[ncsg-policy] Proposed NCUC Comments on the WHOIS Review Team Discussion Paper

Konstantinos Komaitis k.komaitis at STRATH.AC.UK
Thu Jul 21 10:27:04 CEST 2011


This is great - thank you very much Wendy for leading us on this. WHOIS issues are very important and it is brilliant that we get to submit comments.

Thanks again.

KK

Dr. Konstantinos Komaitis,

Senior Lecturer,
Director of Postgraduate Instructional Courses
Director of LLM Information Technology and Telecommunications Law
University of Strathclyde,
The Law School,
Graham Hills building, 
50 George Street, Glasgow G1 1BA 
UK
tel: +44 (0)141 548 4306
http://www.routledgemedia.com/books/The-Current-State-of-Domain-Name-Regulation-isbn9780415477765
Selected publications: http://hq.ssrn.com/submissions/MyPapers.cfm?partid=501038
Website: www.komaitis.org


-----Original Message-----
From: Wendy Seltzer [mailto:wendy at seltzer.com] 
Sent: Τετάρτη, 20 Ιουλίου 2011 7:45 μμ
To: NCSG-NCUC-DISCUSS at LISTSERV.SYR.EDU; ncsg-policy at n4c.eu NCSG Policy
Subject: [ncsg-policy] Proposed NCUC Comments on the WHOIS Review Team Discussion Paper

I propose these as NCUC comments to the WHOIS Review Team <http://www.icann.org/en/public-comment/whoisrt-discussion-paper-09jun11-en.htm>
The comment deadline is July 23 -- Saturday. Thanks to Milton, Avri, Brenden, and Konstantinos for input.

If there is interest in sending these as NCSG, I would be happy to update the references. I'll submit Friday.

--Wendy

NCUC is pleased to share these comments on the WHOIS Review Team's discussion paper. The NCUC includes among its constituents many individual and non-profit domain name registrants and Internet users, academic researchers, and privacy and consumer advocates who share concerns about the lack of adequate privacy protections in WHOIS. We believe ICANN can offer better options for registrants and the Internet-using public, consistent with its commitments.

> 4. How can ICANN balance the privacy concerns of some registrants with 
> its commitment to having accurate and complete WHOIS data publicly 
> accessible without restriction?
and
> 10. How can ICANN improve the accuracy of WHOIS data?

Privacy and accuracy go hand-in-hand. Rather than putting sensitive information into public records, some registrants use "inaccurate" data as a means of protecting their privacy. If registrants have other channels to keep this information private, they may be more willing to share accurate data with their registrar.

The problem for many registrants is indiscriminate public access to the data. The lack of any restriction means that there is an unlimited potential for bad actors to access and use the data, as well as legitimate users and uses of these data.

At the very least, WHOIS access must give natural persons greater latitude to withhold or restrict access to their data. That position, which is consistent with European data protection law, has even been advanced by the U.S. Federal Trade Commission and F.B.I.


ICANN stakeholders devoted a great deal of time and energy to this question in GNSO Council-chartered WHOIS Task Forces.  At the end of the Task Force discussion in 2006, the group proposed that WHOIS be modified to include an Operational Point of Contact (OPOC):
<http://gnso.icann.org/issues/whois-privacy/prelim-tf-rpt-22nov06.htm>

Under the OPOC proposal, "accredited registrars [would] publish three types of data:
1) Registered Name Holder
2) Country and state/province of the registered nameholder
3) Contact information of the OPoC, including name, address, telephone number, email."

Registrants with privacy concerns could name agents to serve as OPoC,thereby keeping their personal address information out of the public records.

NCUC recommends reviewing the documents the WHOIS Task Force produced relating to the OPOC proposal, including the final task-force report on the purpose of WHOIS:
<http://gnso.icann.org/issues/whois-privacy/tf-report-15mar06.htm>, Ross Rader's slides from a presentation on the subject, <http://gnso.icann.org/correspondence/rader-gnso-sp-04dec06.pdf> and the report on OPoC <http://gnso.icann.org/issues/whois-privacy/prelim-tf-rpt-22nov06.htm>
The GNSO in October 2007 accepted the WHOIS task-force report and concluded the PDP.
<http://gnso.icann.org/meetings/minutes-gnso-31oct07.html>

>5. How should ICANN address concerns about the use of privacy/proxy
services and their impact on the accuracy and availability of the WHOIS data?

ICANN should recognize that privacy and proxy services fill a market need; the use of these services indicates that privacy is a real interest of many domain registrants.  Concerns about the use of these services is unwarranted.


>12. Are there barriers, cost or otherwise, to compliance with WHOIS policy?

Even with the provisions for resolving conflicts with national law, WHOIS poses problems for registrars in countries with differing data protection regimes. Registrars do not want to wait for an enforcement action before resolving conflicts, and many data protection authorities and courts will not give rulings or opinions without a live case or controversy. ICANN's response, that there's no problem, does not suit a multi-jurisdictional Internet.

> 14. Are there any other relevant issues that the review team should be 
> aware of? Please provide details.

Consider allowing registrants greater choice: a registrant can get a domain with no WHOIS information at all, at the registrant's peril if the domain is challenged and he/she is unable to respond. This is already the de facto circumstance for domains registered with false information, so why not make it an official option?

Proposals for verification (pre- or post-registration) of name and address information are completely unworkable for standard gTLDs, although they might be proposed by registries looking to differentiate.
There is no standard address format, or even any standard of physical addressing that holds across the wide range of geographies and cultures ICANN and registrars serve.

Inaccurate WHOIS data should not be used as conclusive evidence of bad faith, especially in the context of ICANN's policies such as the UDRP.
Although within the UDRP, the need to identify a registrant is vital, WHOIS details should not be used to make outright determinations concerning abusive registrations of domain names.



--
Wendy Seltzer -- wendy at seltzer.org +1 914-374-0613 Fellow, Princeton Center for Information Technology Policy Fellow, Berkman Center for Internet & Society at Harvard University http://cyber.law.harvard.edu/seltzer.html
https://www.chillingeffects.org/
https://www.torproject.org/
http://www.freedom-to-tinker.com/


More information about the Ncuc-discuss mailing list