ICANN/DNSO
DNSO Mailling lists archives

[nc-impwhois]


<<< Chronological Index >>>    <<< Thread Index >>>

Re: [nc-impwhois] Melbourne IT WHOIS implementation comments


Bruce,

ACCURACY
I agree with your suggestions regarding 1 and 2. And excellent suggestion
regarding 3.

I would also suggest that further definition of a valid "complaint about
WHOIS accuracy" is needed. I'm concerned about frivolous submission of
complaints that could quickly overwhelm a registrar's current resources to
deal with them in a timely manner. Some complaints we receive are simply
based on the fact that the complainant received no response to their
attempts to email someone.

For example, someone could submit a complaint about the accuracy of the
WHOIS data of Microsoft.com. If the sponsoring registrar's employees
dealing with these complaints use the email method, then if someone at
Microsoft does not respond within 15 days the domain could potentially be
put on hold. I cringe at the thought of the potential litigation that would
ensue as a result.

That is an extreme example, but very possible. Large organizations with
floods of communication to deal with on a daily basis may not be
immediately responsive to emails or postal communications. Large registrars
who face floods of WHOIS accuracy complaints will certainly handle it
through a production line like process and may not always catch potentially
high profile complaints.

I suggest that any complaint about WHOIS accuracy be accompanied by
documentary proof of the inaccuracy, such as from one of the accredited
authentication agencies. If a complaint is received without documentary
proof, then the process in 3 would be optional.

Tim

 -------- Original Message --------
   Subject: [nc-impwhois] Melbourne IT WHOIS implementation comments
   From: "Bruce Tonkin" <Bruce.Tonkin@melbourneit.com.au>
   Date: Thu, January 16, 2003 1:15 am
   To: <nc-impwhois@dnso.org>

   Hello All,

   Here are some Melbourne IT comments on implementation of the WHOIS
   recommendations.

   ACCURACY

   (1) Transfers Task Force Recommendation (WHOIS update at renewal)
   "Registrars must require Registrants to review and validate all WHOIS
   data upon renewal of a registration. (effectively an extension of RAA
   clause 3.7.7.1 above) The specifics of required validation remain to
   be determined by this Task Force or another appropriate body."

   This is implementable IF:
   - the registrar presents the WHOIS data to the registrant at time of
   renewal (via website, fax, or postal message) = REVIEW - the
   registrant is required to confirm that the data is still current, or
   update the information, and warrant that the information is still
   correct = VALIDATE

   It is not feasible for the Registrar to validate the data (e.g make
   phone calls to registrant, ring post office to confirm address exists
   etc).  A registrar may optionally use various heuristic techniques to
   do some data validation (e.g check that a USA city existing within a
   particular USA state) - but such techniques are not applicable
   uniformly across the globe.  In general it is in the registrars best
   interests to get accurate data as it increases the chance of a
   successful renewal - so there are commercial incentives here for
   clever registrars.

   I suggest rewording to:
   "Upon renewal of a domain name, a registrar must present to the
   Registrant the current WHOIS information, and remind the registrant
   that provision of false WHOIS information can be grounds for
   cancellation of their domain name registration.  Registrants must
   review their WHOIS data, make any corrections, and warrant that the
   data is correct to the Registrar."


   (2) Transfers Task Force recommendation (Redemption Grace Period
   issue) "When registrations are deleted on the basis of submission of
   false contact data or non-response to registrar inquiries, the
   redemption grace period -- once implemented -- should be applied.
   However, the redeemed domain name should not be included in the zone
   file until accurate and verified contact information is available. The
   details of this procedure are under investigation in the Names
   Council's deletes task force."

   The principle is OK.
   The wording of "accurate and verified" needs to be updated in the
   context of the recommendation that relates to correction of data
   following a complaint.  See below:


   (3) Transfers Task Force recommendation (Data correction following a
   complaint) "When registrars send inquiries to registrants regarding
   the accuracy of data under clause 3.7.8 of the RRA, they should
   require not only that registrants respond to inquiries within 15 days
   but that the response be accompanied by documentary proof of the
   accuracy of the "corrected" data submitted, and that a response
   lacking such documentation may be treated as a failure to respond."

   This recommendation is not implementable in its current form.

   Implementation of this will depend on the business model of the
   individual registrar and the level of service/price paid for the
   domain name.  For example a registrar that charges $6 for a domain
   name, would likely only send an email message to the registrant to
   update the information.  A registrar that charges $1000 for a domain
   name to a large corporate client would likely use every means possible
   to contact the registrant (phone call, send letter, send a staff
   member to visit in person etc).

   The 15 day period also relates to the implementation.  It should be
   extended to 30 days if the registrar chooses to use postal mail to
   communicate with the registrant.

   In terms of requiring documentary proof - other than just storing the
   documentary proof - registrars are not authentication agencies (they
   collect information and store it in a registry) - they do not have
   skilled staff capable of detecting whether a document is real or a
   forgery, nor could they be expected to have staff with knowledge of
   all types of documents across all countries.

   The recommendation needs to identify a cost effective minimum
   implementation.

   There are two components:
   - contact of the registrant
   - correction of information

   Contacting the registrant is a common problem for registrars at the
   time of renewal, and various methods are used.  Most registrars use a
   final step of placing the name in REGISTRAR HOLD status (the name is
   locked and removed from the zonefile).

   I will suggest the minimum implementation:

   IN RESPONSE TO A COMPLAINT ABOUT WHOIS DATA

   First phase:
   CONTACT phase
   - registrar sends an email to all contact points available in the
   WHOIS (e.g registrant, admin, technical and billing) to request the
   information be corrected - if no response is received after 15 days
   the name should be placed in REGISTRAR-HOLD status (or equivalent) -
   the registrar can continue to try to contact the registrant using
   various other means, but normally the registrant of an active name
   will contact the registrar themselves - the name would remain in
   REGISTRAR-HOLD status until the contact information is updated, or the
   name is deleted from the registry for lack of renewal - this protects
   the registrant from any attempts at domain name hijacking, and also
   protects the community from any unsatisfactory practices resulting
   from the use of the domainname for a website or email

   CORRECTION phase
   - registrar must present to the Registrant the current WHOIS
   information, and remind the registrant that provision of false WHOIS
   information can be grounds for cancellation of their domain name
   registration.  Registrants must review their WHOIS data, make any
   corrections, and warrant that the data is correct to the Registrar. -
   if within 60 days of updating the information, an independent
   authenticating party provides confirmation (a list of accredited
   authenticating parties to be defined, and a mechanism for them to
   securely communicate with registrars electronically) that the contact
   information is still incorrect - then the name will be placed on
   REGISTRAR-HOLD (or equivalent) until that authenticating party
   certifies that the information is correct.  The cost of the
   authenticating party would be borne by the complainant.  This clearly
   separates the registrar role of data collection and not
   authentication. - ICANN will need to accredit authentication parties
   in the same way that UDRP providers are accredited.   - The data
   accuracy complainant will need to pay the costs of the authenticating
   party verifying that the contact information is incorrect.   - The
   Registrant will need to pay the costs of an authenticating party to
   verify the corrected information.  Could be a different authenticating
   party to the one used by the data accuracy complainant. - a Registrar
   will be entitled to charge for the costs of updating WHOIS information
   via an accredited authentication agency (as their is likely to be
   manual processes involved).


   Thus I suggest the following rewording of this recommendation:

   "(a) Upon receiving a complaint about WHOIS accuracy, a registrar must
   at a minimum send an email to all contact points available in the
   WHOIS (including registrant, admin, technical and billing) requesting
   the WHOIS contact information be updated.  If no response is received
   after 15 days a Registrar must place a name in REGISTRAR-HOLD (or
   equivalent) status, until the registrant has updated the WHOIS
   information.   If a registrar uses postal means to communicate with
   the registrant, then the 15 days is extended to 30 days before the
   name is placed in REGISTRAR-HOLD status.

   (b) Once contact is established, the registrar must present to the
   Registrant the current WHOIS information, and remind the registrant
   that provision of false WHOIS information can be grounds for
   cancellation of their domain name registration.  Registrants must
   review their WHOIS data, make any corrections, and warrant that the
   data is correct to the Registrar.

   (c) If within 60 days of the contact information being updated, an
   accredited authentication agency informs the Registrar that the data
   is incorrect, then the name will be placed in REGISTRAR-HOLD status
   until the registrant provides contact information that has been
   verified by an accredited authentication agency.


   BULK ACCESS
   Melbourne IT supports the recommendation.  Some further clarification
   of the definition of "marketing activities" would be useful.

   Regards,
   Bruce Tonkin





<<< Chronological Index >>>    <<< Thread Index >>>