[council] Review of Registrar disclosure of WHOIS data policies

Bruce Tonkin Bruce.Tonkin at melbourneit.com.au
Mon Jun 6 10:58:36 UTC 2005

Hello Maria,

As discussed on the Council call last week, all registrars are required


3.7.7 Registrar shall require all Registered Name Holders to enter into
an electronic or paper registration agreement with Registrar including
at least the following provisions: The Registered Name Holder shall provide to Registrar accurate
and reliable contact details and promptly correct and update them during
the term of the Registered Name registration, including: the full name,
postal address, e-mail address, voice telephone number, and fax number
if available of the Registered Name Holder; name of authorized person
for contact purposes in the case of an Registered Name Holder that is an
organization, association, or corporation; and the data elements listed
in Subsections, and A Registered Name Holder's willful provision of inaccurate or
unreliable information, its willful failure promptly to update
information provided to Registrar, or its failure to respond for over
fifteen calendar days to inquiries by Registrar concerning the accuracy
of contact details associated with the Registered Name Holder's
registration shall constitute a material breach of the Registered Name
Holder-registrar contract and be a basis for cancellation of the
Registered Name registration. Any Registered Name Holder that intends to license use of a
domain name to a third party is nonetheless the Registered Name Holder
of record and is responsible for providing its own full contact
information and for providing and updating accurate technical and
administrative contact information adequate to facilitate timely
resolution of any problems that arise in connection with the Registered
Name. A Registered Name Holder licensing use of a Registered Name
according to this provision shall accept liability for harm caused by
wrongful use of the Registered Name, unless it promptly discloses the
identity of the licensee to a party providing the Registered Name Holder
reasonable evidence of actionable harm. Registrar shall provide notice to each new or renewed Registered
Name Holder stating: The purposes for which any Personal Data collected from the
applicant are intended; The intended recipients or categories of recipients of the
data (including the Registry Operator and others who will receive the
data from Registry Operator); Which data are obligatory and which data, if any, are
voluntary; and How the Registered Name Holder or data subject can access and,
if necessary, rectify the data held about them. The Registered Name Holder shall consent to the data processing
referred to in Subsection The Registered Name Holder shall represent that notice has been
provided equivalent to that described in Subsection to any
third-party individuals whose Personal Data are supplied to Registrar by
the Registered Name Holder, and that the Registered Name Holder has
obtained consent equivalent to that referred to in Subsection of
any such third-party individuals. Registrar shall agree that it will not process the Personal Data
collected from the Registered Name Holder in a way incompatible with the
purposes and other limitations about which it has provided notice to the
Registered Name Holder in accordance with Subsection above. Registrar shall agree that it will take reasonable precautions
to protect Personal Data from loss, misuse, unauthorized access or
disclosure, alteration, or destruction. The Registered Name Holder shall represent that, to the best of
the Registered Name Holder's knowledge and belief, neither the
registration of the Registered Name nor the manner in which it is
directly or indirectly used infringes the legal rights of any third
party. For the adjudication of disputes concerning or arising from use
of the Registered Name, the Registered Name Holder shall submit, without
prejudice to other potentially applicable jurisdictions, to the
jurisdiction of the courts (1) of the Registered Name Holder's domicile
and (2) where Registrar is located. The Registered Name Holder shall agree that its registration of
the Registered Name shall be subject to suspension, cancellation, or
transfer pursuant to any ICANN adopted specification or policy, or
pursuant to any registrar or registry procedure not inconsistent with an
ICANN adopted specification or policy, (1) to correct mistakes by
Registrar or the Registry Operator in registering the name or (2) for
the resolution of disputes concerning the Registered Name. The Registered Name Holder shall indemnify and hold harmless
the Registry Operator and its directors, officers, employees, and agents
from and against any and all claims, damages, liabilities, costs, and
expenses (including reasonable legal fees and expenses) arising out of
or related to the Registered Name Holder's domain name registration.


Please audit the web-based registration process of the top 10
registrars, as well as another 10 registrars that use web based
registration for the following:

(1) Whether the registrar appears to be compliant with clause 3.7.7
during the registration process.

(2) Document for each registrar:
"The purposes for which any Personal Data collected from the applicant
are intended"

(3) How each registrar obtains consent to the terms and conditions,
options include:
Full text of the terms and conditions on a registration page, versus
terms and conditions available via a link to a separate webpage.

(4) Whether each registrar also provides information about data usage
through a privacy page

(5) Identify any other method used to inform the registrant of the WHOIS
E.g whether the registrar offers some form of service to protect the
disclosure of personal contact data   (e.g "private registration"
services etc)

A spreadsheet with the five categories above would probably be the
easiest way of collecting the information.

Bruce Tonkin

More information about the council mailing list