Rob Golding's input - Session with RrSG & RySG
Dear Review Team Members,

Please see below input received from Rob Golding. As you might recall, Rob was participating remotely in your session with the RySG and RrSG.

Thank you,
Very best regards
Alice
On 6/22/11 9:30 AM, "Rob Golding" <rob.golding@othellotech.net> wrote:
I'm "remote", but we have a complete response to all the whois questions ... numbered as per their points - it's 2.30am in the UK ...
1) The unfortunate situation we find ourselves in, is that the WHOIS element has been vastly skewed from its original purpose. LEAs wish it to be a single stop shop for identifying criminals (rarely the case), mass-marketers (read: spammers) simply mine it for more hapless victims, governments and others cannot simply comprehend that a domain registration is entirely separated from the services offered from FQDNs at that domain.
ICANN and by extension registrar _must_ re-iterate the appropriate responsibilities of each party regarding WHOIS. i.e. the actual data is the responsibility of the registrant, the registrar must provide universal access to it, ICANN oversees that the registrar sends reminders and does actually provide access to the data.
This has additional knock-on effects which must be recognised in other ICANN dealings and policies; e.g. as the registrant is responsible for the data in the WHOIS service, LEAs/Governments cannot impose _publisher_ restrictions or crimes upon registrars.
ICANN must also impress upon other stakeholders i.e. the GAC and LEAs, that the WHOIS service and the data contained therein, is at best informational. Data held in the WHOIS cannot be construed to imply relationships, contracts etc. and that registrars are ultimately responsible to their commercial customers - which is not necessarily the party named in WHOIS.
2) Simply put, ICANN should set and stand-by an agreed use for the WHOIS service. Originally its purpose was clear, and greatly aided in the technical operation of the internet. That purpose was significantly muddled to the point where it is almost useless for its original purpose.
3) We have daily exposure to the WHOIS policies for .uk, which is tightly coupled both contractually and legally with the UK legal system. This makes controlling the data and purpose significantly easier as there are enforceable contract terms (with the named registrant) to delete/suspend the registration in the event of poor data quality. Due to the disparate nature of the gTLD system this is either poorly defined or non-existent. At this late stage it would be considered unfair and/or impossible to impose these kinds of restrictions and penalties for the vast populace.
4) This is simple. ICANN already requires the registrars to escrow unprotected data. This public WHOIS data may be protected at the registrant's request. Other users (i.e. LEAs) should show appropriate court orders for access to the protected data when there is a clear need.
5) It shouldn't. As long as the registrar is fulfilling its escrow obligations, privacy services are a commercial consideration between them and their customers. There are already established legal methods for revealing this data.
6) They aren't; registrars still regularly block/restrict and/or disable RADAR registered connections. Registrants are still allowed to provide clearly incorrect data.
7) In two words, Data Quality. Registrars must rely on the information provided by their customers. Largely there is no international method for validation - and even so would drastically increase costs to do so. We do not have any kind of international verification for postal codes to city for example. Whilst there are systems and validations for each nation-state's system, this is not universal.
8) Swift and effective notification and consequences imposed when required. We recognise the need for a fair amount of time to remedy breaches - less so for registrants to change details but more so for correcting software defects at the registrars. However, unless the consequences are universally understood as certain - there will always be certain quarters that will flout the rules. Even if a majority of registrars commit to a unified code of conduct, we would be committing commercial suicide as registrants would flock to those allowing them to flout the rules or avoid their registration being removed for false data.
9) ICANN compliance with the registrars must complete their work in a timely manner. If this requires more resources then fine. However it cannot 'obtain' any new powers to enforce rules on registrants. It is not a 3rd party to the commercial contracts. This element of compliance must be handled by registrars, however unless it is employed 100% it will never be effective.
10) I doubt it can.
11) No ccTLD has cracked this issue.
12) Yes; the more compliant a registrar attempts to become, the more costs they incur - in development, customer contact or commercial deficit (losing business to other registrars who simply don't care).
13) Largely nothing. There are still on-going compliance issues causing daily problems for transfers between registrars. Maybe after six to nine months will a registrar lose their accreditation - but usually this is over fees rather than compliance.
participants (1)
-
Alice Jansen