WHOIS Workshop, day two, session one

The first of the panels is up on the stage. First question — “is it working?” Jeff Neumann from the gTLD registries notes that it’s probably working as it was originally designed to work. Sarah Deutsch: Question is like “is the space shuttle flying.” Still picking up the wreckage. Huge problems. The way people need it now it’s not working. Inaccuracy. Verizon sees legitimate tensions between large corporations with business interests, IP owners, and sensitive privacy concerns. Points to recent Verizon/RIAA case. Accuracy. Too much fraud. … Third-party registration through proxy services — ISPs can provide that. Tiered access interesting if technical issues can be worked out. Major tension — Congress may turn to WHOIS when done with spam. Legislative solution that’s not as palatable to people in this room as well as working out the issues here. Tom Keller: Still working quite well for original intent — can look up technical contact. Law enforcement etc. are totally different things — should this be fulfilled by service such as WHOIS? Laws to which registrars and partners have to abide by. Can provide data firsthand to law enforcement. Misconception that you have to force people to display the data if they want to have a registration. Wichard (WIPO): From IP perspective, WHOIS is not all bad. Quite important, crucial function. Help prevent and resolve IP conflicts in the DNS. Shortcomings. Inaccuracy. Fragmented access — need portal. Need search services.

Second round. Other services? Wichard: Not aware of any other readily available source in addition to WHOIS databases. Value-added services based on bulk access. Nothing available. Can inaccuracy be overcome by increased enforcement? Could improve, but won’t prevent inaccurate data. Ability to enforce RAA? Question to ICANN itself. But, conceptually, yes. RAA contains enforcement mechanisms. (Wichard gives an incorrect account of 3.7.7.2.) Does not apply to ccTLDs. Donohue: Is there an alternative? Yes, of course. Primary place to look to identify online business is the web site itself. Businesses should be identifying. Unfortunately, not the practice. Not interested in providing accurate contact information right on the web site. WHOIS data key to successfully locating site operator. Enforcement agencies who are trying to police may have other tools — subpoena etc. –, but slow; cross-border issues. For consumer, if web site is not helpful, there may be no other reasonable alternative for trying to locate the owner of the site. With respect to questions about RAA, OECD has done paper on consumer policy considerations on the importance of accurate and available whois data. One of the suggested approaches at the end talks about the possibility that where a domain name holder has provided false contact information, that the domain name be suspended and rather than making that optional that that be a mandatory requirement; one of the ways RAA may be amended in order to help improve accuracy. Re ability to properly police, question for ICANN. Recent efforts have been helpful; whether they’re enough, is an open question. LoGalbo (DoJ): Law enforcement needs open whois data to fight crimes. Fraud, piracy, child pornography. Every other source requires legal process. Simplest form is subpoena, sometimes have to get court order. Difference between getting subpoena and serving it and direct, immediate access is night and day. Mithal yesterday talked about FTC surf days.
Very effective means of law enforcement; impossible without full access to the WHOIS database. Traditionally, have to open a case file in order to even request subpoena. Depend on actions of party. Sometimes need to make motion in court to compel compliance with subpoena. Injecting delay and costs and resources. Heard Maneesha talk about the need for speed wrt fraud. Relevant for other types of crime. Cross-border: Legal process creates substantial delay and complexity. Tools available need updating. Technology has outstripped law in this context. Streamlining the methods for international cooperation is laborious, involves institutional changes. Treaties etc. COE cybercrime convention. No alternative to open, public whois service. On enforcement, need intermediate remedy, something more realistic than total revocation. Hard for ICANN to police RAA when only option is nuclear. … Andy Müller-Maguhn: LE asks for public access? Accredited access for LE agencies instead of public access? LoGalbo: No. As soon as it’s unpublic or accredited, then process requirements arise. Slowdown, delay. Important that others have access. IP holders. Consumers. LE cannot do it all. Hundreds of civil claims. … Alonso Blas. Will try to be short. Be very clear — need to balance different interests. Make sure that those who really need to get access should have access to the information. On the other side, have to balance the need to protect human rights, including protection of privacy. If there is another solution that gives those who need access access while protecting individuals, look for that. Solution proposed by Andy could be one. Proportionality. RAA policing? Necessary to police whole package of obligations, not just accuracy, but also privacy. Need to improve privacy provisions. Policing part of it without the other would not be fair for individual.
Neumann: Question for LE — If provision or display of WHOIS is violation of law for registry or registrar, is that acceptable to catch others that are breaking the law? Needs to be considered. Have heard for years the importance of whois information etc. Question: Does registry or registrar break law to provide whois information so you can catch others who break the law. Get law changed before requiring registry to break law. LoGalbo: Can’t disagree. If you think you have law which doesn’t make access available, change that law. Analysis backwards — bring law in line with reality, not change RAA. Sarah Deutsch: LoGalbo made point that database be open because more convenient than subpoena. Convenience isn’t all. Fair process needed. Complying with subpoenas complicated and expensive. Having information available is easier than having subpoenas.

Alan Wong: Expectations not anticipated when system was put in place. Balancing, changes to RAA? Tom Keller. There are contracts. Have to display certain data. Privacy rules are not allowing to do that. Bound to local law, and still want to conduct business. Would change of RAA reflect needs better? Guess so. Start PDP, include opening clause which states that you have to provide WHOIS in accordance with local law. Neuman: The way WHOIS exists today, can’t balance. Does not believe in globally unified solution. Restructure WHOIS to remove certain data elements, thinks globally acceptable solution possible. … Alonso Blas: Big problems to comply with both RAA and national legislation problems. Problem has also been raised by individuals who are raising complaints. Take into account not only interests at stake of the different parties, but also rights of individual. A number of issues could be addressed by modifying RAA. Many improvements could be done. Involve all interested parties in the discussions. Involve more actively data protection community and authorities throughout the globe. If we are trying to look for a solution that could be in the short run, last thing to undertake is modifying legislation of 30 countries to make this possible. Try to find a solution in which all find balance between different interests at stake while respecting the situation. Wichard: ccTLDs have found ways to strike balance in countries with strong privacy regulation. .de, .nl.

Third-party registration services? Paul Stahura has run beta-test. Can privacy concerns be resolved? Implications of services for people who need access. Stahura: Yes, but only part of the solution. Balance between all the forces. Company has a large number of resellers. Demand from resellers to implement third-party solution, because a lot of registrants don’t want to put their WHOIS information in the public service. … Maybe part of the solution is to provide tiered access. Give access to proxy data in public tier, real information in private tier? … Alonso-Blas: Won’t resolve all problems, will improve situation, but won’t solve everything. … Need system that allows quick access to those who need it. Audit trails. Sarah Deutsch: Proxy services very promising. Analogy to unlisted numbers in telephone system. Stahura: Information behind proxy would probably be more accurate. Good guys are gaming the system not to make information public. Bad guys are always gaming the system. Tiered access could make more accurate information available to law enforcement. LoGalbo: Reiterate law enforcement concerns. In order to avoid the problem of legal process — either data has to be made public, or agreement to proxy services has to make clear name holder’s explicit consent for law enforcement to get data. Consent has to be voluntary, but prerequisite cannot be “serve a subpoena.” Can’t just be LE that has access. ISPs have to have access to solve technical problems. Consumers need access. IP holders need access to real data. Restricting access just to LE is not going to serve number of other important interests. Wichard: Proxy services are an option under the RAA. RAA allows third-party registration. Third party often is an ISP. Condition: Third party accept liability or promptly discloses identity of true owner. Have some experience with this in UDRP administration, but it usually works out. Tom Keller: In many countries, privacy is not a service, but a right. 
Why should it be protected by a special service? Does not really serve the purpose.

Best solution for everyone is not available. But is there a second-best solution? Protect privacy for non-commercial domain names, while making commercial available? Have different TLDs with different WHOIS rules? Tom Keller: Registration of domain name is fully automated. Hard to figure out what person is going to do with domain name. Existing domain holders to be driven out? Not workable. Neumann: Top-level domains are created because of business plan. … WRT differentiating between non-commercial, commercial — courts have difficulty with that. Alonso Blas: Don’t find solution which satisfies everybody. Find solution which is workable. In theory, could be possible to find a distinction. … LoGalbo: Agree with concerns about distinction between commercial and noncommercial registrant. … Domain which is just addressing non-commercial activities, but has less transparency, would be safe harbor for perversions exercised non-commercially.

Papapavlou wraps up: System works for original purposes. Doesn’t work for purposes which came up more recently. Issues to be addressed: Accuracy and accessibility. No strong arguments against accuracy, in particular when anonymity can be provided in some circumstances. Not possible to distinguish between commercial, noncommercial and put them into separate boxes. Difficult. Other sources? Effort might be substantial. Balance requirement. What’s excessive effort with respect to purpose still needs to be determined. On the one hand, legitimate requests which call for improving accessibility and accuracy. Have human rights adequately protected. Cost element involved. Good balance needs to be found. Main target for future.

Readily available contact information.

Michael Donnohue of the OECD is talking about consumers using WHOIS searches to identify businesses and find contact points with those businesses. He argues that inaccurate WHOIS data could undermine users’ trust in the Internet, and could cause them to turn away from doing business on the Internet. He also points to guidelines that entities doing commerce on the Internet should make contact information readily available.

This is another strawman argument: If consumers have to resort to a database which isn’t widely known outside specialized circles in order to obtain contact information about a business, then the contact information is not readily available. I certainly wouldn’t do business with a commercial site which has contact information available only in the WHOIS service.

Using WHOIS for asset management.

Jane Mutimear (the chair of the IP constituency) just gave a talk on the need for WHOIS. One of her key reasons was asset management — i.e., registrants using WHOIS in order to obtain information about their own registrations. This is a strawman in the WHOIS context — the policy questions are not about information registrants want to be published, but about mandatory publication of data regardless of registrants’ wishes.

Bart Boswinkel — ccTLD perspective.

Speaking as one of the victims of European and natl authorities. Consequences of privacy law for .nl registry policy. About SIDN — statistics. Background: EU privacy directive, implemented in NL by personal data protection act. Legal analysis of other legislations: Telecommunication data directive and implementation in NL not applicable. NL tax legislation not relevant. Criminal act not relevant.

Extensive consultation in 2001. Alternative dispute resolution — direct effects on use of WHOIS. Open up .nl? Only Dutch companies could register directly under .nl until this year. Opened up as result of consultation. WHOIS — asked specific questions. What kind of detail needs to be provided? What’s proper protection? Rate-limiting? Opt-out?

Two worlds with respect to WHOIS: Function v. protocol. Have to distinguish. Can’t implement sophisticated privacy things in transactionless RFC 954 WHOIS protocol. WHOIS not necessary for running the DNS. There are registries without. Have to specify other purpose or interest. Purpose of WHOIS use? “is” v. “whois” — see much use of WHOIS to see whether domain name is available for registration.

Back to meaning of data protection act for WHOIS. Definition of “processing” of data is very broad. Includes collection, provisioning, deletion, and more. To implement data protection act, don’t just focus on WHOIS, but on whole process. Double necessity criteria for processing of data. 1. Purpose must be legitimate. 2. Data has to be adequate. Data has to be within limits of purpose. …

Informing registrant about processing. Make sure that security, auditing, tracking is in line with data protection act.

WHOIS not necessary for registry to fulfill functions. If you want to have WHOIS, there need to be other interests for which you provide data. NL: Four specific purposes for providing WHOIS. 1. Solve technical problems. 2. Check registration. 3. IP rights. 4. Combat harmful and illegal content.

Results: Specific clauses in contracts. Specific regulation on .nl regulation. Operational: General limitation on WHOIS queries (15 per IP per day). Exemption for registrars (5,000 per day and IP-range).
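The query limits just described (15 per IP per day, 5,000 per day per registrar IP range), sketched as an added example that is not SIDN's code. Assumptions: the name `WhoisQuota`, the reading that a registrar range shares one 5,000 bucket, counting IPv6 clients per /64, folding IPv4-mapped addresses back to IPv4, and the sample addresses and dates (documentation ranges, constructed).

```python
import ipaddress
from collections import Counter
from datetime import date

PUBLIC_LIMIT = 15        # queries per IP per day, as stated in the notes
REGISTRAR_LIMIT = 5000   # queries per registrar IP range per day, as stated


class WhoisQuota:
    """Daily WHOIS query quota; counters reset when the calendar day changes."""

    def __init__(self, registrar_ranges):
        self.ranges = [ipaddress.ip_network(r) for r in registrar_ranges]
        self.day = None
        self.counts = Counter()

    def _bucket(self, ip):
        addr = ipaddress.ip_address(ip)
        # Treat ::ffff:a.b.c.d as the IPv4 client it is, so one host cannot
        # collect a second quota through the mapped form.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        for net in self.ranges:
            if addr.version == net.version and addr in net:
                return ("range", net), REGISTRAR_LIMIT  # shared by the range
        if addr.version == 6:
            # Assumption: count IPv6 clients per /64, since one subscriber
            # usually controls the whole prefix.
            prefix = ipaddress.ip_network(f"{addr}/64", strict=False)
            return ("ip", prefix), PUBLIC_LIMIT
        return ("ip", addr), PUBLIC_LIMIT

    def allow(self, ip, today):
        if today != self.day:
            self.day, self.counts = today, Counter()
        key, limit = self._bucket(ip)
        if self.counts[key] >= limit:
            return False
        self.counts[key] += 1
        return True


def demo():
    q = WhoisQuota(["192.0.2.0/24"])        # constructed registrar range
    d1, d2 = date(2024, 1, 1), date(2024, 1, 2)
    public = sum(q.allow("198.51.100.7", d1) for _ in range(20))
    v6 = sum(q.allow(f"2001:db8::{i:x}", d1) for i in range(1, 21))
    reg = sum(q.allow(f"192.0.2.{i % 2 + 1}", d1) for i in range(5010))
    return public, v6, reg, q.allow("198.51.100.7", d2)
```

A per-IP cap of this kind slows bulk harvesting from a single source but does nothing against queries spread across many addresses, so it works alongside the contractual and audit measures in the notes rather than replacing them.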

Details: Properly inform registrant about collection and publication. Opt-out possibility. Come up with good reason to use opt-out. 900 requests so far, 6 granted.

Regulation on processing: Translate roles in registration into roles in privacy regulations. … Found a way to implement directive. Balanced with interests of local Internet community. Specific for Dutch circumstances. Others may define other purposes. Assessment of individual opt-out complicated.

Auerbach: Inconsistencies — purpose vs. “automatic legitimacy”? State purpose? Boswinkel: Limited — 15 queries per day.