RE: [nc-impwhois] Melbourne IT WHOIS implementation comments

[Steve Metalitz <metalitz@iipa.com>]

Bruce,

Following up on our discussion on today's call, I think the proposal you
have made on the contact/correction process is a very positive contribution.
I would suggest the following changes.

(1)  Steps (a) and (b) could be combined -- the e-mail sent to the
registrant's contact points could include the challenged Whois entries which
the registrant is asked to review and change/correct/confirm.  

(2)  I am not clear about the circumstances in which a registrar would not
use e-mail as the first means of contact. In any event, the contractual
period is currently 15 days so perhaps the implementation proposals should
be restricted to that, without prejudice to a possible future change in the
time period if the data and experience justify it.  

(3)  The use of a commercially reasonable verification/validation utility
(whether in-house to the registrar or suplied by a third party) that meets
specified (to be developed) criteria sounds right to me. My only
recommendations are that (1) the utility  should be employed beginning with
the response given by the registrant to the complaint, rather than waiting
another cycle until the complainant challengers the revised/"corrected" data
(cf. the OECD "Nic-God" experience), and (2) the cost of using the facility
should not be imposed on the complaining party.  I welcome the input of
others about quanitifying what the cost for a commercially reasonable (i.e.,
not 100% comprehensive) facility might be.

(4)  Certainly there would be problems if there are a lot of frivolous or
malicious complaints.  I don't think that has proven to be a problem so far
(based on Dan Halloran's presentation after he had reviewed every complaint
that had been submitted to the Internic site up to the time of the Shanghai
meeting).  However, to at least forestall this possibility, a registrar
should have the flexibility to reject a complaint that does not set forth
any basis for believing that the Whois data is false.  (In a similar vein,
of course, the registrar also needs the flexibility to act more decisively
in a case in which the Whois data is obviously false.)  

I hope this serves to clarify my comments at the endof our conference call
and provides some useful input to the report that I understand you are
drafting.  

Thanks for your efforts on this important topic.

Steve Metalitz       


-----Original Message-----
From: Bruce Tonkin [mailto:Bruce.Tonkin@melbourneit.com.au]
Sent: Thursday, January 16, 2003 3:16 AM
To: nc-impwhois@dnso.org
Subject: [nc-impwhois] Melbourne IT WHOIS implementation comments


Hello All,

Here are some Melbourne IT comments on implementation of the WHOIS
recommendations.

ACCURACY

(1) Transfers Task Force Recommendation (WHOIS update at renewal)
"Registrars must require Registrants to review and validate all WHOIS data
upon renewal of a registration. (effectively an extension of RAA clause
3.7.7.1 above) The specifics of required validation remain to be determined
by this Task Force or another appropriate body."

This is implementable IF:
- the registrar presents the WHOIS data to the registrant at time of renewal
(via website, fax, or postal message) = REVIEW
- the registrant is required to confirm that the data is still current, or
update the information, and warrant that the information is still correct =
VALIDATE

It is not feasible for the Registrar to validate the data (e.g make phone
calls to registrant, ring post office to confirm address exists etc).  A
registrar may optionally use various heuristic techniques to do some data
validation (e.g check that a USA city existing within a particular USA
state) - but such techniques are not applicable uniformly across the globe.
In general it is in the registrars best interests to get accurate data as it
increases the chance of a successful renewal - so there are commercial
incentives here for clever registrars.

I suggest rewording to:
"Upon renewal of a domain name, a registrar must present to the Registrant
the current WHOIS information, and remind the registrant that provision of
false WHOIS information can be grounds for cancellation of their domain name
registration.  Registrants must review their WHOIS data, make any
corrections, and warrant that the data is correct to the Registrar."


(2) Transfers Task Force recommendation (Redemption Grace Period issue)
"When registrations are deleted on the basis of submission of false contact
data or non-response to registrar inquiries, the redemption grace period --
once implemented -- should be applied. However, the redeemed domain name
should not be included in the zone file until accurate and verified contact
information is available. The details of this procedure are under
investigation in the Names Council's deletes task force."

The principle is OK.
The wording of "accurate and verified" needs to be updated in the context of
the recommendation that relates to correction of data following a complaint.
See below:


(3) Transfers Task Force recommendation (Data correction following a
complaint)
"When registrars send inquiries to registrants regarding the accuracy of
data under clause 3.7.8 of the RRA, they should require not only that
registrants respond to inquiries within 15 days but that the response be
accompanied by documentary proof of the accuracy of the "corrected" data
submitted, and that a response lacking such documentation may be treated as
a failure to respond."

This recommendation is not implementable in its current form.

Implementation of this will depend on the business model of the individual
registrar and the level of service/price paid for the domain name.  For
example a registrar that charges $6 for a domain name, would likely only
send an email message to the registrant to update the information.  A
registrar that charges $1000 for a domain name to a large corporate client
would likely use every means possible to contact the registrant (phone call,
send letter, send a staff member to visit in person etc).

The 15 day period also relates to the implementation.  It should be extended
to 30 days if the registrar chooses to use postal mail to communicate with
the registrant.

In terms of requiring documentary proof - other than just storing the
documentary proof - registrars are not authentication agencies (they collect
information and store it in a registry) - they do not have skilled staff
capable of detecting whether a document is real or a forgery, nor could they
be expected to have staff with knowledge of all types of documents across
all countries.

The recommendation needs to identify a cost effective minimum
implementation.

There are two components:
- contact of the registrant
- correction of information

Contacting the registrant is a common problem for registrars at the time of
renewal, and various methods are used.  Most registrars use a final step of
placing the name in REGISTRAR HOLD status (the name is locked and removed
from the zonefile).

I will suggest the minimum implementation:

IN RESPONSE TO A COMPLAINT ABOUT WHOIS DATA

First phase:
CONTACT phase
- registrar sends an email to all contact points available in the WHOIS (e.g
registrant, admin, technical and billing) to request the information be
corrected
- if no response is received after 15 days the name should be placed in
REGISTRAR-HOLD status (or equivalent)
- the registrar can continue to try to contact the registrant using various
other means, but normally the registrant of an active name will contact the
registrar themselves
- the name would remain in REGISTRAR-HOLD status until the contact
information is updated, or the name is deleted from the registry for lack of
renewal
- this protects the registrant from any attempts at domain name hijacking,
and also protects the community from any unsatisfactory practices resulting
from the use of the domainname for a website or email

CORRECTION phase 
- registrar must present to the Registrant the current WHOIS information,
and remind the registrant that provision of false WHOIS information can be
grounds for cancellation of their domain name registration.  Registrants
must review their WHOIS data, make any corrections, and warrant that the
data is correct to the Registrar.
- if within 60 days of updating the information, an independent
authenticating party provides confirmation (a list of accredited
authenticating parties to be defined, and a mechanism for them to securely
communicate with registrars electronically) that the contact information is
still incorrect - then the name will be placed on REGISTRAR-HOLD (or
equivalent) until that authenticating party certifies that the information
is correct.  The cost of the authenticating party would be borne by the
complainant.  This clearly separates the registrar role of data collection
and not authentication.
- ICANN will need to accredit authentication parties in the same way that
UDRP providers are accredited.  
- The data accuracy complainant will need to pay the costs of the
authenticating party verifying that the contact information is incorrect.  
- The Registrant will need to pay the costs of an authenticating party to
verify the corrected information.  Could be a different authenticating party
to the one used by the data accuracy complainant.
- a Registrar will be entitled to charge for the costs of updating WHOIS
information via an accredited authentication agency (as their is likely to
be manual processes involved).


Thus I suggest the following rewording of this recommendation:

"(a) Upon receiving a complaint about WHOIS accuracy, a registrar must at a
minimum send an email to all contact points available in the WHOIS
(including registrant, admin, technical and billing) requesting the WHOIS
contact information be updated.  If no response is received after 15 days a
Registrar must place a name in REGISTRAR-HOLD (or equivalent) status, until
the registrant has updated the WHOIS information.   If a registrar uses
postal means to communicate with the registrant, then the 15 days is
extended to 30 days before the name is placed in REGISTRAR-HOLD status.

(b) Once contact is established, the registrar must present to the
Registrant the current WHOIS information, and remind the registrant that
provision of false WHOIS information can be grounds for cancellation of
their domain name registration.  Registrants must review their WHOIS data,
make any corrections, and warrant that the data is correct to the Registrar.

(c) If within 60 days of the contact information being updated, an
accredited authentication agency informs the Registrar that the data is
incorrect, then the name will be placed in REGISTRAR-HOLD status until the
registrant provides contact information that has been verified by an
accredited authentication agency.


BULK ACCESS
Melbourne IT supports the recommendation.  Some further clarification of the
definition of
"marketing activities" would be useful.

Regards,
Bruce Tonkin