[nc-whois] WHOIS policy primer
Here's a first fragment of a draft for a WHOIS policy primer.
This one's a walk-through of the registrar accreditation
agreements (actually, there are two of these, with small
differences), which is hopefully at least a bit more
understandable than the agreements themselves. Missing bits: A
review of the .name appendix to the RAA (which is currently
missing from the ICANN web site), which may contain changes to
query-based access, and an overview of registries' WHOIS
provisions. In any event, the most important policies (at least
from a privacy point of view...) are contained in the RAA: Even
the thick registries basically make the same query-based access
available as registrars (with .name as an exception), with the
same non-restrictions on use of the data, and, possibly, advanced
query possibilities. Bulk access to thick registries' whois data
is more limited than with registrars. So I hope that this is
useful even in its current incomplete state. I'll add more when I
find the time. That means, in particular, not this week.
Thomas Roessler <firstname.lastname@example.org>
Access to Registrars' Data
Thomas Roessler <email@example.com>
August 21, 2002
Access to registrars' data about domain name registrations is controlled
by the Registrar Accreditation Agreement (RAA). This agreement is available
in two versions from November 1999 (applicable to registrars accredited
only for .com, .net, .org), and from May 2001 (applicable to registrars in
.biz, .info, .name, and to electing registrars in .com, .net, .org). The
rules on public access to these data can be found in section 3.3 of the
respective agreements.
Availability of Data
of the RAA obligates registrars to provide, at their own expense, and to the
public, web-based and port 43 query access
to up-to-date (i.e., updated at
least daily) data concerning all active Registered Names sponsored
by Registrar for each TLD in which it is accredited.
The agreement contains a provision which allows appendices for specific
TLDs to modify this list of requirements; none of the existing TLD-specific
appendices makes any use of that provision.
Use of WHOIS data
of the RAA determines the possible use of the data made available through
query-based whois. This is expressed in terms of restrictions registrars
may (or rather, may not) impose on data recipients.
Registrars may impose no restrictions
besides those explicitly listed in the accreditation agreement or determined
by an ICANN policy; to date, no such policy exists.
WHOIS data obtained by query-based WHOIS access may be used for any lawful purpose, with two exceptions:
- Spamming. The 1999 RAA explicitly forbids use of WHOIS data for
e-mail spam in this section, while the 2001 agreement also mentions telephone
or facsimile advertising. Also, the 2001 agreement permits use of data
for such solicitations to data recipient's own customers.
- Automated high-volume processes which affect registry or registrar
systems. The 1999 agreement only talks about Registrar (or its systems); this is generalized
in the 2001 agreement.
Cross-registrar WHOIS / centralized database
of the RAA obligates registrars to cooperate in the establishment
of a distributed, cross-registrar query-based WHOIS. Alternatively - if the Whois service implemented by
registrars does not in a reasonable time provide reasonably robust, reliable,
and convenient access to accurate and up-to-date data - it
is the registrar's obligation to supply data from its database to facilitate the development of a centralized
Whois database for the purpose of providing comprehensive Registrar Whois
Availability of Data
imposes the additional obligation on registrars to make the same data subject
to query-based access available in bulk. Bulk data are made accessible for
download at least once per week (18.104.22.168;
for an annual fee of at most USD 10,000 (22.214.171.124;
Use of Bulk Data
of the RAA describe the contents of registrars' access agreements. There
are both conditions the registrar shall
impose on data users, and conditions the registrar may impose on data users. This implies
that registrars may not impose any other conditions on the use of bulk WHOIS
The effectiveness of these provisions is, however, limited by section 3.3.7
of the RAA until the earlier of either establishment of a new ICANN policy
on bulk access to WHOIS data, or demonstration,
to the satisfaction of the United States Department of Commerce, that no
individual or entity is able to exercise market power with respect to registrations
or with respect to registration data used for development of value-added
products and services by third parties.
The possible provisions of registrars' bulk access agreements are these:
- Data may not be used for spamming. Paragraph 126.96.36.199
of the 2001 RAA includes e-mail, telephone and telefax, and has an exception
for existing customers of the data recipient, while section II.F.6.c
of the 1999 RAA is limited to e-mail; note the analogy to the restrictions
on the use of WHOIS data obtained through the query-based access. This provision
is mandatory (shall require) and
not at the registrar's discretion.
- Data may not be used for high-volume processes which affect registry
or registrar systems. This is an optional provision (may require) in section II.F.6.d
of the 1999 RAA, and a mandatory provision (shall require) in section 188.8.131.52
of the 2001 RAA. Note that the 1999 RAA's language is restricted to Registrar (or its systems), analogously
to the provisions concerning the use of WHOIS data obtained from the query-based
access, while the 2001 language is generalized.
- Registrars may forbid the
further sale and distribution of bulk WHOIS data by data recipients. Registrars
may not forbid that data recipients
use (sell, distribute) the data as part of value-added services and products.
However, registrars may demand
that these products and services do not permit the extraction of a substantial portion of the bulk data.
of the RAA provides that registrars may
establish an opt-out policy; note that this is not mandatory. This opt-out
policy - if established - is limited to individual domain name holders, and
it only covers bulk access for marketing
purposes (except spamming, which is forbidden anyway - see above).
The opt-out cannot be limited to third parties' marketing use of registration
data: If registrants opt out of marketing use, Registrar may not use such data subject
to opt-out for marketing purposes in its own value-added product
It should be noted that this provision is stated as an explicit allowance
to registrars. This implies that registrars may not establish any other policies with
respect to the availability of WHOIS data. WHOIS data provided for
bulk access (and supposed to be used for any non-marketing purpose) must be complete.
Information for Registrants
contains registrars' obligation to inform registrants about the purposes and
intended recipients (or categories of recipients) of any personal data collected
from the registrant. Personal data are defined, in section 1.6
of the agreement, as data about any identified
or identifiable natural person.