[Federal Register Volume 88, Number 83 (Monday, May 1, 2023)]
[Notices]
[Pages 26526-26527]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-09180]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Telecommunications and Information Administration

[Docket Number: 230412-0099]
RIN 0660-XC058


Introduction of Accountable Measures Regarding Access to Personal 
Information of .us Registrants

AGENCY: National Telecommunications and Information Administration, 
Department of Commerce.

ACTION: Request for comments.

-----------------------------------------------------------------------

SUMMARY: The United States Department of Commerce's (Department) 
National Telecommunications and Information Administration (NTIA) 
administers the contract for the country code top-level domain (ccTLD) 
for the United States, ``.us'' (usTLD). NTIA seeks input from 
interested parties on the introduction of accountability measures 
regarding access to the personal information of usTLD registrants. 
NTIA's policy goal regarding access to domain registration data is to 
ensure that the usTLD protects the privacy of its usTLD registrants 
while also enabling third parties to access usTLD domain registration 
data for legitimate purposes.

DATES: Submit comments on or before May 31, 2023.

ADDRESSES: You may submit comments, identified by docket number and/or 
RIN number, by any of the following methods:
    Federal Rulemaking website: Go to https://www.regulations.gov and 
search for Docket ID NTIA-2023-0006.
    Email comments to: [email protected].
    Mail comments to: National Telecommunications and Information 
Administration, U.S. Department of Commerce, 1401 Constitution Avenue 
NW, Room 4701, Attn: Susan Chalmers, Washington, DC 20230. Comments 
submitted by mail may be in hard copy (paper) or electronic (e.g., CD-
ROM, disk, or thumb drive).

FOR FURTHER INFORMATION CONTACT: Please direct questions regarding this 
Notice to Susan Chalmers, Telecommunications Policy Specialist, at the 
address listed in the ADDRESSES section of this notice by electronic or 
regular mail as listed above, or by telephone (202) 281-5218. Please 
direct media inquiries to NTIA's Office of Public Affairs, 
[email protected] or (202) 482-7002.

SUPPLEMENTARY INFORMATION: The usTLD serves as an online home for 
American business, individuals, and localities for the benefit of the 
nation's internet community. NTIA administers the contract governing 
the operation of the usTLD, the most recent of which was awarded in 
2019 to Registry Services, LLC (the Contractor).
    NTIA requires the Contractor to maintain a publicly accessible 
registration database of usTLD domain name registrations.\1\ The 
Contractor currently provides a WHOIS directory service \2\ that allows 
users to retrieve usTLD domain name registration data directly and 
without any form of authentication from its comprehensive central usTLD 
registrant database of real usTLD registrant data.\3\ This data 
includes important contact information: individual names, physical 
addresses, telephone numbers, and email addresses of all usTLD 
registrants.
---------------------------------------------------------------------------

    \1\ .us Contract, C.4.2(iv), page 11, available at: https://ntia.gov/files/ntia/publications/us_contract_june_28_2019.pdf.
    \2\ A WHOIS directory is a database of all the registered 
domains in a particular zone. It contains information about the 
domain name registrant including the registrant contact information 
such as address, email, phone number, etc.
    \3\ Under this proposal privacy and proxy services would remain 
prohibited under the usTLD as currently required by the .us 
contract.
---------------------------------------------------------------------------

    Historically, NTIA has authorized public access to the usTLD 
registration data (WHOIS service) permitting internet users to retrieve 
the usTLD registrant data for legitimate purposes (e.g., law 
enforcement investigations, consumer protection, cybersecurity 
research, intellectual property rights protection and enforcement). In 
addition, the usTLD registrant data is accessible on an anonymous 
basis. The data (especially the personal information) may be accessed 
and used for abusive purposes (e.g., to spam, phish, harass, dox, or 
otherwise cause the registrant harm).\4\
---------------------------------------------------------------------------

    \4\ See e.g., Andrew Alleman, Reminder: there's no Whois privacy 
for .us domain names--Domain Name Wire [verbar] Domain Name Newsat. 
The Contractor has also received a number of complaints outlining 
these issues.
---------------------------------------------------------------------------

    In response to concerns about the potential for abuse of usTLD 
registrant data, NTIA is considering a proposal from its Contractor to 
create an Accountable WHOIS Gateway System (the System) to provide 
public access to usTLD registrant information. This proposal was 
created based upon recommendations developed by the usTLD community. 
Under the Contractor's proposal, the System would be designed to reduce 
the potential for abuse by eliminating anonymous and unaccountable 
access to usTLD registrant data. The System would require those seeking 
access to the usTLD registration data to provide their name, an email 
address, and to accept the Terms of Service (TOS). The TOS would 
require the user to agree not to misuse the data. Users would also be 
required to identify, from a pre-selected list, a legitimate, non-
marketing purpose for accessing the information. This list would be 
developed according to industry best practice in consultation with the 
usTLD community and approved by NTIA. Unredacted WHOIS data would then 
automatically be returned in near-real-time to the user via email. 
Queries would be rejected only if the user did not provide a name and 
email address or failed to select (or provide) a legitimate purpose and 
accept the TOS.
    The System would also permit users to identify a legitimate purpose 
outside of the pre-selected list. The Contractor using usTLD community 
developed and NTIA approved standards would manually review these 
requests and deliver, via email, unredacted data within two (2) 
business days for any non-abusive purpose unrelated to

[[Page 26527]]

marketing. The System would also provide a mechanism to expedite 
emergency requests.
    The Contractor would maintain auditable records of its receipt of 
and response to WHOIS access requests for personal data, including the 
number of access requests received, and the declared legitimate 
purposes. The Contractor would also maintain records to audit 
complaints of technical abuse or TOS violations. These audit records 
would be made publicly available in fully de-identified and aggregated 
form for analysis, enabling additional data driven policy development 
by NTIA and the usTLD community.
    Non-personal information relating to the domain name would remain 
available for retrieval via anonymous query. This information includes 
domain name and ID, registrar WHOIS server, registrar URL, updated 
date, creation date, registry expiry date, registrar, registrar IANA 
ID, and registrar abuse contact (email and phone number).
    To address the unique needs of law enforcement and other similarly 
situated entities, the Contractor would establish a portal for 
authenticated law enforcement users, which would grant such users near 
real-time access to personal information. The Contractor would continue 
to work with law enforcement authorities and others to ensure that 
investigatory confidentiality and unique other needs with respect to 
access and confidentiality are fully met.

Request for Comment

    NTIA seeks public comments regarding the proposed Accountable WHOIS 
Gateway System (System). Comments that contain references, studies, 
research, or other empirical evidence or data that are not widely 
published should include copies of the referenced materials with the 
submitted comments. While the public is welcome to submit comments 
regarding the questions below and other issues relating to the 
proposal, we ask that comments generally be limited to issues regarding 
access to WHOIS in the usTLD. Specifically, NTIA seeks input on the 
following questions:
    1. In general, what are your views on the public availability of 
the usTLD domain name registration data to anonymous users? Has public 
access by anonymous users to usTLD registration data, especially 
personal information, resulted in exposing registrants to spam, 
phishing, doxxing, identity theft and other online/offline harms? If 
such abuses have occurred, please provide illustrative examples. And, 
whether or not you are aware of examples of such abuse, do you believe 
that there is a significant risk of such abuse occurring in the future, 
if the current system remains unchanged (and if so, why)?
    2. Do you believe the current system of anonymous access to usTLD 
domain name registration data should remain unchanged? If so, why?
    3. What legitimate purposes for access to usTLD domain name 
registration data should be included in the System's pre-defined list? 
Please provide a rationale for each category recommended.
    4. Are there policies and practices developed or employed by other 
ccTLDs regarding WHOIS access that could be incorporated into the usTLD 
space? Please be specific in your response.
    5. Should the System distinguish between personal and non-personal 
registration data, and if so, how?
    6. Should usTLD registrants be notified when their data is accessed 
through the System? If so, why, when or in what circumstances?
    7. Under what circumstances, if any, should the Contractor require 
certain requestors to furnish a warrant when requesting access to usTLD 
registration data?
    8. The Contractor has proposed that the System provide special 
access to recognized and authenticated law enforcement and similar 
entities. Please provide feedback on this concept. If this proposal is 
adopted, how should it work? Are there best practices in other similar 
situations or other TLDs that could be used for such a special access 
portal? What steps should be taken, if any, to ensure the 
confidentiality of law enforcement requests through the System?
    9. What entities in addition to law enforcement, if any, should 
have special access to usTLD registration data through an authenticated 
portal? Why?
    10. What accountability and/or enforcement mechanisms should be put 
in place in the case of breach of the System's TOS by those that access 
the registration data?
    11. Do you foresee any challenges to implementation of the System, 
or elements thereof, for example in distinguishing between personal and 
non-personal registration data, enforcement of System misuse, etc? If 
so, how might these challenges be addressed?
    12. Should the Accountable WHOIS Gateway System be offered as an 
opt-in or opt-out service for current and new usTLD domain name 
registrants?

Stephanie Weiner,
Acting Chief Counsel.
[FR Doc. 2023-09180 Filed 4-28-23; 8:45 am]
BILLING CODE 3510-60-P