[ncsg-policy] Proposed NCUC Comments on the WHOIS Review Team Discussion Paper

Timothe Litt litt at ACM.ORG
Thu Jul 21 14:17:17 CEST 2011


 
Although I support most of the proposed comments, I disagree with
recommendation 14.

As an individual registrant, I agree that proxy services are useful and
should be accepted.  I am as uncomfortable as anyone with publishing my
physical address, telephone number and direct e-mail.  I can certainly
understand why my discomfort could be someone else's physical danger -
consider those who are supposed to be protected against violence by court
order, or live in countries where protection of law is problematic.  And
because I use unique e-mail and postal addresses for my contact information,
there is no question of the fact that I have received non-trivial quantities
of e-mail and postal spam that could only have been sourced from my WHOIS
listings.  Dealing with that can be more than annoying - I haven't fallen
victim to the official-looking "renewal bills" scams, but I know people who
have.

On the other hand, proper operation of the network does require that it be
possible to reach the persons responsible for the devices/services connected
to it.  It must be possible to contact postmaster & abuse for assistance
stopping spam - and to notify server operators of inappropriate behavior of
their systems (and sometimes people).  Whether it's the fact that a bad
actor has made them part of a botnet, a hardware failure is causing routing
issues, a subscriber is harassing a family member, or the fact that a
service is down - it really is important to be able to reach the responsible
person(s).  And being able to track back to the country/ISP can be a useful
tool for tuning some firewalls when under attack.  Note that while
postmaster/abuse are required by RFC for those who operate mail servers, not
all domains do.  Whois is the only 'guaranteed' means of contacting the
owner of any domain/ip address.

This is not limited to non-commercial sites, though it is particularly
difficult for non-commercial users to get through - I've had recent
difficulties contacting several Fortune 50 companies via their whois -
though they have the resources to be responsible actors.

Given that, it seems to me that it is appropriate to require that
registrants provide accurate and effective contact information - proxies
being acceptable so long as the delay through the proxy is reasonable.
(Say, minutes thru e-mail, and a first-class/registered letter 1 business
day + 1 additional first-class delivery time.)  Some standards for proxies
maintaining the confidentiality of information provided would also be
helpful - individual consumers certainly have less ability to
evaluate/influence service providers than ICANN does.  There is no reason
that a proxy has to be in a registrant's country - this can be important in
keeping people safe from bad 'governmental' actors.

I would support not requiring the publication of telephone numbers for
individual/small registrants.  Not all of us have them, many people now have
just mobile services, time zones make use problematic (especially where
accurate geographical information is not provided) and telephone provides
another vector for harassment.  Requiring either telephone or e-mail would
be acceptable - as timely communication is required, and some people have
only one or the other.  

However, where I disagree is the notion of accepting fraudulent or no
contact information.  This is unacceptable.  Contact information is not just
a matter of protecting domain name ownership, despite the fact that ICANN
and this group seem to reduce all issues to that issue.  When one registers
a domain name, one becomes part of the network and takes responsibility for
all services delivered from that name.  Providing contact information is
critical for others to provide feedback on (and often help with) discharging
those responsibilities.

This is clearly more of an issue for those who operate their own servers
(routers, etc) - but those who don't still have a responsibility to pick
vendors who operate responsibly and respond to issues.  So I believe that
even individuals who just use their domains for websites/email and outsource
their services to their ISP or other third party must be reachable via Whois
data. 

Privacy is a serious issue for me - and many others.  Proxy services provide
a reasonable compromise between the need for privacy and the need for
everyone to cooperate in providing a stable network.  Standards and rules
for those services are a reasonable subject for discussion - and the
non-commercial (especially small/individual) registrant would gain
considerably by unified actions to get them.  However, fraudulent/blank
contact information is not something we should endorse, encourage or
tolerate.  

Given the acceptance of proxy services, I see no reason to protect domain
registrants who provide invalid contact information in whois from action
under UDRP.  Rather, it's one bit of leverage that the community has to
encourage accurate contact information.  Naturally, honest errors that are
quickly resolved and failures of proxy services to deliver should not be
held against the registrant.  Exactly how that's defined is another project
- though the latter would be facilitated by standards for proxy services and
a means for a registrant to identify proxy providers audited to those
standards.

As for postal verification - isn't it as simple as sending a postcard with a
verification code to the registrant, and requiring that the code be returned
by e-mail or website within a reasonable time?  If the address is valid, the
postcard goes through.  If not, obviously the channel is not reliable...

I hope that the proposed comments can be refined to incorporate these
observations.

Timothe Litt
ACM Distinguished Engineer
---------------------------------------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 

  
-----Original Message-----
From: NCSG-NCUC [mailto:NCSG-NCUC-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of
Konstantinos Komaitis
Sent: Thursday, July 21, 2011 04:27
To: NCSG-NCUC-DISCUSS at LISTSERV.SYR.EDU
Subject: Re: [ncsg-policy] Proposed NCUC Comments on the WHOIS Review Team
Discussion Paper

This is great - thank you very much Wendy for leading us on this. WHOIS
issues are very important and it is brilliant that we get to submit
comments.

Thanks again.

KK

Dr. Konstantinos Komaitis,

Senior Lecturer,
Director of Postgraduate Instructional Courses Director of LLM Information
Technology and Telecommunications Law University of Strathclyde, The Law
School, Graham Hills building, 50 George Street, Glasgow G1 1BA UK
tel: +44 (0)141 548 4306
http://www.routledgemedia.com/books/The-Current-State-of-Domain-Name-Regulation-isbn9780415477765
Selected publications:
http://hq.ssrn.com/submissions/MyPapers.cfm?partid=501038
Website: www.komaitis.org


-----Original Message-----
From: Wendy Seltzer [mailto:wendy at seltzer.com]
Sent: Wednesday, 20 July 2011 7:45 PM
To: NCSG-NCUC-DISCUSS at LISTSERV.SYR.EDU; ncsg-policy at n4c.eu NCSG Policy
Subject: [ncsg-policy] Proposed NCUC Comments on the WHOIS Review Team
Discussion Paper

I propose these as NCUC comments to the WHOIS Review Team
<http://www.icann.org/en/public-comment/whoisrt-discussion-paper-09jun11-en.htm>
The comment deadline is July 23 -- Saturday. Thanks to Milton, Avri,
Brenden, and Konstantinos for input.

If there is interest in sending these as NCSG, I would be happy to update
the references. I'll submit Friday.

--Wendy

NCUC is pleased to share these comments on the WHOIS Review Team's
discussion paper. The NCUC includes among its constituents many individual
and non-profit domain name registrants and Internet users, academic
researchers, and privacy and consumer advocates who share concerns about the
lack of adequate privacy protections in WHOIS. We believe ICANN can offer
better options for registrants and the Internet-using public, consistent
with its commitments.

> 4. How can ICANN balance the privacy concerns of some registrants with 
> its commitment to having accurate and complete WHOIS data publicly 
> accessible without restriction?
and
> 10. How can ICANN improve the accuracy of WHOIS data?

Privacy and accuracy go hand-in-hand. Rather than putting sensitive
information into public records, some registrants use "inaccurate" data as a
means of protecting their privacy. If registrants have other channels to
keep this information private, they may be more willing to share accurate
data with their registrar.

The problem for many registrants is indiscriminate public access to the
data. The lack of any restriction means that there is an unlimited potential
for bad actors to access and use the data, as well as legitimate users and
uses of these data.

At the very least, WHOIS access must give natural persons greater latitude
to withhold or restrict access to their data. That position, which is
consistent with European data protection law, has even been advanced by the
U.S. Federal Trade Commission and F.B.I.


ICANN stakeholders devoted a great deal of time and energy to this question
in GNSO Council-chartered WHOIS Task Forces.  At the end of the Task Force
discussion in 2006, the group proposed that WHOIS be modified to include an
Operational Point of Contact (OPOC):
<http://gnso.icann.org/issues/whois-privacy/prelim-tf-rpt-22nov06.htm>

Under the OPOC proposal, "accredited registrars [would] publish three types
of data:
1) Registered Name Holder
2) Country and state/province of the registered nameholder
3) Contact information of the OPoC, including name, address, telephone
number, email."

Registrants with privacy concerns could name agents to serve as OPoC, thereby
keeping their personal address information out of the public records.

NCUC recommends reviewing the documents the WHOIS Task Force produced
relating to the OPOC proposal, including the final task-force report on the
purpose of WHOIS:
<http://gnso.icann.org/issues/whois-privacy/tf-report-15mar06.htm>, Ross
Rader's slides from a presentation on the subject,
<http://gnso.icann.org/correspondence/rader-gnso-sp-04dec06.pdf> and the
report on OPoC
<http://gnso.icann.org/issues/whois-privacy/prelim-tf-rpt-22nov06.htm>
The GNSO in October 2007 accepted the WHOIS task-force report and concluded
the PDP.
<http://gnso.icann.org/meetings/minutes-gnso-31oct07.html>

> 5. How should ICANN address concerns about the use of privacy/proxy
> services and their impact on the accuracy and availability of the WHOIS
> data?

ICANN should recognize that privacy and proxy services fill a market need;
the use of these services indicates that privacy is a real interest of many
domain registrants.  Concerns about the use of these services are
unwarranted.


> 12. Are there barriers, cost or otherwise, to compliance with WHOIS policy?

Even with the provisions for resolving conflicts with national law, WHOIS
poses problems for registrars in countries with differing data protection
regimes. Registrars do not want to wait for an enforcement action before
resolving conflicts, and many data protection authorities and courts will
not give rulings or opinions without a live case or controversy. ICANN's
response, that there's no problem, does not suit a multi-jurisdictional
Internet.

> 14. Are there any other relevant issues that the review team should be 
> aware of? Please provide details.

Consider allowing registrants greater choice: a registrant can get a domain
with no WHOIS information at all, at the registrant's peril if the domain is
challenged and he/she is unable to respond. This is already the de facto
circumstance for domains registered with false information, so why not make
it an official option?

Proposals for verification (pre- or post-registration) of name and address
information are completely unworkable for standard gTLDs, although they
might be proposed by registries looking to differentiate.
There is no standard address format, or even any standard of physical
addressing that holds across the wide range of geographies and cultures
ICANN and registrars serve.

Inaccurate WHOIS data should not be used as conclusive evidence of bad
faith, especially in the context of ICANN's policies such as the UDRP.
Although within the UDRP, the need to identify a registrant is vital, WHOIS
details should not be used to make outright determinations concerning
abusive registrations of domain names.



--
Wendy Seltzer -- wendy at seltzer.org +1 914-374-0613 Fellow, Princeton Center
for Information Technology Policy Fellow, Berkman Center for Internet &
Society at Harvard University http://cyber.law.harvard.edu/seltzer.html
https://www.chillingeffects.org/
https://www.torproject.org/
http://www.freedom-to-tinker.com/

