Please review these Whois comments

Milton Mueller mueller at SYR.EDU
Wed Aug 31 17:50:38 CEST 2005


Important work on Whois is going on in the Task Force.

The TF asks us to "Define the purpose of" specific elements on the
whois database, namely the "Registered Name Holder, technical, and
administrative contacts." Kathy Kleiman prepared these comments. The
basic point here is that we should not collect and display personal data
about the name holder and administrative contacts because it is not
needed for resolving technical problems. I've reviewed and edited the
statement and approve of it as it stands. Hope you have time to weigh
in.

==================================
(Draft) Statement of the NCUC on WHOIS Contacts

Task 2 asks us to "(2) Define the purpose of the Registered Name
Holder, technical, and administrative contacts, in the context of the
purpose of WHOIS, and the purpose for which the data was collected. Use
the relevant definitions from Exhibit C of the Transfers Task force
report as a starting point (from
http://www.icann.org/gnso/transfers-tf/report-exhc-12feb03.htm)."

The NCUC believes that once we have selected a purpose for our
database, data protection laws require us to closely examine whether the
information we collect meets the goals we have set out - and make
adjustments accordingly.  These comments discuss the Contact data
currently collected for WHOIS, the personal nature of much of it, and raise
the question whether this data should be collected at all for WHOIS
purposes.

I.	Data Protection Laws Require Limited Collection of Personal Data

In its 2003 Opinion, the Article 29 Data Protection Working Party of
European Union Data Protection Commissions urged ICANN to closely
examine the personal data it collects for WHOIS.  The Commissioners
warned:
"Article 6c of the Directive imposes clear limitations concerning the
collection and processing of personal data meaning that data should be
relevant and not excessive for the specific purpose.  In that light it
is essential to limit the amount of personal data to be collected and
processed."  See Opinion 2/2003 on the application of the data
protection principles to the Whois directories
http://europa.eu.int/comm/justice_home/fsj/privacy/workinggroup/wpdocs/2003_en.htm
(emphasis added).

The Data Protection Commissioners' concern over collection of WHOIS
data is grounded in the clear language of the EU Data Protection
Directive and its Article 6 ("Principles Relating to Data Quality")
which clearly requires limits to the collection of personal data:
"Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not
further  processed in a way incompatible with those purposes. ***
(c) adequate, relevant and not excessive in relation to the purposes
for which they are collected and/or further processed;"
http://europa.eu.int/eur-lex/lex/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML


Similarly, the Canadian Personal Information Protection and Electronic
Documents Act requires limits to the collection of personal data:
"The purpose of this Part is to establish, in an era in which
technology increasingly facilitates the circulation and exchange of
information, rules to govern the collection, use and disclosure of
personal information in a manner that recognizes the right of privacy of
individuals with respect to their personal information and the need of
organizations to collect, use or disclose personal information for
purposes that a reasonable person would consider appropriate in the
circumstances."
http://laws.justice.gc.ca/en/P-8.6/93196.html#rid-93228


Based on these legal requirements, the NCUC submits that the WHOIS Task
Force must review the contact data currently collected, evaluate whether
it is personal and determine whether it should continue to be collected
in keeping with the purpose of the WHOIS database.  Over-collection of
personal data does not serve ICANN's mission nor does it help
registrars comply with the many existing laws that protect registrant
privacy worldwide.

II.	The Purpose of the WHOIS Database

In our Task 1 comments, NCUC submitted a clear definition of the
purpose of the WHOIS database:
"The purpose of the WHOIS is to provide to third parties an accurate
and authoritative link between a domain name and a responsible party who
can either act to resolve, or reliably pass information to those who can
resolve, technical problems associated with or caused by the domain."
NCUC Comments to Task 1.

As discussed in our comments, this technical purpose is consistent with
the original purpose of the WHOIS, as set out by Vint Cerf and others,
and within the limited scope of ICANN's mission.


III.  Contact Data:  Definition?  Personal?  Fits Purpose of WHOIS?

The GNSO Council asked us to examine the definitions and purpose of the
Technical Contact, Administrative Contact and Registered Name Holder.
We do so in light of the legal considerations set out above.

A.	Technical Contact

The Transfer Task Force defined technical contact as:

"the individual, role or organization that is responsible for the
technical operations of the delegated zone. This contact likely
maintains the domain name server(s) for the domain. The technical
contact should be able to answer technical questions about the domain
name, the delegated zone and work with technically oriented people in
other zones to solve technical problems that affect the domain name
and/or zone."

The next step requires us to assess whether Technical Contact data is
personal and needs to be treated with special care.  In our review with
our Constituency, we found that occasionally Technical Contact Data is
the personal data of an individual. Increasingly, however, registrants
entrust a technical party to manage their domain name and expertly
handle any technical problems that arise. Often it is an ISP, online
service provider, Registrar or web host provider. Thus, for individuals
and small organizations, we found that the technical contact field does
not raise strong concerns regarding personal data.

Further, in assessing whether collection of Technical Contact data fits
within the purpose of ICANN and the WHOIS database, we found that it
does.  The Technical Contact is the person designated to respond to
exactly the set of technical problems and issues at the heart of the
WHOIS purpose.  Accordingly, NCUC submits that Technical Contact data
should be collected and maintained for the WHOIS database.

B.	Administrative Contact

The Transfer Task Force defined administrative contact as:

"an individual, role or organization authorized to interact with the
Registry or Registrar on behalf of the Domain Holder. The administrative
contact should be able to answer non-technical questions about the
domain name's registration and the Domain Holder."

The next step requires us to assess whether Administrative Contact data
is personal and needs to be treated with special care.  In our review,
we found that the Administrative Contact data OFTEN includes personal
data, especially for individuals and small organization leaders who must
list their own names, home addresses, personal (and often unlisted)
phone numbers and private email addresses for the Administrative Contact
field.

This type of personal data is exactly what the privacy laws of many
regions and countries set out to protect.  Its collection invokes major
privacy concerns for individuals and small organizations -- and the
formal protection of data protection laws in many countries in which
registrants live and registrars operate.

Further, in assessing whether collection of Administrative Contact data
fits within the purpose of ICANN and the WHOIS database, we found that
it does not.  By the Transfer TF definition, the Admin is responsible
for "non-technical questions" which range as far as the imagination
and generally are completely outside the scope of ICANN:  Is the domain
name for sale?  Is the woman described on a website available for a
date?  Can a stranger meet the child shown in a family picture?  There
are very good reasons for the privacy protections and other national and
local protections to operate for the Administrative Contact.

Further, since the purpose of the WHOIS database is technical and the
Administrative Contact is expressly non-technical, NCUC submits that
this contact data should no longer be collected for the WHOIS database.


C.	Registered Name Holder or "Domain Holder"

The Transfer Task Force defined domain holder as:

"The individual or organization that registers a specific domain
name. This individual or organization holds the right to use that
specific domain name for a specified period of time, provided certain
conditions are met and the registration fees are paid. This person or
organization is the "legal entity" bound by the terms of the relevant
service agreement with the Registry operator for the TLD in
question."

Following this definition, we must evaluate whether the registrant data
is personal and should be treated with special care.  Of all the contact
data, we find the Domain Holder to be the most personal.  This is the
woman, the family head, the Cub Scout leader, and other individuals and
leaders of small organizations who must list their personal names, home
addresses, private phone numbers and personal email addresses.  Once
published, this personal data is used for all the abuse and misuse
documented in the Task Force Uses report - from spamming to stalking and
harassment.

This personal data is exactly the type of data that data protection
laws seek to protect.  Article 29 Data Protection Commissioners now urge
ICANN and our TF that:  "The registration of domain names by
individuals raises different legal considerations than that of companies
and other legal persons registering domain names" and  "it is
essential to limit the amount of personal data to be collected and
processed." See Article 29 WG citation above.

The collection of such personal data as a global ICANN WHOIS policy
serves no technical purpose.  Individual registrants rarely answer
technical questions about their domains or their abuse - and would
almost always refer such a question (such as the hijacking of their
domain name by a spammer) to their technical contact instead.
Accordingly, the collection of Domain Holder data serves little purpose
for the WHOIS database and should not be continued as a global ICANN
policy.

Conclusion:
The best way to protect millions of individual and small organizational
domain name registrants, and to comply with data protection laws
worldwide, is for ICANN to carefully review the contact data collected
for the WHOIS database and limit the data to that necessary for its
technical purposes and mission.

