The Public Voice
 
NewsEventsTake ActionIssues & ResourcesAbout Us
 
News  

Non-Commercial Users Constituency Statement on WHOIS Task Force 1


Whois Task Force 1 (TF1) deals with the relatively narrow issue of restricting marketing users' access to Whois data through means other than bulk access under license. NCUC notes, however, that the results of Whois TF1 may have implications for the other task forces, and vice versa. Our approach to TF1 takes this into account and will be guided by the following principles:

1. First and foremost, NCUC thinks it imperative that ICANN recognize the well-established data protection principle that the purpose of data and data collection processes must be welldefined before policies regarding its use and access can be established. The purpose of Whois originally was identification of domain owners for purposes of solving technical problems. The purpose was _not_ to provide law enforcement or other self-policing interests with a means of circumventing normal due process requirements for access to contact information. None of the current Whois Task Forces are mandated to revise the purpose of the Whois directory. Therefore, the original, technical purpose must be assumed until and unless ICANN initiates a new policy development process to change it.

2. Second, based on input from the community NCUC does not believe it is possible to develop technical mechanisms that can restrict port 43 or port 80 access only to a specific type of purpose; e.g., "nonmarketing uses." Access restrictions imposed by TF1 will inevitably apply to any Whois userregardless of purpose. Moreover, restricting Port 43 access while leaving Port 80 open will only drive the automated processes to Port 80. Therefore we question whether TF1 can achieve anything of value.

3. Third, given the limited scope of TF1, we think it important for the task force to refrain from making judgments about the legitimacy of, justifications for, or "need" for any non-marketing uses. It is outside the scope of TF1 to make any such determinations. Accordingly, we will oppose any access restriction policy based on classification of users.

4. Fourth, we note that automated scripts or programs using port 43 are effectively a substitute for bulk access. According to George Papapavlou of the European Union, under data protection law bulk access is a "disproportionate, privacy infringing step, unless a very convincing, specific case can be made which has to be followed by due process. This applies not only to marketing but to any purpose." Therefore, a policy determination on port 43 access is best made in conjunction with a determination on bulk access, even though this is ruled out of scope by the task force's description of work.

5. Fifth, the best way to stop abuse of ports 43 or 80 is to get data that is valuable to spammers out of the public Whois database. Data that is in Whois will be accessible to lots of people; therefore, privacy concerns require getting data out of Whois or reducing access to it for all. This is, of course, a matter for Whois Task force 2, dealing with data elements.

6. Our participation in the entire Whois process will try to make sure that minor modifications in port 43 (or 80) access do not become an excuse for doing nothing else to protect Internet users' privacy.



Supplemental Statement submitted on May 9, 2004

NCUC opposes on principle the concept of a "White List" of authorized report of TF1, or that the lack of consensus on this idea be noted. If the latter route is taken, we ask that the following analysis of the reasons against the concept be afforded equal treatment in the report with the description of a White list and any reasons advanced for it.

Analysis
As we understand it, a "White List" is intended to give certain approved users the right to access sensitive data via port 43 (or other means). Organizations would apply for approval and once they were placed on the White list they could search, store and download sensitive Whois data, without any further restriction. This concept is unacceptable to NCUC for the following reasons:

1. The concept is impractical. Creating such a list would add a huge operational burden to ICANN. There are hundreds of millions of Internet users and they come from every geographic region and language group, and involve data use purposes ranging from academic research to IP enforcement. ICANN would in effect be setting up a global certification process that had to be able to respond to all this diversity. If ICANN did this task conscientiously, the administrative burden would be huge. Not only would it have to investigate the legitimacy of each applicant, it should in principle also be able to constantly monitor the behavior of approved entities to make sure that they were not abusing their privileges. It would have to be willing to withdraw the privilege, and handle disputes and appeals relating to that. If ICANN did not do this task conscientiously, if it simply added entities pro forma to the list whenever they applied, then there is no reason to create the list at all. Anyone and everyone could get the status, which is no different than opening up all Whois information to everyone.

2. The concept is discriminatory. The right to access Whois data must be balanced against the privacy rights of the domain name registrants. Once the proper balance is struck, all Internet users should have the same rights to access Whois data under the same terms and conditions. Intellectual property interests have no greater claim on that information than anyone else. The White List, in our opinion, is designed to create a two-class world of the spied-upon users, who have no rights, and privileged, surveillance- authorized users, who are permitted to spy on registrants.

3. The concept violates international privacy norms. A White List would give any approved user the equivalent of bulk access to Whois zone files. According to George Papapavlou of the European Union, under data protection law bulk access is a "disproportionate, privacy infringing step, unless a very convincing, specific case can be made which has to be followed by due process. This applies not only to marketing but to any purpose." In other words, no one has the right to fish through sensitive personal data just to see if they can find anything of interest. But a White List would grant this right.

4. The White List concept is unnecessary. Under the proposals supported by registrars, NCUC, and ALAC, the concept of a known user with a known purpose making a request for each individual domain name she wants to investigate can give legitimate users and purposes access to the information they need without creating a centralized administrative entity and without violating privacy.



Task Force 1 Preliminary Report

 
 
Current News
Archive
The Megaphone
(Newsletter of the Public Voice)

 
 
Top  
Home