At-Large Advisory Committee Request for Comments on the WHOIS Database
The ALAC is recommending changes to improve notification and consent for the use of individuals’ contact data in the WHOIS system. Responding to a report issued by the Generic Names Supporting Organization’s (GNSO’s) “WHOIS task forces,” the ALAC is suggesting ways of making the proposed WHOIS policy more clear, enhancing registrants’ experience, and strengthening mandatory disclosure on how individuals’ information will be used. Send your comments for public posting to the GNSO and At-Large forum.
The GNSO initiated a process to develop new policy on use of contact data in the WHOIS system in October 2003. Three separate task forces – each with an At-Large liaison – were addressing these issues, and the ALAC has provided advice on: restricting access to WHOIS data for marketing purposes; review of data collected and displayed; and improving accuracy of collected data.
The three task forces issued a “Combined Whois Task Force Preliminary Report” for public comment on 23 April 2005. The report includes recommendations on improving notification and consent for the use of contact data in the WHOIS system, including disclosures to registrants regarding availability and third-party access to personal data associated with domain names. Specifically, the report recommends:
- Registrars must ensure that disclosures regarding availability and third-party access to personal data associated with domain names actually be presented to registrants during the registration process. Linking to an external web page is not sufficient.
- Registrars must ensure that these disclosures are set aside from other provisions of the registration agreement if they are presented to registrants together with that agreement. Alternatively, registrars may present data access disclosures separate from the registration agreement. The wording of the notice provided by registrars should, to the extent feasible, be uniform.
- Registrars must obtain a separate acknowledgement from registrants that they have read and understand these disclosures. This provision does not affect registrars' existing obligations to obtain registrant consent to the use of their contact information in the WHOIS system.
The ALAC is expressing support for the concept of mandatory disclosure that underlies the task forces’ recommendations and is suggesting specific ways to improve it.
ICANN’s Generic Names Supporting
Organization (GNSO) initiated a policy development process in October
2003 to address three issues relating to the WHOIS database. Three separate
task forces – each with a liaison from the ALAC – are addressing
these issues, and the ALAC has provided advice on:
Access to WHOIS Data For Marketing Purposes (WHOIS Task Force 1)
of Data Collected and Displayed (WHOIS Task Force 2)
Accuracy of Collected Data (WHOIS Task Force 3)
ALAC advice submitted to the task forces thus far is summarized below
(with links to the full text of the ALAC submission). Brief descriptions
of each task force’s work (and links) also are included below.
*Please share your views on the ALAC’s advice
and the work of the task forces. Comments submitted will be publicly posted.*
The deadline for public comments on the three Whois task forces' preliminary
reports has been extended until 5 July 2004. The public comments and policy
recommendations will then be compiled into a final report, which is expected
by 19 July 2004 (all dates subject to change).
Restricting Access to WHOIS Data For Marketing Purposes (WHOIS
Task Force 1)
Task Force Purpose: This task force is charged with
building on a previous GNSO
recommendation to prohibit the use of bulk access WHOIS data for marketing
by directly addressing the issue of marketing uses of WHOIS data obtained
through Port 43 and web-based access. Through the use of "data mining"
processes, large numbers of WHOIS records are easily available for marketing
purposes, generally on an anonymous basis (the holders of this information
are unknown). The purpose of this task force is to determine what contractual
changes (if any) are required to allow registrars and registries to protect
domain name holder data from data mining for the purposes of marketing
The focus is on the technological means that may be applied to achieve
these objectives and whether any contractual changes are needed to accommodate
here for a detailed description of Task Force 1’s work.
ALAC Advise: The ALAC has recommended a simple two-tiered system –
one for public access and a second for authenticated access. Under “Tier
1 – public access” users who access a future WHOIS-like system
anonymously would get access to non-sensitive information concerning a
domain name registration (“non-sensitive information” would
be defined in detail by Task
Force 2. Under “Tier 2 - authenticated access” users who
want to access a more complete data set (to be defined in detail by Task
Force 2) need to reliably identify themselves, and indicate the purpose
for which they want to access the data.
* Click here
for the complete text of the ALAC’s submission to Task Force 1.*
Review of Data Collected and Displayed (WHOIS Task Force 2)
Task Force Purpose: This task force is addressing domain
name holders’ concern about privacy, both in terms of data that
is collected and held about them, and in terms of what data is made available
to other parties. The objective of the task force is to determine:
a) What is the best way to inform registrants of what information about
themselves is made publicly available when they register a domain name
and what options they have to restrict access to that data and receive
notification of its use?
b) What changes, if any, should be made in the data elements about
registrants that must be collected at the time of registration to achieve
an acceptable balance between the interests of those seeking contact-ability,
and those seeking privacy protection?
c) Should domain name holders be allowed to remove certain parts of
the required contact information from anonymous (public) access, and
if so, what data elements can be withdrawn from public access, by which
registrants, and what contractual changes (if any) are required to enable
this? Should registrars be required to notify domain name holders when
the withheld data is released to third parties? If registrants have
the ability to withhold data from public, anonymous access will this
increase user incentives to keep the contact information they supply
current and accurate.
here for a detailed description of Task Force 2’s work.
ALAC Advise: The ALAC has recommended that the mandatory
collection and display of personal information about registrants be reduced
as far as possible. What information is actually required for placing
a domain name registration should be a matter of registrars' business
models, and of applicable law, not of ICANN policy. The ALAC considers
the removal of the following data elements from registrars' and registries
WHOIS services (in a tiered model, from *all* tiers) a priority:
- Registrant name, address, e-mail address, and phone number, unless
registrant has requested that this information be made available.
- Administrative contact name, address, e-mail address, and phone number,
unless registrant (or admin-c) has requested that this information be
- Billing contact. These data are traditionally not published by registrars,
but are included in many thick registries' public WHOIS services.
For the purposes of a tiered access system (see recommendations for Task
Force 1), the ALAC recommends that the following information be included
in a public tier: registrar of record; name servers; status of domain
name; and contact data, if the data subject specifically requests that
these data be included in the public tier.
* Click here
for the complete text of the ALAC’s submission to Task Force 2.*
Improving Accuracy of Collected Data (WHOIS Task Force 3)
Task Force Purpose: The purpose of this task force is
to develop mechanisms to improve the quality of contact data that must
be collected at the time of registration, in accordance with the registrar
accreditation agreement (in particular clauses
3.3.1 and 18.104.22.168), and the relevant registry agreement (e.g Unsponsored
TLD Agreement: Appendix O (.biz)). Click
here for a detailed description of Task Force 3’s work.
The ALAC votes AGAINST all recommendations made in the proposed TF3 report.
For purposes of giving advice, we respectfully suggest that the report,
in its current state, not be presented for public comment, but rather
be substantially revised.
The document put up for a vote on TF3 is not even suitable as a basis
for public comment or decision-making on the Council and Board levels:
Such a document would have to discuss the Task Force's inputs and deliberations,
it would have to compare the recommendations made to the baseline policy
and practice effective today, and it would also have to include discussion
of the effects (and side effects) of the recommendations made. Making
the addressees and status (consensus policy?) of individual recommendations
transparent would also contribute to enabling an informed discussion of
the proposals made.
Specific to the area of WHOIS accuracy, it would also be helpful to compare
any recommendations made to the results of the DNSO Whois Task Force's
and Implementation Committees work from 2002/2003, and to make sure that
the considerable body of public comment and community discussion is taken
into account that was generated back then.
We think that, to be able to solve a problem, you should first investigate
the reasons why it happens. In this case, you could roughly divide the
registrants whose data are inaccurate into four categories:
- Those who purposely provide inaccurate data for fraudulent reasons.
- Those who purposely provide inaccurate data to protect their privacy.
- Those who mistakenly provide inaccurate data.
- Those who provide accurate data at registration, but then fail to
keep them up to date so that the information becomes inaccurate.
The ALAC suggests it might be more cost-effective (and also more respectful
of basic civil rights of people) to pursue fraudulent registrants once
they actually commit a fraud, rather than to presume that all registrants
are to commit frauds and so should be carefully screened in advance. The
ALAC thinks that an increased accuracy in the WHOIS database, if limited
to those registrants who actually agree to provide their data, would be
highly desirable. This is why we think that future activities in the field
of enhanced accuracy should not focus on the first category of the above
list, but rather on the other three.
The ALAC recommends a shift in the focus of accuracy-related discussions
to deal with those types of inaccuracy that can and should actually be
solved, rather than dealing with world-wide verification and law enforcement
systems. In particular, to address category 4, the ALAC recommends further
consideration of changing the architecture of the WHOIS database from
centralized to distributed. After all, the very reason for which the DNS
system was created -- replacing the old centralized hosts table -- was
the impossibility of keeping this centralized table up to date. We should
simply apply the same principle and move the data at the edge of the network,
by embedding WHOIS servers into DNS server implementations. WHOIS queries
could then be sent directly to the authoritative name servers for the
domain, and only if no reply is received, the registry could be used as
a fallback. This way, registrants would be able to keep their WHOIS information
up to date as easily as they keep their zone files up to date, and even
if this would not completely solve the problem, it would possibly cause
a dramatic increase in the number of WHOIS records that are actually kept
* Click here
for the complete text of the ALAC’s submission to Task Force 3.*
Links to reports and other background information are listed below.
At-Large Advisory Committee
Advice to GNSO Task Forces (26 March 2004)
- Whois Workshop (Carthage) material (27 October 2003)
Workshop (Montreal) material
ALAC Calls for Progress
on WHOIS Privacy (29 October 2003)
Staff Manager's Issues Report on Privacy Issues Related to Whois
(13 May 2003)
Rio de Janeiro Meeting Topic: Whois Accuracy and Bulk Access (11
on the WHOIS Task Force's Final Report on Accuracy and Bulk Access
(11 March 2003)
Report of the GNSO Council's Whois Task Force Accuracy and Bulk Access
(6 February 2003)
Report of the Names Council's WHOIS Task Force (30
of the GNSO Council's WHOIS Implementation Committee (30
Received by the Task Force in Response to the Final Report (19
WHOIS Task Force Archives