Introduction of Accountable Measures Regarding Access to Personal Information of .us Registrants, 26526-26527 [2023-09180]
[Federal Register Volume 88, Number 83 (Monday, May 1, 2023)]
[Notices]
[Pages 26526-26527]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-09180]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Telecommunications and Information Administration
[Docket Number: 230412-0099]
RIN 0660-XC058
Introduction of Accountable Measures Regarding Access to Personal
Information of .us Registrants
AGENCY: National Telecommunications and Information Administration,
Department of Commerce.
ACTION: Request for comments.
-----------------------------------------------------------------------
SUMMARY: The United States Department of Commerce's (Department)
National Telecommunications and Information Administration (NTIA)
administers the contract for the country code top-level domain (ccTLD)
for the United States, ".us" (usTLD). NTIA seeks input from
interested parties on the introduction of accountability measures
regarding access to the personal information of usTLD registrants.
NTIA's policy goal regarding access to domain registration data is to
ensure that the usTLD protects the privacy of its usTLD registrants
while also enabling third parties to access usTLD domain registration
data for legitimate purposes.
DATES: Submit comments on or before May 31, 2023.
ADDRESSES: You may submit comments, identified by docket number and/or
RIN number, by any of the following methods:
Federal Rulemaking website: Go to https://www.regulations.gov and
search for Docket ID NTIA-2023-0006.
Email comments to: usTLD@ntia.gov.
Mail comments to: National Telecommunications and Information
Administration, U.S. Department of Commerce, 1401 Constitution Avenue
NW, Room 4701, Attn: Susan Chalmers, Washington, DC 20230. Comments
submitted by mail may be in hard copy (paper) or electronic (e.g., CD-
ROM, disk, or thumb drive).
FOR FURTHER INFORMATION CONTACT: Please direct questions regarding this
Notice to Susan Chalmers, Telecommunications Policy Specialist, at the
address listed in the ADDRESSES section of this notice by electronic or
regular mail as listed above, or by telephone (202) 281-5218. Please
direct media inquiries to NTIA's Office of Public Affairs,
press@ntia.gov or (202) 482-7002.
SUPPLEMENTARY INFORMATION: The usTLD serves as an online home for
American business, individuals, and localities for the benefit of the
nation's internet community. NTIA administers the contract governing
the operation of the usTLD, the most recent of which was awarded in
2019 to Registry Services, LLC (the Contractor).
NTIA requires the Contractor to maintain a publicly accessible
registration database of usTLD domain name registrations.\1\ The
Contractor currently provides a WHOIS directory service \2\ that allows
users to retrieve usTLD domain name registration data directly and
without any form of authentication from its comprehensive central usTLD
registrant database of real usTLD registrant data.\3\ This data
includes important contact information: individual names, physical
addresses, telephone numbers, and email addresses of all usTLD
registrants.
---------------------------------------------------------------------------
\1\ .us Contract, C.4.2(iv), page 11, available at: https://ntia.gov/files/ntia/publications/us_contract_june_28_2019.pdf.
\2\ A WHOIS directory is a database of all the registered
domains in a particular zone. It contains information about the
domain name registrant including the registrant contact information
such as address, email, phone number, etc.
\3\ Under this proposal privacy and proxy services would remain
prohibited under the usTLD as currently required by the .us
contract.
---------------------------------------------------------------------------
Historically, NTIA has authorized public access to the usTLD
registration data (WHOIS service) permitting internet users to retrieve
the usTLD registrant data for legitimate purposes (e.g., law
enforcement investigations, consumer protection, cybersecurity
research, intellectual property rights protection and enforcement). In
addition, the usTLD registrant data is accessible on an anonymous
basis. The data (especially the personal information) may be accessed
and used for abusive purposes (e.g., to spam, phish, harass, dox, or
otherwise cause the registrant harm).\4\
---------------------------------------------------------------------------
\4\ See e.g., Andrew Alleman, Reminder: there's no Whois privacy
for .us domain names--Domain Name Wire | Domain Name Newsat.
The Contractor has also received a number of complaints outlining
these issues.
---------------------------------------------------------------------------
In response to concerns about the potential for abuse of usTLD
registrant data, NTIA is considering a proposal from its Contractor to
create an Accountable WHOIS Gateway System (the System) to provide
public access to usTLD registrant information. This proposal was
created based upon recommendations developed by the usTLD community.
Under the Contractor's proposal, the System would be designed to reduce
the potential for abuse by eliminating anonymous and unaccountable
access to usTLD registrant data. The System would require those seeking
access to the usTLD registration data to provide their name, an email
address, and to accept the Terms of Service (TOS). The TOS would
require the user to agree not to misuse the data. Users would also be
required to identify, from a pre-selected list, a legitimate, non-
marketing purpose for accessing the information. This list would be
developed according to industry best practice in consultation with the
usTLD community and approved by NTIA. Unredacted WHOIS data would then
automatically be returned in near-real-time to the user via email.
Queries would be rejected only if the user did not provide a name and
email address or failed to select (or provide) a legitimate purpose and
accept the TOS.
The System would also permit users to identify a legitimate purpose
outside of the pre-selected list. The Contractor, using usTLD community-
developed and NTIA-approved standards, would manually review these
requests and deliver, via email, unredacted data within two (2)
business days for any non-abusive purpose unrelated to
marketing. The System would also provide a mechanism to expedite
emergency requests.
The Contractor would maintain auditable records of its receipt of
and response to WHOIS access requests for personal data, including the
number of access requests received, and the declared legitimate
purposes. The Contractor would also maintain records to audit
complaints of technical abuse or TOS violations. These audit records
would be made publicly available in fully de-identified and aggregated
form for analysis, enabling additional data-driven policy development
by NTIA and the usTLD community.
Non-personal information relating to the domain name would remain
available for retrieval via anonymous query. This information includes
domain name and ID, registrar WHOIS server, registrar URL, updated
date, creation date, registry expiry date, registrar, registrar IANA
ID, and registrar abuse contact (email and phone number).
To address the unique needs of law enforcement and other similarly
situated entities, the Contractor would establish a portal for
authenticated law enforcement users, which would grant such users near
real-time access to personal information. The Contractor would continue
to work with law enforcement authorities and others to ensure that
investigatory confidentiality and other unique needs with respect to
access and confidentiality are fully met.
Request for Comment
NTIA seeks public comments regarding the proposed Accountable WHOIS
Gateway System (System). Comments that contain references, studies,
research, or other empirical evidence or data that are not widely
published should include copies of the referenced materials with the
submitted comments. While the public is welcome to submit comments
regarding the questions below and other issues relating to the
proposal, we ask that comments generally be limited to issues regarding
access to WHOIS in the usTLD. Specifically, NTIA seeks input on the
following questions:
1. In general, what are your views on the public availability of
the usTLD domain name registration data to anonymous users? Has public
access by anonymous users to usTLD registration data, especially
personal information, resulted in exposing registrants to spam,
phishing, doxxing, identity theft and other online/offline harms? If
such abuses have occurred, please provide illustrative examples. And,
whether or not you are aware of examples of such abuse, do you believe
that there is a significant risk of such abuse occurring in the future,
if the current system remains unchanged (and if so, why)?
2. Do you believe the current system of anonymous access to usTLD
domain name registration data should remain unchanged? If so, why?
3. What legitimate purposes for access to usTLD domain name
registration data should be included in the System's pre-defined list?
Please provide a rationale for each category recommended.
4. Are there policies and practices developed or employed by other
ccTLDs regarding WHOIS access that could be incorporated into the usTLD
space? Please be specific in your response.
5. Should the System distinguish between personal and non-personal
registration data, and if so, how?
6. Should usTLD registrants be notified when their data is accessed
through the System? If so, why, when or in what circumstances?
7. Under what circumstances, if any, should the Contractor require
certain requestors to furnish a warrant when requesting access to usTLD
registration data?
8. The Contractor has proposed that the System provide special
access to recognized and authenticated law enforcement and similar
entities. Please provide feedback on this concept. If this proposal is
adopted, how should it work? Are there best practices in other similar
situations or other TLDs that could be used for such a special access
portal? What steps should be taken, if any, to ensure the
confidentiality of law enforcement requests through the System?
9. What entities in addition to law enforcement, if any, should
have special access to usTLD registration data through an authenticated
portal? Why?
10. What accountability and/or enforcement mechanisms should be put
in place in the case of breach of the System's TOS by those that access
the registration data?
11. Do you foresee any challenges to implementation of the System,
or elements thereof, for example in distinguishing between personal and
non-personal registration data, enforcement of System misuse, etc.? If
so, how might these challenges be addressed?
12. Should the Accountable WHOIS Gateway System be offered as an
opt-in or opt-out service for current and new usTLD domain name
registrants?
Stephanie Weiner,
Acting Chief Counsel.
[FR Doc. 2023-09180 Filed 4-28-23; 8:45 am]
BILLING CODE 3510-60-P