ALAC Responds to GNSO WHOIS Hypothesis Working Group Report
Introductory Note by the ICANN Staff
The original draft of this statement was prepared by ALAC Member Patrick Vande Walle. It was posted for comment by ALAC members in the first instance, in English, on 22 nd September 2008; it may be found at https://st.icann.org/alac-docs/index.cgi?statement_on_whois_hypothesis_working_group_studies_al_alac_st_0908_3. Comments made on the above page have informed Rev1 (this text).
The report to which this Statement pertains may be found at http://gnso.icann.org/issues/whois/whois-study-hypothesis-group-report-to-council-26aug08.pdf (in English only).
Rev2 of the Statement was approved by a vote of the ALAC on 14 th October 2008.
[End of introduction]
The At-Large Advisory Committee (ALAC) wishes to convey to the GGNSO Council the ALAC's views on the report prepared by the Whois Study Hypothesis Group, which can be found at following URL: The report to which this Statement pertains may be found at http://gnso.icann.org/issues/whois/whois-study-hypothesis-group-report-to-council-26aug08.pdf .
The ALAC wishes to thank the members of the ALAC community who participated in this statement: Carlton Samuels, Alan Greenberg, Danny Younger, Patrick Vande Walle and anonymous contributors.
We note there is no clear distinction in the document between whois services, as provided through whois servers compliant to RFC3192 and whois-like services provided through web-based systems. The differences are important in analyzing how the systems can be misused.
The text-based whois service suffers from its simplicity. It makes bulk data download easy. To the contrary, web based whois systems can be better tailored to limit bulk queries through captcha validations or other techniques.
With regard to the text-based version of whois, we note and agree with the writers of RFC 3912: "The WHOIS protocol has not been internationalised. The WHOIS protocol has no mechanism for indicating the character set in use. ... This inability to predict or express text encoding has adversely impacted the interoperability (and, therefore, usefulness) of the WHOIS protocol." RFC 3912 further elaborates that: "The WHOIS protocol has no provisions for strong security. WHOIS lacks mechanisms for access control, integrity, and confidentiality. Accordingly, WHOIS-based services should only be used for information which is non-sensitive and intended to be accessible to everyone. The absence of such security mechanisms means this protocol would not normally be acceptable to the IETF at the time of this writing".
With the above in mind, the ALAC considers that the text-based whois services do not serve the needs of the community anymore. This includes
- the support of non-ASCII character sets
- control of the granularity of displayed data
- The management of access rights and the auditing of accesses.
- The compliance of the Whois services with the legal requirements registrars and registries are subject to.
We urge the GNSO to consider a new whois-like service with would provide granular access rights to registrant information and proper auditing of accesses, as well as the support for non-ASCII character sets. In this respect, we draw the attention of the GNSO to the SSAC recommendation expressed in SSAC-033 http://www.icann.org/en/committees/security/sac033.pdf
More generally, the ALAC support the GNSO council's definition of the of the purpose of the whois, as expressed at the GNSO council meeting of 12 April 2006 : "The purpose of the gTLD Whois service is to provide information sufficient to contact a responsible party for a particular gTLD domain name who can resolve, or reliably pass on data to a party who can resolve, issues related to the configuration of the records associated with the domain name within a DNS nameserver."
On the GNSO Whois hypothesis working group studies report, we would like to make the following comments:
Area 1 WHOIS Misuse Studies
Comment 21 and GAC data set 2: Other cases of misuse have been reported, like identifying political opponents and other people persecuted for their opinions.
Area 2 Compliance with data protection laws and theRegistrar Accreditation Agreement
If local laws allow a registrant (natural person) to oppose the publication of his/her data in databases like the public whois, he/she should still be allowed to register a domain name. Further analysis is needed to see if:
- Provisions under 3.3.1 and 3.3.6 of the Registrar Accreditation agreement are compatible with the local laws of the Registrar
- If the failure to comply with these provisions by a Registrar because of local laws can lead to the termination of the RAA for said Registrar.
Further analysis is needed regarding the export of registrant data from one country to another. It may be the case that a registrar located in country X is not allowed by law to export natural persons data to a registry in country Y. This matter is further complicated if the registry subcontracts the technical backend to an operator with its registered address in country Z and its data operations in yet another country.
With regard to gTLD registries, the ALAC notes that registry agreements include requirements for whois services which may be incompatible with the legal requirements some registries may be subject to under local law. Further analysis is needed to see if the inability for a registry to comply with ICANN's generally accepted whois requirement could be used as an eliminating criterion in the comparative evaluation process under new gTLD program. If this were the case, the ALAC fears it would distort the evaluation process in favour of registries located in countries or regions with less stringent privacy laws.
Area 3 Availability of privacy services
With regard to the cost of proxy services, it should be noted some registrars may be mandated to offer free proxy services to private individuals under local law.
Area 5 Impact of WHOIS data protection on crime and abuse
Regarding GAC comment 1, it is important to define what is "the legitimate use of gTLD WHOIS data" and who are those entities, who can invoke it and how.
Area 6 Proxy registrar compliance with law enforcement and dispute resolution requests
Regarding Steve Metalitz comment: It may be true that some registrars operating proxy/privacy services are not revealing registrant data when requested in a UDRP proceeding. These registrars may be prevented to do so under local law. UDRP is an arbitration process, not a legal process. Different rules may apply, depending on local law. Further analysis is needed to see if the UDRP process is compatible with the laws the registrars have to comply with.
Area 7 WHOIS data accuracy
As noted in the report, "The use of non-ASCII character sets in Whois records will detract from data accuracy and readability". This matches the comments we made in the preliminary note above. The whois hypothesis study group should investigate if alternative systems would allow better support for non-ASCII character sets, both in the domain names themselves and in the registrant data.
The original version of this document is the English text, available at: https://st.icann.org/alac-docs/index.cgi?statement_on_whois_hypothesis_working_group_studies_al_alac_st_0908_3. Where a difference of interpretation exists or is perceived to exist between a non-English edition of this document and the original text, the original shall prevail.