ICANN/GNSO GNSO Email List Archives

[council]


<<< Chronological Index >>>    <<< Thread Index >>>

[council] Fwd: Clarification of SSAC position re Board's postion on ALAC letter on "front-running"

  • To: Council GNSO <council@xxxxxxxxxxxxxx>
  • Subject: [council] Fwd: Clarification of SSAC position re Board's postion on ALAC letter on "front-running"
  • From: Avri Doria <avri@xxxxxxx>
  • Date: Sat, 5 Apr 2008 19:50:07 +0200
  • List-id: council@xxxxxxxxxxxxxx
  • References: <89F447B3-DDCA-4B1E-9031-E8BDEC12D868@shinkuro.com>
  • Sender: owner-council@xxxxxxxxxxxxxx

Hi,

After I sent my message to this list, I forwarded a copy to Steve for his information. This is his reply to that message.

a.

Begin forwarded message:

From: Steve Crocker <steve@xxxxxxxxxxxx>
Date: 5 April 2008 19:35:58 GMT+02:00
To: Avri Doria <avri@xxxxxxx>, Robert Guerra <rguerra@xxxxxxxxxxxxxx>, Chris Disspain <ceo@xxxxxxxxxxx> Cc: Steve Crocker <steve@xxxxxxxxxxxx>, ICANN SSAC <ssac@xxxxxxxxx>, ICANN Board of Directors <icann-board@xxxxxxxxx> Subject: Clarification of SSAC position re Board's postion on ALAC letter on "front-running"

Avri,

Thanks for referring your note to me for comment. I'll try to clarify our thinking on this matter. There are several different dimensions, each of which deserves a few moments of attention, so this note is a bit long. I've tried to structure it for easy navigation. The sections that follow are:

o Background correspondence

o Discussion of whether front running exists and SSAC's finding to date and our next steps

(Mixed results and lots of controversy.  More work needed.)

o Discussion of whether whether is prohibited, irrespective of whether it exists

(Big surprise, at least to me, is that we don't seem to have either an explicit prohibition nor even a shared ethic within the community.)

o Discussion of what parts of the ICANN family should be involved, and a process issue? (And, in particular, what's SSAC's role.)

(This is a "consumer protection" and, perhaps, a "privacy" issue. Does this have a distinct and unambiguous home?)


I have cc'd the Board and SSAC, and I invite you, Robert Guerra to share it with the GNSO, the ALAC and the ccNSO, respectively. (I don't mind if it's shared even more widely, but I think these are the primary constituencies involved at the moment. )

Cheers,

Steve

= = = = = = = = ======================================================================

BACKGROUND CORRESPONDENCE and DOCUMENTS

Here's your note to me.

On Apr 5, 2008, at 6:10 AM, Avri Doria wrote:
FYI

Begin forwarded message:
From: Avri Doria <avri@xxxxxxx>
Date: 5 April 2008 09:46:08 GMT+02:00
To: Council GNSO <council@xxxxxxxxxxxxxx>
Subject: [council] Board's postion on ALAC letter on "front-running"


Hi,

I have put this on the list of topic for our next agenda. It might be worth having some preliminary discussions on list.

References:
- ALAC letter: <http://gnso.icann.org/mailing-lists/archives/council/msg04857.html > - Discussion under 11 Other business: <http://www.icann.org/minutes/prelim-report-27mar08.htm > Board's Disposition: "The Chair determined that emergency action is not required today but the matter will be referred to the GNSO for additional information or policy development if necessary, but not an emergency action."


My first questions:

- Do we want/need to request an issues report?
- Do we want to request advice from SSAC on the degree to which this is a threat to Stability and Security as stated in the ALAC letter. SAC22 of Oct 07 <http://www.icann.org/committees/security/sac022.pdf > spoke of it as being possibly contrary to core values but I do not read their report as calling it a threat. Though the report does seem to indicate that further investigation of issues surrounding the practice could be investigated further.

thanks

a.

The ALAC letter referred to above asks the Board to take immediate action to curtail "domain hold," "cart-hold" and/or "cart-reserve" activities such as Network Solutions and others have recently begun.

You also reference SSAC report SAC 022. That report is the first of two of our reports (SAC 022 and SAC 024) so far on front running. See

http://www.icann.org/committees/security/sac022.pdf
http://www.icann.org/committees/security/sac024.pdf

In SAC 022, we pointed out that checking the availability of a domain name can be a sensitive act which may disclose an interest in or a value ascribed to a domain name and we suggested to potential registrants that domain name availability lookups should be performed with care. We also noted there does not appear to be a strong set of standards and practices to conclude whether monitoring availability checks is an acceptable or unacceptable practice, and we called for both public comment and policy development within the appropriate bodies.

In SAC 024, we reported that after receiving more than 100 inputs over a two and half month period, we were unable to develop definitive evidence that front running is actually taking place. However, in discussions with Network Solutions regarding their newly instituted practice of placing a hold on names being checked for possible registration, Jon Nevett suggested that one or more registries are possibly selling that information to domain name tasters. The chain has a couple of steps. When a potential registrant types in a name at NSI's web site to check for its availability in one domain, e.g. within .com, NSI, like many other registrars, automatically checks whether that name is available in several other domains. They do so by forwarding the name to each of the respective registries, and this provides an opportunity for one or more of those registries to pass along that stream of queries to a business partner who may be interested in registering it while the original customer is still thinking about it. Here are Mr. Nevett's comments in the transcript of the SSAC meeting in New Delhi on February 13, 2008, http://delhi.icann.org/files/Delhi-WS-SSAC-13Feb08.txt .

So what's been happening -- and we have information about this -- is domain name tasters register names in vast bulk and then they taste the names and only keep a very small percentage of the names that warrant purchasing because of traffic or pay per click. So the domain name tasters are looking for various sources of data. They look for bulk data wherever they can find it. The theory is that there were certain ccTLD registries that because when a customer comes to almost all registrars Web sites and asks for a name, [the registrar] will look at various dozens of different TLDs and see if the name is available. So one of the ccTLDs, for example, or maybe a gTLD, will be selling the data to front runners and tasters. So the tasting line is probably synonymous with the front-runner line. So what happens is they register these names in advance of customers, and then they taste it.


As you noted in your message, the Board declined to take emergency action and referred the matter to the GNSO for possible policy development. (See the last section of this note for a comment on policy development.)


======================================================================

DOES FRONT RUNNING EXIST?

As noted above, the data is inconclusive. Jay Daley, CTO of Nominet, reported he had looked closely at this question some time ago and concluded it simply wasn't happening. Others have suggested privately that it really does happen on a fairly significant scale. Because there is a very high level of tasting, it may be hard to sort out how many instances of apparent front running are just due to "background radiation." And then we have Mr. Nevett's assertion that one or TLDs is actively involved in this process.

We expect to explore this a bit further. We are still formulating specific plans on how to proceed, and we are open to suggestions and offers for how to gather information efficiently, effectively, and accurately.

=====================================================================

IS FRONT-RUNNING PROHIBITED and DOES IT AFFECT SECURITY OR STABILITY?

As we noted in SAC 022, we do not see any coherent and specific framework that suggests front-running is prohibited. I believe the Registrar Accreditation Agreement has language related to the proper use of registration data, but that applies only after a registration is complete.

Practices and expectations vary from field to field. In certain professions, particularly law and medicine -- and my experience is primarily in the U.S. -- there are very strong rules governing the privacy of information provided by a client or patient. There are also strong rules governing the protection of customer information among stockbrokers. If I ask my stockbroker about a particular stock, it's considered unethical for him to use that information to buy or sell that stock for himself or to help others to do so. However, in our industry, I have not seen any similar explicit statement of principle nor an explicit set of rules prohibiting front-running and related practices. Thus, even if we were to find reliable, concrete information that front-running is taking place, it's not clear there is any basis for stopping it.

"Security and Stability" is a mantra invoked with specialty gravity, and there is sometime debate about whether a specific issues does or does not fall into this category. I think it's hard to argue that front-running, if it exists, is affecting the overall security or stability of the domain name system, although one might imagine fairly severe consequences if the practice existed and affected a very large fraction of the potential registrants instead of only a relatively small number. I emphasized "system." From any particular user's perspective, if someone has swiped a name he is looking at, the impact on him or his business could be very substantial. Is that a "security" matter or a " consumer protection" matter, and is there a strict distinction between the two?

I would argue that if there is a structural bias against consumers, that it's appropriate to consider that to be a weakness in the security of the system. On the other hand, if a consumer has been dealt with unfairly by a particular party, and there's no general bias built into the system, that's a specific consumer protection issue. I'm not sure whether everyone else would choose to draw the lines in the same place.

There is a secondary and slightly subtle element of security here. Efficient and effective markets depend on reliable information and trustworthy behavior. If there is a general perception that a market is dangerous, the market may shrink and the results for the buyers and sellers who are in the market may be inequitable. Building and preserving confidence in a market is thus an important aspect of "security."

I don't think we've thought enough about this as a community, and I would like to see some deeper thought and discussion.

Returning to the specific matter of front-running, I find it odd and dangerous that our framework of core values, principles, rules and contracts does not address such practices explicitly. I think this is a weakness in our overall framework and should be fixed.

=====================================================================

WHO SHOULD BE INVOLVED?

I don't see any single group as being the sole owner of these issues. We certainly don't view this as the sole purview of SSAC and we would be delighted if others are involved. The GNSO has a natural role because the registrars and registries are primary actors. At the same time, the people most strongly affected by weaknesses in the process are potential registrants, and it's not clear who speaks for them. ALAC, in its letter to Board, is certainly taking a strong position. And this issue is not limited to the gTLDs and ICANN-accredited registrars. The ccTLD community presumably has the same issues.

In our reports to the Board, we suggested other groups look at these issues. Dan Halloran recently drew our attention to section 1.c in By-Laws Annex A: GNSO Policy-Development Process:

Advisory Committee Initiation. An Advisory Committee may raise an issue for policy development by action of such committee to commence the PDP, and transmission of that request to the GNSO Council. (http://www.icann.org/general/bylaws.htm#AnnexA )

With some chagrin, I admit we hadn't realized there was a direct channel for SSAC to forward to the GNSO a formal request for the GNSO to commence the PDP. Would you find it helpful for us to send our recommendations to you in this form?

Irrespective of whether we send you a formal recommendation, I hope this note has provided some useful information. We will be happy to discuss it further if you desire.

Thanks,

Steve Crocker
SSAC Chair











<<< Chronological Index >>>    <<< Thread Index >>>