[alac] Draft statement on Whois TF3
This is my first try on a position statement for Whois TF3, which we
actually were to submit by March 19th (but don't worry, everybody is
late). I just drafted it and didn't even have time to re-read it, so
please point out all stupid statements.
=====
This statement reflects the views of the At Large Advisory Committee on
the matters that are subject to the work of GNSO's Whois Task Force 3.
First of all, we express our appreciation for the difficult work that the
Task Force has been doing.
We think that, to be able to solve a problem, you should first investigate
the reasons why it happens. In this case, you could roughly divide the
registrants whose data are inaccurate into four categories:
1. Those who purposely provide inaccurate data for fraudulent reasons.
2. Those who purposely provide inaccurate data to protect their privacy.
3. Those who mistakenly provide inaccurate data.
4. Those who provide accurate data at registration, but then fail to keep
them up to date so that the information becomes inaccurate.
Until now, the general discussion on accuracy has been almost completely
focused on the first category – and we think this is an error. The purpose
of the Whois system is not to provide bullet-proof identification for
those who register domains and operate services on top of them, but rather
to provide quick contact information for those domain holders who want to
be contacted. Turning the Whois system into a certified directory of
domain name owners would go beyond its purpose and, as practice shows, is
practically incompatible with its spirit and architecture.
Also, at the present state of technology and of operational practices,
costs of very secure authentication of world-wide registrants for all
domain name registrations would be high and would possibly destroy the
domain name market as we know it today. We think it might be more
cost-effective (and also more respectful of basic civil rights of people)
to seek after fraudulent registrants once they actually commit a fraud,
rather than to presume that all registrants are to commit frauds and so
should be carefully screened in advance.
Finally, we point out that there is no verification system, other than
requiring a person to physically show up and exhibit a secure proof of
identity such as a passport or national ID document, that could tell
between true personal data and plausible, but fake, personal data. If
going down the path of imposing stricter and stricter checks on data as
they are submitted by the registrant during the registration process,
after spending lots of time and lots of money on them, we might actually
discover that no benefit has arisen in terms of fraud prevention, but that
the stricter checks have caused a huge increase in crimes like identity
theft, which by the way are made easier by the very existence of the
public and anonymously accessible Whois system.
That said, we think that an increased accuracy in the Whois database, if
limited to those registrants who actually agree to provide their data,
would be highly desirable. This is why we think that future activities in
the field of enhanced accuracy should not focus on the first category of
the above list, but rather on the other three.
We will not discuss here the issue of privacy protection, which is the
subject of another task force; we just stress that the overwhelming
majority of those who purposely provide inaccurate data does so for
privacy protection reasons, rather than for fraudulent intentions. Just
allowing these people not to disclose their data to the public, but just
to the registrar, would actually avoid most cases of wilful inaccuracy.
The third category is, according to our experience, somewhat small – also
because this kind of error is clerical and can easily be fixed in case
there is actual need to contact the owner. Once the registrant's desire to
publish their data is ascertained, some simple automated verifications
could be made by the registrar's system, to warn the registrant about
possible errors.
However, creating an automatic verification algorithm for all countries
and scripts of the world might prove very difficult and prone to errors
for less common countries; the current practical examples only come from
TLDs and environments with geographically limited registrants. On the
other hand, systems which provide automatic verification only for
residents of some countries could be acceptable only as long as they do
not prevent or make it unreasonably harder for residents of “unverifiable”
countries to register domains. This is why we think that the output of
these automated verification algorithms should only be used as a warning to
the registrant, but should not prevent the registrant from submitting data
that might seem incorrect, as they could possibly be absolutely correct.
We also note that requiring Roman-script information for registrants of
those countries that do not use Roman characters would unduly
discriminate against them in access to gTLDs. All registrants should be asked to
provide their data only in their local language and script, and just as an
option they could be asked whether they want to provide Romanized data as
well. Requiring the ability to type in Roman script to register domains in
global generic TLDs is unacceptable.
Finally, we think that much could be done to improve the situation of the
fourth category – those registrants who would be happy to provide accurate
information, but who fail to keep it up to date. In fact, experience shows
that updating Whois data is a long and difficult process for registrants.
In many cases, the registrant has to send faxes, make phone calls, and
suffer other costs while devoting a significant amount of time; in other
cases, the authentication mechanism used by registries or registrars is
based on the e-mail address (or on a username/password couple which, if
forgotten, will be resent to the current e-mail address), so that a change in
the e-mail address of the registrant will make him/her unable to manage
the information, and will make these domains orphan. If you add this to
the fact that keeping personal data up to date in a public Whois registry
certainly cannot be the first worry of a registrant when he's changing
address, phone number or e-mail address, you realize that this is possibly
the easiest cause of inaccuracy in Whois databases.
Also, in many cases the registrant is only the last link in a long chain
of interactions that starts with a registry, then goes through an
ICANN-accredited registrar, a domain name reseller, a web hosting company,
or even an “Internet-savvy” friend who does the job for the registrant. We
think that this is an unavoidable consequence of the average registrant
turning from a skilled engineer in a small Internet, as it was when Whois
was designed, to a non-technical average person in a mass Internet. It is
very difficult to create the awareness of the existence and purpose of the
Whois database for non-technical persons on a mass scale, and we think
this is another reason why we should never expect the Whois to be a
terribly accurate list of all registrants.
However, for this category the problem possibly lies in the lack of simple
online systems for the registrant to edit his/her data in the database at
no cost. Thus we think that one of the two following solutions should be
tried:
1. Requiring registries to directly deal with registrants' update
requests, by supplying them a virtual certificate or account at
registration, plus offline procedures to recover access if such account is
lost;
2. Changing the architecture of the Whois database from centralized to
distributed.
Since the first option would raise many concerns in terms of business
models, customer ownership, and cost recovery, the second could possibly
be more interesting. After all, the very reason for which the DNS system
was created, replacing the old centralized hosts table, was the
impossibility of keeping this centralized table up to date. We should
simply apply the same principle and move the data at the edge of the
network, by embedding Whois servers into DNS server implementations. Whois
queries could then be sent directly to the authoritative name servers for
the domain, and only if no reply is received, the registry could be used
as a fall-back. This way, registrants would be able to keep their Whois
information up to date as easily as they keep their zone files up to date,
and even if this would not completely solve the problem, it would possibly
cause a dramatic increase in the number of Whois records that are actually
kept updated.
We thus recommend a shift in the focus of accuracy-related discussions, so as
to deal with those types of inaccuracy that can and should actually be
solved, rather than dealing with world-wide verification and law
enforcement systems that are not practically conceivable at the present
social and political state of our planet, and that would anyway have to be
discussed at other political levels.
--
.oOo.oOo.oOo.oOo vb.
Vittorio Bertola - vb [a] bertola.eu.org
http://bertola.eu.org/ <-- Old site, new toblog!
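
The lookup order proposed in the statement above (authoritative name servers first, registry as fall-back), as an added example that is not part of the original message. It assumes the name servers would answer plain RFC 3912 Whois on port 43 and that the caller has already resolved the domain's NS list; `whois_query` and `distributed_whois` are hypothetical names.

```python
import socket

WHOIS_PORT = 43          # RFC 3912
MAX_REPLY = 64 * 1024    # cap on bytes accepted from any server (assumed limit)


def whois_query(host, domain, timeout=3.0):
    """One RFC 3912 exchange: send the name plus CRLF, read until close."""
    chunks, total = [], 0
    with socket.create_connection((host, WHOIS_PORT), timeout=timeout) as s:
        s.sendall(domain.encode("idna") + b"\r\n")
        while total < MAX_REPLY:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
            total += len(data)
    return b"".join(chunks)[:MAX_REPLY].decode("utf-8", errors="replace")


def distributed_whois(domain, nameservers, registry, query=whois_query):
    """Ask each authoritative name server first; use the registry as fall-back.

    `nameservers` is the domain's NS host list, assumed already resolved by
    the caller. The result is tagged with its source because an edge record
    is self-asserted by whoever runs the zone and is not authenticated.
    """
    for ns in nameservers:
        try:
            reply = query(ns, domain)
        except OSError:          # refused, unreachable or timed out
            continue
        if reply.strip():        # an empty answer counts as "no reply"
            return {"source": "nameserver", "server": ns, "record": reply}
    return {"source": "registry", "server": registry,
            "record": query(registry, domain)}
```

A consumer that needs contact data it can rely on should check the `source` tag, since a record served from the edge is only as trustworthy as the zone operator.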