of the Names Council's
November 30, 2002
Click here to submit a comment on this report.
Comments must be received by 9 January
The present document contains consensus policy recommendations as well
as advice and comment from the Task Force. For the reader's convenience,
we provide links to those recommendations which are expected
to be treated as consensus policies as defined in the applicable
3.1, section III.A: Registrants should be required to review and validate all WHOIS data upon renewal of a registration.
IV: It is recommended that any marketing use of bulk
WHOIS data should be forbidden by appropriately modifying the
Registrar Accreditation Agreement's bulk access provisions.
WHOIS is an important resource to users, ISPs,
governmental users, intellectual property holders and the intellectual
property community, and to registrars. Yet, and not surprisingly, some questions
related to WHOIS are controversial. Several questions still deserve addressing.
These include privacy issues; the cost of maintaining accurate data; who
should have unlimited access; what uses are “legitimate”, and many more.
Many of these are described in more detail in the various recommendations
for further work contained in this report.
Other key questions remain open for further
discussion and work: For instance, we do not present a comprehensive answer
to the question what uses of WHOIS data (and bulk access to these data in
particular) should be considered "legitimate". We do not present an answer
to the question who should be able to access WHOIS data in what form and
under what conditions.
Overall, throughout the work of the Task Force, it has been apparent that WHOIS is important to its users, and that it is a resource that is used throughout all kinds of groups of users of the global Internet.
Over the past year, the WHOIS Task Force has
completed analysis of a survey, undertaken
extensive further outreach,
and developed an Interim
Report which focused on four key issues. In the Interim Report,
the Task Force proposed to the community that the focus of short term
policy recommendations should be:
The comments received during the comment period appeared to support this focus. Items 2 and 3 of the Interim Report, Uniformity and Better Searchabilty, were presented as longer term work items. The Task Force will, within the next few weeks, finalize a second report which will porvide guidance for further work on Uniformity and Enhanced Searchability. Comments received supported the Task Force's prioritization.
In this report, ensuring accurate and reliable data in the WHOIS databases is identified by the WHOIS Task Force as a critical issue. The Task Force first addresses enforcement of existing RAA responsibilities, and then moves on to address consensus recommendations. The report also notes the need for further work in several areas related to accuracy.
This report also recommends
against marketing uses of bulk access to WHOIS data. It addresses
the concerns raised by the Internet community about privacy as needing
further work, and recommends several processes to address increased understanding
of the concerns, applicable law, and possible solutions.
The Task Force has taken extensive input, presented numerous updates and made many presentations. This report presents and summarizes the input received and attempts to address the concerns raised, in particular by registrars concerned about the cost of implementing accuracy requirements, and by individuals who believe that privacy is not yet adequately addressed.
The Task Force acknowledges that the work is not completed on WHOIS. In fact, the Task Force envisions that WHOIS will be a topic of work and dialogue throughout 2003.
This Task Force, or another appropriate body, will need to address several key issues, including the question of “access” to WHOIS; whether differential access is a useful concept; how standards fit in; and what their ‘status’ is; what privacy issues are for individuals versus corporate or organizational representatives listed in WHOIS; how to develop acceptable processes with the agreement of the ccTLDs; what national laws may be determined to be applicable.
We recommend to the Names Council that this Task Force continue to address the issues which are being identified in the Task Force's reports.
The Task Force recommendations to the Names
Council present several areas where the Names Council and the ICANN board
have the ability to support significant improvements in WHOIS policy in
the short term. Improved accuracy
and better protection against marketing will
help to address key concerns of the Internet community. These first steps
are important. Improving how WHOIS serves the broad Internet community
has been, and is our goal.
There is more to do. We have acknowledged that
and even describe some of the work still needed. But we should not wait:
We recommend that, in the short term, the Names Council endorse our recommendations
on accuracy and marketing uses of WHOIS data.
Submittedon behalf of the WHOIS Task Force.
A paraphrased version of
the initial terms of reference: "To consult with the community
with regard to establishing whether a review of any questions related
to ICANN’s WHOIS policy is due and if so to recommend a mechanism for such
The Task Force was tasked by the ICANN Domain Name Supporting Organization (DNSO) Names Council to give advice on WHOIS Policy. The Task Force followed the work of a WHOIS Committee convened by ICANN staff to give advice on implementation of WHOIS for the .com/.net/.org domains as required under the Registrar agreement. This Committee addressed implementing questions related to WHOIS in these domains and concluded its work in April, 2001. The implementation of the committee’s work included the establishment of a WHOIS Task Force on domain name system policy. The Task Force was approved in the Names Council meeting of February 8, 2001.
In general, the purpose of the Task Force’s work is to consult with the community with regard to establishing whether a review of any questions related to ICANN’s WHOIS policy is due and is to recommend a mechanism for such a review. As the Task Force has worked, they have chosen to interpret their mandate broadly, and have shared that perspective with the Names Council on several occasions, as well as publishing this interpretation in the various public presentations that they have made.
The Task Force presents recommendations on two of the four key areas presented in the Interim Report. These recommendations include consensus policies, advice and commentary on the enforcement of existing policies, and priorities for further work within these areas.
ICANN should ask registrars to identify, by a date certain, a reliable contact point to receive and act upon reports of false WHOIS data. ICANN should encourage registrars to (i) provide training for these contact points in the handling of such reports, and (ii) require re-sellers of registration services to identify and train similar contacts.
ICANN should post registrar contact points on its web site (perhaps on the list of accredited registrars). It should also encourage registrars to take reasonable steps to make their own contact points publicly available, such as by posting this information on the registrar’s home page, including it on the page displayed in response to a query to the registrar’s Whois, and/or in other ways.
ICANN should continue to maintain an optional and standardized complaint form on this issue in the internic.net site. Registrars, registries and re-sellers should be encouraged to provide a link to this site. In order to better ensure follow up, the complaint form should supply a "ticket number" for the complaint and should be designed so ICANN receives a copy of the registrars' response to the complaint (i.e., the form should incorporate a simple, automated mechanism for the registrar to report back to ICANN on the outcome of complaints).
B. ICANN should modify and supplement its May 10, 2002 registrar advisory as follows:
ICANN should remind registrars that "willful provision of inaccurate or unreliable information" is a material breach of the registration agreement, without regard to any failure to respond to a registrar inquiry. A functional definition -- based on the actual usability of contact details -- should be used for “inaccurate or unreliable”.
ICANN should clearly state to registrars that "accepting unverified 'corrected' data from a registrant that has already deliberately provided incorrect data is not [not "may not be," as the advisory now states] appropriate." Accordingly, where registrars send inquiries to registrants in this situation, they should require not only that registrants respond to inquiries within 15 days but that the response be accompanied by documentary proof of the accuracy of the "corrected" data submitted, and that a response lacking such documentation may be treated as a failure to respond. The specifics of acceptable documentation in this situation should be the subject of further discussions.
There is not a consensus on the Task Force (taking into account comments received) that 15 days without a response is a sufficient time period to establish a material breach in all cases. ICANN should work with registrars, over the next 6 months, to monitor and collect more extensive data on the specific impact of the 15 days period in RAA 126.96.36.199, and its actual implementation by registrars, on good faith registrations, in particular from developing countries, that are subject to accuracy inquiries.
Dissenting opinion of Abel Wisman and
Thomas Roessler (GA): In view of the postal delivery
times outside the USA, the lengthened holidays in some countries
across the world and the general difficulty in contacting people
in certain parts of the world, it would be prudent for ICANN and
the registrars to address leniency towards the 15 day period for
cases which are not overtly fraudulent, while the task force continues
its work on its recommendations regarding the accuracy of the whois
ICANN should encourage registrars to take steps to remind registrants of their obligations to submit and maintain complete and accurate contact data at appropriate points, including but not limited to the time of renewal of a registration.
Registrars should be encouraged to develop, in consultation with other interested parties, “best practices” concerning the “reasonable efforts” which should be undertaken to investigate reported inaccuracies in contact data (RAA Section 3.7.8).
The following interim recommendations for improved enforcement of Whois obligations require further discussion by this Task Force or another appropriate body. Item (A) would, and item (B) might, require the development of a new policy or specification under RAA 3.7.8.
The following proposed changes to the registrar accreditation agreement to enhance Whois data accuracy are recommended as consensus policies:
A. Registrants should be required to review and validate all WHOIS data upon renewal of a registration. The specifics of required validation remain to be determined by this Task Force or another appropriate body.
B. When registrations are deleted on the basis of submission of false contact data or non-response to registrar inquiries, the redemption grace period -- once implemented -- should be applied. However, the redeemed domain name should not be included in the zone file until accurate and verified contact information is available. The details of this procedure are under investigation in the Names Council's deletes task force.
A. Responses to the interim report indicate interest in placing registrations for which accurate or updated contact data has not been received in an appropriate hold status for some period of time prior to the eventual deletion of the registrations (see item III(B) above). Registrations in this hold status would be returned to operational status upon provision of accurate and verified contact information. Further research by this Task Force or an other appropriate body, in consultation with registrars and other interested parties, is needed to determine whether the benefits of adding this additional step outweigh the potential costs.
B. Adding a regime of graduated or intermediate sanctions for patterns of violations by a registrar of the WHOIS obligations of the agreements. (This would supplement the current sanction of revocation of accreditation.)
Issue discussed in IV(B) (intermediate sanctions)
Sections I and II below give a high-level overview of the Task Force's
recommendations and their background. Section III
further elaborates on the reasoning behind the recommendations, and section IV contains detailed discussion and recommendations
on the RAA's bulk access provisions.
The current bulk access provisions in the Registrar Accreditation Agreement (the "RAA") contained in Section 3.3.6 allow for the sale of customer information contained in WHOIS databases to third parties under certain conditions, including but not limited to the following:
Registrar may charge an annual fee (not more than $10,000). [RAA 188.8.131.52]
Registrar must enter into an agreement with the third party which requires the third party to agree not to use the data:
The agreement may
An overwhelming majority (89%) of survey
respondents said that registrants should be asked
to opt in for their information to be available for marketing
purposes, or that there should be no use of the data for marketing
at all, while a minority (11%) indicated that they did not
object to use of the data for marketing generally or by virtue
of an opt-out policy.
A. Based on the results of the survey and the feedback from the community on reports published and statements made by the Task Force, the Task Force makes the following recommendations:
There is consensus that use of bulk access WHOIS data for marketing should not be permitted. The Task Force therefore recommends that the relevant provisions of the RAA be modified or deleted to eliminate the use of bulk access WHOIS data for marketing purposes. If this change is made, the provisions on registrant opt-out for marketing purposes could also be eliminated.
To the extent that ICANN disagrees with the Task Force’s Recommendation 1, and marketing uses continue to be permitted under the RAA, certain modifications should be made to the relevant provisions to enhance protection of personally identifiable information and of abuses of such information.
The Task Force notes that many provisions relating to the bulk access rules are not currently being enforced. It recommends that the changes that will be recommended at the end of the review process should be drafted with an eye toward enforceability and respect for applicable national laws, and that reasonable enforcement of the new rules be undertaken.
The Task Force’s proposed recommendations on marketing uses of bulk WHOIS data would be implemented as changes to the registrars’ bulk access agreements, as defined in 184.108.40.206 of the RAA. To the extent that registrars make their part of the WHOIS database available in bulk to third parties without regard for the bulk access provisions, separate safeguards against marketing and other inappropriate uses should be considered.
The Task Force should investigate the suggestion that there should be termination of licenses of licensees of bulk access WHOIS who breach a bulk access agreement and that such licensees should be ineligible from gaining access through a new agreement. The Task Force has not had adequate time to consider all of the issues surrounding such suggestion.
The following five points should be evaluated in conjunction with one another:
In its further review, the Task Force should consider broadly whether bulk access can be justified or whether it should simply be eliminated.
Further review of the bulk access policy must take place in order to determine which uses of bulk access to WHOIS data, if any, should be considered "legitimate." In the context of such review, the Task Force should solicit feedback of current bulk access licensees.
After determining whether there exist legitimate uses of bulk access to WHOIS data, there should be a weighing of whether such uses outweigh the privacy interests of individuals in protecting their personally identifiable information.
The Task Force should learn about the applicability and impact of national privacy and other laws as they relate to bulk access provisions. In connection with this review, the Task Force should also examine current and existing laws that have been implemented to protect individuals against misuse of their personally identifiable information.
A review should be undertaken of actual experiences of registrars in providing bulk data. If it can be demonstrated that those who have accessed WHOIS through a bulk access license are those who have inappropriately used the resources, then there is a strong argument for elimination or drastic reform of bulk access.
Because the survey results and community feedback suggest vehement objection to the use of personal information contained in the WHOIS database for unsolicited marketing activities, it is clear that there must be a serious evaluation of the bulk access provisions in the RAA to determine how the policy can be changed, whether there are realistic limitations as to what the data can be used for, or whether it must simply be eliminated.
Without further research, we cannot say with certainty that the bulk access provisions should be eliminated, although such a possibility should not be dismissed. In making that determination, the benefits of third party bulk access should be weighed against the strength of the argument that registrant information should not be available in this form. In considering whether there is merit to the wholesale elimination of bulk access, a pertinent question is what legitimate purposes within the scope of ICANN's mission, if any, are furthered by the use of WHOIS data in bulk form by third parties? Currently, as we have stated, given that registrants strongly object to the use of their data for marketing, and since marketing is not a necessary feature of the DNS, the Task Force believes that there is no rationale for making such data available for marketing purposes.
We recognize that there may be legitimate uses
being served by bulk access to WHOIS data (e.g., research,
law/intellectual property enforcement, and registrant inquiry,
etc.); however, the responses of the
participants merit an evaluation of these and other legitimate uses and whether or to what extent the bulk access policies should accommodate them. As stated, it is the intention of the Task Force to consult with the community to determine what those legitimate purposes are.
To ensure utility of any WHOIS database, it
is crucial that information contained therein is accurate.
It should be evaluated whether bulk access to registrant information
impedes such accuracy, and whether, therefore, bulk access
is deleterious to actual usage of WHOIS.
In addition to these concerns, it is imperative that any ICANN policy that is formulated with respect to bulk access take into account any national laws which are determined to be applicable to an ICANN contracting party (e.g., a registrar). As an example, to the extent any party who has entered into an agreement with ICANN is determined to be subject to certain national laws (e.g., privacy directives or laws), such national laws will have implications as to what information that party can and cannot provide.
It should be noted that while the Task Force recognizes that privacy issues are relevant to the discussion of WHOIS generally, and perhaps more specifically to bulk access WHOIS, respondents to the survey generally did not identify privacy as a primary concern. Nonetheless, subsequent feedback from the community made it clear that privacy issues are an integral part of the bulk access discussion, and the Task Force intends to address privacy issues in the medium- to longer-term. Inclusive in the review of these privacy issues, the Task Force will examine laws that currently exist to protect the privacy of individuals.
The Task Force has not ruled out elimination of the current bulk access provisions, which has been suggested by some of the comments received, and is being supported by a number of task force members. However, in this document we have focused on modifications of the current RAA provisions to enhance the protection of WHOIS data. Specifically, we have parsed through the various components of subsection 3.3.6, highlighting problems with the specific provision and making suggestions for an improved provision in light of enhancing protection of personally identifiable information and against marketing uses.
The Task Force’s primary recommendation is
to prohibit any marketing use of bulk data
by effecting the revisions in subsection
220.127.116.11. In addition, the Task Force recommends requiring third parties not to resell or redistribute
data in accordance with our recommendation in subsection
If the ICANN Board does not agree with the Task Force’s recommendation relating to the elimination of marketing uses of bulk access data, then the Task Force recommends strengthening the protection of privacy of individuals by requiring a minimum opt-out policy in subsection 18.104.22.168, and giving registrars discretion to implement an opt-in policy.
Section 3.3.6 of the RAA is broken down into several components, on each of which detailed comments, and, where appropriate, recommendations are provided.
A. 22.214.171.124 Registrar shall make a complete electronic copy of the data available at least one time per week for download by third parties who have entered into a bulk access agreement with Registrar."
This subsection 126.96.36.199 indicates that the registrar must make available its WHOIS data to any "third parties who have entered into a bulk access agreement." There are no limitations as to the entities or individuals that can enter into this agreement, whether an unsolicited marketing agency, a legitimate third party WHOIS provider, or otherwise.
This subsection of the RAA should be modified to incorporate limitations on the third parties eligible to enter into a bulk access agreement, in particular those parties who are able to articulate a "legitimate" need for bulk access to WHOIS, as well as limitations on the uses of the data that are permitted. As stated, the survey results, together with community feedback, made very clear that "legitimate" uses of bulk access WHOIS do not include marketing.
As for the more general definition, the Task Force has not yet had an opportunity to make a determination as to what uses of bulk access WHOIS data, if any, should be considered "legitimate." The Task Force expects to arrive at a definition of "legitimate" by enlisting community feedback.
B. 188.8.131.52 Registrar may charge an annual fee, not to exceed US$10,000, for such bulk access to the data.
The Task Force’s initial perception was that the US$10,000 might provide some registrars with a financial incentive to provide bulk access to data, while simultaneously deterring those third parties with a legitimate need from accessing the data in bulk. Feedback from the registrar community indicates that US$10,000 is not enough of a financial incentive to encourage registrars to actively market bulk access. In fact, it has been stated that many registrars are reticent to provide such access to users for fear of their competitors gaining access to information about their customers and using that information to their competitive advantage.
More important in this analysis is that to the extent a purpose is deemed "legitimate" use of bulk access WHOIS, such access should not be prohibitively expensive. In this context, there has been discussion of cost recovery versus production of revenue, and it has been argued that since registrars do not view bulk access as a revenue producer, perhaps a cost recovery structure should be implemented. However, because costs and resources vary across registrars and because the details of a registrar’s operations should not be the subject of an ICANN policy development process, the Task Force simply states here that to the extent that a searcher meets the "legitimate" purpose threshold, the fee for bulk access should not deter such a searcher from gaining such access, and therefore, the concept of a cap on such fee is a wise one.
Because of the lack of discussion as to what a reasonable fee structure should be, the Task Force therefore seeks further input from the community as to whether the current structure is adequate, and if not, what type of a fee structure should be implemented.
Dissenting opinion of Thomas Roessler and Abel Wisman (General Assembly): It is not clear why an ICANN-imposed cap on the bulk access fee should lead to fairer pricing than the approach of leaving such pricing to negotiations between data users and registrars. Also, it should be noticed that the "deterrent" argument made above has merit only as an argument against cost-based pricing, but not as an argument in favor of any kind of a cap.
C. 184.108.40.206 Registrar's access agreement shall require the third party to agree not to use the data to allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass, unsolicited, commercial advertising or solicitations to entities other than such third party's own existing customers.
This provision, by its own terms, allows registrars to sell rights to use their WHOIS databases for purposes of unsolicited, mass marketing. In addition, while third parties may not authorize others to use the data for this purpose, they can themselves use the data to for unsolicited marketing purposes. Other than limiting unsolicited marketing to the third party’s own customers, there are no limitations on the marketing use of the WHOIS data by the third party.
If ICANN Board agrees with the Task Force that bulk access WHOIS data should not be used for marketing purposes, then the provision should be changed to read as follows (changed language in italics):
"Registrar's access agreement shall require the third party to agree not to use the data to allow, enable, or otherwise support any marketing activities, regardless of the medium used. Such media include but are not limited to e-mail, telephone, facsimile, postal mail, sms, and wireless alerts."
If, however, ICANN continues to allow bulk access to WHOIS for marketing purposes, then this subsection is only acceptable if registrars are required to allow registrants, at a minimum, to opt out of these uses (see discussion at section F below). Based on the feedback from the survey and from the community in response to the Interim Report, it is clear that the community does not support the use of bulk access WHOIS for marketing purposes. As such, the Task Force recommends that this provision be revised as noted above. It has been noted that this provision may be difficult to enforce. For this reason, the Task Force recommends that the enforceability of the provision (as revised) would be the object of future monitoring and review efforts.
It should further be noted that registrars do not need bulk access to WHOIS data to market to their own customers.
D. 220.127.116.11 Registrar's access agreement shall require the third party to agree not to use the data to enable high-volume, automated, electronic processes that send queries or data to the systems of any Registry Operator or ICANN-Accredited registrar, except as reasonably necessary to register domain names or modify existing registrations.
This requirement is important to ensure that "legitimate" uses of bulk WHOIS data do not lead to automated processes which may unduly interfere with the regular operation of registrars' and registries' systems.
However, as has been pointed out, this provision is extremely difficult to enforce, and the Task Force intends to take steps to review its enforceability.
E. 18.104.22.168 Registrar's access agreement may require the third party to agree not to sell or redistribute the data except insofar as it has been incorporated by the third party into a value-added product or service that does not permit the extraction of a substantial portion of the bulk data from the value-added product or service for use by other parties.
In this subsection 22.214.171.124, the term "value-added
product or service" is not defined, and consensus does not exist on the
Task Force as to whether this term relates solely to marketing or whether
it encompasses a more narrow view that does not involve marketing. The
Task Force hopes to suggest clarifications of this term in further review.
(i) If the term "value-added product or service" relates solely to marketing, the Task Force makes the following recommendation: If the ICANN board agrees with the Task Force that marketing is not a "legitimate" use of bulk access WHOIS data, this provision should be revised so that it simply reads (changed language in italics):
"Registrar's access agreement shall require the third party to agree not to sell or redistribute the data."
Under a bulk access policy where marketing
is not considered a legitimate purpose, the option of incorporating value-added
products or services solely in a marketing context by licensees
of bulk access WHOIS should be disallowed. The general prohibition
on sale or redistribution of bulk access Whois data should be
(ii) The Task Force understands, however, that the reference to "value-added product or service" may mean, for example, services that combine this data with other data with the resulting database made available to law enforcement, legal services, and others on a query basis for research purposes. In this case, the change proposed above should be struck, and only the change described in the following paragraph should be made.
As a general matter, making the prohibition
on sale or redistribution of data by the third party an
option ("access agreement may require") does not provide any
protection of the WHOIS data. To protect the integrity of the
WHOIS database, the Task Force notes that this provision would
have to be changed so that a third party is "required" not to
sell or redistribute the data except as part of a value-added product
or service. Additionally, a provision could be added which explicitly
forbids any use for purposes other than the ones stated in the bulk
access agreement (i.e., marketing).
Thus, the Task Force recommends that the word "may" be changed to "shall" in the first sentence of this paragraph.
F. 126.96.36.199 Registrar may enable Registered Name Holders who are individuals to elect not to have Personal Data concerning their registrations available for bulk access for marketing purposes based on Registrar's "Opt-Out" policy, and if Registrar has such a policy, Registrar shall require the third party to abide by the terms of that Opt-Out policy; provided, however, that Registrar may not use such data subject to opt-out for marketing purposes in its own value-added product or service.
This provision currently allows a registrar to make its own determination of whether to implement an opt-out policy. If it does not, a registrant’s information will be accessible via the bulk access procedure for any currently permissible use, including marketing.
If ICANN agrees with the Task Force that marketing is not a "legitimate" use of bulk access WHOIS data, this provision should be deleted in its entirety.
If, however, marketing continues to be a permitted use of bulk access WHOIS data, while the results of the survey indicate that respondents have concerns about either an opt-out or no policy at all, the Task Force recommends that this provision be changed to, at a minimum, to "require" a registrar to implement, at a minimum, an opt-out policy. Incorporating such a minimum requirement should not preclude any registrar from implementing a more stringent opt-in policy (in particular, if such a policy is required by national laws determined to be applicable to an ICANN contracting party, e.g., a registrar).
We believe that the concept of opt-out may have been overlooked by respondents who reacted viscerally to the general lack of any option as to whether their information is included in bulk access. In addition, we believe that immediately requiring the adoption of an opt-in policy may result in a significant deterioration of the information contained in the bulk access database, which would be detrimental to legitimate third parties making non-marketing uses of the data.
In either circumstance, the Task Force recognizes that requirement of a minimum opt-out policy or the alternative opt-in policy will require additional work (e.g., the writing of additional code by registrars). For example, both a minimum opt-out policy and an opt-in policy will require the registrar to take an action by clearly notifying the registrant that he or she has the option of not being included in the database for marketing purposes and acting upon a response from such registrant.
If, after adoption and evaluation of a minimum requirement for an opt-out policy, it is clear that improper marketing uses of bulk access data are continuing, and if it is still not possible to prohibit marketing uses, then a mandatory opt-in policy for any marketing uses should be implemented. It is crucial that opt-out policies implemented by registrars are simple and transparent and that the opt-out of the registrant is respected in practice. As has been noted, it is important that the options available to registrants should be clearly stated, separate from the core of the registration agreement so that it is absolutely clear to customers that they can register a domain name without making their information available for marketing purposes.
The Task Force believes that their recommendations
can begin to contribute to both improved accuracy and to lessen the misuse
of access to the WHOIS database for marketing purposes. It is difficult
to quantify the “impact” on registrants, registrars, and registries. However,
the recommendations were made with the expectations that quantifiable
changes and improvements could be achieved.
Based on the comments received, some members
of the registrar constituency expressed concerns about the cost impact
on registrars to address accuracy, in particular. Very few expressions
of concern were received about changes in marketing uses, or in bulk access.
It should, however, be noticed that the Task
Forces alternative recommendation on bulk
access -- mandating that at least an opt-out opportunity must be made available
to registrants -- would have a cost impact on those registrars who currently
do not implement the opt-out provision. This impact would not arise when
the Task Force's primary recommendation
The Task Force comments that it expects cost
impacts to be recoverable by registrars through possible changes in fees.
There will be a significant impact on ICANN
staff. Much more staff time is expected and will be required. Further,
while little discussion took place about the qualifications of ICANN staff,
the Task Force in general expected that a range of activities, which could
range from senior staff to administrative support, would be required. This
is expected to have an impact on ICANN budget and staffing.
section of this report recommends systematic enforcement
of existing policy. In the comments received by the
Task Force, concerns have been raised that this enforcement may in fact
have a harmful impact on good faith registrations. Concerns were, in particular,
raised concerning the 15 day period defined in paragraph
188.8.131.52 of the RAA: It has been argued that many registrants may,
in practice, not be able to respond to an accuracy challenge within that
amount of time. Some registrars apply even stricter time frames to their
registrants. One member of the Task Force has reported about an incident
in which a registrar, acting upon a fraudulent accuracy complaint, imposed
a 7 day deadline for the verification of perfectly valid WHOIS data. Failure
to respond to this challenge in time would have lead to the loss of a well-established
domain name. The Task Force acknowledges these concerns, and has recommended monitoring of the impact of the 15 day period
and its implementation.
The Task Force hopes that its recommendations on Bulk Access to WHOIS data may contribute
to reduce inappropriate uses of these data.
The Task Force's recommendation
on bulk access would make third party access to WHOIS data under the
RAA's bulk access provisions unavailable for marketing uses of these data.
Constituencies who submitted comments as a constituency on the Interim report include the IPC and the gTLD Registry Constituency.
This document is open for comments for 8 days. Constituency impact reviews, received during this 8 day period, will be forwarded to the Names Council, as part of the final submission.
The Task Force prepared and published a web-based
survey on ICANN's web site on June 10, 2001. The survey closed
in August 2001. 3035 responses were received. Since respondents were
self-selected, the survey was not
A preliminary evaluation of the
survey results was presented at ICANN's Ghana meetings in March, 2002.
The final evaluation
of the results was presented at the Bucharest meetings in June 2002.
Based on the survey responses, the Task Force
identified four areas for further work:
The Bucharest report also contained draft recommendations in each of these
The Task Force's final evaluation of the survey
results was presented at ICANN's meetings in Bucharest. Comments
were received between June 18 and August 28, 2002.
[comments-whois] comments-whois mailing list is open DNSO Listadmin
Whois query Nainil Chheda - \[domains.eliteral.com\]
[comments-whois] Re: [registrars] Public comment period on WHOIS TF final report untill 14 August Tim Ruiz
[comments-whois] Asleep at the wheel DannyYounger
[comments-whois] Whois Final report Don Brown
[comments-whois] WHOIS Information Opt-out for Individuals Gian A. Ameri
[comments-whois] Whois used for marketing Glen Taylor
UNICE comments on DNSO WHOIS report Bonnaffous Marie-Laure -
[comments-whois] Whois is an important resource but is broken in its current state. todd glassey
[comments-whois] Updating your own whois information ... Registrant perspective Elisabeth Porteneuve
[Olivier.Guillard@nic.fr: Re: whois survey DNSO and IETF] Olivier
[comments-whois] Nominet UK's response to the Draft Final Report of the Names Council's WHOIS Task Force Lisa Benjamin
[comments-whois] Publication of personal data in whois database m.laudahn
extraneous data in whois Johnwong001
[comments-whois] WHOIS Task Force Draft Final Report Purslow, Neil A.
Privacy rights DannyYounger
[comments-whois] Whois Comments Keng
[comments-whois] My comments on the WHOIS Task Force Report Vittorio Bertola
The present summary is copied verbatim from
the Task Force's Interim
Wants a Whois query that shows only admin email, date of registration and expiry of domain. Does not want any other details to be displayed.
Wants a specific definition of what “accuracy” of Whois data means, a specific definition of what reasonable effort on Registrar’s part is required to ensure that accuracy, and what steps Registrar may take, without repercussions, when inaccuracies are found. Wants uniformity of data formats and elements across various TLDs and registrars, including ccTLDs. Wants this to be pursued as part of recommendation for gTLDs, believes ccTLDs can wait for a separate deliberation. Use of the Whois data for marketing purposes of any kind, should be prohibited, unless they have a verifiable EXISTING business relationship (perhaps within the last 12 months). By allowing a PRIOR business relationship, you give the largest Registrar, a prior monopoly, an unfair advantage. The registrant should not have to "opt-in" or "opt-out". The Whois data should never be viewed, used, or treated as a marketing list.
Irritated with Task Force’s recommendation that there be a review of the current bulk access provisions of the Registrar Accreditation Agreement because the ICANN board already referred the matter to the Names Council (Jan. 22) and the Council voted to delegate to the Whois TF (Feb. 14). Wants the decision to be made, irritated that it’s taking as long as it is.
Disagrees with TF’s findings with respect to accuracy of Whois database. First, cancellation of registration due to outdated information is too harsh. Where a registrant has moved, for example, there is no reasonable way for a registrar to update this information. Domain name shouldn’t be cancelled when registrar can’t contact registrant or registrant doesn’t reply. Sees this situation as similar to the proposed redemption grace period situation, where the community seems to see the importance of saving registrant’s domain names even when expiration/deletion is caused by the registrant’s own negligence. Secondly, wants to see definitions of what constitutes compliance and non-compliance with registrar’s requirements for accuracy. What is the reasonable and commercially practical protocol for verifying new registrations and re-verifying old registrations? Should the registrar telephone each new registrant? What if there is no answer? What if there is a typo in the telephone number field? What if the registrant has moved?
.Name domain names should be excluded from having to provide Whois data because the .name extensions are being used by individuals, not companies. ICANN’s current policy applies to companies and organizations, not individuals. "[I]ndividuals" registering a .name domain, unlike any other legal entity, should continue to be allowed, in compliance with the E.U. and U.K. Data Protection Act, to opt-out from the publishing of their personal data in WHOIS searches or for that matter in any other way, shape, or form.
Would like to see limits placed on registrar’s use of Whois for marketing purpose, citing as an example, Register.com’s practice of inserting “make on offer on this domain” into every Whois query.
UNICE is an independent organization representing
European businesses vis-à-vis the institutions of the EU. Believes
that the same requirements to provide accurate Whois data should be
applied not only to accredited registrars but all ccTLD registrars as
well. Sanctions, such as the possibility to suspend or cancel an
inaccurate domain name should also be in place. Believes that data
format for Whois information now applicable to gTLDs should be applied
to ccTLDs. Phone and fax numbers of the registrant should only be
available on an opt-in basis, as they are not considered to be essential
for the purposes of businesses and IP interests. Believes a centralized
database providing Whois for gTLDs and ccTLDs would be beneficial, but
that it should not be ICANN’s responsibility to provide. Believes users
should be able to search by all data fields. Suggests that while basic
information should be available for free, a more detailed search could
be paid for by users. UNICE doesn’t support the use of personal data
in Whois databases for marketing purposes. An opt-in accepting use rather
than an opt-out clause and restrictions on access to bulk data would assist
in reducing opportunities for misuse of the data.
Highly critical of ICANN and Whois policy in general. Suggests major overhaul of Whois database, including “pruning” existing entries by determining whether or not they are valid. Suggests ICANN make a determination about what to do with dead entries in Whois.
Comments of a registrant. Argues that updating her own information is too difficult to do. Wishes it were as easy as it use to be under the NIC-Handle format, where she could update the NIC-Handle once and all associated domain names were updated. Wants an easy and efficient way to update all registrant data.
Concerned that “registrant” is being confused with the person who has rights to the domain name. Suggests that a new field be added to Whois information, “holder” indicating the entity that holds the rights to the domain name. Advocates searching by registrant name, allowing for limits on the number of results that may be pulled.
Nominet requires a warranty by the registrant that the data provided is accurate and an indemnity should Nominet receive a claim based on inaccurate data. Nominet reserves the right to cancel or suspend a domain name if there is independent verification that the information is “grossly inaccurate, unreliable, or false.” Feels that it is the registrant’s responsibility to provide accurate data, and that expanded Whois should help the registrants identify whether the data is accurate or not. Suggests it would be very costly, a cost eventually passed on to the registrant, to require the registrar to verify the accuracy of registrant data. Believes that uniformity of formats between gTLDs and ccTLDs may be difficult due to national data protection laws. This concern is also extended to the issue of better searchability for Whois databases that might include ccTLDs. Nominet doesn’t support the use of the register for marketing purposes, and supports proposals to provide stronger privacy protection for registrants in this regard.
Maintains a site that deals critically with adverse conditions in the world, worldimprover.net. Advocates keeping personal registrant data “secret” in order to make it more difficult for people in high places to pursue their evil course.
Identified embedded auto-redirect html script tags in the Whois data, both web and Port 43. They are used to redirect browsers or html-aware telnet clients to some penny-per-click sites. Suggests that sections A-Accuracy of Data in Whois Database, or B-Uniformity of Data formats and Elements, be expanded to discourage the use of executable script tags, or the placement of promotional data into inappropriate fields in the Whois contact database. Also suggests as an alternative, creating new fields in the Whois contact database where this kind of promotional information can be entered. Suggests discouraging the use of html tags in Port 43 Whois data.
Suggests that the proposed enforcement provisions related to data accuracy be themselves enforceable in the key jurisdictions and apply evenly to registered domain holders in different jurisdictions across the Community. Suggests that the Task Force consider the drafting of the model provisions in more detail and conduct a legal review of the enforceability of these measures in key jurisdictions.
argues that if he can have an unlisted phone number, why not a domain name without Whois contact data? Suggests that there be a domain name registration equivalent to an unlisted telephone number and that registrars should be allowed to charge for that service.
Advocates free and easy Whois accessibility. Advocates Whois data uniformity across registrars. Does not think marketing of Whois information is inappropriate. Believes that the domain name owner should have the right to review the marketing materials before committing. It should be the domain owner’s choice.
This comment was not properly summarized in
the Interim Report due to a clerical error. It was then re-submitted
in response to that report. See below.
In September 2002, the Task Force held a number
of conference calls with different interest groups, in order to discuss
During its conference call on September 3,
2002, the Task Force was joined by Ross Rader (Tucows) and Rick Wesson
(Alice's registry; CTO of the regisrars' constituency).
No official minutes of this call are available.
According to private (and incomplete) notes of a member of the task
force, the discussion covered several of the areas of the Task Force's
work. Topics discussed included options for improving WHOIS data quality,
factors currently contributing to bad accuracy, and actual experiences
with the current bulk access provisions.
Members of the Task Force joined a conference
call organized by the registrars' constituency. The constituency
has made available minutes
of the call. Discussions covered all four areas of the Task Force's
On September 9, the Task Force was joined by
Berny Turcott (.ca). Mr. Turcott in particular presented the Canadian
registry's approach to improving WHOIS data accuracy. The telephone
conference was recorded;
On September 23, the Task Force was joined
by Sabine Dolderer (.de) and Patricio Poblete (.cl). The call was both recorded
The Task Force was informed about the WHOIS services being made available
by ccTLD operators who need to take into account national regulatory
The Task Force was joined by Alan Davidson
from the Center for Democracy and Technlogy (CDT), who gave a presentation
on privacy issues with regards to WHOIS. A transcript
of the call is available.
The Task Force's Interim
Report was published on October 15, 2002. It was open for
written comments were received between October 15 and November 8.
In the present report, only those comments relevant to either the WHOIS
accuracy or the bulk access topics are summarized.
List for Comments on Whois TF Interim Report DNSO Secretariat
[comments-whois] comments DNSO Secretariat
Re: [ga] WHOIS INTERIM REPORT OPEN for PUBLIC COMMENT John Berryhill
[comments-whois] What Do They Mean By "Inaccurate Data" John Berryhill Ph.D. J.D.
Re: [ga] WHOIS INTERIM REPORT OPEN for PUBLIC COMMENT Vittorio
[comments-whois] "Role" Accounts - and a test of the whois reporting form John Berryhill Ph.D. J.D.
[comments-whois] Need clearnce Gena Saltikov
[comments-whois] Re: [ga] WHOIS INTERIM REPORT OPEN for PUBLIC COMMENT Jeff Williams
[comments-whois] Forwarding of comments to list Jefferson Nunn
RE: [ga] WHOIS INTERIM REPORT OPEN for PUBLIC COMMENT Cade,Marilyn
S - LGA
[comments-whois] Re: [ga] WHOIS INTERIM REPORT OPEN for PUBLIC COMMENT Jeff Williams
[comments-whois] RE: [ga] WHOIS INTERIM REPORT OPEN for PUBLIC COMMENT Cade,Marilyn S - LGA
Michael Palage Comments to the Whois Task Force Michael D. Palage
[comments-whois] Re: [ga] Text Posting of Michael Palage's Comments on Whois Task Force Jeff Williams
[comments-whois] [fwd] [ga] FWD: Some comments on WHOIS (third world perspective) (from: firstname.lastname@example.org) Thomas Roessler
[comments-whois] [nc-whois] comments from Karl Auerbach posted to GA Kristy McKee
[comments-whois] International Trademark Association Comments on Whois Report Michael Heltzer
[comments-whois] Consumers need Protection from VeriSign Mindy Owes
[comments-whois] Whois Data fields and contact information necessary. Jeff Williams
[comments-whois] Michael Palage's Proposed Recommendations Michael D. Palage
[comments-whois] Take II - Michael Palage's Proposed Recommendations Michael D. Palage
Re: ensuring that your voice and input is heard on open comment
sites Jeff Williams
[comments-whois] RE: ensuring that your voice and input is heard on open comment sites Cade,Marilyn S - LGA
[comments-whois] Re: ensuring that your voice and input is heard on open comment sites Antonio Harris
[comments-whois] Whois task force recommendations Bhavin Turakhia
[comments-whois] Re: Whois Task Force Interim Report Bhavin Turakhia
Go Daddy's Comments on the Whois TF Interim Report Tim Ruiz
[comments-whois] NYIPLA Internet Law Committee Comments Regarding Interim Reportof the Names Council's WHOIS Task Force Jonathan Moskin
[comments-whois] Intellectual Property Constituency Comments on the Whois TFRepor t Djolakian, Laurence
[comments-whois] Followup to Shanghai Comments Ross Wm. Rader
Comments of Turner Broadcasting System, Inc. to Interim Report of
the Names Council's Whois Task Force McMurtry, Rick
[comments-whois] gTLD Constituency Comments to the Whois Interim Report Karen Elizaga
[comments-whois] Comments in support of Interim Report of the Names Council Rebecca J. Richards
[comments-whois] Time Inc. Comments Scherer, Bob
[comments-whois] Comments of Warner Music Group Inc. Interim Report of the NamesC ouncil's Whois Task Force Hennessy, Erin
[comments-whois] MPAA Comments on the Whois Task Force Interim Report Dow, Troy
[comments-whois] Comments of Time4 Media, Inc. - Interim Report of the NamesCounc il's Whois Task Force Lee, Paul
[comments-whois] Specific Response to Task Force Inquiries Ross Wm. Rader
[comments-whois] Comments on the Interim Report of the Names Council's WHOIS Task Force Mark Bohannon
Response to Task Force Interm Report Rick Wesson
[comments-whois] Whois TF Interim Report: Comment Marc Schneiders
[comments-whois] Comments on Interim Report of the Names Council's WHOIS Task Force Michael Erdle
[comments-whois] Ironically mumbai is about to be affected Bhavin Turakhia
[comments-whois] WHOIS: Process and Substance Norbert Klein
[comments-whois] [Fwd: WHOIS: Process and Substance] - follow-up Norbert Klein
[comments-whois] whois tf report comments Paul Stahura
John Berryhill points out that the TF's interim report does not define a standard for inaccurate contact data. As an example, he points to a UDRP case in which the complainant claims that a telephone number provided in the WHOIS is "inaccurate" because it is not listed for the respondent. He also points out that the requirement for an "accurate" telephone number implies the requirement for the domain name holder to have a telephone number.
Also, Dr. Berryhill raises the concern that "bad contact data" complaints can be raised systematically and in an abusive manner, in order to harass domain name holders.
John Berryhill points out that the current practice (and the task force's interim report) does not address the - common! - use of role accounts (like "Hostmaster Role Account") for WHOIS contact data.
In fact, the current RAA language requires that WHOIS contact data (as opposed to registrant data) contains the contact's "name."
This comment, received from Jefferson Nunn (CIO, Internet Solutions Group) elaborates on a number of privacy objections against any requirement that /valid/ telephone numbers of individuals be published in the WHOIS service.
(It is questionable whether this concern is indeed in the scope of considerations on data accuracy.)
This document contains personal comments from Michael D. Palage on a number of topics raised by the task force's interim report. In this message, only those concerning the WHOIS data accuracy portions of the report are summarized or quoted.
(1) Graduated sanctions and the possible application of automated filters when domain name registrations are placed. The comments hold that "imposing graduated fines and mandating business practices (filters) contradicts ICANN's role as a technical coordination body". Further, the comments point out that these "recommendations are not supported by any data to demonstrate the technical nor commercial viability of these automated mechanisms on small, medium and large-scale registrars. In fact these recommendations would appear to contradict established case law that has held filters place an unreasonable burden on registrars. See Worldsport Networks Limited v. Artinternet S.A. and Cedric Loison."
(2) Possible problems to honest domain name holders caused by a rigid enforcement of the present challenge-and-cancellation procedure for correcting inaccurate WHOIS data. It is suggested that, instead of completely deleting the domain name from the registration system, the domain name is only removed from the zone file.
(3) The inclusion of thick registries with the accuracy recommendations made in the task force's interim report. These comments are too extensive to be summarized in this document.
(4) Mr. Palage describes a possible abuse scenario of a policy which would mandate the deletion of all domain names associated with a specific set of bad contact data (I.A.4.d of the interim report). The problem occurs when registrant or contact information for a domain name has been wrongly replaced by contact information about an existing entity which is not related to this specific domain name, but may occur in the context of other registrations.
This comment from Srikanth Narra was forwarded to the comments site indirectly. The comment specifically provides a third world perspective on WHOIS accuracy, and points out that with registrants from developing countries, the only contact information which can be given in an accurate manner is often the postal address. However, postal service to the relevant regions may be extremely slow and unreliable, which makes verification of a postal address within 15 days impossible.
These comments from the International Trademark Association support the interim report's suggestions on WHOIS data accuracy.
This comment was submitted by Jeff Williams. He writes: "Further our [INEGroup] members decidedly believe that only an admin. E-Mail and phone number contact that is of that Admin.'s. choice that are working phone Number and E-Mail address."
This comment includes, as "recommendation 2", proposed language for a Names Council resolution on WHOIS accuracy issues. The resolution suggests the creation of a standardized "Whois Accuracy Inquiry Notice" which would be translated in as many languages as possible. After receiving a notification of potentially false or inaccurate whois data, registrars would be required to send this notice to registrants, "in the language(s) of the registration agreement, along with links to translations of the WAIN in other languages". As a change to current policy, a domain name would be put on hold indefinitely after a period of 30 days. (Current policy: Deletion after 15 days.) The registrar would not be allowed to either renew the domain name or remove it from hold status until the registrant has provided documented proof (supposedly on the accuracy of present or corrected WHOIS information; this is not clear). Additionally, third parties submitting WHOIS accuracy complaints would be required (1) to provide contact information so the registrant can possibly initiate legal action in cases of bad faith complaints, and to (2) state that the submission "is not intended to interfere with the lawful operations of the domain name registrant or registrar".
The proposed resolution then goes on to recommend a number of possible ways for implementing this suggestion.
This comment was submitted by Bhavin Turakhia on behalf of Directi, an accredited registrar. Several possible difficulties which may make it hard to reach a registrant within a 15 day time line in case of an accuracy complaint are listed. A 45 day time line is suggested as being far more appropriate. Also, it is suggested to place problematic domain names on registrar-hold instead of deleting them. Mr. Turakhia also points to the comments submitted by Mr. Palage (see the summary of msg000012.html above).
This comment, submitted by Tim Ruiz on behalf of GoDaddy Software, mostly focuses on the accuracy issue. Mr. Ruiz objects against the recommendation that registrars should use automated mechanisms to screen out incorrect contact data, on the basis that the task force report does not consider "the cost of these tools, and the problems associated with the accuracy of these tools themselves." Also, according to this comment, "pinging email domains, automating the dialing of phone numbers, etc. have another set of technical obstacles and costs that make them impractical to implement and unreliable." Mr. Ruiz objects against the current 15 day time frame, and suggests that a 45 day period may be more reasonable. He also requests that the terms "willful" and "blatant" (which are currently used in the task force's language on inaccurate whois data) be clearly defined, in order to avoid subjective judgments from entering into these considerations. "Such a vaguely defined policy will be difficult, if not impossible, to enforce," Mr. Ruiz writes. Finally, Mr. Ruiz articulates his belief that the "3 strikes policy" suggested by the task force is unnecessary: "The current RAA simply needs to be enforced, and ICANN has recently been working toward that goal."
In addition to these comments, Mr. Ruiz states his support for the comments submitted by Mr. Palage (see the summary of msg000012.html above).
This comment, submitted by Laurence Djolakian on behalf of the Intellectual Property Constituency, expresses that constituency's support for the interim report's recommendations on the accuracy of WHOIS data.
This extremely comprehensive 12-page comment was submitted by Ross Wm. Rader on behalf of Tucows. This summary attempts to identify the most important key points; I strongly recommend reading the full comments.
As far as the accuracy section of the interim report is concerned, Tucows suggests these questions for the task force's consideration:
What has the [task force] done to measure ICANN's recent enforcement activities as it relates to Whois and how much does this effect the problems that you are trying to deal with in the area of accuracy? Would it be safer to say that mandatory periodic re-validation of Whois data has been identified as one potential technique for improving data quality? Or, has the Task Force investigate the other options fully and discounted them? If so, what options were investigated and why were they discounted?
Additionally, the submission includes comments on the individual recommendations contained in the interim report. As far as the enforcement of current policies (I.A) is concerned, most of these comments concern specific questions around the impact of a possible implementation of the interim report's requirements. Concerning A4b, a distinction between "willful submission" and "blatant disregard" is highlighted. Concerning A4c, the submission asks for specific standards concerning documentary proof of accuracy of data provided.
There are also concerns on the graduated sanctions system suggested in the task force's report: It is asked whether the interim report's recommendations intent to shift the primary responsibility for WHOIS data accuracy from the registrant to the registrar. Concerning B4C1b (collecting the fine from funds deposited by registrars with registries), the feasibility and desirability of this particular approach is questioned.
As a follow-up to the previous submission by Tucows, this comment contains specific comments on the questions asked in the interim report. Tucows argues that (1) it is not clear that the mechanisms proposed in the interim report actually lead to the desired results, and that (2) it is not demonstrated that "failures in the enforcement mechanism require a more structured approach complete with fines and sanctions". On the basis of these observations, it is concluded that an implementation of the structure described in the interim report would be "unreasonable." The task force is urged "to recommend that the community determine first if enforcement of the current contractual provisions will lead to an improvement of Whois data accuracy. "
In response to the task force's specific questions, the comment takes issue with a number of the recommendations: With respect to the inclusion of thick registry operators with the proposed recommendations, Tucows points out that thick registries are custodians of data provided by registrars, and do not have contractual relationships with the registrants themselves. An argument is made that recommendations 1-3 (improvements to the complaint mechanism) will not help to increase data quality "in the majority of records", based on the large number of registrations, and an estimate that the number of complaints actually received will be several orders of magnitude smaller. Tucows is not aware of any "technically competent means" to implement recommendation 4a (screening for obviously bad data), and doubts that - even if such a technology exists - it would actually achieve the requirements behind the recommendation. Additionally, Tucows notes that such screening may drive bad-faith registrants further underground, making enforcement even more difficult; further discussion of this is recommended. The comment also cautions that recommendations 4b-d should not be pursued unless "appropriate and affordable technology has been demonstrated to solve the problems described." A policy that registries, registrars and/or resellers periodically remind registrants of their accuracy obligations is considered an appropriate recommendation; however, specific implementations should not be recommended. Tucows recommends that the task forces explores the idea "that Registrants should be required to verify the accuracy of the data that they have provided prior to allowing the Registrant to undertake significant modifications or actions with their domain name." "Further, ICANN should support the development of cross-registry/registrar contact object management standard."
The comments objects against the proposed sanctions program, and argues that only "a proactive program geared toward ensuring that Registrants uphold their obligations can ultimately achieve the goals of the Task Force."
The comments further express support for recommendation C1 of the accuracy chapter. Tucows has not evaluated the cost of implementing this, but expects it to be moderate.
C2 and C3 are rejected as being technically and economically unpractical, and would "require the implementation of manual and automated systems that have not yet been developed. ... We strongly believe that implementation of these recommendations would have a significant impact on the capability of our organization to compete and prosper."
This extensive comment was posted by Karen Elizaga on behalf of the gTLD registries constituency. doc00004.doc contains a useful summary of these comments, followed by a number of individual contributions. Within the scope of the present document, I can only try to identify a number of key points; reading the full comments is highly recommended.
Concerning the accuracy complaint process, it is suggested that complainants should themselves provide accurate contact information, i.e., there should be no possibility for anonymous complaints. It is suggested that a quick loss of names should be limited to the "worst" cases, and that small mistakes (like a one-digit mistake in a zip code) should correspond to longer response periods. Registries should not be subject to the proposed 3-strike policy since they don't have a direct contractual relationship with the registrant. A4a is characterized as being virtually impossible due to the cost and complications (including a slow-down of SRS transactions) which would be caused by an implementation of the automated filtering suggestions. A comment contributed by Chuck Gomes generally questions whether accuracy of WHOIS information can be enforced on a global basis.
Concerning A4e, the abuse scenario introduced by Mr. Palage is mentioned. The practical applicability of the proposed sanctions program to intermediaries is questioned, due to the lack of a direct contractual relationship with ICANN. More details are provided in mark-up of the text, contained in doc00005.doc. In this mark-up, the gTLD registry constituency in particular takes up a couple of points mentioned in other comments: The risk of bad faith complaints (see Berryhill, above); possibly replacing cancellation of registrations in case of inaccurate data by registry hold.
This comment, submitted by Rebecca J. Richards on behalf of TRUSTe, emphasizes the importance of accurate and available WHOIS information for TRUSTe, and expresses support for the accuracy recommendations in the task force's interim report. This comment literally copies some parts of the IPC comment.
These comments, submitted Rick D. McMurtry on behalf of Turner Broadcasting System, by Bob Scherer on behalf of Time Inc., by Erin Hennessy on behalf of Warner Music Group, and by Lee Paul on behalf of Time4 Media, Inc., emphasize the importance of access to WHOIS data and their accuracy for various parts of the AOL Time Warner group (occasionally using precisely same wording throughout several of the submissions, occasionally providing specific anecdotal evidence of problems encountered in the past), and generally support the accuracy recommendations contained in the interim report.
This comment was submitted by Troy Dow on behalf of the Motion Picture Association of America. The statement expresses the MPAA's support for the accuracy recommendations contained in the interim report.
This comment was submitted by Mark Bohannon on behalf of the Software & Information Industry Association. The comment emphasizes the importance of legitimate uses of WHOIS data in language which closely follows (or even copies) the IPC and TRUSTe comments, and expresses support for the task force's accuracy recommendations.
This comment was submitted by Rick Wesson (Alice's Registry). Mr. Wesson hopes to publish statistically significant research in the future in order to prove the hypothesis that the vast majority of domain registrations don't have accuracy issues. Concerning the graduated sanctions program, it is noted that "at the time the document was authored, there existed no methodology to test the assertion that graduated sanctions could improve the accuracy of the data published in the whois."
This comment from Marc Schneiders specifically addresses the interim report's accuracy recommendations, which are called consumer and registrar unfriendly. Issues pointed out include: The potential for abuse of the complaint process in order to harass registrars or registrants; the possible use of "role account" type names (like xyz domain manager) for the registrant information, coupled with accurate addressing information; challenges with actually implementing accuracy requirements on a worldwide basis. The 15 day correction period is identified as too short, on the basis that registrants may, for instance, be on vacation for such a time period.
This comment was submitted by Michael Erdle on behalf of the Internet Committee of the Intellectual Property Institute of Canada. The comment is not an official position of the IPIC.
The five-page attachment to the message contains elaborate comments on the accuracy recommendations in the interim report, and answers to the specific questions asked by the task force. Within the scope of this document, I'll try to identify a number of key points; reading the full comments is strongly recommended.
Conceptually, the comment splits data accuracy into two distinct sets of concerns: A need to improve overall data quality, and a need for corrective measures in specific cases of inaccurate data.
Concerning the measures suggested to improve overall data quality (like using existing technical measures for screening registrant information), the comment calls for a careful evaluation of the "limitations, efficacy and appropriate scope of use" of these tools, before any implementation of the recommendations. It is warned that, due to the danger that automated tools may inevitably contain errors themselves, and that errors may happen outside the scope of responsibility of the registrant, no domain name should automatically be canceled exclusively based on automatic screening. The comment observes that the terms "obviously incorrect" and "blatantly false" are not defined in the report, "and arguably cannot be defined with any precision." Similarly, the question is raised who should make the judgment whether incorrect information has been "deliberately" submitted by the registrant.
Periodic e-mail reminders are identified as a good idea "to attempt to prevent inaccuracies, however, if a registrar is notified of false information, it will have to take active steps to contact the registrant by whatever means possible to verify the information."
The comment warns that, given a significant number of domain name registrations with outdated WHOIS data, the measures suggested in the interim report may create a potential for abuse against bona fide registrations.
Concerning the graduated sanctions program, the comment asks who would be responsible for actually identifying patterns of non-compliance. Provided that ICANN would document complaints, identify patterns, and take action, the recommendations "appear to be of use," if combined with appropriate safeguards.
Concerning the steps suggested in C (items for possible re-negotiation of the RAA), only step 1 is found to be beneficial (re-validation of WHOIS data upon renewal).
This comment contains an additional note from Bhavin Turakhia, pointing out that changes to telephone numbering schemes (like one currently taking place in Bombay) may lead to inaccurate data on a large scale without bad faith on the registrants' side, leaving postal mail as the most reliable mechanism for contacting registrants. In the Bombay example, however, Mr. Turakhia notes that no back and forth communication through postal mail would be possible within 15 days.
This comment, submitted by Paul Stahura from eNom on November 14, argues that "requiring whois data to be verified at time of renewal will require development and extra cost." He doubts that this will lead to an improvement, but on the other hand believes that a periodic reminder to update whois data may be a good idea.
Mr. Stahura also points to a possible interaction between better searchability and accuracy: Better searchability of the WHOIS database, he argues, would increase the motivation of good faith registrants to provide bad data.
He also asks for definitions of "incorrect" or "inaccurate" WHOIS data.
The comments on the graduated sanctions proposal are based on the understanding that the fines suggested would be $ 1,000 per domain name found to have incorrect data.
This comment from Vittorio Bertola was originally posted during the Task Force's first comment period in August, but effectively lost in the interim report due to a clerical error. Mr. Bertola observes that "registrants have to be provided with options to opt in or out from any kind of usage, distribution and processing of their data that is not strictly necessary to supply the DNS service; these options must be clearly stated, separated from the core of the domain registration agreement, and it must be absolutely clear to customers that they can register the domain name even if they do not accept to provide their personal information for these additional uses." Mr. Bertola explicitly applies this principle to bulk access, even if not aimed at marketing purposes.
In this comment, Michael Palage remarks: "Despite several comments from participants regarding privacy rights it appears that the Whois Task Force did not provide a very detailed analysis of the European Data Privacy Directive, or other national laws. Any potential ICANN policy that is implemented must take into account national law and local stakeholder perspectives, particularly when an ICANN contracting party is subject to the jurisdiction of these laws."
In this further comment, Michael Palage writes that the current WHOIS system fails to "adequately meet the needs and concerns of governments, intellectual property owners, domain name registration authorities, as well as consumer and privacy advocacy groups." He then suggests to dissolve the Task Force, and initiate a "blue ribbon panel" in order to perform "a comprehensive bottoms-up [sic!] review and overhaul."
This comment from Karl Auerbach remarks that the interim report does not answer the "primary question why personally identifiable information must be published to the public at all." Mr. Auerbach then elaborates on a number of privacy protection mechanisms, in particular including the requirement that those examining the WHOIS reports first identify themselves, and that the "time, date, and identity of every inquiry be recorded and made available to the data subjects.
In this comment from the NYIPLA Internet Law Committee, an argument based on U.S. law is given which leads to the view of the Committee that domain name registrations are public records. A dissenting opinion by Wendy Seltzer, included with the comment, argues in favor of the use of anonymous or pseudonymous contacts, baesd on the observation that "in the United States, anonymous speech is a constitutionally protected right."
This message (including attachments) contains the comments from the gTLD registry constituency. With respect to the interim recommendations on bulk access and marketing, it is observed that the "biggest problem with bulk access is the inability to enforce requirements. If conditions are virtually unenforceable, then nothing is gained by making changes except possibly creating a false sense of accomplishment and increasing costs." It is asked who should decide what constitutes "legitimate" use of bulk data. The idea of cost-based bulk access to WHOIS data is called "socialistic" and "terrible". It is requested that the notes about RAA 184.108.40.206 be clarified as dealing specifically with registrars making WHOIS databases available to third parties for marketing purposes. Further, 220.127.116.11 is called "meaningless" unless it's enforceable; re 18.104.22.168, it is asked how a registrar should determine that Whois data is being used for improper marketing purposes, and it is doubted that this is feasible at all.
This comment, submitted by Rebecca J. Richards on behalf of TRUSTe, "strongly supports the review of the bulk access provisions of the RAA." It is suggested that by "following the fair information practices of notice, choice, access and security, the WHOIS database can balance the safety of the public at-large with the privacy of Web site owners." TRUSTe supports making an opportunity to opt-out of third party marketing uses of WHOIS available to all registrants.
"Providing the database information to mass marketers without providing those in the database even the courtesy of allowing them to opt-out does not create a trusting, transparent and accountable system," the comment continues.
It is also noticed that "the WHOIS database has been an important tool for consumer safety and, in our experience, has been an irreplaceable means of ensuring the validity of the privacy promises that companies make."
This comment was submitted by Troy Dow on behalf of the MPAA. The comments on bulk access and privacy are too concise to benefit from being summarized, so I quote them completely: "The Whois Survey clearly indicates both privacy concerns over bulk access to Whois data for marketing purposes and strong support for the continued public availability of Whois data for legitimate purposes. As the Interim Report recognizes, there are a number of legitimate non-marketing purposes for bulk access. In fact, much of the functionality supported by the survey respondents might be realized through third-party services enabled by bulk access to reliable Whois data. MPAA would support efforts to protect against the use of bulk access to Whois data for unwanted and unsolicited marketing purposes. In fact, such efforts may in fact contribute to better, more accurate Whois data for legitimate uses. Care can and should be taken, however, to address such privacy concerns in a way that continues to accommodate bulk access by responsible parties in furtherance of legitimate uses of Whois data."
This extensive comment was submitted by Ross Wm. Rader on behalf of Tucows. Tucows notes that limitations of the types of third parties eligible to enter into a bulk access agreement would require subjective determinations by registrars whether some definitions are satisfied. Tucows believes that this would require the installation of some kind of an appeals process, and proposes that such an approach "would likely be unwieldy."
Tucows takes the position that access to bulk data should be determined by registrars themselves, and feels that the bulk access requirement is inappropriate. Practical experience is cited as having demonstrated "that those that most desire access to these customer lists are those that are most likely to inappropriate use these resources." It is argued that the market-based approach advocated would enable registrants to choose registrars based on privacy policies, thereby increasing competition.
Regarding practical experiences with the current bulk access regime, Tucows quotes "inappropriate marketing (slamming, deceptive notices), misappropriation of intellectual property under the terms of the license and other wholly inappropriate activities."
The idea of restricting the fee for bulk data is rejected. Instead, market-based pricing is suggested.
The proposed modification of section 3.3.6 of the RAA is rejected.
The approach of imposing a number of minimal safeguards on bulk access provided by registrars on a voluntary basis seems to be acceptable to the commenter; it is suggested that the "restrictions on a registrars capability to impose new or differing requirements on bulk whois users" should be modified.
Tucows observes that registrars typically do make the condition in 22.214.171.124 mandatory even with the current language. In order to support business models which may not implement such a requirement, Tucows suggests that "it would seem prudent to continue to allow the flexibility in implementation as specified in the current contracts."
Under the assumption that the current contractual requirements are continued, a provision which explicitly forbids any use for purposes other than those stated in the bulk access agreement is supported by Tucows. In the event of a change to the requirements, the question should be re-evaluated.
With respect to the opt-out provision, Tucows notes customer demand for an opt-in policy, and suggests that registrars should have the choice between opt-out and opt-in policies.
Tucows' response to the task force's question about different policies and different sets of bulk data for marketing and non-marketing uses is slightly confusing; I have asked Ross Rader for clarification, and will forward this to the Task Force. The response in Tucows' own words: "Not under the regulated approach advocated by the Task Force. Each of these approaches possesses significant social and economic costs for Registrants and Registrars that would be more appropriately dealt with through a market-based approach to the issue of Bulk Whois data access."
This comment was submitted by Rick Wesson (Alice's Registry). It emphasizes that privacy is the "single most talked about topic with WHOIS", and that it impacts each of the areas of the report. "The fact remains that the largest use of whois is for marketing purposes, the task-force MUST address this issue in its final report."
This comment, submitted by Michael Erdle on behalf of the Domain Names and Trade-marks on the Internet Committee of the Intellectual Property Institute of Canada. The Committee "notes that searching and marketing of WHOIS data must comply with applicable privacy laws. For example, in Canada, registrars must obtain consent to the collection and use of the data. In many situations, implied consent and "opt-out" procedures are not sufficient." It is noted that explicit consent to both collection and use of data may be required, in particular when the use is "not directly necessary for hte maintenance of the registry."
In this comment, Norbert Klein (Open Forum of Cambodia) articulates surprise that, after the long process the Task Force has gone through, the bulk access recommendations do not answer the question what use is to be considered "legitimate."
In this comment, Paul Stahura from Enom points
to the possible interaction between overly broad access to and
use of WHOIS data and accuracy of these data. With respect to bulk
access to these data, Mr. Stahura recommends that "the $10k cap should
be eliminated for anyone who is not authorized somehow by ICANN to
get the bulk data." There should be small set of entities granted
the ability to access bulk data at a relatively low price, which would
(1) be policed by ICANN, and (2) could compete to offer services.
No opt-out of this "authorized" bulk access would be allowed. Mr.
Stahura apparently envisions these services as a replacement for (some
features of) registrars' port 43 and web interfaces.
On October 27, 2002, members of the WHOIS Task Force met with a number of registrars at ICANN's Shanghai meetings. Much of the discussion was focused on the interim report's accuracy recommendations. No official minutes of this meeting are known to be available. However, several members of the WHOIS Task Force shared their recollection of the meeting during a telephone conference of the task force on November 13, 2002, which has been transcribed.
To date, while two dissenting statements about a particular recommendation are included in the report, actual minority reports have not been received. Should any be received, they will be forwarded to the Names Council.
The importance of WHOIS data accuracy was first established
through the survey the Task Force conducted.
Support has been articulated in numerous comments received from
various parts of the intellectual property community, and other submissions.
The Task Force's recommendations
on limiting bulk access for marketing uses are based on concerns articulated
in many responses to the WHOIS Survey,
as well as many submissions in the comments
received. In addition, it has also been pointed out by commenters that
marketing use of WHOIS data would be a disincentive for registrants to provide
accurate data. Comments received indicated that removing bulk access for
marketing uses could therefore contribute to an improvement of WHOIS data
Several statements have been received which
would support the stronger recommendation of completely removing the RAA's
bulk access provisions. Some members of the Task Force have presented counter
arguments, noting that there are "legitimate" users of bulk access who,
in particular, use the data obtained to develop third party services not
related to any marketing activities.
The Task Force has recommended
that this isue should be investigated in detail in the near term.
A more detailed collection of arguments and
deliberations can be found both in the explanations to the Task Force's actual recommendations, and
in the outreach summary.
The Task Force has not been able to undertake extensive cost analysis at this point of its recommendations at this point.
In fact, feedback from the Task Force to the Names Council would include a recommendation that this area be seriously evaluated for development of alternative approaches to develop a cost analysis be undertaken. Once ICANN staff ae available to support policy development, such a requirement will make more sense. For now, this Task Force notes that such an analysis is extremely difficult to undertake during the policy develoment process itself. It clearly needs to be further defined and developed overall.
We recommend that this analysis be undertaken during the implementation phase.
However, the Task Force notes that policy may be required, even if it represents significant costs or changes in existing processes. For instance, the impact of purposely inaccurate WHOIS data when fraud is involved is serious. Taking steps to address how to change purposely fraudulent data may be an expensive endeavor. Yet, an essential one.
The Task Force has discussed the areas of cost to the extent possible and offers the following guidance.
In the areas of enforcement of existing requirements for accuracy, there will certainly be a need for increased ICANN staff resources. Experience of the existing staff in dealing with this problem today will be able to provide some guidance on the additional time and resources
which may be required and which should be included in the ICANN staffing plan/budget.
Additional “risks” areas: Several comments have been received from members of the Task Force that given the concerns of governments regarding accuracy of data, that the community should address this issue proactively, or risk more directive involvement of multiple governments who may have different views on how best to address accuracy. Such an approach could result in a “patchwork” of requirements which represents a “risk” which must be taken into account and could result in significant administrative burdens on registrars, and on registrants who register with registrars located in different countries. Clearly, developing a solution which can be accepted broadly is a better approach.
Inaccuracy in WHOIS data also impacts registrars who rely on WHOIS data to notify registrants of problems, renewal notices, validation of transfer requests, etc.
For the most part, the enforcement of existing recommendations for accuracy should have widely distributed, but low direct costs to the registrars. However, it must be acknowledged that there will be some additional staffing costs to deal with improved accuracy, and as/if systems are redesigned, there will be some costs to the registrars.
While the Task Force acknowledges that there are costs associated with the recommended changes in programming of systems inherent in many of the recommendations and possibly in additional staff time, the costs implications of specific changes have not been completely explored. The Task Force recommends that this topic can be addressed as part of the implementation process. A working group of Registrars, ICANN staff, and TF representatives could quickly explore this issue in more detail.
The Task Force discussed the concern which
registrars have regarding adding in new requirements and the additional costs
which that may bring. [Note: This Task Force did not discuss pricing, fully
recognizing that is out of scope for a policy Task Force. ] However, the
Task Force members acknowledged that consensus policy may require additional
investments, in resources, or systems. Within the Task Force, there is no
expectation that the Registrars should bear additional costs without the
ability to pass that along to the registration process. For instance, as
an example only, but not presented as a recommendation, one TF member has
suggested that if paper notification is required to fulfill the notification
about data accuracy, that the contract between the registrar and registrant
could provide for recovery of such costs from the registrant. The registrar
may or may not chose to exercise a charge back. The Task Force makes no comment
on their choice.
In the initial stages of implementation in accuracy, the Task Force believes that the single most definable cost segment will be the increase in ICANN staffing necessary to undertake improved enforcement, and to work with the registrars to implement the recommendations. It should be acknowledged that broad registrar participation in developing implementation of the recommendations will be essential to ensure that the full range of interests of registrars, given their diversity, are taken into account. Certainly, registrars time to participate may be viewed by many as an additional burden, yet their participation is essential.
In short, the Task Force acknowledges the need for a separate work activity to address further the issue of costs and will provide liaison participation to such an effort, which should take place as part of an implementation process, directed by ICANN staff.
Marketing uses of Bulk Access and WHOIS Data: The Task Force largely heard only objections from Survey respondents, from business users, privacy advocates, and from Registrars regarding the provision of bulk access to third parties. The recommendations of the Task Force would limit marketing uses of bulk access data. In addition, the Task Force recommended further work on any marketing uses of WHOIS data. The Task force is also recommending a change in registrar agreements to require a minimum “opt out” and allow Registrars to implement “opt in”.
The Task Force acknowledges that these changes may require software programming changes by registrars; probably changes in marketing materials, postings on web sites, re-education of existing staff, etc. The analysis of such costs were not undertaken by the Task Force.
The Task Force did discuss the need for registrars
to be able to include costs into their business models, but did not discuss
pricing, which is clearly out of the scope of a policy Task Force.
The Task Force recommends a separate work effort involving ICANN staff, technical resources, Registrars, and other relevant parties to undertake discussion of implementation issues, including any needed identification of costs issues.
Note: The Task Force itself has recommended that it, or another similar body continue further work related to these areas. This should be taken into account in the implementation processes.
The present document was published on November
30, 2002. Public comments are being accepted until December 8, 2002.
The Task Force has given considerable thought to the issues of WHOIS, and acknowledged in the Report Executive Summary that the work related to WHOIS is not complete. The Task Force envisions that WHOIS will be a topic of work and further learning and dialogue, not just within ICANN’s gTLD supporting organization but also with the new Country Code Supporting Organization, and with the GAC. For some time now, the GAC members have been making their interests and concerns about WHOIS known within the GAC itself. Recently, the Task Force co-chairs have discussed with several country members, and with the chair, the interests of the Task Force in discussing their interests, views, and concerns. A proposal for an approach is provided under this section as a “Recommendation for a WHOIS Workshop”
Upon acceptance by the Names Council of the recommendations contained in this Policy Report on Accuracy and Bulk Access, the Task Force envisions that the process of implementation discussions can begin. Task Force members will be available to consult or advise, during this process, as needed.
However, the priority of the Task Force, while this is happening, will be to continue its work in the sections in the report which are clearly noted for “further work” related to accuracy and bulk access and marketing uses of WHOIS data.
These work areas may result in further changes to the RAA, in some areas. The Task Force therefore recommends that it undertake concluding such work within a reasonable time frame, taking into account that there is a worldwide holiday season during the last month of the calendar 2002.
In addition, the WHOIS Task Force’s present report addresses only two of the four issues it identified in its Interim Report. Work has been undertaken by two additional working groups on consistency of data elements and enhanced searchability; this work continues and is expected to be completed shortly. At this point, a preliminary view of the the recommendations indicates that they will provide for mid to longer term working initiatives; the further work related to concluding these two areas we believe, should be completed by this Task Force. However, some of the recommendations may be in the form of “recommending monitoring” by ICANN staff with periodic reports back to the Names Council/its replacement. Such recommendations would not necessarily require a standing WHOIS Task Force involvement.
However, one shorter term recommendation which developed during the outreach on consistency of data elements and searchability was the importance of further dialogue with ccTLD managers. The Task Force was able to hear from a few managers regarding their practices, national requirements, and the challenges they face. Of strong interest by the Task Force is a more extensive dialogue with ccTLD managers regarding how they deal with issues of data accuracy, marketing uses, as well as consistency and searchability.
As noted in the opening paragraph, the GAC itself has also indicated a strong interest in further examination of WHOIS issues.
Therefore, the Task Force recommends and has begun to develop plans to work with interested parties, including the GAC, to develop a WHOIS Workshop where further exploration of the key issues will be undertaken. This workshop will be an informational format, and should include several panels, where issues are presented, and discussed in a format which results in white papers and presentations which can be included in the further work of the Names Council WHOIS Task Force.
Such a workshop is expected to include invitational presentations from ccTLDs; privacy advocates, governmental representatives, as well as registrars, business users, intellectual property representatives. The Task Force recommends that such a Workshop be hosted at the upcoming March ICANN meeting, and that all constituencies and the At Large Organization, as well as other Supporting organizatins be invited to attend and participate. It is expected by the Task Force that multi-national organizations, such as WIPO, OECD, ITU, and the EC, as well as individual countries who are members of the GAC will have an interest and the Task Force recommends to the Names Council that
The Task Force would welcome the involvement and support of the ICANN staff in undertaking and planning such a workshop. The Task Force would expect to launch a planning process immediately following the Amsterdam meeting and to quickly assess the feasibility of holding the Workshop in Rio, given time factors.
Gilbert Estillore Lumantao
In the past, the Non-Commerdial Domain Name
Holders' Constituency has been represented by Y. J. Park.
Miriam Sapiro served on the Task Force until Summer 2002.
Karen is about to leave the Task Force, and
is being replaced by Fran.
Tony serves as one of the Task Force's co-chairs.
Oscar A. Robles Garay
Marilyn S. Cade
Theresa Swinehart used to serve on the Task Force on behalf of the Business Constituency.
Marilyn serves as one of the Task Force's co-chairs.
In the past, the Intellectual Property Constituency
has also been represented by Axel aus der Mühlen.
The registrars' constituency has originally
been represented on the Task Force by Paul Kane, who also served as
the Task Force's initial chairman.
The General Assembly has originally been represented
on the Task Force by Danny Younger, then the GA's chairman.