RE: [nc-impwhois] Melbourne IT WHOIS implementation comments
I was called away and not able to make the call today. But it sounds as
though there is a presumption that only complaints that come from ICANN's
online WHOIS complaint form are considered valid complaints. I would
certainly have no objection to this "funnel" for these complaints. That
would leave registrars with more discretion in how to deal with complaints
from other sources. Also, that should then be made clear in the
implementation report.
I agree that it should be the burden of the complainant to
prove/demonstrate/document the inaccuracy when making the complaint.
However, the challenge process should also not be designed without any cost
or responsibility on the part of the complainant should they choose to use
it.
The cost of any process/utility to VALIDATE international contact data for
ACCURACY should not be underestimated. Were specific assignments made to
start this analysis? If so, I am more than willing to assist. I'm also a
bit confused about why 100% is not the goal. I have heard that a couple of
times now. In the X% of cases where VALIDATION of ACCURACY is not possible,
do presume innocence or guilt?
Tim
-------- Original Message --------
Subject: RE: [nc-impwhois] Melbourne IT WHOIS implementation comments
From: Steve Metalitz <metalitz@iipa.com>
Date: Thu, January 16, 2003 3:58 pm
To: "'Bruce Tonkin'" <Bruce.Tonkin@melbourneit.com.au>, nc-impwhois@dnso.org
Bruce,
Following up on our discussion on today's call, I think the proposal
you have made on the contact/correction process is a very positive
contribution. I would suggest the following changes.
(1) Steps (a) and (b) could be combined -- the e-mail sent to the
registrant's contact points could include the challenged Whois entries
which the registrant is asked to review and change/correct/confirm.
(2) I am not clear about the circumstances in which a registrar would
not use e-mail as the first means of contact. In any event, the
contractual period is currently 15 days so perhaps the implementation
proposals should be restricted to that, without prejudice to a
possible future change in the time period if the data and experience
justify it.
(3) The use of a commercially reasonable verification/validation
utility (whether in-house to the registrar or supplied by a third
party) that meets specified (to be developed) criteria sounds right to
me. My only
recommendations are that (1) the utility should be employed beginning
with the response given by the registrant to the complaint, rather
than waiting another cycle until the complainant challenges the
revised/"corrected" data (cf. the OECD "Nic-God" experience), and (2)
the cost of using the facility should not be imposed on the
complaining party. I welcome the input of others about quantifying
what the cost for a commercially reasonable (i.e., not 100%
comprehensive) facility might be.
(4) Certainly there would be problems if there are a lot of frivolous
or malicious complaints. I don't think that has proven to be a
problem so far (based on Dan Halloran's presentation after he had
reviewed every complaint that had been submitted to the Internic site
up to the time of the Shanghai meeting). However, to at least
forestall this possibility, a registrar should have the flexibility to
reject a complaint that does not set forth any basis for believing
that the Whois data is false. (In a similar vein, of course, the
registrar also needs the flexibility to act more decisively in a case
in which the Whois data is obviously false.)
I hope this serves to clarify my comments at the end of our conference
call and provides some useful input to the report that I understand
you are drafting.
Thanks for your efforts on this important topic.
Steve Metalitz
-----Original Message-----
From: Bruce Tonkin [mailto:Bruce.Tonkin@melbourneit.com.au]
Sent: Thursday, January 16, 2003 3:16 AM
To: nc-impwhois@dnso.org
Subject: [nc-impwhois] Melbourne IT WHOIS implementation comments
Hello All,
Here are some Melbourne IT comments on implementation of the WHOIS
recommendations.
ACCURACY
(1) Transfers Task Force Recommendation (WHOIS update at renewal)
"Registrars must require Registrants to review and validate all WHOIS
data upon renewal of a registration. (effectively an extension of RAA
clause 3.7.7.1 above) The specifics of required validation remain to
be determined by this Task Force or another appropriate body."
This is implementable IF:
- the registrar presents the WHOIS data to the registrant at time of
renewal (via website, fax, or postal message) = REVIEW
- the registrant is required to confirm that the data is still
current, or update the information, and warrant that the information
is still correct = VALIDATE
It is not feasible for the Registrar to validate the data (e.g make
phone calls to registrant, ring post office to confirm address exists
etc). A registrar may optionally use various heuristic techniques to
do some data validation (e.g check that a USA city exists within a
particular USA state) - but such techniques are not applicable
uniformly across the globe. In general it is in the registrar's best
interests to get accurate data as it increases the chance of a
successful renewal - so there are commercial incentives here for
clever registrars.
I suggest rewording to:
"Upon renewal of a domain name, a registrar must present to the
Registrant the current WHOIS information, and remind the registrant
that provision of false WHOIS information can be grounds for
cancellation of their domain name registration. Registrants must
review their WHOIS data, make any
corrections, and warrant that the data is correct to the Registrar."
(2) Transfers Task Force recommendation (Redemption Grace Period
issue) "When registrations are deleted on the basis of submission of
false contact data or non-response to registrar inquiries, the
redemption grace period -- once implemented -- should be applied.
However, the redeemed domain name should not be included in the zone
file until accurate and verified contact information is available. The
details of this procedure are under
investigation in the Names Council's deletes task force."
The principle is OK.
The wording of "accurate and verified" needs to be updated in the
context of the recommendation that relates to correction of data
following a complaint. See below:
(3) Transfers Task Force recommendation (Data correction following a
complaint)
"When registrars send inquiries to registrants regarding the accuracy
of data under clause 3.7.8 of the RRA, they should require not only
that registrants respond to inquiries within 15 days but that the
response be accompanied by documentary proof of the accuracy of the
"corrected" data submitted, and that a response lacking such
documentation may be treated as a failure to respond."
This recommendation is not implementable in its current form.
Implementation of this will depend on the business model of the
individual registrar and the level of service/price paid for the
domain name. For example a registrar that charges $6 for a domain
name, would likely only send an email message to the registrant to
update the information. A registrar that charges $1000 for a domain
name to a large corporate client would likely use every means possible
to contact the registrant (phone call, send letter, send a staff
member to visit in person etc).
The 15 day period also relates to the implementation. It should be
extended to 30 days if the registrar chooses to use postal mail to
communicate with the registrant.
In terms of requiring documentary proof - other than just storing the
documentary proof - registrars are not authentication agencies (they
collect information and store it in a registry) - they do not have
skilled staff capable of detecting whether a document is real or a
forgery, nor could they be expected to have staff with knowledge of
all types of documents across all countries.
The recommendation needs to identify a cost effective minimum
implementation.
There are two components:
- contact of the registrant
- correction of information
Contacting the registrant is a common problem for registrars at the
time of renewal, and various methods are used. Most registrars use a
final step of placing the name in REGISTRAR HOLD status (the name is
locked and removed from the zonefile).
I will suggest the minimum implementation:
IN RESPONSE TO A COMPLAINT ABOUT WHOIS DATA
First phase:
CONTACT phase
- registrar sends an email to all contact points available in the
WHOIS (e.g registrant, admin, technical and billing) to request the
information be corrected
- if no response is received after 15 days the name should be placed
in REGISTRAR-HOLD status (or equivalent)
- the registrar can continue to try to contact the registrant using
various other means, but normally the registrant of an active name
will contact the registrar themselves
- the name would remain in REGISTRAR-HOLD status until the contact
information is updated, or the name is deleted from the registry for
lack of renewal
- this protects the registrant from any attempts at domain name
hijacking, and also protects the community from any unsatisfactory
practices resulting from the use of the domain name for a website or
email
CORRECTION phase
- registrar must present to the Registrant the current WHOIS
information, and remind the registrant that provision of false WHOIS
information can be grounds for cancellation of their domain name
registration. Registrants must review their WHOIS data, make any
corrections, and warrant that the data is correct to the Registrar.
- if within 60 days of updating the information, an independent
authenticating party provides confirmation (a list of accredited
authenticating parties to be defined, and a mechanism for them to
securely communicate with registrars electronically) that the contact
information is still incorrect - then the name will be placed on
REGISTRAR-HOLD (or equivalent) until that authenticating party
certifies that the information is correct. The cost of the
authenticating party would be borne by the complainant. This clearly
separates the registrar role of data collection and not
authentication.
- ICANN will need to accredit authentication parties in the same way
that UDRP providers are accredited.
- The data accuracy complainant will need to pay the costs of the
authenticating party verifying that the contact information is
incorrect.
- The Registrant will need to pay the costs of an
authenticating party to verify the corrected information. Could be a
different authenticating party to the one used by the data accuracy
complainant.
- a Registrar will be entitled to charge for the costs of updating
WHOIS information via an accredited authentication agency (as there are
likely to be manual processes involved).
Thus I suggest the following rewording of this recommendation:
"(a) Upon receiving a complaint about WHOIS accuracy, a registrar must
at a minimum send an email to all contact points available in the
WHOIS (including registrant, admin, technical and billing) requesting
the WHOIS contact information be updated. If no response is received
after 15 days a Registrar must place a name in REGISTRAR-HOLD (or
equivalent) status, until the registrant has updated the WHOIS
information. If a registrar uses postal means to communicate with
the registrant, then the 15 days is extended to 30 days before the
name is placed in REGISTRAR-HOLD status.
(b) Once contact is established, the registrar must present to the
Registrant the current WHOIS information, and remind the registrant
that provision of false WHOIS information can be grounds for
cancellation of their domain name registration. Registrants must
review their WHOIS data, make any corrections, and warrant that the
data is correct to the Registrar.
(c) If within 60 days of the contact information being updated, an
accredited authentication agency informs the Registrar that the data
is incorrect, then the name will be placed in REGISTRAR-HOLD status
until the registrant provides contact information that has been
verified by an accredited authentication agency."
BULK ACCESS
Melbourne IT supports the recommendation. Some further clarification
of the definition of
"marketing activities" would be useful.
Regards,
Bruce Tonkin