ICANN Email List Archives

[whoisrt-discussion-paper]



WHOIS Review Team Discussion

  • To: whoisrt-discussion-paper@xxxxxxxxx
  • Subject: WHOIS Review Team Discussion
  • From: Patrick Klos <patrick@xxxxxxxx>
  • Date: Sat, 23 Jul 2011 16:41:48 -0400

While I don't have specific answers (or maybe I do) to each and every question posed in the "WHOIS Review Team Discussion Paper", I would like to make sure my thoughts are shared with the community.

I have been a member of the Internet community since the early '90s, working for many networking companies like Cabletron, Banyan, Racal-Datacom, Racal-Interlan, etc. My own company has implemented various protocols and other networking products over the years.

In all the years I've been on the Internet, I've been a proponent of fighting spam, and in more recent years, fighting phishing. To that end, the WHOIS database has been a CRITICAL resource for contacting various parties and service providers to report hacking victims or abusive users. The WHOIS database is a SINGLE STANDARDIZED resource that makes it possible to track down the owners or operators of hacked and abused systems.

In my personal opinion, anyone who offers "privacy" services to domain owners should only do so when *they are willing* to take on the responsibility of the contacts themselves. I don't mind if someone doesn't want their name and address publicly listed in the WHOIS database, but I do mind when the information in the WHOIS record is nothing more than a bunch of non-working phone numbers or email addresses, or otherwise just dead ends, leaving me no way to contact the owner of the domain in an efficient and standardized manner!

I'll try to answer some of the posed questions from my own point of view: (forgive me if I mistype the questions - I can't cut-and-paste from the PDF file for some reason)

1. What measures should ICANN take to clarify its existing WHOIS policy?

ICANN should make explicit the INTENT of the WHOIS policy. We've all known that ICANN agreements with registrars require the registrar to collect and present valid owner contact information for each domain under its jurisdiction, but WHY? Does ICANN only care about "domain registration" issues? Are the contacts only to be used if the registration or DNS for a domain is having problems? Or is the intention of having correct data necessary so third parties such as myself can contact the domain holders whose domain may be experiencing some problem (DNS, hijacking, abuse from a domain's user/customer, hacked or abused services [i.e. phishing sites])?? I'd like to recommend it take on the broader definition!

2. How should ICANN clarify the status of the high level principles set out in the Affirmation of Commitments and the GAC Principles on WHOIS?

Can't really say since I haven't read them.

3. What insight can country code TLDs (ccTLDs) offer on their response to domestic laws and how they have or have not modified their ccTLD WHOIS policies?

If a given country has stricter privacy laws than the United States, that should have no impact on WHOIS policies controlled by ICANN that are based on US law (i.e. .COM and .NET). I don't understand companies that feel they need "privacy" in their WHOIS records, especially in the US. If you're a legitimate business, you have no reason to hide your identity. It's only the shady businesses and scams that need their privacy to hide from the authorities! As far as personal use domains, as I stated before, I don't mind if a registrar provides a form of privacy to the owner, but the information in the WHOIS record MUST contain a valid email address and phone number for immediate access to someone (a registrar's employee is fine) who can either take action on technical or security issues directly with regards to the domain, or at least be able to get in touch with the actual domain owner in a timely manner (within a few hours, tops).

4. How can ICANN balance the privacy concerns of some registrants with its commitment to having accurate and complete WHOIS data publicly accessible without restriction?

See my answers to 3.

5. How should ICANN address concerns about the use of privacy/proxy services and their impact on the accuracy and availability of the WHOIS data?

ICANN should REQUIRE that the email addresses and phone numbers are accurate in that they go to a REAL person, be it the actual domain owner, an employee at the registrar, or some third party who has agreed to supply support for the domain. It's criminal to put an auto-responder on an admin or technical contact that replies with "You must go to <some web site> in order to contact the owner of the domain"! And it's irresponsible for a technical contact to have a simple pattern-matching spam/phish filter on their mailbox, as that may prevent people from sending them information about one of their own domains that has been hijacked or otherwise hacked!

6. How effective are ICANN's current WHOIS related compliance activities?

From my limited experience, not very effective. While some registrars follow up with their domain owners and get updated info when the domain is flagged, other registrars simply don't care if the information is correct and don't seem to care that their agreement with ICANN requires them to have accurate information for all domains they sponsor! And when I get the notice 45 days after reporting a domain, and I click on the "the information hasn't been corrected" link, I see no followup or other action taken by ICANN to attempt to get the information corrected!

7. Are there any aspects of ICANN's WHOIS commitments that are not currently enforceable?

I don't know since I'm not aware of all the commitments, but ICANN MUST be willing to CANCEL its agreement with a registrar if that registrar fails to comply with the terms of the agreement. The biggest example of this is the blatant misuse of the WHOIS database for commercial exploit by "Domain Registry of America". For years, DROA has been using the WHOIS database as their personal mailing list, at first creating what appeared to be misleading "renewal notices" that even one of my own users fell for (and had to be reversed after we complained), but even still sending out notices that except for a few words or passages, give every impression that the domain owner needs to renew their domain as if DROA were their registrar. They encourage the domain owner to act quickly with phrases like "You must renew your domain name to retain exclusive rights to it on the Web", which is completely true, but creates a false sense of urgency. I JUST RECEIVED ONE OF THESE LETTERS FROM _DOMAIN REGISTRY OF AMERICA_ TODAY FOR ONE OF MY DOMAINS!!!! ICANN should have canceled all agreements with DROA A LONG TIME AGO!!! If ICANN isn't willing to cut ties with its most blatant violator of ICANN regulations, I have little reason to believe they will do anything about the smaller matters.

8. What should ICANN do to ensure its WHOIS commitments are effectively enforced?

For starters, CANCEL ALL AGREEMENTS WITH DROA!! Secondly, be willing to take action when necessary. Don't be like the government and create rules if you're not willing to enforce those rules and stand up to those who would take advantage of your inaction!

9. Does ICANN need any additional power and/or resources to effectively enforce its existing WHOIS commitments?

Additional resources? Maybe. Additional power? No, ICANN already has all the power it needs to pull the plug on registrars and domain holders that are not willing to comply with long established rules for domain ownership.

10. How can ICANN improve the accuracy of WHOIS data?

By enforcing its current regulations and canceling agreements with registrars that are not willing to uphold their end of the deal. It needs to remind the registrars that the registrar is empowered to cancel domain registrations for domain holders that refuse to comply with the requirements for accurate and complete data.

11. What lessons can be learned from approaches taken by ccTLDs to the accuracy of WHOIS data?

I don't know. How good are ccTLDs at enforcing their registrar's commitments?? And what impact does that have on WHOIS accuracy?

12. Are there barriers, cost or otherwise, to compliance with WHOIS policy?

The only barrier I know of is ICANN's unwillingness to take real action against registrars that don't take real action with their non-compliant domain holders.

13. What are the consequences or impacts of non-compliance with WHOIS policy?

For me, I know it makes it extremely difficult (or impossible) to contact owners of hacked or compromised servers when I run across phishing sites on compromised servers. The same difficulty exists when trying to contact people whose servers are being used to send out spam and other abuses on their network or servers. I'm sure I'm not the only one who is EXTREMELY FRUSTRATED by the lack of consistent and accurate WHOIS data.

14. Are there any other relevant issues that the review team should be aware of? Please provide details.

I'd be very happy if you could just fix the current system. I think if the WHOIS Review Team would at least create an explicit description of their intentions for the WHOIS data, it would go a long way towards knowing exactly who is in compliance and who is not. Spell out exactly WHY the current Registrar Agreements include language to require that the WHOIS data be complete and accurate??

_*The longer ICANN takes to start fixing the WHOIS compliance issue, the more effort and resources it will take to get the registrars and domain holders to come into compliance with the existing regulations.*_

Sincerely,

Patrick Klos
President
Klos Technologies, Inc.


