Draft Comments WHOIS TF2

[KathrynKL at AOL.COM]

All:
I have also been busy preparing a draft of the NCUC Constituency Statement of
WHOIS TF2 (due Friday).  Please take a look and let me know what you think.
Regards, Kathy

Noncommercial Users Constituency Comments v.1
WHOIS Task Force 2
April 2004

The Noncommercial Users Constituency (NCUC) represents the views of one of
the largest and most dynamic set of domain name registrants: the noncommercial
community, including human rights organizations, political and civil liberties
groups, libraries and archives, families, hobbyists, technologists,
universities and academics, and organizations bringing the Internet and new technologies
to developing countries.

We note the importance of our group as highlighted by W.G. Champion Mitchell,
chair and CEO of Network Solutions (the largest ICANN-accredited registrar)
to the ICANN Board in the public forum of the ICANN meeting in Rome:  "I WOULD
LIKE TO SPEAK WITH YOU, HOWEVER, AND TRY TO SPEAK WITH A VOICE OF A
CONSTITUENCY THAT IS NOT BEING HEARD TODAY, THE MOST IMPORTANT CONSTITUENCY THAT EXISTS,
THE ONE THAT I AM SURE YOU CARE ABOUT GREATLY, AND I KNOW I CARE ABOUT
GREATLY, AND THAT IS THE AVERAGE USER OF THE INTERNET AND OF OUR SERVICES."  [ICANN
captioning]

In analyzing the data elements of the WHOIS, and what data elements should be
removed and revised, it is critical for TF2 to consider closely the concerns
of those who are the domain name owners - those who data is subject to the use
and abuse of the WHOIS database/directory.

The Noncommercial Users Constituency submits:

1) Under no circumstances (now or in the future) may the purposes of a tool
mandated by ICANN or maintained under the terms of an ICANN contract be greater
than the purpose of ICANN itself.  According to ICANN's recently revised
agreement with the US Department of Commerce, ICANN's purpose is straight-forward:
 "the technical management of the DNS."  Amendment 6 to ICANN/DOC MOU,
http://www.icann.org/general/amend6-jpamou-17sep03.htm.  The WHOIS
database/directory must exist, if at all, to serve no more than technical and operational
purposes within ICANN's scope of authority.

2) TF2 and ICANN must recognize the well established principle of
comprehensive data protection legislation that the purpose of data and data collection
processes must be well defined before policies regarding its use and access can
be established.  With a data element format established before domain names or
even commercial use of the Net, the WHOIS purpose was not to provide
intellectual property interests with self-policing data, and a means of bypassing
traditional due process reqruiements.  See, for example, comments of European
Commission, Internal Marketing DG,
http://www.dnso.org/dnso/notes/ec-comments-whois-22jan03.pdf.  None of the current Whois Task Forces are mandated to revise
the purpose of the Whois directory, and therefore the original technical and
operational purpose of the WHOIS database/directory must be assumed until and
unless ICANN initiates a new policy development process to change it.

3) ICANN has no legal or moral authority to preempt and supercede national
law national privacy protections accorded by many countries to their citizens
and residents. There are numerous countries with comprehensive privacy laws in
European and throughout the world.  The original of many of these privacy
principles dates back to the human rights abuses of World War II and the Holocaust.
 That ICANN's contracts require collection and disclosure of personal data in
excess of national law is clear from the comments of the EC, the Article 29
Data Protection Working Party, and the International Working Group on Data
Protection in Telecommunications to TF2 and its predecessor.  In light of such
clear concern and opposition to the WHOIS data elements, ICANN must change its
practices to not conflict with closely-held and much-valued privacy laws and
principles.

4) ICANN must stop putting ICANN-accredited registrars and thick registries
in an untenable position:  the need to comply with the ICANN-mandated
collection and disclosure of personal data of DN registrants vs. legal obligations to
comply with their country's laws and the laws of the country in which the DN
registrant is located.  Complaints are already being filed against registrars in
EU countries; EU data protection commissioners are already contacting ccTLDs
and gTLDs (e.g., .NAME) to change their registrant collection and disclosure
practices; and the Italian Data Protection Authority's Secretary-General made
clear at the ICANN meeting in Rome that he will begin serious enforcement of
Italian Privacy Law not only against Italy-based registrars and registries, but
also in some cases, against registrars and registries based outside of Italy,
but working with the registrants within Italy.  Registrars and registries must
be allowed to comply with national law regarding collection, disclosure and
transborder transfer of personal data absent superceding contractual
obligations of ICANN.

5) ICANN must stay out of the battles over freedom of expression v.
intellectual property expansion online.  The NCUC submits that WHOIS was never intended
to be a list of all speakers or a single point for all content policing.
Further, the laws of some countries, such as the US, protect anonymous political
and personal speech as a fundamental value of open and democratic societies.
It is not for the ICANN community to second-guess or supercede these values
of free speech and freedom of expression.

6) No amount of secondary use of WHOIS data justifies setting aside
fundamental principles of freedom of expression and personal privacy as a matter of
ICANN policy. Certainly intellectual property and law enforcement are aided in
having huge amounts of information regarding content providers available
instantaneously.  But so too are those engaged in identity theft, stalking, abuse of
intellectual property, law enforcement illegalities, and other abuses (see
further discussion below).  Both intellectual property owners and law
enforcement, for legitimate purposes, have tremendous powers to command information under
due process procedures; what they need and are entitled to, they can legally
and expeditiously obtain.  But, the mere fact that a private data field, once
disclosed, has valuable secondary uses does not override a registrant's
privacy rights.  By analogy, we note that millions of people around the world
routinely use digitized, copyrighted music files through peer-to-peer networks (and
feel justified in doing so, and that there is no available substitute for
their method of access).  However, in making public policy on file-sharing, we do
not simply take a public opinion poll of those users. We take into
consideration the existing legal rights of producers of the music, and NCUC asserts that
the same principle must be applied to the WHOIS.

Accordingly, and in light of the concerns, national laws and principles set
out above, the NCUC strongly urges WHOIS TF2 and ICANN to:

1) Remove from the WHOIS database/directory those data elements that identify
the registrant directly, namely:  Registrant and Administrative Contact
(which for small organizations, families, individuals, and many others, is the same
as the registrant).

2) ICANN must remove from the Registrar Accreditation Agreements requirements
that registrars collect and disclose registrant and administrative contact
data to the world in the globally available WHOIS database.

3) ICANN must remove requirements that anyone serving as a proxy and
providing privacy and anonymity for domain name registrants, as protected by national
law, disclose the data for reasons short of due process (including
unsubstantiated threats against the registrant or to the registry or registrar).

4) The WHOIS database/directory will operate within the bounds of the ICANN
technical mandate and the bounds of data protection laws if: the WHOIS listing
provides the following important fields:  technical contact, registry [new
field], registrar [new field], and name servers of the registrant, registration
and expiration dates of the domain name.

Appendix 1:
Sections of NCUC Comments Regarding Abuses of WHOIS data
(Submitted to TF2 in February 2004 in its data gathering phase)

The Noncommercial Users Constituency (NCUC) has tremendous concerns with the
collection of many WHOIS data elements. We are concerned about making contact
information available unconditionally and anonymously to the public,
companies, and governments without accountability, auditability or due process.  Such a
requirement is contrary to national law and policy. NCUC calls on Whois Task
Force 2 to correct the situation by reforming WHOIS to better protect privacy
and freedom of expression.

We address the data elements of concern below, and offer an array of reasons
for the harm and threat their complete and full disclosure may pose to domain
name registrants in the noncommercial community.


I.  Personal WHOIS Data Reveal Peoples' Homes and Families

WHOIS Data Elements of Concern:
Group A: Personal Data
Registrant Name
Registrant  Address
Registrant Phone Number
Registrant Email
Administrative Contact Address
Administrative Contact Phone Number
Administrative Contact Email

For small organizations, the same person almost invariably serves as the
domain name registrant and the administrative contact. Thus, the Administrative
Contact address and phone fields raise the same privacy concerns as those of the
corresponding Registrant fields.

The NCUC does not seek to be inflammatory, but the harms raised by the forced
collection and publication of personal information in data fields cannot be
taken lightly.  Such harms, as we outline in brief below, cannot be discounted
or dismissed.  Such harms include:
* Identity Theft
* Spamming and other Forms of Email and Phone Harassment
* Stalking
* Unwarranted Threats from Overly Broad Intellectual Property Claims
* Unwarranted Surveillance and Threats from Companies, Government, and Law
* Basic Violations of Personal Privacy

A. IDENTITY THEFT

Identity theft is a common and growing problem.  It is the subject of
considerable information and advice from consumer and government groups worldwide.
The fundamental piece of advice for preventing identity theft remains: don't
give out your personal information online.

Yet registering a domain name, even for noncommercial community, requires the
disclosure of exactly the type of personal data, such as name, address, phone
and email, that we are urged not to give out online - and certainly not to
allowed published in global forms available to all.

TF2 should use the change of WHOIS practices to remove, or allow the
opting-out, of fields which assist Identity Theft.

B.   TELEMARKETING, SPAMMING AND OTHER FORMS OF EMAIL AND PHONE HARASSMENT

The global publication of email addresses and phone numbers creates the means
for people to be harassed by phone and email: through crank calls,
telemarketing, and especially spam.   With the current publication of all elements,
without any opting-out option, this information is freely available for any
fraudulent or spamming entity to use and abuse.  Revealing this information to the
world should not be a condition of registering a domain name or posting
expression online.

C.  STALKING

One home address can lead to stalking and lead to death.  Unfortunately, over
a million people in the US have been stalked.  One stalking website described
the harsh reality:

"High-profile cases of celebrities being stalked have raised the public's
awareness to this crime. But the majority of stalking victims are ordinary
people, mostly women, who are being pursued and threatened by someone with whom they
have had a prior relationship. Approximately 80% of stalking cases involve
women stalked by ex- boyfriends and former husbands."

One harsh example changed the way government agencies throughout the US deal
with personal data, including home address and phone.  Until the late 1990s,
many Department of Motor Vehicles (DMVs) sold their driver's license data -
including names and address provided as a condition of receiving a license.
Robert Bard, a deranged fan of the young actress Rebecca Schaeffer, bought her
address from the California DMV, stalked her and killed her.  There are many
descriptions of this story online. One is at:
http://www.tvtome.com/tvtome/servlet/PersonDetail/personid-8786.


It would be easy to dismiss stalking as a problem outside the Internet and
DNS were there not examples of the WHOIS data being used for stalking.  Some
posted examples include:

1)  "Because my information was listed on whois, a man who has been harassing
me online for about a year, was able to get my home address, and telephone
number and step up his harassment of me."  Network Solutions Domain Name
Registrant.  Example provided by Brian Cute, NSI, at Tunisia WHOIS Workshop,
http://www.icann.org/carthage/whois-workshop-agenda.htm.


2) "Bingo! After being stalked until I moved to a different state I can tell
you that privacy is a major factor and that WHOIS should not be the criteria
for customers need for accurate information regarding a business. I had a small
home business (resume consulting and word processing - no walk in traffic)
and had no problems with customers who screened me as well as I screened them.
The phone book had only the city listed, as did the display ad, yet whois
insisted on my home street address [emphasis added]. I had to put up tall fencing,
security doors, bars on the windows and get guard dogs as a result of the
stalking that was a direct result of whois. I now use a P.O. Box and have an
unlisted number for my family and friends to use. ***** My personal and family
privacy is a safety concern as well as the usual concerns. Anyone working from a
SOHO has the same concerns. Personal safety and privacy are rights we count on
and the expectation of preserving them is written in our US Constitution. I
should not have to pay for a service to hide my information from the public. It
should be automatically done. As long as the registrar has the information in
its files, that is sufficient for those who have a (proven)legitimate need for
it. If you don't want to do business with me, that's just fine. I'm not
inviting you to my home, so you don't need my address."
by ldg on Thursday February 05 2004, @09:33PM (#12934)
User #2935

The NCUC does not believe that noncommercial speakers should have to reveal
their home address, and expose themselves and their families to dangers such as
stalking as a condition of registering domain names and sharing noncommercial
expression online.

We note that, with the rise of easy access to reverse directories, the home
phone number also provides access to home addresses, and raises the same
privacy concerns as an address.

D. UNWARRANTED THREATS OF JAIL AND HEAVY FINES FROM OVERLY BROAD INTELLECTUAL
PROPERTY ALLEGATIONS

Since the mid-1990s, with the rise of World Wide Web technology and greater
knowledge of domain name registration, there have been conflicts over domain
names, the extent of trademark law, and whether common words should be open to
all (as they are in all other forms of speech) or favored for trademark owners.

In the mid-1990s, Intellectual Property Attorneys, especially those with the
big firms and representing large clients, found a new tool: the WHOIS data.
Never before was it so easy to reach a small noncommercial organization,
families, individuals, even children, at their home due to the availability of
personal fields in the WHOIS data.  This availability has lead to flagrant abuse,
with small noncommercial organizations and individuals receiving
unsubstantiated and overbroad threats - made all the scarier by the letters being sent to
the home.

"As a telecommunications and intellectual property attorney in the mid-1990s,
I was amazed to see the horrible letters sent to domain name registrants at
their homes.  These letters often were (and sometimes still are) outside the
bounds of professional conduct.  Taking advantage of the big vs. little
discrepancy, and sensing the vulnerability of a domain name registrant for a small
organization reached at his/her home, these letters threatened ongoing
harassment, litigation, triple damages and even jail.  Generally, the more threatening
the letter, the less substantiated the claims, and some were downright reverse
domain name hijacking.  But people feel very scared by these letters.  Kathryn
Kleiman, Esq., Co-Founder of NCUC and Internet Law and Policy Attorney.

Unsubstantiated allegations by intellectual property owners involving domain
names are so pervasive they have their own name: reverse domain name
hijacking.  ICANN defines this as: the "bad faith [to] attempt to deprive a registered
domain-name holder of a domain name."  Section 1, Definitions.

Mere allegation of infringement or misuse should not require the disclosure
of the domain name registrant's home address or phone number.  No such
disclosure is required for the publication of information by noncommercial
organizations in any other communications medium, including newspapers, broadcasting or
telephones.   The NCUC submits that national and local law provide the due
process mechanisms for when accusers can contact the accused.  Such rules should
be followed by ICANN, not circumvented by global WHOIS data element
publication.

E.  UNWARRANTED THREATS OF JAIL AND HEAVY FINES FROM COMPANIES, GOVERNMENT
AND LAW ENFORCEMENT ACTING OUTSIDE OF LEGAL SCOPE AND LEGITIMATE NEED


Noncommercial organizations throughout the world regularly invite the wrath
of corporations, governments and law enforcement by criticizing their actions.
In some countries, corporate criticism is a daily practice of newspaper
editors and broadcasters, but in other parts of the world it is practiced at great
cost by those desperate to share information about corporate sweatshops,
pollution, or bribery of governments (as a few examples).

Similarly, in some countries, noncommercial organizations are chartered to
openly and publicly criticize government officials and law enforcement
practices.  These organizations openly lobby for civil liberties and due process, and
take to court government officials and law enforcement officers who act
illegally outside the scope of their office.  In other countries, such criticism is
not published openly, for fear of arrest, trial and treason. Instead, people
will publish anonymously or under pen names, or even leave the country to share
their concerns and impassioned pleas for help with the world.  Such messages
about government abuse can include torture, massacres, jailing of political
dissidents, harsh suppression of protests on campuses, unfair laws, and failure
of law enforcement to equally and fairly protect all (as a few examples).

To all the open and global publication of a registrant's name, address and
phone as a condition of registering a domain name for human rights, political
speech, and civil liberties discussion is a violation of principles worldwide
that protect noncommercial and political speech.  The United National
Declaration of Human Rights, treaties, national and local laws protection such political
criticism with high praise and anonymity.  It seems unfair and fundamentally
immoral to allow unlimited, unaccountable access to the information about
human rights organizations, and other noncommercial political groups, based solely
on the fact they have registered a domain name.

F. BASIC VIOLATIONS OF PERSONAL PRIVACY

Laws worldwide protect the collection, distribution and publication of
personal data and give people a right to expect that their home addresses, phone
numbers and email addresses will be protected.  The EU Privacy Directive is the
model of these laws, and its principles have been adopted by many countries
(both members and not members of the EU).   Citizens of these countries have the
right to know that the protections of their national laws are being followed
by registries and registrars in these countries.   This is not the situation
under the current WHOIS system today.

II.  Additional data in WHOIS exposes people to spam, deceptive marketing
practices, and more.

WHOIS Data Elements of Concern:
Group B: Additional Data Subject to Abuse and Misuse
Registrant and Administrative Contact E-Mail address
Registrant and Administrative Contact Fax number
Creation Date
Expiration Date

While not raising privacy concerns per se, these elements are subject to
misuse, from spam to manipulative and fraudulent service office offerings.  We
think these fields would be better handled under the system we set forth in the
section below.

III.  Conclusion of Concerns Section

If Whois data remains fully accessible on a public and anonymous basis, we
strongly favor the elimination of all personally identifiable contact data as a
required element of Whois except for:

Technical Contact Name
Technical Contact Address
Technical Contact E-Mail address
Technical Contact Phone number
Technical Contact Fax number

Other data elements containing contact information could be continued as
voluntary elements; i.e., registrants would have the right to fill them out or
leave them blank as desired.

We favor continued mandatory inclusion of the following data elements:

Domain Status
Domain Name ID
Domain Name
Registrar ID*
Name of Registrar
Name Server(s)
Name Server ID*

Our recommendations are intended to return Whois to its original purpose as a
technical coordination vehicle. We note that the best way to improve accuracy
of the data is to provide privacy and security. Domain name registrants'
incentives to provide accurate information will dramatically increase once they
feel the information is secure.

If these data elements are not fully removed from the Whois database, NCUC
favors immediate adoption of privacy protections for the WHOIS fields, and the
creation of an "opt-out" policy that allows a domain name registrant to fully
understand and freely choose whether or not to allow his/her personal data to
be published in worldwide directories and available anonymously in any form.
These options would apply to all of the data elements we favor removing from the
data elements above.

Accordingly, the NCUC calls upon TF2 to recommend solutions for the WHOIS
data elements that:
- protect personal privacy
- protect the expression of noncommercial organizations
- protect political speakers
- protect personal and family speakers
- protect hobbyists
- protect academics
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncuc.org/pipermail/ncuc-discuss/attachments/20040412/810b5dd1/attachment.html>