WHOIS Implementation Report - 30 January 2003


 

This document provides:

            An assessment of whether a recommendation is implementable

            Information on issues that will need to be considered during implementation

            Suggested additional text to clarify or improve the existing recommendations

 


Organization of the Analysis

 

The analysis is mostly contained in two tables.  In Table 1 contains an assessment of whether the WHOISTask Force recommendations that relate to Registrars or Registries are implementable, the relative cost of implementation, and the level of support from registrars.

 

Table 2 contains information on issues associated with the recommendations that will need to be considered during implementation, and also where appropriate additional or alternative text to strengthen or clarify the existing recommendation.

 

Table Abbreviations

 

Table Headings

#          The number of the recommendation

Cost     What is the cost impact if the recommendation is implemented? (high/medium/low/?)

Enf       Is the recommendation enforceable if it is implemented? (yes/no/?)

Feas     Can the recommendation reasonably be implemented from a process point of view? (yes/no/?)

Supp    What is the anticipated level of support for the recommendation from registrars? (high/medium/low/?)

Tech     Can the recommendation be reasonably implemented from a technical point of view? (yes/no/?)

 

Legend

           

N/A     Not applicable


 

TABLE 1

 

#

WHOIS Task Force Recommendation

Cost

Enf

Feas

Tech

Supp

1

Existing Task Force Recommendation:

 

Registrars must require Registrants to review and validate all WHOIS data upon renewal of a registration. (effectively an extension of RAA clause 3.7.7.1 above) The specifics of required validation remain to be determined by this Task Force or another appropriate body.

Low

Yes

Yes, although terms such as validate need clarification – see suggested alternative text

Yes

Med

2

When registrations are deleted on the basis of submission of false contact data or non-response to registrar inquiries, the redemption grace period -- once implemented -- should be applied. However, the redeemed domain name should not be included in the zone file until accurate and verified contact information is available. The details of this procedure are under investigation in the Names Council's deletes task force.

High

Yes

Yes – although accurate and verified needs clarification

Yes

High

3

When registrars send inquiries to registrants regarding the accuracy of data under clause 3.7.8 of the RRA, they should require not only that registrants respond to inquiries within 15 days but that the response be accompanied by documentary proof of the accuracy of the "corrected" data submitted, and that a response lacking such documentation may be treated as a failure to respond.

High

Yes

No – needs major changes

No

Low

4

Registrars modify their bulk WHOIS access agreements to eliminate the use of data for marketing purposes.   

The suggested revised section 3.3.6.3 is:

“Registrar’s access agreement shall require the third party to agree not to use the data to allow, enable, or otherwise support any marketing activities, regardless of the medium used.  Such media include but are not limited to e-mail, telephone, facsimile, postal mail, SMS, and wireless alerts.”

The suggested revised section 3.3.6.5 is:

“Registrar's access agreement shall require the third party to agree not to sell or redistribute the data except insofar as it has been incorporated by the third party into a value-added product or service that does not permit the extraction of a substantial portion of the bulk data from the value-added product or service for use by other parties.

Low

Yes

Yes

Yes

High

 


 

Table 2  Detailed implementation analysis

#

Current recommendation with suggested enhancements

Comments and issues

1

Existing Task Force Recommendation

 

Registrars must require Registrants to review and validate all WHOIS data upon renewal of a registration. (effectively an extension of RAA clause 3.7.7.1 above) The specifics of required validation remain to be determined by this Task Force or another appropriate body.

 

Suggested replacement text:

 

At least annually, a registrar must present to the Registrant the current WHOIS information, and remind the registrant that provision of false WHOIS information can be grounds for cancellation of their domain name registration.  Registrants must review their WHOIS data, and make any corrections.

This is implementable IF:

- the registrar presents the WHOIS data to the registrant (via website, fax, or postal message) = REVIEW

the registrant is required to check that the data is still current, and if necessary update the information = VALIDATE

 

Many registrars use an auto-renew process, and tying the need to review the WHOIS data to the exact moment of renewal limits the flexibility of the registrar.  Also for 10 year domain name registrations, a 10 year update is too long.  The data ages very quickly after the first year.  Thus registrars believe that the recommendation should be based on the frequency of review (e.g annually), and have the flexibility to control when the review happens (e.g a review may happen whenever an event associated with a domain name happens, e.g renewal, or nameserver update, but otherwise at least annually)

 

It is not feasible for the Registrar to validate the data (e.g make phone calls to registrant, ring post office to confirm address exists, post a letter and require a reply etc).  A registrar may optionally use various heuristic techniques to do some data validation (e.g check that a USA city existing within a particular USA state) but such techniques are not applicable uniformly across the globe.  In general it is in the registrars’ best interests to get accurate data as it increases the chance of a successful renewal, so there are commercial incentives here for clever registrars.

 

2

 Existing Recommendation:

When registrations are deleted on the basis of submission of false contact data or non-response to registrar inquiries, the redemption grace period -- once implemented -- should be applied. However, the redeemed domain name should not be included in the zone file until accurate and verified contact information is available. The details of this procedure are under investigation in the Names Council's deletes task force.

Suggested Replacement text:

When registrations are deleted on the basis of submission of false contact data or non-response to registrar inquiries, the redemption grace period -- once implemented -- should be applied. However, the redeemed domain name should be placed in Registrar Hold status until the registrant has provided updated WHOIS information to the registrar-of-record. 

The principle is OK, however the details of “accurate and verified” need to be clarified as per the next recommendation. 

 

Note the suggested alternative text in recommendation 3, suggests that the initial response will be to place the name on Registrar Hold status if the registrant fails to respond to a request to update the information rather than delete the name.  The name would only be deleted if it was not renewed by the registrant after the name has been placed in registrar hold status.  In such circumstance if the name is “redeemed” it should be returned to Registrar-Hold status.

 

 

3

Existing Recommendation:

When registrars send inquiries to registrants regarding the accuracy of data under clause 3.7.8 of the RRA, they should require not only that registrants respond to inquiries within 15 days but that the response be accompanied by documentary proof of the accuracy of the "corrected" data submitted, and that a response lacking such documentation may be treated as a failure to respond.

Suggested Replacement text:

(a) Upon receiving a complaint about WHOIS accuracy, a registrar may seek evidence or justification from the complainant. 

 

(b) If the complaint appears justified, then a registrar must at a minimum send an email to all contact points available in the WHOIS (including registrant, admin, technical and billing) for that domain name with

:  a copy of the current disputed WHOIS information and requesting the WHOIS contact information be updated if the information is incorrect, and.

a reminder that if the registrant provides false WHOIS information that this can be grounds for cancellation of their domain name registration.

 

(c) When the registrant responds, a registrar must take commercially reasonable steps (e.g apply some  heuristic automated data validation techniques (possibly via an automated tool centrally provided by ICANN)) to check that the new WHOIS information  is plausible.  If the data is found to be not plausible, the registrant must provide further justification (which may be documentary evidence) before the data will be accepted.

-

(d) If no response is received or no acceptable data has been provided after  a time limit (to be agreed) a Registrar must place a name in REGISTRAR-HOLD (or equivalent) status, until the registrant has updated the WHOIS information.

 

(e) For a name to be removed from REGISTRAR-HOLD status to active status, the registrant must contact the registrar with updated WHOIS information (as per (c)  above), and the registrar must confirm that the registrant is contactable via this new information (for example by requiring that the registrant respond to an email sent to a new email contact address).

 

 

.

 

This recommendation is NOT implementable in its current form.

 

The 15 day period is not feasible given the time taken for a request to actually reach the registrant (due to postal delays, or just the registrant being on holiday).  It should be extended to 30 days to take into account typical international delivery times (e.g it typically takes 15 days for mail to reach Australia from USA) for postal mail.  Registrars normally have periods of at least 30 days for a registrant to respond to a renewal notice for example.  Often registrars will first attempt to contact a registrant via email, and if that bounces, use postal mail (which tends to stay accurate for longer).

 

Note that this recommendation should only be dealing with issues of accuracy.  If there are other issues associated with a domain name (such as its use in criminal activity) there should be other mechanisms available to have the domain name disabled or deleted.

These other issues should be the subject of a separate issues report, and subject to the normal policy development process.

 

In terms of requiring documentary proof - other than just storing the documentary proof - registrars are not authentication agencies (they collect information and store it in a registry) - they do not have skilled staff capable of detecting whether a document is real or a forgery, nor could they be expected to have staff with knowledge of all types of documents across all countries.

 

See text below table for discussion on proposed alternative text..

 

4

Registrars modify their bulk WHOIS access agreements to eliminate the use of data for marketing purposes.   

The suggested revised section 3.3.6.3 is:

“Registrar’s access agreement shall require the third party to agree not to use the data to allow, enable, or otherwise support any marketing activities, regardless of the medium used.  Such media include but are not limited to e-mail, telephone, facsimile, postal mail, SMS, and wireless alerts.”

The suggested revised section 3.3.6.5 is:

“Registrar's access agreement shall require the third party to agree not to sell or redistribute the data except insofar as it has been incorporated by the third party into a value-added product or service that does not permit the extraction of a substantial portion of the bulk data from the value-added product or service for use by other parties.

There is a need to clarify the definition of “marketing purposes”.  This may require a small working group to define, possibly just in the form of examples (but not limited to) of marketing activities covered.

 

e.g text such as:

“includes but not limited to the sending of unsolicited, commercial advertising, or solicitation to entities other that the data recipient’s own existing customers”

 

or

“any communication, regardless of the medium, initiated for the purpose of advertising availability or quality of any property, goods, or services, but such term does not include a communication (A) to any person with that person's prior express invitation or permission, (B) to any person with whom the party has an established business relationship.”

 

(Also see: U.S. federal statute, 47 USCS  Section 227 for another example)

 

Registrars also suggest that consideration be given to a sliding scale for the maximum fee (currently $10,000) chargeable for the WHOIS data.  E.g a fee based on 1 cent per name.

 

NEW

That the time limit to respond to a WHOIS data complaint be 30 days

As stated above registrars believe that 15 days is currently not feasible given that most registrar processes that involve contacting the registrant take longer.  The downside is that when a registrant fails to respond to an accuracy request that is driven by a need to take action against inappropriate use of a domain name, a longer time period gives the registrant a longer period to continue their activity.  The registrars believe that 30 days is a reasonable compromise.  This issue may require further work before consensus can be reached with the wider GNSO community.

 

The separate recommendation is an attempt to de-couple the process for updating data as described in recommendation 3 above, from the concern over the current 15 day time limit-suggested by the WHOIS task force recommendation

NEW

Insert an additional recommendation regarding a formal review process

Suggest consider the text in recommendation 28 of the transfers task force that specifies 3, 6, and 12 month intervals for review/.

 

 

Detailed discussion on recommendation 3

 

The recommendation needs to identify a cost effective minimum implementation.  Note that contacting the registrant is a common problem for registrars at the time of renewal, and various methods are used.  Most registrars use a final step of placing the name  in REGISTRAR HOLD status or equivalent (the name is locked and removed from the zonefile).  The reasons why data may be inaccurate include: the data has aged over time (e.g the contact person has changed physical address or changed email service providers), the admin contact has changed (e.g an employee has left the company), and finally the information was provided incorrectly on purpose (this is less common and more difficult to resolve).  The first two cases are generally well supported by the proposal below.  The last case (deliberate provision of inaccurate data) is difficult to solve via the WHOIS Task Force recommendations, and will probably require other mechanisms to resolve – for example if the domain name is being used for criminal purposes (which would need an internationally acceptable definition) it could be placed on HOLD immediately.  Registries have reported that some registrants continuously update their contact information, this can work to prevent the processes of the WHOIS Task Force being effective.  This could be prevented by limiting the frequency of changes to WHOIS information, but may cause inconvenience to legitimate changes (e.g to correct a mistyping of information within 24 hours).  Again the issue is that an alternative mechanism may be necessary to deal with malicious use of a domain name.

 

Below is a possible implementation

 

There are two components:

- contact of the registrant

- correction of information

 

IN RESPONSE TO A COMPLAINT ABOUT WHOIS DATA

 

A registrar may seek evidence or justification from the complainant (this can prevent a denial of service attack where third parties repeatedly challenge the WHOIS information of a registrant)  as to why the data is inaccurate.  A standardised complaint form may simplify the collection of sufficient information to check whether a complaint appears plausible.   If the complaint appears to be justified then:

-          

CONTACT phase

 

CORRECTION phase

-