DNSO Archives: [registrars]

I’ll put something together. A tiered access approach is a good idea, as long as the ultimate policy that provides for it includes the ability to recoup the ongoing costs of enabling it.

Tim

-----Original Message-----
From: owner-registrars@dnso.org [mailto:owner-registrars@dnso.org] On Behalf Of Elana Broitman
Sent: Wednesday, June 11, 2003 7:01 AM
To: Donny Simonton; Tim Ruiz; Registrars@dnso.org
Subject: RE: [registrars] Some observations

Donny and Tim - for purposes of the Montreal workshop (and possibly later for the GNSO Council task force), your research would be really instructive. So, I'm wondering if you can send anything written about the test domain that Intercosmos did, and the legal articles that Tim came across.

Also, Tim, do you have suggestions for short-mid term solutions for port43 limiting? Proxy domains are only a short term solution or provide a good service for a section of the market. I've outlined a tiered access approach. Anything else would be helpful.

No matter who presents in Montreal, if we all gather our data, it will provide a more comprehensive picture of what registrars face.

Thanks, Elana

-----Original Message-----
From: Donny Simonton [mailto:donny@intercosmos.com]
Sent: Wednesday, June 11, 2003 8:43 AM
To: 'Tim Ruiz'; Registrars@dnso.org
Subject: RE: [registrars] Some observations

Tim,

I completely agree with you that port 43 whois access is one of the main reasons the spam problem is as bad as it is today. For example about 6 months ago, I setup a test domain with a specific email address that was never used anywhere else. I have tracked every email that I have received and I have received 239 emails in those 6 months. I have received emails from all types of services including one domain name registrar. So in my opinion public access to port 43 should go away! It’s become one of the largest public sources of spam without us even realizing it.

The bulk whois access was always a waste IMHO. $10,000 for a few hundred thousand contacts. Could you imagine Microsoft selling a list of all of their customers for $10,000. There would be a senate hearing about it or something similar.

Donny

From: owner-registrars@dnso.org [mailto:owner-registrars@dnso.org] On Behalf Of Tim Ruiz
Sent: Wednesday, June 11, 2003 7:19 AM
To: Registrars@dnso.org

Web Based Whois Services - Public Access
We provide a web based whois, as required by our RAA. We have decided to make it near live, although that is not required. The reason is that our customers have indicated a need for it. For example, if they are applying for a digital certificate and need to make changes that are immediately visible to the certificate authority, they can make those changes and refer the authority to our web whois, where those changes are visible almost immediately.

If a registrar should choose to make their web whois more flexible, search by last name, geographic location, etc. they could certainly do so, and even charge for that (like WhoBIZ for example) if they like. There is nothing preventing that. It would be simpler to do with a web interface than it would be with port 43.

Web based Whois services can also be made relatively secure from scripting/data mining.

This is all the general public really needs to meet Mike's concern about verifying the actual registrant, admin, etc. of a domain name. There is also the potential to make it as flexible as desired without any new technology, and could provide an opportunity for registrars to recover some of the cost of providing this access.

Bulk Whois - Appearances Only
I don't agree with Mike that this is simply a matter of enforcement right now. I do agree with Ross' response on that topic. Also, it has already been made clear that the major registrars have a huge number of opt-outs and any bulk Whois they would provide might be half the data at best.

In addition, proxy services are going to continue to grow. Domains By Proxy is offered by Go Daddy and Wild West Domains, ProtectFly is offered by Registerfly (a large eNom reseller), and I don't think that will be the end of it. So the half of the data that a bulk whois licensee does receive is likely to have a significant number of proxied domains.

Bottom line, bulk whois is not going to get anyone what they really think they need from it.

IF the bulk whois requirement continues to exist then:

1) It should be available only to appropriate parties (Law Enforcement, Registrars, verifiable IP interests, certificate authorities, etc.) with appropriate non-disclosure requirements based on their intended use of the data.

2) It should not be used for marketing purposes of ANY kind.

3) It should not be allowed to be incorporated into any value added products or services that are directly accessible to anyone other than the licensee.

4) Registrars should be allowed to charge an appropriate fee based on number of records provided and perhaps even on intended use. If someone is going to make money, even indirectly, on customers we spent huge dollars to acquire, we should get something out of it. What's your current CPA? And to expect a registrar with millions of records to provide that data on a weekly basis for the same annual fee that a registrar with a few thousand is ridiculous. The $10,000 annual fee ($192.31 a week) should be just the baseline, and go up from there.

5) Registrars should be allowed latitude in the models they develop to provide bulk access.

6) Registrars should not be required to provide any whois data, directly or indirectly, that they are not considered authoritative for.

Port 43 - A Data Miner's Dream
Anyone who would argue that port 43 is not a significant source for data mining must have a hidden agenda. Any registrar who monitors their port 43 knows better. We can identify most of the registrars who access our port 43. We know the level of transfers that go to these registrars. After filtering out those queries, how do we account for the other 80,000,000 or more queries we get?

1. Improper data mining. I don't think I have heard any registrar claim that data mining port 43 is THEE primary source of Spam. What we do know is that it IS a significant source. And in the context of what we are dealing with here, that problem should not be ignored. Why would we ignore it simply because it is not the primary source of Spam. We have an opportunity to make a dent in reducing Spam. Why wouldn't we want to do something about it?

And spam isn't the only mis-use of this data. It is also used to acquire bulk access without paying the fee. At least two major law suits over the last few years have been about just that. Sending unsolicited postal mail from improperly acquired bulk data may not be considered Spam, but our customers didn't view it as anything less when it happened to them.

2. Cross registrar public Whois services. We don't mind allowing access for other Registrars who provide a public service of this type. It provides a valuable service to our industry and helps to facilitate portability. If a registrant can view their current whois data before a transfer request it can help to alleviate problems later when things don't match up. Most registrars who provide this type of service also protect their service from potential scripting and data mining.

What we don't like is providing access to anyone who decides to throw up a cross registrar whois service and then sells advertising there, charges for the privilege, etc. When a third party makes a profit out of accessing this data through an infrastructure we have to provide and support, we would at least like our cut. Registrars should not be expected to continue to provide all of these services on their own nickel.

Port 43 needs to change. I don't care what port it becomes, or if we manage this one differently. I like the capabilities that CRISP has to offer, and a lot of other suggestions I have heard from this group on this subject. But I'm not as concerned with the technical how-to as I am with the policy. It's the policy that HAS to change. High speed automated access to this data needs to be restricted.

Question: There is no SLA portion to the port 43 requirement in our RAA. Has anyone given any thought to providing a minimum level of service to meet the RAA requirement, and another one that is fee based? I don't see anything preventing that.

Assumptions
Registrars are going to be required to continue providing some form of public ally accessible whois service.

There are parties who have a legitimate need to access this data in more than a one-off fashion.

Some of the suggestions above will help to minimize improper access to this data. It does not really address the issue of privacy. Should this data be public ally accessible at all? That is another debate.

Tim