Proposed NCUC Comments on the WHOIS Review Team Discussion Paper

[Robin Gross]

Wonderful!  Thank you very much, Wendy, for taking the lead on this comment.

All best,
Robin


On Jul 20, 2011, at 11:44 AM, Wendy Seltzer wrote:

> I propose these as NCUC comments to the WHOIS Review Team
> <http://www.icann.org/en/public-comment/whoisrt-discussion-paper-09jun11-en.htm>
> The comment deadline is July 23 -- Saturday. Thanks to Milton, Avri,
> Brenden, and Konstantinos for input.
> 
> If there is interest in sending these as NCSG, I would be happy to
> update the references. I'll submit Friday.
> 
> --Wendy
> 
> NCUC is pleased to share these comments on the WHOIS Review Team's
> discussion paper. The NCUC includes among its constituents many
> individual and non-profit domain name registrants and Internet users,
> academic researchers, and privacy and consumer advocates who share
> concerns about the lack of adequate privacy protections in WHOIS. We
> believe ICANN can offer better options for registrants and the
> Internet-using public, consistent with its commitments.
> 
>> 4. How can ICANN balance the privacy concerns of some registrants
>> with its commitment to having accurate and complete WHOIS data
>> publicly accessible without restriction?
> and
>> 10. How can ICANN improve the accuracy of WHOIS data?
> 
> Privacy and accuracy go hand-in-hand. Rather than putting sensitive
> information into public records, some registrants use "inaccurate" data
> as a means of protecting their privacy. If registrants have other
> channels to keep this information private, they may be more willing to
> share accurate data with their registrar.
> 
> The problem for many registrants is indiscriminate public access to the
> data. The lack of any restriction means that there is an unlimited
> potential for bad actors to access and use the data, as well as
> legitimate users and uses of these data.
> 
> At the very least, WHOIS access must give natural persons greater
> latitude to withhold or restrict access to their data. That position,
> which is consistent with European data protection law, has even been
> advanced by the U.S. Federal Trade Commission and F.B.I.
> 
> 
> ICANN stakeholders devoted a great deal of time and energy to this
> question in GNSO Council-chartered WHOIS Task Forces.  At the end of the
> Task Force discussion in 2006, the group proposed that WHOIS be modified
> to include an Operational Point of Contact (OPOC):
> <http://gnso.icann.org/issues/whois-privacy/prelim-tf-rpt-22nov06.htm>
> 
> Under the OPOC proposal, "accredited registrars [would] publish three
> types of data:
> 1) Registered Name Holder
> 2) Country and state/province of the registered nameholder
> 3) Contact information of the OPoC, including name, address, telephone
> number, email."
> 
> Registrants with privacy concerns could name agents to serve as
> OPoC,thereby keeping their personal address information out of the
> public records.
> 
> NCUC recommends reviewing the documents the WHOIS Task Force produced
> relating to the OPOC proposal, including the final task-force report on
> the purpose of WHOIS:
> <http://gnso.icann.org/issues/whois-privacy/tf-report-15mar06.htm>, Ross
> Rader's slides from a presentation on the subject,
> <http://gnso.icann.org/correspondence/rader-gnso-sp-04dec06.pdf> and the
> report on OPoC
> <http://gnso.icann.org/issues/whois-privacy/prelim-tf-rpt-22nov06.htm>
> The GNSO in October 2007 accepted the WHOIS task-force report and
> concluded the PDP.
> <http://gnso.icann.org/meetings/minutes-gnso-31oct07.html>
> 
>> 5. How should ICANN address concerns about the use of privacy/proxy
> services and their impact on the accuracy and availability of the WHOIS
> data?
> 
> ICANN should recognize that privacy and proxy services fill a market
> need; the use of these services indicates that privacy is a real
> interest of many domain registrants.  Concerns about the use of these
> services is unwarranted.
> 
> 
>> 12. Are there barriers, cost or otherwise, to compliance with WHOIS policy?
> 
> Even with the provisions for resolving conflicts with national law,
> WHOIS poses problems for registrars in countries with differing data
> protection regimes. Registrars do not want to wait for an enforcement
> action before resolving conflicts, and many data protection authorities
> and courts will not give rulings or opinions without a live case or
> controversy. ICANN's response, that there's no problem, does not suit a
> multi-jurisdictional Internet.
> 
>> 14. Are there any other relevant issues that the review team should
>> be aware of? Please provide details.
> 
> Consider allowing registrants greater choice: a registrant can get a
> domain with no WHOIS information at all, at the registrant's peril if
> the domain is challenged and he/she is unable to respond. This is
> already the de facto circumstance for domains registered with false
> information, so why not make it an official option?
> 
> Proposals for verification (pre- or post-registration) of name and
> address information are completely unworkable for standard gTLDs,
> although they might be proposed by registries looking to differentiate.
> There is no standard address format, or even any standard of physical
> addressing that holds across the wide range of geographies and cultures
> ICANN and registrars serve.
> 
> Inaccurate WHOIS data should not be used as conclusive evidence of bad
> faith, especially in the context of ICANN's policies such as the UDRP.
> Although within the UDRP, the need to identify a registrant is vital,
> WHOIS details should not be used to make outright determinations
> concerning abusive registrations of domain names.
> 
> 
> 
> -- 
> Wendy Seltzer -- wendy at seltzer.org +1 914-374-0613
> Fellow, Princeton Center for Information Technology Policy
> Fellow, Berkman Center for Internet & Society at Harvard University
> http://cyber.law.harvard.edu/seltzer.html
> https://www.chillingeffects.org/
> https://www.torproject.org/
> http://www.freedom-to-tinker.com/
> 




IP JUSTICE
Robin Gross, Executive Director
1192 Haight Street, San Francisco, CA  94117  USA
p: +1-415-553-6261    f: +1-415-462-6451
w: http://www.ipjustice.org     e: robin at ipjustice.org