Non-Commercial Users Constituency Statement on WHOIS Task Force 3
WHOIS Task Force 3 (TF3) deals with the accuracy of WHOIS data, established to
determine the best mechanisms to improve the quality of the data. The Non-Commercial
Users Constituency (NCUC) approach to Task Force 3 is guided by the following principles:
- First, the NCUC does not believe that accuracy of WHOIS data is unconditionally
desirable. These task forces were established with the assumption for task force 3
that accuracy is desirable in all cases and regardless of the extent of the WHOIS data
elements. The NCUC recognizes the need to protect such extensive and public data
from identity theft and spam and to protect freedom of speech. Submission of
personally identifiable contact data should be a choice, not a requirement. Many
people are indeed forced to enter incorrect data in order to protect themselves.
- Second, the NCUC thinks it imperative that ICANN recognize the well-established
data protection principle that the purpose of data and data collection processes must
be well-defined before policies regarding its use and access can be established. The
purpose of WHOIS originally was identification of domain owners for purposes of
solving technical problems. The purpose was _not_ to provide law enforcement or
other self-policing interests with a means of circumventing normal due process
requirements for access to contact information. None of the current WHOIS Task
Forces are mandated to revise the purpose. Therefore, the original purpose must be
assumed until and unless ICANN initiates a new policy development process to
change it.
- Third, registrants should be allowed to protect their personally identifiable
information, a protection recognized by the European Data Protection Directive,
Article 29 Working Party, by the OECD Privacy Guidelines and by data protection
legislation across the world. As George Papapavlou and Giovanni Buttarrelli pointed
out, it is possible that WHOIS data accuracy requirements may indeed be breaking
many of these laws. The NCUC submits that accuracy is desirable solely to the
extent necessary to serve the purpose of the data collection and the interest of the
data subject; accordingly, technical information should be accurate. However, there
should be no penalization for inaccurate data entry given that the extent and the
accessibility of the data currently required goes well beyond the purpose of data
collection. As Papapavlou discussed, when there are various options to achieve a
purpose, priority must be given to the least privacy-intrusive option.
- Fourth, while this task force was established with privacy defined as out of scope,
privacy is key to accuracy of data entry. Data protection principles have to be
implemented and enforced as a whole. The best way to improve the accuracy is to
provide privacy and security. Show registrants that their data will be safeguarded,
that their e-mail accounts will be protected from spam and that they themselves will
be protected from stalkers and other criminals, and they will be more likely to enter
accurate data. Users will continue to feel the need to protect their privacy by their
own means, to defend themselves, if the policies of WHOIS data do not.
- Finally, if there is a way to facilitate accuracy of data for those who wish to submit
accurate data, in other words opt-in, the NCUC would be supportive. We are
against, however, calls to require accurate data entry and penalize or even criminalize
those who choose not to. This task force has reached out to various companies in
order to collect data on verification procedures, but has found this process difficult
(ironically, because companies are concerned with the privacy of their policies and
procedures). The responses submitted to the TF3 questionnaire are sparse. We do
not have enough data to allow Task Force 3 to reach any conclusion of best practices
for verifying accuracy. However, this Task Force has received testimony that
domain name holders in numerous cases are having a very difficult time updating,
revising and changing their own data. This is currently the most important issue
facing the task force: that the data subjects themselves cannot update their domain
name information. Further, it is a violation of the EU Privacy Directive.
Accordingly, this TF must first take on clear proposals for revisions of the
procedures by which registrars, thick registries, and resellers handle instructions from
domain name holders to update and/or correct domain name data. These
procedures must include: clear instructions to domain name holders on how to
update their information; special email addresses for expedited and priority handling
of such updates; and TF3-proposed revisions to the Registrars Accreditation
Agreement to insure that the EU Privacy Directive rules on the ability of domain
name holders to update and policy the accuracy of their own data is ensured and
followed.
Task Force 3 Preliminary Report