Comments inline: On Aug 30, 2011, at 1:16 PM, <kathy@kathykleiman.com<mailto:kathy@kathykleiman.com>> <kathy@kathykleiman.com<mailto:kathy@kathykleiman.com>> wrote: Hi All, I hope all is well. My family and I have survived the earthquake and hurricane on the East Coast this past week -- and are hoping for easier conditions in the future :-)! Like you, I am in the midst of my due diligence preparing for our meeting on Thursday (with the disclaimer that I may not be able to attend due to the change of date and my travel schedule). I am preparing my email comments to share with the group. As promised, I did my "deep dive" on the comments we received in June/July to our Discussion Paper. I complement the many groups that submitted interesting and informative comments -- a lot of work was spent responding to our queries. To Olof, I say Thank You! His comment summary, and especially his sorting of the comments question by question is excellent. I urge you to review the document at http://www.icann.org/en/public-comment/report-comments-whoisrt-discussion-pa... However, a few commenters asked us to look at things a little differently. They asked us to include questions we had not asked, and history we had not included. Some have very long histories in the Whois Arena, as part of GAC, ALAC, Registrars and NCUC. ** I created a short summary of these comments -- and some addition, important, points and questions they raise. I have tried to shorten and summarize with quotes (as Olof did -- thanks for the example, Olof!) --- below and attached. Best, Kathy ------------- expanding our inquiry -- comment highlights ---------- AN EXPANDED VIEW OF THE WRT QUESTIONS (Responses to WRT Discussion Paper) Introduction: While Olof did an outstanding job of summarizing the questions by sorting them according to their responses to our 14 questions, certain issues fell between the cracks – largely because groups and communities asked us to look at questions beyond those we had chosen to ask. This paper takes a short look at what others asked us to see – including overstretching the purpose of Whois, significant policy work in the limitations of Whois, and the importance of history and historical perspective in our work. Thanks for taking a fast look at these summaries—and feel free to return to the full comments (found at http://forum.icann.org/lists/whoisrt-discussion-paper/). 1. Christopher Wilkinson, former GAC & GAC Secretariat (EU) on purpose of Whois: “I rather doubt that the initial purposes of the Whois protocol and database extended to their current utilisation. It would appear that rather more is expected of Whois than it is capable of delivering in view of the legacy of past practice and the current and prospective scale of the Internet.” (In Discussion Paper Comments) I am not aware of any evidence that WHOIS, protocol or data delivery, is incapable of operating at Internet scale. In fact, we have an existence proof of the opposite. I hope we review these comments in light of our scope<https://community.icann.org/display/whoisreview/Scope+and+Roadmap+of+the+WHO...> and recall that our primary charge is to Policy assess policy, not protocol. Simple as it is, WHOIS the protocol is capable of delivering, at scale, most any information that policy dictates. Whatever the problems of WHOIS, they are not related to databases or protocol as suggested in the excerpted paragraph. 2. At Large Advisory Committee on the need to view the issues differently: “It is our view that this Team must treat with and declare (1) whether the WHOIS construct as originally devised and for the purpose intended is still necessary, (2) whether the WHOIS dataset as originally determined remains fit to its original purpose, and (3) whether the several identifiable uses made of both the WHOIS data and processes that have expanded the original intent are useful and in the public interest.” At Large Advisory Committee on the need to consider types of use in our compliance schemes: “Neither is it rational for the same risk in class or kind to be ascribed to all domains; domains used primarily for support of business transactions on the Web have a higher risk of consequential fraudulent activities than do those used for more personal or informational pursuits. As such, certain adjustments in approach to compliance and our expectations of the impact from compliance might benefit from a change in the philosophical construct of compliance and the processes used to affect the assurance of compliance.” At Large Advisory Committee on the need to consider cycles of registration in our compliance schemes: “We believe that the all‐round public interest may be better served by recognizing that the risks from the fraudulent actions of bad actors are not the same throughout the WHOIS data cycle but tend to be cyclical – higher following the establishment of new domains and decreasing thereafter.” (In Discussion Paper Comments) 3. Noncommercial Users Constituency on Why Privacy and Accuracy are Not at Odds: “Privacy and accuracy go hand-in-hand. Rather than putting sensitive information into public records, some registrants use "inaccurate" data as a means of protecting their privacy. If registrants have other channels to keep this information private, they may be more willing to share accurate data with their registrar.” “The problem for many registrants is indiscriminate public access to the data. The lack of any restriction means that there is an unlimited potential for bad actors to access and use the data, as well as legitimate users and uses of these data.” Noncommercial Users Constituency on Why the Operational Point of Contact Proceeding Marks a Critical Point of Agreement in the GNSO on a narrow purpose to Whois: “ICANN stakeholders devoted a great deal of time and energy to this question in GNSO Council-chartered WHOIS Task Forces. At the end of the Task Force discussion in 2006, the group proposed that WHOIS be modified to include an Operational Point of Contact (OPOC): <http://gnso.icann.org/issues/whois-privacy/prelim-tf-rpt-22nov06.htm>” “Under the OPOC proposal, "accredited registrars [would] publish three types of data: 1) Registered Name Holder 2) Country and state/province of the registered nameholder 3) Contact information of the OPoC, including name, address, telephone number, email." “Registrants with privacy concerns could name agents to serve as OPoC,thereby keeping their personal address information out of the public records.” (In Discussion Paper Comments) 4. Why Registrars under Tucows leadership strongly sought a balance to simply Whois data, while improving it. Slides of Ross Rader, of Registrars Constituency and registrar Tucows, discussing goals and advantages of Operational Point of Contact, endorsed and a multi-year GNSO team. These slides and ideas were reference by Elliot Noss, Pres of Tucows at the Registrars/WRT meeting in San Fran as well as by the NCUC in the recent comment period. Goals (Operational Point of Contact- Powerpoint Slides) “• to simply Whois data output • reduce facilitation of domain related scams, illegal data mining, phishing and identity theft • maintain or increase the value of Whois for all stakeholders • provide solid foundation for enhanced access to data by key stakeholders • promote data accuracy” (Link to slides in NCUC Discussion Paper Comments) 5. Dr. Mueller: Why technical History is important – because it shows us where we stopped thinking about purpose and goals. Dr. Milton Mueller asks us to examine his academic paper on the Whois issues, and considers history to be a very important factor – before and during ICANN. Here are some highlights. “This article examines how the Internet’s Whois service has evolved into a surrogate identity system. The Whois service allows any Internet user to type a domain name into a Web interface and be immediately returned the name and contact details of whoever has registered the domain. It is used by police to bring down Web sites committing crimes; its information is harvested by spammers and marketers seeking to send their solicitations; it is used by people curious to know who is behind a Web site or e-mail address; above all, it is used by trademark and copyright attorneys to keep an eye on their brands in cyberspace… “We recount the story of Whois because it forces us to re-examine our understanding of the relationship between technological systems and global governance institutions. To understand the importance of the Whois service, one need only think of the license plate of an automobile on the road, and imagine that anyone who saw the license plate would be able to type it into a computer and be returned the name of the car owner and his or her street address, telephone number, and e-mail address. “That is what Whois does to domain name registrants. It links the vehicle for navigating the complex arena of cyberspace (domains) to a responsible individual, a location, or a jurisdiction. Of course in the real world, access to drivers’ license databases is restricted to law enforcement authorities and motor vehicle departments. It is not difficult to imagine both the benefits—and the trouble—that might be caused by free, anonymous, unrestricted public access to drivers’ license databases. No doubt some additional crimes would be solved and perhaps some amazing new information services could be developed by a Google of the future. No doubt, also, incidents of road rage and stalking would be taken to new heights. The same concerns apply to Whois. In addition to facilitating accountability on the Internet, open access to registrant contact data raises privacy issues and concerns about abuse of sensitive personal data by spammers, stalkers, and identity thieves. The author fails to point out that license plates are also a source of revenue and indicate that a vehicle, at least in some cases, meets certain safety standards and has passed one or more inspections. There are a variety of reasons for requiring licenses plates, among them identifying the owner of a vehicle. A license plate is an indicia; the vehicle is registered. Similarly a postmark is an indicia; postage has been paid. In most jurisdictions, vehicle operators are also required to have a license and a registration form that in all cases carry information identifying the driver and owner of the vehicle in question. Some jurisdictions require evidence of insurance which also identifies both the driver and vehicle, and additionally provides the insurance carrier's name and the account number for the vehicle/driver. That card potentially carries other information like spouse, domestic partner, children ,etc. Most jurisdictions require that operators exchange the information contained in these documents and file reports with authorities in certain cases. Regardless, individuals involved in accidents are required to exchange certain identifying information, contained on the above-mentioned documents. No intervention by law enforcement is required. The information hidden behind a license plate is not, per se, limited to access by law enforcement as the author suggests. Rather that information is to anyone at least in certain situations. Comparison of Whois to other registration systems, like business licenses might be more appropriate. Many jurisdictions require businesses to display licenses. These licenses typically include names and addresses and must be displayed "conspicuously". Similarly cosmetologists are required to display their license, that typically includes name and address, at their primary workstation. Access to the information in these licenses is intended to be public, to anyone entering the establishment or seeking services. Access is not restricted in any way. By misstating the facts of vehicle licensing (registration) and ignoring to point out other registration models, the author leads the reader to the conclusion that access to identifying information in the "real world" is commonplace and therefor need be restricted in the virtual world. While there are legitimate needs to protect (some) individuals virtual space, blanket protections are not the norm in the real world. The issue is more complex than the author would have the reader believe. “… Defaults tilt the playing field toward one option by giving the specified value the benefit of inertia…a Whois directory originated as a feature of the Internet when it was a smallscale, closed, scientific network. As the Internet evolved into a large-scale, public, commercial system, the Whois capability remained in place by default. This is true. (Historical evolution) “The first RFCs make it clear that the Whois protocol was intended to make available to users a general directory of other ARPANET/ Internet users. At the time, ARPANET was what we would now call an intranet that RFC 812, the first standardization of WHOIS states, when speaking of the NICNAME/WHOIS server, "It is one of a series of ARPANET/Internet name services maintained by the Network Information Center (NIC) ..." Even in 1982, when the RFC was published, linked a few hundred computer scientists and researchers at less than a hundred geographically distributed sites. A critical fact about this directory, then, is that it was intended to serve a closed, relatively homogeneous, and—compared to today’s Internet—very small group of networked computer users.8 The early standards documents do not specify exactly what the purpose of this directory was. One can infer from

From RFC 812, "The server ... delivers the full name, U.S. mailing address, telephone number, and network mailbox for ARPANET users."

context that it served a variety of purposes, and was seen as a convenience to the community of defense contractors involved in building the early Internet. Another critical fact is that for most users, participation in the directory was encouraged, but was not operationally, legally, Actually the language in RFC 812 is "strongly encourages" and "requests that ... all individuals capable of sending traffic across the ARPANET, be registered..." Further, in RFC 954, the language "MILNET TAC users must be registered in the database." was added and we see the first requirement for inclusion in a WHOIS database with full identifying information, in 1985. or contractually required.9 It may be that the request to register in the centralized Whois database was made to facilitate technical coordination, but this is not documented in the RFC, and evidence supporting this has not been found anywhere else. The RFC states Did the author consult with any of the Internet pioneers? only that the purpose is to provide “a directory service” (RFC 954, 1985, p. 1) to the network users… “Phase 2: Internet Opened to the Public and to Commerce While the number of host computers connected to it grew rapidly, the Internet was still a closed community of specialized users throughout the 1980s. From 1991 to 1995, a critical change occurred: The Internet was opened to commercial users and to the general public. This change was accelerated by the creation and deployment of the World Wide Web (WWW) and user-friendly Web browsers, which made the Internet usable and interesting to ordinary members of the public. The number of computers connected to the Internet exceeded 1.3 million before the end of 1992, and was somewhere between 6 and 8 million by the middle of 1995.10 This was no longer a “community” of computer scientists and researchers, but a mass, heterogeneous public engaged in commerce and in public and personal communication. It was also an increasingly contentious and litigious public… During this tornado of change, the Whois service that was implemented between 1982 and 1985 remained in place. The user base of the Internet was no longer closed, no longer homogeneous, no longer situated within a noncommercial community, and no longer relatively small and manageable. But the technical protocol and the practices supporting a directory of Internet users remained the same. The only significant change was that the burden of supplying the Whois service shifted from defense contractor Stanford Research Institute to civilian National Science Foundation contractor Network Solutions, Inc. As the Internet moved from the small, noncommercial, and closed world of the 1980s to the open, public, and commercial world of the mid-1990s, no one made a conscious decision to retain the open-access Whois service of RFC 954; Whois was an unnoticed default value. If memory serves, the Green Paper that served as the basis for what we now know as ICANN and the rest of IG, specifically mentioned WHOIS and that trademark specialists did not feel it contained sufficient capability to meet their needs. The author's assertion that Whois was the default choice may be correct. However, it certainly was noticed as indicated by the record. Should we decide to include the author's remarks or provide a link to his paper, I suggest that we will need to do a further review of the content. Our review is fact-based. (In Discussion Paper Comments) Final note from KK: I look forward to our discussion! <New Issues Raised in Comments.docx>_______________________________________________ Rt4-whois mailing list Rt4-whois@icann.org<mailto:Rt4-whois@icann.org> https://mm.icann.org/mailman/listinfo/rt4-whois

Apologies. I've done my best to delimit my comments by <wcs> ... </wcs>. I have also amended my comments, where content was dropped and to clarify points I made. On Aug 31, 2011, at 8:11 AM, Bill Smith wrote: Comments inline: On Aug 30, 2011, at 1:16 PM, <kathy@kathykleiman.com<mailto:kathy@kathykleiman.com>> <kathy@kathykleiman.com<mailto:kathy@kathykleiman.com>> wrote: Hi All, I hope all is well. My family and I have survived the earthquake and hurricane on the East Coast this past week -- and are hoping for easier conditions in the future :-)! Like you, I am in the midst of my due diligence preparing for our meeting on Thursday (with the disclaimer that I may not be able to attend due to the change of date and my travel schedule). I am preparing my email comments to share with the group. As promised, I did my "deep dive" on the comments we received in June/July to our Discussion Paper. I complement the many groups that submitted interesting and informative comments -- a lot of work was spent responding to our queries. To Olof, I say Thank You! His comment summary, and especially his sorting of the comments question by question is excellent. I urge you to review the document at http://www.icann.org/en/public-comment/report-comments-whoisrt-discussion-pa... However, a few commenters asked us to look at things a little differently. They asked us to include questions we had not asked, and history we had not included. Some have very long histories in the Whois Arena, as part of GAC, ALAC, Registrars and NCUC. ** I created a short summary of these comments -- and some addition, important, points and questions they raise. I have tried to shorten and summarize with quotes (as Olof did -- thanks for the example, Olof!) --- below and attached. Best, Kathy ------------- expanding our inquiry -- comment highlights ---------- AN EXPANDED VIEW OF THE WRT QUESTIONS (Responses to WRT Discussion Paper) Introduction: While Olof did an outstanding job of summarizing the questions by sorting them according to their responses to our 14 questions, certain issues fell between the cracks – largely because groups and communities asked us to look at questions beyond those we had chosen to ask. This paper takes a short look at what others asked us to see – including overstretching the purpose of Whois, significant policy work in the limitations of Whois, and the importance of history and historical perspective in our work. Thanks for taking a fast look at these summaries—and feel free to return to the full comments (found at http://forum.icann.org/lists/whoisrt-discussion-paper/). 1. Christopher Wilkinson, former GAC & GAC Secretariat (EU) on purpose of Whois: “I rather doubt that the initial purposes of the Whois protocol and database extended to their current utilisation. It would appear that rather more is expected of Whois than it is capable of delivering in view of the legacy of past practice and the current and prospective scale of the Internet.” (In Discussion Paper Comments) <wcs> I am not aware of any evidence that WHOIS, protocol or data delivery, is incapable of operating at Internet scale. In fact, we have an existence proof of the opposite. I hope we review these comments in light of our scope<https://community.icann.org/display/whoisreview/Scope+and+Roadmap+of+the+WHO...> and recall that our primary charge is to Policy assess policy, not protocol. Simple as it is, WHOIS the protocol is capable of delivering, at scale, most any information that policy dictates. Whatever the problems of WHOIS, they are not related to databases or protocol as suggested in the excerpted paragraph. </wcs> 2. At Large Advisory Committee on the need to view the issues differently: “It is our view that this Team must treat with and declare (1) whether the WHOIS construct as originally devised and for the purpose intended is still necessary, (2) whether the WHOIS dataset as originally determined remains fit to its original purpose, and (3) whether the several identifiable uses made of both the WHOIS data and processes that have expanded the original intent are useful and in the public interest.” At Large Advisory Committee on the need to consider types of use in our compliance schemes: “Neither is it rational for the same risk in class or kind to be ascribed to all domains; domains used primarily for support of business transactions on the Web have a higher risk of consequential fraudulent activities than do those used for more personal or informational pursuits. As such, certain adjustments in approach to compliance and our expectations of the impact from compliance might benefit from a change in the philosophical construct of compliance and the processes used to affect the assurance of compliance.” At Large Advisory Committee on the need to consider cycles of registration in our compliance schemes: “We believe that the all‐round public interest may be better served by recognizing that the risks from the fraudulent actions of bad actors are not the same throughout the WHOIS data cycle but tend to be cyclical – higher following the establishment of new domains and decreasing thereafter.” (In Discussion Paper Comments) 3. Noncommercial Users Constituency on Why Privacy and Accuracy are Not at Odds: “Privacy and accuracy go hand-in-hand. Rather than putting sensitive information into public records, some registrants use "inaccurate" data as a means of protecting their privacy. If registrants have other channels to keep this information private, they may be more willing to share accurate data with their registrar.” “The problem for many registrants is indiscriminate public access to the data. The lack of any restriction means that there is an unlimited potential for bad actors to access and use the data, as well as legitimate users and uses of these data.” Noncommercial Users Constituency on Why the Operational Point of Contact Proceeding Marks a Critical Point of Agreement in the GNSO on a narrow purpose to Whois: “ICANN stakeholders devoted a great deal of time and energy to this question in GNSO Council-chartered WHOIS Task Forces. At the end of the Task Force discussion in 2006, the group proposed that WHOIS be modified to include an Operational Point of Contact (OPOC): <http://gnso.icann.org/issues/whois-privacy/prelim-tf-rpt-22nov06.htm>” “Under the OPOC proposal, "accredited registrars [would] publish three types of data: 1) Registered Name Holder 2) Country and state/province of the registered nameholder 3) Contact information of the OPoC, including name, address, telephone number, email." “Registrants with privacy concerns could name agents to serve as OPoC,thereby keeping their personal address information out of the public records.” (In Discussion Paper Comments) 4. Why Registrars under Tucows leadership strongly sought a balance to simply Whois data, while improving it. Slides of Ross Rader, of Registrars Constituency and registrar Tucows, discussing goals and advantages of Operational Point of Contact, endorsed and a multi-year GNSO team. These slides and ideas were reference by Elliot Noss, Pres of Tucows at the Registrars/WRT meeting in San Fran as well as by the NCUC in the recent comment period. Goals (Operational Point of Contact- Powerpoint Slides) “• to simply Whois data output • reduce facilitation of domain related scams, illegal data mining, phishing and identity theft • maintain or increase the value of Whois for all stakeholders • provide solid foundation for enhanced access to data by key stakeholders • promote data accuracy” (Link to slides in NCUC Discussion Paper Comments) 5. Dr. Mueller: Why technical History is important – because it shows us where we stopped thinking about purpose and goals. Dr. Milton Mueller asks us to examine his academic paper on the Whois issues, and considers history to be a very important factor – before and during ICANN. Here are some highlights. “This article examines how the Internet’s Whois service has evolved into a surrogate identity system. The Whois service allows any Internet user to type a domain name into a Web interface and be immediately returned the name and contact details of whoever has registered the domain. It is used by police to bring down Web sites committing crimes; its information is harvested by spammers and marketers seeking to send their solicitations; it is used by people curious to know who is behind a Web site or e-mail address; above all, it is used by trademark and copyright attorneys to keep an eye on their brands in cyberspace… “We recount the story of Whois because it forces us to re-examine our understanding of the relationship between technological systems and global governance institutions. To understand the importance of the Whois service, one need only think of the license plate of an automobile on the road, and imagine that anyone who saw the license plate would be able to type it into a computer and be returned the name of the car owner and his or her street address, telephone number, and e-mail address. “That is what Whois does to domain name registrants. It links the vehicle for navigating the complex arena of cyberspace (domains) to a responsible individual, a location, or a jurisdiction. Of course in the real world, access to drivers’ license databases is restricted to law enforcement authorities and motor vehicle departments. It is not difficult to imagine both the benefits—and the trouble—that might be caused by free, anonymous, unrestricted public access to drivers’ license databases. No doubt some additional crimes would be solved and perhaps some amazing new information services could be developed by a Google of the future. No doubt, also, incidents of road rage and stalking would be taken to new heights. The same concerns apply to Whois. In addition to facilitating accountability on the Internet, open access to registrant contact data raises privacy issues and concerns about abuse of sensitive personal data by spammers, stalkers, and identity thieves. <wcs> The author fails to point out that license plates are also a source of revenue and indicate that a vehicle, at least in some cases, meets certain safety standards and has passed one or more inspections. There are a variety of reasons for requiring licenses plates, among them identifying the owner of a vehicle. A license plate is an indicia; the vehicle is registered. Similarly a postmark is an indicia; postage has been paid. In most jurisdictions, vehicle operators are also required to have a license and a registration form that in all cases carry information identifying the driver and owner of the vehicle in question. Some jurisdictions require evidence of insurance which also identifies both the driver and vehicle, and additionally provides the insurance carrier's name and the account number for the vehicle/driver. That card potentially carries other information like spouse, domestic partner, children ,etc. Most jurisdictions require that operators exchange the information contained in these documents and file reports with authorities in certain cases. Regardless, individuals involved in accidents are required to exchange certain identifying information, contained on the above-mentioned documents. No intervention by law enforcement is required. The information hidden behind a license plate is not, per se, limited to access by law enforcement as the author suggests. Rather that information is to anyone at least in certain situations. Comparison of Whois to other registration systems, like business licenses might be more appropriate. Many jurisdictions require businesses to display licenses. These licenses typically include names and addresses and must be displayed "conspicuously". Similarly cosmetologists are required to display their license, that typically includes name and address, at their primary workstation. Access to the information in these licenses is intended to be public, to anyone entering the establishment or seeking services. Access is not restricted in any way. By misstating the facts of vehicle licensing (registration) and ignoring to point out other registration models, the author leads the reader to the conclusion that access to identifying information in the "real world" is commonplace and therefor need be restricted in the virtual world. While there are legitimate needs to protect (some) individuals virtual space, blanket protections are not the norm in the real world. The issue is more complex than the author would have the reader believe. </wcs> “… Defaults tilt the playing field toward one option by giving the specified value the benefit of inertia…a Whois directory originated as a feature of the Internet when it was a smallscale, closed, scientific network. As the Internet evolved into a large-scale, public, commercial system, the Whois capability remained in place by default. <wcs> This is true. [added] ... to a point. </wcs> (Historical evolution) “The first RFCs make it clear that the Whois protocol was intended to make available to users a general directory of other ARPANET/ Internet users. At the time, ARPANET was what we would now call an intranet that <wcs> RFC 812, the first standardization of WHOIS states, when speaking of the NICNAME/WHOIS server, "It is one of a series of ARPANET/Internet name services maintained by the Network Information Center (NIC) ..." Even in 1982, when the RFC was published, [added] the ARPANET was *architecturally* identical to the Internet today. The number of connected machines/users was quite different but the ARPANET was in fact a network of networks - the definition of the Internet. [something like the above was dropped from my original message] </wcs> linked a few hundred computer scientists and researchers at less than a hundred geographically distributed sites. A critical fact about this directory, then, is that it was intended to serve a closed, relatively homogeneous, and—compared to today’s Internet—very small group of networked computer users.8 The early standards documents do not specify exactly what the purpose of this directory was. One can infer from <wcs>

From RFC 812, "The server ... delivers the full name, U.S. mailing address, telephone number, and network mailbox for ARPANET users."

[added] Reading the early RFCs (812 and 954) it is a simple matter to ascertain the purpose, to make available to any individual with access to the NICNAME/WHOIS service with the information provided by "any [registeerd] individua capable of sending traffic across the ARPANET". While there was no firm requirement that all individuals be registered RFC 812 clear states that if you are registered, the server will deliver your contact details. </wcs> context that it served a variety of purposes, and was seen as a convenience to the community of defense contractors involved in building the early Internet. Another critical fact is that for most users, participation in the directory was encouraged, but was not operationally, legally, <wcs> Actually the language in RFC 812 is "strongly encourages" and "requests that ... all individuals capable of sending traffic across the ARPANET, be registered..." Further, in RFC 954, the language "MILNET TAC users must be registered in the database." was added and we see the first requirement for inclusion in a WHOIS database with full identifying information, in 1985. </wcs> or contractually required.9 It may be that the request to register in the centralized Whois database was made to facilitate technical coordination, but this is not documented in the RFC, and evidence supporting this has not been found anywhere else. The RFC states <wcs> Did the author consult with any of the Internet pioneers? </wcs> only that the purpose is to provide “a directory service” (RFC 954, 1985, p. 1) to the network users… “Phase 2: Internet Opened to the Public and to Commerce While the number of host computers connected to it grew rapidly, the Internet was still a closed community of specialized users throughout the 1980s. From 1991 to 1995, a critical change occurred: The Internet was opened to commercial users and to the general public. This change was accelerated by the creation and deployment of the World Wide Web (WWW) and user-friendly Web browsers, which made the Internet usable and interesting to ordinary members of the public. The number of computers connected to the Internet exceeded 1.3 million before the end of 1992, and was somewhere between 6 and 8 million by the middle of 1995.10 This was no longer a “community” of computer scientists and researchers, but a mass, heterogeneous public engaged in commerce and in public and personal communication. It was also an increasingly contentious and litigious public… During this tornado of change, the Whois service that was implemented between 1982 and 1985 remained in place. The user base of the Internet was no longer closed, no longer homogeneous, no longer situated within a noncommercial community, and no longer relatively small and manageable. But the technical protocol and the practices supporting a directory of Internet users remained the same. The only significant change was that the burden of supplying the Whois service shifted from defense contractor Stanford Research Institute to civilian National Science Foundation contractor Network Solutions, Inc. As the Internet moved from the small, noncommercial, and closed world of the 1980s to the open, public, and commercial world of the mid-1990s, no one made a conscious decision to retain the open-access Whois service of RFC 954; Whois was an unnoticed default value. <wcs> If memory serves, the Green Paper that served as the basis for what we now know as ICANN and the rest of IG, specifically mentioned WHOIS and that trademark specialists did not feel it contained sufficient capability to meet their needs. The author's assertion that Whois was the default choice may be correct. However, it certainly was noticed as indicated by the record. Should we decide to include the author's remarks or provide a link to his paper, I suggest that we will need to do a further review of the content. Our review is fact-based. </wcs> (In Discussion Paper Comments) Final note from KK: I look forward to our discussion! <New Issues Raised in Comments.docx>_______________________________________________ Rt4-whois mailing list Rt4-whois@icann.org<mailto:Rt4-whois@icann.org> https://mm.icann.org/mailman/listinfo/rt4-whois

On 8/30/11 10:16 PM, "kathy@kathykleiman.com" <kathy@kathykleiman.com> wrote:

Hi All, I hope all is well. My family and I have survived the earthquake and hurricane on the East Coast this past week -- and are hoping for easier conditions in the future :-)!

Like you, I am in the midst of my due diligence preparing for our meeting on Thursday (with the disclaimer that I may not be able to attend due to the change of date and my travel schedule). I am preparing my email comments to share with the group.

As promised, I did my "deep dive" on the comments we received in June/July to our Discussion Paper. I complement the many groups that submitted interesting and informative comments -- a lot of work was spent responding to our queries.

To Olof, I say Thank You! His comment summary, and especially his sorting of the comments question by question is excellent. I urge you to review the document at http://www.icann.org/en/public-comment/report-comments-whoisrt-discussion- paper-05aug11-en.pdf

However, a few commenters asked us to look at things a little differently. They asked us to include questions we had not asked, and history we had not included. Some have very long histories in the Whois Arena, as part of GAC, ALAC, Registrars and NCUC. ** I created a short summary of these comments -- and some addition, important, points and questions they raise.

I have tried to shorten and summarize with quotes (as Olof did -- thanks for the example, Olof!) --- below and attached. Best, Kathy ------------- expanding our inquiry -- comment highlights ----------

AN EXPANDED VIEW OF THE WRT QUESTIONS (Responses to WRT Discussion Paper)

Introduction: While Olof did an outstanding job of summarizing the questions by sorting them according to their responses to our 14 questions, certain issues fell between the cracks ­ largely because groups and communities asked us to look at questions beyond those we had chosen to ask. This paper takes a short look at what others asked us to see ­ including overstretching the purpose of Whois, significant policy work in the limitations of Whois, and the importance of history and historical perspective in our work. Thanks for taking a fast look at these summaries‹and feel free to return to the full comments (found at http://forum.icann.org/lists/whoisrt-discussion-paper/).

1. Christopher Wilkinson, former GAC & GAC Secretariat (EU) on purpose of Whois:

³I rather doubt that the initial purposes of the Whois protocol and database extended to their current utilisation. It would appear that rather more is expected of Whois than it is capable of delivering in view of the legacy of past practice and the current and prospective scale of the Internet.² (In Discussion Paper Comments)

2. At Large Advisory Committee on the need to view the issues differently:

³It is our view that this Team must treat with and declare (1) whether the WHOIS construct as originally devised and for the purpose intended is still necessary, (2) whether the WHOIS dataset as originally determined remains fit to its original purpose, and (3) whether the several identifiable uses made of both the WHOIS data and processes that have expanded the original intent are useful and in the public interest.²

At Large Advisory Committee on the need to consider types of use in our compliance schemes: ³Neither is it rational for the same risk in class or kind to be ascribed to all domains; domains used primarily for support of business transactions on the Web have a higher risk of consequential fraudulent activities than do those used for more personal or informational pursuits. As such, certain adjustments in approach to compliance and our expectations of the impact from compliance might benefit from a change in the philosophical construct of compliance and the processes used to affect the assurance of compliance.²

At Large Advisory Committee on the need to consider cycles of registration in our compliance schemes:

³We believe that the all‐round public interest may be better served by recognizing that the risks from the fraudulent actions of bad actors are not the same throughout the WHOIS data cycle but tend to be cyclical ­ higher following the establishment of new domains and decreasing thereafter.² (In Discussion Paper Comments)

3. Noncommercial Users Constituency on Why Privacy and Accuracy are Not at Odds:

³Privacy and accuracy go hand-in-hand. Rather than putting sensitive information into public records, some registrants use "inaccurate" data as a means of protecting their privacy. If registrants have other channels to keep this information private, they may be more willing to share accurate data with their registrar.²

³The problem for many registrants is indiscriminate public access to the data. The lack of any restriction means that there is an unlimited potential for bad actors to access and use the data, as well as legitimate users and uses of these data.²

Noncommercial Users Constituency on Why the Operational Point of Contact Proceeding Marks a Critical Point of Agreement in the GNSO on a narrow purpose to Whois:

³ICANN stakeholders devoted a great deal of time and energy to this question in GNSO Council-chartered WHOIS Task Forces. At the end of the Task Force discussion in 2006, the group proposed that WHOIS be modified to include an Operational Point of Contact (OPOC): <http://gnso.icann.org/issues/whois-privacy/prelim-tf-rpt-22nov06.htm>²

³Under the OPOC proposal, "accredited registrars [would] publish three types of data: 1) Registered Name Holder 2) Country and state/province of the registered nameholder 3) Contact information of the OPoC, including name, address, telephone number, email."

³Registrants with privacy concerns could name agents to serve as OPoC,thereby keeping their personal address information out of the public records.² (In Discussion Paper Comments)

4. Why Registrars under Tucows leadership strongly sought a balance to simply Whois data, while improving it.

Slides of Ross Rader, of Registrars Constituency and registrar Tucows, discussing goals and advantages of Operational Point of Contact, endorsed and a multi-year GNSO team. These slides and ideas were reference by Elliot Noss, Pres of Tucows at the Registrars/WRT meeting in San Fran as well as by the NCUC in the recent comment period.

Goals (Operational Point of Contact- Powerpoint Slides) ³€ to simply Whois data output € reduce facilitation of domain related scams, illegal data mining, phishing and identity theft € maintain or increase the value of Whois for all stakeholders € provide solid foundation for enhanced access to data by key stakeholders € promote data accuracy² (Link to slides in NCUC Discussion Paper Comments)

5. Dr. Mueller: Why technical History is important ­ because it shows us where we stopped thinking about purpose and goals.

Dr. Milton Mueller asks us to examine his academic paper on the Whois issues, and considers history to be a very important factor ­ before and during ICANN. Here are some highlights.

³This article examines how the Internet¹s Whois service has evolved into a surrogate identity system. The Whois service allows any Internet user to type a domain name into a Web interface and be immediately returned the name and contact details of whoever has registered the domain. It is used by police to bring down Web sites committing crimes; its information is harvested by spammers and marketers seeking to send their solicitations; it is used by people curious to know who is behind a Web site or e-mail address; above all, it is used by trademark and copyright attorneys to keep an eye on their brands in cyberspaceŠ

³We recount the story of Whois because it forces us to re-examine our understanding of the relationship between technological systems and global governance institutions. To understand the importance of the Whois service, one need only think of the license plate of an automobile on the road, and imagine that anyone who saw the license plate would be able to type it into a computer and be returned the name of the car owner and his or her street address, telephone number, and e-mail address.

³That is what Whois does to domain name registrants. It links the vehicle for navigating the complex arena of cyberspace (domains) to a responsible individual, a location, or a jurisdiction. Of course in the real world, access to drivers¹ license databases is restricted to law enforcement authorities and motor vehicle departments. It is not difficult to imagine both the benefits‹and the trouble‹that might be caused by free, anonymous, unrestricted public access to drivers¹ license databases. No doubt some additional crimes would be solved and perhaps some amazing new information services could be developed by a Google of the future. No doubt, also, incidents of road rage and stalking would be taken to new heights. The same concerns apply to Whois. In addition to facilitating accountability on the Internet, open access to registrant contact data raises privacy issues and concerns about abuse of sensitive personal data by spammers, stalkers, and identity thieves.

³Š Defaults tilt the playing field toward one option by giving the specified value the benefit of inertiaŠa Whois directory originated as a feature of the Internet when it was a smallscale, closed, scientific network. As the Internet evolved into a large-scale, public, commercial system, the Whois capability remained in place by default.

(Historical evolution)

³The first RFCs make it clear that the Whois protocol was intended to make available to users a general directory of other ARPANET/ Internet users. At the time, ARPANET was what we would now call an intranet that linked a few hundred computer scientists and researchers at less than a hundred geographically distributed sites. A critical fact about this directory, then, is that it was intended to serve a closed, relatively homogeneous, and‹compared to today¹s Internet‹very small group of networked computer users.8 The early standards documents do not specify exactly what the purpose of this directory was. One can infer from context that it served a variety of purposes, and was seen as a convenience to the community of defense contractors involved in building the early Internet. Another critical fact is that for most users, participation in the directory was encouraged, but was not operationally, legally, or contractually required.9 It may be that the request to register in the centralized Whois database was made to facilitate technical coordination, but this is not documented in the RFC, and evidence supporting this has not been found anywhere else. The RFC states only that the purpose is to provide ³a directory service² (RFC 954, 1985, p. 1) to the network usersŠ

³Phase 2: Internet Opened to the Public and to Commerce While the number of host computers connected to it grew rapidly, the Internet was still a closed community of specialized users throughout the 1980s. From 1991 to 1995, a critical change occurred: The Internet was opened to commercial users and to the general public. This change was accelerated by the creation and deployment of the World Wide Web (WWW) and user-friendly Web browsers, which made the Internet usable and interesting to ordinary members of the public. The number of computers connected to the Internet exceeded 1.3 million before the end of 1992, and was somewhere between 6 and 8 million by the middle of 1995.10 This was no longer a ³community² of computer scientists and researchers, but a mass, heterogeneous public engaged in commerce and in public and personal communication. It was also an increasingly contentious and litigious publicŠ During this tornado of change, the Whois service that was implemented between 1982 and 1985 remained in place. The user base of the Internet was no longer closed, no longer homogeneous, no longer situated within a noncommercial community, and no longer relatively small and manageable. But the technical protocol and the practices supporting a directory of Internet users remained the same. The only significant change was that the burden of supplying the Whois service shifted from defense contractor Stanford Research Institute to civilian National Science Foundation contractor Network Solutions, Inc. As the Internet moved from the small, noncommercial, and closed world of the 1980s to the open, public, and commercial world of the mid-1990s, no one made a conscious decision to retain the open-access Whois service of RFC 954; Whois was an unnoticed default value.

(In Discussion Paper Comments)

Final note from KK: I look forward to our discussion!