ICANN Public Forum in Bucharest Real-Time Captioning
28 June 2002 - Early-Morning Session on Whois
Note: The following is the output of the real-time captioning taken during the early-morning session of the ICANN Public Forum on Whois, held 28 June 2002 in Bucharest, Romania. Although the captioning output is largely accurate, in some cases it is incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
ICANN Public Forum
Bucharest, Romania
Friday, 28 June 2002
Early-Morning Session on Whois
Andrew McLaughlin Introduction
Karen Elizaga .name Whois Status and Proposals
>>Vinton Cerf: Okay. Are we ready to come to order? It's 7:30, and we have a lot to do today to get done by 1:00.
All right. So I’d like to call the meeting to order and begin with a presentation on Whois. And I’d like to call on Andrew McLaughlin to make that presentation.
>>Andrew McLaughlin: Thanks, Vint. Good morning.
We've got a four-part presentation this morning. I’m going to start off. We are going to be addressing the question of Whois, Whois data in the DNS. After my short introduction, we're going to look at two case studies, first from the dot name registry, about its efforts to craft the registry Whois policy. Then we'll hear from a registrant that happens to be the OECD, hear about a recent experience they had grappling with inaccurate data. Then we're going to hear from the DNSO's Whois task force, Marilyn, Tony, and Steve Metalitz, who are going to talk to their recommendations of their task force.
For the board, this is really a kind of a prelude to what we think will be serious attention in Shanghai to the Whois issue, addressing Whois in a systematic way is something that ICANN has had on its policy plate for a while. The reform effort has slowed us down a bit, but we're still on track to get something done in Shanghai. A Whois overview. One of the things which is evident is that Whois data, and I’ll assume everybody knows what we're talking about, this is contact data for domain registrations. It also includes contact information for IP address registrations.
It's a somewhat separate topic. But we'll be touching I’ll touch on it briefly. Anyway, Whois Whois implicates a pretty complex matrix of interests. This is a what I have on the screen now is a very nonexhaustive but illustrative chart of different people with interests in Whois and what they say their interests might be.
You always have to start with the network operators, since the Whois data was developed originally as a way for operators to relatively quickly and easily find out who is running a particular host on the Internet. If it was doing bad things, you need to be able to track it down. A good example of this in recent days is in cases of distributed denial of service attacks, it can be extremely useful to be able to find out who is responsible for the slave machines that are inadvertently running the attack software. Whois allows you to identify where the packets might be coming from and then figure out who the registrant is and then get in contact with them, or at least to get in contact with their upstream provider.
We we also have to focus on law enforcement. At every juncture that Whois has been talked about, law enforcement agencies have made clear that Whois information gives them very useful a very useful ability to track down the people who are doing illegal things on the Internet.
Of course, they very often encounter spoofed data. Whois data doesn't always help you, but it's one of the first services that they turn to. In the case of child pornography, for example, they say that they very regularly can find at least some information about the responsible machines on the Internet.
They'll also say that it's just simply more timely and efficient to have a public database rather than having to go through some kind of private system. Consumer protection agencies make fairly similar use. Indeed, they say it's often helpful simply to find out the country that the machine's registrations, given machine's registrations are with so they can make a referral in the given case to a relevant agency within the country.
Quite a different interest, we can say, is held by what you might call dissident speakers. In other words, people who want use the Internet for some kind of unsanctioned or unpopular speech, their interest is in not disclosing their identity to repressive government. Or not to put themselves in they would say their interest is in nondisclosure of their data.
Consumers, we think very often, want to verify the identity of a web site operator. There's an interest in transparency. If somebody is trying to do a commercial service on the Internet, it may be useful to find out if the Whois data conforms with what they say they are, who they say they are.
Registrants at the same time have an interest in privacy, in avoiding being spammed. One of the big problems, of course, in the world we live in is that unsolicited commercial communications can very often be targeted by using Whois data. On the other hand, registrants can use Whois data to easily check things like their domain registration date, the status of the the domain, and to find out what whether their information is current and updated and accurate.
Trademark and copyright owners use it as sort of private law enforcers to identify cyber squatters, identify pirates of intellectual property. A good example of that is the US digital millennium copyright act provides a notice and take-down procedure in order to enforce notice and take-down for illegal content on the Internet, you have to know who to send your notice to.
And, finally, some certificate authorities have noted that the Whois data is quite useful and would be even more useful if it was accurate, in order to issue digital certificates.
So, Whois implementations at the registry level generally come in the thick or thin variety. .com, .net and .org are thin, which is to say they have a two-level Whois, which is to say the registry points to you the registrar, and the registrar, in a distributed sense, provides the contact information for each registrant. A contrasting model is the thick registry in which the the thick Whois in which the registry provider provides the whole kit and caboodle of information.
So these are five themes that you should be thing about between now and Shanghai:
The first one is the accuracy of the data. In other words, what degree of verification is required, and by whom. The consequences for the provision of inaccurate data, both for the registrant and perhaps for whoever is supposed to be verifying, such as a registrar. There are willful inaccuracies, there are also inadvertent inaccuracies. It may sometimes be hard to tell the difference. The final consequence can range from nothing to the loss of the registration and the deletion of the domain.
So theme number two would be access to the data. In other words, is it provided, as we usually say, free to the public in realtime or in some other fashion other than realtime, online access, and perhaps other than for free. In general, in .com, .net, and .org and the other gTLDs, port 43 Whois access is required. Only, I think, about 85 or so of the ccTLDs provide such a service. There are very often and in the case of the ICANN-accredited registries, they are required to be web-based accesses a web-based mechanism for access to the database as well. A critical point is third-party bulk access. We have said that is an important way that no single registrar could lock up all of its data. But, of course, the registrars are unhappy about having to give their customer data, essentially, to their competitors, because we provide in .com, .net, and .org, for example, a flat third-party bulk access provision, which does not differentiate between a requester. As long as you pay for it, you can get access to it. And a number of online search services, for example, for intellectual property or law enforcement agencies, say that they'd like to be able to get the entire body of data to provide for paying customers much more robust research services. So the access questions are really about restrictions. Do you restrict by two classes of people or according to the purposes for which you seek the access?
Theme number three is the difference between gTLDs and ccTLDs, very common ICANN problem. Or issue, anyway. We don't have any real research into ccTLDs on Whois issues. And in gTLDs, very much so. The degree of harmonization depends upon the degree at which the degree to which ICANN is the relevant policymaker for ccTLDs on that issue.
Finally, data privacy legislation. We'll hear from dot name about that issue. And the question for ICANN one of the questions for ICANN is registrar compliance and sanctions for noncompliance.
Right now, really, our only sanction for a noncomplying registrar is the loss of their accreditation. And that's a fairly severe sanction. I would say, if I can generalize from the ICANN staff's experience, registrars very often will come into compliance when we get in touch with them, even more than very often, I would say, consistently. But we don't always hear about the problems. And and know that they're taking place.
Looking to the future, as you all may remember, one of the elements of the VeriSign contract is a requirement that they undertake research into a universal Whois service. And they've held a number of consultations. And you can see the notes on those consultations at uwho.verisignlabs.com. They've got a draft available on March 1st which has a terrific amount of information about the different options for Whois and suggestions on how to go forward. It's, you know, the kind of document that would be an RFC across all registries.
And the you know, big question for the future is what you know, whether there is a har- whether it's possible to harmonize the Whois data fields across gTLDs and ccTLDs. Another big question is whether to shift away from the current port 43 Whois services to something using xml schema, just about any Internet techie will tell you that's a vastly preferable way to do it in the year 2002. But some work would have to be done before it could be implemented.
Finally, one thing not to forget is the question of IP address registration Whois. In other words, starting from an IP address, can you figure out a responsible party for the network that that machine is on? For example, ARIN uses the rWhois protocol, which is the referral, it allows the Whois service to work its way down the hierarchy until it reaches a reasonable conclusion. This is really an RIS/ASO issue. They've been talking about whether or not they need to be more aggressive about mandating the inclusion of Whois data, the provision of Whois data by IP address registrants. At this point, it's quite easy to track down the RIR member, and in some cases, you can get another level or two below that. But it's not always possible to get to a relevant network level if you have a really problem.
So with that, I’m going to turn the microphone over to Karen Elizaga from the dot name registry.
>>Karen Elizaga: good morning. Thank you, Andrew.
Thank you all for getting up a little bit earlier this morning to give me the opportunity to talk about dot name Whois.
What I’m going to talk to you about this morning is the various issues and considerations that we faced as a new registry setting up a new Whois structure. I’ll tell what you we came up with. Then I’ll talk to you about what we've learned since launch. We launched our registry in December of last year and have learned quite a bit about the way Whois is used and the concerns that our constituents, our registrants, have about the current Whois structure.
And then we'll talk about the new ideas that we have come up with and would like to think about going forward.
Setting up a new registry, clearly there are various, many issues, many of them diametrically opposed. First and foremost, for in particular, for our name space, is privacy protection. We believe that for a personal name space, there's slightly different concerns. There's a different consideration when you're talking about individual information as opposed to the information of, for example, a company or a large organization.
And you have the issue of data mining. None of us, none of the registries, clearly, wants our Whois information to be mined by marketers or other companies. We also thought about technological measures that we could use and implement in order to prevent abuse. For example, we've implemented a tar-pitting system that slows the access to results down if we find that someone is trying to mine our database. Then we thought about the accountability of searchers. If we make them accountable for their actions on Whois, can we prevent abuse? And we do think we can. Or at least deter abuse.
Aand, finally, most important for any of our registries, I think, is the accuracy of Whois data. If data's not accurate, what's the use? So the bottom line is, we, in thinking about all of these issues, we wanted to balance the legitimate issue legitimate needs of Whois users with the privacy of our individual registrants.
So what did we come up with? The current structure of Whois is slightly different from the traditional Whois structure. We came up with a system that gives you four different levels of Whois: summary, standard, detailed, and extensive.
Our summary results simply gives you the least amount of information. It basically tells you does a dot name exist. Standard results, you get a little bit more information, but you don't get any personal information. You get i.d. codes that map to the information that is actually in the database. Registrar code register ID, technical ID, as well as the creation and expiration date of a dot name.
Then you have detailed results, which is considered to be our public Whois. Anyone can access it, and there's no real limitation on getting the information. Here you have the what is considered the more traditional Whois, which is registrant, admin, tech, and billing information. But the unique thing about the dot name structure is you don't get registrant e-mail or phone number.
However, in the next layer, you do get this information. You get the very traditional you get the very traditional Whois information, including registrant and e-mail information, as well as a list of other domains that are held by a particular registrant.
The unique thing about this layer of Whois is that you actually get this information by e-mail. What we do is we ask the requester, instead of the requester getting it right there, right then through the database, the requester is asked to provide name, address, an e-mail address, so that we know who's asking for this information, because the information is slightly more sensitive. and, finally, the requester gets the information by e-mail. Which is generated almost almost instantaneously.
So we've learned a few things after implementing our registry and the Whois system. We found that Whois is actually not consistent, we don't believe, with the name space that is used by individuals for personal expression. In particular, unlike a company or a large organization, the domain name registrant in dot name is largely and is meant to be an individual. So there's really only one point of contact. And we've also found that there is continued and increasing expressions of concern about privacy, both by data subjects and lawmakers globally.
So what do we want to do with this information? Well, our goal here is to protect personal privacy and enhance the protection of personal privacy without compromising the ready availability of high-quality, meaning accurate, Whois data for those with legitimate needs. So we have some ideas that we're kind of examining right now. One is that we want to enhance the accountability of searchers. We want to learn more about what these searchers are using Whois for. So we think that a good way of doing this is actually getting searchers to articulate a purpose for which they're using our Whois data.
We also want to consider creating a trail for casual users through a payment mechanism. We're not looking at this as a revenue-generating mechanism, but, rather, a way to ensure that a casual user is truly intent on using this Whois information for a legitimate purpose. For example, if we decide that we're going to charge $1 or $2 for a Whois search, it would likely discourage marketers from searching 100,000 or 200,000 names on our database. It would also discourage a criminal from using Whois as a way to find out information on a target stalk a stalking target, because we believe that this criminal will think twice about leaving a trail by credit card.
We also want to facilitate the appropriate use of Whois. Password access for regular users would be available. We would also implement an e-mail user interface if someone did not want to have to get access to a password. We'd like to tailor the information return to specific and legitimate needs of searchers rather than providing them with excessive information. We want to give them exactly what they want rather than more than they need.
Then we would consider 24 by 7 technical support by phone and e-mail in the event of emergencies, such as a denial of service, to make sure that if people can't get the Whois information in a particular structure, they can get it directly through our support team.
We want to make data mining less attractive. And we can do this in a couple of ways. One is requiring searchers to enter into contracts with us that articulate the purpose for which they use Whois. And we'd like to think about imposing speed bumps, technical and financial speed bumps, meaning we would enhance the existing tar-pitting system by adding other other facets to our Whois system. And as I talked about, you know, financial speed bumps to discourage misuse of who is. Finally we'd like to see about increasing accuracy of our data. And we believe that through enhanced privacy of the data, that is one step to getting to increased accuracy.
Thank you.
>>Vinton Cerf: There are some questions.
>>Karen Elizaga: I’m sorry.
>>Vinton Cerf: Andy.
>>Andy Mueller-Maguhn: I just wanted to point out that you can even save your 24/7 service because denial of service attack cannot be by an e-mail address, it has to be based by a computer using an IP number.
So denial of service is not possible by an e-mail address. So that's bullshit. Excuse me. That's technically....
>>Karen Elizaga: Okay. Well, that's something that
>>Vinton Cerf: The chair apologizes.
>>Andy Mueller-Maguhn: Instead of bullshit, it's technically not possible.
>>Vinton Cerf: The chair apologizes for the crude language of his fellow Board member.
Thank you, Andy.
I do have a question, also.
And I see Amadeu has. You mentioned ID's in the I think it was the standard.
>>Karen Elizaga: Uh-huh, correct.
>>Vinton Cerf: response. Are those identifiers assigned globally or they isn't by dot name?
>>Karen Elizaga: They're internal codes for us, yes.
>>Vinton Cerf: Thank you. Amadeu.
>>Amadeu Abril i Abril: Thanks, Karen. Regarding the mechanism were you mentioning for protecting some relevant personal data of the registrant, I haven't seen, or perhaps I misunderstood, the possible use of (inaudible) for contacts. the (inaudible) the registry itself, the registrar, or third parties that simply have the duty to contact the registrar in case there's a third-party request regarding either law enforcement or (inaudible) content or whatever. But someone who can put the data there, but having the obligation to finding the registrant individual request.
>>Karen Elizaga: We've certainly thought about that, and that's something we could implement, but I think, actually, that adds quite a bit of difficulty for a lot of different parties.
First is for the registrant. That's actually quite expensive. We've looked into various companies that offer that service, and I’m not sure that if a registrant really truly wants to be anonymous, I think they can do that by enlisting the services of that kind of a third-party provider.
But it does add a layer of difficulty for people to get to that information with legitimate purposes. For example, you know, if someone is has a law enforcement issue, law enforcement can't get to that information in an expedient manner. So certainly that's something we can consider, but i just think it adds a bit of difficulty there.
>>Andy Mueller-Maguhn: Just, I raise a question, do you have a mechanism to ensure that it's really law enforcement or not someone just who claims to be that? So how do you assure abuse of that kind of interface?
>>Karen Elizaga: You're talking about the third-party interface or –
>>Andy Mueller-Maguhn: Mm-hmm.
>>Karen Elizaga: Current? We haven't implemented a third-party service. In other words, we never stand a proxy for anyone because of the liability issues. And so that's an issue for the third-party provider.
>>Vinton Cerf: Amadeu.
>>Amadeu Abril i Abril: Very short question, Karen. How do the trail of those requesting by these short e-mail form access to Whois data, if you do? And the second question is do you provide to registrars information regarding who has asked for Whois data?
>>Karen Elizaga: Yes. The information is in our database. I don't know at what time we purge it, and I don't think we actually thought about that in our very young existence.
We do not tell people if that their information has been searched through the extensive system. And that's because of, again, issues of if there is an investigation of someone, we don't want to be compromising any sort of legal investigation.
>>Vinton Cerf: Okay. Thank you very much, Karen.
>>Karen Elizaga: Thank you.
>>Andrew McLaughlin: Next up, we have David Small who is legal counsel at the OECD but really is appearing in a capacity as registrant who has a well-documented set of experiences with the Whois system.
>>David Small: Thank you, Andy.
Thank you for the board giving me this opportunity to present the experience. Let me say for me to understand this experience, I think you should appreciate that the OECD did not deal with this problem through the part of the OECD that knows ICANN and knows Internet. We approached this registrant experience authentically through somebody, myself, whose only familiarity with Internet is that I occasionally used it. And so it's a very authentic experience, and the experiences I had, the learning curve I went through is somebody who has no membership in this very specialized community.
The OECD is a public international organization. We do work in very many public policy fields. And over the last six years, we have developed our web site as a major outreach tool, it's a major research too many for academics, for journalists, for policymakers in a variety of fields: environment, economics, education, health. We've invested heavily in the site. It's become very successful. We have two domain names that give access to it because we have two official languages, and so we have our English language acronym, OECD, and we have our French acronym, OCDE.
On December 17, we were part of the organization was surprised to receive information from the catholic university, someone to clicked on the link and got an offering of pornography. The web people came to the legal office to see what we could do about it and that's when our adventure began. We looked up they told me about Whois, and we looked up Whois and we found out that some outfit called "domain for sale" in armenia, with an e-mail address elazy.com had this name; they had had it for a few days. It had an administrative and technical contact, Mr. Philip O'Neill, whose listed address was with the American Institute of Architects on New York avenue in Washington, DC and had a phone number and a fax. And I thought, my goodness, his institution is going to be very unhappy that somebody there is using his office, phone and fax to run a scam. So I picked up the phone and called the number, and i got a voice mail which identified Mr. O'Neill as the network and information resources manager of the American Institute of Architects and he would be away until January 3rd.
Before I could reach Mr. O'Neill, I did some surfing of the web and I found out there were a lot of victims of this particular scam whose stories were on the web. This is a notorious I found I was dealing with a notorious cybersquatter who buys up web sites, loads them with pornography and offers to sell them. He had victimized a variety of children's web sites, the Hewlett-Packard, the ESPN Network, Professional Association of Chemists, the Catholic Archdiocese of Brooklyn. We were not alone.
On January 3rd, I had my ITN, my network colleague come to my office and we made a call to Washington and I very politely introduced myself to Mr. O'Neill as from OECD and he was obviously perplexed as to why we would be calling and I said it's about my web site. He said "oh, no, let me get my general counsel on the phone." He said first let me thank you for being polite to me. You're the fifth victim to call me in recent weeks. They usually start screaming. We were victimized by these same people. We could not wait several months to get our domain name back and we paid $3,000 to get it back right away. Since then, these people who have a sense of humor started listing Mr. O'Neill as their administrative and technical contact on new registrations. Well, having discovered all this, I said, my goodness, something is really out of whack. let me call the registrar.
First of all, we had tried to deal with our own registrar, which was VeriSign, and we put a paper out, which is available to ICANN, it's on the web as well, which details all of this. And our registrar simply dealt with us very defensively in terms of demonstrating that the mistake which led to deregistration was our responsibility.
So I turned to the registrar for the domain for sale because I had somebody involved in a fraud, widespread fraud, notorious, and who had put in information which was blatantly false, willfully false, malicious. It was a prank, hurting the reputation of an institution and of a responsible person at that institution. When I got a customer service person at NameScout, and he explained to me very sincerely, very nicely that unless my name had been lost by a hacker hacking my account and stealing my name, my domain name, there was nothing I could do, I should really turn to VeriSign.
Well, I’m an inquisitive person so I looked up their terms of service agreement on the web and I quickly found this was simply not true. There were several provisions in this contract which could be used. One is that they could, within the first 30 days, terminate the registration for any reason whatsoever. Secondly, they could terminate if there services were being used for any purpose which they deemed to be improper. Three, they could terminate willfully for false information. Fourth they could terminate if, on a request for update or correction, this was not done within 15 days. These are independent grounds.
So I called him back and said I think you got it wrong. There are a number of grounds you could use if you wanted to. And he said, "I’m sorry, you'll have to put your complaint in writing and send it to our administrative office." I said can you give me the name of a person to talk with? He said no. You have to write this.
So I spent a couple of hours writing a message, careful message, and I sent it to admin at NameScout, and I got the name of a person at a different address, something called Momentous which I gather is one of the companies of Mr. Hall. And I began a discussion with this person who asserted that the only thing they could do is notify the registrant that there had been a complaint and give them an opportunity to correct or update the information and if they didn't do it within 15 days of course it would be the registration would be terminated, but they couldn't give it back to me. It would have to go into the pool and I would have to take my chances. I said I argued. I said this is but this is willfully false information, and she said I’m sorry, it doesn't matter. Willfully false information, any information complaint, it must be treated by giving them an opportunity to correct.
This, by the way, later, their lawyers changed their view on that, but it was a long time in coming for them to change that view. So they sent a request for change of information. I said whom are you going to send it to? They said we're going to send it to the administrative contact. I said, okay, that's fine. The administrative contact, Mr. O'Neill and his general counsel had offered to help me in any way they could.
They did send it to the administrative contact, and the administrative contact sent a message back, which they cleared with me before they sent it, which said, "this information is not accurate. We don't know who these people are, we have no idea who they are."
I thought, at this point, I was going to have my name back very quickly, and in fact I told my public affairs people that's what would happen. I was very confident. I had also looked up Mr. Hall's c.v. on the web and I thought I was dealing with somebody who had an interest in the Internet functioning well, and I thought the company would, once they were looking at this in a reasonable way, take reasonable action.
The day and I was, at this point, in discussion with lawyers for the company. The day the information came back from the administrative contact that it was wrong, also somebody at somebody at the e-mail address, admin@elazy.com had changed the Whois information. The change in Whois information is to replace all reference to Mr. O'Neill with the following information: domain name for sale, address the same, address for contact, domain for sale, technical contact, domain for sale. Position of the contact, present.
So the correction of the information was that the registrant domain for sale had an administrative contact named domain for sale who occupied the position of domain for sale. NameScout said there is no question now of terminating this registration because the registrant has corrected his Whois filing.
I was flabbergasted. I said this is false on the face of it. How can you do this? I’m sorry. Then I said your correct also says that you can terminate if you deem your services to be used for an improper service. They said yes. I said why don't you do that. They said we doesn't know it's an improper purpose.
I said please explain to me. Do you consider pornographic cybersquatting extortion to be an improper purpose or not? They said oh, well, mmm, well, yes, I guess we consider that improper. I said then what is the problem? They said we doesn't know that's what they're doing. I said do you have a computer available to you? Let me give you, again, the domain name. Why don't you log on and the thing speaks for itself. You get the first screen and you know what it is. You've got an offer of pornographic services, and you get an opportunity to click on another section of the screen if you're interested in buying the site. It also tells you what the minimum price is that they would consider it. They said oh, I’m sorry, you understand, we as a registrar, have no responsibility for the content of sites, and, therefore, we cannot look at this.
I said then what is a proper use of your service? You can't look at this? "No, we can't look at this." Okay.
Well, I was pretty amazed and I guess they were feeling a little bit guilty and they said, "Look, if you can come up with some other inaccuracy I’m go back to the client and see if they'll be willing to terminate." So I called the phone number and the phone number didn't work, and I came back to them with that and they said okay, my client has now said that they will terminate for the material breach of having an improper phone number provided you do three things: you agree to hold my client to indemnify him for his legal costs to date, which is by the way still (inaudible) for a couple of weeks at great cost to me and my organization, that you agree to hold us harmless from a breach of contract suit, which I said no problem.
I have no concern that these people are going to come crawling out from under their rock to sue you or anyone, I’ll do that but not first. What's the third?
They said my client has 113 registrations currently from this registrant, and would be concerned that that business would be taken elsewhere. So if we're going to do this by the way "doing this," is meeting their obligations under the accreditation agreement we would like you to hold us harmless to up to two years' loss of business. I said no way. No way. No way. I’m sorry.
>>Vinton Cerf: Excuse me. I’m struggling a little bit with the clock, I want to confess I’m utterly fascinated by this whole story but I’m concerned.
>>David Small: This story is written so you can read it. I went through this. Ultimately, I since they were not they went through two or three corrected update procedures. I hired an attorney in Armenia who got affidavits from the government that there was no such business at this address.
I sent them in. Their lawyer said that doesn't prove anything, that doesn't prove that some people living at that address aren't doing business as a domain for sale. I said that wouldn't prove that wouldn't establish you have a contract with domain for sale. They're a fiction. They refused to lift a finger to take reasonable steps to investigate. They put all the burden on me. They did not assess or show any willingness to assess the evidence I put under their nose. And if it hadn't been for the fact that finally the cybersquatter got tired of changing his filing, and offered to give it back to me free, which he did, and I took it, this would have still gone on.
Now, i came out of this very convinced that the problem is the solution for this problem and for a lot of the concerns, I think, that not only registrants but even law enforcement and other officials have is already there in the structure. You have an accreditation agreement, registrar accreditation agreement system that contains standard, it could be perfected but it's reasonably clear if they were interpreted and applied in good faith, and if registrars understood that there was some business risk to them and their business license in failing to do that, the problem would go away.
I had a conversation this is yesterday when I spoke and Mr. Hall spoke. We met each other for the first time and had a conversation later, and it's easy, once we had human contact, to agree fairly quickly on what could be done. His attitude at the beginning of the conversation was that they can't they had no absolute proof of these various things and they can't make these judgments, and it's up to me, the registrant, to have done this. I said no, it's not, that's not what the contract structure is. And I said I have to go and hire a lawyer in Armenia to get an affidavit. You didn't appreciate even that evidence. You have the contractual right to simply request the named registrant to provide evidence. And that's all you had to do.
When I asked you, when I came to you with a complaint, you should have gone and said, "Please confirm the correct and provide evidence of your address, your existence as a legal person," so forth. I said you apply for a credit card, you have to give some evidence. They could give a utility bill to show that they're at this address, they're a company, there are privacy issues.
This is what needs to be done. Interpretation, enforcement, responsibility accepted by the registrar.
>>Vinton Cerf: Thank you very, very much. I’m sorry you couldn't be go on further, but this was a serve example of why we need to do something.
>>David Small: Could I just say two things. One, the paper is available online on the OECD site, but the secretariat has it. Secondly, the secretary general of the OECD has recently sent a letter to ICANN which raises this issue and calls upon ICANN to take advantage of the opportunity and to meet its responsibility as a registrar accrediting agency to see that the many the several registrars who now have over 2500 registrations from this cybersquatter clean up their roles and if they don't, it could lead to the termination of their registration.
>>Vinton Cerf: Thank you.
>>Andrew McLaughlin: Next up is Marilyn Cade, Tony Harris, and Steven Metalitz.
While she's coming up we received one online comment. It's from a physician in Nigeria, the offer is for 1.25 million. I just want to note that this is an e-mail address that went up yesterday.
>>Stuart Lynn: That would solve our budget problems.
>>Vinton Cerf: Actually, ask him to increase the amount by the factor of a thousand and I’ll talk to him. (Laughter.) It will be fun to see what other offers come in.
>>Marilyn Cade: Let me start while I bring my computer back up here by doing a couple of introductions. I believe that the Board, and I know many of the folks in the audience, had an opportunity to see the Powerpoint presentation that we put together summarizes the status for our task force. I just want to introduce my co-chair, Tony Harris, who is here.
>>Tony Harris: Good morning.
>>Marilyn Cade: And the members of the task force, Steve Metalitz, Ram Mohan, and Karen Elizaga, who are here. We're going to just go quickly into discussing our findings but I would like to note a couple of key points that the task force is charged with examining whether it is time to change the policy on Whois.
Based on the data so far and the survey results, I think you're going to get a preview of what you should expect to see in the final recommendation. So we're giving you we're publishing the final report, it's out on the web, we'll be making the data available for other people to look at.
The data is anonymous so that it can be shared very widely and others will be able to examine what it says as well. And then we'll be publishing in more detail an elaboration on the recommendations that you're going to see.
Coming across pretty clearly is a significant, significant concern about the accuracy area, and the marketing of data, resale of data, and the various uses that the bulk access is put to. You're going to see that as we go through our recommendations.
And for any of you who are interested in more detail, we'll be more than happy to take you through our 88-page report in glowing detail.
First of all, I said this before, and I really want to reiterate this phrase. The task force finds and will continue to reiterate that Whois is a critical resource for all users, regardless of the category that you are using Whois for, it's very highly valued by the user.
Secondly, the current consensus supports the data elements, the query access, and nonmarketing uses of the data.
There is very strong support for uniformity, consistency, accuracy, restoring searchability across the entire database of Whois, across the various registrars, so that a user can have a portal which takes them to multiple places just to search for Whois data.
There's a very strong concern, as I said, for marketing uses, bulk data, and a mixed review for third-party services. I seem to be excuse me.
I’m going to turn the presentation to Steven Metalitz to talk about our first finding.
>>Steven Metalitz: thank you very much.
I’m Steve Metalitz representing the intellectual property constituency on this task force, and briefly, you already heard a good case study of the problems with the accuracy of Whois data. We found in our survey, which by the way, had over 3,000 respondents, it was a very well participated in survey, that this is an issue that crosses all the different categories.
Many of the respondents were harmed or inconvenienced by inaccurate Whois data. You just heard an example. ICANN has already taken some steps, the issuance of the registrar advisory last month, but there's much more that could be done. It's an issue of enforcing the existing contractual provisions that the registrars operate under, and if that doesn't adequately deal with the problem, then looking at potentially changes to those. And one issue that was identified, of course, is that right now it's an all-or-nothing enforcement tool, and perhaps that needs to be that needs to be modified.
I’d like to turn it over at this point to Ram Mohan who will summarize the draft recommendations on you know for the and consistency.
>>: Ram Mohan: Thank you, Steve. The task force found that clearly uniform data format and uniformity of data elements, two separate but linked issues, they do need to be discussed and handled separately. The task force recommends
>>Vinton Cerf: Excuse me, I’m sorry. It is difficult to read up here. If you could make this normal presentation format, it would probably be more easily read. Yes, thank you.
>>: Ram Mohan: Is that better?
The task force recommends that uniform Whois data elements be provided across all gTLDs. That doesn't exist today. And the findings from the survey, over 2,000 of the responses that were presented showed very strong support for uniform Whois data elements to be provided across all gTLDs.
In addition, we believe that uniform data formats across gTLD and ccTLD environments should be evaluated further. We're not clear that respondents clearly and fully understand the characteristics of ccTLD environments. There seems to be a better understanding of the characteristics of Whois in the gTLD environments.
The task force has separate deliberations, intends to conduct separate deliberations with the objective of identifying the best way to make progress towards the goal of uniformity. And we're taking into account specific aspects of differences in TLD environments as well as specific concerns about use of information across different TLD environments. And the value accountability and transparency across a domain name system.
And clearly, the survey results show that there are significant public-interest concerns about, "a," the uniformity of the data that's provided in the Whois, not just in gTLD but in ccTLDs as well. And there's strong support that's insofar from the survey results on providing a centralized access point to Whois destination across gTLD and ccTLDs.
It is important to recognize, we believe, that access, who accesses the information, under what terms they access information and what limitations are placed on the use of information that's been accessed. These issues are very important in terms of consistency across gTLD and ccTLD registries. I turn it back to Steve.
>>Steve Metalitz: Thank you. The third area deals with searchability, which is a rather complex topic. Basically, how can you just search on the domain name, as Mr. Small did, to find out who was who allegedly had control of the domain, or can you search on other data elements.
There are really two aspects of this problem. One is a .com, .net, .org aspect, because there was searchability on a number of data elements prior to the introduction of competition in the registration business. That no longer is available. And that needs to be restored. There is very strong support for that in the survey. And this deals with the environment where, as Andrew's presentation noted, it's a thin registry system, so that the data is actually held by all the different registrars.
The second aspect to this is to try to get to a to competitive cross-registry Whois services, get to a variety of services where you can search across all of the databases. And part of the answer to that, in our view, is to facilitate the bulk access to Whois data for the purpose of compiling that type of service. So those are our main searchability recommendations. I think Karen
>> Telephone: Hello.
>>Vinton Cerf: Hang on. We're just getting
>>John Crain: Sorry about that, ladies and gentlemen. That is an incoming conference call. I’ll sort this out. Hello, operator, could you put us directly to the conference call, as we're on the speakers.
>> Operator: Sure.
>>John Crain: Sure.
>>Marilyn Cade: Let me (inaudible) do a quick wrap-up, but focus right now on one of the most significant findings that we can point to where there's absolutely complete clarity that the respondents are concerned about marketing and about resale of the data, and about bulk access, the two aspects to bulk access.
They're more comfortable with the use with the continuation of bulk access for nonmarketing purposes. And that comes across very clearly. And so that would be the use of the resale of the data so that third-party services that perhaps the Thomson & Thomson or someone like that might use to build a service that they then search the data.
No comfort at all with the use of the data for resale, for a big concern comes across about the fact that people are using the data for marketing, not just bulk resale, but also data mining as well.
We still have a significant amount of work to do in understanding the privacy implications generally and the we will be discussing differentiated access to the Whois database for different elements. That is something that we will be spending a fair amount of time on. We also intend to ask for consultation with a number of the ccTLDs to try to get a better understanding of this set of issues involving Whois in the ccTLDs environment.
There will be, in our recommendations, definitely a recommendation for an examination of the Whois policy. I can't tell you right now how exactly how far it will go, but you'll see a clear indication that given just the concerns about marketing, resale, and bulk access, that there will be a need to examine the policy.
The changes that appear to be needed will have costs associated with them. so one of the things that we hope to do is to look at what the kinds of steps are that can be taken by the registrars and what steps can be taken to empower the registrant to do a better job of updating their own data.
We believe a significant amount of the error in the Whois may be actually registrant-generated initially, perhaps because they registrars don't use the same forms. And people do make errors in just filling the data in. You're not rejected if you put erroneous information in different fields for instance. So you can get data, you can get errors through that mechanism. A number of as we all know, a huge number of registrations are actually done by third parties, intermediaries, ISPs, corporate registrars, et cetera. So we have a value chain here that we have to think about in terms of how do we educate people about what they do to help make sure that the data is correct. People are not updating the data when it ages. And that needs to be looked at in terms of are there steps the registrars can take without a huge amount of cost to just advise the registrants, remind them of the need to go in and correct that data.
Then we come to the areas of misuse of the data, where people are purposely putting false information in, and they do it sometimes for a good reason, that is, they're concerned about privacy of their from their own perspective as an individual. And many times they do it for a not-good reason. And that is because they intend to confuse someone or to make themselves inaccessible when they need to be contacted for other purposes. We'll be talking with the staff about what changes require consensus policy. And we published our time line before, so I won't take your time up on that now.
>>Vinton Cerf: Thank you very much, Marilyn.
>>Andrew McLaughlin: I just wanted to say thanks to the participants. Miraculously, we have come in at just about an hour. And I especially want to thank the task force members. They had a lot of information and really did a great job of editing themselves down to the time frame. So thanks.
>>Vinton Cerf: Thank you very much, Andrew, and to all of the presenters.
It's very clear that this problem is very complex. Looking at this from the perspective of about 30 years, it's plain that the introduction of personal use of the Internet, as well as the introduction of competitive commercial services, has transformed the nature of Whois itself, the contents, and the interest that people have in it from the very institutional structure that it was before, where no one had a personal registrations, it was always some university, some research lab that had a few big computers that were being shared to a far more complex environment. So first let me thank the task force for taking on the job of trying to figure this out. And second, thanks to the presenters for being up at this hour in the morning and being lucid and very interesting.
With that, we'll close the discussion on Whois for this time and move on now to the rest of the formal board meeting.
(ICANN Board Meeting follows.)