WHOIS TASK FORCE 1 RESTRICTING ACCESS OF WHOIS FOR MARKETING PURPOSES PRELIMINARY REPORT .pdf version

---

WHOIS TASK FORCE 1
RESTRICTING ACCESS OF WHOIS FOR MARKETING PURPOSES
PRELIMINARY REPORT

In general, the process worked as follows: First, each day Verio downloaded, in compressed format, a list of all currently registered domain names, of all registrars, ending in .com, .net, and .org. That list or database is maintained by Network Solutions, Inc. ("NSI") and is published on 13 different "root zone" servers. The registry list is updated twice daily and provides the domain name, the sponsoring registrar, and the nameservers for all registered names. Using a computer program, Verio then compared the newly downloaded NSI registry with the NSI registry in downloaded a day earlier in order to isolate the domain names that had been registered in the last day and the names that had been removed. After downloading the list of new domain names, only then was a search robot used to query the NSI database to extract the name of the accredited registrar of each new name.5 That search robot then automatically made successive queries to the various registrars' Whois databases, via the port 43 access channels, to harvest the relevant contact information for each new domain name registered. Once retrieved, the Whois data was deposited into an information database maintained by Verio. The resulting database of sales leads was then provided to Verio's telemarketing staff. [citations omitted]

1. Although there are mechanisms currently employed by Whois Providers that have had limited success on the amount of data mining, such mechanisms alone, are insufficient to prevent data mining of the Whois database for marketing purposes.
2. The output of this Whois Task Force depends heavily on the output of Whois TF 2 (which data elements are included in the publicly available Whois).
3. Subject to the exceptions set forth in the remainder of this report, To the extent that data deemed to be sensitive by the Internet community is recommended to be publicly disclosed by Whois TF 2, then at a minimum, the requestor of Whois information should be required to identify itself to the Whois Provider (i.e., the Registrar or the Registry [in the case of thick registries]) along with the reasons for which it seeks the data. Representatives from the Noncommercial, ALAC, Registrar and Registries Constituencies believe that such information should be made available to the registrant whose Whois information is sought, whereas representatives of the from the Intellectual Property, Commercial and Business Users Constituency and Internet Service Providers disagree with the requirement that notice be provided to the registrant. They believe that an acceptable alternative to the notice requirement could be to require the preservation of some form of audit trail so that in the rare case in which Whois access were abused, it could be established who had made the request.
4. It is not possible to create technical restrictions under the current port 43 specifications that will limit port 43 access to a specific type of purpose such as "non-marketing uses."
5. To the extent sensitive data is required to be displayed, Port 43 should only be used by registrars to facilitate transfers if no other mechanism is available to registrars for this purpose.
6. Some members of the Task Force stated that they may not be fundamentally opposed to having an automated mechanism to retrieve sensitive data for identified requestors with approved purposes provided that certain terms and conditions (set forth below) apply.
7. A Cost benefit analysis and a feasibility study should be done when considering any significant changes in Whois requirements.

1. Currently, Port 43 does not provide a way for a requestor to identify him or herself or the reasons for which it is seeking the data.
2. If only Non-sensitive Data is displayed, there is little reason to change anything with respect to Port 43 .
3. If Sensitive Data will be displayed, then Port 43 would not be able to provide the functionality described in Section 4 above.
4. Port 43 should, however, not be shut down completely. The Task Force believes that unless other mechanisms were available to the Registrars to retrieve sensitive data, Port 43 should be available to Registrars solely for the purpose carrying out its obligations with respect to transfers of domain names between registrars.

• The Requestor is asked to sign (or "click") an electronic license agreement for the Sensitive data promising:
  • To use the data for only the purpose(s) indicated;
  • That the Whois data will not be used for marketing purposes; and
  • That the Requestor shall be prohibited from compiling, leasing, sublicensing, reselling or otherwise transferring the data to any third party (except to comply with law).
• The Requestor is identified to the Whois Provider;
• The Requestors identity and purposes for such information is disclosed to the Registrant.
  • The group recognizes, however, that an exception may need to be granted for certain law enforcement investigations (including civil investigations), only when notification of the registrant will defeat the purpose of the investigation.
• The Sensitive Data is provided to the Requestor in human-readable format only (and not computer readable).

• If there were a White List or Individual Use List, who would serve as the central authority ("Authority") that determines the eligibility for entities to be on these lists?
• Does this same Authority maintain the centralized white-list or Individual Use List database/system?
• What are the criteria that the Authority uses to determine who is eligible to be on either list?
• Is there a limit of the number of entities that can be on the White or Individual Use Lists?
• Who pays for the implementation of either system? Would there be a contribution paid by the members of the either list?
• If entities on the White or Individual Use List must give the reasons for their queries, how does (or can) that information be delivered to the registrants?

– registrant name, address, e-mail address, and phone number, unless registrant has requested that this information be made available.
– administrative contact name, address, e-mail address, and phone number, unless registrant (or admin-c) has requested that this information be made available.
– billing contact. These data are traditionally not published by registrars, but are included in many thick registries' public Whois services.

– Registrar of record.
– Name servers.
– Status of domain name.
– Contact data, if the data subject specifically requests that these data be included in the public tier.

1. to verify the availability of a name they might wish to register
2. to thwart security attacks of their networks and servers
3. to validate the legitimacy of a website for transactions
4. to identity consumer fraud and cyber-scam incidents
5. to undertake routine reviews to protect their brands
6. to support UDRP and other infringement proceedings
7. to combat spam.

1. Accuracy and access. Accuracy and access to accurate data are the top priorities. Enforcement of accuracy requirements is essential.
2. Use of data. It is key to find a balance between data use for legitimate purposes and avoiding unwelcome or illegal use.
3. Balance of Stakeholder needs. Any changes in access to Whois must be balanced across the needs of all stakeholders and take into account the costs to the registries/registrars to maintain more complex systems, as well as the burden on the legitimate users of Whois.
4. Marketing. Whois data should never be used for marketing purposes. This includes precluding the use of Whois data for marketing by the registry or registrar other than for services that are directly applicable to registration or other purposes that are not inconsistent with the original purpose [see OECD Guidelines] or for which the registrant has explicitly opted-in.
5. Scope. The focus for now should be ensuring a consistent system of Whois across generic top-level domain names. Any discussion of Whois policies that might affect Whois within country-code domain names should be addressed later and through the new Country Code Names Supporting Organisation.

• Concerns arise from marketing use. The BC has previously stated that marketing uses of Whois data should be prohibited. The basis of much data protection law is that data should only be used for the purpose directly applicable to registration or other purposes that are not inconsistent with the original purpose [see OECD Guidelines] or for which the registrant has explicitly opted-in.
• Spam. Confusion exists today regarding whether and to what extent Whois data is used for the development of Spam. Data indicates that the involvement is small, but in any case, it is important to not allow contamination of the issues relating to Whois by the issue of spam prevention. Regardless of the limited degree of impact, mechanisms to limit any use should be supported.

• Eliminate marketing. The BC believes that Whois data should never be used for marketing purposes. This includes precluding the use of Whois data for marketing by the registry or registrar, other than for services which are directly applicable to registration or for which the registrant has explicitly opted-in.
• Limit access to Port 43 access. Although it does not appear that Whois is a significant contributor to Spam, the BC supports the limitation on port 43 access (an Internet-based access used by registrars and others) to discourage any use for that purpose. Also, this will limit uses of port 43 for other marketing purposes.
• Creation of a White list approach for "legitimate use". There are legitimate uses of Whois, which should be supported, including uses facilitated by bulk access. Such uses include research, creation of third party value-added services, etc. The BC therefore supports the creation of a list of legitimate uses, and recommends that such uses be limited via registry/registrar/third party contract when bulk access is provided to such third parties. Specific conditions as to use should e specified in the contractual terms.
• The BC therefore proposes that the examination of such a white list process should be referred to Council for consideration as a policy development process.

• Privacy concerns: The question of whether and how Whois data should be made public has been raised. It is unclear whether this question pertains to a broadly held governmental concern with all Whois data or whether the question relates to the narrow class of registrations by individuals with privacy concerns. In any case, the question of changing access to Whois data is a current and important one.
• Registrant Awareness of public access to Whois: The question has also been raised about whether registrants are aware of what Whois data is and how it is displayed and why it is needed.
• Segregation of registrants into categories presents problems of definition. There have been discussions about the concept of segregating registrants into different categories and having different requirements for gathering and publishing Whois data, based on the user category. The determination of what category a registrant fits into is not a simple determination, since, for example, individuals may register names for speculation, business development, or for personal use. And the reality is that the problems with consumer fraud, piracy, and trademark infringement are typically perpetrated by individuals, who provide false registration information, in order to avoid pursuit.
• Differentiated or "tiered" Access by Authenticated Users: There has been some limited discussion about creating a two tier approach to access and requiring a Whois user to be approved or authenticated to have access all data.
• Services which offer anonymity for registrants: Some have raised the issue of providing a mechanism for individual anonymity for legitimate individuals. Such mechanisms exist in telephony, where the telephony provider receives accurate contact information and acts as the point of contact for legitimate requests. Alternatively, anonymous gTLD registrations can be obtained by individuals through several mechanisms such as registration through one's ISP.
• Privacy and existing obligations: Although some entities have raised the question of what privacy laws apply to Whois data, there is not a consistent interpretation of law. A few countries have established that their privacy laws apply to the display of country-code Whois data. Certain data privacy entities have begun to ask what data privacy protections should apply. Yet many countries require businesses and NGOs to provide accurate information when they apply for services such as a business license, tax exempt status, inclusion in a directory, or trademarks.
• All data elements are needed. BC members responding to the questionnaire regarding data elements relied upon by business users indicated that all data elements are used. When some part of the elements are incomplete or inaccurate it is even more important to have access to as many data elements as possible. This enables a thorough effort at contacting the registrant, or in the case of consumer fraud, to support law enforcement.
• Display of data elements: All data elements should be displayed, or at a minimum accessible via an easy to use and validated process that would allow access to an authenticated user. However, this needs further and careful examination. It is not acceptable to simply create broad categories of 'business' and 'individual' without a recognition of the issues involving the misuse of a special category.

• All existing data elements are needed. The BC recognises the continued need for all the data elements that are available in Whois today.
• Registrants should be informed: Fact based, neutral toned information about Whois should be included in the registration process, and specific acknowledgement/consent should be obtained at the time of registration. Registrants should also be renotified when they renew their registration of the importance of accurate and complete data.
• Assessment of a differentiated access model should be undertaken: Examination of the broad implications of establishing a differentiated access model, including costs, broad impact on registrants and Whois users, and taking into account CRISP and other emerging standards, should be a community and Council priority. The development of such a change in Whois will require a further PDP process.
• Updated Information is needed to begin such a consideration: The Council should be asked to support the briefing by all three TFs by IETF on the status of CRISP and any other emerging and relevant standards.

• Accuracy because Whois is public communication. A domain name registration in a TLD is a public form of communication, and as such, requires accurate data for the Whois registry.
• Accuracy because users need accurate data. The average Internet user, whether business, government, NGO or individual, has an expectation of accurate Whois information, which they then use to address legitimate issues: verifying the legitimacy of a web site, pursuing a network problem, addressing IP infringement concerns, calling for assistance from law enforcement, etc.
• Accuracy is important for individuals and organisations. The same concerns about the need for accurate data are independent of the nature of the registrant. A non-statistical survey of BC members regarding the situations they have experienced with trademark infringements, consumer fraud, and network issues indicates that there are problems with individuals and with organisations. However, none of the consumer fraud incidents encountered by the well-known brand holders involved organisations. The five situations examined all involved individuals who provided false information. Discussions with law enforcement have and continue to evidence similar problems with individuals.
• Some examples of data authentication exist in other industries, including financial services and in some of the ccTLDs.

• Best Practices are available from other sources: The BC recommends further examination of best practices in authentication in other industries and from selected ccTLDs.
• Changes to the contracts are needed to ensure there is enforcement. The requirement to provide accurate data is a part of the Registrar contract, yet it appears that few registrars fulfill this requirement. The BC believes that this must be enforced by ICANN while allowing flexibility in the way registrars carry out this obligation. The previous Whois TF discussed the development of graduated sanctions. They also heard from several ccTLDs with successful data verification practices. The BC calls for the development of policy to evaluate a system of graduated sanctions.

Recommendation: more research is needed, and standards may offer solutions to development of modifications to Whois. Discussion of Whois is limited by a lack of research which would allow fact based policy. The ccTLD registries also have significant experiences which could be the better understood and provide useful "understanding" to guide gTLD policy development. The BC encourages the GNSO Council to seek current information on both the CRISP project (on Whois standards undertaken by the Internet Engineering Task Force) and any other relevant standards process, to examine the role of these potential standards in providing a solution. The BC recognizes that the cost of implementing changes in Whois must be analyzed and understood as changes are considered. Changes in Whois should not become an "unfunded mandate" upon registrars.

Footnote: The BC continues to discuss the Whois issues and may provide further comments or modifications to these positions after concluding an ongoing internal process.

1. The need for manual intervention in providing Whois service
2. Requirements that increase the likelihood of automated Whois queries
3. Complex requirements that cannot be standardized across multiple registries
4. Policies that increase the likelihood of litigation and other forms of dispute resolution
5. Requirements to provide different Whois services for different localities
6. Requirements that conflict with local law and thereby create burden on registries for negotiations and legal fees
7. Changes to the publicly available information - many registrants use Whois for monitoring their registration information and a number of web hosting firms and ISPs use it to confirm registration of domain names; changes to publicly available information could shift additional work to the registry

Any Whois access requirement changes that increase the likelihood of any of these factors occurring can be expected to have financial impact.

Implementation Timeframe Estimates

Registries, large and small, will require full product development cycles to implement any significant changes to Whois systems. These cycles vary by registry but can be longer than six months after final requirements are defined. Registrars also have similar requirements.

Because so many applications rely on Whois information, advance notice must be provided to the community at large to allow sufficient time for such applications to be modified to accommodate changes. Because of the widespread global use of Whois information, it is not unreasonable to expect that at least six months notice should be given to the Internet community for any significant changes to Whois access.

Questions Discussed by the Constituency

The gTLD Registry Constituency specifically raised and discussed six questions relating to the work of Whois Task Force 1. Summaries of the responses to the questions are provided below.

Question 1: What types of access should be made available for viewing Whois information? (Web-based access, Port 43, Bulk Access, etc.)

Question 6: In other words, how can we ensure that legitimate parties (however that is defined) have access to Whois information, but also reduce data mining and the burdens on our systems?

Concluding Statements

1. It is essential to deal with the paramount concern of personal privacy along with the needs of intellectual property and law enforcement as limited exceptions to the protection of privacy.
2. We recognize that certain parties may at times need to have access to a number of elements listed in the current form of Whois. A technical means of providing this tiered access (i.e., allowing these parties to access the information, while preventing others from getting the information) could be through the IRIS protocol developed by the CRISP working group of the IETF. When finalized, we believe that a comprehensive review of this technical solution be undertaken. We believe a more detailed effort is needed to identify any specific parties that need access to selected elements and what information should be obtained about such access.
3. Cost benefit analysis should be done when considering any significant changes in Whois requirements.
4. Careful consideration should be given to the feasibility of registrars and registries to implement any proposed changes in Whois requirements including but not limited to enforcing such requirements. And sufficient time should be allowed for any associated migration.
5. The Whois framework must provide ways for registries and registrars to ensure that they can comply fully with their local legislation requirements.

• Any provision should maintain and ensure availability of unhampered access to Port 43 for legitimate applications (such as research services) that require high volume access to domain name Whois for use in creating value-added products and services that are of great value to the intellectual property community and to the business community in general. As long as enforcement of the RAA provisions regarding bulk access to Whois remains almost non-existent, availability of port 43 access is essential in assuring the viability of these services.
• Adequate provision must be made for intermediaries which aggregate low-volume requests from end-users into a relatively high volume of queries through Port 43.
• A solution must identify realistic volume break-points between low-volume queries via Port 43 that should remain unrestricted, and a very high volume of queries that could, in principle, require an efficient and workable form of disclosure to registrars (or registries in the thick registry model) of the uses to which query results would be put.
• The solution should also preserve the unrestricted availability of Whois queries through a web-based interface, and the status of Port 43 as a service available free of charge.
• The solution must be accompanied by proactive enforcement of the obligation to make bulk access available.
• Finally, the solution must also address questions of scalability, particularly in the thin registry environment.

• to research and verify domain registrants that could vicariously cause liability for ISPs because of illegal, deceptive or infringing content.
• to prevent or detect sources of security attacks of their networks and servers
• to identify sources of consumer fraud, spam and denial of service attacks and incidents
• to effectuate UDRP proceedings
• to support technical operations of ISPs or network administrators

– Focused on restricting access to Whois data for marketing purposes
– Seeks to determine what contractual changes (if any) are needed to protect domain name holder data from data miners.
– What technological means are available to accommodate these possible contractual changes while simultaneously ensuring law enforcement, intellectual property, ISPs, and consumers continue to retrieve information necessary to perform their respective tasks

– Focused on reviewing Whois data collected and displayed to ensure accurate identification of registrants.
– Seeks to determine the best manner in which to inform registrants of what information is made publicly available when domain names are registered and options for restricting access
– Contemplates the ability of registrants to remove/shield certain parts of required contact information from anonymous, public access
– Furthering this is the need to determine what information may be removed, by whom, and what contractual changes are required to enable this.

– Focused on developing mechanisms to improve the quality of contact data that must be collected at the time of registration in accordance with the registrar accreditation agreement and the relevant registry agreement
– Related issues:

• Verification of data at time of registration
• Ongoing maintenance of data during registration period
• Protecting against deliberate submission of false information

• In light of small and regional ISPs' reliance on Port 43 access, the ISPCP Constituency believes its use ought to be preserved at this time. However, its use should be strictly limited by non-technical means such as rate limiting. In the long term, we strongly discourage its continued use.
• A general agreement would be useful on the types of uses that are legitimate and should be continued.
• Any proposed solution should include such legitimate access, including Web based queries and be scalable.
• ICANN staff should undertake development of a uniform access policy that is enforced - in addition, compliance procedures for such a policy should be implemented.
• The ISPCP rejects the notion that the purpose of Whois data is not intended for tracking registrants that are in the business violating laws or deceiving end users and thus, should not be used for any purpose beyond technical reasons.

Task Force 2- Review of Data Collected and Displayed

The ISPCP Constituency is aware of the real and legitimate privacy concerns over the amount and type of data collected and displayed in Whois data. Registrants should be provided with a limited list of needs for which their data may be used, so as to help prevent the possibility of inadequate notice. The ISPCP further notes that for a very small fraction of registrants with legitimate political and free speech concerns, there should continue to be processes in place for proxy registrations where their data will be kept private and provided only upon a limited set of circumstances.

There have been many assertions that the current display of Whois data is not legal or proper under the laws of some regions, namely the EU. However, of the EU member states’ ccTLD operators who submitted Task Force 2 responses, all have indicated that they work closely with their respective country’s data protection authorities and are in full compliance with their respective privacy laws.

Privacy concerns can further be alleviated by providing proper and adequate notice to all registrants, in a format that is conspicuous and highlights the disclosures within the registrant contract. In many regions it is a common legal requirement that data only be used for the purpose it was originally collected. By itemizing the legitimate needs for which one’s data may be used, this requirement can be met.

The ISPCP Constituency proposes:

• That all elements continue to be collected and displayed, for those authorized to obtain access.
• That adequate and full disclosure must be provided regarding the uses of data, at the point of registration, and such requirement should be enforced.
• Anonymous gTLD registrations continue to be made allowed for individuals through current processes.
• The ISPCP supports the concept of tiered access as a principle, but is concerned with cost, enforcement and other practical implementation issues that must be clearly set forth prior to the implementation of such mechanism. The ISPCP will reserve final assessment on this principle until such time that a clearly defined and viable method is proposed.

• The creation of a best practices document aimed to improve data verification, with the prospect of a global application.
• Registrars take increased and more uniform measures to verify accurate data. The ISPCP does not advocate removing all flexibility from current or future registrar practices, but some uniformity and compliance with best practices will net a more accurate database.
• ICANN staff should undertake a review of the current registrar contractual terms and determine whether they are adequate or need to be changed in order to encompass improved data accuracy standards and verification practices.

1. First and foremost, NCUC thinks it imperative that ICANN recognize the well-established data protection principle that the purpose of data and data collection processes must be well-defined before policies regarding its use and access can be established. The purpose of Whois originally was identification of domain owners for purposes of solving technical problems. The purpose was _not_ to provide law enforcement or other self-policing interests with a means of circumventing normal due process requirements for access to contact information. None of the current Whois Task Forces are mandated to revise the purpose of the Whois directory. Therefore, the original, technical purpose must be assumed until and unless ICANN initiates a new policy development process to change it.
2. Second, based on input from the community NCUC does not believe it is possible to develop technical mechanisms that can restrict port 43 or port 80 access only to a specific type of purpose; e.g., "nonmarketing uses." Access restrictions imposed by TF1 will inevitably apply to any Whois userregardless of purpose. Moreover, restricting Port 43 access while leaving Port 80 open will only drive the automated processes to Port 80. Therefore we question whether TF1 can achieve anything of value.
3. Third, given the limited scope of TF1, we think it important for the task force to refrain from making judgments about the legitimacy of, justifications for, or "need" for any non-marketing uses. It is outside the scope of TF1 to make any such determinations. Accordingly, we will oppose any access restriction policy based on classification of users.
4. Fourth, we note that automated scripts or programs using port 43 are effectively a substitute for bulk access. According to George Papapavlou of the European Union, under data protection law bulk access is a "disproportionate, privacy infringing step, unless a very convincing, specific case can be made which has to be followed by due process. This applies not only to marketing but to any purpose." Therefore, a policy determination on port 43 access is best made in conjunction with a determination on bulk access, even though this is ruled out of scope by the task force's description of work.
5. Fifth, the best way to stop abuse of ports 43 or 80 is to get data that is valuable to spammers out of the public Whois database. Data that is in Whois will be accessible to lots of people; therefore, privacy concerns require getting data out of Whois or reducing access to it for all. This is, of course, a matter for Whois Task force 2, dealing with data elements.
6. Our participation in the entire Whois process will try to make sure that minor modifications in port 43 (or 80) access do not become an excuse for doing nothing else to protect Internet users' privacy.

1. The concept is impractical. Creating such a list would add a huge operational burden to ICANN. There are hundreds of millions of Internet users and they come from every geographic region and language group, and involve data use purposes ranging from academic research to IP enforcement. ICANN would in effect be setting up a global certification process that had to be able to respond to all this diversity. If ICANN did this task conscientiously, the administrative burden would be huge. Not only would it have to investigate the legitimacy of each applicant, it should in principle also be able to constantly monitor the behavior of approved entities to make sure that they were not abusing their privileges. It would have to be willing to withdraw the privilege, and handle disputes and appeals relating to that.
   
   If ICANN did not do this task conscientiously, if it simply added entities pro forma to the list whenever they applied, then there is no reason to create the list at all. Anyone and everyone could get the status, which is no different than opening up all Whois information to everyone.
2. The concept is discriminatory. The right to access Whois data must be balanced against the privacy rights of the domain name registrants. Once the proper balance is struck, all Internet users should have the same rights to access Whois data under the same terms and conditions. Intellectual property interests have no greater claim on that information than anyone else. The White List, in our opinion, is designed to create a two-class world of the spied-upon users, who have no rights, and privileged, surveillance- authorized users, who are permitted to spy on registrants.
3. The concept violates international privacy norms. A White List would give any approved user the equivalent of bulk access to Whois zone files. According to George Papapavlou of the European Union, under data protection law bulk access is a "disproportionate, privacy infringing step, unless a very convincing, specific case can be made which has to be followed by due process. This applies not only to marketing but to any purpose." In other words, no one has the right to fish through sensitive personal data just to see if they can find anything of interest. But a White List would grant this right.
4. The White List concept is unnecessary. Under the proposals supported by registrars, NCUC, and ALAC, the concept of a known user with a known purpose making a request for each individual domain name she wants to investigate can give legitimate users and purposes access to the information they need without creating a centralized administrative entity and without violating privacy.

1. Shut off port-43 access to the public. This requires a definition of certain issues:
   • Who is the "the public"
   • Who has access
     • Registrars must be granted access to port-43 Whois, in standardized format, but only for the purposes of performing transfers and only for so long as all gTLD registries are not EPP (thick or thin) or until another inter-registrar transfer mechanism replaces it.
     • The identities of the non-public requestors must be known to the registrars and may be recorded by the registrars so that it can be communicated to the registrants in appropriate circumstances.
     • The requestor must have a defined, valid purpose for each request and that purpose must be known to the registrars and may be recorded by the registrars so that it can be communicated to the registrants. Some registrars believe a valid purpose exists currently and some do not.
     • The requestor cannot act as a proxy
   • Port-43 query rate limiting must be allowed to protect against mining, but the level of the limit must be determined.
2. Display the Whois information on a publicly accessible web site, but only in a manner such that the information cannot be easily mined, and consistent with the policies and governmental laws under which it was collected. It is the registrars' real-world experience that CAPTCHA systems (systems that perform checks for humans, such as requesting a person to type in number to access a single Whois record) and other systems (such as tracking the number of queries from a particular IP address), though imperfect, do work to greatly reduce automated data mining of the Whois via the web. Registrars must continue to be allowed to use such systems.
3. Continue to provide "identity protection" products to registrants.

1. Mining of registrar's port-43 output
2. Mining of fat registry's port-43 output
3. Mining a 3rd party's port-43 that proxies access to any registrar's or registry's port-43 output
4. Mining the registrar's web-based display of Whois information
5. Mining the fat registries web-based display of Whois information
6. Bulk access

Jeffrey J. Neuman – Chair
David Fares – Commercial and Business Users Constituency
Marilyn Cade – Commercial and Business Users Constituency
David Maher – gTLD Registries Constituency
Jeremy Banks – IP Constituency
John Wolfe – IP Constituency
Tony Harris – ISPCP
Milton Mueller – Noncommercial Domain Name Holders Constituency
Paul Stahura – Registrars Constituency

Wendy Seltzer
Thomas Roessler