D. Marketing use of WHOIS data; bulk access provisions.
The current bulk access provisions in the Registrar Accreditation Agreement (the RAA) contained in Section 3.3.6 allow for the sale of customer information contained in Whois databases to third parties under certain conditions, including but not limited to the following:
Registrar may charge an annual fee (not more than $10,000).
Registrar must enter into an agreement with the third party which requires the third party to agree not to use the data:
For mass, unsolicited marketing, other than to its own existing customers, and
To enable high-volume, automated, electronic processes that send queries or data to any registry or registrar, except to register or modify domain names.
The agreement may
Require the third party to agree not to sell or redistribute the data, and
Enable registrants who are individuals to opt out of bulk access for marketing purposes and therefore require third party to abide by the terms of that opt out policy.
An overwhelming majority (89%) of respondents said that registrants should be asked to opt in for their information to be available for marketing purposes, or that there should be no use of the data for marketing at all, while a minority (11%) indicated that they did not object to use of the data for marketing generally or by virtue of an opt-out policy.
Because these results suggest that respondents object to the use of their personal information contained in the WHOIS database for unsolicited marketing activities, it is clear that there must be a serious evaluation of the bulk access provisions in the RAA to determine how the policy can be changed, whether there are realistic limitations as to what the data can be used for, or whether it must simply be eradicated.
Without further research, we cannot say with certainty that the bulk access provisions should be eradicated, although such a possibility should not be dismissed. In making that determination, the benefits of third party bulk access for should be weighed against the strength of the argument that registrant information should not be available in this form. A pertinent question here is what legitimate purpose is furthered by the use of Whois data in bulk form by third parties? Given that marketing is not a necessary feature of the DNS, is it sensible to make such data available for marketing purposes?
We recognize that there may be legitimate uses being served by bulk access to Whois data (e.g., research, law/intellectual property enforcement and the provision of value-added services); however, the responses of the survey participants merit an evaluation of these legitimate uses and whether they outweigh registrants interests. To ensure utility of any Whois database, it is crucial that information contained therein is accurate. It should be evaluated whether bulk access to registrant information impedes such accuracy, and whether, therefore, bulk access is deleterious to actual usage of Whois.
While this recommendation does not rule out eradication of the current bulk access provision, it focuses on modifications of the provision to enhance the protection of Whois data. Specifically, we have parsed through the various components of subsection 3.3.6, highlight the problem with the provision and make suggestions for an improved provision in light of enhancing protection of data. Finally, we provide the full text of what we would perceive to be a more acceptable provision given the survey results (Appendix A).
Section 3.3.6 of the RAA is broken down into several components, as follows:
3.3.6.1 Registrar shall make a complete electronic copy of the data available at least one time per week for download by third parties who have entered into a bulk access agreement with Registrar.
This subsection 3.3.6.1 indicates that the registrar must make available its Whois data to “third parties who have entered into a bulk access agreement.” There are no limitations as to the types of entities or individuals that can enter into this agreement, whether an unsolicited marketing agency, a legitimate third party Whois provider, or otherwise. This subsection could be modified with limitations on the types of third parties eligible to enter into a bulk access agreement, in particular those parties who are able to articulate a legitimate need for bulk access to Whois.
3.3.6.2 Registrar may charge an annual fee, not to exceed US$10,000, for such bulk access to the data.
It would seem that providing registrars with a financial incentive to provide bulk access to data would encourage such activity, while simultaneously deterring those third parties with a legitimate need from accessing the data in bulk. We would recommend allowing the registrar only to charge a third party for its actual costs of providing electronic copies of the data on a regular basis to the third party.
3.3.6.3 Registrar's access agreement shall require the third party to agree not to use the data to allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass, unsolicited, commercial advertising or solicitations to entities other than such third party's own existing customers.
This provision, by its own terms, allows registrars to sell rights to use their Whois databases for purposes of unsolicited, mass marketing. While third parties may not authorize others to use the data for this purpose, they can themselves use the data to for unsolicited marketing purposes. Other than limiting unsolicited marketing to the third party’s own customers, there are no limitations on the marketing use of the Whois data by the third party.. This subsection is probably acceptable, however, if registrars are required to allow registrants to opt out of these uses (see below).
3.3.6.4 Registrar's access agreement shall require the third party to agree not to use the data to enable high-volume, automated, electronic processes that send queries or data to the systems of any Registry Operator or ICANN-Accredited registrar, except as reasonably necessary to register domain names or modify existing registrations.
If a third party has bulk access to the Whois database, there is no need for such third party to enable high-volume, automated queries. However, if such third party provides access to its licensed Whois database to others (for example, where the third party is a provider of Whois data), this requirement is important to ensure that its database does not generate unsolicited marketing practices through high-volume queries.
3.3.6.5 Registrar's access agreement may require the third party to agree not to sell or redistribute the data except insofar as it has been incorporated by the third party into a value-added product or service that does not permit the extraction of a substantial portion of the bulk data from the value-added product or service for use by other parties.
Making the prohibition on sale or redistribution of data by the third party an option (“access agreement may require”) does not provide any protection of the Whois data. To protect the integrity of the Whois database, this provision must be changed so that a third party is “required” not to sell or redistribute the data except as part of a value-added product or service.
3.3.6.6 Registrar may enable Registered Name Holders who are individuals to elect not to have Personal Data concerning their registrations available for bulk access for marketing purposes based on Registrar's "Opt-Out" policy, and if Registrar has such a policy, Registrar shall require the third party to abide by the terms of that Opt-Out policy; provided, however, that Registrar may not use such data subject to opt-out for marketing purposes in its own value-added product or service.
This provision currently allows a registrar to make its own determination of whether to implement an opt-out policy. If it does not, a registrant’s information will be accessible via the bulk access procedure. While the results of the survey indicate that respondents object to either an opt-out or no policy at all , the Task Force recommends that this provision be changed to “require” a registrar to implement an opt-out policy. We believe that the concept of opt-out may have been overlooked by respondents who reacted viscerally to the general lack of any option as to whether their information is included in bulk access. In addition, we believe that immediately requiring the adoption of an opt-in policy may result in a significant deterioration of the information contained in the bulk access database, which would be detrimental to legitimate third parties making non-marketing uses. If, after adoption and evaluation of a requirement for an opt-out policy, it is clear that improper marketing uses of bulk access data are continuing, , then an opt-in policy for any marketing uses should be implemented. It is crucial that opt-out policies implemented by registrars are simple and transparent and that the opt-out of the registrant are respected in practice.
We believe that the modifications that we have recommended in this report will enhance the protection of registrants’ information in accordance with the desires expressed in the survey. In addition, we believe that this enhanced protection could minimize conflicts between Whois policies relating to registrar bulk access with international privacy laws.
Revised bulk access provision (italics generally showing the suggested modifications):
3.3.6.1 Registrar shall make a complete electronic copy of the data available at least one time per week for download by third parties who have entered into a bulk access agreement with Registrar and who are able to articulate a legitimate need for bulk access to Whois.
3.3.6.2 Registrar may charge an annual fee, its actual cost of providing such bulk access to the data (such cost not to exceed $10,000).
3.3.6.3 Registrar's access agreement shall require the third party to agree not to use the data to allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass, unsolicited, commercial advertising or solicitations to entities other than such third party's own existing customers.
3.3.6.4 Registrar's access agreement shall require the third party to agree not to use the data to enable high-volume, automated, electronic processes that send queries or data to the systems of any Registry Operator or ICANN-Accredited registrar, except as reasonably necessary to register domain names or modify existing registrations.
3.3.6.5 Registrar's access agreement shall require the third party to agree not to sell or redistribute the data except insofar as it has been incorporated by the third party into a value-added product or service that does not permit the extraction of a substantial portion of the bulk data from the value-added product or service for use by other parties.
3.3.6.6 Registrar shall enable Registered Name Holders who are individuals to elect not to have Personal Data concerning their registrations available for bulk access for marketing purposes based on Registrar's "Opt-Out" policy, and [DELETE] Registrar shall require the third party to abide by the terms of that Opt-Out policy; provided, however, that Registrar may not use such data subject to opt-out for marketing purposes in its own value-added product or service.