ICANN/DNSO
DNSO Mailling lists archives

[nc-whois]


<<< Chronological Index >>>    <<< Thread Index >>>

[nc-whois] Final (?): Bulk Access.


Please find attached the (hopefully) final HTML version of the Bulk
Access part of our report.  I have taken the liberty to change some
formatting, and to add hyperlinks where I suspected they may be
useful.

Please review this in order to make sure that I don't introduce any
new problems.
-- 
Thomas Roessler                        <roessler@does-not-exist.org>
Title:

Marketing Use of WHOIS Data; Bulk Access Provisions



Background

The current bulk access provisions in the Registrar Accreditation Agreement (the "RAA") contained in Section 3.3.6 allow for the sale of customer information contained in WHOIS databases to third parties under certain conditions, including but not limited to the following:

  • Registrar may charge an annual fee (not more than $10,000). [RAA 3.3.6.2]

  • Registrar must enter into an agreement with the third party which requires the third party to agree not to use the data:

    • For mass, unsolicited marketing, other than to its own existing customers [RAA 3.3.6.3], and

    • to enable high-volume, automated, electronic processes that send queries or data to any registry or registrar, except to register or modify domain names. [RAA 3.3.6.3]

  • The agreement may

    • Require the third party to agree not to sell or redistribute the data [RAA 3.3.6.5], and

    • Enable registrants who are individuals to opt out of bulk access for marketing purposes and therefore require third party to abide by the terms of that opt out policy.  [RAA 3.3.6.6]

An overwhelming majority (89%) of survey respondents said that registrants should be asked to opt in for their information to be available for marketing purposes, or that there should be no use of the data for marketing at all, while a minority (11%) indicated that they did not object to use of the data for marketing generally or by virtue of an opt-out policy.


Recommendations

Based on the results of the survey and the feedback from the community on reports published and statements made by the Task Force, the Task Force makes the following recommendations:

  1. There is consensus that use of bulk access WHOIS data for marketing should not be permitted; the Task Force therefore recommends that the relevant provisions of the RAA be modified or deleted to eliminate the use of bulk access WHOIS data for marketing purposes. If this change is made, the provisions on registrant opt-out for marketing purposes could also be eliminated.

  2. To the extent that ICANN disagrees with the Task Force’s Recommendation 1, and marketing uses continue to be permitted under the RAA, certain modifications should be made to the relevant provisions to enhance protection of personally identifiable information and of abuses of such information.

  3. The Task Force notes that many provisions relating to the bulk access rules are not currently being enforced. It believes that the changes that will be recommended at the end of the review process should be drafted with an eye toward enforceability and respect for applicable national laws, and that reasonable enforcement of the new rules be undertaken.

The Task Force makes additional medium- to longer-term recommendations:

  1. The Task Force’s proposed recommendations on marketing uses of bulk WHOIS data would be implemented as changes to the registrars’ bulk access agreements, as defined in 3.3.6.1 of the RAA. To the extent that registrars make their part of the WHOIS database available in bulk to third parties without regard for the bulk access provisions, separate safeguards against marketing and other inappropriate uses should be considered. Integral to this discussion is the definition of what "bulk access" WHOIS data is.

  2. The Task Force should investigate ramifications around a suggestion made that there should be termination of licenses of licensees of bulk access WHOIS who breach a bulk access agreement and that such licensees should be ineligible from gaining access. The Task Force has not had adequate time to consider all of the issues surrounding such suggestion.

  3. The following five points should be evaluated in conjunction with one another:

    • In its further review, the Task Force should consider broadly whether bulk access can be justified or whether it should simply be eliminated.

    • Further review of the bulk access policy must take place in order to determine which uses of bulk access to WHOIS data, if any, should be considered "legitimate." In the context of such review, the Task Force should solicit feedback of current bulk access licensees.

    • After determining whether there exist legitimate uses of bulk access to WHOIS data, there should be a weighing of whether such uses outweigh the privacy interests of individuals in protecting their personally identifiable information.

    • The Task Force should learn about the applicability and impact of national privacy and other laws as they relate to bulk access provisions. In connection with this review, the Task Force should also examine current and existing laws that have been implemented to protect individuals against misuse of their personally identifiable information.

    • A review should be undertaken of actual experiences of registrars in providing bulk data. If it can be demonstrated that those who have accessed WHOIS through a bulk access license are those who have inappropriately used the resources, then there is a strong argument for elimination or drastic reform of bulk access.

  4. If marketing uses of bulk Whois data continue to be permitted and a required opt-out minimum standard for such marketing uses is implemented by ICANN, the effects of such policy should be monitored to determine whether a more stringent opt-in standard should be introduced.

Discussion/Consensus Process

Because the survey results and community feedback suggest vehement objection to the use of personal information contained in the WHOIS database for unsolicited marketing activities, it is clear that there must be a serious evaluation of the bulk access provisions in the RAA to determine how the policy can be changed, whether there are realistic limitations as to what the data can be used for, or whether it must simply be eliminated.

Without further research, we cannot say with certainty that the bulk access provisions should be eliminated, although such a possibility should not be dismissed. In making that determination, the benefits of third party bulk access should be weighed against the strength of the argument that registrant information should not be available in this form. In considering whether there is merit to the wholesale elimination of bulk access, a pertinent question is what legitimate purposes within the scope of ICANN's mission, if any, are furthered by the use of WHOIS data in bulk form by third parties? Currently, as we have stated, given that registrants strongly object to the use of their data for marketing, and since marketing is not a necessary feature of the DNS, the Task Force believes that there is no rationale for making such data available for marketing purposes.

We recognize that there may be legitimate uses being served by bulk access to WHOIS data (e.g., research, law/intellectual property enforcement, and registrant inquiry, etc.); however, the responses of the survey participants merit an evaluation of these and other legitimate uses and whether or to what extent the bulk access policies should accommodate them. As stated, it is the intention of the Task Force to consult with the community to determine what those legitimate purposes are.

To ensure utility of any WHOIS database, it is crucial that information contained therein is accurate. It should be evaluated whether bulk access to registrant information impedes such accuracy, and whether, therefore, bulk access is deleterious to actual usage of WHOIS.

In addition to these concerns, it is imperative that any ICANN policy that is formulated with respect to bulk access take into account any national laws which are determined to be applicable to an ICANN contracting party (e.g., a registrar). As an example, to the extent any party who has entered into an agreement with ICANN is determined to be subject to certain national laws (e.g., privacy directives or laws), such national laws will have implications as to what information that party can and cannot provide.

It should be noted that while the Task Force recognizes that privacy issues are relevant to the discussion of WHOIS generally, and perhaps more specifically to bulk access WHOIS, respondents to the survey generally did not identify privacy as a primary concern. Nonetheless, subsequent feedback from the community made it clear that privacy issues are an integral part of the bulk access discussion, and the Task Force intends to address privacy issues in the medium- to longer-term. Inclusive in the review of these privacy issues, the Task Force will examine laws that currently exist to protect the privacy of individuals.

The Task Force has not ruled out elimination of the current bulk access provisions, which has been suggested by some of the comments received, and is being supported by a number of task force members. However, in this document we have focused on modifications of the current RAA provisions to enhance the protection of WHOIS data. Specifically, we have parsed through the various components of subsection 3.3.6, highlighting problems with the specific provision and making suggestions for an improved provision in light of enhancing protection of personally identifiable information and against marketing uses.

Suggested Revisions to the RAA Bulk Access Provisions

The Task Force’s primary recommendation is to prohibit any marketing use of bulk data by effecting the revisions in subsection 3.3.6.3. In addition, the Task Force recommends requiring third parties not to resell or redistribute data in accordance with our recommendation in subsection 3.3.6.5.

If the ICANN Board does not agree with the Task Force’s recommendation relating to the elimination of marketing uses of bulk access data, then the Task Force recommends strengthening the protection of privacy of individuals by requiring a minimum opt-out policy in subsection 3.3.6.6, and giving registrars discretion to implement an opt-in policy.

Section 3.3.6 of the RAA is broken down into several components, as follows:

A. 3.3.6.1 Registrar shall make a complete electronic copy of the data available at least one time per week for download by third parties who have entered into a bulk access agreement with Registrar.

This subsection 3.3.6.1 indicates that the registrar must make available its WHOIS data to any "third parties who have entered into a bulk access agreement." There are no limitations as to the entities or individuals that can enter into this agreement, whether an unsolicited marketing agency, a legitimate third party WHOIS provider, or otherwise.

This subsection of the RAA should be modified to incorporate limitations on the third parties eligible to enter into a bulk access agreement, in particular those parties who are able to articulate a "legitimate" need for bulk access to WHOIS, as well as limitations on the uses of the data that are permitted. As stated, the survey results, together with community feedback, made very clear that "legitimate" uses of bulk access WHOIS do not include marketing.

As for the more general definition, the Task Force has not yet had an opportunity to make a determination as to what uses of bulk access WHOIS data, if any, should be considered "legitimate." The Task Force expects to arrive at a definition of "legitimate" by enlisting community feedback.

B. 3.3.6.2 Registrar may charge an annual fee, not to exceed US$10,000, for such bulk access to the data.

The Task Force’s initial perception was that the US$10,000 might provide some registrars with a financial incentive to provide bulk access to data, while simultaneously deterring those third parties with a legitimate need from accessing the data in bulk. Feedback from the registrar community indicates that US$10,000 is not enough of a financial incentive to encourage registrars to actively market bulk access. In fact, it has been stated that many registrars are reticent to provide such access to users for fear of their competitors gaining access to information about their customers and using that information to their competitive advantage.

More important in this analysis is that to the extent a purpose is deemed "legitimate" use of bulk access WHOIS, such access should not be prohibitively expensive. In this context, there has been discussion of cost recovery versus production of revenue, and it has been argued that since registrars do not view bulk access as a revenue producer, perhaps a cost recovery structure should be implemented. However, because costs and resources vary across registrars and because the details of a registrar’s operations should not be the subject of an ICANN policy development process, the Task Force simply states here that to the extent that a searcher meets the "legitimate" purpose threshold, the fee for bulk access should not deter such a searcher from gaining such access, and therefore, the concept of a cap on such fee is a wise one.

Because of the lack of discussion as to what a reasonable fee structure should be, the Task Force therefore seeks further input from the community as to whether the current structure is adequate, and if not, what type of a fee structure should be implemented.

Dissenting opinion from Thomas Roessler and Abel Wisman (General Assembly): It is not clear why an ICANN-imposed cap on the bulk access fee should lead to fairer pricing than the approach of leaving such pricing to negotiations between data users and registrars. Also, it should be noticed that the "deterrent" argument made above has merit only as an argument against cost-based pricing, but not as an argument in favor of any kind of a cap.

C. 3.3.6.3 Registrar's access agreement shall require the third party to agree not to use the data to allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass, unsolicited, commercial advertising or solicitations to entities other than such third party's own existing customers.

This provision, by its own terms, allows registrars to sell rights to use their WHOIS databases for purposes of unsolicited, mass marketing. In addition, while third parties may not authorize others to use the data for this purpose, they can themselves use the data to for unsolicited marketing purposes. Other than limiting unsolicited marketing to the third party’s own customers, there are no limitations on the marketing use of the WHOIS data by the third party.

If ICANN Board agrees with the Task Force that bulk access WHOIS data should not be used for marketing purposes, then the provision should be changed to read as follows (changed language in italics):

Registrar's access agreement shall require the third party to agree not to use the data to allow, enable, or otherwise support any marketing activities, regardless of the medium used. Such media include but are not limited to e-mail, telephone, facsimile, postal mail, sms, and wireless alerts.

If, however, ICANN continues to allow bulk access to WHOIS for marketing purposes, then this subsection is only acceptable if registrars are required to allow registrants, at a minimum, to opt out of these uses (see discussion at section F below). Based on the feedback from the survey and from the community in response to the Interim Report, it is clear that the community does not support the use of bulk access WHOIS for marketing purposes. As such, the Task Force recommends that this provision be revised as noted above. It has been noted that this provision may be difficult to enforce. For this reason, the Task Force recommends that the enforceability of the provision (as revised) would be the object of future monitoring and review efforts.

It should further be noted that registrars do not need bulk access to WHOIS data to market to their own customers.

D. 3.3.6.4 Registrar's access agreement shall require the third party to agree not to use the data to enable high-volume, automated, electronic processes that send queries or data to the systems of any Registry Operator or ICANN-Accredited registrar, except as reasonably necessary to register domain names or modify existing registrations.

This requirement is important to ensure that "legitimate" uses of bulk WHOIS data do not lead to automated processes which may unduly interfere with the regular operation of registrars' and registries' systems.

However, as has been pointed out, this provision is extremely difficult to enforce, and the Task Force intends to take steps to review its enforceability.

E. 3.3.6.5 Registrar's access agreement may require the third party to agree not to sell or redistribute the data except insofar as it has been incorporated by the third party into a value-added product or service that does not permit the extraction of a substantial portion of the bulk data from the value-added product or service for use by other parties.

If ICANN agrees with the Task Force that marketing is not a "legitimate" use of bulk access WHOIS data, and this provision is interpreted to relate solely to marketing practices, this provision should be revised so that it simply reads (changed language in italics):

Registrar's access agreement shall require the third party to agree not to sell or redistribute the data.

Under a bulk access policy where marketing is not considered a legitimate purpose, the option of incorporating value-added products or services solely in a marketing context by licensees of bulk access WHOIS should be disallowed. The general prohibition on sale or redistribution of bulk access Whois data should be maintained. The Task Force understands, however, that the reference to "value-added product or service" may mean, for example, services that combine this data with other data with the resulting database made available to law enforcement, legal services, and others on a query basis for research purposes. In this case, the change proposed above should be struck, and only the change described in the following paragraph should be made. The Task Force hopes to suggest clarifications of this term in further review.

As a general matter, making the prohibition on sale or redistribution of data by the third party an option ("access agreement may require") does not provide any protection of the WHOIS data. To protect the integrity of the WHOIS database, the Task Force notes that this provision would have to be changed so that a third party is "required" not to sell or redistribute the data except as part of a value-added product or service. Additionally, a provision could be added which explicitly forbids any use for purposes other than the ones stated in the bulk access agreement (i.e., marketing). Thus, the Task Force recommends that the word "may" be changed to "shall" in the first sentence of this paragraph.

F. 3.3.6.6 Registrar may enable Registered Name Holders who are individuals to elect not to have Personal Data concerning their registrations available for bulk access for marketing purposes based on Registrar's "Opt-Out" policy, and if Registrar has such a policy, Registrar shall require the third party to abide by the terms of that Opt-Out policy; provided, however, that Registrar may not use such data subject to opt-out for marketing purposes in its own value-added product or service.

This provision currently allows a registrar to make its own determination of whether to implement an opt-out policy. If it does not, a registrant’s information will be accessible via the bulk access procedure for any currently permissible use, including marketing.

If ICANN agrees with the Task Force that marketing is not a "legitimate" use of bulk access WHOIS data, this provision should be deleted in its entirety.

If, however, marketing continues to be a permitted use of bulk access WHOIS data, while the results of the survey indicate that respondents have concerns about either an opt-out or no policy at all, the Task Force recommends that this provision be changed to, at a minimum, to "require" a registrar to implement, at a minimum, an opt-out policy. Incorporating such a minimum requirement should not preclude any registrar from implementing a more stringent opt-in policy (in particular, if such a policy is required by national laws determined to be applicable to an ICANN contracting party, e.g., a registrar).

We believe that the concept of opt-out may have been overlooked by respondents who reacted viscerally to the general lack of any option as to whether their information is included in bulk access. In addition, we believe that immediately requiring the adoption of an opt-in policy may result in a significant deterioration of the information contained in the bulk access database, which would be detrimental to legitimate third parties making non-marketing uses of the data.

In either circumstance, the Task Force recognizes that requirement of a minimum opt-out policy or the alternative opt-in policy will require additional work (e.g., the writing of additional code by registrars). For example, both a minimum opt-out policy and an opt-in policy will require the registrar to take an action by clearly notifying the registrant that he or she has the option of not being included in the database for marketing purposes and acting upon a response from such registrant.

If, after adoption and evaluation of a minimum requirement for an opt-out policy, it is clear that improper marketing uses of bulk access data are continuing, and if it is still not possible to prohibit marketing uses, then a mandatory opt-in policy for any marketing uses should be implemented. It is crucial that opt-out policies implemented by registrars are simple and transparent and that the opt-out of the registrant is respected in practice. As has been noted, it is important that the options available to registrants should be clearly stated, separate from the core of the registration agreement so that it is absolutely clear to customers that they can register a domain name without making their information available for marketing purposes.




<<< Chronological Index >>>    <<< Thread Index >>>