[nc-whois] Re: [nc-impwhois] Melbourne IT WHOIS implementation comments

[Ken Stubbs <kstubbs@digitel.net>]

fyi...

take a look at the whois for microsoft.com

your example is not too far from reality
1. incorrect address
2. no contact name for snail mail l

if an email went unanswered a very embarassing situation could be created
here if the 15 day guideline was strictly adhered to...


----- Original Message -----
From: "Tim Ruiz" <tim@godaddy.com>
To: <Bruce.Tonkin@melbourneit.com.au>
Cc: <nc-impwhois@dnso.org>
Sent: Thursday, January 16, 2003 7:35 AM
Subject: Re: [nc-impwhois] Melbourne IT WHOIS implementation comments


> Bruce,
>
> ACCURACY
> I agree with your suggestions regarding 1 and 2. And excellent suggestion
> regarding 3.
>
> I would also suggest that further definition of a valid "complaint about
> WHOIS accuracy" is needed. I'm concerned about frivolous submission of
> complaints that could quickly overwhelm a registrar's current resources to
> deal with them in a timely manner. Some complaints we receive are simply
> based on the fact that the complainant received no response to their
> attempts to email someone.
>
> For example, someone could submit a complaint about the accuracy of the
> WHOIS data of Microsoft.com. If the sponsoring registrar's employees
> dealing with these complaints use the email method, then if someone at
> Microsoft does not respond within 15 days the domain could potentially be
> put on hold. I cringe at the thought of the potential litigation that
would
> ensue as a result.
>
> That is an extreme example, but very possible. Large organizations with
> floods of communication to deal with on a daily basis may not be
> immediately responsive to emails or postal communications. Large
registrars
> who face floods of WHOIS accuracy complaints will certainly handle it
> through a production line like process and may not always catch
potentially
> high profile complaints.
>
> I suggest that any complaint about WHOIS accuracy be accompanied by
> documentary proof of the inaccuracy, such as from one of the accredited
> authentication agencies. If a complaint is received without documentary
> proof, then the process in 3 would be optional.
>
> Tim
>
>  -------- Original Message --------
>    Subject: [nc-impwhois] Melbourne IT WHOIS implementation comments
>    From: "Bruce Tonkin" <Bruce.Tonkin@melbourneit.com.au>
>    Date: Thu, January 16, 2003 1:15 am
>    To: <nc-impwhois@dnso.org>
>
>    Hello All,
>
>    Here are some Melbourne IT comments on implementation of the WHOIS
>    recommendations.
>
>    ACCURACY
>
>    (1) Transfers Task Force Recommendation (WHOIS update at renewal)
>    "Registrars must require Registrants to review and validate all WHOIS
>    data upon renewal of a registration. (effectively an extension of RAA
>    clause 3.7.7.1 above) The specifics of required validation remain to
>    be determined by this Task Force or another appropriate body."
>
>    This is implementable IF:
>    - the registrar presents the WHOIS data to the registrant at time of
>    renewal (via website, fax, or postal message) = REVIEW - the
>    registrant is required to confirm that the data is still current, or
>    update the information, and warrant that the information is still
>    correct = VALIDATE
>
>    It is not feasible for the Registrar to validate the data (e.g make
>    phone calls to registrant, ring post office to confirm address exists
>    etc).  A registrar may optionally use various heuristic techniques to
>    do some data validation (e.g check that a USA city existing within a
>    particular USA state) - but such techniques are not applicable
>    uniformly across the globe.  In general it is in the registrars best
>    interests to get accurate data as it increases the chance of a
>    successful renewal - so there are commercial incentives here for
>    clever registrars.
>
>    I suggest rewording to:
>    "Upon renewal of a domain name, a registrar must present to the
>    Registrant the current WHOIS information, and remind the registrant
>    that provision of false WHOIS information can be grounds for
>    cancellation of their domain name registration.  Registrants must
>    review their WHOIS data, make any corrections, and warrant that the
>    data is correct to the Registrar."
>
>
>    (2) Transfers Task Force recommendation (Redemption Grace Period
>    issue) "When registrations are deleted on the basis of submission of
>    false contact data or non-response to registrar inquiries, the
>    redemption grace period -- once implemented -- should be applied.
>    However, the redeemed domain name should not be included in the zone
>    file until accurate and verified contact information is available. The
>    details of this procedure are under investigation in the Names
>    Council's deletes task force."
>
>    The principle is OK.
>    The wording of "accurate and verified" needs to be updated in the
>    context of the recommendation that relates to correction of data
>    following a complaint.  See below:
>
>
>    (3) Transfers Task Force recommendation (Data correction following a
>    complaint) "When registrars send inquiries to registrants regarding
>    the accuracy of data under clause 3.7.8 of the RRA, they should
>    require not only that registrants respond to inquiries within 15 days
>    but that the response be accompanied by documentary proof of the
>    accuracy of the "corrected" data submitted, and that a response
>    lacking such documentation may be treated as a failure to respond."
>
>    This recommendation is not implementable in its current form.
>
>    Implementation of this will depend on the business model of the
>    individual registrar and the level of service/price paid for the
>    domain name.  For example a registrar that charges $6 for a domain
>    name, would likely only send an email message to the registrant to
>    update the information.  A registrar that charges $1000 for a domain
>    name to a large corporate client would likely use every means possible
>    to contact the registrant (phone call, send letter, send a staff
>    member to visit in person etc).
>
>    The 15 day period also relates to the implementation.  It should be
>    extended to 30 days if the registrar chooses to use postal mail to
>    communicate with the registrant.
>
>    In terms of requiring documentary proof - other than just storing the
>    documentary proof - registrars are not authentication agencies (they
>    collect information and store it in a registry) - they do not have
>    skilled staff capable of detecting whether a document is real or a
>    forgery, nor could they be expected to have staff with knowledge of
>    all types of documents across all countries.
>
>    The recommendation needs to identify a cost effective minimum
>    implementation.
>
>    There are two components:
>    - contact of the registrant
>    - correction of information
>
>    Contacting the registrant is a common problem for registrars at the
>    time of renewal, and various methods are used.  Most registrars use a
>    final step of placing the name in REGISTRAR HOLD status (the name is
>    locked and removed from the zonefile).
>
>    I will suggest the minimum implementation:
>
>    IN RESPONSE TO A COMPLAINT ABOUT WHOIS DATA
>
>    First phase:
>    CONTACT phase
>    - registrar sends an email to all contact points available in the
>    WHOIS (e.g registrant, admin, technical and billing) to request the
>    information be corrected - if no response is received after 15 days
>    the name should be placed in REGISTRAR-HOLD status (or equivalent) -
>    the registrar can continue to try to contact the registrant using
>    various other means, but normally the registrant of an active name
>    will contact the registrar themselves - the name would remain in
>    REGISTRAR-HOLD status until the contact information is updated, or the
>    name is deleted from the registry for lack of renewal - this protects
>    the registrant from any attempts at domain name hijacking, and also
>    protects the community from any unsatisfactory practices resulting
>    from the use of the domainname for a website or email
>
>    CORRECTION phase
>    - registrar must present to the Registrant the current WHOIS
>    information, and remind the registrant that provision of false WHOIS
>    information can be grounds for cancellation of their domain name
>    registration.  Registrants must review their WHOIS data, make any
>    corrections, and warrant that the data is correct to the Registrar. -
>    if within 60 days of updating the information, an independent
>    authenticating party provides confirmation (a list of accredited
>    authenticating parties to be defined, and a mechanism for them to
>    securely communicate with registrars electronically) that the contact
>    information is still incorrect - then the name will be placed on
>    REGISTRAR-HOLD (or equivalent) until that authenticating party
>    certifies that the information is correct.  The cost of the
>    authenticating party would be borne by the complainant.  This clearly
>    separates the registrar role of data collection and not
>    authentication. - ICANN will need to accredit authentication parties
>    in the same way that UDRP providers are accredited.   - The data
>    accuracy complainant will need to pay the costs of the authenticating
>    party verifying that the contact information is incorrect.   - The
>    Registrant will need to pay the costs of an authenticating party to
>    verify the corrected information.  Could be a different authenticating
>    party to the one used by the data accuracy complainant. - a Registrar
>    will be entitled to charge for the costs of updating WHOIS information
>    via an accredited authentication agency (as their is likely to be
>    manual processes involved).
>
>
>    Thus I suggest the following rewording of this recommendation:
>
>    "(a) Upon receiving a complaint about WHOIS accuracy, a registrar must
>    at a minimum send an email to all contact points available in the
>    WHOIS (including registrant, admin, technical and billing) requesting
>    the WHOIS contact information be updated.  If no response is received
>    after 15 days a Registrar must place a name in REGISTRAR-HOLD (or
>    equivalent) status, until the registrant has updated the WHOIS
>    information.   If a registrar uses postal means to communicate with
>    the registrant, then the 15 days is extended to 30 days before the
>    name is placed in REGISTRAR-HOLD status.
>
>    (b) Once contact is established, the registrar must present to the
>    Registrant the current WHOIS information, and remind the registrant
>    that provision of false WHOIS information can be grounds for
>    cancellation of their domain name registration.  Registrants must
>    review their WHOIS data, make any corrections, and warrant that the
>    data is correct to the Registrar.
>
>    (c) If within 60 days of the contact information being updated, an
>    accredited authentication agency informs the Registrar that the data
>    is incorrect, then the name will be placed in REGISTRAR-HOLD status
>    until the registrant provides contact information that has been
>    verified by an accredited authentication agency.
>
>
>    BULK ACCESS
>    Melbourne IT supports the recommendation.  Some further clarification
>    of the definition of "marketing activities" would be useful.
>
>    Regards,
>    Bruce Tonkin
>
>
>
>
>