I propose these as NCUC comments to the WHOIS Review Team
<http://www.icann.org/en/public-comment/whoisrt-discussion-paper-09jun11-en.htm>
The comment deadline is July 23 -- Saturday. Thanks to Milton, Avri,
Brenden, and Konstantinos for input.

If there is interest in sending these as NCSG, I would be happy to
update the references. I'll submit Friday.

--Wendy

NCUC is pleased to share these comments on the WHOIS Review Team's
discussion paper. The NCUC includes among its constituents many
individual and non-profit domain name registrants and Internet users,
academic researchers, and privacy and consumer advocates who share
concerns about the lack of adequate privacy protections in WHOIS. We
believe ICANN can offer better options for registrants and the
Internet-using public, consistent with its commitments.

> 4. How can ICANN balance the privacy concerns of some registrants
> with its commitment to having accurate and complete WHOIS data
> publicly accessible without restriction?
and
> 10. How can ICANN improve the accuracy of WHOIS data?

Privacy and accuracy go hand-in-hand. Rather than putting sensitive
information into public records, some registrants use "inaccurate" data
as a means of protecting their privacy. If registrants have other
channels to keep this information private, they may be more willing to
share accurate data with their registrar.

The problem for many registrants is indiscriminate public access to the
data. The lack of any restriction means that there is an unlimited
potential for bad actors to access and use the data, as well as
legitimate users and uses of these data.

At the very least, WHOIS access must give natural persons greater
latitude to withhold or restrict access to their data. That position,
which is consistent with European data protection law, has even been
advanced by the U.S. Federal Trade Commission and F.B.I.


ICANN stakeholders devoted a great deal of time and energy to this
question in GNSO Council-chartered WHOIS Task Forces.  At the end of the
Task Force discussion in 2006, the group proposed that WHOIS be modified
to include an Operational Point of Contact (OPOC):
<http://gnso.icann.org/issues/whois-privacy/prelim-tf-rpt-22nov06.htm>

Under the OPOC proposal, "accredited registrars [would] publish three
types of data:
1) Registered Name Holder
2) Country and state/province of the registered nameholder
3) Contact information of the OPoC, including name, address, telephone
number, email."

Registrants with privacy concerns could name agents to serve as
OPoC,thereby keeping their personal address information out of the
public records.

NCUC recommends reviewing the documents the WHOIS Task Force produced
relating to the OPOC proposal, including the final task-force report on
the purpose of WHOIS:
<http://gnso.icann.org/issues/whois-privacy/tf-report-15mar06.htm>, Ross
Rader's slides from a presentation on the subject,
<http://gnso.icann.org/correspondence/rader-gnso-sp-04dec06.pdf> and the
report on OPoC
<http://gnso.icann.org/issues/whois-privacy/prelim-tf-rpt-22nov06.htm>
The GNSO in October 2007 accepted the WHOIS task-force report and
concluded the PDP.
<http://gnso.icann.org/meetings/minutes-gnso-31oct07.html>

>5. How should ICANN address concerns about the use of privacy/proxy
services and their impact on the accuracy and availability of the WHOIS
data?

ICANN should recognize that privacy and proxy services fill a market
need; the use of these services indicates that privacy is a real
interest of many domain registrants.  Concerns about the use of these
services is unwarranted.


>12. Are there barriers, cost or otherwise, to compliance with WHOIS policy?

Even with the provisions for resolving conflicts with national law,
WHOIS poses problems for registrars in countries with differing data
protection regimes. Registrars do not want to wait for an enforcement
action before resolving conflicts, and many data protection authorities
and courts will not give rulings or opinions without a live case or
controversy. ICANN's response, that there's no problem, does not suit a
multi-jurisdictional Internet.

> 14. Are there any other relevant issues that the review team should
> be aware of? Please provide details.

Consider allowing registrants greater choice: a registrant can get a
domain with no WHOIS information at all, at the registrant's peril if
the domain is challenged and he/she is unable to respond. This is
already the de facto circumstance for domains registered with false
information, so why not make it an official option?

Proposals for verification (pre- or post-registration) of name and
address information are completely unworkable for standard gTLDs,
although they might be proposed by registries looking to differentiate.
There is no standard address format, or even any standard of physical
addressing that holds across the wide range of geographies and cultures
ICANN and registrars serve.

Inaccurate WHOIS data should not be used as conclusive evidence of bad
faith, especially in the context of ICANN's policies such as the UDRP.
Although within the UDRP, the need to identify a registrant is vital,
WHOIS details should not be used to make outright determinations
concerning abusive registrations of domain names.



-- 
Wendy Seltzer -- [log in to unmask] +1 914-374-0613
Fellow, Princeton Center for Information Technology Policy
Fellow, Berkman Center for Internet & Society at Harvard University
http://cyber.law.harvard.edu/seltzer.html
https://www.chillingeffects.org/
https://www.torproject.org/
http://www.freedom-to-tinker.com/