[gnso-dow123] Current registrar obligation with respect to WHOIS notification and its shortfall
Hello All,
I have been reviewing the data collected by Maria on the various terms
and conditions of each domain name agreement offered by registrars.
It is important to note that registrars don't actually "sell" domain
names.
Registrars enter into an agreement with Registered Name Holders, where
the registrar provides a service to register a domain name in a
registry, and the Registered Name Holder has a right to use that name
for a period of time. The Registered Name Holder is effectively paying
for a service rather than a name. Thus all Registered Name Holders
should choose the right "service" for their needs, and the service is
defined by the terms and conditions of the agreement.
The terms and conditions of the agreement may allow a registrar to sell
the personal data for a profit.
So:
(1) A registrar MUST provide a WHOIS service where personal data that is
collected is publicly displayed.
(2) A registrar has an obligation to collect certain information from
the registrant.
(3) A Registered Name Holder must provide accurate and reliable contact
details.
(4) A Registrar must inform the Registered Name Holder of the purposes for
which Personal Data is collected (clause 3.7.7.4.1), as well as the
intended recipients of the data (clause 3.7.7.4.3).
There is a relationship between the above requirements, but note that a
Registrar may collect data for purposes OTHER THAN defined in (1) and
(2) above.
When you look at the terms and conditions of the registrar agreements
with respect to requirement (4), the existence of (1) is often not
specifically defined - and in some cases is not included at all.
E.g. a registrar may say that they collect the data for purposes of
contacting the Registered Name Holder with respect to the Name, but not
mention that all the data is made publicly available via the WHOIS
service.
It would seem that at least with respect to requirements (1) and (2)
above, that item (4) should require the registrar to explicitly include
information on (1) and (2).
Some registrars do explicitly mention the WHOIS service in their terms
and conditions (this is typically the larger registrars),
E.g. "ICANN requires "registrar" to make certain information available to
the public. This information is made public via an interactive web
pages and a "port-43" WHOIS service."
but others are more general or even wrong - e.g.
"registrar will not share information with a third party either for free
or by selling it"
I note that the proposed recommendation 1 of the WHOIS task force
recommendation is roughly equivalent to the existing 3.7.7.4.2.
An improvement may be to change it to read:
"Registrars must ensure that disclosures regarding the availability of
personal data via the WHOIS service for public access be presented to
registrants during the registration process."
This makes it much more explicit that information may be available for
free public access via WHOIS. In some of the terms and conditions
collected by Maria this is not clear.
Regards
Bruce