[gnso-rds-pdp-purpose] purpose: collecting and publishing data for legal purposes

[Greg Aaron]

Dear sub-team:

Here's a first stab at this topic. This material mainly references ICANN policy and ICANN contracts.  I'm sure there are additional angles and references, and I am hoping legal experts can supplement.   All additions/corrections are appreciated.

************

SUMMARY:
Registration data is collected in order to record the identity of the party that has registered a gTLD domains name.  This party is the registrant, or "registered domain-name holder," and has attendant legal rights and responsibilities.  ICANN policies require that the name of the sponsoring registrar, the registrant's contact data, and other contact data be published publicly in WHOIS, so that they can be identified by and contacted by various parties for legal purposes.  Some national laws assume that domain registrants will be identified through registration data.

2013 REGISTRAR ACCREDITATION AGREEMENT (2013 RAA) { https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en }:

This document defines what a registrant is.  It states:
"1.1 "Account Holder" means the person or entity that is paying for the Registered Name or otherwise controls the management of the registered name, when that person or entity is not the Registered Name Holder....
1.16 "Registered Name Holder" means the holder of a Registered Name."

Note that an Account Holder can be the same or different from a domain's Registrant. An Account Holder can create an account at a registrar, and then use that account to register domains names for other registrants.  So, the business transaction of making a registration is related to but can also be distinct from  being a domain registrant. The 2013 RAA requires that registrars record data about the Account Holders and Registered Name Holders.  The identities of Account Holders are not necessarily published in WHOIS -- there is no "Account Holder" contact type.  If the Account Holder and Registered Name Holder are one and the same, its data appears in WHOIS in the Registrant Contact fields.

The 2013 RAA contains terms that are binding between the registrant and its registrar, stating legal rights and responsibilities.  Among others it states:
"3.7.7 Registrar shall require all Registered Name Holders to enter into an electronic or paper registration agreement with Registrar including at least the provisions set forth in Subsections 3.7.7.1 through 3.7.7.12, and which agreement shall otherwise set forth the terms and conditions applicable to the registration of a domain name sponsored by Registrar.... Registrar shall use commercially reasonable efforts to enforce compliance with the provisions of the registration agreement between Registrar and any Registered Name Holder that relate to implementing the requirements of Subsections 3.7.7.1 through 3.7.7.12 or any Consensus Policy."

Through the contracts, the registrant has rights and responsibilities under ICANN policies, and under any applicable registry and registrar policies.  Among those, all gTLD registrants are bound to the Uniform Dispute Resolution Policy (UDRP).  Registrants of new gTLD domains are also bound to the Uniform Rapid Suspension policy, or URS.  Registrants may also have legal rights and responsibilities under local laws.

ICANN UDRP and URS:

Under ICANN policy, contact data published in WHOIS is required to administrate UDRP and URS cases.  The UDRP and URS policies assume that the contact data is published publicly, where potential complainants can see it.

The Uniform Domain Name Dispute Resolution Policy { https://www.icann.org/resources/pages/policy-2012-02-25-en } states as follows:

"1. Purpose. This Uniform Domain Name Dispute Resolution Policy (the "Policy") has been adopted by the Internet Corporation for Assigned Names and Numbers ("ICANN"), is incorporated by reference into your Registration Agreement, and sets forth the terms and conditions in connection with a dispute between you and any party other than us (the registrar) over the registration and use of an Internet domain name registered by you.
2. Your Representations. By applying to register a domain name, or by asking us to maintain or renew a domain name registration, you hereby represent and warrant to us that (a) the statements that you made in your Registration Agreement are complete and accurate; (b) to your knowledge, the registration of the domain name will not infringe upon or otherwise violate the rights of any third party; (c) you are not registering the domain name for an unlawful purpose; and (d) you will not knowingly use the domain name in violation of any applicable laws or regulations. It is your responsibility to determine whether your domain name registration infringes or violates someone else's rights."

The accompanying Rules for Uniform Domain Name Dispute Resolution Policy (the "Rules", https://www.icann.org/resources/pages/udrp-rules-2015-03-11-en ) state:

"Registrar means the entity with which the Respondent has registered a domain name that is the subject of a complaint.
Registration Agreement means the agreement between a Registrar and a domain-name holder.
Respondent means the holder of a domain-name registration against which a complaint is initiated."

The UDRP Rules then require that official communications be sent to the contacts published in WHOIS, specifically the Registrant, Administrative, and Technical contacts:
"2. Communications
(a) When forwarding a complaint, including any annexes, electronically to the Respondent, it shall be the Provider's responsibility to employ reasonably available means calculated to achieve actual notice to Respondent. Achieving actual notice, or employing the following measures to do so, shall discharge this responsibility:
(i) sending Written Notice of the complaint to all postal-mail and facsimile addresses (A) shown in the domain name's registration data in Registrar's Whois database for the registered domain-name holder, the technical contact, and the administrative contact and (B) supplied by Registrar to the Provider for the registration's billing contact; and
(ii) sending the complaint, including any annexes, in electronic form by e-mail to:
(A) the e-mail addresses for those technical, administrative, and billing contacts;....
(e) Either Party may update its contact details by notifying the Provider and the Registrar."

The URS { https://newgtlds.icann.org/en/applicants/urs/procedure-01mar13-en.pdf  } contains similar requirements to use domain contact data published in WHOIS:
"[The Complaint will contain the following:]
1.2.3 Name of Registrant (i.e. relevant information available from Whois) and Whois listed available contact information for the relevant domain name(s).
1.2.4 The specific domain name(s) that are the subject of the Complaint. For each domain name, the Complainant shall include a copy of the currently available Whois information and a description and copy, if available, of the offending portion of the website content associated with each domain name that is the subject of the Complaint....
4.2 Within 24 hours after receiving Notice of Lock from the Registry Operator, the URS Provider shall notify the Registrant of the Complaint ("Notice of Complaint"), sending a hard copy of the Notice of Complaint to the addresses listed in the Whois contact information, and providing an electronic copy of the Complaint....
4.3 The Notice of Complaint to the Registrant shall be sent through email, fax (where available) and postal mail. The Complaint and accompanying exhibits, if any, shall be served electronically."

The URS Rules {  { https://newgtlds.icann.org/en/applicants/urs/rules-28jun13-en.pdf  }  state:
"2. Communications
(a) When forwarding a Complaint, including any annexes, electronically to the Respondent, it shall be the Provider's responsibility to employ reasonably available means calculated to achieve actual notice to Respondent. Achieving actual notice, or employing the following measures to do so, shall discharge this responsibility:
(i) sending the Notice of Complaint to all email, postal mail and facsimile addresses shown in the domain name's registration data in the Whois database for the registered domain-name holder, the technical contact, and the administrative contact, as well as to any email addresses for the Respondent provided by the Complainant..."

CONSENSUS POLICY: EXPIRED DOMAIN DELETION POLICY

The Expired Domain Deletion Policy  { https://www.icann.org/resources/pages/registars/accreditation/eddp-en } requires that registrant data be published in WHOIS and handled in a certain way during UDRP disputes:

"3.7.5.7 In the event that a domain which is the subject of a UDRP dispute is deleted or expires during the course of the dispute, the complainant in the UDRP dispute will have the option to renew or restore the name under the same commercial terms as the registrant. If the complainant renews or restores the name, the name will be placed in Registrar HOLD and Registrar LOCK status, the WHOIS contact information for the registrant will be removed, and the WHOIS entry will indicate that the name is subject to dispute."

CONSENSUS POLICY: INTER-REGISTRAR TRANSFER POLICY:

The newest version of the Inter-Registrar Transfer Policy [ https://www.icann.org/resources/pages/transfer-policy-2015-09-24-en ] became Consensus Policy in 2015 and takes effect on 1 August 2016.  A slightly different version became effective 31 January 2015 { https://www.icann.org/resources/pages/policy-transfers-2014-07-02-en }.

The policy is a set of requirements regarding the transfer of domains from one sponsoring registrar to another.  A purpose of the policy is to prevent transfers that have not been authorized by the domain holder (including malicious "domain hijackings").  As such, the Policy defines who has rights to the domain, and states that only Administrative Contacts  and the Registered Name Holders (Registrant contacts)  may authorize transfers.  The Policy states that these contacts must be published in the publicly-accessible WHOIS.

The version of the Policy taking effect on 1 August 2016 says:

"1.1 Transfer Authorities
The Administrative Contact and the Registered Name Holder, as listed in the Losing Registrar's or applicable Registry's (where available) publicly accessible Whois service are the only parties that have the authority to approve or deny a transfer request to the Gaining Registrar. In the event of a dispute, the Registered Name Holder's authority supersedes that of the Administrative Contact.

Registrars may use Whois data from either the Registrar of Record or the relevant Registry for the purpose of verifying the authenticity of a transfer request; or from another data source as determined by a consensus policy....

2.1.2 In the event that the Gaining Registrar relies on a physical process to obtain this authorization, a paper copy of the FOA will suffice insofar as it has been signed by the Transfer Contact and further that it is accompanied by a physical copy of the Registrar of Record's Whois output for the domain name in question....

2.2.1 Transmission of a "transfer" command constitutes a representation on the part of the Gaining Registrar that the requisite authorization has been obtained from the Transfer Contact listed in the authoritative Whois database....

3.6 In the event that a Transfer Contact listed in the Whois has not confirmed their request to transfer with the Registrar of Record and the Registrar of Record has not explicitly denied the transfer request, the default action will be that the Registrar of Record must allow the transfer to proceed.

II.B. Availability of Change of Registrant
1.1 In general, registrants must be permitted to update their registration/Whois data and transfer their registration rights to other registrants freely."


NATIONAL LAWS:

There are national laws that address the registration and use of gTLD domain names.  These laws assume that registrants can be identified via registration data.

An example is the U.S. Anticybersquatting Consumer Protection Act (ACPA), 15 USC §1125(D) { https://www.law.cornell.edu/uscode/text/15/1125 }   This law "was intended to prevent 'cybersquatting,' an expression that has come to mean the bad faith, abusive registration and use of the distinctive trademarks of others as Internet domain names, with the intent to profit from the goodwill associated with those trademarks." (Shields v. Zuccarini, 254 F3d 476 3d Cir. 2001)  The ACPA is used to contest the registration of gTLD domains.

The ACPA assumes that the identity of the registrant is established via registration records provided by the registrar: "A person shall be liable for using a domain name under subparagraph (A) only if that person is the domain name registrant or that registrant's authorized licensee."  The ACPA also states that the plaintiff may send a notice of the alleged violation and intent to proceed under legal process "to the registrant of the domain name at the postal and e-mail address provided by the registrant to the registrar."  The law also requires that "Documents sufficient to establish control and authority regarding the disposition of the registration and use of the domain name" must also be deposited with the court.

[NOTE to WG: Does anyone know of other national laws that apply to gTLD names?  Please insert here.  I googled a bit but did not find any readily.  The Danish Domain Name Act is applicable to .DK domains only, the French Post and Electronic Communications Code (CPCE) applies to .FR and .RE domains only, Belgium's Act on Cybersquatting is for .BE domains only, and the Finnish Domain Nama Act applies to .FI domains only.)

*************

All best,
--Greg


**********************************
Greg Aaron
Vice-President, Product Management
iThreat Cyber Group / Cybertoolbelt.com
mobile: +1.215.858.2257
**********************************
The information contained in this message is privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-purpose/attachments/20160331/67edbbe2/attachment-0001.html>