Important work on Whois is going on in the Task Force. The TF asks us to "Define the purpose of" specific elements on the whois database, namely the "Registered Name Holder, technical, and administrative contacts." Kathy Kleiman prepared these comments. The basic point here is that we should not collect and display personal data about the name holder and administrative contacts because it is not needed for resolving technical problems. I've reviewed and edited the statement and approve of it as it stands. Hope you have time to weigh in.

==================================

(Draft) Statement of the NCUC on WHOIS Contacts

Task 2 asks us to "(2) Define the purpose of the Registered Name Holder, technical, and administrative contacts, in the context of the purpose of WHOIS, and the purpose for which the data was collected. Use the relevant definitions from Exhibit C of the Transfers Task force report as a starting point (from http://www.icann.org/gnso/transfers-tf/report-exhc-12feb03.htm).

The NCUC believes that once we have selected a purpose for our database, data protection laws require us to closely examine whether the information we collect meets the goals we have set out - and make adjustments accordingly. These comments discuss the Contact data currently collected for WHOIS, the personal nature of much of it, and raise the question whether this data should be collected at all for WHOIS purposes.

I. Data Protection Laws Require Limited Collection of Personal Data

In its 2003 Opinion, the Article 29 Data Protection Working Party of European Union Data Protection Commissions urged ICANN to closely examine the personal data it collects for WHOIS. The Commissioners warned:

"Article 6c of the Directive imposes clear limitations concerning the collection and processing of personal data meaning that data should be relevant and not excessive for the specific purpose. In that light it is essential to limit the amount of personal data to be collected and processed."
See Opinion 2/2003 on the application of the data protection principles to the Whois directories http://europa.eu.int/comm/justice_home/fsj/privacy/workinggroup/wpdocs/2003_en.htm (emphasis added).

The Data Protection Commissioners' concern over collection of WHOIS data is grounded in the clear language of the EU Data Protection Directive and its Article 6 ("Principles Relating to Data Quality") which clearly requires limits to the collection of personal data:

"Member States shall provide that personal data must be: (a) processed fairly and lawfully; (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. *** (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;"

http://europa.eu.int/eur lex/lex/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML

Similarly, the Canadian Personal Information Protection and Electronic Documents Act requires limits to the collection of personal data:

"The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances."

http://laws.justice.gc.ca/en/P-8.6/93196.html#rid-93228

Based on these legal requirements, the NCUC submits that the WHOIS Task Force must review the contact data currently collected, evaluate whether it is personal and determine whether it should continue to be collected in keeping with the purpose of WHOIS database.
Over-collection of personal data does not serve ICANN's mission nor does it help registrars comply with the many existing laws that protect registrant privacy worldwide.

II. The Purpose of the WHOIS Database

In our Task 1 comments, NCUC submitted a clear definition of the purpose of the WHOIS database:

"The purpose of the WHOIS is to provide to third parties an accurate and authoritative link between a domain name and a responsible party who can either act to resolve, or reliably pass information to those who can resolve, technical problems associated with or caused by the domain." NCUC Comments to Task 1.

As discussed in our comments, this technical purpose is consistent with the original purpose of the WHOIS, as set out by Vint Cerf and others, and within the limited scope of ICANN's mission.

III. Contact Data: Definition? Personal? Fits Purpose of WHOIS?

The GNSO Council asked us to examine the definitions and purpose of the Technical Contact, Administrative Contact and Registered Name Holder. We do so in light of the legal considerations set out above.

A. Technical Contact

The Transfer Task Force defined technical contact as:

"the individual, role or organization that is responsible for the technical operations of the delegated zone. This contact likely maintains the domain name server(s) for the domain. The technical contact should be able to answer technical questions about the domain name, the delegated zone and work with technically oriented people in other zones to solve technical problems that affect the domain name and/or zone."

The next step requires us to assess whether Technical Contact data is personal and needs to be treated with special care. In our review with our Constituency, we found that occasionally Technical Contact Data is the personal data of an individual. Increasingly, however, registrants entrust a technical party to manage their domain name and expertly handle any technical problems that arise.
Often it is an ISP, online service provider, Registrar or web host provider. Thus, for individuals and small organizations, we found that the technical contact field does not raise strong concerns regarding personal data.

Further, in assessing whether collection of Technical Contact data fits within the purpose of ICANN and the WHOIS database, we found that it does. The Technical Contact is the person designated to respond to exactly the set of technical problems and issues at the heart of the WHOIS purpose. Accordingly, NCUC submits that Technical Contact data should be collected and maintained for the WHOIS database.

B. Administrative Contact

The Transfer Task Force defined administrative contact as:

"an individual, role or organization authorized to interact with the Registry or Registrar on behalf of the Domain Holder. The administrative contact should be able to answer non-technical questions about the domain name's registration and the Domain Holder."

The next step requires us to assess whether Administrative Contact data is personal and needs to be treated with special care. In our review, we found that the Administrative Contact data OFTEN includes personal data, especially for individuals and small organization leaders who must list their own names, home addresses, personal (and often unlisted) phone numbers and private email addresses for the Administrative Contact field. This type of personal data is exactly what the privacy laws of many regions and countries set out to protect. Its collection invokes major privacy concerns for individuals and small organizations -- and the formal protection of data protection laws in many countries in which registrants live and registrars operate.

Further, in assessing whether collection of Administrative Contact data fits within the purpose of ICANN and the WHOIS database, we found that it does not.
By the Transfer TF definition, the Admin is responsible for "non-technical questions" which range as far as the imagination and generally are completely outside the scope of ICANN: Is the domain name for sale? Is the woman described on a website available for a date? Can a stranger meet the child shown in a family picture? There are very good reasons for the privacy protections and other national and local protections to operate for the Administrative Contact. Further, since the purpose of the WHOIS database is technical and the Administrative Contact is expressly non-technical, NCUC submits that this contact data should no longer be collected for the WHOIS database.

C. Registered Name Holder or "Domain Holder"

The Transfer Task Force defined domain holder as:

"The individual or organization that registers a specific domain name. This individual or organization holds the right to use that specific domain name for a specified period of time, provided certain conditions are met and the registration fees are paid. This person or organization is the "legal entity" bound by the terms of the relevant service agreement with the Registry operator for the TLD in question."

Following this definition, we must evaluate whether the registrant data is personal and should be treated with special care. Of all the contact data, we find the Domain Holder to be the most personal. This is the woman, the family head, the Cub Scout leader, and other individuals and leaders of small organizations who must list their personal names, home addresses, private phone numbers and personal email addresses. Once published, this personal data is used for all the abuse and misuse documented in the Task Force Uses report - from spamming to stalking and harassment.

This personal data is exactly the type of data that data protection laws seek to protect.
Article 29 Data Protection Commissioners now urge ICANN and our TF that: "The registration of domain names by individuals raises different legal considerations than that of companies and other legal persons registering domain names" and "it is essential to limit the amount of personal data to be collected and processed." See Article 29 WG citation above.

The collection of such personal data as a global ICANN WHOIS policy serves no technical purpose. Individual registrants rarely answer technical questions about their domains or their abuse - and would almost always refer such a question (such as the hijacking of their domain name by a spammer) to their technical contact instead. Accordingly, the collection of Domain Holder data serves little purpose for the WHOIS database and should not be continued as a global ICANN policy.

Conclusion:

The best way to protect millions of individual and small organizational domain name registrants, and to comply with data protection laws worldwide, is for ICANN to carefully review the contact data collected for the WHOIS database and limit the data to that necessary for its technical purposes and mission.