Access to Registrars' Data

Thomas Roessler <roessler@does-not-exist.org>
August 21, 2002

Access to registrars' data about domain name registrations is controlled by the Registrar Accreditation Agreement (RAA). This agreement is available in two versions from November 1999 (applicable to registrars accredited only for .com, .net, .org), and from May 2001 (applicable to registrars in .biz, .info, .name, and to electing registrars in .com, .net, .org). The rules on public access to these data can be found in section 3.3 (II.F) of the respective agreements.

Query-based Access

Availability of Data

Section 3.3.1 (II.F.1) of the RAA obligates registrars to provide, at their own expense, and to the public, web-based and port 43 query access to up-to-date (i.e., updated at least daily) data concerning all active Registered Names sponsored by Registrar for each TLD in which it is accredited.

Data elements

The name of the registered domain (3.3.1.1; II.F.1.a)
The names [old agreement: also the IP addresses] of the domain's name servers (3.3.1.2; II.F.1.b, II.F.1.c)
The identity of the sponsoring registrar (3.3.1.3; II.F.1.d)
The original creation date of the registration (3.3.1.4; II.F.1.e)
The expiration date of ther registration (3.3.1.5; II.F.1.f)
The name and postal address of the registrant (3.3.1.6, II.F.1.g)
The name, postal address, e-mail address, voice telephone number, and fax number of the technical contact (3.3.1.7, II.F.1.h)
The same data of the administrative contact (3.3.1.8, II.F.1.i)

The agreement contains a provision which allows appendices for specific TLDs to modify this list of requirements; no of the existing TLD-specific appendices make any use of that provision.

Use of WHOIS data

Section 3.3.5 (II.F.5) of the RAA determines the possible use of the data made available through query-based whois. This is expressed in terms of restrictions registrars may (or rather, may not) impose on data recipients.
Registrars may impose no restrictions besides those explicitly listed in the accreditation agreement or determined by an ICANN policy; until today, no such policy exists.
WHOIS data obtained by query-based WHOIS access may be used for any lawful purpose, with two exceptions:

Spamming. The 1999 RAA explicitly forbids use of WHOIS data for e-mail spam in this section, while the 2001 agreement also mentions telephone or facsimile advertising. Also, the 2001 agreement permits use of data for such solicitations to data recipient's own customers.
Automated high-volume processes which affect registry or registrar systems. The 1999 agreement only talks about Registrar (or its systems); this is generalized in the 2001 agreement.

Cross-registrar WHOIS / centralized database

Section 3.3.4 (II.F.4) of the RAA contains an obligation to registrars to cooperate in the establishment of a distributed, cross-registrar query-based WHOIS. Alternatively - if the Whois service implemented by registrars does not in a reasonable time provide reasonably robust, reliable, and convenient access to accurate and up-to-date data - it is the registrar's obligation to supply data from its database to facilitate the development of a centralized Whois database for the purpose of providing comprehensive Registrar Whois search capability.

Bulk Access

Availability of Data

Section 3.3.6 (II.F.6) imposes the additional obligation on registrars to make the same data subject to query-based access available in bulk. Bulk data are made accessible for download at least once per week (3.3.6.1; II.F.6.a), for an annual fee of at most USD 10,000 (3.3.6.2; II.F.6.b).

Use of Bulk Data

Paragraphs 3.3.6.3-3.3.6.5 (II.F.6.c-II.F.6.e) of the RAA describe the contents of registrars' access agreements. There are both conditions the registrar shall impose on data users, and conditions the registrar may impose on data users. This implies that registrars may not impose any other conditions on the use of bulk WHOIS data.
The effectiveness of these provisions is, however, limited by section 3.3.7 (II.F.7) of the RAA until the earlier of either establishment of a new ICANN policy on bulk access to WHOIS data, or demonstration, to the satisfaction of the United States Department of Commerce, that no individual or entity is able to exercise market power with respect to registrations or with respect to registration data used for development of value-added products and services by third parties.

The possible provisions of registrars' bulk access agreements are these:

Data may not be used for spamming. Paragraph 3.3.6.3 of the 2001 RAA includes e-mail, telephone and telefax, and has an exception for existing customers of the data recipient, while section II.F.6.c of the 1999 RAA is limited to e-mail; note the analogy to the restrictions on the use of WHOIS data obtained through the query-based access.This provision is mandatory (shall require) and not at the registrar's discretion.
Data may not be used for high-volume processes which affect registry or registrar systems. This is an optional provision (may require) in section II.F.6.d of the 1999 RAA, and a mandatory provision (shall require) in section 3.3.6.4 of the 2001 RAA. Note that the 1999 RAA's language is restricted to Registrar (or its systems), analogously to the provisions concerning the use of WHOIS data obtained from the query-based access, while the 2001 language is generalized.
Registrars may forbid the further sale and distribution of bulk WHOIS data by data recipients. Registrars may not forbid that data recipients use (sell, distribute) the data as part of value-added services and products. However, registrars may demand that these products and services do not permit the extraction of a substantial portion of the bulk data. (3.3.6.5, II.F.6.e)

Opt-out Provision

Section 3.3.6.6 (II.F.6.f) of the RAA provides that registrars may establish an opt-out policy; note that this is not mandatory. This opt-out policy - if established - is limited to individual domain name holders, and it only covers bulk acess for marketing purposes (except spamming, which is forbidden anyway - see above). The opt-out cannot be limited to third parties' marketing use of registration data: If registrants opt out of marketing use, Registrar may not use such data subject to opt-out for marketing purposes in its own value-added product or service.
It should be noted that this provision is stated as an explicit allowance to registrars. This implies that registrars may not establish any other policies with respect to the availability of WHOIS data. WHOIS data provided for bulk access (and supposed to be used for any non-marketing purpose) must be complete.

Information for Registrants

Section 3.7.7.4 (II.J.7.b) contains registrars' obligation to inform registrants about the purposes and intended recipients (or categories of recipients) of any personal data collected from the registrant. Personal data are defined, in section 1.6 (I.G) of the agreement, as data about any identified or identifiable natural person.