[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Guidelines (and a note on ICANN itself)

Although there are legitimate issues involved with having one central
organization run the entire Internet - whether that organization is
ICANN or anything else - the fact remains that the DNS system does
require a root server for the domains somewhere.  While this
functionality can be better provided by a series of servers all acting
as the root, there must be some way to ensure that these servers all
point to the same name servers for any given domain (either directly or
indirectly).  ICANN is one way of ensuring this, and it appears to be
the one most likely to happen.

However, I think that ICANN could be improved by placing the Names
Council in charge of it (once the council is formed, of course), rather
than allowing ICANN to veto, or just plain ignore, anything the Names
Council recommends.  That would help to safeguard against abuses that
the Corporation as currently proposed, not responsible to anyone (with
the possible eventual exception of its majority shareholders), would be
tempted to try.  No matter how noble the intent of the Corporation's
initial members, the only known, practical, long term guard against the
greed of a few, is the wisdom of many.

This may seem to propose that the Names Council be made the ultimate
"government" of the Internet.  Such is not my proposal.  Given the
realities of the 'Net, the best government for most issues has proven to
be anarchy.  However, for those few issues where anarchy can not be
sustained - for instance, administration of the root DNS servers - the
next best alternative is an organization that fairly represents the
interests of all who are affected by the Internet.  The Names Council,
as currently proposed, has the potential to be such an organization, and
to keep that status over time.  ICANN itself does not, at least in the
long run, as explained in the previous paragraph.

With that in mind, here are my responses to the specific questions in
the guidelines:

1.  This is one way of doing things.  Given that it could work, I would
have to see viable alternatives in order to comment on whether it was
appropriate.  There is one problem: inter-TLD competition gives rise to
the possibility of malfunction, either through mistake or mischief, if
one or more TLD registry administrators attempt to deny access to a TLD.
I suggest that there be a meta-registry, not financially affiliated with
any registry or registrar, to ensure that all TLDs are available to all
users.  (For example: ICANN could be the meta-registry, and Network
Solutions a registry or registrar, only so long as none of ICANN's
executives, directors, or other people-in-charge work for Network
Solutions, and vice versa.)

2.  No, at least not in the same sense as registrars.  It would be
better to have registrars assume all accreditation responsibilities for
any resellers they care to authorize.  That way, if a reseller starts
acting against whatever interests the registry chooses to enforce, it
would be up to the registrar to deal with the reseller first.  If the
registrar fails to deal with the problem effectively, then the registrar
can be removed as if the registrar had been doing the disapproved act
itself.  (Thus, a registrar could not get away with covertly operating a
shell company as a reseller doing bad deeds, only to have the reseller
absorb any resulting penalties if the reseller continues to act despite
the registrar's publicized efforts to stop it.)  This would inherently
work to prevent the formation of large, monolithic registrars acting as
middlemen for resellers: such an organization would have to keep track
of too many resellers to police them all, and one bad reseller would
bring down the entire registrar.

3.  As used today, that is definitely a key issue.  I think I can safely
take it as obvious fact that the vast majority of Internet connections
today - Web, e-mail, and all other types - depend, at some stage, on
resolving the IP address of a human entered domain name via DNS.  The
continued infusion of the Internet into the lives of ordinary people, in
the sense that they do not know the Internet as thoroughly as the ones
who built it, will almost certainly increase this proportion (albeit not
by a high percent - say, from 99.99% to 99.9999%).  The 'Net can,
technically, function without DNS, but disruption of that system would
fundamentally disrupt the way the 'Net is used, at least for a short
while - and even a short disruption could cause major damage.
    That having been said, the prospect of user revolt if the system is
mismanaged is perhaps the most significant threat, given the current
public perception of ICANN.  As Alternic demonstrated, it only takes a
few technically knowledgeable, and sufficiently disgruntled, people to
disrupt the system.  Most of those who are upset with ICANN's current
plans are sufficiently knowledgeable to stage a highly public, and
highly disruptive, protest if they feel ICANN is unresponsive.  Although
such a protest is by no means certain in any case, changes (or - for the
short term only - publicly announced plans for changes) to ICANN's
governance, similar to those suggested at the top of this letter, will
reduce the chance of such a protest to practically zero.

4.  I think those would be sufficient - although the phrasing of this
question suggests that there may be a maximum limit on the number of
registrars.  In my opinion, such a limit should not be artificially

5.  No, and even these may be too many.  The further any human, or
group of humans, tries to legislate morality, the more ineffective and
inappropriate the rules become.  However, zero legislation is just as
bad as excess, in some cases.  I think the proposed list strikes a
reasonably fair balance...provided, of course, that the list can be
adjusted up or down as any flaws become evident in practice.

6.  At the start.  Registries that no one can connect to provide an even
bigger disservice than similar registrars, and any corrupt registries
are likely to fight tooth and nail - possibly to the point of inciting
revolt, as discussed in my answer to 3 - to be grandfathered in if
requirements they do not meet are introduced after they become
registries, thus allowing them to ignore such requirements (for as long
as they can get away with it, at least).

7.  Objective requirements are preferable to subjective ones, in this
case, since one can argue whether, say, "1 employee per 100 applications
per month" is appropriate based on data, unlike "sufficient
employees".  There does not seem to be much difference between "safe
harbors" and absolute minimums, except that "safe harbors" allows for
equivalents, which is desirable.  Also, keep in mind when updating these
requirements that not all registries and registrars will be commercial
entities.  For example, all volunteer non-profit organizations - for
instance, a community 'Net provider - have no employees, and thus could
never satisfy the employee requirement unless their volunteers counted
as employees.

8.  Although specified levels are a good idea - again, providing
objective criteria rather than subjective - $500,000 for everyone is
far, *FAR* too high.  Better to have the required insurance level based
on the number of customers a registrar has.  Estimating liability risks
is probably not a good idea: one could easily mis-estimate, and this
could easily be used as a tool to exclude competitors from certain parts
of the world by setting limits far above what the local economy can

9.  Again, a specific threshold would be preferable.  And, again, the
suggested level is *WAY* too high - it would cut off practically
everyone except the largest corporations and governments.  (This would
even prevent some smaller countries, with less capital to spare, from
being the registrars for their own domains - clearly not a desirable
scenario.)  Again, setting levels based on country is probably not a
good idea.  However, setting it based on business model is: one that
plans to sell to risky ventures should probably have more of a reserve
than a non-profit that only services long-standing "community pillar"
type organizations.

10.  Yes, although 3.c should probably be dropped since it could be
used as a harassment tool: to keep a competitor out, sue just before the
competitor's application goes in, on a trumped-up fraud charge.  This is
unfortunately common practice in other industries, but why leave an
opening for such abuse here?

11.  Yes.  However, considering that the vast majority of this reduction
would be the deterrence and rejection of fraudulent operators, I do not
see this as a problem.

12.  Yes...or, at least, the amount of confidence that is placed in said
process.  Outside agencies with established reputations would seem to be
the best bet for now, at least until after ICANN proves itself under the
new system (several years, at the least: worldwide trust, unlike
technology, does not yet move on Internet time).

13.  It should be handled by ICANN - or, at least, by the same agencies
that handle registry accreditation.  Trusting a company to create its
own competitors, without giving the company extreme incentives to create
such competitors, has never worked well in the past, and I see no reason
why this case would be any different.

14.  Mostly yes, although it would be more maintainable and extensible
to replace IV.7.a with, "The registry shall grant full access to the
registration data to all registrars, including its own registrar
operations, for the TLD(s) that the registry administers, within the
limits set by the rest of Section IV."  I highly doubt that merely
saying that, say, Network Solution's registrar operations would not have
unusual access to their registry operations will work, or be practically

15.  See 14.

16.  See 14.

17.  Yes, so long as the registrar and registry also have whois entries
(so, if fraudulent entries start appearing, the data can be traced
back).  You note that some data need not be submitted to the registry
if someone else operates the whois database, but you should probably
explicitly specify that that data be sent to the operator of the whois
database.  In fact, for clarity's sake, you may wish to split IV.3.a
into two items, one listing the data that must be sent to the registry
operator, and another listing the data that must be sent to the whois
operator.  (These data submissions could, of course, be sent as one
submission when the registry operator is the whois operator.)

18.  Monthly will do, for now.  Unfortunately, only experience is likely
to shed light on what is an appropriate period.  However, it seems
unlikely that this could pose an undue burden on any registrar.

19.  Probably not.  A limited set of "who are my active customers" makes
sense, but unlimited data backups have the potential to impose undue
data warehousing costs on registrars and ICANN...costs that actually
might exceed the benefit gained, in this case.

20.  Yes, absolutely.  That someone is registered is a public fact not
subject to ownership.  A compilation of, say, the administrative
addresses of a particular registrar's customers is a mailing list that,
if unscrupulous registrars are allowed to "own" and sell it, will be
used to facilitate unsolicited (and, worse, untargeted - no matter how
much anyone involved in the transaction wishes it were) commercial

21.  Whois data should be freely available to all.  Whois, unlike DNS,
is a service best governed by anarchy.  (In practice, when it matters,
whois data can always be compared across multiple servers.  For these
checks, it would help if ICANN's whois server was freely accessible to
all.  Fraudulent or ineffective whois databases will become known as
such, and not used.  This will likely take a form similar to the
Realtime Blackhole List.)  Of course, this means that whois data will
have to be limited to data not protected by privacy laws, but that
should be little problem for registrars that collect only the basic
whois data set.  (Also, ICANN should maintain, as part of its
meta-registry duties, a complete whois database that serves as a mirror
for each registry's whois server, and each registry should maintain a
complete whois database for its TLD, even if said registry is also a
registrar.  This would reduce concerns about registrar hoarding of whois
data, remove the necessity for a whois server at the registrar level,
and provide backups in case any registry or registrar is temporarily or
permanently disabled.)

22.  Network Solutions should not have any say over who gets to compete
with it and who does not.  That decision should be left completely up to
other agencies - for instance, ICANN.  The "shared registration system"
license proposal should be scrapped or altered, as it has no merit when
Network Solutions controls who gets the licenses (at least, no merit
compared to someone else giving the licenses).  Other than than, see 14.

23.  This seems appropriate for now, although this seems to be the most
probable candidate for revision as people find and invent loopholes in

24.  Yes, assuming the holder assumes responsibility for taking action
if the anonymous party refuses to do so when required.

25.  A number of law enforcement officials would disagree, but I say
yes.  Although they might argue that anonymity encourages crime, it
should be pointed out that in practically all cases, the holder can be
arrested if it refuses to relay law enforcement to whoever it is holding
for...assuming that the officials already have authority to go after
the anonymous party.  (No warrant, no address...but then, no warrant,
and the party could refuse to answer questions, take measures to
interfere with monitoring, et cetera.)

26.  No.  Any such requirements should be listed in these guidelines
directly; to do otherwise needlessly obfuscates matters.

27.  See 26.  ICANN (modified as suggested at the top of this letter)
would have a diverse enough view to set these standards.

28.  See 5.  The same problem applies here.

29.  Given my answer to 26, enforcement by ICANN (with loss of
accreditation as the punishment, and review by the Names Council) seems
logical...but only for breaches of conduct so gross that they
significantly threaten DNS as a whole.  (Some might complain about "one
size fits all" punishment, but this "government" should be kept simple.
There are a number of ways already in place to punish minor crimes of
conduct, most of them enforced by the miscreant's home government.
ICANN does not need to concern itself with these, and should not even
consider doing so: they are not ICANN's function.)

30.  No.  That should be up to the registrar.

31.  Yes.  There are too many to list here, but primarily, this would
render impossible any non-profit models that involve no exchange of
money at any point.  (Note that "non-profit model" and "business model"
are not mutually exclusive terms.)  Once a registrar has received (and
filed with its registry and ICANN) all necessary data for a SLD, it
should be free to activate the SLD immediately if desired.

32.  No.  To limit it to a length of time invites decay of reliability
once that time elapses.

33.  Depends.  As stated, it would probably be best to wait for the
final WIPO report before considering the recommendations.  Even then,
keep in mind that they are only recommendations.

34.  These seem a bit high, but tolerable, especially the testbed fees
(considering that they are explicitly intended to test the system, and
thus place a greater strain on ICANN's resources).

35.  No, especially not at this level.  Even the non-profits that give
away SLDs should be able to put up with a nominal fee - and $1 per SLD
per year is rather nominal.

36.  Absolutely.  There are fixed costs associated with each
accreditation, but the registrars that handle the most applications
(which will almost definitely be the ones making the most money) will
use ICANN's resources more than a registrar that only handles less than
10 SLDs.

37.  Again, these fees seem a bit high, but tolerable.  (Since this fee
forms the initial entry barrier along with the application fee, keeping
the two of them combined to under $5000 - or, at least, viewing them as
a combined fee when setting them - would be advisable.)  Adjusting the
level based on country would seem to invite trouble - see 8.

38.  No, SLD registration-years seems to be a fair judge for this
portion of the fees.  What else would be a variable in ICANN's per-
registrar costs?

39.  Not under the current scheme.  Again, those who give a lot of SLDs
out are likely to make some profit per SLD (even non-profits would gain
fame and trust, which can be used to commercial gain), so why not ask
them for a cut of the take?  Caps would only seem to benefit huge
registrars, with thousands or millions of SLDs, at the expense of
smaller ones - which would discourage competition.

40.  They are specific enough.  The section about protecting third
parties should be dropped: it is not ICANN's business to protect third
parties.  ICANN exists solely for the Internet's sake.  Other
organizations - primarily governments - already exist to protect third
parties; they can force the offender to cease operating as a registrar
if they so choose.

41.  Not at the present time.  Some may be added if and when more paths
objectionable practices are found in practice, but for now, these
criteria will suffice.

42.  Yes - provided that the fifteen days is measured from when the
registrar receives notice.  (Otherwise, one possible abuse is to send
notice via a courier - say, the U.S. Post Office - that may take fifteen
days or more to arrive.)

43.  No.  Any practice "obviously" not worthy of arbitration can and
should be deemed as such only by the arbitrator.

44.  The United Nations would seem an appropriate venue here.  It can
impose jurisdiction on many parts of the world.  On the other hand, a
misbehaving registrar based in some nation opposed to the U.S.A. (for
instance, at the time of this writing, Iraq) would be unlikely to
recognize the jurisdiction of a Los Angeles court.

45.  No, especially if registrars already accredited must pass the
new standards as well.  (This should not be used as an excuse to require
new accreditation fees, however...or, if it is, then no more than once
per year, especially considering the already high accreditation fees.)

46.  Yes, on any grounds the complaining party chooses to dispute on.
(Assuming, of course, that said party pays all costs of arbitration if
their claim is found to be without merit by the arbitrator.)

47.  No.  Non-discriminating registrars, unless somehow prevented from
forming, will naturally attract the business of anyone discriminated
against by their current registrar.

48.  No.  Anyone looking for such can merely ignore any registrar that
does not offer it.

49.  No.  This is a test.  Anyone who is more interested in profit than
in making sure the system works well can wait until the test is done,
just as if the test never existed.

50.  Yes.  See 49.

51.  The listed secondary criteria seem adequate for this purpose.

Thank you for reading these comments, but please keep in mind that these
answers were given under the assumption that ICANN submits to the
governance of a representative organization, such as the Names Council.
ICANN, in its current form, can not maintain the public trust forever;
when it accumulates enough mistakes, there will be user protest, and
ultimately revolt.  That would disrupt the stability of DNS, and thus
the Internet.  Maintaining these stabilities is ICANN's purpose.
Therefore, failure of ICANN to convert as recommended constitutes
failure to do the job it was created for.  (Just because ICANN is a
corporation, and thus must be concerned with funding itself, does not
mean that it needs to be run by an organization ultimately accountable
only to ICANN itself.)