Table of Contents

1. Executive Summary
2. Terms of Reference
3. Recommendations
1. Accuracy of WHOIS Data
2. Marketing Use of WHOIS Data; Bulk Access Provisions
4. Impact Analysis
5. Constituency Impact Reviews
6. Record of Outreach
1. The WHOIS Survey
2. Comments received in response to the Bucharest Report
3. Telephone Conferences
   
4. Comments received in response to the Interim Report
5. Meeting with Registrars in Shanghai
   
7. Minority Reports
8. Supporting Arguments
9. Risk/Cost Analysis
10. Publication and Comment Period
11. Further Recommendations for Additional Work
    
12. Appendix

Consensus Policies in this Document

---

1. Executive Summary

WHOIS is an important resource to users, ISPs, governmental users, intellectual property holders and the intellectual property community, and to registrars. Yet, and not surprisingly, some questions related to WHOIS are controversial. Several questions still deserve addressing. These include privacy issues; the cost of maintaining accurate data; who should have unlimited access; what uses are “legitimate”, and many more. Many of these are described in more detail in the various recommendations for further work contained in this report.

The Task Force is recommending significant changes which can lead to improvements in two key areas: accuracy and marketing uses of WHOIS data.

Other key questions remain open for further discussion and work: For instance, we do not present a comprehensive answer to the question what uses of WHOIS data (and bulk access to these data in particular) should be considered "legitimate". We do not present an answer to the question who should be able to access WHOIS data in what form and under what conditions.

Overall, throughout the work of the Task Force, it has been apparent that WHOIS is important to its users, and that it is a resource that is used throughout all kinds of groups of users of the global Internet.

Over the past year, the WHOIS Task Force has completed analysis of a survey, undertaken extensive further outreach, and developed an Interim Report which focused on four key issues. In the Interim Report, the Task Force proposed to the community that the focus of short term policy recommendations should be:

1. Accuracy
2. Protection of Data Subjects
   

The comments received during the comment period appeared to support this focus. Items 2 and 3 of the Interim Report, Uniformity and Better Searchabilty, were presented as longer term work items. The Task Force will, within the next few weeks, finalize a second report which will porvide guidance for further work on Uniformity and Enhanced Searchability. Comments received supported the Task Force's prioritization.

The present document focuses on those issues where the Task Force has identified consensus and support for a number of recommendations in the areas of  Accuracy and Bulk Access. 

In this report, ensuring accurate and reliable data in the WHOIS databases is identified by the WHOIS Task Force as a critical issue. The Task Force first addresses enforcement of existing RAA responsibilities, and then moves on to address consensus recommendations. The report also notes the need for further work in several areas related to accuracy.

This report also recommends against marketing uses of bulk access to WHOIS data. It addresses the concerns raised by the Internet community about privacy as needing further work, and recommends several processes to address increased understanding of the concerns, applicable law, and possible solutions.

The Task Force has taken extensive input, presented numerous updates and made many presentations.  This report presents and summarizes the input received and attempts to address the concerns raised, in particular by registrars concerned about the cost of implementing accuracy requirements, and by individuals who believe that privacy is not yet adequately addressed.

The Task Force acknowledges that the work is not completed on WHOIS. In fact, the Task Force envisions that WHOIS will be a topic of work and dialogue throughout 2003.

This Task Force, or another appropriate body, will need to address several key issues, including the question of “access” to WHOIS; whether differential access is a useful concept; how standards fit in; and what their ‘status’ is; what privacy issues are for individuals versus corporate or organizational representatives listed in WHOIS; how to develop acceptable processes with the agreement of the ccTLDs; what national laws may be determined to be applicable.

We recommend to the Names Council that this Task Force continue to address the issues which are being identified in the Task Force's reports.

The Task Force recommendations to the Names Council present several areas where the Names Council and the ICANN board have the ability to support significant improvements in WHOIS policy in the short term. Improved accuracy and better protection against marketing will help to address key concerns of the Internet community. These first steps are important. Improving how WHOIS serves the broad Internet community has been, and is our goal.

There is more to do. We have acknowledged that and even describe some of the work still needed. But we should not wait: We recommend that, in the short term, the Names Council endorse our recommendations on accuracy and marketing uses of WHOIS data.

Submittedon behalf of the WHOIS Task Force.

---

2. Terms of Reference

A paraphrased version of the initial terms of reference: "To consult with the community with regard to establishing whether a review of any questions related to ICANN’s WHOIS policy is due and if so to recommend a mechanism for such a review."

The Task Force was tasked by the ICANN Domain Name Supporting Organization (DNSO) Names Council to give advice on WHOIS Policy. The Task Force followed the work of a WHOIS Committee convened by ICANN staff to give advice on implementation of WHOIS for the .com/.net/.org domains as required under the Registrar agreement. This Committee addressed implementing questions related to WHOIS in these domains and concluded its work in April, 2001.  The implementation of the committee’s work included the establishment of a WHOIS Task Force on domain name system policy.  The Task Force was approved in the Names Council meeting of February 8, 2001.

In general, the purpose of the Task Force’s work is to consult with the community with regard to establishing whether a review of any questions related to ICANN’s WHOIS policy is due and is to recommend a mechanism for such a review. As the Task Force has worked, they have chosen to interpret their mandate broadly, and have shared that perspective with the Names Council on several occasions, as well as publishing this interpretation in the various public presentations that they have made.

---

3. Recommendations

The Task Force presents recommendations on two of the four key areas presented in the Interim Report. These recommendations include consensus policies, advice and commentary on the enforcement of existing policies, and priorities for further work within these areas.

1. Accuracy of WHOIS Data
2. Marketing Use of WHOIS Data; Bulk Access Provision

3.1 Accuracy of WHOIS Data

I. Enforcement of existing contractual obligations (in the Registrar Accreditation Agreement) regarding accuracy of WHOIS data

A. ICANN should work with all relevant parties to create a uniform, predictable, and verifiable mechanism for the enforcement of the WHOIS-related provisions of the present agreements.

1. Adequate ICANN resources should be devoted to enforcement of the Whois-related provisions of these agreements.

2. ICANN should ask registrars to identify, by a date certain, a reliable contact point to receive and act upon reports of false WHOIS data. ICANN should encourage registrars to (i) provide training for these contact points in the handling of such reports, and (ii) require re-sellers of registration services to identify and train similar contacts.

3. ICANN should post registrar contact points on its web site (perhaps on the list of accredited registrars). It should also encourage registrars to take reasonable steps to make their own contact points publicly available, such as by posting this information on the registrar’s home page, including it on the page displayed in response to a query to the registrar’s Whois, and/or in other ways.

4. ICANN should continue to maintain an optional and standardized complaint form on this issue in the internic.net site. Registrars, registries and re-sellers should be encouraged to provide a link to this site. In order to better ensure follow up, the complaint form should supply a "ticket number" for the complaint and should be designed so ICANN receives a copy of the registrars' response to the complaint (i.e., the form should incorporate a simple, automated mechanism for the registrar to report back to ICANN on the outcome of complaints).

B. ICANN should modify and supplement its May 10, 2002 registrar advisory as follows:

1. ICANN should remind registrars that "willful provision of inaccurate or unreliable information" is a material breach of the registration agreement, without regard to any failure to respond to a registrar inquiry. A functional definition -- based on the actual usability of contact details -- should be used for “inaccurate or unreliable”.

2. ICANN should clearly state to registrars that "accepting unverified 'corrected' data from a registrant that has already deliberately provided incorrect data is not [not "may not be," as the advisory now states] appropriate." Accordingly, where registrars send inquiries to registrants in this situation, they should require not only that registrants respond to inquiries within 15 days but that the response be accompanied by documentary proof of the accuracy of the "corrected" data submitted, and that a response lacking such documentation may be treated as a failure to respond. The specifics of acceptable documentation in this situation should be the subject of further discussions.

3. There is not a consensus on the Task Force (taking into account comments received) that 15 days without a response is a sufficient time period to establish a material breach in all cases. ICANN should work with registrars, over the next 6 months, to monitor and collect more extensive data on the specific impact of the 15 days period in RAA 3.7.7.2, and its actual implementation by registrars, on good faith registrations, in particular from developing countries, that are subject to accuracy inquiries.

C. Additionally, the Task Force recommends.

1. ICANN should encourage registrars to take steps to remind registrants of their obligations to submit and maintain complete and accurate contact data at appropriate points, including but not limited to the time of renewal of a registration.

2. Registrars should also be responsible for ensuring that their agents provide such reminders.

3. ICANN should also take steps to include information about this obligation on its websites at appropriate locations, and consider other ways to educate registrants on this issue.

4. Registrars should be encouraged to develop, in consultation with other interested parties, “best practices” concerning the “reasonable efforts” which should be undertaken to investigate reported inaccuracies in contact data (RAA Section 3.7.8).

II. Further work.

The following interim recommendations for improved enforcement of Whois obligations require further discussion by this Task Force or another appropriate body. Item (A) would, and item (B) might, require the development of a new policy or specification under RAA 3.7.8.

A. Instructing registrars to use commonly available automated mechanisms to screen out obviously incorrect contact data.

B. Treating a complaint about false WHOIS data for one registration as a complaint about false WHOIS data for all registrations that contain identical contact data.

III. RAA changes

The following proposed changes to the registrar accreditation agreement to enhance Whois data accuracy are recommended as consensus policies:

A. Registrants should be required to review and validate all WHOIS data upon renewal of a registration. The specifics of required validation remain to be determined by this Task Force or another appropriate body.

IV. The following proposed changes to the agreements need further discussion

A. Responses to the interim report indicate interest in placing registrations for which accurate or updated contact data has not been received in an appropriate hold status for some period of time prior to the eventual deletion of the registrations (see item III(B) above). Registrations in this hold status would be returned to operational status upon provision of accurate and verified contact information. Further research by this Task Force or an other appropriate body, in consultation with registrars and other interested parties, is needed to determine whether the benefits of adding this additional step outweigh the potential costs.

B. Adding a regime of graduated or intermediate sanctions for patterns of violations by a registrar of the WHOIS obligations of the agreements. (This would supplement the current sanction of revocation of accreditation.)

V. Recommended priorities for further work

1. Issues discussed in items I(B)(3), IV(A) (15-day period, hold period)

2. Issues discussed in II(A), II(B), III(A) specifics, IV(C) (screening/spot checking mechanisms, provision for block complaints against registrations with identical Whois data, validation specifics)

3. Issue discussed in IV(B) (intermediate sanctions)

3.2 Marketing Use of WHOIS Data; Bulk Access Provisions

Sections I and II below give a high-level overview of the Task Force's recommendations and their background.  Section III further elaborates on the reasoning behind the recommendations, and section IV contains detailed discussion and recommendations on the RAA's bulk access provisions.

I. Background

The current bulk access provisions in the Registrar Accreditation Agreement (the "RAA") contained in Section 3.3.6 allow for the sale of customer information contained in WHOIS databases to third parties under certain conditions, including but not limited to the following:

• Registrar may charge an annual fee (not more than $10,000). [RAA 3.3.6.2]

• Registrar must enter into an agreement with the third party which requires the third party to agree not to use the data:

  • For mass, unsolicited marketing, other than to its own existing customers [RAA 3.3.6.3], and

  • to enable high-volume, automated, electronic processes that send queries or data to any registry or registrar, except to register or modify domain names. [RAA 3.3.6.3]

• The agreement may

  • Require the third party to agree not to sell or redistribute the data [RAA 3.3.6.5], and

  • Enable registrants who are individuals to opt out of bulk access for marketing purposes and therefore require third party to abide by the terms of that opt out policy. [RAA 3.3.6.6]

An overwhelming majority (89%) of survey respondents said that registrants should be asked to opt in for their information to be available for marketing purposes, or that there should be no use of the data for marketing at all, while a minority (11%) indicated that they did not object to use of the data for marketing generally or by virtue of an opt-out policy.

II. Summary of Recommendations

A. Based on the results of the survey and the feedback from the community on reports published and statements made by the Task Force, the Task Force makes the following recommendations:

1. There is consensus that use of bulk access WHOIS data for marketing should not be permitted. The Task Force therefore recommends that the relevant provisions of the RAA be modified or deleted to eliminate the use of bulk access WHOIS data for marketing purposes. If this change is made, the provisions on registrant opt-out for marketing purposes could also be eliminated.

2. To the extent that ICANN disagrees with the Task Force’s Recommendation 1, and marketing uses continue to be permitted under the RAA, certain modifications should be made to the relevant provisions to enhance protection of personally identifiable information and of abuses of such information.

3. The Task Force notes that many provisions relating to the bulk access rules are not currently being enforced. It recommends that the changes that will be recommended at the end of the review process should be drafted with an eye toward enforceability and respect for applicable national laws, and that reasonable enforcement of the new rules be undertaken.

B. The Task Force makes additional medium- to longer-term recommendations:

1. The Task Force’s proposed recommendations on marketing uses of bulk WHOIS data would be implemented as changes to the registrars’ bulk access agreements, as defined in 3.3.6.1 of the RAA. To the extent that registrars make their part of the WHOIS database available in bulk to third parties without regard for the bulk access provisions, separate safeguards against marketing and other inappropriate uses should be considered.

2. The Task Force should investigate the suggestion that there should be termination of licenses of licensees of bulk access WHOIS who breach a bulk access agreement and that such licensees should be ineligible from gaining access through a new agreement. The Task Force has not had adequate time to consider all of the issues surrounding such suggestion.

3. The following five points should be evaluated in conjunction with one another:

   • In its further review, the Task Force should consider broadly whether bulk access can be justified or whether it should simply be eliminated.

   • Further review of the bulk access policy must take place in order to determine which uses of bulk access to WHOIS data, if any, should be considered "legitimate." In the context of such review, the Task Force should solicit feedback of current bulk access licensees.

   • After determining whether there exist legitimate uses of bulk access to WHOIS data, there should be a weighing of whether such uses outweigh the privacy interests of individuals in protecting their personally identifiable information.

   • The Task Force should learn about the applicability and impact of national privacy and other laws as they relate to bulk access provisions. In connection with this review, the Task Force should also examine current and existing laws that have been implemented to protect individuals against misuse of their personally identifiable information.

   • A review should be undertaken of actual experiences of registrars in providing bulk data. If it can be demonstrated that those who have accessed WHOIS through a bulk access license are those who have inappropriately used the resources, then there is a strong argument for elimination or drastic reform of bulk access.

4. If marketing uses of bulk Whois data continue to be permitted and a required opt-out minimum standard for such marketing uses is implemented by ICANN, the effects of such policy should be monitored to determine whether a more stringent opt-in standard should be introduced.

III. Discussion/Consensus Process

Because the survey results and community feedback suggest vehement objection to the use of personal information contained in the WHOIS database for unsolicited marketing activities, it is clear that there must be a serious evaluation of the bulk access provisions in the RAA to determine how the policy can be changed, whether there are realistic limitations as to what the data can be used for, or whether it must simply be eliminated.

Without further research, we cannot say with certainty that the bulk access provisions should be eliminated, although such a possibility should not be dismissed. In making that determination, the benefits of third party bulk access should be weighed against the strength of the argument that registrant information should not be available in this form. In considering whether there is merit to the wholesale elimination of bulk access, a pertinent question is what legitimate purposes within the scope of ICANN's mission, if any, are furthered by the use of WHOIS data in bulk form by third parties? Currently, as we have stated, given that registrants strongly object to the use of their data for marketing, and since marketing is not a necessary feature of the DNS, the Task Force believes that there is no rationale for making such data available for marketing purposes.

We recognize that there may be legitimate uses being served by bulk access to WHOIS data (e.g., research, law/intellectual property enforcement, and registrant inquiry, etc.); however, the responses of the
participants merit an evaluation of these and other legitimate uses and whether or to what extent the bulk access policies should accommodate them. As stated, it is the intention of the Task Force to consult with the community to determine what those legitimate purposes are.

To ensure utility of any WHOIS database, it is crucial that information contained therein is accurate. It should be evaluated whether bulk access to registrant information impedes such accuracy, and whether, therefore, bulk access is deleterious to actual usage of WHOIS.

In addition to these concerns, it is imperative that any ICANN policy that is formulated with respect to bulk access take into account any national laws which are determined to be applicable to an ICANN contracting party (e.g., a registrar). As an example, to the extent any party who has entered into an agreement with ICANN is determined to be subject to certain national laws (e.g., privacy directives or laws), such national laws will have implications as to what information that party can and cannot provide.

It should be noted that while the Task Force recognizes that privacy issues are relevant to the discussion of WHOIS generally, and perhaps more specifically to bulk access WHOIS, respondents to the survey generally did not identify privacy as a primary concern. Nonetheless, subsequent feedback from the community made it clear that privacy issues are an integral part of the bulk access discussion, and the Task Force intends to address privacy issues in the medium- to longer-term. Inclusive in the review of these privacy issues, the Task Force will examine laws that currently exist to protect the privacy of individuals.

The Task Force has not ruled out elimination of the current bulk access provisions, which has been suggested by some of the comments received, and is being supported by a number of task force members. However, in this document we have focused on modifications of the current RAA provisions to enhance the protection of WHOIS data. Specifically, we have parsed through the various components of subsection 3.3.6, highlighting problems with the specific provision and making suggestions for an improved provision in light of enhancing protection of personally identifiable information and against marketing uses.

IV. Suggested Revisions to the RAA Bulk Access Provisions

The Task Force’s primary recommendation is to prohibit any marketing use of bulk data by effecting the revisions in subsection 3.3.6.3. In addition, the Task Force recommends requiring third parties not to resell or redistribute data in accordance with our recommendation in subsection 3.3.6.5.

If the ICANN Board does not agree with the Task Force’s recommendation relating to the elimination of marketing uses of bulk access data, then the Task Force recommends strengthening the protection of privacy of individuals by requiring a minimum opt-out policy in subsection 3.3.6.6, and giving registrars discretion to implement an opt-in policy.

Section 3.3.6 of the RAA is broken down into several components, on each of which detailed comments, and, where appropriate, recommendations are provided.

A. 3.3.6.1 Registrar shall make a complete electronic copy of the data available at least one time per week for download by third parties who have entered into a bulk access agreement with Registrar."

This subsection 3.3.6.1 indicates that the registrar must make available its WHOIS data to any "third parties who have entered into a bulk access agreement." There are no limitations as to the entities or individuals that can enter into this agreement, whether an unsolicited marketing agency, a legitimate third party WHOIS provider, or otherwise.

This subsection of the RAA should be modified to incorporate limitations on the third parties eligible to enter into a bulk access agreement, in particular those parties who are able to articulate a "legitimate" need for bulk access to WHOIS, as well as limitations on the uses of the data that are permitted. As stated, the survey results, together with community feedback, made very clear that "legitimate" uses of bulk access WHOIS do not include marketing.

As for the more general definition, the Task Force has not yet had an opportunity to make a determination as to what uses of bulk access WHOIS data, if any, should be considered "legitimate." The Task Force expects to arrive at a definition of "legitimate" by enlisting community feedback.

B. 3.3.6.2 Registrar may charge an annual fee, not to exceed US$10,000, for such bulk access to the data.

The Task Force’s initial perception was that the US$10,000 might provide some registrars with a financial incentive to provide bulk access to data, while simultaneously deterring those third parties with a legitimate need from accessing the data in bulk. Feedback from the registrar community indicates that US$10,000 is not enough of a financial incentive to encourage registrars to actively market bulk access. In fact, it has been stated that many registrars are reticent to provide such access to users for fear of their competitors gaining access to information about their customers and using that information to their competitive advantage.

More important in this analysis is that to the extent a purpose is deemed "legitimate" use of bulk access WHOIS, such access should not be prohibitively expensive. In this context, there has been discussion of cost recovery versus production of revenue, and it has been argued that since registrars do not view bulk access as a revenue producer, perhaps a cost recovery structure should be implemented. However, because costs and resources vary across registrars and because the details of a registrar’s operations should not be the subject of an ICANN policy development process, the Task Force simply states here that to the extent that a searcher meets the "legitimate" purpose threshold, the fee for bulk access should not deter such a searcher from gaining such access, and therefore, the concept of a cap on such fee is a wise one.

Because of the lack of discussion as to what a reasonable fee structure should be, the Task Force therefore seeks further input from the community as to whether the current structure is adequate, and if not, what type of a fee structure should be implemented.

Dissenting opinion of Thomas Roessler and Abel Wisman (General Assembly): It is not clear why an ICANN-imposed cap on the bulk access fee should lead to fairer pricing than the approach of leaving such pricing to negotiations between data users and registrars. Also, it should be noticed that the "deterrent" argument made above has merit only as an argument against cost-based pricing, but not as an argument in favor of any kind of a cap.

C. 3.3.6.3 Registrar's access agreement shall require the third party to agree not to use the data to allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass, unsolicited, commercial advertising or solicitations to entities other than such third party's own existing customers.

This provision, by its own terms, allows registrars to sell rights to use their WHOIS databases for purposes of unsolicited, mass marketing. In addition, while third parties may not authorize others to use the data for this purpose, they can themselves use the data to for unsolicited marketing purposes. Other than limiting unsolicited marketing to the third party’s own customers, there are no limitations on the marketing use of the WHOIS data by the third party.

If ICANN Board agrees with the Task Force that bulk access WHOIS data should not be used for marketing purposes, then the provision should be changed to read as follows (changed language in italics):

"Registrar's access agreement shall require the third party to agree not to use the data to allow, enable, or otherwise support any marketing activities, regardless of the medium used. Such media include but are not limited to e-mail, telephone, facsimile, postal mail, sms, and wireless alerts."

If, however, ICANN continues to allow bulk access to WHOIS for marketing purposes, then this subsection is only acceptable if registrars are required to allow registrants, at a minimum, to opt out of these uses (see discussion at section F below). Based on the feedback from the survey and from the community in response to the Interim Report, it is clear that the community does not support the use of bulk access WHOIS for marketing purposes. As such, the Task Force recommends that this provision be revised as noted above. It has been noted that this provision may be difficult to enforce. For this reason, the Task Force recommends that the enforceability of the provision (as revised) would be the object of future monitoring and review efforts.

It should further be noted that registrars do not need bulk access to WHOIS data to market to their own customers.

D. 3.3.6.4 Registrar's access agreement shall require the third party to agree not to use the data to enable high-volume, automated, electronic processes that send queries or data to the systems of any Registry Operator or ICANN-Accredited registrar, except as reasonably necessary to register domain names or modify existing registrations.

This requirement is important to ensure that "legitimate" uses of bulk WHOIS data do not lead to automated processes which may unduly interfere with the regular operation of registrars' and registries' systems.

However, as has been pointed out, this provision is extremely difficult to enforce, and the Task Force intends to take steps to review its enforceability.

E. 3.3.6.5 Registrar's access agreement may require the third party to agree not to sell or redistribute the data except insofar as it has been incorporated by the third party into a value-added product or service that does not permit the extraction of a substantial portion of the bulk data from the value-added product or service for use by other parties.

In this subsection 3.3.6.5, the term "value-added product or service" is not defined, and consensus does not exist on the Task Force as to whether this term relates solely to marketing or whether it encompasses a more narrow view that does not involve marketing. The Task Force hopes to suggest clarifications of this term in further review.

(i) If the term "value-added product or service" relates solely to marketing, the Task Force makes the following recommendation: If the ICANN board agrees with the Task Force that marketing is not a "legitimate" use of bulk access WHOIS data, this provision should be revised so that it simply reads (changed language in italics):

"Registrar's access agreement shall require the third party to agree not to sell or redistribute the data."

Under a bulk access policy where marketing is not considered a legitimate purpose, the option of incorporating value-added products or services solely in a marketing context by licensees of bulk access WHOIS should be disallowed. The general prohibition on sale or redistribution of bulk access Whois data should be maintained.

(ii) The Task Force understands, however, that the reference to "value-added product or service" may mean, for example, services that combine this data with other data with the resulting database made available to law enforcement, legal services, and others on a query basis for research purposes. In this case, the change proposed above should be struck, and only the change described in the following paragraph should be made.

As a general matter, making the prohibition on sale or redistribution of data by the third party an option ("access agreement may require") does not provide any protection of the WHOIS data. To protect the integrity of the WHOIS database, the Task Force notes that this provision would have to be changed so that a third party is "required" not to sell or redistribute the data except as part of a value-added product or service. Additionally, a provision could be added which explicitly forbids any use for purposes other than the ones stated in the bulk access agreement (i.e., marketing).

Thus, the Task Force recommends that the word "may" be changed to "shall" in the first sentence of this paragraph.

F. 3.3.6.6 Registrar may enable Registered Name Holders who are individuals to elect not to have Personal Data concerning their registrations available for bulk access for marketing purposes based on Registrar's "Opt-Out" policy, and if Registrar has such a policy, Registrar shall require the third party to abide by the terms of that Opt-Out policy; provided, however, that Registrar may not use such data subject to opt-out for marketing purposes in its own value-added product or service.

This provision currently allows a registrar to make its own determination of whether to implement an opt-out policy. If it does not, a registrant’s information will be accessible via the bulk access procedure for any currently permissible use, including marketing.

If ICANN agrees with the Task Force that marketing is not a "legitimate" use of bulk access WHOIS data, this provision should be deleted in its entirety.

If, however, marketing continues to be a permitted use of bulk access WHOIS data, while the results of the survey indicate that respondents have concerns about either an opt-out or no policy at all, the Task Force recommends that this provision be changed to, at a minimum, to "require" a registrar to implement, at a minimum, an opt-out policy. Incorporating such a minimum requirement should not preclude any registrar from implementing a more stringent opt-in policy (in particular, if such a policy is required by national laws determined to be applicable to an ICANN contracting party, e.g., a registrar).

We believe that the concept of opt-out may have been overlooked by respondents who reacted viscerally to the general lack of any option as to whether their information is included in bulk access. In addition, we believe that immediately requiring the adoption of an opt-in policy may result in a significant deterioration of the information contained in the bulk access database, which would be detrimental to legitimate third parties making non-marketing uses of the data.

In either circumstance, the Task Force recognizes that requirement of a minimum opt-out policy or the alternative opt-in policy will require additional work (e.g., the writing of additional code by registrars). For example, both a minimum opt-out policy and an opt-in policy will require the registrar to take an action by clearly notifying the registrant that he or she has the option of not being included in the database for marketing purposes and acting upon a response from such registrant.

---

The Bucharest report also contained draft recommendations in each of these areas.