Re: [alac] WHOIS impact review: Some proposed changes.

["Sebastian Ricciardi" <sricciardi@xxxxxxxxxxxxxxx>]

ALAC Impact Statement on WHOIS Accuracy and Bulk AccessBoth observations 
together lead to the common conclusion that the Task Force's recommendations 
can only be first steps towards a future WHOIS policy environment. That future 
WHOIS policy environment will have to be designed with a renewed focus on 
enforceability. In particular, this implies that the future policy environment 
will have to directly address major issues left open at this point of time - 
such as registrants' privacy. Relying upon non-enforcement of policy instead is 
not a long-term option.

Shouldn't be any enforcement until privacy issue is solved. On the other hand, 
it's true that we cannot rely on non-enforcement rules. I like tha way Thomas 
manage this matter. 

The text is fine for me.

Sebastian


  ----- Original Message ----- 
  From: Thomas Roessler 
  To: alac@xxxxxxxxx 
  Sent: Monday, February 17, 2003 6:49 PM
  Subject: [alac] WHOIS impact review: Some proposed changes.


  I'm attaching a slightly revised version of the impact review.
  Changes are limited to the conclusion, and are marked by
  overstriking and underlining in the attached version of the
  document.


  The first change is mostly a clarification, and puts focus on the
  registrants' perception of what is or is not an appropriate tool to
  protect one's privacy in the current environment (as opposed to the
  old text which left open who perceived something). The text now also
  says that the shift of balance caused by strict enforcement of
  accuracy requirements is "reason for concern." I'd hope that this
  change is acceptable to everyone.


  The second change concerns the common conclusion, and would make the
  ALAC's statement more aggressive, but not precisely in the direction
  Vittorio has suggested: Instead of calling for non-enforcement, it's
  a call for enforceable policy (with the - unspoken - implication
  that current policy may not be enforceable...), and for work on that
  policy to "begin as swiftly as possible." The reason for this is
  that I don't think we'd do ourselves a favor by explicitly calling
  for registrars' non-compliance with their agreements, or for ICANN's
  non-enforcement of certain policies.  This would get us on a
  slippery slope, which may contribute to further eroding the weight
  of the RAA -- also in areas where compliance might be for the
  benefit of registrants.  We might regret such a pronouncement later
  on.

  I realize that the old version of the text may be easier for others
  on this Committee to agree to, and I'd have no problem at all to
  forward it to the WHOIS Task Force.  However, I want to make sure
  that we have the option to make a stronger statement if we want to.
  Please let me know what you prefer.



  For your information, I'm also including a dissenting opinion which
  was sent to the WHOIS Task Force today by Ruchika Agrawal from EPIC,
  on behalf of the Non-Commercial Users' Constituency (NCUC, former
  NCDNHC).  Her dissenting opinion goes much more in the direction of
  Vittorio's proposed statement, and recommends directly not to
  enforce accuracy until privacy has been solved.



  Please let me know what you think.


  Kind regards,
  -- 
  Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>



------------------------------------------------------------------------------


         
       At-Large Advisory Committee

        Impact Review: WHOIS Accuracy and Bulk Access


        NN February 2003 
       


------------------------------------------------------------------------------

  Introduction
  The At-Large Advisory Committee appreciates the opportunity to submit a 
review of the impact of the WHOIS Task Force's recommendations on individual 
Internet users. In this review, we have tried to consider the Task Force's 
recommendations within a broader policy context, and tried to identify 
priorities for further work where we believe that it needs to be undertaken.


  The committee is aware that the Task Force is currently in the process of 
producing issues reports on most of these topics. We hope that the present 
review can also serve as a useful contribution to that work.


  WHOIS Accuracy
  The impact of any measures for the improvement of WHOIS Accuracy must be 
considered with two very different classes of registrants in mind.


  On the one hand, there are those registrants who welcome (or maybe just 
accept) the publication of their data through the WHOIS database, and have a 
desire that accurate data are published that way. There is no need for any 
formal "enforcement" of accurate WHOIS data with respect to this class of 
registrants -- instead, any measures to improve WHOIS data accuracy for this 
class of registrants are about making registrars' processes more 
registrant-friendly, and easier to use. An annual opportunity to review and 
easily correct WHOIS data (without sanctions in the case of registrant's 
non-response) is one such step. The At-Large Advisory Committee observes that 
the Task Force's policy 1.A provides such an opportuntiy, and does not mandate 
any sanctions in the event that registrant does not respond to a notice on 
reviewing his WHOIS data. Thus, this proposed policy seems like a way to make 
the interaction between registrars and registrants work more smoothly, which 
the Committee welcomes. 


  The second class of registrants is much more complex to handle: Those who do 
not accept publication of personal data in registrars' and registries' WHOIS 
systems, and provide "inaccurate" contact information to registrars. There are 
various reasons registrants may have for this behaviour, both legitimate and 
illegitimate; even worse, the concepts of legitimate and illegitimate reasons 
vary across cultures and across constituencies: One country's 
constitutionally-protected anonymous free speaker might be another country's 
hate-speech criminal who hides behind bad WHOIS data; one constituency's 
stalking victim may be another constituency's infringer.


  A careful balance of diverging interests will have to be found in further 
policy work. This balance will not only have to involve considerations on how 
to ensure accurate WHOIS data: It will also have to take into account the uses 
various parties may have for WHOIS data, and the conditions under which the 
data are being made accessible. It will, finally, have to take into account 
legitimate privacy interests of registrants, and applicable laws in force in a 
wide variety of jurisdictions.


  Considering the Task Force's recommendations, the ALAC observes that any 
measures designed to enforce accuracy of publicly available WHOIS data against 
the will of the domain name holder will shift the existing de-facto balance in 
a way which benefits those who want to use the data (for whatever purpose, 
legitimate or illegitimate), and which causes problems for those who don't want 
to publish these data (once again, both for legitimate and illegitimate 
reasons).


  The specific steps proposed in chapter II.1.B of the Task Force's report 
describe a complaint mechanism, by which a third party can trigger registrars 
to investigate the accuracy of existing WHOIS data. This mechanism is presented 
as a practical recommendation, not as a consensus policy. It is mostly based on 
the recommendations of the GNSO's WHOIS Implementation Committee.


  The ALAC appreciates that the process attempts to provide some basic 
safeguards against fraudulent complaints by giving registrars some leeway to 
ignore obviously unjustified complaints, and protect bona fide registrants.


  Once a complaint is found justified, the registrar will send an inquiry to 
the registrant (through any available contact points), and ask the registrant 
to provide updated information. Any updated information received is subject to 
"commercial reasonable steps" to check its plausibility; presumably, these 
steps will involve automated heuristics. If these heuristics fail, "the 
registrant should be required to provide further justification." ALAC 
interprets this to imply that automated heuristic plausibility checks alone 
should not, in general, be a reason for registrars to place existing domain 
names on hold, or cancel registrations -- in particular in those situations in 
which the registrant has been successfully contacted through some 
communications channel. ALAC also observes that, given that many registrars 
accept customers around the globe, it may frequently be easy for bad faith 
registrants to provide "plausible" data which are still not useable as contact 
information.


  The registrant only has limited time to respond to registrar's inquiry. In 
earlier versions of the Task Force's report, a 15 day period was proposed; the 
WHOIS Implementation Committee has opted for a 30 day time line. The Task 
Force's final report simply talks about a "time limit (to be agreed)."


  According to a note from Louis Touton to the WHOIS Task Force, no time limit 
can be found in current RAA or policy provisions. The 15 day time period in RAA 
3.7.7.2 only concerns a time after which registrars must reserve the right to 
cancel registrations -- nothing forces them to exercise that right.


  The ALAC believes that the WHOIS Implementation Committee's proposal to apply 
a 30 day time limit is reasonable. Shorter time limits bear a variety of risks 
for bona fide registrants which have been pointed out in many of the comments 
received by the WHOIS Task Force. If necessary, the ALAC is available to 
contribute to any further discussion of this issue.


  Bulk Access
  The Task Force's policy 2.A proposes that "use of bulk access WHOIS data for 
marketing should not be permitted." In order to implement this policy, the Task 
Force suggests a change to the bulk access agreement which is described in 
section 3.3.6 of the RAA, and observes that the bulk-access provision in 
section 3.3.6.6 of the RAA would become inapplicable. The WHOIS Implementation 
Committee has, in its final report, stated that more specific language defining 
"marketing activities" would be desirable. The ALAC cautions that any such 
specification would have to ensure that no marketing use of bulk data is 
permitted unconditionally which would have been covered by the current RAA 
language's opt-out provision.


  The ALAC appreciates that the Task Force's recommendations are an attempt to 
limit undesired side effects of bulk access. But it is not clear to what extent 
the new policy will indeed have the desired effect on marketing uses of WHOIS 
data. The enforceability of registrars' bulk access agreements is questionable: 
There are no contractual sanctions for data users who violate the agreement; 
the current RAA does not even address the future eligibility of data users who 
have broken bulk access agreements in the past.


  In order to address these concerns, a more fundamental review of the RAA's 
bulk access provisions must be undertaken. Those purposes within the scope of 
ICANN's mission and core values for which bulk access needs to be granted (if 
any) should be clearly identified, and bulk access should only be made 
available for this limited set of purposes, and to trustworthy data users. The 
review process will also need to take into account legal concerns, such as the 
ones recently articulated in the European Commission's contribution on WHOIS. 
The At-Large Advisory Committee considers a review process of the RAA's bulk 
access provisions a priority, and will contribute to it.


  Besides these concerns about the RAA's bulk access provisions, the At-Large 
Advisory Committee also observes that query-based WHOIS can be abused to 
automatically obtain WHOIS information about large numbers as domains, as 
evidenced by a recent attempt to copy Nominet's WHOIS database.

  Conclusion
  The Task Force's recommendations to systematically enforce the accuracy of 
WHOIS data shift the existing balance between the interests of data users and 
data subjects in favor of data users. In an environment where registrants have 
perceived "inaccurate" data have been perceived to be one of the most practical 
methods for protecting registrants' their privacy, this change is reason for 
concern. It will inevitably increase the need for privacy protection mechanisms 
to be built into the contractual framework.


  The Task Force's recommendations on Bulk Access attempt to remove one 
possibility for undesirable uses of WHOIS data; despite the good intent, the 
effectivity of this attempt is unclear since other ways to access WHOIS data en 
masse remain open.


  Both observations together lead to the common conclusion that the Task 
Force's recommendations can only be first steps towards a future WHOIS policy 
environment, which will have to be the result of a thorough review of the 
existing policy.


  Both observations together lead to the common conclusion that the Task 
Force's recommendations can only be first steps towards a future WHOIS policy 
environment. That future WHOIS policy environment will have to be designed with 
a renewed focus on enforceability. In particular, this implies that the future 
policy environment will have to directly address major issues left open at this 
point of time - such as registrants' privacy. Relying upon non-enforcement of 
policy instead is not a long-term option.


  The ALAC is available to contribute to this review the discussion on revising 
WHOIS policy. These discussions should begin as swiftly as possible.