[nc-impwhois] Melbourne IT WHOIS implementation comments

["Bruce Tonkin" <Bruce.Tonkin@melbourneit.com.au>]

Hello All,

Here are some Melbourne IT comments on implementation of the WHOIS recommendations.

ACCURACY

(1) Transfers Task Force Recommendation (WHOIS update at renewal)
"Registrars must require Registrants to review and validate all WHOIS data upon renewal of a registration. (effectively an extension of RAA clause 3.7.7.1 above) The specifics of required validation remain to be determined by this Task Force or another appropriate body."

This is implementable IF:
- the registrar presents the WHOIS data to the registrant at time of renewal (via website, fax, or postal message) = REVIEW
- the registrant is required to confirm that the data is still current, or update the information, and warrant that the information is still correct = VALIDATE

It is not feasible for the Registrar to validate the data (e.g make phone calls to registrant, ring post office to confirm address exists etc).  A registrar may optionally use various heuristic techniques to do some data validation (e.g check that a USA city existing within a particular USA state) - but such techniques are not applicable uniformly across the globe.  In general it is in the registrars best interests to get accurate data as it increases the chance of a successful renewal - so there are commercial incentives here for clever registrars.

I suggest rewording to:
"Upon renewal of a domain name, a registrar must present to the Registrant the current WHOIS information, and remind the registrant that provision of false WHOIS information can be grounds for cancellation of their domain name registration.  Registrants must review their WHOIS data, make any corrections, and warrant that the data is correct to the Registrar."


(2) Transfers Task Force recommendation (Redemption Grace Period issue)
"When registrations are deleted on the basis of submission of false contact data or non-response to registrar inquiries, the redemption grace period -- once implemented -- should be applied. However, the redeemed domain name should not be included in the zone file until accurate and verified contact information is available. The details of this procedure are under investigation in the Names Council's deletes task force."

The principle is OK.
The wording of "accurate and verified" needs to be updated in the context of the recommendation that relates to correction of data following a complaint.  See below:


(3) Transfers Task Force recommendation (Data correction following a complaint)
"When registrars send inquiries to registrants regarding the accuracy of data under clause 3.7.8 of the RRA, they should require not only that registrants respond to inquiries within 15 days but that the response be accompanied by documentary proof of the accuracy of the "corrected" data submitted, and that a response lacking such documentation may be treated as a failure to respond."

This recommendation is not implementable in its current form.

Implementation of this will depend on the business model of the individual registrar and the level of service/price paid for the domain name.  For example a registrar that charges $6 for a domain name, would likely only send an email message to the registrant to update the information.  A registrar that charges $1000 for a domain name to a large corporate client would likely use every means possible to contact the registrant (phone call, send letter, send a staff member to visit in person etc).

The 15 day period also relates to the implementation.  It should be extended to 30 days if the registrar chooses to use postal mail to communicate with the registrant.

In terms of requiring documentary proof - other than just storing the documentary proof - registrars are not authentication agencies (they collect information and store it in a registry) - they do not have skilled staff capable of detecting whether a document is real or a forgery, nor could they be expected to have staff with knowledge of all types of documents across all countries.

The recommendation needs to identify a cost effective minimum implementation.

There are two components:
- contact of the registrant
- correction of information

Contacting the registrant is a common problem for registrars at the time of renewal, and various methods are used.  Most registrars use a final step of placing the name in REGISTRAR HOLD status (the name is locked and removed from the zonefile).

I will suggest the minimum implementation:

IN RESPONSE TO A COMPLAINT ABOUT WHOIS DATA

First phase:
CONTACT phase
- registrar sends an email to all contact points available in the WHOIS (e.g registrant, admin, technical and billing) to request the information be corrected
- if no response is received after 15 days the name should be placed in REGISTRAR-HOLD status (or equivalent)
- the registrar can continue to try to contact the registrant using various other means, but normally the registrant of an active name will contact the registrar themselves
- the name would remain in REGISTRAR-HOLD status until the contact information is updated, or the name is deleted from the registry for lack of renewal
- this protects the registrant from any attempts at domain name hijacking, and also protects the community from any unsatisfactory practices resulting from the use of the domainname for a website or email

CORRECTION phase 
- registrar must present to the Registrant the current WHOIS information, and remind the registrant that provision of false WHOIS information can be grounds for cancellation of their domain name registration.  Registrants must review their WHOIS data, make any corrections, and warrant that the data is correct to the Registrar.
- if within 60 days of updating the information, an independent authenticating party provides confirmation (a list of accredited authenticating parties to be defined, and a mechanism for them to securely communicate with registrars electronically) that the contact information is still incorrect - then the name will be placed on REGISTRAR-HOLD (or equivalent) until that authenticating party certifies that the information is correct.  The cost of the authenticating party would be borne by the complainant.  This clearly separates the registrar role of data collection and not authentication.
- ICANN will need to accredit authentication parties in the same way that UDRP providers are accredited.  
- The data accuracy complainant will need to pay the costs of the authenticating party verifying that the contact information is incorrect.  
- The Registrant will need to pay the costs of an authenticating party to verify the corrected information.  Could be a different authenticating party to the one used by the data accuracy complainant.
- a Registrar will be entitled to charge for the costs of updating WHOIS information via an accredited authentication agency (as their is likely to be manual processes involved).


Thus I suggest the following rewording of this recommendation:

"(a) Upon receiving a complaint about WHOIS accuracy, a registrar must at a minimum send an email to all contact points available in the WHOIS (including registrant, admin, technical and billing) requesting the WHOIS contact information be updated.  If no response is received after 15 days a Registrar must place a name in REGISTRAR-HOLD (or equivalent) status, until the registrant has updated the WHOIS information.   If a registrar uses postal means to communicate with the registrant, then the 15 days is extended to 30 days before the name is placed in REGISTRAR-HOLD status.

(b) Once contact is established, the registrar must present to the Registrant the current WHOIS information, and remind the registrant that provision of false WHOIS information can be grounds for cancellation of their domain name registration.  Registrants must review their WHOIS data, make any corrections, and warrant that the data is correct to the Registrar.

(c) If within 60 days of the contact information being updated, an accredited authentication agency informs the Registrar that the data is incorrect, then the name will be placed in REGISTRAR-HOLD status until the registrant provides contact information that has been verified by an accredited authentication agency.


BULK ACCESS
Melbourne IT supports the recommendation.  Some further clarification of the definition of
"marketing activities" would be useful.

Regards,
Bruce Tonkin