[At-Large] 9th Circuit Court ruling on ICANN Contract.

John R. Levine johnl at iecc.com
Sun Jan 9 18:37:04 UTC 2011

Sigh.  In what fantasy world do you imagine that there is a process to 
implement this?

Also, in this world, we routinely identify and turn off a thousand 
or more domains at a time used by criminals, so make sure it scales.

If you're saying I have to post a $100,000 bond to track down a pillz 
spammer, no thanks.

On the other hand, if you're proposing that people have to appear in 
person to a government official and verify their identity before they can 
register a domain, that's not a bad idea.


>> For years I have advocated that penetration of domain registrations
>> should require the person making the request do several things:
>>     1. They should announce their identity, personal and organizational
>> (including contact information), and proofs of that identity, which
>> would be recorded, permanently, into an access log.
> As long as the same requirements are put on registrants (also see
> point 6).
>>     2. A bond (small, perhaps $100) should be posted to indemnify the
>> data subject should the access be ill founded, vexatious, or made with
>> reckless disregard of facts known, or readily knowable to, the accessor.
>>    (There are lots of ways that this requirement could be streamlined to
>> accommodate the needs of consumers - for example the bond could be
>> waived for the first 10 accesses during any 12 month period.)
> The same for the registrant, he should also post a bond. If any
> allegations are found to be justified, there should be punitive
> measures in place.
>>     3. They should make a concise and concrete accusation, into the
>> permanent log, that states why they believe rights they process towards
>> the domain name are being violated.  This accusation must be backed by
>> evidence.  This accusation could act as an estoppel against the accessor
>> making contrary assertions at a later date
> Semi agreed. Those accusations should be recorded and be held for at
> least a period of five years. The records of accusations should be
> available to to all parties; law enforcement, recognized anti-abuse
> groups, registrars, registries etc). Just remember the accusation may
> not only be against the domain name, but may span a range of issues
> (botnets herders, fake shopfronts ...)
> Should the accusation be found to be correct, the registrar or his
> agent shall upon request by the accuser, also supply all other domain
> names registered to the same party. This may also be used at other
> registrars/privacy proxies and like.
>>     4. They should be required to enter into a legally binding agreement,
>> with the data subject being granted explicit third party beneficiary
>> rights of enforcement, that constrains the use of the data obtained so
>> that it may not be further disseminated or used for any other purpose
>> than to initiate a dialog with the data subject on the question whether
>> the accusation is well founded or specious.
> The data should also be allowed to be shared with legal authorities
> and recognized anti-abuse groups, along with any pertinent data (also
> accusation in point 3). A response is required from the data subject
> in 24 to 48 hrs maximum for a legal person, 7 days for a natural
> person. If no such response is forthcoming, the data will be made
> available as if an affirmative response was received.
> Should the registration data be found to be grossly inaccurate (bogus
> registration details, identity theft etc) then all domains linked to
> those grossly inaccurate registration details will immediately be
> suspended. This requirement will be mandatory and span all registrars
> and registries.
> Should a proxy have been used that accept registrations for domains
> where no registration data is required of the registrant, only the
> funds for the domain, that proxy provider will be held liable for any
> harm done by that domain (we have been seeing a lot of these providers
> of late)
> The proxy provider itself may not be registered via another proxy
> provider. A proxy provider must have a physical address at the stated
> location.
>>     5. The data subject should be given notice of the access, including
>> the identity of the accessor and the content of the accusation.  The
>> data subject would have the right to make that accusation and the
>> identity of the accessor public.
> Not sure how that would work for law enforcement and like legitimate
> bodies.
>>     6. On a periodic basis the log of access should be processed so that
>> the name of each accessor, and the number of accesses made, is published
>> to the public.  This will help identify access trolls.
> Naturally the accessor has the same rights as the registrant. As such
> he is also allowed to use proxy providers. Based on the work some
> inquirers do ,they might have more reason to use such mechanism as
> mere personal privacy, rather personal safety.

More information about the At-Large mailing list