[council] Fwd: Clarification of SSAC position re Board's postion on ALAC letter on "front-running"
Avri Doria
avri at acm.org
Sat Apr 5 17:50:07 UTC 2008
Hi,
After I sent my message to this list, I forwarded a copy to Steve for
his information. This is his reply to that message.
a.
Begin forwarded message:
> From: Steve Crocker <steve at shinkuro.com>
> Date: 5 April 2008 19:35:58 GMT+02:00
> To: Avri Doria <avri at acm.org>, Robert Guerra
> <rguerra at privaterra.org>, Chris Disspain <ceo at auda.org.au>
> Cc: Steve Crocker <steve at shinkuro.com>, ICANN SSAC <ssac at icann.org>,
> ICANN Board of Directors <icann-board at icann.org>
> Subject: Clarification of SSAC position re Board's postion on ALAC
> letter on "front-running"
>
> Avri,
>
> Thanks for referring your note to me for comment. I'll try to
> clarify our thinking on this matter. There are several different
> dimensions, each of which deserves a few moments of attention, so
> this note is a bit long. I've tried to structure it for easy
> navigation. The sections that follow are:
>
> o Background correspondence
>
> o Discussion of whether front running exists and SSAC's finding to
> date and our next steps
>
> (Mixed results and lots of controversy. More work needed.)
>
> o Discussion of whether whether is prohibited, irrespective of
> whether it exists
>
> (Big surprise, at least to me, is that we don't seem to have either
> an explicit prohibition nor even a shared ethic within the community.)
>
> o Discussion of what parts of the ICANN family should be involved,
> and a process issue? (And, in particular, what's SSAC's role.)
>
> (This is a "consumer protection" and, perhaps, a "privacy" issue.
> Does this have a distinct and unambiguous home?)
>
>
> I have cc'd the Board and SSAC, and I invite you, Robert Guerra to
> share it with the GNSO, the ALAC and the ccNSO, respectively. (I
> don't mind if it's shared even more widely, but I think these are
> the primary constituencies involved at the moment. )
>
> Cheers,
>
> Steve
>
> =
> =
> =
> =
> =
> =
> =
> =
> ======================================================================
>
> BACKGROUND CORRESPONDENCE and DOCUMENTS
>
> Here's your note to me.
>
> On Apr 5, 2008, at 6:10 AM, Avri Doria wrote:
>> FYI
>>
>> Begin forwarded message:
>>> From: Avri Doria <avri at acm.org>
>>> Date: 5 April 2008 09:46:08 GMT+02:00
>>> To: Council GNSO <council at gnso.icann.org>
>>> Subject: [council] Board's postion on ALAC letter on "front-running"
>>>
>>>
>>> Hi,
>>>
>>> I have put this on the list of topic for our next agenda. It
>>> might be worth having some preliminary discussions on list.
>>>
>>> References:
>>> - ALAC letter: <http://gnso.icann.org/mailing-lists/archives/council/msg04857.html
>>> >
>>> - Discussion under 11 Other business: <http://www.icann.org/minutes/prelim-report-27mar08.htm
>>> > Board's Disposition: "The Chair determined that emergency
>>> action is not required today but the matter will be referred to
>>> the GNSO for additional information or policy development if
>>> necessary, but not an emergency action."
>>>
>>>
>>> My first questions:
>>>
>>> - Do we want/need to request an issues report?
>>> - Do we want to request advice from SSAC on the degree to which
>>> this is a threat to Stability and Security as stated in the ALAC
>>> letter. SAC22 of Oct 07 <http://www.icann.org/committees/security/sac022.pdf
>>> > spoke of it as being possibly contrary to core values but I do
>>> not read their report as calling it a threat. Though the report
>>> does seem to indicate that further investigation of issues
>>> surrounding the practice could be investigated further.
>>>
>>> thanks
>>>
>>> a.
>
> The ALAC letter referred to above asks the Board to take immediate
> action to curtail "domain hold," "cart-hold" and/or "cart-reserve"
> activities such as Network Solutions and others have recently begun.
>
> You also reference SSAC report SAC 022. That report is the first of
> two of our reports (SAC 022 and SAC 024) so far on front running. See
>
> http://www.icann.org/committees/security/sac022.pdf
> http://www.icann.org/committees/security/sac024.pdf
>
> In SAC 022, we pointed out that checking the availability of a
> domain name can be a sensitive act which may disclose an interest in
> or a value ascribed to a domain name and we suggested to potential
> registrants that domain name availability lookups should be
> performed with care. We also noted there does not appear to be a
> strong set of standards and practices to conclude whether monitoring
> availability checks is an acceptable or unacceptable practice, and
> we called for both public comment and policy development within the
> appropriate bodies.
>
> In SAC 024, we reported that after receiving more than 100 inputs
> over a two and half month period, we were unable to develop
> definitive evidence that front running is actually taking place.
> However, in discussions with Network Solutions regarding their newly
> instituted practice of placing a hold on names being checked for
> possible registration, Jon Nevett suggested that one or more
> registries are possibly selling that information to domain name
> tasters. The chain has a couple of steps. When a potential
> registrant types in a name at NSI's web site to check for its
> availability in one domain, e.g. within .com, NSI, like many other
> registrars, automatically checks whether that name is available in
> several other domains. They do so by forwarding the name to each of
> the respective registries, and this provides an opportunity for one
> or more of those registries to pass along that stream of queries to
> a business partner who may be interested in registering it while the
> original customer is still thinking about it. Here are Mr. Nevett's
> comments in the transcript of the SSAC meeting in New Delhi on
> February 13, 2008, http://delhi.icann.org/files/Delhi-WS-SSAC-13Feb08.txt
> .
>
>> So what's been happening -- and we have information about this --
>> is domain name tasters register names in vast bulk and then they
>> taste the names and only keep a very small percentage of the names
>> that warrant purchasing because of traffic or pay per click. So
>> the domain name tasters are looking for various sources of data.
>> They look for bulk data wherever they can find it. The theory is
>> that there were certain ccTLD registries that because when a
>> customer comes to almost all registrars Web sites and asks for a
>> name, [the registrar] will look at various dozens of different TLDs
>> and see if the name is available. So one of the ccTLDs, for
>> example, or maybe a gTLD, will be selling the data to front runners
>> and tasters. So the tasting line is probably synonymous with the
>> front-runner line. So what happens is they register these names in
>> advance of customers, and then they taste it.
>
>
> As you noted in your message, the Board declined to take emergency
> action and referred the matter to the GNSO for possible policy
> development. (See the last section of this note for a comment on
> policy development.)
>
>
> ======================================================================
>
> DOES FRONT RUNNING EXIST?
>
> As noted above, the data is inconclusive. Jay Daley, CTO of
> Nominet, reported he had looked closely at this question some time
> ago and concluded it simply wasn't happening. Others have suggested
> privately that it really does happen on a fairly significant scale.
> Because there is a very high level of tasting, it may be hard to
> sort out how many instances of apparent front running are just due
> to "background radiation." And then we have Mr. Nevett's assertion
> that one or TLDs is actively involved in this process.
>
> We expect to explore this a bit further. We are still formulating
> specific plans on how to proceed, and we are open to suggestions and
> offers for how to gather information efficiently, effectively, and
> accurately.
>
> =====================================================================
>
> IS FRONT-RUNNING PROHIBITED and DOES IT AFFECT SECURITY OR STABILITY?
>
> As we noted in SAC 022, we do not see any coherent and specific
> framework that suggests front-running is prohibited. I believe the
> Registrar Accreditation Agreement has language related to the proper
> use of registration data, but that applies only after a registration
> is complete.
>
> Practices and expectations vary from field to field. In certain
> professions, particularly law and medicine -- and my experience is
> primarily in the U.S. -- there are very strong rules governing the
> privacy of information provided by a client or patient. There are
> also strong rules governing the protection of customer information
> among stockbrokers. If I ask my stockbroker about a particular
> stock, it's considered unethical for him to use that information to
> buy or sell that stock for himself or to help others to do so.
> However, in our industry, I have not seen any similar explicit
> statement of principle nor an explicit set of rules prohibiting
> front-running and related practices. Thus, even if we were to find
> reliable, concrete information that front-running is taking place,
> it's not clear there is any basis for stopping it.
>
> "Security and Stability" is a mantra invoked with specialty gravity,
> and there is sometime debate about whether a specific issues does or
> does not fall into this category. I think it's hard to argue that
> front-running, if it exists, is affecting the overall security or
> stability of the domain name system, although one might imagine
> fairly severe consequences if the practice existed and affected a
> very large fraction of the potential registrants instead of only a
> relatively small number. I emphasized "system." From any
> particular user's perspective, if someone has swiped a name he is
> looking at, the impact on him or his business could be very
> substantial. Is that a "security" matter or a " consumer
> protection" matter, and is there a strict distinction between the two?
>
> I would argue that if there is a structural bias against consumers,
> that it's appropriate to consider that to be a weakness in the
> security of the system. On the other hand, if a consumer has been
> dealt with unfairly by a particular party, and there's no general
> bias built into the system, that's a specific consumer protection
> issue. I'm not sure whether everyone else would choose to draw the
> lines in the same place.
>
> There is a secondary and slightly subtle element of security here.
> Efficient and effective markets depend on reliable information and
> trustworthy behavior. If there is a general perception that a
> market is dangerous, the market may shrink and the results for the
> buyers and sellers who are in the market may be inequitable.
> Building and preserving confidence in a market is thus an important
> aspect of "security."
>
> I don't think we've thought enough about this as a community, and I
> would like to see some deeper thought and discussion.
>
> Returning to the specific matter of front-running, I find it odd and
> dangerous that our framework of core values, principles, rules and
> contracts does not address such practices explicitly. I think this
> is a weakness in our overall framework and should be fixed.
>
> =====================================================================
>
> WHO SHOULD BE INVOLVED?
>
> I don't see any single group as being the sole owner of these
> issues. We certainly don't view this as the sole purview of SSAC
> and we would be delighted if others are involved. The GNSO has a
> natural role because the registrars and registries are primary
> actors. At the same time, the people most strongly affected by
> weaknesses in the process are potential registrants, and it's not
> clear who speaks for them. ALAC, in its letter to Board, is
> certainly taking a strong position. And this issue is not limited
> to the gTLDs and ICANN-accredited registrars. The ccTLD community
> presumably has the same issues.
>
> In our reports to the Board, we suggested other groups look at these
> issues. Dan Halloran recently drew our attention to section 1.c in
> By-Laws Annex A: GNSO Policy-Development Process:
>
> Advisory Committee Initiation. An Advisory Committee may raise an
> issue for policy development by action of such committee to commence
> the PDP, and transmission of that request to the GNSO Council. (http://www.icann.org/general/bylaws.htm#AnnexA
> )
>
> With some chagrin, I admit we hadn't realized there was a direct
> channel for SSAC to forward to the GNSO a formal request for the
> GNSO to commence the PDP. Would you find it helpful for us to send
> our recommendations to you in this form?
>
> Irrespective of whether we send you a formal recommendation, I hope
> this note has provided some useful information. We will be happy to
> discuss it further if you desire.
>
> Thanks,
>
> Steve Crocker
> SSAC Chair
>
>
>
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/council/attachments/20080405/ff9d17f3/attachment.html>
More information about the council
mailing list