Proposed comments on Whois TF 1 Report

Mon Jun 7 22:00:46 CEST 2004

Please comment: I would like to report unanimous support from NCUC when we file the comments. 

=====

NCUC Comments on TF 1 Report

The NCUC supports Task Force 1's clear distinction between the treatment of sensitive and non-sensitive data. Access to sensitive data, such as registrant's name, address, telephone number, and email address, should be more limited than access to non-sensitive data, such as technical contact name and contact information. 

NCUC members support the report's conclusion that domain name registrants should be notified when their sensitive data is accessed. Domain name registrants have a right to know who requested the data and what purpose it was requested for. It is unfair and illogical to say that data users can hide and have privacy while data subjects cannot. Both parties have legitimate needs; both parties can be involved in abusive actions. There must be reciprocity among the two. The only exception would be rare cases of governmental law enforcement investigations when such notification would defeat the purpose of an ongoing investigation. We believe that those kinds of exceptions should be handled by national legal systems; e.g., through subpoenas and search warrants, and not by ICANN policy. 

We also wish to emphasize that all requests for sensitive data should be made on an individual basis. The report is not entirely clear about this; in fact, its discussion of an "individual use list" is confused. (See comments of NCUC Task Force member Milton Mueller). Although we agree that the process may need to be automated to minimize burdens on registrars, we strongly support the report's conclusion that the release of the data should come with restrictions on re-use and should be formatted in human-readable as opposed to machine-readable form. 

The NCUC believes that the discussion of "uses" of Whois data in Section III must also acknowledge the potential for "abuses" of the data. It is unacceptable that ICANN policy considers only the convenience and "needs" of those who consume other people's data, and not also consider the risks, threats and inconveniences that can come from abuse of anonymous and unrestricted access to personal contact information. Identity theft, stalking, and spamming are all documented problems that arise from unrestricted public display of Whois data. The final report must acknowledge this.

The report asks for comment on the issue of competition vs. national law. We believe there is no conflict between compliance with national law and robust competition in the domain name market. We believe that permitting registrar practices to vary in accordance with the privacy policies of different national jurisdiction serves the public interest by fostering global consumer choice. In a globalized market, governments that do not protect the privacy of their citizens may in fact lose customers for registrars in their jurisdiction. We believe in letting domain name registrants vote with their pocketbooks for the level of privacy protection they prefer. This is not likely to be the strongest or even a major criterion in most consumer selections of domain name providers. At any rate, ICANN needs to get used to the fact that it is subordinate to sovereign laws. 

NCUC does not oppose taking into consideration the costs and technical feasibility of various changes. However, we are concerned that cost-benefit analysis could be used as a delaying tactic. We note that no cost-benefit study was done before implementing any other Whois-related policies. We ask why, when privacy protections are being considered, cost suddenly becomes an issue. We are not convinced that a formal study is required, in that the record of the current Whois Task Forces contains significant claims and evidence about costs associated with current practices. If real cost-benefit studies are done, we will demand that noncommercial users be represented and that experts in the assessment of non-monetary costs, such as Internet user privacy, risks of identify theft, spamming and stalking, be included in the study, or that the study's methodology permit reasonable monetization of the value to domain name registrants of protecting their personal contact data, as well as the value to registrars of protecting their customer information.