RE: [nc-whois] Critical Relationship Between Accuracy and Privacy That the WHOIS Task Force Continues To Overlook and My Contribution to the WHOIS Privacy Issues Report

["Cade,Marilyn S - LGCRP" <mcade@att.com>]

Ruchika

 

Thanks for your comments below, and the references which you've included. They are, again, among  the kind of contributions which we all need to be providing to the TF members.

 

I can comment only as the co-chair of the Task Force, and as a member of the Council. The role of Task Forces is to undertake policy analysis, and development of consensus based policy recommendations, and to provide them to the Council for approval.  I understand that in working on a Task Force, that I cannot guarantee the outcome of the decision of the Council.   However, the discussions at Council yesterday should  have made it clear that the Council is fully committed to considering the Issues Report in Rio. That is why we are working as a Task Force to develop the Issues Report.

 

More importantly, the Task Force has been, in my view, and continues to be fully committed to understanding all sides of the issues it is examining.  Your continued contributions are very important to the development of the Issues Report.  It is important, again, for the Task Force to consider the broad range of issues related to privacy related to WHOIS. We cannot overlook that not all data is inaccurate "on purpose", nor for privacy reasons.  Secondly, we have other information to also take into account, such as the OECD guidelines related to consumer protection.  This is not to disagree with the legitimate concerns of individuals, who are indeed acting as individuals, related to their personal contact information.  The focus of the Task Force needs to be on looking further at all issues.

 

Best Regards,

 

Marilyn Cade

Co-Chair

 

-----Original Message-----
From: Ruchika Agrawal [mailto:agrawal@epic.org]
Sent: Thursday, February 20, 2003 10:45 PM
To: NC-WHOIS
Cc: Bruce Tonkin (E-mail); discuss@icann-ncc.org; ehchun@peacenet.or.kr
Subject: [nc-whois] Critical Relationship Between Accuracy and Privacy That the WHOIS Task Force Continues To Overlook and My Contribution to the WHOIS Privacy Issues Report

Dear Co-Members of the WHOIS Task Force:

Based on some of your comments during our teleconference call this week, email postings, and GNSO teleconference meeting today, I want to emphasize a very important point that some members of the Task Force continue to overlook. 

Enforcement of accuracy of WHOIS data has serious implications on privacy.  Some domain name registrants have legitimate reasons for providing inaccurate WHOIS information -- for example, to protect their privacy and protect their personally identifiable information from being globally, publicly accessible -- and especially when there are no privacy safeguards in place.  A number of studies demonstrate that when no privacy safeguards are in place, individuals often engage in privacy "self-defense."  When polled on the issue, individuals regularly claim that they have withheld personal information and have given false information.  See:

·       Privacy, Costs, and Consumers Privacy, Consumers, and Costs: How the Lack of Privacy Costs Consumers and Why Business Studies of Privacy Costs are Biased and Incomplete, Robert Gellman, March 26, 2002, http://www.epic.org/reports/dmfprivacy.html;

·       Trust and Privacy Online: Why Americans Want to Rewrite the Rules, Pew Internet & American Life Project, August 20, 2000, http://www.pewinternet.org/reports/toc.asp?Report=19; and

·       Graphic, Visualization, & Usability Center 7th WWW User Survey, April 1997, http://www.gvu.gatech.edu/user_surveys/survey-1997-04/#exec.

Please also see the report I submitted to the Federal Trade Commission for their panel on "Cooperation Between the FTC and Domain Registration Authorities." <attached >  Again, while I do not oppose accurate data per se, I do oppose the Task Force’s recommendation to enforce accuracy of WHOIS information when the Task Force has failed to adequately address privacy issues.  Minimally, enforcement of accuracy and insurance of privacy safeguards should be concurrent. 

As per Ram’s email and the gTLD constituency’s views on accuracy and privacy, I quote:

“My constituency members are saying that they are under considerable pressure from legal, corporate, community and other bodies to tie implementation of better accuracy and privacy together, so that enhanced accuracy standards and mechanisms do not lead to unlawful privacy methods/practices (for those who operate under the EU Data protection restrictions, for instance).” http://www.dnso.org/clubpublic/nc-whois/Arc00/msg00932.html

I am happy to work on the privacy issues report as long as the WHOIS Task Force can guarantee that enforcement of accuracy and implementation of privacy safeguards would be concurrent (or that implementation of appropriate privacy safeguards would precede enforcement of accuracy).  This guarantee does not conflict with the vote taken during the GNSO Council meeting today, as the GNSO Council specifically and only voted on the WHOIS Task Force’s Final Report’s consensus policies (see below).

Bruce -- can you please confirm my interpretation of the GNSO’s vote on the WHOIS Task Force’s Final Report? 

Sincerely,
Ruchika Agrawal
WHOIS Task Force Member
Non-Commercial Constituency

----------------------------------
I. Consensus Policies

1. Consensus Policies: Accuracy of WHOIS Data.

These two policies match the alternative wording proposed in the Implementation Committee's report, sections 1 and 2, which was accepted by the WHOIS Task Force. Further comments and additions are marked by underlining.

A. At least annually, a registrar must present to the Registrant the current WHOIS information, and remind the registrant that provision of false WHOIS information can be grounds for cancellation of their domain name registration. Registrants must review their WHOIS data, and make any corrections.

B. When registrations are deleted on the basis of submission of false contact data or non-response to registrar inquiries, the redemption grace period -- once implemented -- should be applied. However, the redeemed domain name should be placed in registrar hold status until the registrant has provided updated WHOIS information to the registrar-of-record.

The Task Force observes that the purpose of this policy is to make sure that the redemption process cannot be used as a tool to bypass registrar's contact correction process.

2. Consensus Policies: Bulk Access to WHOIS Data.

There are no substantial changes to to the policies contained in section 3.2 of the Policy Report. However, the extensive discussion presented in that report has been removed in this document. Additionally, some technical changes proposed by ICANN's General Counsel have been incorporated.

A. Use of bulk access WHOIS data for marketing should not be permitted. The Task Force therefore recommends that the obligations contained in the relevant provisions of the RAA be modified to eliminate the use of bulk access WHOIS data for marketing purposes. The obligation currently expressed in section 3.3.6.3 of the RAA could, for instance, be changed to read as follows (changed language underlined):

"Registrar's access agreement shall require the third party to agree not to use the data to allow, enable, or otherwise support any marketing activities, regardless of the medium used. Such media include but are not limited to e-mail, telephone, facsimile, postal mail, SMS, and wireless alerts."

The bulk-access provision contained in 3.3.6.6 of the RAA would then become inapplicable.

B. Section 3.3.6.5 of the Registrar Accreditation Agreement currently describes an optional clause of registrars' bulk access agreements, which disallows further resale or redistribution of bulk WHOIS data by data users. The use of this clause shall be made mandatory.