From: Bruce Tonkin 
Sent: Saturday, 28 June 2003 9:49 AM
To: jo.lim@auda.org.au
Subject: Regarding WHOIS policy review

Hello Jo,

* how much data should be disclosed on WHOIS?

The registrant email address should no longer be displayed publicly (see also
submissions by Dirk Hunter and Simon Job).
The registrant email address can be used for unsolicited marketing messages targeted
at selling domain name services (registration and renewal) and related services (e.g.
web hosting, email services).  I have attached a presentation that was used for the
ICANN conference that covers some of the issues associated with email addresses being
readily available.  (Note: I expect ICANN will put it on its website soon.)

WHOIS Registrar Experiences - powerpoint presentation

* is the WHOIS query limit (20 per hour) appropriate?

I think this is reasonable, although the central registry should attempt to correlate
long term data mining (e.g. 20 per hour over a several month period).

* should bulk access to WHOIS data be permitted in certain circumstances?

No, there are other solutions to meet most of the circumstances above.  For example,
in a UDRP dispute that is lodged, auDA could itself have access to a tool to check for
multiple registrations by a single registrant as evidence of bad faith registration and
provide this as evidence to the UDRP dispute.  Once bulk access to WHOIS data is
provided, it can be hard to police what happens to it over the longer term.  Many
organisations are still working off the bulk WHOIS data that was obtained a couple of
years ago due to various security breaches, and this information seems to have been
widely circulated in the industry.  Law enforcement uses should be dealt with via
specific request to auDA, rather than the provision of WHOIS data cross referencing
that may invade the privacy of registrants.

Contact of registrant
===============

The public WHOIS service should be used to:
- identify the legal holder of the domain name licence
- identify the nameservers associated with the domain name
- identify the registrar associated with the domain name
- identify the technical contact associated with the domain name

The circumstances where a registrant would need to be contacted include:
- to authorise a transfer (the information is available from the registry given the
  correct domain name password)
- to contact the registrant for a technical problem, the following should be used in
  order of priority:
    - the technical contact email address
    - the technical contact associated with a nameserver
    - the registrar
- to contact the registrant regarding a legal issue (the registrar should be contacted)

In most cases the registrant will be able to be contacted using information on the
registrant's website, in the company database (for companies), and in the telephone
book (for individual registrants).  Note most technical issues surrounding a domain
name are in the control of the web hosting provider or ISP rather than the registrant
directly.

I recommend that auDA trial removing the registrant email address, and then examine
solutions for any of the scenarios when a registrant needs to be contacted that are in
addition to the ones already covered above.  The registrar can act as the final form
of contact (and hence be able to restrict the amount of spam etc. that is sent to the
registrant), where other contact methods fail.  There are various techniques for
managing such contact by a registrar (e.g. a registrar could automate the solution
using one time use email addresses, that make automated spam solutions difficult, or
the information could be displayed via a webpage as an image instead of machine
readable text).  (see also submission by Simon Job).

auDA could work with the registry and registrars to examine various technical
solutions to ensure that the email address is not publicly available, but that those
that have a legitimate need for the address can be accommodated.  The above puts the
control with the registrant so that the registrant can control the amount of contact
information displayed via their website (see Tim Carroll submission).

Regards,
Bruce Tonkin
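
The long-term correlation suggested in the email for the 20-per-hour query limit, as an added example that is not part of the original submission and not code from auDA or any registry. It assumes the registry logs one (client, timestamp) pair per WHOIS query and identifies clients by source address; the thresholds, function names and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HOURLY_LIMIT = 20  # per-hour WHOIS cap discussed in the email

def summarize(events):
    """events: iterable of (client, datetime). Returns per-client statistics."""
    per_hour = defaultdict(lambda: defaultdict(int))
    for client, ts in events:
        per_hour[client][ts.replace(minute=0, second=0, microsecond=0)] += 1
    stats = {}
    for client, hours in per_hour.items():
        days = {h.date() for h in hours}
        stats[client] = {
            "total": sum(hours.values()),
            "active_days": len(days),
            "span_days": (max(days) - min(days)).days + 1,
            "peak_hour": max(hours.values()),
        }
    return stats

def long_term_miners(events, min_span_days=60, min_total=5000):
    """Clients the hourly limiter never trips on, but whose volume over a
    long span looks like harvesting. Thresholds are assumed, not auDA policy."""
    return sorted(
        c for c, s in summarize(events).items()
        if s["peak_hour"] <= HOURLY_LIMIT
        and s["span_days"] >= min_span_days
        and s["total"] >= min_total
    )

def sample_events():
    """Constructed log: a slow harvester, an occasional user, a one-off burst."""
    start, ev = datetime(2003, 1, 1), []
    for d in range(90):
        day = start + timedelta(days=d)
        for h in range(9, 17):  # 19 queries/hour, 8 hours/day, for 90 days
            ev += [("198.51.100.7", day + timedelta(hours=h, minutes=3 * i))
                   for i in range(19)]
        if d % 7 == 0:          # 3 lookups once a week
            ev += [("203.0.113.5", day + timedelta(hours=10, minutes=i))
                   for i in range(3)]
    # a single hour exactly at the cap, never repeated
    ev += [("192.0.2.9", start + timedelta(hours=14, minutes=i)) for i in range(20)]
    return ev

if __name__ == "__main__":
    for client in long_term_miners(sample_events()):
        print(client, summarize(sample_events())[client])
```

Only the client that stays just under the cap for months is reported; the weekly user spans a similar period but with negligible volume, and the one-hour burst is already bounded by the hourly limit.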