ICANN Whois Workshop in Montreal
Real-Time Captioning
25 June 2003


Note: The following is the output of the real-time captioning taken during the ICANN Whois Workshop held 25 June 2003 in Montreal, Canada. Although the captioning output is largely accurate, in some cases it is incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.


Vinton Cerf: Good morning, everyone. My name is Vint Cerf, Chairman of the Board of ICANN. And I'm pleased to open up this second session of the Whois workshop.

We will spend about four hours, I guess, this morning going through more material in a panel discussion, and then later in the day, we will have the traditional open forum for comments from the attendees here at ICANN. So with that morning introduction, I will turn this over to Michael Roberts. If you want to introduce the first session, Mike.

Michael Roberts: Good morning. It's my pleasure to introduce to you the Chairman of the Government Advisory Committee, Sharil Tarmizi, who will kick things off this morning.

Sharil Tarmizi: Thank you, Mike. Good morning, all. I hope we're all awake. I'm about half awake. Good morning, Vint and fellow GAC colleagues. It's nice to be here.

I'd like to welcome you to the second day of our workshop on Whois. Yesterday, we had a series of very informative sessions to explain how the Whois database works and the various uses of and interests related to the Whois database. I think we all received valuable education on the complexities and the questions in this area. And I hope that the tutorials have answered many of our factual questions. I know for me, certainly it's helped me in my understanding a little bit.

This morning's panel or panels will build on these tutorials. Both panels will be looking at the policy goals, which are often in tension. These public policy goals include law enforcement's access to Whois data, the role of Whois data in enforcing intellectual property rights, concerns about privacy, data mining and other consumer rights and protection issues such as freedom of speech and spam.

On each panel, we have representatives from the varied public policy interests, law enforcement, intellectual property, consumer interests, and privacy. In addition, we have representatives of registrars, registries, and ISPs, I believe, who are dealing with Whois on a day-to-day basis.

Our goal this morning is to move the discussion forward to better understand the competing public policy goals in using the Whois database, and also to explore possible solutions in addressing all of these goals. And that's not necessarily easy.

Our first panel will address how the various public policy goals can be balanced within the existing Whois system. For example, does the status quo work? If it doesn't, how can it be improved to satisfy our concerns?

As I understand it, our second Whois panel will be addressing new approaches to a Whois system. If the current system is not working, what other models might better balance our public policy goals? Are there existing mechanisms that might be useful? And how would these new models work?

These panels promise to be very provocative and will, I hope, lay the groundwork for reaching consensus on these issues. As a matter of procedure, questions during the panels will be asked by our discussants, who are seated in front of you, who are members of the Governmental Advisory Committee's Whois working group.

Do you need me to identify them, so that you know? I think you know them.

At the end of these sessions, we will have an open question and answer question, as Vint had said, which I'm sure will generate another lively debate.

So without further ado, I would like to introduce my colleague, Mr. George Papapavlou, of the EU, our moderator for the first panel.

Thank you very much, Vint, and thank you, Mike.

George Papapavlou: Thank you very much, Sharil.

Good morning, ladies and gentlemen. I am very pleased to see quite a number already in this room at this early time of the day and after the main work of all the constituencies has finished. So I'm glad to see that many of you are still here and interested in coming and discussing with us.

We had a very interesting session yesterday, and I hope we will have an equally interesting session today. We will have approximately one hour to discuss a number of questions. We have two discussants that will ask the questions, two members of the Governmental Advisory Committee, Alan Wong from Hong Kong is on my left, and Antenor Correa from Brazil is on my right.

And we have a number of distinguished panelists that I will introduce to you immediately. The process that we will follow is that we will go one question after the other. Not all the questions are addressed to all panelists. Depending on the nature of the question, some panelists are expected to be more interested than others. But, of course, that's not to preclude other panelists to give an answer if they so wish.

The important thing is that we keep to the timing. As I said, we have approximately between 60 and 70 minutes. We need to end by about 9:30. And then there will follow a break. Then we will have a second panel. And then we will have the public forum discussion in the end. Therefore, it is not possible to have questions from the floor during the panels. There will be plenty of time at the end.

So let me introduce you to our panelists this morning.

From left to right: At the far left is Tom Keller, who is with Schlund & Partner AG, a large web-casting company based in Germany. He will give us the registrant's viewpoint.

Next to him is Jeff Neuman, Director of Policy at Neustar, who will give us a registry viewpoint.

Next is Diana Alonso Blas, who, as you know, was one of our speakers yesterday, exceptionally for her and for Michael Donohue, because foreseen panelists could not make it, we said we would use people from the tutorials. And we thank both Diana and Michael for agreeing to do both things. Diana is an official legal and policy officer in the European Commission, specializing in privacy and data protection issues.

Then is Sarah Deutsch, who is Vice President and Associate General Counsel for Verizon Communications. She will give us an ISP perspective.

Alan Wong I already introduced to you. He is a Director of Information Technology and Services in Hong Kong, Alan Wong.

Antenor Correa is Software and General Services Manager for the Ministry for Science and Technology in Brazil.

Next to him is Christian Wichard, who works for the World Intellectual Property Organization. He is the head of the legal development section at the Arbitration and Mediation Center of the WIPO. Obviously, he will address IPR perspectives.

Michael Donohue you know from yesterday is in the OECD, specializing in consumer matters, he is a consumer policy analyst.

And further down is Paul Stahura, who is the founder and CEO of ENOM, one of the large registrars. And he will give us the perspective of a third party Whois registration provider.

And, finally, at the very far right is John Logalbo, who is a trial attorney with the U.S. Department of Justice, computer crime and IP section, and will obviously give us the law enforcement perspective.

So without further delay, I think we can start with our questions. I will ask Alan Wong to start by asking the first question.

Alan Wong: Thank you, George. Good morning, everybody. This panel is focused on the current Whois system. I want to begin by asking the registrar on our panel, Jeff Neuman, and also our ISP, Sarah Deutsch, a number of questions.

Is the current Whois system working? What tensions exist in balancing the various public policy objectives of Whois, such as providing accurate and available data, while recognizing that publication of all data may pose privacy and consumer concerns?

Perhaps start with Jeff. Yes.

Jeff Neuman: Sure. I can answer this question.

Actually, I represent a registry. I can give the registry perspective, or would you like Mr. Keller, who represents the registrar perspective? I can certainly answer the question, if you'd like.

Alan Wong: Well, what do you think? Registrar or registry?

Jeff Neuman: Sure. With respect to whether the current Whois system is working, I think it depends on how you define is it working. I would say the answer to that question is, yes, the system is working exactly as it was designed to work.

From a technical standpoint, each of the registries that are required to display Whois information, and now I am talking about generic top-level domain registries, are displaying that information, are taking the information they get from the registrars, who ultimately get that information from the registrants, and display that information.

With respect to, you know, the tensions that exist in balancing the public policy objectives, from a registry standpoint, you need to look at Whois from several different standpoints. And any proposed solution.

You obviously need to consider the legal and policy implications. But you also need to consider technical implications, as well as business feasibility. There are a number of ideas that have come forth both during initial discussions within the community as well as even at this meeting here, and will be discussed later on.

And what we would ask from a registry standpoint is that when these solutions are explored, that even the greatest policy and legal solution needs to consider the costs that are involved and the costs of developing the system, maintaining the system, and enforcing or implementing the system. So I think those are the tensions that, from a registry standpoint, that we see.

Alan Wong: Sarah, what do you think?

Sarah Deutsch: I guess the question is, is the Whois system working? It would be like asking, is the space shuttle flying? We are still picking up the wreckage. There are huge problems. Whatever Whois was originally designed to do, the way people need it now, it clearly is not working. It's filled with inaccurate information, consumers can't find the real owners of web sites, trademark owners can't find infringers, law enforcement can't easily use the Whois database. And criminals are kind of using it as an ever-changing digital shell game. People are gaming the Whois database in a way that makes it unworkable.

So in between public policy issues, Verizon, I think, is in a unique position as an ISP to see that there are legitimate tensions between large corporations with business interests, IP owners, and sensitive privacy concerns. And you know, Verizon has been in a lawsuit with the recording industry.

So we are actively trying to protect our consumers' privacy. So we realize there are these issues at stake. And we think the issues, really, with Whois boil down to two basic policy objectives. One is the issue of the accuracy of the Whois database. And the second issue is the availability of Whois data.

On the accuracy issue, we really think that there can be no compromise. Whois data has to become accurate. There are just too many instances of fraud occurring in this space from cybersquatting to spam, to counterfeiting to all sorts of consumer fraud. Although there is a percentage of people who need or want to remain anonymous, the fact is these people are sharing the same Whois space with a larger number of people who have bad motives to misuse the Whois database. So it really benefits everyone to have accurate Whois data.

And then the question boils down to how can we get to the question of access. And that's, again, how do we do that. There are lots of alternatives. One is for people who want to remain anonymous; you can register with your ISP and remain anonymous through them. At least some of us are still trying to protect your identity.

But I think the difference is that we do have people's real identity. So if law enforcement or others serve us with a valid subpoena, we can comply, but at the same time, people can remain anonymous. We're very interested in exploring the idea of using the proxy services, again, with companies that have responsible practices. And I think the idea of tiered access is very interesting if the technical issues can be worked out.

One of the major tensions, I think, that still exists is what's going to happen with the Whois database. I think if this issue is not resolved in ICANN, when Congress finishes turning its attention from spam, which includes provisions about false domain name headers, they will turn their attention to Whois. And there would be maybe a legislative solution that's not as palatable to people in this room as well as working the issues out here.

Alan Wong: Thank you, Sarah.

George Papapavlou: Would any other member of the panel want to -- yes, Tom.

Thomas Keller: Yeah, hello. If you're talking about Whois, I guess we have to differentiate between certain things.

First thing, what we have is what's intended purpose of Whois was, and right now, what we are actually using it for. If we're talking about the purpose of intent, it's still working quite good, because you still can look up the technical content. That's all Whois used to be about.

When we talk about different things, like law enforcement, IP enforcement, whatever it is that's using Whois now, they are totally different things and we should spend some time on it, you know, whether these services should be fulfilled by such a service as Whois.

Before we are talking about how to do that, first of all, we should take into consideration that there are laws out there in certain parts of the world which have to be abided to by, for example, registrars and partners. So before we talk about extensive rights for IP owners, for law enforcement, we have to look down what happens in the certain countries and certain nations, what kind of laws do they have. And can we provide the data firsthand. Because it has been said during several times yesterday that Whois itself has nothing to do with the domain name registration. And it's just a misconception that you think that you have to force people to display the data if they want to have a registration.

That's it.

George Papapavlou: Thank you. Very interesting. Any other comments before we -- Christian.

Christian Wichard: Just a very quick one.

Whois, from an IP perspective, as we've heard yesterday, is not all bad. It is still quite important. It serves a crucial function also for IP owners. And the function is to prevent and to resolve IP conflicts or to help prevent and help resolve IP conflicts in the domain name system. It certainly has its shortcomings. And several of these shortcomings have already been mentioned. And they have also been explored and examined in the WIPO Internet domain name process.

Let me mention three quickly. First problem, obviously, is the problem of inaccurate data. Second problem is the problem of fragmented access to Whois data. There is no centralized access that would allow searches across all available Whois databases. And the third problem is that Whois databases still offer very restrictive search facilities. You can basically only search for the very exact domain name, not much beyond that.

So those are the shortcomings from an IP perspective. But as a general rule, I think the Whois is important and it at least partly serves an important purpose.

George Papapavlou: Okay.

I propose that we move to the second question, which I will ask Antenor to ask.

Antenor Correa: Well, to give a bit of a follow-up on the answer that was given by Christian, it seemed that accuracy of information is an important issue from several perspectives. So I do want to pose a few questions to three of our panelists. Christian, John Logalbo, and Michael.

The first question would be, if you who are representatives that you use mostly Whois data can obtain if this information can be obtained from other sources in order to address the issue of inaccuracy that are present in the current system, that was identified.

That second question is concerned with accuracy again. Can the concerns regarding inaccuracy of data in existing Whois database be overcome by increasing enforcement requirements in RAA. And does ICANN have the ability to properly police the RAA to the extent necessary to protect all parties or all the interests of the parties involved? And, finally, how can such enforcement be facilitated, if ICANN cannot address it properly?

I think Christian can start answering this, if you may, please.

Christian Wichard: Thank you.

Well, as to the question whether there are other services, I'm not really aware of any other readily available source. In addition to Whois databases, there are value-added services, which then, in turn, often mostly rely on bulk access to Whois data. Otherwise, nothing really seems to be readily available. You can always hire a research service or you can try to hire a detective, but that's probably not an option for small- and medium-sized IP owners.

The question whether concerns regarding inaccuracy can be overcome by increased enforcement of requirements, well, increased enforcement will certainly improve this situation, even though it will probably not completely prevent inaccurate Whois data. Whether ICANN has the ability to properly police the RAA is finally a question to ICANN itself. But I think, at least conceptually, the answer should be yes, at least as far as the gTLDs are concerned. And the reason for this rather positive answer lies, I think, in the contractual structure of the domain name system. ICANN can require registrars by contract to comply with the terms and conditions of the Registrar Accreditation Agreement. And this Registrar Accreditation Agreement even contains, as a means of last resort, an inbuilt enforcement mechanism, because ICANN has a right to terminate the registrar accreditation agreement if a registrar fails to cure a breach of the agreement within, I think, 15 working days after being notified by ICANN.

I think there has already been one such case. The problem in this respect is that this, of course, does not apply to the ccTLDs. How can this enforcement be facilitated? That was also one of the questions.

Well, facilitation of enforcement could take the way of putting verification procedures in place, as ICANN has recently started to do. For example, by facilitating third-party complaints about inaccurate Whois data, and monitoring whether these complaints are adequately addressed by the concerned registrant.

Another option is to request registrars to regularly verify the accuracy of Whois data and understand that ICANN has just recently put a Whois data verification policy in place.

Michael Donohue: Thanks. From the consumer perspective, the question is, is there an alternative to Whois, is kind of a funny one because the answer is of course there is. The primary place you should look to identify an online business is to the web site itself.

The businesses should be identifying saying who they are, how to get in contact with them right on the web site.

Unfortunately, that's not always the practice, and particularly for businesses that are interested in engaging in deceptive or fraudulent commercial practices, they may not be interested in providing accurate contact information right on their web site.

And in such cases, then Whois data may be absolutely key to successfully locating who's operating the site.

Enforcement agencies who are trying to police this may have other tools available, subpoenas, et cetera, but typically, those will take too much time in order to be effective in practice, and then there are also cross-border issues that deal with those. And for consumers themselves, when the web site is not helpful, there really may be no other reasonable alternative at all for trying to locate the owner of the site.

With respect to the questions about the RAA, as I noted yesterday, the OECD has done a paper on consumer policy considerations on the importance of accurate and available Whois data. And one of the suggested approaches at the end talks about the possibility that where a domain name holder has provided false contact information, that the domain name be suspended and rather than making that optional that that be a mandatory requirement; that that's one of the ways that the RAA might be amended in order to help improve the accuracy of data.

Finally, on the question of whether ICANN has the ability to properly police, I think that's a question for ICANN. I think the recent efforts that they've taken to improve enforcement here have been helpful, and whether they're enough I think is an open question.

Thanks.

John Logalbo: On the first question, whether those who use Whois data can obtain the information from other sources, I want to say very bluntly on behalf of law enforcement, and other constituencies as well, the short answer is no. Law enforcement needs open, publicly accessible Whois data to fight crimes like fraud, piracy, even hacking or child pornography, and others need it to vindicate civil claims as well.

Every other source for this kind of information, and there's many of these sources have been touched on, including going to the ISP, the web hosting company, credit card processors that the bad guys use, so you're following the money trail, or even a proxy agent for the registered domain, every one of those sources involves law enforcement getting data from a third party, and that almost always requires legal process.

The simplest form of that process is a subpoena, but there are other more complicated forms depending on the sensitivity of the information sought, up to and including court orders.

The difference between getting a subpoena and serving it on a third party and direct, immediate access to the database from a desktop is night and day.

Maneesha Mithal at the FTC talked yesterday about the FTC's surf days where agents look for fraudulent or deceptive web sites and follow-up with warnings and cease and desist letters. Very effective means of law enforcement; impossible without full access to the Whois database.

And in more intensive, traditional law enforcement investigations, you've got to open a case file in order to even request a subpoena. And once you've got it and you've served it on a party, you're now dependent on the actions of that party. Sometimes law enforcement or a prosecutor needs to make a motion in court to compel compliance with a subpoena. So even in the best of circumstances, you're talking about injecting delay and costs and resources in the form of manpower into the investigative process.

You also heard Maneesha talk yesterday about the need for speed when you're chasing fraud on the Internet. And that's obviously true for other types of crimes as well.

And everyone also has touched on the second concern. Let me flesh this out a little bit.

Once the investigation crosses international borders, requiring formal legal process, which is what we're talking about as an alternative to Whois access, creates very substantial delay and complexity. The tools available to law enforcement in this context need updating. Technology has clearly outstripped the law in this context.

And streamlining the methods of international cooperation is a very laborious process, involving government-to-government institutional changes at the highest levels. Treaties, bilateral arrangements and so forth.

And anyone here who was involved in the negotiations for the Council of Europe Cybercrime Convention can tell you just how difficult that process is.

So to take away a tool like Whois that cuts through the layers of complexity and delay in international investigations in particular would be very damaging to law enforcement.

So in my view, there are no satisfactory alternatives to open, public access to the Whois database, by law enforcement agencies and by others.

And on the second question, I am, by no means, an expert. I have not been involved in the ICANN process. But it seems to me that as between ICANN and the registrars, some kind of intermediate remedy ought to be available, something more realistic than a total revocation of a registrar's accreditation. I think it's hard for ICANN to police the accreditation agreement when the only thing it has is the equivalent of the atomic bomb. Obviously, registrars should be required to keep up the initial verification at a minimum and reverification pursuant to reminders every year or so, and the idea that was also posed here, requiring responses to third-party complaints I think is a very good one.

And finally if the name holder fails to comply with requests, I think a temporary take down or suspension of the domain should be considered.

Andy Mueller-Maguhn: Excuse me, a small question for clarification. You said asked for public access to the Whois database. Could it be accredited access for public agencies instead of public access?

John Logalbo: The answer is no, and I would like to clarify this further. I'm not sure this is the appropriate point. But it's important for law enforcement that the access be public because as soon as it is unpublic or accredited, then issues arise whether law enforcement needs a form of legal process. And for the reasons that many of the participants have outlined here, once you get into requiring legal process for acquiring this data, then things get much slower, there's delay, and you're basically in a losing battle chasing criminals who move very fast with technology.

The other aspect is that it's very important for law enforcement that others have access to the Whois database. Not just law enforcement agencies. It's extremely important that intellectual property rights holders have access, it's important that consumers have access as Michael Donohue has pointed out several times, because law enforcement cannot do it all. There are hundreds of civil claims established in the law that can only be enforced by private parties going to court. And to take away the initial step for private parties to investigate those claims would place a burden on law enforcement that the current system cannot handle.

George Papapavlou: I'm sorry, I cannot take questions I said in the beginning. The questions will only be asked in the public forum. That's because we only have a very short time for the panel discussion.

Karl Auerbach: Just a quick clarification. You said the criminals or the accused criminals?

George Papapavlou: I think this question can be asked in the public forum. It is noted. The public forum, more panelists will be here and they will be answering the questions. We need to proceed.

Any member of the panel wanting to make any comment? Yes, Diana, and then Jeff.

Diana Alonso Blas: Thank you very much, George. I will try to be short. How can I put it in a polite way. I think we have to be very clear in the fact that we need to balance different interests, and I want to make sure that those who really need to get access to the information should have access to the information.

But on the other side, I think we have to balance the need to protect the human rights of people, including the right of protection of privacy.

If there is another solution that would still give those who need access while protecting the individuals, we'll have to look for that.

And I think the solution that was proposed on the other side of the table by Andy Mueller could be one, make sure there is a restricted by sure access to those who need it. So I think we need to look for a proportionality solution that will allow those who need it to have it but without compromising the rights.

As to the second part of the question, the question of how far can ICANN police the whole package and so forth, I think it would be necessary to police the whole package of obligations that we have, not only the question of accuracy, but also the privacy provisions that are included already, and there is also a clear need to improve these privacy provisions. But to police a part of them without the other would not be very fair for the individuals, I would say.

Jeff Neuman: Just a quick question for law enforcement, and since I'm up here representing registries, not just .biz that's located in the United States but also other registries located elsewhere in the world, the question for law enforcement, since they clarified their answer to say open, public access, and I obviously don't expect an answer now and it's one we need to explore, but if the provision or the display of Whois information is a violation of law for the registry or registrar, is that acceptable to catch others that are breaking the law?

So I think that really needs to be considered, and we all understand, and have heard for years the importance of Whois information for IP owners, for law enforcement, for consumers organizations, and the list goes on and on. But now the question is, as a registry, do we break the law to provide this Whois information so that you may catch others who break the law? And maybe the solution is going and trying to get the law changed in that country or countries before requires a registry or registrar to break that law.

John Logalbo: Can I address that question since it was addressed to law enforcement? Very briefly, I can't disagree with anything you've said. If you think that giving the kind of information that's necessary for law enforcement and others will place you in jeopardy of breaking the law in your jurisdiction, then the law needs to be changed. And we've heard here several times that just because something is desirable or useful, it doesn't mean that it's legal.

I certainly accept that, but I submit that analysis is backwards. If something is not only useful and desirable but necessary, and I think that law enforcement and others having access to the Whois data is necessary, then the law needs to be brought into correspondence with reality. And I think that to some extent, technology again has outstripped these legal frameworks. And that's just the natural way of the world. Technology moves much faster than any national legislature does. And so if we need to talk about law reform, I think that should be on the table as well.

George Papapavlou: Sarah, I would like to have this as the last remark for these questions.

Sarah Deutsch: Very quickly, I noted that John made the point that he would prefer the Whois database be open because it's faster and more convenient to get the information directly from Whois rather than from the subpoena process. I don't think the convenience issue is something that really hits home with me as a good argument. We are subject to subpoenas and we comply with them but on the other hand the Whois database we have to remember was developed as an accessible database. People are putting themselves out on the web as offering either products or services when they have an active web site on Whois. But at the same time I can tell you complying with subpoenas is extremely burdensome, takes a lot of staff time. So from a registry/registrar perspective I would think you would want to be out of the debate. It would be easier to have the information out there and accessible rather than being in the middle of law enforcement disputes, which is always a difficult place to be.

George Papapavlou: I think what we have heard will provide very interesting input for our public forum discussion later on. But we need to proceed with the following questions so we have time for this part of our workshop this morning. So I would like to ask Alan to ask the following set of questions.

Alan Wong: Thank you, George. It's quite clear that the expectations of various parties who want to use the Whois database were not anticipated when the whole system was put in place many years ago.

We've already touched upon the sensitive issues of the use of Whois database for purposes which are not those which were envisaged in the past. And the privacy concerns of the registrants.

I would like to explore these issues and also hear from a privacy advocate. I would ask Tom, Jeff and Diana the following questions: can those who collect and publish Whois data balance the local law requirements against ICANN accreditation agreements, the Whois requirements?

The second question is can the concerns regarding the existing Whois system be addressed by modifications of the RAA? Who should decide what modifications are necessary to balance privacy concerns against the competing public policy concern of ICANN's ability. Who could decide, who should decide? Maybe Tom, could you start with answering these questions?

Thomas Keller: Yes, thank you. Starting with the first question, whether we can balance it or not, I guess to what it all comes down is that we do have contracts with ICANN which poses certain obligations on us and it's very far reaching at that point that you say that you have to, for example, have to display certain data like e-mail address and telephone number. And on the other hand, in certain places in the world you have privacy rules, which are not allowing to do exactly that.

Schlund is a company who is collecting data and displaying data really has a chance to balance these needs because we are bound to our local law and we still want to conduct business. It comes down to if we change the RAA, would this reflect our needs better? I guess so. I don't know to what extent we might have to change that. But it could be a process put to the PDP if we do it at ICANN, like we used to, and maybe have an open clause which states that you have to provide certain access to data, you have to display that, but you should not be in breach of your local law.

Jeff Neuman: I guess I'll be more controversial. With the question of can those who collect and publish Whois data balance local law requirements against ICANN accreditation requirements, I would say the way that Whois exists today, I would say the answer is no. Plain and simple. Not the way that Whois is defined today, with the display personally identifiable information, information such as phone numbers and e-mail.

I do not believe there can be globally a unified solution where this type of information is being collected and displayed.

If we restructure Whois where certain personally identifiable information is taken out of databases, for example e-mail addresses and phone numbers, then I think we can talk about a solution that can be globally accepted.

With respect to can they be addressed by modification to the RAA, can the concerns be addressed; I think it all depends on which concerns. If you talk about privacy concerns, again, I think that may be addressable by taking out certain personally identifiable information. If you're talking about from an IP law enforcement and stricter enforcement mechanisms, I'm not sure that can be addressed by the RAA. I think you would need an incredible organization with many enforcement personnel to be able to enforce those procedures.

And so I don't think that changes to the RAA, even through a policy development process, would improve those mechanisms.

Diana Alonso Blas: Thank you. I think that the answer to the first question would be the same as the one just given here by my neighbor. I think the big problem in trying to comply with both the accreditation agreement and the requirements they have in national legislation, and the problem has been raised not only by those having to comply, like Steve here next to me, but by individuals who are raising complaints about the infringement of the personal rights.

So I think in this discussion we have to take into account not only the interests at stake of the different parties but also the rights of the individuals who are not very much represented here but have also to be heard.

So I think there are problems with that.

I think to a great extent, a number of issues could be addressed by modifying the RAA. I'm not sure that everything could be addressed but I'm sure many improvements could be done.

I would think that what we certainly need to do is to make sure that we involve all interested parties in the discussion, and I would strongly encourage to involve more actively the data protection community and the data protection authorities all through the world, not only the European ones obviously. I'm maybe reacting a little bit to the comment given in the previous question. I think if we are trying to look for a solution that could be in the short run, the last thing we need to undertake is to modify in the legislation of our 30 countries to make this possible. So why don't we try to find a solution in which we all find a balance between the different interests at stake while respecting the situation as it is.

George Papapavlou: Thank you. Any other members of the panel wanting to make a comment? Yes, Christian.

Christian Wichard: A quick comment, and I'll be brief, I promise. It's about balancing local law against Whois requirement.

I think it is not all black and white. It does not mean local law does not necessarily prohibit providing public access of Whois data. And it is not always necessary to change local law to do that.

Now, an example is many of those who do not provide Whois data are not necessarily based in those countries that have the most elaborate data protection laws, whereas, ccTLDs for example that are based in countries with elaborate data protection laws have found a way to strike a balance between those laws and providing access to Whois data, as we heard yesterday from .nl for example, other examples are .au or other ccTLDs. So I don't think it is all black and white. Thank you.

George Papapavlou: Thank you, Christian. Anybody else? No? It seems not.

In that case, Antenor, proceed with the following question.

Antenor Correa: Let's move to hopefully another burning issue as well. The third party registration services. Here we have (inaudible) from ENUM. He is running a test for third-party registration services, and also is partners with third-party registration providers. So I pose a question to him and also to Diana, and both of them could comment on the following issues.

Can privacy concerns be resolved by use of third-party registration services? And the second will be what are the implications of such services for people who need access to Whois data?

Please.

Paul Stahura: So I guess the answer to the first part is yes, but it's only part of the solution.

There's a balance between all the forces, and my company has a large number of resellers, and we're getting demand from my resellers for ourselves to implement a third-party solution, because whether they were good registrants or bad registrants, they don't want to put their Whois information in the public Whois to be shown publicly. No matter what, the people who are trying to hide, kind of the bad guys, they for sure don't want to put their Whois information out there.

So we're getting demand from most of our resellers to implement a proxy service. And I think the proxy services are getting more and more popular because people don't want their Whois information shown publicly. And I think maybe the solution of the problem or part of the solution is to provide a tiered access so that registrants who have privacy concerns could use the third-party proxy services, and whereas, maybe law enforcement could get access to the data that's behind the proxy service via some kind of special access.

And I wasn't aware of the problem; it has to be public in order not to get a subpoena. I don't know the solution to that one. That would be a tough one.

But we have to provide our Whois information in bulk format now to anybody who asks for it. And I don't see why the law enforcement can't be one of the people who ask for it.

George Papapavlou: Just remind our colleagues that that's one of the subjects in the following session so we will be discussing this more in depth later on.

Antenor Correa: Can Diana please comment on this.

Diana Alonso Blas: Thank you. Well, I'm not sure that third-party registration services would solve all the problems, but I think they would improve the situation very much, and would solve, certainly, the problems of some people who do not want to have their data displayed publicly.

I'm not saying this is the only solution. I found the presentation of our Dutch colleague Bart Boswinkel also very interesting with several options that could solve a number of problems but this in any case would go in the right direction, I would say.

As to the second part of the question, what are the implications for the different services, I think what is necessary is to provide a system that allows quick access to those who need it. And that is not complicated or does not involve all kinds of complicated formal administrative steps and so forth.

And what it could be also very useful is to build some kind of audit trails that would make possible to control later on if the access has been granted, was correct or not. And what is also necessary is to agree very much in advance on what are the conditions in which access can be granted. But I think solution could be found that would allow those who need the data to have it, while still protecting the others.

George Papapavlou: Would anybody -- yes.

Sarah Deutsch: I just wanted to say that I think the proxy services are very promising.

If you look at Whois and the analogy of telephone numbers, if people did not want people to find out their phone number and they could simply populate the Telco's databases with fake phone numbers, we'd find the phone system wasn't working so we'd have this process of unlisted numbers.

And the proxy service could be the equivalent of an unlisted number.

I would add it would be very important to have companies who run these kind of protective services have very responsible operating practices, to have access to absolutely accurate information behind that wall, and to make sure that they give access to those with a legitimate need to know.

Paul Stahura: I'd like to add one more thing I forgot.

I believe that with the proxy services, the information behind the proxy, I think, would be more accurate, because people game the system.

If they know their information is going to be public, they're probably more likely to put in bad information so that the public doesn't know the real information.

That's the good guys.

The bad guys always put in crappy information.

But at least the information accuracy level would increase, I think, with proxy.

And therefore, if we had the tiered access behind that, and that law enforcement or other people who pass the bar on accessing the information, therefore that those people will get access to more accurate information.

John Logalbo: If I may, I just want to reiterate the law enforcement concerns on this point. I don't, again, want to venture an opinion on whether proxy registration might ultimately be the solution. But I want to make clear what law enforcement interests are here.

First, in order to avoid the problem of requiring law enforcement to get legal process, and I think that that is a serious detriment to investigations, there has to be one of two things present in the proxy system. And that is, either the data has to be made public in the sense that I expressed before, and that is, people with a need have to be able to get at it quickly; or, the agreement for proxy services has to make clear that there is explicit consent of the name holder for law enforcement and others to get at the data, if necessary, if requested. And that consent has to be voluntary, and at the same time the prerequisite for consent cannot be to serve a subpoena. Because that defeats the whole purpose.

And the second point I want to reiterate, it can't be just law enforcement agencies that have access to the real data about the name holder. ISPs have to have access to the real data in order to solve technical problems. And I don't know how that can be done if the telephone number or e-mail address of a technical contact is withheld.

Consumers need access to the real data, and intellectual property holders, among others, need access to the real data. So any system that restricts access just to law enforcement is not going to serve a number of other very important interests.

George Papapavlou: I see Christian. Yes.

Christian Wichard: Just a piece of information. These proxy services are already an option under the present RAA. The present registrar accreditation agreement allows third-party registration, allows a registrant to provide the address of a third party, which most or very often is an ISP, provided there is one condition, provided that this third party either accepts liability for any harm caused by wrongful use of the domain name, or promptly discloses the identity of the true owner of the domain name.

I think, then, the formulations upon unreasonable evidence of unreasonable harm. So this would not require a subpoena, because it makes access to Whois data more cumbersome. We have some experience with this kind of third-party registration in the administration of the UDRP. But in the end, it normally works out.

Thank you. I see Tom.

Thomas Keller: Before we think about proxy services as a solution, I just want to point out that privacy in most (inaudible) is not a service but is a right a person has. So I don't know why it should be protected by a special service, which has to be offered by a registrar, for example.

So what would happen at the end of the day is that, for example, on the (inaudible) you couldn't raise funds, you couldn't impose a fee on it. So we had to do it on our own cost. And that's, in certain ways, unacceptable. And it does not really serve the purpose.

George Papapavlou: Okay. Thank you all for all of these interesting remarks. I think we are doing well with time, and we have a last set of questions, which will need to be asked.

Alan Wong: Thank you, George.

You don't have to be very clever to see that it is very difficult, if not impossible, to find a solution that will satisfy everyone. My question is, are there any second-best solutions? Let's discuss one possible modification to the current Whois system that has been raised in the past.

Should there be modified rules for noncommercial domain names to protect privacy while providing contact data for commercial domain names? And does that approach address all interested parties' needs? And related to this is, how would such modified rules be enforced? Could the special domain be created for noncommercial domain names? They would have different Whois rules. How would you define commercial versus noncommercial? I'd like to ask Tom, Jeff, and Diana, in turn, to comment on these issues.

Tom. Thank you.

Thomas Keller: Thank you.

I guess most problems we would have if you want to implement something like that is how do you differentiate between what is a commercial use and what is not. So if you register a domain name, most of the time it's 100% automatic process and you really don't have no idea what will it be a web site which is used for that domain name or is the domain name used for e-mail service? And if it is used for e-mail service, is it commercial e-mail service or not? So we're talking about a name space, which is really hard to figure out actually what that person is trying to do with that domain name. So I don't really think that this will help.

Talking about a domain name and a special domain name only for noncommercials kind of brings up what happens with all the domain holders who already have domain names now. Do they have to give up their substantial privacy rights and move on to a new domain name? It would be like, you know, someone would have to move out of his house, you know, just to protect his rights. And something doesn't seem right to me, actually.

Alan Wong: Not workable from your point of view?

Thomas Keller: Yeah.

Alan Wong: Jeff.

Jeff Neuman: I've heard this proposed many times, too. And from an unsponsored registry standpoint, with .biz, and as this one would be, it would be an unsponsored one, because it would just be a noncommercial domain, you know, top-level domains are created because of a viable business plan, not out of rules, not out of rules to escape being another TLD's.

I'm not sure of any registry operator that would want to take on a top-level domain that was just for people to hide their Whois information, no, take that back. There would be a number of registries that would want to do that, but you would attract what I call the four s's, the spammers, the scammers, the squatters, and the speculators. While that would make a lot of money for a registry operator, it certainly is not the type of top-level domain that I think any of us envision or want to create. And with respect to differentiating between commercial and noncommercial users within a TLD, you know, courts around the world have enough difficulty determining what's commercial and what's noncommercial.

For example, in the United States, trademark law is dependent on whether there is a mark that's used commercially or not commercially. And, you know, the courts have enough difficulty interpreting the exact meaning of that. I don't know where I would begin interpreting what the difference between those would be.

Alan Wong: So another doubter?

Jeff Neuman: Right.

Alan Wong: Diana.

Diana Alonso Blas: Thank you.

I have, obviously, seen before arguments having been brought forward by my neighbors here. On the other hand, I think what you said in your introduction is right. I don't think we will find a solution that will be perfect for everybody. And we'll have to find some kind of compromise that is workable for, well, as much as possible.

I mean, I have the impression that this idea of distinguishing commercial and noncommercial could be a step in the right direction, at least the European data protection authorities consider this a good solution, because the issues related to data protection are obviously very different when you are talking about individuals who have a specific rights and when you are talking about legal persons who are not protected by the legislation. So it could be possible to find, at least in theory, a distinction.

This would, obviously, raise a lot of problems as to, indeed, determining who belongs to which category. But to a certain extent, this already exists. I would say there are different legal requirements for those who proceed commercial activities in order to get identification; we have different pieces of legislation in place, like the e-commerce directive and others. So we do have a number of legal requirements they have to comply with. This would be one more in the sense that they will have to identify themselves as being commercial activities and not just purely for personal use.

So I think, to a certain extent, it wouldn't be a bad idea. But, indeed, I realize it's tricky. But I think it could be workable, or at least is something that would need to be explored.

Alan Wong: So you don't dismiss at this moment? Okay. Thank you.

George Papapavlou: Just a quick point to make.

What Diana said, in our e-commerce directive, to give sufficient information to the consumers. Although we don't have special top-level domains for commercial web sites, we have special obligation for commercial web sites.

Anybody else? Yes, John.

John Logalbo: I just want to say from a law enforcement perspective, we wholeheartedly agree with the problems of trying to draw a distinction between commercial and noncommercial that the representatives of the registrars and registries, and also Alan with his four s's analogy provided.

I think you're going to create extremely serious problems for registrars in trying to determine what is commercial and what is noncommercial. That concept is certainly found in U.S. law. I have been exposed to it in the context of obscenity law, where the distinction is drawn whether activities are conducted for profit or not. And to ask a registrar to get involved in the activities of the name holder to try to determine whether they're for-profit or not for profit is extremely difficult.

And this is going to arise in the most egregious kinds of contexts, such as child pornography, where those who indulge in that particularly perverted pastime are not interested necessarily in making money; they're interested in swapping images and so forth. So is that commercial? Is that noncommercial? And certainly it's a domain devoted to noncommercial activity in that sense is going to run the risk of being a safe haven for that kind of activity.

George Papapavlou: Thank you. No further comments. I see no. This brings us to almost the end of our first session.

I will try to not really draw conclusions, but to indicate some points which, I think, have come out from this session.

I think that there is a view that the Whois system may, to some extent, work, to the extent that it addresses its original purposes. But may not work for additional purposes, which have come up in more recent times, including very important, legitimate purposes, of course. And therefore some improvements may be necessary.

The main two issues I take to be addressed are the issue of accuracy and the issue of accessibility. I think I have not heard any strong arguments against accuracy, especially if one has possibilities for specific cases to be dealt with where anonymity may be required and where the third-party proxy services could play a good role.

On the last point, I think most people would advise that it would not be possible to distinguish between commercial, noncommercial and put them in separate sort of boxes. This would be very difficult.

On the issue of whether information could be available from other sources or not, I think that although it could be available from other sources and through other processes, the effort might be substantial. However, there is obviously a balance requirement here, a proportionality requirement.

So what exactly is excessive effort with regard to the purpose I think still needs to be determined. It's one of the things that have to be addressed in the future.

Yes, I think this would be my conclusions. I mean, on the one hand, we have legitimate requests, which call for improving the accessibility and accuracy. We have also legitimate requests in favor of having human rights adequately protected. There is a cost element involved. We need to find the balance, a good balance of all these interests. And I think this will be our main target for the future.

This is what I would like to conclude. With this, I will ask anybody who wants to say something from the panel, which doesn't seem to be the case. I would close the morning session.

Thank all of the panelists for their very useful contributions. Let's take a break and come back. Is it 9:30, Mike, or -- 9:30? So that we start with the second session.

Vinton Cerf: I'm sorry. We start the second session at 9:30. Okay. Yes.

George Papapavlou: At 9:30.

Vinton Cerf: Very good. Thank you very much.

(Applause.)

Panel 2

Robin Layton: Good morning. We'd like to start our second panel now, please.

This panel is focusing on new approaches to administration of a Whois database. I'm Robin Layton, I'm the U.S. representative to the Governmental Advisory Committee and the convener of the GAC's Whois working party.

I'm not going to go through the procedures again. My colleague from the EU explained them very eloquently for the first panel. I also thought they did an excellent job of fleshing out many of the issues surrounding Whois from a public policy standpoint. And we hope to build on that in this panel.

I'd like to introduce the people on the panel and the discussants who are from the Governmental Advisory Committee. Starting from the left, we have Ross Rader. He's the Director of Innovation and Research for Tucows, an ICANN accredited registrar and leading distributor of digital products and services to Internet services providers. He is here for registrars.

And next to him is Willie Black, Willie is the executive chairman and founding Director of Nominet UK, and Willie is here representing the registry point of view.

Next we have Alan Davidson. Alan is the Executive Director at the Center for Democracy and Technology, working to promote civil liberties online. He is here as our privacy advocate.

Next to him is Henning Grote. Henning works for the Deutsche Telekom AG, Europe's largest telco. As deputy director of DT's network information center, he's responsible for technology scouting and developing technology strategy in this area.

Henning is representing our ISP perspective.

To my left is Pablo Hinojosa. He is one of my fellow GAC members and comes from the government of Mexico.

To my right is Tom Dale. Tom is a discussant and is representing the government of Australia in the GAC.

To his right is Steven Metalitz. Steve is a partner in the Washington, D.C. law firm of Smith and Metalitz LLP. He has served as a counsel to the Copyright Coalition on domain names since its establishment in 1999. Steve is representing intellectual property interests.

Maneesha Mithal is an Assistant Director to the Federal Trade Commission International Division of Consumer Protection. Her expertise includes Internet fraud, the Whois database, Internet jurisdiction, and alternative dispute resolution for online consumer transactions. And she is representing consumer interests.

To her right is Margie Milam. Margie is the general counsel of EmarkMonitor, Inc., an ICANN accredited registrar based in Boise, Idaho. EmarkMonitor, Inc. is a provider of corporate domain registration and brand protection services for corporations and law firms. Margie is representing bulk access service providers.

And to her right is Patrick Beardmore. Patrick is the Computer Forensic Investigating Officer for the UK Office of Fair Trading, which uses Whois as a tool for law enforcement. He is responsible for digital evidence within the Cartels Investigate branch and provides the department with advice and support regarding consumer protection and Internet issues.

I think we're going to launch into our first question and I'm going to ask Tom Dale to start us off, please.

Tom Dale: Good morning, Robin, everyone.

In this panel we're looking at new solutions to the Whois system and problems, and particularly in achieving public policy goals so I'd like to ask a number of the panelists, first off, from the perspective of law enforcement, IP, consumer interests, and privacy as well, if they could give us their proverbial two-minute speech on if an overhaul of the current Whois system is necessary to balance what appear to be competing interests of law enforcement, intellectual property, consumer issues and privacy interests. The two-minute elevator speech, ladies and gentlemen. Perhaps Steven Metalitz could start off.

Steven Metalitz: Thank you very much. In answer to the question, is an overhaul needed, I think if that means do we need fundamental change in the Whois system and why we have it, I think my answer would be no. But that doesn't mean that we can't improve it in a number of ways. And from the intellectual property perspective, we're certainly eager to engage in that discussion.

I think this is an appropriate time, perhaps, to raise this question that we've heard many times about whether the purpose of Whois has changed since its inception, and that it's now being used for purposes that the allegation is made that it's being used for purposes unrelated to those that existed at its inception.

I think that approach underestimates the continuity we've seen over time. And if I can harken back to yesterday morning and the first workshop and Louis Touton said the purpose of Whois is to track down people doing bad things and identify them, for IP, that is our primary purpose and one Jane Mutimear talked about in her presentation today.

So I think there's more continuity than some people think and I hope we don't make it a dogma that Whois is totally changed and we need to tear it up and start over.

Tom Dale: I'll ask Pat Beardmore from the UK Office of Fair Trading for his views.

Pat Beardmore: This is my first visit to such an event. Hopefully it won't be my last. Overhaul is a strong word; it's a good word. I would agree that I think there's a consensus that changes have to be made. Whether overhaul is the right word to use, I'm not so sure. I'm not so sure that Whois is in need of a complete rewriting, as it were.

Having said that, I have been impressed, struck by the strength of feeling, as this is my first event. One thing you may want to do when you attend these is sit at the back and if you watch heads move, when people say something you agree with, you don't know it but you're nodding and stamping your feet. There's obviously a lot of strong feelings on a lot of issues to do with Whois and in line with that, and we're not here for fun, this event has been organized because there are issues with Whois. So I think change is inevitable. Whether the change comes in the form of a complete overhaul, I'm not so sure.

Tom Dale: Thank you very much, Pat. Could I ask Alan Davidson from the Center for Democracy and Technology to give his view on the matter?

Alan Davidson: I guess the short answer would be yes, we believe Whois is in need of a substantial change. I appreciate the chance to be here, and as we heard from some people with regard to the highly personal, noncommercial information that can be found for many registrants in the Whois database, current Whois policy is on a collision course with national privacy laws, with accepted international privacy standards, and with the rising tide of concern out there of privacy and security.

This is not a unique problem in the sense that the kind of work our group does in the United States, we face all the time these kind of policy issues where, in the context of government access to information, the context of corporate use of information, where there are reasonable desires for information that must be balanced with important privacy concerns.

Currently, the Whois policy does not provide that adequate privacy balance; our belief is that it is not working, increasingly not working for lots of different players. It is not accurate as we've heard, and it will not be accurate unless registrants feel their privacy and security is protected. So we think there are balanced solutions that are much more consistent with broad access to the Internet and the DNS that I think many of us seek.

Tom Dale: Thanks, Alan. Finally, could I ask Maneesha from the FTC to give her views on the matter?

Maneesha Mithal: Thanks, Tom. I apologize but I'm required to say that the views I'm about to express today are my own and do not necessarily reflect the views of the Federal Trade Commission or the U.S. Government.

With that being said, I think I agree with what the majority of panelists have said so far. I don't know that I would characterize it as an overhaul but I do agree that change is necessary.

One of the major concerns from our perspective as a consumer protection enforcement agency is that inaccuracy of the data in the Whois database is a major problem, as I explained in my remarks yesterday.

Now, I am sensitive to the concerns raised by privacy advocates that people might intentionally be putting in false information to protect their personal privacy. So I would like to see us all try to resolve the privacy concerns. And I think once we do that, there can really be no argument that we shouldn't vigorously enforce the registrar accreditation agreements to ensure greater accuracy in the information in the Whois database.

Robin Layton: Thank you. Would anyone else on the panel like to venture an opinion on this topic? Then I'd like to ask Pablo to ask the next question, please.

Pablo Hinojosa: Good morning. One approach that has been suggested for Whois database is should certain persons get access to limited data while others with involvement in law enforcement get more complete access to Whois data? Here our privacy advocates, Alan, law enforcement advocates, Pat, and IP representatives, Steven, I would like to ask you the following chain of questions. Should there be tiered access to all Whois databases? If you think that, we would be interested in knowing, in your perspective, what would be the best way to administer tiered access, and what types of information would be available in the various tiers and to whom would each tier be available?

Alan Davidson: Shall I start? Okay.

Robin Layton: Let's start with Alan, please.

Alan Davidson: I think tiered access is a very attractive idea worth pursuing and it's exactly the sort of idea that gets at striking a reasonable balance between some of the desired needs for information that have been put forward, reasonable requests for information, and the real privacy concerns that exist. Because if you begin to dissect the privacy concerns, they come down to the question should all data collected in Whois be available to all people for all purposes? And I think we could mitigate many of the privacy concerns by taking the most sensitive data and making it only available to some people in some circumstances.

It helps a lot from the privacy point of view if you can provide mechanisms like audits to find out if the data is being misused, notice to end users about what information has been requested about them, enforcement against misuse.

The general idea here is that this is not a perfect solution, but it creates a speed bump for access.

I think the kind of system that many of us contemplate is something like what is being implemented for .name where there's a set of information that is publicly available, but it may not include the most sensitive fields that may include something like a person's home phone number or home address or e-mail. It may include the registrant's identity, maybe their country. Maybe even some technical contact information if that's considered important for technical reasons.

But the point would be that we would come up with a mechanism that the broader set of more sensitive information would only be available after going through some process.

I would say that in terms of administering it, that process needs to be very lightweight. It needs to be something that is scalable, it's got to be something that's easy and cheap to implement by registrars and registries. It's also got to be something compatible with ICANN's very thin mission, which is not to be a major policy oversight body.

So we would want to set something up where the requirements are easy to understand and I think the .name example may be a good one.

To be frank, I'm not sure that this tiered access would meet all of the privacy imperatives, for example, of the various data protection laws and the OECD guidelines, but I think it's a good start, and especially if we could couple it with some other approaches, like better domain by proxy or revisiting the bulk Whois rules. You might come up with a package of things that would do a lot to protect privacy but still allow for some reasonable level of access.

Robin Layton: Steve, would you like to comment?

Steven Metalitz: Yes, thank you. I would agree with much of what Alan just said. I think tiered access is something that should be looked at. And we also have this experiment with .name. Unfortunately, at this point it is an experiment, which has yielded no data yet because the tiered access has not been implemented. But perhaps that will teach us something that we may be able to apply.

I would add, though, really just make two additional points. One is among the other criteria that Alan mentioned about being lightweight and being scalable and so forth, if this is going to work, it has to be a system that works very fast, and that doesn't delay access to the data for those in the tier that are entitled to get it more than a minimal amount.

We heard something about that in the first panel from law enforcement and others. I'd like to add one other perspective, which I don't think is directly represented on any of these panels, and that is the security side of this. We had a very interesting report at the Shanghai meeting from Steve Crocker and the security and stability advisory committee mentioned that accurate Whois data and very quick access to it is essential for responding to intrusions and other security problems. And if you're going to have a tiered system, it's got to be one where those users of the data can get access to it very quickly with a minimum of fuss.

Now, the second point I would make is I don't think we should underestimate the very real transactional costs that are involved here, and also the costs that may be borne by e-commerce and the society as a whole if you make it difficult for individuals who may not have any special status to have access to the full range of Whois data, whether they be consumers concerned about who they're dealing with online, whether they be parents concerned about the sites their child might be visiting. I think we heard on the first panel that public access is very important even in terms of law enforcement.

So before we restrict that through a tiered system, I think we have to be very careful about how those costs will be absorbed.

Robin Layton: Pat, could you give us a comment on this, please.

Pat Beardmore: Yes, certainly. Tiered access. Well, you've taken some of my points already. Fast, yes. Easy, yes. Cheap, yes.

A couple of points. Just to reinforce what was said in the previous session. Even if every law enforcement body in the whole world who wanted to access the Whois database had a mega-fast terminal sitting at their desk, the fact that the information was no longer public brings in a whole new tier of, not bureaucracy, that's unfair, but administration, which is designed to protect that data.

Now, from a UK's point of view, just to give you some examples, that could be anything from filling out a five- or six-page form, piece of paper, not an online form, it could be getting a signature from someone much higher up within your law enforcement body, it could be having to go to court to get a court order, or it could be having to go to a criminal magistrate's court or high court to get a warrant.

Now, all of those would be required before the law enforcement officer could then sit at the terminal and maybe get Whois information within 30 seconds.

Now, I'm not saying in itself that that justifies not having tiered access. What I'm saying is it's important for all of us to understand the extra burden that would be placed upon the law enforcement community even if we had that wonderfully fast service.

And one final point is that I'm a little concerned at the fact that this phrase "law enforcement" is just used without any clarification, unless I missed something that was on an earlier event. Law enforcement doesn't simply consist of police forces carrying badges and warrants all around the world. There are many shapes and colors of law enforcement agency. I've just written down, you've got customs, tax, environmental health, social security investigators, consumer protection, medicines agencies. Have we really thought about the implications for every law enforcement body to have access at this tiered level?

Again, just finally, from a UK's point of view, consumer protection is handled at local council level. That's almost 200 different consumer protection bodies just within UK who would want access at a tiered level. So if we multiply that by all the, obviously, different countries around the world, I'd just want people to be aware of what a massive challenge that would be to introduce that type of infrastructure.

Robin Layton: I wonder if Ross and Willie have anything to add to this as those who would have to administer this type of system?

Ross Rader: On the question of tiered access, I look at this as a tool in our toolbox. It's important to look at this not as a magic bullet or magic solution that's going to address all needs and fix all problems. We've got many other tools we need to look at to start solving some of these problems. Digital certificates, for instance. Tiered access Whois databases, and on and on and on.

There are a number of things that we can put together which will ultimately help us solve all of these problems. But I don't think that looking to the DNS, the Whois or tiered access system or not tiered access is appropriate.

If we start looking at what tools we need in the toolbox and what we want them to do I think we'll have a much more productive engagement as we figure out what we want to do. For instance, what do we want the output of the IETF to look like, for instance? They're working on several technologies that are very suitable for these purposes.

That would be my only real comment on that.

Willie Black: Thanks very much again for inviting me. I obviously am not involved at the gTLD side of this, but in the UK, we had our own policy-making debate on how to deal with Whois, and we have the advantage of having a slightly thicker registry. So we've taken it as one of the core jobs of the registry to be responsible for the Whois. And, you know, I think that's been an advantage over the slightly thinner com, net and org ones. That's a different debate.

We have worked with the balance between the privacy and the public policy requirements by having a debate with both sides, and actually going out to fairly widespread public consultation, and we came down with a balance that if you're a private individual and you're nontrading, then you can have an opt out, but we will keep real information there and we will make it available to the appropriate authorities should they ask in a written form.

Now, what would help us a lot is to have a single point of contact. As my colleague from the Office of Fair Trading has said, there are many, many bodies that might have a legitimate need for this information. And none of us can really tell whether it's a legitimate request or not. But if we have an authenticated place that we can go to that will say, yes, the person who has just asked for that is legitimate, they've gone through a process, you can reveal it, that would help us a lot.

I think I said at a meeting at the Federal Trade Commission that if somebody served a federal subpoena on Nominet, I probably couldn't tell the difference between that and an ice cream wrapper, with all respect, and neither would people in the U.S. know what a UK one looked like.

That's a real problem for a registry is to know when to give the information away and to whom.

So I think we should look at this single point of contact, this SPOC mechanism, maybe even interlinking SPOCs in different countries so there is a chain, it may be done electronically, maybe not, using certificates and digital certificates.

That's the news from our side; we tried to do a bit of a tiered access. We've allowed people to opt out, and we will make the information available. And I think that's given the consumers confidence that if they do register their personal information, it will be kept fairly off the public record.

We only publish name and address anyway. We don't have telephone numbers or fax numbers or e-mail addresses, which of course is the big gateway to spam. So we've been a little bit of a balance between the two sides. And we look forward to seeing other tools developed. If we can use them to help, we will.

Robin Layton: Thank you, and I'm wondering if, Margie, would you like to say something?

Margie Milam: Yes, I would. Bulk access is a useful policy that serves an important need because it is used by information service providers to develop reports for intellectual property purposes and for law enforcement purposes and there's companies out there like LexisNexis who sell information.

Why is this a separate basis from tiered access? The reason it's necessary is because value-added service providers have the ability to search the database in a manner that isn't typically available through the public access. These companies have developed software programs that can search multi-fields and deliver reports that are clear and provide the information that a seeker is looking for.

And so I would want to make sure that the policy takes into account the ability for bulk access to enable that service to continue.

Robin Layton: Maneesha, you had a comment?

Maneesha Mithal: Thanks. From the perspective of Consumer Protection Law Enforcement Agency, I don't think we're opposed to tiered access, per se. But I think we would have two main concerns. One is that we would be concerned that consumers might be getting less information than they have now, particularly for commercial web sites. So any tiered access system should take into account the fact that consumers have certain needs for information.

And the second concern is I don't think law enforcement should have less access than they have now to the Whois database. And I take the point that Willie raised and some of the others have raised about how do you authenticate who an appropriate law enforcement is. And I wouldn't want to get concerns on that front to interfere with the process of law enforcement getting the Whois data.

And then I guess the other point I wanted to mention is that it seems like overhauling the whole Whois system to create tiered access is akin to using a sledgehammer to crack a peanut when maybe a nutcracker would do. I think that in what we've heard between yesterday and today, there seems to be consensus that there is less of a privacy concern with disclosing information about commercial web sites. It seems that the current system is working fairly well for commercial web sites, and nobody really has an objection to that.

What people do seem to have a concern about is the noncommercial web sites. So maybe one idea that I'd just like to throw out there is to bifurcate the discussion. Instead of trying to change the whole system when there is consensus as to a lot of it, why not just take that slice where there is concern and then try to work out a solution for that, maybe have a separate domain and have tiered access in that domain.

There's all sorts of things that we could imagine that would resolve that concern without overhauling the whole Whois system.

Robin Layton: Henning, would you like to get your two cents in on this as well?

Henning Grote: Thank you very much. Thanks for inviting me.

Well, I just want to broaden the coalition that's sympathetic with the idea of the tiered access. From an ISP's perspective, an ISP that's operating an LIR and an unaccredited registrar, we look at the Whois as a means, a tool to take care of the functioning of the Internet, just like Jeff Neuman on the first panel had this morning.

There are lots of just recently, in the last few years, developed very legitimate uses and requests for the data that are collected on the ISP or registrar's level. But these legitimate interests should not hamper the functioning and the work for which we use the Whois as we have it today to control and maintain the Internet functionality.

So the tiered access would, for the ISP and for us as a registrar, an LIR, would be very adequate to work with, and would also be adequate to not bring us into legal limbo. For example, the issue was bulk access, we just mentioned. That's another very tricky issue, because even to have data, let's say, exported out of our legislation is something that's very doubtful. Based on the principles of operation of Internet systems and the DNS, we today have kind of that, it's more or less tolerated. But we do not feel very comfortable with the bulk access, indeed. So that's another issue.

Just to wrap it up, we are very sympathetic with the approach of tiered access, because the work that has been done in the IETF right now, let's say CRISP, for example, might be an excellent approach to solve lots of these new interests and requests in the midterm.

In the short term, we would like to go the tiered access way of bulk access, of when we like to discuss this issue, we have very strong feelings that we would like that approach being (inaudible) out.

Thank you.

Robin Layton: Tom, would you like to move on to the next question, please.

Tom Dale: Thank you, Robin. I'd love to.

Another specific proposal that's been raised in this debate is the concept of providing some sort of notification to registrants that their Whois data is being requested by whoever. Obviously, there's a degree of potential end user and consumer and privacy empowerment in that sort of notification.

On the other hand, it may raise specific issues for the conduct of law enforcement investigations. So I'd like to ask some of the panelists what they think about notification to registrants of such requests.

Perhaps, Steve, you could start.

Steve Metalitz: Thank you.

This idea has been raised by a number of participants, notably, Alan Davidson, who I'm sure will give an eloquent defense of it. It surprises me a little bit that a privacy group is in favor of letting web site operators have a free list of those who consulted Whois data about them, perhaps for commercial purposes.

I think those who were concerned about site operators placing cookies on your computer or those who were concerned about whether a consumer should have the ability to block caller ID information would also have the same concern about letting a commercial web site find out everybody that was interested enough in them to check their Whois data.

But leaving that to one side, I think there are a number of very practical questions about this, some of which I'm sure will be addressed by the law enforcement representatives.

I think what would be very valuable, and I think perhaps can be done within the framework of the existing agreement, is that there should be some kind of audit trail, some kind of data preservation policy about Whois use that could be accessible under the proper circumstances in cases of abuse or when there's a suspicion of abuse. Because it's obvious that Whois access can be abused and put to very improper purposes. So having some type of audit trail, I think, would be very valuable.

But in terms of a general rule that people would no longer be able to use Whois without having that information disclosed to the registrants, I think, would have a number of problems.

Tom Dale: Alan.

Alan Davidson: Steve raises a very good point. But let me step back a half a point.

I think those are real concerns about how notice might work. But I also think notice, the ability for a registrant to find out who is asking for information about them is one of the major potential privacy benefits of doing some kind of tiered access system.

Just to give an analogy, and I apologize, because it's from U.S. law. But that's what I'm most familiar with.

We have a very strong requirement in our Constitution, for example, that when a search warrant to go into somebody's home to seize information is obtained, it must be served, notice contemporaneously must be given to the target of that search warrant. And the reason for that is because, I think, our constitution in the United States reflects the understanding that the person who's in the best position to protect against abuse or misuse is the person who is the target of the search.

And so when the police come to my home and knock on the door and say "we have a search warrant here that says we're allowed to take your computer," I can then look at it and run to the courthouse and challenge it if it's a mistake. I can say to the police who have come to the door, "You have the wrong Alan Davidson. You're looking for Alan Davidson who is down the street who is a noted peer-to-peer user or drug dealer" or whatever it is.

The point is that notice can be a very empowering tool for users, because it gives them the ability to find out who is asking for information about them. And it also puts a chill, we believe, on the misuse of information. I think people will think twice about using Whois for inappropriate purposes if they know that the target of the request will be able to find out about it.

There are lots of ways to balance things so that notice doesn't need to jeopardize an ongoing investigation. It could be deferred. It could be a periodic notice. There could be lots of different ways to do this. But I think notice is a very important and empowering tool.

Tom Dale: Pat, can I ask you the question?

Pat Beardmore: Yes. Thanks for that. I was getting a bit worried.

I'm glad you came in at the end and gave the caveat about getting in the way of the investigation. I don't think you have to be an experienced law enforcement officer to realize how important covert or undercover law enforcement investigation is.

When I saw the possibility of this questioning coming up, I thought, come on, let's get back to basics here. We are investigating people; we have reasonable grounds, have committed a crime here. And the idea of them immediately getting notice of the fact that I have requested the Whois data, I was surprised that was even on the agenda.

Now, having said that, if we compare it to the idea of giving a copy of an entry or search warrant, then, obviously, that's a different kettle of fish completely. In that, of course, as soon as the front door is knocked or, in worse cases, the sledgehammer goes through the front door, the person being investigated has a pretty good idea they are being investigated. So as long as they are aware they are being investigated, I have no initial problems at all with them getting some sort of notification. And they shouldn't be surprised. They should almost be expecting it if they realize they have done something wrong via their web site.

In terms of having some sort of audit trail, then, again, I have no problems with that at all. Any experienced officer should automatically be creating an audit trail along every investigation they're doing anyway, because they are investigating it with a view to creating primary evidence that will be admissible in court. And as part of that, the onus is on them to prove the audit trail, prove where all that information has come from. And make it available for the defense as well. So no problem with the audit trail. No problem with making that information available. But at a later date. But, obviously, hopefully, it goes without saying, not so it gets in the way of an effective investigation.

Maneesha Mithal: I'd like to add to that, if I may.

I think we would vehemently oppose any simultaneous disclosure that we were doing Whois searches on a particular company.

I think there's two main reasons. One is, especially when we're dealing with the Internet, it's very easy for people to move their operations offshore, beyond the reach of our powers. And even more importantly from a consumer perspective, once a target is given notice of our investigation, in our experience, they'll often transfer their assets abroad beyond the reach of U.S. courts.

One of our main missions is to get money back in the hands of consumers who have been defrauded. And if an investigative target moves the money offshore, that money is beyond our reach.

Robin Layton: Would anyone else like to add something?

Alan Davidson: I wanted to chime in to say I think deferred notice is a very attractive idea. And I think 60 days, 90 days, these are things we're used to dealing with in the law enforcement context. Without some kind of notice in a tiered access system, there's a huge question about who is going to enforce this thing. The people who are in the best position to enforce against abuse are users. And without their ability to know who's asking for data against them, they can't do it.

If the Federal Trade Commission would like to take on the role of being the enforcer to look at these audit trails and make sure Whois is being used properly, that would be great. But I think the most lightweight thing we can come up with is some kind of notice, even if it's deferred.

Margie Milam: I sort of have a problem with this notice concept. The way I look at Whois is it's a record of ownership, not unlike the public records for ownership of real estate. When someone searches the county records for real estate, is there a notice provided to the owner of the real estate? I don't think so. I mean, it seems that this is a different analogy than the search warrant concept, where you're searching for nonpublic information. And I think that distinction needs to be understood.

Robin Layton: Would anyone else like to -- Alan, you can have one more word.

Alan Davidson: I'm not clear that this is public information. I think that's exactly the debate that we're having today. Thank you.

Robin Layton: All right. I think we're going to move on to the next question.

Pablo Hinojosa: I would insist on question about tiered access. And this follows part of what Alan was saying, his first intervention. And it's about tiered access, if it can be said for noncommercial domains.

And my question is, how do you think it could be possible to keep commercial domains out? And this goes to mostly ISP, registrars, et cetera.

Henning Grote: Thank you for that question.

Well, I find it a grueling perspective if we need to try to distinguish between commercial and noncommercials. There are two aspects.

We heard one aspect discussed on the first panel this morning, how should an ISP, registrar, LIR, you name it, any business who is collecting Whois data, how should any entity be able to distinguish, honestly, between commercial and noncommercial?

I think the rationale behind that question is to have a -- let's say one port with higher privacy and one port with, well, less privacy. So it's another question. Well, as an ISP, should not reflect that much on that. Might be it's something more for a philosophical debate.

But the question is whether the right of privacy, not giving a safe haven for crooks or something like that, but waiving basic rights of privacy should be discussed further. Just more a philosophical question besides the more practical question.

Thank you.

Willie Black: Yeah.

I say at many meetings that it's only in comics that the crooks go around with a bag marked "swag", on a stripey jumper. The fact is that if it's a crook and he wants to get into a commercial domain because he knows he will be safe there, he will say he's doing noncommercial.

It's obvious. The good guys are honest, and they make the right declarations, and the bad guys don't. So I would say it's utterly impossible to segregate commercial and noncommercial unless you're going to almost check every web site to see if somebody really is trading or not. So I think the idea of splitting noncommercials in any enforceable way into separate spaces is impossible.

By all means, we can have separate spaces for people who self-declare them to be nontrading. It might be useful. But that isn't going to enforce anything.

Alan Davidson: I am very sympathetic to the idea about trying to separate commercial and noncommercial, especially because I think there has been consensus that it's in the noncommercial context purely where this privacy issue really arises.

Having looked at it a lot, I think it is extremely difficult, I think it would be extremely difficult for ICANN to try to make some kind of meaningful distinction between commercial and noncommercial that would scale well across internationally.

I mean, a human rights group in Africa that sells tee shirts on their web site or a lone proprietor in Asia may not have the same understanding we have in U.S. law about what commercial speech means. So as attractive as this is, I just don't think it scales well.

Another interesting data point I have been trying to find out, you know, just how much of this activity out there is noncommercial.

And even in the gTLD setting, I have been told, for example, by some people at VeriSign that they estimate that as much as a third of their retail dot-com and dot net users would self-identify themselves as noncommercial, and the majority of those people, of retail registrants in dot-com and dot net are actually providing personal or home information in their registration information.

Now, that's just my anecdotal description of this. I think it would be very useful to get more data about that. But I think it's clear that there's a lot of different user conceptions about what noncommercial means out there.

Ross Rader: If I could jump in on this one.

I think the DNS is probably the most absolutely worst place where we could try and make this distinction. Until I need a domain name to send out a piece of e-mail, to undertake a commercial or noncommercial transaction or until I need a domain name to set up a web site to engage in a commercial or noncommercial transaction, trying to make that distinction is going to be very meaningless.

If we look at other areas, for instance, though, such as the data that the certificate authorities collect on commercial users, and look at how we can use that data and cooperate with those other parties that operate services in other areas of the Internet, we might get down to something that might be meaningful and useful.

But to put it into the magic box of the DNS and the Whois because we can is really just inappropriate, I think.

Pablo Hinojosa: Well, I have a last question.

It's about should there be new gTLDs offered with stricter vetting of registrants, like .pro or .edu in exchange for higher levels of privacy protection for Whois information?

And if so, who should administer these new gTLDs? Also registries, registrants, ISPs.

Ross Rader: I think that's a question we need to ask the marketplace and maybe allow some people from the audience to put up their hand as to whether they would be willing to run something like that. And if they don't get it right, maybe ask somebody else to do it and let the market kind of take care of those demands. I think privacy can sell, I think there's a strong demand for it. We just need to give operators the opportunity to get into the marketplace, I think.

Willie Black: Within .uk, we have two or three second-level spaces that are what you might call restricted in gov.uk, ac.uk for academia, ltd and plc.uk which has to be the name of the company that registered companies have. They're just not popular. You get about 1% of the total number who want to go through this particular accreditation. The government departments are limited in number. The academic institutions are limited. And, really, the bulk of users don't really want to be there.

But I think it's easy to do it if you are prepared to put the cost and effort into doing the vetting. But from the user's perspective out there, I don't think they can ever rely on this verification.

Would you rely on the -- I'm sorry, I'm saying this because I don't know much about what .pro is going to do about doctors and lawyers. But would you actually rely just on the fact that they were a genuine lawyer? I'm sorry. No matter how much the .pro people actually do the vetting, I would still do an independent vetting before I would rely on it.

The DNS is not really designed for that. And that would be stretching it, I think.

Alan Davidson: Can I just add, this is not a very attractive solution for a lot of the reasons we were just talking about how hard it is to make the commercial/noncommercial distinction.

I think we should be wary of creating a privacy ghetto, which becomes the only place that you can go to get privacy is this particular domain where you may have to pay extra because this kind of verification could be very costly. And I don't think it's fair to ask people to give up the identities that they have already created for themselves online in order to protect their privacy. It's okay to ask people to take steps to protect their privacy.

I see Esther sighing in the front row. This one doesn't appear to be the right answer.

And I think we're putting a lot on the DNS, as Ross and Willie have both said, to try and make this distinction for us.

Steve Metalitz: The only thing I'd have to add on this is that, obviously, if you have a sponsored top-level domain where there is some gatekeeping done in terms of registrants, not everyone can register in dot museum. You have to be a museum or affiliated with a museum. When that's done up-front, that obviously takes some of the pressure off Whois because some of the same functions can be served in the gatekeeping department.

A, is there a market demand for that? And, B, is there a way to import that type of mechanism into more of a mass market top-level domain? I don't know.

But I was very interested in the discussion yesterday about CRISP, about authentication and authorization technologies. They were talking about using it for Whois queries but you could also do something similar for registrants.

And if you had a system like that in which you had a higher degree of confidence, obviously, maybe not enough to go have brain surgery with somebody that was in there, but without any further checking, but some higher degree of confidence that people who are registering or institutions that are registering in a particular space had particular characteristics and could be located and could be accountable for what goes on, that obviously takes some pressure off Whois. Whether it's a practical option in the current environment, I don't know.

Robin Layton: If there are no other comments, Tom, do you want to move to the next question.

Tom Dale: Thanks, Robin.

I'd like to ask, starting off, our registrar and registry representatives on the panel about possible roles for government in any new models of Whois. I realize the term "government" also elicits a certain reaction within an ICANN fora. But we have to ask the question some time, so let's get over it.

A couple of examples that the panel members might like to respond to is a more direct role for government in administering or overseeing a new TLD for noncommercial registrations, if there were viable. And since some views have been expressed on that already, is there a role for setting data collection standards, which are, either set by or agreed with appropriate government agencies? Who is going to enforce penalties for noncompliance of such standards? At the global level as opposed to the national level, how can any of these models be made to work within acknowledged government, legal, and sovereign frameworks?

Perhaps Ross Rader might like to start.

Ross Rader: That's a big mouthful of questions there.

I think it's important that we, as a community, take a really practical view of this, and I think governments can be included in that. For instance, registrars don't, I believe, adequately understand the interplay between the Registrar Accreditation Agreements, the national law, and the international treaties, and all of these things that surround how this data can and cannot be used and who can use it and who cannot.

It's a big bunch of questions that we have. Our constituency meeting was held on Monday. And we were unable to get the government input into that meeting to help us address those questions. Help us understand, for instance, what we need to do. And perhaps we can build systems that cannot put you in a position of being a regulator or administrator, but as a user of a system that you or your constituents can use.

Willie Black: Yeah, I can try to start on some of these.

I mean, of course, our reaction is that I don't think governments would do this any better than we do. A nice example from the U.K. is the Companies House register, which is limited companies. If you are a director of a company in the U.K., by law, your home address has to be available on the public register.

That's even worse than what we do with the Whois. And so, you know, if that is the kind of legislation that would be applied, then I think there would be a big outcry. There's already a bit of an outcry on the Companies House, particularly if your company happens to work in a sensitive area where people might like to come and lob something into your house. And, you know, governments have not come to us and said, "we need to do something." I don't think they really want to. So maybe you have to ask the government people around, "would you ever want to do this at the present time?"

And with respect to penalties, yeah, that's one where it's very tempting. If you misdeclare to our vehicle licensing people your address or you don't update it, in theory, you can be fined, I think it's a thousand pounds or something. It would be probably quite nice for us if we could fine people for having supplied the wrong data.

But do you think you're actually going to get it? And also, again, it's the ones that are not honest that make the false declarations, and the poor innocent guy who forgot to put something at the end of his address, you know, are you going to penalize that person? So, really, to apply that kind of governmental control to the Whois, I think, is nigh impossible. And it wouldn't help the system very much.

Steve Metalitz: Let's be candid about this.

The alternative to government doing something is to do something privately through contractual agreements. And we have contracts in place. And one of the big problems is that people aren't doing what they said they would do. Bruce Beckwith went through this in his presentation yesterday. The bulk access obligations are not being met.

The obligation to provide Whois data in the first place is being met very spottily among many of the registrars. There isn't even compliance with the UDRP in a disturbing number of cases.

There are just many, many ways in which the contracts are not operating. And people are not doing what they said they would do. Naturally, I think, that increases pressures on government to step in and enact public law when people enter into private agreements and just won't comply with them.

And I understand, I keep hearing about the tension between the contracts and national laws. Well, most of the national laws that people are talking about predate these contracts. These contracts date from 2001 in the current version, 1999 in the original version; the data protection directive was in effect long before that. People walked into this with their eyes open. They knew what they were getting into as far as bulk access is concerned. And I think the fact that the compliance has been so minimal in some of these areas, first it tempts governments to come in where maybe they shouldn't and don't have a role to play. And second, I think it just makes it that much harder to talk about changes to the system, because if the system is going to be changed and we're going to have new agreements in which people pledge to do different things, we should at least have some confidence that people will do and companies will do what they say they're going to do.

And the track record in recent times under the ICANN system is not very encouraging.

Margie Milam: I'd like to follow up on comments, because part of the concern in bringing in the government is we don't want too much regulation. On the other hand, as we discussed in the prior panel, the contractual obligations under the ICANN agreements simply don't provide an enforcement mechanism in certain circumstances.

So, for example, with the bulk access provisions in which many registrars simply refuse to comply, if you're trying to purchase bulk access, you don't have the ability to enforce the ICANN contract. And the reason for that is that the ICANN contracts basically say that there is no third-party beneficiary that can enforce the rights.

So there may be ways of amending the contracts to allow for enforceability so that you don't have to include the government in the enforcement.

Maneesha Mithal: I think on some level the idea of governments imposing some sort of civil or criminal penalties on those who provide false Whois data is very appealing, and I think it is akin to what Willie mentioned about the licensing system. You have to have a license plate. If you falsify the information or if you don't have one, you're subject to fines.

And I think the Whois system can be an analogy.

But I think the one difference is in the Internet world we're talking about a global system. And so I don't think it would be that effective for one country to enact laws providing for civil or criminal penalties for failing to provide accurate Whois data. So I think there needs to be an internationally coordinated approach that national law just won't address.

Alan Davidson: I can't speak really to the question about registrars and registries and their contracts, but just from the point of view of individuals, I think perhaps we should ask ourselves is part of the reason why individuals may not be complying with the obligations that we think we're imposing on them may be because those obligations are widely believed to be unreasonable.

And in some circumstances, putting personal information into a public database just may not make sense for individuals, and they are going to disobey that, and I think we should really think carefully about trying to impose some kind of harsh penalties on people for trying to protect their privacy, their basic privacy rights. And there's been some sword rattling going on about national law, let's get a national law passed to do this. I think those kinds of national laws would face a lot of opposition, even in the United States from groups who really care about privacy.

We would do much better by trying to work this out, some kind of self-regulatory system. We talked about solutions that make a lot of sense, tiered access being one of them. I'm hard pressed to hear that filling out a form is too much of a hurdle for law enforcement in order to get very sensitive personal information.

Ross Rader: If I could add to that, I think noncompliance is something you see across the board, whether with registrars, registries, users, but also with licensees, applicants, failing to disclose what they'll be using the data for, with whom they're trading the data, et cetera, et cetera. So there's really more on the table than simply noncompliance.

Willie Black: A point about bulk access, because we tried, in fact we still do it a little bit, give bulk access what we call public registrar subscription service. So it's basically what you can see on the public Whois and we just gave the whole database under contract to appropriate trademark watching people, people who would actually sign up to contract.

And of course, again, the whole thing gets messed up by somebody coming along, making the declaration, and then misusing the data.

And with bulk Whois, once you've done it once, all you need to do is make the declaration, take the data and you've got another spam database for six months, and then you shut down the company and come back in a new guise and ask for another new contract.

Yes, you can enforce it. Once it's been done, you can see the guys have breached your contract. There's nothing you can do about it. They've taken the data once, you've discovered it and they've misused it.

Bulk access is not easy to deal with, so whoever is designing the bulk access, please take care.

Henning Grote: So just one remark, just a few words concerning the basic question, role of the governments, private sector interaction. What we just discussed, as I see it, also from the ISPs and from the registrars' perspective, it's all private sector, period.

The role of the governments, as I understand it, and a role that would also be very serving to the communities, to the national legislations, to everybody, is then to agree on this very basic framework that has to be addressed.

Just to give an example, if there might come into existence something like this tiered access, what are the procedures on the government side, on the legal side to enhance the law enforcement processes in detail, for example, for cross-border cooperation and all that.

These are all issues that ISPs and registrants don't want to deal with.

So to make it short, the role of the government would be a very serve and cooperative one if it's really in the basic framework. Well, indeed it's our job to do this right, and within a framework and in cooperation.

Robin Layton: I'd like to wrap up this session by asking each panelist in one or two sentences how they would characterize a new approach to the Whois system that would best balance competing public policy goals. Let's start with Ross and just move through. Thank you.

Ross Rader: I guess, you know, I'd summarize with the restatement of what I opened up with.

I think as a community, we need to work together on this, first and foremost. Taking a short-term view is not as appropriate as taking a long-term view. And really, if I would advocate one point that each of you would take away it would be to think of what your requirements are for these tools, and then allow the technicians to build those tools.

And while they're building those tools, let's take a look at what policies we need to govern the use of those tools once they're completed.

We've got all the parts. We just need to put it together. And I think we can, and it's not going to be easy, it's not going to be quick, but we can solve the problem. We're not talking about sending people to Mars. We're talking about a public database.

Willie Black: Yeah. Of course, with all humility, I would rather think that we've done quite a good job in .uk to balance the things, so I would obviously recommend that you look at our experience.

It isn't perfect, because you cannot actually satisfy both the requirements at the same time. There is a compromise. And we try to get that compromise. So that's the first thing to do, look for the middle path.

The other maxim is crooks are crooks. They don't care if they breach contract law. They don't actually care if they breach other bits of criminal law at times to get what they want. And whatever is designed, you must remember that they will do that.

And I think lastly, I would commend the slightly thicker registry. I think you can solve problems by having the registry take the role of dealing with the Whois rather than having a competitive environment. It shouldn't really be competitive among registrars to deal with Whois. I think it's a core function of the registry.

But, you know, maybe you're too far down the line on that to try to back out from that particular one. But that's just some thoughts.

Alan Davidson: I think, you know, in summary, there needs to be more consideration of privacy interests both to promote accuracy and to comply with international standards of privacy, common sense, and national law. And I think we can do that.

There is a combination of tools that are out there, a lot of experience in how to deal with those tools that can be used. Tiered access is one of them, audit, notice, better domain by proxy, which we didn't talk a lot about, potential changes to bulk access, that could do a much better job of balancing.

And those tools can provide a lot of access and reasonable circumstances while doing a lot to protect privacy.

I think the line in the sand of it must not create any burden on those who want access is just not tenable. To say that it's too much of a burden to fill out a form in order to get people's personal private information, it's just not the most impressive argument.

I think that, finally, I would just say that whatever we do must be consistent with ICANN's mission. And particularly its attempt to try to be a thin organization that doesn't try to get into the policy setting space or minimizes its role in that space. This is a very policy issue. I think staying away from things like ICANN trying to come up with a master list of every law enforcement agency in the world or who is a bona fide IP enforcement agency, those kinds of things should be avoided, and I think they can be avoided by coming up with some very thin structures that will do a lot to protect privacy and balance it with these other reasonable needs.

Henning Grote: Although we experience very often some back firing in general, I think in lots of parts of the areas, ICANN has worked and we all as a private sector has worked, there have been an appropriate job has been done. Nonetheless, it has to be checked, really, and that's echoing what Ross just said. What is needed? What do you really need? What kind of attributes in such a public database?

And balance that against a reliable legal framework for these private operations. And it's a very, very easy and clear necessity for LIR operators, registrars, and so on and so forth, that, for example, just need a unified approach, who just need a unified tool set, not a whole array of different protocols, suites, tools, whatever you want.

So just let's go on with work. Thank you.

Steven Metalitz: Thank you. I agree that we need to ramp up the discussion here, and I think we should be guided, I'll just suggest, by four criteria as we look at changes to the Whois system.

First, we should recognize that Whois advances some very important objectives of promoting transparency and accountability on the Internet. And those objectives have not become less important with the growth of the Internet and the development of e-commerce; they've become more important.

So if we're going to build confidence in the online world, I think we have to have a system that continues to advance those objectives.

Second is the enforcement question. Whatever we come up with has to be enforceable, there has to be enforcement mechanisms, and there's no sense in changing the rules if they're not going to be observed any more assiduously than the current rules are sometimes being observed.

The third, I think, which we haven't talked much about, is the role of technology. I think we've heard earlier in this workshop about some technological tools that might help ameliorate some of these problems of abuse of Whois. I know technology is not going to solve these problems by itself, but I think it has a role to play.

And finally, I don't want to impair Willie's humility any, but I think we might learn something from some of the CC's about the fact that sometimes there's really no substitute for making some tough decisions on a manual basis. We heard about how .nl, how they handle the opt-out process. It's very different from what we have come to see about the opt-out process, for example, in bulk access. They actually apparently look at every request for opt out and judge it on its merits. And we had a very good presentation in the Whois task force a year or so ago about how .ca works on improving the accuracy of Whois data by having somebody look at applications, registrations as they come in.

Now, I know that many registrars and registries don't like the idea that everything can't be automated and sometimes you actually have to look at what you're doing and make tough decisions, but that may well be what's required in order to achieve the appropriate balance here.

And I just wanted to thank, also, the organizers of this panel and the whole workshop for what I think has been a very excellent program.

Maneesha Mithal: Thanks. I think I may be in the minority here, but I think there can be a commercial/noncommercial distinction. Willie mentioned that there's, in .uk an opt-out option for noncommercial registrants, there's a commercial/noncommercial registration, and there's a whole body of law that deals with the distinction between commercial and noncommercial.

And so for the commercial sites, I would recommend status quo with better enforcement to ensure accuracy. And for noncommercial sites, I think maybe there could be -- and this is just an idea I'm throwing out there -- there could be a new gTLD created for noncommercial sites where there would be more gatekeeping. There's precedent for that in the .name space and .pro and .museum.

And I guess another idea would be you could have people self-declaring whether they're commercial or noncommercial, and then you could have some sort of system where if somebody points out to the registrar that a noncommercial site is engaging in commercial trading, that site could be taken down or there could be some sort of expedited procedure for getting that site down.

So those are just some ideas, but I think the bottom line is the public should have access to all Whois data for commercial sites. Law enforcement should have access to Whois data for all sites, and I think we can go from there.

Margie Milam: I'd like to echo Maneesha's comments as well. With respect to bulk Whois, I could see a bifurcation of commercial and noncommercial because there are uses in the commercial world for information in the bulk access approach.

With respect to personal consent, you could consider an approach where notice is sent out to the registrants and asking them for a formal consent to opt into the Whois record.

I am surprised with some of the comments today that no one's focused on the fact that individuals might actually want their information publicly available so that they can keep track of their registrant data, they can make sure that it's not going to expire, and there very well may be instances where persons want their Whois information publicly available.

I'd also like to think about the concept with bulk Whois to eliminate spamming concerns, because I know that is a significant concern in the industry, and particularly among registrars, that the bulk Whois provisions could eliminate the e-mail access and then that way it reduces the incentive for someone to purchase the information to develop a marketing list. So that's something that might be a solution that could work for the industry.

And finally I want to emphasize the fact that we would need to couple the changes with enforceability because we don't want to have a repeat of the experiences we have today.

Pat Beardmore: Thank you. A couple of things. I don't want to start the Willie Black fan club going here.

(Laughter).

Pat Beardmore: I could start it, if you like, but I want to confirm, and I think it is pure coincidence we're on the same board but I've been working with the .uk umbrella in terms of law enforcement for about four or five years now and it does actually work. Even though we can't access certain data directly from Nominet by the Whois network, they do show great cooperation in working with law enforcement in trying to get us the data we want, obviously legally but quickly as well. And I do appreciate that.

One final thought is that I think there's a danger that law enforcement, if we keep banging the drum, and it is important about having the data available quickly, trying to keep it public ideally, keeping our heads down, et cetera, but at the same time I wouldn't want law enforcement to be seen as isolationist. We don't work in a plastic bubble, and it is important that we do our best to see other arguments in the same way that I would hope that you are doing your best to see the law enforcement arguments as well. And hopefully by going through that process we can eventually come to some sort of agreeable system.

Robin Layton: I think this has been a really useful discussion. I think there seems to be some consensus that the privacy concerns are more on noncommercial concerns and tiered access might be a concept as long as it's easy, cheap and scalable. And we've also heard that ccTLDs may give us some useful lessons in how we might look at these issues.

There are still many unresolved issues. There are problems to explore with tiered access. Would it pose a burden on law enforcement? How would we authenticate law enforcement officials or other authorized users? Does it satisfy data privacy laws? And if it applies only to noncommercial, how do we distinguish between the two?

It's also unclear that there are better solutions out there, such as setting aside a new gTLD. We've heard comments on both sides of that issue with greater privacy, or whether more government input is needed.

I think one of the reasons we're all participating in ICANN is that we're here to try to explore as much as possible private sector solutions with public input and public policy concerns taken. So we want to work towards a solution that will balance all of these interests in this fora.

I want to thank all the panelists for what I think has been a marvelous setting out of the issues. That was our goal today. We weren't trying to necessarily resolve anything. We just wanted to get everything out on the table, and I think you've done an excellent job with that.

We will break now. We'll come back at 11:00 for open public discussion.

All of the panelists from both panels this morning will be up here on the dais and be able to field questions. Thank you very much.

(Applause).

Michael Roberts: I think that we ought to try to begin the public question and answer session, please. Everyone take their seats. Can we have all of the panelists take a seat behind a mic up here?

Vint Cerf: Mike, I'd like to make a request of the board members who may be participating in this part of the discussion. I'd like to ask the board members to treat themselves as if they are simply members of the audience and queue up at the microphone to ask questions, just like everybody else. Thank you.

Amadeu Abril I Abril: Here I am.

Michael Roberts: Let me make a few more comments by way of introduction to this session. We had a certain amount of confusion yesterday about the e-mail address for comments from the remote. The e-mail address that is being monitored is Whois-workshop@icann.org.

Second, we used to have a practice in ICANN of having a large countdown clock that we put up on the screen. We haven't been doing that, and we're not going to revive it this morning, but there's a great deal of interest in the subject, and I'd very much like to ask those who have questions or comments to observe a two-minute rule on those questions and comments.

So are the panelists prepared to field questions here? Looks to me like they're all ready. And Amadeu, I'm sure that you have a very good question for them.

Amadeu Abril I Abril: Well, in alphabetical order, I'm Amadeu Abril I Abril, sometime board member now who is an observer for the last year. I will not do the usual things about the workshop, it's been very useful, but I still have some problems, and let's go for the problems.

First, a confession. Sometimes it's very comforting not to have you as citizens, not to be a U.S. resident and to be here in Montreal and across the border because it's quite frightening to listen to John Logalbo from the Department of Justice say things like legal process is slow. I was told in law school it was slow because there are some guarantees to be provided sometimes. And guarantees are also important, not only speed.

But anyway, registrars should somehow check the data. Well, this is slow. Like legal process.

And third, if you have problems with complying with local legislation, tell your local government to change the legislation. Thanks for the advice, but it should be reversed. I would tell the U.S. government to change the legislation. If you are so worried about fraud -- and you should be, because the vast majority of the percentage of the fraud, spam, comes from, what I say, this country and other regions, why don't you enforce legislation to force this information to be on the web site and e-mails and any commercial activity, and then you find those people will provide this information.

The DNS is not a universal solution for everything. It may be a solution but it's not the only one and you have many other tools, not only registers, registrars, and ICANN.

Second thing, and this is the most important part, this workshop has been very useful, but we will need from now on to be more careful. That is, Whois is nothing. Whois is a set of data. And we need to find a solution. If Whois should be public or not, we should discuss for each single piece of data where it should be.

In the old times, before ICANN in the IHC days, we're preparing a list of what the registrar has to ask, what the registrar has to send to the registry; for instance, credit card, billing information must be required by the registrar but it must not be made publicly available, not sent to any third party.

Then regarding what the registry has, what part has to be publicly available? And today, we should change the question, what should be publicly available that is Whois -- what should be published, and what should be made available on request?

Perhaps this new part, what should be made available on request, is the most difficult part because then we need implementation procedures. But for each single data, to assert the need for having the data, the risks of having the data, and then the relative cost and balance, you k