General Counsel's Analysis of GNR's Request
for Amendment to Registry Agreement
General Counsel's Analysis of GNR's Request for Amendment to Registry Agreement
On 9 November 2002, I received the attached request from The Global Name Registry Limited (GNR), which operates the registry for the .name top-level domain under a registry agreement it entered with ICANN on 1 August 2001. The request seeks the revision of various of the appendices (mainly Appendix O) to the .name Registry Agreement to revise the manner in which, and the conditions under which, GNR provides public Whois data for .name. This memorandum summarizes my analysis of GNR's request for an amendment to the Whois provisions of the .name Registry Agreement and recommends approval of that request.
GNR operates .name as a "thick" registry, meaning that (a) registrars submit to the registry contact data they gather concerning registrants, administrative contacts, technical contacts, etc.; (b) GNR maintains that data in the .name registry; and (c) GNR makes the data available through a Whois service that covers all .name registrations.
Appendix O of the current .name Registry Agreement gives details of the Whois service implemented by GNR. The current .name Whois service allows queries to be made, seeking four different levels of detail. The three levels with the least detail are available in real time through a web page and a port 43 Whois service. The level with the most detail (the "Extensive" level) is requested by filling out a web page, after which a report with the extensive response is sent to the requestor by e-mail. These detailed specifications were developed during the negotiations of the .name Registry Agreement based on the GNR proposal, additional assurances it gave during the selection process, and its consultations with the United Kingdom information commissioner's office. (GNR operates the .name registry in the UK.)
GNR launched the Whois service contemplated by the current agreement in January 2002. Since that time, various events have caused GNR to reevaluate whether it is appropriate to make some changes to the manner of providing Whois service. In part, this reevaluation has been prompted by GNR's desire to provide heightened confidence that its Whois service complies with the United Kingdom Data Protection Act of 1998 (the Act), which generally governs the manner in which GNR must process personal data and restricts its ability to transfer that information to countries outside of the European Economic Area. The changes proposed by GNR are also intended to address consumer concerns about personal privacy, which GNR has concluded are especially relevant to the attractiveness of registrations in .name, a TLD uniquely designed for use by individuals.
GNR's current request grows out of a proposal that it has discussed since February 2002 among various groups that use or are otherwise affected by Whois services, including members of the law enforcement community, intellectual property holders, privacy advocates, registry operators, registrars, and members of the technical community. GNR also has presented its proposal to the DNSO Whois Task Force. GNR has made various modifications in response to feedback it has received from these consultations.
GNR's proposal would be implemented by replacing Appendix O to the Registry Agreement (and making conforming revisions to various other appendices). The proposed replacement Appendix O specifies the particulars of the service that would be provided.
Under the revised specification, GNR would provide four levels of access to registrant information, each of which would be available from both a real-time web interface and a port 43 Whois interface. The presently employed e-mail delivery of Whois reports (which was intended to provide a level of authentication as to the recipient) would be discontinued. The two less detailed levels of Whois reports would provide relatively minimal details and would be available to members of the public without prearrangements. The two more detailed levels would involve password-controlled access, requiring those seeking the Whois data to make prearrangements including the entry of commitments that the Whois data will be used for appropriate purposes. The four levels of access (from most general to most detailed) are:
In addition, GNR's proposal includes a 24/7 support phone and e-mail service to respond to time-sensitive queries from network operators, etc., seeking contact information to assist in resolving technical issues (such as might be useful in dealing with distributed denial-of-service attacks). GNR will also provide a "messenger service", in which it will forward messages to .name registrants without revealing their personal information.
In February 2002, GNR first consulted with a small group of individuals, representing a wide variety of interests within the global Internet community, including registrars, law enforcement, the intellectual property community and privacy advocates. These consultations led to several meetings in person and by phone between GNR and members of the same communities as well as members of the ISP and technical communities. In crafting its proposed amendment, GNR solicited extensive feedback from these groups regarding its goal of enhancing the privacy of the personal information of .name registrants without interfering with the needs of legitimate Whois searchers, while also providing increased confidence that the relevant requirements of the UK data protection laws are fully met.
In August 2002, GNR posted its proposal on both the DNSO Whois Task Force public list and the registrar constituency's discussion list. It was also posted on the DNSO General Assembly discussion list by Alexander Svensson. T these postings did not generate any discussion on these lists.
In October 2002, GNR formally briefed the DNSO Whois Task Force. After a question-and-answer session, members of the Task Force expressed the sentiment that the proposal involved a contractual matter between ICANN and GNR and should be considered expeditiously. I received letters of support for, or non-objection to, GNR's proposal from the three gTLD Registry Constituency representatives to the Names Council, Ken Stubbs (Registrar Constituency Names Council representative), and Steve Metalitz (President of the Intellectual Property Constituency).
In Shanghai at the end of October 2002, GNR briefed and sought final feedback from the Business Constituency and the Registrar Constituency. The matter that sparked most discussion was GNR's proposal to charge US$2 for five one-time-use passwords to be used in "Detailed" Whois searches. This proposed charge is intended to provide a practical disincentive to those who otherwise might violate the terms of the online click-through license for Detailed Whois search passwords by using the data for marketing purposes. Concerns were raised by registrars regarding this charge on the basis that it was inappropriate for GNR to profit from access to data which is gathered and placed in the .name registry by registrars. To address these concerns, GNR revised its proposal, as follows:
The proposed modification to Appendix O would make various changes associated with converting the current Whois system, which has three levels of real-time access and one level for which Whois responses are delivered by e-mail, to a Whois system in which all four levels are provided in real-time, but in which the two more detailed levels of Whois data can only be obtained through password-controlled access.
Complete specifics are given in proposed modified Appendix O, but the most significant changes are in the two more detailed levels ("Detailed" and "Extensive"):
Determining the appropriate process to follow when a registry operator seeks an amendment to its registry agreement presents countervailing considerations. These were discussed in my 17 April 2002 analysis of VeriSign's request to modify the .com and .net registry agreements. In that case VeriSign proposed to offer a new service (the Wait Listing Service) which would bear a fee and alter the rules by which names being deleted are allocated to new registrants. Although GNR's request arises in a somewhat different context than the VeriSign WLS proposal, the underlying considerations are quite similar:
In this case, GNR's proposal does not materially alter the existing Whois policy registry operators must follow, since all the elements of Whois data currently available for .name would continue to be available. Thus, GNR would continue to meet its basic obligation under subsection 3.10.1 of the .name Registry Agreement: "At its expense, [GNR] shall provide free public query-based access to up-to-date data concerning domain-name and nameserver registrations maintained by Registry Operator in connection with the Registry TLD. . . . " At the Extensive level, this data remains free of charge.
Rather than deviate from the basic Whois policy, GNR's proposal simply revises the mechanism through which its obligation to provide Whois data is fulfilled. It does this by requiring Whois searchers to enter into agreements not to misuse Whois data before they receive any personal data. This altered mechanism is particularly appropriate for the .name TLD, in which registrations are restricted (with very limited exceptions) to individuals registering their own names as domain names. In this context, it is particularly appropriate to provide practical assurance, more easily enforced than the current arrangements used in .name, that the personal data contained in the .name registry-level Whois will not be used in a manner that violates current ICANN policy, which prohibits use of Whois data to allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations. In providing this greater practical assurance, the proposed mechanism also gives a higher level of confidence that GNR's Whois service fully meets the requirements of the UK data-protection law.
In accord with the analysis quoted above, where a registry operator requests amendment of its registry agreement to introduce an innovative way of meeting the basic requirements of the applicable existing ICANN policy, the Board should not simply refer the matter to the (potentially protracted) consensus-development process, but should instead conduct a preliminary "quick-look" evaluation to determine whether it is plausible that the legitimate interests of others could be harmed by the proposed amendment. Only if a third party's legitimate interest appears in danger of being significantly harmed should formal resort to the policy-development process be made; otherwise a streamlined procedure for approval should be followed.
Based on the preliminary consultations among the parties likely to be affected, as well as with the DNSO Whois Task Force, GNR's proposal as currently presented appears not to threaten any significant harm to legitimate interests of third parties. Free public access to the same Whois data will still be available; the main difference is that GNR will implement enhanced practical assurances that the limitations on use of Whois data already recognized in ICANN policy will be observed. The one potential harm that was identified in the consultations involving the possibility that GNR would profit inappropriately from use of data gathered by registrars has been fully addressed by GNR's commitment to distribute any excess revenues to the affected registrars. Indeed, preliminary consultations have resulted in a significant showing of support by potentially affected parties, as demonstrated by the supporting statements by representatives of the gTLD Registry, Registrar, and Intellectual Property constituencies.
In view of the above analysis, I recommend that the Board approve the amendment to the Registry Agreement as requested by GNR.
Comments concerning the layout, construction and functionality of this site
should be sent to firstname.lastname@example.org.