Just prior to going on vacation for a couple of weeks, we (WebWatch) worked with Bob Sullivan of MSNBC on this story: http://redtape.msnbc.com/2007/09/to-some-its-the.html
From the article you can of course see WebWatch's point of view. Wendy Seltzer is quoted as well, with a different perspective. But more interesting, in a way, than the article itself are the forty-odd comments from users. Most of what we hear at WebWatch are comments similar to the one posted by a Michael Buie in Raleigh, NC: "I don't know what should be done. I just want the SPAM to stop!"
Beau Brendler
Good story. I think the biggest problem is misinformation. If the public thinks having a public WHOIS will stop spam, #1 they're misled, #2 they'll support it. Unfortunately, we're in a FOX news era temporarily, and naivety will prevail over reality. I think most of the people here are smarter than that. So, translating that to the public and making it real is something I think we should discuss with importance. I always think about what I would have to say to my grandma - someone who was alive before there were airplanes - if I were to explain the IPv4 - IPv6 conversion. First thing, keep it simple, and second, what matters to her. There are technical solutions to spam, but the public is being misled because they use email so often. Analyzing the Asian markets is fascinating in that the propensity to use email is declining in favor of mobile devices. When spammers take over wireless devices, the providers will be as involved as they are now with ISPs, they'll permit whatever makes them money.

The key point to our concern, I think is stated in the article:

----
"Whois rules contradict many international privacy laws, some say. In Canada and Europe, for example, it's generally illegal for a company to make any consumers' personal information available to others. "As a Canadian company, we have laws to abide by. It's very questionable whether ICANN policy is consistent with Canadian law," Rader said. On the other hand, the U.S. government position is clear: Keep Whois available." (http://redtape.msnbc.com/2007/09/to-some-its-the.html)
---

It is this reason that we should discuss this issue and encourage ICANN to follow a certain path. This highlights the responsibility to our constituency. This is not just a legal issue, it's beyond that. Rather, there are moral ramifications across borders.

Thanks Beau and Wendy !

aloha, RJGlass A@L
RJGlass | America@Large wrote:
It is this reason that we should discuss this issue and encourage ICANN to follow a certain path. This highlights the responsibility to our constituency. This is not just a legal issue, it's beyond that. Rather, there are moral ramifications across borders.
The GNSO is about to come to yet another impasse on the Whois issue at the upcoming meeting. Recognizing this, I have proposed a motion to the GNSO Council that essentially states "Recognizing that there is no community consensus on Whois policy, the GNSO recommends that ICANN sunset all Registry/Registrar whois requirements [within one year? or something like that..]"

If carried and accepted by the board, I believe this motion would have the effect of changing the incentives for the intellectual property, law enforcement and intransigent registry/registrar community such that they would be more threatened by losing their precious status quo and therefore more inclined to engage in good faith policy negotiations with one another. This is not happening now.

I fully expect that this motion will also fail to pass. However, I believe it will be important for the ICANN Board and the GNSO to hear clearly that ICANN is failing to protect the rights and interests of registrants and users. They must hear that it is no longer tolerable to sacrifice the interests of registrants and users in order to placate Hollywood and Washington.

ICANN needs more than encouragement on this issue. It needs to hear from a strong, clear and unified voice that the status quo is no longer acceptable and in the absence of measurable progress, must immediately curb the rampant privacy abuse that comes from the maintenance of this unnecessary and unwanted service.

For those of you that remain unconvinced that Whois abuse is commonplace, here is a great blog post by an unlicensed data miner who feels secure enough in the current regulatory environment to come out of the closet and offer subscription based access to your data... http://blog.domaintools.com/2007/10/registrant-search/

-r
If carried and accepted by the board, I believe this motion would have the effect of changing the incentives for the intellectual property, law enforcement and intransigent registry/registrar community such that they would be more threatened by losing their precious status quo and therefore more inclined to engage in good faith policy negotiations with one another. This is not happening now.
Were it to pass, the people who use WHOIS data would just sue to maintain the status quo. The position of the US DOC (the position which matters the most) is quite clear from the requirements they put in the .US rebid so ICANN's track record of caving to legal threats would remain unbroken.
For those of you that remain unconvinced that Whois abuse is commonplace ...
Um, WHOIS data is public. It's abuse that every time I register a domain, I get a blizzard of credit card offers, but it's not abuse that the info itself is public. A good place for negotiations to start would be for the anti-data crowd to admit that there are indeed legitimate reasons to use WHOIS info, and there is not a basic right to register a domain. (If there were such a right, we wouldn't be charging for them.) That's been sorely lacking so far. R's, John
John L wrote:
Were it to pass, the people who use WHOIS data would just sue to maintain the status quo. The position of the US DOC (the position which matters the most) is quite clear from the requirements they put in the .US rebid so ICANN's track record of caving to legal threats would remain unbroken.
Let them sue. I'm sure my government would love this.
it's not abuse that the info itself is public.
No, of course not. But it's the accessibility and anonymity that fosters the abuse. Anyways, not really the point. The example my link pointed to was of a service that consists of illegitimately scraped Whois data going back many, many years that now serves to provide contact information for natural persons completely outside of the scope and purpose for which it was originally collected.
A good place for negotiations to start would be for the anti-data crowd to admit that there are indeed legitimate reasons to use WHOIS info, and there is not a basic right to register a domain. (If there were such a right, we wouldn't be charging for them.) That's been sorely lacking so far.
I don't think anyone has ever denied a) nor claimed b). The issue comes down to whether or not those legitimate uses can or should be accommodated through the public Whois system. I don't see any reason why this is the cause. The ISP and Hosting industries have proven that it is possible to accommodate legitimate uses of customer data without making it publicly accessible on an anonymous basis.

It's no wonder progress has been so difficult on this issue - the starting point for the anti-privacy crowd is simply so outrageous that it can't be reasonably addressed.

-r
I agree Ross, Finally !!

On 10/19/07, Ross Rader <ross@tucows.com> wrote:
John L wrote:
Were it to pass, the people who use WHOIS data would just sue to maintain the status quo. The position of the US DOC (the position which matters the most) is quite clear from the requirements they put in the .US rebid so ICANN's track record of caving to legal threats would remain unbroken.
Let them sue. I'm sure my government would love this.
it's not abuse that the info itself is public.
No, of course not. But it's the accessibility and anonymity that fosters the abuse. Anyways, not really the point. The example my link pointed to was of a service that consists of illegitimately scraped Whois data going back many, many years that now serves to provide contact information for natural persons completely outside of the scope and purpose for which it was originally collected.
A good place for negotiations to start would be for the anti-data crowd to admit that there are indeed legitimate reasons to use WHOIS info, and there is not a basic right to register a domain. (If there were such a right, we wouldn't be charging for them.) That's been sorely lacking so far.
I don't think anyone has ever denied a) nor claimed b). The issue comes down to whether or not those legitimate uses can or should be accommodated through the public Whois system. I don't see any reason why this is the cause. The ISP and Hosting industries have proven that it is possible to accommodate legitimate uses of customer data without making it publicly accessible on an anonymous basis.

It's no wonder progress has been so difficult on this issue - the starting point for the anti-privacy crowd is simply so outrageous that it can't be reasonably addressed.
-r
------ NA-Discuss mailing list NA-Discuss@atlarge-lists.icann.org
http://atlarge-lists.icann.org/mailman/listinfo/na-discuss_atlarge-lists.ica... Visit the NA-RALO Wiki at https://st.icann.org/naralo/ ------
-- ------------------------- AmericaAtLarge.org RJPacific.com DDMF.org
anti-privacy?

-----Original Message-----
From: na-discuss-bounces@atlarge-lists.icann.org [mailto:na-discuss-bounces@atlarge-lists.icann.org] On Behalf Of RJGlass | America@Large
Sent: Monday, October 22, 2007 10:02 AM
To: ross@tucows.com
Cc: NA Discuss
Subject: Re: [NA-Discuss] Getting the WHOIS word out to users
anti-privacy?
There is a long-standing meme in the pro-phish/porn/terror* camp that the interests of the relative handful of individual domain registrants trump the interests of everyone else. That's one of the key reasons that WHOIS reforms go nowhere. Rereading Ross' message, it looks to me like he considers a domain registration basically just a little private agreement between the registrant and the registrar or registry, and it's really nobody else's business, which is why he characterizes everyone else as free riders. The problem is that it's more like a building permit, which some people use to build a backyard gazebo and some use to build a backyard toxic waste dump. I'm sure my friends in law enforcement would be more amused than annoyed to hear that they're free riders when they clean up the messes that registrations enable, but it's not a position that is defensible in the long run. R's, John * - we have lots more hot button insults to throw around, so let's not.
John L wrote:
anti-privacy?
There is a long-standing meme in the pro-phish/porn/terror* camp that the interests of the relative handful of individual domain registrants trump the interests of everyone else. That's one of the key reasons that WHOIS reforms go nowhere.
Rereading Ross' message, it looks to me like he considers a domain registration basically just a little private agreement between the registrant and the registrar or registry, and it's really nobody else's business, which is why he characterizes everyone else as free riders. The problem is that it's more like a building permit, which some people use to build a backyard gazebo and some use to build a backyard toxic waste dump.
If we want to trade analogies, the IP address is the plot of land, and the domain name is the "Barack for President" sign the landowner wants to hang in the window. Why again should we be regulating speech? :) --Wendy
I'm sure my friends in law enforcement would be more amused than annoyed to hear that they're free riders when they clean up the messes that registrations enable, but it's not a position that is defensible in the long run.
R's, John
* - we have lots more hot button insults to throw around, so let's not.
-- Wendy Seltzer -- wendy@seltzer.org phone: +1.914.374.0613 // office: 617.373.7331 Visiting Professor, Northeastern University School of Law Fellow, Berkman Center for Internet & Society http://cyber.law.harvard.edu/seltzer.html http://www.chillingeffects.org/ http://www.torproject.org/
On 22-Oct-07, at 10:22 AM, John L wrote:
it's really nobody else's business, which is why he characterizes everyone else as free riders.
Actually, it's just the intellectual property types that I lump in as free riders. They make no net contribution to the overall framework. While LE, etc. don't actually contribute directly in the form of $$, etc. you quite rightly point out that the registration system is made "better" with their participation.

Unfortunately, the intellectual property crowd has co-opted law enforcement in this discussion, and it is impossible to disentangle their respective demands - the last round of discussions was purposely scoped to attempt to bring law enforcement et al., closer to the discussion so that they could speak for themselves. Unfortunately, the intellectual property crowd hijacked the entire discussion and we didn't get near the input from them that we needed to in order to make the compromises that might get them onside.

For instance, coming out of the Portugal meeting, we had strong consensus around encrypting personal data but giving law enforcement and other "problem solvers" access to the keys necessary to decrypt it. I believe this approach nicely solved for both the privacy and access issues. Suffice to say the intellectual property crowd didn't like it because they largely wouldn't qualify for the same access as law enforcement/anti-phish, etc.

That all said, the practical reality is that registrars continue to quietly work with law enforcement, anti-phish, etc. to get them the real data that they need to solve real problems. I suspect that this would continue even in the absence of Whois as the really helpful data that registrars and host providers have aren't covered by the ICANN contracts and requires an ad hoc, case by case approach in order to be obtained.

I predict that we will quickly find out how we can live without Whois when registrars start to apply for exemptions under the National Law policy that the board is considering. U.S. based registrars will be able to continue to offer Whois, but most others simply won't.
We'll have no choice but to figure out how to work together when this happens. From a user perspective, this is an important development because it will mark the movement of control from ICANN's contracts and consensus policies to various national jurisdictions. Not that anyone is ever exempt from following their national law, but this will be the first time that the process has failed to find a compromise that allowed ICANN policy to co-exist with the various national laws that users and suppliers are subject to. I don't view this as a good thing for users in the long run. If you think that it is difficult to navigate the registration agreements and contracts now, wait until the extra dimension of national law considerations comes into play in a real way. -ross
From my perspective as a user with several domain name registrations, I don't understand why it is so difficult to craft a policy that will allow law enforcement and network administrators to contact me about illegal conduct or network issues and yet still prevent people who might wish me ill from driving to my house. Bret
It's not difficult, Bret. The only issue is convincing ICANN/Registries/Registrars that it's important to take that view and make it so. If the data is kept private, the registrars would of course still be able to contact their customers and 'law enforcement' would still be able to issue warrants to obtain that data. To jump on the bandwagon, in the post 9-11 era, it is much easier for law enforcement and such to obtain warrants and data as they no longer have to prove anything, rather just make a request.

Of course there will still be abuses. Registrants that want to hide will still give false data, law enforcement will still be wrong half the time, and the real thieves will still hack into the systems and steal the data. But at least it won't be readily available to everyone for global abuse.

- RJGlass A@L

On 10/22/07, Bret Fausett <bfausett@internet.law.pro> wrote:
From my perspective as a user with several domain name registrations, I don't understand why it is so difficult to craft a policy that will allow law enforcement and network administrators to contact me about illegal conduct or network issues and yet still prevent people who might wish me ill from driving to my house.
Bret
On 23-Oct-07, at 7:16 AM, RJGlass | America@Large wrote:
The only issue is convincing ICANN/Registries/Registrars that it's important to take that view and make it so.
Actually, the registrars and PIR were instrumental in getting the compromise position in front of the GNSO at a time when it was largely just the NCUC taking a pro-privacy approach. However, it has proven impossible to move the ball much further down the field and some of the core support for the position from elsewhere has become less solid.
If the public thinks having a public WHOIS will stop spam, #1 they're misled, #2 they'll support it.
Sorry to disturb the discussion by injecting some facts here, but last week I was at a joint meeting in Washington of MAAWG, which is where the anti-abuse people from large ISPs all over the world meet, and LAP, which is where civil and criminal anti-abuse law enforcement get together. Real people at ISPs and law enforcement really use the current WHOIS, crummy though it is, to figure out who's abusing their networks, track them down, and more than you might realize, put them in jail. They would of course prefer if registrars made a nominal attempt to verify the junk that their customers put into WHOIS, but the current WHOIS is way more useful to them than no WHOIS at all, or the pessimal OPOC proposal which puts an unverified alleged contact in front of the current unverified info.
There are technical solutions to spam
Man, that is so 1995. If there were technical solutions to spam, don't you think we would have solved it by now? We have a bunch of technical stuff in the pipeline to help authenticate real mail, but the approaches to increasingly organized and criminal spammers are primarily social, political, and legal, not technical. R's, John
John L wrote:
the pessimal OPOC proposal which puts an unverified alleged contact in front of the current unverified info.
That's spin John. The OPOC proposal simply merges the existing Admin, Technical and Billing contacts into a single contact called the Operational Contact. Nothing more and nothing less. There's no need to have three contact types in this day and age any more than it's necessary to print my home phone number in this public directory. You've been hanging out with the wrong people too long if you really believe that the OPOC proposal is the worst case outcome.

-ross
You're right, it's easy to imagine proposals far worse than OPOC, but ...
The OPOC proposal simply merges the existing Admin, Technical and Billing contacts into a single contact called the Operational Contact. Nothing more and nothing less.
Really? According to your slides from Sao Paulo, it also redacts most of the registrant info and adds yet to be defined hoops to jump through to get access to it.
There's no need to have three contact types in this day and age any more than it's necessary to print my home phone number in this public directory.
I don't think combining the contacts was contentious. The issue was and is removing the useful info from public WHOIS. The reason this has gone nowhere is that all of the proposals have been purely worse than the status quo for the people who use WHOIS. If there were a reasonable tradeoff, e.g., redact some but verify it so once you get to the redacted stuff it's more likely to be right, there could be some productive negotiations.

R's, John

PS: I understand why registrars are not thrilled about proposals that require more work on every registration.
John L wrote:
If there were a reasonable tradeoff, e.g., redact some but verify it so once you get to the redacted stuff it's more likely to be right, there could be some productive negotiations.
Unfortunately, that tradeoff was already made, when "accuracy" was mandated years ago with the implicit promise that the privacy side would be put in place shortly after. Of course once an accuracy requirement was in, that became the baseline from which further negotiations would (not) happen.

--Wendy
Unfortunately, that tradeoff was already made, when "accuracy" was mandated years ago with the implicit promise that the privacy side would be put in place shortly after.
Well, at this point I think we can all agree that in practice we have neither. That should be a point of departure. R's, John
John L wrote:
Really? According to your slides from Sao Paulo, it also redacts most of the registrant info and adds yet to be defined hoops to jump through to get access to it.
You specifically said "OPOC proposal which puts an unverified alleged contact in front of the current unverified info". I was only addressing that statement. Of course there are other elements of the proposal. Why again should my personal information be included in the public Whois?
I don't think combining the contacts was contentious. The issue was and is removing the useful info from public WHOIS. The reason this has gone nowhere is that all of the proposals have been purely worse than the status quo for the people who use WHOIS.
No John, this is not the reason this has gone nowhere. It has gone nowhere because the USG government has more say in the process than private user. It has gone nowhere because the free riders (law enforcement, IP interests, ISPs) have a stronger lobby than the primary stakeholders. It has gone nowhere because specifically those interests have rejected every reasonable compromise that has been offered them. Furthermore, ICANN has no policy to support the status quo. The lack of consensus on what this policy should be speaks volumes. Why should the status quo be maintained if there is no consensus to support its existence?
If there were a reasonable tradeoff, e.g., redact some but verify it so once you get to the redacted stuff it's more likely to be right, there could be some productive negotiations.
This, and much more substantive compromises have been offered up and rejected. For instance, to limit the publication waivers to private individuals didn't seem good enough for the free riders. That was a productive negotiation. (not to mention that the whole verification bit is a fallacy. ICANN continues to do regular data accuracy analysis and continues to show that the quality of Whois data is actually increasing).
PS: I understand why registrars are not thrilled about proposals that require more work on every registration.
Another red herring. I'm not thrilled about having my home address listed in a public directory for all time with no control over its use contrary to the laws of the country I live in. -r
I've never seen evidence that the public thinks that a public WHOIS will actually stop spam, as you put it. What I have seen factual evidence of is a) the public does not value the privacy of domain name registrants over access to a resource that may help them, or law enforcement on their behalf, solve problems of fraud; b) that the public believes, in a transactional environment, you're entitled to have some idea who you are dealing with.

Maybe, in a future where there are hundreds more domains, some could require a higher authentication bar for registrants and more usable public data to create environments where users are/feel more secure. In a sense, this has already happened (ask the general public what their impressions are of a .com address vs. a .biz, or a .org, for example), but I don't get the idea that a lot of consumers know which domains to steer clear of. I hope that another organization I work with, StopBadware.org, might be able to present some data on "bad" domains where a lot of drive-by downloads of malware take place.

I can tell you, doing investigations, I have used WHOIS on many occasions to either assist a consumer or to make a recommendation to consumers about a Web site or business to avoid. It's imperfect, there are a lot of problems, and sometimes it's a dead end, but more often, it helps.

The ICANN's security committee people are working directly with the Anti-Phishing Working Group, and have discussed working with and briefing consumer organizations on that ongoing work and involving them in it. I also know the ICANN hierarchy has asked for further study of the spam/phishing/privacy and WHOIS debate. I would guess that Dave Piscitello of the SSAC would give a briefing on some of this on a teleconference and/or in person in LA if we were to ask.

Beau Brendler

________________________________
From: John L [mailto:johnl@iecc.com]
Sent: Tue 10/16/2007 8:30 PM
To: RJGlass | America@Large
Cc: Brendler, Beau; NA Discuss
Subject: Re: [NA-Discuss] Getting the WHOIS word out to users
If the public thinks having a public WHOIS will stop spam, #1 they're misled, #2 they'll support it.
Sorry to disturb the discussion by injecting some facts here, but last week I was at a joint meeting in Washington of MAAWG, which is where the anti-abuse people from large ISPs all over the world meet, and LAP, which is where civil and criminal anti-abuse law enforcement get together. Real people at ISPs and law enforcement really use the current WHOIS, crummy though it is, to figure out who's abusing their networks, track them down, and more than you might realize, put them in jail. They would of course prefer if registrars made a nominal attempt to verify the junk that their customers put into WHOIS, but the current WHOIS is way more useful to them than no WHOIS at all, or the pessimal OPOC proposal which puts an unverified alleged contact in front of the current unverified info.
There are technical solutions to spam
Man, that is so 1995. If there were technical solutions to spam, don't you think we would have solved it by now? We have a bunch of technical stuff in the pipeline to help authenticate real mail, but the approaches to increasingly organized and criminal spammers are primarily social, political, and legal, not technical. R's, John
participants (6)
- Brendler, Beau
- Bret Fausett
- John L
- RJGlass | America@Large
- Ross Rader
- Wendy Seltzer