Multi-language Versions: SiZH RU FR ES AR
STATUS OF THIS DOCUMENT: Comments incorporated; document in final form.
COMMENT DEADLINE: 10th October 2008, 1200 UTC
*NEXT STEP FOR THIS DOCUMENT: Final draft incorporating comments will be voted on by the ALAC at their 14th October 2008 meeting.
Preliminary Note
The At-Large Advisory Committee (ALAC) wishes to convey to the GGNSO Council the ALAC's views on the report prepared by the Whois Study Hypothesis Group, which can be found at following URL: The report to which this Statement pertains may be found at http://gnso.icann.org/issues/whois/whois-study-hypothesis-group-report-to-council-26aug08.pdf
.
The ALAC wishes to thank the members of the ALAC community who participated in this statement: Carlton Samuels, Alan Greenberg, Danny Younger, Patrick Vande Walle and anonymous contributors.
We note there is no clear distinction in the document between whois services, as provided through whois servers compliant to RFC3192 and whois-like services provided through web-based systems. The differences are important in analyzing how the systems can be misused.
The text-based whois service suffers from its simplicity. It makes bulk data download easy. To the contrary, a web based whois systems can be better tailored to limit bulk queries through captcha validations or other techniques.
With regard to the text-based version of whois, we note and agree with the writers of RFC 3912: "The WHOIS protocol has not been internationalised. The WHOIS protocol has no mechanism for indicating the character set in use. _. This inability to predict or express text encoding has adversely impacted the interoperability (and, therefore, usefulness) of the WHOIS protocol." RFC 3912 further elaborates that: "The WHOIS protocol has no provisions for strong security. WHOIS lacks mechanisms for access control, integrity, and confidentiality. Accordingly, WHOIS-based services should only be used for information which is non-sensitive and intended to be accessible to everyone. The absence of such security mechanisms means this protocol would not normally be acceptable to the IETF at the time of this writing".
With the above in mind, the ALAC considers that the text-based whois services do not serve the needs of the community anymore. This includes:
- The support of non-ASCII character sets;
- Control of the granularity of displayed data;
- The management of access rights and the auditing of accesses;
- The compliance of the Whois services with the legal requirements registrars and registries are subject to.
We urge the GNSO to consider a new whois-like service with would provide granular access rights to registrant information and proper auditing of accesses, as well as the support for non-ASCII character sets. In this respect, we draw the attention of the GNSO to the SSAC recommendation expressed in SSAC-033 http://www.icann.org/en/committees/security/sac033.pdf.
More generally, the ALAC support the GNSO council's definition of the of the purpose of the whois, as expressed at the GNSO council meeting of 12 April 2006: "The purpose of the gTLD Whois service is to provide information sufficient to contact a responsible party for a particular gTLD domain name who can resolve, or reliably pass on data to a party who can resolve, issues related to the configuration of the records associated with the domain name within a DNS nameserver."
On the GNSO Whois hypothesis working group studies report, we would like to make the following comments:
Area 1 WHOIS Misuse Studies
Comment 21 and GAC data set 2: Other cases of misuse have been reported, like identifying political opponents and other people persecuted for their opinions.
Area 2 Compliance with data protection laws and the Registrar Accreditation Agreement
If local laws allow a registrant (natural person) to oppose the publication of his/her data in databases like the public whois, he/she should still be allowed to register a domain name. Further analysis is needed to see if:
- Provisions under 3.3.1 and 3.3.6 of the Registrar Accreditation agreement are compatible with the local laws of the Registrar
- If the failure to comply with these provisions by a Registrar because of local laws can lead to the termination of the RAA for said Registrar.
Further analysis is needed regarding the export of registrant data from one country to another. It may be the case that a registrar located in country X is not allowed by law to export natural persons data to a registry in country Y. This matter is further complicated if the registry subcontracts the technical backend to an operator with its registered address in country Z and its data operations in yet another country.
With regard to gTLD registries, the ALAC notes that registry agreements include requirements for whois services which may be incompatible with the legal requirements some registries may be subject to under local law. Further analysis is needed to see if the inability for a registry to comply with ICANN's generally accepted whois requirement could be used as an eliminating criterion in the comparative evaluation process under new gTLD program. If this were the case, the ALAC fears it would distort the evaluation process in favour of registries located in countries or regions with less stringent privacy laws.
Area 3 Availability of privacy services
With regard to the cost of proxy services, it should be noted some registrars may be mandated to offer free proxy services to private individuals under local law.
Area 5 Impact of WHOIS data protection on crime and abuse
Regarding GAC comment 1, it is important to define what is "the legitimate use of gTLD WHOIS data" and who are those entities, who can invoke it and how.
Area 6 Proxy registrar compliance with law enforcement and dispute resolution requests
Regarding Steve Metalitz' comment: It may be true that some registrars operating proxy/privacy services are not revealing registrant data when requested in a UDRP proceeding. These registrars may be prevented to do so under local law. UDRP is an arbitration process, not a legal process. Different rules may apply, depending on local law. Further analysis is needed to see if the UDRP process is compatible with the laws the registrars have to comply with.
Area 7 WHOIS data accuracy
As noted in the report, "The use of non-ASCII character sets in Whois records will detract from data accuracy and readability". This matches the comments we made in the preliminary note above. The Whois Hypothesis study group should investigate if alternative systems would allow better support for non-ASCII character sets, both in the domain names themselves and in the registrant data.
I reaffirm these concerns: 1) The existing text-based whois service is unfit to purpose 2) Introducing non-ASCII characters in whois data tends to muddle rather than give clarity 3) there should be a minimum set of whois data that is required by solemn agreement and enforced by the RAA 4) All access to whois data must be auditable.
Carlton Samuels
contributed by guest@socialtext.net on 2008-10-03 13:20:43 GMT
—
A comment such as this would have far more impact if it included somewhere, the lineage of the comment. That is, how was it created and by whom.
contributed by alan.greenberg@mcgill.ca on 2008-10-03 14:54:34 GMT
—
There are technical and legal methods in reducing the bulk data abuse of whois (port 43). But, what about 'legitimate' bulk access? Ie. I have a bunch of spam, I want to a program to check the whois data on the links so I can identify if it is from the same spammer? By blocking port 43 access, I cannot do that.
contributed by guest@socialtext.net on 2008-10-03 15:19:45 GMT
—
Having participated in the Council's Working Group, allow me to reiterate the conclusion reached: "There was not agreement in the Whois Studies volunteer group regarding whether or not any studies should be conducted." I was part of the contingent opposed to the notion of further studies for the following reasons:
1. Studies are being used as a delaying tactic by parties unwilling to accept the Council's duly-voted-upon WHOIS definition: "The purpose of the gTLD Whois service is to provide information sufficient to contact a responsible party for a particular gTLD domain name who can resolve, or reliably pass on data to a party who can resolve, issues related to the configuration of the records associated with the domain name within a DNS nameserver."
2. We have now wasted 2 1/2 years since the definition was adopted instead of moving forward with policy development.
3. Even when the ICANN Board resolves to commence studies (such as via the 18 October 2006 Resolution on Economic Studies), those studies never seem to see the light of day.
Approving more studies is nothing but a poorly-disguised effort to further delay policy development activities. If you are someone who wants no changes in the WHOIS for the next several years, then feel free to ask for more studies that will only tell us what we already know.
Danny Younger
contributed by guest@socialtext.net on 2008-10-03 20:29:39 GMT
—
Hypothesis:
With regard to the process to select new gTLD operators, there may be requirements in the RFP that new gTLD operators have to provide whois services similar to those the incumbents already provide. A problem may arise if a potential gTLD operator is based in a country where privacy laws restrict the amount and type of data provided through whois services.
Utility:
If the potential operator does not meet the requirements, he could be eliminated during the selection process. This would effectively distort the selection process in favour of those operators located in countries with weak or no privacy laws.
How the hypothesis could be falsified:
If the RFP for new gTLD submissions includes provisions that whois services need to be offered only to the extent allowed by local and international laws, and that this criterion will not be used to eliminate applicants, especially in case of string contention.
contributed by patrick@vande-walle.eu on 2008-10-04 17:20:11 GMT