ICANNWatch
 
  Inside ICANNWatch  
Submit Story
Home
Lost Password
Preferences
Site Messages
Top 10 Lists
Latest Comments
Search by topic

Our Mission
ICANN for Beginners
About Us
How To Use This Site
ICANNWatch FAQ
Slash Tech Info
Link to Us
Write to Us

  Useful ICANN sites  
  • ICANN itself
  • Bret Fausett's ICANN Blog
  • Internet Governance Project
  • UN Working Group on Internet Governance
  • Karl Auerbach web site
  • Müller-Maguhn home
  • UDRPinfo.com;
  • UDRPlaw.net;
  • CircleID;
  • LatinoamerICANN Project
  • ICB Tollfree News

  •   At Large Membership and Civil Society Participation in ICANN  
  • icannatlarge.com;
  • Noncommercial Users Constituency of ICANN
  • NAIS Project
  • ICANN At Large Study Committee Final Report
  • ICANN (non)Members page
  • ICANN Membership Election site

  • ICANN-Related Reading
    Browse ICANNWatch by Subject

    Ted Byfied
    - ICANN: Defending Our Precious Bodily Fluids
    - Ushering in Banality
    - ICANN! No U CANN't!
    - roving_reporter
    - DNS: A Short History and a Short Future

    David Farber
    - Overcoming ICANN (PFIR statement)

    A. Michael Froomkin
    - When We Say US™, We Mean It!
    - ICANN 2.0: Meet The New Boss
    - Habermas@ discourse.net: Toward a Critical Theory of Cyberspace
    - ICANN and Anti-Trust (with Mark Lemley)
    - Wrong Turn in Cyberspace: Using ICANN to Route Around the APA & the Constitution (html)
    - Form and Substance in Cyberspace
    - ICANN's "Uniform Dispute Resolution Policy"-- Causes and (Partial) Cures

    Milton Mueller
    - Ruling the Root
    - Success by Default: A New Profile of Domain Name Trademark Disputes under ICANN's UDRP
    - Dancing the Quango: ICANN as International Regulatory Regime
    - Goverments and Country Names: ICANN's Transformation into an Intergovernmental Regime
    - Competing DNS Roots: Creative Destruction or Just Plain Destruction?
    - Rough Justice: A Statistical Assessment of the UDRP
    - ICANN and Internet Governance

    David Post
    - Governing Cyberspace, or Where is James Madison When We Need Him?
    - The 'Unsettled Paradox': The Internet, the State, and the Consent of the Governed

    Jonathan Weinberg
    - Sitefinder and Internet Governance
    - ICANN, Internet Stability, and New Top Level Domains
    - Geeks and Greeks
    - ICANN and the Problem of Legitimacy

    Highlights of the ICANNWatch Archive
    (June 1999 - March 2001)


     
    Privacy WHOIS TF3 Report One-Sided and Off-base
    posted by jon on Monday July 05 2004, @12:40PM

    KathyK writes "I submitted the following comments to WHOIS Task Force 3. My deep concerns with TF3's report inspired me to work on these thoughts during the holiday weekend. Feel free to post your own thoughts to Task Force 3 by the close of business today, at whois-tf3-report-comments@gnso.icann.org.

    Kathryn Kleiman
    -------------------------------------------------
    Comments to WHOIS Task Force 3
    From Kathryn Kleiman

    I submit these comments to Task Force 3 as an individual. In writing them,
    I bring my experience as a co-founder of the Noncommercial Users
    Constituency and as a member of the WHOIS Task Force 2.

    1. I am saddened and surprised by the TF3 report online. It is not a
    product that in any way resembles the reports produced by WHOIS TF1
    or TF2.



    TF1 and TF2 recognized that there are three major communities
    involves in the WHOIS debate:

              - Data Subjects (domain name holders)
              - Data Users
              - Registration Industry (data collectors and processors).

    For six months all of these communities in TF1 and TF2 have debated,
    wrestled and worked together to arrive at Interim Reports that reflect a
    mid-point, a compromise and a way forward. Why didn't TF3 do the
    same? How can TF3 produce a report in which each and every
    recommendation is opposed by all of its data subject members and
    half of the registration industry?

    Please move forward only when you have agreement from all three
    communities above. This is the type of issue that can split ICANN,
    governments and the Internet community. We worked hard in the other
    Task Forces to find common ground on complex and controversial issues.
    You must the same. TF3 is not the exclusive province of the data users,
    such as the intellectual property and commercial interests. We have to
    work through all these issues together, and you have not done your job.

    2. The TF3 report lacks context and does not clearly acknowledge the
    role of the other task forces and its place in the three task force process.
    As you read TF3's work, it seems to stand alone, and that is not the case.
    As you know, privacy and accuracy are issues of deep concern in the
    WHOIS debate. ICANN has been warned not just by data subjects, but
    also by government representatives and leaders, that the WHOIS practice
    of publishing personal and "sensitive data" is a violation of national laws,
    including national data protection laws. Accuracy and privacy must move
    forward together.

    Because privacy is not considered in your scope, TF3 must discuss its
    out-of-scope limitations in its reports. It is widely speculated that
    adding privacy to the database will greatly further accuracy (and based on
    unlisted telephone number models, there is a good basis for making this
    speculation). Readers must know that there are options for accuracy other
    than "sticks" and penalties, and that such options could help accuracy
    advance in a positive manner. Even if you don't explore the issue, you must
    present its possibility and submit that you felt it was beyond your scope.
    Not everything has to be based on excessive penalties.

    3. TF3 must discuss its context. Right now, your report seems to exist in
    its own right. But that is not the way it was envisioned or presented to the
    Constituencies by Council. TF3 is one of three task forces, all looking at
    complicated parts of the privacy/accuracy/availability debate in the WHOIS
    area. TF3 must acknowledge the other two task forces, and that only after
    the findings and work of TF1 and TF2 is it appropriate to proceed with
    increased levels of accuracy in the WHOIS. Solve the personal
    data/sensitive data problem, and accuracy becomes far less controversial to
    the ICANN community, government leaders and data protection
    commissioners. Don't solve the privacy problem, and demands for
    increased accuracy will deeply divide ICANN's communities and
    governments. TF3 must discuss the larger process in which its
    recommendations will play out.

    4) TF3 must adopt much more neutral terminology throughout its report.
    Using the phrase "false WHOIS data" conveys a sense of negative intent,
    such as when a person adopts a "false persona." But inaccurate WHOIS
    data, on its face and without additional information, has no negative, false or
    intentional overtones. Inaccurate data can appear in the WHOIS database,
    as in any database, for an number of reasons including typos, later changes,
    software error, unintentional swaps (domain name A, but data from domain
    name B), inaccurate updates, hacking, etc. (I used to be a data security
    auditor, and saw many ways for inaccurate data to enter systems.) Neither
    TF3 nor ICANN has the right to presume the intent of the data subject until
    that intent is proven. Accordingly, it is incumbent on TF3 and ICANN to
    use neutral, not negative, language and change all references from "false
    WHOIS data" to "inaccurate WHOIS data."

    5) If TF3 recommendations go forward (see concerns below), then it
    should bound each recommendation to "technical and operational data"
    [TF2 terminology] or "non-sensitive data" [TF1 terminology]. If TF3 is
    going to proceed without data gathering and only on the basis of selected
    constituency statements, then it is incumbent that TF3 carefully stay within
    the bounds of ICANN's mandate and limit its recommendation to the
    technical and operational data of the domain name system.
    6) In response to the specific Recommendations of TF3, I respond below:

    Overall: To all recommendations, I have the same question: what is the
    basis for these recommendations? Where is the independent data you have
    gathered in your data gathering phase regarding problems in the ICANN
    data correction process, as recently revised? Where is the discussion, in
    each recommendation, of the downsides that it might offer? Where are the
    limits that stop unreasonable parties from making the WHOIS database a
    witch-hunt for the individual, organizations and even companies who are
    exercising their human rights to share controversial political, cultural and
    personal ideas and have created no technical or operational problem with
    their domain name use online?

    I object to each recommendation based on the above questions, and
    discuss a few below.

    #1 TF3's recommendation includes: "ICANN should devote additional
    resources to such a compliance program in order to provide adequate
    support."

    In a tight budget, why should ICANN devote further and additional
    resources to a process in which it seems to be heavily involved already?

    #3 TF3's recommendation includes: "Any Best Practices that are viewed as
    being mechanisms for improving data verification on a global basis should
    be developed by or under the direction of ICANN, soliciting the
    cooperation of responsible registrars, and disseminated to accredited
    registrars and other relevant parties as part of ICANN's ongoing
    educational and compliance initiatives."

    Best Practices must be developed with the solicitation and cooperation of
    all three communities -- data users, data subjects and the registration
    industry -- not just registrars. The deep concern this issue has raised in the
    last several ICANN meetings is proof enough that the issues are far
    reaching and the implications of deep concern for all.

    #4 TF3's recommendation includes: "Specific examination of registrar data
    collection and protection practices should be undertaken, including
    investigating all options for the identification and viability of possible: A)
    automated and manual verification processes that can be employed for
    identifying suspect domain name registrations containing plainly false or
    inaccurate data and for communicating such information to the domain
    name registrant; and b) readily available databases that could be used for or
    to assist in data verification, taking into account the wide variety of
    situations that exist from region to region."

    Why? Where is the data collected in the TF3 data gathering process that
    leads to this conclusion?
    This is one of the areas where stretching slightly outside your scope is a
    good idea. If providing basic privacy protections for domain name owners
    can dramatically increase accuracy, then the registration industry and
    ICANN can dramatically decrease costs. Why go the expensive way first?

    #5 TF3 recommends: ICANN should also consider including the ""last
    verified date" and "method of verification" as WHOIS data elements, as
    recommended by the Security and Stability Advisory Committee.

    This recommendation is clearly out of scope for TF3 and must be deleted
    or referred to TF2. As you know, your out-of-scope section specifically
    states: "The task force should not consider issues associated with changing
    the data elements that are collected. This is the subject of a separate task
    force."

    #6 This recommendation includes many new steps for Registrar to
    undertake for accuracy. Where is the data collected by TF3 that shows
    that current procedures are not working? Where is the warning that
    adopting these additional procedures, without finding protections against
    bulk access and to protect privacy (TF1 and 2) could cause even greater
    conflict with national law and national law enforcement (see concerns
    expressed to the ICANN community by George Papapavlou, EU, and
    Giovanni Buttarelli, Italy, at the Rome ICANN Meeting, among others).

    If TF3 chooses to go forward with this recommendation, it should expressly
    apply only to technical and operational WHOIS data labeled "non-
    sensitive" by TF1.

    #7 Where does recommendation #7 differ from existing practices?

    #8 TF3 recommends: "ICANN should consider requiring Registrars to
    verify at least two of the following three data elements provided by domain
    name registrants - phone, facsimile and email - and ensure that these
    elements function and that the Registrar receives a reply from these means
    of communication. Where none of the three data elements works, then the
    domain name should immediately be placed on hold. If only one of the
    means of communication works, then the domain name shall be placed on
    hold for a period of 15 days in which the domain name registrant shall
    correct all of the WHOIS data elements. If the domain name registrant fails
    to correct all of the WHOIS "

    Here, as in #6 above, TF3 must discuss the tension between privacy and
    accuracy, or it presents a distorted picture. Requiring this type of check,
    on people's home address and unlisted phone numbers, will greatly a
    greatly increased level of concern for domain name holders (data subjects)
    and their governments and data protection commissioners worldwide. TF3
    should expressly suggest that this recommendation be held until resolution
    of TF1 and TF2's issues, or expressly bound to technical contact data only.

    #9 TF3 recommends: "Where a domain name registration is canceled due
    to the non-functionality of WHOIS data elements - phone, facsimile, and
    email - the domain name can be reconnected for a fee to be set by the
    registrar. Upon reconnection of any domain name in circumstances where
    the domain name had been placed on hold or was immediately canceled,
    the Registrar shall verify all data elements before reconnecting the domain
    name. The Registrar should ensure that the reconnection charge it imposes
    is sufficient to cover the costs of the heightened verification it must perform
    in reconnecting a previously canceled domain."

    Until the privacy issues are resolved, this cancellation may be viewed as an
    additional cost for protecting the privacy guaranteed by national law. This
    raises problems, I am told, under national law. TF3 should be careful to
    include in its recommendations that the only costs associated with the
    reconnection of a domain name be fair, reasonable, not excessive, and
    waived should the registrant prove he/she was protecting right guaranteed
    by his/her national law or where the fault is that of the registrar (e.g, did not
    promptly update data).

    #10 Recommendation: "When a domain name registration is canceled (or
    suspended, etc.) for false contact data, all other registrations with identical
    contact data should be canceled (or suspended, etc.) in like fashion."

    Absolutely not. TF3 has not thought through the disastrous implications of
    this policy for domain name holders operating under proxies. There are
    now cases of proxy services which register thousands of domain names for
    honest individuals and small businesses, and then the proxy acts in a manner
    which is improper. Rather than solving the problem in a business-like and
    professional manner, TF3 recommends the willy-nilly cancellation of
    thousands of domain names. This is clearly not a well-thought out,
    well-researched or well-evaluated position. This resolution must
    deleted absent further, and comprehensive danger, of the full range
    of its implications. I also think such a recommendation, if followed, must
    be tied to some proof of technical or operational problem that the set of
    domain names has caused online.

    #11 Recommendation: "ICANN staff should undertake a review of the
    current registrar contractual terms and determine whether they are adequate
    or need to be changed in order to encompass improved data accuracy
    standards and verification practices as a result of the current PDP."

    No, ICANN staff should be asked by TF3 to evaluate current registrar
    contractual terms only after it receives the Council recommendations
    regarding all three WHOIS task forces and has a basis for determining
    the Council's recommendation for both accuracy and privacy standards.

    #12 Recommendation: "ICANN should develop and implement a
    graduated scale of sanctions that can be applied against those who are not
    in compliance with their contractual obligations or otherwise violating the
    contractual rights under these agreements."

    Only after ICANN has resolved the Catch-22 of national privacy laws and
    WHOIS collection and disclosure requirements should ICANN move
    forward with any revised type of sanctions. TF3 should say so."

     
      ICANNWatch Login  
    Nickname:

    Password:

    [ Don't have an account yet? Please create one. It's not required, but as a registered user you can customize the site, post comments with your name, and accumulate reputation points ("karma") that will make your comments more visible. ]

     
      Related Links  
    · European Union
    · ICANN
    · KathyK
    · whois-tf3-report-comments@gnso .icann.org
    · More Privacy stories
    · Also by jon
     
    This discussion has been archived. No new comments can be posted.
    WHOIS TF3 Report One-Sided and Off-base | Log in/Create an Account | Top | 14 comments | Search Discussion
    Click this button to post a comment to this story
    The options below will change how the comments display
    Threshold:
    Check box to change your default comment view
    The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • 5 replies beneath your current threshold.

  • Search ICANNWatch.org:


    Privacy Policy: We will not knowingly give out your personal data -- other than identifying your postings in the way you direct by setting your configuration options -- without a court order. All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 by ICANNWatch.Org. This web site was made with Slashcode, a web portal system written in perl. Slashcode is Free Software released under the GNU/GPL license.
    You can syndicate our headlines in .rdf, .rss, or .xml. Domain registration services donated by DomainRegistry.com