RE: [gnso-dow123] Regarding accuracy issues and outcome of discussion in Cape Town

[Tim Ruiz <tim@xxxxxxxxxxx>]

Bruce,

I recall a few other issues discussed in regards to item 2, especially
if registrars are required to strictly apply it.

How do we protect against frivilous complaints? Should the party filing
the complaint be required to identify themselves? Should they become
responsible to some degree if the complaint turns out to be frivilous
or malicious? Is the registrar required to take the complaint on face
value, even if the contact data appears to be complete and accurate?
Should the third party filing the complaint be required to include a
specific reason why they believe the data to be inaccurate?

There is a huge risk here that registrars are being expected to take.
There has to be something in place to protect against this situation
putting one of them out of business.

Tim

 
-------- Original Message --------
Subject: [gnso-dow123] Regarding accuracy issues and outcome of
discussion in Cape Town
From: "Bruce Tonkin" <Bruce.Tonkin@xxxxxxxxxxxxxxxxxx>
Date: Tue, March 08, 2005 5:12 am
To: gnso-dow123@xxxxxxxxxxxxxx

Hello All,

Given difficulties in making progress on the issue of improving the
accuracy of contact information displayed in the WHOIS service, a
breakfast meeting was held amongst interested individuals in Cape Town.
I recall this meeting as being constructive, but it appears everyone
thought someone else was taking notes.  I will ensure this doesn't
happen again.

As I understand it, this is the current status of discussion on
accuracy.   All those on task force 3 should feel free to correct or
improve my impressions.

(1) Although some in the ICANN community would like to see registrars
carry out verification of registrant contact information at the time of
registration, there was little support for doing so from the registrars.
The feeling was that most registrants provided accurate information in
good faith, and that it was a minority of registrants that deliberately
provided false information.  Requiring verification of contact data for
all registrations, would raise the cost of registrations for all
registrants.


(2) The focus of the discussion has more recently been on what to do
when an Internet user that wishes to get in contact with a registrant
can't do so because of inaccurate WHOIS information.

The current mechanisms essentially requires a registrar to contact a
registrant and ask them to correct the information.  If the registrant
does not reply within 15 days, a registrar may take further action.
The business processes vary greatly amongst registrars, and this makes
it difficult for an Internet user to understand what process should
occur after reporting inaccurate contact information.

>From what few notes I could find, I believe the following business
process was discussed in Cape Town.

A registrar would attempt to contact the registrant.
If the registrant did not respond within 15 days, the name would be put
on HOLD (ie removed from the zonefile and made in-active).
The registrant would then be advised by the registrar that if the
contact information is not updated, that the name would be cancelled
after an additional 15 (or possible 30) day period.

A registrar would be free to use one or more of the contact elements in
an attempt to contact the registrant.  The various methods used would
likely be a matter of agreement between the registrant and registrar.
E.g for low priced registrations a registrar may only use email, and the
registrant would be required to keep the email up-to-date and monitor
the email.  For higher priced registrations (e.g for larger corporates)
a registrar may use all means available to contact the registrant to get
the information corrected.


(3) The process described in (2) above is appropriate for dealing with
inaccurate contact information.   There is another issue in the
community that relates to the use of domain names for intellectual
property infringement (e.g to place a pirated copy of a new release
movie on the Internet) or for the purposes of committing a crime that
may harm many Internet users (e.g phishing scams aimed a banks).  In
such cases a 15 - 45 day process would be inadequate.   I believe these
issues are outside of the scope of ICANN (ie don't relate to security
and stability), however the issues do need to be addressed by the domain
name industry in collaboration with the intellectual property and law
enforcement community.  There are some processes such as the courts that
could be used (but even these processes may be too slow).  The meeting
in Cape Town identified this problem area as need further work.  

With respect to (3) above, it might be worth establish a working group
outside of the ICANN processes to consider some practical means of
addressing the issue.  E.g some registrars choose to include acceptable
use policies in their agreements and have been prepared to suspend or
cancel some names, other registrars have required third parties to
indemnify them from legal action if the registrar suspends of cancels a
name (this would assume the registrar believes that the third party has
sufficient funds to cover any costs incurred from a court action).

Regards,
Bruce Tonkin