[registrars] Comments on RC whois statements

Wed Apr 7 23:58:27 UTC 2004

Paul, Tom and Ross,

First, kudos on the great job of drafting the RC statements for Whois Task
Force 1, 2 and 3.

I have some comments and observations:

- a comment for all three statements:  it seems like all three task forces
pre-suppose that a problem exists.  I would propose adding language to all
three statements to propose that studies or monitoring tools be developed to
determine the extent of the problem that we are trying to solve. For
example:
	TF1: is data mining a problem?  Is it significant? How do we know?
Who is doing it?
	TF3: is data accuracy a problem?  Is it significant? How do we know?

- I think it would also be useful to articulate the underlying reason why
these are considered important issues.  For example; I always thought the
data accuracy issue was driven by the need to communicate with the
registrant.  If this is true, then it is possible to provide ways of
communication to registrants without exposing any personal data at all via
whois.  The anonymous services already do this.  We could easily mandate
that all registrars provide a simple "contact registrant" feature in their
Whois without disclosing the registrant's email address (as I do on
EnCirca).

- Data collection and metrics will also be very important to determine if
any measures that we implement are successful.  In other words, we need to
be able to have a metric for before and after.

Specifics on Task Force 1: 

-  The key statement here is "The whois data is the registrant's data".  If
so, then why not take the stand that the registrants should be able to
decide and control what data is published about them?  As I mention above,
there are methods for communicating to registrants even if no personal whois
data exists for them.

- You imply that port-43 is not required for EPP registries.  Is this true?
Could we shut-down port-43 tomorrow for EPP registries and still effect
transfers?

- I would like to propose a simple rule: "The compilation of searchable
databases containing whois data mined via port-43 is expressly forbidden and
should be outlawed."

- The last section regarding different ways to access I think misses some
key differences about bulk whois access versus the other methods.  With bulk
whois, the requestor is known AND they are paying for the data.  This leads
to two more rules:

1. All whois requestors must be identified.  Anonymous access is not
allowed.
2. Access to Whois data should be paid for, if being used for commercial
purposes.

Specifics on Task Force 2:
The RC Statement for TF2 recommends that bulk whois be eliminated as a
requirement.  There have also been rumors that some registrars refuse to
provide bulk access.  Some actual data would be useful here.  What is the
extent of bulk whois licensing?  How many registrars have actually bulk
licensed whois data?  How many requestors are asking for it?  What are
asking for?

Regarding the three levels of access: why not let the registrant decide what
data elements they are willing to provide for each of the three levels?  In
other words, the recommendations in this statement could be the minimum data
allowed but the registrant could provide more if they desired.

Specifics on Task Force 3:
Based on ICANN's own data, it is not clear if Whois data accuracy is a
significant enough problem to even warrant a task force.

I would propose a study that would scientifically sample and analyze whois
data to determine the current magnitude of this issue.  Again, this snapshot
is important if we are to ever determine if progress is being made or not.
We should have the results of this study before ICANN starts implementing
compliance programs.  Otherwise, how will we know if they are effective?

Just my two cent's worth.

Best Regards,

Tom Barrett
EnCirca Inc