Regions Financial Corporation's Comment Letter

[Hope.Mehlman@xxxxxxxxxxx]

Regions Financial Corporation 
October 12, 2007
To:     Internet Corporation for Assigned Names and Numbers and GNSO 
Council
(email: whois-comments-2007@xxxxxxxxx)

Re:     Comment on GNSO Council Motions, WHOIS Task Force Report, WHOIS 
Outcomes Working Group Report, and ICANN Staff Overview of Recent GNSO 
Activity Concerning WHOIS

Regions Financial Corporation (Regions) welcomes the opportunity to 
comment on the reports and motions referenced above concerning the WHOIS 
database and related services (WHOIS) and, in particular, on the 
potentially harmful proposals that would restrict or eliminate access to 
the type of information collected, maintained and made publicly accessible 
through the WHOIS.
Regions participated in the Working Group (WG) that recently produced the 
WHOIS Outcomes Working Group Report (WG Outcomes Report), and is concerned 
that new proposals to radically restrict or eliminate access to the WHOIS 
will undermine its essential and legitimate functions in the fight against 
online fraud, illegal activities and infringement, and in support of other 
legitimate activities.  Regions and innumerable other financial 
institutions rely on the WHOIS as an essential tool to investigate and 
take timely measures to protect our customers from fraud (e.g., phishing 
and pharming) and identity theft, as well as to defend against 
cybersquatters and third-party infringers. 

Regions understands that three motions concerning the WHOIS have been 
released recently for public comment and may be voted on at the ICANN 
meetings in Los Angeles commencing on October 29, 2007.  In brief, these 
motions call for three very different outcomes with respect to the WHOIS:

(1)     support and implement the Operational Point of Contact (OPOC) 
proposal as a replacement for the WHOIS, and apply OPOC for all 
ICANN-accredited registrars and gTLD registries;

(2)     conduct a comprehensive study on the registration characteristics, 
uses and abuses of WHOIS data and take the results of this study into 
account before deciding any next steps in WHOIS policy development; or 

(3)     phase out current WHOIS contractual obligations for registries, 
registrars and registrants over the next year.
Of these alternatives, Regions strongly supports the second (2) motion 
requesting further study of the WHOIS before any further decisions on 
WHOIS policy are made.  The first (1) motion should not be supported at 
this time, because the currently envisaged OPOC approach ? as reflected in 
the lack of consensus on key issues ? is inadequate for implementation and 
would create a ?weak link? in the domain name system (DNS), allowing the 
OPOC to become an instrument for delay and obstruction, and aiding those 
who would perpetrate fraud on consumers and infringement of third-party 
rights.  The third (3) motion, calling for virtual elimination of the 
WHOIS, should be forcefully rejected because it presents an irresponsible 
proposal that would close down the existing WHOIS system regardless of the 
serious consequences.
In view of the upcoming vote that may be taken on these motions at the 
ICANN meetings, the balance of this comment is directed to them:
(1) The OPOC Proposal for the WHOIS is Inadequate and Should be Rejected
With respect to the first motion, Regions focuses its comments on the WG 
Outcomes Report, which is referenced in the first motion and reflects the 
most detailed consideration of the proposed OPOC approach to date. Regions 
supports the balance that the WG attempted to strike between privacy 
interests and meeting the legitimate needs of those who rely of the WHOIS 
as a tool to protect consumers and act against fraud and other illegal 
acts by registered name holders.  However, Region observes that the WG 
failed to achieve consensus on a number of issues that are essential to a 
workable, effective and prudent implementation of the OPOC proposal. Both 
the second and third motions in their full text also refer to this failure 
to achieve consensus.  See ICANN Staff Overview Report, pp.9-10.  Under 
the OPOC proposal, the contact information for an OPOC would be publicly 
available instead of the current WHOIS contact information for each 
registered name holder (including the administrative and technical 
contacts).  The OPOC system, therefore, fundamentally depends upon 
defining and enforcing the proper role, responsibilities and obligations 
of the OPOC as it becomes the linchpin for obtaining information and 
communicating with each registered name holder.  In this regard, the ICANN 
Staff Overview Report (p.4) accurately identifies several of the key areas 
of concern created by the OPOC approach: 
·       The OPOC could make contacting the registered name holder more 
difficult, time-consuming, expensive or less reliable;
·       Responsibilities and obligations of the OPOC would need to be 
clearly defined, including 
accelerated time frames for response; and
·       Mechanisms would be needed to encourage compliance and provide 
enforcement, including timely alternative mechanisms for access to 
unpublished information.
While the WG Outcomes Report attempted to make progress on these issues, 
it ultimately failed to reach consensus on the mechanisms needed for an 
OPOC proposal that would satisfactorily address these concerns and be 
capable of successful implementation.  Due to the lack of consensus, the 
various drafts of the Outcomes Report were eventually ?watered down? so 
that the Report in its final form fails to contain a coherent proposal, 
leaving gaps and ambiguities and too broad a scope for ?implementation 
options? left to the ICANN staff.  One important example demonstrates this 
point.  The Outcomes Report sets out certain responsibilities of the OPOC: 
(i) ?the OPOC must RELAY an information request to the Registrant in a 
timely manner? Time is often of the essence in preventing activities such 
as phishing and other forms of Internet financial abuse, criminal 
activity, intellectual property infringement and other types of fraud. 
Until detailed guidelines for response times have been defined (i.e., they 
were not defined in the Outcomes Report), the potential for delays and 
obstruction creates risks for consumers and other third parties.  These 
response-time rules need to be considered and defined before any OPOC 
proposal is ready for approval and implementation.
 (¶ 3.1); (ii) ?the OPOC must meet certain implementation requirements for 
relaying messages from the Requester to the Registrant? (¶ 3.1); and (iii) 
the OPOC must ?REVEAL the unpublished contact information of Registrants 
who are natural persons to a Requestor in certain limited circumstances? 
(¶ 3.2).  While Regions considers that specifying the RELAY and REVEAL 
responsibilities for an OPOC is a helpful start, the Outcome Report 
contains absolutely no agreement (or even suggestion) on the means by 
which these new responsibilities would be required and enforced, or on any 
sanctions against an OPOC for failure to implement them properly.  This is 
the case in spite of the fact that these issues were squarely before the 
WG producing the Report.  In fact, the Outcomes Report provides that there 
should be no accreditation of OPOCs (¶ 2.3), and suggests no other means 
(contractual or otherwise) by which the OPOC is verified or directly 
linked into the ICANN system and its chain of responsibilities.  Without 
accreditation or any set of sanctions, there is a serious risk posed by 
OPOCs who willfully disregard requirements.  Instead, it is left 
completely to a registered name holder ? the very party who could be 
engaged in illegal activity ? to enter into some form of undefined 
?consensual relationship? with the OPOC (¶2.4).  Those who would normally 
rely on the essential WHOIS services to obtain information and contact 
registered name holders will now encounter delays and potential 
obstruction.  Rather than sanction the OPOC when it fails to fulfill its 
responsibilities, the Outcomes Report leaves it to the Requestor now to 
take additional steps and turn to the Registrar (¶4) and make its request 
there.  The Outcomes Report does recognize that there are circumstances in 
which law enforcement agencies and private actors might need access to 
unpublished registrant data (¶6) and obtain it through a channel 
independent of the OPOC, but the practical mechanisms for this possibility 
remain undefined and subject to disagreement.
The OPOC approach would create new and serious risks in the DNS, 
interposing a new layer of bureaucracy and technical requirements.  This 
new layer would radically alter the existing system in which countless 
individuals, businesses and other organizations rely on the WHOIS data in 
support of legitimate functions including law enforcement, safeguarding 
the interests of the public, and combating fraud and infringement. 
Moreover, the new layer would introduce many risks if it is not 
implemented in a responsible manner with carefully defined roles, 
responsibilities and requirements, and with the proper resources for 
carrying out these elements.  Implementation of the OPOC system requires 
sound policy, accompanied by sufficient resources.  There should be no 
short-cuts, and no rash changes without appreciating implications for the 
DNS.  If proper implementation of an OPOC system would place new burdens 
on Registrars or Registrants, the answer is not to weaken the minimum 
elements of a responsible policy, but to recognize that the real cost for 
domain name registrations is higher than current prices charged.  However, 
the WG process, in view of some of significant disagreements on key 
requirements and resource questions, resulted in a final Outcomes Report 
that watered down necessary elements.   In sum, the privacy concerns of 
individual, non-commercial registrants are very important; however, the 
Outcomes Report has failed to propose a coherent OPOC system that improves 
the protection of these interests while maintaining the vital access to 
WHOIS registration data needed to support legitimate activities.
(2) Further Study of the WHOIS Should be Made
Regions considers that, in many important respects, those proposing 
dramatic change are underestimating the impact of making changes to the 
existing WHOIS system.  As noted above, countless individuals, businesses 
and other organizations rely on the WHOIS data to perform legitimate 
functions, as recognized by the Governmental Advisory Committee (GAC) in 
its statement of principles on WHOIS.  The existing WHOIS is an 
international and time-tested resource and service.  Changes should not be 
made before there is a better understanding of any problematic issues with 
the existing WHOIS, and a much more informed comprehension of the 
consequences of making changes.  It is for this reason that Regions 
supports the second (2) motion, that ICANN take the necessary steps to 
proceed with a comprehensive, objective study on the issues identified by 
the WHOIS Working Group, by the GAC, and by the GNSO Council. These issues 
include the characteristics of gTLD registrants, the uses and abuses of 
WHOIS data, and a review and analysis of the different proxy services 
available today.  No comprehensive, objective study has yet been made of 
these key factual issues, and future ICANN policy making would greatly 
benefit from the results of such a study.
(3) The Motion to Eliminate the WHOIS Should be Strongly Rejected
The third (3) motion, calling for virtual elimination of the WHOIS, should 
be rejected as an irresponsible proposal that would close down the 
existing WHOIS system, without regard to the fact that countless 
individuals, businesses and other entities rely on the WHOIS in support of 
legitimate activities including law enforcement, safeguarding the 
interests of the public, combating fraud, illegal activity and 
infringement.  This proposal should be taken seriously precisely because 
it represents such a drastic and unhelpful alternative.  Removing the 
WHOIS as a key online resource will bring grave consequences, and 
therefore the third motion should be rejected.
About Regions Financial Corporation
Regions Financial Corporation is a member of the S&P 100 Index and Forbes 
Magazine's "Platinum 400" list of America's best big companies. With 
nearly $140 billion in assets, Regions is one of the nation's largest 
full-service providers of consumer and commercial banking, trust, 
securities brokerage, mortgage and insurance products and services. 
Regions serves customers in 16 states across the South, Midwest and Texas, 
and through its subsidiary, Regions Bank, operates some 1,900 AmSouth and 
Regions banking offices and more than 2,400 ATMs. Its investment and 
securities brokerage, trust and asset management division, Morgan Keegan & 
Company Inc., provides services from more than 400 offices. Additional 
information about Regions and its full line of products and services can 
be found at www.regions.com.

______________________________________

 
Hope D. Mehlman
Associate General Counsel
Regions Financial Corporation
1901 Sixth Avenue North, 18th Floor 
Birmingham, Alabama 35203
Telephone: (205) 264-7790 | Facsimile: (205) 264-7751
Email: hope.mehlman@xxxxxxxxxxx
 
CONFIDENTIALITY NOTE: This email and any attachments may be confidential 
and protected by legal privilege. 
If you are not the intended recipient, be aware that any disclosure, 
copying, distribution or use of the e-mail or any
attachment is prohibited. If you have received this email in error, please 
notify us immediately by replying 
to the sender and deleting this copy and the reply from your system. Thank 
you for your cooperation.