2023-09180. Introduction of Accountable Measures Regarding Access to Personal Information of .us Registrants  

    AGENCY:

    National Telecommunications and Information Administration, Department of Commerce.

    ACTION:

    Request for comments.

    SUMMARY:

    The United States Department of Commerce's (Department) National Telecommunications and Information Administration (NTIA) administers the contract for the country code top-level domain (ccTLD) for the United States, “.us” (usTLD). NTIA seeks input from interested parties on the introduction of accountability measures regarding access to the personal information of usTLD registrants. NTIA's policy goal regarding access to domain registration data is to ensure that the usTLD protects the privacy of its usTLD registrants while also enabling third parties to access usTLD domain registration data for legitimate purposes.

    DATES:

    Submit comments on or before May 31, 2023.

    ADDRESSES:

    You may submit comments, identified by docket number and/or RIN number, by any of the following methods:

    Federal Rulemaking website: Go to https://www.regulations.gov and search for Docket ID NTIA–2023–0006.

    Email comments to: usTLD@ntia.gov.

    Mail comments to: National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue NW, Room 4701, Attn: Susan Chalmers, Washington, DC 20230. Comments submitted by mail may be in hard copy (paper) or electronic (e.g., CD–ROM, disk, or thumb drive).

    FOR FURTHER INFORMATION CONTACT:

    Please direct questions regarding this Notice to Susan Chalmers, Telecommunications Policy Specialist, at the address listed in the ADDRESSES section of this notice by electronic or regular mail as listed above, or by telephone (202) 281–5218. Please direct media inquiries to NTIA's Office of Public Affairs, press@ntia.gov or (202) 482–7002.

    SUPPLEMENTARY INFORMATION:

    The usTLD serves as an online home for American business, individuals, and localities for the benefit of the nation's internet community. NTIA administers the contract governing the operation of the usTLD, the most recent of which was awarded in 2019 to Registry Services, LLC (the Contractor).

    NTIA requires the Contractor to maintain a publicly accessible registration database of usTLD domain name registrations.[1] The Contractor currently provides a WHOIS directory service [2] that allows users to retrieve usTLD domain name registration data directly and without any form of authentication from its comprehensive central usTLD registrant database of real usTLD registrant data.[3] This data includes important contact information: individual names, physical addresses, telephone numbers, and email addresses of all usTLD registrants.

    Historically, NTIA has authorized public access to the usTLD registration data (WHOIS service) permitting internet users to retrieve the usTLD registrant data for legitimate purposes (e.g., law enforcement investigations, consumer protection, cybersecurity research, intellectual property rights protection and enforcement). In addition, the usTLD registrant data is accessible on an anonymous basis. The data (especially the personal information) may be accessed and used for abusive purposes (e.g., to spam, phish, harass, dox, or otherwise cause the registrant harm).[4]

    In response to concerns about the potential for abuse of usTLD registrant data, NTIA is considering a proposal from its Contractor to create an Accountable WHOIS Gateway System (the System) to provide public access to usTLD registrant information. This proposal was created based upon recommendations developed by the usTLD community. Under the Contractor's proposal, the System would be designed to reduce the potential for abuse by eliminating anonymous and unaccountable access to usTLD registrant data. The System would require those seeking access to the usTLD registration data to provide their name, an email address, and to accept the Terms of Service (TOS). The TOS would require the user to agree not to misuse the data. Users would also be required to identify, from a pre-selected list, a legitimate, non-marketing purpose for accessing the information. This list would be developed according to industry best practice in consultation with the usTLD community and approved by NTIA. Unredacted WHOIS data would then automatically be returned in near-real-time to the user via email. Queries would be rejected only if the user did not provide a name and email address or failed to select (or provide) a legitimate purpose and accept the TOS.

    The System would also permit users to identify a legitimate purpose outside of the pre-selected list. The Contractor, using usTLD community-developed and NTIA-approved standards, would manually review these requests and deliver, via email, unredacted data within two (2) business days for any non-abusive purpose unrelated to marketing. The System would also provide a mechanism to expedite emergency requests.

    The Contractor would maintain auditable records of its receipt of and response to WHOIS access requests for personal data, including the number of access requests received and the declared legitimate purposes. The Contractor would also maintain records to audit complaints of technical abuse or TOS violations. These audit records would be made publicly available in fully de-identified and aggregated form for analysis, enabling additional data-driven policy development by NTIA and the usTLD community.

    Non-personal information relating to the domain name would remain available for retrieval via anonymous query. This information includes domain name and ID, registrar WHOIS server, registrar URL, updated date, creation date, registry expiry date, registrar, registrar IANA ID, and registrar abuse contact (email and phone number).

    To address the unique needs of law enforcement and other similarly situated entities, the Contractor would establish a portal for authenticated law enforcement users, which would grant such users near real-time access to personal information. The Contractor would continue to work with law enforcement authorities and others to ensure that investigatory confidentiality and other unique needs with respect to access and confidentiality are fully met.

    Request for Comment

    NTIA seeks public comments regarding the proposed Accountable WHOIS Gateway System (System). Comments that contain references, studies, research, or other empirical evidence or data that are not widely published should include copies of the referenced materials with the submitted comments. While the public is welcome to submit comments regarding the questions below and other issues relating to the proposal, we ask that comments generally be limited to issues regarding access to WHOIS in the usTLD. Specifically, NTIA seeks input on the following questions:

    1. In general, what are your views on the public availability of the usTLD domain name registration data to anonymous users? Has public access by anonymous users to usTLD registration data, especially personal information, resulted in exposing registrants to spam, phishing, doxxing, identity theft and other online/offline harms? If such abuses have occurred, please provide illustrative examples. And, whether or not you are aware of examples of such abuse, do you believe that there is a significant risk of such abuse occurring in the future, if the current system remains unchanged (and if so, why)?

    2. Do you believe the current system of anonymous access to usTLD domain name registration data should remain unchanged? If so, why?

    3. What legitimate purposes for access to usTLD domain name registration data should be included in the System's pre-defined list? Please provide a rationale for each category recommended.

    4. Are there policies and practices developed or employed by other ccTLDs regarding WHOIS access that could be incorporated into the usTLD space? Please be specific in your response.

    5. Should the System distinguish between personal and non-personal registration data, and if so, how?

    6. Should usTLD registrants be notified when their data is accessed through the System? If so, why, when or in what circumstances?

    7. Under what circumstances, if any, should the Contractor require certain requestors to furnish a warrant when requesting access to usTLD registration data?

    8. The Contractor has proposed that the System provide special access to recognized and authenticated law enforcement and similar entities. Please provide feedback on this concept. If this proposal is adopted, how should it work? Are there best practices in other similar situations or other TLDs that could be used for such a special access portal? What steps should be taken, if any, to ensure the confidentiality of law enforcement requests through the System?

    9. What entities in addition to law enforcement, if any, should have special access to usTLD registration data through an authenticated portal? Why?

    10. What accountability and/or enforcement mechanisms should be put in place in the case of breach of the System's TOS by those that access the registration data?

    11. Do you foresee any challenges to implementation of the System, or elements thereof, for example in distinguishing between personal and non-personal registration data, enforcement of System misuse, etc.? If so, how might these challenges be addressed?

    12. Should the Accountable WHOIS Gateway System be offered as an opt-in or opt-out service for current and new usTLD domain name registrants?

    Stephanie Weiner,

    Acting Chief Counsel.

    Footnotes

    2.  A WHOIS directory is a database of all the registered domains in a particular zone. It contains information about the domain name registrant including the registrant contact information such as address, email, phone number, etc.

    3.  Under this proposal privacy and proxy services would remain prohibited under the usTLD as currently required by the .us contract.

    4.   See e.g., Andrew Alleman, Reminder: there's no Whois privacy for .us domain names—Domain Name Wire | Domain Name News at. The Contractor has also received a number of complaints outlining these issues.

    [FR Doc. 2023–09180 Filed 4–28–23; 8:45 am]

    BILLING CODE 3510–60–P

Document Information

Published:
05/01/2023
Department:
National Telecommunications and Information Administration
Entry Type:
Notice
Action:
Request for comments.
Document Number:
2023-09180
Dates:
Submit comments on or before May 31, 2023.
Pages:
26526-26527 (2 pages)
Docket Numbers:
Docket Number: 230412-0099
RINs:
0660-XC05
PDF File:
2023-09180.pdf