Staff Manager's Issues Report on Privacy
Issues Related to Whois
(13 May 2003)
Contents
Summary
Preliminary Catalog of Issues
Issues Concerning Data
Collection
Issues Concerning Data Quality
Issues Concerning Data Handling
Issues Concerning Data
Disclosure
Issues Concerning Data Use
Issues Concerning
Classification of Registrants
Issues
Concerning Commercial Confidentiality and Rights in Data
Stakeholder Groups
and Their Apparent Positions
Whois/Privacy Activities
in Other Groups
Recommended Process for
Proceeding
Characteristics of the Issues
General Counsel's Remarks
on Scope
Recommendations for Proceeding
At its
25 March 2003 meeting, the GNSO Council decided (in Decision 5) to
request that the staff produce an issues report on privacy issues. The
Council suggested that the following two documents be used in producing
the report:
Summary
This Issues Report has been prepared according to Item
2 of the GNSO Policy-Development Process (PDP), adjusted as appropriate
to accommodate the ongoing transition to the New Bylaws’ procedures. Item
2 of the PDP lists the following elements for an Issue Report:
a. The proposed issue raised for consideration;
b. The identity of the party submitting the issue;
c. How that party is affected by the issue;
d. Support for the issue to initiate the PDP; and
e. A recommendation from the Staff Manager as to whether the Council
should initiate the PDP for this issue (the "Staff Recommendation").
Each Staff Recommendation shall include the opinion of the ICANN General
Counsel regarding whether the issue proposed to initiate the PDP is
properly within the scope of the ICANN policy process and within the
scope of the GNSO.
In requesting the staff to prepare an Issues Report, the GNSO Council
suggested that two documents that were discussed in the GNSO Council meeting
on 25 March 2003 be used in the preparation:
1. "Whois
Issues Paper on Privacy" (11 March 2003) prepared by Marilyn
Cade on behalf of the Whois Task Force, drawing on the contributions
of the Task Force in meetings and previous documents and discussions.
2. "Privacy
Issues Report: The Creation of a New Task Force Is Necessary for an
Adequate Resolution of the Privacy Issues Associated with Whois"
(10 March 2003) prepared by Electronic Privacy Information Center (EPIC)
and Ruchika Agrawal.
In reviewing these documents, as well as other information that has been
posted in the community discussion of the relationship between Whois (concerned
with the display of data about a registrant and associated contacts such
as technical, administration and billing) and privacy (concerned with
what data is collected from registrant, and how it is used, maintained,
and made available to others), several features of the discussion are
evident:
A. There are many issues involved, not just a
single issue.
B. There is a stark divergence of views held by
different segments of the community about many, if not all, of the issues.
C. In many cases, the divergence of views appears
to be based on the lack of a common understanding of various facts and
circumstances relevant to the issues.
D. There also appears to be an imperfect general
understanding regarding the requirements concerning Whois currently
established in (a) ICANN agreements and policies and (b) legal requirements
established by laws and other governmental requirements.
E. The multiple issues have not been crisply defined,
and different segments of the community prefer to define them in different
ways. (See point F immediately below.)
F. Many segments of the community discern linkages
between various of the issues, so that their view of what resolutions
of one issue are acceptable are dependent on how another issue is resolved.
Different segments of the community discern different linkages.
G. ICANN entities other than the GNSO have constituents
with a stake, and thus an interest, in how the issues are resolved.
These considerations lead the staff to recommend that the appropriate
action at this time is to commence a phase of fact-finding and issue-definition
work, prior to commencing policy-development processes on the substance
of particular issues.
After providing a preliminary catalog of issues, this Issues Report briefly
characterizes the interests of various stakeholder groups as they now
appear. This report next reviews the activities of other ICANN groups
and stakeholders that seem relevant to Whois privacy issues. In a final
section, it sets forth recommendations for a process to move forward,
in coordination with other entities (within ICANN and potentially outside),
toward the initial exploration of the menagerie of issues, with the view
of better defining them and attaining a working understanding of how the
various issues interrelate, so that it is practical to sequence a series
of substantive PDPs on them. These staff recommendations take into account
some preliminary guidance of the General Counsel concerning the relationship
of the issues to ICANN’s Mission and Core Values and the GNSO’s scope.
Preliminary
Catalog of Issues
Based on the "Whois
Issues Paper on Privacy" (11 March 2003), the "Privacy
Issues Report: The Creation of a New Task Force Is Necessary for an Adequate
Resolution of the Privacy Issues Associated with Whois" (10 March
2003), and other materials discussed in the community, it appears that
the following issues concerning privacy are thought by at least some segment
of the community to be worthy of policy development within the GNSO:
Issues Concerning Data
Collection
1. Should the elements of data that registrars
are required to collect at the time of registration of a domain name
be revised? (See Registrar Accreditation Agreement (RAA) § 3.2.)
2. Should registrars be prohibited by ICANN from
collecting additional items of data?
3. Should all registrants, or certain classes
of registrants (see Issue 18 below), be afforded
the option of not providing some or all elements that registrars are
required to collect and, if so, which elements?
4. Should the current mechanism for pseudonymous
registration be changed or supplemented with one or more alternative
mechanisms? (See RAA § 3.7.7.3.)
Should steps be taken to encourage broader availability of this mechanism?
5. Are the current requirements that registrars
make disclosures to, and obtain consent by, registrants concerning the
uses of collected data adequate and appropriate? (See RAA §§
3.7.7.4 to
3.7.7.6.)
Issues Concerning Data
Quality
6. Are the procedures currently followed by registrars
adequate to promote accurate, complete, and up-to-date data, as required
by both privacy and accountability principles? (See RAA §§
3.7.7.1,
3.7.7.2,
and 3.7.8,
as well as the GNSO’s Whois recommendations on accuracy adopted
by the ICANN Board on 27 March 2003.)
7. What should be the consequences when a registrant
provides inaccurate or incomplete data, or fails to correct inaccurate
or incomplete data? (See RAA §§ 3.7.7.1,
3.7.7.2,
and 3.7.8.)
Are safeguards needed to prevent abusive reports of inaccuracies? Should
certain classes of registrants (see Issue 18 below)
be permitted to provide inaccurate or incomplete data?
Issues Concerning Data
Handling
8. Are the current requirements that registrars
handle personal data according to the notices given at the time of registration,
and in a manner that avoids loss, misuse, unauthorized access or disclosure,
alteration, or destruction, adequate and appropriate? (See RAA §§ 3.7.7.7
and 3.7.7.8.)
9. Are the current requirements for handling of
registrar data by registry operators adequate and appropriate?
Issues Concerning Data
Disclosure
10. Are the current means of query-based access
appropriate? Should both web-based access and port-43 access be required?
(RAA § 3.3.1.)
11. What are the purposes for providing public
query-based access? Are the elements currently required to be disclosed
in public query-based access adequate and appropriate? (RAA § 3.3.1.)
12. What measures, if any, should registrars
and registry operators be permitted to take to limit data mining of
Whois servers?
13. Should access to data be differentiated based
on the party receiving access, or based on the use to which the data
will be put? If so, how should differentiated access be implemented
and how should the cost of differentiation be funded?
14. Should the current requirement that registrars
provide bulk Whois access for non-marketing uses be further limited
or eliminated? (RAA § 3.3.6,
as well as the GNSO’s Whois recommendations on accuracy adopted
by the ICANN Board on 27 March 2003.)
Issues Concerning Data Use
15. Which uses of Whois data by members of the
public should be permitted (e.g., resolving technical problems, sourcing
spam, identifying online merchants, law enforcement activities, identifying
online infringers for enforcement of intellectual property rights, etc.)?
Which uses should be prohibited?
16. How should restrictions on permissible uses
by members of the public be enforced? (RAA §§ 3.3.6.3
to 3.3.6.5.)
17. To what extent is Whois data actually used
to the harm of registrants (e.g., identity theft, spam, stalking, and
other harassment)?
Issues
Concerning Classification of Registrants
18. Should certain types of registrants (e.g.,
those using domains for political and similar activities) be exempt
from the usual requirements to provide data, or to have it available
in Whois? How should the eligibility of particular registrants for these
exemptions be determined? Are measures required to address the possibility
of abuses in the classification procedure?
Issues
Concerning Commercial Confidentiality and Rights in Data
19. Should registrars have the option, independent
of their customers, to protect the confidentiality of Whois data based
on registrars’ proprietary rights to that data? Are the current provisions
permitting registrars to claim proprietary rights in personal data about
their customers appropriate? (RAA § 3.5.)
20. Should there be ICANN requirements limiting
registrars' ability to sell or use Whois data, or other data collected
about customers, for commercial purposes?
The above list, though long, is not intended to be exhaustive. These
are only issues that are apparent from the two referenced reports and
recent online discussions. The large number of issues indicates that it
is not feasible for the GNSO to simultaneously develop policy concerning
all issues. Some focusing will be essential to effective development of
sound policies.
Stakeholder
Groups and Their Apparent Positions
As mentioned above, different segments of the community have differing
perspectives on the many Whois/privacy issues. The contours of the various
positions are poorly defined in many cases. In 2001, the DNSO Whois Task
Force conducted an online survey concerning uses of and opinions concerning
Whois. Although not based on a scientific sampling technique, that survey
provides some insights into attitudes toward Whois issues. In addition,
the DNSO/GNSO Task Force has solicited views from various constituencies.
Based on that information, the following very preliminary characterizations
of constituency views seem appropriate:
Non-Commercial Users Place great emphasis on privacy
of Whois data.
Commercial Users Place great emphasis on accountability
of uses of the Internet, and therefore on accessibility of Whois data
for legitimate purposes.
Intellectual Property Interests Stress the importance
of ready access to accurate Whois data to support investigation of cybersquatting,
copyright violations, and counterfeiting activities.
ISPs Support ready access to accurate Whois data
to facilitate resolution of network problems and sourcing of spam.
Registrars View registrant data as an important
business asset which should not be made available to competitors. (In
this regard, registrars are largely aligned with resellers.) Registrars
also receive complaints from registrants reporting that they have received
unsolicited renewal notices, and other offers by phone, postal mail,
fax, or e-mail targeted at registrants using the information available
via Whois. However, registrars also need a mechanism to access the registrant
data of competitors to confirm authorization of transfers. Registrars
also bear the expense of providing registrar-level Whois service.
gTLD Registries Registry operators bear the expense
of providing registry-level Whois service, and may also view the aggregate
data as an important business asset that should not be made available
to competing registry operators.
Other segments of the Internet community, not fully included in GNSO
constituencies, have also exhibited significant, legitimate interests
in Whois policy. These include individual Internet users, law-enforcement
and consumer-protection authorities, taxation authorities, and privacy
and free-speech advocates.
Whois/Privacy
Activities in Other Groups
Four other groups in ICANN are actively involved in investigating Whois
issues:
At-Large Advisory Committee The ALAC has initiated
a comment forum on
Whois issues to gather information from individual Internet users
regarding their opinions.
Governmental Advisory Committee At its March 2003
meeting, the GAC
formed a working group on Whois issues. The GAC working group has
requested that the President organize a workshop on Whois issues to
be held at the ICANN Montreal meeting.
Security and Stability Advisory Committee The SAC
has issued a recommendation
on Whois issues as pertinent to its area of expertise. That recommendation
is now in Version 2.
ICANN Board At its March 2003 meeting, the ICANN
Board directed
the President to appoint a President's Standing Committee on Privacy,
to be responsible for monitoring the implications of existing and proposed
ICANN policies on the handling of personal data.
In addition to the above ICANN groups, various governmental bodies are
currently engaged in Whois-related work, including the OECD, the European
Commission, the US Federal Trade Commission, and the International Working
Group on Data Protection in Telecommunications. Many of these groups have
shown interest in being involved in policy-development activities within
ICANN on Whois and data privacy.
Recommended
Process for Proceeding
Characteristics of the Issues.
From the above, it seems clear that the GNSO does not have the resources
to engage in PDPs on all Whois/privacy issues that have been raised. Because
of the large number of issues, as well as the need to bridge significant
differences in opinion in order to achieve consensus, PDPs on the issues
are likely to require significant commitments of time by ICANN participants.
At a minimum, some type of phased approach will be necessary. Indeed,
it seems likely that it will be advisable to initiate a PDP on only some
of the issues cataloged above.
Many participants in the discussion argue that various issues are linked,
in the sense that their views on what resolutions of one issue are acceptable
depend on how other issues are resolved.
The written contributions to date reflect strong divergences in assumptions
about the underlying facts and circumstances. It also appears that participants
in the discussions could benefit from having access to reliable information
concerning existing ICANN policies and requirements, as well as the legal
requirements established by laws and other governmental requirements.
It seems clear that further analysis of the topic area as a whole, including
analysis of the possible issues and their interrelationships as well as
investigation and discussion of the underlying circumstances, will be
necessary before the issues can be sufficiently understood and defined
to allow prudent decisions on what PDPs to pursue and how to phase and
structure those PDPs.
General Counsel's Remarks
on Scope. The present lack of clear definition of the issues renders
it impractical to determine presently whether the various issues are within
the scope of ICANN and of the GNSO policy process. To be sure, some of
the issues appear clearly to involve coordination of policy matters closely
related to the gTLD DNS-registration function, and thus to be within the
scope of both ICANN and the GNSO policy process. Most of the issues appear
to involve "policies" in the sense that they are broadly applicable
to multiple situations and organizations, to involve an enduring need
to establish a framework for future decision-making, or implicate existing
ICANN policies.
Other issues (e.g., Issues 2 and 20
above), depending on how they are defined, may fall outside ICANN’s scope.
Still other issues, such as those envisioning classification of types
of registrants and uses of data, could lead to elaborate policies that
would require significantly more intrusive ICANN enforcement activities
than at present.
Based on the current, preliminary state of delineation of the issues,
however, it is not feasible to reach confident conclusions about whether
the issues are in ICANN’s or the GNSO's scope.
In saying that, however, it is important to add that many groups
within and outside ICANN, private-sector and governmental
have a role in establishing policies in this area. Even given the limits
on its scope in terms of recommending policy, it may be appropriate for
the GNSO to consult with other groups to foster informed discussions by
all the groups involved.
Recommendations for Proceeding.
The staff recommends that the GNSO Council not initiate a PDP on any of
the Whois/privacy issues until significant additional work is done on
investigating the factual background, in analyzing interrelationships
of the issues, and in more clearly delineating the issues to be pursued.
Additional work in these areas should provide the necessary understanding
of the circumstances surrounding the uses and misuses of Whois, their
effects on privacy concerns, and the issues and their inter-relationships.
To move forward, the staff recommends:
1. The GNSO Council should form a Whois/Privacy
Steering Group, with representation by all constituencies. (The GNSO
Council may wish to consider having this Steering Group chaired by a
person independent of any constituency.) The charter of the Whois/Privacy
Steering Group should be clearly defined to include the following tasks,
with the purpose of guiding the GNSO in the process of establishing
a work plan for development of policy recommendations on Whois/privacy
issues:
(a) acquiring relevant, reliable information
concerning the circumstances related to uses and misuses of Whois;
(b) better defining the privacy-related
issues arising from Whois and better understanding their inter-relationships;
(c) identifying groups outside the
GNSO (including groups that are now working on, or that plan to work
on, Whois/privacy issues) that can assist the GNSO in its policy-development
work on Whois/privacy issues and consulting with them concerning specific
ways (such as factual analyses on specific questions) in which they
might assist;
(d) presenting to the GNSO Council
a recommended work plan for its activities in the developing policy
recommendations on Whois/privacy issues (see recommendation 3 below
for more details).
2. A major initial focus of the fact-finding
and issue-definition process should be the dissemination of information
and community-wide sharing of views about the nature and costs of providing
Whois services, actual uses and misuses of Whois, relevant current ICANN
policies, and privacy requirements in various jurisdictions. In that
regard, the GNSO Council should join with the GAC working group in requesting
the President to organize a Whois workshop at the ICANN Montreal meeting
with that focus.
3. The Whois/Privacy Steering Group
should provide its work plan by a specified date (such as 1 August 2003)
well in advance of the Carthage meeting. The
work plan should define the five (approximately) issues that the Whois/Privacy
Steering Group recommends be accorded high priority in the policy-development
process. The work plan should also identify groups with which the Whois/Privacy
Steering Group recommends that the GNSO collaborate in policy development,
and describe the nature and benefits of the proposed collaboration.
4. Issue Reports should be prepared on
each of these issues (see GNSO
PDP Item 2) in time for the GNSO Council’s consideration of all
of them at the Carthage meeting.
5. After considering and discussing the
Issue Reports, the GNSO Council should initiate PDPs in a sequence it
concludes is appropriate, with the understanding that any task forces
formed would be separate from the Whois/Privacy Steering Group. To the
extent determined appropriate by the GNSO Council, the PDPs could be
conducted in conjunction with other groups.
Respectfully submitted,
Louis Touton
Acting Staff Manager, Whois/Privacy Issues
General Counsel
Comments concerning
the layout, construction and functionality of this site
should be sent to webmaster@icann.org.
Page Updated
31-May-2003
©2003 The Internet Corporation for Assigned
Names and Numbers. All rights reserved. |