No Such Weblog

The WHOIS workshop is beginning now in Montreal. It's being webcast; public comments can be sent to whois-comments@icann.org. Currently, Louis Touton is giving a general introduction.

According to this press release, the WHOIS service for .de is going to be rate-limited from 1 July.

Bruce Beckwith is giving some insight into registrar and registry WHOIS services. Some observations in addition to what he's just saying: The RAA's opt-out clause for bulk whois only concerned marketing uses, and was available only to individual registrants. Thick registry WHOISes actually publish data elements not mandatory for a registrar WHOIS, namely the registrant's phone number, fax number, and e-mail address.

Later on, Beckwith cleans up some misconceptions, e.g., bulk access as an alleged major source for spam. Points out that registry zone files which permit to identify changes to a TLD, together with query-based registrar whois, are making a major contribution to spam.

For further discussion: Restrict zone file access to legitimate uses? Can WHOIS access be limited for legitimate purposes? Many queries can be addressed by "domain available" or "domain not available" responses. Final question: "Should the same WHOIS information that was available 21 years ago be available now?"

Vint asks about zone file requirement. Beckwith: Contract requirement, anti-misuse clause, but can't enforce that. Touton: Requirement applies to all gTLD registries.

Bruce Tonkin about the registrar perspective. Starts with OECD privacy principles and purpose specification in RAA -- timely resolution of problem. Registrars require acccess to contact information in order to authorize transfers. Turning to common abuses. Wide-spread, not isolated incidents. Unsolicited renewal notices to mislead consumer to believing they are dealing with original supplier. Not: "we're cheaper, please change", but "we're your supplier. renew or lose." Consumer confusion. Marketing of related services. Domain appears in zone file -- registrants will need web hosting services. Marketing phone calls shortly after registration. ... Analogy with meeting travel: Choose airline yourself is the traditional thing. Alternative: ICANN collects information, puts it up on the net, 200 airlines call high-value customers. Travel industry uses first model. DNS industry uses second model.

Frauds to collect credit card information. Fake registrar web site. "You need to change your password. Please type in old password and credit card information to authenticate." Common model for scams. Work because customer is contacted with very specific data about their relationship with supplier.

Bulk access. About ten agreements for large registrars. No proof for abuse. Port 43 public WHOIS. 2 million queries, 137,000 locations per day. Regularly observe mass queries, not just occasional use of query-based interface.

Market price for WHOIS data: $30 for 30 million records. There is a problem.

Protection of directive also extends to publicized data. Not everything that might seem useful is legally permissible. Key issue for EU: Purpose of WHOIS. Original purpose (technical contact) is legitimate. Directive only allows use for original purpose or compatible uses -- expectation of user. Artcile 29 working party: Self-policing activities of private parties not compatible. Public sector has legal procedures. Private sector has problem. Want to protect right holders, but need to find a position which can do both things within the legal system and respecting legislation on data protection. Proportionality: Distinguish between data necessary for registration, and data that should be published. Look for less intrusive means to serve purpose. Is there a different possibility of serving purposes without having all information available on web site, to anybody who wants to have it? Two-step approach could be explored. Make data not available to general public, but only to those who really need it. Possible control after the fact. Discussion of uniformity? Collecting same data everywhewre is a problem -- only collect minimum data which are actually necessary. Public directories: General right not to have phone number included in public directory. Unlisted phone numbers in WHOIS?!? Some difficult problems with this; discussions are ongoing. ... Extended searchability: Article 29 WP opinion from 2002 on reverse directories. Not just opposing -- accuracy important issue. Keep in mind why individuals give inaccurate data -- feeling of insufficient protection. Bulk access not acceptable. Marketing uses not acceptable.

Need to respect law. Don't place registrars between rock and hard place. Keep in mind and involve data protection community in these discussions. Article 29 working party has approved opinion in time for this meeting; would be pleased to be involved in discussion.

Vint asks about choice -- nobody forced to register domain name. May incur obligations to rest of community when registering. Alonso-Blas: Having domain name may be important for many people, professional and personal activities. (...) Q. about law enforcement. Legislation in Europe has specific provisions for law enforcement. Exceptions that need to be implemented in natl law. Can consult data protection authorities if in doubt. Limited powers for law enforcement. Availability of information about identification of commercial activities. E-commerce directive; identification of data users. Not opposing to that. What data exactly needs to be collected and published? Different regimes for different cases?

Speaking as one of the victims of European and natl authorities. Consequences of privacy law for .nl registry policy. About SIDN -- statistics. Background: EU privacy directive, implemented in NL by personal data protection act. Legal analysis of other legislations: Telecommunication data directive and implementation in NL not applicable. NL tax legislation not relevant. Criminal act not relevant.

Extensive consultation in 2001. Alternative dispute resolution -- direct effects on use of WHOIS. Open up .nl? Only Dutch companies could register directly under .nl until this year. Opened up as result of consultation. WHOIS -- asked specific questions. What kind of detail needs to be provided? What's proper protection? Rate-limiting? Opt-out?

Two worlds with respect to WHOIS: Function v. protocol. Have to distinguish. Can't implement sophisitcated privacy things in transactionless RFC 954 WHOIS protocol. WHOIS not necessary for running the DNS. There are registries without. Have to specify other purpose or interest. Purpose of WHOIS use? "is" v. "whois" -- see much use of WHOIS to see whether domain name is available for registration.

Back to meaning of data protection act for WHOIS. Definition of "processing" of data is very broad. Includes collection, provisioning, deletion, and more. To implement data protection act, don't just focus on WHOIS, but on whole process. Double necessity criteria for processing of data. 1. Purpose must be legitimate. 2. Data has to be adequate. Data has to be within limits of purpose. ...

Informing registrant about processing. Make sure that security, auditing, tracking is in line with data protection act.

WHOIS not necessary for registry to fulfill functions. If you want to have WHOIS, there need to be other interests for which you provide data. NL: Four specific purposes for providing WHOIS. 1. Solve technical problems. 2. Check registration. 3. IP rights. 4. Combat harmful and illegal content.

Results: Specific clauses in contracts. Specific regulation on .nl regulation. Operational: General limitation on WHOIS queries (15 per IP per day). Exemption for registrars (5,000 per day and IP-range).

Details: Properly inform registrant about collection and publication. Opt-out possibility. Come up with good reason to use opt-out. 900 requests so far, 6 granted.

Regulation on processing: Translate roles in registration into roles in privacy regulations. ... Found a way to implement directive. Balanced with interests of local Internet community. Specific for Dutch circumstances. Others may define other purposes. Assessment of individual opt-out complicated.

Auerbach: Inconsistencies -- purpose vs. "automatic legitimacy"? State purpose? Boswinkel: Limited -- 15 queries per day.

Jane Mutimear (the chair of the IP constituency) just gave a talk on the need for WHOIS. One of her key reasons was asset management -- i.e., registrants using WHOIS in order to obtain information about their own registrations. This is a strawman in the WHOIS context -- the policy questions are not about information registrants want to be published, but about mandatory publication of data regardless of registrants' wishes.

Michael Donnohue of the OECD is talking about consumers using WHOIS searches to identify businesses and find contact points with those businesses. He argues that inaccurate WHOIS data could undermine users' trust in the Internet, and could cause them to turn away from doing business on the Internet. He also points to guidelines that entities doing commerce on the Internet should make contact information readily available.

This is another strawman argument: If consumers have to resort to a database which isn't widely known outside specialized circles in order to obtain contact information about a business, then the contact information is not readily available. I certainly wouldn't do business with a commercial site which has contact information available only in the WHOIS service.

A summary of the talk currently being given by the FTC's Maneesha Mithal is here.

ICANN has posted a draft request for proposals for the establishment of new sTLDs.

The GNSO council has just adopted the deletes task force's results as consensus policy.