Last update: Sun Aug 17 22:48:44 CEST 2003
Donna Wentworth is blogging the ILAW event, again. (This will be the second time I'll be following the notes -- ironically, I missed the March session because I was at the other end of the same beach.)
Mon Jun 30 22:32:46 CEST 2003 #
... has already begun in Montreal: It's about the role of the GAC, with interesting implications for ICANN's contractual structure.
John Berryhill articulates optimism with respect to the appearance of an evaluation of the introduction of new gTLDs. He joins the cheerful Wendy Seltzer and (of course) the GNSO's CBUC which, while probably interested in learning from new developments, sticks to its principles for a responsible (and competitive) growth of the DNS.
Mon Jun 30 12:27:44 CEST 2003 #
Lawrence Solum has also been blogging from Montreal.
Sun Jun 29 17:46:05 CEST 2003 #
... so you can get the work done. One of the more disappointing aspects of the Montreal meeting was the lack of social events (i.e., opportunities for informal chat with many other participants): The only central event took place on Monday evening, and it lasted for precisely two hours. Other than that, the meeting broke up into little groups for the evenings -- which certainly was fun, but less productive than, say, the open-for-all Verisign event in Rio.
Sun Jun 29 12:52:23 CEST 2003 #
ICANN's draft RFP on the establishment of new sTLDs came as a surprise during the Montreal meeting -- in particular the part of it which would restrict this new round to those whose applications for sponsored gTLDs failed in the 2000 round of new gTLD additions. This seems remarkably at odds with what one would have expected after the public forum discussions in both Amsterdam last December, and in Rio this March.
Observations and comments on this so far: Milton Mueller reporting from Montreal; ICANN's public comment forum on the issue (RSS feed here and in the sidebar); Wendy Seltzer hitting the nail right on its top.
Sat Jun 28 15:41:13 EDT 2003 #
The board has just adopted the ccNSO bylaw provisions by acclamation, after some discussion about a last-minute amendment which had been introduced by Andy Müller-Maguhn, but was not adopted. The board is now having a break, in anticipation of "considerable" debate about the new sTLD RFP.
Thu Jun 26 09:22:08 EDT 2003 #
The correct address for submitting comments to the WHOIS workshop is WHOIS-WORKSHOP@ICANN.ORG. Apologies for blogging a wrong address earlier on.
Wed Jun 25 09:41:13 EDT 2003 #
The first of the panels is up on the stage. First question -- "is it working?" Jeff Neumann from the gTLD registries notes that it's probably working as it was originally designed to work. Sarah Deutsch: Question is like "is the space shuttle flying." Still picking up the wreckage. Huge problems. The way people need it now it's not working. Inaccuracy. Verizon sees legitimate tensions between large corporations with business interests, IP owners, and sensitive privacy concerns. Points to recent Verizon/RIAA case. Accuracy. Too much fraud. ... Third-party registration through proxy services -- ISPs can provide that. Tiered access interesting if technical issues can be worked out. Major tension -- Congress may turn to WHOIS when done with spam. Legislative solution that's not as palatable to people in this room as well as working out the issues here. Tom Keller: Still working quite well for original intent -- can look up technical contact. Law enforcement etc. are totally different things -- should this be fulfilled by service such as WHOIS? Laws to which registrars and partners have to abide by. Can provide data firsthand to law enforcement. Misconception that you have to force people to display the data if they want to have a registration. Wichard (WIPO): From IP perspective, WHOIS is not all bad. Quite important, crucial function. Help prevent and resolve IP conflicts in the DNS. Shortcomings. Inaccuracy. Fragmented access -- need portal. Need search services.
Second round. Other services? Wichard: Not aware of any other readily available source in addition to WHOIS databases. Value-added services based on bulk access. Nothing available. Can inaccuracy be overcome by increased enforcement? Could improve, but won't prevent inaccurate data. Ability to enforce RAA? Question to ICANN itself. But, conceptually, yes. RAA contains enforcement mechanisms. (Wichard gives an incorrect account of 188.8.131.52.) Does not apply to ccTLDs. Donohue: Is there an alternative? Yes, of course. Primary place to look to identify online business is the web site itself. Businesses should be identifying. Unfortunately, not the practice. Not interested in providing accurate contact information right on the web site. WHOIS data key to successfully locating site operator. Enforcement agencies who are trying to police may have other tools -- subpoena etc --, but slow; cross-border issues. For consumer, if web site is not helpful, there may be no other reasonable alternative for trying to locate the owner of the site. With respect to questions about RAA, OECD has done paper on consumer policy considerations on the importance of accurate and available whois data. One of the suggested approaches at the end talks about the possibility that where a domain name holder has provided false contact information, that the domain name be suspended and rather than making that optional that that be a mandatory requirement; one of the ways RAA may be amended in order to help improve accuracy. Re ability to properly police, question for ICANN. Recent efforts have been helpful; whether they're enough, is an open question. LoGalbo (DoJ): Law enforcement needs open whois data to fight crimes. Fraud, piracy, child pornography. Every other source requires legal process. Simplest form is subpoena, sometimes have to get court order. Difference between getting subpoena and serving it and direct, immediate access is night and day.
Mithal yesterday talked about FTC surf days. Very effective means of law enforcement; impossible without full access to the WHOIS database. Traditionally, have to open a case file in order to even request subpoena. Depend on actions of party. Sometimes need to make motion in court to compel compliance with subpoena. Injecting delay and costs and resources. Heard Maneesha talk about the need for speed wrt fraud. Relevant for other types of crime. Cross-border: Legal process creates substantial delay and complexity. Tools available need updating. Technology has outstripped law in this context. Streamlining the methods for international cooperation is laborious, involves institutional changes. Treaties etc. COE cybercrime convention. No alternative to open, public whois service. On enforcement, need intermediate remedy, something more realistic than total revocation. Hard for ICANN to police RAA when only option is nuclear. ... Andy Müller-Maguhn: LE asks for public access? Accredited access for LE agencies instead of public access? LoGalbo: No. As soon as it's unpublic or accredited, then process requirements arise. Slowdown, delay. Important that others have access. IP holders. Consumers. LE cannot do it all. Hundreds of civil claims. ... Alonso Blas. Will try to be short. Be very clear -- need to balance different interests. Make sure that those who really need to get access should have access to the information. On the other side, have to balance the need to protect human rights, including protection of privacy. If there is another solution that gives those who need access access while protecting individuals, look for that. Solution proposed by Andy could be one. Proportionality. RAA policing? necessary to police whole package of obligations, not just accuracy, but also privacy. Need to improve privacy provisions. Policing part of it without the other would not be fair for individual.
Neumann: Question for LE -- If provision or display of WHOIS is violation of law for registry or registrar, is that acceptable to catch others that are breaking the law? Needs to be considered. Have heard for years the importance of whois information etc. Question: Does registry or registrar break law to provide whois information so you can catch others who break the law. Get law changed before requiring registry to break law. LoGalbo: Can't disagree. If you think you have law which doesn't make access available, change that law. Analysis backwards -- bring law in line with reality, not change RAA. Sarah Deutsch: LoGalbo made point that database be open because more convenient than subpoena. Convenience isn't all. Fair process needed. Complying with subpoenas complicated and expensive. Having information available is easier than having subpoenas.
Alan Wong: Expectations not anticipated when system was put in place. Balancing, changes to RAA? Tom Keller. There are contracts. Have to display certain data. Privacy rules are not allowing to do that. Bound to local law, and still want to conduct business. Would change of RAA reflect needs better? Guess so. Start PDP, include opening clause which states that you have to provide WHOIS in accordance with local law. Neuman: The way WHOIS exists today, can't balance. Does not believe in globally unified solution. Restructure WHOIS to remove certain data elements, thinks globally acceptable solution possible. ... Alonso Blas: Big problems to comply with both RAA and national legislation problems. Problem has also been raised by individuals who are raising complaints. Take into account not only interests at stake of the different parties, but also rights of individual. A number of issues could be addressed by modifying RAA. Many improvements could be done. Involve all interested parties in the discussions. Involve more actively data protection community and authorities throughout the globe. If we are trying to look for a solution that could be in the short run, last thing to undertake is modifying legislation of 30 countries to make this possible. Try to find a solution in which all find balance between different interests at stake while respecting the situation. Wichard: ccTLDs have found ways to strike balance in countries with strong privacy regulation. .de, .nl.
Third-party registration services? Paul Stahura has run beta-test. Can privacy concerns be resolved? Implications of services for people who need access. Stahura: Yes, but only part of the solution. Balance between all the forces. Company has a large number of resellers. Demand from resellers to implement third-party solution, because a lot of registrants don't want to put their WHOIS information in the public service. ... Maybe part of the solution is to provide tiered access. Give access to proxy data in public tier, real information in private tier? ... Alonso-Blas: Won't resolve all problems, will improve situation, but won't solve everything. ... Need system that allows quick access to those who need it. Audit trails. Sarah Deutsch: Proxy services very promising. Analogy to unlisted numbers in telephone system. Stahura: Information behind proxy would probably be more accurate. Good guys are gaming the system not to make information public. Bad guys are always gaming the system. Tiered access could make more accurate information available to law enforcement. LoGalbo: Reiterate law enforcement concerns. In order to avoid the problem of legal process -- either data has to be made public, or agreement to proxy services has to make clear name holder's explicit consent for law enforcement to get data. Consent has to be voluntary, but prerequisite cannot be "serve a subpoena." Can't just be LE that has access. ISPs have to have access to solve technical problems. Consumers need access. IP holders need access to real data. Restricting access just to LE is not going to serve number of other important interests. Wichard: Proxy services are an option under the RAA. RAA allows third-party registration. Third party often is an ISP. Condition: Third party accepts liability or promptly discloses identity of true owner. Have some experience with this in UDRP administration, but it usually works out. Tom Keller: In many countries, privacy is not a service, but a right.
Why should it be protected by a special service? Does not really serve the purpose.
Best solution for everyone is not available. But is there a second-best solution? Protect privacy for non-commercial domain names, while making commercial available? Have different TLDs with different WHOIS rules? Tom Keller: Registration of domain name is fully automated. Hard to figure out what person is going to do with domain name. Existing domain holders to be driven out? Not workable. Neumann: Top-level domains are created because of business plan. ... WRT differentiating between non-commercial, commercial -- courts have difficulty with that. Alonso Blas: Don't find solution which satisfies everybody. Find solution which is workable. In theory, could be possible to find a distinction. ... LoGalbo: Agree with concerns about distinction between commercial and noncommercial registrant. ... Domain which is just addressing non-commercial activities, but has less transparency, would be safe harbor for perversions exercised non-commercially.
Papapavlou wraps up: System works for original purposes. Doesn't work for purposes which came up more recently. Issues to be addressed: Accuracy and accessibility. No strong arguments against accuracy, in particular when anonymity can be provided in some circumstances. Not possible to distinguish between commercial, noncommercial and put them into separate boxes. Difficult. Other sources? Effort might be substantial. Balance requirement. What's excessive effort with respect to purpose still needs to be determined. On the one hand, legitimate requests which call for improving accessibility and accuracy. Have human rights adequately protected. Cost element involved. Good balance needs to be found. Main target for future.
Wed Jun 25 08:18:25 EDT 2003 #
The GNSO council has just adopted the deletes task force's results as consensus policy.
Tue Jun 24 14:36:02 EDT 2003 #
ICANN has posted a draft request for proposals for the establishment of new sTLDs.
Tue Jun 24 11:37:15 EDT 2003 #
A summary of the talk currently being given by the FTC's Maneesha Mithal is here.
Tue Jun 24 11:31:46 EDT 2003 #
Michael Donohue of the OECD is talking about consumers using WHOIS searches to identify businesses and find contact points with those businesses. He argues that inaccurate WHOIS data could undermine users' trust in the Internet, and could cause them to turn away from doing business on the Internet. He also points to guidelines that entities doing commerce on the Internet should make contact information readily available.
This is another strawman argument: If consumers have to resort to a database which isn't widely known outside specialized circles in order to obtain contact information about a business, then the contact information is not readily available. I certainly wouldn't do business with a commercial site which has contact information available only in the WHOIS service.
Tue Jun 24 11:16:43 EDT 2003 #
Jane Mutimear (the chair of the IP constituency) just gave a talk on the need for WHOIS. One of her key reasons was asset management -- i.e., registrants using WHOIS in order to obtain information about their own registrations. This is a strawman in the WHOIS context -- the policy questions are not about information registrants want to be published, but about mandatory publication of data regardless of registrants' wishes.
Tue Jun 24 11:07:41 EDT 2003 #
Speaking as one of the victims of European and natl authorities. Consequences of privacy law for .nl registry policy. About SIDN -- statistics. Background: EU privacy directive, implemented in NL by personal data protection act. Legal analysis of other legislations: Telecommunication data directive and implementation in NL not applicable. NL tax legislation not relevant. Criminal act not relevant.
Extensive consultation in 2001. Alternative dispute resolution -- direct effects on use of WHOIS. Open up .nl? Only Dutch companies could register directly under .nl until this year. Opened up as result of consultation. WHOIS -- asked specific questions. What kind of detail needs to be provided? What's proper protection? Rate-limiting? Opt-out?
Two worlds with respect to WHOIS: Function v. protocol. Have to distinguish. Can't implement sophisticated privacy things in transactionless RFC 954 WHOIS protocol. WHOIS not necessary for running the DNS. There are registries without. Have to specify other purpose or interest. Purpose of WHOIS use? "is" v. "whois" -- see much use of WHOIS to see whether domain name is available for registration.
Back to meaning of data protection act for WHOIS. Definition of "processing" of data is very broad. Includes collection, provisioning, deletion, and more. To implement data protection act, don't just focus on WHOIS, but on whole process. Double necessity criteria for processing of data. 1. Purpose must be legitimate. 2. Data has to be adequate. Data has to be within limits of purpose. ...
Informing registrant about processing. Make sure that security, auditing, tracking is in line with data protection act.
WHOIS not necessary for registry to fulfill functions. If you want to have WHOIS, there need to be other interests for which you provide data. NL: Four specific purposes for providing WHOIS. 1. Solve technical problems. 2. Check registration. 3. IP rights. 4. Combat harmful and illegal content.
Results: Specific clauses in contracts. Specific regulation on .nl regulation. Operational: General limitation on WHOIS queries (15 per IP per day). Exemption for registrars (5,000 per day and IP-range).
Details: Properly inform registrant about collection and publication. Opt-out possibility. Come up with good reason to use opt-out. 900 requests so far, 6 granted.
Regulation on processing: Translate roles in registration into roles in privacy regulations. ... Found a way to implement directive. Balanced with interests of local Internet community. Specific for Dutch circumstances. Others may define other purposes. Assessment of individual opt-out complicated.
Auerbach: Inconsistencies -- purpose vs. "automatic legitimacy"? State purpose? Boswinkel: Limited -- 15 queries per day.
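As an added illustration (not SIDN's implementation and not code from this blog), the query limits reported above can be written as a daily quota keyed by client address, with each registrar range sharing one larger quota. The class and function names, the UTC day boundary, the shared per-range counting and the /64 grouping for IPv6 are assumptions; the addresses are constructed samples from documentation ranges.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta, timezone

PUBLIC_LIMIT = 15       # queries per IP per day, as reported for .nl
REGISTRAR_LIMIT = 5000  # queries per day and IP range, as reported for .nl


class WhoisQuota:
    """Daily WHOIS query quota (hypothetical helper, names are assumptions)."""

    def __init__(self, registrar_ranges):
        self.ranges = [ipaddress.ip_network(r) for r in registrar_ranges]
        self.day = None          # UTC date the counters belong to
        self.used = Counter()    # accepted queries per bucket, current day
        self.denied = Counter()  # rejected queries per bucket, cumulative

    def _bucket(self, addr):
        ip = ipaddress.ip_address(addr)
        for net in self.ranges:
            # Assumption: all addresses in a registrar range share one quota.
            if ip.version == net.version and ip in net:
                return f"registrar:{net}", REGISTRAR_LIMIT
        if ip.version == 6:
            # Assumption (not in the notes): count IPv6 clients per /64,
            # since a single host can choose many addresses inside it.
            ip = ipaddress.ip_network(f"{ip}/64", strict=False)
        return f"public:{ip}", PUBLIC_LIMIT

    def allow(self, addr, when):
        """Return True and count the query if the bucket is under its limit."""
        day = when.astimezone(timezone.utc).date()
        if day != self.day:      # new day: every bucket starts from zero
            self.day = day
            self.used.clear()
        key, limit = self._bucket(addr)
        if self.used[key] >= limit:
            self.denied[key] += 1
            return False
        self.used[key] += 1
        return True


def replay(quota, events):
    """Feed (timestamp, source address) pairs through the quota in time
    order and return the number of rejected queries per bucket."""
    for when, addr in sorted(events):
        quota.allow(addr, when)
    return dict(quota.denied)


def sample_events():
    """Constructed query log: one bulk client, one ordinary user,
    one registrar range, and the bulk client returning the next day."""
    t0 = datetime(2003, 6, 24, 9, 0, tzinfo=timezone.utc)
    events = [(t0 + timedelta(seconds=i), "192.0.2.7") for i in range(40)]
    events += [(t0 + timedelta(seconds=i), "192.0.2.8") for i in range(3)]
    events += [(t0 + timedelta(seconds=i), f"198.51.100.{1 + i % 4}")
               for i in range(5002)]
    events.append((t0 + timedelta(days=1), "192.0.2.7"))
    return events


if __name__ == "__main__":
    print(replay(WhoisQuota(["198.51.100.0/24"]), sample_events()))
```

The rejected-query counts per bucket are also what an operator would watch to spot sources that keep hitting the limit.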
Tue Jun 24 10:15:01 EDT 2003 #
Protection of directive also extends to publicized data. Not everything that might seem useful is legally permissible. Key issue for EU: Purpose of WHOIS. Original purpose (technical contact) is legitimate. Directive only allows use for original purpose or compatible uses -- expectation of user. Article 29 working party: Self-policing activities of private parties not compatible. Public sector has legal procedures. Private sector has problem. Want to protect right holders, but need to find a position which can do both things within the legal system and respecting legislation on data protection. Proportionality: Distinguish between data necessary for registration, and data that should be published. Look for less intrusive means to serve purpose. Is there a different possibility of serving purposes without having all information available on web site, to anybody who wants to have it? Two-step approach could be explored. Make data not available to general public, but only to those who really need it. Possible control after the fact. Discussion of uniformity? Collecting same data everywhere is a problem -- only collect minimum data which are actually necessary. Public directories: General right not to have phone number included in public directory. Unlisted phone numbers in WHOIS?!? Some difficult problems with this; discussions are ongoing. ... Extended searchability: Article 29 WP opinion from 2002 on reverse directories. Not just opposing -- accuracy important issue. Keep in mind why individuals give inaccurate data -- feeling of insufficient protection. Bulk access not acceptable. Marketing uses not acceptable.
Need to respect law. Don't place registrars between rock and hard place. Keep in mind and involve data protection community in these discussions. Article 29 working party has approved opinion in time for this meeting; would be pleased to be involved in discussion.
Vint asks about choice -- nobody forced to register domain name. May incur obligations to rest of community when registering. Alonso-Blas: Having domain name may be important for many people, professional and personal activities. (...) Q. about law enforcement. Legislation in Europe has specific provisions for law enforcement. Exceptions that need to be implemented in natl law. Can consult data protection authorities if in doubt. Limited powers for law enforcement. Availability of information about identification of commercial activities. E-commerce directive; identification of data users. Not opposing to that. What data exactly needs to be collected and published? Different regimes for different cases?
Tue Jun 24 09:57:09 EDT 2003 #
Bruce Tonkin about the registrar perspective. Starts with OECD privacy principles and purpose specification in RAA -- timely resolution of problem. Registrars require access to contact information in order to authorize transfers. Turning to common abuses. Wide-spread, not isolated incidents. Unsolicited renewal notices to mislead consumer to believing they are dealing with original supplier. Not: "we're cheaper, please change", but "we're your supplier. renew or lose." Consumer confusion. Marketing of related services. Domain appears in zone file -- registrants will need web hosting services. Marketing phone calls shortly after registration. ... Analogy with meeting travel: Choose airline yourself is the traditional thing. Alternative: ICANN collects information, puts it up on the net, 200 airlines call high-value customers. Travel industry uses first model. DNS industry uses second model.
Frauds to collect credit card information. Fake registrar web site. "You need to change your password. Please type in old password and credit card information to authenticate." Common model for scams. Work because customer is contacted with very specific data about their relationship with supplier.
Bulk access. About ten agreements for large registrars. No proof for abuse. Port 43 public WHOIS. 2 million queries, 137,000 locations per day. Regularly observe mass queries, not just occasional use of query-based interface.
Market price for WHOIS data: $30 for 30 million records. There is a problem.
Tue Jun 24 09:17:21 EDT 2003 #
Bruce Beckwith is giving some insight into registrar and registry WHOIS services. Some observations in addition to what he's just saying: The RAA's opt-out clause for bulk whois only concerned marketing uses, and was available only to individual registrants. Thick registry WHOISes actually publish data elements not mandatory for a registrar WHOIS, namely the registrant's phone number, fax number, and e-mail address.
Later on, Beckwith cleans up some misconceptions, e.g., bulk access as an alleged major source for spam. Points out that registry zone files, which make it possible to identify changes to a TLD, together with query-based registrar whois, are making a major contribution to spam.
For further discussion: Restrict zone file access to legitimate uses? Can WHOIS access be limited for legitimate purposes? Many queries can be addressed by "domain available" or "domain not available" responses. Final question: "Should the same WHOIS information that was available 21 years ago be available now?"
Vint asks about zone file requirement. Beckwith: Contract requirement, anti-misuse clause, but can't enforce that. Touton: Requirement applies to all gTLD registries.
Tue Jun 24 08:52:06 EDT 2003 #
According to this press release, the WHOIS service for .de is going to be rate-limited from 1 July.
Tue Jun 24 08:46:57 EDT 2003 #
Tue Jun 24 08:29:35 EDT 2003 #
Mon Jun 23 11:57:23 EDT 2003 #
Board and GAC are meeting publicly in the hotel basement; the room was extended by some seats when it started filling.
On today's agenda: GAC and Board have an open meeting, from 2pm to 4pm at Level B of the hotel; also, the ccTLDs are holding meetings all day.
Sun Jun 22 08:15:36 EDT 2003 #
New on ICANN's web site: Nominating Committee Announces Nominees to be Seated at Montréal Meeting.
Mon Jun 16 21:04:25 CEST 2003 #
Some time on ICANN's public forum in Montreal will be dedicated to the infrastructure which is supposed to underpin the ALAC. ICANN is soliciting public comments on this.
Mon Jun 16 11:00:43 CEST 2003 #
The agenda for the WHOIS workshop has been posted. This version doesn't have the speakers' names, yet, and might still be modified. The workshop will take place on Tuesday and Wednesday, from 0800 until 1200.
Mon Jun 16 09:13:22 CEST 2003 #
The Article 29 Working Party has adopted an Opinion on the application of the data protection principles to the WHOIS directories. The document is aimed at contributing to the discussion process in Montreal.
Mon Jun 16 08:57:42 CEST 2003 #
This RSS feed contains recent updates to the ICANN site. It covers the latest announcements, correspondence, minutes and the like, as long as ICANN is following its usual convention to include a timestamp with the file name of the relevant documents.
Sun Jun 15 22:45:47 CEST 2003 #
According to this article, the person who was behind a redirection of Al-Jazeera's Web site during the Iraq war has pleaded guilty. The "hack" apparently consisted in impersonating Al-Jazeera's administrative contact, and getting Network Solutions to turn over control over the domain registration.
Fri Jun 13 14:05:28 CEST 2003 #
Joining late, this time. Ruchika Agrawal approaches the end of her talk as I join, asks whether uniform policy for all classes of registrants is appropriate; discusses OECD privacy principles. Mentions inaccuracies when there are no proper privacy protections in place. FTC recommendations on what not to reveal to reduce risk of identity theft. Conflict with globally accessible, publicly available WHOIS as required by the RAA.
Writes Sven Mörs on the whois-coordination list: It goes without saying that any contractual obligations (e.g. in a registrar accreditation agreement) can not overrule existing and applicable legislation. ... Any future ICANN procedure or rules for Whois should take the existing privacy legislation into account - not only in the best interest of the registrants but also of the *registrars* many of whom might otherwise be left with the choice to either being in conflict with the national privacy legislation of their respective country or in breach of the registrar accreditation agreement.
Wed Jun 11 18:38:08 CEST 2003 #
There'll be another WHOIS conference call tomorrow at 9 a.m. EST. The call will focus on privacy aspects of WHOIS. Speakers include Ruchika Agrawal from EPIC, Alan Davidson from CDT, ICANN director Karl Auerbach, Wendy Seltzer (ALAC and EFF), and Sven Mörs from the Berlin state privacy commissioner's office.
Wed Jun 11 18:00:29 CEST 2003 #
Another call beginning with a symphony of conference system beeps. Mike Roberts moderates.
ICANN has posted a Preliminary Report from the Board's Special Meeting on 2 June. The compressed version: The board followed the Reconsideration Committee's recommendations on the pending reconsideration requests; made technical amendments to the bylaws; approved the .biz redemption grace period; adopted a two-track approach to WIPO2 (option C from the General Counsel's briefing); approved ccTLD agreements for .tj, .pw and .ky; approved some board governance matters; approved travel funding for nom-com selected ALAC and GNSO Council members to Montreal; and made arrangements for the transition which will occur when Louis Touton leaves ICANN.
Tue Jun 3 23:04:06 CEST 2003 #
Here is the software I'm currently using to turn a number of ICANN-related mailing list archives into RSS feeds. The script can deal with most common mhonarc configurations and with pipermail archives (as used by mailman). If it can't cope with an archive you want to turn into an RSS feed, it's relatively easy to customize. Thanks go to Wendy Seltzer and Bret Fausett for contributing code and asking the right questions.
(Note that this script works by actually walking through the list archives using HTTP. If you have direct control over an mhonarc installation's configuration, there's a more resource-friendly alternative.)
Mon Jun 2 00:26:27 CEST 2003 #