ICANN has solicited comments on the whois task force report. I have sent the following:
First of all, the report does not include a comprehensive study of privacy laws in major countries around the world. Though a difficult exercise, it would make it possible to set the context in which the whois policy should be developed. It would be a waste of time to develop a policy that cannot be implemented because it breaches the law.
Several times in the report the assumption is made that the applicable law and jurisdiction is that of the registrar or registry. There is a growing trend, especially in Europe, to consider that the relevant law and jurisdiction for distance selling should be that of the buyer, especially if the buyer is an individual.
I am also surprised to see that “law enforcement agencies or intellectual property rights holders” are being put on the same level throughout the text, as if a private third party had the same legal and democratic legitimacy as a state agency. It seems quite logical that IP right holders have no more (or less) rights than any other complainant. As such, they should go through the same channel to exercise their rights as any other 3rd party. This also allows groundless and frivolous complaints to be filtered out.
The “special circumstances” proposal is obviously the example of what should not be done. Who gets to decide what constitutes a “concrete and real interest in their personal safety or security that cannot be protected other than by suppressing that public access”? What is the legitimacy of such a body? How does it scale on a worldwide basis? Further, it does not address the need to protect individuals and companies from e-mail spam or phone harassment.
The OPoC proposal seems reasonable with a few adjustments. There should be a possibility for individuals to have an unlisted domain name, just like there are unlisted phone numbers. In such a case, the registrar or ISP could act as the OPoC.
As mentioned in the report, the accuracy of the whois data will improve when it becomes less public and proper checks are made on who requests the data and for what purpose. A code of conduct, as mentioned in the OPoC proposal, is of little value if there are no incentives for it to be effectively enforced. There should be additional measures, like external audits and sanctions for those in breach of the code of conduct (suspension or revocation of the ICANN accreditation for registrars, for example).
The bottom line is that we need a policy that can actually be implemented by registrars. Rather than looking at what we can agree on within the narrow ICANN community, we should be looking at what is realistically feasible within the existing legal frameworks and agree on a common denominator.