Re: [At-Large] [NA-Discuss] Community Input Requested on Two Draft Statements from ALAC to the ICANN Board
Derek, Wendy and all,

No offense to you Derek, but I believe you and Wendy are essentially saying the same thing in different ways. As one that has led the charge regarding Whois privacy AND Accuracy since 2002, I can attest personally and professionally to both your and Wendy's contentions. What astonishes me is that the ICANN staff and BoD cannot seem to come to terms with the reality of the mess that they originally created, when at one time there was ONE Whois [ centralized model ]. Now there are many and none are accurate/up to date. Such is not excusable nor in any way acceptable to have gone on for so long now... From where I sit anyway this clearly points to a lack of competent leadership on the part of ICANN.

Your issue with Whois seems to focus on security related aspects as they relate to accuracy. And I agree, those elements are interwoven. So is, however, privacy. Without registrants' Whois and registration data being private to a degree, and that degree limits only LEA's having unrestricted access to the full Whois record of any registration, then the security of the registrant is in jeopardy, as may be the security of any of that registrant's business customers, including governments or other government agencies. Therefore I don't believe we want to take that much of a risk with a completely open Whois structure or access. Nor do I believe that LEA's or governments and/or government agencies desire such a potential security risk either.

-----Original Message-----
From: Derek Smythe <derek@aa419.org>
Sent: Apr 6, 2008 3:29 PM
To: Wendy Seltzer <wendy@seltzer.com>
Cc: alac@atlarge-lists.icann.org
Subject: Re: [At-Large] [NA-Discuss] Community Input Requested on Two Draft Statements from ALAC to the ICANN Board
Wendy Seltzer wrote:
Trade WHOIS accuracy for WHOIS privacy. When inaccuracy is the way to preserve privacy, it's better than forced accuracy. ... ...
* WHOIS Accuracy and Reporting. We all know that WHOIS is very inaccurate. This is a very serious problem and considerable effort needs to be made to improve this situation. Multiplying the number of gTLDs as is proposed when the existing database is inaccurate is just asking to make a big problem worse – and the existing reporting system is already not fit for purpose. ICANN is not living up to its obligations with respect to WHOIS – fixing this should be a headline compliance activity in the Operational Plan for 2008/2009. Whilst we are limiting our comments here to compliance activities related to the operational planning cycle, this should not be understood to mean that our concerns related to WHOIS are limited to data accuracy. Our previous statements on the policy aspects of WHOIS remain valid.
Wendy
I respectfully disagree. Whois accuracy severely impacts end users in enforcing their legal rights and hampers effective .
I am also sticking my neck out here, but not all inaccurate whois is submitted in an attempt at pure privacy. Many domains that are abused to spam, scam, phish, etc. end users have fake whois. This is by design. This issue is also briefly mentioned in the ICANN advisory dated 3 April 2003, http://www.icann.org/announcements/advisory-03apr03.htm , which is sadly hardly ever enforced.
I have a lot of evidence of how existing WHOIS privacy mechanisms are being abused to simply prolong a fraudulent domain's existence, endangering more clueless end users. Under the privacy protection we find more fake whois details for many domains. WHOIS privacy is a very sharp two-sided sword.
As an example of why we need whois details currently: Right now a big corporate is giving away free domains. At AA419.org we noticed a disproportionately large number of registrants from small towns across America shown in domains spoofing banks, government agencies and other businesses. We contacted numerous of these registrants, who in turn had no knowledge of these domains; 4X year old teachers, estate agents etc. We have contacted the big corporate and registrar in an attempt to address this issue. The domains are "disabled" in the corporate's system. However the result of the ID theft is clearly visible in WHOIS without the victims' permission. Without verifiable whois this problem would have been denied (as was originally attempted) and the problem invisible. This situation is still ongoing. I am talking far in excess of a thousand domains in a year! Yet this is just the tip of the iceberg ...
To really represent end users, current issues and procedures should be fixed first. If not, the problem is merely disguised and we would all be worse off at the end of the day. It is a sad fact that much more money is lost due to internet fraud and abuse than merely WHOIS being visible.
Long term I would love general WHOIS privacy, however not at the price of partially disarming those currently doing what they do to make the Internet a safer place - it is not only LEA's I am referring to, though they would have the same problem.
Personally I have numerous domains with whois protection, but my whois details are 100% correct for those domains and I am using an available acknowledged privacy mechanism. I accept responsibility for them. These mechanisms are available to other users as well, if privacy is a concern to them - with the exception of the initially much abused .us TLD. However nobody is forced to use a .us domain. We do have choices.
In a nutshell, there is also a reason why whois is sometimes not accurate on many domains: To evade responsibility for illegal activities. How do you protect against that?
To fix, we have to fully understand the implications of each action. Sadly not all internet registrants are as honorable as we would wish. Whatever WHOIS system emerges has to acknowledge this fact.
Best regards,
Derek Smythe
http://www.aa419.org

Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" - Abraham Lincoln
"Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@ix.netcom.com
My Phone: 214-244-4827
participants (1)
-
Jeffrey A. Williams