No Such Weblog | Contact

Last update: Sun Aug 17 22:48:44 CEST 2003





Another call beginning with a symphony of conference system beeps. Mike Roberts moderates.

Mike Roberts: Last week, general feeling to have a second call with ad hoc group of interested parties. Focus on presentations about analytical and factual presentations; 10-15 minutes each. First presentation on port 43. Have brief Q & A after talks; clarifications, not arguments. Second presentation: IETF effort to revise WHOIS RFC; Andrew Newton gives run-down. Third, Maneesha Mithal (FTC) describing manner in which WHOIS is used in consumer protection work. Then, US PTO on trademark and brand issues. Comments from registrars dealing with law enforcement. Paul Twomey posted announcement of planning committee for Montreal Workshop.

Barbara Simons: Surprised that this doesn't deal with privacy; central issue. Mike Roberts wants to take discussion off-line; workshop as proper forum.

Elene Broitman on port 43. Will start with overview of examples of why they're concerned. Has distributed sampling of kinds of problems they are seeing; will put together more material for Montreal workshop. Fourty (or fourteen?) companies have used mined public WHOIS access instead of using bulk access. Have then contacted registrants for variety of reasons. Trying to social-engineer credit card information out of users. Fraudulently misrepresent that name is about to expire, try to get name transferred. E-Mail solicitations for new products and services, often mis-represent as being related to registrar. Because of accessability of WHOIS database, spammers have gone after registrants immediately after registration of new name. Attempt to defraud consumers. Going after registrants by e-mail, phone, direct mail. Intrusive, unwanted. Perception that registrars concerned because of possible client loss to cheaper registrars due to spamming. Wants to highlight that sample shows that most of the fraud associated with mining isn't done to get transfers. Most done to deceive consumers to get credit card information. Renewal (?). New products and services, trying to make them believe they are required to get these products and services. Some perpretrators have been sued, have gotten court injunctions against them. Legal remedy available, but slow. In meantime, spam and fraud proceeds quickly. Consumer protection through legal remedies insufficient.

A(lan|dam) Bernstein. What is WHOIS? Information source provided differently by each registry and each registrar. Thick vs. thin. ... Port 43 and web-based are most common presentations. One problem: What information to show, what information does user want to see? Presenter: As little as possible. Recipient: As much as possible. Take step back. Where do spammers get domain names used in queries from? TLD zone files. Restrict access to information which domain names are newly registered. Limit public access to thin registration information, thick only available to law enforcement, IP, registrars. How to implement? Run on well-known existing port 43? Different port? Extend protocol? There are already extensions. ... Who maintains list of who is entitled to get thick information? Maintain list at registrars. Lots of work to get on all lists. Alternative: Have central authority? IP address, username/password, ... Third possibility: Access Control Lists maintained by central authority and registrars? Who wins? ... Removal of users who violate terms of use. Need industry-wide definitions of whom to identify as law enforcement, IP, ...

Elana: Port43-like tiered access. ...

Mike Heltzer: Basic question, from non-technical perspective. Two ways to get access. Either web, or bulk. Difference between port 43 and web-based? Bernstein makes analogy with Windows Explorer and DIR, explains concent of TCP port. Elana: Web is basically same as port 43.

Ken Stubbs: Concerned about definition he's heared. Nothing in user groups covered consumers. Regularly uses WHOIS to verify legitimacy of people offering goods and services. Buying decision based on legitimacy of information. Thinks that there has to be ability for consumers to use WHOIS for ascertaining legitimacy. Elana: Valid issue. There may be better and other ways to get at that information, maybe not WHOIS. Further discussion needed.

Mike Palage: Point of clarification, has mis-heared Elana.

Robin Layton: One issue identified by GAC working group is consumer protection. Glossary which defines terms would be great for Montreal.

Steve Metalitz: If port 43 and web-based are the same thing, then argument for restricting port 43 is really about saying individual Internet users would have limited access to Web-based and port 43. Bernstein: Yes. But: Individual users, not individual IP owners etc.

Barbara Simons: How to define IP owner? Owns copyrights. Does that give her rights with non-copyright holders lack? Who should be responsible in case of abuse? Stalking. Roberts: Excellent questions. Q & A limited to factual questions about presentations. Mike: Relevance? Ruchika: Significant. Mike: Points to Montreal for addressing issues. Marilyn: Excellent questions. Raise by e-mail? Add to list of questions which must be answered. Barbara: Definition. ...

Sabine Dolderer: Following out of interest, since ccTLD. Thin vs. thick -- defined according who provides information (registry v. registrar)? Look at source of information. Different data sets provided from registries. Elana: Attempted not to define it any further. Highlight issues. Sabine: When she heared Ken Stubbs, he talked about consumers as information users. From her perspective, consumer as registrant and data subject. Consent of registrant for specific purpose of publication needed. Important for European registrars. If it's registrant or registrar is in Europe, information provided for special purpose? Mike: Need to be picked up in study and future work.

Leslie Daigle: IETF. Open standardization. Participation by individuals, not organizations. Standards published as RFCs. Freely available. Standardization work in working groups, organized by IESG. Areas. WGs are chartered. Agreement in WG. IETF Last Call opportunity for volunteer participants to review. IESG manages approval process. When IESG is satisfied about review, publication. Levels of standard: PROPOSED STANDARD, DRAFT STANDARD, STANDARD. Level of experience with standard, proven interoperability. Other types of RFCs: Experimental, Informational, Best Current Practice. WGs formed when interested individuals put together coherent proposal. Not research, not boiling oceans. IESG selects WG chair. Individuals can publish RFCs, most common Informational or Experimental. RFC 954 specifies WHOIS. DRAFT STANDARD. Not specified enough to provide for interoperability to go to full STANDARD. Specifies port 43. Move to different port because of backward compatibility. IDN deployment issues! IETF does not do policy-setting. Technical standards. IETF is loosely grouped collection of individuals. Voluntary participation. ... WHOIS problems not unique to domain registration area. Other protocols and services which are going to run into same access requirements and problems. Need technical solution to provide kind of service required with i18n, privacy, access. IETF: Technical support. Not specifying who is a legitimate party which needs access. This effort should focus on policy questions.

Mike: Motivation for CRISP? Leslie: Andy Newton and herself interested in looking into generalized problem.

Andrew Newton: Sent out powerpoint presentation. Presentation as member of WG. ... Many different registries (notion includes registrars) use WHOIS. Not just domain name space. But currently focused on domain name space. Work product has to be extensible for other uses. ENUM will face exact same problems. ... Referrals. Pass state in referrals. Use DNS to locate data. Not covered: Escrow was discussed. Data serialization. Escrow has greater requirements which don't have to do with technical capabilities, serialization. ... Protocol talks about allowing multiple levels for access. Not working on specifying what these levels are. Define mechanisms to implement policy, but don't mandate policy. Decentralization principle. Uniform queries and responses. I18n. Not backwards-compatible with port 43. Would be difficult, gateways etc. CRISP not about provisioning. Consensus on requirements, draft-05. ... Functional and feature requirements. ... Requirements under IESG review. Two technical proposals: IRIS, FIRS. Judge against requirements specified. RIRs have given feed-back on requirements, are reviewing technical proposals. Specifics: IRIS is XML-based, using BEEP, SASL. FIRS LDAP-based. While LDAP has basic authentication. Also use SASL for authentication. SASL framework for authentication, security, used by many protocols. Hashes, one-time passwords, challenge-response. What does this mean to policy? Building better lock. Does not distribute keys. Bridge gap between protocol and policy. Document.

Marilyn: Thanks to presenters. Helpful to those who are not strongly technical, don't have detailed understanding, thanks. Wants to hear more about policy document mentioned. Wants to know more on relationship between policy and IETF process. Policy should be done in ICANN PDP. Leslie: No disagreement. Lay out toolset. Existing documents describe toolset. Not the thing policy people want to dive into. Document they are thinking about should bridge worlds. Describe kinds of policies possible to implement with tool set.

Elana: Is CRISP WG working on matters broader than WHOIS? A little crisper distinction between protocols? Andy: CRISP is working on requirements for protocol. Who gets bulk WHOIS or not is not a topic. Both proposed protocols use SASL. Framework. Uses SSL, TLS. Can be used for server- and client-side authentication. Leslie: Not sure she understood question. WHOIS overloaded term. Elana: Other registry-related issues? Leslie: Focused on protocol. Other kinds of registries may have similar uses.

Alan Davidson: Do requirements include or preclude tracking, audit? Notice requirement? Andy: Requirements about giving unstructured textual notices (...?) State tracking may be used for auditing. Auditing out of WG charter. Goes into policy aspects. Leslie: Neither includes, nor precludes.

Maneesha Mithal form FTC: How do they use WHOIS in their investigations? FTC background first. Uses, Summarize testimony in congress. Protect consumers. No criminal law enforcement powers. Civil law enforcement. Can take companies to court, get court orders. Need WHOIS for investigation and asset tracking. Since 1994, over 250 law enforcement actions on Internet fraud. More than a billion dollars in damage prevented. How to use WHOIS data? Track down fraud operator. .USA, .BRIT names as example. Tradk company down through WHOIS, located in Britain. Money refunded to consumers. Second use: Serving process. Investigative: Fake page. WHOIS pointed to registrar. Asked for payment information, could freeze assets. Fourth, law enforcement surf days. Find possibly deceptive sites, send e-mail warning sites. Effective: Significant percentage of sites either taken down, or have modified content. Clean up web from fraudulent or deceptive practices. Four main uses for WHOIS data. Testified on subject last may. Testimony available at Inaccuracy concerns. Concerns focused on commercial web sites. Summarized with three points: Law enforcement agencies should have access to all WHOIS data. Public should have access to WHOIS data about commercial sites. For non-commercial or individual sites, there are privacy concerns with public availability of information. Continue to work with community.

(Connection dropped; missing a contribution from Sabine Dolderer.)

Steve Metalitz: How to define commercial? Maneesha: Line between purposes not yet clear. Discuss in Montreal. There are clear cases.

Ruchika: Protecting registrants part of consumer protection. Identity theft recommendations of FTC suggest that information currently contained with WHOIS not be disclosed in general. Trade-off between privacy protection and accuracy.

Becky Burr: Curious about experience in surfs: How frequently is information they encounter available / accurate? Maneesha: Example. Testing unsubscribe/removeme links. Send out 77 letters, 16 came back because of invalid e-mail addresses.

Sabine Dolderer: Experience that many people don't give real e-mail address in WHOIS. False addresses because of false data, or because of mis-use? Maneesha: See high percentage of inaccuracies in investigation since targets might wish to evade law enforcement.

Barbara Simons: Would Saddam's law enforcement have been entitled to full information? How to classify non-commercials who raise funds through selling gimmicks? Maneesha: Good question; non-commercial which isn't would be commercial.

(Missing a question about legislation attempts.)

USPTO representative, talking extremely quickly. Advisor to US DoC on IP issues related to DNS. International treaty obligations. WTO TRIPS agreements. Adequate and effective enforcement mechanisms for IP. PTO believes that WHOIS is key component in enforcement. Trademarks must be policed by holder. ... Enforcement by right holders key; even for criminal action, investigative work done by right holders. Law enforcement doesn't have resources. WHOIS database key in policing trademarks and fighting infringement. Remarks on importance of trademarks. Fast reaction essential to prevent damage. ... Importance of WHOIS for private policing. Relying solely on public law enforcement not possible. USG has contractual obligations. Accuracy. Immediately need accurate data.

(Discussion on switching providers.)

George Kirikos: IP owners aren't only ones to enforce private rights. Defamation and the like. Asks about domains by proxy system. Suitable compromise?

USPTO has advocated that as way forward in immediate future. Mainly concerned with taking web site down. That works with domains by proxy.

Wendy Seltzer: John Doe actions for enforcement? Why need name before infringement proven? Everyone who has written e-mail is copyright holder. "Any IP holder has right ..." could quickly expand to anyone.

USPTO: Doesn't understand first question. Second question: USPTO part of interagency team. Workshop will look at this. Gives her constituency's point.

Wendy: "John Doe" -- procedure of filing complaint against "John Doe", identified by activity. Proceed with lawsuit even if you don't know infringer. Judge determines infringement, before infringer is known. E.g., defamation v. legitimate opinion in discussion board.

USPTO: Law enforcement secondary to IP right. Timeliness issue. Anonymous fine as long as they can take down web site. Immediate access to responsible party important. Doesn't have to be the person behind this.

Ross Rader: Data sets other than domain name WHOIS useful in this regard? USPTO: Interested in looking at any place where they can get information to let go dark. Eventually have to get information to start lawsuit, or send cease and decist letter/e-mail. Can't solely rely on criminal law enforcement.

Barbara Simons: What if site goes dark, but was not infringing? Answer: Reverse cybersquatting? Action in civil court? Q: Cost? A: Web site operator's problem.

Marilyn detects area where questions should be recorded.

Rick Wesson: Liability issues. If you take site down as operator because of perceived issue brought to you by law enforcement agency, you could be liable if you shouldn't have taken site down. USPTO: In US, notice and takedown available in DMCA. In case of ISPs, there's shield of liability. Protection available for ISP.

Ruchika Agrawal, clarifying question: Are registrars or ISPs in position where they have to ??? whether to take down site? USPTO: DMCA has procedures to determine that. Metalitz can answer better. Ruchika: Thinks there's middle ground. Privacy v. IP wrong way to see this. Middle ground is OECD privacy guidelines. Accuracy one of the principles. Keep distinction between IP and law enforcement in mind. Not the same thing. USPTO: IPers enforcing their own rights.

Alan Davidson: If govt seeks access to data, notice has to be provided to subject. Search warrant. Concept of deferred notice in order not to jeopardize investigation. Reaction? USPTO hasn't addressed this. Interested in idea. Immediate notice is a problem, jumping servers. Deferred notice could address that. Willing to explore.

Steve Metalitz: Far afield from call focus. DMCA applicable in some cases, not others. Important: Finding out infringing party. Problem John Doe approach: Untimely, WHOIS access can prevent lawsuit. Notice in some cases leads to temporary resolution. Existing WHOIS system compatible with OECD guidelines.

Becky Burr: DMCA doesn't particularly help with liability in trademark or consumer protection areas. Liability issues floating around. Curious what happens when you have domains by proxy in thick registry arrangement. How clear where you go to to have something taken down? ISP, registrar, registry? USPTO: Explore.

Ruchika: Existing WHOIS system not compatible with OECD guidelines.

Marilyn: Proposes to share information, post information. Helpful on specific topics. Start generating some concrete ideas for types of topics for Montreal? List not full community list. Not substitute for work supposed to go on in workshop, PDPs. Perhaps people could generate useful ideas. Knowledgeable experts who could present?

Next call at 9 a.m., next Thursday.

Fri Jun 6 15:59:47 CEST 2003 #





This is the personal blog of Thomas Roessler.

It's mostly used for comments regarding ICANN, and matters of ICANN's Generic Names Supporting Organization and At-Large Advisory Committee (ALAC).