[council] Fwd: Clarification of SSAC position re Board's postion on ALAC letter on "front-running"

[Avri Doria <avri@xxxxxxx>]

Hi,

After I sent my message to this list, I forwarded a copy to Steve for  
his information.  This is his reply to that message.
a.

Begin forwarded message:

> From: Steve Crocker <steve@xxxxxxxxxxxx>
> Date: 5 April 2008 19:35:58 GMT+02:00
> To: Avri Doria <avri@xxxxxxx>, Robert Guerra  
> <rguerra@xxxxxxxxxxxxxx>, Chris Disspain <ceo@xxxxxxxxxxx>
> Cc: Steve Crocker <steve@xxxxxxxxxxxx>, ICANN SSAC <ssac@xxxxxxxxx>,  
> ICANN Board of Directors <icann-board@xxxxxxxxx>
> Subject: Clarification of SSAC position re Board's postion on ALAC  
> letter on "front-running"
> Avri,
>
> Thanks for referring your note to me for comment.  I'll try to  
> clarify our thinking on this matter.  There are several different  
> dimensions, each of which deserves a few moments of attention, so  
> this note is a bit long.  I've tried to structure it for easy  
> navigation.   The sections that follow are:
> o Background correspondence
>
> o Discussion of whether front running exists and SSAC's finding to  
> date and our next steps
> (Mixed results and lots of controversy.  More work needed.)
>
> o Discussion of whether whether is prohibited, irrespective of  
> whether it exists
> (Big surprise, at least to me, is that we don't seem to have either  
> an explicit prohibition nor even a shared ethic within the community.)
> o Discussion of what parts of the ICANN family should be involved,  
> and a process issue?  (And, in particular, what's SSAC's role.)
> (This is a "consumer protection" and, perhaps, a "privacy" issue.   
> Does this have a distinct and unambiguous home?)
>
> I have cc'd the Board and SSAC, and I invite you, Robert Guerra to  
> share it with the GNSO, the ALAC and the ccNSO, respectively.  (I  
> don't mind if it's shared even more widely, but I think these are  
> the primary constituencies involved at the moment. )
> Cheers,
>
> Steve
>
> = 
> = 
> = 
> = 
> = 
> = 
> = 
> = 
> ======================================================================
> BACKGROUND CORRESPONDENCE and DOCUMENTS
>
> Here's your note to me.
>
> On Apr 5, 2008, at 6:10 AM, Avri Doria wrote:
> > FYI
> >
> > Begin forwarded message:
> > > From: Avri Doria <avri@xxxxxxx>
> > > Date: 5 April 2008 09:46:08 GMT+02:00
> > > To: Council GNSO <council@xxxxxxxxxxxxxx>
> > > Subject: [council] Board's postion on ALAC letter on "front-running"
> > >
> > >
> > > Hi,
> > >
> > > I have put this on the list of topic for our next agenda.  It  
> > > might be worth having some preliminary discussions on list.
> > > References:
> > > - ALAC letter: <http://gnso.icann.org/mailing-lists/archives/council/msg04857.html 
> > > >
> > > - Discussion under 11 Other business: <http://www.icann.org/minutes/prelim-report-27mar08.htm 
> > > >   Board's Disposition:  "The Chair determined that emergency  
> > > action is not required today but the matter will be referred to  
> > > the GNSO for additional information or policy development if  
> > > necessary, but not an emergency action."
> > >
> > > My first questions:
> > >
> > > - Do we want/need to request an issues report?
> > > - Do we want to request advice from SSAC on the degree to which  
> > > this is a threat to Stability and Security as stated in the ALAC  
> > > letter.  SAC22 of Oct 07 <http://www.icann.org/committees/security/sac022.pdf 
> > > >  spoke of it as being possibly contrary to core values but I do  
> > > not read their report as calling it a threat.  Though the report  
> > > does seem to indicate that further investigation of issues  
> > > surrounding the practice could be investigated further.
> > > thanks
> > >
> > > a.
> The ALAC letter referred to above asks the Board to take immediate  
> action to curtail "domain hold," "cart-hold" and/or "cart-reserve"  
> activities such as Network Solutions and others have recently begun.
> You also reference SSAC report SAC 022.  That report is the first of  
> two of our reports (SAC 022 and SAC 024) so far on front running.  See
> http://www.icann.org/committees/security/sac022.pdf
> http://www.icann.org/committees/security/sac024.pdf
>
> In SAC 022, we pointed out that checking the availability of a  
> domain name can be a sensitive act which may disclose an interest in  
> or a value ascribed to a domain name and we suggested to potential  
> registrants that domain name availability lookups should be  
> performed with care.  We also noted there does not appear to be a  
> strong set of standards and practices to conclude whether monitoring  
> availability checks is an acceptable or unacceptable practice, and  
> we called for both public comment and policy development within the  
> appropriate bodies.
> In SAC 024, we reported that after receiving more than 100 inputs  
> over a two and half month period, we were unable to develop  
> definitive evidence that front running is actually taking place.   
> However, in discussions with Network Solutions regarding their newly  
> instituted practice of placing a hold on names being checked for  
> possible registration, Jon Nevett suggested that one or more  
> registries are possibly selling that information to domain name  
> tasters.  The chain has a couple of steps.  When a potential  
> registrant types in a name at NSI's web site to check for its  
> availability in one domain, e.g. within .com, NSI, like many other  
> registrars, automatically checks whether that name is available in  
> several other domains.  They do so by forwarding the name to each of  
> the respective registries, and this provides an opportunity for one  
> or more of those registries to pass along that stream of queries to  
> a business partner who may be interested in registering it while the  
> original customer is still thinking about it.  Here are Mr. Nevett's  
> comments in the transcript of the SSAC meeting in New Delhi on  
> February 13, 2008, http://delhi.icann.org/files/Delhi-WS-SSAC-13Feb08.txt 
>  .
> > So what's been happening -- and we have information about this --  
> > is domain name tasters register names in vast bulk and then they  
> > taste the names and only keep a very small percentage of the names  
> > that warrant purchasing because of traffic or pay per click.  So  
> > the domain name tasters are looking for various sources of data.   
> > They look for bulk data wherever they can find it.  The theory is  
> > that there were certain ccTLD registries that because when a  
> > customer comes to almost all registrars Web sites and asks for a  
> > name, [the registrar] will look at various dozens of different TLDs  
> > and see if the name is available.  So one of the ccTLDs, for  
> > example, or maybe a gTLD, will be selling the data to front runners  
> > and tasters.  So the tasting line is probably synonymous with the  
> > front-runner line.  So what happens is they register these names in  
> > advance of customers, and then they taste it.
>
> As you noted in your message, the Board declined to take emergency  
> action and referred the matter to the GNSO for possible policy  
> development.  (See the last section of this note for a comment on  
> policy development.)
>
> ======================================================================
>
> DOES FRONT RUNNING EXIST?
>
> As noted above, the data is inconclusive.  Jay Daley, CTO of  
> Nominet, reported he had looked closely at this question some time  
> ago and concluded it simply wasn't happening.  Others have suggested  
> privately that it really does happen on a fairly significant scale.   
> Because there is a very high level of tasting, it may be hard to  
> sort out how many instances of apparent front running are just due  
> to "background radiation."  And then we have Mr. Nevett's assertion  
> that one or TLDs is actively involved in this process.
> We expect to explore this a bit further.  We are still formulating  
> specific plans on how to proceed, and we are open to suggestions and  
> offers for how to gather information efficiently, effectively, and  
> accurately.
> =====================================================================
>
> IS FRONT-RUNNING PROHIBITED and DOES IT AFFECT SECURITY OR STABILITY?
>
> As we noted in SAC 022, we do not see any coherent and specific  
> framework that suggests front-running is prohibited.  I believe the  
> Registrar Accreditation Agreement has language related to the proper  
> use of registration data, but that applies only after a registration  
> is complete.
> Practices and expectations vary from field to field.  In certain  
> professions, particularly law and medicine -- and my experience is  
> primarily in the U.S. -- there are very strong rules governing the  
> privacy of information provided by a client or patient.  There are  
> also strong rules governing the protection of customer information  
> among stockbrokers.  If I ask my stockbroker about a particular  
> stock, it's considered unethical for him to use that information to  
> buy or sell that stock for himself or to help others to do so.   
> However, in our industry, I have not seen any similar explicit  
> statement of principle nor an explicit set of rules prohibiting  
> front-running and related practices.  Thus, even if we were to find  
> reliable, concrete information that front-running is taking place,  
> it's not clear there is any basis for stopping it.
> "Security and Stability" is a mantra invoked with specialty gravity,  
> and there is sometime debate about whether a specific issues does or  
> does not fall into this category.  I think it's hard to argue that  
> front-running, if it exists, is affecting the overall security or  
> stability of the domain name system, although one might imagine  
> fairly severe consequences if the practice existed and affected a  
> very large fraction of the potential registrants instead of only a  
> relatively small number.  I emphasized "system."  From any  
> particular user's perspective, if someone has swiped a name he is  
> looking at, the impact on him or his business could be very  
> substantial.  Is that a "security" matter or a " consumer  
> protection" matter, and is there a strict distinction between the two?
> I would argue that if there is a structural bias against consumers,  
> that it's appropriate to consider that to be a weakness in the  
> security of the system.  On the other hand, if a consumer has been  
> dealt with unfairly by a particular party, and there's no general  
> bias built into the system, that's a specific consumer protection  
> issue.  I'm not sure whether everyone else would choose to draw the  
> lines in the same place.
> There is a secondary and slightly subtle element of security here.   
> Efficient and effective markets depend on reliable information and  
> trustworthy behavior.  If there is a general perception that a  
> market is dangerous, the market may shrink and the results for the  
> buyers and sellers who are in the market may be inequitable.   
> Building and preserving confidence in a market is thus an important  
> aspect of "security."
> I don't think we've thought enough about this as a community, and I  
> would like to see some deeper thought and discussion.
> Returning to the specific matter of front-running, I find it odd and  
> dangerous that our framework of core values, principles, rules and  
> contracts does not address such practices explicitly.  I think this  
> is a weakness in our overall framework and should be fixed.
> =====================================================================
>
> WHO SHOULD BE INVOLVED?
>
> I don't see any single group as being the sole owner of these  
> issues.  We certainly don't view this as the sole purview of SSAC  
> and we would be delighted if others are involved.  The GNSO has a  
> natural role because the registrars and registries are primary  
> actors.  At the same time, the people most strongly affected by  
> weaknesses in the process are potential registrants, and it's not  
> clear who speaks for them.  ALAC, in its letter to Board, is  
> certainly taking a strong position.  And this issue is not limited  
> to the gTLDs and ICANN-accredited registrars.  The ccTLD community  
> presumably has the same issues.
> In our reports to the Board, we suggested other groups look at these  
> issues.  Dan Halloran recently drew our attention to section 1.c in  
> By-Laws Annex A: GNSO Policy-Development Process:
> Advisory Committee Initiation. An Advisory Committee may raise an  
> issue for policy development by action of such committee to commence  
> the PDP, and transmission of that request to the GNSO Council. (http://www.icann.org/general/bylaws.htm#AnnexA 
> )
> With some chagrin, I admit we hadn't realized there was a direct  
> channel for SSAC to forward to the GNSO a formal request for the  
> GNSO to commence the PDP.  Would you find it helpful for us to send  
> our recommendations to you in this form?
> Irrespective of whether we send you a formal recommendation, I hope  
> this note has provided some useful information.  We will be happy to  
> discuss it further if you desire.
> Thanks,
>
> Steve Crocker
> SSAC Chair