Last update: Sun Aug 17 22:48:44 CEST 2003
The agenda of today's conference: Reasons we are here / history; a view of the problem; uses and users; the registrar proposal; can we get there from here? Extensive notes inside; errors, typos and misunderstandings are mine. (Update: Fixed some typos. Also, a formal transcript will be made available by the call's organizers. -- 030530, 9pm CEST, tlr. Update 2: Thomas Barret from Encirca writes to make some corrections to a comment by him which I had wrongly attributed to Robert Connelly. -- 030602)
Ross Rader: Thanks for joining. WHOIS is big issue. Begging for resolution. Feeling that this needs strong cross-constituency dialogue. Get positions out in the open and in the ICANN process. Mike Roberts will moderate.
Mike: Welcome. Large call. Stop periodically, give people who'd like to speak an opportunity to get onto queue. Glen and Marilyn will help handle that. Draft agenda should be known. Rather detailed for a call with that many people on it. Three major chunks: Issue -- to what extent is existing ICANN WHOIS policy and practice not adequate; go in what direction, and why? Second major area -- what options and alternatives are in the ICANN solution space? ICANN solution space is not legislative, but consensus space. Come out with something everybody is prepared to live with. What alternatives out there? Third -- how can participants in this call make Montreal discussions more productive? Establish base assumptions, maybe resolve some contentions? Opening remarks. Important to keep in mind that today's WHOIS structure is the same as 15 years ago in ARPANET, research-oriented, few hosts. ICANN agreements were drafted in early 1999, captured original status quo as practiced by Postel with IANA hat on throughout the 90s. Suggestions since the beginning that WHOIS needed to be changed. DNSO task forces to examine problem, look at possible changes and solutions. Questions about WHOIS are moving target. Main reason for that is vast changes to environment since 80s. Commercialization etc. WHOIS in the view of many doesn't meet needs. Don't just meet needs of larger Internet, but also meet interests of more complex Internet in the future. Call is part of process leading to Montreal. Ongoing process: Forming president's standing committee on privacy. GAC has indicated intent to sponsor WHOIS workshop in Montreal. GNSO is contemplating formation of Steering Committee. Establish work plan for PDP. Louis Touton published useful analysis of where we are within the GNSO. Next steps; scope issues. Brief summary of where we are and how we got here. Hands over to Marilyn and Ross.
Marilyn: Explain why she's involved. Had had a number of conversations with many of participants. Much concern that communications across all the interested parties was very important. No format for that dialogue. Open calls or similar really important. ...
Ross: Said a lot of what he wanted to say. Registrars have been talking about problem for an extensive period of time. Biggest problem recognized today is lack of positive work on actually solving problems. Not from a GNSO perspective, but from individual perspectives. Failed to bridge gaps between positions. Will work positively towards resolving issue. Move towards getting this done in a manner which takes care of everybody.
Karl Auerbach (hard to understand): (Historical remarks.) Two distinct WHOIS databases, DNS and a distinct one for IP addresses. Suggests that the IP-based one is far more useful. IETF effort to add formality to query and response format. Privacy Karl's primary concern. Tough issue. Balancing issue. Not a matter of absolutes. Weigh: Why to have the database? Social needs for publishing information? Fundamental question: Why is information being gathered in the first place? From point of view of person who discloses, there are lots of ancillary uses. But what's the intent for disclosing the information in the mind of the data subject? Intent is merely to obtain a domain name, not to protect third parties' rights. This substantially constrains privacy discussion. Demonstrated need for access to data?
Margie Milam (markmonitor; speaking quickly): Trademark protection, infringement. Value-added services based on bulk whois. Concerned that changes in policy may make it more difficult to provide the value-added services. Not just them, but others to provide these services. Difficulties accessing information. Solution needs to permit IP owners and service providers to IP owners to protect their rights. ... Must make sure that access to information currently is available. Number of registrars make bulk access more difficult. ...
Thomas Barret (Encirca): Large number of customers are trademark owners. Three problems that are not addressed today. Port 43 data mining policy not bulk whois. ... Consumer side: Consumers should be able to use temporary or registrar contacts, provided registrar knows true identity. Registrar has right to know who's accessing their data.
George Kirikos: Tracking down abuses; IP vs. DNS based WHOIS services. Freely available WHOIS helps in transfer situations. Accurate WHOIS, information about legally responsible party, helps encourage responsible behaviour. Greater transparency helps. Having greater privacy would shift cost from abusers to victims. Have a legal contact, so people who want greater privacy can give proxy for low cost. Points to GoDaddy's domainsbyproxy offer. Solution to privacy issue?
Elana Broitman: register.com's interest in joining call. On the one hand, interest in transparency and accurate WHOIS. Large corporate clients, i.e., IP customer base. Company and customers have been main victims of data-mining. Points to Verio case. Bulk WHOIS and mining of public whois. Attempts to defraud customers, get them to send credit card information. Balance needs to be struck to protect legitimate users, and protect privacy. Legal means not adequate to address abuse, because more slow than abuse itself.
Mike Roberts: Immediate remedies within ICANN process? Elana: Either immediate, or by design.
Tom Dalleva (BulkRegister): Definition of both mechanisms and reasons people need to access WHOIS. There's no clear definitions, so everyone may be talking about same or different things at the same time. What's the difference between bulk, port 43, zone file access, what's reasons behind that access? User, transfer, IP community. Really important to define. Then talk about how to control, protect etc. access. BulkRegister interested from product perspective (have products for IP community), and from registrar perspective; similar to register.com's view. Problem: Block and have access?
Margie Milam: Focus on problems with bulk WHOIS, and on mining issue, port 43. Same comment as Tom.
Brian Cute: Registrar conversations. Believe there is a solution. Believe it's closer than farther. Understand IP and law enforcement needs. Push from registrars to get PDP going. Applicable law. Privacy law. Purpose. Get consent in proper fashion. Relationship with customers. Marketing clearly resulting from WHOIS abuse. All WHOIS data susceptible to abuse. What's out is out.
Mike Roberts: Saying that some ability to restrict access is needed? Brian: Yes. Hopefully in greater detail later in the call.
Barbara Simons: First on earlier comments. Domains by proxy not an acceptable alternative to having real privacy. Remind people that service was originally created for technical reasons, not for trademark etc. enforcement. Non-technical reasons ancillary. Lead to additional problems. Stalking -- see California driver's license registry problems. May also happen with WHOIS. Lawsuit. (?) Not just US, but international concerns. OECD guidelines. International consensus. OECD principles. Look at these issues. (Lots of beeps.) Need to deal with privacy issues. Need to deal with OECD guidelines.
Mike Roberts: Issue to address is status quo, millions of records, proposals to change status quo. Discussion with Barbara about law and contract law. Roberts: People bound by contract with ICANN.
Elliot Noss: Comment on process, not so much at form. Obvious that this is an issue which interests broad number of people. PDP; significant topic. Encourages everyone to spend time to be specific and submit or make public positions. Be specific what you want to see in a solution about privacy. Be specific what you require for intellectual property protection. Law Enforcement. Registrars. Everybody. Make public how a solution should deal with specific interest.
Rob Hall: Need to be clear on what everyone wants. Data mining biggest concern. Wants WHOIS freely available to human. Not to machines (through port 43). Only reason for port 43 machine-to-machine is transfers between registrars, could be solved differently.
Steve Metalitz: In response to initial question (current policy and practice not adequate): Basically adequate, but not fully implemented. Bulk access. Accuracy. Advice and disclosure to registrants about publication. Framework adequate. Timely to look at it, and see what adjustments needed. Two issues: Data mining. Interested in learning about technical means to deal with this. Specify what problem is. Going back through Karl's comment: Glossary, set of agreed definitions could come out of this process; would be useful starting point for future discussion.
Mike Heltzer: Steve identified issue he wants to raise. Implementation, compliance with RAA. INTA annual meeting: Bulk WHOIS issue was primary concern to trademark owners in attendance. Helpful and useful in tracking down cybersquatters. Implement and enforce! Hears a lot about tiered access, opt-in for individuals, mandatory for corporate. Particularly difficult, potentially dangerous. From law-enforcement and intellectual property angle, individuals just like corporations can be devious. Who is individual? Who is corporation? How to confirm? Problematic.
Mike Palage: Agrees it's a complex problem. Doesn't think problem will be resolved in short term. Until comprehensive solution is agreed upon and implemented, RAA must be enforced. 3.6.6, appendix W to Verisign agreement (universal WHOIS lookup). Bulk access different from abusive mining. Opt-out mechanisms in place since 1999. Rcom v. Verio: Verio didn't have bulk access. GoDaddy v. Verisign (?) 160 accredited registrars. Top 10 registrars: bulk access is a concern. 11-160: Data mining is a concern. Explore methods to make sure a human is looking at data.
Ray (?): RIR perspective: Bulk WHOIS v. data mining. Bulk whois is available, but still experiencing data mining. Privacy concerns have been discussed; discussion ongoing. Which points of contact to display, and what information in that context. Free access contributing to responsible behaviour: Don't see evidence. Free access, and there's still irresponsible behaviour. Technical aspects etc. RIRs have been working together on common WHOIS format. Looking at higher level of allocations (IANA perspective). Actively engaged in IETF CRISP working group. Remark on port 43 hard to understand.
Karl Auerbach wants to disagree with Metalitz on framework. Too many presumptions that access is legitimate. ... Everyone should articulate legal right prior to access. Doesn't believe in blanket access for trademark holders. They have legitimate rights, but not more legitimate than anyone else. Right now, just blanket assumptions that trademark owners have specific rights to access.
Esther Dyson: Not a one-size-fits-all problem. ... Look for framework, not grand solution.
Ruchika Agrawal: In response to agenda item question, doesn't think policy environment is adequate. Unbalanced starting point. OECD privacy guidelines as common starting point.
Ken Stubbs: Spent almost an hour identifying the fact that there's numerous perspectives. Becoming clear that arriving at solutions is not something to be done quickly. Serious issues on table. Need to be resolved. Mike Palage, Rob Hall, Mike Heltzer, Steve Metalitz have identified issues. Need to deal with immediate problems.
Mark (last name not understood): Metalitz was diplomatic. In technology implementation, end user involvement is critical success factor. Key issues relate to privacy. Disclosing party's perspective critical. ...
Robin Layton with GAC hat on, not on behalf of DoC: GAC working group on WHOIS has identified initially four areas of public policy WRT whois they'd like to look at. Privacy. Intellectual Property. Consumer Interests. Law Enforcement (civil or criminal). Working on workshop for Montreal. Some thought on collaborating with GNSO on organizing two public forums (Tuesday and Wednesday morning).
Next major agenda item: Options within ICANN space? Consensus solutions to perceived problems? Both process and outcome. There's a suggestion to two-track this, short-term fixes and long-term solutions.
Ray (?): Emphasize one size not gonna fit all. Names solution not necessarily applicable to address world. ... Work incrementally.
George Kirikos: Survey how people use WHOIS. Lots of data. Start with lower-hanging fruit. Data mining easy to solve. Remove or limit port 43 access. Suggests approaches to make robotic interpretation of data more difficult.
Rob Courtney: Echo and emphasize idea which came up different times. Addressing privacy questions by looking at tiered access. Hopeful to find a way that casual user can get appropriate information, but trademark holder or law enforcement can get more complete information. Also emphasize notion of audit trail. How's data used? Data mining, access for appropriate and inappropriate reasons. Give users opportunity to understand how data is being used. Don't want to undermine legitimate uses.
Mike Roberts: Audit trail information not published, but shared between name holder and registrar? Rob: Yes. That's what they have in mind. Law enforcement talks about delaying sharing of information, but seems open.
Karl Auerbach: Process comment. (Avoid assumption that certain rights are legitimate.) Doesn't believe consensus process will work, since data subjects' voices aren't heard. Hears that this will take years to be resolved. ... Development of industry may lead in bad directions unless deal with this quickly.
Mike Roberts: Remedy outside ICANN? Karl: Yes, data subjects may make use of more traditional approaches; legislation. Roberts: That would open up another front in WHOIS wars.
Tom Barret (?; hard to understand): Legitimate uses of port 43? Talk about data mining. Illegal datamining. Is there legal WHOIS data mining, through 43 or any other access? Only legitimate access to port 43 is registrar transfer. Registrars can address this by exchanging IP addresses. Would anyone argue that there are other legitimate port 43 accesses, legitimate data mining? Temporary contact data? (Registrar phone number, registrar address.)
Margie Milam: In favor of leaving bulk whois the same. Would like to see bulk whois policy actually enforced. Isn't enforced at the moment. Suggest study on bulk whois and data mining. Re legitimacy of IP interests. Similar to law enforcement interest. IP gets involved before law enforcement. Cybersquatters registering names of banks, defrauding customers. IP owners very interested in privacy, because they want to protect consumers. Access to both port 43 and bulk. Would have a problem from IP perspective with telling registrant that someone looks at their information. In cybersquatting situation that may lead to transfer to international registrar, making things more difficult.
Barbara Simons: Can see legitimate cases in which information about access shouldn't get to registrant. But: Law enforcement should be involved in case of illegal activities. IP people should not have law enforcement capabilities. Re-iterate that privacy is a right. Elaborates on this. OECD guidelines. Accuracy included. Audit trail.
Marilyn wants clarification: Hears people describe registrant like they were homogeneous. Please make clear about what registrants you talk. Barbara: Mostly concerned about individuals, non-profits, human rights groups. Information already out there doesn't mean you shouldn't try to make it less available.
Maneesha Mithal (FTC): Thinks she's only law enforcement rep on call. Wears FTC hat. Use WHOIS data all the time in Internet investigation. Need access to data. FTC has unique perspective. Law enforcement, consumer protection, privacy. Sensitive to concerns. Lot of enforcement in privacy area. (examples) In all investigation, WHOIS is first stop. Would be ironic if they wouldn't get access for privacy reasons when trying to protect privacy. Lots of talk about OECD privacy guidelines. International consensus that consumer protection guidelines are important (?). Final comment on audit trails. Would be problematic to give target of investigation notice. Targets transfer assets abroad when they get notice.
Elliot Noss: Interesting statement before him. Experience in dealing with FTC and law enforcement is much smoother than dealing with IP interests. Wants to react strongly to two remarks. IP representation, two-tracking. IP not outnumbered in comments. As a registrar, understand very well IP, commercial interests. See and live every day the problems faced by individual registrants. Registration leads to fraudulent solicitations re domain name. Small businesses miss renewal amidst this. Happens daily. A big problem to solve. Need clean-sheet look. Issues re ICANN contract enforcement which many people would like to deal with differently. WHOIS is suit which doesn't fit the owner. Urges IP interests: Instead of defending bulk access, appropriately lay out nature of specific needs how any system would be able to identify who legitimate user would be. Don't push this back to community. Propose. Registrars not against IP -- scratch their heads how to address their needs, while respecting non-IP registrants. Not on two sides of an issue. IP has responsibility to pick up and carry a couple buckets itself.
Paul Stahura: Articulate people on call, really good. Looking forward to having more discussions. Supports removal of port 43 access. Limit WHOIS output to only humans or authorized computers. Would solve big chunk of problems. ... Get rid of port 43 requirement, rest can then get handled. On bulk whois. Restrict requirement to same authorized entities. OK with keeping $ 10,000 price. Add requirement for authorized entity. On privacy front, market starts to handle this. Domains by proxy and friends.
Tony Harris wants to add footnote: In line with Argentina privacy law, Argentina ccTLD will go to tiered access approach. No information on details yet, but happy to share when public.
Rick Wesson: CRISP. Will address many comments discussed today. CRISP requirements document covers most items raised today, except a few mentioned by Karl Auerbach. Hopes that someone from different constituencies be nominated to document requirements. Feed that back to IETF group. Q: port 43? Rick: Not port 43, different port.
Ruchika: Registrant notification about access. Law enforcement different from others.
Brian Cute: Bulk whois. Appropriate to individually talk about public access, port 43, bulk. Distinct issues. Bulk whois: Raises privacy concerns. EU commission contribution to WHOIS Task Force. Opt-out exists for bulk (this isn't accurate -tlr). But EU commission says it's not sufficient. ... (missing part of Cute's comment -tlr)
Mike Roberts: Registrant-driven opt-out? Cute: Just an observation with regard to earlier remarks on opt-out satisfying privacy concerns. EU commission statement.
Ken Stubbs: Arrive at balance, so appropriate information be available when domain is used in commercial endeavour. Balance between privacy and abuse of privacy by people trying to shield commercial enterprises. Second: Can't just stop the ship in the middle of nowhere. ...
Mike Palage: Agree with Elliot on small businesses. Illegal data miners vs. bulk access abuse? Asks Elliot. Elliot: People known in the industry as aggressive direct marketers trying to use bulk access. Palage: Bulk whois primarily an issue for large registrars, mining important for all.
Tim Ruiz: Observation. Echoing concerns by Elliot, Paul. IP representatives wanting to participate in process as long as nothing changes. Comments like perceiving themselves the same as law enforcement; need bulk access -- doesn't reflect attitude to work here to solve problems. Registrars realize there is need in IP community for some of this information. Want to work with IP community to provide information if necessary. Work with law enforcement. Concern: Important that everyone demonstrates they want to be part of the solution, not just maintain status quo. Points to growth of domains by proxy and similar services. Sticking to status quo with respect to bulk access isn't part of solution. Sticking to one-size-fits-all isn't part of solution.
Elana Broitman: Whoever is mining WHOIS is entity using domain name. Try to find ways of containing companies by using mechanisms within registration system. ... Heard a lot on call about need for WHOIS for various purposes (IP, LE, consumer protection, ...). Worthwhile to explore what other mechanisms or sources of information are available to these interests. Other sources may actually address needs better than WHOIS does. Final point: Hope to come out of call with momentum forward.
Metalitz: Legitimate uses for port 43 access? There are. If closed off, need to look if alternatives equally effective. Data mining? More about slamming, less about spamming. Gatekeeping, tiered access proposals: System would be costly, imply exercise of judgment, liability for that judgment. Law enforcement: Civil and criminal! Much enforcement through private action, don't disadvantage. General business uses, due diligence etc. Take these into account.
Denise Michel: From end user perspective, clear articulation of needs would make Montreal more productive. Start collecting clear articulation of needs of various interest groups. Potential solutions have been floated -- collect those. How may these be dealt with inside ICANN? Always challenging.
(?): LE and IP have need for access. Important to emphasize distinction. Law enforcement has greater need for quick access.
Marilyn: Topic greatly misunderstood. Role of trademark holder in investigation of consumer fraud important topic.
Ross Rader: Productive call, more organized than expected. Will help having a transcript. Lot of good ideas as opposed to just good positions. Thanks.
Mike Roberts: Number of articulate points of view advanced. Several things at once. Number of voices in favor of incremental change. Some people say current system is flawed, WHOIS being used in ways it wasn't designed to. Have to go back to first principles, re-design WHOIS. IETF is redesigning technical standard. Doesn't address whole range. National government and national legislature, law enforcement perspectives. Using WHOIS. Efforts not entirely well-coordinated. Strive to get straight process. Echoing Touton's point from two weeks ago.
Brief discussion about having another call before Montreal, in hope to make Montreal meeting more substantive. Set up a mailing list? Wesson: Map issues to CRISP draft? Ross has set up mailing list.
Fri May 30 15:56:59 CEST 2003