ICANN Email List Archives

[board-review-tor]



Offlist to:Re: [At-Large] Clarification of SSAC position re Board's postion on ALAC letter on

  • To: Robert Guerra <lists@xxxxxxxxxxxxxxx>, Steve Crocker <steve@xxxxxxxxxxxx>, icann-board@xxxxxxxxx
  • Subject: Offlist to:Re: [At-Large] Clarification of SSAC position re Board's postion on ALAC letter on
  • From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Date: Tue, 8 Apr 2008 14:00:08 -0700 (GMT-07:00)

Robert,

  Thank you for forwarding this.  Steve, thank you for
giving permission for Robert for doing so.

  I have a few remarks regarding Steve's thoughtful
and kindly comments and/or remarks.

 First I would like to ask Steve and Chris Disspain that
I would be appreciative if they could prevail on
whomever is responsible for the org.au registry to
please police your registrants and particularly the
registrars who effect registrations for org.au, a bit
more closely, as I grow tired and irritated with continuing
in receiving spam, and numerous phishing attempt Email
from various registrants in that zone/name space. I am sure
that US based LEA's and other users would appreciate it!
FYI, I am reporting those spam and phishing attempts as
well as the occasional odd errant postings to me that
contain references to child pornography to the proper
US federal government authorities for their review and
hopeful eventual action accordingly.

  Second, it seems self evident that the ICANN SSAC is
far too unresponsive and therefore ineffective in addressing
known security anomalies and risks as well as obvious basic
standards violations by registries and registrars which are 
accredited by ICANN.  

  Third, I sympathize with the privacy aspects and concerns
to which Steve speaks to in his remarks and comments, as such
is important to registrant safety as well as security on a
very personal level.



-----Original Message-----
>From: Robert Guerra <lists@xxxxxxxxxxxxxxx>
>Sent: Apr 8, 2008 7:16 AM
>To: ALAC Worldwide <alac@xxxxxxxxxxxxxxxxxxxxxxx>
>Subject: [At-Large] Clarification of SSAC position re Board's postion on       
>ALAC letter on "front-running"
>
>Steve Crocker from SSAC, has ok'd  that I forward the following email  
>for ALAC.
>
>regards
>
>Robert
>---
>
>
>Begin forwarded message:
>
>> From: Steve Crocker <steve@xxxxxxxxxxxx>
>> Date: April 5, 2008 1:35:58 PM GMT-04:00
>> To: Avri Doria <avri@xxxxxxx>, Robert Guerra  
>> <rguerra@xxxxxxxxxxxxxx>, Chris Disspain <ceo@xxxxxxxxxxx>
>> Cc: Steve Crocker <steve@xxxxxxxxxxxx>, ICANN SSAC <ssac@xxxxxxxxx>,  
>> ICANN Board of Directors <icann-board@xxxxxxxxx>
>> Subject: [ssac] Clarification of SSAC position re Board's postion on  
>> ALAC letter on "front-running"
>>
>> Avri,
>>
>> Thanks for referring your note to me for comment.  I'll try to  
>> clarify our thinking on this matter.  There are several different  
>> dimensions, each of which deserves a few moments of attention, so  
>> this note is a bit long.  I've tried to structure it for easy  
>> navigation.   The sections that follow are:
>>
>> o Background correspondence
>>
>> o Discussion of whether front running exists and SSAC's finding to  
>> date and our next steps
>>
>> (Mixed results and lots of controversy.  More work needed.)
>>
>> o Discussion of whether front running is prohibited, irrespective of  
>> whether it exists
>>
>> (Big surprise, at least to me, is that we don't seem to have either  
>> an explicit prohibition nor even a shared ethic within the community.)
>>
>> o Discussion of what parts of the ICANN family should be involved,  
>> and a process issue?  (And, in particular, what's SSAC's role.)
>>
>> (This is a "consumer protection" and, perhaps, a "privacy" issue.   
>> Does this have a distinct and unambiguous home?)
>>
>>
>> I have cc'd the Board and SSAC, and I invite you, Robert Guerra to  
>> share it with the GNSO, the ALAC and the ccNSO, respectively.  (I  
>> don't mind if it's shared even more widely, but I think these are  
>> the primary constituencies involved at the moment. )
>>
>> Cheers,
>>
>> Steve
>>
>> ======================================================================
>>
>> BACKGROUND CORRESPONDENCE and DOCUMENTS
>>
>> Here's your note to me.
>>
>> On Apr 5, 2008, at 6:10 AM, Avri Doria wrote:
>>> FYI
>>>
>>> Begin forwarded message:
>>>> From: Avri Doria <avri@xxxxxxx>
>>>> Date: 5 April 2008 09:46:08 GMT+02:00
>>>> To: Council GNSO <council@xxxxxxxxxxxxxx>
>>>> Subject: [council] Board's postion on ALAC letter on "front-running"
>>>>
>>>>
>>>> Hi,
>>>>
>>>> I have put this on the list of topics for our next agenda.  It  
>>>> might be worth having some preliminary discussions on list.
>>>>
>>>> References:
>>>> - ALAC letter: 
>>>> <http://gnso.icann.org/mailing-lists/archives/council/msg04857.html>
>>>> - Discussion under 11 Other business: 
>>>> <http://www.icann.org/minutes/prelim-report-27mar08.htm>
>>>>   Board's Disposition:  "The Chair determined that emergency  
>>>> action is not required today but the matter will be referred to  
>>>> the GNSO for additional information or policy development if  
>>>> necessary, but not an emergency action."
>>>>
>>>>
>>>> My first questions:
>>>>
>>>> - Do we want/need to request an issues report?
>>>> - Do we want to request advice from SSAC on the degree to which  
>>>> this is a threat to Stability and Security as stated in the ALAC  
>>>> letter.  SAC22 of Oct 07 
>>>> <http://www.icann.org/committees/security/sac022.pdf>
>>>> spoke of it as being possibly contrary to core values but I do  
>>>> not read their report as calling it a threat.  Though the report  
>>>> does seem to indicate that further investigation of issues  
>>>> surrounding the practice could be investigated further.
>>>>
>>>> thanks
>>>>
>>>> a.
>>
>> The ALAC letter referred to above asks the Board to take immediate  
>> action to curtail "domain hold," "cart-hold" and/or "cart-reserve"  
>> activities such as Network Solutions and others have recently begun.
>>
>> You also reference SSAC report SAC 022.  That report is the first of  
>> two of our reports (SAC 022 and SAC 024) so far on front running.  See
>>
>> http://www.icann.org/committees/security/sac022.pdf
>> http://www.icann.org/committees/security/sac024.pdf
>>
>> In SAC 022, we pointed out that checking the availability of a  
>> domain name can be a sensitive act which may disclose an interest in  
>> or a value ascribed to a domain name and we suggested to potential  
>> registrants that domain name availability lookups should be  
>> performed with care.  We also noted there does not appear to be a  
>> strong set of standards and practices to conclude whether monitoring  
>> availability checks is an acceptable or unacceptable practice, and  
>> we called for both public comment and policy development within the  
>> appropriate bodies.
>>
>> In SAC 024, we reported that after receiving more than 100 inputs  
>> over a two and a half month period, we were unable to develop  
>> definitive evidence that front running is actually taking place.   
>> However, in discussions with Network Solutions regarding their newly  
>> instituted practice of placing a hold on names being checked for  
>> possible registration, Jon Nevett suggested that one or more  
>> registries are possibly selling that information to domain name  
>> tasters.  The chain has a couple of steps.  When a potential  
>> registrant types in a name at NSI's web site to check for its  
>> availability in one domain, e.g. within .com, NSI, like many other  
>> registrars, automatically checks whether that name is available in  
>> several other domains.  They do so by forwarding the name to each of  
>> the respective registries, and this provides an opportunity for one  
>> or more of those registries to pass along that stream of queries to  
>> a business partner who may be interested in registering it while the  
>> original customer is still thinking about it.  Here are Mr. Nevett's  
>> comments in the transcript of the SSAC meeting in New Delhi on  
>> February 13, 2008, http://delhi.icann.org/files/Delhi-WS-SSAC-13Feb08.txt .
>>
>>> So what's been happening -- and we have information about this --  
>>> is domain name tasters register names in vast bulk and then they  
>>> taste the names and only keep a very small percentage of the names  
>>> that warrant purchasing because of traffic or pay per click.  So  
>>> the domain name tasters are looking for various sources of data.   
>>> They look for bulk data wherever they can find it.  The theory is  
>>> that there were certain ccTLD registries that because when a  
>>> customer comes to almost all registrars Web sites and asks for a  
>>> name, [the registrar] will look at various dozens of different TLDs  
>>> and see if the name is available.  So one of the ccTLDs, for  
>>> example, or maybe a gTLD, will be selling the data to front runners  
>>> and tasters.  So the tasting line is probably synonymous with the  
>>> front-runner line.  So what happens is they register these names in  
>>> advance of customers, and then they taste it.
>>
>>
>> As you noted in your message, the Board declined to take emergency  
>> action and referred the matter to the GNSO for possible policy  
>> development.  (See the last section of this note for a comment on  
>> policy development.)
>>
>>
>> ======================================================================
>>
>> DOES FRONT RUNNING EXIST?
>>
>> As noted above, the data is inconclusive.  Jay Daley, CTO of  
>> Nominet, reported he had looked closely at this question some time  
>> ago and concluded it simply wasn't happening.  Others have suggested  
>> privately that it really does happen on a fairly significant scale.   
>> Because there is a very high level of tasting, it may be hard to  
>> sort out how many instances of apparent front running are just due  
>> to "background radiation."  And then we have Mr. Nevett's assertion  
>> that one or more TLDs is actively involved in this process.
>>
>> We expect to explore this a bit further.  We are still formulating  
>> specific plans on how to proceed, and we are open to suggestions and  
>> offers for how to gather information efficiently, effectively, and  
>> accurately.
>>
>> =====================================================================
>>
>> IS FRONT-RUNNING PROHIBITED and DOES IT AFFECT SECURITY OR STABILITY?
>>
>> As we noted in SAC 022, we do not see any coherent and specific  
>> framework that suggests front-running is prohibited.  I believe the  
>> Registrar Accreditation Agreement has language related to the proper  
>> use of registration data, but that applies only after a registration  
>> is complete.
>>
>> Practices and expectations vary from field to field.  In certain  
>> professions, particularly law and medicine -- and my experience is  
>> primarily in the U.S. -- there are very strong rules governing the  
>> privacy of information provided by a client or patient.  There are  
>> also strong rules governing the protection of customer information  
>> among stockbrokers.  If I ask my stockbroker about a particular  
>> stock, it's considered unethical for him to use that information to  
>> buy or sell that stock for himself or to help others to do so.   
>> However, in our industry, I have not seen any similar explicit  
>> statement of principle nor an explicit set of rules prohibiting  
>> front-running and related practices.  Thus, even if we were to find  
>> reliable, concrete information that front-running is taking place,  
>> it's not clear there is any basis for stopping it.
>>
>> "Security and Stability" is a mantra invoked with special gravity,  
>> and there is sometimes debate about whether a specific issue does or  
>> does not fall into this category.  I think it's hard to argue that  
>> front-running, if it exists, is affecting the overall security or  
>> stability of the domain name system, although one might imagine  
>> fairly severe consequences if the practice existed and affected a  
>> very large fraction of the potential registrants instead of only a  
>> relatively small number.  I emphasized "system."  From any  
>> particular user's perspective, if someone has swiped a name he is  
>> looking at, the impact on him or his business could be very  
>> substantial.  Is that a "security" matter or a "consumer  
>> protection" matter, and is there a strict distinction between the two?
>>
>> I would argue that if there is a structural bias against consumers,  
>> that it's appropriate to consider that to be a weakness in the  
>> security of the system.  On the other hand, if a consumer has been  
>> dealt with unfairly by a particular party, and there's no general  
>> bias built into the system, that's a specific consumer protection  
>> issue.  I'm not sure whether everyone else would choose to draw the  
>> lines in the same place.
>>
>> There is a secondary and slightly subtle element of security here.   
>> Efficient and effective markets depend on reliable information and  
>> trustworthy behavior.  If there is a general perception that a  
>> market is dangerous, the market may shrink and the results for the  
>> buyers and sellers who are in the market may be inequitable.   
>> Building and preserving confidence in a market is thus an important  
>> aspect of "security."
>>
>> I don't think we've thought enough about this as a community, and I  
>> would like to see some deeper thought and discussion.
>>
>> Returning to the specific matter of front-running, I find it odd and  
>> dangerous that our framework of core values, principles, rules and  
>> contracts does not address such practices explicitly.  I think this  
>> is a weakness in our overall framework and should be fixed.
>>
>> =====================================================================
>>
>> WHO SHOULD BE INVOLVED?
>>
>> I don't see any single group as being the sole owner of these  
>> issues.  We certainly don't view this as the sole purview of SSAC  
>> and we would be delighted if others are involved.  The GNSO has a  
>> natural role because the registrars and registries are primary  
>> actors.  At the same time, the people most strongly affected by  
>> weaknesses in the process are potential registrants, and it's not  
>> clear who speaks for them.  ALAC, in its letter to the Board, is  
>> certainly taking a strong position.  And this issue is not limited  
>> to the gTLDs and ICANN-accredited registrars.  The ccTLD community  
>> presumably has the same issues.
>>
>> In our reports to the Board, we suggested other groups look at these  
>> issues.  Dan Halloran recently drew our attention to section 1.c in  
>> By-Laws Annex A: GNSO Policy-Development Process:
>>
>> Advisory Committee Initiation. An Advisory Committee may raise an  
>> issue for policy development by action of such committee to commence  
>> the PDP, and transmission of that request to the GNSO Council. 
>> (http://www.icann.org/general/bylaws.htm#AnnexA)
>>
>> With some chagrin, I admit we hadn't realized there was a direct  
>> channel for SSAC to forward to the GNSO a formal request for the  
>> GNSO to commence the PDP.  Would you find it helpful for us to send  
>> our recommendations to you in this form?
>>
>> Irrespective of whether we send you a formal recommendation, I hope  
>> this note has provided some useful information.  We will be happy to  
>> discuss it further if you desire.
>>
>> Thanks,
>>
>> Steve Crocker
>> SSAC Chair

Thank you  for your cooperation in advance,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827

