Information about http://gnso.icann.org/issues/whois/whois-study-hypothesis-group-report-to-council-26aug08.pdf

WHOIS Study Group Report to the GNSO Council 26 August 2008 …

Tags: 16 april, 26 august, 26 june, council vice chair, feasibility, gac, generic names, gomes, group volunteers, gtld, hypothesis, icann, jordi, ken stubbs, public comment, study group report, study hypotheses, study recommendations, time frames, whois,
Pages: 11
Language: english
Created: Tue Aug 26 16:48:27 2008
WHOIS Study Group Report to the GNSO Council         26 August 2008




   ICANN Generic Names Supporting Organisation


    WHOIS Study Hypotheses Group Report to the
                 GNSO Council




      Prepared by the WHOIS Study Hypothesis Group

                                    26 August 2008








    WHOIS Study Hypotheses Group Report to the
                 GNSO Council



  1.  OVERVIEW AND BACKGROUND
  2.  WHOIS STUDY HYPOTHESES TABLE








   1. Overview and background

On 26 June 2008, the GNSO Council voted to convene a Whois study hypothesis
group. The group was charged with reviewing the study recommendations offered
through the previous public comment period and the studies requested by the GAC
in its letter of 16 April 2008, and, based on those recommendations and that request,
preparing a concise list of hypotheses. The group was asked to deliver a report
containing the above with any supporting rationale to the Council.
The Council will then decide whether any potential studies should be further
considered, and if so, determine cost, feasibility, potential methodology, and
estimated time frames for testing. The text of the resolution can be found at:
http://gnso.icann.org/resolutions/#200806.

Following is the result of the work of that Whois hypotheses study group. Volunteers
for the Whois study hypotheses group are listed in the table below; key participants
are marked with an asterisk (*).

Chuck Gomes*                  GNSO Council vice chair and chair of group
Jordi Iparraguirre            gTLD Registry C
Ken Stubbs                    gTLD Registry C
David Maher*                  gTLD Registry C
Adam Palmer                   PIR
Steve Metalitz*               IPC
Lee Eulgen*                   IPC
Steve DelBianco*              CBUC
Tony Harris*                  ISPC
Tim Ruiz*                     Registrar C
Paul Stahura                  Registrar C
James Bladel*                 Registrar C
Stéphane Van Gelder           Registrar C
Eric Brunner-Williams*        Registrar C
Olga Cavalli*                 NomCom appointee to GNSO Council
Avri Doria                    GNSO chair
Bertrand de la Chapelle       GAC
Danny Younger
Beau Brendler
Wendy Seltzer                 ALAC Liaison on the ICANN Board
Alan Greenberg*               ALAC Liaison on the GNSO Council
Liz Gasster*                  staff
Patrick Jones                 staff
Glen de Saint Géry*           GNSO Secretariat








   2. Whois Study Hypotheses Table


Hypotheses for Whois Studies as developed by the Whois Study Hypotheses
WG

Notes regarding the hypotheses:

Note (1): throughout this document the term "registrant" or "registrant data" refers to
what is sometimes called the "beneficial user" or customer of a proxy/privacy
service. In that regard, note the following from the Registrar Accreditation Agreement
(RAA) 3.7.7.3: "Any Registered Name Holder that intends to license use of a domain
name to a third party is nonetheless the Registered Name Holder of record and is
responsible for providing its own full contact information and for providing and
updating accurate technical and administrative contact information adequate to
facilitate timely resolution of any problems that arise in connection with the
Registered Name. A Registered Name Holder licensing use of a Registered Name
according to this provision shall accept liability for harm caused by wrongful use of
the Registered Name, unless it promptly discloses the identity of the licensee to a
party providing the Registered Name Holder reasonable evidence of actionable
harm." See http://www.icann.org/registrars/ra-agreement-17may01.htm.

Note (2): The Hypotheses Table below is intended to categorize, consolidate, and
add relevant detail to the hypotheses originally submitted. In some cases, as with the
GAC recommendations, the hypotheses needed to be inferred from the information
submitted. As Council considers which of these studies should be pursued, it will be
helpful to refer to the original study submissions (posted at
http://forum.icann.org/lists/whois-comments-2008/ ). These original submissions
include statements of how study results could lead to an improvement in WHOIS
policy. Many submitters also described the type of survey/study needed, including
data elements, data sources, population to be surveyed, and sample size. These
original submissions should be used by council and its consultants in designing
studies and deciding which are worthwhile to pursue. The GAC suggestions can be
found at: http://www.icann.org/correspondence/karlins-to-thrush-16apr08.pdf.

Note (3): Further work regarding some of the proposed studies should include
consultation with ICANN contract compliance staff to minimize overlap or duplication
with their work.

Note (4): The GAC has suggested that we collect two data sets, as follows:

    ·   the amount and source of traffic accessing WHOIS servers and the types and
        numbers of different groups of users and what those users are using WHOIS
        data for; and
    ·   the types and extent of misuses of WHOIS data and what harm is caused by
        each type of misuse, including economic, use of WHOIS data in SPAM
        generation, abuse of personal data, loss of reputation or identity theft, security
        costs and loss of data.

Note (5): In cases where the original hypothesis offered by a submitter was modified
by the group, effort was made to contact the submitter for input and feedback, and to
incorporate their views where possible. The Whois study group also provided the
GAC with draft hypotheses for the proposals they recommended, but given the
abbreviated time frame and the fact that the GAC does not meet on an intersessional
basis, no substantive response was received by the deadline for this report.



Study           Hypotheses

Area 1          WHOIS misuse studies

                The hypotheses in Area 1 generally regard "public access to Whois",
                but there are distinct aspects of public access that should be measured
                separately in any studies designed:
                1) some registrars prevent automated email harvesting by allowing
                public web-based access to Whois registrant data only after the user
                deciphers a "captcha" image.
                2) registrants who use proxy registration or other privacy services
                should be measured separately from those registrants whose actual
                information is open for public access.

1               Public access to WHOIS data is responsible for a material number of
                cases of misuse that have caused harm to natural persons whose
                registrations do not have a commercial purpose.
                http://forum.icann.org/lists/whois-comments-2008/msg00001.html

                Note: In any analysis of misuse, it is critical to determine whether the
                data was, or could easily have been obtained from a source other than
                Whois.

14              The Whois database is used only to a minor extent to generate spam
                and other such illegal or undesirable activities.
                http://forum.icann.org/lists/whois-comments-2008/msg00017.html

                Note: The methods employed by previous studies of Whois and the
                results of those studies should be considered when designing
                subsequent studies in this area. For example, ICANN's Security and
                Stability Advisory Committee (SSAC) has already studied email spam
                arising from Whois data, including an analysis of data protection
                measures used by ICANN-accredited registrars. See "Is the WHOIS
                service a source for email addresses for spammers?" at
                http://gnso.icann.org/correspondence/ssac-whois-study-27oct07.pdf.
                Other studies of Whois misuse can be found at:
                http://gnso.icann.org/drafts/whois-available-data-points-04oct07.pdf.

15              Those using Whois data to facilitate illegal or undesirable activities
                (such as spam) depend on port 43 access to Whois to obtain Whois
                data. http://forum.icann.org/lists/whois-comments-2008/msg00018.html

21 & GAC        There are significant abuses caused by public display of Whois.
data set 2      Significant abuses would include use of WHOIS data in spam
                generation, abuse of personal data, loss of reputation or identity theft,
                security costs and loss of data (note - definition is from GAC
                recommendation 2).
                http://forum.icann.org/lists/whois-comments-2008/msg00026.html

                Note: As an example of such abuses, the original submitter noted that
                public Whois databases are being used and mined regularly by direct
                mail and related companies for their commercial benefit to compile
                personal data which they then use, combine, sell and distribute as part
                of massive lists and databases.

GAC 3           There are technical measures available that would effectively curtail
                misuse of data published on WHOIS databases while preserving
                legitimate use and open access to the databases.

Area 2          Compliance with data protection laws and the Registrar
                Accreditation Agreement

                NOTE: GAC #s 12, 13 and 14 are all interdependent and their
                hypotheses are also interdependent.

16              Two hypotheses:
                1. Registrars do not have a uniform method of disclosing or obtaining
                consent for collection of data for WHOIS purposes.
                2. The methods employed by registrars to disclose and obtain consent
                have not been adjudicated with regard to their consistency with
                national law.
                http://forum.icann.org/lists/whois-comments-2008/msg00019.html

                Note: Because there may be significant variations in consent in
                different jurisdictions, the analysis should be segmented by common
                legal consent regimes.

22              (a) More restrictive Whois policies than the general ICANN Whois
                requirements have been adopted by some of the 30 top ccTLDs.

                (b) ccTLD operators report that Whois policies have been adopted in
                order to become compliant with the data protection laws of the territory.

                (c) ccTLDs are moving towards more restrictive WHOIS policies
                motivated by national data protection laws.
                http://forum.icann.org/lists/whois-comments-2008/msg00024.html

23              Some national data protection laws explicitly apply, or have been
                adjudicated to apply, to information submitted by gTLD registrants and
                made available via Whois.
                http://forum.icann.org/lists/whois-comments-2008/msg00025.html

GAC 12, GAC 13, GAC 12 - As reported by gTLD registries or registrars, as reflected in
GAC 14 & GAC 15 their contractual documents, or as adjudicated in relevant fora, the
                WHOIS contractual obligations of gTLD registries and registrars are
                governed by:

                    ·   the laws of their local jurisdiction, or
                    ·   the laws of the jurisdictions of their Registrants, or
                    ·   the laws of ICANN (California, U.S.), or
                    ·   some other jurisdiction.

                GAC 13 - Those gTLD registries or registrars that are governed by a
                local jurisdiction provide a contractual mechanism (or have had a
                mechanism imposed upon them by law or binding decision) to resolve
                any conflicts between the law applicable to their WHOIS requirements
                and the law of any other jurisdiction.

                GAC 14 - Incorporated into GAC 12.

                GAC 15 - Out of scope for proposed studies of "key factual issues"

24              Some Registrars are not obtaining agreement to terms required under
                section 3.7.7 of the RAA.
                http://forum.icann.org/lists/whois-comments-2008/msg00013.html

Area 3          Availability of privacy services

2               The cost of proxy services precludes some registrants from using
                them. http://forum.icann.org/lists/whois-comments-2008/msg00002.html

5               Whois at present allows resellers and registrars to offer privacy
                services to differentiate themselves on value.
                http://forum.icann.org/lists/whois-comments-2008/msg00005.html

GAC 7           A growing share of registrants is protecting the privacy of their Whois
                data by using proxy registrations and/or privacy services.

GAC 8           A growing share of registrars and affiliates are offering proxy
                registration and/or privacy services.

Area 4          Demand and motivation for use of privacy services

17              The majority of domain names registered by proxy/privacy services are
                used for abusive and/or illegal purposes.
                http://forum.icann.org/lists/whois-comments-2008/msg00020.html

18, 19, GAC 9   18 - The majority of domain names registered by proxy/privacy
& GAC 10        services are used for commercial purposes and not for use by natural
                persons. http://forum.icann.org/lists/whois-comments-2008/msg00021.html

                19 - A disproportionate share of requests to reveal the identity of
                registrants who use proxy services is directed toward registrations
                made by natural persons.
                http://forum.icann.org/lists/whois-comments-2008/msg00022.html

                GAC 9 - A growing and significant share of proxy/privacy service users
                are legal persons.

                GAC 10 - A growing and significant share of domains that are
                registered using proxy/privacy services are used for commercial
                purposes.

Area 5          Impact of WHOIS data protection on crime and abuse

6               There is a statistically significant correlation between more restrictive
                ccTLD Whois policies and levels of cybercrime in a domain.
                http://forum.icann.org/lists/whois-comments-2008/msg00006.html

GAC 1           The legitimate use of gTLD WHOIS data is curtailed or prevented by
                the use of proxy and privacy registration services.

13 & GAC 11     13. http://forum.icann.org/lists/whois-comments-2008/msg00016.html
                a) The number of proxy registrations is increasing when compared with
                the total number of registrations.
                b) Proxy and private WHOIS records complicate the investigation and
                disabling of phishing sites, sites that host malware, and other sites
                perpetrating electronic crime as compared with non-proxy registrations
                and non-private registrations.
                c) Domain names registered using proxy or privacy services are
                disproportionately associated with phishing, malware, and other
                electronic crime as compared with non-proxy registrations or
                non-private registrations.

                d) (GAC 11) Domain names registered using proxy or privacy services
                are disproportionately associated with fraud and other illegal activities
                as compared with non-proxy registrations.

GAC 2           Restrictions on some or all of the legitimate uses of WHOIS have a
                negative economic impact.

Area 6          Proxy registrar compliance with law enforcement and dispute
                resolution requests

3               Some registrars are not revealing registrant data that is shielded by
                proxy services when presented with requests that provide reasonable
                evidence of actionable harm, as required under RAA 3.7.7.3.
                http://forum.icann.org/lists/whois-comments-2008/msg00003.html

Metalitz        a. Some registrars operating proxy/privacy services are not revealing
Comment         registrant data when requested in a UDRP proceeding.
                b. A party's use of a proxy/privacy registration service reduces the
                party's ability to respond to a UDRP proceeding.
                http://forum.icann.org/lists/whois-comments-2008/msg00012.html

20              a. Some proxy and privacy services do not promptly and reliably relay
                information requests to and from actual registrants.
                b. Some proxy and privacy services are failing to adhere to RAA
                3.7.7.3 - Suggest that this be consolidated with study suggestion #3.
                http://forum.icann.org/lists/whois-comments-2008/msg00023.html

12              Registrants would be less likely to falsify their Whois data if the
                sensitive information of private persons can be secured while giving
                law enforcement access.
                http://forum.icann.org/lists/whois-comments-2008/msg00015.html

Area 7          WHOIS data accuracy

8               Some Registrars knowingly tolerate inaccurate or falsified Whois data
                so as to attract and retain registrations by spammers and other bad
                actors, and do not face deterrent consequences for doing so.
                http://forum.icann.org/lists/whois-comments-2008/msg00008.html

11              The use of non-ASCII character sets in Whois records will detract from
                data accuracy and readability.

                Note: The hypothesis should be considered in light of the fact that this
                is a proposed technical analysis and not a study. The original
                submission for this item suggests a technical analysis in lieu of a
                survey or statistical study. That is, a technical analysis of how the use
                of non-ASCII characters in Whois data elements might increase risks
                of inaccurate data, particularly through use of client-side software that
                fails to properly check the syntax of fields that contain both ASCII and
                non-ASCII strings. This analysis should examine and recommend
                methods for web display and Port 43 retrieval of non-ASCII Whois
                data, such that those accessing Whois can effectively read, recognize,
                and reliably use the information to reach registrant contacts and name
                server resources.
                http://forum.icann.org/lists/whois-comments-2008/msg00014.html

GAC 4           A significant number of Registrars do not apply effective methods to
                detect fraudulent domain name registrations, and do not take adequate
                corrective measures when fraudulent information is detected.

GAC 5           A significant percentage of registrants who are legal entities are
                providing inaccurate Whois data that implies they are natural persons.
                Furthermore the percentage of registrants with such inaccuracies will
                vary significantly depending upon the nation or continent of
                registration. (These hypotheses could be combined with GAC 6.)

GAC 6           A significant percentage of registrants who are operating domains with
                a commercial purpose are providing inaccurate Whois data that implies
                they are acting without commercial purposes. Furthermore the
                percentage of registrants with such inaccuracies will vary significantly
                depending upon the nation or continent of registration. (These
                hypotheses could be combined with GAC 5.)