Here is a very important statement regarding the purpose of whois. The constituency position must be turned in by July 21. Sorry for the late notice. This version was originally draft by myself and Kathy Kleiman and vetted by other NCUC members at the Luxembourg meeting. Due to travel and catch-up I haven't had time to make the edits and send it to you now. If there are no objections, can I ask Kathy to submit it on July 21, as I will be on vacation and probably without Internt access? ========== Statement of the NCUC on WHOIS Purpose July 21, 2005 Task 1 asks us to "Define the purpose of the WHOIS service in the context of ICANN's mission and relevant core values, international and national laws protecting privacy of natural persons, international and national laws that relate specifically to the WHOIS service, and the changing nature of Registered Name Holders." A. The importance of defining "purpose" Regarding international and national privacy laws, NCUC notes that it is well-established in data protection law that the purpose of data and data collection processes must be well-defined before policies regarding data collection, use and access can be established. The need for an explicit, well-defined purpose is meant to protect data subjects from abuse by either the data collectors or third parties using the data. A definition of purpose is intended to impose strict constraints on the collection and use of contact data. A specified purpose determines what data elements should be collected, and therefore actively prevents collection of any data that is not clearly necessary for that purpose. Furthermore, a defined purpose helps to ensure that data is used only for the specified purposes, preventing uses that are different from or incompatible with the purpose giving rise to their collection. Finally, sound data protection principles hold that data subjects must be informed of the purpose for which the Data is intended and whether and under what conditions the Data is likely to be passed to a third party. B. WHOIS and ICANN's mission and core values Regarding ICANN's mission and relevant core values, we note that ICANN's mission is primarily technical: "to coordinate, at the overall level, the global Internet's systems of unique identifiers, and in particular to ensure the stable and secure operation of the Internet's unique identifier systems." In enumerating ICANN's core values, we find that the first three are most relevant to a discussion of WHOIS and its purpose: 1. Preserving and enhancing the operational stability, reliability, security, and global interoperability of the Internet. 2. Respecting the creativity, innovation, and flow of information made possible by the Internet by limiting ICANN's activities to those matters within ICANN's mission requiring or significantly benefiting from global coordination. 3. To the extent feasible and appropriate, delegating coordination functions to or recognizing the policy role of other responsible entities that reflect the interests of affected parties The original purpose of the WHOIS protocol, when the Internet was an experimental network, was the identification of and provision of contact information for domain administrators for purposes of solving technical problems. Speaking at the "Freedom 2.0" conference held by the Electronic Privacy Information Center in May 2004, Vinton G. Cerf, the Chairman of ICANN's Board, confirmed directly that the original purpose of WHOIS was indeed purely technical. This original purpose is consistent with the plain language of ICANN's current mission and is further supported by core value #1, which addresses exclusively technical values such as stability, reliability, security and interoperability. We note also that Core Values #2 and #3 mandate that ICANN limit its activities to a minimal set of areas requiring global technical coordination. Thus, even though WHOIS data may be useful for a broad variety of purposes, uses and users, ICANN's core values require that it not embrace those purposes and activities just because it can, or because interested parties find it convenient. ICANN must limit its activities to matters within its mission and recognize and defer to the policy role of other responsible entities. C. Proposed definition of purpose NCUC proposes the following definition of purpose for the WHOIS service: The purpose of the WHOIS is to provide to third parties an accurate and authoritative link between a domain name and a responsive party who can either act to resolve, or reliably pass information to those who can resolve technical and administrative problems associated with or caused by the domain. By "technical problems" we mean problems affecting the operational stability, reliability, security, and global interoperability of the Internet. By "administrative problems" we mean issues regarding domain transfers and problems regarding who is responsible for a domain. D. Excluded or invalid purposes It is important to also identify purposes that are inconsistent with ICANN's stated mission and core values. First, WHOIS is not designed to be a global data mining operation with completely unlimited access to all registrant data by any Internet user for any purpose, including marketing. Second, the purpose of WHOIS is not to support law enforcement or other self-policing interests. National law enforcement is unrelated to the basic goals of the WHOIS service and of ICANN's global coordinating mission. We have no objection to the use of WHOIS by law enforcement but a WHOIS service is one of many tools law enforcement may use to gain access to more detailed personal data consistent with existing due process mechanisms. Such an ancillary use should not expose the data to uses and abuses incompatible with the primary purpose of WHOIS as stated above. Third, the purpose of WHOIS is not to expand the surveillance powers given to law enforcement under law, or to bypass the protections and limitations imposed by sovereign governments to prevent the abuse and misuse of personal data, even by law enforcement. Law enforcement agencies can obtain wiretap authorizations, subpoena specific subscriber records through Internet service providers, or learn about a domain name registrant's identity information through subpoenas of registrar records. Finally, the purpose of WHOIS data is not to facilitate legal or other kinds of retribution by those interested in pursuing companies and individuals who criticize and compete against them.