Privacy vs availability of data I agreed to write up the discussion of this issue we had in the last telecon. The issue was the tradeoff between privacy protections and having sufficient information available for 1) legal or other official notification 2) resolution of technical problems 3) notification of dispute resolution action I don't think there is any other valid reason to make information available -- please correct me if I am wrong. We discussed two characteristics of individual fields in a record: 1) the level of visibility of a field, and 2) whether the field was required or not. In addition, the discussion hinted around but never actually touched the issue of the availability of aggregated data vs the availability of individual records. Visibility comes in several flavors: Completely visible means anyone can get the data through a widely available interface, without any authorization whatsoever required. Authorized visibility means that that the party that desires to see the data must be identified, and must have also have proper authorization. For example, WIPO would be authorized to see certain fields for resolution of trademark disputes. Fields that are "required" must be filled in before the record will be accepted by the SRS or by the registrar. Fields that are "optional" need not be filled in. There was some discussion of the philosophy of what actually could be "required" or not, given that people can make up things like "technical contact" information. A theory of enlightened self-interest was invoked -- by suitable arrangement of policy it would be in people's best interest to supply information. For example, if a customer does not supply a technical contact, then the policy could be that in case of a verified technical complaint, and absent a reachable technical contact, the domain will be simply shut off. Likewise, in dispute resolution cases, being unreachable to defend yourself would be a serious weakness in your defense, and perhaps cause the domain to be shut off, or for you to lose the domain. Expanding a bit on the above discussion, there are several ways that data might be made available: uncontrolled individual access -- fields available without authorization of any kind required. This means single queries only, through a whois type interface controlled individual access -- same basic access method as above, except that the user must be authenticated and authorized, and can therefore see certain fields that unauthorized individuals cannot see. uncontrolled bulk access -- access to a collection of certain fields across the entire database. Depending on which fields were made available, his kind of access would almost certainly run afoul of privacy laws in certain jurisdictions. Furthermore, the full database is extremely valuable -- millions of dollars, perhaps. controlled bulk access -- access to certain fields from the entire database to "authorized" users. This last kind of access is where most of the difficult issues occur: Who is authorized, and under what justification? Can Kent Crispin sign a form and get a copy of the database? Can Carl Oppedahl? Can Spamford? Can Sonnenschein, Nath, & Rosenthal? Thompson & Thompson? Who makes the decision about who has access? Presuming that there is some form or contract that must be signed to get access: What sanctions are there for unauthorized disclosure? Does CORE charge money for this service? Who is going to develop this form or contract? These are the required fields from the point of view of the ACP proceedings (Chris Gibson): 1. Domain name registered 2. Entity or Individual Registering Domain Name 2a. Applicant (individual or company name) 2b. Postal address 2c. City 2d. State 2e. Postal Code 2f. Country 2g. Country Code 2h: Name, address, fax and email address of designated contact or agent for purposes of notifications of dispute resolution procedures and service of process. [Could this information be held confidentially and be made available only to WIPO or a court in case of a dispute? - CG] [The fax and email address must clearly be optional, since many contacts won't have them - KC] 12. Purpose of Use of Domain Name (optional): 14. Optional 60-day waiting period. 16. Tick box to decline submission to arbitration. I believe the proposal was that - these fields be required before the registration is accepted; - that the registrars are, however, not required to check the validity of the fields; - that 2h would not be visible without "authorization"; - that all other fields are optional, but strongly encouraged via the "enlightened self-interest" model; - that contact information for technical and administrative contact will be visible via whois, but not available in bulk form under any circumstances; - that the billing contact information will not be visible to anyone but CORE and the active registrar. (I have extrapolated a little here.) I believe also that it is probably necessary to explicitly address privacy issues in the registration agreement; and specify which fields will be visible and to what degree, and what conditions must be met for each level of visibility. I have taken a first cut at this below. The agreement probably also needs a disclaimer that says that the privacy of any data supplied cannot be guaranteed. Here's my proposal for appendices B and C. The annotation: "O" means "Optional", "R" means "Required"; "W" means visible with whois, "A" means "Authorized required", "B" means available as authorized bulk data. Note that "uncontrolled bulk access" is not supported for any of these fields... APPENDIX B DATA REQUIRED FOR EACH SECOND LEVEL DOMAIN Complete Domain Name......: -- RWB Entity or Individual Using Domain Name Name..........: -- RWB Postal Address.............: -- RWB City.......................: -- RWB State......................: -- OWB [US specific?] Postal Code................: -- OWB Country ..................: -- RWB Country Code...............: ??? E-mail Address.............: OWB State or Country of Incorporation or Partnership (if applicable)................: OWB Name and Address of a designated agent for service of process where the Registrar is located (Applicant may designate the Registrar).............: RAB Administrative Contact NIC Handle (if known)......: OW (I)ndividual (R)ole........: OW Name.......................: OW Organization Name..........: OW Postal Address.............: OW City.......................: OW State......................: OW Postal Code................: OW Country......................: OW Country Code...............: OW Phone Number...............: OW Fax Number.................: OW E-Mail Address...............: OW Technical Contact NIC Handle (if known)......: OW (I)ndividual (R)ole........: OW Name.......................: OW Organization Name..........: OW Postal Address.............: OW City.......................: OW State......................: OW Postal Code................: OW Country....................: OW Country Code...............: OW Phone Number...............: OW Fax Number.................: OW E-Mail Address..............: OW Primary Name Server Primary Server Hostname....: RW ?B Primary Server Netaddress..: RW ?B Secondary Name Server(s) Secondary Server Hostname..: RW ?B Secondary Server Netaddress: RW ?B APPENDIX C REGISTRATION AGREEMENT AND APPLICATION FORM FOR ASSIGNMENT OF SECOND LEVEL DOMAIN NAME IN A GENERIC TOP LEVEL DOMAIN 1. Pursuant to the terms and conditions of the Memorandum of Understanding on the Generic Top Level Domain Name Space of the Internet Domain Name System ("gTLD-MoU") signed in Geneva on May 1, 1997, as amended, this is a request for registration of the following domain name (provide complete and exact domain name....: 2. Entity or Individual Requesting Registration of Domain Name ("Applicant") 2a. Name................: RWB 2b. Postal Address..: RWB 2c. City...................: RWB 2d. State..................: RWB 2e. Postal Code.......: RWB 2f. Country..............: RWB 2g.Country Code.....: RWB 2h. E-mail Address..: OWB 2g. State or Country of Incorporation or Partnership (if applicable)................: OAB 2h: Name, address, fax and e-mail address of a designated agent for (i) notifications concerning any Administrative Domain Name Challenge Panel ("ACP"), Mediation or Expedited Arbitration procedure to be administered by the WIPO Arbitration and Mediation Center and (ii) service of process where the Registrar is located. Applicant may designate the Registrar.............: RAB 3.Administrative Contact 3a. NIC Handle (if known)......: OW 3b. (I)ndividual (R)ole........: OW 3c. Name.......................: OW 3d. Organization Name..........: OW 3e. Postal Address.............: OW 3f. City.......................: OW 3g. State......................: OW 3h. Postal Code................: OW 3i. Country ..................: OW 3j. Country Code...............: OW 3k. Phone Number...............: OW 3l. Fax Number.................: OW 3m. E-mail Address...............: OW 4.Technical Contact 4a. NIC Handle (if known)......: OW 4b. (I)ndividual (R)ole........: OW 4c. Name.......................: OW 4d. Organization Name..........: OW 4e. Postal Address.............: OW 4f. City.......................: OW 4g. State......................: OW 4h. Postal Code................: OW 4i. Country.................: OW 4j. Country Code...............: OW 4k. Phone Number...............: OW 4l. Fax Number.................: OW 4m. E-mail Address.............: OW 5.Billing Contact 5a. NIC Handle (if known)......: R 5b. (I)ndividual (R)ole........: R 5c. Name.......................: R 5d. Organization Name..........: R 5e. Postal Address.............: R 5f. City.......................: R 5g. State......................: O [US specific?] 5h. Postal Code.............: O 5i. Country....................: R 5j. Country Code...............: ??? 5k. Phone Number...............: O (but strongly encouraged) 5l. Fax Number.................: O 5m. E-Mailbox..................: O (but strongly encouraged) 6. Primary Name Server 6a. Primary Server Hostname....: RW 6b. Primary Server Netaddress..: RW 7. Secondary Name Server(s) 7a. Secondary Server Hostname..: RW 7b. Secondary Server Netaddress: RW 8. Invoice Delivery (E)mail (P)ostal...........: R 9. FEES: An initial charge of __________will be made to register the domain name. This charge covers any updates required during the first ________ years. This application will not be processed unless and until the Registrar has received payment of the initial charge; the application and the CORE fee must be received by the Repository Operator before the registration takes effect. 10. RIGHTS OF THIRD PARTIES: Applicant certifies that, to her/his/its knowledge, the registration and use of the requested domain name does not violate any trademark or other rights of any other party. Applicant will indemnify Registrar, CORE, the Repository Operator, POC and WIPO against, and hold them harmless from, all costs, claims, liabilities and expenses (including attorneys fees) arising out of or in connection with any such violations. 11. INTENT TO USE THE DOMAIN NAME: Applicant affirms that he, she or it has a bona fide intent to use the domain name publicly within 60 days of registration, and to continue such use in the foreseeable future. 12. PURPOSE OF USE OF THE DOMAIN NAME: Applicant intends to use the domain name for the following purpose ............................................................................................................................... 13. REASON FOR REQUESTING THE PARTICULAR DOMAIN NAME: Applicant requests this domain name for the following reason (check one): _____ Conforms to Applicant's name or variation thereof _____ Conforms to Applicant's trademark or variation thereof _____ Other (provide explanation) 14. OPTIONAL 60-DAY WAITING PERIOD: _____ Applicant requests the 60-day waiting period. 15. DISPUTES BETWEEN APPLICANT AND A THIRD PARTY THAT ARE SUBMITTED BY THE THIRD PARTY TO THE ACP PROCEDURE: Applicant acknowledges that, by virtue of the provisions of the gTLD-MoU, any third party may challenge the assignment to, and registration and use by Applicant of the domain name before an Administrative Domain Name Challenge Panel ("ACP") in accordance with the WIPO ACP Rules. Applicant further acknowledges that the decisions of an ACP may determine rights of Applicant and/or other parties with respect to the assignment, registration and use of a particular domain name, and agrees to be bound by the ACP decisions. 16. DISPUTES BETWEEN APPLICANT AND A THIRD PARTY THAT ARE BROUGHT BY THE THIRD PARTY TO MEDIATION AND/OR ARBITRATION: Applicant agrees that any dispute, controversy or claim ("Claim") between Applicant and a third party, arising out of or relating to this application for, and registration and use of, the domain name shall, upon the filing of a Request for Mediation by the third party with the WIPO Center, be submitted to on-line mediation in accordance with the WIPO On-Line Mediation Rules. Applicant further agrees that, to the extent (a) any such Claim has not been settled pursuant to such mediation within 30 days of the commencement of the mediation, or (b) before the expiration of such 30 day period, either party fails to participate or to continue to participate in the mediation, the Claim shall, upon the filing of a Request for Arbitration by the third party, be referred to and finally determined by on-line arbitration in accordance with the WIPO On-Line Expedited Arbitration Rules. Such arbitration procedure shall not be implemented if Applicant declines mandatory submission to arbitration by checking the box below. The language to be used in the mediation or arbitration shall be English, unless the parties agree otherwise. Whether or not the parties decide that an in-person hearing is necessary, the place of arbitration shall be deemed to be, unless the parties agree otherwise, either the location of Applicant as indicated in the Registration Agreement or the location of the Registrar, at the option of the third party. __ Applicant declines mandatory submission to arbitration in the case of Claims referred to in the paragraph above. 17. DISPUTES BETWEEN APPLICANT AND A THIRD PARTY THAT ARE SUBMITTED BY THE THIRD PARTY TO COURT JURISDICTION: Applicant submits to the personal and subject matter jurisdiction and venue of a competent tribunal in the country where the Registrar resides for purposes of any action brought under applicable trademark law, unfair competition laws, or similar/related laws arising out of actual or intended use of the domain name applied for; and Applicant waives all rights to challenge such personal jurisdiction, subject matter jurisdiction and/or venue. 18. DISPUTES BETWEEN APPLICANT AND REGISTRAR AND/OR CORE: Applicant agrees that any dispute, controversy or claim between Applicant and Registrar and/or CORE arising out of or relating to this application or registration made upon this application are to be settled by arbitration in accordance with the WIPO On-Line Expedited Arbitration Rules. Unless otherwise agreed, the arbitral procedure shall be conducted in the English language. Whether or not the parties decide that an in-person hearing is necessary, the place of arbitration shall be deemed to be, unless the parties agree otherwise, the location of the Registrar. Applicant acknowledges that the Registrar and CORE are bound by the decisions and results of the ACP, Mediation and Arbitration procedures administered by the WIPO Arbitration and Mediation Center. 19. LAME DELEGATION: The domain name registration is subject to cancellation for lame delegation. 20. SURVIVAL OF OBLIGATIONS If this application is accepted, all obligations of Applicant pursuant to this application shall survive acceptance of the application and shall remain binding upon Applicant after the registration takes effect. 21. CERTIFICATION Applicant certifies that it has read the above Registration Application Form and completed it truthfully and accurately. Applicant agrees that the registration of the domain name is subject to the provisions of this Registration Application Form, and any other applicable registration conditions as may be established by CORE.