ICANN/DNSO
DNSO Mailling lists archives

[nc-whois]


<<< Chronological Index >>>    <<< Thread Index >>>

[nc-whois] [fwd] Interim ALAC Statmenet on WHOIS (from: roessler@does-not-exist.org)


FYI.
-- 
Thomas Roessler                        <roessler@does-not-exist.org>





----- Forwarded message from Thomas Roessler <roessler@does-not-exist.org> -----

From: Thomas Roessler <roessler@does-not-exist.org>
To: Marilyn Cade <mcade@att.com>, Tony Harris <harris@cabase.org.ar>,
	Bruce Tonkin <Bruce.Tonkin@melbourneit.com.au>
Cc: Vittorio Bertola <vb@bertola.eu.org>
Date: Thu, 20 Feb 2003 13:47:55 +0100
Subject: Interim ALAC Statmenet on WHOIS

Please find attached a statement from the Interim ALAC concerning
the WHOIS Task Force's Final Report.  We would greatly appreciate if
this could be forwarded to the GNSO Council prior to today's
conference call.  In the statement, the ALAC reviews the Task
Force's recommendations' possible impact on individual Internet
users, and puts them into a broader policy context. Registrant
privacy is identified as a priority for further work.

The Committee is looking forward to contributing to both the Task
Force's current work on issues reports and to the GNSO's future work
on WHOIS.


The Interim ALAC is, as you know, a very young committee.  Making
any formal recommendation to the Council on how to proceed on the
Task Force's report would not be appropriate at this point.


Finally, I'd like to transmit the Committee's deep appreciation for
the Task Force's diligent work in an extremely challenging policy
area.

Kind regards,
-- 
Thomas Roessler                        <roessler@does-not-exist.org>







  Interim At-Large Advisory Committee
  
  Comments on the WHOIS Task Force's Final Report on Accuracy and
  Bulk Access

  Introduction

   The Interim At-Large Advisory Committee thanks the WHOIS Task Force
   for its exhaustive and diligent work on challenging policy issues, and
   appreciates the opportunity to submit its comments on the Task Force's
   Final Report on Accuracy and Bulk Access. We have considered the Task
   Force's recommendations with a focus on their effect on individual
   Internet users, but also within a broader policy context, and have
   tried to identify priorities for further work where we believe that it
   needs to be undertaken.

   The committee is aware that the Task Force is currently in the process
   of producing issues reports on several topics; these issues reports
   will probably cover many of the broader points we make in this
   document. We hope that the present statement can serve as a useful
   contribution to that work. We are also looking forward to further
   contributing to the issues reports themselves and to the general
   discussion on WHOIS issues.

  WHOIS Accuracy

   The impact of any measures for the improvement of WHOIS Accuracy must
   be considered with two very different classes of registrants in mind.

   On the one hand, there are those registrants who welcome (or maybe
   just accept) the publication of their data through the WHOIS database,
   and have a desire that accurate data are published that way. There is
   no need for any formal "enforcement" of accurate WHOIS data with
   respect to this class of registrants -- instead, any measures to
   improve WHOIS data accuracy for this class of registrants are about
   making registrars' processes more registrant-friendly, and easier to
   use. An annual opportunity to review and easily correct WHOIS data
   without sanctions in the case of registrant's non-response -- as
   recommended by the Task Force as policy 1.A -- is one such step.

   The second class of registrants is much more complex to handle: Those
   who do not accept publication of personal data in registrars' and
   registries' WHOIS systems, and provide "inaccurate" contact
   information to registrars. There are various reasons registrants may
   have for this behaviour, both legitimate and illegitimate; even worse,
   the concepts of legitimate and illegitimate reasons vary across
   cultures and across constituencies.

   A careful balance of diverging interests will have to be found in
   further policy work. This balance will not only have to involve
   considerations on how to ensure accurate WHOIS data: It will also have
   to take into account the uses various parties may have for WHOIS data,
   and the conditions under which the data are being made accessible. It
   will, finally, have to take into account legitimate privacy interests
   of registrants, and applicable laws in force in a wide variety of
   jurisdictions.

   Considering the Task Force's recommendations, the ALAC observes that
   any measures designed to enforce accuracy of publicly available WHOIS
   data against the will of the domain name holder will shift the
   existing de-facto balance in a way which benefits those who want to
   use the data (for whatever purpose, legitimate or illegitimate), and
   which causes problems for those who don't want to publish these data
   (once again, both for legitimate and illegitimate reasons).

   The specific steps proposed in chapter II.1.B of the Task Force's
   report describe a complaint mechanism, by which a third party can
   trigger registrars to investigate the accuracy of existing WHOIS data.
   This mechanism is presented as a practical recommendation, not as a
   consensus policy. It is mostly based on the recommendations of the
   GNSO's WHOIS Implementation Committee.

   The ALAC appreciates that the process attempts to provide some basic
   safeguards against fraudulent complaints by giving registrars some
   leeway to ignore obviously unjustified complaints, and protect bona
   fide registrants.

   Once a complaint is found justified, the registrar will send an
   inquiry to the registrant (through any available contact points), and
   ask the registrant to provide updated information. Any updated
   information received is subject to "commercially reasonable steps" to
   check its plausibility; presumably, these steps will involve automated
   heuristics. If these heuristics fail, "the registrant should be
   required to provide further justification." ALAC interprets this to
   imply that automated heuristic plausibility checks alone should not,
   in general, be a reason for registrars to place existing domain names
   on hold, or cancel registrations -- in particular in those situations
   in which the registrant has been successfully contacted through some
   communications channel. ALAC also observes that, given that many
   registrars accept customers around the globe, it may frequently be
   easy for bad faith registrants to provide "plausible" data which are
   still not useable as contact information.

   The registrant only has limited time to respond to registrar's
   inquiry, which is not specified in the Task Force's final report. The
   ALAC believes that the WHOIS Implementation Committee's proposal to
   apply a 30 day time limit is reasonable. Shorter time limits bear a
   variety of risks for bona fide registrants which have been pointed out
   in many of the comments received by the WHOIS Task Force. If
   necessary, the ALAC is available to contribute to any further
   discussion of this issue.

   When accurate WHOIS data are not provided during the correction
   period, the domain name is put on hold according to the process
   proposed by the Task Force; the registration is not immediately
   cancelled. ALAC appreciates that this is a step designed in order to
   provide additional safety to registrants, and to avoid certain
   incentives for abuses of the accuracy complaint mechanism.

  Bulk Access

   The Task Force's policy 2.A proposes that "use of bulk access WHOIS
   data for marketing should not be permitted." In order to implement
   this policy, the Task Force suggests a change to the bulk access
   agreement which is described in section 3.3.6 of the RAA, and observes
   that the bulk-access provision in section 3.3.6.6 of the RAA would
   become inapplicable. The WHOIS Implementation Committee has, in its
   final report, stated that more specific language defining "marketing
   activities" would be desirable. The ALAC cautions that any such
   specification would have to ensure that no marketing use of bulk data
   is permitted unconditionally which would have been covered by the
   current RAA language's opt-out provision.

   The ALAC appreciates that the Task Force's recommendations are an
   attempt to limit undesired side effects of bulk access. But it is not
   clear to what extent the new policy will indeed have the desired
   effect on marketing uses of WHOIS data, since the enforceability of
   registrars' bulk access agreements is questionable.

   Thus, while the ALAC clearly supports the Task Force's recommendation,
   a more fundamental review of the RAA's bulk access provisions must be
   undertaken. Those purposes within the scope of ICANN's mission and
   core values for which bulk access needs to be granted (if any) should
   be clearly identified, and bulk access should only be made available
   for this limited set of purposes, and to trustworthy data users. The
   review process will also need to take into account legal concerns,
   such as the ones recently articulated in the European Commission's
   contribution on WHOIS. The At-Large Advisory Committee considers a
   review process of the RAA's bulk access provisions a priority, and
   will contribute to it.

   Besides these concerns about the RAA's bulk access provisions, the
   At-Large Advisory Committee also observes that query-based WHOIS can
   be abused to automatically obtain WHOIS information about large
   numbers of domains, as evidenced by a recent attempt to copy Nominet's
   WHOIS database.

  Conclusion

   The Task Force's recommendations to systematically enforce the
   accuracy of WHOIS data shift the existing balance between the
   interests of data users and data subjects in favor of data users. In
   an environment where registrants have perceived "inaccurate" data to
   be one of the most practical methods for protecting their privacy,
   this shift of balance is reason for concern. It will inevitably
   increase the need for privacy protection mechanisms to be built into
   the contractual framework.

   The Task Force's recommendations on Bulk Access remove one possibility
   for undesirable uses of WHOIS data. The effectivity of this step is,
   however, unclear since other ways to access WHOIS data en masse remain
   open.

   Both observations together lead to the common conclusion that the Task
   Force's recommendations can only be first steps towards a future WHOIS
   policy environment. That future WHOIS policy environment will have to
   be designed with a renewed focus on enforceability. In particular,
   this implies that the future policy environment will have to directly
   address major issues left open at this point of time - such as
   registrants' privacy. Relying upon non-enforcement of policy instead
   is not an option.

   The ALAC is available to contribute to future discussions on revising
   WHOIS policy. These discussions should begin as swiftly as possible.

----- End forwarded message -----


<<< Chronological Index >>>    <<< Thread Index >>>