Here's the draft report the WHOIS task force is considering <http://forum.icann.org/lists/gnso-dow123/docUOzrntSDL0.doc> Currently, every domain name registrant is required to enter "accurate" information in the publicly available WHOIS database, including name, address, telephone number, and email address. Those who wish not to have this personal information displayed publicly must pay extra to registrars for "proxy" services which often allow their information to be revealed anyhow when someone challenges the domain registrant's speech. I believe there are serious free speech, privacy, and anonymity concerns with the current system. ALAC could submit comments to the Task Force and the GNSO. (As Danny Younger has noted, there are procedural problems with the PDP's lack of opportunity to consider public comment, as well as substantive problems with the proposals.) Since the debate has changed little since I sent this message in December, I re-send it to spark discussion on this policy issue: <http://forum.icann.org/lists/alac/msg02529.html> Notes on WHOIS: The WHOIS draft report reports the majority view for an "Operational Point of Contact" (OPOC), which would have registrants replace the administrative and technical contacts with one or more OPOC, who could be the registrant or a third party delegated by the registrant. This would enable better contactability and allow the registrant to remove personally identifying information from public display. "The purpose of the operational point of contact is to resolve, or to reliably pass on data to resolve, operational issues relating to a domain name." Registrants would be required to list their own name and country, but would be able to keep other information out of the publicly available WHOIS. (Under both proposals, the information would still be collected.) A minority supported the IP constituency's "Special Circumstances" proposal, under which individual non-commercial registrants could protect privacy only if they "can demonstrate that they have a reasonable basis for concern that public access to specific data about themselves (e.g., name, address, e-mail address, telephone number) that would otherwise be publicly displayed in Whois would jeopardize a concrete and real interest in their personal safety or security that cannot be protected other than by suppressing that public access. An individual would be able to hold special circumstance designation for only a limited number (e.g., 5) gTLD domain names at a time." Proxy services would be disallowed under this proposal. The TF will also discuss recommendations made earlier on compliance with national law, which may require registrars to provide privacy options. Questions: Why (in the special circumstances proposal) are we asking individuals to pay extra for basic privacy rights? How does WHOIS policy accommodate the needs of individual Internet users as domain name registrants? as users of Internet services? Is public display of personal data compatible with national data protection law and public policy? I think we should resist the distinction between commercial and non-commercial registrants because it is unworkable in practice: Is the activist who sells t-shirts to carry his message, or adwords to pay for site hosting a "commercial" user? I have recommended an additional option, that a domain name could be suspended if the registrant did not want to reveal personally identifying information. Enforcement interests (stopping a domain-hosted scam, for example) could be realized even before the registrant was identified, while law enforcement would have all the ordinary tools available to it once it demonstrated there was reason to believe the activity was unlawful. -- Wendy Seltzer -- wendy@seltzer.org phone: 718.780.7961 // fax: 718.780.0394 // cell: 914.374.0613 Visiting Assistant Professor of Law, Brooklyn Law School Fellow, Berkman Center for Internet & Society http://cyber.law.harvard.edu/seltzer.html http://www.chillingeffects.org/