[ga] On Privacy

["babybows.com" <webmaster@babybows.com>]

I would like to thank Dave Crocker for reminding me to remain focused on
ICANN's very narrow scope of activities.  (I had thought that governmental
intrusion into areas that affected ICANN stakeholders, like the libraries in
the non-commercial constituency, was a subject open to discussion, in much
the same way as Department of Commerce preferential treatment of
Intellectual Property interests to the detriment of other constituencies
might be a valid topic of discussion, but I will defer to Dave's better
judgement on what constitutes an ICANN-related matter).   I will be glad to
rephrase my comment accordingly, and to express my personal interest in
those privacy matters that are specifically relevant to ICANN:


The Open Letter from Tucows pertaining to Registrant Privacy Protection
makes the following points:

- A growing number of third parties continue to utilize the publicly
accessible
Whois databases as a source for sales leads
- Industry leaders have stepped up their efforts to sell their Whois
database and
related market demographics
- Registrant privacy does not appear to be a pending agenda item for any
relevant
policy bodies.

As the marketing of Bulk Whois data has emerged as a privacy issue, one may
want to begin by considering the current language in the registrar's
accreditation agreement which states:

"Unless and until ICANN adopts a different policy, Registrar shall permit
use of data it provides in response to queries for any lawful purposes
except to: (a) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail (spam);"

This should be compared with the new language in the Unsponsored TLD
Agreements and in the new Verisign Agreement:

"Unless and until ICANN establishes a different policy, Registry Operator
shall permit use of data it provides in response to queries for any lawful
purposes except to: (a) allow, enable, or otherwise support the transmission
by e-mail, **telephone, or facsimile** of mass unsolicited, commercial
advertising or solicitations to entities other than the data recipient's own
existing customers;"

It would appear that as a matter of "policy", ICANN has already deemed it
prudent to place further restrictions on the use of Bulk Whois data (no
telephone or fax solicitations).  While I personally support this
initiative, one has to wonder why the DNSO was not consulted with regard to
such policy considerations... but that is another matter entirely.

What Tucows has proposed (in part) is a modification of the language in the
Registrars Accredition Agreement that essentially mirrors the language in
the new Registry agreements:

"Unless and until ICANN adopts a different policy, Registrar shall permit
use of data it provides in response to queries for any lawful purposes
except to: (a) allow, enable, or otherwise support the transmission of mass
unsolicited commercial advertising via e-mail or other means, or direct
solicitation via e-mail (spam) or other means;"

This is a step in the right direction, although it might be best for the
sake of uniformity to use the current registry language in the RAA.

Michael Froomkin has noted, "I agree that the Tucows proposal is a better,
albeit far from best, policy, compared to what we have. But I think we'd all
be better off if ICANN were to define the minimum amount of whois
information necessary for the techncial functioning of the internet -- which
I take to be a techncial contact and no more. ICANN should then require that
minimum and no more. Everything else is social policy and should be decided
by national authorities or their delegates (e.g. the EU in the case of
european registries)."

What should be the minimum amount of information in a WHOIS database?  This
will most likely become a subject of discussion in the Names Council WHOIS
committee, and is probably a matter that should be addressed in the GA as it
does touch upon legitimate privacy concerns and is implicated in the
commitment by Verisign to develop "a truly universal WHOIS service that
would function effectively across all Top Level Domains, not just the
.com/.net/.org registries operated by VeriSign" (quoting Stuart Lynn).

Our Registrars Constituency also has posted its concerns regarding the
amount and type of data to be held in a centralized WHOIS (although their
point of view does not reflect privacy concerns as much as it does
anti-competitive concerns):

"First, VeriSign should not be allowed to create a centralized database for
all three of its gTLDs, and use that to try to extend the term of the .com,
.net, or .org registry agreements.  Second, registrars are quite concerned
that VeriSign would have access to and hold all of the registrars' data.
This creates enormous competitive implications, which must be considered
with utmost seriousness.  Third, any change in the current Whois
architecture would entail potentially costly changes to registrars' systems.
Such costs must be part of the consideration in moving toward a centralized
registry.  In the interest of stability, we would recommend that the portion
of the $200 million fund that VeriSign has pledged toward the universal
Whois be used to offset administrative and programming costs that registrars
may incur to make the necessary transition."
http://www.dnso.org/clubpublic/registrars/Arc01/doc00023.doc

One might ask, is there perhaps another entity that could provide a
centralized WHOIS database other than Verisign?  If so, perhaps this might
alleviate the Registrars' concerns to some degree.

In any event, a decision will ultimately need to be made regarding which
data will be maintained for purposes of both WHOIS lookup and Bulk WHOIS
licensing.  The current requirement states:

"The data accessible shall consist of elements that are designated from time
to time according to an ICANN-adopted policy. Until ICANN otherwise
specifies by means of an ICANN-adopted policy, this data shall consist of
the following elements as contained in Registrar's database:

a. The name of the SLD being registered and the TLD for which registration
is being requested;
b. The IP addresses of the primary nameserver and secondary nameserver(s)
for the SLD;
c. The corresponding names of those nameservers;
d. The identity of Registrar (which may be provided through Registrar's
website);
e. The original creation date of the registration;
f. The expiration date of the registration;
g. The name and postal address of the SLD holder;
h. The name, postal address, e-mail address, voice telephone number, and
(where available) fax number of the technical contact for the SLD; and
i. The name, postal address, e-mail address, voice telephone number, and
(where available) fax number of the administrative contact for the SLD.

Whatever decision is made, it will need to address the concerns of the
Intellectual Property constituency, the Registrars and Registries
constituencies, and the as-yet-still-not-established Individuals'
constituency (that has a number of valid privacy concerns).  As the General
Assembly is the only ICANN body that can currently represent (to some
degree) the interests of individuals, we have an obligation to make sure
that as an impacted party, individuals are well represented in ongoing
policy deliberations.

The GA, if it continues discussions on the privacy implications of WHOIS
usage, will need to reach out to all parties that have a stake in such
discussions, including members of the European community that have a very
different take on privacy than do most Americans.  The establishment of a
consensus policy requires us to document our outreach process... but I will
admit to not being sure that we actually have an outreach process in place.
Perhaps this is another matter to consider...

Finally, one will eventually need to ask, while curtailing the marketing
efforts of others, does the Registrar community in fact have proprietary
rights to the data they collect, or does an individual's right to privacy
imply that these domain name holders are not to be contacted with regard to
the possible purchase of ancillary services by the Registrars themselves and
their affiliates?  The Tucows proposal only concerns itself with the sale of
Bulk WHOIS data to third parties, noting "The only exception would be those
parties with whom they originally contracted for service, who would not be
able to resell this information."













--
This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html