ALAC Statement on the Whois Review Team's RFC on Scope of Work and Roadmap, Outreach and Action Plans for Whois Review Exercise - Draft
Public Comment on the Whois Review Team (closes 17 April)
The At-Large Advisory Committee welcomes this WHOIS Review exercise and considers it as timely, especially with the imminent addition of new generic top level domains to the root of the Domain Name System. Current policy commits ICANN to “implement measures to maintain timely, unrestricted and public access to accurate and complete WHOIS information, including registrant, technical, billing, and administrative contact information.” ICANN’s implementation of its WHOIS policy framework is grounded on the obligations of registrars defined and agreed in the Registrar Accreditation Agreement (RAA) and certain enforcement mechanisms centred on processes managed by ICANN’s Office of Contract Compliance. It is no secret that the At-Large is concerned about ICANN’s handling of its obligations to the community for contract compliance in this area. The ALAC’s previous statements in context demonstrate that we remain underwhelmed by ICANN’s enforcement regime; “decidedly inadequate and spotty, at best” would be a concise summary of these views.
In our view, the Review Team must first grapple with and provide answers as to whether the principles espoused by the WHOIS construct in context of the Domain Name System remain relevant here forward. Secondly, to the extent that the WHOIS construct remains relevant, we expect the Team to consider and provide definitive guidance as to whether the mechanisms that implement the objectives to which the WHOIS construct is obliged are and remain fit to purpose.
The contents of the WHOIS data-set, the quality of the content and its accessibility are at the heart of the concerns. And the controversy swirls around the several perspectives or understandings of what is meant by “timely, unrestricted and public access to accurate and complete WHOIS information” which baselines the framework for the existing mechanisms and processes today. Voices in the ICANN community, including members of good standing in the At-Large, are certain that the WHOIS obligations compelled by the RAA and as implemented impinge on a registrant’s right to privacy and is a threat to the free speech rights of all Internet users. Some argue that privacy necessarily means anonymity and reject provision or collection of valid WHOIS data. In similar vein, some are in favour of restricted or mediated access to the WHOIS dataset and advocate a slew of so-called privacy services to remedy the direct positive knowledge of the registrant as well as the unfettered access to registrant data compiled in the WHOIS dataset.
The ALAC is on record for insisting that by virtue of being signatory to the RAA contract, ICANN is obliged to ensure the collection of the full dataset as required, to ensure the validity of the contents and, furthermore, has a duty of care to fully enforce the contract obligations. While the ALAC is sensitive to the claims of privacy and are no less in favour of free speech rights, we are equally concerned that with the Internet being a major conduit of commercial activities worldwide, some come to it with hearts and mind laced and bonded with larceny. And as it is in the counterpart ‘bricks and mortar’ world, dissolute behavior is a natural consequence. Therefore, the baseline ‘know your customer’ – and provider - rule is necessary to combat fraudulent activities and must be a generally-accepted conditionality for all transactions with economic implications on the Internet. It is in this context that the original mandate for WHOIS data serves a very important purpose.
The community is riven with the spectre of contending rights, advocated by diametrically opposed and powerful interests. It is therefore rational that some balance must be struck between these contentions. The ALAC wishes to sign on to this perspective - balance can and must be embraced to solution - and offer these specific endorsements as guidelines to forging a workable one:
We acknowledge the calls for privacy as legitimate and in as much as other rights are not critically poached or eroded, would endorse a zone of privacy for the legitimate causes where privacy would be a positive benefactor. Our endorsement of a zone of privacy does not relieve a zone operator of the responsibility to ‘know the customer’
We endorse the commitment to define consumer trust as well as the analysis of factors that would promote consumer trust in the context of the WHOIS.
We endorse a formal definition of the term “law enforcement”’ and the term "legitimate needs of law enforcement."
We are equally seized with and endorse a formal definition of the term “unrestricted and public access” in the context of WHOIS data set
We endorse a heightened approach to identify and document the conflicting claims of privacy versus the ‘need to know’
We endorse and will not retreat from the requirement for unfettered access to WHOIS data save and except specially designated classes as approved by consensus
We endorse the notion that intentional incorrect information attached to a WHOIS entry must be sanctioned
2 Comments
Anonymous
With regard to the WHOIS dataset the ALAC has noted the tension between privacy concerns and accurate full-disclosure obligations, yet once again it has failed to put forward a concrete implementable proposal to strike a balance between these concerns; the following plan serves to correct this shortcoming.
A primary concern posited by the ALAC alludes to larcenous behaviors on an Internet that serves as a major conduit for commercial activities worldwide. Inasmuch as larceny is a transaction-based crime involving the wrongful acquisition of the personal property of another, the key to logically dealing with this concern resides in our ability to determine at the outset which domains engage in transactions – if a domain is not utilized in the pursuit of transactions, then there is generally no opportunity for larceny.
Complementing the above-mentioned ALAC concern is the viewpoint held by the OECD: “Just as conventional businesses are required to identify themselves adequately, commercial web sites should also be required to provide accurate, verifiable and accessible contact data. Indeed requiring such data should be seen as part of the responsible process of providing a trustworthy environment in which electronic commerce can flourish. In this analysis it is paramount to realise that businesses establish domains on the Internet for the express purpose of being globally accessible to customers. Businesses hold themselves out to the world to conduct business and for direct taxation systems to work such businesses cannot be anonymous. There is a strong synergy between consumer protection requirements regarding adequate business identification and the needs of revenue authorities and other regulatory agencies in this regard.” (1)
The WHOIS dataset does not currently differentiate between commercial and non-commercial domains – this needs to be the starting point for all future discussions.
As it is held to be axiomatic that those that engage in business transactions have no expectation of privacy, we need to address the remaining legitimate privacy concerns that have long been iterated by establishing a registration policy that first directs registrars to inquire whether a domain name will be used to engage in commercial activities – the question could be as a simple as:
“will this domain name ever be used to engage in commercial transactions? ___ yes ___ no
If the answer is “yes”, then all data must be accurate, amenable to validation and would automatically preclude the use of any privacy/proxy services as a matter of policy; if the answer is “no”, then the usage of privacy services would be allowed and the anonymity of natural persons (as it pertains to the public display of data) would be respected.
Of course, one can expect that those given to larcenous behaviors will attempt to game this system (which is why a supplemental system of checks and balances needs to be in place). To deal with the issue of incorrect or fraudulent responses to the above-cited commercial activities question, ICANN would modify the current WHOIS Data Problem Reporting System. If a report is submitted that can demonstrate that a domain designated as non-commercial is in fact engaged in commercial activities, the domain (upon registrar verification) will be re-designated as commercial (with WHOIS data accordingly being changed – registrars may, of course, reserve the right to bill their clients for these necessary changes).
This overall approach will serve to accommodate privacy concerns while laying the foundation for an accurate dataset of commercially-utilized domains.
You will note that this proposal is remarkably akin to the Telnic model already endorsed by the ALAC (2). The Telnic WHOIS Policy stipulates that “With respect to the amount and type of domain name registrant data provided in response to queries of the WHOIS service by the general public, the WHOIS service will distinguish between domain name registrants that are companies, businesses, partnerships, non-profit entities, associations, or other types of legal constructs (“Legal Persons”), and domain name registrants that are human beings, perceptible through the senses and subject to physical laws (“Natural Persons”). Domain name registrants will be required to specify whether they qualify as Legal Persons or Natural Persons by clicking the appropriate box during the registration process.” (3)
In order to effectively launch this process, the ALAC needs to do more than merely issuing yet another “Statement”. The ALAC needs to formally invoke the Policy Development Process (PDP). The ALAC has the right under the ICANN bylaws to get the ball rolling – it should do so. Contact the GNSO and get the process to bring about change started.
Finally, the ALAC has also noted its view that “ICANN is further obliged to demand that WHOIS data is validated by registrars”. In light of this proposal, I would modify this “demand” by requiring only commercial WHOIS data to so be validated, and this requirement could be set within the context of an amendment to the Registrar Accreditation Agreement.
This, of course, raises the issue of compliance burdens for registrars and the increased costs that are associated with regulatory regimes. It is not sufficient to state: “We do not believe that registration verification will add significant cost to Registrar operations” (4) – what is needed is a way for registrars to recover their increased costs.
The solution is likely to be found in a credit offered to registrars by way of the variable Registrar Transaction Fee (currently set at $0.18 per transaction year in FY11 for those who have signed the 2009 RAA (a discount of the contracted fee of $0.25) to offset the start-up costs associated with the implementation of registration validation services. This credit could readily be built into the FY12 ICANN Budget with sufficient advance planning.
Thanks for your consideration of this proposal.
Danny Younger
(1) http://www.oecd.org/dataoecd/4/56/14990201.pdf
(2) https://st.icann.org/data/workspaces/gnso-liaison/attachments/whois_policy:20100324135103-0-23509/original/ALAC%2520Statement%2520on%2520WHOIS%2520-%2520Draft%2520%2520Revised%2520-%2520Rev%25231-2010-03-23.doc
(3) http://www.telnic.org/downloads/Whois_Policy.pdf
(4) https://st.icann.org/data/workspaces/gnso-liaison/attachments/whois_policy:20100324135103-0-23509/original/ALAC%2520Statement%2520on%2520WHOIS%2520-%2520Draft%2520%2520Revised%2520-%2520Rev%25231-2010-03-23.doc
Carlton Samuels
Dear Danny:
As usual, a very thoughtful response. It might be useful to note however that the ALAC is commenting on the suitability of the 'roadmap, outreach and action plans' for the WHOIS review. In this context, we took pains to say whether we think the framework for the review is correctly set, the plan of action is adequate to objective and the touchstones proposed are likely to provide the thoroughness that a review of this kind should ensure.
We think we have. We advised the Review Team to revisit the principle for which the WHOIS construct was devised and its continued applicability to the domain name system. We went even further: we identified the priority issues for the At-Large and which, in our estimation, require the special attention of the Review Team.
When the time comes and specific details are returned in answering the questions we think should be answered, your proposals would be very valuable indeed in presenting them to the Review Team. And we will be right there with you championing them to the At-Large in particular and the ICANN community in general.
Kind regards,
Carlton