[nc-whois] Summary: Comments on Bulk Access, Marketing, and Privacy.

This comment from Vittorio Bertola was originally posted during the
Task Force's first comment period in August, but effectively lost in
the interim report due to a clerical error. Mr. Bertola observes
that "registrants have to be provided with options to opt in or out
from any kind of usage, distribution and processing of their data
that is not strictly necessary to supply the DNS service; these
options must be clearly stated, separated from the core of the
domain registration agreement, and it must be absolutely clear to
customers that they can register the domain name even if they do not
accept to provide their personal information for these additional
uses." Mr. Bertola explicitly applies this principle to bulk access,
even if not aimed at marketing purposes.

In this comment, Michael Palage remarks: "Despite several comments
from participants regarding privacy rights it appears that the Whois
Task Force did not provide a very detailed analysis of the European
Data Privacy Directive, or other national laws. Any potential ICANN
policy that is implemented must take into account national law and
local stakeholder perspectives, particularly when an ICANN
contracting party is subject to the jurisdiction of these laws."

In this further comment, Michael Palage writes that the current
WHOIS system fails to "adequately meet the needs and concerns of
governments, intellectual property owners, domain name registration
authorities, as well as consumer and privacy advocacy groups." He
then suggests dissolving the Task Force and initiating a "blue
ribbon panel" in order to perform "a comprehensive bottoms-up [sic!]
review and overhaul."

This comment from Karl Auerbach remarks that the interim report does
not answer the "primary question why personally identifiable
information must be published to the public at all." Mr. Auerbach
then elaborates on a number of privacy protection mechanisms, in
particular including the requirement that those examining the WHOIS
reports first identify themselves, and that the "time, date, and
identity of every inquiry be recorded and made available to the data

In this comment from the NYIPLA Internet Law Committee, an argument
based on U.S. law is given which leads to the view of the Committee
that domain name registrations are public records. A dissenting
opinion by Wendy Seltzer, included with the comment, argues in favor
of the use of anonymous or pseudonymous contacts, based on the
observation that "in the United States, anonymous speech is a
constitutionally protected right."

This message (including attachments) contains the comments from the
gTLD registry constituency. With respect to the interim
recommendations on bulk access and marketing, it is observed that
the "biggest problem with bulk access is the inability to enforce
requirements. If conditions are virtually unenforceable, then
nothing is gained by making changes except possibly creating a false
sense of accomplishment and increasing costs." It is asked who
should decide what constitutes "legitimate" use of bulk data. The
idea of cost-based bulk access to WHOIS data is called "socialistic"
and "terrible". It is requested that the notes about RAA 22.214.171.124
be clarified as dealing specifically with registrars making WHOIS
databases available to third parties for marketing purposes.
Further, 126.96.36.199 is called "meaningless" unless it's enforceable;
re 188.8.131.52, it is asked how a registrar should determine that Whois
data is being used for improper marketing purposes, and it is
doubted that this is feasible at all.

This comment, submitted by Rebecca J. Richards on behalf of TRUSTe,
"strongly supports the review of the bulk access provisions of the
RAA." It is suggested that by "following the fair information
practices of notice, choice, access and security, the WHOIS database
can balance the safety of the public at-large with the privacy of
Web site owners." TRUSTe supports making an opportunity to opt-out
of third party marketing uses of WHOIS available to all registrants.
"Providing the database information to mass marketers without
providing those in the database even the courtesy of allowing them
to opt-out does not create a trusting, transparent and accountable
system," the comment continues.

It is also noticed that "the WHOIS database has been an important
tool for consumer safety and, in our experience, has been an
irreplaceable means of ensuring the validity of the privacy promises
that companies make."

This comment was submitted by Troy Dow on behalf of the MPAA. The
comments on bulk access and privacy are too concise to benefit from
being summarized, so I quote them completely: "The Whois Survey
clearly indicates both privacy concerns over bulk access to Whois
data for marketing purposes and strong support for the continued
public availability of Whois data for legitimate purposes. As the
Interim Report recognizes, there are a number of legitimate
non-marketing purposes for bulk access. In fact, much of the
functionality supported by the survey respondents might be realized
through third-party services enabled by bulk access to reliable
Whois data. MPAA would support efforts to protect against the use
of bulk access to Whois data for unwanted and unsolicited marketing
purposes. In fact, such efforts may in fact contribute to better,
more accurate Whois data for legitimate uses. Care can and should
be taken, however, to address such privacy concerns in a way that
continues to accommodate bulk access by responsible parties in
furtherance of legitimate uses of Whois data."

This extensive comment was submitted by Ross Wm. Rader on behalf of
Tucows. Tucows notes that limitations of the types of third parties
eligible to enter into a bulk access agreement would require
subjective determinations by registrars whether some definitions are
satisfied. Tucows believes that this would require the installation
of some kind of an appeals process, and proposes that such an
approach "would likely be unwieldy."

Tucows takes the position that access to bulk data should be
determined by registrars themselves, and feels that the bulk access
requirement is inappropriate. Practical experience is cited as
having demonstrated "that those that most desire access to these
customer lists are those that are most likely to inappropriately use
these resources." It is argued that the market-based approach
advocated would enable registrants to choose registrars based on
privacy policies, thereby increasing competition.

Regarding practical experiences with the current bulk access regime,
Tucows quotes "inappropriate marketing (slamming, deceptive
notices), misappropriation of intellectual property under the terms
of the license and other wholly inappropriate activities."

The idea of restricting the fee for bulk data is rejected. Instead,
market-based pricing is suggested.

The proposed modification of section 3.3.6 of the RAA is rejected.
The approach of imposing a number of minimal safeguards on bulk
access provided by registrars on a voluntary basis seems to be
acceptable to the commenter; it is suggested that the "restrictions
on a registrar's capability to impose new or differing requirements
on bulk whois users" should be modified.

Tucows observes that registrars typically do make the condition in
184.108.40.206 mandatory even with the current language. In order to
support business models which may not implement such a requirement,
Tucows suggests that "it would seem prudent to continue to allow the
flexibility in implementation as specified in the current contracts."

Under the assumption that the current contractual requirements are
continued, a provision which explicitly forbids any use for purposes
other than those stated in the bulk access agreement is supported by
Tucows. In the event of a change to the requirements, the question
should be re-evaluated.

With respect to the opt-out provision, Tucows notes customer demand
for an opt-in policy, and suggests that registrars should have the
choice between opt-out and opt-in policies.

Tucows' response to the task force's question about different
policies and different sets of bulk data for marketing and
non-marketing uses is slightly confusing; I have asked Ross Rader
for clarification, and will forward this to the Task Force. The
response in Tucows' own words: "Not under the regulated approach
advocated by the Task Force. Each of these approaches possesses
significant social and economic costs for Registrants and Registrars
that would be more appropriately dealt with through a market-based
approach to the issue of Bulk Whois data access."

This comment was submitted by Rick Wesson (Alice's Registry). It
emphasizes that privacy is the "single most talked about topic with
WHOIS", and that it impacts each of the areas of the report. "The
fact remains that the largest use of whois is for marketing
purposes, the task-force MUST address this issue in its final

This comment was submitted by Michael Erdle on behalf of the Domain
Names and Trade-marks on the Internet Committee of the Intellectual
Property Institute of Canada. The Committee "notes that searching
and marketing of WHOIS data must comply with applicable privacy
laws. For example, in Canada, registrars must obtain consent to the
collection and use of the data. In many situations, implied consent
and 'opt-out' procedures are not sufficient." It is noted that
explicit consent to both collection and use of data may be required,
in particular when the use is "not directly necessary for the
maintenance of the registry."

In this comment, Norbert Klein (Open Forum of Cambodia) articulates
surprise that, after the long process the Task Force has gone
through, the bulk access recommendations do not answer the question
of what use is to be considered "legitimate."

In this comment, Paul Stahura from Enom points to the possible
interaction between overly broad access to and use of WHOIS data and
accuracy of these data. With respect to bulk access to these data,
Mr. Stahura recommends that "the $10k cap should be eliminated for
anyone who is not authorized somehow by ICANN to get the bulk data."
There should be a small set of entities granted the ability to access
bulk data at a relatively low price, which would (1) be policed by
ICANN, and (2) could compete to offer services. No opt-out of this
"authorized" bulk access would be allowed. Mr. Stahura apparently
envisions these services as a replacement for (some features of)
registrars' port 43 and web interfaces.

Thomas Roessler <email@example.com>