Access to Registrars' Data
Thomas Roessler <roessler@does-not-exist.org>
August 21, 2002
Access to registrars' data about domain name registrations is controlled
by the Registrar Accreditation Agreement (RAA). This agreement is available
in two versions from November
1999 (applicable to registrars accredited only for .com, .net, .org),
and from May 2001
(applicable to registrars in .biz, .info, .name, and to electing registrars
in .com, .net, .org). The rules on public access to these data can be found
in section 3.3
(II.F)
of the respective agreements.
Query-based Access
Availability of Data
Section 3.3.1
(II.F.1)
of the RAA obligates registrars to provide, at their own expense, and to the
public, web-based and port 43 query access
to up-to-date (i.e., updated at
least daily) data concerning all active Registered Names sponsored
by Registrar for each TLD in which it is accredited.
Data elements
The agreement contains a provision which allows appendices for specific
TLDs to modify this list of requirements; no of the existing TLD-specific
appendices make any use of that provision.
Use of WHOIS data
Section 3.3.5
(II.F.5)
of the RAA determines the possible use of the data made available through
query-based whois. This is expressed in terms of restrictions registrars
may (or rather, may not) impose on data recipients.
Registrars may impose no restrictions
besides those explicitly listed in the accreditation agreement or determined
by an ICANN policy; until today, no such policy exists.
WHOIS data obtained by query-based WHOIS access may be used for any lawful purpose, with two exceptions:
- Spamming. The 1999 RAA explicitly forbids use of WHOIS data for
e-mail spam in this section, while the 2001 agreement also mentions telephone
or facsimile advertising. Also, the 2001 agreement permits use of data
for such solicitations to data recipient's own customers.
- Automated high-volume processes which affect registry or registrar
systems. The 1999 agreement only talks about Registrar (or its systems); this is generalized
in the 2001 agreement.
Cross-registrar WHOIS / centralized database
Section 3.3.4
(II.F.4)
of the RAA contains an obligation to registrars to cooperate in the establishment
of a distributed, cross-registrar query-based WHOIS. Alternatively - if the Whois service implemented by
registrars does not in a reasonable time provide reasonably robust, reliable,
and convenient access to accurate and up-to-date data - it
is the registrar's obligation to supply data from its database to facilitate the development of a centralized
Whois database for the purpose of providing comprehensive Registrar Whois
search capability.
Bulk Access
Availability of Data
Section 3.3.6
(II.F.6)
imposes the additional obligation on registrars to make the same data subject
to query-based access available in bulk. Bulk data are made accessible for
download at least once per week (3.3.6.1;
II.F.6.a),
for an annual fee of at most USD 10,000 (3.3.6.2;
II.F.6.b).
Use of Bulk Data
Paragraphs 3.3.6.3-3.3.6.5
(II.F.6.c-II.F.6.e)
of the RAA describe the contents of registrars' access agreements. There
are both conditions the registrar shall
impose on data users, and conditions the registrar may impose on data users. This implies
that registrars may not impose any other conditions on the use of bulk WHOIS
data.
The effectiveness of these provisions is, however, limited by section 3.3.7
(II.F.7)
of the RAA until the earlier of either establishment of a new ICANN policy
on bulk access to WHOIS data, or demonstration,
to the satisfaction of the United States Department of Commerce, that no
individual or entity is able to exercise market power with respect to registrations
or with respect to registration data used for development of value-added
products and services by third parties.
The possible provisions of registrars' bulk access agreements are these:
- Data may not be used for spamming. Paragraph 3.3.6.3
of the 2001 RAA includes e-mail, telephone and telefax, and has an exception
for existing customers of the data recipient, while section II.F.6.c
of the 1999 RAA is limited to e-mail; note the analogy to the restrictions
on the use of WHOIS data obtained through the query-based access.This provision
is mandatory (shall require) and
not at the registrar's discretion.
- Data may not be used for high-volume processes which affect registry
or registrar systems. This is an optional provision (may require) in section II.F.6.d
of the 1999 RAA, and a mandatory provision (shall require) in section 3.3.6.4
of the 2001 RAA. Note that the 1999 RAA's language is restricted to Registrar (or its systems), analogously
to the provisions concerning the use of WHOIS data obtained from the query-based
access, while the 2001 language is generalized.
- Registrars may forbid the
further sale and distribution of bulk WHOIS data by data recipients. Registrars
may not forbid that data recipients
use (sell, distribute) the data as part of value-added services and products.
However, registrars may demand
that these products and services do not permit the extraction of a substantial portion of the bulk data.
(3.3.6.5,
II.F.6.e)
Opt-out Provision
Section 3.3.6.6
(II.F.6.f)
of the RAA provides that registrars may
establish an opt-out policy; note that this is not mandatory. This opt-out
policy - if established - is limited to individual domain name holders, and
it only covers bulk acess for marketing
purposes (except spamming, which is forbidden anyway - see above).
The opt-out cannot be limited to third parties' marketing use of registration
data: If registrants opt out of marketing use, Registrar may not use such data subject
to opt-out for marketing purposes in its own value-added product
or service.
It should be noted that this provision is stated as an explicit allowance
to registrars. This implies that registrars may not establish any other policies with
respect to the availability of WHOIS data. WHOIS data provided for
bulk access (and supposed to be used for any non-marketing purpose) must be complete.
Information for Registrants
Section 3.7.7.4
(II.J.7.b)
contains registrars' obligation to inform registrants about the purposes and
intended recipients (or categories of recipients) of any personal data collected
from the registrant. Personal data are defined, in section 1.6
(I.G)
of the agreement, as data about any identified
or identifiable natural person.