Quite confusingly, it was published on 24th April, with a 30 day comment period. However, one needs to comment before 6 May if it wants the IRT to consider the comments. Strange tactics.

As others have pointed out, the effective 7 day comment period over this draft report is way too short. It may be wise that the ICANN board does not consider this report before the community has had a real opportunity to comment.

I totally support Michele Neylon’s comments on the whois model  contemplated by this report. It would be in breach with many privacy regulations throughout the world. Further, if the ability to comply with the whois recommendations, as set forth in this report, would become one of the evaluation criteria for the new gTLD applications, this would favour registry operators located in countries with little or no privacy laws. This would put at a competitive disadvantage those businesses which need to comply with local laws. Questions to the IRT:

• Did the IRT consider if their recommendations regarding the whois were actually compliant with relevant legislation throughout the world ?
• Will the ability to comply with the whois recommendations, as set forth in this report, be a part of the evaluation process of new gTLD applications ?

Regarding the IP clearinghouse, it is stated that “The recommendation should not result in unnecessary or undue costs, either to trademark owners or to legitimate users and consumers”. Does this mean that the registry operators will have to bear all the increase of their operating costs for protecting third parties interests? The net effect of this is that operators will need to shift the increasing cost among all their customers, including those who have no IP rights to protect. This will mean raising the unit price of domain names for every customer, making the TLD less attractive and potentially be a cause of registry failure. In the case of community-based TLDs that focus on a limited market through a not-for-profit model, this may simply mean that the potential costs  and legal risks may be disporportionate for them to bear.

There is a major concern that different levels of protection for marks may put the registry operator in a position to have to arbitrate between second level domain name  applications and become legally involved in disputes between third parties. Unlike trade marks, which can be multiple according to industrial sectors and geography, domain names are by nature globally unique. As technical operators, registries should have no business in deciding who is the legitimate intellectual right owner.

If such IP clearinghouse system is put in place, it should, at a minimum:

1. Be automated and implementable at a marginal cost by registries and registrars
2. Exempt the registry operators from further legal consequences if it has demonstrated that it queried the database at registration time.

In addition to the above, I think it would be only fair that whatever policies are decided as a consequence of this process are also made mandatory for the existing gTLDs. The new entrants should not be the only ones having to bear the weight and costs of these policies.

As usual on these matters, my registrar, Gandi,  has been at the forefront of user minded service and has set up an a free proxy service. This is fine: privacy should not be something for which one has to pay, especially of it is guaranteed by law. My new whois record for one of the domains I manage now looks like this:

Tech ID:PVW6-GANDI
Tech Name:Patrick Vande Walle
Tech Organization:
Tech Street1:Whois Protege / Obfuscated whois
Tech Street2:Gandi, 15 place de la Nation
Tech Street3:
Tech City:Paris
Tech State/Province:
Tech Postal Code:75011
Tech Country:FR
Tech Phone:+33.170377666
Tech Phone Ext.:
Tech FAX:+33.143730576
Tech FAX Ext.:
Tech Email:34a2773f812b49da3ab0513d28d86b82-401854@contact.gandi.net

Great ! Now my home address and private phone are no more visible on the Internet through the whois. No need to cheat.

This is damageable to the public but also to registries and registrars. As I reminded the GNSO several times in public consultations over the years, the data regarding natural persons is protected under the EU directive 2002/58/EC. This applies not only to data processed in the EU, but also to data belonging to EU citizens and processed abroad.

On the particular issue of the whois databases, the Article 29 working party issued a commentary in 2003. It makes it clear that the current public exposure of the registration details of natural persons is not acceptable. This was reminded in a letter sent to then ICANN Chairman Vint Cerf last year.

Hence, every registrar or gTLD registry with European customers that try to follow ICANN’s current policy on the whois are breaching the law.  In the end, it is an irresponsible attitude from the ICANN community to expose companies to possible judicial consequences. Maybe it is time to remind those who think the Internet is not subject to real world legislation that they are playing with fire.

After all, they say, “Privacy concerns with Whois that were identified years ago have already been addressed by in the marketplace“. In other words, if you want privacy for your domain name registration, you need to pay extra for proxy services.

I understand that the industry wants to always sell more services. That means money for them. However, those proxy services were developed as a workaround to the current whois system, which does not protect privacy, and in wait for a more global solution.

But of course, the main question is that privacy is a fundamental human right under article 12 of the Universal Declaration of Human rights. As far as I know, human rights are for everyone, not just for those who can pay for it. What is next ? Will we need to buy the right for freedom of expression or to organize in trade unions ?

First of all, the report does not include a comprehensive study of privacy laws in major countries around the world. Though a difficult exercise, it would allow to set the context in which the whois policy should be developed. It would be a waste of time to develop a policy that cannot be implemented because it breaches the law.

Several times in the report the assumption is made that the applicable law and jurisdiction is that of the registrar or registry. There is a growing trend, especially in Europe, to consider that the relevant law and jurisdiction for distance selling should be that of the buyer, especially if the buyer is an individual.

I am also surprised to see that “law enforcement agencies or intellectual property rights holders” are being put on the same level throughout the text, as if a private third party had the same legal and democratic legitimacy as a state agency. It seems quite logical that IP right holders have no more (or less) rights that any other complainant. As such, it should go through the same channel to exercise their right as any other 3rd party. This also allows to filter out groundless and frivolous complaints.

The “special circumstances” proposal is obviously the example of what should not be done. Who gets to decide what constitutes a “concrete and real interest in their personal safety or security that cannot be protected other than by suppressing that public access” ? What is the legitimacy of such body ? How does it scale on a worldwide basis ? Further, it does not address the need to protect individuals and companies from e-mail spam or phone harassment.

The OPoC proposal seems reasonable with a few adjustments. There should be a possibility for individuals to have an unlisted domain name, just like there are unlisted phone numbers. In such a case, the registrar or ISP could act as the OPoC.

As mentioned in the report, the accuracy of the whois data will improve when it will become less public and proper checks are made on who requests the data and for what purpose. A code of conduct, as mentioned in the OPoC proposal, is of little value if there are no incentives for it to be effectively enforced. There should be additional measures, like external audits and sanctions for those in breach with the code of conduct (suspension or revocation of the ICANN accreditation for registrars for example).

The bottom line is that we need a policy that can actually be implemented by registrars. Rather than looking at what we can agree on within the narrow ICANN community, we should be looking at what is realistically feasible within the existing legal frameworks and agree on a common denominator.