Re: [gnso-whois-wg] Proposed final version of the group's output report v1.8

[Christopher Gibson <cgibson@xxxxxxxxxxx>]

Dear Philip and others,

I am sorry this comment comes just after you closed
the comment period. 

I want to commend you for serving as chair of the
Whois Working Group, moving forward in the face of
difficult issues and wide-ranging opinions.  I
support the balance that the Outcomes Report (v.
1.8) attempts to strike between data
protection/privacy interests and meeting the needs
of legitimate parties to act against fraud and other
illegal acts by certain Registrants, and acknowledge
the thoughtful elements that have been formulated in
the Report (e.g., such as the distinction between
natural/legal person and its operational
consequences for Whois display; and defining the
Relay, Reveal, Remedy functions for OPOCs). 
However, I continue to have strong concerns that the
proposed OPOC system, as reflected in the remaining
âAgreedâ points in the Report, fails to form a
coherent whole, includes a number of points that are
problematic, and avoids arriving at decisions on
certain difficult issues, instead leaving too a
broad scope for the âimplementation optionsâ
(e.g., the devil is now in the details).  In sum, I
regret that I cannot support the Report and consider
that the better option would be to follow-up on the
suggested items for study in Section 8, as well as
conducting the study requested by the GAC in
paragraph 4.2 of its Whois Principles.  In
particular, a comprehensive study examining any use
and misuse generated by the existing Whois system,
as well as the feasibility and cost-effectiveness of
a proposed OPOC system, should be conducted before
any further discussion on OPOC policy or
implementation takes place.
 

The OPOC system would interpose a new layer of
bureaucracy and technical requirements into the
DNS.  This new layer would radically alter the
existing system in which countless individuals,
businesses and other organizations rely on the Whois
registration data to perform legitimate functions,
as recognized by the GAC.  In many respects, I
believe the Working Group has consistently
underestimated the impact of making changes to the
existing Whois system.  Moreover, the new layer
would introduce many risks if it is not implemented
in a responsible manner with carefully defined
roles, responsibilities and requirements, and with
the proper resources for carrying out these
elements.  The current Report would permit the OPOC
to be a âweak linkâ in the DNS, becoming an
instrument to delay, obstruct and aid those who
would perpetrate fraud on consumers (e.g., phishing)
or infringement of third-party rights. 
Implementation of the OPOC system requires sound
policy, accompanied by sufficient resources.  There
should be no short-cuts, and no rash changes without
appreciating implications for the DNS.  If proper
implementation of an OPOC system would place new
burdens on Registrars or Registrants, the answer is
not to weaken the minimum elements of a responsible
policy, but to recognize that the real cost for
domain name registrations is higher than current
prices charged.  However, the Working Group process,
in view of some of significant disagreements on
requirements and resource questions, has resulted in
a final Report that watered down necessary elements
to the system, leaving gaps and ambiguities.
 
Several detailed comments:
 

-       I would agree that the OPOC should have a
consensual relationship with the Registrant (section
2.2) and that this relationship should be reflected
in an enforceable contract.  However, this Agreed
element is seriously undermined by (i) lack of
agreement on required verification (section 2.3),
(ii) imposing the responsibility to obtain consent
on the Registrant (section 2.4), and (iii) failing
to agree that consent of the OPOC to its
responsibilities must be obtained before enabling a
web site to resolve based on the registered name. 
This is an area in which various drafts of the
Outcomes Report have been watered down, so that the
current draft does not contain a coherent proposal. 
Given the existing chain of responsibilities
established by ICANN for the DNS, the Registrars
should have a more significant role in confirming
verification and that the OPOC consents to a set of
defined responsibilities.  This would be consistent
with the Agreed statements in lines 322-324 that the
RAA needs to be amended to reflect these
responsibilities.  Without this practical link,
there is no way to enforce OPOC obligations (such as
those Agreed in section 3.1, lines 516-521) and the
Report fails to acknowledge this problem.
 

-       Section 2.3 states that a system of
accreditation for OPOCs is neither practical nor
scalable.  I continue to think that proper
accreditation is important for OPOCs.
 

-       I agree to sections 2.5 and 3.1 (and the
implementations under 3.1, including definition of
âreasonable evidence of actionable harmâ).  I
agree with section 3.2 for the Reveal function and
the Agreed statement at lines 610-614 & 616.  While
I agree with sections 4 (lines 678-687), this
section says nothing about sanctions against OPOCs
who fail to perform their responsibilities.  An
accreditation system would have assisted in the
sanctioning OPOCs.  Without accreditation (or any
other set of sanctions), there is a serious risk
posed by OPOCs who willfully disregard requirements.
 

-       I agree with sections 5.2 and section 6.5
(lines 846-852).  I agree that the OPOC
implementation should be contingent upon the
development of broadly supported means of Access as
described in section 6.
 

-       Reference is made to timeliness in several
places: lines 616, 669 and 806-807.  While I agree
with the principle that âtimelyâ should be
interpreted as a time line that is proportionate to
the harm, the definition of detailed response times
has been left for implementation.  Time is often of
the essence in preventing activities such as
phishing and other forms of Internet financial
abuse, criminal activity, copyright infringement and
other types of fraud.  Until detailed guidelines for
response times have been defined, the potential for
delays and obstruction creates risks for consumers
and other third parties.  These response-time rules
need to be considered and defined before any OPOC
proposal is ready for approval and implementation.
 

-       Section 6.7 states it is Agreed there should
be no assumption that Access services would be
entirely free of cost to Accessors, while the
implementation option refers to Registrars charging
a nominal fee for Access services.  While the option
of nominal fee for Access can be considered, the
other option is that the cost for registering a
domain name should be increased to reflect the true
cost in terms of potential harm to innocent third
parties and the services needed to offset those
harms.
 

In sum, the data protection/privacy concerns of
individual, non-commercial registrants are very
important.  However, the Outcomes Report has failed
to propose a coherent OPOC system that improves the
protection of these interests while maintaining the
vital access to Whois registration data needed to
support legitimate activities.

Chris Gibson

---- Original message ----

  Date: Mon, 20 Aug 2007 10:09:20 +0200
  From: "Philip Sheppard" <philip.sheppard@xxxxxx>
  Subject: [gnso-whois-wg] Proposed final version of
  the group's output report v1.8
  To: <gnso-whois-wg@xxxxxxxxx>
  >
  >Please note comments on v 1.8 are now closed.
  >The group's final report will be distributed
  shortly.
  >Many thanks
  >Philip
  >