Although I support most of the proposed comments, I disagree with recommendation 14.

As an individual registrant, I agree that proxy services are useful and should be accepted. I am as uncomfortable as anyone with publishing my physical address, telephone number and direct e-mail. I can certainly understand why my discomfort could be someone else's physical danger - consider those who are supposed to be protected against violence by court order, or live in countries where protection of law is problematic. And because I use unique e-mail and postal addresses for my contact information, there is no question of the fact that I have received non-trivial quantities of e-mail and postal spam that could only have been sourced from my WHOIS listings. Dealing with that can be more than annoying - I haven't fallen victim to the official looking "renewal bills" scams, but I know people who have.

On the other hand, proper operation of the network does require that it be possible to reach the persons responsible for the devices/services connected to it. It must be possible to contact postmaster & abuse for assistance stopping spam - and to notify server operators of inappropriate behavior of their systems (and sometimes people). Whether it's the fact that a bad actor has made them part of a botnet, a hardware failure is causing routing issues, a subscriber is harassing a family member, or the fact that a service is down - it really is important to be able to reach the responsible person(s). And being able to track back to the country/ISP can be a useful tool for tuning some firewalls when under attack.

Note that while postmaster/abuse are required by RFC for those who operate mail servers, not all domains do. Whois is the only 'guaranteed' means of contacting the owner of any domain/ip address.
This is not limited to non-commercial sites, though it is particularly difficult for non-commercial users to get through - I've had recent difficulties contacting several Fortune 50 companies via their whois - though they have the resources to be responsible actors.

Given that, it seems to me that it is appropriate to require that registrants provide accurate and effective contact information - proxies being acceptable so long as the delay through the proxy is reasonable. (Say, minutes thru e-mail, and a first-class/registered letter 1 business day + 1 additional first-class delivery time.) Some standards for proxies maintaining the confidentiality of information provided would also be helpful - individual consumers certainly have less ability to evaluate/influence service providers than ICANN does. There is no reason that a proxy has to be in a registrant's country - this can be important in keeping people safe from bad 'governmental' actors.

I would support not requiring the publication of telephone numbers for individual/small registrants. Not all of us have them, many people now have just mobile services, time zones make use problematic (especially where accurate geographical information is not provided) and telephone provides another vector for harassment. Requiring either telephone or e-mail would be acceptable - as timely communication is required, and some people have only one or the other.

However, where I disagree is the notion of accepting fraudulent or no contact information. This is unacceptable.

Contact information is not just a matter of protecting domain name ownership, despite the fact that ICANN and this group seem to reduce all issues to that issue. When one registers a domain name, one becomes part of the network and takes responsibility for all services delivered from that name. Providing contact information is critical for others to provide feedback on (and often help with) discharging those responsibilities.
This is clearly more of an issue for those who operate their own servers (routers, etc) - but those who don't still have a responsibility to pick vendors who operate responsibly and respond to issues. So I believe that even individuals who just use their domains for websites/email and outsource their services to their ISP or other third party must be reachable via Whois data.

Privacy is a serious issue for me - and many others. Proxy services provide a reasonable compromise between the need for privacy and the need for everyone to cooperate in providing a stable network. Standards and rules for those services are a reasonable subject for discussion - and the non-commercial (especially small/individual) registrant would gain considerably by unified actions to get them.

However, fraudulent/blank contact information is not something we should endorse, encourage or tolerate.

Given the acceptance of proxy services, I see no reason to protect domain registrants who provide invalid contact information in whois from action under UDRP. Rather, it's one bit of leverage that the community has to encourage accurate contact information. Naturally, honest errors that are quickly resolved and failures of proxy services to deliver should not be held against the registrant. Exactly how that's defined is another project - though the latter would be facilitated by standards for proxy services and a means for a registrant to identify proxy providers audited to those standards.

As for postal verification - isn't it as simple as sending a postcard with a verification code to the registrant, and requiring that the code be returned by e-mail or website within a reasonable time? If the address is valid, the postcard goes through. If not, obviously the channel is not reliable...

I hope that the proposed comments can be refined to incorporate these observations.

Timothe Litt
ACM Distinguished Engineer
---------------------------------------------------------
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.

-----Original Message-----
From: NCSG-NCUC [mailto:[log in to unmask]] On Behalf Of Konstantinos Komaitis
Sent: Thursday, July 21, 2011 04:27
To: [log in to unmask]
Subject: Re: [ncsg-policy] Proposed NCUC Comments on the WHOIS Review Team Discussion Paper

This is great - thank you very much Wendy for leading us on this. WHOIS issues are very important and it is brilliant that we get to submit comments.

Thanks again.

KK

Dr. Konstantinos Komaitis,
Senior Lecturer,
Director of Postgraduate Instructional Courses
Director of LLM Information Technology and Telecommunications Law
University of Strathclyde,
The Law School,
Graham Hills building,
50 George Street, Glasgow G1 1BA
UK
tel: +44 (0)141 548 4306
http://www.routledgemedia.com/books/The-Current-State-of-Domain-Name-Regulation-isbn9780415477765
Selected publications: http://hq.ssrn.com/submissions/MyPapers.cfm?partid=501038
Website: www.komaitis.org

-----Original Message-----
From: Wendy Seltzer [mailto:[log in to unmask]]
Sent: Wednesday, 20 July 2011 7:45 PM
To: [log in to unmask]; [log in to unmask] NCSG Policy
Subject: [ncsg-policy] Proposed NCUC Comments on the WHOIS Review Team Discussion Paper

I propose these as NCUC comments to the WHOIS Review Team
<http://www.icann.org/en/public-comment/whoisrt-discussion-paper-09jun11-en.htm>

The comment deadline is July 23 -- Saturday. Thanks to Milton, Avri, Brenden, and Konstantinos for input. If there is interest in sending these as NCSG, I would be happy to update the references. I'll submit Friday.

--Wendy

NCUC is pleased to share these comments on the WHOIS Review Team's discussion paper.
The NCUC includes among its constituents many individual and non-profit domain name registrants and Internet users, academic researchers, and privacy and consumer advocates who share concerns about the lack of adequate privacy protections in WHOIS. We believe ICANN can offer better options for registrants and the Internet-using public, consistent with its commitments.

> 4. How can ICANN balance the privacy concerns of some registrants with
> its commitment to having accurate and complete WHOIS data publicly
> accessible without restriction?
and
> 10. How can ICANN improve the accuracy of WHOIS data?

Privacy and accuracy go hand-in-hand. Rather than putting sensitive information into public records, some registrants use "inaccurate" data as a means of protecting their privacy. If registrants have other channels to keep this information private, they may be more willing to share accurate data with their registrar.

The problem for many registrants is indiscriminate public access to the data. The lack of any restriction means that there is an unlimited potential for bad actors to access and use the data, as well as legitimate users and uses of these data.

At the very least, WHOIS access must give natural persons greater latitude to withhold or restrict access to their data. That position, which is consistent with European data protection law, has even been advanced by the U.S. Federal Trade Commission and F.B.I.

ICANN stakeholders devoted a great deal of time and energy to this question in GNSO Council-chartered WHOIS Task Forces.
At the end of the Task Force discussion in 2006, the group proposed that WHOIS be modified to include an Operational Point of Contact (OPOC):
<http://gnso.icann.org/issues/whois-privacy/prelim-tf-rpt-22nov06.htm>

Under the OPOC proposal, "accredited registrars [would] publish three types of data:
1) Registered Name Holder
2) Country and state/province of the registered nameholder
3) Contact information of the OPoC, including name, address, telephone number, email."

Registrants with privacy concerns could name agents to serve as OPoC, thereby keeping their personal address information out of the public records.

NCUC recommends reviewing the documents the WHOIS Task Force produced relating to the OPOC proposal, including the final task-force report on the purpose of WHOIS:
<http://gnso.icann.org/issues/whois-privacy/tf-report-15mar06.htm>,
Ross Rader's slides from a presentation on the subject,
<http://gnso.icann.org/correspondence/rader-gnso-sp-04dec06.pdf>
and the report on OPoC
<http://gnso.icann.org/issues/whois-privacy/prelim-tf-rpt-22nov06.htm>

The GNSO in October 2007 accepted the WHOIS task-force report and concluded the PDP.
<http://gnso.icann.org/meetings/minutes-gnso-31oct07.html>

>5. How should ICANN address concerns about the use of privacy/proxy services and their impact on the accuracy and availability of the WHOIS data?

ICANN should recognize that privacy and proxy services fill a market need; the use of these services indicates that privacy is a real interest of many domain registrants. Concerns about the use of these services are unwarranted.

>12. Are there barriers, cost or otherwise, to compliance with WHOIS policy?

Even with the provisions for resolving conflicts with national law, WHOIS poses problems for registrars in countries with differing data protection regimes.
Registrars do not want to wait for an enforcement action before resolving conflicts, and many data protection authorities and courts will not give rulings or opinions without a live case or controversy. ICANN's response, that there's no problem, does not suit a multi-jurisdictional Internet.

> 14. Are there any other relevant issues that the review team should be
> aware of? Please provide details.

Consider allowing registrants greater choice: a registrant can get a domain with no WHOIS information at all, at the registrant's peril if the domain is challenged and he/she is unable to respond. This is already the de facto circumstance for domains registered with false information, so why not make it an official option?

Proposals for verification (pre- or post-registration) of name and address information are completely unworkable for standard gTLDs, although they might be proposed by registries looking to differentiate. There is no standard address format, or even any standard of physical addressing that holds across the wide range of geographies and cultures ICANN and registrars serve.

Inaccurate WHOIS data should not be used as conclusive evidence of bad faith, especially in the context of ICANN's policies such as the UDRP. Although within the UDRP, the need to identify a registrant is vital, WHOIS details should not be used to make outright determinations concerning abusive registrations of domain names.

--
Wendy Seltzer -- [log in to unmask] +1 914-374-0613
Fellow, Princeton Center for Information Technology Policy
Fellow, Berkman Center for Internet & Society at Harvard University
http://cyber.law.harvard.edu/seltzer.html
https://www.chillingeffects.org/
https://www.torproject.org/
http://www.freedom-to-tinker.com/