[registrars] Draft Registrar Submission to TF1

[Elana Broitman]

RC Statement 		Vers1
On Whois TF1: Restricting Access/Data Mining

The registrars' policy recommendation for the Restricting Access/Data Mining whois task force (TF1) has a great dependency on the results of the data collected and displayed (whois task force (TF2)).  If for example, the TF2 determines that the data to be displayed, especially via port-43, is limited to non-sensitive information ("non-sensitive information" defined as the domain itself, name servers, organization-names, and the registrar-of-record) and does not include personally identifiable information, then the information to be mined will be of less value to miners and hence, mining will be reduced.  On the other hand, if the TF2 determines that sensitive information ("sensitive information" defined as, but not limited to, person-names, street addresses, phone and fax numbers, and email addresses) is to be displayed, then there will be a great incentive to mine the data because it will be more valuable.  There is also a dependency on TF3, because if accuracy requirements are made more exacting, and at the same time, this far more accurate and current data is mandated to be displayed, then it becomes even more valuable, which further increases the motivation for mining.  The potential rate of mining is a concern not only to the registrants, whose sensitive data is taken by miners, but also to registrars, for whom this has significant business implications.

Whois data is the registrant's information.  It should remain in the control of the data subject as much as possible.  As the whois data moves away from the registrants to the registrars and further, to "thick" registries, and to even more distant (and un-identified) 4th and 5th parties, the registrant loses more and more control.  As the public has learned more about how their information is abused, customers have begun to demand more privacy for their information and to object to such loss of control to parties with which they have no relationship or contact.  Customers are not happy about their registrars publishing their sensitive whois data because registrars can not guarantee that the "4th and 5th" parties would treat the data in a manner consistent with the policies and laws under which it was collected.  

Requiring registrars to make data available to parties that they can not bind to any standards or restrictions flies in the face of registrars' responsibilities to their customers.  Registrars are in the untenable position of having to comply with directly contradictory requirements - from ICANN, and from their customers and national privacy laws.    As the whois information is passed to these other entities, more access policy-control problems are created (because there are geometrically more locations at which to mine the data). Because the registrars are closer to the registrants, their customers, registrars are in the best position of protecting their customers' data, per the permissions provided by the registrants. To protect their customers, registrants strongly advocate for the ability to maintain data control. This means the right to display only non-sensitive information to the public, while providing appropriate limited access to the sensitive information.  This also means providing only non-sensitive information at the registry level.

 
If TF2 determines that sensitive information must be displayed on the Web, the registrars support a policy whereby registrars may:
1)	Shut off port-43 access to the public.  This requires a definition of certain issues:. 
a.	Who is the "the public" 
b.	Who has access
i.	Registrars must be granted access to port-43 whois,  in standardized format, but only for the purposes of performing transfers and only for so long as all gTLD registries are not EPP (thick or thin) or until another inter-registrar transfer mechanism replaces it.
ii.	The identities of the non-public requestors must be known to the registrars and may be recorded by the registrars so that it can be communicated to the registrants in appropriate circumstances.
iii.	The requestor must have a defined, valid purpose for each request and that purpose must be known to the registrars and may be recorded by the registrars so that it can be communicated to the registrants.  Some registrars believe a valid purpose exists currently and some do not.
iv.	The requestor cannot act as a proxy 
c.	Port-43 query rate limiting must be allowed to protect against mining, but the level of the limit must be determined.
2)	Display the whois information on a publicly accessible web site, but only in a manner such that the information cannot be easily mined, and consistent with the policies and governmental laws under which it was collected.  It is the registrars' real-world experience that CAPTCHA systems (systems that perform checks for humans, such as requesting a person to type in number to access a single whois record) and other systems (such as tracking the number of queries from a particular IP address), though imperfect, do work to greatly reduce automated data mining of the whois via the web.  Registrars must continue to be allowed to use such systems.
3)	Continue to provide "identity protection" products to registrants.

The safe guards established for Port 43 access must be put in place for all analogous access points.   All of the following access points provide a miner with access to all, or a large portion, of the whois database of many registrants' sensitive information.  
1)	Mining of registrar's port-43 output
2)	Mining of fat registry's port-43 output
3)	Mining a 3rd party's port-43 that proxies access to any registrar's or registry's port-43 output
4)	Mining the registrar's web-based display of whois information
5)	Mining the fat registries web-based display of whois information
6)	Bulk access 
Therefore, the same, any safe guard policies and controls put in place for one access point must be in place for the others.  (For example, if the identity of the requestor (and purpose, lets say) must be known for bulk access, then it also must be known for mining (high query rate) of port-43.)



Elana Broitman
Register.com
575 Eighth Avenue
New York, NY 10018
Phone (212) 798-9215
> EFax  (800) 886-2716
Fax   (212) 629-9309
ebroitman at register.com 


-----Original Message-----
From: Eric Brunner-Williams in Portland Maine
[mailto:brunner at nic-naa.net]
Sent: Friday, April 02, 2004 12:12 PM
To: Elana Broitman
Cc: Paul Stahura; registrars at dnso.org; brunner at nic-naa.net
Subject: Re: [registrars] Draft Registrar Submission to TF1 


Elana,

Could you put your edits out on the list as text please?

Thanks.

Eric