ICANN/GNSO GNSO Email List Archives

[registrars]


<<< Chronological Index >>>    <<< Thread Index >>>

Re: [registrars] Congressional Hearing



Elana & Brian:

my comments are inline...


   The undersigned registrars commend the Subcommittee for highlighting
   the issue of Whois accuracy.  It is a complex topic of importance to
   governments, intellectual property interests, the Internet sectors, and
   individuals and organizations registering domain names.  Because Whois
   data must be available to third parties under current ICANN policies,
   both privacy and accuracy concerns are involved.  Registrars
   respectfully submit the information below to round out the various
   issues related to data accuracy.

   The Bill

   The current draft of the bill seems to impose additional liability on
   persons who knowingly provide false data who register a domain name,
   the "registrants" or their representatives acting on their behalf.  It
   does not, as we understand it, impose new or additional liability on
   registrars; rather, it seems to target bad actors who have already been
   found by a court to have violated provisions of the Lanham Act and the
   Copyright Act.  Therefore, given our understanding of the bill, we are
   not taking a position to oppose the bill.  In fact, we support the
   bill's goal of improving data accuracy.

Something that just about everyone who wrote for CircleId did seem to
understand, no new crimes are created by this law. Mearly additional tools
and penalties for current crimes.

   What is the Whois

   [snip]

   Current Safeguards

   Even while working through this process, various registrars already use
   accuracy processes, including:

   * updating a registrant's data upon notice;
   * taking down a registration if inaccurate information is not cured in
     a timely manner;
   * sending notifications to all customers reminding them to update their
     data or face the risk of the registration being taken down or put on
     hold; and
   * checking credit cards prior to registration to minimize fraud.

These are all great things but do nothing to address the lack of data
quality in the whois database. Since the whois can be constantly updated
any update may contain invalid data. Just because you request a domain
have its contacts data updated does not mean the data is accurate.


   Despite such precautions, the savvy cyber squatter can sneak through.
   He can use stolen credit cards or credit cards that are in good
   standing; provide apparently valid information, and update it to other
   seemingly valid addresses when prompted.  But, credit card companies'
   privacy rules prohibit use of their data for other purposes, such as
   Whois verification. There simply is no guarantee that persons intent on
   registering a domain name with invalid data can be stopped and anyone
   who offers automated filters cannot claim to have found a comprehensive solution.


In the above you simply state "There simply is no guarantee that persons
intent on registering a domain name with invalid data can be stopped..." I
would like you to prove this assertion, or simply provide any shred of
evidence to support it. Your argument is transparent -- only the
status-quo works -- won't stand up to analytical methods to dispel
conjecture such as this. In other words holding this position might
require me to publish a white paper I've been sitting on which makes your
arguments seem rather silly.



   Privacy

   What seems to help, actually, is increased privacy protection on the
   Whois database.  Many individuals and even corporations today seek
   greater privacy - to avoid spam, to safeguard addresses, and for many
   other valid reasons (illustrated below).  Recent legal cases illustrate
   the great harm caused by the unscrupulous taking and use of openly
   available Whois data.

Privacy in the whois database is available to all for $4.00 USD each.

   Such efforts to increase privacy should not be confused with complete
   anonymity, however.  A responsible registrar that increases its
   customers' privacy would also be able to provide legitimate interests,
   such as trademark holders and law enforcement, with access to the
   information they need.  The benefit for all parties is that greater
   privacy would encourage registrants, who are justifiably concerned
   about unfettered free-for-all access to their emails or phone numbers,
   to provide accurate data if it is protected.

Free access to privacy does nothing to address accuracy of the data since
no one will analyze the registrant data. Your assumption that privacy
increases data accuracy are unfounded and can be simply proved wrong. Bad
actors will still have the capability to register with false information
though it will be much harder to find them as the fraudulent data will be
hidden. Your privacy argument mearly pushes the responsibility for
determining accuracy on law-enforcement.

   While we do not oppose this bill, we believe that its goals would be
   strengthened if paired with legislation facilitating greater privacy.

Yea, you always gotta include a statement like the above =)

   Illustration of Fraud Problems Associated with Mining the Whois
   Database

   Registrants have been hit by fraudulent, abusive and annoying
   solicitations directed at their contact information mined from the
   public Whois database. Below is only a sample of the many instances in
   which scam companies have mined the Whois database.

   The issues span the gamut from outright fraud to steal credit card
   information, to fear-instilling "renewal" notices, to annoying and
   unwanted spam solicitations.  Few instances of Whois abuse involve
   simple, non-deceptive transfer solicitations.  Too many registrants
   have fallen victim to credit card schemes, or have paid registration
   fees to unscrupulous marketers who pass themselves off as the
   registrar, using deceptive marketing techniques, only later to learn
   that they have paid a non-refundable fee to a shady company.

   Highlights (or more accurately, low points) include:

   [snip]

While your examples are initially compelling simple math proves that your
examples, while all true, amount to annoyances. The costs to the public,
registrars and registries are miniscule to the fraud perpetrated on the
Internet every day. If your examples were costing the anyone of the actors
in the millions every day I'm sure the issues would be addressed; However,
since your examples are self-centered industry pain that amounts to mabe
[and i'm stretching things] to damage in the hundreds-of-thousands on an
annual basis, well that a cost of doing business.

If you could find some examples of industry pain in the level of millions
per day, as is fraud carried out on the Internet, I'm sure they would have
more relevance on this topic.

best,


-rick



On Wed, 11 Feb 2004, Elana Broitman wrote:

> You all may remember Brian Cute's recent posting on last week's US Congressional hearing on Whois accuracy.  We believe that given the risk that the US Congress will use this hearing and the draft bill to also push for more unfunded requirements on registrars, it is critical to set the record straight.  Literally in the US legislative system, Congressional documents (records of hearings, etc.) influence how new laws and regulations are interpreted.  Therefore, we recommend that registrars submit for the hearing record the attached document that provides a view that the Congress did not hear last week - that new accuracy requirements can be expensive and that privacy is an equally important component of improving the Whois database.
>
> Because the Congress keeps the record open for only a short time frame, we don't have time to take a vote, but would like to get the document signed by as many registrars as will respond by close of business on Thursday.
>
> Thank you for your attention to this and please feel free to comment or send edits.
>
> Best, Elana Broitman and Brian Cute
>  <<submission to ip subcommittee march 4.doc>>
>



<<< Chronological Index >>>    <<< Thread Index >>>