Marc,

Thanks!  This is helpful and definitely worth further discussion.

My fear about the new RDRS is that it won’t yield the information that’s needed.

Steve

Sent from my iPhone

On Mar 11, 2023, at 12:04 PM, Anderson, Marc <mcanderson@verisign.com> wrote:



Steve,

 

Those numbers don’t track with my understanding of Whois query volume.  Out of curiosity, I checked the .com numbers from the registry reports available publicly on ICANN’s web site.  This is what I found pulling the month of November going back to 2014:

 

Date

Port 43 queries

Nov 2022

77,081,654,896

Nov 2021

56,381,322,300

Nov 2020

52,092,331,062

Nov 2019

59,150,125,511

Nov 2018

52,430,829,599

Nov 2017

48,871,520,265

Nov 2016

30,300,083,611

Nov 2015

18,054,232,543

Nov 2014

4,876,226,670

 

That is a very unscientific sampling of the registry port 43 query volumes for one large gTLD.  Based on this I’d say that 5 billion a month is considerably less then we could expect across all TLDs, and that the volume has not decreased post GDPR, but rather continues to go up.  Even though contact data is in many cases redacted, there is still a great deal of data that is publicly available in Whois / RDAP that is of value and continues to be queried at high levels.

 

This is an interesting data point, but I’m not sure that it is helpful to us, as our focus is on non-public registration data.  Hopefully the SSAD Light (new name TBD) will help shed light on the volume of requests for non-public registration data and the outcomes of those requests.

 

Best,

Marc

 

 

 

 

From: GNSO-EPDPP2-SmallTeam <gnso-epdpp2-smallteam-bounces@icann.org> On Behalf Of Steve Crocker
Sent: Friday, March 10, 2023 5:04 PM
To: Paul McGrady <paul@elstermcgrady.com>
Cc: gnso-epdpp2-smallteam@icann.org
Subject: [EXTERNAL] Re: [GNSO-EPDPP2-SmallTeam] EPDP Phase 2 Small Team meeting at ICANN76

 

Caution: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. 

Paul,

 

Your comment and question are entirely appropriate.  I don't have the kind of data you're asking for and that I too would ask for if someone else said this, so I'll accept the label of "Crocker's opinion."  That said, I understand the total number of whois queries prior to GDPR was on the order of five billion per month.  That includes queries for what we would now consider public as well as non-public data, and it includes both the ccTLDs and gTLDs.

 

Five billion is a big number.  I don't know what the current query level is, but I believe it is less.  And not just a little bit less, but hugely less.  I'd guess it's closer to 1/1000 of the prior level.

 

As a general, you can't change a key part of any system by a factor of a thousand without making a major impact.  Where did those five billion queries per month go?  What were people doing with them, and what are they doing instead?

 

I haven't seen any attempt to provide a sensible understanding.  It still needs to be done.

 

Thanks,

 

Steve

 

 

On Fri, Mar 10, 2023 at 4:44 PM Paul McGrady <paul@elstermcgrady.com> wrote:

Thank Steve.  I would be interested in any data or studies that you have seen that support this proposition:

 

“It has taken several years to reach this point.  In the meantime, those who had made use of the Whois system for legitimate purposes have evolved toward using other methods to meet their needs.  An evaluation of the RDRS must include the broader picture in order to understand where the RDRS -- or any other replacement of the Whois system -- will fit in the overall ecosystem.  In the extreme, ne could argue that the world has gotten along well enough without any systematic solution for access to non public registration data, so there's no need to do anything.  Any attempt to define measures of success will need to address this situation.”

 

If you have no data or studies, can you just confirm that we are in the zone of your personal opinion?  That still carries weight, of course, but this reads as fact claims and I would be very interested in any factual support you may have.  I doubt those who have been phished, defrauded, or trafficked think “the world has gotten along well enough” but that is, of course, in the zone of my opinion.

 

Safe travels,

Paul

 

 

 

From: GNSO-EPDPP2-SmallTeam <gnso-epdpp2-smallteam-bounces@icann.org> On Behalf Of Steve Crocker
Sent: Friday, March 10, 2023 12:43 PM
To: Marika Konings <marika.konings@icann.org>; gnso-epdpp2-smallteam@icann.org
Subject: Re: [GNSO-EPDPP2-SmallTeam] EPDP Phase 2 Small Team meeting at ICANN76

 

Marika, et al,

 

I will be in the air headed to Cancún tomorrow during this meeting.  I remain very interested and will stay involved, but I cannot attend tomorrow.  I will read the transcript as soon as it's available.

 

My understanding is the board has approved the implementation of the system, now renamed as the Registration Data Request System, but has asked that the criteria and measures of success be defined.  My concerns about this system include the following.

  1. There has been no work toward developing a set of guidelines or agreements on what requests will be honored.  The formal stance from ICANN Org is that each registrar will have to make its own determination for each and every request.

    It's easy to understand ICANN Org's position: it avoids all liability in case someone objects to particular disclosures.  On the other hand, this process doesn't scale well.  Both the requesters and the registrars will benefit if there is at least some degree of order and certainty.

    We can expect that as requesters and registrars gain experience with this system, they will begin to see patterns that have worked previously.  Requesters will tend to tailor their requests to match prior successful queries, and they will likely tend to avoid making requests that are similar to previously failed attempts.  Similarly, on the registrar side of this equation, registrars will likely streamline their internal processing to reduce the cost and time of handling requests that are comfortably similar to previously honored requests.

    The above scenario can be improved quite a bit if the requesters share information with each other, if the registrars share information with each other, and if the requesters and registrars jointly share information.

    Thus, the first improvement to make is to either create or ask the requesters and registrars to create processes for sharing information and developing guidelines or agreements that will streamline the processes on both sides.
  2. The current design of the RDRS does not include APIs to allow the requesters and registrars to automate the interaction between their systems and the RDRS.  This is a fundamental error in system design.
  3. Use of the RDRS is optional for requesters.  They will continue to be permitted to make requests directly to registrars.  Indeed, some requesters have private arrangements with some registrars.  It will be somewhat challenging to assess the success of the RDRS without some understanding of the requests to registrars that are taking place without going through the RDRS.
  4. Participation in the RDRS is optional for registrars.  A similar comment applies regarding determination of the success of the effort.
  5. It has taken several years to reach this point.  In the meantime, those who had made use of the Whois system for legitimate purposes have evolved toward using other methods to meet their needs.  An evaluation of the RDRS must include the broader picture in order to understand where the RDRS -- or any other replacement of the Whois system -- will fit in the overall ecosystem.  In the extreme, ne could argue that the world has gotten along well enough without any systematic solution for access to non public registration data, so there's no need to do anything.  Any attempt to define measures of success will need to address this situation.

I hope these points will be helpful as the small team resumes its interactions.

 

See you in Cancún.

 

Steve

 

 

On Fri, Mar 10, 2023 at 9:59 AM Marika Konings <marika.konings@icann.org> wrote:

Dear All,

 

As you will have hopefully seen, the next meeting of the EPDP Phase 2 small team meeting will take place Saturday 11 March from 13.15 – 14.30 local time (18.15 – 19.30 UTC) in room Gran Cancun 2. For those not attending the ICANN meeting in person, you will be able to find the remote participation details here: https://icann76.sched.com/event/1J2Kp/gnso-epdp-phase-2-ssad-implementation-of-whois-disclosure-system.

 

The proposed agenda for the meeting is as follows:

 

  1. Welcome (Sebastien Ducos - small team lead)
  2. ICANN org update on status of implementation & open issues / questions for small team
  3. ICANN org & small team discussion
  4. Confirmation of action items and next steps

 

You can find the recent correspondence on this topic from the ICANN Board to the GNSO Council here: https://gnso.icann.org/sites/default/files/policy/2023/correspondence/sinha-to-ducos-06mar23-en.pdf.  The Board resolution is available at: https://www.icann.org/en/board-activities-and-meetings/materials/approved-resolutions-special-meeting-of-the-icann-board-27-02-2023-en.

 

Looking forward to seeing you in person or virtually,

 

Marika

_______________________________________________
GNSO-EPDPP2-SmallTeam mailing list
GNSO-EPDPP2-SmallTeam@icann.org
https://mm.icann.org/mailman/listinfo/gnso-epdpp2-smallteam

_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.