[At-Large] 9th Circuit Court ruling on ICANN Contract.

Derek Smythe derek at aa419.org
Sun Jan 9 17:48:27 UTC 2011

Mostly agreed Karl, good ideas you have, but some pointers since the 
person making the request has the same rights as the registrant:

On 2011/01/09 01:53, Karl Auerbach wrote:
> On 01/08/2011 02:37 PM, Roberto Gaetano wrote:
>> I believe that the registration of a domain requires the owner of the domain
>> to correctly identify oneself to the registering authority, but that this
>> information does not need necessarily to be public.
>> ...the example of car registration: a car owner is obliged
>> to provide complete and accurate information to the registration authority,
>> but this information is not necessarily public. Actually, I am not aware of
>> any national car registry in which you can access this information without
>> proving that you need it, and qualify yourself.
>> I have not yet heard a convincing argument on why the domain names have to
>> be treated differently.
> You've hit on an important point.  But first let me make a minor detour...
> <begin detour>
> If you check the registration of my primary automobile you won't find my
> name anywhere.  There are layers of corporate identities between my name
> and the name on my automobile registration.
> That is neither illicit nor does it oppose the social policies that
> justify automobile registration.

A natural vs a legal person, both quite acceptable, however never a 
fictitious person as we find in domain registrations.

> "Ownership" is a distinct concept from that of "control".  There are
> quite legitimate reasons why ownership (or control) might be indirected
> through layers of intermediaries.  Moreover, there are cases, such as
> when a person has acquired an automobile on the basis of a loan there
> are separate and distinct legal and beneficial ownership rights.
> <end detour>
> The drum beat for privacy busting private regulation of domain name
> registrations is driven by the desire by various people, some driven by
> good intent (such as the anti-spam community), some driven by more
> selfish motives (such as the intellectual property protection [as
> distinguished from the intellectual property creation] industry).  Those
> groups would dispense with the nuisance of balanced due-process to the
> data subject.

I would love to know the ratio of IP vs anti-fraud (spam is a bit 
yesterday, let's expand it to other nefarious domain uses as well) 
domain issues. I will not dwell into the overlapping area of IP and 
fraudulent abuse such as bank spoof domains and other lookalike names.

> It is long past time to introduce some balance back into the equation:
> For years I have advocated that penetration of domain registrations
> should require the person making the request do several things:
>     1. They should announce their identity, personal and organizational
> (including contact information), and proofs of that identity, which
> would be recorded, permanently, into an access log.

As long as the same requirements are put on registrants (also see 
point 6).

>     2. A bond (small, perhaps $100) should be posted to indemnify the
> data subject should the access be ill founded, vexatious, or made with
> reckless disregard of facts known, or readily knowable to, the accessor.
>    (There are lots of ways that this requirement could be streamlined to
> accommodate the needs of consumers - for example the bond could be
> waived for the first 10 accesses during any 12 month period.)

The same for the registrant, he should also post a bond. If any 
allegations are found to be justified, there should be punitive 
measures in place.

>     3. They should make a concise and concrete accusation, into the
> permanent log, that states why they believe rights they process towards
> the domain name are being violated.  This accusation must be backed by
> evidence.  This accusation could act as an estoppel against the accessor
> making contrary assertions at a later date

Semi agreed. Those accusations should be recorded and be held for at 
least a period of five years. The records of accusations should be 
available to all parties (law enforcement, recognized anti-abuse 
groups, registrars, registries etc). Just remember the accusation may 
not only be against the domain name, but may span a range of issues 
(botnet herders, fake shopfronts ...)

Should the accusation be found to be correct, the registrar or his 
agent shall upon request by the accuser, also supply all other domain 
names registered to the same party. This may also be used at other 
registrars/privacy proxies and the like.

>     4. They should be required to enter into a legally binding agreement,
> with the data subject being granted explicit third party beneficiary
> rights of enforcement, that constrains the use of the data obtained so
> that it may not be further disseminated or used for any other purpose
> than to initiate a dialog with the data subject on the question whether
> the accusation is well founded or specious.

The data should also be allowed to be shared with legal authorities 
and recognized anti-abuse groups, along with any pertinent data (also 
accusation in point 3). A response is required from the data subject 
in 24 to 48 hrs maximum for a legal person, 7 days for a natural 
person. If no such response is forthcoming, the data will be made 
available as if an affirmative response was received.

Should the registration data be found to be grossly inaccurate (bogus 
registration details, identity theft etc) then all domains linked to 
those grossly inaccurate registration details will immediately be 
suspended. This requirement will be mandatory and span all registrars 
and registries.

Should a proxy have been used that accepts registrations for domains 
where no registration data is required of the registrant, only the 
funds for the domain, that proxy provider will be held liable for any 
harm done by that domain (we have been seeing a lot of these providers 
of late)

The proxy provider itself may not be registered via another proxy 
provider. A proxy provider must have a physical address at the stated 

>     5. The data subject should be given notice of the access, including
> the identity of the accessor and the content of the accusation.  The
> data subject would have the right to make that accusation and the
> identity of the accessor public.

Not sure how that would work for law enforcement and like legitimate 

>     6. On a periodic basis the log of access should be processed so that
> the name of each accessor, and the number of accesses made, is published
> to the public.  This will help identify access trolls.

Naturally the accessor has the same rights as the registrant. As such 
he is also allowed to use proxy providers. Based on the work some 
inquirers do, they might have more reason to use such a mechanism than 
mere personal privacy, rather personal safety.

> 	--karl--

