ICANN/DNSO
DNSO Mailling lists archives

[ga]


<<< Chronological Index >>>    <<< Thread Index >>>

Re: [ga] Registrar Advisory Concerning Whois Data Accuracy


At 02:44 PM 14/05/02 -0700, William X Walsh wrote:

>Sunday, May 12, 2002, 12:43:34 PM, Gary Osbourne wrote:
>
> > With this advisory, now they have to if anyone asks.
>
>No, they don't have to if someone simply asks.

First para, second sentence here:
http://www.icann.org/announcements/advisory-10may02.htm

----
  Registrars are required to obtain contact information from
  registrants, to provide it publicly by a Whois service, and
  to investigate and correct any reported inaccuracies in
  contact information for names they sponsor.
----

To investigate and correct *any* reported inaccuracies.
That doesn't sound too limiting or any different from
what I wrote.

Below that:

----
  Relevant Provisions of the Registrar Accreditation Agreement

  C. Registrar Obligation to Correct Inaccurate Data

  [...] Registrar shall, upon notification by any person of
  an inaccuracy in the contact information associated with a
  Registered Name sponsored by Registrar, take reasonable steps
  to investigate that claimed inaccuracy. [...]
----

'Any person' isn't too limiting, but I agree this limits it
somewhat to 'reasonable steps'. Below that the Registrar
advisory lays out what it considers to be reasonable steps:

----
  Obligation to Investigate and Correct Reported Inaccuracies

  Subsection 3.7.8 of the RAA obliges registrars to "take
  reasonable steps to investigate" any inaccuracy in Whois
  data upon notification from "any person." In order to
  facilitate compliance with this responsibility, registrars
  should establish a clear mechanism for receiving,
  investigating, and tracking reported inaccuracies in their
  Whois data. In the absence of a clearly designated contact
  or channel for receiving complaints about inaccurate Whois
  data, registrars are responsible for acting upon
  "notifications" that may be received by diverse, and even
  informal, means. This may make it difficult for registrars
  to fulfill their obligations.
----

I read this as a requirement for registrars to either set
up an automated system to accept complaints from "any
person" (which isn't very limiting, it *is* if someone
simply asks, as I said), or not set up an automated system
but still accept the complaints regardless of how they are
received (also not very limiting). The advisory goes on:

----
  [...] At a minimum, "reasonable steps" to investigate a
  reported inaccuracy should include promptly transmitting
  to the registrant the "inquiries" concerning the accuracy
  of the data that are suggested by RAA Subsection 3.7.7.2.
----

This begins by seeming to allow for an automated in/out
system whereby a received complaint could be forwarded
to the registrant for a response. The advisory doesn't
state whether the complainant's identity is kept private,
which seems a rather gaping oversight, unless the intent
is to leave it up to registrars. If the complainant's
identity is disclosed that might cut down on frivolous
complaints. Then again, the registrar would then have
to either leave it up to the complainant to use
accurate data or verify the complainant's identity
(this advisory seems to suffer from progressive faults).

Regardless, even such an automated process would
eventually get labor intensive as once the response
from the registrant was received it appears it would
have to be evaluated by a human. Further:

----
  The inquiries should be conducted by all commercially
  practicable means available to the registrar: by telephone,
  e-mail, and postal mail.
----

I'm unclear on the meaning of this. Are they saying that
one must use *all* these means? It seems so. But do they
then limit it by saying 'commercially practicable' ie:
if it isn't commercially practicable for the registrar
to use the telephone or postal mail (one hopes they
could afford email) to conduct enquiries, then they don't
have to. Presumably many registrars would then not do so.

Or does it mean by all the listed means *plus* anything
commercially practicable? Or does it mean on a case by
case basis? eg: the registrant is listed as being in my
city, I'll give him a call vs. the registrant is listed
as being in Antarctica, I'll limit it to email. Regardless,
this still implies the need for a human to spend time on it.

Finally, once the registrar receives the data from the
registrant, they have to analyze it, unless they don't
receive any:

----
  Cancellation of Registrations in the Event of Material
  Breach by the Registrant

  If the registrant fails to respond "for over fifteen
  calendar days to inquiries by Registrar concerning the
  accuracy of contact details", then pursuant to
  RAA Subsection 3.7.7.2 the registrant is in "material
  breach" of its registration agreement with the registrar.
  That subsection also provides that "willful provision of
  inaccurate or unreliable information" shall constitute
  a material beach of the registration agreement.
  [...] Accordingly, if the registrar's investigation
  results in a determination that the registrant is in
  material breach of its registration agreement, then in
  the absence of extenuating circumstances the registrar
  should cancel the domain registration.
----

As an aside, if I read this right, by not responding to
such a requrest within 15 calendar days, the registrant
should have his/her registration cancelled, as there
are probably no extenuating circumstances. Under the
proposed grace period if your domain registration
expired you'd have at least thirty days to rectify it.

If you have inaccurate WHOIS data you'd only have
fifteen days to rectify it. This doesn't make much
sense to me, as one of the main causes of inadvertent
expiration is no longer valid WHOIS info. Therefore
those wanting domains to drop so that they could be
picked up have an incentive to point out inaccuracies,
and they might not care whether they exist. /end aside

Assuming contact is made with the registrant, it is
then up to the registrar to decide whether there are
"extenuating circumstances" or whether there was
"willful provision of inaccurate or unreliable
information". This could be very labor extensive,
and also a potential liability for the registrar if
they cancel a domain and there is a dispute between
the former registrar and the registrant about what
constitutes "extenuating circumstances" or "willful
provision of inaccurate or unreliable information".
There could also be a liability if the complainant
is, for example, a lawyer and/or big corp wishing
to have a domain cancelled and the registrar doesn't
do so, for what it considers valid reasons. So
registrars would be better off in that sense to
spend time and resources on each case than to make
snap decisions.

The least time consuming and safest course for a
registrar might be to assume by default that there
are "extenuating circumstances" in each case.

That is, spend less time on inaccuracies reported
by netkook123@yahoo.com than those reported by
weasel23@massive-lawfirm.com. It also isn't
impossible to imagine that a registrar may come
to a different reading of the circumstances or
what constitutes willfulness, depending on who
is asking, though that would mean even more time
and resources spent by the registrar.

This isn't a black cloud for everyone though.
Namedrop services (or Verisign's WLS) should
benefit from having more names made available.
In fact the original registrant could use such
a service to get the name back again (under the
WLS they'd be *assured* of getting the name
back again!) and entering different, and not
necessarily accurate, WHOIS info. Repeat as
necessary.

>Otherwise a registrar could virtually bankrupt his
>competitors by hiring people to challenge
>registrations all day long.

Well, within certain not very limiting limits,
it does seem to say that they can do so 24
hours/day. And they probably wouldn't need to
hire too many people, it could be automated.

Apologies for length but perhaps someone could
have pointed out some of the above, and no doubt
more, in what seems a poorly thought out advisory.
Why was it not discussed in advance with (and
even amongst) representatives of affected parties?
This clearly didn't come out of an open,
transparent, bottom up process and it shows. -g

--
This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html



<<< Chronological Index >>>    <<< Thread Index >>>