RE: [alac] Please review: Draft terms of reference for two WHOIS task forces.

["Denise Michel" <denisemichel@xxxxxxxxxxxxx>]

Please send this info to forum@xxxxxxxxxxxxxx or send me something to add to
the ALAC's comment forum WHOIS section when you have a chance.

Thanks.
Denise

michel@xxxxxxxxx

-----Original Message-----
From: owner-alac@xxxxxxxxx [mailto:owner-alac@xxxxxxxxx]On Behalf Of
Thomas Roessler
Sent: Thursday, September 18, 2003 3:47 PM
To: alac@xxxxxxxxx
Subject: [alac] Please review: Draft terms of reference for two WHOIS
task forces.


Below, I'm including draft terms of reference for two WHOIS task
forces; the whois steering group converged on focusing on these two
issue areas tonight.  Please review these draft terms, and provide
Wendy and me with any input you may have, preferably during the next
couple of days, as the steering group will consider updated drafts
in two weeks' time.

One initial thought from me about the first task force is that this
task force should not look for a bad short-term hack (such as
shutting down port 43 access and using web forms that return WHOIS
data as graphics files), but should preferably develop requirements
for mechanisms that may set the scene for a viable long-term
solution.

During the call, it was raised by the non-commercials that the "the
task force must ensure" language might be too strict for terms of
reference.  I understand that this will be revised.

I have also put a brief notice about this into the "For Public
Comment" section of alac.info.

Regards,
--
Thomas Roessler  <roessler@xxxxxxxxxxxxxxxxxx>
At-Large Advisory Committee: http://alac.info/







----- Forwarded message from Bruce Tonkin
<Bruce.Tonkin@xxxxxxxxxxxxxxxxxx> -----

From: Bruce Tonkin <Bruce.Tonkin@xxxxxxxxxxxxxxxxxx>
To: whois-sc@xxxxxxxx
Date: Thu, 18 Sep 2003 21:31:18 +1000
Subject: [whois-sc] Draft terms of reference for task force to prevent data
mining for marketing purposes


Title: Restricting bulk access to WHOIS data for marketing purposes

Participants:
- 1 representative from each constituency
- ALAC liaison
- GAC liaison
- ccNSO liaison
- SECSAC liaison
- liaisons from other GNSO WHOIS task forces

Description of Task Force:
==========================

In the recent policy recommendations relating to WHOIS:
(see http://www.icann.org/gnso/whois-tf/report-19feb03.htm)
it was decided that the use of bulk access WHOIS data for marketing
should not be permitted.  Bulk access need not be the entire database
(millions of records) of contact information but could also be
considered to be hundreds of WHOIS data records.   The current registry
and registrar contracts provide for third parties to obtain access to
bulk WHOIS information via an agreement that limits the use of the
information for marketing purposes (the number of these agreements in
existance is probably less than 10 for each large registrar).  However
most collections of bulk WHOIS data are currently obtained by a
combination of using free zonefile access (via signing a registry
zonefile access agreement - the number of these in existance approaches
1000 per major registry) to obtain a list of domains, and then using
anonymous (public) access to either port-43 or interactive web pages to
retrieve large (great than 100 records) volumes of contact information.
Once the information is initially obtained it can be kept up-to-date by
detecting changes in the zonefile, and only retrieving information
related to the changed records.   This process is often described as
"data mining".  The net effect is that bulk access to WHOIS data is
easily available for marketing purposes, and is generally anonymous (the
holders of this information are unknown).

The purpose of this task force is to determine what contractual changes
(if any) are required to allow registrars to protect domain name holder
data from data mining for the purposes of marketing.

In-scope
========
The purpose of this section to clarify the issues should be considered
in proposing any policy changes.

The task force must ensure that groups such as law enforcement,
intellectual property, internet service providers, and consumers can
continue to retrieve information necessary to perform their functions.
In some cases this may require the provision of searching facilities
(e.g that can return more than one record in response to a query) as
well as look-up facilities (that only provide one record in response to
a query).

The task force must ensure that any access restrictions do not restrict
the competitive provision of services using WHOIS information (for
example ensure that intellectual property protection can be provided
competitively), nor restrict the transfer of domain name records between
registrars.


Out-of-scope
============
To ensure that the task force remains narrowly focussed to ensure that
its goal is reasonably achievable and withina reasonable time frame, it
is necessary to be clear on what is not in scope for the task force.

The task force should not aim to specify a technical solution.  This is
the role of registries and registrars in a competitive market, and the
role of technical standardisation bodies such as the IETF.  Note the
IETF presently has a working group called CRISP to develop an improved
protocol that should be capable of implementing the policy outcomes of
this task force.

The task force should not review the current bulk access agreement
provisions. These were the subject of a recent update in policy in March
2003.

The task force should not study the amount of data available for public
(anonymous) access for single queries.  Any changes to the data
collected or made available will be the subject of a separate policy
development process.

Tasks/Milestones
================

- collect requirements from non-marketing users of contact information
(this could be extracted from the Montreal workshop and also by GNSO
constituencies, and should also include accessibility requirements (e.g
based on W3C standards)
[milestone 1 date]
- review general approaches to prevent automated electronic data mining
and ensure that the requirements for access are met (including
accessibility requirements for those that may for example be visually
impaired)
[milestone 2 date]
- determine whether any changes are required in the contracts to allow
the approaches to be used above   (for example the contracts require the
use of the port-43 WHOIS protocol and this may not support approaches to
prevent data mining)
[milestone 3 date]

Each milestone should be subject to development internally by the task
force, along with a public comment process to ensure that as much input
as possible is taken into account.







----- End forwarded message -----




----- Forwarded message from Bruce Tonkin
<Bruce.Tonkin@xxxxxxxxxxxxxxxxxx> -----

From: Bruce Tonkin <Bruce.Tonkin@xxxxxxxxxxxxxxxxxx>
To: whois-sc@xxxxxxxx
Date: Thu, 18 Sep 2003 21:58:54 +1000
Subject: [whois-sc] Draft terms of reference for task force to review data
collected and data displayed


Title: Review data collected and data displayed

Participants:
- 1 representative from each constituency
- ALAC liaison
- GAC liaison
- ccNSO liaison
- SECSAC liaison
- liaisons from other GNSO WHOIS task forces

Description of Task Force:
==========================

There are domain name holders that are concerned about their privacy,
both in terms of data that is collected and held about them, and also in
terms of what parts of that data is made available to other parties.
Extensive contact information can assist a registrar or network provider
to contact a domain name holder in the event of a technical problem or
in the event that a domain name may expire.  However a domain name
holder may be prepared to make a personal decision to accept a lower
standard of service (e.g take their own steps to be reminded of when a
domain expires) in return for greater privacy.   A domain name holder
may be prepared to provide extensive contact information to their domain
name provider, but would prefer to control what information is available
for public access.  For example a telephone customer may provide
detailed address information to a telephone service provider, but may
elect not to have this information displayed in a public whitepages
directory.  Note however that there is generally access to the complete
information to groups such as law enforcement and emergency services
personnel.   Another issue that is often raised is that there is limited
public understanding of the present contractual obligations.  Most
domain name holders are unaware that their information has been
displayed publically via the present port-43 and interactive web access
methods.


The purpose of this task force is to determine what contractual changes
(if any) are required to either allow domain name holders to limit the
amount of information that provide at the time of registration, or limit
the amount of information that is made accessible for anonymous (public)
access.

In-scope
========
The purpose of this section to clarify the issues should be considered
in proposing any policy changes.

The task force should consider not only changes to data collection and
display, but also to how registrants can be kept adequately informed of
what data is made publicly available, and what data may be made
available to other parties such as law enforcement and intellectual
property owners.

With respect to data collected, the task force should consider what is
the amount of data that should be collected assuming that the domain
name holder must be contactable.

The task force should examine what data is made publicly (anonymous)
available, and what choices a domain name holder may have with respect
to which data is publicly available.



Out-of-scope
============
To ensure that the task force remains narrowly focussed to ensure that
its goal is reasonably achievable and withina reasonable time frame, it
is necessary to be clear on what is not in scope for the task force.

The task force should not examine the mechanisms available for anonymous
publoic access of the data - this is the subject of a separate task
force.

The task force should not examine mechanisms for law enforcement access
to the data collected.  This is generally subject to existing local
laws, and maybe the subject of a future task force.

The task force should not study methods for fully anonymous registration
(ie that the domain name holder will never be contactable) - this will
be the subject of a separate task force.



Tasks/Milestones
================
- for further work











----- End forwarded message -----