WHOIS Implementation Report - 30 January 2003 |
This document provides:
An assessment of whether a recommendation is implementable
Information on issues that will need to be considered during implementation
Suggested additional text to clarify or improve the existing recommendations
Organization of the Analysis
The analysis is mostly contained in two tables. In Table 1 contains an assessment of whether the WHOISTask Force recommendations that relate to Registrars or Registries are implementable, the relative cost of implementation, and the level of support from registrars.
Table 2 contains information on issues associated with the recommendations that will need to be considered during implementation, and also where appropriate additional or alternative text to strengthen or clarify the existing recommendation.
Table Abbreviations
# The number of the recommendation
Cost What is the cost impact if the recommendation is implemented? (high/medium/low/?)
Enf Is the recommendation enforceable if it is implemented? (yes/no/?)
Feas Can the recommendation reasonably be implemented from a process point of view? (yes/no/?)
Supp What is the anticipated level of support for the recommendation from registrars? (high/medium/low/?)
Tech Can the recommendation be reasonably implemented from a technical point of view? (yes/no/?)
N/A Not applicable
TABLE 1 |
|
|||||
# |
WHOIS Task Force Recommendation |
Cost |
Enf |
Feas |
Tech |
Supp |
1 |
Existing Task Force Recommendation: Registrars must require Registrants to review and validate all WHOIS data upon renewal of a registration. (effectively an extension of RAA clause 3.7.7.1 above) The specifics of required validation remain to be determined by this Task Force or another appropriate body. |
Low |
Yes |
Yes, although terms such as validate need clarification – see suggested alternative text |
Yes |
Med |
2 |
When registrations are deleted on the basis of submission of false contact data or non-response to registrar inquiries, the redemption grace period -- once implemented -- should be applied. However, the redeemed domain name should not be included in the zone file until accurate and verified contact information is available. The details of this procedure are under investigation in the Names Council's deletes task force. |
High |
Yes |
Yes – although accurate and verified needs clarification |
Yes |
High |
3 |
When registrars send inquiries to registrants regarding the accuracy of data under clause 3.7.8 of the RRA, they should require not only that registrants respond to inquiries within 15 days but that the response be accompanied by documentary proof of the accuracy of the "corrected" data submitted, and that a response lacking such documentation may be treated as a failure to respond. |
High |
Yes |
No – needs major changes |
No |
Low |
4 |
Registrars modify
their bulk WHOIS access agreements to eliminate the use of data for marketing
purposes. The suggested
revised section 3.3.6.3 is: “Registrar’s access
agreement shall require the third party to agree not to use the data to
allow, enable, or otherwise support any marketing activities, regardless
of the medium used. Such media
include but are not limited to e-mail, telephone, facsimile, postal mail,
SMS, and wireless alerts.” The suggested
revised section 3.3.6.5 is: “Registrar's access agreement shall require the third party to agree not to sell or redistribute the data except insofar as it has been incorporated by the third party into a value-added product or service that does not permit the extraction of a substantial portion of the bulk data from the value-added product or service for use by other parties. |
Low |
Yes |
Yes |
Yes |
High |
Table
2 Detailed implementation analysis
|
||
# |
Current recommendation with suggested
enhancements |
Comments and issues |
1 |
Existing Task Force Recommendation Registrars must require Registrants to review and validate all WHOIS data upon renewal of a registration. (effectively an extension of RAA clause 3.7.7.1 above) The specifics of required validation remain to be determined by this Task Force or another appropriate body. Suggested
replacement text: At least annually, a registrar must present to the Registrant the current WHOIS information, and remind the registrant that provision of false WHOIS information can be grounds for cancellation of their domain name registration. Registrants must review their WHOIS data, and make any corrections. |
This is
implementable IF: - the registrar
presents the WHOIS data to the registrant (via website, fax, or postal
message) = REVIEW the registrant
is required to check that the data is still current, and if necessary update
the information = VALIDATE Many registrars
use an auto-renew process, and tying the need to review the WHOIS data to the
exact moment of renewal limits the flexibility of the registrar. Also for 10 year domain name
registrations, a 10 year update is too long.
The data ages very quickly after the first year. Thus registrars believe that the
recommendation should be based on the frequency of review (e.g annually), and
have the flexibility to control when the review happens (e.g a review may
happen whenever an event associated with a domain name happens, e.g renewal,
or nameserver update, but otherwise at least annually) It is not feasible for the Registrar to validate the data (e.g make phone calls to registrant, ring post office to confirm address exists, post a letter and require a reply etc). A registrar may optionally use various heuristic techniques to do some data validation (e.g check that a USA city existing within a particular USA state) but such techniques are not applicable uniformly across the globe. In general it is in the registrars’ best interests to get accurate data as it increases the chance of a successful renewal, so there are commercial incentives here for clever registrars. |
2 |
Existing
Recommendation: When registrations are deleted on the basis of submission of false contact data or non-response to registrar inquiries, the redemption grace period -- once implemented -- should be applied. However, the redeemed domain name should not be included in the zone file until accurate and verified contact information is available. The details of this procedure are under investigation in the Names Council's deletes task force. Suggested Replacement text: When registrations are deleted on the basis of submission of false contact data or non-response to registrar inquiries, the redemption grace period -- once implemented -- should be applied. However, the redeemed domain name should be placed in Registrar Hold status until the registrant has provided updated WHOIS information to the registrar-of-record. |
The principle is OK, however the details of “accurate and verified” need to be clarified as per the next recommendation. Note the suggested alternative text in recommendation 3, suggests that the initial response will be to place the name on Registrar Hold status if the registrant fails to respond to a request to update the information rather than delete the name. The name would only be deleted if it was not renewed by the registrant after the name has been placed in registrar hold status. In such circumstance if the name is “redeemed” it should be returned to Registrar-Hold status. |
3 |
Existing
Recommendation: When registrars
send inquiries to registrants regarding the accuracy of data under clause
3.7.8 of the RRA, they should require not only that registrants respond to
inquiries within 15 days but that the response be accompanied by documentary
proof of the accuracy of the "corrected" data submitted, and that a
response lacking such documentation may be treated as a failure to respond. Suggested Replacement text: (a) Upon
receiving a complaint about WHOIS accuracy, a registrar may seek evidence or
justification from the complainant. (b) If the
complaint appears justified, then a registrar must at a minimum send an email
to all contact points available in the WHOIS (including registrant, admin,
technical and billing) for that domain name with : a copy of the current disputed WHOIS
information and requesting the WHOIS contact information be updated if the
information is incorrect, and. a reminder that
if the registrant provides false WHOIS information that this can be grounds
for cancellation of their domain name registration. (c) When the registrant responds, a registrar must take commercially
reasonable steps (e.g apply some
heuristic automated data validation techniques (possibly via an
automated tool centrally provided by ICANN)) to check that the new WHOIS
information is plausible. If the data is found to be not plausible,
the registrant must provide further justification (which may be
documentary evidence) before the data will be accepted. - (d) If no response is received or no acceptable data has been provided after a time limit (to be agreed) a Registrar must place a name in REGISTRAR-HOLD (or equivalent) status, until the registrant has updated the WHOIS information. (e) For a name
to be removed from REGISTRAR-HOLD status to active status, the registrant
must contact the registrar with updated WHOIS information (as per (c) above), and the registrar
must confirm that the registrant is contactable via this new information (for
example by requiring that the registrant respond to an email sent to a new
email contact address). . |
This recommendation is NOT implementable
in its current form. The 15 day period is not feasible given
the time taken for a request to actually reach the registrant (due to postal
delays, or just the registrant being on holiday). It should be extended to 30 days to take into account typical
international delivery times (e.g it typically takes 15 days for mail to
reach Australia from USA) for postal mail.
Registrars normally have periods of at least 30 days for a registrant
to respond to a renewal notice for example.
Often registrars will first attempt to contact a registrant via email,
and if that bounces, use postal mail (which tends to stay accurate for
longer). Note that this recommendation should only
be dealing with issues of accuracy.
If there are other issues associated with a domain name (such as its
use in criminal activity) there should be other mechanisms available to have
the domain name disabled or deleted. These other issues should be the subject
of a separate issues report, and subject to the normal policy development
process. In terms of requiring documentary proof -
other than just storing the documentary proof - registrars are not
authentication agencies (they collect information and store it in a registry)
- they do not have skilled staff capable of detecting whether a document is
real or a forgery, nor could they be expected to have staff with knowledge of
all types of documents across all countries. See text below table for discussion on proposed alternative text.. |
4 |
Registrars modify
their bulk WHOIS access agreements to eliminate the use of data for marketing
purposes. The suggested
revised section 3.3.6.3 is: “Registrar’s access
agreement shall require the third party to agree not to use the data to
allow, enable, or otherwise support any marketing activities, regardless
of the medium used. Such media
include but are not limited to e-mail, telephone, facsimile, postal mail,
SMS, and wireless alerts.” The suggested
revised section 3.3.6.5 is: |
There is a need to clarify the definition of “marketing purposes”. This may require a small working group to define, possibly just in the form of examples (but not limited to) of marketing activities covered. e.g text such as: “includes but not limited to the sending of unsolicited, commercial advertising, or solicitation to entities other that the data recipient’s own existing customers” or “any communication, regardless
of the medium, initiated for the purpose of advertising availability or
quality of any property, goods, or services, but such term does not include a
communication (A) to any person with that person's prior express invitation
or permission, (B) to any person with whom the party has an established
business relationship.” |
NEW |
That the time limit
to respond to a WHOIS data complaint be 30 days |
As stated above registrars believe that 15 days is currently not feasible given that most registrar processes that involve contacting the registrant take longer. The downside is that when a registrant fails to respond to an accuracy request that is driven by a need to take action against inappropriate use of a domain name, a longer time period gives the registrant a longer period to continue their activity. The registrars believe that 30 days is a reasonable compromise. This issue may require further work before consensus can be reached with the wider GNSO community. The separate recommendation is an attempt to de-couple the process for updating data as described in recommendation 3 above, from the concern over the current 15 day time limit-suggested by the WHOIS task force recommendation |
NEW |
Insert an
additional recommendation regarding a formal review process |
Suggest consider the text in recommendation 28 of the transfers task force that specifies 3, 6, and 12 month intervals for review/. |
The recommendation needs to identify a cost effective minimum
implementation. Note that contacting
the registrant is a common problem for registrars at the time of renewal, and
various methods are used. Most registrars
use a final step of placing the name in
REGISTRAR HOLD status or equivalent (the name is locked and removed from the
zonefile). The reasons why data may be
inaccurate include: the data has aged over time (e.g the contact person has
changed physical address or changed email service providers), the admin contact
has changed (e.g an employee has left the company), and finally the information
was provided incorrectly on purpose (this is less common and more difficult to
resolve). The first two cases are
generally well supported by the proposal below. The last case (deliberate provision of inaccurate data) is
difficult to solve via the WHOIS Task Force recommendations, and will probably
require other mechanisms to resolve – for example if the domain name is being
used for criminal purposes (which would need an internationally acceptable
definition) it could be placed on HOLD immediately. Registries have reported that some registrants continuously
update their contact information, this can work to prevent the processes of the
WHOIS Task Force being effective. This
could be prevented by limiting the frequency of changes to WHOIS information,
but may cause inconvenience to legitimate changes (e.g to correct a mistyping
of information within 24 hours). Again
the issue is that an alternative mechanism may be necessary to deal with malicious
use of a domain name.
Below is a possible implementation
There are two components:
- contact of the registrant
- correction of information
IN RESPONSE TO A COMPLAINT ABOUT
WHOIS DATA
A registrar may seek evidence or
justification from the complainant (this can prevent a denial of service attack
where third parties repeatedly challenge the WHOIS information of a
registrant) as to why the data is
inaccurate. A standardised complaint
form may simplify the collection of sufficient information to check whether a
complaint appears plausible. If the
complaint appears to be justified then:
-
-