[gnso-rds-pdp-wg] Possible requirements for gTLD registration data or directory services

gtheo gtheo at xs4all.nl
Tue May 31 08:39:23 UTC 2016 

Thanks Sara,

Something to keep in mind later on when we hit the deliberation phase. 
Data Retention Spec, though the spec itself is pretty clear, most EU 
Registrars have waivers in place, so not all is collected or stored.

Theo


Sara Bockey schreef op 2016-05-30 07:15 PM:
> Hi all,
> 
>  From my review of the 2013 Registrar Accreditation Agreement [1]
> (RAA), including RAA WHOIS requirements for Registrants [2] (2013)
> 
>  DATA ELEMENTS - WHAT DATA SHOULD BE COLLECTED, STORED, AND DISCLOSED?
> 
> 
>  From the RAA:
> 
>  3.2.1 As part of its registration of Registered Names in a gTLD,
> Registrar shall submit to, or shall place in the Registry Database
> operated by, the Registry Operator for the gTLD the following data
> elements:
> 
>> 3.2.1.1 The name of the Registered Name being registered;
>> 
>> 3.2.1.2 The IP addresses of the primary nameserver and secondary
>> nameserver(s) for the Registered Name;
>> 
>> 3.2.1.3 The corresponding names of those nameservers;
>> 
>> 3.2.1.4 Unless automatically generated by the registry system, the
>> identity of the Registrar;
>> 
>> 3.2.1.5 Unless automatically generated by the registry system, the
>> expiration date of the registration; and
>> 
>> 3.2.1.6 Any other data the Registry Operator requires be submitted
>> to it.
> 
>  The agreement between the Registry Operator of a gTLD and Registrar
> may, if approved by ICANN in writing, state alternative required data
> elements applicable to that gTLD, in which event, the alternative
> required data elements shall replace and supersede Subsections 3.2.1.1
> through 3.2.1.6 stated above for all purposes under this Agreement but
> only with respect to that particular gTLD.
> 
> 3.3.1 At its expense, Registrar shall provide an interactive web page
> and, with respect to any gTLD operating a "thin" registry, a port 43
> Whois service (each accessible via both IPv4 and IPv6) providing free
> public query-based access to up-to-date (i.e., updated at least daily)
> data concerning all active Registered Names sponsored by Registrar in
> any gTLD. Until otherwise specified by a Consensus Policy, such data
> shall consist of the following elements as contained in Registrar's
> database:
> 
>> 3.3.1.1 The name of the Registered Name;
>> 
>> 3.3.1.2 The names of the primary nameserver and secondary
>> nameserver(s) for the Registered Name;
>> 
>> 3.3.1.3 The identity of Registrar (which may be provided through
>> Registrar's website);
>> 
>> 3.3.1.4 The original creation date of the registration;
>> 
>> 3.3.1.5 The expiration date of the registration;
>> 
>> 3.3.1.6 The name and postal address of the Registered Name Holder;
>> 
>> 3.3.1.7 The name, postal address, e-mail address, voice telephone
>> number, and (where available) fax number of the technical contact
>> for the Registered Name; and
>> 
>> 3.3.1.8 The name, postal address, e-mail address, voice telephone
>> number, and (where available) fax number of the administrative
>> contact for the Registered Name.
> 
> The agreement between the Registry Operator of a gTLD and Registrar
> may, if approved by ICANN in writing, state alternative required data
> elements applicable to that gTLD, in which event, the alternative
> required data elements shall replace and supersede Subsections 3.3.1.1
> through 3.3.1.8 stated above for all purposes under this Agreement but
> only with respect to that particular gTLD.
> 
> 3.4.1 For each Registered Name sponsored by Registrar within a gTLD,
> Registrar shall collect and securely maintain, in its own electronic
> database, as updated from time to time:
> 
>> 3.4.1.1 the data specified in the Data Retention Specification
>> attached hereto for the period specified therein;
>> 
>> 3.4.1.2 The data elements listed in Subsections 3.3.1.1 through
>> 3.3.1.8;
>> 
>> 3.4.1.3 the name and (where available) postal address, e-mail
>> address, voice telephone number, and fax number of the billing
>> contact;
>> 
>> 3.4.1.4 any other Registry Data that Registrar has submitted to the
>> Registry Operator or placed in the Registry Database under
>> Subsection 3.2; and
>> 
>> 3.4.1.5 the name, postal address, e-mail address, and voice
>> telephone number provided by the customer of any privacy service or
>> licensee of any proxy registration service, in each case, offered or
>> made available by Registrar or its Affiliates in connection with
>> each registration. Effective on the date that ICANN fully implements
>> a Proxy Accreditation Program established in accordance with Section
>> 3.14, the obligations under this Section 3.4.1.5 will cease to apply
>> as to any specific category of data (such as postal address) that is
>> expressly required to be retained by another party in accordance
>> with such Proxy Accreditation Program.
> 
>> 
> 
> 3.4.2 During the Term of this Agreement and for two (2) years
> thereafter, Registrar (itself or by its agent(s)) shall maintain the
> following records relating to its dealings with the Registry
> Operator(s) and Registered Name Holders:
> 
>> 3.4.2.1 In electronic form, the submission date and time, and the
>> content, of all registration data (including updates) submitted in
>> electronic form to the Registry Operator(s);
>> 
>> 3.4.2.2 In electronic, paper, or microfilm form, all written
>> communications constituting registration applications,
>> confirmations, modifications, or terminations and related
>> correspondence with Registered Name Holders, including registration
>> contracts; and
>> 
>> 3.4.2.3 In electronic form, records of the accounts of all
>> Registered Name Holders with Registrar.
> 
> 3.4.3 During the Term of this Agreement and for two (2) years
> thereafter, Registrar shall make the data, information and records
> specified in this Section 3.4 available for inspection and copying by
> ICANN upon reasonable notice. In addition, upon reasonable notice and
> request from ICANN, Registrar shall deliver copies of such data,
> information and records to ICANN in respect to limited transactions or
> circumstances that may be the subject of a compliance-related inquiry;
> provided, however, that such obligation shall not apply to requests
> for copies of the Registrar's entire database or transaction history.
> Such copies are to be provided at Registrar's expense. In responding
> to ICANN's request for delivery of electronic data, information and
> records, Registrar may submit such information in a format reasonably
> convenient to Registrar and acceptable to ICANN so as to minimize
> disruption to the Registrar's business. In the event Registrar
> believes that the provision of any such data, information or records
> to ICANN would violate applicable law or any legal proceedings, ICANN
> and Registrar agree to discuss in good faith whether appropriate
> limitations, protections, or alternative solutions can be identified
> to allow the production of such data, information or records in
> complete or redacted form, as appropriate. ICANN shall not disclose
> the content of such data, information or records except as expressly
> required by applicable law, any legal proceeding or Specification or
> Policy.
> 
>> 
> 
>  From WHOIS Spec:
> 
> 1.4. Domain Name Data:
> 
> 1.4.1. Query format: whois –h whois.example-registrar.tld
> EXAMPLE.TLD
> 
> 1.4.2. Response format:
> 
> The format of responses shall contain all the elements and follow a
> semi-free text format outline below. Additional data elements can be
> added at the end of the text format outlined below. The data element
> may, at the option of Registrar, be followed by a blank line and a
> legal disclaimer specifying the rights of Registrar, and of the user
> querying the database (provided that any such legal disclaimer must be
> preceded by such blank line).
> 
> Domain Name: EXAMPLE.TLD
> Registry Domain ID: D1234567-TLD
> Registrar WHOIS Server: whois.example-registrar.tld
> Registrar URL: http://www.example-registrar.tld
> Updated Date: 2009-05-29T20:13:00Z
> Creation Date: 2000-10-08T00:45:00Z
> Registrar Registration Expiration Date: 2010-10-08T00:44:59Z
> Registrar: EXAMPLE REGISTRAR LLC
> Registrar IANA ID: 5555555
> Registrar Abuse Contact Email: email at registrar.tld
> Registrar Abuse Contact Phone: +1.1235551234
> Reseller: EXAMPLE RESELLER1
> Domain Status: clientDeleteProhibited2
> Domain Status: clientRenewProhibited
> Domain Status: clientTransferProhibited
> Registry Registrant ID: 5372808-ERL3
> Registrant Name: EXAMPLE REGISTRANT4
> Registrant Organization: EXAMPLE ORGANIZATION
> Registrant Street: 123 EXAMPLE STREET
> Registrant City: ANYTOWN
> Registrant State/Province: AP5
> Registrant Postal Code: A1A1A16
> Registrant Country: AA
> Registrant Phone: +1.5555551212
> Registrant Phone Ext: 12347
> Registrant Fax: +1.5555551213
> Registrant Fax Ext: 4321
> Registrant Email: EMAIL at EXAMPLE.TLD
> Registry Admin ID: 5372809-ERL8
> Admin Name: EXAMPLE REGISTRANT ADMINISTRATIVE
> Admin Organization: EXAMPLE REGISTRANT ORGANIZATION
> Admin Street: 123 EXAMPLE STREET
> Admin City: ANYTOWN
> Admin State/Province: AP
> Admin Postal Code: A1A1A1
> Admin Country: AA
> Admin Phone: +1.5555551212
> Admin Phone Ext: 1234
> Admin Fax: +1.5555551213
> Admin Fax Ext: 1234
> Admin Email: EMAIL at EXAMPLE.TLD
> Registry Tech ID: 5372811-ERL9
> Tech Name: EXAMPLE REGISTRANT TECHNICAL
> Tech Organization: EXAMPLE REGISTRANT LLC
> Tech Street: 123 EXAMPLE STREET
> Tech City: ANYTOWN
> Tech State/Province: AP
> Tech Postal Code: A1A1A1
> Tech Country: AA
> Tech Phone: +1.1235551234
> Tech Phone Ext: 1234
> Tech Fax: +1.5555551213
> Tech Fax Ext: 93
> Tech Email: EMAIL at EXAMPLE.TLD
> Name Server: NS01.EXAMPLE-REGISTRAR.TLD10
> Name Server: NS02.EXAMPLE-REGISTRAR.TLD
> DNSSEC: signedDelegation
> URL of the ICANN WHOIS Data Problem Reporting System:
> http://wdprs.internic.net/
>>>> Last update of WHOIS database: 2009-05-29T20:15:00Z <<<
> 
> 1.5. The format of the following data fields: domain status,
> individual and organizational names, address, street, city,
> state/province, postal code, country, telephone and fax numbers, email
> addresses, date and times must conform to the mappings specified in
> EPP RFCs 5730-5734 (or its successors), and IPv6 addresses format
> should conform to RFC 5952 (or its successor), so that the display of
> this information (or values returned in WHOIS responses) can be
> uniformly processed and understood.
> 
> From Data Retention Spec:
> 
> 1.1. Registrar shall collect the following information from
> registrants at the time of registration of a domain name (a
> "Registration") and shall maintain that information for the duration
> of Registrar's sponsorship of the Registration and for a period of two
> additional years thereafter:
> 
>> 1.1.1. First and last name or full legal name of registrant;
>> 
>> 1.1.2. First and last name or, in the event registrant is a legal
>> person, the title of the registrant's administrative contact,
>> technical contact, and billing contact;
>> 
>> 1.1.3. Postal address of registrant, administrative contact,
>> technical contact, and billing contact;
>> 
>> 1.1.4. Email address of registrant, administrative contact,
>> technical contact, and billing contact;
>> 
>> 1.1.5. Telephone contact for registrant, administrative contact,
>> technical contact, and billing contact;
>> 
>> 1.1.6. WHOIS information, as set forth in the WHOIS Specification;
>> 
>> 1.1.7. Types of domain name services purchased for use in connection
>> with the Registration; and
>> 
>> 1.1.8. To the extent collected by Registrar, "card on file," current
>> period third party transaction number, or other recurring payment
>> data.
> 
> 1.2. Registrar shall collect the following information and maintain
> that information for no less than one hundred and eighty (180) days
> following the relevant interaction:
> 
>> 1.2.1. Information regarding the means and source of payment
>> reasonably necessary for the Registrar to process the Registration
>> transaction, or a transaction number provided by a third party
>> payment processor;
>> 
>> 1.2.2. Log files, billing records and, to the extent collection and
>> maintenance of such records is commercially practicable or
>> consistent with industry-wide generally accepted standard practices
>> within the industries in which Registrar operates, other records
>> containing communications source and destination information,
>> including, depending on the method of transmission and without
>> limitation: (1) Source IP address, HTTP headers, (2) the telephone,
>> text, or fax number; and (3) email address, Skype handle, or instant
>> messaging identifier, associated with communications between
>> Registrar and the registrant about the Registration; and
>> 
>> 1.2.3. Log files and, to the extent collection and maintenance of
>> such records is commercially practicable or consistent with
>> industry-wide generally accepted standard practices within the
>> industries in which Registrar operates, other records associated
>> with the Registration containing dates, times, and time zones of
>> communications and sessions, including initial registration.
> 
>  DATA ACCURACY - WHAT STEPS SHOULD BE TAKEN TO IMPROVE DATA ACCURACY?
> 
>  From the RAA:
> 
> 3.3.2 Upon receiving any updates to the data elements listed in
> Subsections 3.3.1.2, 3.3.1.3, and 3.3.1.5 through 3.3.1.8 from the
> Registered Name Holder, Registrar shall promptly update its database
> used to provide the public access described in Subsection 3.3.1.
> 
> 3.7.8 Registrar shall comply with the obligations specified in the
> Whois Accuracy Program Specification. In addition, notwithstanding
> anything in the Whois Accuracy Program Specification to the contrary,
> Registrar shall abide by any Consensus Policy requiring reasonable and
> commercially practicable (a) verification, at the time of
> registration, of contact information associated with a Registered Name
> sponsored by Registrar or (b) periodic re-verification of such
> information. Registrar shall, upon notification by any person of an
> inaccuracy in the contact information associated with a Registered
> Name sponsored by Registrar, take reasonable steps to investigate that
> claimed inaccuracy. In the event Registrar learns of inaccurate
> contact information associated with a Registered Name it sponsors, it
> shall take reasonable steps to correct that inaccuracy.
> 
> COMPLIANCE - WHAT STEPS ARE NEEDED TO ENFORCE THESE POLICIES?
> 
> From the RAA:
> 
> 3.3.4 Registrar shall abide by any Consensus Policy that requires
> registrars to cooperatively implement a distributed capability that
> provides query-based Whois search functionality across all registrars.
> If the Whois service implemented by registrars does not in a
> reasonable time provide reasonably robust, reliable, and convenient
> access to accurate and up-to-date data, the Registrar shall abide by
> any Consensus Policy requiring Registrar, if reasonably determined by
> ICANN to be necessary (considering such possibilities as remedial
> action by specific registrars), to supply data from Registrar’s
> database to facilitate the development of a centralized Whois database
> for the purpose of providing comprehensive Registrar Whois search
> capability.
> 
> USERS/PURPOSES/ACCESS - WHO SHOULD HAVE ACCESS TO GTLD REGISTRATION
> DATA AND WHY? WHAT STEPS SHOULD BE TAKEN TO CONTROL DATA ACCESS FOR
> EACH USER/PURPOSE?
> 
> From the RAA:
> 
> 3.3.5 In providing query-based public access to registration data as
> required by Subsections 3.3.1 and 3.3.4, Registrar shall not impose
> terms and conditions on use of the data provided, except as permitted
> by any Specification or Policy established by ICANN. Unless and until
> ICANN establishes a different Consensus Policy, Registrar shall permit
> use of data it provides in response to queries for any lawful purposes
> except to: (a) allow, enable, or otherwise support the transmission by
> e-mail, telephone, postal mail, facsimile or other means of mass
> unsolicited, commercial advertising or solicitations to entities other
> than the data recipient’s own existing customers; or (b) enable high
> volume, automated, electronic processes that send queries or data to
> the systems of any Registry Operator or ICANN-Accredited registrar,
> except as reasonably necessary to register domain names or modify
> existing registrations.
> 
> 3.3.6 In the event that ICANN determines, following analysis of
> economic data by an economist(s) retained by ICANN (which data has
> been made available to Registrar), that an individual or entity is
> able to exercise market power with respect to registrations or with
> respect to registration data used for development of value-added
> products and services by third parties, Registrar shall provide
> third-party bulk access to the data subject to public access under
> Subsection 3.3.1 under the following terms and conditions:
> 
>> 3.3.6.1 Registrar shall make a complete electronic copy of the data
>> available at least one (1) time per week for download by third
>> parties who have entered into a bulk access agreement with
>> Registrar.
>> 
>> 3.3.6.2 Registrar may charge an annual fee, not to exceed US$10,000,
>> for such bulk access to the data.
>> 
>> 3.3.6.3 Registrar's access agreement shall require the third party
>> to agree not to use the data to allow, enable, or otherwise support
>> any marketing activities, regardless of the medium used. Such media
>> include but are not limited to e-mail, telephone, facsimile, postal
>> mail, SMS, and wireless alerts.
>> 
>> 3.3.6.4 Registrar's access agreement shall require the third party
>> to agree not to use the data to enable high-volume, automated,
>> electronic processes that send queries or data to the systems of any
>> Registry Operator or ICANN-Accredited registrar, except as
>> reasonably necessary to register domain names or modify existing
>> registrations.
>> 
>> 3.3.6.5 Registrar's access agreement must require the third party to
>> agree not to sell or redistribute the data except insofar as it has
>> been incorporated by the third party into a value-added product or
>> service that does not permit the extraction of a substantial portion
>> of the bulk data from the value-added product or service for use by
>> other parties.
> 
> 3.3.7 To comply with applicable statutes and regulations and for other
> reasons, ICANN may adopt a Consensus Policy establishing limits (a) on
> the Personal Data concerning Registered Names that Registrar may make
> available to the public through a public-access service described in
> this Subsection 3.3 and (b) on the manner in which Registrar may make
> such data available. Registrar shall comply with any such Consensus
> Policy.
> 
>  3.5 Rights in Data. Registrar disclaims all rights to exclusive
> ownership or use of the data elements listed in Subsections 3.2.1.1
> through 3.2.1.3 for all Registered Names submitted by Registrar to the
> Registry Database for, or sponsored by Registrar in, each gTLD for
> which it is Accredited. Registrar does not disclaim rights in the data
> elements listed in Subsections 3.2.1.4 through 3.2.1.6 and Subsections
> 3.3.1.3 through 3.3.1.8 concerning active Registered Names sponsored
> by it in each gTLD for which it is Accredited, and agrees to grant
> non-exclusive, irrevocable, royalty-free licenses to make use of and
> disclose the data elements listed in Subsections 3.2.1.4 through
> 3.2.1.6 and 3.3.1.3 through 3.3.1.8 for the purpose of providing a
> service or services (such as a Whois service under Subsection 3.3.4)
> providing interactive, query-based public access. Upon a change in
> sponsorship from Registrar of any Registered Name in each gTLD for
> which it is Accredited, Registrar acknowledges that the registrar
> gaining sponsorship shall have the rights of an owner to the data
> elements listed in Subsections 3.2.1.4 through 3.2.1.6 and 3.3.1.3
> through 3.3.1.8 concerning that Registered Name, with Registrar also
> retaining the rights of an owner in that data. Nothing in this
> Subsection prohibits Registrar from (1) restricting bulk public access
> to data elements in a manner consistent with this Agreement and any
> Specifications or Policies or (2) transferring rights it claims in
> data elements subject to the provisions of this Subsection 3.5.
> 
>  3.7.7.7 Registrar shall agree that it will not process the Personal
> Data collected from the Registered Name Holder in a way incompatible
> with the purposes and other limitations about which it has provided
> notice to the Registered Name Holder in accordance with Subsection
> 3.7.7.4 above.
> 
>  7.2 Handling by ICANN of Registrar-Supplied Data. Before receiving
> any Personal Data from Registrar, ICANN shall specify to Registrar in
> writing the purposes for and conditions under which ICANN intends to
> use the Personal Data. ICANN may from time to time provide Registrar
> with a revised specification of such purposes and conditions, which
> specification shall become effective no fewer than thirty (30) days
> after it is provided to Registrar. ICANN shall not use Personal Data
> provided by Registrar for a purpose or under conditions inconsistent
> with the specification in effect when the Personal Data was provided.
> ICANN shall take reasonable steps to avoid uses of the Personal Data
> by third parties inconsistent with the specification.
> 
> PRIVACY - WHAT STEPS ARE NEEDED TO PROTECT DATA AND PRIVACY?
> 
>  From the RAA:
> 
>  3.7.7.8 Registrar shall agree that it will take reasonable
> precautions to protect Personal Data from loss, misuse, unauthorized
> access or disclosure, alteration, or destruction.
> 
> 	*
> 	*
> 
> Links:
> ------
> [1] 
> https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en
> [2]
> https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en#whois
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

More information about the gnso-rds-pdp-wg mailing list