1) If we want to go further on this, and I do think it is a relevant to do so, I would advise that we also request the "plaintiff" to explain and document how end users credentials of another network end up being disclosed on their web servers and pages, and based on

Hello Bruce and all, I wish to acknowledge the right of reply given to Go Daddy on this list, and say that that was not the intent of the author of the initial message that was forwarded to this list (on the request of the NCUC chair, not the author.) Rather, the author wanted the constituency to discuss the broader policy issues that could be considered based on the experience of that specific case, and then if relevant, raise them with the Council. I am pasting below a public exchange (on NCUC list) I had with Harold Feld in that regard, after forwarding your message with GoDaddy's response to the constituency. Though the name of the registrar is mentioned, please understand the spirit of this exchange as being concerned with broadly applicable policy measures. [> Mawaki] their

policy provisions what actions they have or should have taken against the person/service responsible of such misuse. Why nothing has been done in that regard, and contact has not been made with MySpace to inform them of whatever steps were taken to resolve that issue. As an end user, I wouldn't like to see my identity credentials in a network service that I use be disclosed by any organization be it an NCUC member.

[Harold] I am concerned less with the specifics of this case then with the process generally. While it is useful to receive full information on this particular incident, I believe it more important to focus on the general concern that this leaves far too much power in the hands of registrars. Even if Go Daddy behaved entirely correctly, the next registrar may not. I would also very much like to know how Go Daddy determined what harm would result from elimination of the name. How did Go Daddy satisfy itself that it's actions would not have caused significant harm to innocent parties? Or did it really believe that the potential harm of the released information was so great that it justified immediate action regardless. And, if this is the case, what procedures did it have in place to restore service to innocent third parties.

2) ICANN has responsibility to do something there, while it should avoid micro-regulation and micro-management. At least because all this industry is highly geographically distributed, and there is a void in many countries to that effect (the former explaining the latter, maybe.) As for issues such as the grace period, etc. ICANN could have a safeguard policy that would require a minimum of notice to be given and steps to be taken before any drastic measure such as shutting down a website. If necessary, provision could be made for the principle of subsidiarity wherever there might be conflict with national regulations.

Indeed, what the appropriate steps are is another conversation. It may simply be enough to put registrars on notice that such behavior will arouse regulatory scrutiny. It may be worthwhile to make a formal request, either by the NCUC to the Registrar Constituency or requesting that the GNSO make such a request, that the Registrar community adopt a "best practices" document. Or some form of enforcement action via the ICANN process to prevent a name deletion may be necessary. Like Sitefinder, the question is not merely "what was the right thing to do here," but "what is the process for ensuring that the right result happens consistently in the future." This need not take the form of regulation (although that might ultimately prove necessary). But it seems to me that it warrants rather more than "how do you even suspect a registrar might act inappropriately." Best regards, Mawaki --- Bruce Tonkin <Bruce.Tonkin@melbourneit.com.au> wrote:

Hello All,

Earlier this week there was a posting about a specific case of action taken by a registrar over a domain name. I don't think the Council list is the appropriate place for discussing specific disputes, but rather the list should be used to highlight general issues that apply to multiple situations which may require policy action.

Given that there is a public posting on this list, I gave the Registrar, GoDaddy, the right of reply.

See below.

Regards, Bruce Tonkin

-----Original Message----- From: Tim Ruiz, Vice President, Corporate Development & Policy, GoDaddy

We believe, under the circumstances, that we took the appropriate action. This was not about "a controversial speaker" or freedom of speech. This was about inappropriately acquired MySpace credentials being made public. The posted credentials exposed tens of thousands, many no doubt minors, to potential harm. The site publisher could not be reached and we took the appropriate action as allowed under our Registration Agreement and Terms of Service. We stand behind our actions.

The author of this note, and the NCUC chair that decided to forward it to the Council list, have indicted us in the very same manner they are accusing us of. They have not even attempted to contact us for an explanation, and have ignored our own response to the CNET News.com article. In fairness, we ask that the Council also consider our response, as well as the responses of others who have taken a different view of our actions.

GoDaddy Response:

http://news.com.com/5208-1025_3-0.html?forumID=1&threadID=24518&messageID=232062&start=-1

As awful as this article describes GoDaddy...:

http://news.com.com/5208-1025_3-0.html?forumID=1&threadID=24518&messageID=232289&start=-1

Im sick...:

http://news.com.com/5208-1025_3-0.html?forumID=1&threadID=24518&messageID=232213&start=-1

Am I in the Twilight zone here???:

http://news.com.com/5208-1025_3-0.html?forumID=1&threadID=24518&messageID=232031&start=-1

(This response is apparently from a MySpace user as indicated from a post on her blog, linked to in the above response.)

Tim Ruiz Vice President Corporate Development & Policy GoDaddy.com ---------------------------------------------------------

-----Original Message----- From: owner-council@gnso.icann.org [mailto:owner-council@gnso.icann.org] On Behalf Of GNSO.SECRETARIAT@GNSO.ICANN.ORG Sent: Monday, 29 January 2007 7:35 PM To: 'Council GNSO' Subject: [council] [Fwd: [Fwd: [NCUC-DISCUSS] Recent Actions By Go Daddy]]

The Chair of the NCUC has asked that the mail below be circulated on the

Council list.

Thank you. Glen

-------- Original Message -------- Subject: [NCUC-DISCUSS] Recent Actions By Go Daddy Date: Fri, 26 Jan 2007 10:53:30 -0500

I would like to draw attention to the recent actions of the Go Daddy registrar in its decision to pull a .org domain name at the request of social networking site myspace.com because a third party had placed on the site a list of passwords and accounts of myspace users. http://news.com.com/2100-1025_3-6153607.html

This strikes me as a serious abuse of power by a registrar, and should alarm the users of this constituency. If registrars can exercise such unrestrained authority over registrants, then no controversial speaker is safe.

If there is not already a procedure for addressing this, I would strongly urge this constituency to take appropriate action.

Harold Feld

-- Carlos A. Afonso diretor de planejamento Rits - Rede de Informa��es para o Terceiro Setor *************************************************************** Projeto Sacix - Apoio t�cnico a iniciativas de inclus�o digital com software livre, mantido pela Rits em colabora��o com o Coletivo Digital. Para mais informa��es: www.sacix.org.br www.rits.org.br www.coletivodigital.org.br ***************************************************************

-- Glen de Saint G�ry GNSO Secretariat - ICANN gnso.secretariat[at]gnso.icann.org http://gnso.icann.org