ICANN Brussels Law Enforcement Amendments to the RAA Monday, 21 June 2010

>> Ladies and gentlemen, if you'd please take your seats, we'll begin our next session. Again, if you'd please take your seats, we'll begin our next session. Please make sure all ring tones are off on your phones. Thank you.

>>CHERYL LANGDON-ORR: Thank you, ladies and gentlemen. If you're in the gold hall this afternoon, you're here for the RAA improvements session, so please take your seats. My name is Cheryl Langdon-Orr. I'm the current chair of the At-Large Advisory Committee, and I'm joined by a very distinct panel this afternoon to discuss some of the issues that we've come across in the wonderful world of RAA amendments, and Steve is going to be talking to us about that in just one moment. Just to give you an idea of what we're doing this afternoon, we have representatives from law enforcement and they're going to give their perspective on some of the issues that they would clearly like to see as RAA amendments, and we have the registrar perspective. We're wanting to give at least 30 minutes for interactive session at the end of their presentations from the floor, so while you're listening to their presentations, if you'd like to jot down some notes and come to the microphone, and we're also -- when I call for the questions from the floor, and we are also accepting questions from remote participation. And Margie will be reading those to the record. So without too much ado, seeing as we're almost 10 minutes behind as scheduled, I'm going to cede some of my enormous five minutes worth of time to Steve Metalitz. Go ahead.

>>STEVE METALITZ: Thank you very much, Cheryl. I'm Steve Metalitz, with the intellectual property constituency, and I'm really presenting the initial report of a drafting team that was set up -- a joint drafting team that involved people from the GNSO and from the at-large.
And it was a -- I think a good effort in working together to identify some common goals, and we've put out an initial report that is now available for public comment, and I think the last slide gives you the information about where you can find it. Public comment runs through July 9th and we're very eager to get your thoughts on this. Let me talk a little bit about how we got here. As you may recall, back in March of 2007 the then-CEO of ICANN called for a comprehensive review of the registrar accreditation agreement. This was stimulated by the meltdown of the RegistryFly registrar, and over a two-year period, a new form of the registrar accreditation agreement was developed, and it was finally approved by the GNSO Council in March 2009. We had a speaker from the floor earlier today who suggested that everybody was equally happy with that outcome. It wasn't the case. Some people felt the new RAA didn't go nearly far enough, and so as a result, when the GNSO approved it said, "We approve this but we also want to go ahead and look at possibilities of amendments to the RAA and also possible -- a possible registrant rights and responsibilities charter." So that was the mandate that was given. We started work in the fall of 2009, and as I said, the results have just been published. I'm going to talk about -- we had two response -- two tasks and they were done by separate sub-teams. I was the chair of sub-team B. The chair of sub-team A, Beau Brendler is not with us.

>>CHERYL LANGDON-ORR: Yes, he is.

>>STEVE METALITZ: He is with us. Well, he can certainly answer any questions that come up about this topic. And that was the development of a rights and responsibilities charter. The registrar accreditation agreement has -- already has a provision that says if there is a statement of rights and responsibilities of registrants, then all the registrars have to link to that, but there hasn't been such a statement available up till now.
What Beau's sub-team did was come up with a draft of this charter. It's the annex to the initial report. And it basically deals with the current provisions in the RAA, putting them in simplified language based on a draft that was prepared by the staff. The next steps are shown there, and following the public comment period. The participants in that sub-team also worked on an aspirational charter put forward by the at-large community describing some of the rights that it was believed should be afforded to registrants, and I'll just -- I think the next slide shows you what is included there. That's also included as part of this report, and it talks about what should be considered for -- perhaps would be reflected in future amendments to the registrar accreditation agreement. But the draft charter that's in the chart is really reflecting the existing registrar accreditation agreement. Now, to sub-team B. We really had two main jobs. One was to identify topics for possible amendments to the registrar accreditation agreement, and the other was to recommend a process for moving toward an amended RAA. So we looked for suggestions about topics and we got some very good submissions. We've listed here the main sources that we worked from. One was the -- there was a detailed submission from ICANN staff reflecting the input of the compliance staff, but also all the other elements of the staff. A group of six or seven law enforcement agencies from around the world gave us some very detailed suggestions, and you're going to hear about some of that later on in the panel. A working group of the intellectual property constituency made a number of suggestions. And then Danny Younger, an at-large member, also gave some very detailed suggestions. So these were the -- mainly the -- what we were working with, and we organized them into a matrix and ultimately came up with a list of high-priority topics. 
Let me just mention a few things that you won't see on this list, and why you won't see them. Some of the suggestions we received weren't really about the provisions of the registrar accreditation agreement. Rather, they were about the standards for getting accredited in the first place. The investigations or due diligence that would need to be done on entities that wanted to be accredited as registrars. A lot of the law enforcement suggestions were in this area. Our sub-team thought this was an extremely important point, but of course our remit was not in that area. It was after you've been accredited, what are the responsibilities that you have under the agreement. So we didn't include any of these on our list, but we understand that the ICANN staff is revising the registrar accreditation application. That will be released soon, as I understand it. And we hope that many of the suggestions that were made in this area will be reflected there. Second, as we went through the list of suggestions, there were a number of cases where people said, "This isn't really something where we necessarily need an amendment to the registrar accreditation agreement. This is a tool that would enable better enforcement of the existing agreement." In other words, it was more of a compliance issue, rather than a substantive contract matter. So we -- we considered this, and particularly we considered the views of the compliance staff from ICANN, the contract compliance staff. And so a number of issues that were -- we thought were important were left off of our list of high-priority topics, because it was considered they were -- they seemed to be compliance matters under the existing agreement. Now, we did recommend in our report that there be a next phase, and that after some period of time we see whether the new compliance tools that are provided by the 2009 version of the agreement really do help to address these problems. If they do, great. 
If they don't, then potentially these could be back on the table as possible amendments to the RAA. And finally, we were asked to flag any issues that really were more appropriate for development of a consensus policy through the policy development process at the GNSO, rather than for inclusion in a contract. We did identify a few such issues that were currently being worked on in the policy development process, and we excluded those from our final list as well. We were still left with a pretty big list, and the first time we went through it, we found we had far too many high-priority items to really present, so we went through it a second time and we ended up with the list that you see -- a list of 12 topics, and you'll see them on this slide and the next slide. I'm not going to go through every one of these, because we really don't have time for that. I'd be glad to answer questions. And I -- again, I would encourage you to look at the report, where this is spelled out in more detail, with a cross-reference to the matrix of all the suggestions that we received. So it explains it in a little more detail. But let me just mention a few of these. First, a prohibition on registrar cybersquatting. We're not talking here about a prohibition in the contract on registrants engaging in cybersquatting. They're prohibited from doing that and there's a UDRP method for dealing with it. But the problem is, there is evidence is that registrars themselves are engaged in cybersquatting through the use of domain names that they own. So it was felt that this should be clearly prohibited in the registrar accreditation agreement, and if there's a pattern of this, that a registrar should lose its accreditation. So that's that -- the first issue. The next couple of issues deal with malicious activity, malicious conduct. 
First, that registrars ought to have a duty in the contract to investigate those reports that they receive from credible third parties about malicious activities, and secondly, that they designate a technically competent point of contact on these malicious conduct issues, available 24/7 so that when, for example, a phishing exploit is identified, regarding a domain name that a certain registrar has registered, there be someone that someone can go to. The next category, 4, 5, and 6, deal primarily with privacy and proxy registration services. These are already provided for, to some extent, in the existing RAA. We're -- what these suggestions really cluster around are better regulation of these services, building on that basic framework that's in the RAA now. The conditions under which, for example, if someone comes to an operator of a proxy service with what the current agreement calls "reasonable evidence of actionable harm," that provider has to either disclose the actual registrant -- in other words, its licensee -- or else it has to take legal responsibility for whatever misbehavior is going on there. So these are different aspects of this. Some of these services are offered really as -- by alter egos of accredited registrars, so that -- there could be a certain set of rules in that circumstance. Others are operated by entities that the registrar really has no business relationship with, so there might be -- there would be different rules there. But that's the general thrust of everything in that category. Next is to define the circumstances under which the registrar is required to cancel the registration, if there's false WHOIS data provided. Currently, the registrar is allowed to cancel in that circumstance, but the feeling was it should be spelled out when they're required to do so. Top priority 8 deals with the registration process.
There was a lot of discussion about whether registrars should be required to verify the contact information of registrants, and one point that was raised that we thought was important to consider here was if there was a standard -- a preexisting standard that would assist in verification of registrants, that should be -- perhaps that should be made mandatory. The PCI compliance would be necessary whenever registrars were accepting credit cards for registration and so that might be a convenient way to -- to deal with this. The next one, Number 9, the 2009 RAA did make registrars responsible in some circumstances for the acts of resellers. Unfortunately, it neglected to determine the term "reseller," and the registrars pointed out that there could be issues there, so that's really the reason for that priority item. Number 10 and 11 really deal with better disclosure about registrars themselves, making sure that -- that people can reach the registrar, that they disclose information about their officers. This is -- I mean, it's a due diligence issue but it could also apply during the term of a registrar accreditation. And also greater disclosure of affiliates and multiple accreditations, which is important for compliance purposes. The last item up there on our top priority list is really the clarification of registrar responsibilities in connection with UDRP proceedings. Basically, the idea there was to consider more -- clearer time lines. Registrars have obligations throughout the UDRP process, but putting in some time lines and greater specificity could be beneficial. We -- the topics that we couldn't fit in our high-priority list, we called medium priority, and I'm not going to go through all of these, but these, again, are the ones that many people on the sub-team felt they were important but they didn't quite make the cut, so that's all spelled out in our report. 
As I said, the other task sub-team B had was to recommend the next steps in the process of consider -- how to get to an amended RAA, and this was an area unlike the list of topics where there was really quite general support for inclusion of these items on a list of topics, not -- we're not -- this is not a recommendation that all these items be included in a revised RAA, but just that these are the most important topics to consider for RAA amendments. The -- on the question of process, we didn't have that kind of unanimity. There was agreement on a lot of features of how this should be done, including requirements that the parties negotiating this agreement should report out to the public periodically and provide text that's under -- under study, so that they could get input from the GNSO and others, from the -- from the ALAC on these issues. Using the categories that have now become more or less standard in the GNSO world to describe strength of support or the degree of consensus, the report shows that there is strong support for including in these negotiations some observers representing the interests of affected nonparties. The parties to the agreement are the registrars -- each registrar -- and ICANN. But many -- there are many parties that have a lot at stake in this. Registrants, intellectual property owners, antiphishing and people that are dealing with malicious abuse situations, law enforcement. So the strong support position is that those people -- or someone representing those interests -- should be observers, but not -- even if they're not actually parties to the negotiation. There was substantial opposition from the registrars in our group that there should not be observers in the negotiations, that going into the room it should be simply the registrars and the ICANN staff, which is the process that was followed last time. 
And the reason many people on our group opposed that is that they think that that contributed to an unsatisfactory result last time. Obviously not everyone agrees. Some sub-team members felt that the strong support position really didn't go far enough, and that the third parties actually should be full participants in the negotiations. So I've put up here just what's in the strong -- strong support, as I said. Many of these points were consensus points, but the question of who goes into the room and what their role is in the room was really the area where there was a divergence of opinion. So I think that concludes the walk-through, sub-team A, sub-team B and I'll turn it back over to our moderator.

>>CHERYL LANGDON-ORR: Who isn't going to take the microphone very long. While you hand the baton of the clicker on to the law enforcement team, who comprise Bobby Flaim, Paul Hoare, and Luc Beirens and Jaap Van Oss, I hope I haven't brutalized your names too badly. I'm sorry?

>> (Speaker is off microphone).

>>CHERYL LANGDON-ORR: Well, sorry. Radomir Jansky. Right. I can only do my best. And I do come from Asia-Pacific, so I will go down on bended knee later and apologize humbly on the stage, if need be. Are you ready to go, Bobby? Go ahead. Thank you.

>>ROBERT FLAIM: Hi. My name is Bobby Flaim. I work for the FBI. Today, we just wanted to, you know, thankful for the opportunity, but I just want to let you know even though I'm from the FBI and you're going to hear from SOCA, the Belgian police and EU, we have various law enforcement here. From the United States, we have the FBI, we have the Secret Service, the DEA, NIC MIC, FTC. In U.K., we have SOCA. We also have the German Federal Police, the Belgian Federal Police, the Dutch Federal Police, OPTA, the Japanese Federal Police, Brazilian Federal Police, Europol, New Zealand Federal Police, Indonesia civil authorities, Francopol, and Radomir from EU.
Any and all of these people can speak on these recommendations and we've referred to our Belgian and EU colleagues since they are the host country. Our law enforcement due diligence recommendations are part of a comprehensive initiative that global law enforcement is undertaking to be very proactive and preventive in its approach to crime. We all know the best approach to crime is preventing crime, not in tracing crime or bringing criminals to justice. So this is part of our approach here. Like Steve said, our due diligence recommendations that have been published actually have two parts. One concerns the registrar accreditation agreement. The other part concerns due diligence recommendations to ICANN itself and how they accredit registrars and registries, especially in light of the potential of new generic top-level domain names, so that's -- those are the two things right there in our proactive approach. That's on the domain name side. On the IP side, we also have established working groups with the RIRs to also have due diligence concerning the allocation of IP addresses. IPv4 and also, more importantly, IPv6. We're also establishing cross-border international working groups to deal with both of these problems on the domain name side and the IP side, so it really is a comprehensive approach. These recommendations are based on the fact that we are seeing massive criminality that are costing hundreds of millions of dollars of damages and that's what the FBI sees. This is coming from botnets, phishing, Fast Flux, child pornography, and even national security matters. So this is based on substantive cases. It's not something that is driven by any other motivation other than what we are seeing and what we are trying to prevent. We have listed all of these here. We'll go through them a little bit later on. But just so you know, we've also received letters of support from various organizations for our recommendations. 
We've received letters of support from the GA high-tech crime group, Interpol, the messaging anti-abuse working group, the London Action Plan. This is also going to be debated at GAC. What we're doing is not new. It's something that has gone on for many years and we decided that the appropriate time was now to make sure that we voiced our concerns and made sure that we were part of the process to make sure that we're acting within the ICANN system. We've dealt with the GAC. We're dealing with the RA working group. We have meetings with the ccNSO. We're going to meet directly with the registrars. So we are very proactive. We're trying to be very comprehensive, work within the system, work with registrars, work with ICANN directly, so that we can be the best informed and do the best job. We have a very solemn responsibility for the protection of the public, and that's what we're -- that's our only concern, and that is what we are trying to do here. And that's what these recommendations reflect. We've had -- we had talks about DNSSEC. That's another preventive measure. This is what we're trying to accomplish on a different level, and we want to make sure that we do it the right way. Some of the things that the recommendations highlight, in particular to the RAA, is we just want to make sure that the information that the registrant is providing is validated, to making sure that criminals aren't taking advantage of the domain name system or the registration, the domain name registration process. So that's all I have to say, and I'll just pass the microphone to my colleague, Paul Hoare, from SOCA. I'm sorry, it's going to be Luc from the Belgian federal police.

>>LUC BIERENS: Yes. Good afternoon. So I'm playing at home. Now, the federal computer crime unit, to be a part of the federal judicial police in Belgium and my unit is focusing on organized cybercrime and on attacks on critical infrastructure.
Now, I also have five minutes, so I start with the conclusions, to be sure that we will have these conclusions. [Laughter] We support the amendments, but we also want to show that there are already good practices in the field, and I think we have to work together, law enforcement and registry, registrants, and the whole industry, to solve a mutual problem, is the best way to go ahead, instead of enforcing something in a legal way. So now good practices in Belgium. We are working together with the registries DNS.be and EURID. They both have an other legal framework, whether it's by law for EURID or terms of conditions of DNS.be. Now, we're working as a law enforcement agency and when we detect suspicious domain names that are in use, we go to them always with an order of the federal prosecutor to cooperate. We went to them, for example, in the case where there were 13 domain names used by a botnet and then we got back from them it's not only 13, there are 165. And we couldn't block them immediately. Which means that this part of the botnet was no longer working. Now, I know they are using quite a lot of domain names, but it's a way of disrupting their infrastructure. I've had quite a lot of remarks of people saying, "Okay, yeah, blocking domain names might be a problem. We might be liable." How many times did we block something in a false way? Two times on several hundreds of domain names that were blocked. And when we contacted those guys, they said, "Okay, thank you for informing us that the domain name is being abused for criminal purposes," and they were up and running again within a few hours. Now, we are not only going to identify these criminals in cyberspace. We are doing quite more, and it's more interesting to be able to stop this criminality, to prevent further victimizations if we can prevent a lot of people going to phishing Web sites or using all kind of criminal -- the criminals using the end users' computer systems by disrupting the botnets. 
That's what we would like to do. So if we can disrupt these criminals' infrastructure, we are far ahead of what we are doing now is only handling incidents. And don't forget, we are all -- also want to protect the identity of citizens which identity is being abused in domain name registrations. It's not all -- always Mickey Mouse and Disney World. We have had the famous people, politicians, musicians, hockey players, and whatever, their identity is being abused, and we want to work on that also. Now, it's in most cases where we are asking for who registered the domain name, very often it's about child pornography or extremist Web sites, but phishing Web sites are causing quite more damage, economical damage, because they are being abused for e-banking transactions, e-transactions anyway, or getting access to system administrations. And the maintenance of botnets is based -- the addressing within those botnets is based on Fast Fluxing, which needs a lot of domain names, so what did we see when we were doing investigations is that they are registering serial domain names, names without any meaning. A few characters and then a few numbers, which don't make any sense. And very often they are abusing campaigns, commercial campaigns, that say, "Okay, we offer you a one-year registration for free." They only use it for a few days. So for them, it's like, wow, I get it for free. What causes us more problems is the proxy registration where we cannot -- no longer see the identification of the registrant. And very often, if people are paying for their registration, they are using stolen credit card data. Now, what do we need is to identify who is behind these domain name registrations or get a trail. If you don't have the real name, perhaps you have other information that can lead us to these criminals. Blocking of these domain names, just to disrupt the infrastructure. The speed of delivery of data and the speed of blocking of domain names is of crucial importance. 
If it takes three weeks to block a domain name, then it's no longer needed because they use it only for a few days. So that's where we have to work together is to get it very quickly done. And keep it at a low cost for law enforcement as well as for the industry. Now, the real trace -- the traces in real life are cyberspace. If it's a bogus identity, if our procedures didn't -- were not too good, so that we have the good identity, then the bogus identity might be an identity of some other victim being his identity abused. But the other traces are eventually telephone numbers, e-mail addresses that were used to confirm a registration, or eventually the IP addresses that can lead us to somewhere -- somebody in cyberspace. The balance between identification and privacy -- oh. I -- it's a pity. I was working on my laptop. And I have the button in my -- so I did see it. So probably you put that on the Web site and you can all enjoy my presentation afterwards. [Laughter] So the balance between identification and privacy, if we're working within a legal framework, it's clear that police just cannot come to you and ask for information. They have to be working in the legal framework, the legal authorities that are authorized to do so will come with a document. Now, protecting the privacy of individuals is okay, so hide their information, making them pay for that. It's a business model. I don't know if in the European Union it would be accepted. Making law enforcement pay for this data to obtain. There I have a problem as law enforcement. Last week, we had a child abuse case in which we had to identify 40,000 domain names. 40,000. If you make us pay, let's say, $10, for a one-domain name identification, we are bankrupt before we can start the case. 
And then where we had the opportunity in the past to have -- for every domain name -- the identification, we could work fast, and now with this proxy registrations, it's for us very difficult to go after these domain names, because the international legal procedures are very slow. So very often we become ineffective. And then to close my presentation -- I'm going back. Sorry? I heard a lot of people talking about reliability if you are blocking domain names. It can be that we are blocking, and rightly, a domain name but -- and it can cause damage. But if we are not blocking domain names, the criminals' infrastructure is keeping up and running and they are causing quite an economical damage to the industry, our industry, your industry, and to the citizen and that's what we want to prevent. Thank you for your attention.

>>CHERYL LANGDON-ORR: Thank you, Luc, and thank you, Bobby. Any other speakers in the group want to go? Go ahead, Paul.

>>PAUL HOARE: Paul Hoare from Serious Organised Crime Agency in the U.K. I won't speak for long. Some of you heard me before. Just a few points. Both of the guys on my left and right talked about the fiscal damage from crime. This is not just fiscal. If the people from NIC MIC and the child abuse protection charities were here, they would tell you this is about human suffering. It is not just about money. The Internet is an enabler for all kinds of industry, all kinds of crime: Drugs, firearms, human trafficking, the whole gamut. What I would say is cyber security is on the agenda of all the governments of the world. It has grown significantly -- over the last 12 months, it has gone on the agenda of all the governments of the world. If any of you were in Seoul on the DNS abuse forum, I talked on the DNS abuse forum about the need for industries to find solutions to some of the problems that we face, and
I think at the time, I said there was a finite window of opportunity for that to happen before governments inevitably regulate or legislate or actually try to solve the problems which a lot of the times the laws that are passed don't actually solve. That window was that. It is now that (indicating). So I would encourage engagement from everybody who has a vested interest in this because the window is closing. And that's not the agenda of anybody on this panel. That's driven by political necessity within government. If anybody has been observing the GAC discussions over the last few days and the last few months, you will know that's on the agenda for governments all around. Luc ably demonstrates some of the organized crime abuse. The DNS is a key enabler for attacks. The evidence for that is too numerous to mention on this panel, but certainly anyone on here and any of my colleagues that are here would be happy to share our experiences and our knowledge with anybody who would like to know more about it, although a lot of it is Open Source. What I would say there is very, very good practice amongst some of the registries and registrars out there. The RAA amendments that we've put forward, the main thrust of this is that we believe that the industry needs mandatory minimum standards because, otherwise, the good practice which some registries and registrars have, all it does is it displaces criminals to those with less strict regimes and less strict audits. Know your customer. The question somebody asked: How do you do this? Knowing your customer is not a new phenomenon for e-commerce or for the commercial world, the industrial world. There are numerous examples within an industry of much good and affordable practice, which is in place to actually know your customer. So I'm not going to sign up to it. It's impossible. And there are online business models. 
What we are trying to ensure is the accuracy of registration details which has benefits for everybody but certainly from a law enforcement point of view, in order to track down the people who are the threat to the Internet, we need to know who they are or at least have some idea where to start looking for them. And that's in everybody's interest, I think. And my last point would be about privacy and freedom of the Internet, which I know is a concern of everybody. That's something that a lot of people think we're trying to stifle. Far from it. Luc has talked about proxy registration. The availability of privacy and proxy registration is intrinsically built into these amendments because privacy is very important. It is very important. Certain individuals very much need privacy, and we respect that. But what we say about proxy registration is the proxy should be traceable themselves so that law enforcement with due process should be able to trace the proxies. And all I would say -- and I will hand it over to my EU colleague -- is far from wanting to stifle the growth of the Internet, what we want to do with these RAA amendments is actually protect it. Thank you.

>>CHERYL LANGDON-ORR: Go ahead. I'm not going to attempt to mangle your name again, I promise.

>>RADOMIR JANSKY: Thanks very much. Hello. So my name is Radomir Jansky. It is not that complicated. I can understand it is probably unusual for many of you. I deal with cyber crime in the European Commission, director general, justice freedom security which, by the way, will in two weeks split into two DGs, home affairs and justice. I would like to make a couple of points. Thanks very much for inviting me on this panel. I would just like to make a couple of points regarding recommendations.
The European Commission believes that the online world should not be a lawless territory, as probably most of you, and would like to stress the need to ensure the rule of law and the respect of fundamental rights by all actors who operate on the Internet. With that in mind, the European Commission expresses its support to the law enforcement recommended amendments to ICANN's registrar accreditation agreements, the RAA, and the strong message they send. As in the offline world, those who by operating a Web site act publicly, offer services, share information, sell goods or interact in all possible ways with the public. In this case, an unknown number of individuals at a global level may benefit from their activities and at the same time bear responsibility for their acts. So they have to respect the law and the rights of other individuals, users or third parties. Law enforcement authorities have to be in a position to fulfill their function. Basic elements to secure those objectives are that all potential users of the Internet are in a position to identify and to contact those responsible for a Web domain and that law enforcement authorities can obtain additional information under the conditions set out in the law in the exercise of the official authority vested in them. Accuracy of information processed by ICANN, in particular the contact information for IP address assignments or domain name administrators of top-level domains held in the WHOIS database play an essential role in that regard. Following these law enforcement recommended amendments to ICANN's registrar accreditation agreement, which as has already been mentioned been supported by the GA, Interpol, and the Council of Europe, would be an extremely important step but by no means the only one that the European Union expects from ICANN. 
In matters involving the collection processing and dissemination of personal data, the respect of data protection rule is not only a requirement imposed on the data controller, it is a condition for success and a means to ensure the free-flow of information. This includes a clear definition of purpose for the processing of personal data, the data are adequate, relevant and not excessive with regard to those purposes as well as that they are accurate and kept up to date. These principles should be clearly reflected in the RAAs. Thank you very much. >>CHERYL LANGDON-ORR: Thank you. Moving straight down the line now to Mason Cole and the registrars' views. >>MASON COLE: Thank you, Cheryl. My name is Mason Cole. I'm chair of the registrar stakeholder group. To my right, is my colleague of Michele Neylon of Blacknight in Ireland. Thank you for the opportunity to talk about the registrars and potential RAA amendments. So I wanted to move the discussion up just a level, if I may, off of the agreement itself because I think it might set a bit of context about what we're all trying to collaborate to do here. The discussion about amendments to the RAA or potential new policies really is about solving difficulties on the Internet as they relate to the domain name system. And registrars clearly have no quarrel with solving difficulties. We encounter them daily ourselves in the course of running our businesses. We want to solve problems. We want to catch criminals. We agree that the Internet is no place for lawlessness. We want to prevent illegal activity. As I said, at times we're victims ourselves of criminal behavior. Now, the RAA could be a tool for solving those problems or other avenues could be available as well. The RAA is sometimes viewed as a policy tool when in reality it should not be. 
I was gratified to hear some of the folks here from the law enforcement community to say that perhaps there's an idea where there's an ongoing working group for law enforcement and registrars and registries. I think that's an outstanding idea, and we should do it. So what registrars are interested in doing is solving -- taking a look at all available options for solving online crime, not necessarily just doing so through the accreditation agreement. So it's important to remember as well when we talk about changes to a legal agreement between two parties that document the way those two parties interact with one another on a business and technical basis, that sometimes even the slightest changes have -- can have significant operational impact. And "operational impact" means things like what sort of money does it cost to put these things in place? How many people do we have to hire to put those changes into place? What is the cost to our customers who are all here to make the Internet a better place for? How are those costs perhaps passed down to registrants? What impact does this have on the security and stability not only of the Internet but on law enforcement's efforts, on our efforts to run our businesses, on registries' efforts to run their businesses? It is important to registrars to make sure that the community considers not -- many of these agreements look very good on paper and they are very good and the intentions behind them are well-founded. They need to be considered in a full manner so that the impact on all parties are carefully considered. So the registrars wanted to detail a bit about what their objectives are through the discussion of the RAA. It is important to understand both in a quantified and documented way what problems are experienced by the community and what role the registrars have in solving those problems. It's important to us to understand in as great a level of detail, as much as we can, about that. 
Just about a month ago I had a very productive discussion with Paul and Bobby -- and I might add it was the first time that the registrars and the law enforcement agencies had an opportunity really to talk deeply about some of the problems that are experienced by the law enforcement community in trying to prevent online crime. But it gave us perspective on what sorts of problems the law enforcement community does have. And we've invited the law enforcement agencies to present their point of view at our stakeholder group meeting tomorrow so all the registrars here in attendance can understand more about the perspective of the law enforcement community. We also want to constructively explore methods to address those issues via multiple means. Perhaps it is the RAA. Perhaps it is a PDP that goes through the GNSO process. Or perhaps it is just an opportunity for registrars and law enforcement or other stakeholders to collaborate. So we do want to encourage a community -- the community itself to approach registrars with their concerns and look at that process as one of collaboration, whether they necessarily leap to the RAA as an automatic fix for what the problem may be. I think you'll find that registrars in the aggregate are more than happy to cooperate with concerned parties in the community, and we'd like the opportunity to do so. As I mentioned, the operational stability and security not only of the Internet but of our own businesses as well are important considerations. And it is important for us to be able to rely on a reasonable environment for us to provide products and services to our customers, make hiring decisions, manage resources, et cetera. The next slide. Thank you. So here's what the registrars are doing. We're engaging with multiple parties and stakeholder groups to understand perspectives. As I mentioned, we had a productive discussion with the FBI and the U.K. serious crimes unit. We had a very good discussion yesterday with the GAC. 
We've talked with ALAC, with registries, with the intellectual property constituency and with ICANN staff. And we're all working in good faith to understand what the community's concerns are and how registrars can help resolve their concerns. As I mentioned, the amendments need to have careful consideration from all sides to make sure that consequences for proposals are well understood, both those that are going to be immediately visible and those that may not be immediately visible. A process point, the registrars think that the RAA has a bit of vagueness and probably is inadequate in terms of how to actually go about the amendment process. And that probably needs to be updated. We're in conversations with the community about how to do that. So under the current process, it is important also to remember that the registrars under the 2009 agreement, approximately 90% of currently active domain name registrations are covered by the 2009 agreement. And that's -- we'd like to have 100% obviously. 90% is a good start. We have another four years left from the date of the first signing of that registrar accreditation agreement before other policies could be binding if the accreditation agreement is amended. It is important to take whatever time is afforded by us while recognizing that it's important to act quickly in a law enforcement setting, if that's warranted. But it's important to take the time that's afforded to us to understand the impact on everyone in the community of the proposed RAA changes. Cheryl? Yes, thank you. >>CHERYL LANGDON-ORR: Thank you. Go ahead to Michele. >>MASON COLE: Yep, all done. >>CHERYL LANGDON-ORR: Do you have slides? Do you have slides? You're finished? Michele is not going to talk? I can't believe Michele is not going to talk. >>MASON COLE: When I can't answer a question, Michele is here to save me. >>CHERYL LANGDON-ORR: I don't think we need to open the floor to questions right now. I rather hold that. Sorry. 
I have obviously missed what you are asking. Mason, make yourself clear to me because I don't understand what I've done wrong. >>MICHELE NEYLON: It is very simple, Cheryl. Basically, Mason and I decided it was simpler if Mason went through the registrar -- >>CHERYL LANGDON-ORR: So you're not going to talk? >>MICHELE NEYLON: I'm more than happy to answer any questions. >>CHERYL LANGDON-ORR: But only in the answering questions. You see, translation didn't make it to this end of the table. Thank you. Excellent. And now that we're finished, we're actually well back into time and we are going to open the floor for questions. So there's two microphones. And I encourage you to identify yourselves and who you are speaking on behalf of, if you are speaking on behalf of anyone but yourself. And, please, go ahead. >> GARTH BRUEN: Hello. My name is Garth Bruen, CEO of KnujOn.com. If anybody were to go to our Web site, they would see we just released a major report and audit of registrar compliance and a review of illicit activity within the gTLD space. And a lot of the RAA amendments deal with the issue of WHOIS access and accuracy. And if you were to read our report, you would see that 80 registrars are currently blocking WHOIS access. That includes both Port 43 and Web access. We have ten registrars who have filed false WHOIS for their own domains, their operational domains, that they use to register other parties. And we've got registrar privacy services that are in themselves complete phantoms. We've tried to find them. We've tried to track them down. They don't exist. It is a dead end. So what we see is we see law enforcement trying to shore up that the information is accurate, and we see the registrar behavior of expanding this black hole where nobody can get to the information. So we'd like to see these problems corrected first under the current RAA. And it is very, very important for criminal thwarting -- for thwarting criminals. 
If you focus on the basic compliance structure, you can cure a lot of these problems. But the current compliance structure is not being taken seriously. I would like to talk about the specific issue of illicit online traffic, specifically traffic in bogus, counterfeit, diverted, stolen pharmaceuticals. It is a huge underground industry, multi-billion dollar industry. And it is being shored up by certain registrars. They are not just providing sites, but they are providing the backbone structure for these networks including name servers, transaction processing sites, everything you can possibly imagine. As just one question at the end specifically, I would like to know why Moniker is using privacy services for the registration of their own domains. Thank you. >>CHERYL LANGDON-ORR: Thank you, Garth. I don't think anyone on the panel is rushing forward to answer that specific question at the end. So we'll move to the other microphone. >> RICHARD COX: Thank you, good afternoon. Richard Cox from the Spamhaus Project. Most of you will have heard of the Spamhaus Project and hopefully for the right reasons. We have been dealing with cybercrime longer than ICANN has been in existence. We are perhaps the oldest cybercrime investigating agency. Spam and cybercrime have now coincided and are one problem together. It is not surprising that we have concerns about the situation with the RAA. Now, we do strongly support the proposals from law enforcement. Of course, with compliance as it stands at the moment, as you just heard from the previous speaker, they probably aren't going to have the effect we need them to have. When we talk about what we need them to have, let me just explain what the threat is quite apart from the exploitation of children. I think we would all be pretty well on the same side on that one. 
But when there is now a Trojan out there that you accidentally go to a Web site for what you think are perfectly good reasons, it installs itself on your PC, that's not the end of it. What that Trojan does is monitor all your key strokes. It identifies your bank. It identifies your password. And while you are out making the coffee, it is logging on to your bank with the credentials you've just put in yourself to transfer money off to St. Petersburg in Russia. That's the Zeus Trojan if you haven't guessed and recognized it. With that sort of thing going on and with the fast flux and the double fast flux system of hosting, which has taken the whole issue of responsibility from hosting away from the hosting provider and putting it in the lap of the registrars where -- Let's be frank. It was never intended to be, registrars weren't intended to be doing that, nobody came into the job thinking they were going to have to actually regulate this sort of capacity. But they're the only people who have got the control. Okay? So we need to get that stuff taken down fast. We've heard the number of domains they register. I think that was a rather low estimate in some cases, well into the thousands at any one time. They rotate them so -- I mean, think of it this way. If it takes a registrar a day to take down the domain, they only got to register 365 and they keep going for a whole year. Now you heard how many they have been registering. How much damage is that going to do? There has to be a rapid take-down service. What is the point of having a domain system like dot com where you can register a domain and get it up and online in a matter of minutes if it is going to take that more than that number of weeks to get it shut down, as is the case with some registrars? Now, I said "some registrars" and I did it deliberately because I had the privilege a few weeks ago of being at the registrar summit in Scottsdale, Arizona, where we saw the registrars that do want to get it right. 
Mason was there. He was one of them. I congratulate them all on what they were achieving. The registrars we are talking about are probably not in the western half of the world. There are a lot of people who are accepting money from criminals and working very closely with them. And ICANN's credibility, to my mind, depends on its ability to deal with that threat and to deal with it rapidly because they've all got ways around the present enforcement procedure. Let me give you an example. We heard that some privacy services have got invalid addresses. Yes, one run by one of the biggest registrars there is says clearly no postal mail accepted. If you go to their address, there is no connection with them there. If you telephone their number, you get voice mail which tells you to go away. That's allowed to continue? That's such a flagrant abuse. Let's think about Russia and perhaps a few other countries. All these registrars are signing the RAA saying that they will take down domains under certain circumstances. But in some countries, they can't. They are fraudulently signing the RAA because they know they cannot comply with its terms. Why does ICANN allow that to continue? Surely one of the first things to go in the new RAA should be a statement that the person signing it is not precluded from complying with it by the jurisdiction they're in. And let's talk about WHOIS services. Yes, some block them, as the last speaker said. But some will say, "Yes, you can have WHOIS, five today and five tomorrow." That's no good to an investigator. If you're looking for the sort of snowshoe spam cases or some of the fast flux situations, you need to be able to do a WHOIS on several hundred quickly. And the registrars that block that know perfectly well why they are doing that, because the criminals will bring their registrations to them. Now, look, it's not that this can't be solved. We haven't got an impossible situation here. Look what Rodney Joffe has done for .BIZ. 
When you get an abusive situation on that TLD, you don't. Why? Because it's part of their business plan to do it right. We congratulate them on what they have achieved, and we don't see why any other TLD should be any different. Essentially, it's all down to the business plan. If we had a compliance system which has got the ability to say, "Okay, registrar X failed to comply with its obligations as regard domain Y, we will take down domain Y, we will bill registrar X for the costs of our doing so," that will as soon sort out the rogue registrars. And I would add one final comment. We can't expect law enforcement to do it all. They are very limited in their budgets, very limited in their staffing, very highly skilled in their staffing but there is just not enough of them. We do our best to help. But it is important that the community at-large is able to communicate with registrars, is able to notify them of a problem and get a fast action. And then we can leave law enforcement to deal with the prosecutable cases, which, of course, they then do very well. But they can't do it all. Thank you for your time. >>CHERYL LANGDON-ORR: Thank you. And a very strong plea, to say the least, for minimum mandatory standards which I'm going to toss to the other end of the table, if you do want to respond, because you are both white hat wearers, I assume. Did you want to respond in any way to that? I think it was just a good case for minimum mandatory standards. >>MASON COLE: I'm sorry, I didn't quite get the whole question? >>CHERYL LANGDON-ORR: Did you want to respond to that, or do you want to leave it as a good case for minimum mandatory standards? >>MASON COLE: The KnujOn report? >>CHERYL LANGDON-ORR: No, what Spamhaus just said. >>MASON COLE: No. I think we will defer on that at the moment. >>CHERYL LANGDON-ORR: We will move over to this move. >> My name is Bob Bruen also from KnujOn. 
I want to know if you are aware of the decision by the Ninth Circuit Court of Appeals in October in the Kilbride case where they specifically said privacy services, you Number 4 on the list at the beginning, is material falsifications of the WHOIS records and against the CAN-SPAM Act, which means if you are providing it or doing it, you are breaking the law. And if ICANN is allowing that to go on and participating in it, they're probably breaking the law as well. What that means is, they also said that if the WHOIS record is materially falsified, that is also against the CAN-SPAM Act. You need to address this at some point fairly soon. Most people aren't picking up on this, but you put yourself in legal liability beyond just any discussions we may have. Are any of you aware of this decision? Have you taken it into any of your priority areas? It is an American thing, I understand. >> PAUL HOARE: I was going to say, that's very useful for the guy on my left. It is of no use to me at all. >> BOB BRUEN: Not necessarily. >>PAUL HOARE: I will think the point is, there is an opportunity here to use terms and conditions which are global and to have some kind of regime globally which we can all respond to which can affect all crime. The danger is if this doesn't happen, you will get disparate legislation all over the world. And new guys who are multinational and have several jurisdictions that they operate in can be very confusing for you because we will have all kinds of legislations. And it will be easier if we have one system that suits all. >> BOB BRUEN: Agreed. But still the WHOIS records in the United States have to be accurate according to the CAN-SPAM Act in the Ninth Circuit Court of Appeals. That starts to break into the problem of WHOIS data accuracy overall and the privacy services. It will just push them offshore, I guess. >> ROBERT FLAIM: And, yes, since I'm American here, we are aware of that and that's being considered. 
>>CHERYL LANGDON-ORR: Over to you, Wendy. >>WENDY SELTZER: Thank you, Wendy Seltzer here, GNSO Councillor from the noncommercial stakeholders group. I'm speaking for myself, although I believe many in my stakeholder group share these positions. And I'm speaking for the legitimate registrants of noncommercial and minority and challenging speech, the people who want a stable online home for their criticism of oppressive governments, for their parody, for their criticism of intellectual property rights holders that stays within the law, parodies of copyrighted works, for example, or funny take-offs on trademarks that pose no likelihood of confusion for the purchase of commercial goods, for the activists in Iran who are trying to support the Green Revolution with Web sites for group communications, people who want to speak but do not want to disclose their identities in places where there are oppressive governments or oppressive intellectual property opponents can find them and who in the United States, where I come from, have a First Amendment right to speak anonymously, and who around the world have rights to privacy not to have their personal information displayed to all-comers in WHOIS databases or displayed behind a thin veil at the knock on a privacy or proxy provider's services but who actually who have the right to due process, to a demonstration that there is a real cause of action and real fact against them before their identities are disclosed. So I'm concerned about these proposed amendments and the high-priority topics that seem to impose a form of intermediary liability on registrars where I think it's totally inappropriate. For a long time, I've run the Chilling Effects Clearinghouse, a project that looks at cease and desist letters sent regarding online activity. 
Many of those cease and desist letters sent to the intermediaries, such as Google hosting the blogger service and many of those cease and desist letters which cause the take-down of material by the intermediaries because take-down provides a quick, risk-free way to avoid liability, whereas responding, engaging with the complainant, allowing the end user to respond to the complaint is costly to the intermediary. And so that form of intermediary liability, even with the safe harbors that the U.S. Digital Millennium Copyright Act gives to ISPs and hosts, results in take-downs of legitimate material as well as of infringing material. And so I'm concerned that imposing obligations on registrars will make it more costly to host challenging speech. If they get lots of complaints about a parody domain or a protest domain, will the cost of hosting that material go up? Will the anonymity of those offering that material be in jeopardy because it's just easier to make that problem go away by taking down the domain, by inviting the registrant to go elsewhere, or by revealing the information that the registrant has provided in confidence to a proxy service. And so that there are ways of addressing these problems. People can go to an attorney to register a domain, but not under these amendments, where it would seem that even the attorney would have to register as a proxy provider and go through vetting in order to be able to register names on behalf of others. And people -- essentially, I'm concerned that we're setting up a regime that is biased against the noncommercial challenging, but legitimate, speaker, and that that perspective isn't represented in the proposed amendments, and I look forward to filing extensive public comment with my concerns and proposed alternate directions. >>CHERYL LANGDON-ORR: Thank you, Wendy. And Steve's indicated he'd like to respond. [Applause] >>STEVE METALITZ: Thank you, Wendy. You've raised a lot of important issues there. 
I just want to make two points. One is that with regard to proxy registrations, I don't think there's any proposal in here -- and I know this report has just come out and everyone hasn't read the whole thing, but in terms of proxy registrations, this -- there's nothing in here really about imposing any new liability. Every gTLD domain name registrar, for every registration it has ever made, has been subject to a -- in a gTLD has been subject to a provision of its contract with ICANN that says if it's offering a proxy service as an alter ego, that registrar has already been subject to liability under the agreement ever since 1999. What we're -- if it doesn't -- when it's presented with reasonable evidence of actionable harm -- disclose the identity of its licensee. Now, the -- what we're talking about is trying to clarify some of those terms, make -- give greater certainty to what the obligations are. I think that's -- you'll see as you read through this, one thing that is not in these recommendations is the idea of accreditation of proxy registrations. Although that is part of the law enforcement proposals. So I would just encourage people to look -- to look carefully through the specific recommendations and we do -- certainly do look forward to public comments. >>CHERYL LANGDON-ORR: Thank you, Steve. Any other comments? Go ahead, Paul. >>PAUL HOARE: I think the only thing I'd say from a law enforcement point of view is you won't find anybody on this panel or within this room who would disagree at all with the freedom of speech and the democratic right of people to speak out and say what they feel. What we're suggesting is that -- is the proxy registrations are accredited so that we can actually run down criminals, not people who are exercising their rights of free speech. And there's no suggestion within those suggested -- within those amendments that proxy registration services should be offering up that material on anything apart from under due process. 
>>CHERYL LANGDON-ORR: Nothing from you, Bobby? Are you happy with it? >>ROBERT FLAIM: No. I would agree. I mean, obviously we want to protect free speech. The problem that we've had with proxy services -- and I have done some survey amongst the 56 FBI field offices -- is that there is a lot of criminality that does use proxy services to hide their names. You know, some of them are ongoing cases, some of them are national security cases involving like terrorism, child pornography, phishing, botnets, all of that. So we do have an issue with proxy registrations where criminals are using them. We're not here in the business of protecting criminals, so I would have to add that as a -- as a counterpoint to that. >>CHERYL LANGDON-ORR: Thank you. I'm going to this microphone. Then we do have a question from remote, so I'm going to ask that to be taken after this microphone. Then we'll go to you. Thank you. Go ahead. >>PHILIP SHEPPARD: The gentleman behind me wants to make a follow-up. Would you allow that, moderator, or don't you have the time? The last conversation -- >>CHERYL LANGDON-ORR: Yes, as long as it's not a long follow-up. >>PHILIP SHEPPARD: I would give him 45 seconds maximum, actually. He's gone. >>CHERYL LANGDON-ORR: Go ahead. I just assumed you were in the line, sorry. >>PHILIP SHEPPARD: Sorry. >>CHERYL LANGDON-ORR: But if you want to come to do the follow-up, fine. >> (Speaker is off microphone). >> I just have a clarification. What we've been doing is complaining about commercial enterprises, not personal, and they're separate. And commercial enterprises are always public and the people who are taking money for spam or whatever are now commercial enterprises. Not any of this is an attack on individuals unless they want to hide as an individual. So it is a big difference. >>ROBERT FLAIM: And we have that in our law enforcement recommendations as well. >>PHILIP SHEPPARD: Thank you. On another point, it's Philip Sheppard, from AIM, Europe Brands Association. 
I'd like to follow up on a very wise comment made earlier by Paul Hoare when he said that cybercrime and its associated issues of fraud are exercising the minds of government globally. He is not wrong. I come from an industry which in my trade association that represents extraordinarily successful branded goods companies. They're extraordinarily successful for two reasons, one of which is they have the right product and they get it to the right market. And the second is, they are masters at managing the idiotic complexity they have inherited by national laws that have been passed for consumer protection and many other reasons over the last century which make doing business in this world on the global scale extraordinarily complicated and costly. We are in a new industry. We do not yet suffer from the iniquity from the fragmentation this has led to, but we are on the verge of seeing incompatible legislation that would impose huge costs on this industry and make your life as registrars extraordinarily complicated to deal with. You have the opportunity of leading, getting it right at this stage, and doing only that which is sensible to do within the RAA in this field, and indeed in parallel having working groups talk about other things that are not appropriate to do in the RAA. But I would caution you that if you're looking at this as hard-nosed business people, we're not even asking you just to do the right thing, we're asking you to do the lowest-cost thing for your business. >>CHERYL LANGDON-ORR: Go ahead, Mason. >>MASON COLE: Thank you, Philip. I think we appreciate that point of view. I agree that -- I guess I would quibble a bit with the idea that we look at this in all aspects as hard-nosed business people. We don't. Every concern that's been raised here, we have either heard before or we're happy to entertain. 
I agree with you that it's -- it's important to work within ICANN boundaries to do what's necessary to take care of the industry without needlessly passing costs on to our customers. I mean we compete in multiple ways as registrars, and the idea that we need to pass down costs or obligation to registrants, the customers that we spend a great deal of time and money to try to acquire, is not something that we want to default to in any scenario. I agree, too, that there's a danger of unanticipated consequences by having nations enact laws that are meant to protect consumers but in the end just confuse the issue. I want to make clear that registrars want tools available to them to cooperate with law enforcement to go after the bad guys. We don't want to help them. We want to -- we want to help put them away. But we want to do so in a balanced approach that doesn't imperil the rights of registrants or otherwise make the industry overburdensome. >>CHERYL LANGDON-ORR: Thank you. Go ahead. >>KATITZA RODRIGUEZ: Thank you. My name is Katitza Rodriguez. I'm a member of the noncommercial constituency and I'm talking in my personal capacity, but I think many of my members could -- we agree on our proposal. We have been told that this proposal targets the fight against child pornography, terrorism, and other threats and crimes, and we all have concerns about those crimes. But the proposal that is being tabled, the proposed amendments to the RAA, include other provisions that affect all users, including innocent people who are registering a domain name. And I want to clarify. For instance, this proposal includes data retention provisions that foster the creation of a process for collecting and storage of all registrant personal information, even the innocent people, for purposes that are not related to the service in question. 
For instance, the proposal requires the collection of IP addresses, some kind of browser data as well as data about add-on services, purchases, that are gathered through the domain registration process. Article 29 Working Party, an influential advisory body formed by privacy officials in 27 European countries and the European privacy supervisor have clarified the definition of IP addresses are considered personal data. This means that the data -- that personal data is subject to European privacy law and other legislations in Asia, national legislations in Asia and Latin America. Also, an experiment called Panopticlick shows that the overwhelming majority of Internet users could be uniquely fingerprinted and tracked using only the configuration version of some browsers, once it's made available to the Web site. This type of systems information should be regarded as identifying, and therefore protected in much the same way that an IP address is. I think that the report should take into account the limitations of the rules the obligations that registrants should have in the collection of personal information. For example, international privacy standards like the Convention 108 as well as the European data protection directive or the OECD privacy guidelines. We have read in the proposals that for instance there are some letters from law enforcement agencies in the collection of this information, but there is no called-for comment from the data protection authorities. Even for the Council of Europe as a body just -- just was a summary of conclusions of a meeting, an event, but we don't have like the opinion of the body itself, and I think they should get involved in this discussion because we are talking about the collection and registration of data of all registrants' domain names. Thank you. >>CHERYL LANGDON-ORR: Thank you. And there's a few challenges coming towards law enforcement there. Go ahead. >>RADOMIR JANSKY: Let me just briefly comment. 
I think I share your views on the fact that data protection has to be respected, and I have not omitted this in my comment. I think this is a work in progress. We have not concluded anything here. We have just said that we think that law enforcement concerns are very valid at this stage, and at the same time we are saying in the European Union that he has data protection matters, so we should have a balanced approach, and this is our position. So if this is a call to deal with this, yes, we will. Thank you very much. >>CHERYL LANGDON-ORR: Thank you. Steve? >>STEVE METALITZ: Yeah. I did want to mention that -- just reiterate that this is -- the initial report has been posted for public comment. It includes as an annex the law enforcement proposals, but it has a number of other aspects. And also will be, you know, including in the comment record, if you will, the statements that are made here. >>CHERYL LANGDON-ORR: Thank you. This is part of the process and it is a continuing dialogue, as you can see up and down the table, as well as around. Margie, can I get the ones from online? Thank you. >>MARGIE MILAM: Sure. There's a question online from Jorge. His question is: How are you planning to deal with crooks-friendly ccTLDs that do not have and will not have a contract with ICANN? That's the question to the panel. >>CHERYL LANGDON-ORR: Okay. Bobby or Paul? Paul? >>PAUL HOARE: It's a very valid question, because certainly some of my colleagues at the end of the table will tell you that registrars work on paper-thin margins, and if some -- some registrars are forced to do this, then others will gain a commercial advantage. Myself and Bobby are talking to the ccNSO later in the week. Not -- certainly not to suggest that the ccNSO take these up and come under ICANN's remit, but these -- these suggestions are good practice for the whole industry. They're not -- they're not just aimed at the gTLDs. 
We're not singling out the gTLDs that are on -- we're talking about here, but this is the opportunity that is in front of us to lay these proposals in front of ICANN, to leave as some kind of change. Certainly if these proposals are taken on by the new gTLDs, that will be the first step in -- in the whole TLDs coming up -- being influenced in the similar kind of due diligence, because it's good practice. It needs to happen across the world. >>CHERYL LANGDON-ORR: Thank you. Bobby, and then I'll go to Michele. >>ROBERT FLAIM: I was just going to add to that. In dealing with the national police forces of the countries that we are also encouraging them to deal directly with their ccTLDs as well, to make sure that they're engaged in best practices. >>MICHELE NEYLON: As far as we're concerned, we're a registrar that is obviously dealing with the gTLDs, but the bulk of our business up until relatively recently was actually in ccTLDs. The basic fact is that, sure, there is going to be online fraud, there is going to be online crime. From the registrar perspective, we don't want people using dodgy credit cards, dodgy PayPal accounts, using third parties' contact details, all this, because that causes a massive headache for us. And ultimately it affects our business, affects our bottom line and affects our companies' reputations. The last thing that any reasonable minded registrar wants is to be known as a safe haven for criminals, be they peddling in gTLDs or ccTLDs. I mean ultimately all a domain is is a simple way to map an IP address to something that a human being can actually relate to. Whether that happens to be a cc or a g doesn't really matter. So the kind of stuff that some of the law enforcement people have been talking about, it's the kind of thing that some of us have already implemented. There are concerns with respect to privacy. 
There are concerns with respect to gathering more data than is really required, in order to actually conduct business in the same manner, so that I can process a registration request quickly and everything else, but, you know, just because ICANN has no direct impact on what we may do with the cc's, don't be fooled into thinking that we within the registrar community aren't going to do it anyway. Any of you who want to place an order via our Web site now for anything will probably get challenged because your comment -- your IP address might appear to come from somewhere that our fraud checks might consider to be slightly dubious and we'll ask you to validate yourselves. Now, that does cost us business, but ultimately I don't get screaming telephone calls from my bank going, "What the hell are you doing?" So, you know, this is -- we're pragmatic. Now, obviously when you're dealing with the Internet, you're dealing with global businesses and some of the other speakers, both from the floor and on the panel, have mentioned issues that we're dealing with with registrars and everything else in countries where, let's just say that their frameworks are a little bit more open and less conducive to helping people in law enforcement actually do their jobs. There's nothing we can do about that, but all we can do is -- is do what we do and do it in a manner that everybody is working together. And I love the idea of registrars being able to work with -- with law enforcement because as Mason said, the RAA is a contract. Cybercrime changes and updates very, very quickly. The guys from Spamhaus would be able to speak to that. They use different vectors, they use different methods. If you put something into a contract, it's going to take years for it to be changed. It's going to take far too long. And by the time you've actually put it in there, they've already moved on. And they've moved on about three or four times, 10 times, whatever. 
Whereas if we can -- we within the registrar community can engage with law enforcement, be that formally or informally, I'm all for it. >>CHERYL LANGDON-ORR: Terrific. Going over to you, Beau. Thank you. >>BEAU BRENDLER: Yeah. Hi, I'm Beau Brendler with at-large, and I also cochaired the group A with Michele. I guess I had a couple of things I wanted to say. One is to try to learn from the genesis of this whole group, I don't want to go too much into inside baseball, but it would be nice if the process next time made a little bit more sense to those of us doing it in the sense that we found ourselves in group A basically the meat of our work -- and group B certainly had a much more difficult task, but the meat of our work in group A was simply getting the RAA transferred into language that people could actually understand. And so as a result, kind of what emerged from group A is this thing called aspirational ideas for the next RAA, which is a very watery, weak kind of statement that kind of upset a lot of people in -- or a number of the people in the at-large that are involved with this, in that, you know, what is an aspirational document about the RAA? I mean the RAA is technically, in a sense, a contract with customers and end users, so what those people want to see in that document is not aspirational. It needs to be the meat of what the next iteration of the document says. So I'm not blaming anybody or trying to hammer on the registrars or anything like that. I'm just saying the process of how this group came together and how it produced some of its things needs a rethink if trust and transparency are going to be, you know, ongoing values we embrace more about how documents get produced. The other thing I wanted to say is if there's going to be a working group among registrars and law enforcement, that needs to include the at-large. People in the at-large, people in the noncommercial stakeholders group, we would love to be a part of that. 
I mean, I come from a very law enforcement, I guess, bias of how I look at things in ICANN, because I write and, you know, a lot of people write to me and say, "Can you help me with this, can you help me with that, this is a problem." So my view is very pro law enforcement, but we need to move forward with the way that all of those groups are better connected on the issues than they were in this group. I think a lot of us in the at-large community and in the user community would probably much prefer to get behind the lists of the top 10 items that were made for the GNSO to consider. That's not the slide that's up there now, but if somebody wants to put that up there, that would be great. I think that's a much better document for us to look at going forward than this aspirational nonsense. So that's the point I want to make. >>CHERYL LANGDON-ORR: Thank you very much, Beau. And I think what we are seeing here is the benefit of good dialogue and the benefit of discussing things earlier and having shared knowledge and understanding. I'm going to actually close off with you as the last question. Unless -- sorry. Sir, you were -- you've already spoken, sorry. Yeah. Okay. >> (Speaker is off microphone). >>CHERYL LANGDON-ORR: Oh, okay. Two more. Both of you as the last section. Go ahead, please. >>ASHWIN SASONGKO: Thank you. I'm Ashwin from Indonesia. I will try to talk in my personal capacity. I will make it as brief as possible, since I am one of the last persons here standing between you and a coffee break. There are two points I would like to mention here. The first is very simple. This morning I was watching TV and it shows the oil spill in the U.S. The message for me is very clear. It is okay to increase the oil production as long as you can handle the safety. Otherwise, you will get a bit of oil and a lot of pollution. The same in the Internet. We can increase its activities, as we have discussed for many days here, as long as we can also handle the safety. 
Otherwise, we may get -- we may get a bit of Internet business development and a lot of crimes. That's not what we want, the same as the oil spill our friend from FBI has near his house. Sorry about that. Now, having said the above, we must also remember that Internet is used globally, both by less developed countries as well as by highly developed countries. Now, if FBI in the U.S. has a problem, can you imagine in many other less developed countries how the problem is? I mean, at least in the movies, you know, you can always see how high technology FBI use. You know, in LAPD and CSI, whatever, they always show, you know, how high technology is used in FBI, and yet our friend here from FBI cannot track the name in the Internet. Can you imagine in other less developed countries even where computers is difficult things to find? Now, finally, I believe that some amendments to make sure that crime can be reduced should be available as soon as possible. At least I should know who I am communicating with in the Internet. So I hope in the meeting tomorrow that our registrar association mention the way all people can work together to find a way for identification of who the hell you are in the document. A dog, a cat, or something. Now, finally, this is just a matter of a way of thinking, you see. In the case of oil -- in the case of oil spill, I mean, if the world organization relating to oil and pollutions cannot find a way out, then certainly President Obama will find a way out. Otherwise, we will have a problem to go to the U.S. because it's full with pollution and so on. So the same in the Internet. If our world global organization cannot find a way out to reduce crime, then certainly the country which has a crime problem will do that. And so I think it's -- we have to work all together and I would like to see amendment to this available to all of us and accepted globally that can be here as soon as possible. Thank you. >>CHERYL LANGDON-ORR: Thank you. 
And indeed working together I think is very much what we would all benefit from. Go ahead. >>JEAN-CHRISTOPHE VIGNES: Jean-Christophe Vignes from EuroDNS and a member of the registrar constituency, speaking here in my personal capacity. I'm fortunate to be operating from a small country, Luxembourg, which means among other things that I'm on a first-name basis with the responsible law enforcement officer for cybercrime and phishing. That makes me able to talk to them and to have them understand what the problem we're facing as a registrar in that contrary to what was said before, we are not in the business of helping criminals but we are willing to help law enforcement as much as we can. The problem is that some of us don't have that luxury and what I'd like to comment on is that more often than not, we are not helped in our fight against criminals, but confused with various opposing legal issues. One example of that is privacy. You mentioned private services for privacy which obviously can be regulated because these are private businesses. The problem, as we can see in Europe, is that privacy is -- privacy in WHOIS is sometimes warranted by the competent -- sorry, by the competent law enforcement bodies. We are often faced with registries imposing strict privacy rules where we appear as protecting bad actors, where we are, in fact -- where, in fact, our hands are tied because of such regulations. It's all well and good to say that registrars should help law enforcement and that the RAA must be adopted to help such situation. The problem is, shouldn't the legal framework -- well, start the process? I want to help as much as I can, but I also would like not to be against the probable rock and the hard place between privacy authority on the one hand and cybercrime on the other, among other things. >>CHERYL LANGDON-ORR: No responses? I think there's -- yes. Go ahead, Mason. >>MASON COLE: That's a good point, J.C. 
I'm afraid sometimes registrars do find themselves between conflicting but well -- well-meaning but conflicting agendas. Our registrar does some business in Europe as well. We're not Europe-centered but I know Michele could probably speak with more authority on that, but these are the kinds of issues that unfortunately have to be considered when you mandate new provisions in any kind of an agreement. Whether or not that puts you in conflict with your -- the nation that you're doing business in or where your customers are or similar considerations. Michele, you may know more about that than I do. >>MICHELE NEYLON: I mean, J.C. covers a lot of the points. The problems we see a lot of the times is you're trying to balance -- something I already kind of mentioned in passing but the idea of, you know, if somebody wants to legitimately register a domain, use that domain as Wendy mentioned, I think, about freedom of speech. I mean, we've seen this happen with our clients in the past where somebody will try to muzzle one of our clients by making out that they're doing something possibly saying that's illegal when actually all they're doing is they're looking for an excuse to shut them up because they're saying something critical. And that's only just the mild stuff. And as a -- as a company based within the European Union 100%, we have to respect the data privacy laws, whereas we'd love to be able to work with law enforcement. But somebody, I think, suggested the idea of us taking complaints from the community, and I'm sorry, I can't do that. I can't take a complaint from some random third party. I need to be able to take it from somebody that I can trust, as it were. So for example, if one of the law enforcement agencies were to submit a complaint, fine. I can trust that. But I can't take a complaint from some guy walking down the street who doesn't happen to like a Web site. Because unfortunately that's what you get as well. So it's an awkward balance. 
>>CHERYL LANGDON-ORR: Go ahead, Paul. >>PAUL HOARE: I think certainly for E.U. law enforcement agencies, privacy can only be breached in explicit situations with explicit conditions. I think a lot of the problem is sometimes the legal -- the legal departments or firms are completely risk-averse, where data protection is concerned, where privacy is concerned, and certainly over the last few days, we've -- people have raised this is against European data protection without actually having examined the full -- the full consequences and the full detail of the submission. I think privacy is one of those balances we need to have, but it's difficult in the EU because it is a very emotive issue. >>CHERYL LANGDON-ORR: Thank you. As I was going to say, I would like you to respond actually, seeing as you are being challenged with the difficult area to work with. >> We always have to strike the balance. Yes, it is true, it is difficult. The data protection, it is going to stay. There is no way we can go around this. Today we are supporting law enforcement concerns. At the same time, we are saying, yes, data protection has to be respected. I'm not saying we have a magic formula for that today. It doesn't mean for one we have to ignore the other. No, we have to strike a balance, and we haven't perhaps reached it today yet. But it is a work in progress, and it starts today. >>CHERYL LANGDON-ORR: Well, I would like to ask any of the panelists if they have any last comments because we really do need to wrap up now. Hopefully just a tiny, tiny one. Paul and then Mason. >>PAUL HOARE: I just wanted to mention, Mason talked about it being four years before this comes into play, if it is accepted. The Internet is a very rapidly changing situation and animal. And I think while we don't want to rush into any knee-jerk processes, we need to have processes that will work faster than four years. What we actually put into place will be out of date in four years' time. 
One of my colleagues from the child abuse coalition yesterday talked about in 2005, there were 2,000 images across the world of 200 victimized children. And in 2010, there are million images with tens of thousands of victimized children. The criminals will increase exponentially, and I think the whole system needs to be quicker. >>CHERYL LANGDON-ORR: Mason, just before you -- Steve wanted to respond specific to that point. >>STEVE METALITZ: I think it is a bit of an oversimplification, the four-year period. Even if an agreement does not expire before then, ICANN can and has in the past very successfully offered incentives to registrars to come into compliance with the new agreement earlier. I think it is a legitimate point, but I think it isn't -- and I think Paul raises a very good issue there. But I think there probably are ways to at least ameliorate that problem, if not totally eliminate it. >>MASON COLE: I agree, Paul, with your observations on the increase in online crime. We've seen it ourselves in our business and in observing the Internet in general. At the registrar summit GoDaddy put on a few weeks ago, we heard some extremely disturbing statistics and stories about online crime, particularly as it related to child abuse, things that would just -- they break your heart. So I agree with you. The idea that there needs to be a mechanism of some kind to address rapidly developing crime may or may not be something in conjunction with the RAA itself. I'm not sure what the right answer is. I truly am not. But I appreciate that we're having a discussion to begin with. Whatever the answer is, registrars would like to find a way to predictably help law enforcement combat crime and at the same time predictably run their own companies and protect the interests of all their registrant customers. 
>>CHERYL LANGDON-ORR: On that high point, I would like to ask the audience to thank the panelists and, indeed, all of the speakers from the floor because, in a way, you have all been panelists here this afternoon. Thank you one and all. [Applause] And just in a microsecond's worth of summing up, we've had calls to strengthen urgently. We have had calls to go cautiously. We have had calls to change direction, and we've had calls to reverse. Overall, I don't think this is confusion. I think this is an indication that our conversations need not be quite so focused on single directions. And what we have here is intentions to find ways to get to solutions. One of those discussions is in the initial report posted at the URL you see in front of you. I would encourage you all to make use of the time, and the public comment closes on the 9th of July. This is part of the dialogue. It is a stage in a process. Thank you one and all. And thank you very much to the scribes and the assistant staff who we've kept after their normal working hours. And I applaud all the work you've done today. Thank you, scribes. Thank you, interpreters. Thank you, team. Thank you, all. [Applause]