[Rt4-whois] Reviewing the Comments from ICANN Community

Wed Aug 31 15:11:51 UTC 2011

Comments inline:

On Aug 30, 2011, at 1:16 PM, <kathy at kathykleiman.com<mailto:kathy at kathykleiman.com>> <kathy at kathykleiman.com<mailto:kathy at kathykleiman.com>> wrote:

Hi All,
I hope all is well. My family and I have survived the earthquake and
hurricane on the East Coast this past week -- and are hoping for easier
conditions in the future :-)!

Like you, I am in the midst of my due diligence preparing for our meeting
on Thursday (with the disclaimer that I may not be able to attend due to
the change of date and my travel schedule). I am preparing my email
comments to share with the group.

As promised, I did my "deep dive" on the comments we received in June/July
to our Discussion Paper. I complement the many groups that submitted
interesting and informative comments -- a lot of work was spent responding
to our queries.

To Olof, I say Thank You!  His comment summary, and especially his sorting
of the comments question by question is excellent. I urge you to review
the document at
http://www.icann.org/en/public-comment/report-comments-whoisrt-discussion-paper-05aug11-en.pdf

However, a few commenters asked us to look at things a little differently.
They asked us to include questions we had not asked, and history we had
not included. Some have very long histories in the Whois Arena, as part of
GAC, ALAC, Registrars and NCUC.  ** I created a short summary of these
comments -- and some addition, important, points and questions they raise.

I have tried to shorten and summarize with quotes (as Olof did -- thanks
for the example, Olof!) --- below and attached.
Best, Kathy
------------- expanding our inquiry -- comment highlights ----------

AN EXPANDED VIEW OF THE WRT QUESTIONS
(Responses to WRT Discussion Paper)

Introduction: While Olof did an outstanding job of summarizing the
questions by sorting them according to their responses to our 14
questions, certain issues fell between the cracks – largely because groups
and communities asked us to look at questions beyond those we had chosen
to ask.  This paper takes a short look at what others asked us to see –
including overstretching the purpose of Whois, significant policy work in
the limitations of Whois, and the importance of history and historical
perspective in our work.  Thanks for taking a fast look at these
summaries—and feel free to return to the full comments (found at
http://forum.icann.org/lists/whoisrt-discussion-paper/).

1.      Christopher Wilkinson, former GAC & GAC Secretariat (EU) on purpose of
Whois:

“I rather doubt that the initial purposes of the Whois protocol and
database extended to their current utilisation. It would appear that
rather more is expected of Whois than it is capable of delivering in view
of the legacy of past practice and the current and prospective scale of
the Internet.” (In Discussion Paper Comments)

I am not aware of any evidence that WHOIS, protocol or data delivery, is
incapable of operating at Internet scale. In fact, we have an existence proof
of the opposite.

I hope we review these comments in light of our scope<https://community.icann.org/display/whoisreview/Scope+and+Roadmap+of+the+WHOIS+RT> and recall that our primary
charge is to Policy assess policy, not protocol. Simple as it is, WHOIS the protocol
is capable of delivering, at scale, most any information that policy dictates.

Whatever the problems of WHOIS, they are not related to databases or
protocol as suggested in the excerpted paragraph.

2.      At Large Advisory Committee on the need to view the issues differently:

“It is our view that this Team must treat with and declare (1) whether the
WHOIS construct as originally devised and for the purpose intended is
still necessary, (2) whether the WHOIS dataset as originally determined
remains fit to its original purpose, and (3) whether the several
identifiable uses made of both the WHOIS data and processes that have
expanded the original intent are useful and in the public interest.”

At Large Advisory Committee on the need to consider types of use in our
compliance schemes: “Neither is it rational for the same risk in class or
kind to be ascribed to all domains; domains used primarily for support of
business transactions on the Web have a higher risk of consequential
fraudulent activities than do those used for more personal or
informational pursuits. As such, certain adjustments in approach to
compliance and our expectations of the impact from compliance might
benefit from a change in the philosophical construct of compliance and the
processes used to affect the assurance of compliance.”

At Large Advisory Committee on the need to consider cycles of registration
in our compliance schemes:

“We believe that the all&#8208;round public interest may be better served
by recognizing that the risks from the fraudulent actions of bad actors
are not the same throughout the WHOIS data cycle but tend to be cyclical –
higher following the establishment of new domains and decreasing
thereafter.” (In Discussion Paper Comments)

3.      Noncommercial Users Constituency on Why Privacy and Accuracy are Not at
Odds:

“Privacy and accuracy go hand-in-hand. Rather than putting sensitive
information into public records, some registrants use "inaccurate" data
as a means of protecting their privacy. If registrants have other
channels to keep this information private, they may be more willing to
share accurate data with their registrar.”

“The problem for many registrants is indiscriminate public access to the
data. The lack of any restriction means that there is an unlimited
potential for bad actors to access and use the data, as well as
legitimate users and uses of these data.”

Noncommercial Users Constituency on Why the Operational Point of Contact
Proceeding Marks a Critical Point of Agreement in the GNSO on a narrow
purpose to Whois:

“ICANN stakeholders devoted a great deal of time and energy to this
question in GNSO Council-chartered WHOIS Task Forces. At the end of the
Task Force discussion in 2006, the group proposed that WHOIS be modified
to include an Operational Point of Contact (OPOC):
<http://gnso.icann.org/issues/whois-privacy/prelim-tf-rpt-22nov06.htm>”

“Under the OPOC proposal, "accredited registrars [would] publish three
types of data:
1) Registered Name Holder
2) Country and state/province of the registered nameholder
3) Contact information of the OPoC, including name, address, telephone
number, email."

“Registrants with privacy concerns could name agents to serve as
OPoC,thereby keeping their personal address information out of the
public records.” (In Discussion Paper Comments)

4.      Why Registrars under Tucows leadership strongly sought a balance to
simply Whois data, while improving it.

Slides of Ross Rader, of Registrars Constituency and registrar Tucows,
discussing goals and advantages of Operational Point of Contact, endorsed
and a multi-year GNSO team. These slides and ideas were reference by
Elliot Noss, Pres of Tucows at the Registrars/WRT meeting in San Fran as
well as by the NCUC in the recent comment period.

Goals (Operational Point of Contact- Powerpoint Slides)
“• to simply Whois data output
• reduce facilitation of domain related scams, illegal data mining,
phishing and identity theft
• maintain or increase the value of Whois for all stakeholders
• provide solid foundation for enhanced access to data by key stakeholders
• promote data accuracy” (Link to slides in NCUC Discussion Paper Comments)

5.      Dr. Mueller:  Why technical History is important – because it shows us
where we stopped thinking about purpose and goals.

Dr. Milton Mueller asks us to examine his academic paper on the Whois
issues, and considers history to be a very important factor – before and
during ICANN.  Here are some highlights.

“This article examines how the Internet’s
Whois service has evolved into a surrogate
identity system. The Whois service allows any
Internet user to type a domain name into a Web
interface and be immediately returned the name
and contact details of whoever has registered
the domain. It is used by police to bring down
Web sites committing crimes; its information is
harvested by spammers and marketers seeking
to send their solicitations; it is used by people
curious to know who is behind a Web site or
e-mail address; above all, it is used by trademark
and copyright attorneys to keep an eye on
their brands in cyberspace…

“We recount the story of Whois because it
forces us to re-examine our understanding of
the relationship between technological systems
and global governance institutions. To understand
the importance of the Whois service, one
need only think of the license plate of an automobile
on the road, and imagine that anyone
who saw the license plate would be able to type
it into a computer and be returned the name of
the car owner and his or her street address, telephone
number, and e-mail address.

“That is what Whois does to domain name registrants. It
links the vehicle for navigating the complex
arena of cyberspace (domains) to a responsible
individual, a location, or a jurisdiction.
Of course in the real world, access to drivers’
license databases is restricted to law enforcement
authorities and motor vehicle departments. It is
not difficult to imagine both the benefits—and
the trouble—that might be caused by free,
anonymous, unrestricted public access to drivers’
license databases. No doubt some additional
crimes would be solved and perhaps some
amazing new information services could be
developed by a Google of the future. No doubt,
also, incidents of road rage and stalking would
be taken to new heights. The same concerns
apply to Whois. In addition to facilitating
accountability on the Internet, open access to
registrant contact data raises privacy issues and
concerns about abuse of sensitive personal data
by spammers, stalkers, and identity thieves.

The author fails to point out that license plates are also a source of revenue and indicate
that a vehicle, at least in some cases, meets certain safety standards and has passed
one or more inspections. There are a variety of reasons for requiring licenses plates, among them
identifying the owner of a vehicle. A license plate is an indicia; the vehicle
is registered. Similarly a postmark is an indicia; postage has been paid.

In most jurisdictions, vehicle operators are also required to have a license and a registration
form that in all cases carry information identifying the driver and owner of the vehicle in question.
Some jurisdictions require evidence of insurance which also identifies both the driver and vehicle,
and additionally provides the insurance carrier's name and the account number for the vehicle/driver.
That card potentially carries other information like spouse, domestic partner, children ,etc.

Most jurisdictions require that operators exchange the information contained in these documents
and file reports with authorities in certain cases. Regardless, individuals involved in accidents are
required to exchange certain identifying information, contained on the above-mentioned documents.
No intervention by law enforcement is required.

The information hidden behind a license plate is not, per se, limited to access by law enforcement as
the author suggests. Rather that information is to anyone at least in certain situations.

Comparison of Whois to other registration systems, like business licenses might be more appropriate.
Many jurisdictions require businesses to display licenses. These licenses typically include names
and addresses and must be displayed "conspicuously". Similarly cosmetologists are required to display
their license, that typically includes name and address, at their primary workstation. Access to the
information in these licenses is intended to be public, to anyone entering the establishment or
seeking services. Access is not restricted in any way.

By misstating the facts of vehicle licensing (registration) and ignoring to point out other registration
models, the author leads the reader to the conclusion that access to identifying information in the
"real world" is commonplace and therefor need be restricted in the virtual world.

While there are legitimate needs to protect (some) individuals virtual space, blanket protections are not
the norm in the real world. The issue is more complex than the author would have the reader believe.

“… Defaults tilt the playing
field toward one option by giving the
specified value the benefit of inertia…a Whois directory originated
as a feature of the Internet when it was a smallscale,
closed, scientific network. As the Internet
evolved into a large-scale, public, commercial
system, the Whois capability remained in place
by default.

This is true.

(Historical evolution)

“The first RFCs make it clear that the Whois
protocol was intended to make available to
users a general directory of other ARPANET/
Internet users. At the time, ARPANET was
what we would now call an intranet that

RFC 812, the first standardization of WHOIS states, when speaking of the NICNAME/WHOIS
server, "It is one of a series of ARPANET/Internet name services maintained

by the Network Information Center (NIC) ..."

Even in 1982, when the RFC was published,

linked a few hundred computer scientists and
researchers at less than a hundred geographically
distributed sites. A critical fact about this
directory, then, is that it was intended to serve a
closed, relatively homogeneous, and—compared
to today’s Internet—very small group of networked
computer users.8 The early standards
documents do not specify exactly what the purpose
of this directory was. One can infer from

>From RFC 812, "The server ... delivers the full name, U.S. mailing address, telephone number, and network mailbox for ARPANET users."

context that it served a variety of purposes, and
was seen as a convenience to the community of
defense contractors involved in building the
early Internet. Another critical fact is that for
most users, participation in the directory was
encouraged, but was not operationally, legally,

Actually the language in RFC 812 is "strongly encourages" and "requests
that ... all individuals capable of sending traffic across the ARPANET, be registered..."

Further, in RFC 954, the language  "MILNET TAC users must be registered in the database."
was added and we see the first requirement for inclusion in a WHOIS database with full
identifying information, in 1985.

or contractually required.9 It may be that the
request to register in the centralized Whois
database was made to facilitate technical coordination,
but this is not documented in the
RFC, and evidence supporting this has not
been found anywhere else. The RFC states

Did the author consult with any of the Internet pioneers?

only that the purpose is to provide “a directory
service” (RFC 954, 1985, p. 1) to the network
users…

“Phase 2: Internet Opened to the Public and to Commerce
While the number of host computers connected
to it grew rapidly, the Internet was still a closed
community of specialized users throughout the
1980s. From 1991 to 1995, a critical change
occurred: The Internet was opened to commercial
users and to the general public. This change was
accelerated by the creation and deployment of the
World Wide Web (WWW) and user-friendly
Web browsers, which made the Internet usable
and interesting to ordinary members of the public.
The number of computers connected to the Internet
exceeded 1.3 million before the end of 1992,
and was somewhere between 6 and 8 million by
the middle of 1995.10 This was no longer a “community”
of computer scientists and researchers,
but a mass, heterogeneous public engaged in commerce
and in public and personal communication.
It was also an increasingly contentious and litigious
public… During this tornado of change, the Whois
service that was implemented between 1982
and 1985 remained in place. The user base of
the Internet was no longer closed, no longer
homogeneous, no longer situated within a noncommercial
community, and no longer relatively
small and manageable. But the technical
protocol and the practices supporting a directory
of Internet users remained the same. The
only significant change was that the burden of
supplying the Whois service shifted from
defense contractor Stanford Research Institute
to civilian National Science Foundation contractor
Network Solutions, Inc. As the Internet
moved from the small, noncommercial, and
closed world of the 1980s to the open, public,
and commercial world of the mid-1990s, no
one made a conscious decision to retain the
open-access Whois service of RFC 954; Whois
was an unnoticed default value.

If memory serves, the Green Paper that served as the basis for what we now know as
ICANN and the rest of IG, specifically mentioned WHOIS and that trademark specialists
did not feel it contained sufficient capability to meet their needs.

The author's assertion that Whois was the default choice may be correct. However, it
certainly was noticed as indicated by the record.

Should we decide to include the author's remarks or provide a link to his paper, I suggest
that we will need to do a further review of the content.

Our review is fact-based.

(In Discussion Paper Comments)

Final note from KK: I look forward to our discussion!
<New Issues Raised in Comments.docx>_______________________________________________
Rt4-whois mailing list
Rt4-whois at icann.org<mailto:Rt4-whois at icann.org>
https://mm.icann.org/mailman/listinfo/rt4-whois