ICANN Meetings in Lisbon Portugal
Transcript - GNSO Council Whois Discussion
25 March 2007
Note: Although transcript output is largely accurate, in some cases it is incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
>>BRUCE TONKIN: Hello. We are about to start the discussion on WHOIS.
>> Thank you, Bruce.
>> That's the Denise style.
>>BRUCE TONKIN: The Denise style is quite effective.
So I would like to hand over to Jordyn Buchanan, the chair of the WHOIS task force to just give a bit of a summary of where the WHOIS' task force has got to in the conclusion of its work. And then as a GNSO Council, I would like to have a bit of discussion about what we think the next steps might be and how we would convey those to the GAC in about an hour's time.
So the purpose of this meeting is to just try and get some alignment on how we see the process proceeding from here.
I will start with Jordyn, if you can perhaps give us an update of the final conclusions of the reports.
>>JORDYN BUCHANAN: Thanks, Bruce. I would be glad to do that.
So the WHOIS task force recently completed its work on its final report which was sent to the council and I think actually concludes the work of the task force as a result. In any case, the -- by a small majority of 7-6, so basically a tie between three constituencies on either side, was broken by our one Nominating Committee representative on the task force. On that basis, the report includes some policy recommendations that essentially codify the OPoC proposal that we have been talking about for some period of time and I will summarize that briefly in just a moment for those of you who might not be familiar with the proposal.
Because there was not a supermajority support for those policy recommendations, the report also includes the position that's held by the other three constituencies which is the Special Circumstances Proposal, and we will talk about that, too.
So for those of you not familiar, the OPoC proposal has a few elements. The first is that it removes the registrant's mailing address from public display within the WHOIS. That information would still be collected by registrars, but it would no longer be displayed in the WHOIS system.
The second sort of visible change is that it replaces the technical and administrative contacts that exist today with a new operational point of contact. For entities that actually have different people performing those functions today, you actually have the ability to list multiple operational points of contact. There would no longer be a distinction made within the WHOIS display as to different types of contacts. There would only be operational points of contact.
The third change is that for thick registries like dot org and dot info, it would remove contact information from display from the WHOIS information in those registries. The registrar WHOIS would be the only place to get contact information for -- yeah, for domain names. The registry WHOIS would continue to have some technical information like name servers and status and so on.
>>BRUCE TONKIN: So just for clarity, Jordyn, is the OPoC data in the dot org and dot info registry?
>>JORDYN BUCHANAN: I believe the -- so this may be a good question for further implementation work, but I believe that there is -- that the intent is that there is no change made to the data that would be sent to the registry. So there would still be a thick set of data sent to the registry. But it wouldn't be displayed by the registry. Does that make sense?
>>BRUCE TONKIN: Not really. I am confused.
>>JORDYN BUCHANAN: So the registrar would still send a complete set of data through each IEP, but the registry WHOIS would include a limited set of data similar to what you would see in com and net.
>>BRUCE TONKIN: That third statement is not correct. You are not removing the contact information from the registry --
>>JORDYN BUCHANAN: That's summarized incorrectly. Yes, from the WHOIS -- (multiple speakers).
>>BRUCE TONKIN: I think I would just edit both of these because I want something we can present to the GAC properly. But remove registrant mailing address from open --
>>JORDYN BUCHANAN: From public display.
>>BRUCE TONKIN: Unrestricted access or something.
>> What about the street address?
>>JORDYN BUCHANAN: Right. There would still be geographic information. It would still be displayed. It wouldn't be the actual address.
>>BRUCE TONKIN: A registrant street address is a good way to summarize it. What gets displayed then? Country or the city?
>>JORDYN BUCHANAN: Not the city. I think it would also remove the city. I think it is the state and the country would be displayed.
>>BRUCE TONKIN: Street? Province -- street and city, is that right? Removing street and city address but you are displaying the country name. Is that right?
>>JORDYN BUCHANAN: Country and the jurisdiction -- the state or province.
>>BRUCE TONKIN: Right, okay. Hopefully, that will come up in the example so that's clearer. And replace can technical administrative contacts, again, what we are really talking about is displaying -- because this is really a display issue, isn't it? Or an access issue? You are not actually replacing those contacts.
>>JORDYN BUCHANAN: That's correct. What really happens is there is the addition of the operational point of contact and then that is the only contact which is displayed in WHOIS.
>>BRUCE TONKIN: Yeah. So a new operational point of contact which will be -- is that right?
>>JORDYN BUCHANAN: Yes. That doesn't quite convey, though, that the admin and technical contacts would no longer be available.
>>BRUCE TONKIN: So admin and tech contacts. Okay. So you still have a registrar contact.
>>JORDYN BUCHANAN: That's correct. So our terms of reference didn't include any changes to the data collected.
>>BRUCE TONKIN: Yes.
>>JORDYN BUCHANAN: So in -- it may be that upon further consideration, someone might decide it is silly to collect an admin contact, a technical contact and an operational point of contact.
>>BRUCE TONKIN: Is this a product of (inaudible)? You are actually adding -- maybe it depends on what you convey to the registry, I suppose. You are not conveying this operational point of contact to the registry?
>>JORDYN BUCHANAN: So under the -- once again this the implementation detail we didn't get to. I think that could be conveyed to the registry or couldn't. It wouldn't be displayed by the registry so the value of that would be from an escrow perspective than for the WHOIS system itself.
>>BRUCE TONKIN: Admin tech no longer available for open, restricted access at the registrar or registry. That might be easier just to get because I think that just confuses the discussion. Is that right? Admin and tech contacts no longer available for open restricted access at the registrar or registry via the (inaudible). New operational point of contact, which would be made available for open, unrestricted access --
>>JORDYN BUCHANAN: So I do think it is significant that there have been no contacts. Even though there is some changes to the contact information displayed by registrars, there would be no contact information whatsoever displayed by registries.
>>BRUCE TONKIN: They are not displaying operational point of contact.
>>JORDYN BUCHANAN: They are not displaying their operational point of contact or the registrant name.
>>BRUCE TONKIN: The new operational point of contact would be made available for open restricted access by registrars? And Web access presumably?
>>JORDYN BUCHANAN: We didn't make any changes to the mechanism --
>>BRUCE TONKIN: I am editing this for public consumption. You want to make another point about a registry?
>>JORDYN BUCHANAN: At the registry level, there would be no legislature/registrant contact information. There is no contact information of any sort displayed by the registry.
>>BRUCE TONKIN: And you don't display OPoC either? It is pretty much registries display as currently for common names?
>>JORDYN BUCHANAN: I think that's a fair summary of it.
>>BRUCE TONKIN: So this example will help clarify, okay.
>>JORDYN BUCHANAN: In this example, I think it shows the -- but in any case, here is an example. This is me. This is an old address. I am bad and I haven't updated my choice contact information. Someone can go and file a complaint against this domain if they would really like.
But the -- this is domain name I registered a while ago, Jordyn.info. It has the registrant contact information as well as technical contact and it doesn't show an admin contact here right now because I think it is the same as the registrant.
And this just shows the information that's -- the changes from the OPoC proposal are essentially to hide the street address and leave some jurisdictional information available and it gets rid of the technical contact -- or replaces the title of the technical contact down below with an operational contact, which in a lot of cases would probably remain the same as the existing contacts.
So the second policy -- or set of policy recommendations that are going to be included -- that are included in the reports is the Special Circumstances Proposal. This was supported by three constituencies. And the approach made by the Special Circumstances Proposal is instead of making blanket changes to the information available through WHOIS, instead if certain special circumstances apply to a particular registrant, then they are essentially able to opt out of having their information displayed in the WHOIS.
So essentially the requirement here is if you have a reasonable belief that publishing the information would threaten your safety somehow -- so if you have a stalker or something like that -- then you would be able to go to a neutral third-party and state your claim under certain criteria that ICANN would set as part of this policy and, say, I have specific situation that requires that my information not be displayed and as a result I need to have privacy. If the third-party agreed that you had met the criteria, then all of your WHOIS contact information would be redacted instead of just the street address as is the case with the OPoC proposal.
And the important difference I alluded to earlier, if you have a general privacy concern, like I don't like it when people can see my name as a general concept, that doesn't qualify as a special circumstance. You wouldn't be able to have your information removed in that case. You would have to have a specific sort of concrete situation that qualified as a special circumstance.
The other important change included in the Special Circumstances Proposal is that inhibiting the current proxy services that are offered by some registrars and some currents affiliated with some registrars. These services essentially allow registrants to replace their contact information in WHOIS with that of a proxy or an agent or something like that. In some cases the proxy actually becomes the registrant through some convoluted contractual arrangement, makes it possible for the person that paid for the domain to use the domain name even though they are not officially the registrant of record. So this proposal would ban those sorts of arrangements.
So the next steps are the task force's work has basically concluded. We have transmitted our report to the council. The council now -- it is up to the council as to what it does next. The council could just vote and decide to approve the recommendations. They could modify them or approve further work such as a implementation team in order to look at some of the remaining implementation issues.
Along with this, the ICANN staff has also prepared some notes for the GNSO Council on the task force recommendations that identify some missions for clarification, further discussion, implementation issues and suggest a framework for further development of the proposal.
And that sort of gets to our state today.
>>BRUCE TONKIN: Okay. We will take the first one, then. I am just wondering, at the last council meeting we talked about clearly sort of identifying what the issues are. We essentially have two proposals, both of which have got roughly half the constituencies -- in fact, exactly half the constituencies supporting each of them which is a dead-lock position that can obviously be resolved with the Nominating Committee appointees to the council.
But I think that the council should at least attempt to have a look and see is there a way of getting additional constituencies to support one or another of these proposals.
So if we just start with the OPoC one first, perhaps representatives from the three constituencies that are opposing that would identify what changes would they want to see to accept that. Or are they just saying they will never in a million years support it.
Perhaps if I could ask someone from the intellectual property area, maybe Kristina who has now got her mouth full or Steve Metalitz who also has his mouth full. I am just interested to get a summary of what are the sort of top three or four things that you think would need to be fixed or added or changed or whatever.
>>STEVE METALITZ: Thank you, Bruce. I think our main concerns about the OPoC proposal are set forth in our constituency statement that was part of the final report. And then I think Kristina may have forwarded you a slightly updated version of that. But there are a lot of concerns about what the OPoC system is even intended to cover, since it only applies to operational problems.
You will recall, we had a lot of discussion within the council about what that covers and whether it covers legal problems arising from the content of a Web site to which the domain name resolves, for instance.
>>BRUCE TONKIN: So let's sort of capture those. I just want to kind of summarize some of these. Probably not spelling this right, anyway opposition to OPoC.
So you are saying unclear on -- what is it -- the role of operational contact? Is that essentially what you are asking or the responsibilities, perhaps?
>>STEVE METALITZ: Well, it is the scope of the responsibilities. Operational issues related to a domain name is what the OPoC is supposed to act upon, and that's not defined.
>>BRUCE TONKIN: And that's not what? Not defined. So that's something that can be clarified presumably?
>>STEVE METALITZ: It could be. If I can back up a second, I think you framed this in terms of what changes would have to be made for the IPC to support this, and I think we have to look at this in the contact of what's happened in the task force over the last six months to a year in which we've raised these issues and never gotten a satisfactory answer to these issues. So that's the first one is the scope of what OPoC covers.
The second is what is the OPoC supposed to do? Does the OPoC have a job description?
The third is are there any time frames within which the OPoC must act, assuming we know the scope of the issues to which the OPoC is -- on which the OPoC is responsible and what the OPoC is supposed to do, how quickly must he, she or it do those things.
The fourth area is what happens if the OPoC fails to act or fails to meet those time frames, what recourse is there.
And then the final area which I think -- I know we've heard from almost every constituency in the task force is what are the circumstances under which the registrant's actual contact information will be provided to those with a legitimate need for it? So, in other words, what are the circumstances in which you're not simply left with what is publicly available, which is the OPoC contact information.
So those are the main areas.
>>BRUCE TONKIN: Can I just sort of clarify that terminology you used, "actual contact information."
>>STEVE METALITZ: Of the registrant.
>>BRUCE TONKIN: Yeah. So if I give an example of a proxy service, just to clarify this language, because I want to make sure you are actually talking about -- whether you are talking about contact information or identity information because they are slightly different. I can create an e-mail address that reaches me which is called Steve@Brucetonkin.com. My e-mail address I typically use is Bruce.Tonkin@melbourneit.com.au. The fact that we send email to me at Steve@BruceTonkin, that is contact information. That E-mail gets to me. But that is not identity information because it doesn't have my name Bruce Tonkin in there. Perhaps that would clarify a little bit.
I think you are actually talking about identity information. Your identity information is typically what uniquely identifies that person which is more likely to be their home address or their passport number or something that's really identifying information that you can then -- there is probably lots of Bruce Tonkins in the world. Just the name Bruce Tonkin is not enough.
But if I give you Bruce Tonkin and my home address, that's enough to -- that's actually identity information that uniquely identified me.
>>STEVE METALITZ: I don't know that that's identity information. I would say that's contact information because it enables me to contact you. The problem is under the OPoC system, there can be very little useful contact information.
>>BRUCE TONKIN: That's what I am trying to understand.
>>STEVE METALITZ: It will say, Bruce Tonkin, New South Whales, Australia, and then the OPoC might be my address.
>>BRUCE TONKIN: Yep.
>>STEVE METALITZ: I don't know where you are.
>>BRUCE TONKIN: Right.
>>STEVE METALITZ: Or how to reach you but you have listed me as the OPoC. The question is how do we get to -- assuming that the registrar is collecting the same information that it collects today, what are the circumstances under which someone with a legitimate need for it gets access to that information.
>>BRUCE TONKIN: That's what I am still questioning. I see a difference between contact and identity. Contact information, my understanding is, OPoC is the contact information. It is saying --
>>STEVE METALITZ: It might be. In the example I gave, you know, you may -- you listed George W. Bush as your OPoC. He doesn't know how to get ahold of you. You have complied. The registrar has complied. Everybody has done what they are supposed to do under the system, but no one can contact you.
>>BRUCE TONKIN: Isn't that then -- so that comes back to -- if I can just highlight here -- what's going on? Let me just put this in red.
>>STEVE METALITZ: It is an example of that.
>>BRUCE TONKIN: Isn't that essentially what you are talking about? OPoC is the contact information. It is saying if you want to contact me, write to this address. Send an e-mail to this e-mail address. Ring this number, that's how to contact me.
I think what you are saying is if that doesn't resolve in contact or that information is false --
>>STEVE METALITZ: Yeah.
>>BRUCE TONKIN: Essentially it becomes the false WHOIS issue, doesn't it?
>>STEVE METALITZ: There could be two variants of this. One, in which the OPoC doesn't do what it is supposed to do, assuming we have defined what that is. That may not be OPoC's fault. OPoC may be unable to do that because it doesn't know how to contact you.
And the other example would be when the OPoC does what it is supposed to do, you are still not really contactable. All we know is that he has passed along something to you -- or he says he has. We know that you are Bruce Tonkin, New South Whales, Australia. But for the purposes of what we need, we need more information about you.
So that's the other variant of this fifth bullet.
>>BRUCE TONKIN: I am struggling with the actual contact information versus -- I can see the circumstances where actual identity information could be provided, which may not, by the way, be -- the address that you have given is often false anyway. Much more likely his IP address and other things and be able to identify -- we are talking about criminal prosecution scenarios, and I have been involved in a number of those. The WHOIS data really tells you that.
In fact, what they are actually doing is a number of things and I think law enforcement presentations on this topic -- they correlate the data. Somebody uses the same false choice data in a number of places and eventually slips up because they have something else attached to that and it identifies the owner.
I my the process for establishing identity is a bit difference for the process for contact. If we focus on the process for contact, I think what you are saying at the moment you don't see there is enough guarantees that contact will be established.
In other words, the name that's in there --
>>STEVE METALITZ: Yes. You will have less -- yeah, you will have less information -- again, we are assuming that the registrar is collecting the same information as he was collecting before. Under what circumstances is that information accessed?
>>BRUCE TONKIN: So I think maybe I will just --
>>STEVE METALITZ: I will not quibble whether it is contact information.
>>BRUCE TONKIN: No, no, I want to be clarifying the words. Rather than say that, I think circumstances where -- because we are still collecting the same information, okay? So circumstances where the admin and tech and full registrant information would be provided. So basically we are collecting the admin, the tech, and the registrar, all the information.
And then you are saying what circumstances would that be provided, I think, is the right way to word it.
>>STEVE METALITZ: That's fair enough.
>>BRUCE TONKIN: Okay. Are there more?
>>STEVE METALITZ: I think there are more --
>>KRISTINA ROSETTE: I would also add -- this carries on to some of them -- under the current proposal, there are situations where not only would it be very difficult for a party requesting or desiring the information to obtain that through the judicial system as proposed by certain proponents of OPoC; but even if they could find a court that would be willing to exercise jurisdiction, at least in the United States, they would be unable to serve the registrant with the notice that they are required to provide consistent with due process requirements.
Let's just give the example of the OPoC -- the registration -- the WHOIS record that Jordyn put up earlier before and just kind of work through that.
If, for example, the registration record identifies New York --
>>BRUCE TONKIN: Do you want the original?
>> No, the redacted one.
>>BRUCE TONKIN: This one?
>>KRISTINA ROSETTE: Right. Under OPoC, it should also include New York the state, but not the city. In this situation, you'd have a dual problem in a sense that New York is one of numerous states that has multiple judicial districts. So you would really have no way to determine which court you would want -- you would need to go into.
If, however, Jordyn -- the registration information identified Connecticut as where he lived, you could get jurisdiction in a federal court, for example, because there is only one judicial district in Connecticut and assuming you could satisfy all the other requirements and the court said, "fine, we are willing to exercise jurisdiction," there is no way to actually provide Jordyn with service and notice and the opportunity to be heard in the action that has been initiated against him because you can't comply with the requirements under U.S. law.
>>BRUCE TONKIN: I just want to make sure I am capturing this correctly just for the purpose of this demo.
So that's effectively New York State. That's New York State? New York is not very good. I am going to give something else that's not a city name as well. California, that will do. I am just correcting your WHOIS information. So run that one by me again.
So you are saying in this case it says that Jordyn lives in California, U.S.
>> Right.
>>BRUCE TONKIN: You are saying that is or is not enough information for a court?
>> Not enough.
>>BRUCE TONKIN: Why is that again?
>> Because in the United States -- again, let's just take the example of a trademark action. You are going to be proceeding under federal law in federal court. In order for the court to proceed, they not only have to have jurisdiction over the subject matter, which they would over the trademark issue because it is a matter of federal law but also personal jurisdiction over the person or entity against which the action is brought.
>>BRUCE TONKIN: Yes.
>> The problem is you can't demonstrate -- there is no way with this information to satisfy the personal jurisdiction requirement because California has got multiple federal judicial districts.
So you either have -- there is clearly no way -- even if you were to say, okay, we'll go with central district of California. It has got the most people in it. Statistically speaking that's most likely, the court will not buy that.
>>BRUCE TONKIN: What if it was city information as well as state?
>> That would be enough.
>>BRUCE TONKIN: That would be enough?
>> It would be enough.
>>BRUCE TONKIN: That could be considered.
>>KRISTINA ROSETTE: It would be enough for personal jurisdiction. It would not necessarily be enough for service. That's the due process requirement with regard to the registrant itself. In the sense that once I go forward in federal court, I file my complaint, I have an obligation to serve the defendant -- Jordyn, sorry -- with notice of the action so that he has the opportunity to be heard.
>>BRUCE TONKIN: That comes back to what Steve was saying. To give notice, you would send it to 575 8th Avenue, New York?
>>KRISTINA ROSETTE: Actually, no, you would have to -- under U.S. law, you have to serve them at their home if it is an individual.
>>BRUCE TONKIN: Which comes down to this identity -- a lot of the information you get is not home address information.
>>KRISTINA ROSETTE: Correct. If you have got a street address, a city and a state, in most cases you are able to determine what the home address is.
>>BRUCE TONKIN: By looking up the White Pages? What if -- that can be blocked out. Is that what you are saying? How would you -- if I add the city and the state how, do you get the home address?
>>STEVE METALITZ: It could be at the place of business. It is just that the register.com is not Jordyn's place of home.
>>KRISTINA ROSETTE: And they are not an authorized agent to accept service of process.
>>STEVE METALITZ: They are not authorized to accept service. It gets back to the question is what is the OPoC's job description? If the OPoC's job description was included to accept process of service on behalf of the registrant, then I think this issue would be resolved; but that's not part of the job description.
>>BRUCE TONKIN: You are saying if in the job description for the operational contact, you were to say part of the job description is to use those words again?
>>STEVE METALITZ: If the job description was to be able to be authorized to accept service of process for the registrant, then you would be able to do that, in Kristina's fact pattern. But if it didn't include that, then you would have the problem that she raised, which is you would need to find better address for Jordyn.
>>BRUCE TONKIN: David?
>>DAVID FARES: Since we are wallowing in legal technicalities, trademark lawyers for years and years have resolved these problems in two ways. One is in-rem actions and only the lawyers are interested in what that is. The other is John Doe actions, or I think in the U.K. they are called Anton Pillar actions. At least for trademark infringements there are ways of resolving these problems.
>>KRISTINA ROSETTE: If I could respond to that. I would hardly characterize the constitutional requirement of due process as a technicality. But aside from that, under the OPoC proposal itself, it essentially emasculates the in rem provisions of anti-cyber squatting Consumer Protection Act, which, as written by Congress, requires a potential plaintiff seeking to proceed under that statute in rem to provide the registrant with notice at their address. I mean, it doesn't say OPOC. It doesn't say agent; it says address.
>>BRUCE TONKIN: At what?
>>KRISTINA ROSETTE: At their address.
>>BRUCE TONKIN: Isn't address a contact? I don't understand. It doesn't say at home address. It just says address or is the Steve making a distinction between address of a business or something.
>>KRISTINA ROSETTE: Actually, in the statute itself it requires the owner, da ta da ta da, to send a notice of the alleged violation and intent to proceed under this paragraph to the registrant of the domain name at the postal and e-mail address provided by the registrant to the registrar and publishing notice of the action as the court may direct promptly after filing the action. You don't have the registrant's e-mail and postal e-mail address.
>>BRUCE TONKIN: It doesn't say personal -- I don't know. I have to obviously getting advice to look at that. Their address might be P.O. box, blah, blah, blah, blah.
>>KRISTINA ROSETTE: Correct.
>>BRUCE TONKIN: And generally what these proxy services do is they have a P.O. box. They don't usually have an address like Jordyn has got. It is usually a P.O. box. The e-mail gets put in the P.O. box and sorts that and sends it to the relevant place. That P.O. box is a valid address for service.
>>KRISTINA ROSETTE: For proceeding under this statute, yes.
>>BRUCE TONKIN: That's what I am trying to question. The way you read it, it seems OPoC would still meet that requirement. It is not asking for the identity.
>>KRISTINA ROSETTE: It is requiring the registrant.
>>BRUCE TONKIN: It said the address that the registrant provides to the registrar. And OPoC is an address --
>>Kristina Rosette: You have to provide the notice to the registrant at the postal e-mail address provided by the registrant to the registrar.
>>BRUCE TONKIN: And there is admin tech and registrar and there is all the information provided to the registrar by the registrant. We are not getting that information from nowhere. The registrant provides that information so you can post at that address.
What we are saying is the registrant would provide OPoC address and saying this is my address for sending notices.
>>KRISTINA ROSETTE: That's now how OPoC is currently described.
>>BRUCE TONKIN: Right. Just conceptually, I'm not sure right now we are in breach of that act. I agree it depends on how we clarify the definitions here but just conceptually, it is basically saying that you need -- that seems no different to any other --
>>KRISTINA ROSETTE: You would basically would have to have the OPoC not only willing to be agent for service of process but be willing to stand in the shoes of the registrant for purposes -- to basically act as the registrant for purposes of this act because you have to provide the notice to the registrant.
>>BRUCE TONKIN: No.
>>KRISTINA ROSETTE: Under the OPoC proposal you are providing the notice to the OPoC.
>> What if it is in care of Mailboxes Etc? Would Mailboxes Etc. somehow be liable as a result of that?
>>KRISTINA ROSETTE: You would have the name and the address.
>> Right. But it is some third-party entity is the address. It just happens to be the function they are providing --
>>BRUCE TONKIN: You are not replacing the name so you have got the name of the registrant and you got the address, which is the OPoC address. That is their address. That is the address -- there is no difference between that and a P.O. box number that registrants can provide anyone. Really, it is just a matter of saying is it the post office that's running that service or is it some other third-party that runs the mailbox. At the end of it is the mailing box.
>>KRISTINA ROSETTE: Then you get back into the issue we were just talking about. What obligation does the OPoC have? What guarantee that it actually happens?
>>BRUCE TONKIN: I agree that's the fundamental issue. Any other?
>> May I ask a question.
>>BRUCE TONKIN: I don't want to redebate the WHOIS task force. I just want to be completely clear on what it is, is the issue for the intellectual property constituency and certainly you can ask points of clarification.
>>AVRI DORIA: One is a point of clarification and another one is clarifying something that was said there. First of all, it is really interesting to see the sort of universification of U.S. law as what ICANN needs to deal with in terms of the WHOIS.
One of the things that I don't understand is once a court has said that there is something valid to be pursued, wouldn't that court be able to give the person that needed to send the due process the requisite legal paper to go to the registrar and say, give me the address.
You are basically saying that those of us that were arguing that due process is what you use -- you have gone to the court. The court has said, yep, you've got a reason to do something. You don't have enough information to serve your papers. Okay, the registrar has that information. It is not being removed from the registrar. It is just being removed from the public and at that point, you go to the registrar and say, give me the address so that due process can continue to be followed.
>> If I might follow on that. There has been several cases that exactly that has happened. Two cases in Holland this spring. It was a big victory for right holders and this way have been able to get detailed information from the registrars. It was one case that placed the way.
>>BRUCE TONKIN: Nigel?
>>NIGEL ROBERTS: Thank you for giving me the opportunity. I'm kind of confused about all this because I hear from intellectual property people that due process is important. I hear constitutional rights mentioned. I hear everything very, very U.S. centric.
But there are 30 countries and territories where protection of personal data is a law. It is the eight-day protection principles cannot bylaw be contravened.
Now the eighth one says you can't transfer data outside the European economic area in violation of any of the principles. This -- even the revised proposal is in violation of those principles.
Now, there is a confusion and always has been between recording personal data and publishing it. And I think that's intentional because I think what you want to do is bypass due process. You want to be able to say we can get the registration information just like that. It must be published to the world.
Now, you can get that from the registrars lawfully and with due process. In the U.K, there is something called a Norrich pharm (phonetic) account order. That is basically you go to the registrar and say you are innocently helping somebody commit a tort. Please give me the data of who that person is because you are the only person that can do it. If they don't, the court can compel you to do it.
As soon as you threaten that, people will voluntarily and in accordance with the law disclose that information. You can have automated ways to do it even, providing there is somebody who can device a system whereby you can verified the bona fide of somebody doing this.
Why do you need to publish this information?
>>BRUCE TONKIN: I don't want to get into that debate for a second. So --
>>JORDYN BUCHANAN: Bruce, can I make one quick point?
>>JORDYN BUCHANAN: I mean, Nigel raises a good point that there's a lot of laws, obviously, and we actually, I think, in the task force, tried to stay fairly far away from trying to make policies comply with laws, because --
>>NIGEL ROBERTS: But that's not what you're doing. I'm hearing the exact opposite of that.
>>JORDYN BUCHANAN: No, no, no. So I think that applies in both directions.
>>NIGEL ROBERTS: Yeah.
>>JORDYN BUCHANAN: It's very difficult to have a global ICANN policy and then try to say, "Oh, here's a law. Let's see, does it match this particular law?"
Because there will be many laws that will be in conflict and there will be no way to make a policy that's going to be a hundred percent consistent with all the laws in the world, and that's why we also created the law -- the national law exception procedure, so when we do run into situations where there's a conflict between the law and the ICANN policy, there's a way to resolve that situation.
>>BRUCE TONKIN: Okay. So I'm conscious of time, so I want to try and keep moving. Steve, are you finished on, you know, kind of your top five?
>>STEVE METALITZ: I am.
>>BRUCE TONKIN: Thank you. Philip, business constituency.
>>PHILIP SHEPPARD: Thanks, Bruce. Just as an opening comment, let me say that if there was a cyber squatters bad faith and rogue trades constituency, they would be voting in favor of the OPoC proposal. That may be one blunt way of expressing some concerns we have with that. But let me hand over to David Fares, who will give a much more precise and less blunt and perhaps more detailed list of why we don't -- why we have concerns.
>>BRUCE TONKIN: And particularly, adding to this list, as opposed to repeating this list, too, if you may, David.
>>DAVID FARES: Thank you, Philip, and thanks, Bruce. Actually, we share many of the concerns -- we share all of the concerns raised by the IPC. I would like to add a -- well, build upon one of the statements that -- one of the components that Steve raised, and then add another point, and that is, on the last point, circumstances where administration -- the administrative contact, technical and full registrant information would be made available.
There's no -- notwithstanding requests, there was no uniform process or standardized process created whereby legitimate rights -- legitimate stakeholders -- because we all need to remember that this is not just about IP issues. There are other issues that are legitimate for which the ICANN community needs access to the WHOIS database and the business community needs access to the WHOIS database. We've focused on the IP issues because you first asked the IPC, and I don't want -- I think you can go back in history and find all of the different uses made of WHOIS from the larger business community, so I just want to remind everyone that there are many more uses of the WHOIS database that are legitimate.
>>BRUCE TONKIN: So is it --
>>DAVID FARES: So I think just creating --
>>BRUCE TONKIN: So I've just put sort of no standard way to access. Is that --
>>DAVID FARES: That -- okay. So that builds upon --
>>BRUCE TONKIN: Circumstances, and then there's no standard --
If there were circumstances, you're saying that each registrar might have a different set of rules for you to follow to do that.
>>DAVID FARES: Right.
>>BRUCE TONKIN: Yeah.
>>DAVID FARES: And the second point I would like to make is that there's a very small additional requirement related to accuracy in the OPoC proposal, and if there's going to be restrict -- if there's not going to be public access to that data, there should be additional accuracy requirements imposed in the WHOIS policy.
>> [inaudible]
>>DAVID FARES: So that if there is a delay in our ability to access that information, we can ensure that that access is -- that information is accurate, so that there's no longer additional time burdens for us to be able to respond to the problems that we need to respond to.
>>BRUCE TONKIN: So -- yeah. I'll just -- I understand why. So need more accurate admin taken for registrar? Is that basically it, David?
>>DAVID FARES: Sorry?
>>BRUCE TONKIN: Have you finished?
>>DAVID FARES: [inaudible]
>>BRUCE TONKIN: Now, the ISPs, who do we have? Do we have anyone from the ISPs that oppose this? Good. We've got rid of one opposition.
[Laughter]
>> No. It's [inaudible]
[Laughter]
>> Sorry. I work for an Irish ISP. We're members also of the Irish ISP Association, which is associated with EurISPA.
In common with -- with Nigel, some of the stuff that you're talking about does scare me because you seem to be ignoring the European Union's stance on privacy.
>>BRUCE TONKIN: Yeah. Hang on. This is just -- what I'm finding -- the ISPs, actually, which you're a member of, has opposed this, so I'm not -- I'm not looking for reasons for it, at the moment.
>> No, that's okay.
[Laughter]
>>BRUCE TONKIN: So why do you, as an ISP, oppose this proposal?
>> The -- which part of the proposal, exactly?
>>BRUCE TONKIN: The concept of having an operational point of -- this -- basically, that's the proposal, and the ISPs have voted against that proposal, so I'm seeking clarification on what the -- their issues are.
>> Basically, as things stand, we already receive cease and desists and various other legal threats for things that are beyond our control, so, for example, in the IE ccTLD, which I know this does not relate to, but it does give you an example, we would be listed as the tech c for most of the domains that we hold. We would receive takedown notices on a regular basis from trademark lawyers, from solicitors all over the world, who basically look at the tech c contact and go, "Ooh, they're the tech c. Therefore, they must be responsible," even if the Web site is not hosted by ourselves and we do not control it directly.
>>BRUCE TONKIN: Yeah. We have the same problem as registrars, yeah.
>> Yes, of course.
>>BRUCE TONKIN: Yeah.
>> The issue -- the other issues that arise are that under the -- under this kind of proposal, you're trying to make -- give us an extra responsibility.
That --
>>BRUCE TONKIN: Give -- hang on. Who is the "us" there?
>> No. Well, "us" as in ISPs. You're trying to give --
>>BRUCE TONKIN: Where are you getting the extra responsibility?
>> Well, if you want us to be the point of contact --
>>BRUCE TONKIN: No, no, no. There's no requirement.
>> Yeah, but that's --
>>BRUCE TONKIN: That would be your decision as a commercial operation to do that. So the registrant must specify an operational --
>> [inaudible].
>>BRUCE TONKIN: Yeah. So that, in fact, it probably helps you, because the tech information that you're talking about wouldn't be displayed anymore.
>> Yeah, but if you -- I mean, the thing is, if it's -- from what I'm understanding from what you're saying today --
>>BRUCE TONKIN: Yeah.
>> -- you talked about this OPoC contact point.
>>BRUCE TONKIN: Yes.
>> Which would be the registrar.
>>BRUCE TONKIN: OPoC is basically --
>> Or is this --
>>BRUCE TONKIN: Just let me explain that the registrant specifies who their contact point would be. Now, a commercial company might choose to be that point of contact, but that's -- that's not a requirement.
So if you, as an ISP, wanted to be the point of contact, you could be, but that's up to you. And you'd probably charge an additional fee for it. But if you're just using your standard service, you would ask the registrant to put forward who their point of contact is, which could be their mother.
>>STEVE METALITZ: Bruce, could I make a correction to what you just said?
>>BRUCE TONKIN: Sure.
>> It wouldn't be the ISP's choice whether they were the point of contact; it's the registrant choice. So the registrant could list the ISP as the point of contact, whether the ISP wanted them to or knew about it or not.
>>BRUCE TONKIN: Ah, right. So that's -- that's -- that's an interesting point. So does that come back --
>>NIGEL ROBERTS: But that would be unlawful. You can't do that. Because you need the informed consent of anybody who is going to be listed. So you've got to --
>>STEVE METALITZ: Well, Nigel, you need the informed consent of anybody who is now listed in the WHOIS data --
>>NIGEL ROBERTS: Absolutely.
>>STEVE METALITZ: -- and that's the reason why all of your -- all you're saying about the European privacy directive has no basis, because today, there's not a single person in the -- there's not a single name in the gTLD WHOIS database that's not there with consent.
>>NIGEL ROBERTS: Okay. I --
[Overlapping speakers]
>>STEVE METALITZ: It's either with content or it's by violation of the RAA.
>>NIGEL ROBERTS: That's the point.
>> No, no.
>>BRUCE TONKIN: So hang on. We're not going to get into an argument. But basically, Steve, if I could just clarify your point, your point is at the moment, the proposal is not clear on how to deal with the fact that someone inserts false information in the OPoC. Whether they put in --
>>STEVE METALITZ: It's not false. It could be inaccurate information about where the ISP is located. It's the -- it's a unilateral decision by the registrant who they integrate as the OPoC. They don't have to tell them. They don't have to have their consent.
>>BRUCE TONKIN: Right. So that -- but that could be dealt with. You know, I agree that's the situation.
>>STEVE METALITZ: Yeah. In theory --
>>BRUCE TONKIN: What you're saying is they would have to warrant that they have the consent of whoever that OPoC proposal is. But, you know, that's the sort of thing that would -- to me, is an implementation issue.
>>JORDYN BUCHANAN: Can I actually just ask? Steve, do you perceive a difference between that and the situation today? Because like you could theoretically list some random person as the admin or the tech contact or even the registrant today.
>>STEVE METALITZ: Yes. Well, you --
>>BRUCE TONKIN: Which is the point David is making about wanting more accuracy.
>>JORDYN BUCHANAN: It may not be wise to. You'll lose control of the domain name, but you might want to say, "Oh, I don't want to get sued," when someone comes and, you know, gets mad that I'm putting up this bad content on here, so I'm just going to say that really, Steve Metalitz is doing it instead of me.
>>STEVE METALITZ: Right.
>>JORDYN BUCHANAN: There's nothing to stop me from doing that today.
>>STEVE METALITZ: Well, there's nothing to stop you from doing it. It is a violation of the registrar accreditation agreement.
>>JORDYN BUCHANAN: Sure.
>>BRUCE TONKIN: Right. So I think --
>> But it is a violation of the law.
>>BRUCE TONKIN: So I think we've captured roughly what I'm hearing is the main oppositions and we just sort of come back to different versions of this.
So if we go to the special circumstances proposal, so three constituencies were against that. Would someone from the registrars like to explain why the registrar constituency did not support that proposal?
>> [inaudible].
>>BRUCE TONKIN: Yes.
>> [inaudible]
>>BRUCE TONKIN: I want to be fair, so, however I asked it to the ISPs, I'm asking it to you.
[Laughter]
>>ROSS RADER: I'll try and be brief, because in fairness -- and this should probably be part of the record -- the registrar constituency wasn't consulted on this proposal because of timing considerations. We've been pretty uniform in our support of the operational point of contact proposal since its inception. So anyways --
>>BRUCE TONKIN: So your basic -- that's called the "not invented here" syndrome --
>>ROSS RADER: Sure. That's fair.
>>BRUCE TONKIN: So your opposition is essentially because you didn't invent it, therefore you oppose it.
>>ROSS RADER: That's fair, that's fair.
>>BRUCE TONKIN: That's a very common technical argument.
[Laughter]
>>ROSS RADER: Realizing that we can't implement two proposals, obviously. I think in order for us to seriously consider the special circumstances proposal, there would be three changes that would need to be brought into play. One, that registrants would not be required to opt out of being published. I think opt in is a necessary prerequisite.
>>BRUCE TONKIN: So just slow down. So you -- what's the change, or what's the issue?
>>ROSS RADER: That the -- the registrants under the special circumstances proposal are required to opt out of the publication of their data.
>>BRUCE TONKIN: So registrants --
>>ROSS RADER: That that onus should be reversed.
>>BRUCE TONKIN: -- should be opting -- so basically, there are special circumstances for opting in.
>>ROSS RADER: Correct.
>>BRUCE TONKIN: That seems -- that doesn't seem like a --
>> It's the unspecial circumstances proposal.
[Laughter]
>>BRUCE TONKIN: Yeah, it's the unspecial circumstances proposal, yeah.
I mean, I'm trying to sort of identify what -- you know, the gist of the special circumstances proposal. Let's just run by it again.
>>ROSS RADER: Well, let me -- let me -- I can add some further flavor to that, Bruce, I think that might help.
I think with -- the proposal essentially says that -- and I'm paraphrasing and I don't mean this to -- as any sort of disparagement.
>>BRUCE TONKIN: Yeah.
>>ROSS RADER: My read of it is that it essentially says that individual privacy for individual registrants -- or privacy rights for individual registrants is a privilege, not a right. What this would go a long way towards addressing would be allowing individuals to have their information published, if they chose. I doubt that that would be a very large class. I wouldn't extend that opt-out to commercial registrants, for instance. I think we can create tiers of registrants that have different rights within the WSIS.
>>BRUCE TONKIN: So maybe we can just separate that slightly.
>>ROSS RADER: Sure.
>>BRUCE TONKIN: So -- which could be a change to -- just let me get the context here.
So you're saying that, okay, for commercial registrants, but private individuals should be -- should be what? Private individuals should be able to -- I'm not quite sure how "opt-in" fits in with the current WHOIS.
>>ROSS RADER: The default option for data related to private individuals, or individual individuals --
>>BRUCE TONKIN: Yeah.
>>ROSS RADER: -- would be left undisclosed.
>>BRUCE TONKIN: So private individuals would be -- so basically, if I get this right, commercial registrants need special circumstances. Private individuals would be able to opt -- let's just leave it at "opt out" for a second.
>> The distinction is not between public and private; it's between legal and natural persons.
>> Yes.
>>ROSS RADER: Fair.
>>BRUCE TONKIN: So that should be natural -- natural persons? Is that the right word?
>> Yeah.
>> [inaudible].
>>BRUCE TONKIN: Just before we do, I just want to make sure I understand. I'm trying to capture this and then we can talk about it.
Natural persons. And what's the other one?
>>ROSS RADER: Legal.
>> Legal.
>>BRUCE TONKIN: Hang on. That doesn't make sense. A natural person is a legal person.
>> A natural person is a living, breathing human being.
>> I am an actual person.
>> Yeah. You are a natural person. I am a natural person.
>>BRUCE TONKIN: Yeah.
>> [inaudible].
>> If you were a company director or you are a business entity, you then became a legal person.
>> Corporation --
>> You become a corporation.
[Speakers are overlapping]
>> You're created out of a legal process versus a natural process.
[Speakers are overlapping]
>>BRUCE TONKIN: Yeah, it's not used in Australia, I must admit, the way you described it. We use the term "legal entity," and "legal entity" can either be a natural person or a company. They're both legal entities in Australia.
>> No. The distinction is between legal persons and a natural persons. A legal person is a living, breathing human being and -- sorry. A natural person is a living, breathing human being.
>>BRUCE TONKIN: Right.
>> A legal person is a body that can sue and be sued in its own name. There's a bunch of them. The queen is one. The corporation is one. A council -- town council.
>> A partnership.
>> A partnership is actually a collection of legal -- a collection of natural persons. A limited partnership is a legal entity.
>>BRUCE TONKIN: So we're going with legal person and natural person, then, are we?
>> Legal person and -- that isn't the words used in the directive and in all the laws of all the member states, legal persons and natural persons.
>> Yeah. I might mean something --
>> But the key to it --
[Speakers are overlapping]
>> If I can just make the point, the key to it is that the data protection laws do not apply to legal persons. You can do what you like with the data about legal persons. There are no restrictions whatsoever.
>>BRUCE TONKIN: Right. So basically, if I -- if we go to the gist of what the registrars are seeking, they're saying they're okay with special circumstances if it applies to legal persons; that that would need special circumstances to opt-out their data. Whereas natural persons would be able to opt out.
Have I got that right, Ross?
>>JORDYN BUCHANAN: No. It would be --
>>ROSS RADER: That's about right. That's about right.
>>JORDYN BUCHANAN: No. You have -- it's backwards still.
>>BRUCE TONKIN: I want to leave it at "opt out" for the minute just because of the thing about the current prices is there's sticky stuff being raised --
>> No. It's not an opt-out. It's just a fault.
>> What?
>> The default is --
>> Is opt out.
>>ROSS RADER: The default would be that natural persons would have the benefit of privacy under the special circumstances --
>>BRUCE TONKIN: Right. So --
>>ROSS RADER: -- and if it was proven that they are engaging in commercial activities or otherwise should not benefit from those protections, that they would lose those protections.
>>BRUCE TONKIN: So just let me slow that -- natural persons, by default, would not display -- would essentially be OPoC, I suppose, or would not display --
>> [inaudible].
>>BRUCE TONKIN: Yeah.
>> It would be pretty much be the same situation that you have with dot eu, where exactly status is set up.
>>BRUCE TONKIN: So natural persons, by default, would not have -- let's just call it personal data displayed for a second, just try to keep this simple.
Okay. Anything else --
>> I don't know if there's anybody here from dot uk, but the way the dot uk WHOIS operates is a good example, I've just been reminded, because they actually make the distinction slightly differently. They actually -- but if you're an individual, you're entitled to opt out of the WHOIS.
>>BRUCE TONKIN: Which is an opt-out process.
>> That's right.
>> But you choose that --
>> But you choose that at registration time.
>> Yeah.
>> So it's kind of semantics whether it's opt in or opt out --
>>BRUCE TONKIN: Yeah.
>> -- because it's decided at registration time.
>>BRUCE TONKIN: Yeah. So just put -- so again, I don't want to debate the concept. I want to just make sure that this is what the registrars would seek as a change on this. Is that essentially right, Ross?
>>ROSS RADER: That captures that one, yes.
>>BRUCE TONKIN: Yeah. And then questions of clarification on understanding, if you don't understand what Ross is asking. I'm not looking for a brainstorm to how to fix things at the moment.
Go ahead, David.
>>DAVID FARES: Just two things, and I'm sorry to digress, but privacy is being raised a lot here and I would just like to note that the special circumstances model is based on dot nl, which is in the -- in a member state of the EU, which must comply with the EU privacy directives. So I'm not -- you know, if they want to raise a policy issue that is outside of the context of legal obligations, that's fine, but I think we need to recall that it is subject to the EU data privacy directive and it is deemed compliant with it.
The --
>>BRUCE TONKIN: So -- so David, again, just in terms of discussing -- we're not having a debate here, so --
>>DAVID FARES: Well, I know, but -- and I agree, and I was really trying to step back from privacy and not engage in it, but they're referring to it a lot.
>>BRUCE TONKIN: Yeah. But I don't care, right? So basically, have you got a point of clarity for Ross? Because, you know, I'm not going to repeat the WHOIS debate. I'm just trying to get clear. What I'm asking -- it's just a process issue.
>>DAVID FARES: Okay.
>>BRUCE TONKIN: So are you unclear on what the registrars are asking for here?
>>DAVID FARES: Well, I was going to ask a question, but I don't think it's actually going to change --
>>BRUCE TONKIN: Okay. John and then -- then Margie.
>> Thank you.
>>BRUCE TONKIN: Go ahead, John.
>> I think you captured the main distinction you had originally. You're right, there's legal entities and they're split down the middle into organizations and into physical individuals, and the data protection -- data protection directive only copes with physical individuals. But there are rather large differences in the implementation between European countries, so you may have surprises coming along. But we're not -- but we are not -- we're not looking at that.
What I wanted to say is that I have had a rather strong reaction to the reference to the nl model.
>>BRUCE TONKIN: Yes. No, let's -- let's --
>> And I will not go into that.
>>BRUCE TONKIN: Yeah.
>> But I only want for the -- for the record to state that I do not think that that is a warranty for compliance with the EU --
>>BRUCE TONKIN: Yeah, but that's -- again, that's -- I stopped David, so let's not get into that debate on --
>> Yeah. I'm not taking it any further.
>> Just a clarification.
>>BRUCE TONKIN: Mike and then Margie.
>>MIKE RODENBAUGH: Yeah. Just how do you distinguish, again, between legal and natural persons, and are you really trying to get at commercial versus noncommercial? Because I think Nigel said, for example, that a partnership is a group of individuals.
>> It's very easy. It's very easy. Do they breathe.
>>BRUCE TONKIN: Hang on. One question --
>>MIKE RODENBAUGH: But I heard you say a few moments ago, for example, a partnership is a collection of individuals. Well, a partnership is often, by its nature, a business. It's essentially the same as a corporation. Anybody doing business with that entity --
>> A partnership is regarding data protection law and I'm -- I stand to be corrected, but it's my understanding -- as natural persons. And a limited liability partnership, which is a corporation, of sorts, is a legal person because it has an existence other than that of the component individuals. Okay?
>> I think this is solved in the law of companies, so there -- there's all types of subtle differences. It doesn't really matter too much, because you have that --
>>MIKE RODENBAUGH: Well, I respect that, but I think what you're trying -- and I have not been participating in the task force debates, as you know, but it seems to me that you're trying to get at commercial versus noncommercial, rather than legal versus natural.
>>NIGEL ROBERTS: No, no, no, no. The law --
>>BRUCE TONKIN: Hang on, Nigel. I just wanted to -- can we come through the chair, please? Just hold on. One at a time. We're not having cross-debates here.
So Mike, you were asking a question of clarification, right?
>>MIKE RODENBAUGH: That was it, essentially. Is that what you're trying to do is --
>>BRUCE TONKIN: And let Ross just answer that question.
>>ROSS RADER: I can answer that question. Actually, specifically I was referring to natural persons not engaging in commercial activities.
>>BRUCE TONKIN: So let's get that clarification.
>> [inaudible]
>>BRUCE TONKIN: Yeah. Thank you, Mike. So natural --
>> [inaudible]
>>BRUCE TONKIN: Ross, natural persons -- Ross?
>>JORDYN BUCHANAN: Not engaging in commercial --
>>BRUCE TONKIN: Natural persons not...
Yeah. I mean, any of these things obviously have implementation issues, but I'm just trying to get the gist of what the registrars [inaudible].
>> For the sake of the record, Mr. Chairman, that is not referring to the EU directive.
>>BRUCE TONKIN: No, we're not talking about anyone's directive here. We're talking about the registrars.
>>ROSS RADER: I'm neither an expert in the U.S. Constitution nor the European Union Constitution.
>> Just one clarification on that. I think the word "would" should be "should," because we're opposed to the special circumstances because under the special circumstances proposal, it -- it "would" not -- it "would" have that personal data displayed and we're saying it "should not."
>>BRUCE TONKIN: Okay. Any other -- and Dan?
>> Clarification.
>>BRUCE TONKIN: Yeah.
>> When you say that -- the first bullet needs a subject verb agreement or something. Legal persons need special circumstances?
>>ROSS RADER: I can't answer that question, Dan. I'm sorry, I'm not a grammar expert either.
>> I thought the special circumstances proposal only applied to individual registrants.
>>BRUCE TONKIN: But this is the change that Ross is seeking, right?
>> So is Ross saying he would support special circumstances only if it were available to legal persons?
>>ROSS RADER: I'm saying in a universe where we only have commercial registrants, I think we can probably deal with special circumstances, but that's not the universe that we're in, and I would like to see some additional consideration given to the privacy rights of individual persons not engaged in commercial activity.
>> I would suggest deleting the first bullet point from a registrar perspective because that's not an opposition to the special circumstances proposal, and if you want to just limit the bullets to the -- to the opposition points --
>>BRUCE TONKIN: I am trying to do that, yeah.
>> -- I would just go with the second one and leave it.
>> That's fine.
>>BRUCE TONKIN: Okay. So we have the -- now, we have any --
>> [inaudible]
>>BRUCE TONKIN: Yeah, go ahead, Philip.
>>PHILIP SHEPPARD: Does that -- I mean, did you mean -- if this were to be a set of circumstances under which the proposal becomes acceptable, then does that mean that typically this would be an application form check box, "Yeah, I'm a natural person not engaged in commercial activity," and would you, therefore, also accept a subsequent challenge mechanism when, suddenly, somebody -- a third party sees commercial activity and says, "Hey, wait a minute, this seems to be strange"?
>>ROSS RADER: I haven't thought about that. I don't know.
>>PHILIP SHEPPARD: Okay.
>>ROSS RADER: To me, that sounds a lot like the same set of provisions we have around accuracy, and I don't have any natural anti-reaction to that, so --
>>PHILIP SHEPPARD: Okay.
>>BRUCE TONKIN: Yeah. So let's not get into talking implementation. This is really just sort of the conceptual issues. And anything else, Ross?
>>ROSS RADER: The other issue that we would like to see changed would be the -- to not require the centralization of the data with a third party.
>>BRUCE TONKIN: And that's part of the special circumstances proposals?
>>ROSS RADER: Correct.
>>STEVE METALITZ: No, it is not. The data would be held by exactly the same parties it's held by now: Registrars, in the case of the thin registries; registries --
>>ROSS RADER: So let me rephrase that, then. The proposal, if I'm correct in my understanding of the proposal, requires a third party to administer the exceptions. We believe that the provisions of the registration agreement should continue to be enforced by the registrar community, not some set of third parties. So that would be an arrangement between the registrar and the registrants, as it would be under today's system. So that's what we're looking for then.
>> [inaudible].
>>STEVE METALITZ: But you understand data is still where it is.
>>ROSS RADER: I'm sorry. Yes.
>>STEVE METALITZ: It's who makes that decision.
>>BRUCE TONKIN: Yeah. So can I get that point on here? So what are you saying? That the registrars make the decision --
>>ROSS RADER: Not to require the centralization of the administration of the special circumstances.
>>BRUCE TONKIN: Of administration. Yes. So essentially, that there's some third party. What about if there was multiple parties, like a UDRP type scenario, and multiple providers of this exception process? Is that okay? Or are you saying you actually want it to be registrars?
It's a different point. Centralization is saying I've got one party that makes those decisions; distributed would be like UDRP: You've got a number of authorized providers. Or are you saying you want --
>>ROSS RADER: The activity should be conducted by registrars.
>>BRUCE TONKIN: Yeah. So it's not a centralization, so much as not requiring third parties, essentially.
>>ROSS RADER: You know, so similarly, as we apply the -- the criteria for whom can apply for a registration, for instance.
>>BRUCE TONKIN: So let me just get this right.
>>ROSS RADER: Sure.
>>BRUCE TONKIN: So not require a third party to make decisions on special circumstances. Registrars make that decision. Have I got that?
>>ROSS RADER: Yeah.
>>BRUCE TONKIN: Okay. Anything else?
>>ROSS RADER: The last --
>>MIKE RODENBAUGH: I have a clarification on that, actually.
>>ROSS RADER: Sure.
>>MIKE RODENBAUGH: So are you saying -- oh, never mind. You've just clarified it. That was what I was wondering. You're saying the registrars should be making the special circumstances determinations. That just surprises me that registrars would want to be making substantive determinations.
>>ROSS RADER: We make many of them.
>>BRUCE TONKIN: Okay. Any others?
>>ROSS RADER: The last, and I think this is a -- probably a flaw, if we look very closely at both proposals, so I think it would be equally applicable, with the exception that the OPoC proposal actually doesn't bump up against this one as heavily. But it's as it relates to the underlying requirements that WHOIS need be publicly accessible and freely available.
In a situation where the cost structure of the changes is relatively light, we're not as -- we're more inclined to support those sets of arrangements.
So the special circumstances proposal, in its current iteration, would seem to have the effect of greatly increasing the overheads associated with that. Therefore, if we can somehow look at special circumstances with the benefit of some sort of a charging model around WHOIS, that would make it much more palatable.
>>BRUCE TONKIN: So just get me that -- you want a charging model to cover costs of administration, is that right?
>>ROSS RADER: Correct.
>>BRUCE TONKIN: Anything else?
>>MIKE RODENBAUGH: So clarify on that. Does that mean that you intend to charge people who are seeking special circumstances a fee, Ross?
>>ROSS RADER: I don't have any --
>>MIKE RODENBAUGH: I'm just trying to figure out who you're intending to charge, and for what. Us? IP owners for looking up WHOIS or --
>>ROSS RADER: There's numbers of ways to get into cost recovery around that. One of them would be a user pays model, yes.
>>BRUCE TONKIN: Yeah. So I think what Ross is saying, then, is he wants a -- I guess a business model that covers his costs, and that would need work as to what's an acceptable business model, I suppose, yeah. Bob?
>> I wonder why we're arbitrarily saying there will be no proxy services. There's a vast amount of information on proxy services. Every corporation operating in a different state of the union has to register with someone like corporate services, and corporate services will receive -- accept process, service of process, within their jurisdiction. One of -- the big problem with proxy services supplied by a registrar is that the registrar is very seldom in the same judicial district or country as the registrant.
But I think we should again consider the possibility that there is a kind of proxy service which would be acceptable. That said, I just want you to think there -- a vast part of the world has no such thing as a street address, and you've arbitrarily used terminology which is nonfunctional.
There's no such thing as a street address in most -- much of the world.
>>BRUCE TONKIN: That's probably terminology that's in the registrar contract, if you will.
>> Well, then get it out.
>>BRUCE TONKIN: Yeah.
>> You know, most people say "address 1," "address 2," "address 3." You don't say "street address," because it's meaningless.
>>BRUCE TONKIN: Is that right that we actually use the term "street address"?
>> [inaudible]
>> It's almost like a quadrangle type of thing: A country, a state, a city, a district, a block, and a house number. But it's not a street address. Has nothing to do with the name of the street.
>>BRUCE TONKIN: Okay. So Dan's just clarified the contract uses "postal address." I just want to try and -- it's -- just trying to convey the concept, really, isn't it.
>>ROSS RADER: I think that would be something to pick up under implementation, Bruce, but more importantly, the point that Bob highlights would be that permitting proxy services would also be a prerequisite to our acceptance.
>>BRUCE TONKIN: So need to permit proxy services essentially is what Bob is saying.
>>JORDYN BUCHANAN: So where this is relevant in the OPoC proposal, too, I think it uses language as to what information is included. It doesn't say what we're taking out. So it actually --
>> Right. Opposition -- we oppose -- I think what Ross is saying is, the opposition is that proxy services may be appropriate, and so a complete ban on proxy services would -- is -- is not palatable, so that certainly may [inaudible]
>>BRUCE TONKIN: Okay.
>> See, a natural person should have -- could have his attorney be his proxy.
>>BRUCE TONKIN: That's kind of the debate we were having earlier, yeah.
Okay. So that's the registrars. The --
>> Bruce, could I just make -- ask a question.
>>BRUCE TONKIN: Yeah.
>> I think we're -- is it still the case that we're supposed to meet with the GAC in seven minutes and we're not in this building?
>>BRUCE TONKIN: Yeah. Yes. That's a good point.
>> So we need a few minutes to move over there.
>>BRUCE TONKIN: Yeah. I think we're nearly done on this, and I don't -- but I think this is important to sort of be able to capture this coherently before we go to the GAC.
Registries. Chuck, have you got any -- or David, what -- are there any additional oppositions that -- to the special circumstances proposal, or what things would you need changed before the registries would accept it?
>> Well, the registry constituency starts with the general proposition that privacy -- protection of privacy of personal data is a very important principle, whether it's called a right or anything else, and in detail, I'd say we agree with the points that have been made by the registrar constituency.
>>BRUCE TONKIN: Okay. And then the noncommercial constituency. Do we have Norbert?
>>NORBERT KLEIN: I think we have basically stated our position, and I just want to bring it into one concept. I think we are always very concerned when privacy is considered as a privilege and not as a right, as it is stated in so many laws of so many countries.
>>BRUCE TONKIN: Okay. So thank you for -- the various constituencies for clarifying their opposition.
So basically what we have, then, is -- is two proposals, and they both have constituencies in favor and against.
The question is: What does the council do next? I -- there's two alternatives, in my mind, both of which require some more work. I think the first alternative is -- is we create two very short focus working groups, like we did with the new gTLD work, and so we might have like a 60-day period and we say, okay, we're going to have the special circumstances working group and we're going to have the OPoC working group, and those two working groups will be fairly -- they'll be open, just the same rules as we have for the current working groups on IDNs and PRO and reserved words, and those two working groups then work through and try and address the -- these areas of opposition and see if -- if they can provide more clarity or improvement to at least get one or more additional constituencies across the line. Or alternatively, we do them one at a time, and we say because the OPoC proposal has a majority vote at the task force, we focus on that one first and set up a working group on that and see where that gets us.
,And then maybe reconsider the second one. But that's -- that's an idea. And, of course, Avri is probably going to suggest we could just have a vote on the proposals as they stand.
>>AVRI DORIA: Yeah, that's exactly what I was going to suggest, especially since there were NomCom appointees who weren't in the task force, and also, within the task force we weren't dealing with the same vote dynamics that one has within the council.
>>BRUCE TONKIN: Yeah.
>>MIKE RODENBAUGH: Bruce? Isn't there another alternative?
>>BRUCE TONKIN: Yeah. Go ahead. We don't have a lot of time to debate this, by the way, but we will debate it in the council meeting, but -- yeah.
>>MIKE RODENBAUGH: Right, but I -- you know, again, as someone who did not participate in the task force, what I see is I've seen people have had two different proposals and I've not seen much effort to try to merge them together --
>>BRUCE TONKIN: Yeah, I agree with that point, too.
[Speakers are overlapping]
>>MIKE RODENBAUGH: -- and find common points and I don't see that as mutually exclusive.
>> [inaudible] that's historically happened.
>>MIKE RODENBAUGH: That's -- I'm just saying what I see, so --
>>JORDYN BUCHANAN: So we did make an attempt to do that in the task force and the hybrid proposal got no constituencies supporting it, whereas these two have three each, so that's the problem.
>>MIKE RODENBAUGH: Okay.
>>BRUCE TONKIN: Anyway, that's all I -- we're not going to reach agreement on this point but it's food for thought. But all I'd be saying to the GAC is that we're going to think about it, and, you know, we'll talk about it in our council meeting later this week.
>>NIGEL ROBERTS: Could I suggest the one thing you can't do is do nothing. Both of these proposals are an improvement on the status quo.
>>BRUCE TONKIN: Sorry. What was that, Nigel?
>>NIGEL ROBERTS: Both of these proposals are an improvement on the current status. What you can't do is kick it into the loss grass and say no, and just not make a decision.
>>BRUCE TONKIN: Yes.
>>NIGEL ROBERTS: I want you to pick one of these two, even if it's the one I don't like.
>>BRUCE TONKIN: Fair enough.