<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=UTF-8">
<META content="MSHTML 6.00.2800.1578" name=GENERATOR></HEAD>
<BODY id=role_body style="FONT-SIZE: 10pt; COLOR: #000000; FONT-FAMILY: Arial"
bottomMargin=7 leftMargin=7 topMargin=7 rightMargin=7><FONT id=role_document
face=Arial color=#000000 size=2>
<DIV>
<DIV><FONT style="BACKGROUND-COLOR: transparent" face=Arial color=#000000
size=2>All, I support what Robin, </FONT><FONT
style="BACKGROUND-COLOR: transparent" face=Arial color=#000000 size=2>Avri and
Wendy have written. It adhers to the purpose of Whois approved by the GNSO
Council and it moves things in the right direction. </FONT></DIV>
<DIV> </DIV>
<DIV>The fact is that neither phone numbers nor email addresses have any
mandatory publication -- not for companies or individuals or the range of
noncommercial and hobby interests in between. If we did have mandatory
publication requirements for phone numbers and email addresses, then I am
certain you would find business and IP creating a range of uses and arguing that
they are all crucial to their profit -- as they do today with Whois.
The fact is that with unlisted and partially listed phone numbers, email and
chatroom identifies, business and IP must make due with supoenas and due process
(and they seem to survive and still have a profit).</DIV>
<DIV> </DIV>
<DIV>Danny, I don't have a problem with supoenas and due process. Years
ago, the US government wanted AT&T, then the monopoly telephone provider in
the US to provide unlimited access to wiretap calls in the US. The General
Counsel (a former trial attorney at Nuremberg) said No. He said that the
telephone system would only thrive if people and businesses believed their
privacy would be protected and he negotiated the US wiretap laws that set a
standard and model for privacy in the communication system.</DIV>
<DIV> </DIV>
<DIV>We don't have that balance of privacy and process in the Whois system and
we badly need I see no reason for Whois to be different. Law
enforcement needs to get thousands of subpoenas for unlisted numbers, to wiretap
calls and to direct ISPs to hand over the identities behind email and chat room
names. It is the way we protect human rights organizations, individuals,
political and community organizations (even unpopular ones) and even businesses
(who often suffer from unfair competition practices). That's the balance and the
protection of privacy. </DIV>
<DIV> </DIV>
<DIV>I think this proposal gets it right, and I think it is consistent with the
decision made by the entire convened NCUC meeting in Marrakech -- a group with
even more policy authority than the policy committee. We spent a lot of
time on this issue and we agreed that due process and subpoenas should be the
position of the NCUC. This proposal should, of course, be presented for
discussion, as it is here. But to me it adheres to the principles this
constituency has supported with huge amount of blood, sweat and tears for close
to half a decade.</DIV>
<DIV> </DIV>
<DIV>Best, Kathy</DIV>
<DIV><FONT style="BACKGROUND-COLOR: transparent" face=Arial color=#000000
size=2>,<BR><BR>Today, Avri Doria of NomCom, Wendy Seltzer of ALAC, and myself
have made <BR>a proposal to no longer publish whois data on the net. The
"Stability <BR>and Security proposal" is attached and below. Ross Rader of the
<BR>Registrars also supports this proposal. It should cause a
stir.....<BR><BR>Since Biz & IPR continue to make proposals to frustrate
privacy and the <BR>security of Internet users, we thought we'd make a proposal
of our own.<BR><BR>Robin<BR><BR>====================<BR><BR>RETHINKING THE ROLE
OF ICANN AND THE GTLD WHOIS TO ENHANCE THE SECURITY <BR>AND STABILITY OF THE
DNS<BR><BR><BR>A PROPOSAL FOR THE GNSO TASK FORCE ON WHOIS
SERVICES<BR><BR>PREPARED DECEMBER, 2006<BR><BR>BACKGROUND<BR><BR>I) The purpose
of Whois<BR><BR>It is widely accepted that the primary original uses of the gTLD
Whois <BR>service is to use it for the purpose of coordinating technical actors
as <BR>they seek to resolve operational issues related to the security and
<BR>stability of the DNS and a well-functioning internet.<BR><BR>Present day
examples of this are many;<BR><BR>● Network operators and service providers use
Whois data to prevent or <BR>detect sources of security attacks of their
networks and servers;<BR>● Emergency response and network abuse teams use Whois
data to identify <BR>sources of spam and denial of service attacks and
incidents;<BR>● Commercial internet providers use Whois data to support
technical <BR>operations of ISPs and network administrators;<BR>● ISPs and Web
hosting companies use Whois data to identify when a <BR>domain name has been
deleted, and remove redundant DNS information from <BR>ISP name
servers<BR><BR>The importance of this original purpose was reaffirmed in the
GNSO <BR>council's recommended definition on the purpose of Whois:<BR><BR>"The
purpose of the gTLD Whois service is to provide information <BR>sufficient to
contact a responsible party for a particular gTLD domain <BR>name who can
resolve, or reliably pass on data to a party who can <BR>resolve, issues related
to the configuration of the records associated <BR>with the domain name within a
DNS name server."<BR><BR>The scope of use has increased considerably beyond this
over time, a <BR>subject that has already been substantially considered by the
GNSO Whois <BR>Task Force and Council. The scope of use of the internet has also
<BR>changed over time, as have the management tools used to administer these
<BR>uses.<BR><BR>In each of these examples, the truly useful information is not
the <BR>contact information for the domain name registrant in question, it is
<BR>the name server information for the name in question. Unfortunately,
<BR>neither is reliable or truly useful in any real way because
<BR>authoritative information about DNS resources doesn’t live in a gTLD
<BR>database, it lives inside the DNS itself.<BR><BR>The validity of the data in
a gTLD Whois database has no impact on the <BR>operational integrity of the
DNS.<BR><BR>Due to this disconnect between these two systems, network systems
<BR>managers rarely rely on gTLD Whois service when they seek to investigate
<BR>or resolve serious network operations and technical coordination issues.
<BR>An entirely different set of tools and resources that relies on
<BR>authoritative data have evolved that support the requirements of these
<BR>types of users. For example, a network administrator might use “dig” or
<BR>“nslookup” to determine the source of a DNS problem or the network
<BR>location of a mail server being abused to send spam email. All of these
<BR>tools are publicly available at no charge, internet standards based, and
<BR>in widespread use.<BR><BR>Furthermore, from a network management
perspective, not only is the data <BR>in the DNS more authoritative (and
therefore useful), it is also more <BR>comprehensive. A typical DNS record can
include information about the <BR>network location of any and all web servers,
email servers and other <BR>resources associated with a specific domain name –
at all sub-levels <BR>associated with the specific DNS entry (i.e., the second,
third and <BR>fourth levels of the domain hostname). The gTLD whois service
contains <BR>none of this important information.<BR><BR>When DNS data is used in
conjunction with the IP Address Whois data <BR>sourced from providers like ARIN
or RIPE, a network administrator is <BR>able to form a fully authoritative view
of not only the services <BR>associated with a specific domain name, but also
the identity of the <BR>entity that physically hosts those resources and how to
contact that <BR>entity. All of this data exists outside the gTLD Whois
system.<BR><BR>II) ICANN’s Role<BR><BR>The scope and authority of ICANN’s
policy-making responsibilities is <BR>limited by its bylaws;<BR><BR>The mission
of The Internet Corporation for Assigned Names and Numbers <BR>("ICANN") is to
coordinate, at the overall level, the global Internet's <BR>systems of unique
identifiers, and in particular to ensure the stable <BR>and secure operation of
the Internet's unique identifier systems. In <BR>particular, ICANN:<BR><BR>1.
Coordinates the allocation and assignment of the three sets of unique
<BR>identifiers for the Internet, which are:<BR><BR>a. Domain names (forming a
system referred to as "DNS");<BR><BR>b. Internet protocol ("IP") addresses and
autonomous system ("AS") <BR>numbers; and<BR><BR>c. Protocol port and parameter
numbers.<BR><BR>2. Coordinates the operation and evolution of the DNS root name
server <BR>system.<BR><BR>3. Coordinates policy development reasonably and
appropriately related <BR>to these technical functions.<BR><BR>ICANN’s role is
primarily that of a technical coordinator and developer <BR>of policy to support
that coordination.<BR><BR>III) ICANN’s Scope<BR><BR>There are many other uses of
gTLD Whois - most or all of which have been <BR>documented by the GNSO Whois
Task Force . Creating policy to manage, <BR>influence, prevent or encourage most
of this use is out of scope for ICANN.<BR><BR>IV) Technical coordination in the
real world<BR><BR>Most technical coordination of DNS administration, abuse and
network <BR>management issues occurs without ICANN’s involvement. Private sector
<BR>coordination is more likely through CERT, NANOG, Reg-OPS and other
<BR>forums, than those operated by ICANN. These initiatives are often ad hoc
<BR>and key players do often not understand the importance and value of
<BR>participation. This is an area where small improvements in the overall
<BR>level of cooperation between the various initiatives would lead to
<BR>substantial improvement in the overall security of the internet and DNS
<BR>infrastructure.<BR><BR><BR>POLICY IMPLICATIONS<BR><BR>Given that the
original beneficiaries of the gTLD Whois service have <BR>developed superior
alternate methods of coordinating their activities, <BR>and that the remaining
uses of this service are out of scope relative to <BR>ICANN’s scope and mission,
and that the abuse of this data has caused a <BR>significant barrier to the
security of millions of Internet users, we <BR>propose the following;<BR><BR>1)
that ICANN waive all Whois publication requirements for gTLD <BR>registries and
registrars;<BR>a. If the Whois publication requirements cannot be waived for the
<BR>registries and registrar, then registrars should be limited to only
<BR>publishing contact information for the person or entity responsible for
<BR>managing the authoritative DNS server;<BR><BR>2) that ICANN immediately
undertake to create a study of where it might <BR>best contribute to
coordinating the network management activities of <BR>registration interests,
network operators and service providers and law <BR>enforcement agencies. This
should be done with the goal of ensuring that <BR>emergency response and
technical abuse prevention is well coordinated <BR>and the overall interests of
internet users are appropriately protected <BR>by a secure and functional domain
name system.<BR><BR>3) That ICANN undertake to develop a statement of best
practices that <BR>registration interests should apply when working with law
enforcement <BR>interests, network operators and other legitimate parties
concerned with <BR>public safety, legislative enforcement, network management
and abuse, <BR>and the protection of critical information technology
infrastructure.</FONT></DIV></DIV>
<DIV></DIV>
<DIV> </DIV></FONT></BODY></HTML>