Sorry, you need to enable JavaScript to visit this website.
Skip to main content

WHOIS Task Forces 123 Teleconference Transcription

Last Updated:
Date

WHOIS Task Forces 1, 2, 3

Teleconference Transcription

1 March 2005

Participants:
Bruce Tonkin - GNSO Chair
Jeff Neuman - Co -Chair
Jordyn Buchanan - Co - Chair

Marilyn Cade
David Fares

David Maher

Antonio Harris

Paul Stahura

Ross Rader

Ken Stubbs



Stephan Welzel - Presenter - DENIC

Philip Colebrook - Presenter - Global Names Registry

Kim von Arx - Presenter - CIRA

Jonathan Nevett - Presenter - Networksolutions

Tim Ruiz - Presenter - Domains by Proxy

Martin Garthwaite - E-Nom







Visitors

Grant Forsyth GNSO Council

Markus Heyder

Ryan Lehning

Eric Larsen

Joy Johnson

John Rodriguez

Joe West

John Wright


ICANN GNSO Policy Officer - Maria Farrell

ICANN Staff manager: Barbara Roseman

GNSO Secretariat: Glen de Saint Géry - absent


Coordinator Good afternoon, and thank you for standing by. At this time all participants are in a listen-only mode until the question and answer session of the conference. Today’s conference is being recorded. If you have any objections, you may disconnect at this time. Your host for today is Jordan Buchanan. Sir, you may begin.

J. Buchanan Thanks, everyone, and thanks for joining us. As hopefully you all know, we are going to be having a series of presentations or discussions from various registrars and registry operators who either have interesting whois policies or provide some sort of proxy service or privacy service. The six entities that we have lined up for today are Denic; Cira; dot-ca; The Global Name Registry; and then three registrars who provide privacy services, Networksolutions, E-nom and Domains by Proxy, which I guess is technically not a registrar but affiliated with a good ID group of registrars.

Because this is quite late in Europe, we’re going to start with our European presenters, and in particular, we are going to start with Stephan Welzel of Denic, and we’ll try to do Q&A after each of the presenters. We’ll also try to make some time maybe at the end of the conference for general discussion. So I’m going to just go ahead and turn it over to Stephan to tell us a little bit about Denic’s whois implementation and how they differentiate between data port 43, port 80 versus what they provide to registrars and any other interesting tidbits that he’d like to provide to us.

 

S. Welzel Okay, thank you, so I’m Stephan Welzel. I’m general counsel to Denic, the dot-de registry, and I’ll try to be very brief, and I think I can be very brief because our whois routes are amazingly uncomplicated I would say. First, I would like to tell you which data we actually asked the registrants to provide. That is of course the name and the postal address of the main name holder or registrant as you would say in the gTLD environment. Also, the name of the postal address of the administrative contact. For the administrative contact, we also ask for the phone number, the fax number and the e-mail address, and then for the technical contact, that would be the actual technical contact and then the zone contact, we also ask for name, postal address, phone and fax numbers and e-mail address. That’s the data we then have for every registrar to maintain, but that’s not the data everyone can look up in our whois. We have some restrictions there. What people can look up in the public whois is the name and the address of the registrant and all the contacts. Then in addition to that, the phone and fax number and e-mail address of the technical and the zone contact, so not for the administrative contact. We have the administrative contact’s phone number and fax number and e-mail address, but you won’t find that in the whois.

 

We have two kinds of public whois, the port 80 or Web whois. You find the data there I just mentioned. We actually have implemented a two-step process to access this data. When you type a domain name into the whois, first you get a Web site that tells you only whether that domain name is registered or not, and if you’re interested in getting the actual data for that domain name, you need to click on an exact button, and with that, you accept some rules. It’s a little text that says you cannot use the data for business purposes and stuff like that. That’s frankly pretty much symbolic, but still it’s something that we implemented. Actually, statistics show that the vast majority of people that use the Web whois don’t even take this second step, so the vast majority of people are just interested in finding out whether a domain is registered or not.

 

For the port 43 whois, the same rules apply. The only difference is that these restrictions on the useage of the data are just being sent when this port 43 connection is set up for the first time. After that, people get the data without any additional steps to be taken.

 

The whois for our registrars, which are members is a bit different at least partly. For the domain names that a registrar administers himself for their customers, he has access to all data we have stored for those domain names. That means including phone number, fax number and e-mail address of the admin contact. For domain names administered by other registrars, the registrars get the same data as are given in the public whois.

 

That’s actually what we are doing with our whois. I could perhaps say a few words on why we are doing it this way. I don’t think that I need to explain why we believe there should be a whois and why we think it’s necessary. I could tell you something about the legal restrictions. Of course we have a Data Protection Act. We have to because there are EU directors on that. This Data Protection Act says you cannot make data available to the third parties—third parties will also be the public—unless this is necessary to meet your obligations from a contract. That’s probably not what would be applicable here, but you also can make data available to third parties when this is necessary to protect or preserve your own interests. That’s what we refer to. It’s necessary to have a whois because it’s in the interest of the registry and the community, because people need to be able to find out who the holder of a domain name is, who the contacts are for a certain domain name.

 

On the other hand—and that is possibly a German specialty—we have a law that requires everyone who has a commercial Web site, and a commercial Web site you already have when you just have some Amazon ICANN on it that’s linked to Amazon. Amazon in this case there is linked to a commercial Web site. When you have a commercial Web site, you need to put your name and address and phone number and fax number and e-mail address on it. That is required by law. So we say, and the Data Protection Authorities go along with this, most people that have a domain name will have a Web site, and in principal, when one has a Web site, then his or her personal data has to be on that Web site anyway. So there’s nothing wrong with whois. Whether the data’s also available in our whois doesn’t make much of a difference. It is not quite accurate to argue this way, but this is what we do, and this is again what also the data protection authorities accept. So that’s basically it.

 

J. Buchanan Great, thanks, Stephen. Before I open it up for general question and answer, can I just ask two questions for clarification for you? First of all, you mentioned that when people were attempting to access the data through port 43, the first time they tried, you somehow implemented a mechanism to get to the agreement to the terms. How is that implemented, do you know?

 

S. Welzel If it’s via port 43, then we do not get their agreement by some action. We just sent them the data and add some text saying there are restrictions, you cannot use them for commercial purposes whatever.

 

J. Buchanan Okay, and so the same data is saying regardless the information’s accessed over a port 43 or port 80, is that?

 

S. Welzel With the port 80, in the first step, you get a Web site that says you cannot use it for certain purposes. Then you need to click on the button that says, “I accept,” and then you get the data. So it’s a two-step process there.

 

J. Buchanan The actual data is an identical set of data that’s provided at the end of the process for port 80 and port 43?

 

S. Welzel Yes.

J. Buchanan Great, and my follow-up question would be, since you provide a richer set of data to your registrars, I presume your contracts with them may limit the purposes that they can use the data for once they obtain it.

S. Welzel We provide more data than you get from our public whois only with regard to the domain names that are being administered by that certain registrar. We don’t have any special rule on that in the contract with the registrars because we assume that the registrars know this data about their customers anyway.

 

J. Buchanan Thank you. Hopefully we can now open this up for any other questions from the participants involved.

Coordinator Thank you. One moment, please, for our first question. At this time, there are no questions.

J. Neuman Jordan, if I can ask a question.

J.Buchanan Yes, absolutely.

J. Neuman Stephen, it’s Jeff Neuman. The question I want to ask is, is there any kind of special way that you deal with law enforcement or other entities, lawyers, attorneys who request more information?

 

S. Welzel Firstly, obviously, they have access to the public whois. Secondly, if they want to know more than they get from the public whois, they can ask us. If they can convince us by writing a short sentence on what this is all about that they need that data, they get it. That also by the way applies to any other part. If anyone can show that he has a legitimate interest in learning more than he can obtain from the whois, then there’s no data protection problem with giving that additional information to that person, and we indeed give it to them.

J. Neuman How do you usually give it to them just …?

S. Welzel It depends. If we know who that is, then we e-mail it. Otherwise, we feel more comfortable when we get the request in writing, and then we usually end in writing. This is actually more frequently being used by intellectual property lawyers than by law enforcement agencies.

J. Neuman Have there been any complaints that the information is not quick enough or any complaints from law enforcement or IT attorneys?

S. Welzel Not to my knowledge, no because the threshold actually is not very high, in particular, not for law enforcement agencies. So they say we are dealing with someone who whatever has a fraudulent Web site and we want to know since when he registered that domain name. That’s sufficient. We don’t want to learn any details. We just need to know they really need that information.

 

J. Neuman Last question, so it’s all done manually? There’s no automated way to …

 

S. Welzel That’s being dealt with manually then, yes. Perhaps I can add this. We have perhaps I would say no more than ten requests like this per month.

 

Coordinator Mr. Buchanan, we do have some questions. Would you like to take them at this time?

J. Buchanan Yes, please.

Coordinator Thank you. Our first question comes from Ryan Lehning .

R. Lehning Just a clarification on the data that’s made available. You said the only e-mail address is for the tech contacts, is that right?

S. Welzel And the zone contact.

R. Lehning So e-mail addresses are not available for admin contact and … not through the registrar?

S. Welzel Correct. We have this also called domain name guidelines that are available in English also in the Web site.

Coordinator Our next questions from Marilyn Cade.

M. Cade I think actually most of my questions have been answered, but I did have a general question. Tell me what a zone contact is.

S. Welzel That’s the person that is supposed to be responsible for the zone. I can read from the domain name guidelines. Zone contact looks after the name service for the domain.

Coordinator Our next question comes from Ken Stubbs.

K. Stubbs The question I would have would be basically around disclosure in the registration agreement. First of all, I’m assuming that the registration agreement for dot-de domains is consistent in its form throughout all of the registrars. If it isn’t, how much leeway is a registrar allowed?

Secondly, does the registration agreement specifically disclose that the registry has at its option the ability to decide whether or not to disclose the registrant’s data? Are there any guidelines given in the registration agreement as to what basis the registry uses for making its decision whether or not to disclose this data to third parties?

S. Welzel The first question, the registration agreement is the same for all registrants because for dot-de domain names, the registration contract is between the registrant and the registry directly. So it’s the same for all.

The second question, in the terms and conditions, we point out that there is a public whois, so we do not ask for the consent of the registrant. We just give the information that the data will be published in the whois. That is sufficient according to German data protection law. There’s nothing about additional information that we give out in case someone asks for it and can prove that he has a legitimate interest because that is something that is required by law anyway, and there’s no necessity to point that out to people. It’s actually obvious anyway.

Coordinator Our next question comes from Markus Heyder.

M. Heyder Yes, I want to get back to the requirement on the German law for commercial Web sites to post their contact information on the Web site itself. Does that classification rely on self classification by the registrars or the Web site operators? Or how does that work?

S. Welzel That’s the law that says if you have a commercial Web site—and we have court decisions on that—that’s the reason why I know that already one commercial link makes a Web site commercial in that way. At the end of the day, and in each individual case, that could only be decided by court in the end. We don’t care about individual cases. This is just an overall argument saying most people have a Web site. Most Web sites have at least a commercial link, at least one commercial link, and therefore, people have to put their data on their Web site anyway so whois doesn’t make any difference.

Coordinator At this time, there are no additional questions.

J. Buchanan Thank you. Thanks very much for your time, Stephen, and this has been very enlightening. The task force I’m sure is very appreciative of the time you’ve taken late in the evening there in Germany.

S. Welzel You’re welcome. Thanks for having me. Most of this you can find on the Web site in English. That would be Denic.de., and if you have any additional questions, I’m happy to answer them via e-mail.

 

J. Buchanan Our next presenter today will be Philip Colebrook from The Global Name Registry. Hi, Philip. GNR has negotiated an interesting whois policy with ICANN, which hopefully Philip can speak a little bit about. You can also let us know, Philip, the status of its implementation. If you would, that would be very helpful.

 

P. Colebrook Sure thing. First, I’ll give a bit of a background firstly. For those who aren’t aware, dot-name is a gTLD registry designed for individuals who are … registry offering a full whois service. Initially whois specifications were in the formats of other standard and extensive search. Standard search was available both on port 43 and Web-based, with the extensive being available on Web base. Those split the searches into essentially two different search results, one which didn’t contain the registrant’s phone, fax numbers and e-mail addresses and one which did. Those are the main differences between the two.

 

We engaged in discussion with the information commissioner, whois responsible for overseeing the Data Protection Act in the UK. This Act lays down principles derived from European directors on privacy on how basic control such as global net registries should treat the private information of individuals. Of course these discussions are also going on with ICANN when you try just one goal post of compliance with a local jurisdiction, it can affect the other, which in our case is contractual requirements.

 

I think the ICANN board gave us a sense in the end of 2002 to revise whois specification. This specification actually broke down the search into four different fields. The initial search is a summary search available to the public at no cost. It’s a very basic search, many providing information as to whether its main product or whether other products e-mail forwarding to … registration exists in the registrations data.

 

Hidden classification of search is a fact search again available to the public at no cost. This provides information relating to the registrar, admin, billing, tech contacts with fields being name, address, phone number and e-mail contacts, and the creation and expiration date, but not provide registrant information of the type of e-mail, phone and fax contact.

 

Third classification of the revised whois specification is a detailed search, and this involves a password. The password is obtained once an online application form is completed. The whois contains an appendix of our agreement with ICANN, the option of registry charging a nominal amount for this or using other methods for passing out its viable information. I’ll come to that stage of our development in a moment, but from our perspective at the moment, actually charging is fraught with difficulties, not least of which is that we actually end up dealing with more personal information in terms of credit cards. Credit card numbers are different.

 

Further aspects of a detailed search involve specification by the applicant that they’re not using the search for spamming, marketing, and they’re using it for lawful purpose. This detailed search provides further information including the registrant address and admin contact phone numbers, which were not previously available.

 

The final search is the extensive search, giving the most complete list of details. The applicant has to again enter into an online agreement with GNR, and this provides a persistent password and continuous access. The applicant has to agree that the access is for specific purposes, which may include enforcement of legal rights and law enforcement, therefore catering for people such as law enforcement bodies or IP interests. There is also a provision in the agreement where the applicant agrees not to share the information to outsiders, restricting the distribution of the whois information. In our registry, we’ve explicitly stated in the agreement, the registry will revoke the access if the use is in breach of the specified purposes. The information revealed by the extensive search gives complete information, registrant's e-mail, phone number and fax number.

 

Dot name is a bit of peculiar position in that we do have a gTLD tied to that individual so there will very often be direct correlation between individuals and the actual whois records associated with facts in many cases. Admin, tech and billing will actually be the same as the registrar contact.

 

We’re still in the process of development of the revise to a specification currently operating the original whois specification. Things are moving very fast. Change is happening quickly in the area of privacy in the EU and also in the UK. We maintain content with the information commissioner. There’s not such an enforcement position, but rather it provides us with advice and guidance. Of course, we are following very closely the work of the whois task forces. Coming back to something I mentioned previously, there is the balancing act involved here. Trying to keep all the sectors happy is something that is at the forefront of our mind. Therefore, we are following closely developments, for example, of a technical side such as the CRISP virus protocol.

 

Generally speaking, we feel that the revised specification does actually provide for legitimate use of whois information, depending on the actual applicant. We think that cases for law enforcement requirement and IP interest, and have indications that it does actually satisfy the local requirements, both in the UK and in the EU generally.

 

We’re also noting that privacy developments are happening in other jurisdictions, which will feed into the work of the task force. So we follow those as well. At the moment, it’s difficult for me, in the absence of actual further output from whois task forces and the results of the policy development process to give a specific idea of when we’ll be implementing a revised whois specification. We really do look for guidance from the Whois task force for this. That’s really a brief background, Jordan, on that. I’ll be happy to answer any questions that anyone may have.

 

J. Buchanan That’s very helpful. We would like to open it up for questions again. While we wait, Jeff, do you have any questions that you’d like to pose?

 

J. Neuman Yes, just a clarification … of the Commissioner, did they ever indicate that the current whois is in violation of the UK privacy laws? In other words, if you were to display everything, have they ever said that would be unacceptable?

 

P. Colebrook No, we ran through discussions in 2002 which led to whois two, and of course those were based on the existing whois data base. We were given guidance that we did need to move to … provide the information available … out further, but when we outlined results of extensive searches under the current system versus standard searches, for example, in December 2004, we had 30 extensive searches versus two million of the standard searches, so the information commissioner was apprised of the fact that the specification occurring at the moment does significantly restrict access to registrant’s personal details.

J. Neuman The only other question I had is, do you differentiate between port 43 and Web-based?

P. Colebrook Sure. Port 43 actually under the revised specification wouldn’t provide results of the detailed or extensive search with the registrant’s e-mail, phone number and fax number would provide results for the standard search. So in many respects, very similar to the situation as present where port 43 access simply provides the standard search results without registrant e-mail, phone/fax details.

Coordinator At this time, there are no audio questions.

J. Buchanan Actually, let me pose one more briefly myself, and Phil, as you mentioned that in the revised specification there is some sort of different—do you intend to say that there’s different treatment explicitly for like IP interests or law enforcement?

P. Colebrook No, those were the examples that really come to the forefront of my mind in terms of people who would be seeking the specific information. No, it’s people certifying that they have a specific purpose, including the enforcement of legal rights. So no, it’s not specifically restricted to IP interests or law enforcement, although certainly they would be I imagine the bulk of users.

J. Buchanan Sure, and other than that declaration, you wouldn’t make any attempt to validate the purpose?

P. Colebrook Currently, we reviewed extensive search entries, and from memory, most, if not all, have been filled in completely. Certainly in the absence of correct certification or details, we would have no hesitation in restricting access on that basis.

J. Buchanan Sorry, let me re-explain my question. Not that you don’t validate what they’ve entered is complete. You don’t necessarily—as you said, it was a law enforcement investigation. You wouldn’t try to validate that they are actually law enforcement.

P. Colebrook As a practical measure, certainly yes.

J. Buchanan Do we still have no questions, Michelle?

Coordinator There are no additional questions.

 

J. Buchanan We’ll give everyone about 30 seconds to queue up, and otherwise, Philip, I think we will thank you very much for your time.

J. Neuman I’m sorry, this is Jeff. Is there an estimated timeframe as to when it will come up, this whois two?

P. Colebrook When the actual implementation will be done. We did have some idea last year. However, as we’ve been following the whois task force work more closely, and it has extended. Unfortunately, Jeff, I can’t actually give a specific date to you, no.

Coordinator We do have one question. Would you like to take this?

J. Buchanan Please.

Coordinator Thank you. Marilyn Cade, your line is open.

M. Cade We I think say thanks to you often as we continue to hear about your progressive evolution in this phase, and I appreciate the fact that dot-name is done informative briefings for the previous task force as well as this one. You probably have more experience in the gTLD space than perhaps some of the other registries right now. We had talked a little bit about the fact that you do have the ability to charge, but you haven’t implemented that, and you explained one problem being you would then have more person identifiable information. Initially, I thought there were also issues about what the charge might be and that there would be a reliance on credit cards for that process.

 

P. Colebrook That’s correct, Marilyn. The charging issues obviously were reflected in appendix o as approved by the board as far as distribution of any income that comes from them … to the registrar that made the search in the case of port 43. Aside from the actual revenue gathering, making … for implementing credit cards collection under these circumstances and in this jurisdiction prove to be problematic to a certain extent. Unfortunately, I don’t have access or in front of me all of the relevant details of when those discussions were held. It was a little before my time, but certainly, if you have any further queries relating to the specific aspect, I will be very happy to discuss it with you.

M. Cade Yes, I think it would be helpful. We may come back to you perhaps at another time, but people tend to think this would be easy to implement. We’d need to really better understand that.

P. Colebrook Yes, as did we. It is something you think you’ve found a remedy here, but it does open up other issues. Certainly, I would be happy to assist the task force in the future should you desire.

J. Buchanan Thanks very much, Phil. Do we have any other questions at this time?

Coordinator There are no additional questions.

J. Buchanan So with that, Philip, I would like to thank you very much for your time once again on behalf of the task force and your insight. I think as Marilyn indicated, that name has a very interesting perspective in the gTLD space here, and it’s very fascinating to hear about it.

Our next presentation is coming from Cira, and it will be provided by Kim Von Arx. I hope I’m saying that right. I sent around a PowerPoint that Kim provided to the task force, and now Kim’s going to talk to you.

K. Von Arx Yes, hello. I’m the general counsel and the director of policy development at Cira in Canada, and this presentation which I actually prepared here. Well, I prepared that some time ago actually for a center for the legal and regulatory group down there, and based upon the timeframe in which I’m supposed—or at least the time which I have to talk about this, I’m just going to go very quickly through this and give you in essence just the highlights of our new policy and compare this very quickly to our old. Then after that, I’m just going to give you I think as far as understanding what your interest then is to the responses and reactions by for example IP and law enforcement, other groups overall.

So to just quickly go through the second page, my PowerPoint just gives you a general outline of what the entire talk would be about, and first of all, the old whois, which is in essence the same as it is currently under the gTLD, the workers playing almost everything, which we’re collecting. Then after that, I just wanted to quickly touch upon the Personal Information Protection Electronics Document Act, which is very similar to the privacy directive in the European Union, and then the relevant statutes which were then enacted in some other countries in Europe. Then just very generally our method as to how we actually approached this entire consultation or this attempt to change to whois. Then our new proposals to it, and then just quickly some responses, and of course I’m open for questions.

 

I said the old whois, or actually the current one even which we are using is in essence exactly the same one as the gTLD one. Then sometime in 2003 actually, the Personal Information Electronic Documents Act, which we call here PIEDA or PIPEDA in short, came about, which is as I said very similar to the European Privacy Directorate, and it is obviously protecting the individual’s personal information.

 

So the basic idea behind that is that everybody whose information is being collect and then possibly used, disclosed, will have to actually provide consent or informed consent to that particular use or disclosure. One of the conditions is that you cannot per se provide certain services with the condition that they have to provide you with the consent unless it is absolutely reasonable and necessary to do so.

 

In addition to that, our most recent, but recently ever since the Act came into effect for the private sector, the Privacy Commissioner here, the Federal Privacy Commissioner here, stated that even organizations of smaller size, for example, employees between five to twelve, may very well be subject or protected under the First Information Protection Electronic Documents Act.

 

So in essence it is a very burdensome statute. I don’t know whether you have heard from some European registries. I just very quickly listened into, so I assume that my predecessor or my previous speaker was from the UK and probably touched upon the European privacy directive, and I’m sure you are very familiar with the various privacy approaches in various countries. I don’t want to go into any more detail about that. So that’s just moving down to our method.

 

The first thing we wanted to do is actually just find out what people actually knew about privacy and about whois in general. So we did a public survey, interviewed various people and actually also invited various stakeholders and interest groups and known entity organizations to comment on various aspects of privacy and the whois in general. Thereafter, we actually then started to develop, based on the information we then gathered, we actually seemed further down just a couple of tables, we then started to develop a privacy draft policy which we then wanted to consult on, and we just recently completed actually our consultation. We’re still receiving some reports, so it’s actually some suggestions from various people, no particular organizations, actually, the IP and law enforcement organizations which provide or have provided various suggestions as to how the privacy of the whois policy could be proved in general, but overall, we perceive that as quite a significant level of support in favor of the policy apart from the usual lobbying groups who are against this kind of approach to the whois in general. The problem that we’re having overall is anyway, we are forced in essence by the law anyway to very much pursue the approach that we have taken now albeit I do know that there are some obviously some leeway we can still take, and we’re still now currently analyzing all the suggestions we have received.

 

This quickly leads me actually down to what our whois actually does. We in essence are dividing our registrants between two categories for the purposes of whois, which is individuals and organizations. In … organizations, there is actually sub-category as well. Anyway, at least individuals, they can, or they are actually just automatically not displayed in the whois unless they actually explicitly consent and tell us that they do want to be displayed in the whois.

 

So the only thing we actually displayed for individuals is the domain name, the registrar, the DNS entries and the various stage which actually are associated with it, for example, expiry date and the last change date. For organizations, we still display the exact information that we displayed prior to that or we’re displaying right now without any holding back of any information whatsoever.

 

In regard to organizations, we do have one exception. There are—and we haven’t actually now currently developed the process by which an organization can actually apply for it—we do have a process for which an organization can apply to not have the information disclosed for whatever reason they might actually feel that they are entitled not to have it disclosed. The reasons why we actually came up with that exclusion are actually twofold. One is because as I mentioned before, the privacy commissioner’s statement that there are certain organizations which are of relatively small size are also entitled under PIPEDA to the protection of their personal information. So if there’s an organization which can certainly show us that they are only an organization of five employees, and then therefore they are protected under certain criteria of PIPEDA, then they may meet those requirements.

In addition to that, of course there are certain other entities which may require certain privacy aspects to their existence and albeit it’s probably not the best example because they might very well just actually hide their name, but for example, battered women organizations which certainly doesn’t necessarily want to have their entire contact details displayed out on the Internet for everybody to see. They may very well be eligible to not have the information displayed.

In regards to registrars are own certified registrars. They would have still access to obviously their own registrants who have all of the information which they’ve collected in the first place themselves. In addition to that, they will have access to registrants for whom they are not the registrars for certain particular purposes. That would be actually implemented by the way it would just have to go through a certain check box system where they just say … we’re accessing information based on whatever criteria. For example, for transfer of domain names or transference of domain name from one registrar to another or from one registrant to another registrant by way of another registrar transfer, and for example, mergers, or whatever other transactions may require access to registrants information for whom the registrar is not the registrar of record.

So in addition to that, of course there are certain exceptions that there are certain organizations or certain reasons for other organizations to access the information, and for that, of course, we are requiring actually some kind of judicial order anyway or judgment, which actually allows some organizations to obtain the information in general. We do however for dispute resolution purposes currently one policy rules and procedures, which stipulates that a party which is pursuing or thinking about pursuing a dispute resolution proceeding is entitled to obtain all the domain names that they’re associated with one particular registrant. Obviously, if you no longer display certain names, they can no longer do that, but what we are going to change, we’re going to change that particular policy to if there is somebody who wants to pursue a certain domain name because they believe that a certain domain name has been registered in bad faith or again stating within our policies and procedures, they can then pursue within the dispute resolution policy in the rules, and they can then submit a domain name and say that any name that is associated with that registrant that is associated with that domain name, they would like to actually obtain all the domain names that are associated with that particular registrant. So what we would then supply to them is all the names of the domain names that are actually associated with that particular registrant. If they do then want to actually … a CDRP, a dispute resolution process, they would then access or approach the individual service providers who then in turn would access or actually contact us and obtain the content details for that particular registrant, and then they would send out the respective complaints and documentation that are required.

I think that actually covers all of the most pertinent aspects of the policy overall, and like I said, we did a public consultation so far, and we’ve had in favor about 86. I think we’ve gotten a few more in, so it might be now somewhere in the 90s, and again, we’ve had somewhere in the low 30s, mid-30s, and those were mainly law enforcement and IP rights holders and some citizens and actually some registrants. The main reason why registrants were actually going to this from what I understand is because they don’t understand yet how this entire process would be implemented and as far as understanding what actually is the impact to their overall operations to some significant degree. So we would have to obviously prepare this quite effectively and thoroughly before we can launch this and impose it upon our registrars.

That is it. In regards to the arguments which were actually put forth against it, and one of the main arguments which actually was always put forth obviously is that data would prevent law enforcement for that matter, IP rights orders or rights holders in general, to obtain of course the information on the Web, and therefore would increase their effort or their time commitment to obtain information. Quite often of course we’ve gotten the information that if they had to do that, they would then suddenly have to inundate us with subpoenas and other enforcement orders, whoever it might be, whichever department of the Government, for example, it might be or some other law enforcement agency to obtain the information.

Of course IP rights orders, their main argument was that would cost their clients actually a significant amount of money to obtain the appropriate court documents to obtain the information. That’s pretty much it, and I’m certainly happy to respond to any questions.

J. Buchanan Thanks, Kim. So Michelle, we would like to open it up for questions again. I’ll actually start off by asking the first question once again … That is, how do you differentiate between individuals and organizations for the purposes of determining what data is displayed?

K. Von Arx It’s actually more a self-determination by the registrant. In essence, as you can imagine, anybody could theoretically become a registered domain name under his or her own name and then still run the business or actually run some kind of Web site for an organization on that particular domain name. So it is in essence a self-determination.

J. Buchanan Is there some sort of field when they register, like a check box, that’s organization or individual?

K. Von Arx That’s correct. Actually, the thing is, the way our system works, because the only people or the only organizations or persons who can actually register Canadian domain names are any organizations or entities which have a link to Canada, which includes obviously citizens of Canada, a permanent resident of Canada, country of Canada or any organization which is a foreign organization which does have a registered trademark in Canada.

So when you actually apply or when you sign up for a domain name, you have to pick from a list of almost 18 different legal types, and actually we’re trying to reduce those to hopefully four or five. So at the moment there are about 18 different legal ties which range from like I said a citizen, permanent resident, aboriginal people, aboriginal groups, churches, associations and registered trademark holders of Canada. That’s how we actually distinguish between those, and then within those 18 groups, and they’re about four of those which would be categorized under the big heading of individuals, and then the rest of the groups would be categorized under the big heading of organizations.

J. Buchanan Okay, thanks, Kim. Are there other questions?

Coordinator Yes, our first question comes from Ryan Lehning.

R. Lehning Just a couple of questions. I think this is following up on the last question, but there’s no way to differentiate between individuals and organizations. That’s correct? What I’m getting at is that a person who works for a large company could register the domain name on behalf of herself or on behalf of the large company using her own name and be called an individual in that context so that even a Web site for Coke, cocacola.com, if I registered it as an individual, there would be essentially no registrant or very much information at all in the database.

K. Von Arx That’s correct.

R. Lehning Even though the actual domain name is pointing to a well-known trademark for a huge company.

K. Von Arx That’s correct.

R. Lenhning The next question is, do you continue to collect the same information that you’ve collected under the previous policy?

K. Von Arx We would, yes. Actually, most likely we are intending to actually collect a little bit more, but yes, generally speaking, we are still at least collecting this much.

R. Lehning You’re collecting more information than you did?

K. Von Arx Not yet, and until we actually do that, it’s probably going to take awhile because the thing that we actually are doing currently, the only information we’re collecting is the registrant’s name, their legal type, the administrative contact details, which includes the name and the contact details as well as the technical contact details, but we’ve never actually collected the registrant’s contact details. Now in the future, hopefully within the next two or three years, we’re planning currently around it to possibly collect registrant information and contact details, but this is actually set apart from the whois itself. Anyway, for the purposes of your particular question, we are still going to continue to collect the same information.

 

I just wanted to follow up on the question overall when you raised the issue as to the distinction between individual and organizations. I do understand what obviously the overall dilemma with that is, that as you said correctly that Coca-Cola or IBM could very well have actually individually having registered the domain name, and then there’s virtually no information displayed in the whois. Obviously, the first thing with that is that those large organizations in general are starting at least to develop the idea that this is really some kind of possible IP rights or at least some kind of rights which they should at least secure within their own name. That’s just a separate topic altogether, but in any event, while we were certainly thinking about this, and we were considering what we could do about this, and we certainly considered … approach for example where they actually said you either are engaged in commercial or non-commercial activity, but the main problem which we had with that overall is just the idea that if we went down that particular road, we opened the huge can of worms by suddenly making a determination as to how you use a particular domain name and possibly what actually even the content of certain Web sites. That is exactly the area which I think at least from a legal and policy point of view are certainly at least quite sensitive and dangerous, and so for the time being, we certainly don’t want to go down that path. So to just tell you how we actually got to that particular conclusion.

Coordinator Our next question comes from Ken Stubbs.

K. Stubbs Yes, I apologize if this is something you’ve covered that I missed, but I believe you said that the responsibility of sale with the registrant to self-declare as to whether or not the domain was being registered by an individual versus a corporation or organization that might be required to disclose or provide more additional data. Am I correct there?

K. Von Arx That’s correct, yes.

K. Stubbs The next step is, is there any enforcement mechanism when there is a determination made that in fact at the time the individual registered the domain, the registration information that was provided i.e. the category, was either misleading or the information was intentionally false with respect to the category. I think you know what I’m getting at.

K. Von Arx I certainly know what you’re asking, and I’m … say no. There is no intention to actually enforce or look behind the intention of every registration.

K. Stubbs So for all intents and purposes, it’s strictly more or less a decision on the part of the registrant as to how much information they want to provide. If there’s no enforcement, then the party for all intents and purposes could provide information that was basically much more sparse than was originally—let’s put it this way—that was originally intended for the underlying nature of the registrant. In other words, if I took an individual registration for in fact a business selling let’s say illegal cable box converters or something like that, the only enforcement mechanism might possibly be the courts that could force the domain to be taken down. Is that correct?

K. Von Arx Actually, yes. You’re quite correct about that. Even right now, the only way that—for example, we don’t touch domain names unless we get a court order telling us that we have to take it down. Even if we get a complaint that there is a domain name which utilizes or actually sells for example illegal content, however horrific it might be, we do not touch that. The main reason for that is because we are not in the business of policing content of Web site or the use of domain names unless it is clearly in violation of our own policies for example, obviously … whatever, if it doesn’t meet our very own internal policies, but we certainly don’t touch the legality of illegality of domain names and the use thereof because that sort of puts us now suddenly into the position of adjudicator, and that’s certainly something which we don’t want to do because then somebody makes an allegation, and then we actually have to go out there and do the fact finding and then make the adjudication. That certainly is not the most efficient way to go about it in making those kind of judgment calls. So absolutely we pass that off to a third party in order to make sure that there is at least a more effective justice executed than if we did it ourselves.

K. Stubbs So in effect then there’s no obligation on the part of any of your credited registrars to determine or to at least advise the registrant of the nature of this. For all intents and purposes of what you’re saying is you’ll take anything anybody gives you—I’m not criticizing, I just want to make sure that I clearly understand it—I mean I don’t understand the underlying basis for that other than avoiding the work that you were talking about and putting yourself in that position. I just want to make sure that I’m clear on that, that for all intents and purposes, there’s no policing—I don’t like to use the word policing—there’s no real enforcement mechanism, nor is there any remedy for intentional misrepresentation in a registration.

K. Von Arx Just generally speaking, I have to just back up a little. The first thing is, and we’re not going to change that either. What we actually do here is when a registration comes through our system, we have actually at least one or two people who look at every single registration and the contact details and all the information that comes with the registration. They actually physically look at it to make a determination as to whether it meets our requirement or not. So for example if somebody actually registered as Snow White and the Seven Dwarves, then that just gets chucked. So that’s absolutely one of our test mechanisms for the accuracy of the information overall.

In terms of later on audits, we still have for example in our registrant agreement in same on actually post the registrars for example, there is the obligation that they have to make sure that the information that is supplied to us is at any time and all times accurate. By the information being accurate, we are only referring to for example the actual contact details, which really do refer to the particular individual, particular party. What I understand you’re most likely probably alluding to is more the actual use of the domain name whether it is for example used as an individual for whatever family album, family Web site, or whether it’s being used as whatever it is, a Coca-Cola commercial Web site.

K. Stubbs Actually, I’m more concerned about the examples of domains being used for phishing and for obtaining information illegally, principally identity theft and so forth. Maybe you’re not seeing as much of that let’s say in Canada as we are in the U.S. here, but on a regular basis, I constantly get phished, and it’s extremely difficult in some cases to get those domains taken down even if you can prove that the domain clearly is not being used by the party who they’re acting fraudulently on behalf of.

So if you got an e-mail from the Royal Bank of Canada, and it’s hypothetically a Canadian domain name that is clearly being used for illegal purposes. What you’re telling me is you won’t do anything unless you have some sort of a legal order for you to do that.

K. Von Arx That’s right, and actually, the phishing problems we certainly have here probably not as prominently as it is in the States or elsewhere, but we certainly do have quite significant problems with that as well. On top of that of course, we just recently just a couple of days ago actually, we were still faced with an issue where some prominent parliamentarians here, their names were registered by some other radical organization which is now currently using the domain names, which are associated with the parliamentarian’s names for some other political purposes which are not in line with their political view.

K. Stubbs I understand.

K. Von Arx Of course we were contacted by the lawyers of the parliamentarians, and they certainly ordered us to take them down, but our issue is overall no, we cannot get into the business of that especially if you don’t look all the way back to when there were various ISPs which introduced their own mail lists and obviously e-mail overall. There were some of course which was guaranteed that there’s never ever going to be anything illegal or defamatory on their mailing lists and e-mails. Then of course they were probably 99.999% correct, but then there’s one that is 0.001% or there’s one e-mail which went through that cost them and suddenly the continued success, and they just went completely belly up.

So there’s always the issue of becoming a publisher versus only a single ISP. In general I try to do only the conduit of transferring certain information. That’s at least from a soft key analogy which we in general are adopting or have adopted. I do absolutely understand what you’re saying, but this is just sort of exact in line with what we’ve done for the last four years.

J. Buchanan Thanks is Jordan. Unfortunately, we’re running a little bit—

K. Stubbs I apologize for taking up so much time there, Jordan.

J. Buchanan No problem, Ken. Fortunately, it doesn’t look like there are other questions, and we are running a little bit short on time, so Kim, I’m going to have to thank you very much for your time and your insights, and with that, we’re going to move on to the next presenter. Thanks again, Kim.

K. Von Arx Thank you. Bye.

J. Buchanan Now that we’ve had three presentations from registries, the next three presentations are from either registrars or affiliates of registrars who offer privacy services. I’m hoping that there may be a little bit of overlap here so we can make up a little bit of the time we’re behind, but I’m going to start with Jonathan Nevett of Network Solutions to talk about their privacy offering, and we also have Domains by Proxy and E-Nom later on the call. Jonathan.

J. Nevett Hey, Jordan, can you hear me?

J. Buchanan Yes, now I can.

J. Nevett I’ll keep this real brief. Essentially we have what we call a private registration product that we sell to our domain customers. If anyone has Internet access at their desk right now, if you go to whois and you look up at novaaffiliatemarketing.com, you can see what one of our private registration customer’s snapshot will look like. Essentially, unlike some of the other private registration-type products out there, we don’t offer a proxy service where we become the actual registrant. What we do is we’ll keep the existing registrant’s name up, and then list a Network Solutions P.O. Box and contact information so if anyone needs to contact those customers, they’ll do it through us. We’ll serve as a quasi-agent for the registrant, but we do not take the place of the registrant. If someone wants to contact one of our private registration customers, they could do it by e-mail, and we have a rotating e-mail address where every ten days it will change, which helps prevent spamming. Then we’ll just automatically forward those e-mails to the actual registrant, or we set up as I mentioned a P.O. Box that will accept U.S. mail and then forward that on to our customers. Then we also list a phone number where if anyone wants to reach the registrant, they could call the number, and then they’ll receive information on how to contact the registrant either by e-mail or postal mail.

So you see the snapshot and how it works. As far as our agreement with our customers, we have a separate section of our service agreement which relates just to this private registration product, essentially goes through the terms and conditions, the most important part of which is that if we get any kind of third party claims about infringement or any of the legal issues, or if there’s law enforcement activity or any threat in the legal action, we reserve the right to withdraw their private registration service and disclose the contact information. We obviously reserve a large section of that for us to protect ourselves as an entity and also protect any of these third parties that may have a legitimate claim against one of our private registration customers. That’s all I have to talk about, but I’m happy to answer any questions about how our service works. You’ll probably hear from the other registrars, how they do it, and I think you’ll hear from at least one of them that does it via proxy versus the way we do it.

J. Buchanan Thanks, Jonathan. So we can go ahead and open this up for questions.

Coordinator Thank you.

J. Buchanan I’ll play my historical role of asking the first question, Jonathan.

J. Neuman You beat me to it there, Jordan.

J. Buchanan Followed by Jeff, and my question is, Jonathan, I see in the example that you gave actually so there is still an address and a phone number listed as well. What happens if I send mail to that or if I call that phone number?

J. Nevett If you send mail to the address, we will forward it to the registrant. We’ll forward it to the registrant, and then if you call the number that we have, we’re not going to forward the phone call, but what we’ll do is explain on the phone call, you’ll get an operator, and the operator will explain how the third party can either write or e-mail to the actual registrant, and they’ll go through the process where we would just forward that on.

J. Buchanan Thanks. Jeff?

J. Neuman Just on that, do you have a separate e-mail address for each registrant so you’re able to separate out?

J. Nevett Yes, we have a separate e-mail address for each registrant, and it rotates every ten days. It’s an admin contact or a tech contact. Separate e-mail addresses.

 

J. Neuman The only way you’ll actually disclose that information is by …

 

J. Nevett No. There are scenarios that we lay out in our service agreement. It’s not necessarily a subpoena. Depending on the circumstance, it could be a letter or something else. Like I said, we reserve the big right for ourselves to waive the private registration service if we need to.

J. Neuman So if an IT attorney wanted to know or law enforcement just wanted to know the identity without sending anything to the registrant, what kind of processes do you all have?

J. Nevett We’ll examine it on a case-by-case basis and see what they’re asking for and what information they’re providing.

J. Buchanan Hey, Michelle, start questions.

Coordinator Certainly. Our first question comes from Steve Metalitz.

S. Metalitz This is Steve Metalitz. I have two brief questions, and I apologize if either of them is answered in your presentation which I don’t have access to. First, in the ordinary course, if someone sends an e-mail to the address that is provided on the private registration service, what happens to that? Is it auto forwarded, or is it looked at at all by Network Solutions?

J. Nevett It’s filtered for spam, and then auto forwarded to the registrant.

S. Metalitz My next question is, in the case where you decide to kick somebody out of the private registration service, what data then goes in to the whois? What data would then be accessible in whois?

J. Nevett The actual data that they provided us in the registration process.

 

S. Metalitz So you ask registrants to provide the same contact information whether they are seeking to be in the private registration service or not?

J. Nevett Yes, that’s right.

Coordinator At this time, there are no additional questions.

J. Buchanan Thanks for your time, and Jeff, maybe at some point, our dot-U.S. customers could get the service back because we think it’s a good service.

J. Nevett Duly noted.

J. Buchanan I had to throw it in. Thanks, Jonathan. So the next presentation we have on a very similar topic or very similar service although there may be differences will be Tim Ruiz representing Domains by Proxy.

T. Ruiz Thank you, Jordan. Just let me clear up one thing. I’m not representing Domains by Proxy. I’m representing the GoDaddy Group of registrars. Certainly, Domains by Proxy is a service we use. It’s a sister company in the GoDaddy Group, so I just want to make that clear. What precipitated Domains by Proxy primarily was concerns over individual’s privacy. I don’t know how many of you follow Bob Parsons’ blog, but there’s an interesting post up there today in regards to that and how Domains by Proxy was conceived. In the instance he relates there was in regards to a lady who was being stalked. So that’s the background behind what got us thinking about a service like Domains by Proxy, of course today, any individual organization or business can use Domains by Proxy to keep their person identifiable or contact information private and not a public whois.

The way Domains by Proxy works is through the main registration process. The customer who would have become the registrant, actually at one point elects to allow Domains by Proxy or requests Domains by Proxy to become the registrant of the domain name. So the domain name is actually registered in the name of Domains by Proxy. They are the registrant, and then subsequently, the customer agrees or license the use of the domain name from Domains by Proxy. There is a very detailed agreement on how that works, but basically it gives the customer the full benefits of domain name registration without becoming the domain name registrant and having their contact information become public. So they can cancel the domain name at their choosing. They can completely manage the DNS, attach e-mail services, hosting, etc. the same as if they had been the registrant, but again, with Domains by Proxy actually being a registrant of the name.

What we then display in the whois is the Domains by Proxy contact information, which is Domains by Proxy as the registrant, the admin contact and the technical contact, their address, and then a unique e-mail address that is created per domain. So a particular customer might have several domains that are using the Domains by Proxy service or use Domains by Proxy as the registrant, but each one of those would have a different e-mail address based on the domain name. E-mail to that address is passed through. It’s spam filtered using our proprietary technology and then actually forwarded to the appropriate party. Mail that comes to the Domains by Proxy address for that domain name, if that mail is certified mail or it’s traceable mail, then it is forwarded on to the appropriate party. Otherwise, it’s considered junk mail, and phone calls very similar to what Jon’s describing, how Network Solutions handles that. If a customer calls, and they’re looking for what they consider to be the registrant, we try to tell them here’s how you can write to the e-mail address or here’s where to send mail. If it’s illegal or some sort of dispute issue, then they might be forwarded on to the legal department for Domains by Proxy.

n the agreement, the customer of course is required to keep the contact information that they store with Domains by Proxy. It’s all the same contact information they would have normally provided through registration of a domain name. They’re required to keep that up to date. Any changes to that information, they’re required to notify Domains by Proxy within five days. If Domains by Proxy has any question or issue or concern over the efficacy of that data, they are required to respond to those inquiries within five days, and failure to do so in either event would result in the cancellation of their Domains by Proxy service.

Again, it’s a pretty broad section. It’s section four in the Domains by Proxy agreement that’s available on the Web site, so I won’t go into detail about it, but again, it’s broad. It’s to allow Domains by Proxy the ability to take action when reasonably necessary in canceling a Domains by Proxy registration or at least canceling the account. If the person using the domain name’s involved in spam, illegal activities, if we should receive a court order from law enforcement, or if they’re involved in child pornography, clear violations of trademark rights or other intellectual property rights, would all be reasons why Domains by Proxy may take quick and immediate action to cancel their service with any one customer.

Sometimes of course those areas are a little bit gray. They’re harder to discern. So probably most cases, a dialogue takes place between the complainant unless it has to do with a court order. We file that immediately, but otherwise, a dialogue takes place between the complainant and the Domains by Proxy customer in order to try to resolve the situation before action is taken. But if it would help, I could provide that agreement to the list, or it can be seen pretty easily in the legal section at domainsbyproxy.com. I guess that’s pretty much the service and the way it works, and I’ll try to answer any questions that you’ve got.

J. Buchanan Thanks, Tim, and Michelle, I guess we can once again open up for questions.

Coordinator One moment please.

J. Buchanan While we’re waiting the moment, Tim, let me ask you. So if a Domains by Proxy registration is canceled because one of the various recent reasons that you listed, since Domains by Proxy is the registrant, does that mean that the domain is just deleted, or does that transfer of registrant happen at that point and the name’s returned to the person entered into the original agreement with Domains by Proxy.

T. Ruiz There’s a potential that it could just be canceled, but the customer actually agrees that the registration of the domain will revert to them, and their contact information would be come publicly available in the whois.

J. Buchanan Do we have other questions, Michelle?

Coordinator Yes, our first question comes from Steve Metalitz.

S. Metalitz Tim, thank you for the presentation. I just have one question. If someone believes that there is an infringement of intellectual property rights associated with the registration, how would they proceed to try to get the full contact information? Who would they contact in order to start the process that you talked about?

T. Ruiz They could either call the number that’s listed in the contact information, or they could write to Domains by Proxy’s legal complaints department. That address is clearly available on the Web site. Of course, it’s actually the address in the contact information as well that’s displayed for the domain name, and the phone number is there, too.

S. Metalitz But if they wanted to start the process quickly, the only way they could do that is to call that number where the operator is located?

T. Ruiz Right, and that call should be forwarded. If it’s in regards to a legal matter or a legal concern, that call should be forwarded to the legal department for further discussion.

Coordinator At this time, there are no additional questions. Actually, one question just came up. Bruce Tonkin, your line is open.

B. Tonkin Yes, this is Bruce Tonkin speaking. I just had a question for fed by Steve Metalitz’s end and for the two proxy providers, but what are the legal requirements? If you’re an intellectual property or some other group that’s wanting to send a legal letter to the holder of the domain name, what are the requirements for delivering that letter? Is it possible for you to use one of these proxy services, or is it the case that you need to have their actual details to formally serve a legal notice? I just want to understand the legal construct.

T. Ruiz Bruce, this is Time. I don’t know quite how to answer the question. I can tell you what we do if we were to receive a certified letter like that to the Domains by Proxy address for that domain. It would be forwarded straight on to the actual customer whois using that domain name.

B. Tonkin Tim, is there any guarantee that you do that? I’m just interested if the legal company were sending a letter through Domains by Proxy, is Domains by Proxy guaranteeing in some way that it will pass that on, in other words, if the person sending the letter had some confidence that that won’t happen.

T. Ruiz I guess there’s nothing that we guarantee to the sender. Of course … would be many, but that is certainly part of our agreement with our Domains by Proxy customer that that will occur. The only mail that doesn’t get forwarded on is if it’s not otherwise traceable in some way.

B. Tonkin Can Steve Metalitz help us answer the question whether that’s adequate from a legal point of view as the sender? Probably he has to come and ask a question to do that.

J. Buchanan I think actually, Bruce, do you have any other questions, and if not, we can encourage Steve to maybe re-ask the question if he feels like he would want to answer that?

Coordinator Steve Metalitz, your line is open.

S. Metalitz I’m sorry, I didn’t know how to get the line open. I don’t think there’s any single answer to Bruce’s question. It depends on the purposes for which you were sending the notice. The question is are you putting the registrant on notice so that any future fringing activity will be willful or with knowledge of infringement? So obviously you want to reach the actual registrant and not rely upon it being passed through by the proxy. I suppose the agreement that the registrant has with the proxy could address this question, but I don’t know if it does.

T. Ruiz I think the thing to keep in mind is probably like Steve said, it’s probably different answers depending on the service you’re talking about. Domains by Proxy is the registrant, so in some way, they are the ones legally responsible. At least up to that point, when that notice first comes or there’s the initial concern with any infringement, perhaps the Network Solutions a little different because the original customer becomes the registrant of the domain name. So that might be a different situation.

J. Buchanan Tim, let me ask actually briefly. I don’t know if you can comment on this, but are there circumstances in which Domains by Proxy has become engaged in litigation because someone didn’t know who to sue, and so they sued Domains by Proxy instead?

T. Ruiz Yes.

J. Buchanan Any other questions at this time?

Coordinator There are no additional questions.

J. Buchanan So thanks, Tim. We’ll now move on to our final presenter of the day, whois Paul Stahura from eNom.

P. Stahura Actually, Martin Garthwaite is going to be making the presentation.

J. Buchanan Is he on your same line, Paul?

P. Stahura Yes.

J. Buchanan Okay, great. Martin is next.

M. Garthwaite Hi, this is actually a presentation of the service provided to eNom by Whois Privacy Protection, Inc. It’s very similar to the Domains by Proxy service where Whois Privacy Protection, Inc. is listed as the registrant and address, phone and fax numbers are provided. An e-mail address is provided. Communications which are set to that contact information is forwarded on to the contact information provided by the underlying registrant. When complaints are received, we have a very low threshold for turning over the underlying information of the party. Basically anybody mentioning the word copyright or trademark or bought or anything can be sent the underlying contact information, and if the complaint is escalated, then we’ll turn off the service so that it’s available generally in the whois though I would note that most people are satisfied to just receive it in response to their initial e-mail.

There is really not a whole lot to add on what’s been said before. I would say that I’m intimately involved in the abuse complaints that we get in general on copyright complaints, trademark complaints, phishing scams, and I’ve never seen a phishing scam complaint that had whois privacy protection on it. All of those complaints relate to domain names that are registered in the names of real people. Typically, they’re the victim of credit card theft. They’re identity theft victims to begin with, and I guess I’ll stop there and open it up for questions.

The other point that was made there is, is that forwarding address a sufficient address in terms of legal process, and I guess I would say that in general my reaction to that was that the whois contact information isn’t a registered agent anyway. So the service of process is determined by local court rules, and if a court can’t reach a party, there are ways to affect service of process. I guess the whois isn’t designed to be a registered agent in any event, but our experience is that it’s a service that allows people who have a legitimate reason to keep their identity secret, it provides for that. It provides means for third parties to contact them, and then it provides means for third parties to find out who that underlying party is with very little effort. I guess I’ll open it up to questions there.

J. Buchanan Great, thanks, Martin. Do we have any questions?

Coordinator Yes, our first question comes from Steve Metalitz.

 

S. Metalitz I just have the same question I had really for Tim, which is how would someone who believes their intellectual property rights have been violated, how would they invoke this complaint abuse process? Is there an e-mail address they actually send to? Is there someone they contact?

M. Garthwaite There are various e-mail addressees they can use. There’s a whois privacy protect e-mail address, there’s an eNom address, and if they send a fax or a letter to the contact information, we open up all that stuff up before we forward it on, and if we find the complaint in the correspondence, then we’ll typically respond right then as well.

S. Metalitz What would be the preferred way to start that process, or do you have a preference?

M. Garthwaite That preferred way for us is via e-mail, certainly, to one of our … contact points.

S. Metalitz Are those the ones that are listed on your Web site?

M. Garthwaite Yes, it is.

Coordinator There are no additional questions at this time.

J. Buchanan This is the first time I don’t have a question, either, so that was very instructive. Do you have any questions, Jeff?

J. Neuman No, I think between those three presenters, I think not.

J. Buchanan Actually, since I see that I think our former presenters on this topic are still on the line, let me ask, do you guys have any sense between the three of you or individually how what portion of names that these services are applied to eventually become the subject of some sort of complaint?

T. Ruiz Jordan, this is Tim. I don’t have any data on that specifically. No, I can only say it’s a popular service. We do get probably daily complaints of one form or another, so we deal with it on a daily basis, but I couldn’t give you any hard facts.

J. Nevett Yes, same with us. This is Jon. I don’t think it’d be that many, though, but I don’t have any hard data.

M. Garthwaite This is Martin, eNom’s Whois Privacy Protect, and we have a large number of names that use the service, people that are registering for names for one reason or another, and we have very few complaints about the underlying registrants. I think we forward two or three items legitimate mail on through the system. That’s not counting e-mails, but two or three items of physical mail per week, and we probably turn off the service maybe once or twice a month. We give out the underlying contact information two or three times a month. Actually, I thought there was going to be much more work coming out of it, and it’s relatively quiet. We’ve never been sued. Whois Privacy Protect has never been sued as a party, and that’s a lot.

J. Buchanan Thanks, Martin. I think Jeff actually does have a question now.

J. Neuman This question’s for Network Solutions, GoDaddy and eNom. I’m assuming that all three of your services, this is a value added service, so it’s … charged for it? It’s not a default, is that correct?

J. Nevett This is Jon. We charge for it.

T. Ruiz This is Tim, we charge for it, yes.

M. Garthwaite ENom charges as well, and we’re offering it due to competitive pressures. There’s a lot of people that do the same thing. There’re resellers of eNom that were doing it even before we started. There are third parties that aren’t even resellers of eNom that do it, and then there were other registrars. So it’s a fact of life that law firms do it for their clients.

J. Neuman To be fair, aside from just having a value add service, do you think that there’s any other reasons why you would charge? I’m trying to throw a softball to you all as to why you charge other than just making money. Do you find that if you charge, more honest people enter into these types of service?

 

J. Nevett We’re only speculating, but I would say that would be true.

 

M. Garthwaite Yes, it’s funny. The people that are doing crimes on the Internet, they’re using stolen credit cards, and we find that all the major problems that relate to domain names stem back to an identity theft victim, and they’re listed right there in the whois. For whatever reason, they don’t bother to click the box to select Whois Privacy Protect and add another charge on to this credit card they’ve stolen. I don’t know where to go at that.

J. Neuman If this gives away competitive information, then obviously I don’t want you guys to disclose it, but you have a certain percentage of names that you would classify take advantage of this service. Again feel free not to answer if you think it’s competitive.

J. Nevett I think I’ll accept your invitation not to answer.

T. Ruiz I’ll only say that if the question is how many actually take advantage of it, I’ll just say it’s a lot.

M. Garthwaite I think we’ll say it’s a large number of names, but it’s a small percent.

J. Neuman If we were to ... if we were to send around a question with a way to make it anonymous, would you answer the percentage so that wouldn’t be attributable?

J. Nevett Sure.

J. Neuman I’m just trying to get some stats for the task force in anonymous ways to see how many people or what percentage of registrants take advantage of this type of service.

J. Nevett That sounds like a reasonable request, Jeff, but we would need to see the questionnaire of course.

J. Neuman Right.

T. Ruiz … of GoDaddy.

J. Neuman I’ve got to figure out how we do it anonymously.

J. Buchanan Great. Michelle, am I correct that there’s no other questions at this time?

Coordinator There are no additional questions.

J. Buchanan Okay, so with that I think we will wind down this call. It’s gone on for nearly two hours, and I realize that’s a substantial amount of time for everyone to have spent on the call. Hopefully this was educational, and I see that we have had a lot of activity on the list over the past few days. I certainly encourage that trend. We do also have a call planned for next week where we’re hoping to see the first outline of a staff report. Actually, the first half of a staff report, and we’re actually expecting an outline from the staff this week for that outline of the report.

So I will try to inquire with the staff as to where that outline is and let everyone know on the list. Other than that, I think we’ll wrap this up, and I’ll thank everyone for their time and especially our presenters that may remain on the call. Thank you. Thanks, Michelle.

Coordinator You’re welcome. This concludes the conference. You may disconnect at this time.