DNSO Mailing lists archives



[comments-whois] whois tf report comments

Whois TF,

I guess there are honest registrants and dishonest registrants.
Honest registrants do not wish to enter accurate information due to privacy
If any person on the planet could look at the 
license plate on my car and find out that: 
it is my car,
where I live, 
my phone number, 
my email address, 
my mechanic's phone, email address, and home address,
which dealership I purchased it through,
that I just purchased the car yesterday and probably need gas today, 
and when my car lease expires,
then I'd be motivated to provide crappy data, 
just to keep the marketers and used car salesmen at bay, 
not to mention your random stalkers.
If these TF measures are passed, I believe we will just end up with 
a better educated class of fraudsters.
A thief steals a car and puts someone else's license plate on it.
It will be difficult and costly to implement some of the functionality 
required but easy to defeat those measures if implemented.
The cost of implementation is on registrars which will then be spread across
all registrants, 
not placed on only dishonest registrants or the people who want the enhanced
search and accuracy.

1) The lowest hanging fruit is to require easily parsable whois data (such
as XML data) to 
be exchanged privately between registrars
to facilitate accurate whois data transfer when a name transfers.  
I don't know if the survey asked about this 
(who can remember what happened years ago anyway?), but I would bet that
inaccuracies are inserted inadvertently in the data by registrars 
incorrectly parsing other registrars' whois output during a transfer.
This change has a very good cost/benefit ratio.

2) Requiring whois data to be verified at time of renewal will require
development and extra costs.
Registrants can change their data at any time currently and are already
required to keep it updated.  
I don't see how this will improve it much,
but a periodic reminder to update the whois is probably a good idea.

3) Whois searching.
There is no provision currently that mandates that registrar's whois data is
allowed to be searchable by any data elements besides domain name, therefore
there is nothing to "enforce".
Searching by other elements and returning multiple names and whois records
for each search
will place additional load on servers and cost money for each registrar to
It will also lead to more spamming, email and phone, because large numbers of
records can be gathered easily.
This will then lead to greater demand to insert false email addresses and 
phone numbers by honest registrants so that they will not be spammed.  
Demand by honest registrants for proxy whois will also increase to avoid
being spammed.
Searching by name server name or Ip address could be accomplished using the
zone file data.
If anyone wants to do that, get the zone file and build the search system
Why should registrars each be burdened with having to build it if anyone who
wants to can do it?

4) All these costs will be either absorbed by registrars or passed to honest

5) Sanctions: what is the definition of "correct whois data"?
For example, phone numbers.
Is a correct phone number: 
1) a phone number that exists
2) one that, when called, the person confirms that they are the registrant
of example.com
Even this can easily be defeated by fraudsters by, for example, entering the
phone number of a public phone or even a cell phone.

As for email addresses,
we've had an email address, for example, in our whois of 
"no.valid.email@example.com" which is actually valid.
Is a "correct" email address one that:
1) has an MX record
2) the user exists on the mail server
3) the address belongs to the registrant proved by sending a code number and
having the registrant reply.
Most honest registrants will not wish to enter a valid email address to avoid
being spammed, since the whois information is publicly available.  Dishonest
registrants could enter a temporarily valid email or an anonymous email
address to easily defeat the screening.  
Email and telephone "pings" are easily defeated by dishonest registrants.
Honest registrants will get the email address that was "pinged" by the 
registrar, "pinged" a bunch more by marketers.

Due to competition, registrars will be unable to pass the fines on to the
registrants with invalid whois,
so the fines will be borne by the vast majority of honest registrants with
valid data.

6) Do all the data elements for all the contacts need to be "correct" 
(whatever that is defined as) for the whois data to be "correct"?

7) I would guess that all public registrars probably have at least one
"incorrect" data element
in more than 3% of their whois.  This creates a liability, in, for example, the
Verisign registrar case
of more than 10 times their company value 
(9 million x .3 = 1 million x $1000 = 1 billion liability,
assuming that part of the company is valued at 100 million).
Would that potential liability be disclosed to shareholders?
Why wouldn't a registrar pick the status quo since the result is the same
(loss of accreditation),
but the penalties are less along the way there?

8) Bulk access.  The $10K cap should be eliminated for anyone who is not
somehow by ICANN to get the bulk data. Instead of drafting registrars,
the volunteer set of entities granted the ability to pay a 
lowish price (<$10K?) for the data should be small. ICANN can then police
(and spank them if their output is used for "bad things") and they can
compete to do creative services.
No opt-out of being in the "authorized" bulk whois allowed. 

With this in place, the public port 43 and web interfaces should be
curtailed to not show
as much information.  This will increase the accuracy of the not shown info
by honest registrants.
Law enforcement and IP attys could then go to the bulk purchasers for
searching, etc.
Or they (Law enforcement and IP attys) can actually get authorized by 
ICANN and get the information themselves.

It is a privilege to be ICANN accredited.  
I know that, but I think this TF proposal puts
too much burden on registrars by people who do not have to pay.  
We need a system whereby the people who need particular whois information
for example, searching and super accurate data, pay for the searchability 
and the accuracy checking,  instead of mandating that others who don't 
need that functionality pay the costs of providing it. 
I think the "public drinking fountain" analogy that people talk about
Sure take a sip, but pulling up a truck is a no-no.
If you want tasty bottled water or a frappuccino, you should pay the person
who makes it.

I wish I had more time to refine this and write more.
The whois issue is a tough problem and I commend your efforts.
I'm happy to work with the TF or anyone to improve the TF recommendations.

eNom, Inc.
