ICANN Whois Workshop in Montreal Real-Time Captioning
25 June 2003
Note: The following is the output of the real-time captioning taken during the ICANN Whois Workshop held 25 June 2003 in Montreal, Canada. Although the captioning output is largely accurate, in some cases it is incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
Vinton Cerf: Good morning, everyone. My name is Vint Cerf, Chairman of the Board of ICANN. And I'm pleased to open up this second session of the Whois workshop.
We will spend about four hours, I guess, this morning going through more material in a panel discussion, and then later in the day, we will have the traditional open forum for comments from the attendees here at ICANN. So with that morning introduction, I will turn this over to Michael Roberts. If you want to introduce the first session, Mike.
Michael Roberts: Good morning. It's my pleasure to introduce to you the Chairman of the Government Advisory Committee, Sharil Tarmizi, who will kick things off this morning.
Sharil Tarmizi: Thank you, Mike. Good morning, all. I hope we're all awake. I'm about half awake. Good morning, Vint and fellow GAC colleagues. It's nice to be here.
I'd like to welcome you to the second day of our workshop on Whois. Yesterday, we had a series of very informative sessions to explain how the Whois database works and the various uses of and interests related to the Whois database. I think we all received valuable education on the complexities and the questions in this area. And I hope that the tutorials have answered many of our factual questions. I know for me, certainly it's helped me in my understanding a little bit.
This morning's panel or panels will build on these tutorials. Both panels will be looking at the policy goals, which are often in tension. These public policy goals include law enforcement's access to Whois data, the role of Whois data in enforcing intellectual property rights, concerns about privacy, data mining and other consumer rights and protection issues such as freedom of speech and spam.
On each panel, we have representatives from the varied public policy interests, law enforcement, intellectual property, consumer interests, and privacy. In addition, we have representatives of registrars, registries, and ISPs, I believe, who are dealing with Whois on a day-to-day basis.
Our goal this morning is to move the discussion forward to better understand the competing public policy goals in using the Whois database, and also to explore possible solutions in addressing all of these goals. And that's not necessarily easy.
Our first panel will address how the various public policy goals can be balanced within the existing Whois system. For example, does the status quo work? If it doesn't, how can it be improved to satisfy our concerns?
As I understand it, our second Whois panel will be addressing new approaches to a Whois system. If the current system is not working, what other models might better balance our public policy goals? Are there existing mechanisms that might be useful? And how would these new models work?
These panels promise to be very provocative and will, I hope, lay the groundwork for reaching consensus on these issues. As a matter of procedure, questions during the panels will be asked by our discussants, who are seated in front of you, who are members of the Governmental Advisory Committee's Whois working group.
Do you need me to identify them, so that you know? I think you know them.
At the end of these sessions, we will have an open question and answer question, as Vint had said, which I'm sure will generate another lively debate.
So without further ado, I would like to introduce my colleague, Mr. George Papapavlou, of the EU, our moderator for the first panel.
Thank you very much, Vint, and thank you, Mike.
George Papapavlou: Thank you very much, Sharil.
Good morning, ladies and gentlemen. I am very pleased to see quite a number already in this room at this early time of the day and after the main work of all the constituencies has finished. So I'm glad to see that many of you are still here and interested in coming and discussing with us.
We had a very interesting session yesterday, and I hope we will have an equally interesting session today. We will have approximately one hour to discuss a number of questions. We have two discussants that will ask the questions, two members of the Governmental Advisory Committee, Alan Wong from Hong Kong is on my left, and Antenor Correa from Brazil is on my right.
And we have a number of distinguished panelists that I will introduce to you immediately. The process that we will follow is that we will go one question after the other. Not all the questions are addressed to all panelists. Depending on the nature of the question, some panelists are expected to be more interested than others. But, of course, that's not to preclude other panelists to give an answer if they so wish.
The important thing is that we keep to the timing. As I said, we have approximately between 60 and 70 minutes. We need to end by about 9:30. And then there will follow a break. Then we will have a second panel. And then we will have the public forum discussion in the end. Therefore, it is not possible to have questions from the floor during the panels. There will be plenty of time at the end.
So let me introduce you to our panelists this morning.
From left to right: At the far left is Tom Keller, who is with Schlund & Partner AG, a large web-casting company based in Germany. He will give us the registrant's viewpoint.
Next to him is Jeff Neuman, Director of Policy at Neustar, who will give us a registry viewpoint.
Next is Diana Alonso Blas, who, as you know, was one of our speakers yesterday. Exceptionally for her and for Michael Donohue, because foreseen panelists could not make it, we said we would use people from the tutorials. And we thank both Diana and Michael for agreeing to do both things. Diana is an official legal and policy officer in the European Commission, specializing in privacy and data protection issues.
Then is Sarah Deutsch, who is Vice President and Associate General Counsel for Verizon Communications. She will give us an ISP perspective.
Alan Wong I already introduced to you. He is a Director of Information Technology and Services in Hong Kong, Alan Wong.
Antenor Correa is Software and General Services Manager for the Ministry for Science and Technology in Brazil.
Next to him is Christian Wichard, who works for the World Intellectual Property Organization. He is the head of the legal development section at the Arbitration and Mediation Center of the WIPO. Obviously, he will address IPR perspectives.
Michael Donohue, you know from yesterday, is in the OECD, specializing in consumer matters; he is a consumer policy analyst.
And further down is Paul Stahura, who is the founder and CEO of ENOM, one of the large registrars. And he will give us the perspective of a third party Whois registration provider.
And, finally, at the very far right is John Logalbo, who is a trial attorney with the U.S. Department of Justice, computer crime and IP section, and will obviously give us the law enforcement perspective.
So without further delay, I think we can start with our questions. I will ask Alan Wong to start by asking the first question.
Alan Wong: Thank you, George. Good morning, everybody. This panel is focused on the current Whois system. I want to begin by asking the registrar on our panel, Jeff Neuman, and also our ISP, Sarah Deutsch, a number of questions.
Is the current Whois system working? What tensions exist in balancing the various public policy objectives of Whois, such as providing accurate and available data, while recognizing that publication of all data may pose privacy and consumer concerns?
Perhaps start with Jeff. Yes.
Jeff Neuman: Sure. I can answer this question.
Actually, I represent a registry. I can give the registry perspective, or would you like Mr. Keller, who represents the registrar perspective? I can certainly answer the question, if you'd like.
Alan Wong: Well, what do you think? Registrar or registry?
Jeff Neuman: Sure. With respect to whether the current Whois system is working, I think it depends on how you define is it working. I would say the answer to that question is, yes, the system is working exactly as it was designed to work.
From a technical standpoint, each of the registries that are required to display Whois information, and now I am talking about generic top-level domain registries, are displaying that information, are taking the information they get from the registrars, who ultimately get that information from the registrants, and display that information.
With respect to, you know, the tensions that exist in balancing the public policy objectives, from a registry standpoint, you need to look at Whois from several different standpoints. And any proposed solution.
You obviously need to consider the legal and policy implications. But you also need to consider technical implications, as well as business feasibility. There are a number of ideas that have come forth both during initial discussions within the community as well as even at this meeting here, and will be discussed later on.
And what we would ask from a registry standpoint is that when these solutions are explored, that even the greatest policy and legal solution needs to consider the costs that are involved and the costs of developing the system, maintaining the system, and enforcing or implementing the system. So I think those are the tensions that, from a registry standpoint, that we see.
Alan Wong: Sarah, what do you think?
Sarah Deutsch: I guess the question is, is the Whois system working? It would be like asking, is the space shuttle flying? We are still picking up the wreckage. There are huge problems. Whatever Whois was originally designed to do, the way people need it now, it clearly is not working. It's filled with inaccurate information, consumers can't find the real owners of web sites, trademark owners can't find infringers, law enforcement can't easily use the Whois database. And criminals are kind of using it as an ever-changing digital shell game. People are gaming the Whois database in a way that makes it unworkable.
So in between public policy issues, Verizon, I think, is in a unique position as an ISP to see that there are legitimate tensions between large corporations with business interests, IP owners, and sensitive privacy concerns. And you know, Verizon has been in a lawsuit with the recording industry.
So we are actively trying to protect our consumers' privacy. So we realize there are these issues at stake. And we think the issues, really, with Whois boil down to two basic policy objectives. One is the issue of the accuracy of the Whois database. And the second issue is the availability of Whois data.
On the accuracy issue, we really think that there can be no compromise. Whois data has to become accurate. There are just too many instances of fraud occurring in this space from cybersquatting to spam, to counterfeiting to all sorts of consumer fraud. Although there is a percentage of people who need or want to remain anonymous, the fact is these people are sharing the same Whois space with a larger number of people who have bad motives to misuse the Whois database. So it really benefits everyone to have accurate Whois data.
And then the question boils down to how can we get to the question of access. And that's, again, how do we do that. There are lots of alternatives. One is for people who want to remain anonymous; you can register with your ISP and remain anonymous through them. At least some of us are still trying to protect your identity.
But I think the difference is that we do have people's real identity. So if law enforcement or others serve us with a valid subpoena, we can comply, but at the same time, people can remain anonymous. We're very interested in exploring the idea of using the proxy services, again, with companies that have responsible practices. And I think the idea of tiered access is very interesting if the technical issues can be worked out.
One of the major tensions, I think, that still exists is what's going to happen with the Whois database. I think if this issue is not resolved in ICANN, when Congress finishes turning its attention from spam, which includes provisions about false domain name headers, they will turn their attention to Whois. And there would be maybe a legislative solution that's not as palatable to people in this room as well as working the issues out here.
Alan Wong: Thank you, Sarah.
George Papapavlou: Would any other member of the panel want to -- yes, Tom.
Thomas Keller: Yeah, hello. If you're talking about Whois, I guess we have to differentiate between certain things.
First thing, what we have is what the intended purpose of Whois was, and right now, what we are actually using it for. If we're talking about the purpose of intent, it's still working quite well, because you still can look up the technical content. That's all Whois used to be about.
When we talk about different things, like law enforcement, IP enforcement, whatever it is that's using Whois now, they are totally different things and we should spend some time on it, you know, whether these services should be fulfilled by such a service as Whois.
Before we are talking about how to do that, first of all, we should take into consideration that there are laws out there in certain parts of the world which have to be abided to by, for example, registrars and partners. So before we talk about extensive rights for IP owners, for law enforcement, we have to look down what happens in the certain countries and certain nations, what kind of laws do they have. And can we provide the data firsthand. Because it has been said during several times yesterday that Whois itself has nothing to do with the domain name registration. And it's just a misconception that you think that you have to force people to display the data if they want to have a registration.
George Papapavlou: Thank you. Very interesting. Any other comments before we -- Christian.
Christian Wichard: Just a very quick one.
Whois, from an IP perspective, as we've heard yesterday, is not all bad. It is still quite important. It serves a crucial function also for IP owners. And the function is to prevent and to resolve IP conflicts or to help prevent and help resolve IP conflicts in the domain name system. It certainly has its shortcomings. And several of these shortcomings have already been mentioned. And they have also been explored and examined in the WIPO Internet domain name process.
Let me mention three quickly. First problem, obviously, is the problem of inaccurate data. Second problem is the problem of fragmented access to Whois data. There is no centralized access that would allow searches across all available Whois databases. And the third problem is that Whois databases still offer very restrictive search facilities. You can basically only search for the very exact domain name, not much beyond that.
So those are the shortcomings from an IP perspective. But as a general rule, I think the Whois is important and it at least partly serves an important purpose.
George Papapavlou: Okay.
I propose that we move to the second question, which I will ask Antenor to ask.
Antenor Correa: Well, to give a bit of a follow-up on the answer that was given by Christian, it seemed that accuracy of information is an important issue from several perspectives. So I do want to pose a few questions to three of our panelists. Christian, John Logalbo, and Michael.
The first question would be, if you who are representatives that you use mostly Whois data can obtain if this information can be obtained from other sources in order to address the issue of inaccuracy that are present in the current system, that was identified.
That second question is concerned with accuracy again. Can the concerns regarding inaccuracy of data in existing Whois database be overcome by increasing enforcement requirements in RAA. And does ICANN have the ability to properly police the RAA to the extent necessary to protect all parties or all the interests of the parties involved? And, finally, how can such enforcement be facilitated, if ICANN cannot address it properly?
I think Christian can start answering this, if you may, please.
Christian Wichard: Thank you.
Well, as to the question whether there are other services, I'm not really aware of any other readily available source. In addition to Whois databases, there are value-added services, which then, in turn, often mostly rely on bulk access to Whois data. Otherwise, nothing really seems to be readily available. You can always hire a research service or you can try to hire a detective, but that's probably not an option for small- and medium-sized IP owners.
The question whether concerns regarding inaccuracy can be overcome by increased enforcement of requirements, well, increased enforcement will certainly improve this situation, even though it will probably not completely prevent inaccurate Whois data. Whether ICANN has the ability to properly police the RAA is finally a question to ICANN itself. But I think, at least conceptually, the answer should be yes, at least as far as the gTLDs are concerned. And the reason for this rather positive answer lies, I think, in the contractual structure of the domain name system. ICANN can require registrars by contract to comply with the terms and conditions of the Registrar Accreditation Agreement. And this Registrar Accreditation Agreement even contains, as a means of last resort, an inbuilt enforcement mechanism, because ICANN has a right to terminate the registrar accreditation agreement if a registrar fails to cure a breach of the agreement within, I think, 15 working days after being notified by ICANN.
I think there has already been one such case. The problem in this respect is that this, of course, does not apply to the ccTLDs. How can this enforcement be facilitated? That was also one of the questions.
Well, facilitation of enforcement could take the way of putting verification procedures in place, as ICANN has recently started to do. For example, by facilitating third-party complaints about inaccurate Whois data, and monitoring whether these complaints are adequately addressed by the concerned registrant.
Another option is to request registrars to regularly verify the accuracy of Whois data, and I understand that ICANN has just recently put a Whois data verification policy in place.
Michael Donohue: Thanks. From the consumer perspective, the question is, is there an alternative to Whois, is kind of a funny one because the answer is of course there is. The primary place you should look to identify an online business is to the web site itself.
The businesses should be identifying saying who they are, how to get in contact with them right on the web site.
Unfortunately, that's not always the practice, and particularly for businesses that are interested in engaging in deceptive or fraudulent commercial practices, they may not be interested in providing accurate contact information right on their web site.
And in such cases, then Whois data may be absolutely key to successfully locating who's operating the site.
Enforcement agencies who are trying to police this may have other tools available, subpoenas, et cetera, but typically, those will take too much time in order to be effective in practice, and then there are also cross-border issues that deal with those. And for consumers themselves, when the web site is not helpful, there really may be no other reasonable alternative at all for trying to locate the owner of the site.
With respect to the questions about the RAA, as I noted yesterday, the OECD has done a paper on consumer policy considerations on the importance of accurate and available Whois data. And one of the suggested approaches at the end talks about the possibility that where a domain name holder has provided false contact information, that the domain name be suspended and rather than making that optional that that be a mandatory requirement; that that's one of the ways that the RAA might be amended in order to help improve the accuracy of data.
Finally, on the question of whether ICANN has the ability to properly police, I think that's a question for ICANN. I think the recent efforts that they've taken to improve enforcement here have been helpful, and whether they're enough I think is an open question.
John Logalbo: On the first question, whether those who use Whois data can obtain the information from other sources, I want to say very bluntly on behalf of law enforcement, and other constituencies as well, the short answer is no. Law enforcement needs open, publicly accessible Whois data to fight crimes like fraud, piracy, even hacking or child pornography, and others need it to vindicate civil claims as well.
Every other source for this kind of information, and there's many of these sources have been touched on, including going to the ISP, the web hosting company, credit card processors that the bad guys use, so you're following the money trail, or even a proxy agent for the registered domain, every one of those sources involves law enforcement getting data from a third party, and that almost always requires legal process.
The simplest form of that process is a subpoena, but there are other more complicated forms depending on the sensitivity of the information sought, up to and including court orders.
The difference between getting a subpoena and serving it on a third party and direct, immediate access to the database from a desktop is night and day.
Maneesha Mithal at the FTC talked yesterday about the FTC's surf days where agents look for fraudulent or deceptive web sites and follow up with warnings and cease and desist letters. Very effective means of law enforcement; impossible without full access to the Whois database.
And in more intensive, traditional law enforcement investigations, you've got to open a case file in order to even request a subpoena. And once you've got it and you've served it on a party, you're now dependent on the actions of that party. Sometimes law enforcement or a prosecutor needs to make a motion in court to compel compliance with a subpoena. So even in the best of circumstances, you're talking about injecting delay and costs and resources in the form of manpower into the investigative process.
You also heard Maneesha talk yesterday about the need for speed when you're chasing fraud on the Internet. And that's obviously true for other types of crimes as well.
And everyone also has touched on the second concern. Let me flesh this out a little bit.
Once the investigation crosses international borders, requiring formal legal process, which is what we're talking about as an alternative to Whois access, creates very substantial delay and complexity. The tools available to law enforcement in this context need updating. Technology has clearly outstripped the law in this context.
And streamlining the methods of international cooperation is a very laborious process, involving government-to-government institutional changes at the highest levels. Treaties, bilateral arrangements and so forth.
And anyone here who was involved in the negotiations for the Council of Europe Cybercrime Convention can tell you just how difficult that process is.
So to take away a tool like Whois that cuts through the layers of complexity and delay in international investigations in particular would be very damaging to law enforcement.
So in my view, there are no satisfactory alternatives to open, public access to the Whois database, by law enforcement agencies and by others.
And on the second question, I am, by no means, an expert. I have not been involved in the ICANN process. But it seems to me that as between ICANN and the registrars, some kind of intermediate remedy ought to be available, something more realistic than a total revocation of a registrar's accreditation. I think it's hard for ICANN to police the accreditation agreement when the only thing it has is the equivalent of the atomic bomb. Obviously, registrars should be required to keep up the initial verification at a minimum and reverification pursuant to reminders every year or so, and the idea that was also posed here, requiring responses to third-party complaints I think is a very good one.
And finally if the name holder fails to comply with requests, I think a temporary take down or suspension of the domain should be considered.
Andy Mueller-Maguhn: Excuse me, a small question for clarification. You said asked for public access to the Whois database. Could it be accredited access for public agencies instead of public access?
John Logalbo: The answer is no, and I would like to clarify this further. I'm not sure this is the appropriate point. But it's important for law enforcement that the access be public because as soon as it is unpublic or accredited, then issues arise whether law enforcement needs a form of legal process. And for the reasons that many of the participants have outlined here, once you get into requiring legal process for acquiring this data, then things get much slower, there's delay, and you're basically in a losing battle chasing criminals who move very fast with technology.
The other aspect is that it's very important for law enforcement that others have access to the Whois database. Not just law enforcement agencies. It's extremely important that intellectual property rights holders have access, it's important that consumers have access as Michael Donohue has pointed out several times, because law enforcement cannot do it all. There are hundreds of civil claims established in the law that can only be enforced by private parties going to court. And to take away the initial step for private parties to investigate those claims would place a burden on law enforcement that the current system cannot handle.
George Papapavlou: I'm sorry, I cannot take questions, I said in the beginning. The questions will only be asked in the public forum. That's because we only have a very short time for the panel discussion.
Karl Auerbach: Just a quick clarification. You said the criminals or the accused criminals?
George Papapavlou: I think this question can be asked in the public forum. It is noted. The public forum, more panelists will be here and they will be answering the questions. We need to proceed.
Any member of the panel wanting to make any comment? Yes, Diana, and then Jeff.
Diana Alonso Blas: Thank you very much, George. I will try to be short. How can I put it in a polite way. I think we have to be very clear in the fact that we need to balance different interests, and I want to make sure that those who really need to get access to the information should have access to the information.
But on the other side, I think we have to balance the need to protect the human rights of people, including the right of protection of privacy.
If there is another solution that would still give those who need access while protecting the individuals, we'll have to look for that.
And I think the solution that was proposed on the other side of the table by Andy Mueller could be one: make sure there is a restricted but sure access to those who need it. So I think we need to look for a proportionality solution that will allow those who need it to have it but without compromising the rights.
As to the second part of the question, the question of how far can ICANN police the whole package and so forth, I think it would be necessary to police the whole package of obligations that we have, not only the question of accuracy, but also the privacy provisions that are included already, and there is also a clear need to improve these privacy provisions. But to police a part of them without the other would not be very fair for the individuals, I would say.
Jeff Neuman: Just a quick question for law enforcement, and since I'm up here representing registries, not just .biz that's located in the United States but also other registries located elsewhere in the world, the question for law enforcement, since they clarified their answer to say open, public access, and I obviously don't expect an answer now and it's one we need to explore, but if the provision or the display of Whois information is a violation of law for the registry or registrar, is that acceptable to catch others that are breaking the law?
So I think that really needs to be considered, and we all understand, and have heard for years the importance of Whois information for IP owners, for law enforcement, for consumers organizations, and the list goes on and on. But now the question is, as a registry, do we break the law to provide this Whois information so that you may catch others who break the law? And maybe the solution is going and trying to get the law changed in that country or countries before requiring a registry or registrar to break that law.
John Logalbo: Can I address that question since it was addressed to law enforcement? Very briefly, I can't disagree with anything you've said. If you think that giving the kind of information that's necessary for law enforcement and others will place you in jeopardy of breaking the law in your jurisdiction, then the law needs to be changed. And we've heard here several times that just because something is desirable or useful, it doesn't mean that it's legal.
I certainly accept that, but I submit that analysis is backwards. If something is not only useful and desirable but necessary, and I think that law enforcement and others having access to the Whois data is necessary, then the law needs to be brought into correspondence with reality. And I think that to some extent, technology again has outstripped these legal frameworks. And that's just the natural way of the world. Technology moves much faster than any national legislature does. And so if we need to talk about law reform, I think that should be on the table as well.
George Papapavlou: Sarah, I would like to have this as the last remark for these questions.
Sarah Deutsch: Very quickly, I noted that John made the point that he would prefer the Whois database be open because it's faster and more convenient to get the information directly from Whois rather than from the subpoena process. I don't think the convenience issue is something that really hits home with me as a good argument. We are subject to subpoenas and we comply with them, but on the other hand the Whois database, we have to remember, was developed as an accessible database. People are putting themselves out on the web as offering either products or services when they have an active web site on Whois. But at the same time I can tell you complying with subpoenas is extremely burdensome, takes a lot of staff time. So from a registry/registrar perspective I would think you would want to be out of the debate. It would be easier to have the information out there and accessible rather than being in the middle of law enforcement disputes, which is always a difficult place to be.
George Papapavlou: I think what we have heard will provide very interesting input for our public forum discussion later on. But we need to proceed with the following questions so we have time for this part of our workshop this morning. So I would like to ask Alan to ask the following set of questions.
Alan Wong: Thank you, George. It's quite clear that the expectations of various parties who want to use the Whois database were not anticipated when the whole system was put in place many years ago.
We've already touched upon the sensitive issues of the use of Whois database for purposes which are not those which were envisaged in the past. And the privacy concerns of the registrants.
I would like to explore these issues and also hear from a privacy advocate. I would ask Tom, Jeff and Diana the following questions: can those who collect and publish Whois data balance the local law requirements against ICANN accreditation agreements, the Whois requirements?
The second question is can the concerns regarding the existing Whois system be addressed by modifications of the RAA? Who should decide what modifications are necessary to balance privacy concerns against the competing public policy concern of ICANN's ability. Who could decide, who should decide? Maybe Tom, could you start with answering these questions?
Thomas Keller: Yes, thank you. Starting with the first question, whether we can balance it or not, I guess to what it all comes down is that we do have contracts with ICANN which poses certain obligations on us and it's very far reaching at that point that you say that you have to, for example, have to display certain data like e-mail address and telephone number. And on the other hand, in certain places in the world you have privacy rules, which are not allowing to do exactly that.
Schlund is a company who is collecting data and displaying data really has a chance to balance these needs because we are bound to our local law and we still want to conduct business. It comes down to if we change the RAA, would this reflect our needs better? I guess so. I don't know to what extent we might have to change that. But it could be a process put to the PDP if we do it at ICANN, like we used to, and maybe have an open clause which states that you have to provide certain access to data, you have to display that, but you should not be in breach of your local law.
Jeff Neuman: I guess I'll be more controversial. With the question of can those who collect and publish Whois data balance local law requirements against ICANN accreditation requirements, I would say the way that Whois exists today, I would say the answer is no. Plain and simple. Not the way that Whois is defined today, with the display of personally identifiable information, information such as phone numbers and e-mail.
I do not believe there can be globally a unified solution where this type of information is being collected and displayed.
If we restructure Whois where certain personally identifiable information is taken out of databases, for example e-mail addresses and phone numbers, then I think we can talk about a solution that can be globally accepted.
With respect to can they be addressed by modification to the RAA, can the concerns be addressed; I think it all depends on which concerns. If you talk about privacy concerns, again, I think that may be addressable by taking out certain personally identifiable information. If you're talking about from an IP law enforcement and stricter enforcement mechanisms, I'm not sure that can be addressed by the RAA. I think you would need an incredible organization with many enforcement personnel to be able to enforce those procedures.
And so I don't think that changes to the RAA, even through a policy development process, would improve those mechanisms.
Diana Alonso Blas: Thank you. I think that the answer to the first question would be the same as the one just given here by my neighbor. I think the big problem in trying to comply with both the accreditation agreement and the requirements they have in national legislation, and the problem has been raised not only by those having to comply, like Steve here next to me, but by individuals who are raising complaints about the infringement of the personal rights.
So I think in this discussion we have to take into account not only the interests at stake of the different parties but also the rights of the individuals who are not very much represented here but have also to be heard.
So I think there are problems with that.
I think to a great extent, a number of issues could be addressed by modifying the RAA. I'm not sure that everything could be addressed but I'm sure many improvements could be done.
I would think that what we certainly need to do is to make sure that we involve all interested parties in the discussion, and I would strongly encourage to involve more actively the data protection community and the data protection authorities all through the world, not only the European ones obviously. I'm maybe reacting a little bit to the comment given in the previous question. I think if we are trying to look for a solution that could be in the short run, the last thing we need to undertake is to modify in the legislation of our 30 countries to make this possible. So why don't we try to find a solution in which we all find a balance between the different interests at stake while respecting the situation as it is.
George Papapavlou: Thank you. Any other members of the panel wanting to make a comment? Yes, Christian.
Christian Wichard: A quick comment, and I'll be brief, I promise. It's about balancing local law against Whois requirement.
I think it is not all black and white. It does not mean local law does not necessarily prohibit providing public access of Whois data. And it is not always necessary to change local law to do that.
Now, an example is many of those who do not provide Whois data are not necessarily based in those countries that have the most elaborate data protection laws, whereas, ccTLDs for example that are based in countries with elaborate data protection laws have found a way to strike a balance between those laws and providing access to Whois data, as we heard yesterday from .nl for example, other examples are .au or other ccTLDs. So I don't think it is all black and white. Thank you.
George Papapavlou: Thank you, Christian. Anybody else? No? It seems not.
In that case, Antenor, proceed with the following question.
Antenor Correa: Let's move to hopefully another burning issue as well. The third party registration services. Here we have (inaudible) from ENUM. He is running a test for third-party registration services, and also is partners with third-party registration providers. So I pose a question to him and also to Diana, and both of them could comment on the following issues.
Can privacy concerns be resolved by use of third-party registration services? And the second will be what are the implications of such services for people who need access to Whois data?
Paul Stahura: So I guess the answer to the first part is yes, but it's only part of the solution.
There's a balance between all the forces, and my company has a large number of resellers, and we're getting demand from my resellers for ourselves to implement a third-party solution, because whether they were good registrants or bad registrants, they don't want to put their Whois information in the public Whois to be shown publicly. No matter what, the people who are trying to hide, kind of the bad guys, they for sure don't want to put their Whois information out there.
So we're getting demand from most of our resellers to implement a proxy service. And I think the proxy services are getting more and more popular because people don't want their Whois information shown publicly. And I think maybe the solution of the problem or part of the solution is to provide a tiered access so that registrants who have privacy concerns could use the third-party proxy services, and whereas, maybe law enforcement could get access to the data that's behind the proxy service via some kind of special access.
And I wasn't aware of the problem; it has to be public in order not to get a subpoena. I don't know the solution to that one. That would be a tough one.
But we have to provide our Whois information in bulk format now to anybody who asks for it. And I don't see why the law enforcement can't be one of the people who ask for it.
George Papapavlou: Just remind our colleagues that that's one of the subjects in the following session so we will be discussing this more in depth later on.
Antenor Correa: Can Diana please comment on this.
Diana Alonso Blas: Thank you. Well, I'm not sure that third-party registration services would solve all the problems, but I think they would improve the situation very much, and would solve, certainly, the problems of some people who do not want to have their data displayed publicly.
I'm not saying this is the only solution. I found the presentation of our Dutch colleague Bart Boswinkel also very interesting with several options that could solve a number of problems but this in any case would go in the right direction, I would say.
As to the second part of the question, what are the implications for the different services, I think what is necessary is to provide a system that allows quick access to those who need it. And that is not complicated or does not involve all kinds of complicated formal administrative steps and so forth.
And what could also be very useful is to build some kind of audit trails that would make it possible to control later on if the access has been granted, was correct or not. And what is also necessary is to agree very much in advance on what are the conditions in which access can be granted. But I think a solution could be found that would allow those who need the data to have it, while still protecting the others.
George Papapavlou: Would anybody -- yes.
Sarah Deutsch: I just wanted to say that I think the proxy services are very promising.
If you look at Whois and the analogy of telephone numbers, if people did not want people to find out their phone number and they could simply populate the Telco's databases with fake phone numbers, we'd find the phone system wasn't working so we'd have this process of unlisted numbers.
And the proxy service could be the equivalent of an unlisted number.
I would add it would be very important to have companies who run these kind of protective services have very responsible operating practices, to have access to absolutely accurate information behind that wall, and to make sure that they give access to those with a legitimate need to know.
Paul Stahura: I'd like to add one more thing I forgot.
I believe that with the proxy services, the information behind the proxy, I think, would be more accurate, because people game the system.
If they know their information is going to be public, they're probably more likely to put in bad information so that the public doesn't know the real information.
That's the good guys.
The bad guys always put in crappy information.
But at least the information accuracy level would increase, I think, with proxy.
And therefore, if we had the tiered access behind that, and that law enforcement or other people who pass the bar on accessing the information, therefore that those people will get access to more accurate information.
John Logalbo: If I may, I just want to reiterate the law enforcement concerns on this point. I don't, again, want to venture an opinion on whether proxy registration might ultimately be the solution. But I want to make clear what law enforcement interests are here.
First, in order to avoid the problem of requiring law enforcement to get legal process, and I think that that is a serious detriment to investigations, there have to be one of two things present in the proxy system. And that is, either the data has to be made public in the sense that I expressed before, and that is, people with a need have to be able to get at it quickly; or, the agreement for proxy services has to make clear that there is explicit consent of the name holder for law enforcement and others to get at the data, if necessary, if requested. And that consent has to be voluntary, and at the same time the prerequisite for consent cannot be to serve a subpoena. Because that defeats the whole purpose.
And the second point I want to reiterate, it can't be just law enforcement agencies that have access to the real data about the name holder. ISPs have to have access to the real data in order to solve technical problems. And I don't know how that can be done if the telephone number or e-mail address of a technical contact is withheld.
Consumers need access to the real data, and intellectual property holders, among others, need access to the real data. So any system that restricts access just to law enforcement is not going to serve a number of other very important interests.
George Papapavlou: I see Christian. Yes.
Christian Wichard: Just a piece of information. These proxy services are already an option under the present RAA. The present registrar accreditation agreement allows third-party registration, allows a registrant to provide the address of a third party, which most or very often is an ISP, provided there is one condition, provided that this third party either accepts liability for any harm caused by wrongful use of the domain name, or promptly discloses the identity of the true owner of the domain name.
I think, then, the formulations upon unreasonable evidence of unreasonable harm. So this would not require a subpoena, because it makes access to Whois data more cumbersome. We have some experience with this kind of third-party registration in the administration of the UDRP. But in the end, it normally works out.
Thank you. I see Tom.
Thomas Keller: Before we think about proxy services as a solution, I just want to point out that privacy in most (inaudible) is not a service but is a right a person has. So I don't know why it should be protected by a special service, which has to be offered by a registrar, for example.
So what would happen at the end of the day is that, for example, on the (inaudible) you couldn't raise funds, you couldn't impose a fee on it. So we had to do it on our own cost. And that's, in certain ways, unacceptable. And it does not really serve the purpose.
George Papapavlou: Okay. Thank you all for all of these interesting remarks. I think we are doing well with time, and we have a last set of questions, which will need to be asked.
Alan Wong: Thank you, George.
You don't have to be very clever to see that it is very difficult, if not impossible, to find a solution that will satisfy everyone. My question is, are there any second-best solutions? Let's discuss one possible modification to the current Whois system that has been raised in the past.
Should there be modified roots for noncommercial domain names to protect privacy while providing contact data or commercial domain names? And does that approach address all interested parties' needs? And related to this is, how would such modified roots be enforced? Could the special domain be created for noncommercial domain names? They would have different Whois roots. How would you define commercial versus noncommercial? I'd like to ask Tom, Jeff, and Diana, in turn, to comment on these issues.
Tom. Thank you.
Thomas Keller: Thank you.
I guess most problems we would have if you want to implement something like that is how do you differentiate between what is a commercial use and what is not. So if you register a domain name, most of the time it's 100% automatic process and you really have no idea what will it be a web site which is used for that domain name or is the domain name used for e-mail service? And if it is used for e-mail service, is it commercial e-mail service or not? So we're talking about a name space, which is really hard to figure out actually what that person is trying to do with that domain name. So I don't really think that this will help.
Talking about a domain name and a special domain name only for noncommercials kind of brings up what happens with all the domain holders who already have domain names now. Do they have to give up their substantial privacy rights and move on to a new domain name? It would be like, you know, someone would have to move out of his house, you know, just to protect his rights. And something doesn't seem right to me, actually.
Alan Wong: Not workable from your point of view?
Thomas Keller: Yeah.
Alan Wong: Jeff.
Jeff Neuman: I've heard this proposed many times, too. And from an unsponsored registry standpoint, with .biz, and as this one would be, it would be an unsponsored one, because it would just be a noncommercial domain, you know, top-level domains are created because of a viable business plan, not out of rules, not out of rules to escape being another TLD's.
I'm not sure of any registry operator that would want to take on a top-level domain that was just for people to hide their Whois information. No, take that back. There would be a number of registries that would want to do that, but you would attract what I call the four s's, the spammers, the scammers, the squatters, and the speculators. While that would make a lot of money for a registry operator, it certainly is not the type of top-level domain that I think any of us envision or want to create. And with respect to differentiating between commercial and noncommercial users within a TLD, you know, courts around the world have enough difficulty determining what's commercial and what's noncommercial.
For example, in the United States, trademark law is dependent on whether there is a mark that's used commercially or not commercially. And, you know, the courts have enough difficulty interpreting the exact meaning of that. I don't know where I would begin interpreting what the difference between those would be.
Alan Wong: So another doubter?
Jeff Neuman: Right.
Alan Wong: Diana.
Diana Alonso Blas: Thank you.
I have, obviously, seen before arguments having been brought forward by my neighbors here. On the other hand, I think what you said in your introduction is right. I don't think we will find a solution that will be perfect for everybody. And we'll have to find some kind of compromise that is workable for, well, as much as possible.
I mean, I have the impression that this idea of distinguishing commercial and noncommercial could be a step in the right direction, at least the European data protection authorities consider this a good solution, because the issues related to data protection are obviously very different when you are talking about individuals who have specific rights and when you are talking about legal persons who are not protected by the legislation. So it could be possible to find, at least in theory, a distinction.
This would, obviously, raise a lot of problems as to, indeed, determining who belongs to which category. But to a certain extent, this already exists. I would say there are different legal requirements for those who proceed commercial activities in order to get identification; we have different pieces of legislation in place, like the e-commerce directive and others. So we do have a number of legal requirements they have to comply with. This would be one more in the sense that they will have to identify themselves as being commercial activities and not just purely for personal use.
So I think, to a certain extent, it wouldn't be a bad idea. But, indeed, I realize it's tricky. But I think it could be workable, or at least is something that would need to be explored.
Alan Wong: So you don't dismiss at this moment? Okay. Thank you.
George Papapavlou: Just a quick point to make.
What Diana said, in our e-commerce directive, to give sufficient information to the consumers. Although we don't have special top-level domains for commercial web sites, we have special obligation for commercial web sites.
Anybody else? Yes, John.
John Logalbo: I just want to say from a law enforcement perspective, we wholeheartedly agree with the problems of trying to draw a distinction between commercial and noncommercial that the representatives of the registrars and registries, and also Alan with his four s's analogy provided.
I think you're going to create extremely serious problems for registrars in trying to determine what is commercial and what is noncommercial. That concept is certainly found in U.S. law. I have been exposed to it in the context of obscenity law, where the distinction is drawn whether activities are conducted for profit or not. And to ask a registrar to get involved in the activities of the name holder to try to determine whether they're for-profit or not for profit is extremely difficult.
And this is going to arise in the most egregious kinds of contexts, such as child pornography, where those who indulge in that particularly perverted pastime are not interested necessarily in making money; they're interested in swapping images and so forth. So is that commercial? Is that noncommercial? And certainly it's a domain devoted to noncommercial activity in that sense is going to run the risk of being a safe haven for that kind of activity.
George Papapavlou: Thank you. No further comments. I see no. This brings us to almost the end of our first session.
I will try to not really draw conclusions, but to indicate some points which, I think, have come out from this session.
I think that there is a view that the Whois system may, to some extent, work, to the extent that it addresses its original purposes. But may not work for additional purposes, which have come up in more recent times, including very important, legitimate purposes, of course. And therefore some improvements may be necessary.
The main two issues I take to be addressed are the issue of accuracy and the issue of accessibility. I think I have not heard any strong arguments against accuracy, especially if one has possibilities for specific cases to be dealt with where anonymity may be required and where the third-party proxy services could play a good role.
On the last point, I think most people would advise that it would not be possible to distinguish between commercial, noncommercial and put them in separate sort of boxes. This would be very difficult.
On the issue of whether information could be available from other sources or not, I think that although it could be available from other sources and through other processes, the effort might be substantial. However, there is obviously a balance requirement here, a proportionality requirement.
So what exactly is excessive effort with regard to the purpose I think still needs to be determined. It's one of the things that have to be addressed in the future.
Yes, I think this would be my conclusions. I mean, on the one hand, we have legitimate requests, which call for improving the accessibility and accuracy. We have also legitimate requests in favor of having human rights adequately protected. There is a cost element involved. We need to find the balance, a good balance of all these interests. And I think this will be our main target for the future.
This is what I would like to conclude. With this, I will ask anybody who wants to say something from the panel, which doesn't seem to be the case. I would close the morning session.
Thank all of the panelists for their very useful contributions. Let's take a break and come back. Is it 9:30, Mike, or -- 9:30? So that we start with the second session.
Vinton Cerf: I'm sorry. We start the second session at 9:30. Okay. Yes.
George Papapavlou: At 9:30.
Vinton Cerf: Very good. Thank you very much.
Robin Layton: Good morning. We'd like to start our second panel now, please.
This panel is focusing on new approaches to administration of a Whois database. I'm Robin Layton, I'm the U.S. representative to the Governmental Advisory Committee and the convener of the GAC's Whois working party.
I'm not going to go through the procedures again. My colleague from the EU explained them very eloquently for the first panel. I also thought they did an excellent job of fleshing out many of the issues surrounding Whois from a public policy standpoint. And we hope to build on that in this panel.
I'd like to introduce the people on the panel and the discussants who are from the Governmental Advisory Committee. Starting from the left, we have Ross Rader. He's the Director of Innovation and Research for Tucows, an ICANN accredited registrar and leading distributor of digital products and services to Internet services providers. He is here for registrars.
And next to him is Willie Black, Willie is the executive chairman and founding Director of Nominet UK, and Willie is here representing the registry point of view.
Next we have Alan Davidson. Alan is the Executive Director at the Center for Democracy and Technology, working to promote civil liberties online. He is here as our privacy advocate.
Next to him is Henning Grote. Henning works for the Deutsche Telekom AG, Europe's largest telco. As deputy director of DT's network information center, he's responsible for technology scouting and developing technology strategy in this area.
Henning is representing our ISP perspective.
To my left is Pablo Hinojosa. He is one of my fellow GAC members and comes from the government of Mexico.
To my right is Tom Dale. Tom is a discussant and is representing the government of Australia in the GAC.
To his right is Steven Metalitz. Steve is a partner in the Washington, D.C. law firm of Smith and Metalitz LLP. He has served as a counsel to the Copyright Coalition on domain names since its establishment in 1999. Steve is representing intellectual property interests.
Maneesha Mithal is an Assistant Director to the Federal Trade Commission International Division of Consumer Protection. Her expertise includes Internet fraud, the Whois database, Internet jurisdiction, and alternative dispute resolution for online consumer transactions. And she is representing consumer interests.
To her right is Margie Milam. Margie is the general counsel of EmarkMonitor, Inc., an ICANN accredited registrar based in Boise, Idaho. EmarkMonitor, Inc. is a provider of corporate domain registration and brand protection services for corporations and law firms. Margie is representing bulk access service providers.
And to her right is Patrick Beardmore. Patrick is the Computer Forensic Investigating Officer for the UK Office of Fair Trading, which uses Whois as a tool for law enforcement. He is responsible for digital evidence within the Cartels Investigate branch and provides the department with advice and support regarding consumer protection and Internet issues.
I think we're going to launch into our first question and I'm going to ask Tom Dale to start us off, please.
Tom Dale: Good morning, Robin, everyone.
In this panel we're looking at new solutions to the Whois system and problems, and particularly in achieving public policy goals so I'd like to ask a number of the panelists, first off, from the perspective of law enforcement, IP, consumer interests, and privacy as well, if they could give us their proverbial two-minute speech on if an overhaul of the current Whois system is necessary to balance what appear to be competing interests of law enforcement, intellectual property, consumer issues and privacy interests. The two-minute elevator speech, ladies and gentlemen. Perhaps Steven Metalitz could start off.
Steven Metalitz: Thank you very much. In answer to the question, is an overhaul needed, I think if that means do we need fundamental change in the Whois system and why we have it, I think my answer would be no. But that doesn't mean that we can't improve it in a number of ways. And from the intellectual property perspective, we're certainly eager to engage in that discussion.
I think this is an appropriate time, perhaps, to raise this question that we've heard many times about whether the purpose of Whois has changed since its inception, and that it's now being used for purposes that the allegation is made that it's being used for purposes unrelated to those that existed at its inception.
I think that approach underestimates the continuity we've seen over time. And if I can harken back to yesterday morning and the first workshop and Louis Touton said the purpose of Whois is to track down people doing bad things and identify them, for IP, that is our primary purpose and one Jane Mutimear talked about in her presentation today.
So I think there's more continuity than some people think and I hope we don't make it a dogma that Whois is totally changed and we need to tear it up and start over.
Tom Dale: I'll ask Pat Beardmore from the UK office of Fair Trading for his views.
Pat Beardmore: This is my first visit to such an event. Hopefully it won't be my last. Overhaul is a strong word; it's a good word. I would agree that I think there's a consensus that changes have to be made. Whether overhaul is the right word to use, I'm not so sure. I'm not so sure that Whois is in need of a complete rewriting, as it were.
Having said that, I have been impressed, struck by the strength of feeling, as this is my first event. One thing you may want to do when you attend these is sit at the back and if you watch heads move, when people say something you agree with, you don't know it but you're nodding and stamping your feet. There's obviously a lot of strong feelings on a lot of issues to do with Whois and in line with that, and we're not here for fun, this event has been organized because there are issues with Whois. So I think change is inevitable. Whether the change comes in the form of a complete overhaul, I'm not so sure.
Tom Dale: Thank you very much, Pat. Could I ask Alan Davidson from the Center for Democracy and Technology to give his view on the matter?
Alan Davidson: I guess the short answer would be yes, we believe Whois is in need of a substantial change. I appreciate the chance to be here, and as we heard from some people with regard to the highly personal, noncommercial information that can be found for many registrants in the Whois database, current Whois policy is on a collision course with national privacy laws, with accepted international privacy standards, and with the rising tide of concern out there of privacy and security.
This is not a unique problem in the sense that the kind of work our group does in the United States, we face all the time these kind of policy issues where, in the context of government access to information, the context of corporate use of information, where there are reasonable desires for information that must be balanced with important privacy concerns.
Currently, the Whois policy does not provide that adequate privacy balance; our belief is that it is not working, increasingly not working for lots of different players. It is not accurate as we've heard, and it will not be accurate unless registrants feel their privacy and security is protected. So we think there are balanced solutions that are much more consistent with broad access to the Internet and the DNS that I think many of us seek.
Tom Dale: Thanks, Alan. Finally, could I ask Maneesha from the FTC to give her views on the matter?
Maneesha Mithal: Thanks, Tom. I apologize but I'm required to say that the views I'm about to express today are my own and do not necessarily reflect the views of the Federal Trade Commission or the U.S. Government.
With that being said, I think I agree with what the majority of panelists have said so far. I don't know that I would characterize it as an overhaul but I do agree that change is necessary.
One of the major concerns from our perspective as a consumer protection enforcement agency is that inaccuracy of the data in the Whois database is a major problem, as I explained in my remarks yesterday.
Now, I am sensitive to the concerns raised by privacy advocates that people might intentionally be putting in false information to protect their personal privacy. So I would like to see us all try to resolve the privacy concerns. And I think once we do that, there can really be no argument that we shouldn't vigorously enforce the registrar accreditation agreements to ensure greater accuracy in the information in the Whois database.
Robin Layton: Thank you. Would anyone else on the panel like to venture an opinion on this topic? Then I'd like to ask Pablo to ask the next question, please.
Pablo Hinojosa: Good morning. One approach that has been suggested for Whois database is should certain persons get access to limited data while others with involvement in law enforcement get more complete access to Whois data? Here our privacy advocates, Alan, law enforcement advocates, Pat, and IP representatives, Steven, I would like to ask you the following chain of questions. Should there be tiered access to all Whois databases? If you think that, we would be interested in knowing, in your perspective, what would be the best way to administer tiered access, and what types of information would be available in the various tiers and to whom would each tier be available?
Alan Davidson: Shall I start? Okay.
Robin Layton: Let's start with Alan, please.
Alan Davidson: I think tiered access is a very attractive idea worth pursuing and it's exactly the sort of idea that gets at striking a reasonable balance between some of the desired needs for information that have been put forward, reasonable requests for information, and the real privacy concerns that exist. Because if you begin to dissect the privacy concerns, they come down to the question should all data collected in Whois be available to all people for all purposes? And I think we could mitigate many of the privacy concerns by taking the most sensitive data and making it only available to some people in some circumstances.
It helps a lot from the privacy point of view if you can provide mechanisms like audits to find out if the data is being misused, notice to end users about what information has been requested about them, enforcement against misuse.
The general idea here is that this is not a perfect solution, but it creates a speed bump for access.
I think the kind of system that many of us contemplate is something like what is being implemented for .name where there's a set of information that is publicly available, but it may not include the most sensitive fields that may include something like a person's home phone number or home address or e-mail. It may include the registrant's identity, maybe their country. Maybe even some technical contact information if that's considered important for technical reasons.
But the point would be that we would come up with a mechanism that the broader set of more sensitive information would only be available after going through some process.
I would say that in terms of administering it, that process needs to be very lightweight. It needs to be something that is scalable, it's got to be something that's easy and cheap to implement by registrars and registries. It's also got to be something compatible with ICANN's very thin mission, which is not to be a major policy oversight body.
So we would want to set something up where the requirements are easy to understand and I think the .name example may be a good one.
To be frank, I'm not sure that this tiered access would meet all of the privacy imperatives, for example, of the various data protection laws and the OECD guidelines, but I think it's a good start, and especially if we could couple it with some other approaches, like better domain by proxy or revisiting the bulk Whois rules. You might come up with a package of things that would do a lot to protect privacy but still allow for some reasonable level of access.
Robin Layton: Steve, would you like to comment?
Steven Metalitz: Yes, thank you. I would agree with much of what Alan just said. I think tiered access is something that should be looked at. And we also have this experiment with .name. Unfortunately, at this point it is an experiment, which has yielded no data yet because the tiered access has not been implemented. But perhaps that will teach us something that we may be able to apply.
I would add, though, really just make two additional points. One is among the other criteria that Alan mentioned about being lightweight and being scalable and so forth, if this is going to work, it has to be a system that works very fast, and that doesn't delay access to the data for those in the tier that are entitled to get it more than a minimal amount.
We heard something about that in the first panel from law enforcement and others. I'd like to add one other perspective, which I don't think is directly represented on any of these panels, and that is the security side of this. We had a very interesting report at the Shanghai meeting from Steve Crocker and the Security and Stability Advisory Committee mentioned that accurate Whois data and very quick access to it is essential for responding to intrusions and other security problems. And if you're going to have a tiered system, it's got to be one where those users of the data can get access to it very quickly with a minimum of fuss.
Now, the second point I would make is I don't think we should underestimate the very real transactional costs that are involved here, and also the costs that may be borne by e-commerce and the society as a whole if you make it difficult for individuals who may not have any special status to have access to the full range of Whois data, whether they be consumers concerned about who they're dealing with online, whether they be parents concerned about the sites their child might be visiting. I think we heard on the first panel that public access is very important even in terms of law enforcement.
So before we restrict that through a tiered system, I think we have to be very careful about how those costs will be absorbed.
Robin Layton: Pat, could you give us a comment on this, please.
Pat Beardmore: Yes, certainly. Tiered access. Well, you've taken some of my points already. Fast, yes. Easy, yes. Cheap, yes.
A couple of points. Just to reinforce what was said in the previous session. Even if every law enforcement body in the whole world who wanted to access the Whois database had a mega-fast terminal sitting at their desk, the fact that the information was no longer public brings in a whole new tier of, not bureaucracy, that's unfair, but administration, which is designed to protect that data.
Now, from a UK's point of view, just to give you some examples, that could be anything from filling out a five- or six-page form, piece of paper, not an online form, it could be getting a signature from someone much higher up within your law enforcement body, it could be having to go to court to get a court order, or it could be having to go to a criminal magistrate's court or high court to get a warrant.
Now, all of those would be required before the law enforcement officer could then sit at the terminal and maybe get Whois information within 30 seconds.
Now, I'm not saying in itself that that justifies not having tiered access. What I'm saying is it's important for all of us to understand the extra burden that would be placed upon the law enforcement community even if we had that wonderfully fast service.
And one final point is that I'm a little concerned at the fact that this phrase "law enforcement" is just used without any clarification, unless I missed something that was on an earlier event. Law enforcement doesn't simply consist of police forces carrying badges and warrants all around the world. There are many shapes and colors of law enforcement agency. I've just written down, you've got customs, tax, environmental health, social security investigators, consumer protection, medicines agencies. Have we really thought about the implications for every law enforcement body to have access at this tiered level?
Again, just finally, from a UK's point of view, consumer protection is handled at local council level. That's almost 200 different consumer protection bodies just within UK who would want access at a tiered level. So if we multiply that by all the, obviously, different countries around the world, I'd just want people to be aware of what a massive challenge that would be to introduce that type of infrastructure.
Robin Layton: I wonder if Ross and Willie have anything to add to this as those who would have to administer this type of system?
Ross Rader: On the question of tiered access, I look at this as a tool in our toolbox. It's important to look at this not as a magic bullet or magic solution that's going to address all needs and fix all problems. We've got many other tools we need to look at to start solving some of these problems. Digital certificates, for instance. Tiered access Whois databases, and on and on and on.
There are a number of things that we can put together which will ultimately help us solve all of these problems. But I don't think that looking to the DNS, the Whois or tiered access system or not tiered access is appropriate.
If we start looking at what tools we need in the toolbox and what we want them to do I think we'll have a much more productive engagement as we figure out what we want to do. For instance, what do we want the output of the IETF to look like, for instance? They're working on several technologies that are very suitable for these purposes.
That would be my only real comment on that.
Willie Black: Thanks very much again for inviting me. I obviously am not involved at the gTLD side of this, but in the UK, we had our own policy-making debate on how to deal with Whois, and we have the advantage of having a slightly thicker registry. So we've taken it as one of the core jobs of the registry to be responsible for the Whois. And, you know, I think that's been an advantage over the slightly thinner com, net and org ones. That's a different debate.
We have worked with the balance between the privacy and the public policy requirements by having a debate with both sides, and actually going out to fairly widespread public consultation, and we came down with a balance that if you're a private individual and you're nontrading, then you can have an opt out, but we will keep real information there and we will make it available to the appropriate authorities should they ask in a written form.
Now, what would help us a lot is to have a single point of contact. As my colleague from the Office of Fair Trading has said, there are many, many bodies that might have a legitimate need for this information. And none of us can really tell whether it's a legitimate request or not. But if we have an authenticated place that we can go to that will say, yes, the person who has just asked for that is legitimate, they've gone through a process, you can reveal it, that would help us a lot.
I think I said at a meeting at the Federal Trade Commission that if somebody served a federal subpoena on Nominet, I probably couldn't tell the difference between that and an ice cream wrapper, with all respect, and neither would people in the U.S. know what a UK one looked like.
That's a real problem for a registry is to know when to give the information away and to whom.
So I think we should look at this single point of contact, this SPOC mechanism, maybe even interlinking SPOCs in different countries so there is a chain, it may be done electronically, maybe not, using certificates and digital certificates.
That's the news from our side; we tried to do a bit of a tiered access. We've allowed people to opt out, and we will make the information available. And I think that's given the consumers confidence that if they do register their personal information, it will be kept fairly off the public record.
We only publish name and address anyway. We don't have telephone numbers or fax numbers or e-mail addresses, which of course is the big gateway to spam. So we've been a little bit of a balance between the two sides. And we look forward to seeing other tools developed. If we can use them to help, we will.
Robin Layton: Thank you, and I'm wondering if, Margie, would you like to say something?
Margie Milam: Yes, I would. Bulk access is a useful policy that serves an important need because it is used by information service providers to develop reports for intellectual property purposes and for law enforcement purposes and there's companies out there like LexisNexis who sell information.
Why is this a separate basis from tiered access? The reason it's necessary is because there are value-added service providers that have the ability to search the database in a manner that isn't typically available through the public access. These companies have developed software programs that can search multi-fields and deliver reports that are clear and provide the information that a seeker is looking for.
And so I would want to make sure that the policy takes into account the ability for bulk access to enable that service to continue.
Robin Layton: Maneesha, you had a comment?
Maneesha Mithal: Thanks. From the perspective of a consumer protection law enforcement agency, I don't think we're opposed to tiered access, per se. But I think we would have two main concerns. One is that we would be concerned that consumers might be getting less information than they have now, particularly for commercial web sites. So any tiered access system should take into account the fact that consumers have certain needs for information.
And the second concern is I don't think law enforcement should have less access than they have now to the Whois database. And I take the point that Willie raised and some of the others have raised about how do you authenticate who an appropriate law enforcement is. And I wouldn't want to get concerns on that front to interfere with the process of law enforcement getting the Whois data.
And then I guess the other point I wanted to mention is that it seems like overhauling the whole Whois system to create tiered access is akin to using a sledgehammer to crack a peanut when maybe a nutcracker would do. I think that in what we've heard between yesterday and today, there seems to be consensus that there is less of a privacy concern with disclosing information about commercial web sites. It seems that the current system is working fairly well for commercial web sites, and nobody really has an objection to that.
What people do seem to have a concern about is the noncommercial web sites. So maybe one idea that I'd just like to throw out there is to bifurcate the discussion. Instead of trying to change the whole system when there is consensus as to a lot of it, why not just take that slice where there is concern and then try to work out a solution for that, maybe have a separate domain and have tiered access in that domain.
There's all sorts of things that we could imagine that would resolve that concern without overhauling the whole Whois system.
Robin Layton: Henning, would you like to get your two cents in on this as well?
Henning Grote: Thank you very much. Thanks for inviting me.
Well, I just want to broaden the coalition that's sympathetic with the idea of the tiered access. From an ISP's perspective, an ISP that's operating an LIR and an unaccredited registrar, we look at the Whois as a means, a tool to take care of the functioning of the Internet, just like Jeff Neuman on the first panel had this morning.
There are lots of just recently, in the last few years, developed very legitimate uses and requests for the data that are collected on the ISP or registrar's level. But these legitimate interests should not hamper the functioning and the work for which we use the Whois as we have it today to control and maintain the Internet functionality.
So the tiered access would, for the ISP and for us as a registrar, an LIR, would be very adequate to work with, and would also be adequate to not bring us into legal limbo. For example, the issue was bulk access, we just mentioned. That's another very tricky issue, because even to have data, let's say, exported out of our legislation is something that's very doubtful. Based on the principles of operation of Internet systems and the DNS, we today have kind of that, it's more or less tolerated. But we do not feel very comfortable with the bulk access, indeed. So that's another issue.
Just to wrap it up, we are very sympathetic with the approach of tiered access, because the work that has been done in the IETF right now, let's say CRISP, for example, might be an excellent approach to solve lots of these new interests and requests in the midterm.
In the short term, we would like to go the tiered access way of bulk access, of when we like to discuss this issue, we have very strong feelings that we would like that approach being (inaudible) out.
Robin Layton: Tom, would you like to move on to the next question, please.
Tom Dale: Thank you, Robin. I'd love to.
Another specific proposal that's been raised in this debate is the concept of providing some sort of notification to registrants that their Whois data is being requested by whoever. Obviously, there's a degree of potential end user and consumer and privacy empowerment in that sort of notification.
On the other hand, it may raise specific issues for the conduct of law enforcement investigations. So I'd like to ask some of the panelists what they think about notification to registrants of such requests.
Perhaps, Steve, you could start.
Steve Metalitz: Thank you.
This idea has been raised by a number of participants, notably, Alan Davidson, who I'm sure will give an eloquent defense of it. It surprises me a little bit that a privacy group is in favor of letting web site operators have a free list of those who consulted Whois data about them, perhaps for commercial purposes.
I think those who were concerned about site operators placing cookies on your computer or those who were concerned about whether a consumer should have the ability to block caller ID information would also have the same concern about letting a commercial web site find out everybody that was interested enough in them to check their Whois data.
But leaving that to one side, I think there are a number of very practical questions about this, some of which I'm sure will be addressed by the law enforcement representatives.
I think what would be very valuable, and I think perhaps can be done within the framework of the existing agreement, is that there should be some kind of audit trail, some kind of data preservation policy about Whois use that could be accessible under the proper circumstances in cases of abuse or when there's a suspicion of abuse. Because it's obvious that Whois access can be abused and put to very improper purposes. So having some type of audit trail, I think, would be very valuable.
But in terms of a general rule that people would no longer be able to use Whois without having that information disclosed to the registrants, I think, would have a number of problems.
Tom Dale: Alan.
Alan Davidson: Steve raises a very good point. But let me step back a half a point.
I think those are real concerns about how notice might work. But I also think notice, the ability for a registrant to find out who is asking for information about them is one of the major potential privacy benefits of doing some kind of tiered access system.
Just to give an analogy, and I apologize, because it's from U.S. law. But that's what I'm most familiar with.
We have a very strong requirement in our Constitution, for example, that when a search warrant to go into somebody's home to seize information is obtained, it must be served, notice contemporaneously must be given to the target of that search warrant. And the reason for that is because, I think, our constitution in the United States reflects the understanding that the person who's in the best position to protect against abuse or misuse is the person who is the target of the search.
And so when the police come to my home and knock on the door and say "we have a search warrant here that says we're allowed to take your computer," I can then look at it and run to the courthouse and challenge it if it's a mistake. I can say to the police who have come to the door, "You have the wrong Alan Davidson. You're looking for Alan Davidson who is down the street who is a noted peer-to-peer user or drug dealer" or whatever it is.
The point is that notice can be a very empowering tool for users, because it gives them the ability to find out who is asking for information about them. And it also puts a chill, we believe, on the misuse of information. I think people will think twice about using Whois for inappropriate purposes if they know that the target of the request will be able to find out about it.
There are lots of ways to balance things so that notice doesn't need to jeopardize an ongoing investigation. It could be deferred. It could be a periodic notice. There could be lots of different ways to do this. But I think notice is a very important and empowering tool.
Tom Dale: Pat, can I ask you the question?
Pat Beardmore: Yes. Thanks for that. I was getting a bit worried.
I'm glad you came in at the end and gave the caveat about getting in the way of the investigation. I don't think you have to be an experienced law enforcement officer to realize how important covert or undercover law enforcement investigation is.
When I saw the possibility of this questioning coming up, I thought, come on, let's get back to basics here. We are investigating people; we have reasonable grounds, have committed a crime here. And the idea of them immediately getting notice of the fact that I have requested the Whois data, I was surprised that was even on the agenda.
Now, having said that, if we compare it to the idea of giving a copy of an entry or search warrant, then, obviously, that's a different kettle of fish completely. In that, of course, as soon as the front door is knocked or, in worse cases, the sledgehammer goes through the front door, the person being investigated has a pretty good idea they are being investigated. So as long as they are aware they are being investigated, I have no initial problems at all with them getting some sort of notification. And they shouldn't be surprised. They should almost be expecting it if they realize they have done something wrong via their web site.
In terms of having some sort of audit trail, then, again, I have no problems with that at all. Any experienced officer should automatically be creating an audit trail along every investigation they're doing anyway, because they are investigating it with a view to creating primary evidence that will be admissible in court. And as part of that, the onus is on them to prove the audit trail, prove where all that information has come from. And make it available for the defense as well. So no problem with the audit trail. No problem with making that information available. But at a later date. But, obviously, hopefully, it goes without saying, not so it gets in the way of an effective investigation.
Maneesha Mithal: I'd like to add to that, if I may.
I think we would vehemently oppose any simultaneous disclosure that we were doing Whois searches on a particular company.
I think there's two main reasons. One is, especially when we're dealing with the Internet, it's very easy for people to move their operations offshore, beyond the reach of our powers. And even more importantly from a consumer perspective, once a target is given notice of our investigation, in our experience, they'll often transfer their assets abroad beyond the reach of U.S. courts.
One of our main missions is to get money back in the hands of consumers who have been defrauded. And if an investigative target moves the money offshore, that money is beyond our reach.
Robin Layton: Would anyone else like to add something?
Alan Davidson: I wanted to chime in to say I think deferred notice is a very attractive idea. And I think 60 days, 90 days, these are things we're used to dealing with in the law enforcement context. Without some kind of notice in a tiered access system, there's a huge question about who is going to enforce this thing. The people who are in the best position to enforce against abuse are users. And without their ability to know who's asking for data against them, they can't do it.
If the Federal Trade Commission would like to take on the role of being the enforcer to look at these audit trails and make sure Whois is being used properly, that would be great. But I think the most lightweight thing we can come up with is some kind of notice, even if it's deferred.
Margie Milam: I sort of have a problem with this notice concept. The way I look at Whois is it's a record of ownership, not unlike the public records for ownership of real estate. When someone searches the county records for real estate, is there a notice provided to the owner of the real estate? I don't think so. I mean, it seems that this is a different analogy than the search warrant concept, where you're searching for nonpublic information. And I think that distinction needs to be understood.
Robin Layton: Would anyone else like to -- Alan, you can have one more word.
Alan Davidson: I'm not clear that this is public information. I think that's exactly the debate that we're having today. Thank you.
Robin Layton: All right. I think we're going to move on to the next question.
Pablo Hinojosa: I would insist on question about tiered access. And this follows part of what Alan was saying, his first intervention. And it's about tiered access, if it can be said for noncommercial domains.
And my question is, how do you think it could be possible to keep commercial domains out? And this goes to mostly ISP, registrars, et cetera.
Henning Grote: Thank you for that question.
Well, I find it a grueling perspective if we need to try to distinguish between commercial and noncommercials. There are two aspects.
We heard one aspect discussed on the first panel this morning, how should an ISP, registrar, LIR, you name it, any business who is collecting Whois data, how should any entity be able to distinguish, honestly, between commercial and noncommercial?
I think the rationale behind that question is to have a -- let's say one port with higher privacy and one port with, well, less privacy. So it's another question. Well, as an ISP, should not reflect that much on that. Might be it's something more for a philosophical debate.
But the question is whether the right of privacy, not giving a safe haven for crooks or something like that, but waiving basic rights of privacy should be discussed further. Just more a philosophical question besides the more practical question.
Willie Black: Yeah.
I say at many meetings that it's only in comics that the crooks go around with a bag marked "swag", on a stripey jumper. The fact is that if it's a crook and he wants to get into a commercial domain because he knows he will be safe there, he will say he's doing noncommercial.
It's obvious. The good guys are honest, and they make the right declarations, and the bad guys don't. So I would say it's utterly impossible to segregate commercial and noncommercial unless you're going to almost check every web site to see if somebody really is trading or not. So I think the idea of splitting noncommercials in any enforceable way into separate spaces is impossible.
By all means, we can have separate spaces for people who self-declare them to be nontrading. It might be useful. But that isn't going to enforce anything.
Alan Davidson: I am very sympathetic to the idea about trying to separate commercial and noncommercial, especially because I think there has been consensus that it's in the noncommercial context purely where this privacy issue really arises.
Having looked at it a lot, I think it is extremely difficult, I think it would be extremely difficult for ICANN to try to make some kind of meaningful distinction between commercial and noncommercial that would scale well across internationally.
I mean, a human rights group in Africa that sells tee shirts on their web site or a lone proprietor in Asia may not have the same understanding we have in U.S. law about what commercial speech means. So as attractive as this is, I just don't think it scales well.
Another interesting data point I have been trying to find out, you know, just how much of this activity out there is noncommercial.
And even in the gTLD setting, I have been told, for example, by some people at VeriSign that they estimate that as much as a third of their retail dot-com and dot net users would self-identify themselves as noncommercial, and the majority of those people, of retail registrants in dot-com and dot net are actually providing personal or home information in their registration information.
Now, that's just my anecdotal description of this. I think it would be very useful to get more data about that. But I think it's clear that there's a lot of different user conceptions about what noncommercial means out there.
Ross Rader: If I could jump in on this one.
I think the DNS is probably the most absolutely worst place where we could try and make this distinction. Until I need a domain name to send out a piece of e-mail, to undertake a commercial or noncommercial transaction or until I need a domain name to set up a web site to engage in a commercial or noncommercial transaction, trying to make that distinction is going to be very meaningless.
If we look at other areas, for instance, though, such as the data that the certificate authorities collect on commercial users, and look at how we can use that data and cooperate with those other parties that operate services in other areas of the Internet, we might get down to something that might be meaningful and useful.
But to put it into the magic box of the DNS and the Whois because we can is really just inappropriate, I think.
Pablo Hinojosa: Well, I have a last question.
It's about should there be new gTLDs offered with stricter vetting of registrants, like .pro or .edu in exchange for higher levels of privacy protection for Whois information?
And if so, who should administer these new gTLDs? Also registries, registrants, ISPs.
Ross Rader: I think that's a question we need to ask the marketplace and maybe allow some people from the audience to put up their hand as to whether they would be willing to run something like that. And if they don't get it right, maybe ask somebody else to do it and let the market kind of take care of those demands. I think privacy can sell, I think there's a strong demand for it. We just need to give operators the opportunity to get into the marketplace, I think.
Willie Black: Within .uk, we have two or three second-level spaces that are what you might call restricted in gov.uk, ac.uk for academia, ltd and plc.uk which has to be the name of the company that registered companies have. They're just not popular. You get about 1% of the total number who want to go through this particular accreditation. The government departments are limited in number. The academic institutions are limited. And, really, the bulk of users don't really want to be there.
But I think it's easy to do it if you are prepared to put the cost and effort into doing the vetting. But from the user's perspective out there, I don't think they can ever rely on this verification.
Would you rely on the -- I'm sorry, I'm saying this because I don't know much about what .pro is going to do about doctors and lawyers. But would you actually rely just on the fact that they were a genuine lawyer? I'm sorry. No matter how much the .pro people actually do the vetting, I would still do an independent vetting before I would rely on it.
The DNS is not really designed for that. And that would be stretching it, I think.
Alan Davidson: Can I just add, this is not a very attractive solution for a lot of the reasons we were just talking about how hard it is to make the commercial/noncommercial distinction.
I think we should be wary of creating a privacy ghetto, which becomes the only place that you can go to get privacy is this particular domain where you may have to pay extra because this kind of verification could be very costly. And I don't think it's fair to ask people to give up the identities that they have already created for themselves online in order to protect their privacy. It's okay to ask people to take steps to protect their privacy.
I see Esther sighing in the front row. This one doesn't appear to be the right answer.
And I think we're putting a lot on the DNS, as Ross and Willie have both said, to try and make this distinction for us.
Steve Metalitz: The only thing I'd have to add on this is that, obviously, if you have a sponsored top-level domain where there is some gatekeeping done in terms of registrants, not everyone can register in dot museum. You have to be a museum or affiliated with a museum. When that's done up-front, that obviously takes some of the pressure off Whois because some of the same functions can be served in the gatekeeping department.
A, is there a market demand for that? And, B, is there a way to import that type of mechanism into more of a mass market top-level domain? I don't know.
But I was very interested in the discussion yesterday about CRISP, about authentication and authorization technologies. They were talking about using it for Whois queries but you could also do something similar for registrants.
And if you had a system like that in which you had a higher degree of confidence, obviously, maybe not enough to go have brain surgery with somebody that was in there, but without any further checking, but some higher degree of confidence that people who are registering or institutions that are registering in a particular space had particular characteristics and could be located and could be accountable for what goes on, that obviously takes some pressure off Whois. Whether it's a practical option in the current environment, I don't know.
Robin Layton: If there are no other comments, Tom, do you want to move to the next question.
Tom Dale: Thanks, Robin.
I'd like to ask, starting off, our registrar and registry representatives on the panel about possible roles for government in any new models of Whois. I realize the term "government" also elicits a certain reaction within an ICANN fora. But we have to ask the question some time, so let's get over it.
A couple of examples that the panel members might like to respond to is a more direct role for government in administering or overseeing a new TLD for noncommercial registrations, if there were viable. And since some views have been expressed on that already, is there a role for setting data collection standards, which are, either set by or agreed with appropriate government agencies? Who is going to enforce penalties for noncompliance of such standards? At the global level as opposed to the national level, how can any of these models be made to work within acknowledged government, legal, and sovereign frameworks?
Perhaps Ross Rader might like to start.
Ross Rader: That's a big mouthful of questions there.
I think it's important that we, as a community, take a really practical view of this, and I think governments can be included in that. For instance, registrars don't, I believe, adequately understand the interplay between the Registrar Accreditation Agreements, the national law, and the international treaties, and all of these things that surround how this data can and cannot be used and who can use it and who cannot.
It's a big bunch of questions that we have. Our constituency meeting was held on Monday. And we were unable to get the government input into that meeting to help us address those questions. Help us understand, for instance, what we need to do. And perhaps we can build systems that cannot put you in a position of being a regulator or administrator, but as a user of a system that you or your constituents can use.
Willie Black: Yeah, I can try to start on some of these.
I mean, of course, our reaction is that I don't think governments would do this any better than we do. A nice example from the U.K. is the Companies House register, which is limited companies. If you are a director of a company in the U.K., by law, your home address has to be available on the public register.
That's even worse than what we do with the Whois. And so, you know, if that is the kind of legislation that would be applied, then I think there would be a big outcry. There's already a bit of an outcry on the Companies House, particularly if your company happens to work in a sensitive area where people might like to come and lob something into your house. And, you know, governments have not come to us and said, "we need to do something." I don't think they really want to. So maybe you have to ask the government people around, "would you ever want to do this at the present time?"
And with respect to penalties, yeah, that's one where it's very tempting. If you misdeclare to our vehicle licensing people your address or you don't update it, in theory, you can be fined, I think it's a thousand pounds or something. It would be probably quite nice for us if we could fine people for having supplied the wrong data.
But do you think you're actually going to get it? And also, again, it's the ones that are not honest that make the false declarations, and the poor innocent guy who forgot to put something at the end of his address, you know, are you going to penalize that person? So, really, to apply that kind of governmental control to the Whois, I think, is nigh impossible. And it wouldn't help the system very much.
Steve Metalitz: Let's be candid about this.
The alternative to government doing something is to do something privately through contractual agreements. And we have contracts in place. And one of the big problems is that people aren't doing what they said they would do. Bruce Beckwith went through this in his presentation yesterday. The bulk access obligations are not being met.
The obligation to provide Whois data in the first place is being met very spottily among many of the registrars. There isn't even compliance with the UDRP in a disturbing number of cases.
There are just many, many ways in which the contracts are not operating. And people are not doing what they said they would do. Naturally, I think, that increases pressures on government to step in and enact public law when people enter into private agreements and just won't comply with them.
And I understand, I keep hearing about the tension between the contracts and national laws. Well, most of the national laws that people are talking about predate these contracts. These contracts date from 2001 in the current version, 1999 in the original version; the data protection directive was in effect long before that. People walked into this with their eyes open. They knew what they were getting into as far as bulk access is concerned. And I think the fact that the compliance has been so minimal in some of these areas, first it tempts governments to come in where maybe they shouldn't and don't have a role to play. And second, I think it just makes it that much harder to talk about changes to the system, because if the system is going to be changed and we're going to have new agreements in which people pledge to do different things, we should at least have some confidence that people will do and companies will do what they say they're going to do.
And the track record in recent times under the ICANN system is not very encouraging.
Margie Milam: I'd like to follow up on comments, because part of the concern in bringing in the government is we don't want too much regulation. On the other hand, as we discussed in the prior panel, the contractual obligations under the ICANN agreements simply don't provide an enforcement mechanism in certain circumstances.
So, for example, with the bulk access provisions in which many registrars simply refuse to comply, if you're trying to purchase bulk access, you don't have the ability to enforce the ICANN contract. And the reason for that is that the ICANN contracts basically say that there is no third-party beneficiary that can enforce the rights.
So there may be ways of amending the contracts to allow for enforceability so that you don't have to include the government in the enforcement.
Maneesha Mithal: I think on some level the idea of governments imposing some sort of civil or criminal penalties on those who provide false Whois data is very appealing, and I think it is akin to what Willie mentioned about the licensing system. You have to have a license plate. If you falsify the information or if you don't have one, you're subject to fines.
And I think the Whois system can be an analogy.
But I think the one difference is in the Internet world we're talking about a global system. And so I don't think it would be that effective for one country to enact laws providing for civil or criminal penalties for failing to provide accurate Whois data. So I think there needs to be an internationally coordinated approach that national law just won't address.
Alan Davidson: I can't speak really to the question about registrars and registries and their contracts, but just from the point of view of individuals, I think perhaps we should ask ourselves is part of the reason why individuals may not be complying with the obligations that we think we're imposing on them may be because those obligations are widely believed to be unreasonable.
And in some circumstances, putting personal information into a public database just may not make sense for individuals, and they are going to disobey that, and I think we should really think carefully about trying to impose some kind of harsh penalties on people for trying to protect their privacy, their basic privacy rights. And there's been some sword rattling going on about national law, let's get a national law passed to do this. I think those kinds of national laws would face a lot of opposition, even in the United States from groups who really care about privacy.
We would do much better by trying to work this out, some kind of self-regulatory system. We talked about solutions that make a lot of sense, tiered access being one of them. I'm hard pressed to hear that filling out a form is too much of a hurdle for law enforcement in order to get very sensitive personal information.
Ross Rader: If I could add to that, I think noncompliance is something you see across the board, whether with registrars, registries, users, but also with licensees, applicants, failing to disclose what they'll be using the data for, with whom they're trading the data, et cetera, et cetera. So there's really more on the table than simply noncompliance.
Willie Black: A point about bulk access, because we tried, in fact we still do it a little bit, give bulk access what we call public registrar subscription service. So it's basically what you can see on the public Whois and we just gave the whole database under contract to appropriate trademark watching people, people who would actually sign up to contract.
And of course, again, the whole thing gets messed up by somebody coming along, making the declaration, and then misusing the data.
And with bulk Whois, once you've done it once, all you need to do is make the declaration, take the data and you've got another spam database for six months, and then you shut down the company and come back in a new guise and ask for another new contract.
Yes, you can enforce it. Once it's been done, you can see the guys have breached your contract. There's nothing you can do about it. They've taken the data once, you've discovered it and they've misused it.
Bulk access is not easy to deal with, so whoever is designing the bulk access, please take care.
Henning Grote: So just one remark, just a few words concerning the basic question, role of the governments, private sector interaction. What we just discussed, as I see it, also from the ISPs and from the registrars' perspective, it's all private sector, period.
The role of the governments, as I understand it, and a role that would also be very serving to the communities, to the national legislations, to everybody, is then to agree on this very basic framework that has to be addressed.
Just to give an example, if there might come into existence something like this tiered access, what are the procedures on the government side, on the legal side to enhance the law enforcement processes in detail, for example, for cross-border cooperation and all that.
These are all issues that ISPs and registrants don't want to deal with.
So to make it short, the role of the government would be a very serve and cooperative one if it's really in the basic framework. Well, indeed it's our job to do this right, and within a framework and in cooperation.
Robin Layton: I'd like to wrap up this session by asking each panelist in one or two sentences how they would characterize a new approach to the Whois system that would best balance competing public policy goals. Let's start with Ross and just move through. Thank you.
Ross Rader: I guess, you know, I'd summarize with the restatement of what I opened up with.
I think as a community, we need to work together on this, first and foremost. Taking a short-term view is not as appropriate as taking a long-term view. And really, if I would advocate one point that each of you would take away it would be to think of what your requirements are for these tools, and then allow the technicians to build those tools.
And while they're building those tools, let's take a look at what policies we need to govern the use of those tools once they're completed.
We've got all the parts. We just need to put it together. And I think we can, and it's not going to be easy, it's not going to be quick, but we can solve the problem. We're not talking about sending people to Mars. We're talking about a public database.
Willie Black: Yeah. Of course, with all humility, I would rather think that we've done quite a good job in .uk to balance the things, so I would obviously recommend that you look at our experience.
It isn't perfect, because you cannot actually satisfy both the requirements at the same time. There is a compromise. And we try to get that compromise. So that's the first thing to do, look for the middle path.
The other maxim is crooks are crooks. They don't care if they breach contract law. They don't actually care if they breach other bits of criminal law at times to get what they want. And whatever is designed, you must remember that they will do that.
And I think lastly, I would commend the slightly thicker registry. I think you can solve problems by having the registry take the role of dealing with the Whois rather than having a competitive environment. It shouldn't really be competitive among registrars to deal with Whois. I think it's a core function of the registry.
But, you know, maybe you're too far down the line on that to try to back out from that particular one. But that's just some thoughts.
Alan Davidson: I think, you know, in summary, there needs to be more consideration of privacy interests both to promote accuracy and to comply with international standards of privacy, common sense, and national law. And I think we can do that.
There is a combination of tools that are out there, a lot of experience in how to deal with those tools that can be used. Tiered access is one of them, audit, notice, better domain by proxy, which we didn't talk a lot about, potential changes to bulk access, that could do a much better job of balancing.
And those tools can provide a lot of access and reasonable circumstances while doing a lot to protect privacy.
I think the line in the sand of it must not create any burden on those who want access is just not tenable. To say that it's too much of a burden to fill out a form in order to get people's personal private information, it's just not the most impressive argument.
I think that, finally, I would just say that whatever we do must be consistent with ICANN's mission. And particularly its attempt to try to be a thin organization that doesn't try to get into the policy setting space or minimizes its role in that space. This is a very policy issue. I think staying away from things like ICANN trying to come up with a master list of every law enforcement agency in the world or who is a bona fide IP enforcement agency, those kinds of things should be avoided, and I think they can be avoided by coming up with some very thin structures that will do a lot to protect privacy and balance it with these other reasonable needs.
Henning Grote: Although we experience very often some back firing in general, I think in lots of parts of the areas, ICANN has worked and we all as a private sector has worked, there have been an appropriate job has been done. Nonetheless, it has to be checked, really, and that's echoing what Ross just said. What is needed? What do you really need? What kind of attributes in such a public database?
And balance that against a reliable legal framework for these private operations. And it's a very, very easy and clear necessity for LIR operators, registrars, and so on and so forth, that, for example, just need a unified approach, who just need a unified tool set, not a whole array of different protocols, suites, tools, whatever you want.
So just let's go on with work. Thank you.
Steven Metalitz: Thank you. I agree that we need to ramp up the discussion here, and I think we should be guided, I'll just suggest, by four criteria as we look at changes to the Whois system.
First, we should recognize that Whois advances some very important objectives of promoting transparency and accountability on the Internet. And those objectives have not become less important with the growth of the Internet and the development of e-commerce; they've become more important.
So if we're going to build confidence in the online world, I think we have to have a system that continues to advance those objectives.
Second is the enforcement question. Whatever we come up with has to be enforceable, there has to be enforcement mechanisms, and there's no sense in changing the rules if they're not going to be observed any more assiduously than the current rules are sometimes being observed.
The third, I think, which we haven't talked much about, is the role of technology. I think we've heard earlier in this workshop about some technological tools that might help ameliorate some of these problems of abuse of Whois. I know technology is not going to solve these problems by itself, but I think it has a role to play.
And finally, I don't want to impair Willie's humility any, but I think we might learn something from some of the CC's about the fact that sometimes there's really no substitute for making some tough decisions on a manual basis. We heard about how .nl, how they handle the opt-out process. It's very different from what we have come to see about the opt-out process, for example, in bulk access. They actually apparently look at every request for opt out and judge it on its merits. And we had a very good presentation in the Whois task force a year or so ago about how .ca works on improving the accuracy of Whois data by having somebody look at applications, registrations as they come in.
Now, I know that many registrars and registries don't like the idea that everything can't be automated and sometimes you actually have to look at what you're doing and make tough decisions, but that may well be what's required in order to achieve the appropriate balance here.
And I just wanted to thank, also, the organizers of this panel and the whole workshop for what I think has been a very excellent program.
Maneesha Mithal: Thanks. I think I may be in the minority here, but I think there can be a commercial/noncommercial distinction. Willie mentioned that there's, in .uk an opt-out option for noncommercial registrants, there's a commercial/noncommercial registration, and there's a whole body of law that deals with the distinction between commercial and noncommercial.
And so for the commercial sites, I would recommend status quo with better enforcement to ensure accuracy. And for noncommercial sites, I think maybe there could be -- and this is just an idea I'm throwing out there -- there could be a new gTLD created for noncommercial sites where there would be more gatekeeping. There's precedent for that in the .name space and .pro and .museum.
And I guess another idea would be you could have people self-declaring whether they're commercial or noncommercial, and then you could have some sort of system where if somebody points out to the registrar that a noncommercial site is engaging in commercial trading, that site could be taken down or there could be some sort of expedited procedure for getting that site down.
So those are just some ideas, but I think the bottom line is the public should have access to all Whois data for commercial sites. Law enforcement should have access to Whois data for all sites, and I think we can go from there.
Margie Milam: I'd like to echo Maneesha's comments as well. With respect to bulk Whois, I could see a bifurcation of commercial and noncommercial because there are uses in the commercial world for information in the bulk access approach.
With respect to personal consent, you could consider an approach where notice is sent out to the registrants and asking them for a formal consent to opt into the Whois record.
I am surprised with some of the comments today that no one's focused on the fact that individuals might actually want their information publicly available so that they can keep track of their registrant data, they can make sure that it's not going to expire, and there very well may be instances where persons want their Whois information publicly available.
I'd also like to think about the concept with bulk Whois to eliminate spamming concerns, because I know that is a significant concern in the industry, and particularly among registrars, that the bulk Whois provisions could eliminate the e-mail access and then that way it reduces the incentive for someone to purchase the information to develop a marketing list. So that's something that might be a solution that could work for the industry.
And finally I want to emphasize the fact that we would need to couple the changes with enforceability because we don't want to have a repeat of the experiences we have today.
Pat Beardmore: Thank you. A couple of things. I don't want to start the Willie Black fan club going here.
Pat Beardmore: I could start it, if you like, but I want to confirm, and I think it is pure coincidence we're on the same board but I've been working with the .uk umbrella in terms of law enforcement for about four or five years now and it does actually work. Even though we can't access certain data directly from Nominet by the Whois network, they do show great cooperation in working with law enforcement in trying to get us the data we want, obviously legally but quickly as well. And I do appreciate that.
One final thought is that I think there's a danger that law enforcement, if we keep banging the drum, and it is important about having the data available quickly, trying to keep it public ideally, keeping our heads down, et cetera, but at the same time I wouldn't want law enforcement to be seen as isolationist. We don't work in a plastic bubble, and it is important that we do our best to see other arguments in the same way that I would hope that you are doing your best to see the law enforcement arguments as well. And hopefully by going through that process we can eventually come to some sort of agreeable system.
Robin Layton: I think this has been a really useful discussion. I think there seems to be some consensus that the privacy concerns are more on noncommercial concerns and tiered access might be a concept as long as it's easy, cheap and scalable. And we've also heard that ccTLDs may give us some useful lessons in how we might look at these issues.
There are still many unresolved issues. There are problems to explore with tiered access. Would it pose a burden on law enforcement? How would we authenticate law enforcement officials or other authorized users? Does it satisfy data privacy laws? And if it applies only to noncommercial, how do we distinguish between the two?
It's also unclear that there are better solutions out there, such as setting aside a new gTLD. We've heard comments on both sides of that issue with greater privacy, or whether more government input is needed.
I think one of the reasons we're all participating in ICANN is that we're here to try to explore as much as possible private sector solutions with public input and public policy concerns taken. So we want to work towards a solution that will balance all of these interests in this fora.
I want to thank all the panelists for what I think has been a marvelous setting out of the issues. That was our goal today. We weren't trying to necessarily resolve anything. We just wanted to get everything out on the table, and I think you've done an excellent job with that.
We will break now. We'll come back at 11:00 for open public discussion.
All of the panelists from both panels this morning will be up here on the dais and be able to field questions. Thank you very much.
Michael Roberts: I think that we ought to try to begin the public question and answer session, please. Everyone take their seats. Can we have all of the panelists take a seat behind a mic up here?
Vint Cerf: Mike, I'd like to make a request of the board members who may be participating in this part of the discussion. I'd like to ask the board members to treat themselves as if they are simply members of the audience and queue up at the microphone to ask questions, just like everybody else. Thank you.
Amadeu Abril I Abril: Here I am.
Michael Roberts: Let me make a few more comments by way of introduction to this session. We had a certain amount of confusion yesterday about the e-mail address for comments from the remote. The e-mail address that is being monitored is Whoisfirstname.lastname@example.org.
Second, we used to have a practice in ICANN of having a large countdown clock that we put up on the screen. We haven't been doing that, and we're not going to revive it this morning, but there's a great deal of interest in the subject, and I'd very much like to ask those who have questions or comments to observe a two-minute rule on those questions and comments.
So are the panelists prepared to field questions here? Looks to me like they're all ready. And Amadeu, I'm sure that you have a very good question for them.
Amadeu Abril I Abril: Well, in alphabetical order, I'm Amadeu Abril I Abril, sometime board member now who is an observer for the last year. I will not do the usual things about the workshop, it's been very useful, but I still have some problems, and let's go for the problems.
First, a confession. Sometimes it's very comforting not to have you as citizens, not to be a U.S. resident and to be here in Montreal and across the border because it's quite frightening to listen to John Logalbo from the Department of Justice say things like legal process is slow. I was told in law school it was slow because there are some guarantees to be provided sometimes. And guarantees are also important, not only speed.
But anyway, registrars should somehow check the data. Well, this is slow. Like legal process.
And third, if you have problems with complying with local legislation, tell your local government to change the legislation. Thanks for the advice, but it should be reversed. I would tell the U.S. government to change the legislation. If you are so worried about fraud -- and you should be, because the vast majority of the percentage of the fraud, spam, comes from, what I say, this country and other regions, why don't you enforce legislation to force this information to be on the web site and e-mails and any commercial activity, and then you find those people will provide this information.
The DNS is not a universal solution for everything. It may be a solution but it's not the only one and you have many other tools, not only registers, registrars, and ICANN.
Second thing, and this is the most important part, this workshop has been very useful, but we will need from now on to be more careful. That is, Whois is nothing. Whois is a set of data. And we need to find a solution. If Whois should be public or not, we should discuss for each single piece of data where it should be.
In the old times, before ICANN in the IHC days, we're preparing a list of what the registrar has to ask, what the registrar has to send to the registry; for instance, credit card, billing information must be required by the registrar but it must not be made publicly available, not sent to any third party.
Then regarding what the registry has, what part has to be publicly available? And today, we should change the question, what should be publicly available that is Whois -- what should be published, and what should be made available on request?
Perhaps this new part, what should be made available on request, is the most difficult part because then we need implementation procedures. But for each single data, to assert the need for having the data, the risks of having the data, and then the relative cost and balance, you know, with some statistic way, where the most important thing lies. Because if not, it will be like this morning here saying well, we need public Whois because sometimes we need to find a technical contact. Nobody discusses the technical contact. Even the telephone should be there. But this has nothing to say about my personal address or telephone number.
For instance, in the old days, everything that was gathered was published. In this room, responsible for the Spanish NIC, for a tradition they published everything, even the vat number, the fiscal number, tax number which for individuals is the national identity card. Who needs that for technical reasons? But it's there. Right?
So we should be doing these three lists: what should the registrar ask, what should be on the registry list and what's published. And if we keep talking about Whois in general, we won't find a solution.
Third thing, the Whois bulk access. I completely disagree with Margie about the remarks she made. The bulk access is a disaster. It's a result of the peace treaty which was signed at that time with member solutions back in '99 and it's the same disaster of the decentralized Whois, and the most disastrous thing is this 10,000 fee. By the way, and I have a question for Diana regarding the European registrars. As I said yesterday, I advise all of them not to comply with the RAA, even if this is risky. And the reason is because I think how this is written now; it is contrary to most European data protection laws. And this is more risky than not complying with the RAA.
The last thing is an ICANN joke, is the GAC publishing the Whois on their task forces? That would be very useful.
Michael Roberts: Would any member of the panel like to comment on that much longer than two minute comment?
John Logalbo: Since I was mentioned specifically, I'd like to comment. I forgot my disclaimer, and I thank Maneesha for articulating it, but the views that I express here today are my own and not that of the Department of Justice or the United States government.
Of course law enforcement needs to comply with constitutional safeguards, and that goes without saying, should go without saying. But the availability of Whois data has proven to be very useful and very important for law enforcement around the world. And to place roadblocks procedurally or otherwise in the face of law enforcement's access to that data is a serious detriment. And I want to make sure that everyone here understands the interests of law enforcement before we engage in a balancing of those interests against privacy and anonymity.
I should also say that anyone who knows me understands that I come from a background in which there is no question that I believe privacy and anonymity are core values. I was an in-house attorney for PSI Net for many years and I worked closely with the Center for Democracy and Technology on many issues and I have great respect for Alan Davidson. So I'm not coming at this solely from the perspective of law enforcement in terms of my own background. I do think it's my role here to articulate the concerns of law enforcement and make sure it's given appropriate weight. I think that's all I'll say.
Diana Alonso Blas: Yes, to answer the question of Amadeu, it is clear that no matter what the contracts say, if they are in contradiction with the existing legal framework, I will certainly not advise to comply with them.
Obviously, this creates problems. It means that the contracts or whatever obligations arising from the contracts are there will have to be revised in the light of the existing legal framework. And I think the main problem is exactly in the question of bulk access. It is clear that the new directive, 2002/58, imposes clear legislation and clear obligations that make impossible bulk access under the existing European legal regime. So that's something that will have to be studied carefully and revised, and obviously I do not advise anybody to implement rules that are against the legal framework, because I think this will create only more problems.
Alan Davidson: Can I jump in to say quickly, I think many of us appreciate the law enforcement perspective here, and at least speaking from my own personal experience, the people in our U.S. Justice Department, and as John indicated, his branch, take their constitutional obligations and legal obligations very seriously and we appreciate that.
And I don't think we need to question any of that to have a real conversation about how to meet, you know, very real desires and needs for information and balance that with consumer expectations about privacy.
Perhaps my role in some ways is to try to articulate the fact that there are these large numbers of registrants, they're not just commercial registrants or evil-doers. They are individuals, human rights groups, noncommercial organizations who have a real interest in protecting privacy. And I do believe that there is, therefore, a way to make a balance here that's going to meet law enforcement needs and actually do some good -- it may not make things as simple or easy. As Amadeu says in some cases a little bit of a speed bump is required, but it doesn't need to be a huge one.
Michael Roberts: Other panel comments? Next question, would you please identify yourself.
David Fares: Yes.
David Fares from the U.S. Council for International Business.
The two panels this morning clearly demonstrated that different government agencies have different views on the Whois issue, most notably, the differences between the data protection authorities and the law enforcement agencies.
I have a very simple question, and that is: have the governments begun to engage in an interagency dialogue so that there is a consistent government position on this issue? And it would include, I believe, law enforcement agencies, data protection authorities, and other relevant interested agencies.
Michael Roberts: Thank you. Comment? Maneesha.
Maneesha Mithal: I can speak for the U.S.
There is an interagency group on Whois.
Robin Layton leads that at the Department of Commerce. And it includes people from the Patent and Trademark Office and from the Federal Trade Commission.
And over the last couple months, we have met with the various groups of people who have wanted to talk to us, including intellectual property interests, registrars and registries, and privacy advocates.
So that's the process in the United States.
Michael Roberts: Other panel comments? Andy.
Andy Mueller-Maguhn: Andy Mueller-Maguhn, currently still on the board.
And let's say in accordance to the fact that we have today the 100th birthday of George Orwell, I urge you to dedicate this session to him and mention one thing.
By our respect for law enforcement needs, there is the sentence, I guess it was Abraham Kaplan, that if you take a hammer in your hand, the whole world starts looking like nails.
So I have respect for people who want to prevent crimes and need access to that data. But this data here is much, much more from the impact side of what it means to the people who use the Internet as a communication tool. This is far beyond economic use; this is about cultural and social life of a society. If you're able to participate in a communication means without fearing to be punished for communicating. And I really think you should take that into consideration as well, because you're forming here parameters of a society and not only access for law enforcement needs.
So I think it may be not astonishing. After all, from a European point of view, I read about the United States justice system. Nothing made me astonished. But it made me a little bit sad hearing the Department of Justice representative saying that he would not (inaudible) access for law enforcement, now it has to be in public access and to be access for this and that and that.
So I think access for law enforcement needs should have to follow rules as well as everyone else here in the room has to follow rules, so that we have a society we can agree to live on.
Michael Roberts: Steve.
Steve Metalitz: I would agree that when you have a hammer, everything looks like a nail. When you are in an organization that deals with registration of domain names, everything looks like registration of a domain name.
And to suggest that this debate has to do with whether or not people can use the Internet as a communication tool, whether they can participate in a communication tool without being punished I think overlooks the fact that people can have a very robust presence online and participate in this communication tool without ever registering a domain name in a gTLD at the second level. Millions of people do this every day. And if you want to participate, you do not have to register and put your name into the Whois database.
There are many other ways to do it. And we need to think a little bit outside the echo chamber here, even though the people in this organization are focused on registration of domain names there's a much bigger online world out there.
Michael Roberts: Other panel comments?
John Logalbo: I'd like to comment very briefly just so my remarks are not misunderstood.
When I urge that the Whois database should be publicly accessible, the reason I take that position is because anything short of public access raises two problems.
Problem number one is edging toward requirements that law enforcement obtain formal legal process in order to get at the database. And that, I think, would be disastrous for law enforcement.
Problem number two is, it's not just law enforcement that needs access to this information. It's consumers, and it is intellectual property holders.
Those are two among the most prominent groups that everybody understands immediately why they need access. So I'm not suggesting that other approaches may not work. And I think that Alan Davidson in particular may be on to something with his vision of tiered access.
But I'm not prepared at this point to back off the idea that public access is the bottom line at which we should start, and then let's see if we can preserve the reasons why, I think, public access is necessary if we move to something like tiered access, as Alan describes, a speed bump and not an obstacle to access.
Andy Mueller-Maguhn: Sir, what you are saying actually is that law enforcement has a problem with fulfilling rules? Is that what you said? Yes, that is what you said.
Michael Roberts: Are there other?
John Logalbo: What I have said, if people understood my remarks and listened to them, is that using formal legal process, particularly when you cross international borders, injects a huge amount of delay and complexity in investigations. And those investigations, particularly when you are talking about electronic crimes, like hacking, like piracy, like child pornography, cannot afford that kind of delay. The investigations will fail if we have to rely on MLATs and other forms of treaty obligations in order to track down the bad guys across international boundaries.
I'm not saying let's dispense with constitutional safeguards or legal rules. I'm saying, practically, we need to use the technology that's available to identify and track people who are doing very serious harm to the public.
Michael Roberts: Other comments?
Alan Davidson: Can I just jump in and say I think we should recognize we sort of live in the golden age of Whois and wiretapping in some ways, which is that by historical accident, in some ways, this database designed for a few hundred entries for technical reasons has grown into this wonderful tool for a lot of people. And I just think we need to put that into context and say I understand the desire to have this information. I do think that there is a way to work it out so that it won't be as easy as it is right now, but it doesn't necessarily need to be prohibitively difficult.
And, in fact, law enforcement does have to go through some of these hurdles and some other situations to try to get other kinds of information. This has become easy. We don't need to make it hard, but it won't necessarily be this easy.
Michael Roberts: Esther.
Esther Dyson: Thanks.
I'm going to try and make some constructive comments.
But they're not -- Esther Dyson. Sorry.
From the ALAC. There is no clear answer. And I think everyone on this panel is speaking very eloquently in favor of some clear answer, someone else is talking about the need for balance. The fact is, we cannot get balance in the large. And we need to start thinking about how to get balance in the small, solve some of the tough problems that ends up being something akin to Alan Davidson's tiered access.
But if you look at the long-term history of ICANN, its mission was to help create a market, not necessarily a one-size-fits-all solution, but a market in which different kinds of solutions for different kinds of problems, for different kinds of cultures could coexist with some consistency at the bottom.
So I think what we need to try to do is set up a set of different kinds of regimes for different situations and make those clear. Part of what makes the market work is not just money and not just pricing, but clarity of the rules and have three or four different rule sets, call them tiered access and things that they apply to and try and make those work rather than try to find a balance that simply does not exist. The world does not exist to make law enforcement efficient.
On the other side, it does not exist to let everybody in the world have access to speak. They should be able to, but that's also not the preeminent goal.
And let's create a much more complicated system, which means, instead of everybody agreeing together, creating practical working groups and coming out with real solutions and then trying them out.
Michael Roberts: Comments from the panel? All right. Let everybody keep identifying themselves for the remote audience.
Andrew McLaughlin: This is Andrew McLaughlin from ICANN and Harvard Law School.
Let me propose a metric by which you all might measure some of the ideas that have been thrown out. In particular, I want to suggest something that you should judge the tiered access and the commercial/noncommercial distinctions against. And that is the following use of the Whois database.
Forget about law enforcement, forget about consumers, forget about some of the fuzzier interests. As we all know, one of the biggest threats to communications on the Internet today is the distributed denial of service attack. In the case of a DDoS attack, the attacker places Trojan horse software on many hosts around the Internet, those hosts then hammer on the victim.
If you are in the network operation center or you're the techie running the victim's network, you will use the Whois database. First you will do a reverse lookup on the IP addresses that are hitting you. You'll find the host names that are associated with that IP address. You will then use the DNS Whois database to figure out if you can find contact information for the people that are associated with the domain names that are associated with the IP addresses that are hitting you. There are many ways to fight DDoS attacks. This is not the only one, but it is an important one, and a lot of techies rely on that Whois data for that purpose.
So let me suggest that as you think about compromise solutions for Whois, you should keep in mind whether you are going to be withdrawing from the technical people who run networks the capability to contact people whose hosts are participating in DDoS attacks.
And I will suggest to you that the commercial/noncommercial distinction fails that test. Tiered access may or may not fail. I don't know enough about the details. I don't think any of us do, to know whether that is true. But my suggestion is you take into account that scenario, that particular use as a baseline against which to measure any particular solutions to the Whois database.
Michael Roberts: Comments. Jeff.
Jeff Neuman: I think that's a good point.
But wouldn't that also be solved if you just had a technical contact and not necessarily the registrant contact with all of the registrant's home information, phone number, e-mail address? I understand your point. But it really justifies why there should be a technical contact but not necessarily any others.
Michael Roberts: Sarah.
Sarah Deutsch: Yeah, I mean, I think it's an excellent point and as an ISP, we've had lots of situations where we were subject to denial of service attacks, spammers. So I disagree. Just having the technical contact might be helpful. But because the Whois information changes and technical contacts change, it's good to have a full set of information so you can know who to contact.
We had a spammer recently who took down three of our eight servers, and the Whois data was dead. Luckily, we could track them, after many months, through their IP address, filed a John Doe lawsuit and wound up stopping that person. But there are plenty of people who engage in these other attacks that we can never find because Whois is essentially a dead-end.
Michael Roberts: Let's go around, first. Ross.
Ross Rader: I think your point is well taken, Andrew. I share that concern, but I would spin it on its head.
As we speak into, as Steve called it, the echo chamber, there are techies out there building protocols today to address these problems. I'm more concerned that unless the policy committee or community starts learning how to either, A, build protocols; or, B, participate in the building of those protocols, that we're the ones that are going to be left behind and we're the ones who are going to be left without a solution.
And we're going to be faced with the problems such as the ones you describe and not knowing how to deal with them or what tools we will have available to us.
Alan Davidson: First of all, I think a tiered access approach could be consistent with what you're talking about if you take something like the .name idea of basically that anybody can sign up and get a user name and password to get access to the database.
It could be a very quick and easy process in the context of an attack like that, it's an extra step, yes, but it could be a quick one to get that access.
The other idea is, as we have heard, maybe if this is the real need, maybe we can try and find a way to have some measure of information in a technical contact that might be publicly available.
Let me just say, I think part of it is this really underscores why we need to spend some more time trying to figure out what the real needs are we want to meet. From the consumer point of view there is a shell game going on. This very legitimate need to stop DDoS attacks is morphed into a public availability of all fields all time.
It's very good to have examples like that to drill down and say what needs to be public and what do we put behind at least a veil so there's some process to get it.
John Logalbo: I would just like to say that I think you've touched on a very important point, and I agree with Sarah that it may not necessarily be solved simply by having the technical contacts readily available.
Michael Roberts: Jeff. Andrew, I think we're going to go to the next person.
Timothy Lowe: Thank you.
My name's Timothy Lowe. I'm a private citizen ICANN member at large.
My question or comment has to do with these previous comments we have almost hit on the point of the last day and today. And that is that the Whois database was created and designed for a specific purpose, the public technical management of public networks. That was what it was for.
And then a constituency has discovered this information and found it's almost what they want and now they want to change it so it is what they want. I think we have to go back to basics and say what is it this constituency wants? What kind of information? And then build a tool that does that. But don't break the tool that exists that was made for a specific purpose. The right tool for the right job, the analogy about the hammer and the sledgehammer and the peanut, there's two different peanuts here.
There's the technical side that the Whois database was created for. And then there's this information, this data that this constituency would like to have. They're not the same peanut. So maybe you could find out what you want to know and then tell the techies and they'll design it for you.
Michael Roberts: Comment? Steve?
Steve Metalitz: I would just like to say again that I think if you look at this in context, I don't think that we have a situation where there was a specific purpose and now there's a much different purpose. The specific purpose in the earliest days, and that you would need to contact someone for would be a technical problem. Today, we have a lot bigger category of people who are operating sites. We have a lot bigger category of things that can go wrong. And we have a lot larger category of people who are interested in finding the person responsible if things do go wrong.
So, obviously, it's grown. But I don't think that it's really fundamentally changed. But I agree that we need to make sure that it's adaptable to the needs of today.
Michael Roberts: Anyone else? Next person.
Wendy Seltzer: Sure.
Wendy Seltzer, here from the Electronic Frontier Foundation.
And while I have lots of questions, I'll keep it to one brief one, which is, why does due process suddenly vanish when we're talking about online speech? Domain names are important tools of online communication and publishing. While they're not absolutely essential, they are necessary to securing a recognizable place online. And we have a centuries-long tradition of procedural protections for important rights. To many of the people speaking online, privacy or anonymity are important rights.
So it doesn't make sense to me to hear that it's too much trouble to fill out a request or to specify the purpose for which a law enforcement interest needs access before the identifying information is disclosed.
In other media, we don't have prior disclosure requirements before you're permitted to get a sheet of paper in order to write a leaflet. And for the political activists and human rights activists and personal web loggers who want to publish online, I don't think we should have those prior disclosure requirements, either.
Michael Roberts: Comments from the panel? Diana.
Diana Alonso Blas: Well, just to say that what this lady is stating is something that we hear pretty often from other citizens and other individuals, at least at the European level, and the fact that these people are not very much represented in the process doesn't mean that we don't have to take into account their concerns.
And I think the points made are very fair.
Michael Roberts: John.
John Logalbo: I don't recall hearing anyone here say that due process vanishes in the online world.
And if you look at the Electronic Communications Privacy Act, for example, you see that there's a lot of due process and a lot of it is very complicated and very difficult to comply with, particularly, for example, a Title III order for the interception of actual e-mail content. So the due process protections exist.
The question is, should we start building in all of those due process protections to a database, which heretofore has been publicly available?
And I'm suggesting that would be very damaging to law enforcement, depending on the level of process you determine is due for us to find out who's behind a web site. And I think that there may be ways of establishing speed bumps for law enforcement.
But it's got to be clear that if it becomes an obstacle and if it requires subpoenas and if it requires international MLAT cooperation, it's going to be very destructive to pursuing law enforcement investigations.
The question is what process is due for what particular pieces of information. That's the way ECPA has been structured. And I think that's appropriate to carry that over in thinking about Whois.
Michael Roberts: Steve.
Steve Metalitz: I think we need to focus on what's at issue here.
It's not about speech. It's about anonymous speech because, obviously, people have these sites, their speech is out there and there's no one restricting them from accessing that speech. The kinds of speech that, of course, the intellectual property interests are concerned about are the kinds of speech that were shown in Jane Mutimear's presentation yesterday, the speech of people who create spoof sites and collect personally identifiable information from children and who give away or sell counterfeit and pirated materials online. They are speaking, and the question is, or should it be made much more difficult to find out who it is that's speaking in that situation.
So I think anonymous speech certainly has its place, but it also has to be put into that context.
Michael Roberts: We have several. Alan.
Alan Davidson: Just two quick comments.
One was to say, this is a database that has historically been publicly available. But it's also a database where people have historically publicly lied. And I think we are trying to do something about that. They lie because they don't think the requirements of the database are reasonable.
But also, I think we should recognize there's a trend here over time, just as there's a trend of greater desire to get access to this information, there's a trend of greater use of this database, greater registration, as the Internet has become an important part of social, political, and economic life.
And it would be a very small vision of the DNS and of what ICANN is trying to achieve if we said, well, this is not a place for individuals; if people want to speak privately, they should just go and get third-level domains from some other supplier.
I don't think we want a world where there are those kinds of gatekeepers on access to the Internet or DNS. It's not to say DNS access is a public right. But it's a very small access of DNS access if we don't try to make it accessible to many individuals out there.
And I just also wanted to respond; this is not about anonymous speech. This is about coming up with reasonable privacy protections for people who would like to participate in the DNS and who would like to do it without having their private information in noncommercial setting revealed to the world.
Michael Roberts: Ross.
Ross Rader: I just had a quick comment.
I have heard this a few times. I wanted to make a correction for the record that Whois is not a database of web sites. Yahoo! is a database of web sites. So if we want to start drilling down on who's behind a web site and who is responsible for these things, perhaps we should talk about Yahoo!'s services and not really what's going on in Whois.
Michael Roberts: Anyone else? Next question.
Ruchika Agrawal: Ruchika Agrawal.
I have three points.
My first one is, as a law-abiding citizen of the United States, I refuse to concede that speed is second to due process. With the needs of today, identity theft is a real concern. And I think we all know someone who has had to deal with the consequences of identity theft.
The FTC states on their web site, and I welcome you to go there, they say don't give up personal information, and if you do give up personal information, know who is collecting it, why they are collecting it and how they are going to use it. And domain name registrants, I am talking about for the main part noncommercial, are stripped of that ability.
My third point is, to Steve's point earlier about honesty in our discussion about candidness, and I will speak about this from the viewpoint of a noncommercial constituency representative on the Whois task force, which recently became defunct.
Now, the Whois task force published a report, and the noncommercial constituency published a dissenting opinion. And every dissenting opinion, the Whois task force still called it a consensus policy. Now, that is dishonest. And that may be more of a reflection of the Chair or of the process. But I have to comment on that.
Michael Roberts: Go ahead.
Maneesha Mithal: Yes, I would also like to welcome everybody to go to the FTC web site.
And we do say to be careful who you give your personal information to, to know who you are giving it to, and to know the uses of the information for which you are giving.
And I think providing information pursuant to a contract with a registrar where the registrar tells you that the information is publicly available, that would satisfy those criteria that we have on the FTC web site.
Michael Roberts: Go ahead.
Thomas Keller: Well, just in that respect, I want to mention that it might be possible in certain legislations. But, to us, you have always ruled that you can opt in certain registers. And this is clearly not satisfying the rules. This should not be about whether you have a domain name you have to display, but you still have rights. So we should at least have an opt out. So it's not satisfying the rules, not the European rules, at least.
Michael Roberts: Thank you.
Would the panelists please make sure the mic is close to them? Because it's not going in the sound system very well for some of you. Go ahead.
Margie Milam: Yeah.
I'd also like to comment about the consumer fraud issue.
Whois plays a very important role in determining who is behind consumer fraud. There's a lot of people out there that will set up domain names using a famous trademark and then they'll lure customers to reveal their private information, and the primary way of determining who is behind that is by looking at the Whois record.
So we want to keep that in mind.
Michael Roberts: Thank you. Anyone else? All right. Go ahead.
Ken Stubbs: Good morning.
My name is Ken Stubbs, and I am speaking as an individual, private consumer. Just a couple of observations.
First of all, there is a clear distinction, as I see it, between using DNS for commercial purposes and soliciting goods and services and contributions and funds from individual users. And using the Internet to express views, opinions, and advocacies.
My personal opinion is, as a consumer, I use the service on a regular basis to ascertain legitimacy of people who are soliciting for goods, services, and contributions. I need to be able to have a methodology, and that, for me, right now, is the most convenient. Maybe we need new tools, as Ross has said.
And I recognize full well, as Willie said, that crooks are crooks and that the information placed in there if someone is sophisticated enough may very well be totally deceptive. But the point is, it is a service that works for me many times. And for many consumers.
I believe very strongly that anyone who is using the Internet or who intends on using the DNS to offer good services or solicit for contribution of funds needs to step over a larger line. And that line means that they have to acknowledge the fact that they're willing to provide that information. Someone who is using the Internet for private purposes, personal purposes, or advocacies, I think that's an entirely different situation.
I think we have to acknowledge the young lady that just spoke with regard to consumer issues, I just want to have the ability to make sure that the people I'm doing business with or I'm looking at doing business with, I have some benchmark to start working with.
So I hope we consider that this has to be available for commercial aspects.
Michael Roberts: Alan.
Alan Davidson: First of all, I concur with a lot of that. And I think from a consumer perspective, that makes a lot of sense. That's why I think it is completely conceivable that you could come up with a tiered access mechanism that was open to anybody, including a motivated consumer who wanted to sign up and get access to more detailed Whois information.
First of all, you might include some public information that would get you perhaps a good part of the way towards what you're looking for, like the identity of a registrant or the country that they're from, as a starting point. And then you could imagine allowing any consumer who is motivated to sign up for this, I think that would be important, because I think it's almost impossible to imagine how you would distinguish between legitimate, for example, intellectual property holders and illegitimate ones.
I think for tiered access to scale, I think the most attractive way to do it would be to make it available to all comers.
Let me just make one other point.
I am also extremely sympathetic to your point about those who hold themselves out to do business on the Internet. And I would just note that there are a lot of different national approaches to this. And, for example, in some countries or regions, there's a requirement that a web site must publish identification information. That may be, we don't have to solve all of these problems at ICANN or through the DNS. But I do think that tiered access can help a lot.
Ken Stubbs: Thanks.
Michael Roberts: Other comments from the panel?
Diana Alonso Blas: Thanks. I would like to go in the same direction of Alan and saying, indeed, I recognize what this individual is raising is a very fair point. And I think nobody challenges the need for those carrying out commercial and noncommercial activities to be identified. The question is whether Whois is the best way, which would be facilitating the life of this gentleman and others. We have in Europe at least a different legal system, which through the e-commerce directive and other legislation anybody who is carrying out commercial and other activities through the Internet would have to properly identify themselves through the contacts with you and through the web site and so forth. That probably would be more user friendly than having to go through the Whois and start searching for it. But indeed, one way or another, you should be able to get this information.
Ken Stubbs: I would like to comment and say unfortunately we're dealing in the global environment, and I recognize the solutions and the tools that Ross referred to earlier that we're looking at developing in the future, we have to remember they have to be global and the application of policies in many ways in the gTLD space has to take a global scope. Thank you.
Michael Roberts: Let me make a procedural comment. We have about ten minutes left in the scheduled program. I think there's no particular reason to have a hard stop at noon, but in the interest of our panelists who have airplane flights and other commitments, we're not going to go very far beyond noon. So perhaps no one else should get in the queue now.
We have a question from e-mail that we're about to have read.
Thomas Roessler: Well, Dan and I were just discussing who should read it because the e-mail had been sent to myself so I would read the e-mail and reserve another slot for myself, if I may.
This e-mail is from George K., and he said he'd love to hear more comments from the panel members on (inaudible) proxy type compromise with multiple providers.
For instance, even the Electronic Frontier Foundation could provide a service if they felt the market wasn't being served well by current providers. This would have a slightly lower level of transparency yet maintain high accountability compared with the status quo. It's also a cost effective solution, allowing those domain name owners who wish greater anonymity, I suppose, to simply pay a dollar, five or ten. Obviously if they do not value their privacy even at a dollar, five or ten dollars then their privacy concerns, quote unquote, aren't too important. George believes this compromise offers the greatest economic efficiency of any plan and is market-based, building monolithic structures to deal with tiered access would be much more costly.
Michael Roberts: Any comments from the panel about that?
Thomas Keller: I want to comment on that saying what I already said on the panel; that is, privacy is not considered as a service. And it's nothing I want to pay for it's a private person. It is something, which is my born right to have. That's my comment to that.
Michael Roberts: Steve.
Steven Metalitz: One thing that would be helpful with regard to the proxy registration option is to have more data. There are services out there. I don't have any sense of how popular they are. In other words, is there a demand for this? And this is, again, under the existing registrar accreditation agreement.
We do have some data. For those who may not know this, the Whois task force did conduct a survey and published the results last year. It has many flaws and it has many shortcomings, but on the other hand, 3,000 people took the time to tell us what they thought about Whois, why they needed it, what they used it for, how they would like to see it change. And that's probably 15 times the number of people in this room.
So I think it has a lot of useful data in it. And one question that was asked there is whether they would be interested in a proxy service. There was some interest, but it would be interesting to find out how the services that exist now, what demand they are really finding.
Alan Davidson: When I first looked at this problem a few years ago I thought this would be the best solution, because it's very market driven. It does create these privacy concerns as we just heard. But for whatever reason, you know, there hasn't been a tremendous development of marketplace offerings or demand for this. And I don't completely know why. I concur with Steve; it would be good to find out more.
I think that part of the problem is that there's a lack of clarity about when disclosure happens in proxy. So how protected is my information, really, if it's just turned over anytime anybody asks, that's not a lot of extra protection.
Then there are liability questions that make it unlikely we'll see offerings that are only five or ten dollars, but instead turn out to be prohibitively expensive.
But it's a great idea, should be part of the tool kit, and I hope we can learn more about it.
Jeff Neuman: Yeah, I think it's one thing to look at the demand for the service, but you also have to consider that probably, and this is just an estimate, 90% of the people that register domain names don't even know that their information is made public.
So to sell a proxy service to 90% of the population that doesn't even know that their information is being made public, you know, I would never use that result to make some sort of conclusion as to the utility of such service or whether there is not a need for such service.
Henning Grote: Just another comment. I just want to echo what Tom and Alan in particular just said. It is a right, and to define a kind of service out of it, it's, well, okay. But the basic question is, just going back to what Steve just said, the issue of the question in the Whois questionnaire, I just would like to think about that in the way, well, there is a proposal for a solution to a problem. And the offered solution was the proxy. Maybe nobody thought that far then back in those days when the questionnaire was put together.
But the underlying question is do you want a solution to your privacy problem? And the question stated, well, it was a proxy.
So I'm not sure that most people are very sympathetic with the proxy, but instead are very sympathetic to have this problem solved. That would be my interpretation of the question.
Michael Roberts: Go ahead, Thomas.
Thomas Roessler: Good morning. Thomas Roessler here, speaking on his own behalf but being a member of the ALAC and this time it's my opinion.
What I'm hearing yesterday and today frequently mixes two aspects of Whois. Whois as a tool for third parties who have a need to access data, and Whois as a service to the data subject.
What I've been hearing yesterday from Jane Mutimear was, in a way, amazing and a policy discussion. What she was telling us on the aspect of asset management and Whois as a tool for asset management was registrants request for service, for the service to publish registrants' own information. We don't need to have a policy discussion about that, because if you fulfill this request, you are leaving the data subject in control of its information, of the disclosure. This is just not a problem, not an issue.
And what I would like to ask is that in the upcoming policy discussions that there should be a very high level of clarity for what users is mandatory disclosure of information important and for what users can the disclosure be left to the data subject?
To give another example, involves consumer uses of Whois to find out who is behind an online business. Now, if a consumer has the sophistication to actually access the Whois database, he also has the sophistication not to do business with an entity which does not make this information available publicly.
I just don't see how mandatory public availability of information about businesses is actually needed. I think a good business will do it voluntarily, will make the information available voluntarily, and I certainly would object against any conclusion which could end up with saying we have this requirement for businesses, and because we can't distinguish between commercial and noncommercial registrants, or between commercial and individual registrants, we also have to impose that requirement on individuals. I don't think we even have the requirement for the commercials; we shouldn't have it for the individuals either.
Michael Roberts: Thank you.
We've reached the end of the time allotted for this session. And I'm going to allow the speakers who are there to speak. I'd ask them to be very brief.
Paul Twomey has some remarks to make about where we go from here, and I'm sure that people that are in the room would like to hear those before they go.
Sotiris Sotiropoulos: Sotiris Sotiropoulos, individual at-large member.
I'm here to present some of the concerns of the membership of the ICANN at-large.org which is primarily a mailing list which is organizing itself into a viable at large mechanism for the purpose of presenting at-large input to ICANN. Some of the concerns submitted to me from members and observers of our group are as follows. In the interest of brevity at this I will forgo voicing my own concerns as individuals more able than myself have done so and I must commend the panel on the quality of today's decision and I do appreciate the Nominet approach.
Name servers, expiry date and name of the company I think is sufficient information for public display.
In any case, Danny Younger, our unofficial list gadfly wrote I have an unlisted telephone number. I pay a fee for this service and have many good reasons for using such a service. I seek an equivalent service for the same reasons in the domain name system. Unlisted phone numbers do not deter law enforcement officials from accessing telephone company records when required. And neither will unlisted domains deter those with a right to examine the domains contact data.
Publication of private contact data should be permission based. ICANN adhesion contracts abrogate those rights to privacy.
Echoing those sentiments, Richard Henderson writes, that is a major concern of my own. I have argued this case on the GA list and if people abuse their domains, then injured parties should pursue the offenders through normal legal processes. Individual registrants should not have their private contact details posted unless they wish them to be so. There is a danger of harassment, and like Danny, my phone number does not appear in any public phone book, and yet it is supposed to appear in a public Whois list. Why can't these details be retained securely and only be released to a complainant if there is a court order? A registrant's right to privacy should be established in principle throughout the industry.
Able Whisman states this statement is kindly read and posted on my behalf. I'd like to emphasize that it is spoken on my behalf and does not represent any constituency other than a general user congregation. I have been a member of the Whois task force and have a great many times addressed my concerns listed below to this task force; however, the industry representation on the task force prevented positive results from this participation.
I do, however, feel that the industry participation on the task force and the DGNSO present a clear problem with Whois and many arguments used are industry specific and have nothing to do with the major concerns of users of the Internet and domain owners all over the world.
Rules are, quote, unquote, bent to address the industry's concerns and solutions are looked for within the frame of a result for the respective industry concerned. Simple effective measures are overlooked for the greater good of serving the industry when it comes to Whois and Whois data mining.
The basic tool for the task force was a questionnaire that was somewhat unprofessionally constructed but whose results were, after some crunching, quite clear, the general domain owner was opposed to the display publicly of his data online, freely available. Arguments for the availability of Whois data were mainly focused on industry interests and law enforcement. Its main propagator, the IP constituency, claims the need for fast access to this data. Currently, the trend is to go to a tiered access -
Michael Roberts: I'm going to interrupt you. If you'd like to have your statement in the record, we'd be happy to take it but you're in about four minutes and counting.
Sotiris Sotiropoulos: Very well. It's just about done.
Michael Roberts: All right.
Sotiris Sotiropoulos: By even adding the probable need for deeper searches and more direct searches, search on domain name owner to see all the domains owned in one go for instance without looking into further invasion of privacy rules and laws and the development of those laws around the world.
I will cut it short there.
Michael Roberts: Thank you very much.
Sotiris Sotiropoulos: Thank you.
Milton Mueller: Milton Mueller, Syracuse University.
The only person who addressed it directly was Maneesha, and that is are we assuming a global solution when we may have to have a very heterogeneous local solution.
It seems to me that the assumption that seems to be prevalent, and I just want to raise this explicitly to find out whether this is an assumption, is that you think that ICANN can set policy for how Whois is structured and that that will be uniformly applied throughout the system, the domain name system, and then we will have all of these problems, these balances worked out.
Let me suggest that's not a realistic viewpoint. Number one, we have ccTLDs who already have heterogeneity in their Whois policies. Number two, we have differences in national laws, which must be adhered to, so maybe ICANN's contracts need to adjust to that heterogeneity rather than vice versa. And number three the question of individual choice I think needs to be raised. I think, in fact, there's a lot of consumers, individual consumers, noncommercial consumers, who don't care whether their Whois data is displayed and there may be people who do, and I don't see anything wrong with allowing heterogeneity in approaches to that.
So can we address whether you are assuming a global solution or not?
Michael Roberts: Do I have any brief -- Jeff.
Jeff Neuman: Just a brief comment, because we run a gTLD.
If possible, for that particular gTLD, I would like to have a global solution, because it's very difficult to operate a gTLD and have letters come from different countries and different citizens of different countries and having to comply with every single policy directive of every country of the world.
So if there is a way that this ICANN policy process could result in some sort of consensus solution that is accepted by many of the countries of the world, then that is something, as a gTLD operator, I would like to see.
Ross Rader: It's a really good point, Milton, and I think it's important that we look at building predictable frameworks that allow for local variances, whether they will be ccTLDs or gTLDs or with resellers, registrars, registries, or with noncommercials or commercials.
If we can't think more than six feet in front of us, then perhaps we do have a problem. But I think we can pull that off and get to that point where we've got a solution that takes into account what you're describing.
Henning Grote: I'm adding to that a more technical aspect.
Michael Roberts: Speak closer to the mic, Henning.
Henning Grote: I'll try to. Better?
A more technical aspect. Globally, when we develop a protocol that hopefully solves the necessities of all stakeholders, yes, I very much prefer a global solution. And this global solution on the protocol level has to have the ability to apply to local policies on the next level.
That's the main issue.
Michael Roberts: We're beginning to lose members of our panel so Roberto you're next, I hope very briefly.
Roberto Gaetano: Roberto Gaetano, I will keep within the two minutes, getting back to the old tradition of the house.
My first comment is an invitation to make a distinction between anonymity and public availability. That has been stressed by other people before.
Okay. Even if we get to the point in which the Whois information is not allowed to be anonymous or fake, that doesn't mean automatically we have to extend they have to be publicly available, especially in bulk mode.
The second thing is I would like to make an analogy with car registration. In almost every country, all the countries as far as I know, when you register a car, you have to provide complete and accurate information about yourself and just in case for law enforcement, because you might be fined and so on and so forth, or in case you have an accident. That doesn't mean that that information is publicly available.
Now, if, let's say, a multinational company wants to know how many cars they own and what colors they are and so on and so forth, I don't think that the best answer that we can give is to oblige every car registration authority in every country to provide bulk access to the data and allow this international company to download the database and to check whether there are cars that they own.
Yet yesterday, that's exactly what we have heard; you are unable to remember which are the domain names that are registered in your name. And so what are you going to do? You're going to get a query on the Whois in order to find out what you are unable to keep records in your place.
And then the second analogy, still with the car industry, if the car registration data will be publicly available, because some ICANN of cars has decided so, well, I, for some reason, would like to provide that information to be an anonymous of the ownership of a car because I'm going to use that car in a particular situation, so on and so forth. It doesn't mean necessarily it is unlawful.
Well, the answer is, well, actually, you don't really need to own a car if you don't want to provide, to disclose that information publicly, or what you have to do is not own a car at all.
That would seem not very good remark, yet from Steven Metalitz, that's what we have heard today. You are not obliged to have a domain name. You can have a happy life without.
Karl Auerbach: Yeah, I'm Karl Auerbach, and it's worth noting that today is the hundredth birthday of George Orwell. And I would suggest that were he in the audience today and heard these presentations, particularly from the representatives of the U.S. government, he might update the title of his book by 19 years to 2003.
We are hearing that personal civil rights which were established painfully and with a lot of blood are being overridden merely on convenience and on mere accusation.
The second point is the famous computer scientist John von Neumann says why be precise when you don't really know what you're talking about? Well, I'm hearing a lot of people who don't really know what they're talking about. There are multiple Whois databases. We are not being very clear about which one we're talking about.
Generally we talk about the DNS one, but when convenient, like when saying we're tracking down distributed denial of service attacks, we don't happen to mention the more useful database is the one maintained about IP addresses.
We have to be clear about what we're talking about. We have to be clear that registration in the IP addresses tend to be more reliable because they tend to be maintained by third parties in a delegation. Same is not true for DNS, and those who file the denial of service attacks at 3:00 in the morning are very well aware of this distinction and are well aware of the distinction in the quality of databases.
The third point, this is my last point, is a lot of us have talked about what amounts to verifying that a business is who they claim they are. ICANN should not be in the business -- or one of its jobs should not be issuing what amounts to a business license. States do that. There are companies that have established groups on the web such as TRUSTe, which are third parties that actually deal with vendors to set up credentials, and if we educated consumers to not do business with those who refuse to properly identify themselves, I claim that Ken Stubbs' problem would be solved.
Michael Roberts: Thank you. Next.
Ross Rader: Before Doug talks, I want to note for the record I was using Yahoo! as an example only.
Doug Barton: I was about to say my name is Doug Barton, and I'm here to speak for myself. My problem is a unique one because at different times in my life and sometimes during the same day, I am both a producer and consumer of Whois information. And recorder, for that matter.
So I'd like to quickly address my perspective from each of those elements.
And first, I'd like to acknowledge that Amadeu hit it right on the head. The real questions that we need to address are what information should the registrants be required to provide, where should that information be recorded, where should it be published, and who should have access to that published information. And trying to lump those four problems into something called Whois is only doomed to failure.
So let me quickly run through my different roles. First of all, as a private registrant, I publish my accurate information in the Whois because if there's a problem with any of my domain names, I want people to be able to contact me.
Secondly, as a commercial registrant, I do the same thing, and for the same reason.
However, I think Margie made a good point in that commercial entities have a higher threshold of providing accurate information, even though it places a tremendous burden on the registrars to determine what is commercial and what is noncommercial use.
Third, as someone who records registrant information, I can affirm with unquestionable certainty that this issue is of tremendous importance to my registrants. The fact that they have to provide information to us is sometimes troublesome to them. The fact that that information is subsequently published worldwide is a tremendous source of concern.
Third, as someone who needs to track down problems with troublesome domains and troublesome IP space, the one thing that I need is accurate knowledge of how to contact the registrant; not necessarily accurate knowledge of who the registrant is.
And finally, as someone who is concerned with intellectual property issues, I have exactly the same need in that realm as well.
So the conclusion that I've come to in analyzing the situation, and unfortunately, it's a wildly unpopular conclusion, is that ultimately, this burden falls on the registrars. The only thing I need, as a person who needs to contact registrants is to know how to contact them accurately. And so ultimately, other than in the case of commercial users, and once again, that's Margie's tar baby, but I would be satisfied with a mechanism by which I contact the registrar and let them know here's who I am, here's the problems I'm having, please contact your registrant, let them know about these problems, and if they would like to contact me, great; if they aren't interested in contacting me, I'm happy with that as well as long as they fix the problem.
Michael Roberts: Thank you. Any comment? Next person.
Mark Palermo: I'm Mark Palermo. I work for the American Society of Composers, Authors, and Publishers, but I'm not speaking on behalf of that organization.
That organization is concerned with the intellectual property rights of its members, most of whom are individual songwriters. And we're also, I think, concerned with the quality of cultural life and freedom of expression.
First of all, on the distinction between commercial and noncommercial, it's very difficult to make, obviously, and there are plenty of individual noncommercial pirates running web sites. Second, as to the issue of privacy, there are legitimate expectations of privacy, but I think we need to look at perhaps what tier of operation those apply to. A leaflet is one thing. My e-mail to somebody is one thing. But when you claim real estate on a global, public platform, I think the domain owner has a less legitimate claim that their privacy in that context is a basic human right.
There is no perfect system. No government legal system is perfect. I make no apology for the United States system. There's a lot of good stuff in there. And any solution that ICANN comes up with will be likely imperfect. Law enforcement alone is not the only legitimate purpose to have access to the Whois information. Any checks and balances need watch dogs. That includes human rights groups. They need access to Whois information. Investigative journalists need access to Whois information. The DNS run by a hate group ought to have publicly accessible Whois information.
Michael Roberts: Thank you.
Joe Alagna: My name is Joe Alagna.
I work for CentralNic although these are my personal views and may or may not reflect my company's opinion.
I think that privacy is and should be a right. Of course, in America, it's our right. And it should be around the world. However, I also think we always need to remember that registering a domain name is a voluntary act in any case.
I also think we need to remember that Whois data must be public in some capacity, with the exception of bulk access. The best solutions will come in the form of voluntary and possibly contractual industry agreements and rules.
And I think that there's just two things that are very important. Number one is full disclosure. I live in the United States, but I happened upon a cigarette box today here in Montreal, which I found amusing. It has "cigarettes are highly addictive" in about 5-point type on the top of the box. I know there are rules about contractual disclosure in real estate and all different industries.
I think that we should look at methods of distributing that disclosure via e-mail to administrative, technical, and, you know, whatever contacts are in the Whois database. And I think we should have some rules about the way we disclose that information about what you are doing is going to be in a worldwide public database.
And I just think that those individuals that register domain names and haven't done it every day need to understand that and if you balance it and let them know there are private proxy services that we certainly can build or many that exist today, I think the balance of those two provide some very effective private solutions.
So that's basically my comment. I thought that that was important to share.
Michael Roberts: Thank you very much.
Unless the panel has some final comments to make, we're going to turn the microphone over to Paul Twomey for some closing remarks.
Alan Davidson: I do think this notice point that a couple people made is totally critical, which is that people I think don't really have an understanding.
But that alone does not solve the problem.
I think the best way to make Whois work both for registrants and for those who want access to the information is to have a much clearer understanding of what the purposes of the database are, much better privacy and security rules so that people feel comfortable putting their information in there and there's totally a balance here available to us.
We're going to have to do a lot of work to make it thin and not get ICANN into too many things that are outside of its scope.
But there are middle-ground solutions that I think are reasonable for everybody.
Michael Roberts: Before Paul takes the mic, let me just say that the entire transcript of yesterday and today's sessions will be posted on the web site on the Whois page in about a week or so when it's ready.
Paul Twomey: Thanks, Mike.
If I could just say a few words in closing.
First of all, I'd like to say that I think the last two mornings have been a very good indication of the breadth of contribution across different constituencies in this part of the ICANN framework. And I think it's been a very valuable two days. I've certainly learned a lot, and I think other people have as well. And I'm often reminded of the story about the blind people looking at elephants that people often tell. This has been a very good example of people with different perspectives with the Whois issue sharing it with each other and learning new things.
I would like to particularly thank the panel members yesterday and today for their participation and their preparations. I very much appreciate that. I'd like particularly to thank the program committee who helped put together the session. And I can tell you that was not an easy task and it wasn't a nonlaborous task.
So I'd like to thank (inaudible) Marilyn Cade, Steve Crocker, Sabine Dolderer, (inaudible) George Papapavlou, Ray Plzak, Thomas Roessler, and I particularly would like to thank Michael Roberts, who, again, has shown his capacity to bring diverse views to a single point.
Where do we go from here? I think what we have achieved in these last two days is a very good discussion of an issue that's been around for some time. But we've discussed it in terms of what are the issues, what are the problems.
I am asking the chairs of the GNSO, the Governmental Advisory Committee, I'm also asking the IAB Liaison if they will come together with me and help plot out a program for joint meetings between their particular ongoing groups, the GAC as a working group, there's a working group, a steering group in the GNSO, if they'll come together and plot out a program of joint meetings with an aim towards two things: a prioritization of issues to be addressed or issues that need to be further explored, and a work program for the exploring of those issues together, with the aim that that would be done intersessionally, but we would have another report from that joint meeting framework in Carthage.
A further comment.
The focus has been on Whois generally, but particularly on gTLDs. With the following caveats.
If there is a ccNSO within ICANN and in that ccNSO and its leadership considers this to be within scope, I would like also to include the ccNSO leadership as part of the chair of the GAC, the GNSO, and the IAB liaison to come together on this joint meeting program.
But I leave that fully in the hands of the ccNSO or the proto-ccNSO if it's around.
My final observation is this: I think this is an interesting test not only on an important issue for ICANN; it's an interesting test for ICANN 2.0.
ICANN 2.0 had at the heart of a lot of what you said about the reform about ensuring that there was bottom-up policy development and that the people got to speak to each other and hear each other across the constituencies.
Part of what I think the staff needs to do to support you is, if you will, force you to talk to each other.
So one of the things as President I don't want to see, really, is these issues continue to be discussed purely in individual sustains or organization silos, because the result is that it ends up in the board's table in the request of some form of Solomon-like judgment, which I don't think is appropriate.
So therefore I really am exhorting the members of the different constituencies and supporting organizations to, as well as pursuing their own supporting organization initiatives, to really come together and see if we can get a joint meeting, a joint program developed between here and Carthage.
Vinton Cerf: We will be reconvening for the public forum again at 1:00.