WHOIS TF 3 proposed NCUC statement

Frannie Wellings wellings at EPIC.ORG
Mon Mar 22 16:48:57 CET 2004


Hi everyone! Please take a look at this proposal for the NCUC
statement regarding WHOIS task force 3 (accuracy) and provide me with
any comments or suggestions.  Thanks so much, Frannie

PROPOSED STATEMENT FOR WHOIS TASK FORCE 3:

Accuracy

WHOIS Task Force 3 (TF3) deals with the accuracy of WHOIS data. Task
Force 3 was established to determine the best mechanisms to improve
the quality of the data.  The Non-Commercial Users Constituency
(NCUC) approach to Task Force 3 is guided by the following principles:

- First, the NCUC does not believe that accuracy of WHOIS data is
unconditionally desirable.  These task forces were established with
the assumption for Task Force 3 that accuracy is desirable in all
cases and regardless of the extent of the WHOIS data elements.  The
NCUC recognizes the need to protect such extensive and public data
from identity theft and spam and to protect freedom of speech.
Submission of personally identifiable contact data should be a
choice, not a requirement.  Many people are indeed forced to enter
incorrect data in order to protect themselves.

- Second, the NCUC thinks it imperative that ICANN recognize the
well-established data protection principle that the purpose of data
and  data collection processes must be well-defined before policies
regarding its use and access can be established. The purpose of
WHOIS originally was identification of domain owners for purposes  of
solving technical problems. The purpose was _not_ to provide  law
enforcement or other self-policing interests with a means of
circumventing normal due process requirements for access to contact
information. None of the current WHOIS Task Forces are mandated to
revise the purpose. Therefore, the original purpose must be assumed
until and unless ICANN initiates a new policy development process to
change it.

- Third, registrants should be allowed to protect their personally
identifiable information, a protection recognized by the European
Data Protection Directive, by the Article 29 Working Party, by the
OECD Privacy Guidelines and by data protection legislation across the
world. As George Papapavlou and Giovanni Buttarrelli pointed out, it
is possible that WHOIS data accuracy requirements may indeed be
breaking many of these laws. The NCUC submits that accuracy is
desirable solely to the extent necessary to serve the purpose of the
data collection and the interest of the data subject; accordingly,
technical information should be accurate. However, there should be no
penalization for inaccurate data entry given that the extent and the
accessibility of the data currently required goes well beyond the
purpose of data collection. As Papapavlou discussed, when there are
various options to achieve a purpose, priority must be given to the
least privacy-intrusive option.

- Fourth, while this task force was established with privacy defined
as out of scope, privacy is key to accuracy of data entry.  Data
protection principles have to be implemented and enforced as a whole.
The best way to improve the accuracy is to provide privacy and
security.  Show registrants that their data will be safeguarded, that
their e-mail accounts will be protected from spam and that they
themselves will be protected from stalkers and other criminals, and
they will be more likely to enter accurate data. Users will continue
to feel the need to protect their privacy by their own means, to
defend themselves, if the policies of WHOIS data do not.

- Finally, if there is a way to facilitate accuracy of data for those
who wish to submit accurate data, in other words opt-in, the NCUC
would be highly supportive.  We are against, however, calls to
require accurate data entry and penalize or even criminalize those
who choose not to.  This Task Force has reached out to various
companies in order to collect data on verification procedures, but
has found this process difficult (ironically, because companies are
concerned with the privacy of their policies and procedures).  The
responses submitted to the Task Force 3 questionnaire are sparse.  We
do not have enough data to allow Task Force 3 to reach any conclusion
of best practices for verifying accuracy.  However, this Task Force
has received testimony that domain name holders in numerous cases are
having difficulty updating, revising and changing their own data.
This is currently the most important issue facing the task force:
that the data subjects themselves cannot update their domain name
information.  Further, it is violation of the EU Privacy Directive.
Accordingly, this Task Force must first take on clear proposals for
revisions of the procedures by which registrars, thick registries,
and resellers handle instructions from domain name holders to update
and/or correct domain name data.  These procedures must include:
clear instructions to domain name holders on how to update their
information; special email addresses for expedited and priority
handling of such updates; and TF3-proposed revisions to the
Registrars Accreditation Agreement to insure that the EU Privacy
Directive rules on the ability of domain name holders to update and
policy the accuracy of their own data is ensured and followed.

--

-----------------------------------------------------------------
Frannie Wellings
Policy Fellow, Electronic Privacy Information Center
Coordinator, The Public Voice
1718 Connecticut Ave. N.W., Suite 200
Washington, D.C.  20009   USA
wellings at epic.org
+1 202 483 1140 extension 107 (telephone)
+1 202 483 1248 (fax)
http://www.epic.org
http://www.thepublicvoice.org
-----------------------------------------------------------------


More information about the Ncuc-discuss mailing list