ICANN | GAC Whois Working Group Discussion Paper

GAC Whois Working Group
Discussion Paper

Posted: 22 June 2003

GAC Whois Working Group Discussion Paper

The GAC working group has agreed to host a workshop on the margins of the June 2003 ICANN meeting in Montreal to discuss public policy issues and potential solutions associated with the Whois database. These issues include law enforcement’s access to Whois data; the role of Whois data in enforcement of intellectual property rights; concerns about privacy and data mining; and other consumer rights and protection issues, such as freedom of speech and spam. The GAC Whois Workshop will explore these issues and then look at a number of possible private and public sector solutions, examining the pros and cons of each.

Public Policy Issues

There are many public policy goals supported by the collection and availability of domain name registrant contact information data:

• Internet Service Providers (ISPs), hosting companies, and network operators need the data to maintain and investigate problems concerning the technical operation of networks and network services and tracking down sources of unwanted e-mail solicitations (spam);

• Law enforcement officials need contact data to investigate illegal activities online;

• Intellectual property owners need the data to determine the identity of those conducting piracy or trademark counterfeiting operations online as well as to identify cybersquatters;

• Consumers need it to identify the commercial entity with whom they are dealing online and to identify those to hold accountable for problems;

• Internet users and victims of unwanted e-mail solicitations (spam) need the data to work with ISPs and network services to track down the source of spam;

• Parents who need contact information to protect their children on the Internet; and

• Tax officials who monitor e-commerce transactions.

However, the policy goals supported by the collection and availability of contact data must be balanced against the public policy goals of:

• Protecting the privacy of citizens who use the Internet, and complying with national laws that restrict the collection and availability of personal data;

• Preventing the use of Whois data for purposes of unsolicited commercial marketing.

• Preventing personal contact information contained in the database from being used for purposes of harassment, identity theft, or stalking.

• Preventing public accessibility to Whois data from undermining individuals’ freedom of speech because it does not permit registration of websites to engage in anonymous political speech.

Another set of issues concerns improving the accuracy of Whois data. If Whois data are not accurate, the Whois database does not fulfil the goals noted above. There have been widely reported concerns about the quality of Whois data. The Final Report of the GNSO Council’s Whois Task Force on Accuracy and Bulk Access notes significant concerns about the ability of Whois to effectively identify a domain name holder, with nearly one half of commercial and government users reporting that they had been harmed or inconvenienced by inaccurate Whois data¹. Likewise, a survey by revenue authorities in Australia suggests that approximately 15% of commercial Web sites could not be traced to a registered business entity or person². Finally, experiences of consumer protection law enforcement authorities in actual cases have highlighted the day to day nature of the problem³.

Options for Addressing the Public Policy Concerns

Various stakeholders have proposed different options for addressing the concerns regarding law enforcement, privacy, consumer protection, and accuracy. These options, which are not mutually exclusive, include the following:

1. Status Quo

Retaining the status quo may be one approach to addressing the concerns outlined above. While some find the current system acceptable, others do not agree that this system sufficiently addresses such concerns. Currently, ICANN requires registrars to collect certain information from domain registrants and post some of that information in the Whois database. If a registrar does not abide by these requirements, ICANN can cancel the registrar’s accreditation.

The current system allows registrants to use third party agent registration services. There are several different types of services being offered. One allows a domain name registrant to go to a third party web hosting company and register its domain on the third level (i.e., example.geocities.com) using an umbrella organization that can operate to allow anonymity at the level of registration of the domain name: the “third party host” approach. Another, called a “proxy service,” provides that registrars (e.g., domainsbyproxy.com) or Internet Service Providers (ISPs) allow a domain name holder to register their domain at the second level but the contact information provided to the Whois database is that of a third party agent. Availability of these types of services may help to alleviate some of the privacy concerns about the Whois database.

The accuracy concerns could be addressed within the existing system, by encouraging greater ICANN enforcement of obligations in the Registrar Accreditation Agreement.

Points for Discussion

• What are the current provisions for the collection and availability of Whois data?

• Why was Whois data collected originally, and what are the uses now?

• Do third party registration services adequately protect privacy?

• Is increased enforcement alone likely to achieve or at least improve accuracy?

• Should registrars provide more up-front verification of Whois data to improve accuracy?

• Are additional enforcement mechanisms desirable?

• Should the Registrar Accreditation Agreement be modified to implement a procedure under which a website goes black when there is an allegation or proof of inaccurate Whois information?

• What are the costs, and who should bear them, of making significant changes in content to or structure of the Whois databases?

2. Allowing Third Party Registration for Non-Commercial Domains

One concern with retaining the status quo is that, if the use of third party registration services becomes widespread, law enforcement would lose immediate access to the actual registrant’s contact information, which is necessary to fight fraud and other criminal activity on the Internet. One option for addressing this problem is that the Registrar Accreditation Agreement could be rewritten to prohibit the use of third party registration services for commercial domain names, but to allow use of them for non-commercial or personal domain names. Most law enforcers, such as consumer protection enforcement officials and those criminal enforcers investigating Internet scams, are less concerned with websites used for personal, as opposed to commercial purposes, and therefore, registrants in this category could use third party registration services. Commercial registrants would have less need to use these third party services because there is less privacy justification for masking their identity. However, this solution does not address the need of some law enforcers, such as those investigating child pornography or taxation authorities, to have immediate access to contact information for non-commercial sites. These law enforcers currently use and will continue to need access to Whois information to conduct investigations, and will likely face difficulties in obtaining such information from third party sources, particularly those who are located abroad and not directly subject to the law enforcement authority’s subpoena power to obtain information

Points for Discussion

• Can those who need to know the contact data of a registrant get access to it through other procedural methods?

• How would the distinction between “commercial” and “non-commercial” be made?

• How would this distinction be enforced?

• Imposing additional obligations on registrars to enforce these types of distinctions could impose significant costs on the domain registration process.

3. Governmental Participation In Whois Database Administration

Another approach is for governments to undertake greater participation in the administration of the Whois database. Private registrars are not in a position, nor do they have the authority, to police domain name systems or online content to determine who is a commercial operator, whether a particular registrant’s privacy interests are important, etc. They may not have the appropriate resources or ability to compel domain name registrants to provide accurate and reliable information.

The question of what participation is appropriate and how it can be implemented is difficult. Governmental participation might take several forms. Governments could set standards for data collection, civil and criminal penalties for non-compliance, and/or standardized takedown procedures. Governments could also maintain the Whois database. However, government maintenance of the personal data of all registrants could have a negative impact on some domain name owners, for example those who use their sites to post political views contrary to those of the current regime. Government access to such data could endanger such dissidents and inhibit their activities. Legal justification for the collection and maintenance of personal data by governments may differ under national law, and the uses of various components of such data by different parts of a government as well as by private concerns may be difficult to harmonize.

If the GAC were to encourage national legislatures to pass laws that provide for civil or criminal penalties for abuse of the Whois database collection or availability, that could drive the registrar functions offshore to other countries. Moreover, this approach could result in hundreds of inconsistent laws, and registrars doing business globally would have to incur significant compliance costs.

Another alternative is for governments to establish a treaty containing uniform rules for collection and maintenance of Whois data. Enforcement could be accomplished by individual countries or through an international governmental organization that would administer the WHOIS database. Of course, it would take a lot of time and effort to establish worldwide consensus on a treaty and/or an organization, which ultimately has the potential of adding another layer of bureaucracy onto the domain registration process. Finally, government regulation will be costly.

Points for Discussion

• Would government administration of Whois adequately address the public policy concerns at issue?

• Who should bear the burden of paying for a well-functioning Whois system?

• Are there better alternatives to government administration of Whois data for meeting the public policy purposes concerned?

4. Tiered Access

Another option is that of tiered access to the Whois database. Stakeholders have proposed different versions of this option, but the main thrust is to create a different level of access to Whois data, depending on the category of the Whois data user. The first tier could allow the general public access to the name of the registrar, the name server, the creation date and the expiration date. The second tier could allow law enforcement to get password-protected access to all data collected. The third tier could allow access to all data to those who apply for it, pay a fee and indicate for what purpose the information is to be used. This type of system has been proposed by the .name TLD but has not yet been approved by the UK data protection authorities to determine if it is an acceptable system under the EU Data Protection Directive. Some registrars are encouraging further exploration of this option. This proposal also raises certain challenges, similar to the challenges discussed in option 2.

Points for Discussion

• If tiered access provides different levels of access to different users of the data, should a single database be used and administered by a single operator to ensure uniformity and consistency? If so, could such a single database include information from both gTLD and ccTLD domains, to the extent such information is available?

• What legal ramifications are there for such an operator? Should the database be managed by governments?

• Would this option require fees to be charged for access?

• How would the distinction between “commercial” and “non-commercial” be made?

• How would this distinction be enforced? In addition, this approach requires registrars to make policy decisions about who should have access to data.

• How does a registrar in Italy determine whether a request for law enforcement access to Whois data from a local U.S. agency is legitimate?

• What is to stop someone from posing as a copyright owner to obtain access to Whois data?

5. Use of a Single TLD for Personal Registrations

Finally, another idea to reconcile the public policy concerns is to designate one TLD for personal registration and have a separate Whois policy for that TLD. The designated TLD could be an existing one or perhaps a new one. This approach could resolve registrar concerns about distinguishing between commercial and non-commercial registrations. This raises the potential concern that the single TLD used for personal registration could become a haven for wrongful conduct. But this concern could be alleviated by imposing strict rules for registrars to police this personal TLD space. Alternatively, a government or governments could take over administration of this TLD.

Points for Discussion

• Is this solution feasible? If not, why not?

• What is the best way to address the concern that such a TLD might become a haven for wrongful conduct?

Notes:

1. See “Final Report of the GNSO Council’s WHOIS Task Force: Accuracy and Bulk Access” (19 February 2003), available at: http://www.dnso.org/dnso/notes/20030219.WhoisTF accuracy and bulkaccess.html.

2. See Australian Tax Office, “Tax and the Internet: Second Report” (December 1999) 6.2.11, available at: http://www.ato.gov.au/content.asp?doc=/content/businesses/ecommerce_tati2.htm.

3. See Prepared Statement of the Federal Trade Commission on The Integrity and Accuracy of the "WHOIS" Database, Before the House Subcommittee on Courts, the Internet, and Intellectual Property of the Committee on the Judiciary, 107th Cong., 2d. Sess. (May 22, 2002), available at http://www.ftc.gov/os/2002/05/whois.htm.

Comments concerning the layout, construction and functionality of this site
should be sent to webmaster@icann.org.