Message from Louis Touton to Marilyn Cade
-------- Original Message --------
Subject: [RE: [nc-whois] FYI - ALAC discussions on 15 days issue]
Date: Thu, 30 Jan 2003 21:02:00 -0800
From: Louis Touton <email@example.com>
CC: Dan Halloran <firstname.lastname@example.org>, email@example.com, firstname.lastname@example.org
In our recent telephone conversation, we discussed that it might be useful to the Whois-policy-development process to summarize the currently effective requirements concerning what has been referred to as the "15-day period." Some of the comments about the requirements indicate that the current requirements are misunderstood, even by sophisticated analysts. (Compare, for example, Bret Fausett's 8 January 2002 comment on the Task Force's Whois report at <http://dnso.dnso.org/dnso/dnsocomments/comments-whois/Arc02/msg00021.html> with his 11 January correction to that comment, noting that he had confused two different 15-day periods. The correction is copied at the bottom of this message.) Perhaps some level of confusion is inevitable concerning agreements that have many provisions with complex interworkings. A clear understanding of the current requirements, however, should be helpful in assessing the merits of various suggested policy changes.
Subsection 188.8.131.52 of the current (May 2001) registrar accreditation agreement requires that registrars include in the registration agreements they enter with their customers a provision that *permits* the registrar to cancel a domain-name registration in either of three circumstances:
1. The customer's "willful provision of inaccurate or unreliable information";
2. The customer's "willful failure promptly to update information provided to" the registrar; or
3. The customer's "failure to respond for over fifteen calendar days to inquiries by Registrar concerning the accuracy of contact details".
Condition (3) above, it should be noted, is only triggered when the customer fails to respond to an inquiry; it is not triggered when the customer responds to the inquiry but does not complete any corrections to inaccurate or out-of-date Whois data within 15 days. Unlike conditions (1) and (2), which require willful transgressions on the part of the customer, condition (3) is triggered without a specific showing that the customer's failure to respond is willful, in recognition that the ability to prove willfulness tends to be frustrated by a customer's refusal to engage in dialog with the registrar.
Subsection 184.108.40.206 of the registrar accreditation agreement does not *require* a registrar to cancel a registration in the event a customer fails to respond within 15 days. The current contractual structure of requiring the registrar to retain the *right* to cancel if the customer fails to respond in 15 days, but not requiring the registrar to *exercise that right* is intended to give the registrar the flexibility to use good judgment to determine what action should be taken upon a customer's failure to respond to an inquiry about a Whois inaccuracy. According to the theory of the current registrar accreditation agreement, the appropriate course of conduct for a registrar varies depending on a variety of factors--including the materiality and severity of the inaccuracy, the customer's past conduct with respect to correcting inaccuracies, the extent of harm to third parties, etc. Where an inaccuracy is minor (e.g., an incorrect postal code), appears inadvertent (e.g., transposed digits), and harms no third party (e.g., readily available means of contacting and locating the customer are provided by the data that is given), the case for immediate action is weak. The contractual design is that in such cases the registrar, which after all is motivated to promote good relations with its customer, will not act precipitously. Where, on the other hand, it appears that a customer has deliberately provided severely false Whois data and third parties are being significantly harmed by the maintenance of the registration with the inaccurate data, prompt action by the registrar is appropriate. Under the theory of the current registrar accreditation agreement, the registrar is given discretion to act as appropriate in the particular circumstance of the particular case.
The provision of the registrar accreditation agreement limiting the registrar's discretion is subsection 3.7.8, which states in part:
Registrar shall, upon notification by any person of an inaccuracy in the contact information associated with a Registered Name sponsored by Registrar, take reasonable steps to investigate that claimed inaccuracy. In the event Registrar learns of inaccurate contact information associated with a Registered Name it sponsors, it shall take reasonable steps to correct that inaccuracy.
This requirement that registrars "take reasonable steps" is intended to reinforce the flexibility afforded to registrars that do not receive responses from their customers. As noted above, the time that a registrar should wait for a response from its customer varies according to the nature of the inaccuracy and the circumstances from which it arose. The current provision is based on the conclusion that a requirement of reasonable action by the registrar is better than a fixed timetable, while assuring that the registrar has the ability to cancel after 15 days of no response in very serious cases.
These features of the registrar accreditation agreement are discussed in the 10 May 2002 "Registrar Advisory Concerning Whois Data Accuracy", posted at <http://www.icann.org/announcements/advisory-10may02.htm>, which states in part:
Once a registrar receives notification of an inaccuracy, Subsection 3.7.8 requires the registrar to take "reasonable steps" to investigate and correct the reported inaccuracy. The term "reasonable steps" is not defined within the agreement; precisely what constitutes reasonable steps to investigate and correct a reported inaccuracy will vary depending on the circumstances (e.g., accepting unverified "corrected" data from a registrant that has already deliberately provided incorrect data may not be appropriate). At a minimum, "reasonable steps" to investigate a reported inaccuracy should include promptly transmitting to the registrant the "inquiries" concerning the accuracy of the data that are suggested by RAA Subsection 220.127.116.11. The inquiries should be conducted by all commercially practicable means available to the registrar: by telephone, e-mail, and postal mail.
Under this guidance, ICANN reviews registrar compliance based on a standard of reasonable conduct by the registrar in the circumstances. Where, for example, a registrar appears to "to routinely ignore reports of inaccurate and incomplete contact data in its Whois database", ICANN has taken enforcement action by presenting the registrar a formal notice of breach. See Letter from Louis Touton to Bruce Beckwith (3 september 2002) <http://www.icann.org/correspondence/touton-letter-to-beckwith-03sep02.htm>. Where such a notice of breach is presented, subsection 5.3.4 of the Registrar Accreditation Agreement gives the registrar 15 working days to cure the breach before proceedings to terminate the accreditation can proceed. This 15-working-day period, however, is a different one than the 15-calendar-day period after which cancellation of a registration becomes possible under a registration agreement due to a customer's failure to respond to the registrar's inquiry about Whois inaccuracies.
I hope the above is helpful to the Task Force's review and development of recommendations for Whois policy improvements.
-------- Original Message --------
Subject: RE: [nc-whois] FYI - ALAC discussions on 15 days issue
Date: Thu, 30 Jan 2003 22:16:27 -0500
From: "Cade,Marilyn S - LGCRP" <email@example.com>
To: "Thomas Roessler" <firstname.lastname@example.org>, <email@example.com>
CC: "Louis Touton (E-mail)" <firstname.lastname@example.org>, "Bruce Tonkin
A new data point.
I think that we may be misintrepreting wht the present requirement is.
Let's get the ICANN staff to tell us what the present obligation is..
I've cc'd Louie and if he can just online explain what the present obligation is, we can work from there.
I'd like to make a brief follow-up comment and clarification to the post I submitted earlier this week:
First, I understand that there are two provisions of the Registrar Accreditation Agreement that provide fifteen (15) day response periods for different actions. Section 18.104.22.168 requires registrars to include in their registration agreements with registrants a response requirement for queries about data accuracy. Section 5.3.4 provides registrars fifteen (15) days to respond to notices of breach from ICANN. In my original comment, I implied that Section 5.3.4 (which ICANN invoked in September, 2002 to cure whois problems at Verisign Registrar) was what was driving short response deadlines from registrars to registrants.
While I appreciate that the correct section for registrant response deadlines is Section 22.214.171.124, the interplay between the two sections may still be a cause of some registrars asking their registrants to respond to registrar queries in a shorter time frame. At least my registrar viewed the requirement of Section 126.96.36.199 as a maximum response time, leaving it free to set a short time for my response. Possible solutions might be (a) to provide registrar a longer response time under Section 5.3.4 (so they didn't feel required to make response time from their registrants even shorter) or (b) to set a minimum response time for registrants under Section 188.8.131.52, so registrars so longer have discretion to set a shorter time.
Second, in my original post I wrote that it was my understanding that ICANN logged only the IP address of the complainant. I now understand that ICANN not only requires the name and e-mail address of the complainant but that it also already utilizes the kind of confirming methodology that I suggested. That's good news. At the same time, additional steps should be taken to discourage fraudulent complaints. On some level, fairness would indicate that some sort of symmetry should apply between the sort of data that a registrant must provide for the whois database and what a complainant must provide to make a complaint. Similarly, it wouldn't be unreasonable to require the complainant to provide as much authentication to the given registrar about his or her identity as the registrant would have to provide to confirm his or hers in responding to the complaint.
I also encourage ICANN and members of the Whois task force to think further about ways to discourage fraud, not only in the whois database, but also in complaints about the whois database.