DRAFT 9/5/02 --2

WHOIS Task Force – Team 1 (Accuracy of WHOIS Data)


The Team has discussed the following issues drawn from the draft final report
section on Whois data accuracy:

(A)  What steps should the Task Force recommend to improve enforcement of
the existing contractual obligations (in the Registrar Accreditation
Agreement and in the ICANN agreements with the new gTLD registries)
regarding accuracy of Whois data?

(B)   Regarding the proposal for graduated sanctions for violations of
existing contractual agreements, does the Task Force have specific sanctions
(short of dis-accreditation/revocation of the agreements) to propose? 


(C) What additional steps to improve the quality of Whois data should be considered?

Regarding issue (A) (enforcement of existing obligations):


The following proposals were circulated August 23 and have elicited no comments. All or at least most of the references to registrars could also include the "thick" gTLD registries, but there could be some differences based on differing contractual provisions:

(1) ICANN should ask registrars to identify, by a date certain, a reliable
contact point for reports of false Whois data (and for requests for
registration cancellations based on them).

(2) ICANN should post those contact points on its web site (perhaps on the
list of accredited registrars).

(3) ICANN should add an optional complaint form on this issue to the
internic.net site. The complaint form would supply a "ticket number" for
the complaint and would be designed for ICANN to be copied on the
registrars' response to the complaint.

(4)  ICANN should supplement its May 10, 2002 registrar advisory as follows:

(a)  ICANN should instruct registrars to use commonly available
automated mechanisms to screen out obviously incorrect contact data (e.g.,
ZIP code/postcode matching software [at least for North American
registrants], rejecting incomplete fields in contact data, etc.).
(b)  ICANN should remind registrars that "willful provision of
inaccurate or unreliable information" is a material breach of the
registration agreement that should lead to cancellation of the registration
unless there are extenuating circumstances, and that this breach can be
detected on the face of the data submitted if it is blatantly false.  (It is
extremely unlikely that someone would submit such contact data other than
willfully.)  In these circumstances there is no need to attempt to contact
the registrant before cancellation, and no need to wait 15 days.  Once this
willful conduct is brought to the attention of registrars, the registration
should be subject to cancellation.
(c)  ICANN should clearly state that "accepting unverified
'corrected' data from a registrant that has already deliberately provided
incorrect data IS NOT [not "may not be," as the advisory states]
appropriate."  Accordingly, registrars should require that registrants not
only respond within 15 days but that the response be accompanied by
documentary proof of the accuracy of the "corrected" data submitted, and
that a response lacking such documentation can be treated as a failure to
respond and thus grounds for cancellation. 
(d)  ICANN should tell registrars to treat a complaint about false
Whois data as to one registration as a complaint about false Whois data as
to all registrations that contain identical contact data, and all such
registrations should be made the subject of an inquiry, corrected, or
cancelled, as the case may be, en bloc.


Regarding item (B) (graduated sanctions):


The following was circulated by Ram Mohan on August 30 and discussed by the Working Group on that date. Changes reflecting the discussion were circulated on September 2 and no further comments have been received.


<<<<<<<GRADUATED SANCTIONS APPROACH>>>>>>>>


Note Well: The approach documented below represents a line of thinking only, and should not in any way be construed to be the opinion of any constituency, or of the company(ies) by which the author(s) are employed. Any such policy shall be subject to discussion and review in the various DNSO constituencies prior to adoption.


The Task Force should recommend a series of graduated sanctions whose aim is to improve the compliance of registrars with the terms of the RAA with regard to the accuracy of WHOIS data.


In addition, it should be re-emphasized that registrars are responsible for the compliance of their agents (i.e., resellers and other intermediaries) with WHOIS accuracy directives.


ICANN should modify the contracts of Registry and Registrar operators who are under contractual obligation with ICANN in the following manner:




Graduated Sanctions – “3 Strikes Policy”

Definitions:

For the sake of uniformity, the word “Registrars” below shall include ICANN authorized registrars, as well as any intermediaries and agents of such registrars who engage in the sales and service of Internet domain names through such ICANN authorized registrars, directly or indirectly. “Documented inaccuracies in WHOIS data” does not refer to individual cases which are the subject of complaints, but to recurring patterns or practices of non-compliance identified by ICANN.


Who do the sanctions apply to:

The 3 Strikes Policy shall apply to Registrars, as defined above, and thick registries.


What are the sanctions:


Strike One:

The Registrar shall be provided thirty calendar days to take necessary action to correct documented inaccuracies in WHOIS data. If, at the expiration of the thirty day period, the information in the WHOIS database has not been corrected, and the Registrar does not submit to ICANN evidence of having taken vigorous steps to correct such inaccuracies, the Registrar shall be:

  1. Provided a notice of non-compliance with ICANN contract regarding WHOIS accuracy

  2. Levied a fine of $250 for each instance of non-compliance. The fine would be collected from funds deposited by registrars with registries (ICANN agreements with registries would also have to be revised to authorize this collection). (A collection mechanism would also need to be provided with respect to thick registries.)

  3. Asked to provide a plan to ensure correction of accuracy of the WHOIS data

  4. Given a further thirty days to take action to correct documented inaccuracies in WHOIS data, with penalties for non-compliance as below


Strike Two:

The Registrar shall be provided a further thirty calendar days to take necessary action to correct documented inaccuracies in WHOIS data. This time period shall commence at the conclusion of the first thirty day period automatically. If, at the expiration of the thirty day period, the information in the WHOIS database has not been corrected, and the Registrar does not submit to ICANN evidence of having taken vigorous steps to correct such inaccuracies, the Registrar shall be:

  1. Provided a second notice of non-compliance with ICANN contract regarding WHOIS accuracy

  2. Levied a fine of $500 for each instance of non-compliance.

  3. Asked to provide a plan to ensure correction of accuracy of the WHOIS data

  4. Informed that they have one more opportunity to take steps to correct WHOIS data before more serious action is taken against them for material breach of contract

  5. Given a final thirty days to take action to correct documented inaccuracies in WHOIS data, with penalties for non-compliance as below


Strike Three:

The Registrar shall be provided a further thirty calendar days to take necessary action to correct documented inaccuracies in WHOIS data. This time period shall commence at the conclusion of the first thirty day period automatically. If, at the expiration of the thirty day period, the information in the WHOIS database has not been corrected, and the Registrar does not submit to ICANN evidence of having taken vigorous steps to correct such inaccuracies, the Registrar shall be:

  1. Provided a third notice of non-compliance with ICANN contract regarding WHOIS accuracy

  2. Levied a fine of $1,000 for each instance of non-compliance.

  3. The Registrar’s name shall be placed on a public non-compliance list, prominently displayed on ICANN and other public Internet sites.

  4. Asked to provide a plan to ensure correction of accuracy of the WHOIS data

  5. Informed that under the terms of their RAA, they are in danger of incurring further serious penalties, including, should it be so decided, a suspension of Registrar accreditation.

  6. Given a final thirty days to take action to correct documented inaccuracies in WHOIS data, with penalties for non-compliance as below


Next Step:

Suspension of accreditation and rights <to do what? Register new names?> for 5 days.



Final Step:

Removal of accreditation.



How are the sanctions imposed:

Upon discovery of inaccurate WHOIS information in the authoritative database (the Registrar’s database in the case of thin-registries, and the Registry’s database in the case of thick-registries), the discovering party shall be provided a mechanism to submit a complaint. Such a complaint shall receive a tracking number to ensure accountability. [NOTE: this refers to individual instances, not documented problems that could give rise to the sanctions steps above. The ICANN September 3, 2002 announcement appears to provide a mechanism similar to this.]




When do the sanctions apply:



What is the relief from sanctions:

Correction of data [or cancellation of DN registration].

Documented steps to correct data and proof of action and reasons (if any) for delay.


Method(s) to dispute a sanction:


Regarding item (C) (additional steps):


The following additional requirements suggested by Tony Harris were discussed on the Working Group’s conference call on August 30. They were circulated in written form on September 2 and elicited no objections from the Team members.


(1) Registrants should be required to review and validate all Whois data upon renewal of a registration.


(2) Registrars should be required to spot-check a sample of registrations in order to validate the accuracy of contact information submitted. Besides the use of automated methods to screen out obviously false contact data (see item 4(a) under section (A) above), semi-automated methods such as e-mail pinging, automated dialing to validate telephone numbers, etc., may be used to the greatest extent feasible.