[dow3tf] TF3 - Best Practices Recommendations

["Brian Darville" <BDARVILLE@xxxxxxxxx>]

Here is a rough draft of some best practices recommendations and procedures for moving forward.  Please review these and send me any comments.

Best Practices

The surveys conducted by Task Force 3 did not result in any meaningful level of response that could serve as a basis for assessing best practices for improving data accuracy and verification.  Nevertheless, the Task Force compiled a list of preliminary recommendations for potential best practices and for further assessment of best practices. 

1)	ICANN should work with all relevant parties to create a uniform, predictable, and verifiable mechanism for ensuring compliance with the WHOIS-related provisions of the present agreements, and should devote adequate resources to such a compliance program.  The Registrar Accreditation Agreement makes the requirements clear.  See http://gnso.icann.org/issues/whois-privacy/raa-whois-16dec03.shtml.  However, this agreement is only as good as the level of compliance with it, and recent decisions by US courts indicate that only ICANN can enforce these agreements.  See Register.com v. Verio, Inc., 356 F.3d 393 (2d Cir. 2004)

2)	A Best Practices document geared toward improving data verification on a global basis should be developed through a continuing ICANN sponsored program.  ICANN should consider retaining an independent third party which could, on a confidential basis, gather the critical underlying data germane to assessing current data verification practices in the registrar and other relevant industries, as well as from selected ccTLDs.

3)	Automated verification processes should be employed for identifying suspect registrations containing plainly false or inaccurate data and for communicating this fact to the domain name registrant.

4)	Manual verification processes should be employed to identify domain name registrations that, on their face, appear to contain inaccurate or false data.  Presentations at the ICANN Rome Meeting made clear that such manual review and verification could be performed in a cost-effective manner.

5)	Where available automated address and contact databases should be consulted and used to check or verify apparently suspect addresses.

6)	Consideration should be given to inclusion of the "last verified date" and "method of verification" as Whois data elements, as recommended by the Security and Stability Advisory Committee.  

7)	ICANN should require registrars to develop, in consultation with other interested parties, "best practices" concerning the "reasonable efforts" which should be undertaken to investigate reported inaccuracies in contact data (RAA Section 3.7.8).  See http://www.dnso.org/dnso/notes/20030219.WhoisTF-accuracy-and-bulkaccess.html. 

8)	ICANN should ask each registrar to present a plan, by a date certain, for substantially improving the accuracy of Whois data that it collects.  The plans will be made publicly available except to the extent that they include proprietary data.  The plans should include at least the following features:

o	identification and public disclosure of a contact point for receiving and acting upon reports of false Whois data;

o	how the registrar will train employees and agents regarding the Whois data accuracy requirements;
  
o	how the registrar will take reasonable steps to screen submitted contact data for falsity, which steps may include use of automated screening mechanisms, manual checking, including spot-checking, and verification of submitted data;

o	when false data comes to the registrar's attention, whether through a third-party complaint or otherwise, how the registrar will treat other registrations in which the contact data submitted is substantially identical to that in the registration that has come to the registrar's attention;

o	how the registrar monitors the extent to which contact data submitted to it through re-sellers or other agents is false or significantly incomplete, and what the consequences are for re-sellers or agents whose performance is unacceptable;

o	 how the registrar evaluates compliance by its current registrants with the obligation to provide accurate and current contact data;

o	how the registrar measures performance in improving the quality of the Whois data it manages.

9)	Procedures should be considered for facilitating updates of or correction to Whois data including expedited priority handling of such requested updates.

10)	Once fully developed, ICANN should evaluate the pending IRIS protocol being developed by the CRISP working group.  

11)	Contracts should be amended to ensure that there is effective enforcement of the contractual requirements germane to domain name registration and the provision of accurate Whois data.  The RAA and gTLD registry agreements should be modified to provide for a regime of graduated or intermediate sanctions for patterns of violations by a registrar of the Whois data accuracy obligations of those agreements.  (This recommendation is without prejudice to the possibility that such a regime would also be appropriate for encouraging compliance with other provisions of these agreements.)

12)	The PDP with regard to the issues addressed by TF3 should mutate into an ongoing effort with the following goals:

o	Research and dissemination of information on practicable and cost-effective methods used to improve the quality of identifying and contact data submitted by customers in online transactions outside the realm of gTLD domain name registration 

o	Development of best practices within the realm of gTLD domain name registration for improving the accuracy, currency, and reliability of contact data in the Whois database 

13)	ICANN staff should undertake a review of the current registrar contractual terms and draft any changes needed to reflect the new policies and procedures ultimately adopted as the result of the current PDP. 

**********************

Regards,

Brian Darville
Oblon, Spivak
(703) 412-6426
bdarville@xxxxxxxxx