Note: The following is the output of the real-time captioning taken during the ICANN Whois Workshop held 24 June 2003 in Montreal, Canada. Although the captioning output is largely accurate, in some cases it is incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
Vinton Cerf: Good morning. I'm Vint Cerf. I'm now over the hill at 60 and one day and feeling like 16. So I hope the rest of you are similarly energized.
We have a full morning of material on Whois. There are many issues associated with that database. And I look forward to having these explicated for our consideration. And by "our," I mean all of us, not just the board.
Speaking of which, the board is free this morning to sit up on the dais. I will say tomorrow, however, that we have panel sessions scheduled, and we will have to vacate board seats to allow the panel to sit up here. So the board is free to either sit up here or in the audience or change your mind in the course of the presentations.
This morning is going to be managed by the group that put together the Whois presentations. So although I will be sitting over there, I will not run the meeting, but I'm sitting there so I can hear better. I have a little speaker and it helps a great deal.
So with that, I welcome you to the first of the public sessions, of which there will be three in this meeting in Montreal.
And I'd like to introduce our CEO, Paul Twomey, who has opening remarks. And he will introduce the rest of the Whois session.
So, Paul, take it away.
Paul Twomey: Thanks, Vint.
And good morning, everybody. I will just take one minute to say that I very much welcome this Whois workshop. It's something that's been discussed in the ICANN community for some time. And I would basically like to say two things: first of all, how much I appreciate two formal constituencies or formal parts of the ICANN structure, the GNSO and the EITF having somewhat independently pursued this issue coming together and working together to put together for us a comprehensive workshop covering both facts materials and issues from the marketplace and issues and perspectives from public policy. And so I think this morning and tomorrow morning will be a very interesting combination of those two, and I think they will be illuminating for all of us. I think that is also an indicator, I think, of the sorts of cooperation and discussion we need to see in ICANN 2.0.
What's important, I think, as we discuss today and tomorrow and as we think about any process going forward, is the opportunity for sharing of information, sharing of perspectives, discussion from the different parts of ICANN in real time so that the bottom-up process delivers us something closer to consensus rather than having perspectives developed inside the silos of particular constituencies which then end up on the plate of the board to try to be the resolving agent. So I think that's a very important and noteworthy development and a noteworthy, if you like, endorsement of the 2.0 philosophy and structure of ICANN.
Can I just finally say thank you very much to the program committee, and the members of the program committee are up on the board there now, available on the screen. I'd particularly like to thank Mike Roberts, who on very short notice agreed to chair the program committee. They have been very productive. They've had lots of discussions about what sort of program to put together. And I want to thank Mike for the great benefit that I have only just had to look at the e-mail traffic and not had to participate. So that's been very good for me. Mike, would you like to run the show?
Michael Roberts: Thank you, Paul, and on behalf of the program committee and the GAC working group on Whois, I'd like to acknowledge the expert panelists and presenters that have willingly volunteered their time to help the community come to a fuller understanding of the many complex sides of Whois this morning.
We would like to say a few words about the structure of these two sessions, one this morning and another tomorrow morning. There's a good deal of information on the web site, you can link to it from the ICANN home page. And those of you who have machines can examine a good deal of written material that we have already posted there. Let me just say that the general format for these sessions is that this morning is one of a primarily tutorial nature in which we're going to get ten brief presentations on various aspects of Whois from individuals who are expert in the area about which they're going to speak.
At the end of the presentations this morning, we will have a public comment period primarily to help elucidate any issues of a factual nature and related to the presentations. Tomorrow morning, we have two panels which will delve into existing policy areas, views about the satisfactory or unsatisfactory nature of how Whois is functioning today, and also a very preliminary and you might say soft look at the solutions or changes, incremental or otherwise, going forward.
We will have a more lengthy public comment period tomorrow in which people who have views on what ought to be done will be welcome to present those, hopefully succinctly.
The order of presentation this morning I'm going to briefly review for you.
We have a brief break scheduled at 9:30. We have a full schedule. I would encourage the audience to be courteous with regard to taking breaks on their own, since we're not going to have a large break.
We will stop at the midway point after the fifth presentation for about 15 or 20 minutes. Then we'll begin and try to wrap up the formal presentation material as close to 11:15 or so as we can and then have a public period, comment period, until we close at noon.
The order of presentation this morning is, we will lead off with Louis Touton, who will briefly describe the status quo as it looks from the standpoint of established ICANN policy, the registrar accreditation agreement, and issues such as that. We'll then go to a presentation from Andy Newton on the current IETF development project on a protocol which goes by the intriguing name of "CRISP."
Ray Plzak of ARIN will describe some of the non-name uses of Whois. People associate Whois, the public associates Whois very much with domain names. But, in fact, Whois is implemented in a number of areas that are important to the functioning of the Internet. And Ray will speak to us about that.
Bruce Beckwith will likewise describe how Whois relates to management of registries and registrars across all of the TLDs. Bruce Tonkin is going to describe a gTLD perspective on how Whois is used and the management of Whois in that environment.
Diana Alonso Blas from the European Commission is going to give us some insights into privacy and data protection considerations in using Whois.
Bart Boswinkel from .nl is going to give us the perspective from a typical national registry operation and management.
Jane Mutimear, who is chair of the IPC group, is going to speak to us about intellectual property rights aspects of it.
Michael Donohue from OECD in Paris is going to speak to us about consumer protection uses.
And finally, Maneesha Mithal from the United States Federal Trade Commission will talk to us a little bit about law enforcement issues, that's both criminal and non-criminal. Law enforcement is by no means a single-focus issue for Whois in the domain name system.
So that is a very brief overview of the presentations and the order of presentation this morning. And I'd like to turn the podium over at this time to Louis Touton. Thank you.
Louis Touton: Thank you, Mike.
And good morning, everyone.
As Mike mentioned, I am here to give a background on how we got to where we are today with respect to Whois, specifically, to briefly describe the history of Whois and ICANN's Whois policy. Secondly, to provide an overview of the current provisions in the registrar accreditation agreements, and to some degree the registry agreements concerning Whois. And also to discuss ICANN's experiences with a Whois data problem report system that we put in place in the last half of last year.
Whois is a protocol originally implemented on the Internet many, many years ago, at least in the early '80s and perhaps before.
Originally for technical uses, so that operators of the various computers that were hooked up on the Internet could ask for information about each other so they could get in touch if there was some type of technical problem in interoperating with another host on the computer.
Those technical uses have greatly expanded as the number of hosts and the level of mutual trust of technical operators and familiarity of technical operators has diminished.
Whois, however, being freely available to the public, soon acquired many other uses. And I have listed here some of them. Registration service providers, such as registrars, process transfers using Whois because they have to determine the identity of the currently listed registrant to verify that it's a legitimate transfer.
Law enforcement uses it to track down perpetrators of Internet crime.
Consumer protection agencies in a related way use it to identify the jurisdiction of the registrant, to confer with other consumer protection agencies, and to take action against Internet fraud.
Consumers themselves, users of the Internet, use it to verify the identity of web site operators, in a related point and not here, and also as you'll see very prevalent, those seeking to suppress or source spam use Whois extensively.
Registrants check their own registration details, so it's a way for them to have visibility of what information the registrar has about them.
And copyright and trademark holders use it to identify persons infringing their rights in various ways.
The Whois provisions in ICANN's agreements started very early in ICANN's existence. At the Singapore meeting in March of 1999, there was discussion of the policies that ICANN should use in the implementation of the shared or competitive registration system that was going to be put in place later in 1999. And among the provisions approved at the Singapore meeting were a variety of contractual provisions dealing with the provision of Whois data and also protection of privacy of registrants with respect to that Whois data.
In 2001, when new TLD agreements were put in place, that is, new registry agreements put in place with operators at the registry level, there were also a series of agreements that very much tracked the older registrar accreditation requirements for the thick registries that were introduced in 2001, including biz, info, name, org, and now, pro. Org also got that same thickness or is migrating to that thickness now that it has been reallocated.
I am going to focus on the registrar accreditation agreements because I think that's of most burning interest. There is a basic requirement that registrars provide Whois data about the customers that they sponsor in the various registries. So if you go to a registrar and register louis.com, you give various data and they then maintain that data and display it once they secure the name in the registry.
The data, in this so-called query-based access, is to be provided free to the public, and it's to be provided through a web-based interface and a so-called port 43 interface, which is the more traditional Whois device that was around before the worldwide web came.
The elements that are required to be displayed in the current registrar accreditation agreement are the registered name itself, that is, the domain name; the names of the name servers that are being used or that have been delegated the authority to operate and support that particular domain; the identity of the registrar, which is often obvious from where you're going; the creation and expiration dates of the registration; and then elements of data about the registrant, the administrative contact, and the technical contact. With respect to the registrant, it is only their name and postal address. With respect to the administrative and technical contact, it's their name, postal address, telephone number, e-mail, and where available, their fax number.
These basic elements were designed to track the Whois system that was being used at Network Solutions at the onset of competition in June of 1999.
And that's, indeed, where they came from.
The registrar accreditation agreement requires that domain name holders, here referred to as registered name holders, shall provide accurate and updated information to their registrar and update them during the term as needed.
It also provides that the willful provision of inaccurate or unreliable information is grounds for the registrar to terminate the registration agreement. Also things that can lead to a termination are failure to update the information and failure to respond to a notice from the registrar asking you about your data within 15 days.
Now, the last slide I indicated was the rights that a registrar must reserve for itself to deal with inaccurate data with respect to a registrant.
3.7.8 speaks about what the registrar's obligations are to use those rights and other abilities it has in order to ensure that the data is accurate.
First, it's required to abide by any specifications or policies regarding verification and re-verification systems.
About a week ago, ICANN finally implemented its first type of verification system, which is called the Whois data reminder policy, which basically simply says that once a year, registrars should remind Whois registrants of what their data is on record and ask them to update it.
And then once they receive the updates, to make them.
In addition, registrars have an obligation, if they learn from any source that the data is inaccurate, to take reasonable steps to correct that data.
The registrar accreditation agreement also has a series of privacy-related provisions, which it has had since it was initially instituted in mid-'99.
These track the requirements of data protection laws around the world.
First, there's a notice requirement. Registrars must tell their customers the purposes for which the data is going to be used, who's going to receive the data, which portions of the data are required and which are voluntary, and how the customer can access and, as appropriate, correct the data.
Registrars are also required to obtain in their registration agreements consent from the customer to this particular use of the data, and disclosure of the data, and, in addition, to require that the customer, that is, the registrant, represent that it has obtained the permission of any other person whose personal data is being displayed. The reason for this is that if, for example, a registrant registers a name and they put down a technical and administrative contact, they should go out and get the permission of the technical and administrative contact for their entry into the database and display of their data.
The registrar, on its part, agrees that it will observe the notices that it has given to the registrant about how the data will be used. If the registrar has told its customer that it won't sell the data to others, it must not sell the data to others, and so forth.
Because this is being operated in a competitive environment, the registrar is free to basically set many of the terms of how they will use the data with the thought that if particular registrants want to avoid having their data sold, for example, to others for marketing purposes, they have the ability to go to the registrars who offer those terms.
The registrars also agree to take reasonable precautions to avoid misuse or misdisclosure of the data, even in the absence of willful acts by the registrar.
In 1998-99, there was some concern regarding how to protect individuals who wanted their identity protected and still wanted a domain name. And the proxy registration provision of the registrar accreditation agreement was developed, which basically says that instead of going directly to a registrar and standing up as a registrant and having your name recorded and put down in the public record, you can reach an arrangement with somebody else that they will stand in your place, take responsibility and have accountability for what happens to the domain under whatever terms you agree with them.
They put their name down in the Whois data, and they either are responsible for the domain and what happens on it, or if it's compatible with their agreement with you, they will disclose your name.
That provision is used by several services, a growing number of services today.
That's my summary of the registrar accreditation agreement. Let me just spend a little time talking about ICANN's activities and enforcement.
We have spent a fair portion of our time in the registrar compliance function in determining and encouraging compliance with the provisions of our agreements about Whois. And we've issued four advisories, which are still available on our web site under the registrar advisory section.
Notable among these, perhaps, and what I'm going to talk about in a moment, is the second of them, the additional steps to improve Whois data accuracy. In September 2002 and before, there was a growing concern that some registrars were no longer being responsive to complaints about data accuracy. And in looking at the problem, we concluded that a large part of it was, frankly, just confusion and not having a defined mechanism for reporting errors and tracking them.
So to help the registrars and the registrants in a smoother way to deal with inaccuracy reports, we implemented a centralized Whois inaccuracy report form on the Internic web site. It basically allows any member of the public to go and report a mistake or inaccuracy or out of datedness that they find on a registrar's web site. There's then an authentication mechanism so that we obtain the e-mail address of the reporter. That's then sent to the registrar with a ticket number. And the registrar is then responsible for following that up. And once they've resolved the situation, either by correcting the data, by determining the data is accurate or by whatever other outcome, to come back to the web site and to close the ticket.
We also have a tracking mechanism to monitor the number of open tickets and such things that indicate whether registrars have complied. So far we have received about 12,000 reports since September of 2002 about inaccurate data. Most of those reports deal with individuals trying to find the source of spam by looking up the domain and then finding the contact data is inaccurate, and so they've been frustrated in trying to deal with spam that they are receiving or that their customers are receiving.
And that's my presentation for today. Thanks very much.
(Applause.)
Michael Roberts: Thanks very much, Louis. We're now going to hear from Andrew Newton, who is with Verisign and has been leading the protocol development effort in the Whois area.
I'm not going to give formal introductions of our speakers, in the interest of time, and we've provided bios on the web site, and we invite you to review their credentials at your convenience.
Andrew Newton: Okay. My name is Andrew Newton. I'm a research engineer for Verisign naming and directory services but I'm here today to talk to you as a member of IETF working group and the people who are working in that effort. And in fact, my co-conspirator Leslie Daigle and I have written a paper that's in the background materials that goes into details of the perspective we're taking. It's not a technical document, so I'd appreciate it if you have any questions or anything, you'd read that.
So next slide. Thank you.
So the problems we have today with Whois, basically with the policies surrounding Whois, center on the fact that the protocol itself is a very old protocol and doesn't really specify a whole lot.
So we spend a lot of time these days in policy discussions, asking how do we implement this, and how do we get there, instead of asking the real question of what we really want.
So the CRISP working group itself is working on a next-generation protocol to solve a lot of the problems that currently exist with Whois. And in the future, you're not going to have to ask how do we do this. The questions are going to be what do we want.
Next slide.
So in the past, we had this thing called Whois. It was specified with RFC 812 in 1982. That's over 20 years ago.
The title of the RFC is nicknamed Whois and it's registered with the IANA in a for port registration under the name of nicname, not Whois.
To give you an idea of how long ago this was, RFC 812 specifies Whois over NCP, not over IP.
So it talks about a protocol over an Internet that we do not have today.
By comparison, DNS was first described in an RFC that came out a year after RFC 812, and the current RFCs which most people go by, which are 1034 and 1035, didn't come out until 1987.
RFC 954 is the current spec everybody uses, and if you go back and read it, it actually dedicates more space, it's not a big document, to who should be registered to MILNET and ARPANET in the Whois database.
So currently, what do we have? We have this thing called nicname Whois which is used by a lot of communities, not just domain registries and domain registrars. So there's domain registration data in Whois. There is IP address allocation data in Whois. There are people that have router policy specifications in Whois. And there are actually many, many more, many of which we do not know what they are. Some people keep abuse data in Whois. There's no place to go register what kind of data you're putting into a Whois database.
So when you speak of Whois, there are a lot of communities who do not speak of it in the same terms that people who deal with domain names speak it.
So here are our present users. Today we have the following users of Whois when we're talking about Whois in context of domain names.
And I'm not going to go through all the list I have up here. But suffice it to say that the number of users is far greater than the node operators of the ARPANET that the protocol was originally designed for.
If you look at the last one, there are several people who have enumerated the different types of users who use Whois but the last one says abusive users. And we have to keep in mind there are people out there who very ill -- they don't have very good intentions when they're trying to get this information.
So what's the future? Well, the IETF has been working on a set of protocols. The working group is called CRISP. It means the Cross Registry Internet Service Protocol. And essentially, it is a protocol dedicated for registries of Internet resources. And the working group is attempting to take what we have learned in the intervening 30 years since RFC 812 and apply them to the problems we have today.
So what are the CRISP goals? This is a subset of the goals. If you read the document in the background materials we enumerate many, many more of them but these are the ones that are pretty hot.
So there is access control, which is essentially about who gets to see what data. And being able to differentiate between the users who are accessing the data.
Internationalization, which allows users to have an experience beyond the ASCII world. And it allows clients to be localized, so users who are not native English speakers or what not can actually use the system with relative ease.
And one of the other things is decentralization. It's core to the working group. The information has to be aggregated, so the data should be decentralized and not in one repository, but there should be very, very good methods on how you get to that data.
I'm going to spend the rest of this presentation talking about a topic that's pretty hot in this community, and when it comes to Whois, and that's about who has the right to see what data. And that all boils down to authorization and authentication.
So what is authentication? It's the process by which you use who gets to see the information. But authorization are the rules and policies applied on who gets to see the information. So it dictates the authorization schemes. You get to say who gets to see what.
So what do we have for today's authentication with RFC 954? There's anonymous, which is what the protocol intended, which is that all users are equal.
There's another thing other people do which is use the source IP address of the client accessing the data. Keep in mind that the source IP address was never, ever intended to be an authentication mechanism and therefore there's a lot of people when people do that. You have people sitting behind proxies who have all sorts of issues when they're limited based on the IP address because they have to share it with many, many other people.
But in the modern world, we have many, many more authentication mechanisms available to us today. And those authentication mechanisms allow us to have different authorization schemes. I've listed a couple here, the ones I'm going to talk about. You have ways of saying that I know who Alice is; therefore, Alice is allowed to see this data. Or I know someone who knows Alice; therefore, Alice is allowed to see the data. Or I know the person who referred Alice to me; therefore, Alice is allowed to see the data.
Passwords. Passwords are an old idea but they're still useful in today's world. There's a lot of talk about how passwords are insecure, but there's a lot of methods that can be employed today to allow people to send passwords over an unencrypted channel without actually giving up the password to someone who may be sniffing their data. Essentially the user experience is the same.
Passwords allow for the user-based authorization scheme which is I know this person because they had the password; therefore, they can see whatever data I say that person can see.
There's another type of scheme, a mechanism called one-time passwords. It's one of these mechanisms I was just talking about which was invented to allow you to send a password over an unencrypted session without exposing the password, but they have a unique characteristic associated with them in which you can only use them for a certain amount of times, like 20 times, before it becomes invalid. What that allows you to do is it allows you to create an authorization scheme that says this person can only access the data 20 times, or as this person continues to authenticate to the system, their rights get diminished or enhanced, whatever the policy would be.
Then there's digital certificates. Digital certificates use a branch of mathematics called public key cryptography, and we're not going to go into how they work. But they allow you to do a lot of interesting things as far as authorization goes. They allow you to have the user-based authorization schemes, essentially saying if this is Alice's certificate, and then, you know, do what you need to do. Or the chain-based one, which is I may not know who Alice is but I know someone who does know who Alice is and they verified this. Therefore, I'm going to allow them to see the data.
You have attribute-based schemes. I may not know who Alice is, but I do know that Alice is of a certain type of person and therefore may see the data.
Or you can do time-based, which is Alice -- the certificate has a time stamp on it which is only good for a certain duration of time.
And by the way, you can combine all these different authorization schemes and they're not mutually exclusive, so you could actually do iterations upon them.
So to explain to you certificate chains: essentially, X.509 certificates, which are already used in TLS and SSL, are laid out in tree models, and from any one certificate back up to the top of the tree, you have what's called a chain of certificates.
So the way it works is the certificate is signed by the next node up in the tree, and if you want to do chain-based authorization you can say well, I don't know the actual user behind this certificate, but I do understand that this thing has been cryptographically signed by someone I do know, and that person is vouching for them.
Another thing you can do with certificates, since certificates themselves are secured via cryptography, is you can put attributes in them, and one attribute can say this person is of type x and they're allowed to see certain types of data. One attribute is time, so a certificate has a certain shelf life it's good for, a start and end date.
One of the other things that the CRISP group is working on is referrals and the protocol will be able to support them, also support passing data with referrals. And it will allow you to combine it with one of these other authentication mechanisms I've given you, be able to assign that data and say when you pass that from the client, from the client to the referent server, the referent server will be able to say because this person was passed to me from another server I'll be able to give you this data. So it will allow those kind of referee-based authorization schemes.
So in conclusion, the CRISP working group is working on a vastly improved protocol to solve the problems of today. And what we hope this brings is the ability for people to quit asking the question how do I implement this, and start asking the question what do I really want to do.
So thank you.
(Applause.)
Michael Roberts: We're going to have a short interrupt here to change this mic, and then we're going to have Ray Plzak from ARIN.
Do we have Ray in the audience? Looks like we're going to have to change our order of presentation. And have everybody hang on a second and we'll figure out who we'll have up next.
Vinton Cerf: Have you done a Whois search for him recently?
Unidentified speaker: A WHEREIS.
Michael Roberts: Can everybody hear us with this mic? So we're going to go ahead with Bruce Beckwith. We'll go back and pick up Ray.
Bruce Beckwith: Hi, good morning. My name is Bruce Beckwith. I'm the vice president of operations for the Public Interest Registry, the .org registry.
As you've heard from several speakers, Whois has many definitions and I'll be speaking about the domain name system as it relates to domain name registrations.
They've spoken about the early days and the fact information was collected from a technical perspective and was meant to be used for a technical perspective. The data that was collected was also rudimentary. And again let me walk you through some of the information and remind you that in the early days, truly, registrants typically did not have e-mail addresses. In fact, as the ISPs were coming online, many folks just didn't have an e-mail address because they used maybe the Internet at work or weren't really using it that much so they relied on their web hosters, on their ISPs to be the technical or billing contacts.
So depending on the model being used, the registrant didn't have much of an impact in terms of the actual registration. And in fact, if you remember prior to 1998, most registrations, at least through the end of (inaudible) registrar were done through e-mail templates and those were, for those that are technically capable, were easy to do but for those who didn't have an e-mail address, weren't even possible.
I'll remind you also about the different pieces of information that we now all conglomerate into what we call Whois.
Let's go back and remember 1999 as the registrar model became competitive, suddenly there was a need to have different registrars show the Whois information. And let's also go historically a little bit and remember that when the registrars went into a competitive model, the gTLD registry, which at the time was the NSI registry, had thin data. What that means is there was minimal data at the registry and all the registrars at that point had the data. Therefore, each registrar had a requirement to have a Whois service.
In addition to that, they started finding over time that the Whois service started being used an awful lot. Andy, in the prior presentation, discussed a lot of the different types of users, and you may remember at the bottom of his slide it actually said abusive user. And that has happened. So a lot of the registrars are now limiting the information that is available through Whois from an automated perspective. They put rate limiters in.
Bulk access was also a requirement. One of the reasons for that requirement was to give all registrars an even playing field.
So when you think of Whois, there are different, different, several different versions of Whois that one thinks about. There's the web based, there's a port 43 Whois, and also the bulk Whois.
On the bulk Whois, one of the requirements was to ask registrants did they or did they not want to be part of the bulk Whois file.
Also, registrars had to give out that bulk Whois to anyone who asked for it. And as you will note, some registrars make that very easy to come by, some registrars don't.
Let's then move to registry competition, which started in 2001. Now, with some of the new gTLD registries, namely at the time, .info, .biz, what have you. Suddenly there were two types of registries that existed, thin and thick registries. So the thick registries now started to have a requirement to also provide Whois information, both a web-based and port 43 variation.
Of note, PIR is in the midst now of moving from a thin to a thick registry; hence, we bridge both of the different criteria, and we'll be doing the conversion throughout the remainder of this year.
On Whois, it's important to note that a thick registry will provide much the same information that a registrar today provides with Whois. A thin registry, of course, provides that minimalist data. Ray, I think you'll be next. We changed order a little bit for you.
Ray Plzak: I'm outside working.
Bruce Beckwith: Of note also is that the Global Name Registry, which is the .name registry, has made some contract negotiations recently with their requirements for Whois, and the reason for that is the .name top-level domain by definition is for individuals, and individuals have a right to privacy.
So there are some differences now within the different registries, and what the requirements for Whois are.
Let's talk about how that data comes into the systems.
Typically the data is collected by the registrar. The registrar has a relationship with the customer.
The information is collected at the time of registration. The registrar also, as Louis mentioned in his discussion about the registrar accreditation agreement, goes ahead and updates the data. For those environments where there's a thick registry, the registrar has the requirement to send the information to the registry as well and to provide information through Whois.
Now, registrars in the thick environment also have the option of using the registry Whois, because again if you remember from the prior slide, the information is equivalent between the registry and registrar at the thick slide.
Registries on the other hand, now that the data has been collected by the registrar, have the requirement to provide a Whois. And again, you have the differences between the thin and the thick displays.
Now, some of the issues that have come up, one of the reasons for this presentation today, though today's presentation is more from an educational perspective and an operational perspective; tomorrow's is more on a policy basis. But some of the issues that have come up is this interest in Whois. If you remember a few minutes ago I touched on the historic reasons for Whois, and they were really from a technical perspective.
Today, we're using Whois for many different reasons that were not envisioned as Andy mentioned back in 1982, 21 years ago, nor, let alone, over the last several years.
And as you'll see, there are interests to keep Whois as it is, or even to expand it. And there are also interests that want to restrict Whois. And each one of these different interests, if you consider from their perspective, have legitimate reasons to try to achieve their goals.
One of the reasons why Whois information has become so interesting to so many people and now is starting to gather some steam in the public sector is because SPAM is being used tremendously now by marketers. And one of the misconceptions now is that SPAM is solely derived from Whois information. And of note should be that if you post to a public list, if you go ahead and buy from an online merchant that doesn't have specific privacy policies that will keep your data from being available, it is not uncommon to have automated processes, called robots, go ahead and scan the mailing list and decipher the information for what your e-mail address is, nor is it unusual to have that information being sold.
The other misconception is that bulk Whois is a genesis for much of the SPAM that comes out, and if you remember, some registrars don't even offer bulk Whois, so truly, that is not of much of a source for a lot of this information, for a lot of the spam.
What some of the realities are, however, is that the registry zone files, and those are the zone files that the registries produce and just as a quick refresher, the zone file that each registry produces are the domains that are currently active that are available for resolution.
So if you take the differences in the zone files from one day to the next or one time period to the next, you'll be able to identify the difference in domains. Once you know which domains have been added or deleted you can go ahead and do Whois queries and find out what the information is. Hence, that is used an awful lot by not only speculators but as well by spammers to some degree because they now know what information to look up and that is available today, the registry zone files are available for anyone who asks for them.
As well as once you have that information from the zone file, remember that each of the registries and registrars is required by contract to make that information available by a Whois at no charge.
I know that over the next two days, and certainly far after, there are going to be a lot of discussions on Whois. From an operational perspective, we'd like to suggest a couple of different items that should be looked at. And I'm sure they will be.
One is should zone files be available, registry zone files be available for the asking? For anyone? Or should there be some sort of restrictions? And these are not questions that have easy answers because there are many varied interests but they are questions that probably need to be addressed. Today, as I mentioned, registries must comply with any request for a zone file, and these are given out quite freely because there is absolutely no restriction.
Also, we've talked a little bit about, over the last couple of presentations, how available Whois information is, how available Whois information is actually on the web. Is it really important for many users to know Whois information or is it much more important if they want to register a domain name is this domain available or has it already been registered?
So as the research, as the studies, as the discussions go into Whois, it becomes important to look at truly, as an individual, and for the different classifications of users, what is the requirement for Whois? And I know Andy touched on this in the last presentation where he is suggesting that there are lots of technical solutions, but now we have to start wrapping some of the policy issues around that.
And last, in terms of issues that probably need to be looked at from an operational perspective, is the community starts needing to look at this Whois issue from the perspective of is it the same thing that was envisioned 21 years ago? Is it the same thing that was envisioned four years ago when registrars became competitive? And is it the same thing that was envisioned two years ago? The world has changed.
The world has changed from a social perspective, a terrorism perspective, and certainly a technical perspective.
So a question to consider as we move forward, should the same Whois information that was available 21 years ago be available today?
Thank you.
(Applause.)
Vinton Cerf: I have a question.
It's Vint Cerf over here.
Just for clarification, I had thought that zone file transfers were not absolutely required.
So I must have misunderstood that.
Bruce Beckwith: The zone files, every registry has a requirement to make zone files available to anyone who requests them.
And the contract requires that one not misuse the data.
But there is not much of a way to track the use of that data.
So it's very, very difficult to enforce.
Vinton Cerf: General counsel has a comment.
Louis Touton: Just for clarity, that requirement applies to all gTLD registries.
Bruce Beckwith: Right.
Thank you.
Michael Roberts: thank you very much, Bruce.
Let's see.
Do we have Ray in the room now? Can we have his presentation? Here we go, right here.
Ray's going to speak to us about some of the non-name uses of Whois.
Ray Plzak: Apologies for lateness.
I was outside working and doing things, and I didn't think I needed to be here until 9:00.
So that's when I showed up.
There we go.
I'm Ray Plzak.
I am the president and CEO of ARIN.
And I'm presenting this presentation on behalf of the four RIRs, which are APNIC, ARIN, LACNIC, and the RIPE NCC.
And as Mike mentioned, I'm going to discuss what was termed to be the non-name uses of Whois.
And in way of an overview, we are going to discuss what is Whois.
The types of registries that exist in the addressing community, the evolution of Whois inside the RIRs.
Actually, that's quite simple. And then how the addressing community uses Whois today.
So what is Whois?
Well, as has been previously mentioned throughout, I suspect, it started out more or less as a community phone book.
And then found itself becoming a general-purpose registry directory service.
And the problem is that now you have conflicts because you have many different communities which have many different requirements.
And so the net result is that everybody says Whois is broken.
And what really has happened is that the original intent of what amounted to a community phone book has been used for something that it was never intended to be used for.
So in one regard, the perspective of Whois being broken is not necessarily correct.
What is more probable is that the communities have to decide which directory services do they really want.
And is the one size fits all answer the correct answer? And I would suspect that it's not.
And, in fact, in a moment, I will show you that there are two types of uses of Whois in the addressing community which are completely distinct from each other.
And in a way, though, they both offer a directory service.
So there are two types of addressing community registries.
One is the one that I would think that probably most of you are familiar with, which is the registries that are operated by the regional Internet registries.
But there's a separate set, they are called the Internet routing registries.
And unless you are an operator and are involved with routing and pay attention to such things, you would probably not even be aware of the IRR as opposed to the RIR.
The regional Internet registries do two things.
They allocate and assign IP addresses, and they assign autonomous system numbers.
The Internet routing registries, the IRR, on the other hand, maintain routing policy information.
And in a very clear and succinct way, what that means is that in this application of Whois, and you use port 43 to get to this information, you see associations between networks and autonomous systems, and, in essence, which autonomous systems, which providers, which ISPs are going to route which traffic.
And what they're going to accept and what they're going to deny.
This is not an official standard type of thing that everybody adheres to, but, by practice, many do adhere to this.
And so if you hear the term "routing filter," and filtering based upon, for example, the RADB, what you're hearing is that someone is using the information in the IRR to make decisions about how to route information across the Internet to the point either I will allow it to pass through my system or I will not allow it to pass through my system.
So, quite briefly, the IRRs basically started with Jon Postel's notebook.
And the dictum, if you want an IP address, go see Jon.
Of course, nobody could read Jon's notebook.
So the DDN NIC put up the Whois information in regards to address allocations.
And then as the IRRs were formed and evolved, all that information has been moved into the various IRR registries in their Whois's.
How do we in the addressing community use Whois? First, we keep track of address allocation or assignment records.
And that includes allocations from the IANA to the IRR.
From the IRR to an ISP or local Internet registry, LIR.
And then also from that ISP local Internet registry to their various customers.
And that customer, in turn, could also be talking to people downstream from them.
So there could be several layers of that last bullet.
We keep track of the assignment of autonomous system numbers.
And also, in the IRR Whois, you will find information pertaining to the DNS servers that are associated with the reverse mapping of the DNS so that when that function needs to be done, the information is recorded and is available.
Also, there's troubleshooting POC information.
Quite commonly, troubleshooting is normally thought of in terms of network operations.
However, registries also have POC information that refers to what may be called an abuse point of contact.
There are administrative points of contact, technical points of contact.
So there are various types of points of contact to information that is available in the IRR Whois.
And as I said, all of these things, as a reminder, are done through the IRR Whois.
And the last thing, of course, is the routing policy records, which are maintained by the IRRs.
Now, currently, the RIRs all have or are IRRs.
But in addition, there are other Internet routing registries.
There are ones that are common for the entire Internet. And also large ISPs maintain their own IRR-type information and do have a displayable Whois.
So, very briefly, and as a final discussion point, how does this work?
Well, the IANA will allocate address space to an IRR.
And that information is then contained in the IRR Whois.
There is no Whois that is maintained by the IANA.
You cannot do a Whois for address registries information and find it at the IANA.
There is a flat file that is maintained that has allocation information, but it is a very simplistic flat file.
The IRRs, in turn, provide information to the ISPs, LIRs.
And that information is maintained in the IRR Whois.
And the ISPs, in turn, provide address assignment allocations to their customers.
And that information is maintained in the IRR Whois, in some cases, it's mandatory.
And in others, it's optional.
And the ISPs or LIRs may also maintain their own Whois.
So that is, briefly, how the non-name uses, if you will, the address registries, do Whois.
So I am open for questions.
Vinton Cerf: Thank you very much, Ray, for that brief and succinct summary.
With regard to IP address assignments that go down from ISP to customer, can you say how much information is obtained and retained and maintained by the RIRs? Do the ISPs reflect this information back so that you can learn more about the refined allocations? Or is that something which is purely optional?
Ray Plzak: In the case of ARIN, that is actually an optional thing.
You have two ways to report what amounts to utilization information, if you have received a direct assignment or allocation from ARIN.
One way is to put the information back into the ARIN database.
The other way is to use a protocol, which is a nonstandard protocol, it's discussed in an informational RFC, it's called RWhois.
In addition, over the past year, we have been conducting an experiment with one of our larger ISPs in use of their routing registry Whois to report utilization information.
In the case of the other IRRs, in some cases, everything must go back and be reported back to the IRR.
Vinton Cerf: If I could follow up, the implication that we don't necessarily have very clear information about the assignment of IP addresses in the small, only, at least to the ISP level, but after that, it's a little harder to be sure the database is accurate.
Ray Plzak: that's correct.
The further down the allocation tree, if you will go, the more stale the data may become.
There is no requirement for the POC information, for example, to be reflected accurately back other than what you are looking -- but it's assumed that whatever you have, and that's the broad assumption that goes every place, with every Whois, is that what you're looking at is authentic.
And from a personal point of view, if anyone thinks that just because I get this information from Whois that it is authentic information, I can take legal action based upon that, that's a problem.
And probabilistically could put a liability upon the registries that have that data, even though they're not responsible for it because it's supposed to be provided to them by somebody else.
George Papapavlou: One more question.
Does this information, the Whois data held by the RIRs, is it of any interest to anybody else other than the RIRs and the LIRs? Are people coming to you from law enforcement (inaudible) and asking for this?
Ray Plzak: I can speak from ARIN's perspective.
We have received inquiries from law enforcement agencies inside the United States.
We have been subpoenaed to provide information in support of disputes over transfer of company assets.
And there is a very large community that is very interested in our database that are called spammers.
Because they can, by manipulating the databases that the name registries have and by also trying to do the same thing with the addressing registries, can, in effect, hijack addresses and hijack names.
And so that's a problem that's common to everyone.
So I would say that, yes, we all have the same people that want to see our data.
Got one more, Mike.
Michael Roberts: Running a little late.
So I think we have to....
Yes, we're going to have a presentation now, one more presentation before the break, from Bruce Tonkin, who will speak about the Whois from the perspective of the gTLD registrars who are subject to the provisions of the registry accreditation agreement.
Bruce.
Bruce Tonkin: Okay.
Thanks, Mike.
My name's Bruce Tonkin from Melbourne IT.
And I'm with an ICANN-accredited registrar.
This presentation has been put together with information I've received probably from most of the top five or six registrars.
So it's a broad set of information rather than information targeted to a specific registrar.
First, just to review the purpose of Whois from a registrar's perspective, the OECD privacy guideline states that collected data should be relevant to a specific purpose and be accurate, complete, and up-to-date.
In our registration agreement with the registrant, we specify that the Whois information should be adequate to facilitate timely resolution of any problems that arise in connection with the domain name. That could be as a result of intellectual property issues, could be as a result of technical issues, like SPAM coming from a particular address.
It could be related to transfers of domain names between providers.
But that's the purpose, from our perspective.
What do registrars use Whois for as a user of the information?
Registrars require access to the contact information to seek authorizations for transfer. And that's part of the transfer policy that was recently approved by the board in April.
Also, in the case of a thin registry, like with the .com and .net registries, the registrars maintain the Whois information themselves, so as a domain name is transferred from one supplier to another, they also need to transfer the Whois information from one supplier to another.
So that's really the primary use from the point of view of a registrar.
What I'd like to point out now, though, is some of the abuses of Whois that we see fairly commonly.
And these are abuses that have been done on a fairly widespread scale, so they're not isolated incidents.
They've involved hundreds of thousands, in some cases millions of customers.
Far and away the most common abuse of Whois is through the sending of unsolicited renewal notices.
The Whois information is unique in the sense that not only does it provide the full contact data of the registrant, but it also provides the date on which the domain name expires.
And so that allows the sending of a very targeted e-mail to a customer which says, "Your domain's about to expire or it's about to be deleted." And because it's done in such a way that they know your contact data, the dates when your name was registered and when the name goes to expire, it can be made to look very official.
And the typical way this works is by trying to confuse the registrant into believing they are renewing their domain name with their original supplier.
These notices are not sent in the context typically of saying, "we'd like to renew your name because we're a better provider or we offer a cheaper price or we do it better in some way." It's not offered in a conventional solicitation for business.
It's offered in the sense that we are your existing supplier, this is a courtesy.
You need to renew your name.
In fact, your name's going to be deleted any second now.
It's very important that you renew as soon as possible.
And quite often, these notices are for prices well above the market rate.
And they lead to widespread confusion by the registrant and the registrant often rings up and says, "I thought I paid my renewal last week, and now I'm getting another renewal notice. I don't understand."
And that also leads to the issue that quite often, the expiry date information is not correct that is used on these notices.
The other secondary most common use of the Whois data is for marketing of related services to domain names.
And, again, this is highly correlated information, because by the combination of looking at names as they appear in the zone file and being able to do Whois checks, you can find out almost the instant that somebody registers a domain name, so you know exactly where they are in their life cycle.
You know they bought a domain name and then they have to do something else.
They might need to design a web site, they might need to get web hosting.
So quite commonly the users have the experience that they register a domain name and shortly afterwards they get a phone call from a company offering them web hosting or some other service.
The other point of correlation is perhaps when a domain name comes up for renewal, and, again, you can look at that information and say, well, this name is coming up for renewal.
It doesn't currently seem to be used at the moment.
Perhaps they might want to sell the domain.
Perhaps it's not being used and you're offering them a web hosting or e-mail forwarding service.
So, again, the information is so accurate that the suppliers in the market know exactly the sorts of services that the user might require.
To use an analogy here with perhaps the travel industry, and most of us have traveled here to this venue, and the way most of us did this is we had a choice, most of us probably used an airline to get here.
And most of us then had a choice of airline.
We could either go to a travel agent and that travel agent would try and find us the best price and the best deal for an airline, or we could go to the yellow pages and look up a list of airlines and we could ring a few, maybe go to a few different web sites, and make and exercise our choice to choose an airfare.
That's all based around consumer choice.
The alternative model might work something like that.
We register to attend the ICANN conference, and we put our current address where we live, our telephone numbers, and we specify where we want to go to, which is this ICANN venue.
And we specify the dates and times of travel.
And ICANN collects all this information and puts it up in a public registry.
And then all the airlines and travel agents can then look at that and then they'll go after the highest-value customers first, so they'll look at the person who wants the first-class airfare from Melbourne.
If I stuck my hand up for that, I will get 200 phone calls the first day.
Then they'll work their way through until they get to the person that's in Ottawa.
And that person has got a choice of catching the plane or a train.
So it's a lower-value customer.
He'll probably get contacted a couple weeks later after all the high-value customers are gone.
That's two alternative models of how the travel industry might work.
And the ICANN domain name industry works using the latter model, where the full list of customers is provided and the suppliers can then choose and go after the highest-value customers.
And the highest-value customers get huge amounts of unsolicited e-mail, notices, phone calls, postal notices, et cetera.
The other thing that happens less commonly but is probably even more scary is the growing use of fraud on the Internet.
And we've seen it.
Several of the largest registrars have been hit with these approaches.
And, essentially, they're using our customer base to send a notice from the registrar to all the customers, but it's actually completely branded as though it is the registrar.
It's copying the logos of the registrar, the look and feel of the web site is exactly the same.
And it's usually trying to scare you in some way.
It might even be something like we've just detected a security problem.
It's really important that you change your password.
Please enter your current domain name passwords and your credit card information now so that we can fix this problem.
So these things have been a result of law enforcement action.
But they're very hard to track down because it's very hard to track down the source of the organizations that are using these messages.
And they work like many other Internet scams.
But they are so effective because, again, the customer is contacted with very specific data that only -- that they believe only their supplier could possibly know.
And most of these registrants are unaware that Whois even exists.
They don't know that their information is publicly available.
In terms of the usage from the point of view of a registrar, there's been quite a lot of, I guess, effort recently in the Whois task forces around bulk access agreements.
But that is rarely the problem.
Most of the large registrars have around ten bulk access agreements.
We're not aware of much abuse that we have been able to prove.
We might have our suspicions.
But I am not yet aware of a case where we have been able to prove that the Whois obtained through a bulk access agreement has been misused.
Again, we're only talking about ten agreements, even for the largest registrars.
However, port 43 Whois we see massive usage.
An example -- I guess a top five registrar might be sort of two million queries a day maybe from about 130,000 separate locations.
So you can see clearly each location is probably obviously doing several queries.
The other thing we notice, some of the registrars monitor usage by IP address.
And they expect to see a bit of usage from other registrars.
But what they often see is that in any given week, there will be five or six new IP addresses that seem to be doing hundreds of thousands of queries rather than what you would expect as one or two queries for the purposes of the Whois, which is to deal with -- to facilitate contact with a registrant for issues surrounding the domain name.
The other thing is that I've also received offers to buy the Whois information.
An example of one that I heard yesterday, you can essentially buy 30 million Whois records for $30.
That's a lot cheaper than going to several registrars and paying $10,000 for the actual official bulk access agreement.
So certainly we do have a problem.
And we do believe that there needs to be policy action to solve this problem.
Thank you.
(Applause.)
Michael Roberts: Somewhat miraculously, we're essentially on time.
And so we'll take a break now until 9:45.
And we hope that everybody will come back promptly, because we'll begin at 9:45.
(Break.)
Michael Roberts: If you wouldn't mind taking your seats, we'd like to begin again.
In the interest of keeping the program on schedule, we are going to begin now, and our next presentation is going to be from Diana Alonso Blas, who is with the directorate general internal market of the European Commission in the data protection unit.
Would everyone please give her the benefit of the podium? Thank you.
Diana Alonso Blas: Thank you very much. I'm very happy to be here and have an opportunity to participate in this very interesting debate. Up to now, the data protection people have not always been involved in this discussion as much as they should. It might be partly our fault. But it is now very important that we come into this discussion, and we try to involve ourselves as much as possible, certainly on the European side, because on the American side EPIC and others have been involved, but not the European Commission up to now.
So I'm in the beautiful position of being after the coffee break, so everyone is drinking coffee somewhere but I will start anyway.
I am going to concentrate on the European perspective, my job in the European Commission. I have to say, however, there are very similar provisions in other parts of the world. We have the OECD guidelines that are implemented in many other countries in the world. We have similar legislation in countries like Hungary, the Channel Islands, and others. So the issues for Europe will be similar issues in other countries as well.
In Europe we have several pieces of legislation. The first one is Directive 95/46, the general data protection directive. That's the one I'll talk about in much more detail. But there is also a second directive which is very recent, 2002/58, which deals with electronic communications. And this one is also very relevant because it contains a number of provisions that could have direct implications for the Whois discussion.
This directive has not been fully implemented in all the member states. The period of implementation only ends in October this year. But it has to be taken into account now already.
There are also many important documents of what we call the Article 29 Working Party, and that's a group of the European data protection authorities that are brought together and that have the task of implementing and interpreting the provisions of the directive. And they have dealt with many issues related to the Whois as well and to all the Internet discussions.
There is also the council of Europe convention that I mention here because it is not only European. It is open also to signing and ratification by any country in the world.
And very similar provisions.
On the next one, what are the concerns that we have about the Whois discussions? I think we have tried sometimes from a distance to contribute to this discussion in the past. The European Commission sent recent contributions to ICANN and also to the Whois task force. It was always a common approach between the internal market directorate general where I work and the colleagues of the information society directorate, who are the ones you know better because they're always involved in this discussion. And we have always tried to work very closely together in order to offer a common view regarding this issue.
The data protection authorities have also raised concerns regarding the Whois discussion, especially because they have received complaints at national level concerning the misuse of the Whois.
They have received different kinds of complaints. On one side, from individuals who complain about the misuse of the data. They have also received concerns from the registrars themselves, who felt that they were caught between a rock and a hard place because if they obeyed the ICANN requirements, somehow they are not respecting the European legislation they have in place, or if not, they might be in a difficult position. So I think that's something we need to take very much into account.
I would also like to stress that European data protection authorities, article 29 working party has issued a paper on the 13th of June of this month that I have circulated and I hope it's available in the materials of this workshop in which they address specifically the data protection principles and their application to the Whois, and they come to a number of very interesting points. So I strongly recommend you to read it.
There is also the international working group on privacy in the telecommunication sector that has issued a common position on this issue already in May 2000. After that, they have also sent different letters to ICANN raising several concerns. The important thing is that this group is not only composed of the European data protection authority. It involves also experts from different groups, including academics and others. And it involves also people from outside Europe. So it's important to see that this is a group that has quite a broad composition.
Also citizens have raised complaints. Not only with the data protection authorities. We did receive a petition also to the European parliament done by a general citizen. I mention it because I think it's interesting, the reason why the citizen complained was not mainly data protection but because he thought that the publication of his name and personal data on the Whois was something that would limit his freedom of speech. Well, the thing has been raised in different papers also previously. So I think it's an important point.
So, indeed, there were increasing concerns for different reasons. The main one, I think, is because lately we have seen more and more registering their own domain names. I think it's important to make clear that there are very different issues at stake when legal persons, companies, et cetera, register domain names and when individuals do so. There are different concerns that need to be taken into account, and I think that's why this possible distinction between commercial and noncommercial could play an important role.
We were also a bit concerned about the fact that the reports of the Whois task force, which we have read with a lot of interest, seem to ignore, to a certain extent at least, the real purpose of the Whois. And certainly the existing legal framework of the European Union. We were a bit puzzled when we saw questions like "what would you like to use the Whois data for?" In our legislation, it doesn't work that way. Maybe we would like it to be like this, but it's not. We need to start by defining, in a very complete, very detailed way, what the purpose is for which we collect the data, and then we have to assess whether the use of this data is compatible with that. And if it's not compatible, it cannot be used.
So in our legislation, it's much more difficult than this. And it doesn't allow this kind of flexibility.
So maybe to enter into the first point, I have mentioned the two directives. Do these directives apply to the Whois? I would say the first point I don't think has ever been discussed. There is clearly personal data involved in the Whois.
The definition of processing in the directives is very broad, meaning it goes from the moment in which the data are collected to the moment in which they are accessed, used, published, et cetera, so all this is covered by the directives. And the point that has often been misunderstood is the fact that the data are also protected even when they are in a publicly available registry. Sometimes people say, well, but they are already on the Internet. Well, it doesn't really matter. They are still protected under the directives, and the principles have to be respected.
So as a first conclusion, I would say that not everything that might seem useful or even desirable is legally possible. At least not under the present regime.
So the key issue, I think, is the question of the purpose. And as I have said, under our legislation, we need to define the purpose for the Whois very well. I think that nobody has ever challenged the original purpose that has been raised also by the previous speakers, the issue of being a technical contact in case of problems. Nobody has ever challenged that legitimate purpose. The problem is, as I said, that we need to define very clearly what the purpose is. And it seems to me that what we see now more and more in this discussion is that we all know in practice the Whois is being used for many other purposes, but it's not clearly defined as such.
So I think we might have to be very honest on that and try to address this clearly and say what are the uses we want to make of it, if any. And then see, well, is this possible under the legislation we have. And are there possible solutions we can find.
So we need to describe the purpose first, clearly. And then we need to define what a compatible use of that is. And when discussing what is compatible, we often use the criterion: is this a reasonable expectation for the user? Can the user who has registered a domain name expect that his or her data will be used for any such purpose?
So indeed, we might come to the situation in which we would like to use the data for a certain purpose, but this is not possible under our legislation. And there I have to say that the opinion of the article 29 working party has been rather critical in referring in this context to what they call self-policing policy of the private sector. Their view is this would not be compatible with the original purpose of the Whois.
I think it has been made clear in several discussions that the issue is mainly related to the private sector use of this data, not the public sector, because for the public sector we do already have several possibilities under the directives for use of this data when necessary. There are existing legal procedures for that. The problem is much more for the private sector, and there I have to say, obviously, the European Commission has mixed emotions about it, because we also have intellectual property interests and we obviously want to protect the right holders as well, but we need to find a position in which we can do both things within the legal system while also respecting the data protection legislation. And this is not necessarily simple, but we'll need to discuss this further and see if any solution can be found.
So the principle of proportionality is one of the core issues. I think I have to make a distinction in the discussion between the data necessary for the registration itself and the data that should be published in the Whois. In particular, what the proportionality principle means is that we always look for the least intrusive means to serve the purpose. So I think what we need to ask ourselves is: are there other possibilities of serving the purposes we want to serve while not having all this information available on the web site, or potentially available to anybody who wants to have it?
So in some countries, solutions have been found through the use of the Internet service providers, for instance in France and in Germany and the UK. Well, you will also hear the colleague from .nl, who is going to talk after me and who is going to present the specific situation in the Netherlands. And the European Commission has proposed on several occasions, in several papers addressed to ICANN, WIPO and other organizations, some kind of two-step approach, which would actually make the data not available to the general public but only available to those who really need it, with possible control afterwards.
I'm not saying that this is a necessarily easy solution but it could be explored at least to see if this could be found.
So indeed, we need to process only data that are relevant and not excessive. This is something we would like you to keep in mind when discussing uniformity, meaning that if uniformity means collecting the same data everywhere, and this same data would be more than what we now already collect in Europe, this would be a big problem under our legislation, because we have the obligation of keeping the data to the minimum necessary.
And there are also specific problems regarding telephone numbers and the general right not to be included in a directory. This is a right given by article 12.2 of the new directive on telecommunications. It is in any case clear that the individual has the right not to have his telephone number listed in a public telephone book. It would obviously be a bit, let's say, strange, at least, if the same individual then had the obligation to provide his phone number to be published on the Whois, available to the general public.
The second part of the reasoning is even more complicated. Would it mean that this provision, in fact, implies that the individual has the right not to be included at all in the Whois? And to be honest, I'm not completely sure if this answer is correct or not. We are presently discussing this with the colleagues in charge of the information society. Most probably, we are going to ask also an opinion to the legal service to know what this exactly means.
But indeed, this will have to be kept in mind in discussion.
Possibly I would also like to mention, in this discussion of whether this provision could be interpreted as such or not, that we might have to keep in mind as well a recent judgment of the European court in Luxembourg that, in a case related to Austria, said very clearly that we should not interpret the data protection legislation restrictively but possibly the other way around, to give sufficient rights to the individuals. So this could also play a role in this discussion.
So one of the issues that has also raised much concern is the question of making the Whois more searchable. The article 29 working party, the European data protection society, as I mentioned, has dealt with this already in 2002 in general terms, considering that the processing of personal data in various directories would not be fair, and would be unlawful, unless the individual has the right to consent to it. And by consent, we don't mean opt out but opt in. So it should be very clear.
So on the other hand, I wouldn't like to give the impression that we oppose all the different proposals that have been presented. We do have quite good feelings about a number of the issues presented as well. Of course, accuracy is a very important issue; it is also one of the principles of our directive. But we have to keep in mind, obviously, why individuals are giving inaccurate data. And if the reason is that they don't feel sufficiently protected, we might have to address this first before asking them to make sure they provide accurate information.
Concerning bulk access, we would certainly support all possible limitations of that. The opinion of the European Commission is very clear on that. We think that bulk access should not be acceptable for any kind of purpose, because it's not proportional at all and there are other means to serve these kinds of purposes. And it is important to keep in mind also that the 2002 directive, the electronic communications directive, only allows the use of e-mail addresses for direct marketing with the specific consent, opt in, of the user.
So as a conclusion, I would like to say we need to respect the existing data protection framework in Europe. Indeed, we shouldn't place the registrars, as I said before, between a rock and a hard place. There should be clear compatibility between what they are asked to do by the contract and what they have to do according to the law.
We also need to look for privacy enhancing ways of running the Whois. I think in practical terms there could be solutions that serve the purposes we want to serve while protecting the rights of the individuals, and I think we all need to work together in trying to look for that.
And I would also like to ask you to keep in mind and to involve the data protection community in these discussions. I mean, it's the first time I'm here. I'm sure that many other colleagues from Europe would be happy to participate in these kinds of discussions in the future.
And I think, certainly, that the article 29 working party, who have just approved an opinion in time for this meeting, would also be very pleased to be involved in this discussion.
Thank you very much.
(Applause).
Vinton Cerf: I'm sorry; will you entertain a question or two? Do we have time?
I would just want to suggest an idea that I'm not sure has come out in the presentations or the discussions. It seems to me that the registration of a domain name is not something which is forced on anyone. No one has to register a domain name.
When you do that, with whatever responsibility you choose, either as an individual or as a corporate officer or acting on behalf of an entity, whenever you do that, you may incur some obligations to the rest of the community that uses the domain name system.
So I'd like to suggest for your consideration that the Whois table is not simply a public directory which is randomly assembled, but, rather, it's a side effect of having accepted some obligations as a registrant. And I would distinguish that from, for example, the public directory listings of telephone numbers which are a consequence solely of having been assigned a phone number.
Perhaps those two could be distinguished.
Diana Alonso Blas: Well, I see your point, and I think that, in fact, that's the reason why many individuals make the difference between what the consequences are of registering a domain name when you do it for commercial purposes, and then obviously you have a number of legal obligations. Also in Europe, you have to identify yourself, you have to register yourself, possibly with the chamber of commerce, et cetera, you have to pay tax. Of course it's not that you have the choice whether you want to do it or not. You have these legal obligations, and nobody is saying you shouldn't accept them as a part of it.
But I think the difference is for individuals who just want to have a web site for their own purposes of publishing whatever information they want to. And I think that in this kind of very Internet world, it would be kind of, let's say, not very open minded to say, well, individuals have the choice whether to register a domain name or not. I think having a domain name can be pretty important for many people, for professional and personal activities nowadays. So it wouldn't be a real choice whether you want to have it or not. Many people might need it for professional reasons or might want to have it because it's also important for their development.
So I think we need to make a difference between those who really use the domain names for certain commercial activities and therefore have a number of legal obligations they have to respect, one of which could be to be registered in different registers, one of them being the Whois, and those who use it for personal use.
Karl Auerbach: I also have a question. Two questions have arisen during our discussions of privacy with respect to Whois, and one is the Internet is used to some extent, to a large extent for people to go into various forms of offering goods and services, and there's people who buy from them. And there's a degree of fraud going on. And there's a concern that those who are buying need the ability to validate the quality of the person they're buying from.
And my first question is how is that situation handled under the privacy laws in Europe? And my second question, which is related, is law enforcement. How do we know what kind of access to give to a law enforcement person? How do we know who a law enforcement person is? How do we know they're acting in their scope of authority? To what extent do we notify the data subject that the law enforcement is even looking at them?
Those are my questions.
Diana Alonso Blas: Well, I hope I remember them both but I will start with the first.
Well, I will start with the second because probably I remember it better. As to the law enforcement question, I would say our legislation in Europe has specific provisions for law enforcement. Article 13 of the directive has a number of exceptions that need to be implemented in national law. So indeed, if you're confronted with a situation in which you are not completely sure whether you are acting according to these rules, I would say, well, why don't you then contact the data protection authority of your country and make sure you're fully aware of the situations in which you can provide this information to law enforcement or not.
So there are indeed provisions for that but make sure you are sufficiently informed and, indeed that, the law enforcement agency is acting according to the powers as well.
There are provisions for that.
As to the first one, I would say it is also so in Europe, according to many pieces of commercial legislation, also the e-commerce directive and other directives, that individuals who undertake professional or commercial activities have to identify themselves. It is also in our data protection directive that when an individual collects information from a person, they have to identify themselves. So we are in no way opposing that.
What we are saying is that, first, we have to make clear exactly what data needs to be collected and published in these cases, and second, as I think has been said by others as well, there might not be one single solution that fits all the cases, and we might need to think of different regimes for different kinds of uses and cases of people having a domain name. And I think to that extent the person following me will give a good example of different solutions that have been found.
Thank you.
Michael Roberts: Thank you very much, Diana. The next speaker is Bart Boswinkel from the Netherlands who will speak about Whois from the perspective of the national registries.
Bart Boswinkel: Sorry.
We tried it this morning.
(Pause.)
Again, this was Murphy's Law.
I tried it this morning and it worked.
So I'm sorry.
I'm speaking here as one of the victims of the European authorities and our national authorities.
(Laughter.)
Bart Boswinkel: I want to explain to you what we have done to, among others, implement the data protection directive which before that was implemented in Dutch law.
And I'll take you through that and some other background material and see how it changed into our naming policy, what consequences it has on our local community.
First of all, give you the short introduction of SIDN, the Dutch registry.
Then I will go into the backgrounds I just sketched.
Then I will go into what does it mean, Data Protection Act, for a registry in the European context.
And then I will go shortly into the new .nl naming policy as of 29th January of this year.
To give you short background on SIDN, we have about 900,000 domain names registered.
This month, we have a net growth of 16,000.
Every month, this is what we know, we have about 2- or 300,000 different registrants.
We have 1500 registrars, and there is approximately 10% net growth of the registrars every quarter.
Then SIDN has 22 FTE, about 25 people working there.
The background.
As you just heard, there is this EU general directive on the protection of personal data.
This is dated in '95.
And this has been implemented in the Netherlands in -- I won't pronounce it in Dutch -- but in the Personal Data Protection Act.
And this was done in 2001, I believe.
So we needed to get up to speed with this Dutch Act on the Protection of Data.
In our case, we went through it and had another legal analysis of the specific other legislation on this.
What was just mentioned, the specific EU directive on personal data and telecommunication, is not applicable.
This one is implemented in the Dutch Telecommunication Act.
And, among others, the Dutch tax legislation has no bearing on the Whois problem, nor does the Dutch Criminal Act. What makes it peculiar in the Netherlands is that in 2001, we had an extensive discussion in the community.
Among others, we asked if the local Internet community wanted to have alternate dispute resolution implemented. Up until then, every conflict over contested domain names had to go to court. This was one of the first questions. And this has a direct effect on the use of Whois.
But I think this is clear. I will not go into details, then.
The second question we raised with our local Internet community: does the .nl name space need to be opened up? Until this year, only Dutch companies, and only Dutch companies, could register directly in .nl. As a result of the consultation of our local Internet community, this was opened up.
So this is implemented in our naming policy as well.
And the third question, which I will go into more details about is regarding the Whois.
And there were specific questions to our local Internet community: what kind of details do we need to provide in our Whois?
What is the proper level of protection of privacy? Should it be opt in? Should it be opt out? Should we have a limit on queries? Should it be given only to specific groups? These were more detailed questions.
Now you see the quantitative restrictions and the number of queries is another one.
And opt out is another one, as I just mentioned.
Now, as a result, it was clear that we needed to change our naming policy.
Among others, for implementing the alternative dispute resolution and to open up for non-Dutch companies.
In this process, we need to do something with our Whois as a result of the consultation and to implement the legislation.
When we started, and even during the consultation, we ran across some different categories of questions.
And this is what we called the balancing of the perspectives.
Yeah, from a registry point of view, a very important question is, are we going to implement what the lawyers have been thinking of operationally and technically? And what does it mean?
The second one is, how do we deal with the solution we came up with in our new naming policy? And to whom do we provide Whois information?
And the third one is, and I will go into more detail, what are the interests of the stakeholders?
First, we defined the issue as I just said.
This is the more technical operational.
One of the things we have encountered in discussions with the local Internet community is a misunderstanding or non-position on the Whois.
Some think of it as a function and that is, if you talk to lawyers especially, they think of it as a function.
Others think of it as a protocol.
And these two worlds are quite far apart.
In order to structure the discussion, you have to explain what are the effects of what you are seeing in the terms of protocol and this is from the technical perspective.
But the technicians need to know what some lawyers think of it functionally and how to translate this into technical operations.
One of the things we have encountered among the lawyers is, most of them are very much focused on providing Whois services on the web.
So if you, for instance, go to our web site, what you see there is you can have a Whois query, and then they think, okay, we can work on that.
What they forgot, and what they even didn't imagine, is what I have called command-line requests.
So these are these UNIX commands, I think it's port 43, to send in very massive Whois requests.
And if you really want to protect privacy, you need to go through that direction.
But they're not aware of the existence of this way of sending a Whois request.
Another thing we encountered, and this has especially something to do with the UNIX or the Whois protocol itself, is that it is transactionless.
And what I mean by this is, if you send in a Whois request, it gives an answer and then the query is stopped.
Now, what data protection officers really want is that you give them a warning, and then they click the button and make a request, and then it is sent back in.
Now, if you do this at UNIX level on the command line, it's impossible.
You break up the protocol.
And we needed to explain this to all the lawyers involved and all other people involved.
If you want to implement this, you will break down the Whois.
Another thing, and this is very difficult to explain to IP lawyers sometimes, is, the Whois is not necessary for the DNS.
There are registries out there who don't have a Whois.
And they function very nicely.
They don't.
So in order to have a Whois, you have to specify other peculiar or other interests in order to comply with your Data Protection Act.
This was one of the things we encountered which was very difficult, especially for IP lawyers: they have to state their interest, why they want a Whois.
And this has consequences for your naming policy, as you will see later on.
Now, in the Netherlands, and this is, again, functional, besides the Whois, we have what we call an "is" function.
Now, to show you the difference, I have two examples.
This is an ordinary Whois query if you use the web site of SIDN.
You see some details. They're not relevant. It's our own domain name.
Yeah, this is what people think of as an ordinary Whois request.
And what we see a lot is that most people use the Whois to see if a domain name is free or what is the state of a domain name.
Now, for that matter, we have another function, which is called the "is." Now, I have specifically chosen this name because it shows you don't see any contact details in the "is" query.
And what we've done with this one is, this domain can't be registered.
That's why I have chosen this one.
But you see that it can't be registered because you have the information, domain is excluded for registration.
This is the kind of information you cannot provide within the Whois in an ordinary manner.
So, going back, to structure the whole issue of the Whois and going into more details about what does a Data Protection Act mean for a registry.
The first thing is, as has been indicated, the definition of processing of data in Data Protection Acts is very broad in Europe.
It includes the collection of data, the provisioning of data, and deletion of data, among others.
As a consequence, if you want to implement a Data Protection Act in your naming policy, you don't have to focus only on the Whois itself, but you have to focus on the whole process.
You start with the collection of data for whatever purpose you want.
So you start at the start of the chain, and it ends at providing this data in the Whois and even beyond that, if somebody wants to delete a domain name, what you do afterwards.
So you have to take care of all of these elements in the whole chain in your new naming policy.
Another thing, and this has been touched upon as well, is what is called in the Dutch literature the double necessity criteria for the processing of data.
First of all, and this is important as well, and this goes back to the collection, the purpose for processing, so the purpose for collection and, for instance, for providing, has to be legitimate.
This is very important.
So you can't just collect data for whatever purpose you want.
You have to state specifically for what purpose you want the data, either in your database or in your Whois.
The second one is that the data has to be adequate.
That means it has to be within the limits of the purpose.
So, for instance, if you want to provide data to direct marketing institutions, you have to specifically state in your naming policy that the data that has been collected from the registrant is used for direct marketing purposes.
And this has another impact on the data and how you deal with it than, for instance, if it's only there for your own processing of registrations.
Now, a third consequence of implementing the Data Protection Act is that you need to inform the registrants about the processing and the purpose for processing.
It follows logically from what I have just said.
And a fourth aspect which is very important for a registry to take into consideration is, you need to check if your security auditing and tracing capabilities are in line with the Data Protection Act.
Now, as I just said a couple of minutes ago, the Whois is not necessary for a registry to fulfill its core functions.
So if you want to have a Whois, if you want to provide Whois information, there need to be other interests for which you provide these data.
As a result of the domain name debate in 2001, there are in fact four core purposes, four specific purposes for which you want to provide the Whois.
One is, and I think people feel very comfortable with this within the room, is to solve technical problems.
The second one, and this is more on a registrar level, but even on registrants' level, is you want to check your applications.
Do I have one? Is it registered correctly? Is the data that's been sent in, is that correct, yes or no?
The third one, and this is a result of the domain name debate as well, it is a legitimate purpose to provide Whois information for the protection of IP rights.
IP rights or IP rightholders do have a legitimate interest in having the information in order to protect their trademarks or the other rights they have.
And the fourth reason to provide the Whois information is to prevent and combat illegal and harmful content.
I think it speaks for itself.
Now, taking all these perspectives and interests into consideration, what was the result? What did it mean for the .nl naming policy?
First of all, there is a legal consequence.
As a result of implementing the data protection and the use of Whois, we have specific clauses in the registrants' agreement and specific clauses in the registrars' agreement and we do have specific regulation on the personal data in the .nl registry.
I will go into more details, but not too deep.
And the second consequence, which is more operational and in some cases might be very costly, is that there is now a general limitation on Whois queries of 15 per IP per day.
Per IP address per day.
This was a result of the domain name debate itself.
The number itself, yeah, it could have been 10, it could have been 20.
But at the end of the day, you come up with a very low number which makes it possible, for instance, for IP lawyers to check if somebody has a typo of the name, yes or no.
And there is an exemption for the registrars because they need the Whois for their own business purposes.
And this is an added specific purpose.
And they have the possibility of 5,000 queries per day per IP range.
Going into the details, some of the details in the different contracts we have, one of the important things is that through the contract, we inform the registrant on the collection of personal data and we inform them that some of the data they send in or that's been kept to provide the service, is publicized in the Whois.
It's not all the information.
Some of the information.
What it provides for as well is a specific possibility for opt out.
And the opt out, it has a few consequences.
First of all, as a result of the domain name debate, the specific purposes for providing data in the Whois are stated.
These are legitimate interests.
And, in principle, what we say is, if you want to have a contract, fine, and we provide the Whois.
But the opt out is now this way: If your interest in privacy is -- how should I say it? -- you have more interest in your privacy than in the other legitimate interest, then we will not provide it.
Basically, we do provide and you have to come up with very, very good reasons to use the opt out.
Until now, we had about I think 900 requests.
There were just six granted.
But it has an impact on the registry to judge these.
And this is in the contract as there is a general limitation on Whois queries.
But this is the one we implemented operationally.
Now I want to go into more details into the SIDN regulation on processing of personal data.
What's in there is that you see what is the purpose for processing.
I'll go into more detail.
The role of the registrar and registrant is defined in another way.
It is defined now in the terms of the Data Protection Act.
And this is one of the difficulties you will encounter if you want to implement the Data Protection Act in terms of the registry/registrar model: the roles in the registering process are different from the roles as defined in the Data Protection Act.
So you have to make a translation of these two roles.
But I will not go into the details of it.
For that and what is in this regulation is that the data is included in the registration database and that the data is provided to the public.
Now, what is important, and going back, is this is the double necessity criteria, for what purpose do you want to process the data?
The general purpose is -- I think you can read it -- is just for processing the applications of registrants.
The second one is, if you want to change from one registrar to the other or you want to move your domain name or transfer it, it is necessary to check if you are the legitimate person who can make these changes. We want to provide and we want to facilitate registrars in their work. And it is for inclusion in the zone file. So that's more or less a technical reason. But this is stated explicitly. Now, this is just for the registry to function properly.
In order to provide the information into Whois, we have some specific purposes. And these are the specific purposes that came out of the domain name debate. I will not go into the details again of that.
But what was the result of the domain name debate as well is that our local Internet community didn't find it appropriate to use the data for marketing or other nonspecified legitimate purposes.
So if somebody, a direct marketing agency, comes to the .nl registry to ask for bulk Whois information, we will not give them the possibility to use it. Nor are registrars, although they don't have the information and thus aren't allowed to provide the information.
Okay. This is what we have done in the past. I want to end with some concluding remarks.
I hope it's clear that the Whois is a very broad problem and has consequences for a registry as a business; it has legal consequences; it has consequences for the public. That means the registrant and the other stakeholders. And there are for the registry some technical issues involved.
And one of the things we have encountered, and I think this will go on in the debate we have here today and maybe tomorrow as well, people have different perceptions of the Whois. And it's very, very difficult to make clear to the other what you mean and what you are talking about.
Another one, and that's one of the reasons why I'm standing here, is there is no one-size-fits-all solution to Whois.
I think what might be clear is, we found a way to implement, at the end of the day, the data protection directive from the EU and balance it with interests in our local Internet community. And this balancing act is specific for the Dutch circumstances.
For instance, the specific use of the data probably in other registries in other parts of the world, you will define other specific purposes. As I have shown, we have a lot of registrars and it's very easy to become a registrar. So we can live with a limit of 5,000 queries a day. I think in the dot-com environment, this would cause a problem. So it's very clear you have to live with your local circumstances.
And what makes it very difficult for a registry, for instance, is the assessment of the individual opt out. These are cultural circumstances which determine what you within your environment think are legitimate reasons for opt out. And this has to be done against the assessments of the other interests, as we specified.
So this is really nitty-gritty work.
I thank you.
(Applause.)
Vinton Cerf: We have several questions.
I see Karl Auerbach.
Karl Auerbach: Well, the mic -- there it goes.
I thought I heard you say some inconsistent things.
I want to get clarification.
I thought I heard you say that when an intellectual property person makes an inquiry, they have to state the grounds and the reasons for their inquiry.
And yet later I heard you say that you confer automatic legitimacy upon anyone making a query based on the claim of intellectual property rights.
How do you resolve those or did I just mishear?
Bart Boswinkel: As I said, the Whois is not necessary for DNS.
And this is one of the reasons we started the whole process with our local Internet community what you think are legitimate interests.
And it was not taken for granted that IP interests are legitimate interests.
But as a result of the discussion, the community, our community, felt that IP addresses or the protection of IP rights is a legitimate interest, and this is the reason why we provide Whois information.
Karl Auerbach: But I have a follow-up.
You've mentioned that there was -- one making inquiry has to provide an explanation of why they are making the inquiry, state the facts upon which they believe their rights are being infringed.
Do intellectual property people have to say that?
Bart Boswinkel: No.
Again, I think maybe this was a fault in my explanation.
If we provide Whois information, this is limited, limited in the sense of you may make 15 inquiries a day.
That's it.
IP lawyers don't come to the registry to ask for more information.
The balancing act which I just explained is from a registrant who wants to have an opt out.
For instance, IP rights interest is a legitimate interest, as we concluded for this consultation process.
If somebody comes in and says, "I don't want IP lawyers on my back because I infringe them a lot,"
(Laughter.)
Bart Boswinkel: there is no legitimate interest for him to use the opt out.
And this is what we do.
We have one set of legitimate interests, as defined by the local Internet community, and on the other side, somebody, a specific registrant wants to opt out of the Whois.
And because we have stated this, his interest has to have very specific reasons why he doesn't want his information in Whois.
I could give you an example, for instance.
We have granted an opt out for a policeman who's doing undercover work.
And he wants to use the domain name for his e-mail addresses.
So he doesn't want to have his personal data in the Whois, because, as you can see, we provide a lot of information.
Maybe that (inaudible).
Vinton Cerf: I don't see any more. I don't see Amadeu's hand up, either.
Okay. Thank you. Michael.
Amadeu Abril I Abril: I'm tired.
Michael Roberts: Thanks very much. That was, I think, a very interesting and useful presentation.
Now we're going to hear from Jane Mutimear, who will speak to us on intellectual property uses of Whois.
Jane Mutimear: Thank you. My name is Jane Mutimear. I'm a partner with Bird & Bird in London, and I'm president of the Intellectual Property Constituency.
I'm very grateful to the organizers for asking me to speak.
I wasn't quite so grateful when I first got the e-mail, because it was asking me to speak about the IETF. I thought this might be a way of keeping me to my 15 minutes, but Mike kindly pointed out it was meant to read IPR, which I know a little bit more about.
I'm going to be speaking about the uses which intellectual property lawyers and intellectual property owners make of Whois, just so people who don't deal with this on a day-to-day basis know what we get up to and why we think access to Whois is important.
As a start I'd like to debunk a few myths. This is based on some of the feedback I've got in various forums where we've been discussing the enforcement of intellectual property on the Internet.
A lot of people seem to think that intellectual property owners, they're just huge, big international corporations with unlimited budgets. They can find a way of enforcing their rights regardless.
Now, obviously, there are huge intellectual property organizations which own intellectual property on a worldwide basis, but there are also small companies to whom enforcement of their intellectual property is equally important to them.
I've also heard that enforcement of intellectual property on the Internet just assists intellectual property owners. And it does that, but it also helps prevent consumer fraud and confusion. And some of the examples I'm going to come on to in a minute will show you that.
And I've also heard it said that Whois doesn't really help you. Whois just helps you to harass the innocent, because anybody who is up to no good isn't going to put in their accurate details. Actually, that's surprisingly often not the case. We often get immediately in contact with the person who is infringing by using Whois. Or there's enough information there, which, then using other sources, leads us to the perpetrator.
So what do we use Whois for? We use it to find the registrant of a web site which is offering infringing products either for sale or at an amazing discount so we know it's not the real thing, or often for free.
I suppose where you've got something offered for free, one of the discussions I've heard go on is, well, for commercial purposes, maybe Whois is okay, but for noncommercial purposes, there should be no requirement.
Now, if you're offering a free download of software, is that a commercial purpose? The registrant isn't actually getting paid. He's quite entitled to turn around and say this is a public service I'm offering here; this isn't commercial.
And these are examples that either I or some of my other colleagues have dealt with over the past few months. These aren't particularly exciting examples. This is run of the mill stuff that we deal with on a day-to-day basis.
We had a month or so ago a client of ours who provides encryption software. They'd just come out with their new version, and then found it was available for free download on a site.
We used Whois, and it was accurate, and we got it taken down very quickly.
Another one, which one of my colleagues is working on at the moment, is a site which is devoted to a particularly famous doll, and it offers cheap versions of this doll which we believe are counterfeit, we're just sourcing some of them, and we're also very concerned because they run an affiliate program which encourages young girls to provide the names and addresses of various of their little friends in order to win money. And we're concerned that these children are providing names and addresses of their friends in the belief they're actually dealing with the organization they know and trust.
And we heard another example a couple of months ago where a client of ours was threatened with an action by a consumer where the battery in their mobile phone had exploded whilst they were using it. It turned out that it was a counterfeit battery, which they had got off a web site selling various counterfeit products, and we located the registrant of that using Whois.
Now, we often deal with software or other copyright-protected products which are available not on a domain name but under an ISP, under a Geocities or Tripod web site, for example. And there we use Whois to contact the ISP, so we can send a notice and take-down to them.
There are other examples where there's not actually anything being offered for sale on the web site which would infringe intellectual property rights, but the web site itself infringes.
For example, it's designed to look as if it's from one of our clients, an intellectual property owner. And this mirrors what Bruce was saying earlier about spoof sites for registrars. Registrars aren't the only ones who come across this. Many people do. If I click onto my next slide, this was a site which consumers were led to from an SMS message sent to all Vodafone users in the UK telling them in order to win one of the new Nokia picture phones to go into nokiagames.info and enter their information and then they stood a chance of winning a phone.
They go through to nokiagames.info. The background here is lifted from Club Nokia, so if people are used to dealing with Nokia, they would recognize the Club Nokia style. The photograph there is a Nokia photograph which is being used to advertise this phone to the public. And then, on an insecure site, it asked you to enter your name, address and bank details in order to win the phone.
The Whois details for this site were accurate. A letter to them explaining that we weren't awfully pleased about this sort of behavior resulted in it being taken down within, I think, two days.
And the other sort of infringement which we come across is where the domain name itself infringes the client's rights.
Just recently we had a well-known telecom company hyphen shares, but it was in German and I won't embarrass you with my German pronunciation, but if you went through on that web site, it took you through to hard-core pornography and the client wasn't happy about that. The Whois detail was not accurate, but there was enough there which, using other sources, led us to the culprit and we got it taken down.
Occasionally, although it's very rare, actually, that I come across this now, it's where a client is concerned about a domain name which is registered but it's not being used. I normally come across this now when there's a merger or takeover of two companies, and nobody has given much thought to what the two companies, if the merger goes ahead, are going to be called. Then they announce it on day one that the two companies have merged. Day two they start thinking, oh, I think we'll call ourselves the two companies' names put together, and then they discover that somebody has registered them.
So, really, these are the main uses by intellectual property owners of Whois. And it's not the only way we trace people but it is a very important way we trace people. And we often get things resolved very quickly without actually having to go to court and all the expenses involved in that.
But another area which is very important to all companies, but in particular, companies with large brand portfolios, is portfolio management.
Portfolio management is a rather sophisticated term for "what the heck have we got and where the heck is it?"
Now, companies' domain name portfolios have grown up haphazardly, and that's because domain names are easy to register and relatively cheap to register. I've never had a conversation with a client where I asked them, do you have patent protection for this product, and they said, well, gee, marketing might have got one, or ask Bill in IT, he does our patents, but he left three weeks ago, I don't know who is doing it now.
People have a system and it's followed. Whereas with domain names, people are only relatively recently bringing in procedures for registering their domain names. And even then, if you've got a procedure and a policy, you've got to rely on people reading it and actually following it.
So what you tend to have is domain names scattered around the company, different people being the contacts, different ISPs being the contacts. Often old domain names which were registered with the ISP as the contact and then the ISPs change and no one has gotten around to dealing with these domain names.
And brand rich companies have the largest problems because they've often registered a lot of domain names in the names of their brands, and done by the manager responsible for that product and he's now gone on to something else and tracing what you've got is very important, because even though domain names are very easy to register, they can become very valuable assets to the company.
And Whois is used in order to try to figure out what companies have got and try to put it in an organized manner.
And Whois is used to check not only what companies have got but which registrar they used for that, whether they kept the contacts up-to-date, whether they've got the right name servers on there. Is that why the web site is not resolving, why the domain name is not resolving.
Now, for this, of course, reverse lookup is very important. When I was trying to sort out Bird & Bird's domain names, I really wanted to type in Bird & Bird as registrant and see what we owned. In the end I had to use a provider which could provide me with reverse lookup, and I ended up having to type in twobirds.com as the e-mail address to figure out which partners around the world had got up to registering our domain names.
Also, Whois is used by businesses to assist commerce. In any due diligence on a corporate acquisition, the company being sold has to give undertakings and warranties that this is everything we own. Included in that now, you have all your patents, trademarks, and you have to list all your domain names. You actually have to be sure what you own, and also the company purchasing will need to do due diligence to see whether you really do own those and whether there's anything else which you do own which you're not declaring.
And also legitimate markets in domain names. When I'm clearing brand for a company, they'll say we've got five brands quite alike, which can we use and get registered? We will look at who owns the main domain names around that brand.
Now, if you come across a domain name which has been registered by someone for a few years but never used, there's quite a good chance that they'd be prepared to sell it to you so you could go ahead with that brand. You need to be able to contact them to say are you interested in selling this domain name to us.
And from the perspective of the person who is contacted, they want to know how valuable is this domain name? What other domain names are there out there around this domain name which would make it more valuable to the person approaching me?
And it's also used by liquidators who, when they go into an insolvent or bankrupt company figuring out what assets the company has in order to sell off in order to get the most they possibly can for the creditors, and they use Whois to see what the company owns.
That said, it's not all rosy at the moment, and we do experience problems with the Whois. There are problems with accuracy. And there are problems with the lack of centralization, it being split across different registrars and ccTLDs, because in different jurisdictions, .nl, .uk and others are all ones they use, and they don't think through that there are different policies and approaches to these.
The lack of easily available reverse lookup certainly hampers portfolio management. And there are problems with bulk Whois, because this is what gives the third-party providers the information which we need in order to give us reverse lookup, and the experience of that not being available or being refused gives rise to problems.
Now, if Whois access is restricted so that it can't be used in the ways I've just described, this will hamper protection of intellectual property on the Internet. And that will lead to harming consumers' confidence, because it will be slower for us to take down sites like the nokiagames.info site.
Consumers need to be confident in e-commerce in order to be confident that they can use it and hand over their credit card details without unpleasant things happening to them.
And it will also seriously impact registrants' ability to manage their domain names. And I think it's likely to lead to domain losses, because registrants can't check what they've got and when it's going to expire and who they've got it registered with. And it will also lead to further fraudulent practices. Bruce was talking about the spam which registrants get saying your domain name is about to expire, click here to renew, and what you're actually doing is transferring it to them.
I had one of these just a few days ago and I was thinking "I really don't remember using this registrar. I hate this registrar. I'm sure I wouldn't have used them." and I thought actually, it was a domain name that I transferred from somebody else so maybe it was their registrar. Perhaps I should renew it.
And the way I checked is I went into Whois, looked up, and saw that they were not the registrar, and in fact it wasn't about to expire.
Now, if I hadn't been able to do that easily, I may well have panicked and thought, well, just to be on the safe side I better go through and renew it with these people.
And I think that's all I have to say.
(Applause).
Vinton Cerf: Are there questions? Amadeu was your hand up? Yes. Okay. And then Karl.
Amadeu Abril I Abril: One simple question. Well, it's not that simple. It's not well-intentioned to be honest.
(Laughter).
Amadeu Abril I Abril: Why do you need bulk Whois access instead of, for instance, zone file access where you can run the automated searches and the strings that will match intellectual property and then go for individual searches into the Whois for the names where you have discovered a problem?
Jane Mutimear: Let me say what we need it to provide and then maybe you can tell me whether this zone access type thing would exist.
For example, where I'm trying to find what domains Bird & Bird have registered, at the moment, I can't go onto web-based access and type in Bird & Bird as the registrant and have a list of what domain names we have. So that's why we go to a provider who has purchased the data from all the registrars through bulk Whois who then provide the reverse lookup facilities. So unfortunately, Bird & Bird is a terrible name when you're talking about searches, which is why I ended up having to do it another way, but let's say I was Nestle, putting in Nestle UK, Limited, and then having a search result showing me which domain names were registered in the name of Nestle UK, Limited.
We also use it when we have what we think is a cybersquatter and we want to check what else they have registered.
Now, sometimes it's completely obvious that somebody is a cybersquatter. Sometimes, particularly when a domain name hasn't been used and they could potentially have a legitimate interest, you look to see what else they've registered. If they've registered domain names which incorporate lots of other brand names, in different fields, chances are that they're not a legitimate user.
So those are the sorts of things which we need to be provided or we need somebody to be able to provide to us.
Now, whether the thing you're describing could do that, I'm not sure. But if it could, that's fine.
Amadeu Abril I Abril: You're right, it doesn't. But by a historical accident, searches by domain name holder were available on dot com and dot org until a company decided not to provide that anymore. Then you are forced to pay the $10,000 for the bulk Whois. But the net result we are discussing of this two-tiered result is perhaps a little well beyond what we were trying to solve. I am in favor of web-based domain holder searches, as I am in favor of being able to -- I mean at least availability, if not publicity -- but that is of the historical changes of these domain names, because this is something I haven't heard today. And for IP enforcement and law enforcement, it's often very critical as well.
But you know the result of not being able to allow it to be web-based and then force it as a registrar to license the bulk Whois to anyone who asks and pays, it's a bit like burning down the house to roast the chicken.
Jane Mutimear: I can see there are problems with the bulk Whois from the registrar's perspective. What I was trying to do was explain the good things which come out of the bulk Whois from our perspective. Now, if they can be achieved in some other manner, you know, bulk Whois can go by the by as far as I'm concerned. As long as the sorts of uses which are legitimate which it currently gives rise to can still be met.
Vinton Cerf: Karl.
Karl Auerbach: Yeah, the first is I wanted to ask my first question: there used to be, a long time ago, a mechanism which used things called handles, where I could type in KA4 or my two handles and get back the list of domain names I had. That system seems to have disappeared.
But the other thing is I'm looking, trying to come up with analytical frameworks to try to deal with this privacy issue, and one which occurred to me while listening to you was that you were talking in many instances about getting at data which pertained to an existing business relationship to which you were a party: you and the registrar, you and the person you're merging with or acquiring or doing the due diligence on. They all have business relationships with the registrar. And for example, you don't really need to use Whois. You could ask the partner you're acquiring to get a certificate of ownership from the registrar, if they issued those sorts of things.
So I look at those things as getting at your own business data.
The third-party accesses, where you're looking in at something else and acting in some extent as a law enforcement capacity like where you were concerned about the data mining of children's addresses. And I'm really concerned about the extent to which you're using that as a justification sort of becoming a self-law enforcement agency and I'm concerned about how far you go down that path because at a certain point we become vigilantes and I think that's a bad thing to be.
Jane Mutimear: I think every country that I've dealt with gives intellectual property owners the right to enforce their rights.
Now, when we're going against these people who are downloading, who are offering client software for free download, if they turn around and say, no, we're not going to comply, then we can take them to court. Taking people to court is not becoming a vigilante. We are enforcing patents and rights by Whois. And people can be abusive in relation to their intellectual property rights in court. I don't really see that what we're doing when we're trying to enforce intellectual property rights on the Internet, particularly the sorts of examples I was giving there where there is an obvious consumer benefit from the fact that the copyright owner or the trademark owner will take action quickly.
I mean, it would be great if we lived in a world where I could just ring up the police and say, "Oh, there's something here I'm a bit concerned about," and it was dealt with by the next morning. But I'm not sure what it's like where you're from but it's not like that in the UK.
Karl Auerbach: Let me just follow up on that. Where you are protecting consumer rights is where I start getting concerned. It's like do I, in order to protect my own health, have the right to inquire into the medical records of everyone sitting out in the audience to make sure they don't have SARS? That logic goes to that extreme if one follows it.
Jane Mutimear: If you go back to why trademarks exist, trademarks exist to protect the consumer. A company isn't given a trademark as a reward for being terribly inventive in the same way that they're given a patent. People are allowed a trademark because in order to prevent other people from confusing the public.
What we're doing here when we're enforcing trademarks on the Internet essentially goes back to confusion of the public. If somebody is doing something which confuses the public by using somebody's trademark, then we have rights, or the owner ha