Emily,
Thank you for your note and, more importantly, for all the hard work you and your team have put into this effort. I apologize for the delay in responding. It's not been for lack of interest or attention; in fact, it's precisely because this is an important effort that I want to work out with you what the next steps need to be. You've asked for both a telephone briefing and a face to face briefing to the Board. I think these will be useful and we should do them, but I want to look both deeper and farther ahead. I want to make sure we ensure that the recommendations are reviewed carefully and either accepted or responded to, and for those recommendations that are accepted there will be effective implementation. Your report is but the first part of the overall process.
Another aspect that has been on my mind applies to reports in general, not just to yours. Having received reports from many different expert groups over the years, I've observed two problems that sometimes occur. One is weaknesses in writing or reasoning within a report, e.g. missing steps between factual data and conclusions, assumptions that the reader is more familiar with the subject matter, etc. The other weakness that sometimes occurs is an expert group goes beyond its mandate or purview and makes recommendations that are outside its scope. In the past we've been scared to push back on reports lest we be seen as influencing the report. I'd like to find a way to include a quality review cycle to address the weaknesses I listed but without attempting to influence the judgment or recommendations of the expert team. We haven't yet gotten this built into our cycle, so I'm struggling a bit with this. I had wanted to get a small set of people together to read and comment on your report from this perspective, but it hasn't happened yet. So, to avoid having more time pass, I'll share my comments with you and we'll move forward. See below for my comments.
Returning to the main point, I think we need to work out what the steps will be after you brief the Board. You have a list of 20 recommendations in the last section of the report. For the sake of argument, let's suppose we agreed wholeheartedly with all of these, what should happen next? Quite a lot of work will be required, and perhaps more to the point, quite a lot of coordination and buy in from others will be required. The Board doesn't have the power to unilaterally compel the set of changes you're recommending.
I've copied Diane and Denise on this note. Diane can help get a call to the Board scheduled and Denise can begin the discussion about next steps. Let's work on these.
Thanks,
Steve
==================================================================================================
Crocker's comments on the WHOIS Review Team Final Report (Draft), 5 December 2011
The report is very good and contains a lot of useful information and, of course, twenty recommendations worthy of careful consideration. The following comments are focused on specific weaknesses and are not a criticism of the overall report. They are intended to improve the accuracy and readability of the report, not to argue with the facts or recommendations.
Chapter 1, section A: I believe the original purpose of whois was to provide points of contact for the hosts that were on the network. In the early days, hosts were multi-user machines, and their administrators were roughly comparable to the operators of small ISPs. These were not points of contact for each individual. The whois system morphed over time, but the formal definition and the protocols supporting it didn't change except to become more distributed in order to scale.
Chapter 1, section B: "It is likely that it was selected for use in this context because it existed and was well understood. In all probability, it was selected by default." (1) It would be easy to check the facts. Almost all of the relevant people are still available. (2) What's the relevance of this statement? This in contrast with what?
Chapter 1, section C: "ICANN has adopted the age-old tradition of 'the study' in lieu of or [as] a precursor to action." This seems pejorative to me.
Chapter 1, section D: "Rather, it is an attempt to concisely present in a balanced and fair manner the very real truth that the current system is broken and needs to be repaired." While I don't disagree, I don't think the report has presented a proper foundation. The whois system is intended to provide contact information for a purpose, or perhaps for multiple purposes. The accuracy of that information is an important part of the story, but it's not the whole story. What needs are not being met? I think it's important to lay out the purposes of this information and how those purposes are not being met. With that in hand I think it will be a lot more clear what it means to say the current system is broken and it will also be much clearer how to fix it. To give a specific, concrete example, why is a proxy registration harmful? Suppose the proxy service promptly and reliably passes on all messages directed to the technical, administrative and/or owner points of contact. Under what circumstances would that be insufficient? I believe it depends on the purpose you have in mind for contacting the registrant. If you have in mind telling him you think the domain name or the content on his web site is infringing on someone else's intellectual property and that if he doesn't respond the domain name will be removed from service, do you actually need the registrant's true name? On the other hand, if the registrant's web site contains child pornography, then you may well need to find the person physically so you can arrest him. Even in this case, a proxy may be sufficient if it's possible for appropriate law enforcement personnel to reach the actual registrant via the proxy.
I'm not trying to argue for one outcome or another. My point here is that the purpose(s) of whois are not laid out clearly enough and hence it's not clear exactly what it means to say it's broken and hence even less clear how to fix it.
This lack of clarity is repeated throughout the report, and I think the report would be considerably stronger and more helpful if this were fleshed out.
Chapter 1, section G, recommendation 5. This recommendation calls for "reducing the number of unreachable WHOIS registrations ... by 50% within 12 months and by 50% again over the following 12 months." What is the number of unreachable whois registrations now?
Recommendation 17: "Thin registry" is mentioned but not yet defined.
Chapter 2, section A: The list of people on the WHOIS Review Team is impressive, but I didn't see very many people who were likely to supply the technical depth and understanding of the history that you would have needed. Were there outside advisers?
Chapter 3, section A: "There are now over 900 gTLD Registrars..." This is accurate in a very narrow sense. It would be a service to the reader to include a much better picture. First, the very large majority of these 900 registrars are shell companies that exist solely to provide threads to be used in the drop-catch process. They're not particularly relevant to the whois issue. Further, another largish clump of registrars are run by domainers. The names registered through them are not active on the net in ways that are relevant to this report. (Or, perhaps they are relevant, but only for a specific purpose such as determining who's holding a name that infringes on a trademark.) Yet further, even among the remaining registrars, there are important distinctions and segments. Just a few, starting with GoDaddy, are very large. The top several account for the vast majority of the registrations. Meanwhile, the resellers drastically change the numbers in the opposite direction and also play a prominent role in any analysis of what the problems are. It would be useful if this report included a good description of what the registrar and reseller landscape actually looks like.
Chapter 3, section B: "Modern WHOIS Policy is buried in the contracts of the current Registry and Registrar Agreements." What was WHOIS and WHOIS policy prior to ICANN?
"As discussed above, the .COM and .ORG Registries, both run by VeriSign..." I think you meant NET, not ORG. (Also, Verisign no longer uses camel case.)
Chapter 4, section D: What constitutes "wholly accurate"? What impact does this inaccuracy have? (These questions are a continuation of the primary question asked above about the purpose of the whois data.)
"Just as there is no shared understanding or statement of the purpose of WHOIS..." To me, this is the key. It seems to me important to put the purpose of WHOIS squarely on the table and deal with the multiple purposes and multiple understandings of what the problems are.
Chapter 5, "the issue of non-Latin scripts" -- What is the issue?
"ad hoc solutions" might be interpreted as a pejorative term.
"the community needs to urgently address the following issues:
1. What data is needed from the registrant,
2. How this data will be represented in the data model, and
3. How this data will be accessed through registration data services."
I don't think this is sufficient. I'd add:
4. By whom?
5. For what purpose?
This last question controls the accuracy question, i.e. is the data accurate enough for the purpose?
"... a consistent policy across ccTLDs and gTLDs would make it much easier for consumers and law enforcement to use WHOIS data." Yes, but the diversity also provides a richer set of practices to study and learn from.
Chapter 6, "... effective in meeting the needs of law enforcement and promoting consumer trust." These phrases should be expanded and explicated.
Chapter 6, section A: "Having a failsafe avenue to contact administrators..." What is the difference between inaccurate information and an unresponsive registrant?
"Even this is not a significant concern for many registrants when only a small proportion of domain names lead to web sites that the registrant has a vested interest in maintaining uninterrupted access." So why does accuracy matter?
Chapter 6, section B, "knock on effects" -- What does this term mean?
Chapter 6, section B, "lack of due diligence" -- What does this mean here? This seems like a different matter.
"Another issue identified by the review team relates to the ability of consumers to access WHOIS data. ... over 80% of consumers are unaware of WHOIS..." -- This is an entirely different issue and it should be put in a different part of the report. This is perhaps a really good example of one of the many distinct "purposes."
"... the Intellectual Property Constituency argued that:
ICANN is subject to a commitment 'to having accurate and complete WHOIS' ... ICANN is not required to implement national safeguards for individuals' privacy..." -- This statement seems fatuous or perhaps disingenuous and hence puts the Intellectual Property Constituency in an unnecessarily bad light. Is this a fair presentation of their position?
"Comparison with ccTLD Practices" -- This section is very good.
On Jan 9, 2012, at 4:43 AM, Emily Taylor wrote:
Hi Steve
And a very Happy New Year to you and your family. I'm sure this year will be a challenging one for ICANN, but if I may say so, I think that your recent statements as Chairman have done much to calm the waters.
I'm writing as Chair of the WHOIS Review Team, to explain the reasons why we have requested some time with the Board to discuss our draft report.
The draft was published in December 2010, and is currently out for public comment. We will be holding a public forum in Costa Rica.
You may recall that the WHOIS Review Team was formed under the Affirmation of Commitments. Its membership was selected by Rod and Heather, and it was formally constituted in late 2010. We held our first formal face to face meeting in January 2011. We published our report in early December, with 20 recommendations that we hope the Board will adopt. Our plan is to finalise the report following Costa Rica, to be published in April.
As you may be aware, the draft report and recommendations have been referred to with approval by both the Federal Trade Commission and in Larry Strickling's most recent letter to ICANN.
During the course of 2011, the Review Team undertook extensive outreach within the ICANN Community. We met with the GAC, various GNSO constituencies including the Registries, Registrars, IPC, BC, and NCUC, also with ALAC, and ccNSO. We also invited both signatories of the Affirmation of Commitments to give us an early briefing, so that we could better understand each party's objectives in calling for a review of WHOIS. We had a very helpful briefing with Larry Strickling, but unfortunately it was not possible for ICANN's Chief Executive to find the time. However, I would say that the ICANN staff were generous with their time, open and professional throughout the Review.
I made a number of requests to Peter for us to meet with the Board during 2011, to give a progress report and seek the Board's input. Unfortunately, due to other demands on the Board's time, it proved impossible to schedule any time together.
Denise and I discussed the idea of doing a phone briefing with the Board. I believe that by having this contact in good time prior to the Costa Rica meeting, we will all be giving ourselves the best chances of success by:
- Guiding the Board through the salient points in the report, and introducing the recommendations
- Hearing any concerns or comments that you may have early in the public comment process, so that the Review Team has time to consider them prior to Costa Rica
- We are conscious that we have had no communication at Board level with ICANN, one of the signatories of the AoC, throughout our review, and believe that it would be appropriate to have some dialogue before our work is finalised, especially as our recommendations are directed at the Board.
I would also be happy to have a short phone call 1:1 with you, in order to provide an informal briefing, and discuss the most effective way of introducing the report to the Board.
With best wishes,
Emily Taylor
Chair,
WHOIS Review Team
