[alac] DRAFT -- priorities for whois-sc

[Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>]

Hello,

there's another prioritization exercise currently going on in the
GNSO, on WHOIS issues.  A list of possible issues, extracted from
the staff manager's report, is appended in the end of this e-mail.

Here is a draft of the list of issues that Wendy and I would suggest
to send to the GNSO secretariat and the WHOIS steering group as the
ALAC's WHOIS priorities, along with some general remarks:

>To: whois-sc@xxxxxxxxxxxxxx, secretariat@xxxxxxxxxxxxxx
>Subject: ALAC top 5
>
>The following whois issues are the ALAC's top five:
>
>        * 1 -- data elements that are collected
>        * 3 -- should registrants be allowed not to provide some data?
>        * 4 -- pseudonymous registration
>        * 5 -- registrars' disclosures to registrants
>        * 7 -- consequences when registrant provides inaccurate data
>
>We think that the chief issues of concern to individual Internet
>users regarding WHOIS involve the mandatory collection of data not
>operationally necessary, the forced disclosure to the public of that
>data, and disclosure to them about the data protection/use policies
>of the registrars to whom they give such data.
>
>Because individuals use domain names to identify and locate
>communications on the Internet, we think it is important that they
>be able to do so without disclosing names or private information.
>
>We also re-iterate our earlier recommendation that the GNSO look at
>how WHOIS can be made auditable, by letting data users identify
>themselves, and the purpose for which they are accessing WHOIS data;
>in particular if the steering group comes to the conclusion that a
>tiered access model should be considered.  We would have listed this
>issue as one of our top 5, had it been identified in the staff
>manager's report.

Comments welcome.

Regards,
-- 
Thomas Roessler                 <roessler (at) does-not-exist.org>






    Issues Concerning Data Collection

    1. Should the elements of data that registrars are required to
    collect at the time of registration of a domain name be revised? (See
    Registrar Accreditation Agreement (RAA) § 3.2.)

    2. Should registrars be prohibited by ICANN from collecting additional
    items of data?

    3. Should all registrants, or certain classes of registrants (see
    Issue 18 below), be afforded the option of not providing some or
    all elements that registrars are required to collect and, if so,
    which elements?

    4. Should the current mechanism for pseudonymous registration be
    changed or supplemented with one or more alternative mechanisms? (See
    RAA § 3.7.7.3.) Should steps be taken to encourage broader
    availability of this mechanism?

    5. Are the current requirements that registrars make disclosures to,
    and obtain consent by, registrants concerning the uses of collected
    data adequate and appropriate? (See RAA §§ 3.7.7.4 to 3.7.7.6.)

    Issues Concerning Data Quality

    6. Are the procedures currently followed by registrars adequate to
    promote accurate, complete, and up-to-date data, as required by both
    privacy and accountability principles? (See RAA §§ 3.7.7.1, 3.7.7.2,
    and 3.7.8, as well as the GNSOs Whois recommendations on accuracy
    adopted by the ICANN Board on 27 March 2003.)

    7. What should be the consequences when a registrant provides
    inaccurate or incomplete data, or fails to correct inaccurate
    or incomplete data? (See RAA §§ 3.7.7.1, 3.7.7.2, and 3.7.8.) Are
    safeguards needed to prevent abusive reports of inaccuracies? Should
    certain classes of registrants (see Issue 18 below) be permitted to
    provide inaccurate or incomplete data?

    Issues Concerning Data Handling

    8. Are the current requirements that registrars handle personal data
    according to the notices given at the time of registration, and in a
    manner that avoids loss, misuse, unauthorized access or disclosure,
    alteration, or destruction, adequate and appropriate? (See RAA §§
    3.7.7.7 and 3.7.7.8.)

    9. Are the current requirements for handling of registrar data by
    registry operators adequate and appropriate?

    Issues Concerning Data Disclosure

    10. Are the current means of query-based access appropriate? Should
    both web-based access and port-43 access be required? (RAA § 3.3.1.)

    11. What are the purposes for providing public query-based access? Are
    the elements currently required to be disclosed in public query-based
    access adequate and appropriate? (RAA § 3.3.1.)

    12. What measures, if any, should registrars and registry operators
    be permitted to take to limit data mining of Whois servers?

    13. Should access to data be differentiated based on the party
    receiving access, or based on the use to which the data will be
    put? If so, how should differentiated access be implemented and how
    should the cost of differentiation be funded?

    14. Should the current requirement that registrars provide bulk Whois
    access for non-marketing uses be further limited or eliminated? (RAA §
    3.3.6, as well as the GNSOs Whois recommendations on accuracy adopted
    by the ICANN Board on 27 March 2003.)

    Issues Concerning Data Use

    15. Which uses of Whois data by members of the public should
    be permitted (e.g., resolving technical problems, sourcing spam,
    identifying online merchants, law enforcement activities, identifying
    online infringers for enforcement of intellectual property rights,
    etc.)? Which uses should be prohibited?

    16. How should restrictions on permissible uses by members of the
    public be enforced? (RAA §§ 3.3.6.3 to 3.3.6.5.)

    17. To what extent is Whois data actually used to the harm of
    registrants (e.g., identity theft, spam, stalking, and other
    harassment)?

    Issues Concerning Classification of Registrants

    18. Should certain types of registrants (e.g., those using domains
    for political and similar activities) be exempt from the usual
    requirements to provide data, or to have it available in Whois? How
    should the eligibility of particular registrants for these exemptions
    be determined? Are measures required to address the possibility of
    abuses in the classification procedure?

    Issues Concerning Commercial Confidentiality and Rights in Data

    19. Should registrars have the option, independent of their customers,
    to protect the confidentiality of Whois data based on registrars
    proprietary rights to that data? Are the current provisions permitting
    registrars to claim proprietary rights in personal data about their
    customers appropriate? (RAA § 3.5.)

    20. Should there be ICANN requirements limiting registrars' ability
    to sell or use Whois data, or other data collected about customers,
    for commercial purposes?