Site Map

Please note:

You are viewing archival ICANN material. Links and information may be outdated or incorrect. Visit ICANN's main website for current information.

ICANN Whois Workshop in Montreal Real-Time Captioning

24 June 2003

Note: The following is the output of the real-time captioning taken during the ICANN Whois Workshop held 24 June 2003 in Montreal, Canada. Although the captioning output is largely accurate, in some cases it is incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.


Vinton Cerf: good morning. I'm Vint Cerf. I'm now over the hill at 60 and one day and feeling like 16. So I hope the rest of you are similarly energized.

We have a full morning of material on Whois. There are many issues associated with that database. And I look forward to having these explicated for our consideration. And by "our," I mean all of us, not just the board.

Speaking of which, the board is free this morning to sit up on the dais. I will say tomorrow, however, that we have panel sessions scheduled, and we will have to vacate board seats to allow the panel to sit up here. So the board is free to either sit up here or in the audience or change your mind in the course of the presentations.

This morning is going to be managed by the group that put together the Whois presentations. So although I will be sitting over there, I will not run the meeting, but I'm sitting there so I can hear better. I have a little speaker and it helps a great deal.

So with that, I welcome you to the first of the public sessions, of which there will be three in this meeting in Montreal.

And I'd like to introduce our CEO, Paul Twomey, who has opening remarks. And he will introduce the rest of the Whois session.

So, Paul, take it away.

Paul Twomey: Thanks, Vint.

And good morning, everybody. I will just take one minute to say that I very much welcome this Whois workshop. It's something that's been discussed in the ICANN community for some time. And I would basically like to say two things: first of all, how much I appreciate two formal constituencies or formal parts of the ICANN structure, the GNSO and the EITF having somewhat independently pursued this issue coming together and working together to put together for us a comprehensive workshop covering both facts materials and issues from the marketplace and issues and perspectives from public policy. And so I think this morning and tomorrow morning will be a very interesting combination of those two, and I think they will be illuminating for all of us. I think that is also an indicator, I think, of the sorts of cooperation and discussion we need to see in ICANN 2.0.

What's important, I think, as we discuss today and tomorrow and as we think about any process going forward, is the opportunity for sharing of information, sharing of perspectives, discussion from the different parts of ICANN in real time so that the bottom-up process delivers us something closer to consensus rather than having perspectives developed inside the silos of particular constituencies which then end up on the plate of the board to try to be the resolving agent. So I think that's a very important and noteworthy development and a noteworthy, if you like, endorsement of the 2.0 philosophy and structure of ICANN.

Can I just finally say thank you very much to the program committee, and the members of the program committee are up on the board there now, available on the screen. I'd particularly like to thank Mike Roberts, who on very short notice agreed to chair the program committee. They have been very productive. They've had lots of discussions about what sort of program to put together. And I want to thank Mike for the great benefit that I have only just had to look at the e-mail traffic and not had to participate. So that's been very good for me. Mike, would you like to run the show.

Michael Roberts: thank you, Paul, and on behalf of the program committee and the GAC working group on Whois, I'd like to acknowledge the expert panelists and presenters that have willingly volunteered their time to help the community come to a fuller understanding of the many complex sides of Whois this morning.

We would like to say a few words about the structure of these two sessions, one this morning and another tomorrow morning. There's a good deal of information on the web site, you can link to it from the ICANN home page. And those of you who have machines can examine a good deal of written material that we have already posted there. Let me just say that the general format for these sessions is that this morning is one of a primarily tutorial nature in which we're going to get ten brief presentations on various aspects of Whois from individuals who are expert in the area about which they're going to speak.

At the end of the presentations this morning, we will have a public comment period primarily to help elucidate any issues of a factual nature and related to the presentations. Tomorrow morning, we have two panels which will delve into existing policy areas, views about the satisfactory or unsatisfactory nature of how Whois is functioning today, and also a very preliminary and you might say soft look at the solutions or changes, incremental or otherwise, going forward.

We will have a more lengthy public comment period tomorrow in which people who have views on what ought to be done will be welcome to present those, hopefully succinctly.

The order of presentation this morning I'm going to briefly review for you.

We have a brief break scheduled at 9:30. We have a full schedule. I would encourage the audience to be courteous with regard to taking breaks on their own, since we're not going to have a large break.

We will stop at the midway point after the fifth presentation for about 15 or 20 minutes. Then we'll begin and try to wrap up the formal presentation material as close to 11:15 or so as we can and then have a public period, comment period, until we close at noon.

The order of presentation this morning is, we will lead off with Louis Touton, who will briefly describe the status quo as it looks from the standpoint of established ICANN policy, the registrar accreditation agreement, and issues such as that. We'll then go to a presentation from Andy Newton on the current IETF development project on a protocol which goes by the intriguing name of "crisp."

Ray Plzak of ARIN will describe some of the non-name uses of Whois. People associate Whois, the public associates Whois very much with domain names. But, in fact, Whois is implemented in a number of areas that are important to the functioning of the Internet. And Ray will speak to us about that.

Bruce Beckwith will likewise describe the manner how Whois relates to management of registries and registrars across all of the TLDs. Bruce Tonkin is going to describe a gTLD perspective on how Whois is used and the management of Whois in that environment.

Diana Alonso Blas from the European Commission is going to give us some insights into privacy and data protection considerations in using Whois.

Bart Boswinkel from .nl is going to give us the perspective from a typical national registry operation and management.

Jane Mutimear, who is chair of the IPC group, is going to speak to us about intellectual property rights aspects of it.

Michael Donohue from OECD in Paris is going to speak to us about consumer protection uses.

And finally, Maneesha Mithal from the United States Federal Trade Commission will talk to us a little bit about law enforcement issues, that's both criminal and non-criminal. Law enforcement is by no means a single focus issue for Whois is the domain name system.

So that is a very brief overview of the presentations and the order of presentation this morning. And I'd like to turn the podium over at this time to Louis Touton. Thank you.

Louis Touton: Thank you, Mike.

And good morning, everyone.

As Mike mentioned, I am here to give a background on how we got to where we are today with respect to Whois, specifically, to briefly describe the history of Whois and ICANN's Whois policy. Secondly, to provide an overview of the current provisions in the registrar accreditation agreements, and to some degree the registry agreements concerning Whois. And also to discuss ICANN's experiences with a Whois data problem report system that we put in place in the last half of last year.

Whois is a protocol originally implemented on the Internet many, many years ago, at least in the early '80s and perhaps before.

Originally for technical uses, so that operators of the various computers that were hooked up on the Internet could ask for information about each other so they could get in touch if there was some type of technical problem in interoperating with another host on the computer.

Those technical uses have greatly expanded as the number of hosts and the level of mutual trust of technical operators and familiarity of technical operators has diminished.

Whois, however, being freely available to the public, soon acquired many other uses. And I have listed here some of them. Registration service providers, such as registrars, process transfers using Whois because they have to determine the identity of the currently listed registrant to verify that it's a legitimate transfer.

Law enforcement uses it to track down perpetrators of Internet crime.

Consumer protection agencies in a relate way use it to identify the jurisdiction of the registrant, to confer with other consumer protection agencies, and to take action against Internet fraud.

Consumers themselves, users of the Internet, use it to verify the identity of web site operators, in a related point and not here, and also as you'll see very prevalent, those seeking to suppress or source spam use Whois extensively.

Registrants check their own registration details, so it's a way for them to have visibility of what information the registrar has about them.

And copyright and trademark holders use it to identify persons infringing their rights in various ways.

The Whois provisions in ICANN's agreements started very early in ICANN's existence. At the Singapore meeting in March of 1999, there was discussion of the policies that ICANN should use in the implementation of the shared or competitive registration system that was going to be put in place later in 1999. And among the provisions approved at the Singapore meeting were a variety of contractual provisions dealing with the provision of Whois data and also protection of privacy of registrants with respect to that Whois data.

In 2001, when new TLD agreements were put in place, that is, new registry agreements put in place with operators at the registry level, there were also a series of agreements that very much tracked the older registrar accreditation requirements for the thick registries that were introduced in 2001, including biz, info, name, org, and now, pro. Org also got that same thickness or is migrating to that thickness now that it has been reallocated.

I am going to focus on the registrar accreditation agreements because I think that's of most burning interest. FIXEME Interests a basic requirement that registrars provide Whois data about the customer that is they sponsor in the various registries. So if you go to registrar and register louis.com, you give various data and they then maintain that data and display it once they secure the name in the registry.

The data is on this so-called query-based access is to be provided free to the public and it's to be provided through a web-based interface and a so-called port 43 interface, which is the more traditional Whois device that was around before the worldwide web came.

The elements that are required to be displayed in the current registrar accreditation agreement are the registrar name itself, what is the domain name; the name of the name servers that are being used or that have been delegated the authority to operate and support that particular domain; the identity of the registrar, which is often obvious from where you're going; the creation and expiration dates of the registration; and then elements of data about the registrant, the administrative contact, and the technical contact. With respect to the registrant, it is only their name and postal address. With respect to the administrative and technical contact, it's their name, postal address, telephone number, e-mail, and where available, their fax number.

These basic elements were designed to track the Whois system that was being used at Network Solutions at the onset of competition in June of 1999.

And that's, indeed, where they came from.

The registrar accreditation agreement requires that domain name holders, here referred to as registered name holders, shall provide accurate and updated information to their registrar and update them during the term as needed.

It also provides that the willful provision of inaccurate or unreliable information is grounds for the registrar to terminate the registration agreement. Also things that can lead to a termination are failure to update the information and failure to respond to a notice from the registrar asking you about your data within 15 days.

Now, the last slide I indicated was the rights that a registrar must reserve for itself to deal with inaccurate data with respect to a registrant.

3.7.8 speaks about what the registrar's obligations are to use those rights and other abilities it has in order to ensure that the data is accurate.

First, it's required to abide by any specifications or policies regarding verification and re-verification systems.

About a week ago, ICANN finally implemented its first type of verification system, which is called Whois data reminder policy. Which basically simply says that once a year, registrars should remind Whois registrants of what their data is on record and ask them to update it.

And then once they receive the updates, to make them.

In addition, registrars have an obligation, if they learn from any source that the data is inaccurate, to take reasonable steps to correct that data.

The registrar accreditation agreement also has a series of privacy-related provisions, which it has had since it was initially instituted in mid-'99.

These track the requirements of data protection laws around the world.

First, there's a notice requirement. Registrars must tell their customers the purposes for which the data is going to be used, who's going to receive the data, which portions of the data are required and which are voluntary, and how the customer can access and, as appropriate, correct the data.

Registrars also required to obtain in its registration agreement consent from the customer to this particular use of the data, and disclosure of the data, and, in addition, to require that the customer, that is, the registrant, represent that it has obtained the permission of any other person whose personal data is being displayed. The reason for this is that if, for example, a registrant registers a name and they put down a technical and administrative contact, they should go out and get the permission of the technical and administrative contact for their entry into the database and display of their data.

The registrar, on its part, agrees that it will observe the notices that it has given to the registrant about how the data will be used. If the registrar has told its customer that it won't sell the data to others, it must not sell the data to others, and so forth.

Because this is being operated in a competitive environment, the registrar is free to basically set many of the terms of how they will use the data with the thought that if particular registrants want to avoid having their data sold, for example, to others for marketing purposes, they have the ability to go to the registrars who offer those terms.

The registrars also agree to take reasonable precautions to avoid misuse or misdisclosure of the data, even in the absence of willful acts by the registrar.

In 1998-99, there was some concern regarding how to protect individuals who wanted their identity protected and still wanted a domain name. And there was developed the proxy registration of the registrar accreditation agreement, which basically says that instead of going directly to a registrar and standing up as a registrant and having your name recorded and put down in the public record, you can reach an arrangement with somebody else that they will stand in your place, take responsibility and have accountability for what happens to the domain under whatever terms you agree with them.

They put their name down in the Whois data, and they either are responsible for the domain and what happens on it, or if it's compatible with their agreement with you, they will disclose your name.

That provision is used by several services, a growing number of services today.

That's my summary of the registrar accreditation agreement. Let me just spend a little time talking about ICANN's activities and enforcement.

We have spent a fair portion of our time in the registrar compliance function in determining and encouraging compliance with the provisions of our agreements about Whois. And we've issued four advisories, which are still available on our web site under the registrar advisory section.

Notable among these, perhaps, and what I'm going to talk about in a moment, is the second of them, the additional steps to improve Whois data accuracy. In September 2002 and before, there was a growing concern that some registrars were no longer being responsive to complaints about data accuracy. And in looking at the problem, we concluded that a large part of it was, frankly, just confusion and not having a defined mechanism for reporting errors and tracking them.

So to help the registrars and the registrants in a smoother way to deal with inaccuracy reports, we implemented a centralized Whois inaccuracy report form on the Internic web site. It basically allows any member of the public to go and report a mistake or inaccuracy or out of datedness that they find on a registrar's web site. There's then an authentication mechanism so that we obtain the e-mail address of the reporter. That's then sent to the registrar with a ticket number. And the registrar is then responsible for following that up. And once they've resolved the situation, either by correcting the data, by determining the data is accurate or by whatever other outcome, to come back to the web site and to close the ticket.

We have also a tracking mechanism to monitor the number of open tickets and such things that indicate whether registrars have complied. So far we have received about 12,000 reports since September of 2002 about inaccurate data. Most of those reports deal with individuals trying to find the source of SPAM by looking up the domain and then find the contact data is inaccurate and so they've been frustrated in trying to deal with SPAM that they are receiving or that their customers are receiving.

And that's my presentation for today. Thanks very much.

(Applause.)

Michael Roberts: Thanks very much, Louis. We're now going to hear from Andrew Newton who is with Verisign, has been leading the protocol development area effort in Whois area.

I'm going to not give formal introductions of our speakers because in the interest of time and we've provided bios on the web site, and we invite you to review their credentials at your convenience.

Andrew Newton: Okay. My name is Andrew Newton. I'm a research engineer for Verisign naming and directory services but I'm here today to talk to you as a member of IETF working group and the people who are working in that effort. And in fact, my co-conspirator Leslie Daigle and I have written a paper that's in the background materials that goes into details of the perspective we're taking. It's not a technical document, so I'd appreciate it if you have any questions or anything, you'd read that.

So next slide. Thank you.

So the problems we have today with Whois are basically with the policies surrounding Whois, center on the fact that the protocol itself is a very old protocol and doesn't really specify a whole lot.

So we spend a lot of time these days in policy discussions, asking how do we implement this, and how do we get there. And instead of asking the real questions of what do we really want.

So the CRISP working group itself is working on a next-generation protocol to solve a lot of the problems that currently exist with Whois. And in the future, you're not going to have to ask how do we do this. The questions are going to be what do we want.

Next slide.

So in the past, we had this thing called Whois. It was specified with RFC 812 in 1982. That's over 20 years ago.

The title of the RFC is nicknamed Whois and it's registered with the IANA in a for port registration under the name of nicname, not Whois.

To give you an idea of how long ago this was RFC 812 specifies Whois over NCP not over IP.

So it talks about a protocol over an Internet that we do not have today.

By comparison, DNS was first described in an RFC came out a year after RFC 812 and the current RFC which most people go by which are 1034 and 1035 didn't come out until 1987.

RFC 954 is the current spec everybody uses and if you go back and read it, it actually dedicates more space, not a big document, but on who should be registered to milnet and arpanet in the Whois database.

So currently, what do we have? We have this thing called nicname Whois which is used by a lot of communities, not just domain registries and domain registrars. So there's domain registration data in Whois. There is IP address allocation data in Whois. There are people that have router policy specifications in Whois. And there are actually many, many more, many of which we do not know what they are. Some people keep abuse data in Whois. There's no place to go registry what kind of data you're putting into a Whois database.

So when you speak of Whois, there are a lot of communities who do not speak of it in the same terms that people who deal with domain names speak it.

So here are our present users. Today we have the following users of Whois when we're talking about Whois in context of domain names.

And I'm not going to go through all the list I have up here. But suffice it to say that it is far more than the number of users are a greater number than the note operators, the arpanet that the protocol was originally designed for.

If you look at the last one, there are several people who have enumerated the different types of users who use Whois but the last one says abusive users. And we have to keep in mind there are people out there who very ill -- they don't have very good intentions when they're trying to get this information.

So what's the future? Well, the IETF has been working on a set of protocols. The working group is called CRISP. It means the Cross Registry Internet Service Protocol. And essentially, it is a protocol dedicated for registries of Internet resources. And the working group is attempting to take what we have learned in the intervening 30 years since RFC 812 and apply them to the problems we have today.

So what are the CRISP goals? This is a subset of the goals. If you read the document in the background materials we enumerate many, many more of them but these are the ones that are pretty hot.

So there is access control, which is essentially about who gets to see what data. And being able to differentiate between the users who are accessing the data.

Internationalization, which allows users to have an experience beyond the ASCII world. And it allows clients to be localized, so users who are not native English speakers or what not can actually use the system with relative ease.

And one of the other things is decentralization. It's core to the working group. The information has to be aggregated, so the data should be decentralized and not in one repository, but there should be very, very good methods on how you get to that data.

I'm going to spend the rest of this presentation talking about a topic that's pretty hot in this community, and when it comes to Whois, and that's about who has the right to see what data. And that all boils down to authorization and authentication.

So what is authentication? It's the process by which you use who gets to see the information. But authorization are the rules and policies applied on who gets to see the information. So it dictates the authorization schemes. You get to say who gets to see what.

So what do we have for today's authentication with RFC 954? There's anonymous, which is what the protocol intended, which is that all users are equal.

There's another thing other people do which is use the source IP address of the client accessing the data. Keep in mind that the source IP address was never, ever intended to be an authentication mechanism and therefore there's a lot of people when people do that. You have people sitting behind proxies who have all sorts of issues when they're limited based on the IP address because they have to share it with many, many other people.

So but in the modern world, we have many, many more authentication mechanisms available to us today. And those authentication mechanisms allow us to have different authorization schemes. I've listed a couple here, the ones I'm going to talk about, you have ways of saying that I know who Alice is; therefore, Alice is allowed to see this data, or I know someone who knows Alice; therefore, Alice is allowed to see the data. Or I know the person who referred Alice to me; therefore, Alice is allowed to see the data.

Passwords. Passwords are an old idea but they're still useful in today's world. There's a lot of talk about how passwords are insecure, but there's a lot of methods that can be employed today to allow people to send passwords over an unencrypted channel without actually giving up the password to someone who may be sniffing their data. Essentially the user experience is the same.

Passwords allow for the user-based authorization scheme which is I know this person because they had the password; therefore, they can see whatever data I say that person can see.

There's another type of scheme, mechanism called one-time passwords. It's one of these mechanisms I was just talking about which was invented to allow you to send a password over an unencrypted session without exposing the password, but they have a unique characteristic associated with them in which you can only use them for a certain amount of times, like 20 times before it becomes invalid. What that allows you to do is it allows to you create an authorization scheme that says this person can only access the data 20 times, or as this person continues to authenticate to the system, their rights get diminished or enhanced, whatever the policy would be.

Then there's digital certificates. Digital certificates use a branch of mathematics called public key cryptography, and we're not going to go into how they work. But they allow you to do a lot of interesting things as far as authorization goes. They allow you to have the user-based authorization schemes, essentially saying if this is Alice's certificate, and then, you know, do what you need to do. Or the chain-based one, which is I may not know who Alice is but I know someone who does know who Alice is and they verified this. Therefore, I'm going to allow them to see the data.

You have attribute-based switches. I may not know who Alice is, but I do know that Alice is of a certain type of person and therefore may see the data.

Or you can do time base which is Alice -- the certificate has a time stamp on it which is only good for a certain duration of time.

And by the way, you can combine all these different authorization schemes and they're not mutually exclusive, so you could actually do iterations upon them.

So to explain to you certificate chains, essentially, x 509 certificates are already used in TLS and SSL are laid out in tree models, and from any one certificate back up to the top of the tree, you have what's called a chain of certificates.

So the way it works is the certificate is signed by the next node up in the tree, and if you want to do chain-based authorization you can say well, I don't know the actual user behind this certificate, but I do understand that this thing has been cryptographically signed by someone I do know, and that person is vouching for them.

Another thing you can do with certificates is since certificates themselves are secured via cryptography is you can put attributes in them and one attribute can say this person is of type x and they're allowed to see certain types of data. One attribute is time, so a certificate has a certain shelf life it's good for, a start and end date.

One of the other things that the CRISP group is working on is referrals and the protocol will be able to support them, also support passing data with referrals. And it will allow you to combine it with one of these other authentication mechanisms I've given you, be able to assign that data and say when you pass that from the client, from the client to the referent server, the referent server will be able to say because this person was passed to me from another server I'll be able to give you this data. So it will allow those kind of referee-based authorization schemes.

So in conclusion, the CRISP working group is working on a vastly improved protocol to solve the problems of today. And what we hope this brings is the ability for people to quit asking the question how do I implement this, and start asking the question what do I really want to do.

So thank you.

(Applause.)

Michael Roberts: We're going to have a short interrupt here to change this mic, and then we're going to have Ray Plzak from ARIN.

Do we have Ray in the audience? Looks like we're going to have to change our order of presentation. And have everybody hang on a second and we'll figure out who we'll have up next.

Vinton Cerf: have you done a Whois search for him recently?

: a WHEREIS.

Michael Roberts: can everybody hear us with this mic? So we're going to go ahead with Bruce Beckwith. We'll go back and pick up Ray.

Bruce Beckwith: Hi, good morning. My name is Bruce Beckwith. I'm the vice president of operations for the Public Interest Registry, the .org registry.

As you've heard from several speakers, Whois has many definitions and I'll be speaking about the domain name system as it relates to domain name registrations.

They've spoken about the early days and the fact information was collected from a technical perspective and was meant to be used for a technical perspective. The data that was collected was also rudimentary. And again let me walk you through some of the information and remind you that in the early days, truly, registrants typically did not have e-mail addresses. In fact, as the ISPs were coming online, many folks just didn't have an e-mail address because they used maybe the Internet at work or weren't really using it that much so they relied on their web hosters, on their ISPs to be the technical or billing contacts.

So depending on the model being used, the registrant didn't have much of an impact in terms of the actual registration. And in fact, if you remember prior to 1998, most registrations, at least through the end of (inaudible) registrar were done through e-mail templates and those were, for those that are technically capable, were easy to do but for those who didn't have an e-mail address, weren't even possible.

I'll remind you also about the different pieces of information that we now all conglomerate into what we call Whois.

Let's go back and remember 1999 as the registrar model became competitive, suddenly there was a need to have different registrars show the Whois information. And let's also go historically a little bit and remember that when the registrars went into a competitive model, the gTLD registry, which at the time was the NSI registry, had thin data. What that means is there was minimal data at the registry and all the registrars at that point had the data. Therefore, each registrar had a requirement to have a Whois service.

In addition to that, they started finding over time that the Whois service started being used an awful lot. Andy, in the prior presentation, discussed a lot of the different types of users, and you may remember at the bottom of his slide it actually said abusive user. And that has happened. So a lot of the registrars are now limiting the information that is available through Whois from an automated perspective. They put rate limiters in.

Bulk access was also a requirement. One of the reasons for that requirement was to give all registrars an even playing field.

So when you think of Whois, there are different, different, several different versions of Whois that one thinks about. There's the web based, there's a port 43 Whois, and also the bulk Whois.

On the bulk Whois, one of the requirements was to ask registrants did they or did they not want to be part of the bulk Whois file.

Also, registrars had to give out that bulk Whois to anyone who asked for it. And as you will note, some registrars make that very easy to come by, some registrars don't.

Let's then move to registry competition, which started in 2001. Now, with some of the new gTLD registries, namely at the time, .info, .biz, what have you. Suddenly there were two types of registries that existed, thin and thick registries. So the thick registries now started to have a requirement to also provide Whois information, both a web-based and port 43 variation.

Of note, PIR is in the midst now of moving from a thin to a thick registry; hence, we bridge both of the different criteria, and we'll be doing the conversion throughout the remainder of this year.

On Whois, it's important to note that a thick registry will provide much the same information that a registrar today provides with Whois. A thin registry, of course, provides that minimalist data. Ray, I think you'll be next. We changed order a little bit for you.

Ray Plzak: I'm outside working.

Bruce Beckwith: Of note also is that the global name registry, who is the .name registry has made some contract negotiations recently with their requirements for Whois, and the reason for that is the .name top-level domain by definition is for individuals, and individuals have a right for privacy.

So there are some differences now within the different registries, and what the requirements for Whois are.

Let's talk about how that data comes into the systems.

Typically the data is collected by the registrar. The registrar has a relationship with the customer.

The information is collected at the time of registration. The registrar also, as Louis mentioned in his discussion about the registrar accreditation agreement, goes ahead and updates the data. For those environments where there's a thick registry, the registrar has the requirement to send the information to the registry as well and to provide information through Whois.

Now, registrars in the thick environment also have the option of using the registry Whois, because again if you remember from the prior slide, the information is equivalent between the registry and registrar at the thick slide.

Registries on the other hand, now that the data has been collected by the registrar, have the requirement to provide a Whois. And again, you have the differences between the thin and the thick displays.

Now, some of the issues that have come up, one of the reasons for this presentation today, though today's presentation is more from an educational perspective and an operational perspective; tomorrow's is more on a policy basis. But some of the issues that have come up is this interest in Whois. If you remember a few minutes ago I touched on the historic reasons for Whois, and they were really from a technical perspective.

Today, we're using Whois for many different reasons that were not envisioned as Andy mentioned back in 1982, 21 years ago, nor, let alone, over the last several years.

And as you'll see, there are interests to keep Whois as it is, or even to expand it. And there are also interests that want to restrict Whois. And each one of these different interests, if you consider from their perspective, have legitimate reasons to try to achieve their goals.

One of the reasons why Whois information has become so interesting to so many people and now is starting to gather some steam in the public sector is because SPAM is being used tremendously now by marketers. And one of the misconceptions now is that SPAM is solely derived from Whois information. And of note should be that if you post to a public list, if you go ahead and buy from an online merchant that doesn't have specific privacy policies that will keep your data from being available, it is not uncommon to have automated processes, called robots, go ahead and scan the mailing list and decipher the information for what your e-mail address is, nor is it unusual to have that information being sold.

The other misconception is that bulk Whois is a genesis for much of the SPAM that comes out, and if you remember, some registrars don't even offer bulk Whois, so truly, that is not of much of a source for a lot of this information, for a lot of the spam.

What some of the realities are, however, is that the registry zone files, and those are the zone files that the registries produce and just as a quick refresher, the zone file that each registry produces are the domains that are currently active that are available for resolution.

So if you take the differences in the zone files from one day to the next or one time period to the next, you'll be able to identify the difference in domains. Once you know which domains have been added or deleted you can go ahead and do Whois queries and find out what the information is. Hence, that is used an awful lot by not only speculators but as well by spammers to some degree because they now know what information to look up and that is available today, the registry zone files are available for anyone who asks for them.

As well as once you have that information from the zone file, remember that each of the registries and registrars is required by contract to make that information available by a Whois at no charge.

I know that over the next two days, and certainly far after, there are going to be a lot of discussions on Whois. From an operational perspective, we'd like to suggest a couple of different items that should be looked at. And I'm sure they will be.

One is should zone files be available, registry zone files be available for the asking? For anyone? Or should there be some sort of restrictions? And these are not questions that have easy answers because there are many varied interests but they are questions that probably need to be addressed. Today, as I mentioned, registries must comply with any request for a zone file, and these are given out quite freely because there is absolutely no restriction.

Also, we've talked a little bit about, over the last couple of presentations, how available Whois information is, how available Whois information is actually on the web. Is it really important for many users to know Whois information or is it much more important if they want to register a domain name is this domain available or has it already been registered?

So as the research, as the studies, as the discussions go into Whois, it becomes important to look at truly, as an individual, and for the different classifications of users, what is the requirement for Whois? And I know Andy touched on this in the last presentation where he is suggesting that there are lots of technical solutions, but now we have to start wrapping some of the policy issues around that.

And last, in terms of issues that probably need to be looked at from an operational perspective, is the community starts needing to look at this Whois issue from the perspective of is it the same thing that was envisioned 21 years ago? Is it the same thing that was envisioned four years ago when registrars became competitive? And is it the same thing that was envisioned two years ago? The world has changed.

The world has changed from a social perspective, a terrorism perspective, and certainly a technical perspective.

So a question to consider as we move forward, should the same Whois information that was available 21 years ago be available today?

Thank you.

(Applause.)

Vinton Cerf: I have a question.

It's Vint Cerf over here.

Just for clarification, I had thought that zone file transfers were not absolutely required.

So I must have misunderstand that.

Bruce Beckwith: the zone file files, every registry has a requirement to make zone file files available to anyone who requests them.

And the contract requires in the contract that one not misuse the data.

But there is not much of a way to track the use of that data.

So it's very, very difficult to enforce.

Vinton Cerf: General counsel has a comment.

Louis Touton: Just for clarity, that requirement applies to all gTLD registries.

Bruce Beckwith: Right.

Thank you.

Michael Roberts: thank you very much, Bruce.

Let's see.

Do we have Ray in the room now? Can we have his presentation? Here we go, right here.

Ray's going to speak to us about some of the non-name uses of Whois.

Ray Plzak: apologize for lateness.

I was outside working and doing things, and I didn't think I needed to be here until 9:00.

So that's when I showed up.

There we go.

I'm Ray Plzak.

I am the president and CEO of ARIN.

And I'm presenting this presentation on behalf of the four IRRS, which are APNIC, ARIN, LACNIC, and the RIPENCC.

And as Mike mentioned, I'm going to discuss what was termed to be the non-name uses of Whois.

And in way of an overview, we are going to discuss what is Whois.

The types of registries is that exist in the addressing community, the evolution of Whois inside the RIRS.

Actually, that's quite simple. And then how the addressing community uses Whois today.

So what is Whois?

Well, as has been previously mentioned throughout, I suspect, it started out more or less as a community phone book.

And then found itself becoming a general-purpose registry directive service.

And the problem is that now you have conflicts because you have many different communities which have many different requirements.

And so the net result is that everybody says Whois is broken.

And what really has happened is that the original intent of what amounted to a community phone book has been used for something that was it was never intended to be used for.

So in one regard, the perspective of Whois being broke is not necessarily correct.

What is more probable is that the communities have to decide which directory services do they really want.

And is the one size fits all answer the correct answer? And I would suspect that it's not.

And, in fact, in a moment, I will show you that there are two types of uses of Whois in the addressing community which are completely distinct from each other.

And in a way, though, they both offer a directory service.

So there are two types of addressing community registries.

One is the one that I would think that probably most of you are familiar with, which is the registries that are operated by the regional Internet registries.

But there's a separate set, they are called the Internet routing registries.

And unless you are an operator and are involved with routing and pay attention to such things, you would not be even probably be aware of the IRR as opposed to the RIR.

The regional Internet registries do two things.

They allocate and are assigned IP addresses, and they assign autonomous system numbers.

The Internet routing registries, the IRR, on the other hand, maintain routing policy information.

And in a very clear and succinct way, what that means is that in this application of Whois, and you use port 43 to get to this information, you see associations between networks and autonomous systems, and, in essence, which autonomous systems, which providers, which ISPs are going to route which traffic.

And what they're going to accept and what they're going to deny.

This is not an official standard type of thing that everybody adheres to, but, by practice, many do adhere to this.

And so if you hear the term "routing filter," and filtering based upon, for example, the RADB, what you're hearing is that someone is using the information in the IRR to make decisions about how to route information across the Internet to the point either I will allow it to pass through my system or I will not allow it to pass through my system.

So, quite briefly, the IRRs basically started with Jon Postel's notebook.

And the dictum, if you want an IP address, go see Jon.

Of course, nobody could read Jon's notebook.

So the DDN NIC put up the Whois information in regards to address allocations.

And then as the IRRs were formed and evolved, all that information has been moved into the various IRR registries in their Whois's.

How do we in the addressing community use Whois? First, we keep track of address allocation or assignment records.

And that includes allocations from the IANA to the IRR.

From the IRR to an ISP or local Internet registry, LIR.

And then also from that ISP local Internet registry to their various customers.

And that customer, in turn, could also be talking to people downstream from them.

So there could be several layers of that last bullet.

We keep track of the assignment of autonomous system numbers.

And also, in the IRR Whois, you will find information pertaining to the DNS servers that are associated with the reverse mapping of the DNS so that when that function needs to be done, the information is recorded and is available.

Also, there's troubleshooting POC information.

Quite commonly, troubleshooting is normally thought of in terms of network operations.

However, registries also have POC information that refers to what may be called an abuse point of contact.

There are administrative points of contact, technical points of contact.

So there are various types of points of contact to information that is available in the IRR Whois.

And as I said, all of these things, as a reminder, are done through the IRR Whois.

And the last thing, of course, is the routing policy records, which are maintained by the IRRs.

Now, currently, the RIRs all have or are IRRs.

But in addition, there are other Internet routing registries.

There are ones that are common for the entire Internet. And also large ISPs maintain their own IRR-type information and do have a displayable Whois.

So, very briefly, and as a final discussion point, how does this work?

Well, the IANA will allocate address space to an IRR.

And that information is then contained in the IRR Whois.

There is no Whois that is maintained by the IANA.

You cannot do a Whois for address registries information and find it at the IANA.

There is a flat file that is maintained that has allocation information, but it is a very simplistic flat file.

The IRRs, in turn, provide information to the ISPs, LIRs.

And that information is maintained in the IRR Whois.

And the ISPs, in turn, provide address assignment allocations to their customers.

And that information is maintained in the IRR Whois, in some cases, it's mandatory.

And in so forth IRRs, it's optional.

And the ISPs or LIRs may also maintain their own Whois.

So that is, briefly, how the non-name uses, if you will, the address registries, do Whois.

So I am open for questions.

Vinton Cerf: Thank you very much, Ray, for that brief and succinct summary.

With regard to IP address assignments that go down from ISP to customer, can you say how much information is obtained and retained and maintained by the RIRs? Do the ISPs reflect this information back so that you can learn more about the refined allocations? Or is that something which is purely optional?

Ray Plzak: In the case of ARIN, that is actually an optional thing.

You have two ways to report what amounts to utilization information, if you have received a direct assignment or allocation from ARIN.

One way is to put the information back into the ARIN database.

The other way is to use a protocol, which is a nonstandard protocol, it's discussed in an informational RFC, it's called RWhois.

In addition, over the past year, we have been conducting an experiment with one of our larger ISPs in use of their routing registry Whois to report utilization information.

In the case of the other IRRs, in some cases, everything must go back and be reported back to the IRR.

Vinton Cerf: If I could follow up, the implication that we don't necessarily have very clear information about the assignment of IP addresses in the small, only, at least to the ISP level, but after that, it's a little harder to be sure the database is accurate.

Ray Plzak: that's correct.

The further down the allocation tree, if you will go, the more stale the data may become.

There is no requirement for the POC information, for example, to be reflected accurately back other than what you are looking -- but it's assumed that whatever you have, and that's the broad assumption that goes every place, with every Whois, is that what you're looking at is authentic.

And from a personal point of view, if anyone thinks that just because I get this information from Whois that it is authentic information, I can take legal action based upon that, that's a problem.

And probabilistically could put a liability upon the registries that have that data, even though they're not responsible for it because it's supposed to be provided to them by somebody else.

George Papapavlou: One more question.

Does this information, the Whois data held by the RIRs, is it of any interest to anybody else other than the RIRs and the LIRs? Are people coming to you from law enforcement (inaudible) and asking for this?

Ray Plzak: I can speak from ARIN's perspective.

We have received inquiries from law enforcement agencies inside the United States.

We have been subpoenaed to provide information in support of disputes over transfer of company assets.

And there is a very large community that is very interested in our database that are called spammers.

Because they can, by manipulating the databases that the name registries have and by also trying to do the same thing with the addressing registries, can, in effect, hijack addresses and hijack names.

And so that's a problem that's common to everyone.

So I would say that, yes, we all have the same people that want to see our data.

Got one more Mike.

Michael Roberts: Running a little late.

So I think we have to....

Yes, we're going to have a presentation now, one more presentation before the break, from Bruce Tonkin, who will speak about the Whois from the perspective of the gTLD registrars who are subject to the provisions of the registry accreditation agreement.

Bruce.

Bruce Tonkin: Okay.

Thanks, Mike.

My name's Bruce Tonkin from Melbourne IT.

And I'm with an ICANN-accredited registrar.

This presentation has been put together with information I've received probably from most of the top five or six registrars.

So it's a broad set of information rather than information targeted to a specific registrar.

First, just to review the purpose of Whois from a registrar's perspective, the OECD privacy guideline states that collected data should be relevant to a specific purpose and be accurate, complete, and up-to-date.

In our registration agreement with the registrant, we specify that the Whois information should be adequate to facilitate timely resolution of any problems that arise in connection with the domain name. That could be as a result of intellectual property issues, could be as a result of technical issues, like SPAM coming from a particular address.

It could be related to transfers of domain names between providers.

But that's the purpose, from our perspective.

What do registrars use Whois for as a user of the information?

Registrars require access to the contact information to seek authorizations for transfer. And that's part of the transfer policy that was recently approved by the board in April.

Also, in the case of a thin registry, like with the common net registries, the registrars maintain the Whois information themselves so as a domain name is transferred from one supplier to another, they also need to transfer the Whois information from one supplier to another.

So that's really the primary use from the point of view of a registrar.

What I'd like to point out now, though, is some of the abuses of Whois that we see fairly commonly.

And these are abuses that have been done on a fairly widespread scale, so they're not isolated incidences.

They've involved hundreds of thousands, in some cases millions of customers.

Far and away the most common abuse of Whois is through the sending of unsolicited renewal notices.

The Whois information is unique in the sense that not only does it provide the full contact data of the registrant, but also provides the date which the domain name expires.

And so that allows the sending of a very targeted e-mail to a customer which says, "your domain's about to be expired or it's about to be deleted." And because it's done in such a way that they know your contact data, the dates when your name was registered and when the name goes to expire, it could be made to look very official.

And the typical way this works is by trying to confuse the registrant into believing they are renewing their domain name with their original supplier.

These notices are not sent in the context typically of saying, "we'd like to renew your name because we're a better provider or we offer a cheaper price or we do it better in some way." It's not offered in a conventional solicitation for business.

It's offered in the sense that we are your existing supplier, this is a courtesy.

You need to renew your name.

In fact, your name's going to be deleted any second now.

It's very important that you renew as soon as possible.

And quite often, these notices are for prices well above the market rate.

And they lead to widespread confusion by the registrant and the registrant often rings up and says, "I thought I paid my renewal last week, and now I'm getting another renewal notice. I don't understand."

And that also leads to the issue that quite often, the expiry date information is not correct that is used on these notices.

The other secondary most common use of the Whois data is for marketing of related services to domain names.

And, again, this is highly correlated information, because by the combination of looking at names as they appear in the zone file and being able to do Whois checks, you can find out almost the instant that somebody registers a domain name, so you know exactly where they are in their life cycle.

You know they bought a domain name and then they have to do something else.

They might need to design a web site, they might need to get web hosting.

So quite commonly the users have the experience that they register a domain name and shortly afterwards they get a phone call from a company offering them web hosting or some other service.

The other point of correlation is perhaps when a domain name comes up for renewal, and, again, you can look at that information and say, well, this name is coming up for renewal.

It doesn't currently seem to be used at the moment.

Perhaps they might want to sell the domain.

Perhaps it's not being used and you're offering them a web hosting or e-mail forwarding service.

So, again, the information is so accurate that the suppliers in the market know exactly the sorts of services that the user might require.

To use an analogy here with perhaps the travel industry, and most of us have traveled here to this venue, and the way most of us did this is we had a choice, most of us probably used an airline to get here.

And most of us then had a choice of airline.

We could either go to a travel agent and that travel agent would try and find us the best price and the best deal for an airline, or we could go to the yellow pages and look up a list of airlines and we could ring a few, maybe go to a few different web sites, and make and exercise our choice to choose an airfare.

That's all based around consumer choice.

The alternative model might work something like that.

You register to attend the ICANN conference, and you put our current address where we live, our telephone numbers, and we specify where we want to go to, which is this ICANN venue.

And we specify the dates and times of travel.

And ICANN collects all this information and puts it up in a public registry.

And then all the airlines and travel agents can then look at that and then they'll go after the highest-value customers first, so they'll look at the person who wants the first-class airfare from Melbourne.

If I stuck my hand up for that, I will get 200 phone calls the first day.

Then they'll work their way through until they get to the person that's in Ottowa.

And that person has got a choice of catching the plane or a train.

So it's a lower-value customer.

He'll probably get contacted a couple weeks later after all the high-value customers are gone.

That's two alternative models of how the travel industry might work.

And the ICANN domain name industry works using the latter model, where the full list of customers is provided and the suppliers can then choose and go after the highest-value customers.

And the highest-value customers get huge amounts of unsolicited e-mail, notices, phone calls, postal notices, et cetera.

The other thing that happens less commonly but is probably even more scary is the growing use of fraud on the Internet.

And we've seen it.

Several of the largest registrars have been hit with these approaches.

And, essentially, they're using our customer base to send a notice from the registrar to all the customers, but it's actually completely branded as though it is the registrar.

It's copying the logos of the registrar, the look and feel of the web site is exactly the same.

And it's usually trying to scare you in some way.

It might even be something like we've just detected a security problem.

It's really important that you change your password.

Please enter your current domain name passwords and your credit card information now so that we can fix this problem.

So these things have been a result of law enforcement action.

But they're very hard to track down because it's very hard to track down the source of the organizations that are using these messages.

And they work like many other Internet scams.

But they are so effective because, again, the customer is contacted with very specific data that only -- that they believe only their supplier could possibly know.

And most of these registrants are unaware that Whois even exists.

They don't know that their information is publicly available.

In terms of the usage from the point of view of a registrar, there's been quite a lot of, I guess, effort recently in the Whois task forces around bulk access agreements.

But that is rarely the problem.

Most of the large registrars have around ten bulk access agreements.

We're not aware of much abuse that we have been able to prove.

We might have our suspicions.

But I am not yet to be a aware of a case where we have been able to approve that the Whois through a bulk access agreement has been misused.

Again, we're only talking about ten agreements, even for the largest registrars.

However, port 43 Whois we see massive usage.

An example -- I guess a top five registrar might be sort of two million queries a day maybe from about 130,000 separate locations.

So you can see clearly each location is probably obviously doing several queries.

The other thing we notice, some of the registrars monitor usage by IP address.

And they expect to see a bit of usage from other registrars.

But what they often see is that in any given week, there will be five or six new IP addresses that seem to be doing hundreds of thousands of queries rather than what you would expect as one or two queries for the purposes of the Whois, which is to deal with -- to facilitate contact with a registrant for issues surrounding the domain name.

The other thing is that I've also received offers to buy the Whois information.

An example of one that I heard yesterday, you can essentially buy 30 million Whois records for $30.

That's a lot cheaper than going to several registrars and paying $10,000 for the actual official bulk access agreement.

So certainly we do have a problem.

And we do believe that there needs to be policy action to solve this problem.

Thank you.

(Applause.)

Michael Roberts: Somewhat miraculously, we're essentially on time.

And so we'll take a break now until 9:45.

And we hope that everybody will come back promptly, because we'll begin at 9:45.

(Break.)

Michael Roberts: If you wouldn't mind taking your seats, we'd like to begin again.

In the interest of keeping the program on schedule, we are going to begin now, and our next presentation is going to be from Diana Alonso Blas, who is with the directorate general internal market of the European Commission in the data protection unit.

Would everyone please give her the benefit of the podium? Thank you.

Diana Alonso Blas: Thank you very much. I'm very happy to be here and have an opportunity to participate in this very interesting debate up to now. The data protection people have not always been involved in this discussion as much as they should. It might be part our fault. But it is now very important that we come into this discussion, and we try to involve ourselves as much as possible, certainly on the European side, because on the American side EPIC and others have been others but not from the European Commission up to now.

So I'm in the beautiful position of being after the coffee break, so everyone is drinking coffee somewhere but I will start anyway.

I am going to concentrate on the European perspective, my job in the European Commission. I have to say, however, there are very similar provisions in other parts of the world. We have the OECD guidelines that are implemented in many other countries in the world. We have similar liaisons in countries like Hungary, the Channel Islands, and others. So the issues for Europe will be similar issues in other countries as well.

In Europe we have several pieces of legislation. The first one is the directive 95/46 the general protection directive. That's one I'll talk in much more detail about. But there is also second directive which is very recent, 2002, the number of 58, which deals with the electronic communications. And this one is also very relevant because it contains a number of provisions that could have direct implications for the Whois discussion.

This directive has not been fully implemented in all the member states. The period of implementation only ends in October this year. But it has to be taken into account now already.

There are also many important documents of what we call the article 29 working party and that's a group of the European data protection authorities that are brought together and that they have the task of implementing and interpreting also the provisions of the directive. And they have dealt with many issues related to the Whois as well and to all the Internet discussions.

There is also the council of Europe convention that I mention here because it is not only European. It is open also to signing and ratification by any country in the world.

And very similar provisions.

On the next one, what are the concerns that we have about the Whois discussions? I think we have tried sometimes from a distance to contribute to this discussion in the past. The European Commission sent recent contributions to ICANN and also the Whois task force. It was always a common approach between the internal market as the director of general where I work and the colleagues of the information society who are the ones you know better because they're always involved in this discussion. And we have always tried to work very closely together in order to offer a common view regarding this issue.

The data protection authorities have also raised concerns regarding the Whois discussion, especially because they have received complaints of national level concerning the misuse of the Whois.

They have received different kinds of complaints. On one side, from individuals who complain about the misuse of the data. They have also received concerns from the registrars themselves who felt that they were caught between a rock and a hard place because whether they obeyed to the ICANN requirements, somehow they are not respecting the European legislation they have in place or if not they might be in a difficult position. So I think that's something we need to take very much into account.

I would also like to stress that European data protection authorities, article 29 working party has issued a paper on the 13th of June of this month that I have circulated and I hope it's available in the materials of this workshop in which they address specifically the data protection principles and their application to the Whois, and they come to a number of very interesting points. So I strongly recommend you to read it.

There is also the international working group on privacy in the telecommunication sector that has issued a common position on this issue already in May 2000. After that, they have also sent different letters to ICANN raising several concerns. The important thing is that this group is not only composed of the European data protection authority. It involves also experts from different groups, including academics and others. And it involves also people from outside Europe. So it's important to see that this is a group that has quite a broad composition.

Also citizens have raised complaints. Not only with the data protection authorities. We did receive a petition also to the European parliament done by a general citizen. I mention it because I think it's interesting, the reason why the citizen complained was not mainly data protection but because he thought that the publication of his name and personal data on the Whois was something that would limit his freedom of speech. Well, the thing has been raised in different papers also previously. So I think it's an important point.

So, indeed, there were increasing concerns for different reasons. The main one, I think, is because lately we have seen more and more registering their own domain names. I think it's important to make clear that there are very different issues at stake, when legal persons, companies, et cetera, registry the domain names and when individuals do so. There are different concerns that need to be taken into account and I think that's why this possible distinction between commercial and noncommercial could play an important role.

We were also a bit concerned about the fact that the reports of the Whois task force that we have read with a lot of interest seem to ignore, to a certain extent, at least, the real purpose of the Whois. And certainly the existing legal framework of the European union. We were a bit puzzled when we saw questions like what would you like to use the Whois data for. In our legislation, it doesn't work that way. Maybe we would like it to be like this, but it's not. We need to start by defining very completely, very detailed way what is the purpose we collect the data and then we have to assess whether the use of this data is compatible with that. And if it's not compatible, it cannot be used.

So in our legislation, it's much more difficult than this. And it doesn't allow this kind of flexibility.

So maybe to enter into the first point, I have mentioned the two directives. Do these directives apply to the Whois? I would say the first point I don't think has ever been discussed. There is clearly personal data involved in the Whois.

The definition will have a processing or directives is very broad, meaning it goes from the moment in which the data are collected to the moment in which they are accessed, used, published, et cetera, so all this is covered by the directives. And the point that has often been misunderstood is the fact that the data are also protected, even when they are in the public-available registry. Sometimes people say, well, but they are already on the Internet. Well, it doesn't really matter. They are still protected in the directives and the principles have to be respected.

So as a first conclusion, I would say that not everything that might seem useful or even desirable is legally possible. At least not under the present regime.

So the key issue, I think, is the question of the purpose. And as I have said, under our legislation, we need to very well define purpose for the Whois. I think that nobody has ever challenged the original purpose that has been raised also by the previous speakers, the issue of being a technical contact in case of problems. Nobody has ever challenged that legitimate purpose. The problem is, as I said, that we need to define very clearly what is the purpose. And it seems to me that what we see now more and more in this discussion is that we all know in practice the Whois is being used for many other purposes, but it's not clearly defined as such.

So I think we might have to be very honest on that and try to address this clearly and say what are the uses we want to make of it, if any. And then see, well, is this possible under the legislation we have. And are there possible solutions we can find.

So we need to describe first the purpose, clearly. And then we need to define what a compatible use is of that. And when discussing what is compatible, we often use the criterion is this a reasonable expectation for the user? Can the user who has a domain name register expect that his or her data will be used for any such a purpose?

So indeed, we might come to the situation in which we would like to use the data for a certain purpose, but this is not possible under our legislation. And there I have to say that the opinion of the article 29 working party has been rather critical in referring in this context to what they call self-policing policy of the private sector. Their view is this would not be compatible with the original purpose of the Whois.

I think it has been made clear in several discussions that the issue is mainly related to the private sector use of this data, not the public sector because for the public sector we do have already several possibilities under the directives for use of this data when necessary. There are existing legal procedures for that. The problem is much more for the private sector, and there I have to say, obviously, the European Commission has mixed emotions about it because we also have intellectual property interests and we obviously want to protect also the right holders but we need to find a position in which we can do both things within the legal system and respecting also the legislation and data protection. And this is not necessarily simple, but we'll need to discuss this further and see if any solution can be found.

So the principle of proportionality is one of the core issues. I think I have to make a distinction in the discussion between the data necessary for the registration itself and the data that should be published in the Whois. In particular, what the proportionality principle means is we look always for the less intrusive means to serve the purpose. So I think what we need to ask ourselves is are there other possibilities of serving the purposes we want to serve while not having all this information available on the web site or potentially available to anybody who wants to have it.

So in some countries, solutions have been found through the use of the Internet service providers. For instance, in France and in Germany and the UK, well, you will hear also the colleague from .nl who is going to talk after me who is going to present the specific situation in the Netherlands and the European Commission has proposed in several occasions, in several papers addressed to ICANN, WIPO and other organizations, some kind of a two-step approach, would make actually the data not available to the general public but only available to those who really need it with the possible control after it.

I'm not saying that this is a necessarily easy solution but it could be explored at least to see if this could be found.

So indeed, we need to process only data, the relevant and not excessive. This is something we would like you to keep in mind when discussing uniformity, meaning that if uniformity means collecting the same data everywhere, this same data would be more than what we now already collect in Europe, this would be a big problem in our legislation because we have the obligation of keeping the data to a minimum necessary.

And there are specific problems also regarding the telephone numbers and the general right not to be included in a directory. This is a right given by article 12.2 of the new directive on telecommunications. It is in any case, clear that the individual has the right not to have his telephone number listed in a public telephone book. What would obviously make a bit, let's say, strange at least that the same individual would have, then, the obligation to provide his phone number to be published on the Whois available to the general public.

The second part of the reasoning is even more complicated. Would it mean that this provision, in fact, implies that the individual has the right not to be included at all in the Whois? And to be honest, I'm not completely sure if this answer is correct or not. We are presently discussing this with the colleagues in charge of the information society. Most probably, we are going to ask also an opinion to the legal service to know what this exactly means.

But indeed, this will have to be kept in mind in discussion.

Possibly I would like to mention also, in this discussion whether this provision could be interpreted as such or not. We might have to keep in mind as well a recent judgment of the European court of Luxembourg that in a case related to Austria, said very clearly we should not interpret the data protection legislation restrictively but possibly the other way around to give sufficient rights to the individuals. So this could also play a role in this discussion.

So one of the issues that have also raised much concern is the question of making the Whois more searchable. The article 29 working party, the European data protection society, as I mentioned, have dealt with this already in 2002 in general terms, considering that the processing of personal data in various directories would not be fair, unlawful, unless the individual has the right to consent to it. And by consent, we don't mean opt out but opt in. So it should be very clear.

So on the other hand, I wouldn't like to give the impression that we oppose all the different proposals that have been presented. We do have quite good feelings about a number of the issues presented as well. Of course, accuracy is a very important issue, is also one of the principles of our directive. But we have to keep in mind, obviously, why are individuals giving not accurate data. And if the reason is they don't feel sufficiently protected we might have to address this first before asking them to make sure they provide accurate information.

Concerning bulk access, we would certainly support all possible limitations of that. The opinion of the European Commission is very clear on that. We think that bulk access should not be acceptable for any kind of purpose because it's not proportional at all and there are other means to serve these kinds of purposes. And it should be important to keep in mind also that the directive 2002, the electronic communications directive only allows the use of e-mail addresses for direct marketing with a specific consent, opt in, of the user.

So as a conclusion, I would like to say we need to respect the existing data protection framework in Europe. Indeed, we shouldn't place the registrars, as I said before, between a rock and a hard place. This would be clear compatibility between what they are asked to do by the contract and what they have to do according to the law.

We also need to look for privacy enhancing ways of running the Whois. I think in practical terms, they could be solutions that serve the purposes we want to serve while protecting the rights of the individuals and I think we need to all work together in trying to look for that.

And I would also like to ask you to keep in mind and to involve the data protection community in these discussions. I mean, it's the first time I'm here. I'm sure that many other colleagues from Europe would be happy to participate in these kind of discussions in the future.

And I think, certainly, that the article 29 working party, who have just approved an opinion in time for this meeting, would also be very pleased to be involved in this discussion.

Thank you very much.

(Applause).

Vinton Cerf: I'm sorry; will you entertain a question or two? Do we have time?

I would just want to suggest an idea that I'm not sure has come out in the presentations or the discussions. It seems to me that the registration of a domain name is not something which is forced on anyone. No one has to register a domain name.

When you do that, with whatever responsibility you choose, either as an individual or as a corporate officer or acting on behalf of an entity, whenever you do that, you may incur some obligations to the rest of the community that uses the domain name system.

So I'd like to suggest for your consideration that the Whois table is not simply a public directory which is randomly assembled, but, rather, it's a side effect of having accepted some obligations as a registrant. And I would distinguish that from, for example, the public directory listings of telephone numbers which are a consequence solely of having been assigned a phone number.

Perhaps those two could be distinguished.

Diana Alonso Blas: Well, I see your point, and I think that, in fact, that's the reason why many individuals make the difference between what are the consequences of registering a domain name when you do it for commercial purposes and then obviously you have a number of legal obligations. Also in Europe, you have to identify yourself, you have to registry yourself possibly for the chamber of commerce, et cetera, you have to pay tax. Of course it's not that you have the choice whether you want to do it or not. You have these legal obligations, and nobody is saying you shouldn't accept them as a part of it.

But I think the difference is for individuals who just want to have a web site for their own purposes of publishing whatever information they want to. And I think that in this kind of very Internet world, it would be kind of, let's say, not very open minded to say, well, individuals have the choice whether to registry a domain name or not. I think having a domain name can be pretty important for many people, for professional and personal activities nowadays. So it wouldn't be a real choice when you want to have it or not. Many people might need it for professional reasons or might want to have it because it's important also for the development.

So I think we need to make a difference between those who really use the domain names for certain commercial activities and therefore have a number of legal applications they have to respect, and one of them is to be registering different registrants who could be one of them who is Whois, and those who use it for personal use.

Karl Auerbach: I also have a question. Two questions have arisen during our discussions of privacy with respect to Whois, and one is the Internet is used to some extent, to a large extent for people to go into various forms of offering goods and services, and there's people who buy from them. And there's a degree of fraud going on. And there's a concern that those who are buying need the ability to validate the quality of the person they're buying from.

And my first question is how is that situation handled under the privacy laws in Europe? And my second question, which is related, is law enforcement. How do we know what kind of access to give to a law enforcement person? How do we know who a law enforcement person is? How do we know they're acting in their scope of authority? To what extent do we notify the data subject that the law enforcement is even looking at them?

Those are my questions.

Diana Alonso Blas: Well, I hope I remember them both but I will start with the first.

Well, I will start with the second because probably I remember it better. As to the law enforcement question, I would say our legislation in Europe has specific provisions for law enforcement. Article 13 of the directive has a number of exceptions that need to be implemented as national law. So indeed, if you're confronted with a situation in which you are not completely sure whether you are acting according to these rules, I would say, well, why don't you then contact the data protection of your country and make sure you're fully aware of the situation in which you can provide this information to the law enforcement or not.

So there are indeed provisions for that but make sure you are sufficiently informed and, indeed that, the law enforcement agency is acting according to the powers as well.

There are provisions for that.

As to the first one, I would say it is also so in Europe, according to many pieces of legislation of commercial law, also the e-commerce directive and other directives that individuals who undergo professional or commercial activities have to identify themselves. It is also on our data protection directive that when an individual collects information from a person, has to identify themselves. So we are in no way opposing that.

What we are saying is that, first, we have to make clear what exactly the data that needs to be collected and published in these cases, and second, that I think it has been said also by others there might not be one single solution that feeds all the cases, and we might need to think of different regimes for different kinds of uses and cases of people having a domain name. And I think to that extent the person following me will give a good example of different solutions that have been found.

Thank you.

Michael Roberts: Thank you very much, Diana. The next speaker is Bart Boswinkel from the Netherlands who will speak about Whois from the perspective of the national registries.

Bart Boswinkel: Sorry.

We tried it this morning.

(Pause.)

Again, this was Murphy's Law.

I tried it this morning and it worked.

So I'm sorry.

I'm speaking here as one of the victims of the European authorities and our national authorities.

(Laughter.)

Bart Boswinkel: I want to explain to you what we have done to, among others, implement the data protection directive which before that was implemented in Dutch law.

And I'll take you through that and some other background material and see how it changed into our naming policy, what consequences it has on our local community.

First of all, give you the short introduction of SIDN, the Dutch registry.

Then I will go into the backgrounds I just sketched.

Then I will go into what does it mean, Data Protection Act, for a registry in the European context.

And then I will go shortly into the new .nl naming policy as of 29th January of this year.

To give you short background on SIDN, we have about 900,000 domain names registered.

This month, we have a net growth of 16,000.

Every month, this is what we know, we have about 2- or 300,000 different registrants.

We have 1500 registrars, and there is approximately 10% net growth of the registrars every quarter.

Then SIDN has 22 FTE, about 25 people working there.

The background.

As you just heard, there is this EU general directive on the protection of personal data.

This is dated in '95.

And this has been implemented in the Netherlands in -- I won't pronounce it in Dutch -- but in the Personal Data Protection Act.

And this was done in 2001, I believe.

So we needed to get on speed with this Dutch Act on the Protection of Data.

In our case, we went through it and had another legal analysis of the specific other legislations on this.

What's just mentioned, the specific EU directive on personal data and telecommunication is not applicable.

This one is implemented in the Dutch Telecommunication Act.

And, among others, the Dutch tax legislation has no meaning for the Whois problem, nor does the Dutch Criminal Act. What makes it peculiar in the Netherlands is in 2001, we had an extensive discussion in the community.

Among others, we asked if the local Internet community wanted to have alternate dispute resolution implemented. Up until then, every domain conflicts over contested domain names had to go to court. This was one of the first questions. And this has direct effect on the use of Whois.

But I think this is clear. I will not go into details, then.

The second question we raised with our local Internet community, does the .nl name space, does it need to be opened up? Until this year, only Dutch companies and only Dutch companies could register directly on the .nl. As a result of the consultation of our local Internet community, this is opened up.

So this is implemented in our naming policy as well.

And the third question, which I will go into more details about is regarding the Whois.

And there were specific questions to our local Internet community, what kind of details you want to do we need to provide in our Whois?

What is the proper level of protection of privacy? Should it be opt in? Should it be opt out? Should we have a limit on queries? Should it be given only to specific groups? These were more detailed questions.

Now you see the quantitative restrictions and the number of queries is another one.

And opt out is another one, as I just mentioned.

Now, as a result, it was clear that we needed to change our naming policy.

Among others, for implementing the alternative dispute resolution and to open up for non-Dutch companies.

In this process, we need to do something with our Whois as a result of the consultation and to implement the legislation.

When we started, and even during the consultation, we ran across some different categories of questions.

And this is what we called the balancing of the perspectives.

Yeah, from a registry point of view very important question is, are we going to implement what the lawyers have been thinking of operationally and technically? And what does it mean?

The second one is, how do we deal with the solution we came up in our new naming policy? And to whom do we provide Whois information?

And the third one is, and I will go into more detail, what are the interests of the stakeholders?

First, we defined the issue as I just said.

This is the more technical operational.

One of the things we have encountered in discussions with the local Internet community is a misunderstanding or non-position on the Whois.

Some think of it as a function and that is, if you talk to lawyers especially, they think of it as a function.

Others think of it as a protocol.

And these two worlds are quite far apart.

In order to structure the discussion, you have to explain what are the effects of what you are seeing in the terms of protocol and this is from the technical perspective.

But the technicians need to know what some lawyers think of it functionally and how to translate this into technical operations.

One of the things we have encountered among the lawyers is, most of them are very much focused on providing Whois services on the web.

So if you, for instance, go to our web site, what you see there is you can have a Whois query, and then they think, okay, we can work on that.

What they forgot, and what they even didn't imagine, is what I have called command-line requests.

So these are these unique UNIX codes, I think it's port 43, to send in very massive Whois request.

And if you really want to protect privacy, you need to go through that direction.

But they're not aware of the existence of this way of sending a Whois request.

Another thing we encountered, and this has especially something to do with the UNIX or the Whois protocol itself, that is, transactionless.

And what I mean by this is, if you send in a Whois request, it gives an answer and then the query is stopped.

Now, what data protection officers really want is that you give them a warning, and then click the button and make a request, and then send it back in.

Now, if you do this at UNIX level on the command line, it's impossible.

You break up the protocol.

And we needed to explain this to all the lawyers involved and all other people involved.

If you want to implement this, will you break down the Whois.

Another thing, and this is very difficult to explain to IP lawyers sometimes, is, the Whois is not necessary for the DNS.

There are registries out there who don't have a Whois.

And they function very nicely.

They don't.

So in order to have a Whois, you have to specify other peculiar or other interests in order to comply with your Data Protection Act.

This was one of the things we encountered which was very difficult, and especially for IP lawyers, is they have to state their interest, why they want a Whois.

And this has consequences for your naming policy, as you will see later on.

Now, in the Netherlands, and this is, again, functional, besides the Whois, we have what we call an "is" function.

Now, to show you the difference, I have two examples.

This is an ordinary Whois query if you use the web site of SIDN.

You see some details. They're not relevant. It's our own domain name.

Yeah, this is what people think of ordinary Whois request.

And what we see a lot is that most people use the Whois to see if a domain name is free or what is the state of a domain name.

Now, for that matter, we have another function, which is called the "is." Now, I have specifically chosen this name because it shows you don't see any contact details in the "is" query.

And what we've done with this one is, this domain can't be registered.

That's why I have chosen this one.

But you see that it can't be registered because you have the information, domain is excluded for registration.

This is the kind of information you cannot provide within the Whois in an ordinary manner.

So, going back, to structure the whole issue of the Whois and going into more details about what does a Data Protection Act mean for a registry.

The first thing is, and as this has indicated, the definition of processing of data in Data Protection Acts is very broad, in Europe.

It includes the collection of data, the provisioning of data, and deletion of data, among others.

As a consequence, if you want to implement a Data Protection Act in your naming policy, you don't have to focus only on the Whois itself, but you have to focus on the whole process.

You start with the collection of data for whatever purpose you want.

So you start at the start of the chain, and it ends at providing this data in the Whois and even beyond that, if somebody wants to delete a domain name, what you do afterwards.

So you have to take care of all of these elements in the whole chain in your new naming policy.

Another thing, this has been touched upon as well, is what we have called what is in the Dutch literature the double necessity criteria for the processing of data.

First of all, and this is important as well, and this goes back to the collection, the purpose for processing, so the purpose for collection and, for instance, for providing, has to be legitimate.

This is very important.

So you can't just collect data for whatever purpose you want.

You have to state specifically for what purpose you want the data, either in your database or in your Whois.

The second one, and is that the data has to be adequate.

That means it has to be within the limits of the purpose.

So, for instance, if you want to provide data to direct marketing institutions, you have to specifically state in your naming policy that has been collected of the registrant is used for direct marketing purposes.

And this has another impact on the data and how you deal with it than, for instance, if it's only there for your own processing of registrations.

Now, a third consequence of implementing the Data Protection Act is that you need to inform the registrants about the processing and the purpose for processing.

It follows logically from what I have just said.

And a fourth aspect which is very important for a registry to take into consideration is, you need to check if your security auditing and tracing capabilities are in line with the Data Protection Act.

Now, as I just said a couple of minutes ago, the Whois is not necessary for a registry to fulfill its core functions.

So if you want to have a Whois, if you want to provide Whois information, there need to be other interests for which you provide these data.

As a result of the domain name debate in 2001, there are in fact four core purposes, four specific purposes for which you want to provide the Whois.

One is, and I think people feel very comfortable with this within the room, is to solve technical problems.

The second one, and this is more on a registrar level, but even on registrants' level, is you want to check your applications.

Do I have one? Is it registered correctly? Is the data that's been sent in, is that correct, yes or no?

The third one, and this is a result of the domain name debate as well, it is a legitimate purpose to provide Whois information for the protection of IP rights.

IP rights or IP rightholders do have a legitimate interest in having the information in order to protect their trademarks or the other rights they have.

And the fourth reason to provide the Whois information is to prevent and combat illegal and harmful content.

I think it speaks for itself.

Now, taking all these perspectives and interests into consideration, what was the result? What did it mean for the .nl naming policy?

First of all, there is a legal consequence.

As a result of implementing the data protection and the use of Whois, we have specific clauses in the registrants' agreement and specific clauses in the registrars' agreement and we do have specific regulation on the personal data in the .nl registry.

I will go into more details, but not too deep.

And second consequence, and this is more operational, which in some cases might be very costly is there is now a general limitation on Whois queries of 15 per IP per day.

Per IP address per day.

This was a result of the domain name debate itself.

The number itself, yeah, it could have been 10, it could have been 20.

But at the end of the day, you come up with a very low number which makes it possible, for instance, for IP lawyers to check if somebody has a typo of the name, yes or no.

And there is an exemption of the registrars because they need the Whois for their own business purposes.

And this is an added specific purpose.

And they have the possibility of 5,000 queries per day per IP range.

Going into the details, some of the details in the different contracts we have, one of the important things is that through the contract, we inform the registrant on the collection of personal data and we inform them that some of the data they send in or that's been kept to provide the service, is publicized in the Whois.

It's not all the information.

Some of the information.

What it provides for as well is a specific possibility for opt out.

And the opt out, it has a few consequences.

First of all, as a result of the domain name debate, the specific purposes for providing data in the Whois are stated.

These are legitimate interests.

And, in principle, what we say is, if you want to have a contract, fine, and we provide the Whois.

But the opt out is now this way: If your interest in privacy is -- how should I say it? -- you have more interest in your privacy than in the other legitimate interest, then we will not provide it.

Basically, we do provide and you have to come up with very, very good reasons to use the opt out.

Until now, we had about I think 900 requests.

There were just six granted.

But it has an impact on the registry to judge these.

And this is in the contract as there is a general limitation on Whois queries.

But this is the one we implemented operationally.

Now I want to go into more details into the SIDN regulation on processing of personal data.

What's in there is that you see what is the purpose for processing.

I'll go into more detail.

The role of the registrar and registrant, is defined in another way.

It is defined now in the terms of the Data Protection Act.

And this is one of the difficulties you will encounter if you want to implement Data Protection Act in terms of the registry/registrar model, is that the roles in the registering process are different than the roles as defined in the Data Protection Act.

So you have to make a translation of these two roles.

But I will not go into the details of it.

For that and what is in this regulation is that the data is included in the registration database and that the data is provided to the public.

Now, what is important, and going back, is this is the double necessity criteria, for what purpose do you want to process the data?

The general purpose is -- I think you can read it -- is just for processing the applications of registrants.

The second one is, if you want to change from one registrar to the other or you want to move your domain name or transfer it, it is necessary to check if you are the legitimate person who can make these changes. We want to provide and we want to facilitate registrars in their work. And it is for inclusion in the zone file. So that's more or less a technical reason. But this is stated explicitly. Now, this is just for the registry to function properly.

In order to provide the information into Whois, we have some specific purposes. And these are the specific purposes that came out of the domain name debate. I will not go into the details again of that.

But what was the result of the domain name debate as well is that our local Internet community didn't find it appropriate to use the data for marketing or other nonspecified legitimate purposes.

So if somebody, a direct marketing agency, comes to the .nl registry to ask for bulk Whois information, we will not give them the possibility to use it. Nor are registrars, although they don't have the information and thus aren't allowed to provide the information.

Okay. This is what we have done in the past. I want to end with some concluding remarks.

I hope it's clear that the Whois is a very broad problem and has consequences for a registry as a business; it has legal consequences; it has consequences for the public. That means registrant, the other stakeholders. And there is for the registry some technical issues involved.

And one of the things we have encountered, and I think this will go on in the debate we have here today and maybe tomorrow as well, people have different perceptions of the Whois. And it's very, very difficult to make clear to the other what you mean and what you are talking about.

Another one, and that's one of the reasons why I'm standing here, is there is no one-size-fits-all solution to Whois.

I think what might be clear is, we found a way to implement, at the end of the day, the data protection directive from the EU and balance it with interests in our local Internet community. And this balancing act is specific for the Dutch circumstances.

For instance, the specific use of the data probably in other registries in other parts of the world, you will define other specific purposes. As I have shown, we have a lot of registrars and it's very easy to become a registrar. So we can live with a limit of 5,000 queries a day. I think in the dot-com environment, this would cause a problem. So it's very clear you have to live with your local circumstances.

And what makes it very difficult for a registry, for instance, is the assessment of the individual opt out. These are cultural circumstances which determine what you within your environment think are legitimate reasons for opt out. And this has to be done against the assessments of the other interests, as we specified.

So this is really nitty-gritty work.

I thank you.

(Applause.)

Vinton Cerf: We have several questions.

I see Karl Auerbach.

Karl Auerbach: Well, the mic -- there it goes.

I thought I heard you say some inconsistent things.

I want to get clarification.

I thought I heard you say that when an intellectual property person makes an inquiry, they have to state the grounds and the reasons for their inquiry.

And yet later I heard you say that you confer automatic legitimacy upon anyone making a query based on the claim of intellectual property rights.

How do you resolve those or did I just mishear?

Bart Boswinkel: As I said, the Whois is not necessary for DNS.

And this is one of the reasons we started the whole process with our local Internet community what you think are legitimate interests.

And it was not taken for granted that IP interests are legitimate interests.

But as a result of the discussion, the community, our community, felt that IP addresses or the protection of IP rights is a legtimate interest, and this is the reason why we provide Whois information.

Karl Auerbach: But I have a follow-up.

You've mentioned that there was -- one making inquiry has to provide an explanation of why they are making the inquiry, state the facts upon which they believe their rights are being infringed.

Do intellectual property people have to say that?

Bart Boswinkel: No.

Again, I think maybe this was a fault in my explanation.

If we provide Whois information, this is limited, limited in the sense of you may make 15 inquiries a day.

That's it.

IP lawyers don't come to the registry to ask for more information.

The Balancing Act which I just explained is from a registrant who wants to have an opt out.

For instance, IP rights interest is a legitimate interest, as we concluded for this consultation process.

If somebody comes in and says, "I don't want IP lawyers on my back because I infringe them a lot,"

(Laughter.)

Bart Boswinkel: there is no legitimate interest for him to use the opt out.

And this is what we do.

We have one set of legitimate interests, as defined by the local Internet community, and on the other side, somebody, a specific registrant wants to opt out of the Whois.

And because we have stated this, his interest has to have very specific reasons why he doesn't want his information in Whois.

I could give you an example, for instance.

We have granted an opt out for a policeman who's doing undercover work.

And he wants to use the domain name for his e-mail addresses.

So he doesn't want to have his personal data in the Whois, because, as you can see, we provide a lot of information.

Maybe that (inaudible).

Vinton Cerf: I don't see any more. I don't see Amadeu's hand up, either.

Okay. Thank you. Michael.

Amadeu Abril I Abril: I'm tired.

Michael Roberts: Thanks very much. That was, I think, a very interesting and useful presentation.

Now we're now going to here from Jane Mutimear who will speak to us on intellectual property uses of Whois.

Jane Mutimear: Thank you. My name is Jane Mutimear. I'm a partner with Bird & Bird in London, and I'm president of the Intellectual Property Constituency.

I'm very grateful to the organizers for asking me to speak.

I wasn't quite so grateful when I first got the e-mail because it was asking me to speak about the IETF. I thought this might be a way of keeping me to my 15 minutes but Mike kindly pointed out it was meant to read IPR, which I know a little bit more about.

I'm going to be speaking about the uses which Intellectual Property Law is and intellectual property owners make of Whois just so people who don't deal with this on a day-to-day basis know what we get up to and why we think access to Whois is important.

As a start I'd like to debunk a few myths. This is based on some of the feedback I've got in various forums where we've been discussing the enforcement of intellectual property on the Internet.

A lot of people seem to think that intellectual property owners, they're just huge, big international corporations with unlimited budgets. They can find a way of enforcing their rights regardless.

Now, obviously, there are huge intellectual property organizations which own intellectual property on a worldwide basis, but there are also small companies to whom enforcement of their intellectual property is equally important to them.

I've also heard that enforcement of intellectual property on the Internet just assists intellectual property owners. And it does that, but it also helps prevent consumer fraud and confusion. And some of the examples I'm going to come on to in a minute will show you that.

And I've also heard it said that Whois doesn't really help you. Whois just helps you to harass the innocent, because anybody who is up to no good isn't going to put in their accurate details. Actually, that's surprisingly often not the case. We often get immediately in contact with the person who is infringing by using Whois. Or there's enough information there, which, then using other sources, leads us to the perpetrator.

So what do we use Whois for? We use it to find the registrant of a web site which is offering infringing products either for sale or at an amazing discount so we know it's not the real thing, or often for free.

I suppose where you've got something offered for free, one of the discussions I've heard go on is, well, for commercial purposes, maybe Whois is okay, but for noncommercial purposes, there should be no requirement.

Now, if you're offering a free download of software, is that a commercial purpose? The registrant isn't actually getting paid. He's quite entitled to turn around and say this is a public service I'm offering here; this isn't commercial.

And these are examples that either I or some of my other colleagues have dealt with over the past few months. These aren't particularly exciting examples. This is run of the mill stuff that we deal with on a day-to-day basis.

We had a month or so ago a client of ours who provides encryption software. They'd just come out with their new version, and then found it was available for free download on a site.

We used Whois, and it was accurate, and we got it taken down very quickly.

Another one of my colleagues is working on at the moment is a site which is devoted to a particularly famous doll, and it offers cheap versions of this doll which we believe are counterfeit, we're just sourcing some of them, and we're also very concerned because they run an affiliate program which encourages the young girls to provide the names and addresses of various of their little friends in order to win money. And we're concerned that these children are providing names and addresses of their friends in the belief they're actually dealing with the organization they know and trust.

And we heard another example a couple of months ago where a client of ours was threatened with an action by a consumer where the battery in their mobile phone had exploded whilst they were using it. It turned out that it was a counterfeit battery, which they had got off a web site selling various counterfeit products, and we located the registrant of that using Whois.

Now, we often deal with software or other copyright protected products are available not on a domain name but under an ISP, under a geocities tripod, for example, web site. And there we use Whois to contact the ISP, and so we can send a notice and take-down to them.

There are other examples where there's not actually anything being offered for sale on the web site which would infringe intellectual property rights, but the web site itself infringes.

For example, it's designed to look as if it's from one of our clients, an intellectual property owner. And this mirrors what Bruce was saying earlier about spoof sites for registrars. Registrars aren't the only ones who come across this. Many people do. If I click onto my next slide, this was a site which consumers were led to from an SMS message sent to all Vodafone users in the UK telling them in order to win one of the new Nokia picture phones to go into nokiagames.info and enter their information and then they stood a chance of winning a phone.

They go through to nokiagames.info. The background here is lifted from club Nokia, so if people are used to dealing with Nokia, they would recognize the club Nokia style. The photograph there is a Nokia photograph which is being used to advertise this phone to the public. And then on an insecure site asked you to enter into the name, address, bank details in order to win the phone.

The Whois details for this site was accurate. A letter to them explaining that we weren't awfully pleased about this sort of behavior resulted in it being taken down within, I think, two days.

And the other sort of infringement which we come across is where the domain name itself infringes the client's rights.

Just recently we had a well-known telecom company hyphen shares, but it was in German and I won't embarrass you with my German pronunciation, but if you went through on that web site, it took you through to hard core pornography and the client wasn't happy about that. Whois detail was not accurate but there was enough there, which using other sources, led us to the culprit and we got it taken down.

occasionally, although it's very rare, actually, that I come across this now, it's where a client is concerned about a domain name which is registered but it's not being used. I normally come across this now when there's a merger or takeover of two companies, and nobody has given much thought to what the two companies, if the merger goes ahead, is going to be called. Then they announce it on day one that the two companies have merged. Day two they start thinking about oh, I think we'll call ourselves the two companies' names put together and then they discover that somebody has registered them.

So, really, these are the main uses by intellectual property owners of Whois. And it's not the only way we trace people but it is a very important way we trace people. And we often get things resolved very quickly without actually having to go to court and all the expenses involved in that.

But another area which is very important to all companies, but in particular, companies with large brand portfolios, is portfolio management.

Portfolio management is a rather sophisticated term for "what the heck have we got and where the heck is it?"

Now, company's domain name portfolios have grown up haphazardly and that's because domain names are easy to register and relatively cheap to register. I've never had a conversation with a client and asked them do you have patent protection for this product and said well, gee, marketing might have got one or ask Bill in it, he does our patents but he left three weeks ago, I don't know who is doing it now.

People have a system and it's followed. Whereas with domain names, people are only relatively recently bringing in procedures for registering their domain names. And even then, if you've got a procedure and a policy, you've got to rely on people reading it and actually following it.

So what you tend to have is domain names scattered around the company, different people being the contacts, different ISPs being the contacts. Often old domain names which were registered with the ISP as the contact and then the ISPs change and no one has gotten around to dealing with these domain names.

And brand rich companies have the largest problems because they've often registered a lot of domain names in the names of their brands, and done by the manager responsible for that product and he's now gone on to something else and tracing what you've got is very important, because even though domain names are very easy to register, they can become very valuable assets to the company.

And Whois is used in order to try to figure out what companies have got and try to put it in an organized manner.

And Whois is used to check not only what companies have got but which registrar they used for that, whether they kept the contacts up-to-date, whether they've got the right name servers on there. Is that why the web site is not resolving, why the domain name is not resolving.

Now, for this, of course, reverse look up is very important. When I was trying to sort out Bird & Bird's domain names I really wanted to time in Bird & Bird as registrant and see what we owned. In the end I had to use the provider which could provide me with reverse lookup and I ended up having to type in two birds.com as the e-mail address to figure out which partners around the world had got up to registering our domain names.

Also, Whois is used by businesses to assist commerce. In any due diligence on a corporate acquisition, you have to list the company being sold has to give undertakings and warranties this is everything we own. Included in that now, you have all your patents, trademarks, and you have to list all your domain names. You actually have to be sure what you own, and also the company purchasing will need to do due diligence to see whether you really do own those and whether there's anything else which you do own which you're not declaring.

And also legitimate markets in domain names. When I'm clearing brand for a company, they'll say we've got five brands quite alike, which can we use and get registered? We will look at who owns the main domain names around that brand.

Now, if you come across a domain name which has been registered by someone for a few years but never used, there's quite a good chance that they'd be prepared to sell it to you so you could go ahead with that brand. You need to be able to contact them to say are you interested in selling this domain name to us.

And from the perspective of the person who is contacted, they want to know how valuable is this domain name? What other domain names are there out there around this domain name which would make it more valuable to the person approaching me?

And it's also used by liquidators who, when they go into an insolvent or bankrupt company figuring out what assets the company has in order to sell off in order to get the most they possibly can for the creditors, and they use Whois to see what the company owns.

That said, it's not all rosy at the moment, and we do experience problems with the Whois. There are problems with accuracy. And there's problems with the lack of centralization, it being split across different registrars and ccTLDs, because in different jurisdictions, they're .nl, .uk and others, are all ones they use and they don't think through there's different policies and approaches to these.

The lack of reverse lookup which is easily available hampers certainly for failure management. And problems with bulk Whois, because this is what gives the third-party providers the information which we need in order to give us reverse lookup, and the experiences with that not being available or being refused gives rise to problems.

Now, if Whois access is restricted so that it can't be used in the ways I've just described, this will hamper protection of intellectual property on the Internet. And that will lead to harming consumers' confidence, because it will be slower for us to take down sites like the nokiagames.info site.

Consumers need to be confident in e-commerce in order to be confident that they can use it and hand over their credit card details without unpleasant things happening to them.

And it will also seriously impact registrants' ability to manage their domain names. And I think it's likely to lead to domain losses, because registrants can't check what they've got and when it's going to expire and who they've got it registered with. And it will also lead to further fraudulent practices. Bruce was talking about the SPAM which registrants get saying your domain name is about to expire. Click here to renew and what you're actually doing is transferring it to them.

I had one of these just a few days ago and I was thinking "I really don't remember using this registrar. I hate this registrar. I'm sure I wouldn't have used them." and I thought actually, it was a domain name that I transferred from somebody else so maybe it was their registrar. Perhaps I should renew it.

And the way I checked is I went into Whois, looked up, and saw that they were not the registrar, and in fact it wasn't about to expire.

Now, if I hadn't been able to do that easily, I may well have panicked and thought, well, just to be on the safe side I better go through and renew it with these people.

And I think that's all I have to say.

(Applause).

Vinton Cerf: Are there questions? Amadeu was your hand up? Yes. Okay. And then Karl.

Amadeu Abril I Abril: One simple question. Well, it's not that simple. It's not well-intentioned to be honest.

(Laughter).

Amadeu Abril I Abril: Why do you need bulk Whois access instead of, for instance, zone file access where you can run the automated searches and the strings that will match intellectual property and then go for individual searches into the Whois for the names where you have discovered a problem?

Jane Mutimear: Let me say what we need it to provide and then maybe you can tell me whether this zone access type thing would exist.

For example, where I'm trying to find what domains Bird & Bird have registered, at the moment, I can't go onto web-based access and type in Bird & Bird as the registrant and have a list of what domain names we have. So that's why we go to a provider who has purchased the data from all the registrars through bulk Whois who then provide the reverse lookup facilities. So unfortunately, Bird & Bird is a terrible name when you're talking about searches, which is why I ended up having to do it another way, but let's say I was Nestle, putting in Nestle UK, Limited, and then having a search result showing me which domain names were registered in the name of Nestle UK, Limited.

We also use it when we have what we think is a cybersquatter and we want to check what else they have registered.

Now, sometimes it's completely obvious that somebody is a cybersquatter. Sometimes, particularly when a domain name hasn't been used and they could potentially have a legitimate interest, you look to see what else they've registered. If they've registered domain names which incorporate lots of other brand names, in different fields, chances are that they're not a legitimate user.

So those are the sorts of things which we need to be provided or we need somebody to be able to provide to us.

Now, whether the thing you're describing could do that, I'm not sure. But if it could, that's fine.

Amadeu Abril I Abril: You're right, it doesn't. But for a historical accident, searches by domain name holder were available on dot com and dot org until a company decided not to provide that anymore. Then you are forced to pay the $10,000 for the bulk Whois. But the net result we are discussing of this two-tiered result are perhaps a little well beyond what we were trying to solve. I am in favor of web-based domain holder searches, as I am in favor of being able to -- I mean at least availability, if not publicity, but that is of the historical changes of these domain names because this is something I haven't heard today. And for IP enforcement and the law enforcement, it's often very critical as well.

But you know the result of not being able to allow it to be web-based and then force it as a registrar to license the bulk Whois to anyone who asks and pays, it's a bit like burning down the house to roast the chicken.

Jane Mutimear: I can see there are problems with the bulk Whois from the registrar's perspective. What I was trying to do was explain the good things which come out of the bulk Whois from our perspective. Now, if they can be achieved in some other manner, you know, bulk Whois can go by the by as far as I'm concerned. As long as the sorts of uses which are legitimate which it currently gives rise to can still be met.

Vinton Cerf: Karl.

Karl Auerbach: Yeah, the first is I wanted to ask my first question, there used to be, a long time ago, a mechanism which used things called handles where I could type in ka 4 or my two handles, and get back the list of domain names I had. That system seems to have disappeared.

But the other thing is I'm looking, trying to come up with analytical frameworks to try to deal with this privacy issue and one which occurred to me while listening to you was that you were talking in many instances about getting at data which pertained to an existing business relationship to which you were a party, you and the registrar, you and the person you're merging with or acquiring or doing the due diligence on. They all have business relationships with the web star. And for example, you don't really need to use Whois. You could ask the partner you're acquiring to get a certificate of ownership from the registrar if they issued those sorts of things.

So I look at those things as getting at your own business data.

The third-party accesses, where you're looking in at something else and acting in some extent as a law enforcement capacity like where you were concerned about the data mining of children's addresses. And I'm really concerned about the extent to which you're using that as a justification sort of becoming a self-law enforcement agency and I'm concerned about how far you go down that path because at a certain point we become vigilantes and I think that's a bad thing to be.

Jane Mutimear: I think every country that I've dealt with gives intellectual property owners the right to enforce their rights.

Now, when we're going against these people who are downloading, who are offering client software for free download, if they turn around and say, no, we're not going to comply, then we can take them to court. Taking people to court is not becoming a vigilante. We are enforcing patents and rights by Whois. And people can be abusive in relation to their intellectual property rights in court. I don't really see that what we're doing when we're trying to enforce intellectual property rights on the Internet, particularly the sorts of examples I was giving there where there is an obvious consumer benefit from the fact that the copyright owner or the trademark owner will take action quickly.

I mean, it would be great if we lived in a world where I could just ring up the police and say, "Oh, there's something here I'm a bit concerned about," and it was dealt with by the next morning. But I'm not sure what it's like where you're from but it's not like that in the UK.

Karl Auerbach: Let me just follow up on that. Where you are protecting consumer rights is where I start getting concerned. It's like do I, in order to protect my own health, have the right to inquire into the medical records of everyone sitting out in the audience to make sure they don't have SARS? That logic goes to that extreme if one follows it.

Jane Mutimear: If you go back to why trademarks exist, trademarks exist to protect the consumer. A company isn't given a trademark as a reward for being terribly inventive in the same way that they're given a patent. People are allowed a trademark because in order to prevent other people from confusing the public.

What we're doing here when we're enforcing trademarks on the Internet essentially goes back to confusion of the public. If somebody is doing something which confuses the public by using somebody's trademark, then we have rights, or the owner has rights to prevent that.

And so when you say, when we start, consumer protection, you can't separate trademark enforcement from consumer protection because that's what trademarks are all about.

Vinton Cerf: Okay. I think we have one more question over here, Mike.

Do we have time?

Michael Roberts: No.

Vinton Cerf: We don't. Could we possibly put this into the open discussion?

Thomas Roessler: I'll ask it another time.

Michael Roberts: Thank you.

I think we are all ready now to have Michael Donohue speak to us from the perspective of the OECD's work on consumer protection.

Michael Donohue: Thank you.

And I'm not sure I want to ask who is really ready to have another presentation on Whois.

But I'll dig right in.

I'm Michael Donohue from the OECD, the Organization for Economic Cooperation and Development.

And maybe I'll say just a word about who the OECD is and how do we find ourselves here at an ICANN meeting and then dig oh-so-briefly into some of the consumer policy issues that may be relevant.

The OECD is an intergovernmental organization based in Paris.

We have 30 member countries.

And it's probably best known for its economic analysis and data.

But it also serves as an important public policy forum for government officials to come together to discuss issues relevant, particularly to electronic commerce these days.

Typically, it's not just the government officials who come together, but also representatives from businesses and consumer groups, other international organizations, some of whom are here today, and increasingly, nonmember countries who also participate in the work of the OECD.

In terms of our work relating to domain names, in June of last year, the GAC was kind enough to invite international organizations to share some of their expertise on areas that might be relevant to the work of ICANN.

So what I'm here to do is to talk about consumer protection, which is one of the areas that was mentioned in the GAC invitation.

I should note as well, though, the OECD has worked on Whois issues in the area from the perspective of revenue authorities as well, that is to say, the tax collectors also want to know who the online businesses are.

And also through an experience as a user of a domain name, or holder of a domain name, I should say, the OECD suffered from a cybersquatting attack about a year and a half ago and had some rather unfortunate experiences trying to track down the person because of some inaccurate Whois data.

Finally, OECD work on domain names goes back as far as 1996, when the OECD helped some pre-ICANN workshops, I guess, discussing administration of the domain name system.

Okay.

Let me move now to the consumer policy considerations on the importance of accurate and available Whois data.

There's an OECD paper that was just released on this topic earlier this month.

It's available on our web site.

And although I don't have -- wow, and it's even up on the screen.

So though I don't have a PowerPoint, all of the information that I am going to say ever so briefly is available in that paper.

One other preview is I should note that by focusing on the consumer perspective here, we are focusing on commerce.

The views that I am expressing here are limited to the use of domain names for web sites doing commerce with consumers.

In 1999, the OECD released a set of guidelines for protecting consumers in electronic commerce.

They were agreed after more than a year and a half of negotiation between the government officials, but also with businesses and consumers sitting there at the table.

The guidelines aimed to set out the core characteristics for effective consumer protection online.

They cover areas like fair business, advertising and marketing principles, online disclosures, which, of course, is the key for this issue, the payment process, education awareness, global cooperation, and dispute resolution.

The guidelines reflect the notion that easy identification of an online business is a key element for building consumer trust in the electronic marketplace.

Because a web site has no obvious physical presence, consumers are deprived of many of the usual cues that they have when they go to a traditional business.

When you go down the street, you can see that the store is there; you can expect that it will be there again if you have a problem and you need to return the merchandise.

Because web sites can go up and go down very quickly, clear identification of the business is key for building consumer trust.

So in this respect, the OECD guidelines call for online businesses to provide accurate, clear, easily accessible information about themselves to allow prompt, easy, and effective consumer communication with the business.

Now, while the obvious place to provide this contact information is the web site itself, Whois can serve as a very useful complement to the information provided there, where a savvy consumer has a notion that something may be up with the web site, they can quickly do a Whois search to find out if that information provided there matches that that is provided on the web site.

Conversely, businesses that provide false contact information can undermine the experience of a consumer that decides to conduct a Whois search.

Here again, the guidelines are relevant.

They state that businesses should not exploit the characteristics of electronic commerce to hide their true identity or location.

So where the results of a Whois search provide obviously false information, the consumer is going to be scared not just from doing business with that company, but in fact perhaps with doing business online at all.

A second but related area is the value of Whois in working to prevent Internet fraud.

And this is for the law enforcement folks who are charged with protecting consumers.

And the problem of false information has become an impediment to effectively identifying wrongdoers online.

And I know the next speaker, Maneesha Mithal, from the Federal Trade Commission will say much more about that with greater detail and animation.

I will note that the OECD guidelines again addressed this point, noting that online businesses should provide accurate, clear, and readily accessible information about themselves to allow the location of the business and its principles by law enforcement and regulatory officials.

We've already heard a little bit about data quality problems associated with Whois.

They're discussed a little bit in the paper.

In addition to the accuracy issues, there are, of course, issues about the availability of Whois data. Even within the small set of 30 OECD countries, there is considerable variation in the practices in the ccTLD space on public availability here.

I will not labor these points as they may not be unique to the consumer policy perspective.

So let me conclude, then, by reiterating that there is a consensus among consumer policy experts in OECD countries that businesses should provide accurate contact data when registering domain names for commercial purposes.

This data should be publicly available for quick and easy access by both consumers and by the government officials charged with protecting the consumers.

While there may be very legitimate uses for anonymity on the Internet, those uses do not include doing customers with the consumers.

Thank you.

(Applause.)

Vinton Cerf: Karl.

Karl Auerbach: I've been raising with increasing frequency recently the notion of an Internet business license.

I don't think ICANN's the body to issue that sort of thing.

But it's pretty common in most places that everybody who is engaged in some degree of commerce, from street vendors to large corporations, has some actual registration that consumers can go there and find it.

What I hear you say, in some extent, is you're asking us, ICANN, to become a consumer protection agency and issue those kind of licenses via the Whois database.

And I think that's beyond our scope.

I would suggest to you that perhaps you ought to undertake to become the issuer of these kind of business licenses if you think it's that important.

Michael Donohue: The paper describes the need for business identification arising out of the guidelines for consumer protection.

And they are addressed not just at governments, but at businesses as well.

And, really, the primary responsibility lies with the businesses to identify themselves to build consumer trust.

I don't think the paper suggests that we necessarily need a global registry for online businesses.

And I don't think that by suggesting that Whois data provides an important complement to what businesses provide directly on the site that we are suggesting that ICANN would be performing the same registration duty.

Vinton Cerf: And I don't see any other questions.

So let's proceed.

Thank you very much.

Michael Roberts: Our final speaker this morning will be Maneesha Mithal from the United States Federal Trade Commission, who will speak about law enforcement interests and uses of Whois data.

I would just like to remind people that all of the presentations that have been put up this morning, including the scribing, either are or will be put on the ICANN web site for archival and reference purposes.

Maneesha Mithal: Thanks, Mike.

I've been asked to speak today from a law enforcement perspective. And specifically, I am going to talk about the Federal Trade Commission in the United States, or the FTC, and how we, as one particular law enforcement agency, use the data in the Whois database.

Before I get into how we actually use the Whois database, I thought I'd give some brief background about the Federal Trade Commission for those of you who aren't familiar with the agency.

Then I will talk about four examples of how we use Whois data.

And finally, I'll summarize some testimony we gave before the U.S. Congress last year, summarizing our position with respect to public availability of Whois data.

So first, a little bit of background about the FTC.

We are the only agency in the United States that's empowered to protect consumers through our jurisdiction over both competition and consumer protection issues.

On the consumer protection side, we're charged with protecting consumers from unfair, fraudulent, or deceptive practices.

Now, the nice thing about our operative statute is that it's not limited to any particular medium.

50 years ago, we were using the same statutory language to go after fraudulent or deceptive practices in newspaper ads and magazine ads.

About 30 years ago, we started going after telemarketing fraud.

And close to 10 years ago, we started going after fraud on the Internet.

Now, I should note that we, at the Federal Trade Commission, only have civil law enforcement powers.

We do not have the power to impose criminal penalties or sanctions.

What we can do is we can go into court and get orders enjoining a company from committing fraudulent or deceptive practices.

And we also seek to make consumers whole.

So let's say 100 consumers have complained to us they've lost $1,000 each as a result of some fraudulent claim.

We can go into court and ask the court to freeze $10,000 worth of assets of the company so that we can return that money to consumers in the form of redress.

Next slide, please.

We believe that fighting Internet fraud is important both to address the consumer injury it causes directly and to build consumer confidence in the medium, because, after all, if consumers believe that the Internet is rampant with fraud, they will be less likely to do business online.

So since 1994, we have brought over 250 law enforcement actions involving Internet fraud against over 700 defendants.

And through these actions, we have been able to stop over $2.1 billion in consumer injury.

Now, before I go any further, I should define what I mean when I say "Internet fraud." By "Internet fraud," I mean any type of scam that's perpetrated either through a web site or through SPAM e-mail.

And we're looking at the kinds of fraud that directly harm consumers. We at the FTC are not really concerned as much with harm to competitors. Even on the competition side, we deal with protecting consumers -- any type of deceptive or fraudulent claim that harms consumers.

We've used this to go after get rich quick schemes, travel scams, health-related scams, unauthorized billing, unauthorized charges on credit cards, and also misrepresentations of compliance with privacy policies.

Now I'll go into the four main ways in which we use Whois data.

I think first and foremost, we use the Whois database to identify where a perpetrator is located.

A good example of this is a case we brought last year against a company called TLD Networks.

And TLD Networks was selling bogus domain names to U.S. and British consumers.

They were sending out SPAM e-mails and saying, "Be patriotic. Register your .usa or .brit domain name now." Of course, there were none.

So what this company would do is it would pocket the $49.95 consumers sent to register these domain names and then it would do nothing.

So we did a Whois lookup and found that the company was actually located in the U.K. We contacted our counterparts in the U.K., the Office of Fair Trading, and began to work with them.

We in partnership brought joint law enforcement actions.

We were able to shut down the web site, enjoin the company from future fraudulent or deceptive practices.

And we were able to preserve funds to return to consumers as consumer redress.

A second way in which we use Whois data is to serve process.

This is illustrated by a recent case we brought against a company that was sending out SPAM e-mails to consumers, and it was saying, "Congratulations. You have won a free Sony Playstation. All you have to do is go to this site, download some software, and you will win the Playstation."

And, of course, the consumers would download the software at exorbitant cost without disclosure.

And they would not win anything.

When we did the lookup, we found the site was registered to an entity in Spain.

We confirmed that.

But the ability to check that through the Whois database initially enabled us to get a leg up.

We started researching the service of process rules for Spain.

We used the Hague Convention on the service of process.

We were able to get a leg up on service of process because we got the information quickly.

Another way we use Whois data is to generate investigative leads.

Oftentimes, as different speakers have said and as we've said at the FTC, the information in the Whois database is inaccurate.

And a lot of times people will provide inaccurate contact details.

But sometimes we can get other information through the Whois database, such as the name of the registrar, the name of the web hosting company, and then send subpoenas to those third parties to try to get further information.

This happened in a recent case that we're actually still litigating against, a company called Premier Escrow Services.

This was basically a phony escrow service.

This company was buying and selling products on the Internet, and both as a buyer and seller, it was purporting to use this escrow service.

It said to consumers, if you're nervous about sending us the money directly, you can send it to this escrow service and we won't get it until you get the goods.

Of course, the escrow service didn't exist and the company would simply pocket the money.

We found that the Whois data provided was inaccurate.

The contact details were inaccurate.

But we were able to get some investigative leads through the registrar and the web hosting company.

One of the things you might be asking is why can't law enforcement agencies subpoena registrars and web hosting companies in any basis.

Why do we need the Whois database? I think there's two problems.

One is, with the subpoenas, it takes us a lot of time.

Internet fraud really happens at a very quick pace.

Somebody can set up a web site, defraud thousands of consumers overnight, shut down the web site, and move to another web site.

And so we find that if we send subpoenas, we get a little bit behind and it's much more useful to have the information readily available through the Whois database.

The other problem with sending subpoenas is that the Internet is global.

And a lot of times, the registrars and the web hosting companies will be located outside of the United States.

And we really don't have any practical mechanism to compel these companies outside the United States to provide us with information.

So that's another problem.

The fourth way in which we use Whois data is to conduct law enforcement surf days.

That is basically when law enforcement agencies from around the world get together for maybe a day or a week and they pick up a particular theme, such as get rich quick schemes.

And we surf the Internet for potentially misleading or deceptive claims, claims that are obviously misleading on their face, such as make $50,000 a day working at home, et cetera.

So what we do is we collect the information about those sites making potentially misleading or deceptive claims, and we do Whois lookups.

We find the e-mail addresses for those sites.

And we send warning letters saying that those sites may be violating the law.

And we find that the surf day is a fairly effective tool, because when we revisit the same sites a month later, we find that many of them have either modified their claims or the sites have been taken down.

So the Whois is a very useful tool for us to be able to do these law enforcement projects.

Just an anecdote here.

We recently did a surf for remove me or unsubscribe claims in SPAM e-mails.

And what we did was we took 200 e-mails and we tested the remove me or unsubscribe links in those e-mails.

And we found that of those 200 e-mails, 77 of the unsubscribe links did not work.

So we decided to send those sites warning letters saying that the failure to abide by an unsubscribe request can be considered fraudulent or deceptive practice.

And of those 77 e-mails that we sent, we sent the e-mails looking at the Whois database for those web sites, and then of those 77 e-mails, 16 of them were undeliverable.

So in that small sample we did, we found about 21% of the e-mail addresses in the Whois database were inaccurate.

Now, finally, I'd like to summarize some testimony we gave before the U.S. Congress last year.

And I think that we have a very unique perspective on these issues, because we're a law enforcement agency.

We are a consumer protection agency.

And we're also charged with protecting consumers from misrepresentations about privacy.

And so we have a really unique perspective.

So what we did in our testimony is we summarized some of the ways in which we use Whois data that I have just talked about.

We talked about some of the problems that we faced with inaccuracy in the Whois database.

We have lots of anecdotal examples of web sites registered to Mickey Mouse or God or Hacker or Donald Duck.

We also found Amanda Hugandkiss at 4 Skin Street in Amsterdam.

We gave some of these examples and included with three observations.

First, we said it was very important for law enforcement agencies to have access to all contact data about web site registrants.

Second, we said that the public should have access to Whois data about commercial web sites. And this follows largely on the reasoning that Michael just mentioned of the OECD paper, which basically says that consumers have a right to know who they are doing business with.

And there may be privacy concerns with respect to commercial sites.

But the transparency interests certainly outweigh those privacy concerns.

Then we also pointed out that for noncommercial sites, the balance between privacy and transparency might weigh a little bit differently.

And we acknowledged that and we didn't really take a formal position but said we wanted to continue to work with stakeholders on this issue.

And I think these meetings can go a long way to furthering that discussion.

The final thing I wanted to note, we didn't really say this explicitly in our testimony, but we have been on record as saying that for law enforcement purposes, search ability through various data fields is very helpful.

We often find that those persons that we are investigating will set up hundreds of web sites.

They will register hundreds of web sites to try to defraud consumers.

And even if they provide inaccurate information, they often provide consistent information across a lot of the web sites that they register.

And so it would be very useful for us to be able to have greater search ability of different data fields in the Whois database.

I know that's a controversial issue and I hope we will have more discussion about that at tomorrow's meeting as well.

Thank you.

(Applause.)

Michael Roberts: I'd like to ask our panelists to come up and take any open seat here at a mic.

We're going to have a question and answer from the floor and also there is an opportunity for remote participation.

For those who may be participating in this session by web cast, if you wish to direct a question to our panelists, the e-mail address is Whois-workshop@icann.org.

So as soon as we assembly the panel up here, there is a mic, and to be consistent with the purposes of this morning, as I mentioned at the beginning, it would be most useful if you would direct your questions at the panelists on the subject matter that they presented.

There will be an opportunity, a somewhat larger opportunity tomorrow to get into the question of where people come down from a policy or a position perspective on Whois.

We are trying to provide a foundation of factual information this morning on the various aspects of the uses of Whois.

And so if we can get our panelists assembled, we'll take some questions.

Give us about 30 seconds here.

Okay.

First question.

Yes, sir.

Ben Davis: Thank you, my name is Ben Davis.

I'm an at-large member.

A question I just had was, with regards to Whois and the levels of privacy, is part of the discussion the potential revenue streams from the selling of Whois data for, I guess, the registrars and the registries which determines the level of interest in privacy.

If you have high privacy, there's less information you can sell.

But low privacy, maybe there's more information that's interested in being sold. And I just wonder if that's not part of this discussion, too, because registries, registrars, et cetera, would seem to have to seek financing in the marketplace and the licenses they have, et cetera. Are there people willing to finance them? Would have some concern about what kind of access to data that could possibly be marketed would be there.

Maybe I'm completely off point.

But just was curious about that.

Is that a relevant concern?

Michael Roberts: Bruce?

Bruce Tonkin: That certainly is an issue.

It's an issue that comes from two perspectives.

One perspective is from a registrar point of view, there is a cost in providing the service.

And there are costs in managing access control as well.

So let's say we provide a Whois completely open (inaudible) which some of us do.

That is a high cost to us in terms of network bandwidth and infrastructure to support open (inaudible) but low-cost in terms of staff because there's nobody checking things.

An alternative model could be that you have every single access to that Whois separately controlled in that you have to fill in a form to request a particular Whois record.

That form gets checked.

And the process is completely manual.

So we probably wouldn't need much it infrastructure in order to staff that but we'd have higher staff costs.

That's on the cost side of the equation.

On the revenue side of the equation, I think registries and registrars operating in a fairly tight market in terms of margins, the new registries, you know, haven't perhaps had as many names registered, as they would have liked.

The registrars are in a highly competitive market.

And so both of those entities are looking for different ways of developing businesses.

And some of those businesses could be around advance searching services, et cetera.

But the business models, then, are constrained by whatever the policy is.

So whatever the policies are, the market will then determine what processes can be marketed within those policy constraints.

So, I mean, yes, there is commercial issues on both sides.

Michael Roberts: Thank you.

Would you keep this mic live, please?

For the purposes of our remote audience, would people asking questions please identify themselves.

Milton Mueller: Milton Mueller, (inaudible) University.

I'm very interested in the way the Whois policy affects the distribution of costs.

And, again, I think this is something that wasn't discussed adequately by any of the panelists except maybe Bruce.

And so I'm particularly interested in addressing this question to the people who are using Whois for law enforcement purposes or self-enforcement of their own property rights.

And I think those issues should be treated generically.

I don't think it really matters whether we're talking about an IP owner trying to enforce their property rights or a law enforcement agency.

The fundamental issue, people do bad things on the Internet and how do I identify them? Let me propose an analogy to you and I want to see how you react to it.

Suppose in implementing a database for driver's licenses, somebody made a mistakes and they made it completely open to the public over the Internet so anybody in the world could look up if they saw your driver's license, they could look up all of your contact information, including your home address.

Now, it would be obvious that some people would be able to use this capability for legitimate purposes for law enforcement purposes.

They would be able to report people who ran into them, report hit and run drivers easier, able to report abusers.

It was also possible that people would be able to abuse this information quite extensively.

Just to be specific, you might have a whole class of parking lot attendants who found this capability of looking up names and addresses from driver's licenses to be extremely useful and they would come before you and say, we've got to have this information.

It's got to be available to us.

My point is, I don't think it's logically correct to give us a parade of fraudsters and criminals that you have found using Whois data and then say that means we have to have this data completely accessible to anybody at any time.

That is not a logical conclusion.

What I'd like to say is, particularly addressing this issue of are there other ways for you to get that information, and are they cost effective? And I'm as concerned about the cost effectiveness of it as you are, because we want to be able to pursue fraud efficiently.

But I'm simply not convinced, no matter how bad the fraud or the crime is you're talking about, that you have to have completely open, public, and searchable data in order to identify bad people on the Internet.

Michael Roberts: Thank you.

Milton Mueller: That was a question, I think.

Michael Roberts: I think the panels tomorrow morning will get into that area pretty extensively.

And will certainly deal with your concerns about proportionate instrumentalities.

Bart Boswinkel: I just want to give a reaction on your statement or question that we got from the cc perspective. Maybe you can recall what I have just said, "criminal law is applicable for registry." So is taxation law. For instance, within the Netherlands, there are special provisions. And for that matter, they don't need the Whois. They come directly to the registry. And they have to fulfill certain legal terms in order to get these information. And we check them. But that means for that purpose you don't need the Whois.

Michael Roberts: Next.

Ruchika Agrawal: (inaudible) I think the most important point to realize today is that domain name registrants consist of businesses, individuals, media organizations, nonprofit groups, public interest groups, political organizations, religious organizations, support groups.

I think many of the panelists today focused on the commercial uses of the Internet.

So my first question is to Michael Donohue, if you could talk about the OECD privacy guidelines and how they can play a role in sensible Whois policies.

Michael Donohue: Thank you for that question.

In fact, I didn't speak much about the OECD privacy guidelines.

Michael Roberts: Speaking just a second, can the audience hear in the back? Because it seems to me we're not giving enough sound to the speaker.

Michael Donohue: Is that better?

Is that better?

I was here today speaking from the consumer's perspective, really, only.

And in that context, it seems clear that the transparency is the key, and protecting the professional contact information for businesses should give way to those transparency considerations.

But when you're talking about noncommercial uses, as you listed quite a few there, the privacy analysis may be quite different than that.

Thanks.

Ruchika Agrawal: (inaudible) the OECD privacy guidelines play a role in those other noncommercial uses of the Internet?

Michael Donohue: The guidelines were actually established back in 1980.

So they've been around quite a long time.

And many consider them to be an international standard for privacy protection.

On the other hand, they're out there for everyone to consider.

And I don't think the OECD secretariat has a monopoly on interpreting them in this context.

I think we can look forward to discussion over the next two days, both from the perspective of data protection laws, as well as the guidelines about how to address the privacy issues outside the commercial perspective.

Ruchika Agrawal: May I ask two more questions?

Michael Roberts: Can we get Bruce Tonkin's mic?

Bruce Tonkin: Just a comment that follows on from the question about the OECD privacy guidelines. One of the problems with the way Whois data is collected at the moment is that it's often not clear to the registrant what information they should provide, and quite often when the registrant is a company, they don't actually provide the company name as being the registrant name. They provide their personal name.

And that ends up with a lot of merging between private personal details and company details.

And we found, certainly in the Australian context in the .au regime, it's actually quite explicit that it needs to be the company name that is provided in the Whois, not the person's name. And then there's other areas of .au where the person's name is appropriate.

But one of the things you can do with privacy guidelines is to say we have certain rules regarding company usage of domain names, and the information that needs to be provided, and certain rules about individuals that are using domain names and what information is provided.

But right now, the Whois collection process, the actual collection process that the registrar uses, doesn't distinguish between those two cases. So that makes it hard to apply a lot of the privacy guidelines because it's hard to distinguish individuals from companies in Whois today.

Ruchika Agrawal: Can I ask one more question?

Michael Roberts: Yes ma'am.

Ruchika Agrawal: The next question is to Maneesha. I'm familiar with the FTC and I know you have a big campaign on identity and you have this list of things to do to protect for consumers and the steps they can follow to protect themselves from identity theft and one is do not give out personal identifiable information and all registrants, regardless of who they are, to globally public reveal their personally identifiable information and I would like an affirmative statement from the FTC, I've asked this question a number of times and you've always said we're thinking about it, but I'd like to get a response.

Maneesha Mithal: Thanks for asking that question. I think we have said, we have an identity theft community brochure and I don't think we've categorically said never share your personal information. I think people will share that information to get services and that's appropriate as long as they know whom they're dealing with and what's going to be done with that information. So I don't think our position on Whois is inconsistent with what we've recommended in the identity theft brochure.

Michael Roberts: Next question.

Alan Davidson: Hi, I'm Alan Davidson with the Center for Democracy and Technology, and I have lied on my Whois registrant information. The first time I lied when I registered a domain name was six years ago, actually, when I purchased a domain name for my girlfriend at the time. Perfect geek birthday present. I know, I know. And it sort of defied common sense to put her home address and home phone number, which I had myself worked so hard to get.

(Laughter).

Alan Davidson: Into a database that was going to be available publicly to the world. And I only mention that because I think it's important to underscore something Ruchika and others have said which is in many contexts we're talking about the registration and information that includes personal details about individuals who are registering perhaps for noncommercial purposes. Which was the case in this case.

And, you know, just to give context, at least within the United States, this comes at a time when people are tremendously concerned about their personal privacy. The survey data shows the number one impediment to e-commerce, number one concern I should say in individuals participating in e-commerce is concerns about personal privacy, there's tremendous worries about identity theft, data mining, government access to information, our own Federal Trade Commission, as was just indicated, has warned consumers in ways that I think are quite confusing to at least take great care in releasing their personal information.

And so I also wanted to mention this because I think it's to underscore in with accuracy of data. And if we do believe that there are reasonable purposes for access to some information, registrant information, our belief is that you will never get accuracy in this database from individuals unless there is some baseline guarantee that their privacy and security is going to be protected. I'm interested in getting a comment from the speakers, particularly the government speakers, about that issue particularly. Thank you.

Michael Roberts: Who wants to go first?

Maneesha Mithal: I can take a crack at that. I think we're sensitive to those concerns. Particularly in the noncommercial space, and I think as we said in our testimony, I don't think we have all the answers. But I think that between today, tomorrow, and further discussion, we can try to work on a solution.

Michael Roberts: Next question?

Alan Davidson: Could I ask a quick follow-up since I didn't get a good bite on that one? There are some pieces of information here that could be highly personal, I'm thinking about phone number for example. And in all the examples we heard today about reasons for access to information I never heard a good example of why people need access to something that might be somebody's home phone number, an administrative contact telephone number. I'd be interested in whether any of the panelists can justify that. It's not necessary for service of process or identifying somebody. In this electronic age it's not even necessary for even contacting somebody and is rarely used but does raise huge privacy concerns. Any thoughts from our IP persons about why we would need a home phone number?

Bart Boswinkel: Yeah. This is our experience; this is why we have this contact information in our Whois, is, especially in cases where there is technical foul-up and you have an e-mail address to reach the domain name holder, and there is something weird so you need an out of band contact detail in Whois in order to fix this.

This was the reason why we have this information.

Michael Roberts: Anyone else?

Bruce Tonkin: I guess a quick follow-up to that and I agree the telephone number is very useful from the point of view of a registrar. It's probably the difference between why are you collecting the telephone number as to why you are displaying the telephone number. We do need to separate the collection from the display.

Michael Roberts: Next question.

Mark Bohannon: My name is Mark Bohannon. I'm with the Software Information Industry Association. We represent a little over 600 companies that produce software, information services and engage in e-business.

Two-thirds of our businesses are small and medium sized enterprises; therefore the issue of fraud and confidence in the Internet is very, very important to them.

I know it's been said before, but Mike, I want to say thank you again to you and the program committee for somebody who has been thinking about these issues for a long time, I found today's session very, very good and I cannot thank you enough for putting this together, especially in the short amount of time you had.

My specific point goes back to Louis's presentation. Though this may, in fact, be a question for Bruce.

Louis, you pointed out that under provision 3.77 of the registrar accreditation agreement there are a number of obligations that registrars have involving updating, accuracy. But there was also a provision that in fact specifically requires the registrars to tell registrants the purposes for which their data is going to be used. Moreover, that provision also requires very specific consent on the part of the registrant to agree to those purposes so that, in fact, the registrar accreditation agreement does provide a broad-based consistent policy at a policy level to make sure that those kinds of issues which have been raised throughout the discussion and which I think are going to be very important as this discussion continues, to make sure that we have a common set of understandings here.

The question is, what efforts have been made and what efforts could be made to see how consistently registrars are implementing that policy so that the purposes for which Whois data has been used, now going back decades for a variety of purposes, what kind of information do we have about that and what can we be doing more to ensure that we have a consistent knowledge base upon which to work about how registrars are implementing them?

Louis Touton: Let me begin by responding on that. Early in the lifetime of the registrar accreditation program, back in '99 and 2000, registrars did not quickly uptake on providing data and obtaining consent and so forth. However, actually in preparation for speaking here today, last week we did a quick survey and found significantly, to my surprise, at least, that most registrars now do have an explicit privacy policy. And the other thing that was remarkable, two other things were remarkable about them. First of all, all of them begin with the sentence "your registrar respects your privacy" and the other thing is that it then proceeds to describe all of the uses they're going to make of your data, many of which are not connected with any Whois requirement.

So I think that it's not currently, at least in my perception, a problem with registrars not making the data available and even making it available in explicit privacy policy that concerned registrants can look to. It's perhaps more of a problem that is shared generally about privacy policies as that at the time of purchase, consumers don't have privacy first on their mind.

Karl Auerbach: Just a second. Actually, I have a follow-up to that. But to both of you. To the extent that there are consumer privacy protections in the RAA, should we be putting in explicit third-party beneficiary rights so that the consumers have a way of enforcing those rights?

Louis Touton: Let me follow-up on that.

Michael Roberts: Excuse me a second. We really ought to follow the order here that Bruce was going to speak to the issue from the audience and Diana also wanted to respond to that question.

Bruce Tonkin: I guess just from the perspective of a registrar and responding to what Louis said earlier, Louis basically said that the registration agreement allows the registrar to effectively create their own terms and conditions, and basically there's a minimum set of terms and conditions that need to be provided and a registrar can add to those.

And then Louis has pointed out that you might contain some of your terms and conditions regarding the use of the data in a privacy policy.

So those are all sort of legal compliance issues. And I think registrars are complying with that from a strictly legal point of view.

From a consumer point of view, though, I think the issue is that rarely does anybody read the terms and conditions. So when you buy a piece of software from someone like Microsoft, there are pages of very fine print, and I think most people don't look at that. They say yep, I need Microsoft Excel and I'll buy it.

I think the same thing applies, very rarely would anybody read all the terms and conditions.

And probably, privacy policies for most of us here are something we are aware of and it's something that certainly in Australia and other countries you have to provide those policies publicly, but there's still a time when someone might create a law that way and people reading those privacy policies, and I think very few people read those privacy policies today.

Mark Bohannon: I'm not sure I understand your point, though, because ICANN is a contractually-based relationship across the board. So if you don't enforce it through contracts, how are you going to enforce it?

Bruce Tonkin: The point I'm making is that the registrars are complying with the contracts.

Mark Bohannon: No, your other point which is I heard a criticism. By the way, Microsoft is not a member of our association, but I want to make sure I don't leave a misimpression here which is the heart of ICANN is, in fact, contractual relationships. So I'm a little concerned, I guess, to hear you criticizing the contractually-based approach when that isn't the heart of the association.

Bruce Tonkin: I'm not criticizing the contractually-based approach. I'm just pointing out that registrants themselves are not exercising the choices that are available to them simply because most registrants do not read the different terms and conditions. They probably go, for example, they might be looking for the best price and they're not actually looking at the terms and conditions.

Mark Bohannon: That's my experience in the market as well.

My point really went to getting a knowledge base to see, since there are very specific requirements on the registrar, about identifying the uses of information and getting specific consent, which is inherent in the RAA. What is the knowledge base, and Louis, I'd appreciate if you would give me that update?

Michael Roberts: Excuse me. Diana wanted to make a comment but let me point out that we've been advised we should not go into people's lunch hour because there's a busy program this afternoon. And we only have two minutes left in our allotted time.

For those of you who wanted to ask questions and aren't going to get to ask them this morning, there's both a public comment period tomorrow as well as the fact you're welcome to come up and talk to our panelists after we adjourn.

So now I'll go to Diana.

Diana Alonso Blas: Thanks, very much. Well, I would like to comment on a couple of issues the gentleman has raised. I don't know if you hear me but we have here some cable problems.

Concerning the issue of informing of the people, it could be, I'm sure you know much more about me than that, that there are specific provisions as to informing those who register domain names. But what we get from the data protection authorities and the complaints we receive is that individuals are not aware at all of the fact that data are going to be publicly available on the web site and on different ways of the Whois.

So this kind of information provision is not being done very properly.

The second issue that think is even more important is the question of consent. A consent is by definition something that only works out when it's freely given, a specific informant. So if people are not aware of the condition, and secondly, if they choose to say yes I want a domain name but then my data have to go obligatory or not, then I wouldn't say this consent is legal grounds for this process. In addition to that, you have other requirements, that concern proportionality and so forth, if not respected, makes it unlawful.

Mark Bohannon: As you know, the issue of consent has been a robust discussion between a number of different countries in the EU so I look forward to discussing that with you. But I think the point to go at whether it's publicly available or not goes to the knowledge base of what's included in the disclosures made to the various registrants. Those are two very good points and we look forward to looking at them with you.

Michael Roberts: We didn't anticipate having a mini debate. I'm going to disappoint the people in line because this is the last question today.

Brian Cute: It's a question for Jane Mutimear. It's focused on bulk Whois and in your presentation you stated reliance on bulk Whois. And you had a very interesting suggestion which was along the lines of would access to the zone files data be a satisfactory sort of substitute in the sense that the zone files would provide the primary consideration of searching a registered name or names that are of concern.

And the other thought is thinking forward and solutions-wise, it's been suggested, roughly, out of the registrar constituency, that one model would be protected access to legitimate users, like IP interests to Whois data. Would perhaps a combination of zone file data; registered name access and contact data through protected access satisfy the overall data needs of IP interests?

Jane Mutimear: That's something that we can discuss further, but I'm not sure whether my understanding of the data which would be available under the zone file scenario, which Amadeu was putting to me, would be sufficient for the purposes that bulk access is currently used for by IP owners.

The restricted access model could potentially work in relation to intellectual property interests. Now, how that would work in practice in relation to having approval of the people that were trying to go into access would work, I don't know. That's going to be very tricky.

But also, I don't know how it would work in relation to companies who are just trying to check what they've got, due diligence, consumers who are trying to check who they're dealing with by Whois lookup. They're not going to be helped by intellectual property owners being given special treatment.

Michael Roberts: Vint, is there anything you'd like to contribute here?

Well, thank you very much for your participation. We'll see you at 8:00 sharp tomorrow morning for the second installment of Whois workshop.

(Applause).

(12:05)

© Internet Corporation for Assigned Names and Numbers