WHOIS TASK FORCE 2 .pdf version

1. Introduction
      1.1 Previous Discussion
      1.2 Genesis of the Task Force
      1.3 Terms of Reference
      1.4 Overview of Recommendations
2. Findings on each issue
      2.1 Notification and Consent
      2.2 Proxy Registrations
      2.3 Local Law
      2.4 Collection of Data
      2.5 Publication of Data
3. Recommendations
      3.1 Notification and Consent
      3.2 Proxy Services
      3.3 Local Law
      3.4 Collection of Data
      3.5 Publication of Data
4. Impact of recommendations
5. Outreach efforts
6. Task force vote
      6.1 Public Comments on Terms and Conditions
      6.2 Data Gathering Process
Appendix A – Data Analysis
      I. National laws and regulations
      II. Current practices by registrars, registries, and resellers
            A. Current data gathered and displayed, by TLD
            B. Existing proxy registration or anonymization services
      III. Current Use of Whois Data

1. Introduction

The WHOIS service dates back at least to 1985 and, as defined in RFC 954, provides a “directory service to Internet users”. Today the WHOIS “directory” includes contact information for tens of millions of domain names, and is used for a wide variety of purposes by network operators, business of all kinds, law enforcement, consumer protection agencies, and members of the public. Through its contracts, ICANN requires registries and registrars to gather and display both technical information and contact details for all registrants. As an increasingly diverse range of both registrants and WHOIS data users have begun making use of the domain name system in recent years, situations have arisen where a registrant’s contact information may be considered sensitive, and calls have been made for better privacy protections within the WHOIS system. This Task Force was chartered to examine the manner in which data is both collected and displayed. We make a number of recommendations that allow the WHOIS service to continue to serve its valuable contactability function, while providing protection for the privacy needs of domain name registrants where appropriate.

1.1 Previous Discussion

WHOIS has been a topic of interest and focus for ICANN since its early days. Following up on the work of a WHOIS Committee convened by ICANN staff to give advice on implementation of WHOIS for the .com/.net/.org domains as required under the RAA, the DNSO (Domain Name Supporting Organization, the precursor to the GNSO) created a Names Council committee. Based on the recommendations of that committee, the DNSO created a task force, with the terms of reference: “Consult with the community with regard to establish whether a review of questions related to ICANN’s WHOIS policy is due and to recommend a mechanism for such a review”. This initial task force was originally composed of representatives from all constituencies, including the ccTLDs and the General Assembly, and was later expanded to include up to three representatives of each of the constituencies of the DNSO and of the General Assembly. The task force launched a survey of WHOIS and its use, analyzed the responses, and prepared a report that included both consensus policy recommendations and other considerations for the Council to consider in further policy work. The survey finding and analysis, and initial Task Force’s membership can be found at http://www.dnso.org/dnso/notes/20021015.NCWhoisTF-interim-report.html and the Task Force's membership at http://www.dnso.org/clubpublic/nc-whois/Arc00/msg00000.html.

In order to meet its mandate of consulting broadly with the community, in addition to the survey and analysis of the responses, the initial task force undertook extensive outreach to various experts and groups, in order to inform and provide additional input to the task force, including consultation within the constituencies and General Assembly. Consultation via conference calls were held with experts from ccTLDs, IETF leadership, the Security and Stability Advisory Committee regarding its report on the impact of WHOIS on security and stability of the Internet; two presentations were hosted with .name and the IETF CRISP working group. Transcripts of these conference call consultations were provided and are available in the DNSO archive. In the course of the work of the Task Force, workshops were also held to brief Council, the Board and the community; these workshops included both reports on the work of the Task Force and its findings, and also on the expert input the Task Force was receiving, including questions related to privacy and accuracy of data.

A final policy report was prepared on November 30, 2002. Public comments were solicited until December 8, 2002, and a (revised) final Policy Report published in December, 2002, proposing both consensus policy and enhancements in ICANN’s enforcement of existing obligations in two areas: Accuracy and Bulk access.

Further work was recommended for both areas and on searchability and consistency of data elements across all TLDS. At its Amsterdam meeting, the Council discussed the task force report and reopened the report for further comment by constituencies and the community. Also at the Amsterdam meeting, the Council also established an Implementation Committee with a deadline of January 31,2003.

The initial WHOIS task force recommended a number of consensus policies that were, after revision by the Implementation Committee and review by the task force, adopted by the GNSO Council and the ICANN board:

1. WHOIS Data Accuracy
   • WHOIS Data Reminder Policy
   • Interaction between deletions of domain names due to inaccurate WHOIS data and the the Redemption Grace Period.
2. Bulk Access
   • Use of Bulk Access WHOIS data for marketing purposes should not be permitted, regardless of the medium used for marketing.
   • Users who license bulk access to WHOIS data must agree not to sell or redistribute the data except as included in “value-added products” that do not permit extraction of a significant portion of the data. (I.e., the clause specified in RAA 3.3.6.5 is now mandatory.)

The recommendations of the initial task force included the continuance of work by Council in several areas.These were not presented as consensus policy but as recommendations to Council for consideration in the further work of Council related to WHOIS.

The final consensus policy recommendations, and other findings of the initial task force, can be found in the Final Report of the GNSO Councils WHOIS TF on Accuracy and Bulk Access, Feb. 6, 2003 approved by the Council, and forwarded to the ICANN Board on 20 February 2003.

The Implementation Committee report can be found at http://www.dnso.org/clubpublic/nc-impwhois/Arc00/msg00057.html. The Council received the Implementation Committee report and included its recommendations in the final Report forwarded to the Board 20 February 2003.

1.2 Genesis of the Task Force

Following the work and recommendation of the initial WHOIS task force, the Council discussed how to proceed on WHOIS issues. The Council did not consider the further recommendations of the initial task force definitive, and thus, there may appear to be something of a discontinuity between the recommendations for further work provided by the initial WHOIS task force and the ongoing GNSO task force work on WHOIS. Some areas suggested by the previous task force are being addressed, and some are pending.

The Council was divided on how to proceed in addressing next stages of work on WHOIS, with some members preferring to focus on the recommendations from the Task Force for next stages of work, and others primarily concerned about privacy aspects of WHOIS. At its meeting in Rio de Janeiro, Council decided to ask ICANN staff to prepare a staff manager's report on WHOIS privacy that would consolidate reports received from the WHOIS Task Force and NCUC. The Council also agreed to schedule discussion of remaining accuracy issues for six months after the implementation of the WHOIS recommendations before the board in Rio de Janeiro, or until completion of the policy development process on privacy, whichever comes first. As suggested in the Staff Manager's Issues Report on Privacy Issues Related to WHOIS, the Council decided to create a WHOIS Privacy Steering Group, in order to examine what issues should be addressed by further WHOIS task forces of Council. Council also requested the ICANN President to organize a workshop for the Montreal meetings which should incorporate the GNSO constituencies as well as the Government Advisory Committee and other groups. The WHOIS Steering Group attempted to identify a neutral chair, but given time constraints, the group agreed to conduct their work with Bruce Tonkin, the chair of Council, as the Chair of the group. The group included members from all constituencies, liaisons from ALAC, ccTLDs, GAC and Council members appointed by the Nominating Committee.

The group worked to identify priorities for the community based on a review of the constituencies and the stakeholders perspectives. This work provided the basis for Council’s chartering of further Task Force work on WHOIS.

The Privacy Steering Group held several conference call meetings, and met face to face at ICANN meetings. Parallel to the steering group’s work, ICANN hosted two workshops in Montreal and Tunisia, where invited experts from key stakeholder groups were invited to present. Presentations were invited from all constituencies and the At Large Advisory Committee. Participants included the OECD, the U.S. Federal Trade Commission, the US Department of Justice, the European Commission, WIPO, data privacy experts from Europe, industry experts in intellectual property issues affected by WHOIS, and ccTLD managers who were invited as experts on how particular issues are dealt with within their ccTLD.

The Council reviewed the work and recommendations of the original TF, and the WHOIS Privacy Steering Group, as well as the public comments and workshop presentations and the formal decision of the At-Large Advisory Committee to raise the review of data elements collected and displayed as an issue for policy development, and decided to create a new PDP related to WHOIS policy. The Council was divided on how best to address the work and after much debate, decided to launch three simultaneous task forces on WHOIS, with the assumption that the alignment of recommendations will take place in Council. WHOIS Task Forces 1 and 2 were launched on 22 October 2003 and Whois Task Force 3 on 23 October 2003; the Descriptions of Work (DOW) of each Task Force is available at:

1.3 Terms of Reference

The purpose of this task force is to determine:

a) What the best way is to inform registrants of what information about themselves is made publicly available when they register a domain name and what options they have to restrict access to that data and receive notification of its use?

b) What changes, if any, should be made in the data elements about registrants that must be collected at the time of registration to achieve an acceptable balance between the interests of those seeking contact-ability, and those seeking privacy protections?

c) Should domain name holders be allowed to remove certain parts of the required contact information from anonymous (public) access, and if so, what data elements can be withdrawn from public access, by which registrants, and what contractual changes (if any) are required to enable this? Should registrars be required to notify domain name holders when the withheld data is released to third parties? If registrants have the ability to withhold data from public anonymous access, will this increase user incentive to keep the contact information they supply current and accurate.

To ensure that the task force remains focused and that its goal is achievable and within a reasonable time frame, it is necessary to be clear on what is out of scope for the task force.

Out-of-scope:

The task force should not examine the mechanisms available for anonymous public access of the data - this is the subject of a separate task force.

The task force should not examine mechanisms for law enforcement access to the data collected. This is generally subject to varying local laws, and may be the subject of a future task force.

The task force should not study new methods or policies for ensuring the accuracy of the required data, as this will be subject of a separate task force.

The task force should not consider issues regarding registrars' ability to use Whois data for their own marketing purposes, or their claims of proprietary rights to customers' personal data.

1.4 Overview of Recommendations

The task force discussions and ensuing recommendations focus on our attempt to balance the needs and rights of registrants to keep their personal information from wrongful access and misappropriation while enabling legitimate uses of the data elements and respecting the needs of those requesting access to the data.

The Task Force recommends a number of changes to current WHOIS policy that are intended to reflect this balance in a reasonable and consistent manner. These recommendations are described in detail in section 3 of this report, but are summarized below:

• More conspicuous notice to registrants by registrars, at the point of registration, of the possible uses of Whois data.
• More conspicuous notice and clarifications to registrants by registrars, at the point of registration, as to the process by which registrant data will be shared.
• Further inquiry should be made into proxy registration services provided by registrars and others in order to provide increased privacy for registrants.
• Registries and registrars should not have to violate local data protection laws in order to conform with Whois policy. If there is a conflict of law and Whois policy, a process should be in place to allow for registrars to show such conflict and make appropriate changes needed for it to conform to the respective local laws.
• The task force believes that a system that provides different data sets for different uses (also known as "tiered access") should be explored to see if it may serve as a useful mechanism to balance the privacy interests of registrants with the ongoing need to contact those registrants by other members of the Internet community, and to determine its viability, balance of interests and financial feasibility.

2. Findings on each issue

2.1 Notification and Consent

According to the ICANN Registrar Accreditation Agreement (RAA), Registrars are required to form an agreement with Registered Name Holders containing the following elements.

Section 3.7.7 of the RAA addresses the requirements of the Registrar/Registrant agreement, including the need for accurate and reliable registrant contact information. To the extent the notice to registrants of data elements collected and displayed are not clear or may be overlooked by registrants based on the overall length and complexity of the registration agreement, it is useful to change the format so that better notice is delivered to registrants. The task force finds that disclosures regarding availability and access to Whois data should be set aside from other provisions of a registration agreement by way of bigger or bolded font, a highlighted section, simplified language or otherwise made more conspicuous.

It follows that separate consent to the Whois disclosures is also useful. By obtaining separate consent from registrants, at the time of agreement, to the specific Whois data provisions, it would further draw attention to and facilitate better understanding of the registrar’s Whois disclosure policy.

2.2 Proxy Registrations

“Proxy Services” were looked at during the Task Force's data analysis phase; see appendix A for results from that phase of the Task Force's work. Groups that submitted preliminary statements during this phase of the Task Force's work included the IPC, NCUC, ISPCP, and ALAC. ISPCP pointed to various proxy providers. IPC indicated that only little anecdotal data about how these services work in practice was available. NCUC warned that the proxy situation means that an intermediary is inserted into the contractual relationship between the “actual” registrant and the registrar, and that this party can do whatever it wants with the domain name. NCUC also pointed out that proxy services are not providing anonymity suitable to protect free speech, because of liabilities incurred by those offering these services. ALAC identified disclosure of actual registrants' identity on slight provocation as the chief problem with proxy services, and suggested that wrongdoing could be stopped without revealing actual registrants' identities. ALAC also pointed to the risks created by inserting a proxy into the contractual relationships between registrar and actual registrant.

Proxy Services were addressed in formal constituency statements by the IPC and NCUC. IPC suggested further research on the use of these services, and identified a number of issues that could be addressed in this kind of research.

NCUC specifically proposed removing sections from the Registrar Accreditation Agreement that require proxy services to disclose registrant and administrative contact data for reasons falling short of legal due process (specifically section 3.7.7.3 of the RAA), and characterized the services as “not providing true protections for privacy or freedom of expression.”

During discussion, NCUC and ALAC representatives suggested that these proxy services do not provide sufficient privacy protections, and proposed stricter protections. IPC recommended further study of proxy services, since the evidence available on the business practices of existing proxy services was insufficient.

Registrar and ALAC representatives argued that regulating the conduct of proxy services that work by registering domain names that are then sub-licensed to registrants proper would amount to generally regulating registrant conduct, and would be undesirable.

Registrar and ALAC representatives also argued that use of this kind of proxy service as a model for large-scale privacy protection would undermine basic assumptions that are at the heart of the new inter-registrar transfers policy, and would break this policy. IPC representatives suggested that further research in this area was needed.

A registrar representative pointed out that proxy services should not be considered a final solution, and that pushing registrants to a separate for-pay service may not address local privacy law concerns. It was also noted that, when provided free of charge, proxy services would effectively lead to a tiered access proposal. A registrar representative stated that his constituency may be more comfortable with a tiered access model than with proxy services, but that no consensus has yet been reached.

Related models under which registrars proxy some communication for registrants were also discussed in the context of balancing contactability and privacy: It was, for instance, suggested that registrars may provide an electronic point of contact for registrants and domain name contacts, without making the registrant's usual e-mail address publicly available.

2.3 Local Law

Registrars are obligated per section 3.3 of the RAA to make available a predefined set of data elements on the whois. As this dataset might contain personal data and Registrars contracting with ICANN, to be able to provide domain name registration services, might operate under different legislation than ICANN the taskforce was mandated in the description of work for Task Force 2:

Document examples of existing local privacy laws in regard to display/transmittal of data (DOW TF2)

to investigate if this obligation might lead to problems in regard to existing privacy laws and regulations in these legislations.

After documenting and reviewing the examples of local privacy laws it is the Task Force’s finding that different nations have very different privacy laws and that the determination whether they are applicable to the gTLD WHOIS situation is not an easy one. However, situations have arisen in which privacy laws or regulations have conflicted with WHOIS-related contractual obligations with ICANN. For example, the recently revised .name WHOIS policy which had to be changed to comply with a request of the UK Data Commissioner. In the Task Force’s questionnaire the Global Names Registry stated that:

“we have changed, and may have to change in the future, the WHOIS policy to follow local regulation as it evolves and incase of successful complaints to the Information Commissioner.” (http://gnso.icann.org/mailing-lists/archives/dow2tf/msg00152.html)

The Task Force belives that there is an ongoing risk of conflict between a registrars or registries legal obligations under local privacy laws and their contractual obligations to ICANN.

Since the variety of the existing local privacy laws does not allow for a One-Size-Fits-All solution the Registrars and Registries encountering such local difficulties should be allowed an exception from the contractual WHOIS obligation for the part of the WHOIS data in question by the local regulation. after proving the existence of such a conflict with a law or regulation. In addition a procedure should be established for seeking to resolve such conflicts with local authorities as new regulations evolve in a way that promotes stability and uniformity of the WHOIS system.

Such steps will undoubtedly achieve a greater legal certainty and foster the international competition on the domain name market.

2.4 Collection of Data

In the Description of Work, the GNSO Council asked the Task Force:  "What Changes, if any should be made in the data elements about registrants that must be collected at the time of registration to achieve an acceptable balance between the interests of those seeking contact-ability, and those seeking privacy protection." Through the use of questionnaires to which constituencies and members of the public were invited to respond, the Task Force attempted to determine whether there was any consensus on the elimination or expansion of the existing data elements that are collected and disclosed via Whois.

The Noncommercial Users' Constituency (NCUC) commented that Registrars should follow well-established data protection principles before collecting extensive personal data, including name, address, phone and email for registrants and administrative contacts.  NCUC felt the current data elements raise deep concerns for privacy and anonymous expression, and that Registrars should be allowed to collect this data as-needed for business purposes, but not on a mandatory basis for global publication in the WHOIS directory. ALAC's comments similarly called for limits to the collection of personal data: "What information is actually required for placing a domain name registration should be a matter of registrars' business models, and of applicable law, not of ICANN policy."

ICANN also heard calls to limit the collection of personal data at the Rome meeting and in comments, including a reference to the European Data Protection Commissioners' Article 29 Working Party, which wrote: "it is essential to limit the amount of personal data to be collected and processed.  This should be kept particularly in mind when discussing the wishes of some parties to increase the uniformity of diverse WHOIS directories." ("Opinion 2/2003 on the application of the data protection principles to the Whois directories," http://europa.eu.int/comm/internal_market/privacy/workingroup/wp2003/wpdocs03_en.htm)

The ISP, Intellectual Property and Business constituencies stated that all data elements should continue to be collected.  The Business Constituency’s statement noted “the continued need for all the data elements that are collected in Whois today.”  The ISP constituency proposed that “all [data] elements continue to be collected and displayed, for those authorized to obtain access.”  The IP constituency opposed elimination of any data element and suggested five others whose inclusion “would improve the usefulness of Whois data.”  The Registry constituency, however, did “not see a need for additional fields beyond those presently available.”   The registrar constituency did not comment specifically on collection of data, but did propose three lists of data elements that should be displayed to different types of requesters, including at least one elements not now required to be collected or displayed under the RAA (e-mail address of registrant).

Accordingly, the Task Force proposes the following conclusions on the issues identified in Task/Milestone 2 of the Task Force 2 Description of Work:

• all of the data elements now collected are considered by at least some constituencies to be necessary for current and foreseeable needs of the community, though others dispute whether such needs are consistent with the purpose of the WHOIS database and the reasons for collection of sensitive/personal data by registrars;
• the Task Force deferred to Task Force 3 on the issue of whether Whois data can be acquired accurately at low cost;
• there was no consensus about whether any of the current elements should be made voluntary;
• some additional data elements were proposed, but questions were raised about whether some of these (e.g., date and method of last verification of data) fell within the purview of Task Force 3 rather than Task Force 2;
• no issues were raised about how the data may be acquired in compliance with applicable security, and stability considerations;
• while some view the acquisition of this data as raising privacy concerns, there was no consensus on this point, and the Task Force devoted more of its time and resources to discussing the issues raised in Tasks/Milestones 3 and 4 (limiting data made available for public access/existing and future options to maintain registrant anonymity).

2.5 Publication of Data

The topic of publication of data received considerable attention in the Task Force.  While public access to the WHOIS databases by Internet users have been a feature of the domain name system since its inception, the network was originally small and the WHOIS database was limited to the information of research and technical institutions. This data—including registrant name, address, phone and email—is now accessible to a much broader spectrum of members of the public (including on anonymous basis). With this evolution have come increasing expressions of concern about the impact of the data on personal privacy and freedom of expression infringement (outlined below). 

One topic the Task Force addressed and did not answer was the purpose of the database.  Our mandate was to balance contactability and privacy, which we have tried to do.  We leave to another day the knotty question of the ultimate purposes of this database, and whether and how they can change. 

Findings:

a) WHOIS data continues to serve a host of technical and operational functions for Registries and Registrars.  Transfers and other technical processes require the ability to access, verify and transfer WHOIS data.

b) WHOIS data often includes personally identifiable and otherwise in the registrant, administrative contact and technical contact fields. It is the type of information that, in some other contexts, individuals, human rights organizations and businesses (such as abortion clinics) have some ability to limit and control access to (e.g. an unlisted or ex-directory phone number).

c) Submissions to the Task Force show that WHOIS data is used for a wide range of uses. The data is widely used by network operators, businesses of all kinds, law enforcement, consumer protection agencies and members of the public for learning who has registered a domain name.

d) Abuses of public access to Whois data have occurred and have impacted on registrant privacy. Instances of identity theft, telemarketing, spamming and other forms of email and telephone harassment, stalking, abuse and harassment by groups acting outside of normal scope and legal need have been presented to the Task Force, although the extent of such abuses has not been documented. 

e) In order to maintain the balance of contactability and privacy, which the Task Force was charged to find, a tiered access system deserves careful consideration and received extensive discussion in the Task Force. Other options that also merit consideration but received less discussion in task force deliberations to date include proxy registration services (see questions raised in section 2.2) and the ability of domain name registrants to “opt-out” of publication of WHOIS data on a case-by-case basis (as is currently the case in some ccTLDs). 

f) Some data requesters want timely, even immediate, responsiveness to their requests for WHOIS data.  Some data subjects (domain name holders) want timely, even immediate, notification when their personal/sensitive data is requested and revealed to a third party.

Possible Balances:

Several models were submitted in Constituency statements.  The Registries recommended that only General Information be provided in the WHOIS (which is technical data without registrant, administrative contact or technical contact information).  The Registrars recommended a 3-tiered system with limited information in the public WHOIS (name/country of registrant, administrative contact and technical contact) and technical data; additional information at a screened-access second tier (name/address of registrant, administrative contact and technical contact) and all data displayed for technical purposes by registries and registrars.

Noncommercial Users Constituency called for publication of technical contact data in the WHOIS, but removal of all registrant and administrative contact fields. ALAC also requested removal of all personally identifying information, but asked as an alternative for notification of the domain name holder when his/her personal data was revealed. On the other hand, the ISPCP raised the concern that notification of the domain name holder when his/her personal data was revealed would be in conflict with ISPs’ legally mandated responsibilities in assisting law enforcement personnel would compromise ISP security and network protection efforts and would otherwise not be a viable aspect of any possible tiered system. The attention of the Task Force was also called to the example of GNR, registry operator for .name, which adopted (with ICANN approval), but has not yet implemented, a tiered access system for Whois in .name.

A tiered access proposal submitted to the Task Force during its deliberations called for a combination of some of the elements above: reduction of data available to the public for anonymous and unlimited access; additional but limited contact information provided to a party who can verify his/her/its identity and state a specific reason for the access to the particular domain name data; confirmation and then release of data via an automated process; immediate notification of the domain name holder by email of the release of personal data (allowing domain name holder to act for personal safety (e.g., data released to stalker) or enforce legal rights). Finally, registrars would be provided with access to the full data for technical co-ordination purposes, such as fulfilling inter-registrar transfer requests.

Other constituencies urged further explorations of other mechanisms to adjust the privacy/contactability balance, including (a) whether a system for withholding some contact data on individual registrants on a case-by-case basis due to special circumstances, already in place in some ccTLDs, could be viably extended to the gTLD environment as well as (b) the role of CRISP and other merging and relevant technical standards.

3. Recommendations

3.1 Notification and Consent

ICANN should:

a) incorporate compliance with the notification and consent requirement (R.A.A. Secs. 3.7.7.4, 3.7.7.5) as part of its overall plan to improve registrar compliance with the RAA. (See MOU Amendment II.C.14.d).

b) issue an advisory reminding registrars of the importance of compliance with this contractual requirement, even registrars operating primarily in countries in which local law apparently does not require registrant consent to be obtained.

c) encourage development of best practices that will improve the effectiveness of giving notice to, and obtaining consent from, domain name registrants with regard to uses of registrant contact data, such as by requesting that GNSO commence a policy development process (or other procedure) with goal of developing such best practices.

3.2 Proxy Services

The Task Force considered a proposal by the non-commercial users' constituency to strike section 3.7.7.3 of the RAA based on privacy and anonymity concerns. Concerns with proxy services were also raised with respect to issues surrounding the far-reaching control that proxy registration service providers can exercise over registrations: In the typical “proxy” setting, the service provider enters into a registration agreement and then sub-licenses the domain name to the “actual” registrant.

There was no agreement on the task force to recommend any modifications to existing ICANN policies regarding proxy services based on the information available to the Task Force.

Instead, through an appropriate mechanism, further research should be conducted on the use of “proxy registration services” within the framework of Sec. 3.7.7.3 of the RAA, including but not limited to the following issues:

• the rate of uptake of such services, their cost, and consumer response to them;
• what steps are taken to ensure the proxy service provider collects (or has immediate access to) accurate, complete and current contact information on all registrants taking advantage of such services?
• the circumstances under which contact information of the actual registrant is disclosed pursuant to the RAA provision (i.e., the “evidence of actionable harm” scenario) and the consequences of such disclosures;
• how registrants are notified when the withheld data is released to third parties;
• the impact of such services on registrar portability;
• scalability of such services;
• concerns raised by customers regarding disclosure of data;
• complaints about registrar proxy or 3^rd party proxy services, including complaints to or by law enforcement officials;
• contractual terms between registrants and proxy services.
• effect of proxy situations on the stability of domain name registrations – what happens when a proxy goes out of business, and the “actual” registrant is unknown to the registrar?
  • Usefulness of proxy services to enable anonymous free speech.

The results of such research could be used to:

• develop a set of best practices for the operation of such services; and/or
• initiate a policy development or other appropriate process toward changing the terms of Sec. 3.7.7.3, if warranted.

Further work should also be conducted on the feasibility of requiring registrars to provide e-mail forwarding services to registrants, and the impact of such a requirement upon registrant privacy and contactability. As a first step, the research agenda outlined above could be expanded to study the operation of such services to the extent they exist today.

3.3 Local Law

ICANN should develop and implement a procedure for dealing with the situation where a registrar (or registry, in thick registry settings) can credibly demonstrate that it is legally prevented by local mandatory privacy law or regulations from fully complying with applicable provisions of its ICANN contract regarding the collection, display and distribution of personal data via Whois. The goal of the procedure should be to resolve the conflict in a manner conducive to stability and uniformity of the Whois system. In all cases this procedure should include:

• Written notification by the affected registrar/registry to ICANN with a detailed report which includes but is not limited to:
  • The law or regulation that causes the conflict.
  • The part of the Whois obligation in question.
  • The steps that will have to be taken to cure the conflict.
• If data elements are removed this must be notified to the requester by the insertion of standardized notice in the Whois results advising the requester of the problem and, if possible, directing requester to another source or alternative procedure for obtaining access to this data element.
• Prompt notification from ICANN to the public informing it of the change and of the reasons for ICANN’s forbearance from enforcement of full compliance with the contractual provision in question.
• The changes must be archived on a public website for future research

Except in those cases arising from a formal complaint or contact by a local law enforcement authority that will not permit consultation with ICANN prior to resolution of the complaint under local law, the procedure should be initiated using the following steps:

• prompt notification by the affected registrar/registry to ICANN with detailed summary of the problem arising including:
  • The law or regulation that causes the conflict.
  • The part of the Whois obligation in question.
• consultation by the registrar/registry with ICANN and other parties (which may include government agencies) to try to resolve the problem/ remove the impediment to full compliance with contract.

3.4 Collection of Data

The Task Forces makes no recommendation with regards to the collection of data at this time.

3.5 Publication of Data

The task force believes that a system that provides different data sets for different uses (also known as "tiered access") may serve as a useful mechanism to balance the privacy interests of registrants with the ongoing need to contact those registrants by other members of the Internet community. The task force believes that such a system should be based on the following principles:

a) Technical and operational details about the domain name should continue to be displayed to the public on anonymous basis. Providing some basic contact information (possibly limited to the name and country for both the registrant and administrative contact) may also be appropriate in the interest of balancing contactibility and privacy concerns for publicly available information. Further contact details for the registrant and administrative contact would only be available in one or more protected tiers.

b) Registrants should have the option to direct that some or all of their protected data be displayed to the public.

c) Those meeting the requirements and identifying a legitimate use to access protected information should be able to obtain it in a timely manner.

d) Those seeking access to protected information should identify themselves in a verifiable manner. Once identified, the user would be issued a portable credential, rather than needing to verify their identity on a registrar-by-registrar (or even registry-by-registry) basis.

e) The system should be affordable, both for implementers and users.

f) Registrars and registries should continue to have full access to the WHOIS data for technical and operational purposes.

However, the task force also identified several questions that still must be answered before a tiered access system can be implemented. Specifically:

a) What process of notification to registrants, if any, should take place when their protected data is accessed other than in circumstances required by law or contract (e.g. the provision of contact to UDRP providers during a UDRP dispute, or to another registrar during a transfer)?

b) What contact data should be shown in the protected tier? How will the data compare with what is now available? How will the accuracy compare with what is now available?

c) What are the mechanisms available for identifying and authorizing those requesting access to protected information? Are those mechanisms fast? Are they affordable? Are they online? Who will administer them, using what criteria?

d) How will the costs of implementing a tiered access system be borne?

e) Will existing technology standards (such as CRISP) would support such a system? If so, how?

4. Impact of recommendations

The task force intends to assess the impact of its recommendations prior to the issuance of its final report.

5. Outreach efforts

6. Task force vote

This report was approved for publication and public comment by a unanimous vote of the task force. However, several constituencies made comments in conjunction with their vote. Those comments are recorded as footnotes to the record of votes below.

The following representatives voted to publish this report:

• Business Constituency
• ntellectual Property Constituency
• Internet Service Providers and Content Providers
• Noncommercial Users Constituency
• Registrar Constituency
• Registry Constituency

Additionally, the representative of the At-Large Advisory Committee and Amadeu Abril-i-Abril, a Nominating Committee appointee to the GNSO Council who participated in the task force, voted in favor of publishing the report.

There were no votes against publication or abstentions.

6.1 Public Comments on Terms and Conditions

After the initial publication of the task force’s terms of reference, public comments on the terms of reference were solicited. Five responses were received. Four of the responses were essentially identical in content. These responses were posted by John Lawford of the Public Interest Advocacy Centre, Barbara Simons, the Past-President of the Association of Computing Machinery, Philippa Lawson of the Canadian Internet Policy and Public Interest Clinic, and Andriy Pazyuk of Privacy Ukraine. These comments suggested that the task force’s charter should be updated to consider laws that protect privacy and freedom of expression.

The fifth comment was received from Mike Lampson of The Registry at Info Avenue. His comment indicated that an individual’s contact information should not be made available to the public, but only in limited circumstances through a “back door” with access rights managed by ICANN or some other non-government organization.

The full text of the public comments is available at http://gnso.icann.org/mailing-lists/archives/dow2/.

6.2 Data Gathering Process

Initially convened on 8 December, 2003, Task Force 2 engaged its work in a serious and diligent manner. The Task Force held weekly meetings and established a schedule for addressing the milestones outlined in the Description of Work. A mailing list was established, with public archives, and materials prepared from work completed was posted to the GNSO website on Whois Privacy issues.

The Task Force presented work-to-date in a public workshop at the Rome ICANN meeting in March 2004.

Task Force 2 developed several resources from existing data: A chart of Whois data elements required and displayed according to registry agreements; A review of the online notification practices of the top 20 registrars (in terms of number of registrants) for whois data uses and requirements; A review of the Montreal Whois workshops for relevant discussions regarding Whois data elements collection and display.

Additionally, the Task Force prepared several surveys, each aimed at a specific audience, to collect information from the GAC members, ccNSO members and ccTLD managers, Registrars, and from the GNSO constituencies. Responses to these surveys were extremely limited.

The Task Force also utilized resources produced outside of ICANN, including the 2003 OECD report: Privacy Online.

Constituency statements were received from all GNSO constituencies, and from the At-Large Advisory Committee. Using the statements and other materials, the Task Force members worked cooperatively through discussion and debate to prepare the Preliminary Report.

APPENDIX A – DATA ANALYSIS

The initial phase of Whois Task Force #2’s work involved gathering and analyzing data relating to the task force’s policy objectives. This document presents a summary analysis of the data reviewed by the task force.

The data gathering phase of the task force’s work examined the following data sources:

• Questionnaires developed by the task force for each of the GNSO’s constituencies, the GAC, the CNSO launching group, and CENTER.
• Data gathered as a part of previous ICANN-related WHOIS initiatives.
• A survey conducted by ICANN staff of data collection and consent practices by large ICANN-accredited registrars.
• Some third party studies of national laws and regulations

I. National laws and regulations

The following statements were reviewed:

George Papapavlou, European Commission:

• Personal data may be processed only if:
  • The data subject has unambiguously consented, or
  • There is a contract to which the data subject is a party.
  • Processing is necessary for compliance of legal obligation of the data controller.
  • Necessary to protect the vital interests of the data subject.
  • To perform a task in the public interest or in the exercise of official authority.
  • Legitimate interests of the controller or third parties to whom data are disclosed except where such interests are overridden by fundamental interests of data subject.
• However, personal data must be:
  • Processed fairly and lawfully.
  • Collected for specific, explicit, and legitimate purposes and not further processed in a way not incompatible with those purposes.
  • Adequate, relevant, and not excessive in relation to the processing purpose.
• Data subject does not have to consent to the disclosure of his personal data if disclosure was part of the processing purpose, of which the data subject has been informed.
• There is no explicit regulation of the transmittal of personal data to other countries that is applicable in connection with domain name registration, but Articles 25 & 26 of Directive 95/46/EC deal with transfer of personal data to third countries and apply to all cases.
  • There are various possibilities foreseen to facilitate international transfers of data while ensuring adequate data protection (consent, contracts, important public interest grounds, public information registers).
• In principle, law of the country where data controller is applies; this may be registrar/registry.
  • Where the data controller is established outside the EU but has processing activities/facilities inside the EU, the law of the EU Member State where his processing equipment is used applies.
• For more information on EU privacy principles, please see Mr. Papavlou’s presentation at http://gnso.icann.org/mailing-lists/archives/tf2-survey/msg00017.html

Marc Schneiders, Responses from the NCUC:

• Laws worldwide protect the collection, distribution and publication of personal data and give people a right to expect that their home addresses, phone numbers and email addresses will be protected. The EU Privacy Directive is the model of these laws, and its principles have been adopted by many countries (both members and not members of the EU).
• For more information, please see full NCUC comments at http://gnso.icann.org/mailing-lists/archives/tf2-survey/msg00013.html

Marvin J. Johnson, ACLU (US):

• Comments provide a legal argument for anonymity and against use of WHOIS data both for US case law regarding commercial and noncommercial registrants in the US.
• For details regarding individual cases please see ACLU comments at http://gnso.icann.org/mailing-lists/archives/tf2-survey/msg00018.html

In addition, information regarding a variety of countries was compiled below:

Country	United Kingdom
1 Overall Count
1.1 Number of Registrars	12
1.2 Rank	2
1.3 Region	Eur
2 Privacy/Anonymity Laws or Regimes
2.1 Laws (Major source for this section, and its citations: Electronic Privacy Information Center's Privacy & Human Rights: An International Survey of Privacy Laws and Development	Comprehensive laws govern the collection, use and dissemination of personal information; oversight body ensures compliance; transborder flows of personal data limited to countries with adequate levels of protection. (The UK Data Protection Act 1998 implements EU Data Protection Directive; "limitations for the use of personal information, access to and correction of records and requires that entities that maintain records register with the Information Commissioner.") Global .Name Registry ("GNR)" is required to get informed consent of the Registrants about the WHOIS policy.
2.2 Enforcement	Office of the Information Commissioner; independent agency; maintains Records Register; enforces Data Protection Act; receives complaints; forwards cases for prosecution; issues reports to public. http://www.informationcommissioner.gov.uk
3 EU Privacy Directive
3.1 Member of EU?	Yes
3.2 Link to EU Privacy Directive	http://europa.eu.int/comm/internal_market/privacy/law_en.htm
3.3 EU Opinion of WHOIS data?	EU Paper to GAC, 12 May 2003: "To the extent that Whois data refer to or allow the identification of natural persons, they fall within the scope of the European directives on personal data protection and in particular Directive 95/46/EC." "Therefore, uniformity could only be supported if data are kept to a minimum at global level. Additional registration requirements cannot be imposed on the basis of achieving uniformity."
3.4 Links to EU WHOIS comments and papers.	http://www.dnso.org/dnso/notes/ec-comments-whois-22jan03.pdf http://www.icann.org/presentations/alonso-blas-whois-workshop-24jun03.pdf http://icann.org/montreal/captioning-whois-24jun03.htm http://gnso.icann.org/mailing-lists/archives/tf2-survey/msg00017.html
4 Article 29 Data Protection Working Party *
4.1 Member of A29WP?	Yes
4.2 Existing Opinion on WHOIS?	Yes, Opinion 2/2003 on the application of the data protection principles to the Whois directories (WP76): "In the light of the proportionality principle, it is necessary to look for less intrusive methods that would still serve the purpose of the Whois directories without having all data directly available on-line to everybody."
4.3 Link to Opinion on WHOIS	English http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2003/wp76_en.pdf. Posted in 11 languages http://europa.eu.int/comm/internal_market/privacy/workingroup/wp2003/wpdocs03_en.htm.
5 County Code Registries
5.1 ccTLD WHOIS Policy/data elements	"Registrant Opt-Out" of Nominet
5.2 Any limitations on data elements collected and/or displayed?	Yes, only name/address shown for .UK domain names displayed. Additional opt-out of address listing for domain names of "consumers" not using them for business purposes.
5.3 Links to ccTLD WHOIS policy	http://www.nic.uk/RegistrantOpt-out.html
5.4 Comments on WHOIS
5.5 Links to comments on WHOIS	http://www.dnso.org/dnso/dnsocomments/comments-whois/Arc00/doc00001.doc
6 gTLD Registries
6.1 Links to gTLD WHOIS Policy
6.2 Comments on WHOIS	Global Name Registry has been contacted by the UK Data Commissioner regarding the .name WHOIS. Contact info is www.informationcommissioner.gov.uk. GNR has changed and may have to change again in the future, its WHOIS policy to follow local regulations due to successful complaints to the UK Information Commissioner. For more information on the principles guiding EU member states' national privacy laws, please see comments submitted by GAC member, George Papapavlou on the principles and explanation of the EU Data Protection Directive. http://gnso.icann.org/mailing-lists/archives/tf2-survey/msg00017.html
6.3 Links to comments on WHOIS	http://gnso.icann.org/mailing-lists/archives/tf2-survey/doc00001.doc
7 gTLD Registrars
7.1 Comments on WHOIS
7.2 Links to comments on WHOIS
8 OECD Privacy Guidelines
8.1 Member of OECD?	Yes
8.2 Explanation OECD Privacy Principles	OECD Privacy Principles, see Endnote [1].
8.3 Link to OECD Privacy Principles	http://www.oecd.org/document/18/0,2340,en_2649_37441_1815186_1_1_1_37441,00.html
8.4 Additional OECD Reports on Privacy?	PRIVACY ONLINE: OECD GUIDANCE ON POLICY AND PRACTICE (14th November, 2003)
8.5 Links to Additional OECD Privacy Report	http://www1.oecd.org/publications/e-book/9303051E.PDF
9 Other relevant comments collected but not yet referred to	.nl Registry http://www.icann.org/presentations/boswinkel-whois-workshop-24jun03.pdf
10 Principles	[2] EU Data Protection Directive Principles
	Collection Limitation Principle. "There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject."
	To the extent that Whois data refer to or allow the identification of natural persons, they fall within the scope of the European directives on personal data protection and in particular Directive 95/46/EC. The following principles embedded in this Directive are particularly relevant to the Whois data discussion:
	personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes
	the term processing means any operation, including collection, storage, retrieval, consultation, use, disclosure, dissemination, alteration, destruction
	personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed (can the same purpose be achieved through less privacy-intrusive means?)
	personal data must be accurate and, where necessary, up to date
	personal data may be processed only if the data subject has unambiguously given his consent; or if processing is necessary: for the performance of a contract to which the data subject is party; for compliance with a legal obligation; for the performance of a contract to which the data subject is party; for compliance with a legal obligation; for the performance of a task carried out in the public interest; or for the purposes of legitimate interests pursued by the controller or by the third party to whom the data are disclosed, except where such interests are overridden by the privacy interests of the data subject.
	every data subject has the right to obtain from the controller at reasonable intervals confirmation as to whether data relating to him are being processed and for what purpose
	the data subject has the right to object to the processing for direct marketing purposes of personal data relating to him
	the transfer to a third country of personal data may take place only if the third country in question ensures an adequate level of protection.