Steve Crocker's comments on the WHOIS Policy Review Team Final Report
- To: "whois-rt-draft-final-report@xxxxxxxxx" <whois-rt-draft-final-report@xxxxxxxxx>
- Subject: Steve Crocker's comments on the WHOIS Policy Review Team Final Report
- From: Alice Jansen <alice.jansen@xxxxxxxxx>
- Date: Mon, 23 Jan 2012 07:37:23 -0800
Crocker's comments on the WHOIS Review Team Final Report (Draft), 5 December
2011
The report is very good and contains a lot of useful information and, of
course, twenty recommendations worthy of careful consideration. The following
comments are focused on specific weaknesses and are not a criticism of the
overall report. They are intended to improve the accuracy and readability of
the report, not to argue with the facts or recommendations.
Chapter 1, section A: I believe the original purpose of whois was to provide
points of contact for the hosts that were on the network. In the early days,
hosts were multi-user machines, and their administrators were roughly
comparable to the operators of small ISPs. These were not points of contact
for each individual. The whois system morphed over time, but the formal
definition and the protocols supporting it didn't change except to become more
distributed in order to scale.
Chapter 1, section B: "It is likely that it was selected for use in this
context because it existed and was well understood. In all probability, it was
selected by default." (1) It would be easy to check the facts. Almost all of
the relevant people are still available. (2) What's the relevance of this
statement? This is in contrast with what?
Chapter 1, section C: "ICANN has adopted the age-old tradition of 'the study'
in lieu of or [as] a precursor to action." This seems pejorative to me.
Chapter 1, section D: "Rather, it is an attempt to concisely present in a
balanced and fair manner the very real truth that the current system is broken
and needs to be repaired." While I don't disagree, I don't think the report
has presented a proper foundation. The whois system is intended to provide
contact information for a purpose, or perhaps for multiple purposes. The
accuracy of that information is an important part of the story, but it's not
the whole story. What needs are not being met? I think it's important to lay
out the purposes of this information and how those purposes are not being met.
With that in hand I think it will be a lot more clear what it means to say the
current system is broken and it will also be much clearer how to fix it. To
give a specific, concrete example, why is a proxy registration harmful?
Suppose the proxy service promptly and reliably passes on all messages directed
to the technical, administrative and/or owner points of contact. Under what
circumstances would that be insufficient? I believe it depends on the purpose
you have in mind for contacting the registrant. If you have in mind telling
him you think the domain name or the content on his web site is infringing on
someone else's intellectual property and that if he doesn't respond the domain
name will be removed from service, do you actually need the registrant's true
name? On the other hand, if the registrant's web site contains child
pornography, then you may well need to find the person physically so you can arrest
him. Even in this case, a proxy may be sufficient if it's possible for
appropriate law enforcement personnel to reach the actual registrant via the
proxy.
I'm not trying to argue for one outcome or another. My point here is that the
purpose(s) of whois are not laid out clearly enough and hence it's not clear
exactly what it means to say it's broken and hence even less clear how to fix
it.
This lack of clarity is repeated throughout the report, and I think the report
would be considerably stronger and more helpful if this were fleshed out.
Chapter 1, section G, recommendation 5. This recommendation calls for
"reducing the number of unreachable WHOIS registrations ... by 50% within 12
months and by 50% again over the following 12 months." What is the number of
unreachable whois registrations now?
Recommendation 17: "Thin registry" is mentioned but not yet defined.
Chapter 2, section A: The list of people on the WHOIS Review Team is
impressive, but I didn't see very many people who were likely to supply the
technical depth and understanding of the history that you would have needed.
Were there outside advisers?
Chapter 3, section A: "There are now over 900 gTLD Registrars..." This is
accurate in a very narrow sense. It would be a service to the reader to
include a much better picture. First, the very large majority of these 900
registrars are shell companies that exist solely to provide threads to be used
in the drop-catch process. They're not particularly relevant to the whois
issue. Further, another largish clump of registrars are run by domainers. The
names registered through them are not active on the net in ways that are
relevant to this report. (Or, perhaps they are relevant, but only for a
specific purpose such as determining who's holding a name that infringes on a
trademark.) Yet further, even among the remaining registrars, there are
important distinctions and segments. Just a few, starting with GoDaddy, are
very large. The top several account for the vast majority of the
registrations. Meanwhile, the resellers drastically change the numbers in the
opposite direction and also play a prominent role in any analysis of what the
problems are. It would be useful if this report included a good description of
what the registrar and reseller landscape actually looks like.
Chapter 3, section B: "Modern WHOIS Policy is buried in the contracts of the
current Registry and Registrar Agreements." What was WHOIS and WHOIS policy
prior to ICANN?
"As discussed above, the .COM and .ORG Registries, both run by VeriSign..." I
think you meant NET, not ORG. (Also, Verisign no longer uses camel case.)
Chapter 4, section D: What constitutes "wholly accurate"? What impact does
this inaccuracy have? (These questions are a continuation of the primary
question asked above about the purpose of the whois data.)
"Just as there is no shared understanding or statement of the purpose of
WHOIS..." To me, this is the key. It seems to me important to put the purpose
of WHOIS squarely on the table and deal with the multiple purposes and multiple
understandings of what the problems are.
Chapter 5, "the issue of non-Latin scripts" -- What is the issue?
"ad hoc solutions" might be interpreted as a pejorative term.
"the community needs to urgently address the following issues:
1. What data is needed from the registrant,
2. How this data will be represented in the data model, and
3. How this data will be accessed through registration data services."
I don't think this is sufficient. I'd add:
4. By whom?
5. For what purpose?
This last question controls the accuracy question, i.e. is the data accurate
enough for the purpose?
"... a consistent policy across ccTLDs and gTLDs would make it much easier for
consumers and law enforcement to use WHOIS data." Yes, but the diversity also
provides a richer set of practices to study and learn from.
Chapter 6, "... effective in meeting the needs of law enforcement and promoting
consumer trust." These phrases should be expanded and explicated.
Chapter 6, section A: "Having a failsafe avenue to contact administrators..."
What is the difference between inaccurate information and an unresponsive
registrant?
"Even this is not a significant concern for many registrants when only a small
proportion of domain names lead to web sites that the registrant has a vested
interest in maintaining uninterrupted access." So why does accuracy matter?
Chapter 6, section B, "knock on effects" -- What does this term mean?
Chapter 6, section B, "lack of due diligence" -- What does this mean here?
This seems like a different matter.
"Another issue identified by the review team relates to the ability of
consumers to access WHOIS data. ... over 80% of consumers are unaware of
WHOIS..." -- This is an entirely different issue and it should be put in a
different part of the report. This is perhaps a really good example of one of
the many distinct "purposes."
"... the Intellectual Property Constituency argued that:
ICANN is subject to a commitment 'to having accurate and complete WHOIS' ...
ICANN is not required to implement national safeguards for individuals'
privacy..." -- This statement seems fatuous or perhaps disingenuous and hence
puts the Intellectual Property Constituency in an unnecessarily bad light. Is
this a fair presentation of their position?
"Comparison with ccTLD Practices" -- This section is very good.
----
Submitted by ICANN Staff on behalf of Steve Crocker