[registrars] Report on WHOIS discussions on 11/12 September in Marina Del Ray

[Bruce Tonkin]

Hello All,

A joint meeting was held with registry operators and registrars at the
ICANN offices on Thursday 11 September to discuss WHOIS issues (around
20 people attended including ICANN staff), and the outcomes were further
discussed in the registrar meeting in Marina del Ray on Friday 12
September 2003.

On Thursday the main views seemed to be:

(1) That the amount of data collected under the contracts was a
reasonable compromise between the preferences of intellectual property
and law enforcement (that want more data), and the preferences of some
individuals that want to provide less data (untraceable anonymous
registrations).  Changing the data collected was therefore not a
priority for the registrars present.

(2) There was a view that the amount of information displayed for
anonymous access (via port 43, crisp, or web based) should be restricted
to at least the:
- zonefile information
- registrar name
- registrant name
- one form of contact at the choice of the registrant (could be postal,
fax, phone, or email)

Note anonymous access is where the person requesting the information is
not identified in any way.

Some registries and registrars wanted the information restricted further
to purely the zonefile information and the identity of the sponsoring
registrar.  However there are others in the community that believe that
Internet users have a right to know the basic identity of the entity
that holds a particular domain name from a consumer protection point of
view.



(3) It was recognized that (2) above would require contractual change
and strong debate within the ICANN community.  The immediate requirement
then was that we need to limit data mining of the present information
that is contractually required to be displayed (effectively most of the
information collected must be displayed for anonymous public access
under the present contractual agreements) for use in unsolicited
marketing.
The present forms of data access are:
- anonymous port-43 access
- anonymous web based access
- bulk WHOIS via signed agreement with typically a $10,000 charge per
registry or registrar
- zonefile information via signed agreement at no charge
It was noted that the a combination of the zonefile and anonymous
port-43/web based access effectively eliminated the protections
developed for bulk WHOIS access.

The feeling was that port-43 was difficult to provide controls against
automated electronic data mining - apart from placing query rate limits,
and black-listing IP addresses that heavily query the interface.  It was
pointed out that registrars are presently not restricted from severely
limiting the query rate, although the registries to have contractual
performance requirements.

With respect to interactive web page access, it is possible to protect
against automated query tools by using GIF images etc that are difficult
to process using optical character recognition software.

It was proposed that registrars could restrict port-43 access to only
identified users (ie via the creation of a whitelist of allowable IP
addresses).  Registrars could jointly develop a set of criteria that
would be applied to accept identified users (in such a way that would
not be seen as anti-competitive).

Registrars could continue to use various mechanisms to ensure that the
interactive web page would continue to be available to anonymous users
via human readable as distinct from machine readable formats.

There was some debate on whether changes to port-43 access could be
introduced without contractual changes (this was on the basis that as
long as anonymous users continued to have access to EITHER port-43 or
interative WHOIS that the contractual requirement would be met, as
distinct from requiring access to BOTH interfaces).

ICANN staff did raise the issue that some software was dependent on
simple text based protocols such as port-43 WHOIS for a range of
applications.  E.g many ISPs use port-43 queries in various parts of
their automated systems.  It was suggested that any change would require
sufficient notice to Internet users, and a sufficient outreach campaign
to allow Internet users to update their systems.  There is also the
issue of accessibility of interactive web page systems tat rely on
humans that have vision - ie still need to provide an accessible service
for those that may have some form of disability.

It was also confirmed that services that used agents (e.g like the
Domains by Proxy service of GoDaddy) to protect a registrants identity
were acceptable.

In future different protocols such as CRISP could provide enhanced
services to users such as intellectual property users that would not
require the wide distribution of the bulk WHOIS information, although
this would need to be done in such a way that ensured that there was a
competitive market for the provision of search services (ie it would not
be acceptable for a registrar or registry to restrict access to the bulk
information so that they or their subsidiary were the only company
capable of providing search services).

**********************************************8

Further discussions at the registrar constituency on 12 September
highlighted that many registrars were unclear on what they could or
could not do with respect to limiting data mining.  Registrars discussed
various techniques to make the WHOIS information available via port-43
or we pages unreadable to machines (and hence resistant to data mining)
- ie only readable by a human.  There were also further discussion on
how to identify valid users of full electronic access to WHOIS
information.  Elana Broitman provided a presentation that listed three
main options:
- display WHOIS information as a non machine readable GIF
- restrict access to computer readable WHOIS based on source IP address
- limit the amount of information displayed to the public.

Part of a solution that restricted access to WHOIS lookups should also
address the issue of access to the zonefile which provides the seed data
for manually accessing the WHOIS.  Verisign reported that there were
over 900 zonefile access agreements for the .com and .net zonefiles
(note there is no charge for access).  It is typical for marketing
companies to compare daily zonefiles, to come up with a list of new
prospects to phone, fax, post or email.   

Rick Wesson gave a summary of CRISP that will provide far more
capability to offer a range of value added services compared to the
present port-43 WHOIS service (which is an IETF standard) or interactive
Web page service (which varies by registrars and registries).  It has
the capability to exchange data in standard formats, allow
authentication (and potentially charging) of persons accessing the
service, and also provide a standard way of requesting searches.

A teleconference with members of the intellectual property community
highlighted:
- there was support for registrars to investigate techniques to limit
data mining provided it didn't limit access for intellectual property
purposes
- there was a concern that registrars did not validate registrant data
- it was pointed out that the 95% of users that are using the Internet
responsibly already provide accurate data and the accuracy of this data
could be improved by the new ICANN directive to remind registrants to
update their data at least once per year.
- the 5% of users that don't want to provide accurate data to avoid
intellectual property action or law enforcement will always avoid any
mechanisms that registrars could use to validate the data (ie the cost
to prevent deliberate false information would be prohibitive compared to
the cost to the user to avoid the protection mechanisms)
- for this latter case it was agreed that other mechanisms may need to
be considered for dealing with these cases, and this could be subject to
further discussion and policy analysis.  The present mechanisms for
dealing with these cases was to allow registrars to delete a name if the
registrant did not respond.



Conclusions:
- the highest priority issue seemed to be to investigate how to restrict
data mining of the present data that must be provided to the public via
contract - this was seen as a short term objective
- the second issue was changing the amount of data that must be
displayed to the general public - this was a longer term objective
- the third issue was how to further address the accuracy issues raised
by the intellectual property and law enforcement community in a cost
effective manner