[registrars] Congressional Hearing
Rick Wesson
wessorh at ar.com
Fri Feb 13 17:07:08 UTC 2004
Elana & Brian:
my comments are inline...
The undersigned registrars commend the Subcommittee for highlighting
the issue of Whois accuracy. It is a complex topic of importance to
governments, intellectual property interests, the Internet sectors, and
individuals and organizations registering domain names. Because Whois
data must be available to third parties under current ICANN policies,
both privacy and accuracy concerns are involved. Registrars
respectfully submit the information below to round out the various
issues related to data accuracy.
The Bill
The current draft of the bill seems to impose additional liability on
persons who knowingly provide false data who register a domain name,
the "registrants" or their representatives acting on their behalf. It
does not, as we understand it, impose new or additional liability on
registrars; rather, it seems to target bad actors who have already been
found by a court to have violated provisions of the Lanham Act and the
Copyright Act. Therefore, given our understanding of the bill, we are
not taking a position to oppose the bill. In fact, we support the
bill's goal of improving data accuracy.
Something that just about everyone who wrote for CircleId did seem to
understand, no new crimes are created by this law. Mearly additional tools
and penalties for current crimes.
What is the Whois
[snip]
Current Safeguards
Even while working through this process, various registrars already use
accuracy processes, including:
* updating a registrant's data upon notice;
* taking down a registration if inaccurate information is not cured in
a timely manner;
* sending notifications to all customers reminding them to update their
data or face the risk of the registration being taken down or put on
hold; and
* checking credit cards prior to registration to minimize fraud.
These are all great things but do nothing to address the lack of data
quality in the whois database. Since the whois can be constantly updated
any update may contain invalid data. Just because you request a domain
have its contacts data updated does not mean the data is accurate.
Despite such precautions, the savvy cyber squatter can sneak through.
He can use stolen credit cards or credit cards that are in good
standing; provide apparently valid information, and update it to other
seemingly valid addresses when prompted. But, credit card companies'
privacy rules prohibit use of their data for other purposes, such as
Whois verification. There simply is no guarantee that persons intent on
registering a domain name with invalid data can be stopped and anyone
who offers automated filters cannot claim to have found a comprehensive solution.
In the above you simply state "There simply is no guarantee that persons
intent on registering a domain name with invalid data can be stopped..." I
would like you to prove this assertion, or simply provide any shred of
evidence to support it. Your argument is transparent -- only the
status-quo works -- won't stand up to analytical methods to dispel
conjecture such as this. In other words holding this position might
require me to publish a white paper I've been sitting on which makes your
arguments seem rather silly.
Privacy
What seems to help, actually, is increased privacy protection on the
Whois database. Many individuals and even corporations today seek
greater privacy - to avoid spam, to safeguard addresses, and for many
other valid reasons (illustrated below). Recent legal cases illustrate
the great harm caused by the unscrupulous taking and use of openly
available Whois data.
Privacy in the whois database is available to all for $4.00 USD each.
Such efforts to increase privacy should not be confused with complete
anonymity, however. A responsible registrar that increases its
customers' privacy would also be able to provide legitimate interests,
such as trademark holders and law enforcement, with access to the
information they need. The benefit for all parties is that greater
privacy would encourage registrants, who are justifiably concerned
about unfettered free-for-all access to their emails or phone numbers,
to provide accurate data if it is protected.
Free access to privacy does nothing to address accuracy of the data since
no one will analyze the registrant data. Your assumption that privacy
increases data accuracy are unfounded and can be simply proved wrong. Bad
actors will still have the capability to register with false information
though it will be much harder to find them as the fraudulent data will be
hidden. Your privacy argument mearly pushes the responsibility for
determining accuracy on law-enforcement.
While we do not oppose this bill, we believe that its goals would be
strengthened if paired with legislation facilitating greater privacy.
Yea, you always gotta include a statement like the above =)
Illustration of Fraud Problems Associated with Mining the Whois
Database
Registrants have been hit by fraudulent, abusive and annoying
solicitations directed at their contact information mined from the
public Whois database. Below is only a sample of the many instances in
which scam companies have mined the Whois database.
The issues span the gamut from outright fraud to steal credit card
information, to fear-instilling "renewal" notices, to annoying and
unwanted spam solicitations. Few instances of Whois abuse involve
simple, non-deceptive transfer solicitations. Too many registrants
have fallen victim to credit card schemes, or have paid registration
fees to unscrupulous marketers who pass themselves off as the
registrar, using deceptive marketing techniques, only later to learn
that they have paid a non-refundable fee to a shady company.
Highlights (or more accurately, low points) include:
[snip]
While your examples are initially compelling simple math proves that your
examples, while all true, amount to annoyances. The costs to the public,
registrars and registries are miniscule to the fraud perpetrated on the
Internet every day. If your examples were costing the anyone of the actors
in the millions every day I'm sure the issues would be addressed; However,
since your examples are self-centered industry pain that amounts to mabe
[and i'm stretching things] to damage in the hundreds-of-thousands on an
annual basis, well that a cost of doing business.
If you could find some examples of industry pain in the level of millions
per day, as is fraud carried out on the Internet, I'm sure they would have
more relevance on this topic.
best,
-rick
On Wed, 11 Feb 2004, Elana Broitman wrote:
> You all may remember Brian Cute's recent posting on last week's US Congressional hearing on Whois accuracy. We believe that given the risk that the US Congress will use this hearing and the draft bill to also push for more unfunded requirements on registrars, it is critical to set the record straight. Literally in the US legislative system, Congressional documents (records of hearings, etc.) influence how new laws and regulations are interpreted. Therefore, we recommend that registrars submit for the hearing record the attached document that provides a view that the Congress did not hear last week - that new accuracy requirements can be expensive and that privacy is an equally important component of improving the Whois database.
>
> Because the Congress keeps the record open for only a short time frame, we don't have time to take a vote, but would like to get the document signed by as many registrars as will respond by close of business on Thursday.
>
> Thank you for your attention to this and please feel free to comment or send edits.
>
> Best, Elana Broitman and Brian Cute
> <<submission to ip subcommittee march 4.doc>>
>
More information about the registrars
mailing list