[council] Updated consensus recommendation on improving notification to Registered Name Holders of the public access to contact data via the WHOIS service

Bruce Tonkin Bruce.Tonkin at melbourneit.com.au
Wed Jul 27 12:44:35 UTC 2005


Hello All,

I have updated the consensus recommendation proposal that I posted on 25
June 2005 (following a GNSO Council meeting) based on feedback received
from members of the IP constituency and registrars.

(1) I have added an explicit reference to RAA Clause 3.7.7.5 as
requested by Niklas Lagergren in the GNSO Council meeting in Luxembourg
(at the end of the (I) Background).

(2) In the (II) Problem statement (second paragraph after ICANN mission
and values) - I have made the language a bit more neutral regarding the
expectations of registrants regarding public access to information -
without implying that registrants at some locations may behave
differently from those at other locations with different laws.    I have
also improved the wording of the following paragraph to make it clearer
that a registrant may provide a range of information to a registrar, but
that the registrant should be clear as to which pieces of data will be
made public.

(3) In (III) the Proposed Consensus Recommendation, I have clarified
that ICANN will provide information on best practices for making the
WHOIS requirements clear in the registration agreement.



Regards,
Bruce Tonkin




(I) Background
===============

The obligations of a registrar are governed by the Registrar
Accreditation Agreement (RAA)
(http://www.icann.org/registrars/ra-agreement-17may01.htm) and ICANN
consensus policies
(http://www.icann.org/general/consensus-policies.htm).

The obligations of a Registered Name Holder (Registrant) are governed by
an electronic or paper registration agreement with the Registrar.  Each
Registrar's agreement is different, and Registered Name Holders (or
their agents) should review each agreement when making their choice of
Registrar.

A registrar is obligated by the RAA to require a Registered Name Holder
to agree to provide to the registrar accurate and reliable contact
details and promptly correct and update them during the term of the
Registered Name registration (clause 3.7.7.1 of the RAA).

A registrar is obligated by the RAA to, at its expense, provide an
interactive web page and a port 43 Whois service providing free public
query-based access to up-to-date (i.e., updated at least daily) data
concerning all active Registered Names sponsored by the Registrar
(clause 3.3.1 of the RAA).   In addition a Registrar must provide
third-party bulk access to the data  (clause 3.3.6 of the RAA).

A registrar is obligated by the RAA (clause 3.7.7.4) to provide notice
in the registration agreement with the Registered Name Holder stating:

(a) The purposes for which any Personal Data collected from the
applicant are intended;

(b) The intended recipients or categories of recipients of the data
(including the Registry Operator and others who will receive the data
from Registry Operator);

(c) Which data are obligatory and which data, if any, are voluntary; and

(d) How the Registered Name Holder or data subject can access and, if
necessary, rectify the data held about them.

A registrar is also obligated by the RAA (clause 3.7.7.5) to obtain
consent from the registrant to the data processing described above
(clause 3.7.7.4).



(II) Problem statement with respect to ICANN's mission and Core Values
=====================================================================

From Article 1, Section 1 of the ICANN Bylaws
(http://www.icann.org/general/bylaws.htm#I ):

"The mission of The Internet Corporation for Assigned Names and Numbers
("ICANN") is to coordinate, at the overall level, the global Internet's
systems of unique identifiers, and in particular to ensure the stable
and secure operation of the Internet's unique identifier systems. In
particular, ICANN:

	1. Coordinates the allocation and assignment of the three sets
of unique identifiers for the Internet, which are

	a. Domain names (forming a system referred to as "DNS");

	b. Internet protocol ("IP") addresses and autonomous system
("AS") numbers; and

	c. Protocol port and parameter numbers.

	2. Coordinates the operation and evolution of the DNS root name
server system.

	3. Coordinates policy development reasonably and appropriately
related to these technical functions."


In addition one of ICANN's core values is:
"Preserving and enhancing the operational stability, reliability,
security, and global interoperability of the Internet."   (Core value 1,
from Article 1, section 2)


The problem with the current system is that although registrars are
required to include information in the registration agreement on the
purposes for which data is collected and the intended recipients of the
data, the information is often hard to find in long agreements, and
often the information does not explicitly explain that personal data is
freely available to third parties via the WHOIS service  (for example
sometimes a registrar makes a general statement such as that the
information is provided to third parties in accordance with ICANN
policies).

Some registrants would not expect their personal data to be used for
anything other than the registration and renewal of a domain name, and
the authentication of an entity claiming to be the registrant.   Where
data is made public, registrants may expect to be able to opt-out of
public display of the information.

The lack of knowledge amongst Registered Name Holders can lead to
security problems for domain names.   Registered Name Holders may
provide Personal information to companies that can be used by those
companies for authentication (for example home billing address), and
separately provide public information (such as post office box and
business telephone number, typically via websites, whitepages and yellow
pages services) suitable for third parties to contact the Registered
Name Holders.  Without an understanding of which information will be
made public via the WHOIS service, a Registered Name Holder may be
inadvertently releasing information to the public normally used for
authentication.   If a Registered Name Holder inadvertently provides
information to a registrar for public display, this may assist domain
name hijackers (and those using stolen credit cards) to pretend to be
the Registered Name Holder.   An improved understanding by Registered
Name Holders of the purpose of WHOIS and the data elements displayed in
the WHOIS service may improve the security and stability of the DNS.

Thus the problem falls under the ICANN mission, and in particular the
first core value.


(III) Proposed Consensus Recommendation
=======================================

(1) Registrars must provide notice in the registration agreement with
the Registered Name Holder that is easy to find, clear, and conspicuous
within the registration agreement stating:

(a) The purposes of the WHOIS service, which consists of the provision
of an interactive web page and a port 43 Whois service providing free
public query-based access to up-to-date (i.e., updated at least daily)
data concerning all active Registered Names sponsored by the Registrar.
In addition the WHOIS service includes the provision of third-party bulk
access to the data.

(b) The purposes of the Registered Name Holder, technical, and
administrative contacts

(c) Which of the contact data in (b) will be made public via the WHOIS
service in (a).


(2) ICANN must provide on its website information on industry best
practice to meet the obligation in (1) above.

The proposed recommendation will help ensure that Registered Name
Holders are more fully informed about registrar data handling practices
and obligations, and that they provide current and accurate contact
information that is appropriate for public access and sufficient for
third parties to contact them in accordance with the purposes of the
WHOIS service.   The purposes will be refined as part of the current
WHOIS task force work.   Information (which may include Personal Data)
that can be used for authentication and billing purposes may be
separately provided to registrars.





