GAC Whois Working Group
Posted: 22 June 2003
GAC Whois Working Group Discussion Paper
The GAC working group has agreed to host a workshop on the margins of the June 2003 ICANN meeting in Montreal to discuss public policy issues and potential solutions associated with the Whois database. These issues include law enforcement’s access to Whois data; the role of Whois data in enforcement of intellectual property rights; concerns about privacy and data mining; and other consumer rights and protection issues, such as freedom of speech and spam. The GAC Whois Workshop will explore these issues and then look at a number of possible private and public sector solutions, examining the pros and cons of each.
Public Policy Issues
There are many public policy goals supported by the collection and availability of domain name registrant contact information data:
However, the policy goals supported by the collection and availability of contact data must be balanced against the public policy goals of:
Another set of issues concerns improving the accuracy of Whois data. If Whois data are not accurate, the Whois database does not fulfil the goals noted above. There have been widely reported concerns about the quality of Whois data. The Final Report of the GNSO Council’s Whois Task Force on Accuracy and Bulk Access notes significant concerns about the ability of Whois to effectively identify a domain name holder, with nearly one half of commercial and government users reporting that they had been harmed or inconvenienced by inaccurate Whois data [1]. Likewise, a survey by revenue authorities in Australia suggests that approximately 15% of commercial Web sites could not be traced to a registered business entity or person [2]. Finally, experiences of consumer protection law enforcement authorities in actual cases have highlighted the day-to-day nature of the problem [3].
Options for Addressing the Public Policy Concerns
Various stakeholders have proposed different options for addressing the concerns regarding law enforcement, privacy, consumer protection, and accuracy. These options, which are not mutually exclusive, include the following:
1. Status Quo
Retaining the status quo may be one approach to addressing the concerns outlined above. While some find the current system acceptable, others do not agree that this system sufficiently addresses such concerns. Currently, ICANN requires registrars to collect certain information from domain registrants and post some of that information in the Whois database. If a registrar does not abide by these requirements, ICANN can cancel the registrar’s accreditation.
The current system allows registrants to use third party agent registration services. There are several different types of services being offered. One allows a domain name registrant to go to a third party web hosting company and register its domain on the third level (i.e., example.geocities.com) using an umbrella organization that can operate to allow anonymity at the level of registration of the domain name: the “third party host” approach. Another, called a “proxy service,” provides that registrars (e.g., domainsbyproxy.com) or Internet Service Providers (ISPs) allow a domain name holder to register their domain at the second level but the contact information provided to the Whois database is that of a third party agent. Availability of these types of services may help to alleviate some of the privacy concerns about the Whois database.
The accuracy concerns could be addressed within the existing system, by encouraging greater ICANN enforcement of obligations in the Registrar Accreditation Agreement.
2. Allowing Third Party Registration for Non-Commercial Domains
One concern with retaining the status quo is that, if the use of third party registration services becomes widespread, law enforcement would lose immediate access to the actual registrant’s contact information, which is necessary to fight fraud and other criminal activity on the Internet. One option for addressing this problem is that the Registrar Accreditation Agreement could be rewritten to prohibit the use of third party registration services for commercial domain names, but to allow use of them for non-commercial or personal domain names. Most law enforcers, such as consumer protection enforcement officials and those criminal enforcers investigating Internet scams, are less concerned with websites used for personal, as opposed to commercial, purposes, and therefore, registrants in this category could use third party registration services. Commercial registrants would have less need to use these third party services because there is less privacy justification for masking their identity. However, this solution does not address the need of some law enforcers, such as those investigating child pornography or taxation authorities, to have immediate access to contact information for non-commercial sites. These law enforcers currently use and will continue to need access to Whois information to conduct investigations, and will likely face difficulties in obtaining such information from third party sources, particularly those who are located abroad and not directly subject to the law enforcement authority’s subpoena power to obtain information.
3. Governmental Participation In Whois Database Administration
Another approach is for governments to undertake greater participation in the administration of the Whois database. Private registrars are not in a position, nor do they have the authority, to police domain name systems or online content to determine who is a commercial operator, whether a particular registrant’s privacy interests are important, etc. They may not have the appropriate resources or ability to compel domain name registrants to provide accurate and reliable information.
The question of what participation is appropriate and how it can be implemented is difficult. Governmental participation might take several forms. Governments could set standards for data collection, civil and criminal penalties for non-compliance, and/or standardized takedown procedures. Governments could also maintain the Whois database. However, government maintenance of the personal data of all registrants could have a negative impact on some domain name owners, for example those who use their sites to post political views contrary to those of the current regime. Government access to such data could endanger such dissidents and inhibit their activities. Legal justification for the collection and maintenance of personal data by governments may differ under national law, and the uses of various components of such data by different parts of a government as well as by private concerns may be difficult to harmonize.
If the GAC were to encourage national legislatures to pass laws that provide for civil or criminal penalties for abuse of the Whois database collection or availability, that could drive the registrar functions offshore to other countries. Moreover, this approach could result in hundreds of inconsistent laws, and registrars doing business globally would have to incur significant compliance costs.
Another alternative is for governments to establish a treaty containing uniform rules for collection and maintenance of Whois data. Enforcement could be accomplished by individual countries or through an international governmental organization that would administer the WHOIS database. Of course, it would take a lot of time and effort to establish worldwide consensus on a treaty and/or an organization, which ultimately has the potential of adding another layer of bureaucracy onto the domain registration process. Finally, government regulation will be costly.
4. Tiered Access
Another option is that of tiered access to the Whois database. Stakeholders have proposed different versions of this option, but the main thrust is to create a different level of access to Whois data, depending on the category of the Whois data user. The first tier could allow the general public access to the name of the registrar, the name server, the creation date and the expiration date. The second tier could allow law enforcement to get password-protected access to all data collected. The third tier could allow access to all data to those who apply for it, pay a fee and indicate for what purpose the information is to be used. This type of system has been proposed by the .name TLD but has not yet been approved by the UK data protection authorities to determine if it is an acceptable system under the EU Data Protection Directive. Some registrars are encouraging further exploration of this option. This proposal also raises certain challenges, similar to the challenges discussed in option 2.
5. Use of a Single TLD for Personal Registrations
Finally, another idea to reconcile the public policy concerns is to designate one TLD for personal registration and have a separate Whois policy for that TLD. The designated TLD could be an existing one or perhaps a new one. This approach could resolve registrar concerns about distinguishing between commercial and non-commercial registrations. This raises the potential concern that the single TLD used for personal registration could become a haven for wrongful conduct. But this concern could be alleviated by imposing strict rules for registrars to police this personal TLD space. Alternatively, a government or governments could take over administration of this TLD.