ICANN | General Counsel's Analysis of GNR's Request for Amendment to Registry Agreement | 26 November 2002
  ICANN Logo

General Counsel's Analysis of GNR's Request for Amendment to Registry Agreement
26 November 2002


General Counsel's Analysis of GNR's Request for Amendment to Registry Agreement


To the Board:

On 9 November 2002, I received the attached request from The Global Name Registry Limited (GNR), which operates the registry for the .name top-level domain under a registry agreement it entered with ICANN on 1 August 2001. The request seeks the revision of various of the appendices (mainly Appendix O) to the .name Registry Agreement to revise the manner in which, and the conditions under which, GNR provides public Whois data for .name. This memorandum summarizes my analysis of GNR's request for an amendment to the Whois provisions of the .name Registry Agreement and recommends approval of that request.

Background: Current GNR Whois Service

GNR operates .name as a "thick" registry, meaning that (a) registrars submit to the registry contact data they gather concerning registrants, administrative contacts, technical contacts, etc.; (b) GNR maintains that data in the .name registry; and (c) GNR makes the data available through a Whois service that covers all .name registrations.

Appendix O of the current .name Registry Agreement gives details of the Whois service implemented by GNR. The current .name Whois service allows queries to be made, seeking four different levels of detail. The three levels with the least detail are available in real time through a web page and a port 43 Whois service. The level with the most detail (the "Extensive" level) is requested by filling out a web page, after which a report with the extensive response is sent to the requestor by e-mail. These detailed specifications were developed during the negotiations of the .name Registry Agreement based on the GNR proposal, additional assurances it gave during the selection process, and its consultations with the United Kingdom information commissioner's office. (GNR operates the .name registry in the UK.)

Background: The GNR .name Whois Proposal

GNR launched the Whois service contemplated by the current agreement in January 2002. Since that time, various events have caused GNR to reevaluate whether it is appropriate to make some changes to the manner of providing Whois service. In part, this reevaluation has been prompted by GNR's desire to provide heightened confidence that its Whois service complies with the United Kingdom Data Protection Act of 1998 (the Act), which generally governs the manner in which GNR must process personal data and restricts its ability to transfer that information to countries outside of the European Economic Area. The changes proposed by GNR are also intended to address consumer concerns about personal privacy, which GNR has concluded are especially relevant to the attractiveness of registrations in .name, a TLD uniquely designed for use by individuals.

GNR's current request grows out of a proposal that it has discussed since February 2002 among various groups that use or are otherwise affected by Whois services, including members of the law enforcement community, intellectual property holders, privacy advocates, registry operators, registrars, and members of the technical community. GNR also has presented its proposal to the DNSO Whois Task Force. GNR has made various modifications in response to feedback it has received from these consultations.

GNR's proposal would be implemented by replacing Appendix O to the Registry Agreement (and making conforming revisions to various other appendices). The proposed replacement Appendix O specifies the particulars of the service that would be provided.

Under the revised specification, GNR would provide four levels of access to registrant information, each of which would be available from both a real-time web interface and a port 43 Whois interface. The presently employed e-mail delivery of Whois reports (which was intended to provide a level of authentication as to the recipient) would be discontinued. The two less detailed levels of Whois reports would provide relatively minimal details and would be available to members of the public without prearrangements. The two more detailed levels would involve password-controlled access, requiring those seeking the Whois data to make prearrangements including the entry of commitments that the Whois data will be used for appropriate purposes. The four levels of access (from most general to most detailed) are:

  • Free public access to non-personally identifiable "Summary" information (mainly useful to determine whether a domain name exists and its status);
  • Free public access to non-personally identifiable "Standard" information (provides somewhat more detail, but no personal information);
  • Password-protected access to "Detailed" personally identifiable information, not including the home telephone number or e-mail address of registrants, subject to an online authentication mechanism (such as the payment of a small fee) to deter marketing and other mass uses of the data; and
  • Free, password-protected access to "Extensive" information, including home phone and e-mail, subject to a written agreement with GNR precluding inappropriate uses of the data.

In addition, GNR's proposal includes a 24/7 support phone and e-mail service to respond to time-sensitive queries from network operators, etc., seeking contact information to assist in resolving technical issues (such as might be useful in dealing with distributed denial-of-service attacks). GNR will also provide a "messenger service", in which it will forward messages to .name registrants without revealing their personal information.

Background: Discussion of .name Whois Proposal to Date

In February 2002, GNR first consulted with a small group of individuals, representing a wide variety of interests within the global Internet community, including registrars, law enforcement, the intellectual property community and privacy advocates. These consultations led to several meetings in person and by phone between GNR and members of the same communities as well as members of the ISP and technical communities. In crafting its proposed amendment, GNR solicited extensive feedback from these groups regarding its goal of enhancing the privacy of the personal information of .name registrants without interfering with the needs of legitimate Whois searchers, while also providing increased confidence that the relevant requirements of the UK data protection laws are fully met.

In August 2002, GNR posted its proposal on both the DNSO Whois Task Force public list and the registrar constituency's discussion list. It was also posted on the DNSO General Assembly discussion list by Alexander Svensson. T these postings did not generate any discussion on these lists.

In October 2002, GNR formally briefed the DNSO Whois Task Force. After a question-and-answer session, members of the Task Force expressed the sentiment that the proposal involved a contractual matter between ICANN and GNR and should be considered expeditiously. I received letters of support for, or non-objection to, GNR's proposal from the three gTLD Registry Constituency representatives to the Names Council, Ken Stubbs (Registrar Constituency Names Council representative), and Steve Metalitz (President of the Intellectual Property Constituency).

In Shanghai at the end of October 2002, GNR briefed and sought final feedback from the Business Constituency and the Registrar Constituency. The matter that sparked most discussion was GNR's proposal to charge US$2 for five one-time-use passwords to be used in "Detailed" Whois searches. This proposed charge is intended to provide a practical disincentive to those who otherwise might violate the terms of the online click-through license for Detailed Whois search passwords by using the data for marketing purposes. Concerns were raised by registrars regarding this charge on the basis that it was inappropriate for GNR to profit from access to data which is gathered and placed in the .name registry by registrars. To address these concerns, GNR revised its proposal, as follows:

  • GNR may charge a fee of US$2 for the five one-time-use passwords for Detailed Whois Searches. GNR may, in its discretion, not charge the US$2 fee and require requestors instead to authenticate themselves using a credit card or other personally identifiable information. Within ninety days following its implementation of the Detailed Whois service, GNR will determine the extent to which the fee revenue (if any) exceeds its costs in implementing this service. GNR will distribute pro-rata excess revenues, if any, generated through Detailed searches with ICANN Registrars whose data is returned in response to a Detailed Whois query.

Whois Specification Under the Registry Agreement

The proposed modification to Appendix O would make various changes associated with converting the current Whois system, which has three levels of real-time access and one level for which Whois responses are delivered by e-mail, to a Whois system in which all four levels are provided in real-time, but in which the two more detailed levels of Whois data can only be obtained through password-controlled access.

Complete specifics are given in proposed modified Appendix O, but the most significant changes are in the two more detailed levels ("Detailed" and "Extensive"):

  • Detailed Whois
    • Access to Detailed Whois will require a password, which can be obtained when a searcher provides certain information about him or herself and pays a US$2 fee for five searches (or, alternatively at GNR's option, provides credit card authentication). At the time the passwords are obtained, the searcher must agree (through a click-through license) not to use the data for marketing purposes, spamming, or other improper or unlawful purposes.
      • Five passwords will be sent to the e-mail address designated by the searcher.
      • Each password will be valid for one search conducted within 24 hours.
    • The registrant's name and address (but not telephone number, fax number, or e-mail address) will be provided in response to Detailed Whois searches. Information about the administrative, technical, and billing contacts will be provided only to the extent that they differ from the registrant. Thus, telephone, fax, and e-mail information about registrants will not be available in response to Detailed Whois searches, even when the registrant is also the administrative, technical, or billing contact.
  • Extensive Whois
    • Currently, results of an Extensive Whois search are returned to the searcher by e-mail; under the proposal Extensive Whois data will be provided through web-based or port 43 Whois searches.
    • Access to Extensive Whois will be available only through use of a persistent password provided to searchers that enter a standardized agreement that includes an undertaking that the information will be used for specified purposes only, not including unsolicited e-mail, data mining, direct marketing, andother improper or unlawful purposes.

Considerations in Evaluating Proposed Amendments

Determining the appropriate process to follow when a registry operator seeks an amendment to its registry agreement presents countervailing considerations. These were discussed in my 17 April 2002 analysis of VeriSign's request to modify the .com and .net registry agreements. In that case VeriSign proposed to offer a new service (the Wait Listing Service) which would bear a fee and alter the rules by which names being deleted are allocated to new registrants. Although GNR's request arises in a somewhat different context than the VeriSign WLS proposal, the underlying considerations are quite similar:

On one hand, the registry operator is in a sole-source position in providing registry services; this position carries with it the potential for various types of harm to the legitimate interests of others.

On the other hand, requiring a consensus-development process for every new registry service could stifle innovation. Registry operators should be encouraged to introduce new services to the marketplace where no legitimate interests of others are being materially harmed.

To accommodate these countervailing considerations, in considering requests to amend a registry agreement to authorize charging for additional registry services, my judgment is that a preliminary "quick-look" evaluation should be made to determine whether it is plausible that the legitimate interests of others could be harmed by the proposed amendment. If no legitimate interest appears in danger of being harmed, then a streamlined procedure for approval should be followed. If, however, there are specific reasons to conclude that the legitimate interests of others are likely to be harmed, then ICANN's existing obligation to seek consensus whenever possible before acting suggests that it should invoke the formal consensus development mechanisms that currently exist prior to any decision by the ICANN Board.

In this case, GNR's proposal does not materially alter the existing Whois policy registry operators must follow, since all the elements of Whois data currently available for .name would continue to be available. Thus, GNR would continue to meet its basic obligation under subsection 3.10.1 of the .name Registry Agreement: "At its expense, [GNR] shall provide free public query-based access to up-to-date data concerning domain-name and nameserver registrations maintained by Registry Operator in connection with the Registry TLD. . . . " At the Extensive level, this data remains free of charge.

Rather than deviate from the basic Whois policy, GNR's proposal simply revises the mechanism through which its obligation to provide Whois data is fulfilled. It does this by requiring Whois searchers to enter into agreements not to misuse Whois data before they receive any personal data. This altered mechanism is particularly appropriate for the .name TLD, in which registrations are restricted (with very limited exceptions) to individuals registering their own names as domain names. In this context, it is particularly appropriate to provide practical assurance, more easily enforced than the current arrangements used in .name, that the personal data contained in the .name registry-level Whois will not be used in a manner that violates current ICANN policy, which prohibits use of Whois data to allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations. In providing this greater practical assurance, the proposed mechanism also gives a higher level of confidence that GNR's Whois service fully meets the requirements of the UK data-protection law.

In accord with the analysis quoted above, where a registry operator requests amendment of its registry agreement to introduce an innovative way of meeting the basic requirements of the applicable existing ICANN policy, the Board should not simply refer the matter to the (potentially protracted) consensus-development process, but should instead conduct a preliminary "quick-look" evaluation to determine whether it is plausible that the legitimate interests of others could be harmed by the proposed amendment. Only if a third party's legitimate interest appears in danger of being significantly harmed should formal resort to the policy-development process be made; otherwise a streamlined procedure for approval should be followed.

Based on the preliminary consultations among the parties likely to be affected, as well as with the DNSO Whois Task Force, GNR's proposal as currently presented appears not to threaten any significant harm to legitimate interests of third parties. Free public access to the same Whois data will still be available; the main difference is that GNR will implement enhanced practical assurances that the limitations on use of Whois data already recognized in ICANN policy will be observed. The one potential harm that was identified in the consultations – involving the possibility that GNR would profit inappropriately from use of data gathered by registrars – has been fully addressed by GNR's commitment to distribute any excess revenues to the affected registrars. Indeed, preliminary consultations have resulted in a significant showing of support by potentially affected parties, as demonstrated by the supporting statements by representatives of the gTLD Registry, Registrar, and Intellectual Property constituencies.

Supporting Materials

Recommendation

In view of the above analysis, I recommend that the Board approve the amendment to the Registry Agreement as requested by GNR.

Respectfully submitted,

Louis Touton
General Counsel


Comments concerning the layout, construction and functionality of this site
should be sent to webmaster@icann.org.

Page Updated 28-Nov-2002
©2002 The Internet Corporation for Assigned Names and Numbers. All rights reserved.