WHOIS Workshop, day two, session one
The first of the panels is up on the stage. First question -- "is it working?" Jeff Neumann from the gTLD registries notes that it's probably working as it was originally designed to work. Sarah Deutsch: Question is like "is the space shuttle flying." Still picking up the wreckage. Huge problems. The way people need it now it's not working. Inaccuracy. Verizon sees legitimate tensions between large corporations with business interests, ip owners, and sensitive privacy concerns. Points to recent verizon/RIAA case. Accuracy. Too much fraud. ... Third-party registration through proxy services -- ISPs can provide that. Tiered access interesting if technical issues can be worked out. Major tension -- congress may turn to WHOIS when done with spam. Legislative solution that's not as palatable to people in this room as well as working out the issues here. Tom Keller: Still working quite well for original intent -- can look up technical contact. Law enforcement etc. are totally different things -- should this be fulfilled by service such as WHOIS? Laws to which registrars and partners have to abide by. Can provide data firsthand to law enforcement. Misconception that you have to force people to display the data if they want to have a registration. Wichard (WIPO): From IP perspective, WHOIS is not all bad. Quite important, crucial function. Help prevent and resolve IP conflicts in the DNS. Shortcomings. Inaccuracy. Fragmented access -- need portal. Need search services.
Second round. Other services? Wichard: Not aware of any other readily available source in addition to WHOIS databases. Value-added services based on bulk access. Nothing available. Can inaccuracy be overcome by increased enforcement? Could improve, but won't prevent inaccurate data. Ability to enforce RAA? Question to ICANN itself. But, conceptually, yes. RAA contains enforcement mechanisms. (Wichard gives an incorrect account of 3.7.7.2.) Does not apply to ccTLDs. Donohue: Is there an alternative? Yes, of course. Primary place to look to identify online business is the web site itself. Businesses should be identifying. Unfortunately, not the practice. Not interested in providing accurate contact information right on the web site. WHOIS data key to successfully locating site operator. Enforcement agencies who are trying to police may have other tools -- subpoena etc --, but slow; cross-border issues. For consumer, if web si9te is not helpful, there may be no other reasonable alternative for trying to locate the owner of the site. With respect to questions about RAA, OECD has done paper on consumer policy considerations on the importance of accurate and available whois data. One of the suggested approaches at the end talks about the possibility that where a domkain name holder has provided false contact information, that the domain name be suspended and rather than making that optional that that be a mandatory requirement; one of the ways RAA may be amended in order to help improve accuracy. Re ability to properly police, question for ICANN. Recent efforts have been helpful; whether they're enough, is an open question. LoGalbo (DoJ): Law enforcdement needs open whois data to fight crimes. Fraud, piracy, child pornography. Every other source requires legal process. Simplest form is subpoena, sometimes have to get court order. Difference between getting subpoena and serving it and direct, immediate access is night and day. Mithal yesterday talked about FTC surf days. Very effective means of law enforcement; impossible without full access to the WHOIS database. Traditionally, hnave to open a case file in order to even request subpoena. Depend on actions of party. Sometimes need to make motion in court to compel compliance with subpoena. Injecting delay and costs and resources. Heard Maneesha talk about the need for speed wrt fraud. Relevant for other types of crime. Cross-border: Legal process creates substantial delay and complexity. Tools available need updating. Technology has outstripped law in this context. Streamlining the methods for international cooperation is laborious, involves institutional changes. Treaties etc. COE cybercrime convention. No alternative to open, public whois service. On enforcement, need intermediate remedy, sth more realistic than total revocation. Hard for ICANN to police RAA when only option is nuclear. ... Andy Müller-Maguhn: LE asks for public access? Accredited access for LE agencies instead of public access? LoGalbo: No. As soon as it's unpublic or accredited, then process requirements arise. Slowdown, delay. Important that others have access. IP holders. Consumers. LE cannot do it all. Hundreds of civil claims. ... Alonso Blas. Will try to be short. Be very clear -- need to balance different interests. Make sure that those who really need to get access should have access to the information. On the other side, have to balance the need to protect human rights, including protection of privacy. If there is another solution that gives those who need access access while protecting individuals, look for that. Solution proposed by Andy could be one. Proportionality. RAA policing? necessary to police whole package of obligations, not just accuracy, but also privacy. Need to improve privacy provisions. Policing part of it without the other would not be fair for individual. Neumann: Question for LE -- If provision or display of WHOIS is violation of law for registry or registrar, is that acceptable to catch others that are breaking the law? Needs to be considered. Have heard for years the importance of whois information etc. Question: Does registry or registrar break law to provide whois information so you can catch others who break the law. Get law changed before requiring registry to break law. LoGalbo: Can't disagree. If you think you have law which doesn't make access available, change that law. Analysis backwards -- bring law in line with reality, not change RAA. Sarah Deutsch: LoGalbo made point that database be open because more convenient than subpoena. Convenience isn't all. Fair process needed. Complying with subpoenas complicated and expensive. Having information available is easier than having subpoenas.
Alan Wong: Expectations not anticipated when system was put in place. Balancing, changes to RAA? Tom Keller. There are contracts. Have to display certain data. Privacy rules are not allowing to do that. Bound to local law, and still wnat to conduct business. Would change of RAA reflect needs better? Guess so. Start PDP, include opening clause which states that you have to provide WHOIS in accordance with local law. Neuman: The way WHOIS exists today, can't balance. Does not believe in globally unified solution. Restructure WHOIS to remove cdcertain data elements, thinks globally acceptable solution possible. ... Alonso Blas: Big problems to comply with both RAA and national legislation problems. Problem has also been raised by individuals who are raising complaints. Take into account not only interests at stake of the different parties, but also rights of individual. A number of issues could be addressed by modifying RAA. Many improvements could be done. Involve all interested parties in the discussions. Involve more actively data protection community and authorities throughout the globe. If we are trying to look for a solution that could be in the short run, last thing to undertake is modifying loegislation of 30 countries to make this possible. Try to find a solution in which all find balance between different interests at stake while respecting the situation. Wichard: ccTLDs have found ways to strike balance in countries with strong privacy regulation. .de, .nl.
Third-party registration services? Paul Stahura has run beta-test. Can privacy concerns be resolved? Implications of services for people who need access. Stahura: Yes, but only part of the solution. Balance between all the forces. Company has a large number of resellers. Demand from resellers to implement third-party solution, because a lot of registrants don't want to put their WHOIS information in the public service. ... Maybe part of the solution is to provide tiered access. Give access to proxy data in public tier, real information in private tier? ... Alonso-Blas: Won't resolve all problems, will improve situation, but won't solve everything. ... Need system that allows quick access to those who need it. Audit trails. Sarah Deutsch: Proxy services very promising. Analogy to unlisted numbers in telephone system. Stahura: Information behind proxy would probably be more accurate. Good guys are gaming the system not to make information public. Bad guys are always gaming the system. Tiered access could make more accurate information available to law enforcement. LoGalbo: Reiterate law enforcement concerns. In order to avoid the problem of legal process -- either data has to be made public, or agreement to proxy services has to make clear name holder's explicit consent for law enforcement to get data. Consent has to be voluntary, but prerequisite cannot be "serve a subpoena." Can't just be LE that has access. ISPs have to have access to solve technical problems. Consumers need access. IP holders need access to real data. Restricting access just to LE is not going to serve number of other important interests. Wichard: Proxy services are an option under the RAA. RAA allows third-party registration. Third party often is an ISP. Condition: Third party accept liability or promptly discloses identity of true owner. Have some experience with this in UDRP administration, but it usually works out. Tom Keller: In many countries, privacy is not a service, but a right. Why should it be protected by a special service? Does not really serve the purpose.
Best solution for everyone is not available. But is there a second-best solution? Protect privacy for non-commercial domain names, while making commercial available? Have different TLDs with different WHOIS rules? Tom Keller: Registration of domain name is fully automated. Hard to figure out what person is going to do with domain name. Existing domain holders to be driven out? Not workable. Neumann: Top-level domains are created because of business plan. ... WRT differentiating between non-commercial, commercial -- courts have difficulty with that. Alonso Blas: Don't find solution which satisfies everybody. Find solution which is workable. In theory, could be possible to find a distinction. ... LoGalbo: Agree with concerns about distinction between commercial and noncommercial registrant. ... Domain which is just addressing non-commercial activities, but has less transparency, would be safe harbor for perversions exercised non-commercially.
Papapavlou wraps up: System works for original purposes. Doesn't work for purposes which came up more recently. Issues to be addressed: Accuracy and accessibility. No strong arguments against accuracy, in particular when anonymity can be provided in some circumstances. Not possible to distinguish between commercial, noncommercial and put them into separate boxes. Difficult. Other sources? Effort might be substantial. Balance requirement. What's excessive effort with respect to purpose still needs to be determined. One the one hand, legitimate requests which call for improving accessibility and accuracy. Have human rights adequately protected. Cost element involved. Good balance needs to be found. Main target for future.
