[At-Large] R: Same discussion over again? The recurring WhoIs issue

Roberto Gaetano roberto_gaetano at hotmail.com
Thu Jan 24 13:54:11 UTC 2013 

Evan,

My answers below, after your questions.


> -----Messaggio originale-----
> Da: at-large-bounces at atlarge-lists.icann.org [mailto:at-large-
> bounces at atlarge-lists.icann.org] Per conto di Evan Leibovitch
> Inviato: giovedì 24 gennaio 2013 13:22
> A: At-Large Worldwide
> Oggetto: Re: [At-Large] Same discussion over again? The recurring WhoIs
> issue
> 
> Thanks for this, Roberto.
> 
> I am perfectly happy with this scheme, with a few comments.
> 
> 
>    - What protections and mechanisms would exist to ensure that WHOIS data
>    remain accurate over time?

The best way would be to do the check when WhoIs data are changed.
However, in most cases authorized individuals (for instance, the registrant
itself) are allowed to modify data via a web form.
While it is possible, although costly, to request checking at the moment of
the domain name registration (after all it is a transaction where generally
money changes hands), changes in the data are always (in my experience)
free. To require a costly operation by the registrar when the registrants
does something for free will be unacceptable.
So we have to live with the fact that WhoIs become inaccurate over time.
The other way to look at it is that WhoIs data might become inaccurate over
time not because of a change, but because of lack thereof. Typical case,
change of address not reported in the WhoIs.
I understand that there is a mechanism already in place that allows
reporting of inaccurate WhoIs data by users. I think that we have no other
choice than to rely on this.
The point is to involve the registrar in the correction. The correction can
be done by the registrar itself or might (and this will probably be the way
the majority goes) end up in the registrar sending an (automatic) email to
the registrant. The contract between registrar and registrant must have
enforcement clauses, like suspension of the name in case of unwillingness to
cooperate by the registrant.

> 
>    - If you say "this does not mean that a Registrar will be sanctioned if
>    an entry is incorrect", then what is the mechanism for enforcing
accuracy?
>    What happens if a domain (or a large number of domains under a
registrar)
>    is or becomes wildly inaccurate? If there is no explicit responsibility
>    there appears to be no incentive for bad actors to improve.

Thanks for pointing out my lack of clarity. I really wanted to write "... a
Registrar will be *automatically* sanctioned if an entry is incorrect".
What I mean is that, if an error or incorrect entry is detected, the
registrar will be notified and the correction mechanism that I described
above will be initiated.
The registrar will be sanctioned if it fails to take action. In simple
words, the registrar will not be guilty of hosting wrong data, but will only
be guilty of refusing/failing to correct them.


> 
>    - Instead of "vigilanties", I would suggest "private investigators", a
>    concept that is already established in some jurisdictions.

Whatever is chosen, is OK for me, the important thing would be to have a
unique term that identifies this category of organizations, including those
who acta s contractors from private parties and those who act for the public
benefit.

I hope this clarifies my thoughts,
R.



> 
> 
> 
> On 24 January 2013 04:35, Roberto Gaetano
> <roberto_gaetano at hotmail.com>wrote:
> 
> > I think that over the years I have heard the same discussions, with
> > the same argumentation, many times.
> >
> > I had therefore planned not to reply.
> >
> > However, since I have already broken this plan with my previous
> > message, I might as well provide my full version (which is not much
> > different from the conclusions of the WG).
> >
> > First of all, I do not enter in the gun registry issue, because this
> > is a local issue, and must be fully on the authority of the local laws.
> > Different
> > countries (maybe even different States in the US) have different
> > legislation, and there is no need for a globally uniform approach. But
> > for the Internet, as global resource, things are different, and
> > therefore more complicated.
> >
> > My approach can be summarized in the following points:
> >
> > .         WhoIs data *must* be complete and accurate. There's no point
in
> > even having a WhoIs if we cannot rely on its content
> >
> > .         The entity that accepts the registration (generally it will be
> > the
> > Registrar or the resellers that act anyway under the authority of the
> > Registrar) are responsible for completeness and accuracy of data. Of
> > course, this is an additional burden on Registrars, but if it is
> > enforced in the whole system it will not cause competitive advantage
> > by some.
> >
> > .         ICANN must have the authority (and the means) of enforcing the
> > completeness and correctness of the data. This does not mean that a
> > Registrar will be sanctioned if an entry is incorrect, it means that
> > procedures have to be defined to deal with these cases. We have to
> > understand that data can be complete and accurate at the creation, but
> > might become inaccurate in time.
> >
> > .         WhoIs information will be of two types: public and restricted.
We
> > can even think of using the experience of social networks to define
> > what is public and what not, for instance we can allow a nickname to
> > be public and the real name being hidden, if the result of the PDP is
> > going in this direction.
> >
> > .         Information on organization and individuals are not
necessarily
> > the same. In particular, the public and private part might differ. Of
> > course, in some jurisdiction it is OK to have a completely fake
> > organization, but this is a problem that we cannot solve as it impacts
> > local legislation. I assume that those "fake" organizations will be
> > clustered among a small subset of Registrars, and since the Registrar
> > is known...
> >
> > .         LEAs have full access to Registrant's data. ICANN maintains a
> > list
> > of the organizations that have full access (it can be slightly wider
> > than LEAs themselves, it will include probably ICANN itself, the
> > Registries, the RIR, and others. GAC will have access to the list and
> > has the authority to determine whether an organization operating in
> > the country they represent is authorized or not. International LEAs,
> > like Europol and Interpol, are a limited number anyway.
> >
> > .         Local organizations like vigilantes can get the right to
access
> > data if they are recognized and authorized by a LEA. The LEA is fully
> > responsible for the actions of the entities to whom they have
> > delegated authority, as well of keeping complete and accurate data of
> > them. ICANN, in particular the compliance department, has full access
> > to the complete data of these organizations that act under LEAs'
> > authority. These data are otherwise restricted (unless the
> > organization itself wants to make them, or part thereof, public).
> >
> > .         A private citizen will have access only to the public part of
the
> > WhoIs data. To access the restricted part, he/she must do so via a LEA
> > or authorized vigilante (I am using this term for lack of a better
> > term). I am working under the assumption that there will be
> > organizazions, like SpamHaus, who will be accessible by private
> > citizen to perform requests in their behalf and that will be more
responsive
> than the official LEAs.
> >
> > Of course, there are problems. For instance, privacy is not fully
> > guaranteed. We have the potential case of refugees from a regime whose
> > data can be detected by a LEA operating under that very regime.
> > However, I believe that we cannot solve this problem because it would
> > never be acceptable that a LEA, by its very nature, cannot access the
> > WhoIs data. We have to think about other means to exert the right of
> > free speech in a way that does not necessarily implies the
> > registration of a domain name. I am sure that in the world there exist
> > already so many cases of fighters for freedom who have obtained
> > substantial results without registering domain names.
> >
> > I know I am not making friends here, but I have the right to free
> > speech as well. The consequence is that I have to be ready to accept
> flames.
> >
> > Cheers,
> >
> > Roberto
> >
> >
> >
> > _______________________________________________
> > At-Large mailing list
> > At-Large at atlarge-lists.icann.org
> > https://atlarge-lists.icann.org/mailman/listinfo/at-large
> >
> > At-Large Official Site: http://atlarge.icann.org
> >
> 
> 
> 
> --
> Evan Leibovitch
> Toronto Canada
> 
> Em: evan at telly dot org
> Sk: evanleibovitch
> Tw: el56
> _______________________________________________
> At-Large mailing list
> At-Large at atlarge-lists.icann.org
> https://atlarge-lists.icann.org/mailman/listinfo/at-large
> 
> At-Large Official Site: http://atlarge.icann.org

More information about the At-Large mailing list