also observes that query-based WHOIS can be abused to automatically obtain WHOIS information about large numbers of domains, as evidenced by a recent attempt to copy Nominet's WHOIS database.


The Task Force's recommendations to systematically enforce the accuracy of WHOIS data shift the existing balance between the interests of data users and data subjects in favor of data users. In an environment where registrants have perceived "inaccurate" data to be one of the most practical methods for protecting their privacy, this shift of balance is reason for concern. It will inevitably increase the need for privacy protection mechanisms to be built into the contractual framework.

The Task Force's recommendations on Bulk Access attempt to remove one possibility for undesirable uses of WHOIS data; despite the good intent, the effectivity of this attempt is unclear since other ways to access WHOIS data en masse remain open.

Both observations together lead to the common conclusion that the Task Force's recommendations can only be first steps towards a future WHOIS policy environment. That future WHOIS policy environment will have to be designed with a renewed focus on enforceability. In particular, this implies that the future policy environment will have to directly address major issues left open at this point of time - such as registrants' privacy. Relying upon non-enforcement of policy instead is not a long-term option.

I repeat: It's necessary to understand that we have a lot of different legislation about privacy or data protection, and different degrees in this legislation, maybe we can recomended use a complete protection of the data, and need a explicited policy by the registrar for take "data" from registrants and need a specific "agree" for publicated.

The ALAC is available to contribute to future discussions on revising WHOIS policy. These discussions should begin as swiftly as possible.

JPEG image

<<< Chronological Index >>>    <<< Thread Index >>>

Privacy Policy | Terms of Service | Cookies Policy