GNSO Transcript

GNSO / GAC Principles on WHOIS Working Session Lisbon

29 March 2007

17:45 local time

Note: The following is the output of transcribing from an audio recording of the GNSO Council discussion on the GAC Principles relating to WHOIS at the meeting in Lisbon on 29 March 2007. Although the transcription is largely accurate, in some cases it is incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the meeting, but should not be treated as an authoritative record.

The GAC principles are available at:

http://gac.icann.org/web/communiques/gac27com.pdf

Attendees:

Bruce Tonkin - GNSO Council chair

Avri Doria - Nominating Committee to GNSO Council

Jon Bing - Nominating Committee to GNSO Council

Kristina Rosette - IPC - Council

Mike Rodenbaugh - CBUC - Council

Philip Sheppard - CBUC - Council

Edmon Chung - gTLD Registries c. - Council

Chuck Gomes - gTLD Registries c. - Council

Norbert Klein - NCUC - Council

ICANN Staff

Craig Schwartz - Chief gTLD Registry Liaison

Maria Farrell - GNSO Policy Officer

Liz Williams - Senior Policy Counsellor

Olof Nordling - Manager, Policy Development Coordination

Glen de Saint Géry - GNSO Secretariat

Observers

Werner Staub - Registrar c

Ray Fasett - dotJobs

Katrin Ohlmer - dotBerlin

Dirk Krischenowski - dotBerlin

Johannes-Lenz Hawliczek - dotBerlin

Absent:

Marilyn Cade was absent and sent her apologies.

>>BRUCE TONKIN: Yeah, we're just about to start the discussion on WHOIS principles from the GAC. And the time is 5:45 p.m. Portugal time on Thursday.

So, basically, the GAC has said to the council to continue its efforts to develop consensus-based policies. So I think we are doing that.

This is something that's worth considering, though. I am starting to get communication floating around as though we're not developing consensus-based proposals, based on the resolution yesterday, which is not true.

We're in fact doing that very thing.

This says also, "GAC is committed to continuing consultations on WHOIS and providing additional advice."

So that, you know, again, the door is open there to get advice, I suppose especially on any solution that gets proposed.

Consultations.

So the GAC principles. "The purpose of this document is to identify a set of general public policy issues and proposed principles relating to gTLD WHOIS services, in line with the recommendations of Tunis.

These principles are intended to guide the work within ICANN and to inform the board of the consensus views of the GAC. The GAC recognizes that the original function of the WHOIS service is to provide a lookup service to Internet users. As the Internet has evolved, WHOIS data is now used in support of a number of other legitimate activities."

So this is interesting in that I guess, essentially, they're about to define what's -- whoops, I didn't -- define what is legitimate.

So, "The legitimate activities include supporting the security and stability of the Internet by providing contact points for network operators and administrators, including ISPs," this is interesting, "and certified computer Internet response teams."

I find that interesting that they've used the word "certified" there, because there's a lot of -- as a registrar, we get lots of groups coming to us with various complaints. And they're pretty much self-formed. They're not really certified.

>>OLOF NORDLING: I think we should also keep in mind, I think you lost a footnote on your document.

>>BRUCE TONKIN: Could well have.

>>OLOF NORDLING: Which says, "Subject to applicable national law," just for comment.

>>BRUCE TONKIN: So footnote to where? Sorry.

>>AVRI DORIA: Footnote to "legitimate."

>>BRUCE TONKIN: Ah, legitimate. And the footnote is "subject to applicable national law." Let me just put that in explicitly.

>>AVRI DORIA: Because for something to be legitimate, there has to be a law.

>> Well, --

>>BRUCE TONKIN: Yes? Avri.

>>AVRI DORIA: It's in the word. It's in the word!

[ Laughter ]

>>BRUCE TONKIN: Subject to applicable national law.

Thanks for picking that one up, Olof.

Okay. Let's see what these are.

"Supporting the security and stability, providing contact points for network operators and administrators, including ISPs."

So just this question -- this is probably something where people on the WHOIS task force might be able to assist. But in the current WHOIS, you have an admin and a tech contact. And I think the tech contact is intended to be the contact point for these people. And then we have this old part of the proposal which is essentially saying we use one point of contact.

Was the intent that that's the default point of contact, but that people may provide additional points of contact? Was that -- Who was on the WHOIS task force? Anyone here?

Avri? Or is Maria here?

>>MARIA FARRELL: Yeah, right here.

>>BRUCE TONKIN: Where's Maria?

Maria, do you want to sit near a mike, because you probably know more about WHOIS than anyone else.

What was your understanding of the technical point of contact and why that was removed?

(No audio) -- clarification as well.

>>AVRI DORIA: It wasn't removed. It was just no longer needed to be displayed. And that the OPoC -- In other words, the WHOIS task force didn't have the right to remove anything. It was only talking about what was displayed. So it added the OPoC. And it was declared as something that needed to be displayed. And the administrative and technical contact were basically deprecated as things that needed to be displayed.

>>BRUCE TONKIN: Okay. So I just want to make -- I'm just really asking questions of clarification.

So the concept, then, Avri, in that proposal is that the tech data is collected, and a means of access needs to be provided to that tech contact by these people.

Is that the sense of what the task force was thinking?

>>AVRI DORIA: The OPoC report was the one that was required to be able to provide the reliable link, even to a technical contact.

So the technical content wasn't actually removed from anything, but it wasn't what was the main concern. It was the OPoC that was the main concern.

>>BRUCE TONKIN: All right. So what you're saying -- so I just want to get this clear, because I want to know whether the recommendations support this or not.

So you're saying, again, you've got the single point of contact, and that single point of contact, if it's a technical issue, that point of contact -- so it's a bit -- considered the equivalent of ringing Yahoo!'s reception or something and saying, "I've got a problem with my domain name," and relying on them forwarding the call to the right party?

>>AVRI DORIA: But that's where we have the question that the resolution and the council is sort of saying, well, what exactly is this OPoC supposed to do when they get the technical call? The requirement link wasn't made strong enough. It was sort of seen as an implementation detail. But -- yeah.

>>BRUCE TONKIN: Okay. That's fine.

So the first one's kind of dealing with tech people.

The second one is allowing users to determine the availability.

Now, this one is actually nothing to do with WHOIS. So my -- it's probably worth going back and telling the GAC that we have these things called check availability that are not related to WHOIS in any way.

>>AVRI DORIA: I think a lot of people use it, because if you try to do it on the Web or some other way as a user, you end up convincing someone else to grab it before you do.

>>BRUCE TONKIN: There's the perception of that, is there?

>>AVRI DORIA: Right.

>>BRUCE TONKIN: What makes them think that WHOIS isn't also used in the same way?

>>AVRI DORIA: That I didn't know.

>>BRUCE TONKIN: Because they're no different. I can track both activities equally easily if I was choosing to do so.

In other words, the WHOIS search is the same thing. It's a database query.

>>CHUCK GOMES: In fact, WHOIS in some cases might not be updated as quickly as your name availability source.

>>BRUCE TONKIN: That's right. Because WHOIS is often delayed.

I think it's just worth -- this is just one of those things of lack of understanding in some parts of the community about that. In other words, there's this perception that WHOIS is used for that. That's not its intended use and there are better ways of doing it.

>>AVRI DORIA: But I think a lot of people -- and, yes, we don't have the statistician here, so it's purely anecdotal. But I am careful to say that my evidence is anecdotal when I think it is -- that anecdotally, a lot of people do use it that way.

>>BRUCE TONKIN: Yeah. And by the way, the new proposal doesn't change this. Because, obviously, if there's a record, there's a record. So the current recommendations are still consistent with this.

>>PHILIP SHEPPARD: I would suggest it's probably more known as a means of doing that because of the nature of the data there than other mechanisms; huh?

>>BRUCE TONKIN: So how would you -- how do you check -- I mean, you're probably right, Avri, and that's a fair comment.

Where do you go to check availability of domain names, Philip?

>>PHILIP SHEPPARD: I don't check a lot of the availability of domain names, actually, not being a domainer myself.

>>BRUCE TONKIN: You've never registered a domain name.

>>PHILIP SHEPPARD: I have registered a domain name, yeah.

Well, I would either do a search on whatever my starting point is or --

>>BRUCE TONKIN: Exactly. So you're not using WHOIS, then?

>>PHILIP SHEPPARD: I've done both, personally, yeah.

>>BRUCE TONKIN: Because the way most registrars' sites are built, WHOIS is this little link off in five-point font off on the side. And the main thing that you're drawn to is the search box. And you type in the search box. That's actually not using WHOIS. It's doing a realtime check of the registry.

>>KRISTINA ROSETTE: Bruce, for what it's worth, pretty much, I know that I rely exclusively on WHOIS --

>>BRUCE TONKIN: Do you?

>>KRISTINA ROSETTE: -- to check domain name availability.

>>BRUCE TONKIN: Right. And -- that's interesting.

And why is that? Is that because you're effectively doing, like, a trademark search, are you, and seeing if that name is taken in different places?

>>KRISTINA ROSETTE: Yeah. Because in most cases, I'm more interested in knowing -- my presumption is that somebody has it, and I want to know who, rather than checking name availability.

>>BRUCE TONKIN: That's not -- that's not the same thing.

Checking availability is, I want to register this name right now.

>>KRISTINA ROSETTE: Right. I don't do that. I go to the bottom of, like, the little WHOIS link and go that way.

>>BRUCE TONKIN: That's not checking availability. You're checking to see who owns it. Yeah.

Different function. All I'm saying is that availability, there's a misconception that WHOIS is intended for availability. It's not.

>>CHUCK GOMES: It doesn't really matter that that was --

>>BRUCE TONKIN: Doesn't matter, because it's still covered.

>>CHUCK GOMES: -- whether that was the intent or not. There's still a better way of doing it.

>>BRUCE TONKIN: All I'm saying, Kristina, is I think it's worth educating the community about the right way to check availability, because WHOIS is often out of date, and you could look in there and it looks like it's available when it's not, for example.

>>AVRI DORIA: I must admit that most of the people that I know who do that are people like me who live with a Unix shell that's open. And WHOIS is quicker. And then if it's available there, then you can go check further. And if it's not, well, then you worry about it.

>>BRUCE TONKIN: Sure.

>>AVRI DORIA: Yeah.

>>BRUCE TONKIN: If you're using command line interfaces, I can see that.

I can give you an API that you can use to go to an (inaudible), and you'll be able to do the same thing.

>>AVRI DORIA: Please do.

>>BRUCE TONKIN: Okay. But I think whatever the recommendations are so far, there's nothing that's not consistent with that second one.

The third one is, "Assisting law enforcement authorities" -- the only reason I raise it is that I find it funny that it comes up in the context of WHOIS, because WHOIS is about who owns the name or who's the contact for the name as opposed to availability.

3, assisting law enforcement investigations, counter terrorism, international -- I guess this is probably an important concept, isn't it? Because that's what we've heard a few times, say that they need WHOIS because it's difficult to do otherwise across boundaries, country boundaries.

And then specialized nongovernmental entities. So in Australia, they would be things like the ACCC and so on.

Okay. That's fine.

What's ICTs?

>> (inaudible).

>>BRUCE TONKIN: Oh, okay. Just a --

>>AVRI DORIA: That's what governments call all the stuff.

>>BRUCE TONKIN: What do they call it? Information what?

>>AVRI DORIA: Information and communications technologies.

>>BRUCE TONKIN: Okay. I mean, ultimately, this stuff is going to be forwarded on to the WHOIS working group. I think it's just important that we understand at least what's covered and what's not so far in the proposal.

So, obviously, this needs to be specified as to how network operators get to contact the right person.

Yep.

>>MARIA FARRELL: Yeah, just for what it's worth, I think the issues that are covered in that point number 4 are lifted more or less from the Council of Europe convention on cybercrime. So it's kind of identifying that very particular set of issues that has got a convention to do with it.

>>BRUCE TONKIN: By the way, just now that I recollect, because it's interesting, the new gTLDs actually didn't have anything about morality or racial, did it in the new gTLD guidelines?

>>CHUCK GOMES: (inaudible).

>>BRUCE TONKIN: So I'm wondering whether we might drop that out of the new gTLD. Because that's probably going to be the hardest thing to --

>> Yes.

>>BRUCE TONKIN: Because this is one of the ones I was looking to see what they put in. Their focus all seems to be around geographic and community groups, doesn't it?

>>AVRI DORIA: They also talked about human rights and the hate groups.

>>BRUCE TONKIN: Oh, I see. You think that's covered in that one, Avri?

>>LIZ WILLIAMS: And religious significance.

>>BRUCE TONKIN: Let's just go back and pick that up. I hadn't picked up the subtlety of that.

>>LIZ WILLIAMS: (inaudible).

>>BRUCE TONKIN: Because I'd rather use their language than ours in that area.

So you're saying that one there, Avri, is the one that we've got under moral rights or something?

>>AVRI DORIA: Yeah.

>>CHUCK GOMES: You've also got the religious significance part.

>>PHILIP SHEPPARD: And interestingly enough, that was a deletion from their earlier draft.

>> Yep.

>>PHILIP SHEPPARD: Because the earlier draft did have a hatred clause. And that's gone.

>>BRUCE TONKIN: Did have a what?

>>LIZ WILLIAMS: Promotion of hatred.

>>PHILIP SHEPPARD: A hatred clause in -- similar to what we're seeing in the WHOIS. But it's gone.

>>BRUCE TONKIN: I think these are different, because the sensitivities is where we're saying if you're going for something like -- that's almost the name of religion, or at least the way I'm capturing it in our process.

>>CHUCK GOMES: They still have it in a sense (inaudible) fundamental human rights and the dignity and work of the human person and equal rights of men and women. That would certainly fit the --

>>BRUCE TONKIN: Mm.

>>JON BING: That's a reference to the United Nations declaration, isn't it?

>>LIZ WILLIAMS: Yeah.

>>BRUCE TONKIN: Now, is that something that could be managed by a dispute process?

Jon? I mean, if we used those words and someone complains on that basis, is that something that you can handle with a dispute process, in other words, that there's sufficient clarity in that universal declaration that that can be used?

>>JON BING: And one should think so, because there is a committee attached to the United Nations that handles these type of disputes. It's not very highly -- perhaps not very highly recognized, but there is such a committee.

>>BRUCE TONKIN: Can you give me an example of a dispute.

>>JON BING: Well, it's slightly difficult for me, actually, because the European Court of Human Rights is so much closer to my associations. And they have a -- the human -- the European Convention of Human Rights is, of course, basic to all European legislations and have very much the same wording as the Universal Declaration of Human Rights, the social charter. They're parallel texts. But because the European one is slightly stronger and more operational and you are bound by that, you want to go to the U.N. only for references.

But there would be any type of -- it would be the freedom of speech would be highly --

>>BRUCE TONKIN: When you say "disputes resolved," just give me an example of the dispute.

Is this when someone's said something in the media or -- I'm just trying to understand what a dispute consists of.

>>JON BING: It would be abuse -- somebody who abused his freedom of speech. It could be infringement of privacy rights, the government coming into your home or something like that. It can be -- yeah.

It has to be slightly -- very major to be brought before the court. I'm trying to think of a good example of an Article 8. But I can't give you that, I think.

>>BRUCE TONKIN: All right.

>>JON BING: I'll give you when I come --

>>BRUCE TONKIN: When you think of it.

But this would be good, because I think that is much better if we can use something like that instead of our current wording, which is -- whatever it is, moral rights or something and other.

>>AVRI DORIA: Yeah, I would prefer --

>>PHILIP SHEPPARD: Bruce, Bruce, Bruce, we've got -- we're already capturing that in our discussion text in our gTLDs report, exactly that same phrasing.

>>BRUCE TONKIN: Yeah. I'm just suggesting making that the recommendation, in the recommendation we've got.

>>PHILIP SHEPPARD: Well, no, I think what we've got already in our earlier recommendation text is actually more operational than this. And I think that was part of the reason why we got there. This is the very highest level that moves down to where we've got to and that is proved operationally in other areas, whereas this is -- is just -- is stratospheric level stuff.

>>BRUCE TONKIN: But that's okay, as long as there's a dispute process that goes with it.

>> Yeah.

>>PHILIP SHEPPARD: I --

>>BRUCE TONKIN: I don't think people are going to argue about the fact that strings must not be -- the way I'd word it is, "String must not be contrary to the Universal Declaration of Human Rights," is the way I'd word it, and then the dispute process is whatever this court thing is that adjudicates on that.

>>PHILIP SHEPPARD: It's so much --

>>BRUCE TONKIN: I'm an engineer. Sorry.

>> TED (inaudible).

>>BRUCE TONKIN: That's right.

>>PHILIP SHEPPARD: I think this is so much vaguer than where we are at the moment.

We mentioned this as a starting point for the discussion. We need to look at this in context where we've gotten to. I don't think it's --

>>BRUCE TONKIN: How about we deal with it this way, Philip: I think I'd like to see someone come up with a dispute process for that recommendation that we've got at the moment, which is recommendation 6.

And if that -- if there's a dispute process that's sensible around that and someone other than ICANN that does it, 'cause what I'm really looking for is someone other than ICANN that does this stuff. And we use whatever words that group wants to use, is my sort of approach to it.

>>AVRI DORIA: Yeah, I would certainly like to try and take a crack at a dispute resolution that referred to the Universal Declaration of Human Rights as opposed to what we've got now. I think that would be a worthwhile exercise.

>>BRUCE TONKIN: Okay. Let's take that offline. But I just -- of why, it just occurred to me suddenly that I hadn't seen the moral, racist-type stuff.

Okay. Back to WHOIS.

>>LIZ WILLIAMS: Sorry. Avri, you'll give me something? Or you're asking --

>>BRUCE TONKIN: Avri's going to create a dispute resolution model around human rights.

[ Laughter ]

>>AVRI DORIA: I was saying -- I was saying I would like to participate in doing that.

>> No, no, no.

>>BRUCE TONKIN: No, that's not what you said.

>>AVRI DORIA: I said I would like to take a crack at it. You're right, I did say I would like to take a crack at it.

>>LIZ WILLIAMS: We heard you, Avri.

>>AVRI DORIA: Anyone that wants to help is welcome.

>>BRUCE TONKIN: Okay. So this is -- 'cause this is where we are starting to look at these words. 'Cause this is a lot more detailed than what's in the new gTLD principles.

"Assisting in combating abuses of communication technologies for acts motivated by racism, racial discrimination, xenophobia, related intolerance, hatred, violence," it's got every horrible thing you can think of in here, obviously.

Assisting in combating. Doesn't say assisting who, though, does it?

Okay.

>> That convention needs to (inaudible).

>>BRUCE TONKIN: Yeah, so GAC recognizes regional function as the Internet has evolved, WHOIS data is now used in support of legitimate activities, including supporting security, allowing users, assisting law enforcement, assisting in combating rights. So they're saying a legitimate use of the WHOIS is assisting in combating against all that stuff.

"Facilitating inquiries and steps to conduct trademark clearances." So this is the intellectual property clause.

Okay. So if we look at all the different stuff, this is -- this is the illegal acts stuff.

So what have we got? We've got security and stability, availability, law enforcement, stopping illegal stuff happening on the Internet, intellectual property.

And this is the consumer one, isn't it? This is sort of the stuff that came from the U.S. consumer protection -- whatever it was called, FTC -- what's your consumer protection? Is it FTC, is it?

>> Yeah.

>>BRUCE TONKIN: That's something that came out from them.

Helping users identify persons or entities responsible for content and services online.

Okay. So this is assisting -- So this is the business users constituency.

So you guys are all covered. You've got the I.P., the business users.

Right, so that's the seven of them.

So I think the thing is that whatever comes out is, that WHOIS working group's got to basically address how the needs of each of these groups is supported by whatever the recommendations are.

>>AVRI DORIA: And then they get the rest of the -- (inaudible).

>>BRUCE TONKIN: This is pretty similar to what I presented this morning, basically. There's misuse, and there's privacy and stuff.

>>PHILIP SHEPPARD: Does that suggest that in the fleshing out of terms of reference which lead from our resolution yesterday, we're going to have a --

>>BRUCE TONKIN: That's a good point. What we can do.

>>PHILIP SHEPPARD: -- reference to this?

>>BRUCE TONKIN: Yeah, I think that's right, Philip. I think we should do that. We've got to sort of create a statement of work. But I think it would be useful to try and reference as much of this as we can when we're doing it.

>>AVRI DORIA: Do you have to actually reference bits of it, or can you just sort of include it by reference?

>>BRUCE TONKIN: I can. But I think it's still worth picking the relevant bits, yeah. I'm particularly thinking with some of that stuff here in terms of uses. That's all. I think it's worth -- at the moment in the resolution yesterday, we had legitimate users. And this is actually enumerating that.

Because I chose the wording deliberately, because I thought, luckily, the GAC was being helpful.

Okay, so they're acknowledging that there are concerns about the data.

Section 2 above. Okay. So that's all that stuff. Okay.

So what have they done? They've -- it's a bit hard to tell this when I'm doing it in big font.

So the first section's just, what, a statement of facts, is it?

>> It's a collection of uses.

>> It's a (inaudible).

>>BRUCE TONKIN: Yeah, so these are the public policy aspects. And then they go on to make rec- -- then they have principles, do they? So these are the principles, starting at 3.

Okay. So this is where they're having a go at the definition.

So I think -- my view is that, ultimately, we'll need to go back and look at the definition. But I think we first need to -- I think the working group needs to focus on the -- you know, the changes to WHOIS, I think, is where I'd suggest they focus on. And then once they've done that and we've got that in a form that we've got reasonable consensus around, I think we can go back and then look at, you know, the definition that we have.

This is the one that -- that is consistent, I guess, with the who- -- the current policy, isn't it? Don't we have a policy saying you need to conform with applicable laws?

>> (inaudible).

>>BRUCE TONKIN: Yeah, it's difficult to avoid, that's right.

No, you can't avoid it, Jon. You just avoid the national location where that law applies by not residing there.

>>AVRI DORIA: Yeah, we've often said that, you know, it's a foregone conclusion that ICANN -- I mean, that people have to obey the national laws. And while that is true of the individuals, what I think ICANN says when it's saying it is that they also care that people do. In other words, ICANN could take an attitude that, "We don't care what law you break. That's your problem in your country. But it won't matter to us." And that's not ICANN's position.

>>BRUCE TONKIN: Okay.

>>AVRI DORIA: But they could take that position.

>>BRUCE TONKIN: So I -- this is interesting. I quite like this wording, actually. It's "provide sufficient" -- this is pretty similar to most privacy laws that I've seen. Because you've got to collect data that's -- that is sufficient for the need that you're collecting it. You don't let them just sort of collect everybody's personal data, like date of birth, if it's not required for the task sort of thing.

So it needs to be sufficient, accurate, and subject to national safeguards for privacy. So that's cool.

So supporting stability -- it's interesting -- I like this wording here. They're obviously focusing on the fact that, you know, it's worldwide.

>>KRISTINA ROSETTE: Bruce, I would also -- I mean, I think they also -- let me revise that.

The -- one of the messages that I heard from the woman from RCMP yesterday was "timely."

>>BRUCE TONKIN: Yes. That's a fair comment, too. Yeah. And we've heard that a number of times, too, Kristina. So, yeah.

And I think that's particularly an issue across the board. Because I've pushed that issue in the past. And I think within a particular country, they've got quite strong powers, and they can get relevant processes going and make it happen. But they can't do it across national borders, essentially.

Okay. We just need to cooperate with each other. A very sensible recommendation.

>>PHILIP SHEPPARD: I think for me, the key thing they're saying is, actually, I think 3.1 is perhaps the most interesting part of this set of principles. Because of the earlier part of the document basically attempted to describe, okay, WHOIS was originally intended for "X." It's currently being used for all these things that we're listing. And in their principles, they're saying, "And all those things are obviously legitimate uses, so please accommodate them."

>>BRUCE TONKIN: Should reflect.

>>PHILIP SHEPPARD: Yes. And then they're saying -- and quite rightly so -- there is a privacy thing, which is, do this, but only the data that is sufficient for -- for those purposes, and no more. So that's the limiting thing here.

>>BRUCE TONKIN: The what? Sorry, Philip.

>>PHILIP SHEPPARD: The -- having said, "And all those uses, all those new uses are legitimate," --

>>BRUCE TONKIN: Yep.

>>PHILIP SHEPPARD: -- they're then saying, "However, only collect data sufficient to allow those new uses, and no more," because that's your privacy clause.

>>BRUCE TONKIN: Yes.

>>PHILIP SHEPPARD: And that's, I think, the structure of what they're saying.

>>BRUCE TONKIN: And this is where the balance comes in. And so if you look at what we've asked the working group to do, we're saying, you know, do we need to do something? Can we distinguish between the types of people?

'Cause interesting here, they haven't used natural persons; they've used individuals. But I don't know whether that's significant or not.

Jon.

>>JON BING: No. Just to emphasize that one of the major principles in the European data protection legislation is what they call the purpose limitation principle.

So from the purpose, you derive a limitation of the data to be gathered. And that is what's, I think --

>>BRUCE TONKIN: Yeah, that is, I guess, what you were saying, Philip, that --

>>PHILIP SHEPPARD: Yes.

>>BRUCE TONKIN: And that's the purpose of data collection. But then you still have to put safeguards in to stop it being misused, essentially, which is the comment they've got up here about their -- they believe -- I think this is a fair recognition that we don't seem to have seen from some parties in the past, that there is legitimate concerns around misuse of data.

So this is an interesting one here, too. I think they -- accuracy is always an issue with any database. And I think the key thing here is how do you reduce the incidence of deliberately false WHOIS information.

>>MIKE RODENBAUGH: I mean, the only way to do that is by registrant verification, isn't it? Better methods to verify?

>>BRUCE TONKIN: Yeah. I tend to think that one thing that's not that difficult from a cost point of view is probably at least e-mail verification. Because that's typically not done at the moment. In other words, someone types in an e-mail address. You send an e-mail to them, and then they reply, which is pretty common with subscription. You know, if you -- if I, I don't know, subscribe to a newsletter or something, usually that's what they do. We typically don't do that as registrars, though.

But that would at least -- it's relatively low cost for e-mail. You can obviously increase the cost by calling someone back on the phone number. But that's adding to the cost quite substantially.

>>MIKE RODENBAUGH: There's a variety of different methods I think we can look at. We were having this discussion in our B.C. meeting with the Microsoft -- Cynthia from Microsoft, in particular, had quite a few ideas about that.

>>BRUCE TONKIN: Of reducing deliberately false data?

>>MIKE RODENBAUGH: About registrant verification generally, the methods that you could use.

>>BRUCE TONKIN: Give me some examples.

>>MIKE RODENBAUGH: Oh, I'd rather defer and wait.

But it involved the phone, like you said; e-mail. There's organizations in the middle that can provide that between the credit card. You can go to the credit card that's being used to pay, that way.

>>BRUCE TONKIN: Yeah, but let me tell you how that gets --

[ Laughter ]

>>MIKE RODENBAUGH: I'm not suggesting we debate any of those. I'm just suggesting that the WHOIS group can take a look at the various alternatives.

>>BRUCE TONKIN: Yes. Quite often the data does match the stolen credit card, yes.

>>AVRI DORIA: And that's going to vary by country, too. I mean, what you can and can't do is going to vary by country.

>>BRUCE TONKIN: Yeah, go ahead, Maria.

>>MARIA FARRELL: Yeah, just when I've been looking at this document, it's very helpful, but it kind of -- it still leaves it to the WHOIS working group to square this impossible circle. Because what it does is it starts off by enumerating the current uses and the current legitimate uses of WHOIS. And then, basically, in the next section, it says these should be reflected in the definition, purpose, and operation of WHOIS, so, effectively, current uses equal the purpose of it, which, as Jon would say, from a data protection point of view, probably is backwards. Which is neither here nor there, but then it asks us to effectively, looking at what we've got in section 3, which is a bunch of things that effectively contradict each other, to figure out how to make WHOIS fulfill all these purposes, you know, by reflect- -- by observing national laws, and yet facilitation continues, timely access, et cetera.

So, you know, it's helpful that it gives us more information about how they think. I don't think it really helps us to figure out what we should do.

>>BRUCE TONKIN: I don't know --

>>MARIA FARRELL: Maybe I'm being pessimistic.

>>BRUCE TONKIN: I think you are being pessimistic. I think it's a fairly clear statement of what they think legitimate activities are, which actually helps rather a lot at the moment. Because there's a lot more activities than that that use WHOIS.

>>AVRI DORIA: Bruce, I think if you look at it like an engineering requirement statement, --

>>BRUCE TONKIN: Yes.

>>AVRI DORIA: -- what it's basically saying is, the WHOIS service should meet the following requirements, and you guys have got to build a tool, an operational environment --

>>BRUCE TONKIN: Exactly.

>>AVRI DORIA: -- that meets those.

So this is WHOIS tool version 3 in a revised WHOIS service. But it really reads like a requirements document to me.

>>BRUCE TONKIN: Which -- It does. And that's what I like about it.

>>AVRI DORIA: I figured that.

>>BRUCE TONKIN: Yeah. Because it's a lot clearer on that. And then it allows you to address it in terms of solutions. Because you can say, okay, we're providing this level of data for just open -- you know, anybody. And then we're saying we provide this level of data for these guys, if you fit into one of these categories. And then we have this mechanism to deal with individual protection.

Because that's important there, that it's not just any data; it's individuals' privacy that you then go down to the third level, if you like.

>>AVRI DORIA: And the last point is, most users' requirements documents are impossible when you first look at them.

>>BRUCE TONKIN: So then you prioritize, and then you remove the requirements that are too expensive to implement.

>>AVRI DORIA: I said "when you first look at them."

>>BRUCE TONKIN: That's right. Okay.

But I think this is something that needs to be dealt with in the policy.

Now, I think the approach at the moment is that the e-mail address verification is done after a complaint, I think. No, after the data is updated after a complaint. And I'm only speaking personally, because I know registrars probably don't agree with this. But I tend to think you need to perhaps strengthen it up-front to at least get the e-mail address right. Because that's the primary mechanism we use to communicate.

>>AVRI DORIA: Kind of like we do when we subscribe to a mailing list.

>>BRUCE TONKIN: Yeah. That's what I'm suggesting, yeah.

So what the registrars are saying is they only do that after there's been a complaint and when they get the data updated, as opposed to doing it for every registration.

But, you know, newsletter mailing lists and things like that are pretty widely used in the Internet. I mean, it does add an issue there. It does have a financial impact, because people have spam filters and the e-mail that goes out doesn't get picked up and all those sort of things. So it certainly has an impact.

>>AVRI DORIA: And it has no real --

>>BRUCE TONKIN: But it's just a matter of how you want to balance it.

>>AVRI DORIA: And it has no real effect, because I can quickly create a Gmail or some other account, get my verification, and then ditch the account. So --

>>BRUCE TONKIN: Yeah, and then the data -- and then the address doesn't work anymore.

>>AVRI DORIA: Exactly.

>>BRUCE TONKIN: What do you reckon -- I mean, Yahoo! obviously has all sorts of -- well, large numbers of small business users, I suppose. But do you think it should be by default that you do a check for their e-mail address? Or just in response to a complaint?

>>MIKE RODENBAUGH: I have to speak personally on that. But, yes, I do think that you should at least verify the e-mail address. Yes, it's still going to get gamed, but it will also improve the accuracy at very low cost, I think.

You know, you just warn the user, the registrar needs to warn the user that they need to expect this e-mail and go get it, you know. I don't think spam filters kill things. They just move them to a different folder. You can find them.

>>AVRI DORIA: And in many places, if you have gamed the e-mail, it'll fall into that same repetitive -- I mean, people use the same names thing. And in some countries, you'll have committed a crime in doing the false information on the e-mail account. So....

>>BRUCE TONKIN: Yeah, and the only other thing I would say, having, you know, looked at various abuses is, actually, the e-mail address works. It's 'cause the credit card doesn't do anything with the e-mail address. It's a stolen credit card, the address details match that stolen credit card, but the e-mail address works. And it's usually an e-mail address with a, you know, suitable provider that there's no cost involved in the transaction, let's say. In other words, it's a free e-mail address from somebody.

Kristina.

>>KRISTINA ROSETTE: Just kind of following up on your comment -- and I realize that it may have been kind of offhand -- but if it is the case that, you know, of all of the information it's usually the e-mail address that's correct, then why would we consider the e-mail address to be deliberately false WHOIS information?

>>BRUCE TONKIN: Well, that's right. That's what I'm just saying. Yeah, this is the thing. It's --

>>KRISTINA ROSETTE: Because in most cases, you know, for the purposes -- and I'm -- for the wide range of purposes that I use WHOIS, in many cases, the e-mail address is least relevant to me. Because if the e-mail address is correct, it could be anything. And it doesn't necessarily mean -- you know, could be Mickey Mouse at, you know, Mouseketeers at Gmail.com.

>>BRUCE TONKIN: It doesn't tell you anything about the person.

>>KRISTINA ROSETTE: It doesn't tell you whether the rest of it is false or not. That's my point.

>>BRUCE TONKIN: Yeah. Because it's not false. In fact, it's correct.

And the only thing that verification does, I suppose, is check for errors in the e-mail address, which is more common. People commonly -- what a lot of registration processes do is get you to type the e-mail address in twice, because they figure the first time around, you're probably going to misspell something. And if you can get it done twice correctly, then it's probably right.

But usually they have a live e-mail address.

But just picking up what the antiphishing person was saying the other day, which is also true, is that that correct e-mail address does correlate across registrations, though. So you can see that these five registrations have all got different other stuff, but the e-mail address is common, so you know it's probably the same entity.

Like, even if it is a -- I'm just conscious, because since I mentioned a free provider, I'm going to get myself in trouble with whoever provides that service. But, typically, it will be some junk at whatever free provider address it is, but that junk is often used across lots of registrations, yeah.

So, yeah, maybe it means that it's not worth doing -- the verification up-front probably just verifies that it works, it's correct from that point of view. But, yeah.

"The ICANN community" -- this is the Marilyn Cade clause.

Gather what information?

That's nice. I understand that. But this is a --

>>CHUCK GOMES: That's the Suzanne Sene suggestion that she shared with the GAC.

>>BRUCE TONKIN: Yeah, but they got -- which she got from Marilyn.

>>CHUCK GOMES: At the beginning of the processes; right.

>>BRUCE TONKIN: It was what she got from Marilyn, yeah. Marilyn drafted this, gave it to Suzanne, and that's how it got there.

Yeah, I don't think that adds a lot of value at this stage, just the way it's worded -- I don't mind getting more information, but, again, what information. It comes back to the comment I was making when we were talking about criteria for council members and things.

You've got to specify, what are you looking for. Are we looking at incidents of accuracy?

The interesting thing is, I think if you did that, it's probably relatively good compared to other comparable databases when you're measuring over 40 million registrations or something.

>>MARIA FARRELL: It seems a bit --

>>PHILIP SHEPPARD: I suspect the purpose --

>>MARIA FARRELL: Sorry, Phil. Go ahead.

>>PHILIP SHEPPARD: I suspect the purpose behind this is attempting to inform. I mean, the whole point in the whole exercise we're doing is this balancing act between privacy and access and the public interest.

And I suspect the purpose behind the request is to try to inform the relative harm on either side, you know. In other words, the relative harm for those list of public interests that are there, versus the relative harm in terms of abuse of privacy.

>>BRUCE TONKIN: Yeah.

>>PHILIP SHEPPARD: So that's the -- that's the attempt --

>>BRUCE TONKIN: Yeah, I understand you're trying to balance those two things.

But I think the rest of these recommendations are fairly clear in that they say, "Here are some legitimate uses. And we acknowledge there's some misuse." And I don't think that changes the work you do in the WHOIS task force.

But, separately, I think it is useful to know, I would like ICANN to do some statistical work and actually get someone to craft it properly in terms of crafting the requesting the work.

But you can, I think, statistically do some analysis on WHOIS data and at least identify, based on the data, whether it appears to be an individual's data or a company's data, for example, which could be useful.

Now, all that will do is tell you information about the data. But you've also got to realize that will probably show a disproportionately high use of individuals. And the reason for that is that a lot of people when they register a domain name use their individual name instead of their company name when they fill in the details. And so it's actually a company. But it'll actually come up as, you know, Bruce Tonkin at 120 King Street, Melbourne, which is the address of the company office.

>>CHUCK GOMES: Well, also, you're going to have proxy registrations in there, too. Will they be treated as a company? Probably depending on how the proxy registration is registered.

>>BRUCE TONKIN: So you've got to write the request fairly carefully. But I think that's some data that you could do just to identify the number of individuals there as a sample. And I think that would be useful with respect to the third element that we're working on, is, can you distinguish individuals versus companies. What are we using, natural persons versus --

>>PHILIP SHEPPARD: We had both.

>>AVRI DORIA: Yeah, we actually haven't figured out which we're using yet.

I think there's another piece to this, which is, if you're defining, which we are, a whole new service or something, you want to basically define certain metrics and certain things that you can use to see how you've done and to tune it as time goes on.

It's recognizing how complicated the balancing's going to be, and whatever gets created needs a metric to see how it's working and to see if it needs to be further discussed and changed in future.

>>BRUCE TONKIN: So let's just -- I just want to sort of give a little bit of an example.

But I'll get people to just throw some names up and I'll look up the WHOIS. We'll just see a very fast, random sample as to how many of them have a company name versus an individual.

>>KRISTINA ROSETTE: Before we do that, I just have a quick suggestion.

I would imagine that -- and, granted, it's self-selection, -- but possibly a good place for staff to start would be the WHOIS data problem reports. Because those would identify who the registrant is identified as being and what address they're identified as having and what the problem is with the domain name, with the WHOIS data.

>>BRUCE TONKIN: So what that would tell you is the proportion of complaints. So this -- that's the thing, you've got to be very careful when you're representing data what it is.

>>KRISTINA ROSETTE: Right, right, right.

>>BRUCE TONKIN: So that's not a representative sample of WHOIS; --

>>KRISTINA ROSETTE: Right.

>>BRUCE TONKIN: -- it's a representative sample of WHOIS complaints.

>>KRISTINA ROSETTE: Exactly.

>>BRUCE TONKIN: Right. As long as you characterize it that way, that's fine.

>>KRISTINA ROSETTE: Yeah, absolutely.

>>MARIA FARRELL: We've actually done quite a bit of research on this already. Dave Piscitello, the SSAC fellow, presented some research that he'd done from -- I think it was August and September last year, to the task force, the WHOIS task force. And he had gone through I think it was about 3,000 registrations in Virginia, I think it was, and he went through them. And it was a very particular -- it was in the U.S. And he gave that data in a very detailed way. So we can recirculate that -- I'm wondering, can we at least meet some of the requests here by simply writing that as a paper rather than as a presentation? He came up with about one in seven registrants were individual registrations.

>>BRUCE TONKIN: I'll give you a classic example, because I've just chosen Kristina, and there she is.

So the registrant information for Kristina is actually Mercer Bank or whatever; right?

Now, that sounds fine. It's funny, it doesn't have anything to do with Kristina. And you look at that. And this is clearly a commercial pay-per-click site.

So that would be a classic case of, yeah, that's not really the kind of individual -- So if I'm doing a survey of WHOIS, I'll get a lot of that. It'll be an -- so you'll end up with a high portion of natural persons in the WHOIS, would be my guess, higher than you'd expect, just because they're not typically structured using companies and things.

>>MARIA FARRELL: Yeah, but the research that we actually did cross-referenced individual registrations against address details that he was able to find in the local Yellow Pages and White Pages. So, and he actually went by hand and went through about 7- or 800 of these things, having pulled them down to --

>>BRUCE TONKIN: 7- or 800 of what, though?

>>MARIA FARRELL: Registrations, from about 3,000. The methodology has gone out of my head at this moment. But he actually picked quite a big sample and cross-referenced it against other data to find out how many of these individual registrations were in that particular set.

>>BRUCE TONKIN: So you're saying there's some data that we can use.

>>MARIA FARRELL: Yes.

>>BRUCE TONKIN: But I guess I'm just saying, to inform some of the discussion about feasibility of some of these things, I think there is some statistically significant stuff you could do that would provide some data.

You could do some statistically significant stuff around accuracy about whether somebody is a company or a registrant as appears in the WHOIS data, as opposed to what's behind that. So I think that is useful.

But I think we've got to very clearly articulate the question and then get an idea of, I suppose, cost for doing that, which could be useful.

And then the useful thing is, if we did something like that, then what you want to do is the same thing again in a year's time and see if it's changed. 'Cause the other thing I think you'd see is that the number of individuals is increasing as a percentage. Again, that will be a little bit skewed by whether you consider a domainer to be acting in their individual capacity or not. But....

(inaudible) Security and Stability Committee.

But, yeah, most of the domainers use real data, because it's valuable names, you know. Yeah.

>> (inaudible).

>>BRUCE TONKIN: That's all right. He's (inaudible).

It's like asking police. You know, for them, everybody in the world is a criminal.

>> Bruce (inaudible).

>>BRUCE TONKIN: No. Pretty much done. I just want to have a quick look at that report that -- It might be presentations, is it?

>>CHUCK GOMES: While he's doing that, Glen, do we know when our next council meeting is?

>>GLEN DE SAINT GERY: I'm just busy (inaudible). It will probably be on the (inaudible). 12th of April. 12th of April.

>> At what time?

>>GLEN DE SAINT GERY: The time changes, so it will be 12:00 p.m. (inaudible), which is 8:00, which is very early for you in (inaudible).

>> Thank you.

>>GLEN DE SAINT GERY: You've changed places with Bruce now.

(inaudible) in L.A., it will be (inaudible).

>>AVRI DORIA: What time did you say UTC?

>>GLEN DE SAINT GERY: 12:00.

>>AVRI DORIA: 12:00 UTC.

>>CHUCK GOMES: How about the meeting in May?

>>GLEN DE SAINT GERY: And the meeting in May (inaudible).

>>AVRI DORIA: She said 12:00 UTC.

>>CHUCK GOMES: 24th?

>>GLEN DE SAINT GERY: Yes.

(inaudible) on the 17th of May.

>>CHUCK GOMES: The reason I was asking is also for the reserved names working group, 'cause Liz and I were talking about timing on that.

>>GLEN DE SAINT GERY: The 17th of June --

>>AVRI DORIA: We're four hours off of UTC at the moment on the East Coast.

>>CHUCK GOMES: Well, we've got to be -- of course, we may need a special meeting, anyway. But if we want to get the recommendations for new TLDs to the board with time for them to consideration, it's got to be -- well, how much in advance does it have to be?

>>LIZ WILLIAMS: It has to be done by the (inaudible).

>>CHUCK GOMES: That's not 30 days.

>>LIZ WILLIAMS: Try to get it within 30 days.

>>CHUCK GOMES: Oh, within 30 days. Gotcha. I didn't hear you.

>>GLEN DE SAINT GERY: Then we have the meeting just before (inaudible).

>>LIZ WILLIAMS: We've got a lot to get done, so I suggest we do it.

>>BRUCE TONKIN: So let's just pick up some of the stuff that Dave did here in the security committee.

He's basically saying personal contacts, he did 5,000 records. He said 9% were personal contacts, 6% were a domain name business. So I assume he's talking about domainers there. 3%, home-operated business. And 14% he couldn't work out.

Then he -- then of the 4,000 records used in the study, 24% were missing the phone number.

It's kind of -- these are pretty bad errors, really, because this is not -- you know, this is missing the data.

>>LIZ WILLIAMS: Yeah, as opposed to --

>>BRUCE TONKIN: Because that's something -- that should be more of a compliance thing. If a particular registrar has got that much but no data --

(inaudible).

>>BRUCE TONKIN: So -- it's on the ICANN Web site. But yeah.

>>CHUCK GOMES: The fax stat probably isn't too surprising.

>>BRUCE TONKIN: You don't have to articulate that. But the other ones seem to be -- some of those are pretty high.

>> What was that percentage of business users again?

>>BRUCE TONKIN: This is -- this is incomplete records out of the total number.

This one here was --

>>AVRI DORIA: 60-some-odd percent, wasn't it? 56% were business?

A lot of them didn't have faxes.

>>KRISTINA ROSETTE: Just out of curiosity, very frequently, if I'm pulling up a name, if I'm grabbing a name through a SnapNames auction, it will be registered in my own name as the registrant, but it'll have my company name and address.

Under his, how he did it, would he have classified that as a business? Do you know?

>>BRUCE TONKIN: Don't know. He's actually -- I'll send this around. He essentially explained what he was doing. But other than that, you can just send him an e-mail. He'll tell you.

>>CHUCK GOMES: Bruce, there is one more thing, and we haven't even got enough councillors here to act on it. But we -- April 12th is going to be too late to take action on the reserved names working group extension.

So what's the -- Do you think you can do that by e-mail?

>>BRUCE TONKIN: You tell me what you want us to do.

>>CHUCK GOMES: Well, I sent around, if you're online -- it's not a full motion. I didn't try to craft a full motion. But I sent around a -- at least the work language there in outline format, so you can take a look at that. And that was basically in response to the guidance that we -- that you gave us on Saturday. Saturday, Sunday, whenever.

>>BRUCE TONKIN: Yeah, I'll have a quick look, yeah.

I mean, I'm not -- I don't know that it needs to -- I don't know that you necessarily need to convene the group. It's up to you, I guess.

>>CHUCK GOMES: Well, there are some areas that we're going to need more work before -- The ones that are just going to be reworded, you're right.

>>BRUCE TONKIN: Yeah, that's what I was thinking.

>>CHUCK GOMES: But that's not -- if you'll look through the categories there, there's -- there are several of them that -- you know, when it's just restating the recommendation, that's one thing. But -- and there are several in that category. But single- and two-character reserved names, there is some refining of the guidelines.

Geographical and geopolitical are going to need a little work there. And gTLD names at the second level.

>> (inaudible) just one comment that I had. (inaudible).

>>CHUCK GOMES: Is that a question to me or the group?

>> It's a question I'm asking (inaudible).

Besides suggest policies the council would adopt within a PDP; right?

>>BRUCE TONKIN: Yeah, I -- there are some slight variations in that, but yeah. If we're actually creating it as a policy, it does need to go through all the sort of public review processes and things of a PDP.

If we're creating as a guideline for the initial drafting, there is a names group, rather, as we're asking staff, and saying, come up with a list, and here's the list, that's kind of the way the working group has drafted at the moment.

But if a policy becomes -- it becomes binding on everybody, registry, registrars, and ICANN, and so then for it to become binding, it goes through a process where we -- you know, we have a number of public reports and stuff.

I mean --

>>MIKE RODENBAUGH: I don't understand what (inaudible) -- does that mean we're just not discussing it anymore?

>>BRUCE TONKIN: Which is out of scope?

>>MIKE RODENBAUGH: Registry-specific names and other reserved names.

>>CHUCK GOMES: First of all, they don't apply to all registries. And reserved names (inaudible) were always -- they were (inaudible) in that respect.

>>MIKE RODENBAUGH: But if you don't say something about it now, then you can continue the process where some registries can reserve lists, there's no real requirements on reserving lists --

>>CHUCK GOMES: (inaudible) there is, and so forth. Again, like I said in the working group, what's wrong with that?

>>MIKE RODENBAUGH: Well, I think what's wrong with that is, we're putting -- you know, TLDs are intended for a community. We should know how a domain space is going to be used, to a certain extent. And what we're seeing is some registries are holding a long list of names, with no plan -- very valuable names -- with no plan, even years later now in the case of dot travel, to release them.

>>CHUCK GOMES: Not very many years later with dot travel.

(inaudible).

>>AVRI DORIA: Why isn't it within their business case?

>>KRISTINA ROSETTE: I don't want to put words in your mouth, but what -- my take on it, and correct me -- jump in where I'm wrong -- but at a certain point, depending upon how far from kind of their base name or mark, whatever the basis is, the reserve name is the more likely you are, I think, to run into a situation where you could have a potential TLD applicant that's going to pull in some of those names.

>>AVRI DORIA: That wouldn't --

>>CHUCK GOMES: I don't follow what you're saying.

>>KRISTINA ROSETTE: I'm thinking about the long list that I saw somewhere, that was -- and I forget which registry it was.

>>CHUCK GOMES: Yeah, Afilias had a list, a really long list.

>>KRISTINA ROSETTE: Okay, that might have been the one, that might have been the one where I was thinking it had so many variations and combinations with generic words that you could end up in a situation where, if somebody would want whatever one of those generic words is as a TLD, but then you guys punted that question, my group did.

>>CHUCK GOMES: Not necessarily. There was some discussion about whether that would be in that group. But, again, I'm not sure it is.

>>KRISTINA ROSETTE: Right. Right, right, right. Right.

But that's kind of the point, which I guess was not the point you were making. Never mind.

>>MIKE RODENBAUGH: (inaudible) transparency during the application process, at least the general intention to reserve (inaudible) name. So it's not all left out to (inaudible) after ICANN makes a decision whether to grant an application. And then before -- and then there's a requirement after the contract comes out that the registry come up with a plan as to when domains are going to be released so that they're not reserved --

>>CHUCK GOMES: So what you're suggesting is something for the new TLD process, not a reserved names list.

>>MIKE RODENBAUGH: Okay.

(inaudible).

>>AVRI DORIA: But are those actually, properly speaking, reserved names? I mean, reserved names seems to be the names that ICANN defines as names that can't be given out. Whereas these are names that seem to be -- I mean, I'm not normally one to speak up for business plans, but it seems to be something that would be within the prerogative of someone's business plan of beyond the names that are prohibited by ICANN, what they do with the rest of them.

>>MIKE RODENBAUGH: Well, so long as there's some transparency that that's their plan, I think at least if I were judging -- (No audio).

>>AVRI DORIA: -- business plans generally available? I mean, I know ICANN has verify, but those things aren't published; right?

(inaudible).

>>AVRI DORIA: The application with the business plan is not published?

>>BRUCE TONKIN: They have been historically published, yeah.

>>AVRI DORIA: Okay.

>>CHUCK GOMES: We cut back on, remember, that whole requirement, the operational plan, the business, and financial, and so forth. It's not a comprehensive business plan, like --

>>AVRI DORIA: Because it does --

>>CHUCK GOMES: -- in other rounds.

>>AVRI DORIA: Because I guess I see the balance as, I do see it as part of the business plan of that. And so if it is published -- if the rest of the business plan has to be visible, then, yeah, it would make sense that this was, too. And I think it falls within that same category of consideration.

>>BRUCE TONKIN: Yeah.

>>AVRI DORIA: Because it is a business thing. And it's, are you showing your plan and how you plan to sell things. And if you need to do that, then, yeah, I would agree with you, it needs to fall into that kind of category.

>>BRUCE TONKIN: Okay. Well, I'd like to close this meeting down, because I've -- my brain's past the point where I can even engage.

I suggest that, Chuck, I'll have a look at that motion on the list. And if it makes sense, I'll just, you know, allow council members, if they have any concerns, to express it on the mailing list. If it looks reasonable, I think we'll just go ahead and do it, just like we have done with observers. And I think the extension is within the intent of what the council would want to do, I think.

>>CHUCK GOMES: I'll wait to hear.

>>BRUCE TONKIN: So wait to hear from me on that front.

So at this point, I'll close the meeting, and we can turn off the audio recording, so you can let fly now.

(Meeting concluded.)