AT-LARGE GATEWAY

At-Large Website

ALAC

RALOs

At-Large Regional Policy Engagement Program (ARPEP)

At-Large Governance

At-Large Reports

Policy Comments & Advice

Working Groups

ICANN Meetings

At-Large Summit (ATLAS III)

At-Large Review Implementation Plan Development

ALAC and RALO Elections, Selections, and Appointments

At-Large Priority Activities - 2021

Versions Compared

Old Version 3

changes.mady.by.user Matt Ashtiani

Saved on

compared with

New Version 4

changes.mady.by.user Matt Ashtiani

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.

FIRST DRAFT SUBMITTED

The first draft submitted will be placed here before the call for comments beginscompleteness, accuracy and accessibility of Whois data is critical for Internet users: for consumers dealing with online providers of products and services, for trademark holders, for corporate and communications regulators and for law enforcement agencies. The ALAC position is that all ‘Whois’ information for the actual holder of the domain name - the beneficial user (a term in the proposed privacy and proxy specification) should be complete and verified. If verification is not possible, the registration should be suspended.

One of the major concerns of the ALAC has been the looseness of RAA requirements for Whois data.  It was not clear that Whois data requirements covered the beneficial user of the Registered Name if they used resellers or privacy/proxy services. It was also not clear whether or how their Whois data would be verified. The wording of Whois requirements also made ICANN enforcement of the Whois requirements difficult if not impossible.

The ALAC therefore supports changes to the RAA and its accompanying documents.  Together, they significantly tighten information requirements, particularly on resellers, and include a new requirement that contact information be verified. We particularly support the new requirement on the Registrars to suspend the registration of the Registered Name Holder in circumstances where the Whois contact information cannot be verified.

There are, however, still significant gaps that have not been addressed. 

Revised RAA:

Both the data that a registrar must provide to a registry (3.2.1) and the Whois information that a registrar must collect and make publicly available (3.3.1.8) can be changed merely by agreement between the registrar and registry, and with ICANN approval.  With the movement towards universally ‘thick’ Whois registries, the data a registrar provides to a registry should include all of the Whois data, not simply what is now required.  And given the importance of Whois data, the Whois information collected and published by registrars should not be changed without public discussion and input.

Proposed Whois Accuracy Program Specification

The Specification uses the term ‘account holder’ or ‘account holder who pays’.  We assume what is meant is the beneficial user of the domain name, regardless of payment method.  Therefore, the term ‘account holder’ should be defined in the RAA as the individual or organisation that is the beneficial user of the domain name. 

The Specification has lesser requirements on verification of Whois data for the beneficial users than for Registered Name Holders.  Specifically, while registrars are required to suspend registration when Whois information for a Registered Name Holder cannot be verified, there is no suspension requirement for beneficial user information. Because of the importance of complete and accurate Whois information for the actual user of the domain name, any registration where the beneficial user Whois information cannot be verified should be suspended.

The verification of Whois data for the beneficial user may be done by one of three organizations. Clearly the actual registrar is responsible under the RAA for compliance with Specification requirements for verification and suspension. (RAA 3.7.8 now requires registrar compliance with the Specification). Registrars are also responsible for their reseller compliance with all RAA requirements. (RAA 3.12)

The difficulty is with the privacy/proxy servers. Under the RAA, any Registered Name Holder that licenses the use of a domain name to a third party is nevertheless deemed to be the Registered Name Holder (RAA 3.7.7.3), rather than the actual beneficial user of the name. Therefore, it is critical that there are similar requirements for Whois data collection, verification and, when necessary, suspension for Whois information of users of privacy and proxy services.

Specification on Privacy and Proxy Registrations

Under the RAA, any Registered Name Holder that licenses the use of a domain name to a third party is, nevertheless, the registered name holder of that name.  However, because they are distributing the use of a domain name, they should be caught by the same requirements for the collection and accuracy of Whois data as for all beneficial users of the domain name.  Therefore, the Specification should contain specific requirements on all privacy and proxy servers to collect and verify Whois information for any beneficial user of a domain name they licence.  And they should be required to suspend the registration of that name if contact details cannot be verified.

There are, nevetheless, legitimate reasons why beneficial users of a domain name may not want their contact details publicly available.  Therefore, while requirements for Whois data for privacy and proxy services should be for complete, verified Whois data, the circumstances in which that data will be made available will be limited.

Indeed, the Specification lacks significan detail on what such services should offer.  It does not include any requirement for accurate contact details of the beneficial user, discussed above.  Significantly, it also gives no guidance as to what privacy protection a privacy server should offer.  Nor does it provide any guidance on circumstances where it may be legitimate to access those details.

In the interests of both Whois data accuracy and genuine privacy protection, the Specification should be developed as soon as possible.