Re: [alac] updated draft on WHOIS.

[Erick Iriarte Ahon <faia@xxxxxxxxxxxxxxxxx>]

My comments:

At 04:57 p.m. 19/02/2003 +0100, Thomas Roessler wrote:
> On 2003-02-19 16:20:05 +0100, Vittorio Bertola wrote:
>
> > I have just talked with Thomas and we thought it better to turn
> > the comment from an impact review directed to the task force into
> > a comment directed to the Names Council, which gives us until
> > tomorrow noon GMT to send it out. Thomas will post a revised
> > draft as soon as possible.
>
> It's attached.  I've changed the headline, and made the minimal
> adjustments to the introduction necessary to make this suitable for
> submission to the Council.
>
> There are no changes to the substance, but I have made one subtle
> wording change in the first paragraph of the conclusion: Instead of
> noting that "this change" is reason for concern, I've turned this
> into "this shift of balance" -- just to make sure that accuraccy
> enforcement itself isn't the reason for concern...
>
> --
> Thomas Roessler                         <roessler@xxxxxxxxxxxxxxxxxx>
> a4117d.jpg
>
> At-Large Advisory Committee
>
> Statement on the WHOIS Task Force's Final Report on Accuracy and Bulk Access
>
> NN February 2003
>
>
> ----------
>
>
> Introduction
>
>
>
> The At-Large Advisory Committee appreciates the opportunity to submit its 
> comments on the WHOIS Task Force's Final Report on Accuracy and Bulk 
> Access. In these comments, we have tried to consider the Task Force's 
> recommendations within a broader policy context, and tried to identify 
> priorities for further work where we believe that it needs to be undertaken.
>
> The committee is aware that the Task Force is currently in the process of 
> producing issues reports on most (if not all) of these topics. We hope 
> that the present statement can also serve as a useful contribution to that 
> work. We are also willing to otherwise contribute to the development of 
> these isuses reports.
>
>
> WHOIS Accuracy
>
>
>
> The impact of any measures for the improvement of WHOIS Accuracy must be 
> considered with two very different classes of registrants in mind.
>
> On the one hand, there are those registrants who welcome (or maybe just 
> accept) the publication of their data through the WHOIS database, and have 
> a desire that accurate data are published that way. There is no need for 
> any formal "enforcement" of accurate WHOIS data with respect to this class 
> of registrants -- instead, any measures to improve WHOIS data accuracy for 
> this class of registrants are about making registrars' processes more 
> registrant-friendly, and easier to use.

And agree with at least the local policies about personal data protection, 
it's necessary a specific policy of the registrar-register about this 
issue, publicated in the web site, and the registrants will have to know 
this policies before "buy" a domain name.

> An annual opportunity to review and easily correct WHOIS data (without 
> sanctions in the case of registrant's non-response) is one such step.

Agree with which legislation? we need to declarate something about 
legislation and jurisdiccion applicable for this issues. If not, it's 
"dead-letter" ;)

> The At-Large Advisory Committee observes that the Task Force's policy 1.A 
> provides such an opportuntiy, and does not mandate any sanctions in the 
> event that registrant does not respond to a notice on reviewing his WHOIS 
> data. Thus, this proposed policy seems like a way to make the interaction 
> between registrars and registrants work more smoothly, which the Committee 
> welcomes.

Maybe we can create a "sanctions" by the icann, for negligence.


> The second class of registrants is much more complex to handle: Those who 
> do not accept publication of personal data in registrars' and registries' 
> WHOIS systems, and provide "inaccurate" contact information to registrars. 
> There are various reasons registrants may have for this behaviour, both 
> legitimate and illegitimate; even worse, the concepts of legitimate and 
> illegitimate reasons vary across cultures and across constituencies: One 
> country's constitutionally-protected anonymous free speaker might be 
> another country's hate-speech criminal who hides behind bad WHOIS data; 
> one constituency's stalking victim may be another constituency's infringer.
>
> A careful balance of diverging interests will have to be found in further 
> policy work. This balance will not only have to involve considerations on 
> how to ensure accurate WHOIS data: It will also have to take into account 
> the uses various parties may have for WHOIS data, and the conditions under 
> which the data are being made accessible. It will, finally, have to take 
> into account legitimate privacy interests of registrants, and applicable 
> laws in force in a wide variety of jurisdictions.
>
> Considering the Task Force's recommendations, the ALAC observes that any 
> measures designed to enforce accuracy of publicly available WHOIS data 
> against the will of the domain name holder will shift the existing 
> de-facto balance in a way which benefits those who want to use the data 
> (for whatever purpose, legitimate or illegitimate), and which causes 
> problems for those who don't want to publish these data (once again, both 
> for legitimate and illegitimate reasons).

Maybe it's necesarry a explicited agreement from the user for publicated 
his information.


> The specific steps proposed in chapter II.1.B of the Task Force's report 
> describe a complaint mechanism, by which a third party can trigger 
> registrars to investigate the accuracy of existing WHOIS data. This 
> mechanism is presented as a practical recommendation, not as a consensus 
> policy. It is mostly based on the recommendations of the GNSO's WHOIS 
> Implementation Committee.
>
> The ALAC appreciates that the process attempts to provide some basic 
> safeguards against fraudulent complaints by giving registrars some leeway 
> to ignore obviously unjustified complaints, and protect bona fide registrants.

But we need mechanism to denounce ilegitime use of the data. by third parts.

> Once a complaint is found justified, the registrar will send an inquiry to 
> the registrant (through any available contact points), and ask the 
> registrant to provide updated information. Any updated information 
> received is subject to "commercial reasonable steps" to check its 
> plausibility; presumably, these steps will involve automated heuristics. 
> If these heuristics fail, "the registrant should be required to provide 
> further justification." ALAC interprets this to imply that automated 
> heuristic plausibility checks alone should not, in general, be a reason 
> for registrars to place existing domain names on hold, or cancel 
> registrations -- in particular in those situations in which the registrant 
> has been successfully contacted through some communications channel. ALAC 
> also observes that, given that many registrars accept customers around the 
> globe, it may frequently be easy for bad faith registrants to provide 
> "plausible" data which are still not useable as contact information.
>
> The registrant only has limited time to respond to registrar's inquiry. In 
> earlier versions of the Task Force's report, a 15 day period was proposed; 
> the WHOIS Implementation Committee has opted for a 30 day time line. The 
> Task Force's final report simply talks about a "time limit (to be agreed)."

> According to a note from Louis Touton to the WHOIS Task Force, no time 
> limit can be found in current RAA or policy provisions. The 15 day time 
> period in RAA 3.7.7.2 only concerns a time after which registrars must 
> reserve the right to cancel registrations -- nothing forces them to 
> exercise that right.
>
> The ALAC believes that the WHOIS Implementation Committee's proposal to 
> apply a 30 day time limit is reasonable.

agree

> Shorter time limits bear a variety of risks for bona fide registrants 
> which have been pointed out in many of the comments received by the WHOIS 
> Task Force. If necessary, the ALAC is available to contribute to any 
> further discussion of this issue.
>
>
> Bulk Access
>
>
>
> The Task Force's policy 2.A proposes that "use of bulk access WHOIS data 
> for marketing should not be permitted."

and will say: Prohibited

> In order to implement this policy, the Task Force suggests a change to the 
> bulk access agreement which is described in section 3.3.6 of the RAA, and 
> observes that the bulk-access provision in section 3.3.6.6 of the RAA 
> would become inapplicable. The WHOIS Implementation Committee has, in its 
> final report, stated that more specific language defining "marketing 
> activities" would be desirable. The ALAC cautions that any such 
> specification would have to ensure that no marketing use of bulk data is 
> permitted unconditionally which would have been covered by the current RAA 
> language's opt-out provision.
>
> The ALAC appreciates that the Task Force's recommendations are an attempt 
> to limit undesired side effects of bulk access. But it is not clear to 
> what extent the new policy will indeed have the desired effect on 
> marketing uses of WHOIS data. The enforceability of registrars' bulk 
> access agreements is questionable: There are no contractual sanctions for 
> data users who violate the agreement; the current RAA does not even 
> address the future eligibility of data users who have broken bulk access 
> agreements in the past.
>
> In order to address these concerns, a more fundamental review of the RAA's 
> bulk access provisions must be undertaken. Those purposes within the scope 
> of ICANN's mission and core values for which bulk access needs to be 
> granted (if any) should be clearly identified, and bulk access should only 
> be made available for this limited set of purposes, and to trustworthy 
> data users. The review process will also need to take into account legal 
> concerns, such as the ones recently articulated in the European 
> Commission's contribution on WHOIS. The At-Large Advisory Committee 
> considers a review process of the RAA's bulk access provisions a priority, 
> and will contribute to it.

It's necessary to understand that we have a lot of different legislation 
about privacy or data protection, and different degrees in this 
legislation, maybe we can recomended use a complete protection of the data, 
and need a explicited policy by the registrar for take "data" from 
registrants and need a specific "agree" for publicated.


> Besides these concerns about the RAA's bulk access provisions, the 
> At-Large Advisory Committee also observes that query-based WHOIS can be 
> abused to automatically obtain WHOIS information about large numbers of 
> domains, as evidenced by a recent attempt to copy Nominet's WHOIS database.
>
>
> Conclusion
>
>
>
> The Task Force's recommendations to systematically enforce the accuracy of 
> WHOIS data shift the existing balance between the interests of data users 
> and data subjects in favor of data users. In an environment where 
> registrants have perceived "inaccurate" data to be one of the most 
> practical methods for protecting their privacy, this shift of balance is 
> reason for concern. It will inevitably increase the need for privacy 
> protection mechanisms to be built into the contractual framework.
>
> The Task Force's recommendations on Bulk Access attempt to remove one 
> possibility for undesirable uses of WHOIS data; despite the good intent, 
> the effectivity of this attempt is unclear since other ways to access 
> WHOIS data en masse remain open.
>
> Both observations together lead to the common conclusion that the Task 
> Force's recommendations can only be first steps towards a future WHOIS 
> policy environment. That future WHOIS policy environment will     have to 
> be designed with a renewed focus on enforceability. In particular, this 
> implies that the future policy environment will have to directly address 
> major issues left open at this point of time - such as registrants' 
> privacy. Relying upon non-enforcement of policy instead is not a long-term 
> option.

I repeat: It's necessary to understand that we have a lot of different 
legislation about privacy or data protection, and different degrees in this 
legislation, maybe we can recomended use a complete protection of the data, 
and need a explicited policy by the registrar for take "data" from 
registrants and need a specific "agree" for publicated.



> The ALAC is available to contribute to future discussions on revising 
> WHOIS policy. These discussions should begin as swiftly as possible.