Comments on WHOIS Policy Review Team Draft Report
- To: whois-rt-draft-final-report@xxxxxxxxx
- Subject: Comments on WHOIS Policy Review Team Draft Report
- From: Andrew Sullivan <ajs@xxxxxxxxxxxxxxxxxx>
- Date: Thu, 15 Mar 2012 19:20:07 -0400

Dear members of the WHOIS Policy Review Team,

I have read the WHOIS Policy Review Team Draft Report. I appreciate
the effort that went into this report, and think that many of the
observations are a helpful contribution. I welcome the opportunity to
provide comments. I should note that, while I act as co-chair of some
working groups at the IETF, I do not speak on behalf of those working
groups or on behalf of anyone else.

The report makes some recommendations that are admirable in their
concreteness. For example, if recommendation 1 is possible in
practice, it would likely benefit the Internet community, because it
would make the policies easier for people to obtain and understand.
Similarly, given the stated goals, the report's emphasis on producing
measures of the extent to which those goals are met is helpful.

Some of the goals, unfortunately, appear to rest on shaky foundations.
Much of the report (including recommendations 5 through 11 and part of
20) is concerned with the accuracy of WHOIS data, but it assumes
without much supporting argument the traditional model of a single,
unauthenticated service for registration data. Where the report
examines this issue (Chapter 6, section B), it appears to consider
only the alternatives of full and unrestricted access or just some
sort of restrictions on the data. The report does not examine in any
detail what the different use cases for WHOIS data might be and how
those could be separated into different classes of service. Many of
the complaints people have about WHOIS (either the protocol, the
service, or the data) are tied to the WHOIS we have. But that WHOIS
is merely an accident of history, as the report correctly notes. Both
the protocol and the service were inherited from an early network that
was radically different from the modern Internet. WHOIS was just a
tool needed to keep things working.

One reason for the many recurring complaints about WHOIS may be that
WHOIS is not a good solution to our problems. We need to think about
what those problems really are before proposing solutions. A
requirement for highly accurate data in today's WHOIS is a requirement
that any random person can access, anonymously and with trivial
effort, a great deal of personally identifying information about a
domain name registrant. But several of the issues with WHOIS data
identified in the report are probably better solved by replacing the
WHOIS protocol completely, using a new protocol that allows
authenticated access to different amounts or kinds of data depending
on the source of the query. Law enforcement complaints about
inaccurate data might be addressed by providing lookup credentials to
law enforcement agencies, instead of improving anonymously-accessible
data. Law enforcement agencies could then have privileged access to
more detailed data at the expense of having their lookups logged or
subject to some sort of oversight or review. Pursuing this line of
thinking might address both legitimate law enforcement needs and the
concerns about privacy. It is not practically possible to offer these
kinds of services, however, without replacing the WHOIS protocol.

If the WHOIS protocol (and the service model that in practice follows
from it) is to be replaced with something more fitting to the modern
Internet environment, then the different problems in need of a
solution ought to be teased apart. It may be that the team did not
undertake this sort of investigation because of the way the
Affirmation of Commitments refers to WHOIS. That justification,
however, simply repeats the mistake (noted early in the report) of
conflating the WHOIS data with the WHOIS protocol and the WHOIS
service. Therefore, before taking up recommendations to solve the
problem of bad WHOIS data, it seems preferable to figure out what
kinds of data would solve different classes of problem. The need for
such an analysis is in fact hinted at in the report: "Just as there is
no shared understanding, or statement of the purpose of WHOIS, key
concepts, such as 'data accuracy' mean different things to different
stakeholders." (p 40) Building such a shared understanding seems more
important than improving the data without such a shared understanding.

If the existing protocol and service model were replaced, some of the
incentives to provide bad registration data might go away. Naturally,
fraudsters would still provide bad data. But the very fact of the bad
data would then itself be useful information; today it is just as
likely to be an indication that registrants don't want their street
address or phone number easily accessible by random strangers.

The discussion of internationalization (including recommendations 18
and 20) would benefit by more carefully considering replacing the
WHOIS protocol, and by attending to distinctions that already exist.
Recommendation 18 especially seems to conflate what it is possible to
register in a registry with what it is possible to look up via the
WHOIS service. The relevant registration protocols have been able to
collect internationalized registration data for a long time, and so it
is hard to understand why any study is needed on the gathering,
storing, or encoding of registration data. Of course, it is
impossible to use the WHOIS protocol reliably to access data that uses
anything but ASCII. But this problem is related to the WHOIS
protocol, and not the registration data itself. At bottom, the issue
cannot be solved except by replacement of the WHOIS protocol.

Recommendation 17 is either unnecessary or else an extremely bad idea.
Despite the poor penetration of much of the RWhois specification (RFC
2167), the one thing that is widely implemented is the referral
mechanism. If that mechanism is not working in some cases, it is just
a software bug, and does not need a policy response. If
recommendation 17 is instead a suggestion for (re)centralization of
name registration data, then it is a bad idea. The recommendation is
apparently for ICANN to provide a lookup service for name registration
data it does not control. It will almost certainly cause inaccuracies
in the data, because two parties would maintain the same data
independently. (If the idea is merely that ICANN should chase the
referrals in the WHOIS and provide the service, then the proposal is
again unnecessary, since existing WHOIS clients can already do this.)

Setting aside the recommendations, there are technical errors in the
document that undermine its authority. In the interests of brevity,
these nits have been sent directly to the staff support contact for
the team, but they really ought to be fixed lest the report be
dismissed on the grounds of those mistakes.

I thank the team for producing this comprehensive report. I hope that
these comments may help the team in its deliberations when finalizing
its draft.

--
Andrew Sullivan
ajs@xxxxxxxxxxxxxxxxxx
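
The following is an added example, not part of the message above and not code from any registry or protocol specification. It sketches the access model the message argues for: anonymous queries get a minimal view of a registration record, while a credentialed requester gets more detail and every such lookup is logged for review. The tier names, field names, credential store, MAC scheme and record are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample registration record (not real data).
RECORD = {
    "domain": "example.org",
    "registrar": "Example Registrar",
    "status": "active",
    "registrant_name": "J. Doe",
    "registrant_street": "1 Sample Street",
    "registrant_phone": "+1.5550100",
}

# Hypothetical tiers: which fields each class of requester may see.
TIER_FIELDS = {
    "anonymous": {"domain", "registrar", "status"},
    "law_enforcement": set(RECORD),
}

# Hypothetical credential store: client id -> (shared secret, tier).
CREDENTIALS = {"agency-01": (b"constructed-demo-secret", "law_enforcement")}

AUDIT_LOG = []  # privileged lookups are recorded here for later oversight


def sign(client_id, domain, secret):
    """MAC a client computes over its query to prove it holds the secret.
    A deployed protocol would also bind a nonce or timestamp against replay."""
    msg = f"{client_id}|{domain}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def lookup(domain, client_id=None, mac=None):
    """Return (tier, view): the fields of RECORD this requester may see."""
    tier = "anonymous"  # default to least privilege
    cred = CREDENTIALS.get(client_id)
    if cred is not None and mac is not None:
        secret, granted = cred
        expected = sign(client_id, domain, secret)
        # Constant-time comparison; a bad MAC falls back to the anonymous view.
        if hmac.compare_digest(expected.encode(), mac.encode()):
            tier = granted
    if domain != RECORD["domain"]:
        return tier, {}
    if tier != "anonymous":
        AUDIT_LOG.append({"client": client_id, "domain": domain, "tier": tier})
    return tier, {k: v for k, v in RECORD.items() if k in TIER_FIELDS[tier]}
```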