[nc-whois] Final (?): Bulk Access.
Please find attached the (hopefully) final HTML version of the Bulk Access part of our report. I have taken the liberty to change some formatting, and to add hyperlinks where I suspected they may be useful. Please review this in order to make sure that I don't introduce any new problems. -- Thomas Roessler <roessler@does-not-exist.org>Title: Marketing Use of WHOIS Data; Bulk Access ProvisionsBackgroundThe current bulk access provisions in the Registrar Accreditation Agreement (the "RAA") contained in Section 3.3.6 allow for the sale of customer information contained in WHOIS databases to third parties under certain conditions, including but not limited to the following:
An overwhelming majority (89%) of survey
respondents said that registrants should be asked to opt in for
their information to be available for marketing purposes, or that there
should be no use of the data for marketing at all, while a minority (11%)
indicated that they did not object to use of the data for marketing generally
or by virtue of an opt-out policy.
RecommendationsBased on the results of the survey and the feedback from the community on reports published and statements made by the Task Force, the Task Force makes the following recommendations:
The Task Force makes additional medium- to longer-term recommendations:
Discussion/Consensus ProcessBecause the survey results and community feedback suggest vehement objection to the use of personal information contained in the WHOIS database for unsolicited marketing activities, it is clear that there must be a serious evaluation of the bulk access provisions in the RAA to determine how the policy can be changed, whether there are realistic limitations as to what the data can be used for, or whether it must simply be eliminated.
Without further research, we cannot say with certainty that the bulk access provisions should be eliminated, although such a possibility should not be dismissed. In making that determination, the benefits of third party bulk access should be weighed against the strength of the argument that registrant information should not be available in this form. In considering whether there is merit to the wholesale elimination of bulk access, a pertinent question is what legitimate purposes within the scope of ICANN's mission, if any, are furthered by the use of WHOIS data in bulk form by third parties? Currently, as we have stated, given that registrants strongly object to the use of their data for marketing, and since marketing is not a necessary feature of the DNS, the Task Force believes that there is no rationale for making such data available for marketing purposes. We recognize that there may be legitimate uses being served by bulk
access to WHOIS data (e.g., research, law/intellectual property enforcement,
and registrant inquiry, etc.); however, the responses of the survey
participants merit an evaluation of these and other legitimate uses
and whether or to what extent the bulk access policies should accommodate
them. As stated, it is the intention of the Task Force to consult with
the community to determine what those legitimate purposes are. To ensure utility of any WHOIS database, it is crucial that information
contained therein is accurate. It should be evaluated whether bulk access
to registrant information impedes such accuracy, and whether, therefore,
bulk access is deleterious to actual usage of WHOIS. In addition to these concerns, it is imperative that any ICANN policy that is formulated with respect to bulk access take into account any national laws which are determined to be applicable to an ICANN contracting party (e.g., a registrar). As an example, to the extent any party who has entered into an agreement with ICANN is determined to be subject to certain national laws (e.g., privacy directives or laws), such national laws will have implications as to what information that party can and cannot provide. It should be noted that while the Task Force recognizes that privacy issues are relevant to the discussion of WHOIS generally, and perhaps more specifically to bulk access WHOIS, respondents to the survey generally did not identify privacy as a primary concern. Nonetheless, subsequent feedback from the community made it clear that privacy issues are an integral part of the bulk access discussion, and the Task Force intends to address privacy issues in the medium- to longer-term. Inclusive in the review of these privacy issues, the Task Force will examine laws that currently exist to protect the privacy of individuals. The Task Force has not ruled out elimination of the current bulk access provisions, which has been suggested by some of the comments received, and is being supported by a number of task force members. However, in this document we have focused on modifications of the current RAA provisions to enhance the protection of WHOIS data. Specifically, we have parsed through the various components of subsection 3.3.6, highlighting problems with the specific provision and making suggestions for an improved provision in light of enhancing protection of personally identifiable information and against marketing uses. Suggested Revisions to the RAA Bulk Access ProvisionsThe Task Force’s primary recommendation is to prohibit any marketing use of bulk data
by effecting the revisions in subsection
3.3.6.3. In addition, the Task Force recommends requiring third parties not to resell or
redistribute data in accordance with our recommendation in subsection 3.3.6.5.
If the ICANN Board does not agree with the Task Force’s recommendation relating to the elimination of marketing uses of bulk access data, then the Task Force recommends strengthening the protection of privacy of individuals by requiring a minimum opt-out policy in subsection 3.3.6.6, and giving registrars discretion to implement an opt-in policy. Section 3.3.6 of the RAA is broken down into several components, as follows: A. 3.3.6.1 Registrar shall make a complete electronic copy of the data available at least one time per week for download by third parties who have entered into a bulk access agreement with Registrar. This subsection 3.3.6.1 indicates that the registrar must make available its WHOIS data to any "third parties who have entered into a bulk access agreement." There are no limitations as to the entities or individuals that can enter into this agreement, whether an unsolicited marketing agency, a legitimate third party WHOIS provider, or otherwise. This subsection of the RAA should be modified to incorporate limitations on the third parties eligible to enter into a bulk access agreement, in particular those parties who are able to articulate a "legitimate" need for bulk access to WHOIS, as well as limitations on the uses of the data that are permitted. As stated, the survey results, together with community feedback, made very clear that "legitimate" uses of bulk access WHOIS do not include marketing. As for the more general definition, the Task Force has not yet had an opportunity to make a determination as to what uses of bulk access WHOIS data, if any, should be considered "legitimate." The Task Force expects to arrive at a definition of "legitimate" by enlisting community feedback.
B. 3.3.6.2 Registrar may charge an annual fee, not to exceed US$10,000, for such bulk access to the data.
The Task Force’s initial perception was that the US$10,000 might provide some registrars with a financial incentive to provide bulk access to data, while simultaneously deterring those third parties with a legitimate need from accessing the data in bulk. Feedback from the registrar community indicates that US$10,000 is not enough of a financial incentive to encourage registrars to actively market bulk access. In fact, it has been stated that many registrars are reticent to provide such access to users for fear of their competitors gaining access to information about their customers and using that information to their competitive advantage. More important in this analysis is that to the extent a purpose is deemed "legitimate" use of bulk access WHOIS, such access should not be prohibitively expensive. In this context, there has been discussion of cost recovery versus production of revenue, and it has been argued that since registrars do not view bulk access as a revenue producer, perhaps a cost recovery structure should be implemented. However, because costs and resources vary across registrars and because the details of a registrar’s operations should not be the subject of an ICANN policy development process, the Task Force simply states here that to the extent that a searcher meets the "legitimate" purpose threshold, the fee for bulk access should not deter such a searcher from gaining such access, and therefore, the concept of a cap on such fee is a wise one. Because of the lack of discussion as to what a reasonable fee structure should be, the Task Force therefore seeks further input from the community as to whether the current structure is adequate, and if not, what type of a fee structure should be implemented. Dissenting opinion from Thomas Roessler and Abel Wisman (General Assembly): It is not clear why an ICANN-imposed cap on the bulk access fee should lead to fairer pricing than the approach of leaving such pricing to negotiations between data users and registrars. Also, it should be noticed that the "deterrent" argument made above has merit only as an argument against cost-based pricing, but not as an argument in favor of any kind of a cap.
C. 3.3.6.3 Registrar's access agreement shall require the third party to agree not to use the data to allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass, unsolicited, commercial advertising or solicitations to entities other than such third party's own existing customers.
This provision, by its own terms, allows registrars to sell rights to use their WHOIS databases for purposes of unsolicited, mass marketing. In addition, while third parties may not authorize others to use the data for this purpose, they can themselves use the data to for unsolicited marketing purposes. Other than limiting unsolicited marketing to the third party’s own customers, there are no limitations on the marketing use of the WHOIS data by the third party. If ICANN Board agrees with the Task Force that bulk access WHOIS data should not be used for marketing purposes, then the provision should be changed to read as follows (changed language in italics): Registrar's access agreement shall require the third party to agree not to use the data to allow, enable, or otherwise support any marketing activities, regardless of the medium used. Such media include but are not limited to e-mail, telephone, facsimile, postal mail, sms, and wireless alerts. If, however, ICANN continues to allow bulk access to WHOIS for marketing purposes, then this subsection is only acceptable if registrars are required to allow registrants, at a minimum, to opt out of these uses (see discussion at section F below). Based on the feedback from the survey and from the community in response to the Interim Report, it is clear that the community does not support the use of bulk access WHOIS for marketing purposes. As such, the Task Force recommends that this provision be revised as noted above. It has been noted that this provision may be difficult to enforce. For this reason, the Task Force recommends that the enforceability of the provision (as revised) would be the object of future monitoring and review efforts. It should further be noted that registrars do not need bulk access to WHOIS data to market to their own customers.
D. 3.3.6.4 Registrar's access agreement shall require the third party to agree not to use the data to enable high-volume, automated, electronic processes that send queries or data to the systems of any Registry Operator or ICANN-Accredited registrar, except as reasonably necessary to register domain names or modify existing registrations.
This requirement is important to ensure that "legitimate" uses of bulk WHOIS data do not lead to automated processes which may unduly interfere with the regular operation of registrars' and registries' systems. However, as has been pointed out, this provision is extremely difficult to enforce, and the Task Force intends to take steps to review its enforceability. E. 3.3.6.5 Registrar's access agreement may require the third party to agree not to sell or redistribute the data except insofar as it has been incorporated by the third party into a value-added product or service that does not permit the extraction of a substantial portion of the bulk data from the value-added product or service for use by other parties.
If ICANN agrees with the Task Force that marketing is not a "legitimate" use of bulk access WHOIS data, and this provision is interpreted to relate solely to marketing practices, this provision should be revised so that it simply reads (changed language in italics): Registrar's access agreement shall require the third party to agree not to sell or redistribute the data. Under a bulk access policy where marketing is not considered a legitimate purpose, the option of incorporating value-added products or services solely in a marketing context by licensees of bulk access WHOIS should be disallowed. The general prohibition on sale or redistribution of bulk access Whois data should be maintained. The Task Force understands, however, that the reference to "value-added product or service" may mean, for example, services that combine this data with other data with the resulting database made available to law enforcement, legal services, and others on a query basis for research purposes. In this case, the change proposed above should be struck, and only the change described in the following paragraph should be made. The Task Force hopes to suggest clarifications of this term in further review. As a general matter, making the prohibition on sale or redistribution of data by the third party an option ("access agreement may require") does not provide any protection of the WHOIS data. To protect the integrity of the WHOIS database, the Task Force notes that this provision would have to be changed so that a third party is "required" not to sell or redistribute the data except as part of a value-added product or service. Additionally, a provision could be added which explicitly forbids any use for purposes other than the ones stated in the bulk access agreement (i.e., marketing). Thus, the Task Force recommends that the word "may" be changed to "shall" in the first sentence of this paragraph.
F. 3.3.6.6 Registrar may enable Registered Name Holders who are individuals to elect not to have Personal Data concerning their registrations available for bulk access for marketing purposes based on Registrar's "Opt-Out" policy, and if Registrar has such a policy, Registrar shall require the third party to abide by the terms of that Opt-Out policy; provided, however, that Registrar may not use such data subject to opt-out for marketing purposes in its own value-added product or service.
This provision currently allows a registrar to make its own determination of whether to implement an opt-out policy. If it does not, a registrant’s information will be accessible via the bulk access procedure for any currently permissible use, including marketing. If ICANN agrees with the Task Force that marketing is not a "legitimate" use of bulk access WHOIS data, this provision should be deleted in its entirety. If, however, marketing continues to be a permitted use of bulk access WHOIS data, while the results of the survey indicate that respondents have concerns about either an opt-out or no policy at all, the Task Force recommends that this provision be changed to, at a minimum, to "require" a registrar to implement, at a minimum, an opt-out policy. Incorporating such a minimum requirement should not preclude any registrar from implementing a more stringent opt-in policy (in particular, if such a policy is required by national laws determined to be applicable to an ICANN contracting party, e.g., a registrar). We believe that the concept of opt-out may have been overlooked by respondents who reacted viscerally to the general lack of any option as to whether their information is included in bulk access. In addition, we believe that immediately requiring the adoption of an opt-in policy may result in a significant deterioration of the information contained in the bulk access database, which would be detrimental to legitimate third parties making non-marketing uses of the data. In either circumstance, the Task Force recognizes that requirement of a minimum opt-out policy or the alternative opt-in policy will require additional work (e.g., the writing of additional code by registrars). For example, both a minimum opt-out policy and an opt-in policy will require the registrar to take an action by clearly notifying the registrant that he or she has the option of not being included in the database for marketing purposes and acting upon a response from such registrant. If, after adoption and
evaluation of a minimum requirement for an opt-out policy, it is clear
that improper marketing uses of bulk access data are continuing, and
if it is still not possible to prohibit marketing uses, then a mandatory
opt-in policy for any marketing uses should be implemented. It is crucial
that opt-out policies implemented by registrars are simple and transparent
and that the opt-out of the registrant is respected in practice. As has
been noted, it is important that the options available to registrants should
be clearly stated, separate from the core of the registration agreement
so that it is absolutely clear to customers that they can register a domain
name without making their information available for marketing purposes.
|