Two controversial issues which were on the agenda of the Montreal ICANN meetings creating some irritation: the way of planning to create a country code support organization (ccNSO), and the discussions around the purpose and operation of WHOIS—the database of registrants of domains.

Without going into the history of the ccTLDs withdrawing from their former role within the DNSO and moving towards a self organized structure, there is an obvious conflict revolving around the term “binding” that ICANN and the GAC want to see in defining the ccNSO. One European ccTLD manager put it bluntly: “We are not under the law of California!”

ccTLD administrators work under the responsibility of the laws of their respective countries, and are responsible, first of all, to their local internet communities. Apart from elements that relate to the stability and interoperability of the Internet, everything else should, first of all, be considered to be local. “Binding” elements carry the notion of enforcement and are contrary to the Internet tradition of working by consensus. “Best Practices” which have developed within the ccTLD community will be the main tool for working towards extending common ground—what has been developed and has been accepted my many as useful should, through peer pressure, not through contractual enforcement, lead to better practice throughout the community.

In spite of the fact that the planning towards the ccNSO had been accompanied by a special assistance group which included ICANN board members—it had been accepted that contractual relations between ccTLDs and ICANN would not be a condition for membership in the ccNSO—the differences in perception were obvious in an Open Meeting of the GAC, dealing also with ccNSO plans. One ccTLD administrator characterized the Bylaw draft related to the ccNSO still to be autocratic in its insistence to accept binding policies while the framework and scope of such policies is not yet defined. The understanding of the ccNSO as a support organization for cooperation and coordination has also the support of some GAC members; ICANN board member statements still appealing to accept binding commitments seemed to fail to grasp the depth of the constraints and resentment of being under external rule.

The WHOIS Workshop revealed similar gaps: there is no agreement about a common basis. The Final Report of the GNSO Council’s WHOIS Task Force Accuracy and Bulk Access was questioned by Diana Alonso Blas, Data Protection, European Commission, as not taking European legal constraint on data privacy into account, and not dealing seriously with the question of the legitimate purpose of data collection and data sharing: Not everything that is possible, useful, and desirable is also legal. Data collection has to be kept to a minimum necessary, and its disclosure again should be kept to the minimal necessary purposes. Where additional data are collected, an opt-in system plus explanations of the purpose of additional data collected should be provided—opt-out provisions are less protective and therefore less appropriate.

Intellectual Property and US Federal Trade Commission representatives claimed that their use of the WHOIS data serves foremost for consumer protection. To restrict the extent of data available and bulk accessibility would lessen consumer confidence in being protected from fraud and misuse. Convincing arguments why, for example, the phone numbers of registrants have to be made publicly accessible were not answered convincingly. After it was also explained that WHOIS data cannot be used for spamming, another panelist reported that he had just seen an offer to buy 30 million WHOIS data scooped from zone files for US$30—instead of the usual US$10.000, the price for bulk access.

The WHOIS discussion will continue into the second day of the ICANN Public Forum. Probably the business centered approach on the one hand, and the philosophy and legislation for the protection of personal data in old Europe will again be in the center of the debate. Nobody questions that there are certain minimal data requirements for the administration of registered domains, and that commercial entities doing business have to be clearly and publicly identifiable.”