ICANN Logo

Staff Manager's Issues Report on Privacy Issues Related to Whois
13 May 2003


Staff Manager's Issues Report on Privacy Issues Related to Whois
(13 May 2003)

Contents

Summary

Preliminary Catalog of Issues

Issues Concerning Data Collection

Issues Concerning Data Quality

Issues Concerning Data Handling

Issues Concerning Data Disclosure

Issues Concerning Data Use

Issues Concerning Classification of Registrants

Issues Concerning Commercial Confidentiality and Rights in Data

Stakeholder Groups and Their Apparent Positions

Whois/Privacy Activities in Other Groups

Recommended Process for Proceeding

Characteristics of the Issues

General Counsel's Remarks on Scope

Recommendations for Proceeding


At its 25 March 2003 meeting, the GNSO Council decided (in Decision 5) to request that the staff produce an issues report on privacy issues. The Council suggested that the following two documents be used in producing the report:

Summary

This Issues Report has been prepared according to Item 2 of the GNSO Policy-Development Process (PDP), adjusted as appropriate to accommodate the ongoing transition to the New Bylawsí procedures. Item 2 of the PDP lists the following elements for an Issue Report:

a. The proposed issue raised for consideration;

b. The identity of the party submitting the issue;

c. How that party is affected by the issue;

d. Support for the issue to initiate the PDP; and

e. A recommendation from the Staff Manager as to whether the Council should initiate the PDP for this issue (the "Staff Recommendation"). Each Staff Recommendation shall include the opinion of the ICANN General Counsel regarding whether the issue proposed to initiate the PDP is properly within the scope of the ICANN policy process and within the scope of the GNSO.

In requesting the staff to prepare an Issues Report, the GNSO Council suggested that two documents that were discussed in the GNSO Council meeting on 25 March 2003 be used in the preparation:

1. "Whois Issues Paper on Privacy" (11 March 2003) prepared by Marilyn Cade on behalf of the Whois Task Force, drawing on the contributions of the Task Force in meetings and previous documents and discussions.

2. "Privacy Issues Report: The Creation of a New Task Force Is Necessary for an Adequate Resolution of the Privacy Issues Associated with Whois" (10 March 2003) prepared by Electronic Privacy Information Center (EPIC) and Ruchika Agrawal.

In reviewing these documents, as well as other information that has been posted in the community discussion of the relationship between Whois (concerned with the display of data about a registrant and associated contacts such as technical, administration and billing) and privacy (concerned with what data is collected from registrant, and how it is used, maintained, and made available to others), several features of the discussion are evident:

A. There are many issues involved, not just a single issue.

B. There is a stark divergence of views held by different segments of the community about many, if not all, of the issues.

C. In many cases, the divergence of views appears to be based on the lack of a common understanding of various facts and circumstances relevant to the issues.

D. There also appears to be an imperfect general understanding regarding the requirements concerning Whois currently established in (a) ICANN agreements and policies and (b) legal requirements established by laws and other governmental requirements.

E. The multiple issues have not been crisply defined, and different segments of the community prefer to define them in different ways. (See point F immediately below.)

F. Many segments of the community discern linkages between various of the issues, so that their view of what resolutions of one issue are acceptable are dependent on how another issue is resolved. Different segments of the community discern different linkages.

G. ICANN entities other than the GNSO have constituents with a stake, and thus an interest, in how the issues are resolved.

These considerations lead the staff to recommend that the appropriate action at this time is to commence a phase of fact-finding and issue-definition work, prior to commencing policy-development processes on the substance of particular issues.

After providing a preliminary catalog of issues, this Issues Report briefly characterizes the interests of various stakeholder groups as they now appear. This report next reviews the activities of other ICANN groups and stakeholders that seem relevant to Whois privacy issues. In a final section, it sets forth recommendations for a process to move forward, in coordination with other entities (within ICANN and potentially outside), toward the initial exploration of the menagerie of issues, with the view of better defining them and attaining a working understanding of how the various issues interrelate, so that it is practical to sequence a series of substantive PDPs on them. These staff recommendations take into account some preliminary guidance of the General Counsel concerning the relationship of the issues to ICANNís Mission and Core Values and the GNSOís scope.

Preliminary Catalog of Issues

Based on the "Whois Issues Paper on Privacy" (11 March 2003), the "Privacy Issues Report: The Creation of a New Task Force Is Necessary for an Adequate Resolution of the Privacy Issues Associated with Whois" (10 March 2003), and other materials discussed in the community, it appears that the following issues concerning privacy are thought by at least some segment of the community to be worthy of policy development within the GNSO:

Issues Concerning Data Collection

1. Should the elements of data that registrars are required to collect at the time of registration of a domain name be revised? (See Registrar Accreditation Agreement (RAA) § 3.2.)

2. Should registrars be prohibited by ICANN from collecting additional items of data?

3. Should all registrants, or certain classes of registrants (see Issue 18 below), be afforded the option of not providing some or all elements that registrars are required to collect and, if so, which elements?

4. Should the current mechanism for pseudonymous registration be changed or supplemented with one or more alternative mechanisms? (See RAA § 3.7.7.3.) Should steps be taken to encourage broader availability of this mechanism?

5. Are the current requirements that registrars make disclosures to, and obtain consent by, registrants concerning the uses of collected data adequate and appropriate? (See RAA §§ 3.7.7.4 to 3.7.7.6.)

Issues Concerning Data Quality

6. Are the procedures currently followed by registrars adequate to promote accurate, complete, and up-to-date data, as required by both privacy and accountability principles? (See RAA §§ 3.7.7.1, 3.7.7.2, and 3.7.8, as well as the GNSOís Whois recommendations on accuracy adopted by the ICANN Board on 27 March 2003.)

7. What should be the consequences when a registrant provides inaccurate or incomplete data, or fails to correct inaccurate or incomplete data? (See RAA §§ 3.7.7.1, 3.7.7.2, and 3.7.8.) Are safeguards needed to prevent abusive reports of inaccuracies? Should certain classes of registrants (see Issue 18 below) be permitted to provide inaccurate or incomplete data?

Issues Concerning Data Handling

8. Are the current requirements that registrars handle personal data according to the notices given at the time of registration, and in a manner that avoids loss, misuse, unauthorized access or disclosure, alteration, or destruction, adequate and appropriate? (See RAA §§ 3.7.7.7 and 3.7.7.8.)

9. Are the current requirements for handling of registrar data by registry operators adequate and appropriate?

Issues Concerning Data Disclosure

10. Are the current means of query-based access appropriate? Should both web-based access and port-43 access be required? (RAA § 3.3.1.)

11. What are the purposes for providing public query-based access? Are the elements currently required to be disclosed in public query-based access adequate and appropriate? (RAA § 3.3.1.)

12. What measures, if any, should registrars and registry operators be permitted to take to limit data mining of Whois servers?

13. Should access to data be differentiated based on the party receiving access, or based on the use to which the data will be put? If so, how should differentiated access be implemented and how should the cost of differentiation be funded?

14. Should the current requirement that registrars provide bulk Whois access for non-marketing uses be further limited or eliminated? (RAA § 3.3.6, as well as the GNSOís Whois recommendations on accuracy adopted by the ICANN Board on 27 March 2003.)

Issues Concerning Data Use

15. Which uses of Whois data by members of the public should be permitted (e.g., resolving technical problems, sourcing spam, identifying online merchants, law enforcement activities, identifying online infringers for enforcement of intellectual property rights, etc.)? Which uses should be prohibited?

16. How should restrictions on permissible uses by members of the public be enforced? (RAA §§ 3.3.6.3 to 3.3.6.5.)

17. To what extent is Whois data actually used to the harm of registrants (e.g., identity theft, spam, stalking, and other harassment)?

Issues Concerning Classification of Registrants

18. Should certain types of registrants (e.g., those using domains for political and similar activities) be exempt from the usual requirements to provide data, or to have it available in Whois? How should the eligibility of particular registrants for these exemptions be determined? Are measures required to address the possibility of abuses in the classification procedure?

Issues Concerning Commercial Confidentiality and Rights in Data

19. Should registrars have the option, independent of their customers, to protect the confidentiality of Whois data based on registrarsí proprietary rights to that data? Are the current provisions permitting registrars to claim proprietary rights in personal data about their customers appropriate? (RAA § 3.5.)

20. Should there be ICANN requirements limiting registrars' ability to sell or use Whois data, or other data collected about customers, for commercial purposes?

The above list, though long, is not intended to be exhaustive. These are only issues that are apparent from the two referenced reports and recent online discussions. The large number of issues indicates that it is not feasible for the GNSO to simultaneously develop policy concerning all issues. Some focusing will be essential to effective development of sound policies.

Stakeholder Groups and Their Apparent Positions

As mentioned above, different segments of the community have differing perspectives on the many Whois/privacy issues. The contours of the various positions are poorly defined in many cases. In 2001, the DNSO Whois Task Force conducted an online survey concerning uses of and opinions concerning Whois. Although not based on a scientific sampling technique, that survey provides some insights into attitudes toward Whois issues. In addition, the DNSO/GNSO Task Force has solicited views from various constituencies. Based on that information, the following very preliminary characterizations of constituency views seem appropriate:

Non-Commercial Users – Place great emphasis on privacy of Whois data.

Commercial Users – Place great emphasis on accountability of uses of the Internet, and therefore on accessibility of Whois data for legitimate purposes.

Intellectual Property Interests – Stress the importance of ready access to accurate Whois data to support investigation of cybersquatting, copyright violations, and counterfeiting activities.

ISPs – Support ready access to accurate Whois data to facilitate resolution of network problems and sourcing of spam.

Registrars – View registrant data as an important business asset which should not be made available to competitors. (In this regard, registrars are largely aligned with resellers.) Registrars also receive complaints from registrants reporting that they have received unsolicited renewal notices, and other offers by phone, postal mail, fax, or e-mail targeted at registrants using the information available via Whois. However, registrars also need a mechanism to access the registrant data of competitors to confirm authorization of transfers. Registrars also bear the expense of providing registrar-level Whois service.

gTLD Registries – Registry operators bear the expense of providing registry-level Whois service, and may also view the aggregate data as an important business asset that should not be made available to competing registry operators.

Other segments of the Internet community, not fully included in GNSO constituencies, have also exhibited significant, legitimate interests in Whois policy. These include individual Internet users, law-enforcement and consumer-protection authorities, taxation authorities, and privacy and free-speech advocates.

Whois/Privacy Activities in Other Groups

Four other groups in ICANN are actively involved in investigating Whois issues:

At-Large Advisory Committee – The ALAC has initiated a comment forum on Whois issues to gather information from individual Internet users regarding their opinions.

Governmental Advisory Committee – At its March 2003 meeting, the GAC formed a working group on Whois issues. The GAC working group has requested that the President organize a workshop on Whois issues to be held at the ICANN Montreal meeting.

Security and Stability Advisory Committee – The SAC has issued a recommendation on Whois issues as pertinent to its area of expertise. That recommendation is now in Version 2.

ICANN Board – At its March 2003 meeting, the ICANN Board directed the President to appoint a President's Standing Committee on Privacy, to be responsible for monitoring the implications of existing and proposed ICANN policies on the handling of personal data.

In addition to the above ICANN groups, various governmental bodies are currently engaged in Whois-related work, including the OECD, the European Commission, the US Federal Trade Commission, and the International Working Group on Data Protection in Telecommunications. Many of these groups have shown interest in being involved in policy-development activities within ICANN on Whois and data privacy.

Recommended Process for Proceeding

Characteristics of the Issues. From the above, it seems clear that the GNSO does not have the resources to engage in PDPs on all Whois/privacy issues that have been raised. Because of the large number of issues, as well as the need to bridge significant differences in opinion in order to achieve consensus, PDPs on the issues are likely to require significant commitments of time by ICANN participants. At a minimum, some type of phased approach will be necessary. Indeed, it seems likely that it will be advisable to initiate a PDP on only some of the issues cataloged above.

Many participants in the discussion argue that various issues are linked, in the sense that their views on what resolutions of one issue are acceptable depend on how other issues are resolved.

The written contributions to date reflect strong divergences in assumptions about the underlying facts and circumstances. It also appears that participants in the discussions could benefit from having access to reliable information concerning existing ICANN policies and requirements, as well as the legal requirements established by laws and other governmental requirements. It seems clear that further analysis of the topic area as a whole, including analysis of the possible issues and their interrelationships as well as investigation and discussion of the underlying circumstances, will be necessary before the issues can be sufficiently understood and defined to allow prudent decisions on what PDPs to pursue and how to phase and structure those PDPs.

General Counsel's Remarks on Scope. The present lack of clear definition of the issues renders it impractical to determine presently whether the various issues are within the scope of ICANN and of the GNSO policy process. To be sure, some of the issues appear clearly to involve coordination of policy matters closely related to the gTLD DNS-registration function, and thus to be within the scope of both ICANN and the GNSO policy process. Most of the issues appear to involve "policies" in the sense that they are broadly applicable to multiple situations and organizations, to involve an enduring need to establish a framework for future decision-making, or implicate existing ICANN policies.

Other issues (e.g., Issues 2 and 20 above), depending on how they are defined, may fall outside ICANNís scope. Still other issues, such as those envisioning classification of types of registrants and uses of data, could lead to elaborate policies that would require significantly more intrusive ICANN enforcement activities than at present.

Based on the current, preliminary state of delineation of the issues, however, it is not feasible to reach confident conclusions about whether the issues are in ICANNís or the GNSO's scope.

In saying that, however, it is important to add that many groups – within and outside ICANN, private-sector and governmental – have a role in establishing policies in this area. Even given the limits on its scope in terms of recommending policy, it may be appropriate for the GNSO to consult with other groups to foster informed discussions by all the groups involved.

Recommendations for Proceeding. The staff recommends that the GNSO Council not initiate a PDP on any of the Whois/privacy issues until significant additional work is done on investigating the factual background, in analyzing interrelationships of the issues, and in more clearly delineating the issues to be pursued. Additional work in these areas should provide the necessary understanding of the circumstances surrounding the uses and misuses of Whois, their effects on privacy concerns, and the issues and their inter-relationships.

To move forward, the staff recommends:

1. The GNSO Council should form a Whois/Privacy Steering Group, with representation by all constituencies. (The GNSO Council may wish to consider having this Steering Group chaired by a person independent of any constituency.) The charter of the Whois/Privacy Steering Group should be clearly defined to include the following tasks, with the purpose of guiding the GNSO in the process of establishing a work plan for development of policy recommendations on Whois/privacy issues:

(a) acquiring relevant, reliable information concerning the circumstances related to uses and misuses of Whois;

(b) better defining the privacy-related issues arising from Whois and better understanding their inter-relationships;

(c) identifying groups outside the GNSO (including groups that are now working on, or that plan to work on, Whois/privacy issues) that can assist the GNSO in its policy-development work on Whois/privacy issues and consulting with them concerning specific ways (such as factual analyses on specific questions) in which they might assist;

(d) presenting to the GNSO Council a recommended work plan for its activities in the developing policy recommendations on Whois/privacy issues (see recommendation 3 below for more details).

2. A major initial focus of the fact-finding and issue-definition process should be the dissemination of information and community-wide sharing of views about the nature and costs of providing Whois services, actual uses and misuses of Whois, relevant current ICANN policies, and privacy requirements in various jurisdictions. In that regard, the GNSO Council should join with the GAC working group in requesting the President to organize a Whois workshop at the ICANN Montreal meeting with that focus.

3. The Whois/Privacy Steering Group should provide its work plan by a specified date (such as 1 August 2003) well in advance of the Carthage meeting. The work plan should define the five (approximately) issues that the Whois/Privacy Steering Group recommends be accorded high priority in the policy-development process. The work plan should also identify groups with which the Whois/Privacy Steering Group recommends that the GNSO collaborate in policy development, and describe the nature and benefits of the proposed collaboration.

4. Issue Reports should be prepared on each of these issues (see GNSO PDP Item 2) in time for the GNSO Councilís consideration of all of them at the Carthage meeting.

5. After considering and discussing the Issue Reports, the GNSO Council should initiate PDPs in a sequence it concludes is appropriate, with the understanding that any task forces formed would be separate from the Whois/Privacy Steering Group. To the extent determined appropriate by the GNSO Council, the PDPs could be conducted in conjunction with other groups.


Respectfully submitted,

Louis Touton
Acting Staff Manager, Whois/Privacy Issues
General Counsel


Comments concerning the layout, construction and functionality of this site
should be sent to webmaster@icann.org.

Page Updated 31-May-2003
©2003 The Internet Corporation for Assigned Names and Numbers. All rights reserved.