[ga] my comments to the WHOIS Task Force report

• To: ga@dnso.org
• Subject: [ga] my comments to the WHOIS Task Force report
• From: Vittorio Bertola <vb@vitaminic.net>
• Date: Wed, 28 Aug 2002 14:18:43 +0200
• Sender: owner-ga@dnso.org

Comments on the "Possible Recommendations" of the DNSO WHOIS Task
Force Report


Vittorio Bertola
August 28, 2002


This document exposes my comments to the "Possible Recommendations"
section of the Report of the WHOIS Task Force of DNSO's Names Council.
These comments are personal and do not reflect the view of any of the
entities I am involved with (i.e. ISOC Italy, icannatlarge.com, or the
At Large Organizing Committee). However, they have matured after
careful reading of the discussions on the DNSO GA list and on other
ICANN-related lists, mainly populated by users and individual domain
name owners. So, while I do not claim that the following statements
represent the opinions of these constituencies, I know that they are
shared by a number of their members.


A.	Accuracy of data contained in the WHOIS database

The need of having accurate data listed in the WHOIS service is
agreeable. 

First of all, I note that the only entity able to guarantee the
freshness of the data is the registrant - so if accuracy has to be
granted, the registrant must be deeply involved in the process.
However, if the registrant is to be required to keep its contact data
updated - especially if failure to do so might mean getting penalties
of any kind - then the registrar is to be clearly required to offer
registrants a simple mechanism (ie Web and/or e-mail based) to check
and update his contact data, as a provision in the RAA. Especially in
ccTLDs, there are cases where, as a result of privacy protection
measures, the registrant himself is unable even just to check the
information currently listed for his domain.  However, to protect the
registrant's privacy, such mechanism should be made available to the
registrant only, via an authentication scheme established at the time
of the domain registration.

Also, I suggest that it is more likely that registrants keep their
data updated if they are asked to give them in one and only one place.
So, at least in the mid term, it should be established a system not to
duplicate contact data across the various TLDs, for example in one of
the following ways:
·	Creation of a centralized "Identity Registry" (for individuals
and organizations) to which all WHOIS databases point with a standard
identity handle, and which all registries use to store and retrieve
the contact data;
·	Introduction of standard cross-TLD identity handles in all
WHOIS databases, so that, when registering a domain, the registrant
can point to his contact data as already provided to the
registrar/registry of another TLD.
This of course requires complete standardization of the data set
required to identify individuals and organizations in the DNS system.

Finally, I note that having an accurate WHOIS database under the
registry's control does not imply that such database has to be made
fully and easily available to whoever desires to read it. The Task
Force Report should stress that this point deserves better
consideration in all future agreements and policy-making processes. I
will deal with more detail with privacy issues when commenting section
C - but I have to note that the current, total lack of privacy about
the registrants' personal information is a strong incentive for people
and companies to purposedly provide invalid or incorrect contact data.
Given the scale of the DNS and the difficulty in checking the
veridicity of personal information for entities scattered around the
whole world, I think that even the introduction of penalties of any
kind will not particularly help to get better accuracy in WHOIS
information if a certain degree of guaranteed privacy is not
introduced. (And by the way, in many countries it is extremely dubious
that a WHOIS system that does not offer such privacy guarantees abides
by the privacy protection laws.)


B.	Uniformity of data formats

As already stated, I think that uniformity of data formats is a
necessary precondition to get better accuracy in WHOIS data.

Especially for individuals and companies that own domains across a
number of different TLDs, it is practically impossible to cope with
the huge number of different data sets, input systems and local
conventions that are currently used. So the agreement by all gTLD and
ccTLD registries upon an uniform set of data to identify DNS entities
is absolutely necessary. ICANN should try to foster such agreement,
work with all gTLD and ccTLDs to reach it, and later force its
adoption (with reasonable phase-in times) in its contracts with gTLD
and ccTLD registries.


C.	Better searchability of WHOIS databases

Personally, I absolutely cannot see any need for better searchability
of WHOIS databases, and especially for queries that might return more
than one domain name at a time. In fact, I only see the need for
reducing the access to WHOIS databases, to enforce a higher degree of
privacy protection, and to avoid the current widespread use of WHOIS
information for unsolicited e-mail and other unwanted marketing uses.
Such higher degree of protection is clearly requested by the Internet
community, as shown by the responses to the Task Force survey.

Registrants should be able to choose whether their personal data are
to be publicly accessed through WHOIS queries, or not; they should
have the option of accepting public distribution of their data, within
a separate opt-in part of the registration agreement, when registering
the domain. The implementation of this option should be required to
registrars and registries; in fact, the absence of this option is very
likely to make the whole WHOIS system illegal, at least under the laws
of the European Union. The only exception to this should be the
availability of a technical contact point e-mail (and, optionally,
telephone and fax numbers), which should be made available via WHOIS
queries on a per-domain basis; this can be justified (also in front of
the law) as a necessary instrument for providing the DNS service.
Also, the availability and functionality of the postmaster@domain
e-mail address should be required in all domain registration
agreements.

In any case where access to other WHOIS data (for example, the
identity of the registrant) is necessary for law enforcement purposes,
there already are laws that give law enforcement agencies the
necessary instruments to access such information even if it is not
accessible via WHOIS queries. In fact, to speed this up, registries
could be required to establish separate, private accesses, to be
reserved to officers of the appropriate law enforcement bodies, that
can offer full access and searchability to their databases. 



D.	Marketing use of WHOIS data

Generally speaking (and as required by many national privacy laws),
registrants have to be provided with options to opt in or out from any
kind of usage, distribution and processing of their data that is not
strictly necessary to supply the DNS service; these options must be
clearly stated, separated from the core of the domain registration
agreement, and it must be absolutely clear to customers that they can
register the domain name even if they do not accept to provide their
personal information for these additional uses.

This means that, for example, all registrars should be required to
structure their registration forms, either Web- or paper-based, with
separate options for opting in to any kind of bulk access - even if
not aimed at marketing purposes - or marketing usage of their data.
Registrars and registries must not be able to refuse registrations due
to the user's wish not to opt in to these additional uses.
-- 
vb.               [Vittorio Bertola - v.bertola [a] bertola.eu.org]<------
----------------------> http://bertola.eu.org/ <--------------------------