[Rt4-whois] Proxy provider recommendation 112311 susan draft(2).doc [SEC=UNCLASSIFIED]
Susan Kawaguchi
susank at fb.com
Mon Nov 28 04:34:20 UTC 2011
Hi Peter,
Please see my responses in red.
Susan
From: Nettlefold, Peter [mailto:Peter.Nettlefold at dbcde.gov.au]
Sent: Sunday, November 27, 2011 7:54 PM
To: Susan Kawaguchi; Seth M Reiss; 'Emily Taylor'
Cc: rt4-whois at icann.org
Subject: RE: [Rt4-whois] Proxy provider recommendation 112311 susan draft(2).doc [SEC=UNCLASSIFIED]
Hello again all,
Thanks for your quick response Susan.
Thanks also for posting the relevant RAA language. As I read it, nowhere does it say that the registered name holder assumes all rights and responsibilities. Instead, it states that they assume some responsibilities (like providing their own contact information). It also says that they shall accept other responsibilities (liability for harm), but only if certain undefined conditions are met. It seems to me that the RAA's endorsement of proxies, in combination with a clause that seeks to add caveats around the acceptance of liability, is a likely contributor to the current problems.
I would agree with you that ICANN has contributed to this problem but mainly this comes from not addressing the issue in a clear and concise manner.
This goes to your point about ICANN and the law. I fully agree that ICANN cannot make law. Even if it could, then that law would still be open to interpretation. That said, ICANN has a significant role in setting the policy and expectations in this area. To reuse my earlier example, if I was a registrar and I had registered a domain name that had been used for criminal purposes, I expect that I would feel far more comfortable turning up in court with a version of the current RAA under my arm than one that unambiguously said that I had assumed full responsibility.
I agree but I do not think that proxy service providers rely on 3.7.7.3 as they are not parties to the RAA. It would be quite an argument for a proxy service provider that is not an ICANN accredited registrar but is controlled by one to argue that they are parties to the RAA. James might be able to give us a better perspective on this.
One question on the detail of the proposed recommendations: is the proposal to only regulate those services provided by registrars? If so, what would happen to other proxy providers? Since we are relying on the registrars to disclose their relationship with the proxy service providers that they have a controlling interest in there is no action required by the unaffiliated proxy providers. My impression is those are the few and far between.
Since ICANN really has no controls over proxy service providers I think we have several choices
1) Create language in the RAA that makes it very clear that the Registered Name Holder is responsible for the domain name. (basically what we agreed to in Dakar)
2) Not allow them at all, in effect categorize proxy registrations as invalid WHOIS. This would be very problematic as proxy registration services have sprung up from a valid market demand.
3) Create a situation in which the proxy service providers want to engage in best practices. This would require rewarding the good players. If registrars could say their proxy services are recommended or approved by ICANN then they may receive more business or use some other creative incentive.
4) Rely on litigation to fix the problem and that would not involve ICANN at all. I think this would push the proxy servers providers into countries in which litigation is challenging. We see cybersquatters in Panama and small Caribbean islands now I think we may see the same thing in this industry.
5) ? no idea but I wish I had a good answer....
I cannot think of an answer to this sticky issue that would completely resolve it but I just cannot live with not making an attempt.
Cheers,
Peter
From: Susan Kawaguchi [mailto:susank at fb.com]
Sent: Monday, 28 November 2011 1:15 PM
To: Nettlefold, Peter; Seth M Reiss; 'Emily Taylor'
Cc: rt4-whois at icann.org
Subject: RE: [Rt4-whois] Proxy provider recommendation 112311 susan draft(2).doc [SEC=UNCLASSIFIED]
Hi Peter,
I appreciate your comments.
In my experience, the current language in the 2009 RAA 3.7.7.3 Any Registered Name Holder that intends to license use of a domain name to a third party is nonetheless the Registered Name Holder of record and is responsible for providing its own full contact information and for providing and updating accurate technical and administrative contact information adequate to facilitate timely resolution of any problems that arise in connection with the Registered Name. A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it promptly discloses the current contact information provided by the licensee and the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm.
has not been tested in the US courts as far as I know let alone in every major jurisdiction in the world. If we move forward with the recommendation that we agreed upon in Dakar my opinion is that the best we can expect is for litigation to clarify this in a local court. There will be no urgency or incentive for a proxy service provider to change behavior and act responsibly. The proxy service provider is considered the Registered Name Holder now and most do not respond promptly to a request for the licensee's contact information so if the following is removed from 3.7.7.3
unless it promptly discloses the current contact information provided by the licensee and the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm
Also what is the definition of "reasonable evidence of actionable harm" ? I think that would differ by jurisdiction
I do not have any faith that it will change the status quo.
I wish I was able to argue this more eloquently in Dakar but I feel that since most proxy services are controlled by an ICANN accredited registrar they should be held to at least the most minimum standard to respond within a specified time to an inquiry.
I sent the following revised language to Kathy and James earlier today for their input.
Proxy Recommendation
>From 2009 RAA 1.20 "Affiliated Registrar" is another ICANN accredited registrar that operates under a common controlling interest.
Definitions
Affiliate retail proxy service provider is an entity that operates under a common controlling interest of a registrar. "
Retail proxy service provider - provides a proxy service with little or no knowledge of the entity or individual requesting the service beyond their ability to pay and their agreement to the general terms and conditions.
Limited proxy service provider - provides a proxy service for an entity or individual in which there is an ongoing business relationship bound by a contract that is specific to the relationship.
Recommendation
1) a registrar is required to disclose their relationship with a Retail proxy service provider to ICANN. A retail proxy service provider should follow best practice guidelines developed by the community (ICANN, GNSO or whatever group would be most likely to address this issue) . The best practices may include the following:
a. standardised relay and reveal processes and timeframes;
a.1) establish a standardized process for requesting contact information for a proxy registration
a.2) 24 hour response to provide requested contact information when requested by Law Enforcement;
a.3) 5 day business response when requested by a non LE third party[j1]
[j1]<http://email12.secureserver.net/#_msocom_1>
b. guidance on the appropriate level of publicly available information on the registrant;
c. maintenance of a dedicated and available abuse point of contact;
d. public disclosure of contact details and the physical address of the retail proxy service provider; and
e. retail proxy service providers to validate registrant contact information.
a clear definition of the meaning of the proxy - Proxy Services register the domain name, is the registered name holder but license it to another for use
2. Now 4? The best practice guidelines should be developed in close consultation with the GAC, privacy advocates, law enforcement, and other interested stakeholders.
3. Now 5? ICANN should develop an incentive for the retail proxy service providers that adopt the best practice guidelines within a specified time frame.
I have also included comments under your comments below.
Best regards,
Susan
From: Nettlefold, Peter [mailto:Peter.Nettlefold at dbcde.gov.au]
Sent: Sunday, November 27, 2011 5:30 PM
To: Seth M Reiss; Susan Kawaguchi; 'Emily Taylor'
Cc: rt4-whois at icann.org
Subject: RE: [Rt4-whois] Proxy provider recommendation 112311 susan draft(2).doc [SEC=UNCLASSIFIED]
Hello all,
Thanks to Susan and Seth for keeping this important conversation moving.
It seems clear that this is one of the most difficult parts of our report, in part because we are having to consider and balance two important, high-profile and sometimes conflicting needs.
I've put comments directly into your email Susan, in a different font and colour, to try to explain my thinking on your points. I've tried to do this as simply and clearly as possible, and hope that by being so direct we can get closer to the heart of the issue.
I hope this explains where I'm coming from, and helps to move this conversation forward.
Cheers,
Peter
From: Seth M Reiss [mailto:seth.reiss at lex-ip.com]
Sent: Sunday, 27 November 2011 3:41 AM
To: 'Susan Kawaguchi'; Nettlefold, Peter; 'Emily Taylor'
Cc: rt4-whois at icann.org
Subject: RE: [Rt4-whois] Proxy provider recommendation 112311 susan draft(2).doc [SEC=UNCLASSIFIED]
Susan
If the chain of legal responsibilities were clarified, don't you think there would be an immediate chilling effect on the industry? Only those registrars willing to go out of business as a result of entering into a retail proxy relationship with a naughty registrant would continue the retail proxy practice. The responsible ones I would expect to stop the practice.
Seth
From: rt4-whois-bounces at icann.org [mailto:rt4-whois-bounces at icann.org] On Behalf Of Susan Kawaguchi
Sent: Friday, November 25, 2011 7:24 PM
To: Nettlefold, Peter; Emily Taylor
Cc: rt4-whois at icann.org
Subject: Re: [Rt4-whois] Proxy provider recommendation 112311 susan draft(2).doc [SEC=UNCLASSIFIED]
Hello Peter,
I am not proposing to change the privacy service recommendations although I did use language from the agreed upon recommendation since I thought it was a good place to start. Also I do not understand why there is concern with regulating proxy registrations and no concern with regulating privacy registrations.
To my mind, in important ways these two types of services are quite distinct. In the case of a privacy service, it should be clear from the WHOIS record (inaccuracy aside) who is legally responsible for a domain from the outset. There should be no question as to finding a responsible entity on who to serve notice etc, as this data is not hidden/withheld with a privacy service. What a privacy service should instead do is restrict sensitive personal information about that responsible entity from general public availability. With a proxy service, in the current regime, the identity of the responsible entity is not clear, and it appears that this aspect has been gamed or otherwise abused. It is also not clear to me what the situation would be even if this were more tightly regulated. As soon as we say, 'you're responsible, except...', it seems that we risk some form of uncertainty, delay and gaming. If we want to do that, we would need to be very careful about how we address those risks.
I did raise this before the November 9th call but was not able to participate on that call so I understand your concern that is this may appear last minute. II have given this so much thought over the last 6 months and you saw how uncomfortable I was with not addressing the proxy issues in our discussions in Dakar.
My concern with the 'last minute' issue is not that it hasn't come up (I hope I didn't suggest that), and as you know I am very interested to make sure we get this right. It's just that we're discussing actual text very late in the piece - and again, I want to make sure we get it right.
I simply do not feel that recommending to ICANN that they completely ignore the proxy issue is the way we should be proceeding.
I don't think we're proposing that ICANN 'ignore' proxies. We all acknowledge that they will likely exist in one form or another regardless of what we do: the question is on what basis. In Dakar, we agreed that we would recommend that ICANN not only remove the current provisions which endorse proxies, but also make an affirmative statement to clarify the legal chain of responsibilities - i.e. from ICANN's point of view, the buck stops with the registered name holder. Rather than ignoring, I would see this as saying something like: 'if you're out there doing this, ICANN sees you as legally responsible'. Many courts around the world do not care what ICANN considers legal or illegal, ICANN cannot create law.
My aim with this recommendation is to target the proxy services run by a registrar. They have a direct contractual relationship with ICANN. The argument that we do not understand all the contractual agreements involved in a proxy service makes sense for deeply integrated proxy services where the registrant and service have agreed upon contractual elements. The "retail" proxy service which is offered to anyone who will pay and agreed to the TOS for the most part are owned or controlled by a registrar. Although, we have to be careful to not try and regulate any other business the registrar may enter into the proxy service directly relates to the most critical information of the domain name registration which should be controlled by ICANN.
I'm interested in whether a 'retail' proxy service would continue to offer the same sorts of service if they were held responsible for the domain. What would a registrar do if a domain they had registered in their own name was used for criminal purposes, and the RAA no longer explicitly offered the option of pointing the finger elsewhere, but instead affirmatively stated that they were responsible?
The NORC study estimates that proxy registrations may be used in as much as 25% of the .com registrations. That is a significant number. Currently, several registrars run proxy services that are responsive and professional. GoDaddy is the gold standard from my experience. They have very well defined processes and when you run into a proxy registration that is a concern I know exactly what I have to do to request the information. The registrant is protected but if they are acting badly then there is a standardized process for receiving the website owners information.
Below I pulled out from your email
"Much of this revolves around the question of whether tighter regulation of proxies is needed, or whether simply removing the endorsement and clarifying the chain of legal responsibilities would be more effective."
Clarifying the chain of legal responsibilities leaves little recourse for someone impacted by a domain name serving content with a proxy service registration on the WHOIS. If the proxy service provider does not want to reveal the information ( as many refuse to do now) then the only recourse is to file litigation against the proxy service provider.
If we went ahead with our Dakar recommendations, I expect that filing against the registered name holder would be the first action instead of the last recourse. Filing litigation against a registrant is always the last resort. I have been involved with domain name enforcement actions for over 12 years but only involved in 2 litigations. Currently we have a typo squatting litigation and with over 100 domain name registrations that are proxy registrations. Just a few of the proxy service providers have been beating down our doors to provide the licensee contact information.
Then when the WHOIS record changes midstream, they are forced to go back to court to amend the complaint. It is extremely burdensome and expensive.
Would this still be the case? If ICANN clarified that the responsible entity was the registered name holder, and removed any caveats etc, what would be the basis for changing the WHOIS record midstream?
There has been some litigation that has held the proxy service provider legally responsible but nothing that has had a chilling effect on the industry.
If in the current ambiguous contractual environment some proxy service providers have been held legally responsible, wouldn't what we have proposed significantly increase the likelihood of that? Wouldn't this in turn have a flow on 'chilling' effect on the use of proxies?
I cannot open James document on my laptop but once I have a copy I will review his latest revisions.
Best regards,
Susan
From: Nettlefold, Peter [mailto:Peter.Nettlefold at dbcde.gov.au]
Sent: Thursday, November 24, 2011 9:59 PM
To: Emily Taylor
Cc: Susan Kawaguchi; rt4-whois at icann.org
Subject: RE: [Rt4-whois] Proxy provider recommendation 112311 susan draft(2).doc [SEC=UNCLASSIFIED]
Thanks Emily, that's very useful, and I think I understand where its coming from.
I have a few follow on questions, as I'm trying to understand the big picture/strategy, and to try to work through the new proposal fully as this is a key area of interest for me. To be honest, I'm a bit nervous about reopening such a major issue so late in the piece, with only limited time to think through and discuss all the implications. That said, I'm not opposed, just cautious.
In terms of questions: is the intention to retain our 'privacy' recommendations from Dakar? i.e. so that we would in effect have three different arrangements: i.e. privacy, 'known' proxies, and 'unknown' proxies? I ask this because if we are to recommend the establishment of parallel 'known proxy' and 'privacy' regimes, we would need to clearly explain and justify any differences between the two (I note that many of the recommendations we agreed for privacy services have been adopted for the proposed proxy recommendations). I expect that a key question we would face is why we were advocating for two different types of privacy-related services? In what circumstances are privacy services not sufficient? Understanding the reason for this may address some of my concerns.
Separate to the question of privacy services, we also need to consider the implications of endorsing proxy services. In Dakar, we discussed at length the risks of ICANN explicitly acknowledging (and effectively endorsing) the practice of completely limiting access to a registrant's identity. I had thought that was one of the reasons why we agreed that ICANN should not endorse this practice, and instead that we would argue that:
* the full rights and responsibilities of the registrant should accrue to the registered name holder; and
* ICANN should endorse and regulate 'privacy' services which could limit the availability of sensitive personal data, without completely obfuscating the registrant's identity.
This approach seemed to address the privacy concerns expressed by a range of stakeholders, and to clarify (perhaps for the first time) the chain of contractual rights and responsibilities.
Much of this revolves around the question of whether tighter regulation of proxies is needed, or whether simply removing the endorsement and clarifying the chain of legal responsibilities would be more effective. In effect, the new proposal is to advocate the replacement of one mechanism which attempts to regulate proxies (i.e. the current RAA provisions) with another. The intent is obviously to have a tighter set of regulations this time, to reduce gaming/abuse etc. At one level this seems logical, but I am concerned that by introducing doubt into the chain of rights and responsibilities, anything we then do will be like trying to patch a leak that we in effect created. Given that both previous versions of the RAA have tried the endorsement/regulation route with very limited success, I think we would need a strong case to propose a third attempt at this approach as the best way to go. Do we think that this is something we can achieve in practice, and why is it better than the simpler alternative?
I hope I'm not making this unnecessarily complicated - I just want to make sure that we don't make a rushed change that has not been fully discussed.
I look forward to the views of other team members on this issue.
Cheers,
Peter
From: Emily Taylor [mailto:emily at emilytaylor.eu]
Sent: Thursday, 24 November 2011 8:30 PM
To: Nettlefold, Peter
Cc: Susan Kawaguchi; rt4-whois at icann.org
Subject: Re: [Rt4-whois] Proxy provider recommendation 112311 susan draft(2).doc [SEC=UNCLASSIFIED]
Hi Peter
As it's Thanksgiving, our US colleagues will (should) be offline for a couple of days.
My understanding from last night's call is that our proposal is to combine these proxy recommendations with the ones from Dakar. In other words, instead of saying "we never acknowledge proxies" we say this. Susan explained that they are currently working on defining what is meant by a proxy, and as you rightly point out there are different flavours of proxy. There is the "deep" arrangement based on an ongoing trusting relationship (eg solicitor, client) where a proxy might not be obvious. My understanding is that we're not attempting to lift the veil on these. They are not viewed as problematic.
What is viewed as within the ambit of these new draft recommendations are the higher volume, commercialised proxy services, where there is not really a pre-existing relationship between registrant and proxy provider, but this is a low cost add on at the point of registration. The two parties don't really know each other that well. These are the ones we're hoping to describe in our definitions, and they are the target of these recommendations.
I hope that this makes it clear, but obviously I do recommend you listen to Susan's description of their thinking from the audio when it's up.
Thanks
Emily
On 24 November 2011 02:32, Nettlefold, Peter <Peter.Nettlefold at dbcde.gov.au<mailto:Peter.Nettlefold at dbcde.gov.au>> wrote:
Hi Susan and all,
Thanks very much to all who worked on this new series of recommendations.
I'm sorry I missed the teleconference this morning, but just wanted to see if I understand this proposal correctly.
In short, is this a supplement to the position we agreed in Dakar? i.e. will the situation generally be that the registered name holder assumes all rights and responsibilities (as we discussed in Dakar), but in a special subset of cases (i.e. where the registrar clearly knows that a 'proxy' is being used) then some special rules apply?
Or to put it another way, will we be recommending that there should be special new rules for 'known' proxies (however defined), and in all other cases we do not acknowledge proxies?
I'm sorry if this was discussed this morning, but I'm just trying to understand the position.
As there isn't a recording up yet that I've seen, any advice on whether other team members have already commented on this would be appreciated.
Cheers,
Peter
From: rt4-whois-bounces at icann.org<mailto:rt4-whois-bounces at icann.org> [mailto:rt4-whois-bounces at icann.org<mailto:rt4-whois-bounces at icann.org>] On Behalf Of Susan Kawaguchi
Sent: Thursday, 24 November 2011 6:18 AM
To: rt4-whois at icann.org<mailto:rt4-whois at icann.org>
Subject: [Rt4-whois] Proxy provider recommendation 112311 susan draft(2).doc
Hello All,
I apologize for the delay in sending this and that it is still in rough draft. The attached document contains Kathy's revisions and comments to my original proposed recommendation. I have added proposed definitions for the terms we are struggling with. These came out of discussions between James and I.
I feel that we must provide a clear recommendation on the proxy issue but I personally seem to keep moving towards drafting policy. I am hoping we will have time to discuss on the call today as I have several questions for the team.
Susan
-------------------------------------------------------------------------------
NOTICE: This email message is for the sole use of the intended recipient(s)
and may contain confidential and privileged information. Any unauthorized
review, use, disclosure or distribution is prohibited. If you are not the
intended recipient, please contact the sender by reply email and destroy all
copies of the original message.
This message has been content scanned by the Axway MailGate.
MailGate uses policy enforcement to scan for known viruses, spam, undesirable content and malicious code. For more information on Axway products please visit www.axway.com<http://www.axway.com>.
-------------------------------------------------------------------------------
_______________________________________________
Rt4-whois mailing list
Rt4-whois at icann.org<mailto:Rt4-whois at icann.org>
https://mm.icann.org/mailman/listinfo/rt4-whois
--
[Image removed by sender.]
76 Temple Road, Oxford OX4 2EZ UK
t: +44 (0)1865 582 811 * m: +44 (0)7540 049 322
emily at emilytaylor.eu<mailto:emily at emilytaylor.eu>
www.etlaw.co.uk<http://www.etlaw.co.uk>
Emily Taylor Consultancy Limited is a company registered in England and Wales No. 730471. VAT No. 114487713.
-------------------------------------------------------------------------------
NOTICE: This email message is for the sole use of the intended recipient(s)
and may contain confidential and privileged information. Any unauthorized
review, use, disclosure or distribution is prohibited. If you are not the
intended recipient, please contact the sender by reply email and destroy all
copies of the original message.
This message has been content scanned by the Axway MailGate.
MailGate uses policy enforcement to scan for known viruses, spam, undesirable content and malicious code. For more information on Axway products please visit www.axway.com.
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
NOTICE: This email message is for the sole use of the intended recipient(s)
and may contain confidential and privileged information. Any unauthorized
review, use, disclosure or distribution is prohibited. If you are not the
intended recipient, please contact the sender by reply email and destroy all
copies of the original message.
This message has been content scanned by the Axway MailGate.
MailGate uses policy enforcement to scan for known viruses, spam, undesirable content and malicious code. For more information on Axway products please visit www.axway.com.
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
NOTICE: This email message is for the sole use of the intended recipient(s)
and may contain confidential and privileged information. Any unauthorized
review, use, disclosure or distribution is prohibited. If you are not the
intended recipient, please contact the sender by reply email and destroy all
copies of the original message.
This message has been content scanned by the Axway MailGate.
MailGate uses policy enforcement to scan for known viruses, spam, undesirable content and malicious code. For more information on Axway products please visit www.axway.com.
-------------------------------------------------------------------------------
________________________________
[j1]<http://email12.secureserver.net/#_msoanchor_1>We should not be overly prescriptive and attempt to develop the Best Practices in this report. For example DBP is already circulating Best Practices outside of ICANN, and some of our proposals meet or exceed those listed here.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mm.icann.org/pipermail/rt4-whois/attachments/20111128/6c959d49/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 823 bytes
Desc: image001.jpg
Url : http://mm.icann.org/pipermail/rt4-whois/attachments/20111128/6c959d49/image001.jpg
More information about the Rt4-whois
mailing list