[At-Large] 9th Circuit Court ruling on ICANN Contract.

Karl Auerbach karl at cavebear.com
Sat Jan 8 23:53:10 UTC 2011

On 01/08/2011 02:37 PM, Roberto Gaetano wrote:

> I believe that the registration of a domain requires the owner of the domain
> to correctly identify oneself to the registering authority, but that this
> information does not need necessarily to be public.
> ...the example of car registration: a car owner is obliged
> to provide complete and accurate information to the registration authority,
> but this information is not necessarily public. Actually, I am not aware of
> any national car registry in which you can access this information without
> proving that you need it, and qualify yourself.
> I have not yet heard a convincing argument on why the domain names have to
> be treated differently.

You've hit on an important point.  But first let me make a minor detour...

<begin detour>

If you check the registration of my primary automobile you won't find my 
name anywhere.  There are layers of corporate identities between my name 
and the name on my automobile registration.

That is neither illicit nor does it oppose the social policies that 
justify automobile registration.

"Ownership" is a distinct concept from that of "control".  There are 
quite legitimate reasons why ownership (or control) might be indirected 
through layers of intermediaries.  Moreover, there are cases, such as 
when a person has acquired an automobile on the basis of a loan there 
are separate and distinct legal and beneficial ownership rights.

<end detour>

The drum beat for privacy busting private regulation of domain name 
registrations is driven by the desire by various people, some driven by 
good intent (such as the anti-spam community), some driven by more 
selfish motives (such as the intellectual property protection [as 
distinguished from the intellectual property creation] industry).  Those 
groups would dispense with the nuisance of balanced due-process to the 
data subject.

It is long past time to introduce some balance back into the equation:

For years I have advocated that penetration of domain registrations 
should require the person making the request do several things:

   1. They should announce their identity, personal and organizational 
(including contact information), and proofs of that identity, which 
would be recorded, permanently, into an access log.

   2. A bond (small, perhaps $100) should be posted to indemnify the 
data subject should the access be ill founded, vexatious, or made with 
reckless disregard of facts known, or readily knowable to, the accessor. 
  (There are lots of ways that this requirement could be streamlined to 
accommodate the needs of consumers - for example the bond could be 
waived for the first 10 accesses during any 12 month period.)

   3. They should make a concise and concrete accusation, into the 
permanent log, that states why they believe rights they process towards 
the domain name are being violated.  This accusation must be backed by 
evidence.  This accusation could act as an estoppel against the accessor 
making contrary assertions at a later date.

   4. They should be required to enter into a legally binding agreement, 
with the data subject being granted explicit third party beneficiary 
rights of enforcement, that constrains the use of the data obtained so 
that it may not be further disseminated or used for any other purpose 
than to initiate a dialog with the data subject on the question whether 
the accusation is well founded or specious.

   5. The data subject should be given notice of the access, including 
the identity of the accessor and the content of the accusation.  The 
data subject would have the right to make that accusation and the 
identity of the accessor public.

   6. On a periodic basis the log of access should be processed so that 
the name of each accessor, and the number of accesses made, is published 
to the public.  This will help identify access trolls.


More information about the At-Large mailing list