ACCURACY AND INTEGRITY OF
THE WHOIS DATABASE
SUBCOMMITTEE ON COURTS, THE INTERNET,
AND INTELLECTUAL PROPERTY
COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
MAY 22, 2002
Serial No. 70
Printed for the use of the Committee on the Judiciary
Available via the World Wide Web: http://www.house.gov/judiciary
COMMITTEE ON THE JUDICIARY
F. JAMES SENSENBRENNER, JR., WISCONSIN, Chairman
HENRY J. HYDE, Illinois
GEORGE W. GEKAS, Pennsylvania
HOWARD COBLE, North Carolina
LAMAR SMITH, Texas
ELTON GALLEGLY, California
BOB GOODLATTE, Virginia
STEVE CHABOT, Ohio
BOB BARR, Georgia
WILLIAM L. JENKINS, Tennessee
CHRIS CANNON, Utah
LINDSEY O. GRAHAM, South Carolina
SPENCER BACHUS, Alabama
JOHN N. HOSTETTLER, Indiana
MARK GREEN, Wisconsin
RIC KELLER, Florida
DARRELL E. ISSA, California
MELISSA A. HART, Pennsylvania
JEFF FLAKE, Arizona
MIKE PENCE, Indiana
J. RANDY FORBES, Virginia
JOHN CONYERS, Jr., Michigan
BARNEY FRANK, Massachusetts
HOWARD L. BERMAN, California
RICK BOUCHER, Virginia
JERROLD NADLER, New York
ROBERT C. SCOTT, Virginia
MELVIN L. WATT, North Carolina
ZOE LOFGREN, California
SHEILA JACKSON LEE, Texas
MAXINE WATERS, California
MARTIN T. MEEHAN, Massachusetts
WILLIAM D. DELAHUNT, Massachusetts
ROBERT WEXLER, Florida
TAMMY BALDWIN, Wisconsin
ANTHONY D. WEINER, New York
ADAM B. SCHIFF, California
PHILIP G. KIKO, Chief of Staff-General Counsel
PERRY H. APELBAUM, Minority Chief Counsel
Subcommittee on Courts, the Internet, and Intellectual Property
HOWARD COBLE, North Carolina, Chairman
HENRY J. HYDE, Illinois
ELTON GALLEGLY, California
BOB GOODLATTE, Virginia, Vice Chair
WILLIAM L. JENKINS, Tennessee
CHRIS CANNON, Utah
LINDSEY O. GRAHAM, South Carolina
SPENCER BACHUS, Alabama
JOHN N. HOSTETTLER, Indiana
RIC KELLER, Florida
DARRELL E. ISSA, California
MELISSA A. HART, Pennsylvania
HOWARD L. BERMAN, California
JOHN CONYERS, Jr., Michigan
RICK BOUCHER, Virginia
ZOE LOFGREN, California
WILLIAM D. DELAHUNT, Massachusetts
ROBERT WEXLER, Florida
MAXINE WATERS, California
MARTIN T. MEEHAN, Massachusetts
TAMMY BALDWIN, Wisconsin
ANTHONY D. WEINER, New York
BLAINE MERRITT, Chief Counsel
DEBRA ROSE, Counsel
CHRIS J. KATOPIS, Counsel
MELISSA L. MCDONALD, Full Committee Counsel
ALEC FRENCH, Minority Counsel
C O N T E N T S
MAY 22, 2002
The Honorable Howard Coble, a Representative in Congress From the State of North Carolina, and Chairman, Subcommittee on Courts, the Internet, and Intellectual Property
The Honorable Howard Berman, a Representative in Congress From the State of California, and Ranking Member, Subcommittee on Courts, the Internet, and Intellectual Property
The Honorable J. Howard Beales, III, Director, Federal Trade Commission
Mr. Steven J. Metalitz, Vice President and General Counsel, Smith & Metalitz, LLP, on behalf of Copyright Coalition On Domain Names
Mr. Cameron Powell, Vice President and General Counsel, SnapNames
Mr. Michael D. Palage, Esquire
Statements Submitted for the Hearing Record
The Honorable Howard Berman, a Representative in Congress From the State of California, and Ranking Member, Subcommittee on Courts, the Internet, and Intellectual Property
Material Submitted for the Hearing Record
Letter and recent publication from The Berkman Center For Internet & Society
ACCURACY AND INTEGRITY OF
THE WHOIS DATABASE
WEDNESDAY, MAY 22, 2002
House of Representatives,
Subcommittee on Courts, the Internet,
and Intellectual Property,
Committee on the Judiciary,
The Subcommittee met, pursuant to call, at 10:02 a.m., in Room 2141, Rayburn House Office Building, Hon. Howard Coble [Chairman of the Subcommittee] presiding.
Mr. COBLE. Good morning, ladies and gentlemen. The Subcommittee will come to order.
Mr. Berman, I think, is en route. Since you all are here at the designated time we will go ahead and start the wheel turning. I am sure Howard will be here subsequently.
The Whois database refers to a series of information directories providing the identity of a Web site's origin or operator. Regrettably, the Internet all too often is a crime scene and is riddled with bogus domain registration information leaving law enforcement at a loss to protect the public. This is not a novel issue for the Subcommittee. As many of you know, we review this subject each year in light of its importance.
In December, the Ranking Member, Mr. Berman of California, and I undertook an informal oversight investigation. We sent letters to approximately 50 registrars asking some very simple questions about their respective domain name policies to further review the issues involved. The response was disappointing with respect to the quantity of replies but the content as well. It seems that the policies in place at many of the registrars did not seem to adequately address the concerns that we and many others have about fraudulent domain registrations.
In all fairness, as you all know, this is a complicated subject that is quickly evolving. This morning we will hear from a range of experts in their fields to help us understand the many issues pertaining to the accuracy and integrity of the Whois database. This is an issue of great importance to Mr. Berman and me; and, the scheduling permitting, it is my hope that this summer we will be able to schedule additional hearings to review the finer aspects of how developments impact the public. This is a subject we review annually and will continue to scrutinize.
At last year's hearing I explained that I was reluctant to introduce legislation, given the state of the Whois database. However, my disappointment has led me to change my mind on this. Earlier this month, Mr. Berman and I introduced one bill that attempts to improve the quality of the Whois database's information. It is possible that additional legislation may be a necessary remedy to guarantee the public an accurate and reliable Internet and Whois system.
Mr. Berman is on his way. In the interest of time, if you all will permit me to introduce our panel, and then we will recognize Mr. Berman when he arrives.
Our first witness today is the Honorable Howard Beales, who serves as the Director of the Federal Trade Commission--strike that. I assume that the other Members have no opening statements. Didn't mean to ignore you all. Good to have the gentlemen from Virginia and Tennessee as well as the gentleman from Texas sitting in with us.
Mr. Howard Beales, who serves as the Director of the Federal Trade Commission's Bureau of Consumer Protection. Appointed by FTC Chairman Tim Muris in June, 2001, Mr. Beales has experience in both academia and government. His major areas of expertise and interest include law and economics, the economic and legal aspects of marketing and advertising, and other aspects of Government regulation of the economy.
Mr. Beales began his career at the FTC in 1977 as an economist specializing in consumer protection problems. He was named as Assistant to the Director of the Bureau of Consumer Protection, the first economist to hold that position, and later served as the Associate Director for Policy and Evaluation in the Bureau. He developed policy in a number of key areas, including the Commission's Deception and Advertising Policy Statements.
Mr. Beales left the FTC in 1987 for a year-long stint at the Office of Management and Budget. As a branch chief at OMB's Office of Regulatory Affairs, he managed the review of regulations proposed by several Cabinet departments. An Associate Professor of Strategic Management and Public Policy at George Washington University from 1988 until his recent appointment, he has published numerous scholarly articles on advertising and other aspects of consumer protection regulation.
Mr. Beales was born in Nebraska and reared in Mississippi. He graduated magna cum laude and Phi Beta Kappa from Georgetown University. He has a Ph.D. in Economics from the University of Chicago.
Folks, as I have said to you all in previous hearings, sometimes the introductions can be lengthy indeed, but for the benefit of the uninformed who may not know what these witnesses have accomplished in their dossier I think it is important that you all know that.
Howard, why don't I suspend? I have already introduced Mr. Beales. Let me recognize the distinguished gentleman from California for his opening statement. Then I will recognize the remaining panelists.
Mr. BERMAN. Mr. Chairman, I think I will, given my tardiness--I was at the press conference announcing an unrelated piece of legislation, and it went longer. I apologize for being late.
Mr. COBLE. You are not running for the Senate, are you?
Mr. BERMAN. No. That is why I was wondering why I am there.
But, basically, I think what I will do is ask unanimous consent that my statement be made part of the record and allow you to continue.
Then there are issues I do want to raise regarding the problem with false domain name and false contact information that I think are very serious in the context of piracy and infringement, pornography, fraud, consumer protection that make it much more difficult to enforce our laws with this false contact information, but I think I will get into that. The witnesses will speak to it in the questioning.
So thank you, Mr. Chairman.
Mr. COBLE. Without objection.
[The prepared statement of Mr. Berman follows in the Appendix]
Mr. COBLE. I mentioned previously, Mr. Berman, about yours and my bill that we previously introduced.
Our second witness is Mr. Steven J. Metalitz, who is a partner in the Washington, DC, law firm of Smith & Metalitz and specializes in intellectual property, privacy and information law. He is testifying on behalf of the Copyright Coalition on Domain Names. He provides legal counseling and policy advocacy primarily for clients in the publishing, recording, motion picture, software and database industries.
Since November of 2000, Mr. Metalitz has served as President of the Intellectual Property Constituency, known as IPC, of the Domain Name Supporting Organization of ICANN. In this role he is a principal global spokesman for the interests of copyright and trademark owners in the management of the domain name system.
Mr. Metalitz is a member of the District of Columbia and South Carolina bars and currently teaches copyright law at George Washington University here in Washington.
Our third witness is Mr. Cameron Powell, Vice President of Business Development and General Counsel for SnapNames.com. SnapNames is a leading Internet company for a variety of domain and registration services and in addition publishes a well-known report entitled, State of the Domain.
Prior to joining SnapNames, Mr. Powell was employed by two start-up companies. In addition, he has practiced law as an intellectual property lawyer and litigator at Foley & Lardner, the Nation's tenth-largest law firm; as a trial lawyer in the Attorney General's Honor Program at the U.S. Department of Justice; and as a judicial clerk to a chief Federal judge.
Furthermore, Mr. Powell has taught intellectual property at the George Washington University Law Center. He holds a BS in Business Administration, summa cum laude, from the University of Colorado at Boulder and a J.D. from Harvard Law School.
The Subcommittee is also grateful to have Mr. Michael Palage with us. Mr. Palage offers the Subcommittee the benefit of his expertise regarding this subject matter. Currently, he serves as chair of the ICANN Registrar Constituency; and, in addition, he is an intellectual property lawyer and entrepreneur. As the principal of Palage Consulting, he provides technical and business consultation services to small technology and Internet companies. He currently sits on the board of several companies which focus on the domain and registration services.
Prior to this, he was in private practice at the Philadelphia I.P. firm of Seidel, Gonda, Lavorgna & Monaco. In addition to all of his other accomplishments, Mr. Palage was awarded a patent concerning a computerized business method.
He earned a degree in electrical engineering from Drexel University in 1990 and is a 1995 graduate of the Temple University School of Law, both of which are located in the great city of Philadelphia. He is a member of the Pennsylvania and Florida bars.
We have written statements from all of the witnesses on this panel, which I ask unanimous consent to submit into the record in their entirety.
I say to Mr. Berman, when I asked if you were going to be a senatorial candidate, I think you would be a good senator, but I wasn't trying to accelerate your departure from this side.
Good to have you all with us. Good to have those in the audience with us.
We try to adhere to the 5-minute rule here, as you all have been previously informed. When you see the red light illuminate into your eyes, you will know that the 5 minutes have elapsed. So if all can comply with that, we will be appreciative.
Mr. COBLE. Mr. Beales, we will commence with you.
STATEMENT OF THE HONORABLE J. HOWARD BEALES, III, DIRECTOR, FEDERAL TRADE COMMISSION
Mr. BEALES. Thank you, Mr. Chairman. I am pleased to be here today to discuss the importance of accurate domain--
Mr. COBLE. Pull that mike a little closer.
Mr. BEALES. Thank you, Mr. Chairman. I am pleased to be here today to discuss the importance of accurate domain registration information in the Whois database for our consumer protection mission.
At the FTC, fighting Internet fraud is one of our top priorities. Since 1994, the FTC has brought more than 225 Internet-related law enforcement actions against 688 defendants, stopping consumer injury that we have estimated at more than $2.1 billion.
It is hard to overstate the importance of accurate Whois data to our Internet investigations. In all of our investigations against Internet companies one of the first tools FTC investigators use to identify wrongdoers is the Whois database. We cannot easily sue fraudsters if we cannot find them. We cannot determine which agency can best pursue them if we are unable to figure out the country in which they are located.
The pace of Internet fraud makes it necessary to obtain rapidly the basic identifying information about the operator of a Web site. The existing Whois database does not serve this function as well as it could. Indeed, one survey on e-commerce issues by the Australian Taxation Office found that 10 to 15 percent of the data in the Whois database is inaccurate.
FTC investigations are being hampered by registration that is not only false but sometimes blatantly so. For example, Whois information for TabooSisters.com, a Web site that was targeted in one of our cases, indicated that the domain name was registered to a company located at 4 Skin Street in Amsterdam, with Amanda Hugandkiss listed as the administrative contact.
In another case, a Whois query for a Web site operated by the defendants provided a street address with Here There, California, with a zip code of 10001 for the administrative and technical contact.
These examples do not appear to be isolated incidents. An informal sampling of Whois queries conducted by FTC staff turned up a number of domain names with facially false address information, registered to Hacker, FBI, Mickey Mouse, even God.
Several recent searches have turned up false phone numbers, all 5s or all 8s. One recent search for Whois information listed the organization, administrative, technical and zone contact as a long string of Xes. Another listed U.S. address information for a business that in fact operated from another continent.
This accuracy problem is compounded when registrars fail to suspend domain names promptly when registrants willfully provided inaccurate contact information. Under the accreditation agreement between registrars and ICANN, registrars must collect information from registrants and post such information in a Whois service. Suspension of a domain name for willful failure to provide accurate contact information is within the discretion of the registrar. Their failure to suspend a domain name can allow anonymous fraudsters to remain online and have their sites viewed by thousands of consumers in a short period of time.
There is some room for improvement in the accreditation agreements that could address our concern.
First, it would be extremely useful if registrars could weed out blank or incomplete registration forms as well as some of the obviously false information that undermine the integrity of the Whois database.
Second, it would be very useful if registrars could be required to suspend a domain registration upon willful failure to provide accurate contact information or failure to correct inaccurate contact information until the accurate information is obtained. The current agreements leave cancellation of a domain registration in these circumstances to the registrar's discretion.
We believe it is worth examining whether registrars should have additional obligations to suspend registrations for failure to provide accurate information and to implement reasonable up-front verification procedures for accuracy of contact information that is provided.
Finally there are trade-offs between transparency of domain registrant information and personal privacy. The FTC has a unique perspective on these issues since we are a law enforcement agency that has committed substantial resources to protecting consumers' privacy. There are legitimate privacy interests at stake for Web sites, especially those developed for personal or for political reasons. At the same time, there are often legitimate reasons for making such information available to law enforcers and the public.
For commercial Web sites, we believe that the balance weighs heavily in favor of public disclosure of basic registrant contact information. Once a company decides to sell products on the Internet, it should be accountable to the public so the public can determine who the company is and where it operates from. The OECD guidelines on electronic commerce affirm these principles.
In conclusion, we look forward to working with this Subcommittee and all international stakeholders as they move forward to improve accuracy of Whois information. One important first step is to publicize the problem, and hearings such as this one are an important part of that process.
Thank you for the opportunity to participate.
Mr. COBLE. Thank you, Mr. Beales.
[The prepared statement of Mr. Beales follows:]
PREPARED STATEMENT OF HOWARD BEALES
Mr. Chairman, I am Howard Beales, Director of the Bureau of Consumer Protection at the Federal Trade Commission. I am pleased to be here today to discuss the importance of accurate domain registration information in the Whois database to our consumer protection mission.(see footnote 1) As you know, the Whois database is the popular name for a combination of information directories containing registration information about website operators.
The FTC's consumer protection efforts include fighting Internet fraud. Because fraudulent website operators can defraud consumers quickly and disappear quickly, we need to move just as quickly to find them and stop them. The Whois database--when it is accurate--can help law enforcers quickly identify wrongdoers and their location, halt their conduct, and preserve money to return to defrauded consumers. Inaccurate Whois data, however, help Internet scam artists remain anonymous and stymie law enforcement efforts.(see footnote 2)
The testimony will begin with a general overview of the FTC and its enforcement authority, the challenges we have faced in fighting Internet fraud, and how we work to overcome those challenges. Second, we will discuss the importance of the Whois database to these efforts and the problems we encounter when Whois information is inaccurate. Third, we will address current registrar practices with respect to Whois information. Finally, the testimony will close with a few words about the balancing of privacy interests of domain registrants and the interest of other stakeholders in the transparency of Whois information.
I. THE FTC'S FIGHT AGAINST INTERNET FRAUD
A. The FTC's Law Enforcement Authority
The FTC is an independent agency charged with protecting consumers and promoting a competitive marketplace. The cornerstone of the Commission's mandate is Section 5 of the Federal Trade Commission Act, which prohibits ''unfair methods of competition'' and ''unfair or deceptive acts or practices.''(see footnote 3) The FTC focuses on stopping actions that threaten consumers' opportunities to exercise informed choice. The FTC halts deception through civil actions filed by its own attorneys in federal district court, as well as through administrative cease and desist actions.(see footnote 4)
B. The Challenges Posed by Internet Fraud
The Internet and e-commerce have seen dramatic growth. The number of American adults with Internet access has grown, by one estimate, from approximately 88 million in mid-2000 to more than 174 million in March 2002.(see footnote 5) The Census Bureau of the Department of Commerce estimated that in the fourth quarter of 2001, not adjusted for seasonal, holiday, and trading-day differences, online U.S. retail sales were more than $10 billion, an increase of 13.1 percent from the fourth quarter of 2000. Total e-commerce sales for 2001 were estimated at $32.6 billion, an increase of 19.3 percent from 2000.(see footnote 6)
Unfortunately, but not surprisingly, the e-commerce boom of the last several years has created fertile ground for fraud. In 2001, close to 50,000 complaints--roughly 41 percent of all complaints logged into the FTC's fraud database, Consumer Sentinel, by various organizations that year--were Internet-related.(see footnote 7)
There is real danger that the benefits of the Internet may not be fully realized if consumers identify the Internet with fraud operators. We need to act quickly to stop fraud, both to protect consumers and to protect consumer confidence in e-commerce. We have therefore made fighting Internet fraud a top priority. Since 1994, the FTC has brought more than 225 Internet-related law enforcement actions against 688 defendants and respondents, stopping consumer injury estimated at more than $2.1 billion.
The Commission faces a host of novel challenges in its efforts to combat fraud and deception online. Traditional scams--such as pyramid schemes and false product claims--thrive on the Internet. A colorful, well-designed Web site imparts a sleek new veneer to an otherwise stale fraud; and the reach of the Internet also allows an old-time con artist to think--and act--globally. Moreover, the architecture of the Internet itself has given rise to new high-tech scams that were not possible before the development of the Internet. Both traditional scams and the innovative ones exploit the global reach and instantaneous speed of the Internet. In addition, the Internet enables con artists to cloak themselves in anonymity, which makes it necessary for law enforcement authorities to act much more quickly to stop newly-emerging deceptive schemes before the perpetrators disappear. And because the Internet transcends national boundaries, law enforcement authorities must be more creative and cooperative to successfully combat online fraud.
C. The FTC's Efforts to Fight Internet Fraud
Given the speed with which Internet fraudsters can con consumers, the Commission has worked to identify problems and go after perpetrators rapidly. In light of the challenges posed by the borderless nature of the Internet, the Commission has worked to gather information from international sources and cooperate with its foreign counterparts through multilateral and bilateral efforts. Some of the tools we have used to accomplish these goals include the following:
Databases: To gather information quickly, the Commission has developed Consumer Sentinel, a web-based consumer complaint database that is accessible to more than 420 law enforcement organizations in the U.S., Canada and Australia.(see footnote 8) In 2001, numerous organizations in the U.S. and Canada contributed more than 200,000 consumer complaints to Consumer Sentinel.(see footnote 9) These complaints can help us identify trends and target fraudsters quickly and efficiently.
International Cooperation: The Commission cooperates with its international counterparts to meet the challenges posed by cross-border fraud. The FTC is a member of the International Marketing Supervision Network (IMSN), a group of 30 consumer protection enforcement agencies that meets twice a year to discuss cross-border cooperation.(see footnote 10) Fifteen IMSN countries have launched econsumer.gov, a public website where consumers can file cross-border e-commerce complaints online that are accessible to law enforcement agencies in the member countries. The site is available in English, French, Spanish and German.(see footnote 11) Complaints from econsumer.gov can help us identify trends and fraudsters on an international level. The FTC has also signed consumer protection cooperation agreements with Canada, the U.K. and Australia, which has enhanced our cooperation with these countries.(see footnote 12)
Surf Days: The Commission also coordinates law enforcement Surf Days to help identify international fraudsters. During a typical surf day, law enforcers at the federal, state, local and international levels ''surf'' the Internet for a specific type of claim or solicitation that is likely to violate the law. When a suspect site is identified, the page is downloaded and saved as potential evidence. Frequently, the operator of the site is sent a warning that explains the law and provides a link to educational information. Often, investigators obtain the e-mail or postal address from Whois information in order to send such warnings. A law enforcement team later revisits the previously warned sites to determine whether they have remedied their questionable claims or solicitations. Sites that continue to make unlawful claims are targeted for possible law enforcement action. Surf days achieve visible results: to date, more than 250 law enforcement agencies and consumer organizations around the world have joined the FTC in approximately 33 surf days; collectively, they have identified more than 6,000 Internet sites making dubious claims. In each of these efforts, a significant percentage of the Web site operators who received a warning came into compliance with the law, either by taking down their sites or by modifying their claims or solicitations.
Sweeps: The FTC also coordinates law enforcement sweeps, both domestically and internationally, and here too Whois information can play an important role. In our experience, ''sweeps'' of a particular area can generate substantial publicity, which can in turn provide meaningful consumer education and further deter fraudulent conduct in that area. In ''Operation Top Ten Dot Cons,'' for example, law enforcement agencies from nine countries announced 251 law enforcement actions against online companies. More recently, the FTC announced earlier this month that it had joined forces with 12 other U.S. and Canadian agencies to form an International Netforce targeting deceptive spam and Internet fraud. The agencies brought 63 law enforcement actions against Web-based scams, ranging from auction fraud to bogus cancer cure sites, and sent more than 500 warning letters to senders of deceptive spam.(see footnote 13)
Internet Training: Recognizing that law enforcement officials have to be one step ahead of the technology used by scam artists, the FTC has also hosted Internet training seminars. Since FY 2001, the Commission has educated more than 1,750 law enforcement personnel from more than 20 countries, 38 states, 23 U.S. federal agencies, and 19 Canadian agencies.
Internet-Based Tools: The Commission also provides its staff with the tools they need to investigate high-tech fraud quickly, anonymously, and efficiently. The FTC's Internet Lab is an important example. With high speed computers that are separate from the agency's network and equipped with current hardware and software, the Lab allows staff to investigate fraud and deception in a secure environment and to preserve evidence for litigation. Staff often conducts Whois searches in the Internet lab.
III. THE IMPORTANCE OF WHOIS DATA
You have asked us to discuss the importance of accurate Whois data to our work. Such a discussion necessarily takes place against the backdrop of discussions about ICANN reform. Interested stakeholders are actively discussing various reform proposals.
It is hard to overstate the importance of accurate Whois data to our Internet investigations. In all of our investigations against Internet companies, one of the first tools FTC investigators use to identify wrongdoers is the Whois database. We cannot easily sue fraudsters if we cannot find them. We cannot even determine which agency can best pursue them if we are unable to figure out the country in which they are located.
The pace of Internet fraud makes it necessary to obtain rapidly the basic identifying information about the operator of a website. The existing Whois database does not serve this function as well as it could. Indeed, one survey on e-commerce issues by the Australian Taxation Office found that 10 to 15 percent of the data in the Whois database is inaccurate.(see footnote 14)
A. FTC Experience with Inaccurate Whois Data
FTC investigations are being hampered by registration information that is not only false, but sometimes blatantly so. For example, Whois information for ''taboosisters.com,'' a website targeted in FTC v. Pereira,(see footnote 15) indicated that the domain name was registered to a company located at ''4 Skin'' Street in Amsterdam, with ''Amanda Hugandkiss'' listed as the administrative contact. In FTC v. J.K. Publications, Inc.,(see footnote 16) a Whois query for a website operated by the defendants provided a street address of ''here there, ca 10001'' for the administrative and technical contacts.
These examples do not appear to be isolated incidents. An informal sampling of Whois queries conducted by FTC staff turned up a number of domain names with facially false address information registered to ''hacker,'' ''FBI,'' ''Bill Clinton,'' ''Mickey Mouse,'' and ''God.'' Several recent searches have turned up false phone numbers such as 555 5555555 and 888 8888888. One recent search for Whois information listed the organization, administrative, technical and zone contact as ''xxxxxxxxxxxxxx.'' Another listed U.S. address information for a business that in fact operated from another continent.
Besides hampering our law enforcement investigations, inaccurate Whois data decreases the effectiveness of our Surf Days. As described above, the FTC and its law enforcement partners often ''surf'' the Internet for particular types of claims and send warning messages to sites that make potentially deceptive or misleading claims, following up later to determine if enforcement action is appropriate. Surfers rely on Whois data to find addresses for this purpose. If the Whois data are not accurate, the utility of the Surf Day as a law enforcement tool is diluted.
Problems with inaccurate Whois data were illustrated in a surf conducted by the FTC and its law enforcement partners in connection with the recent ''International Netforce'' initiative described above. One part of this initiative was a surf to test compliance with ''remove me'' or ''unsubscribe'' options.(see footnote 17)
The object of the surf was to test whether ''remove me'' or ''unsubscribe'' options in spam were being honored. From e-mail forwarded to the FTC's database of unsolicited commercial e-mails by the participating agencies, we culled more than 200 e-mails that purported to allow recipients to remove their name from a spam list. The agencies set up dummy e-mail accounts to test the pledges. We discovered that most of the addresses to which they sent the requests were invalid. Most of the ''remove me'' requests did not get through. Based on information gathered, the FTC sent 77 letters warning spammers that deceptive ''removal'' claims in unsolicited e-mail are illegal. We sent the letters to addresses listed in the Whois database. Interestingly, 16 of the 77 letters, or approximately 21 percent, were sent back to us because the addresses we obtained from the Whois database were inaccurate. We have notified the registrars of this inaccuracy and have encouraged them to take appropriate action.(see footnote 18)
The importance of law enforcement officials having access to accurate contact information for commercial website operators has also been recognized internationally. In 1999, the Organization for Economic Cooperation and Development (OECD), an international organization consisting of 30 countries, issued consensus Guidelines on Consumer Protection in Electronic Commerce. These Guidelines recommend that ''businesses engaged in electronic commerce with consumers should provide accurate, clear and easily accessible information about themselves sufficient to allow, at a minimum . . . location of the business and its principals by law enforcement and regulatory officials.''(see footnote 19) Where this information is not provided on the registered websites, the Whois database can provide an important supplementary resource for law enforcers.
B. REGISTRAR RESPONSIVENESS
The problem of inaccurate Whois information is compounded when registrars fail to act promptly to suspend domain names registered by registrants who have willfully provided inaccurate contact information. Under Registrar Accreditation Agreements between registrars and ICANN, registrars must collect contact information from registrants and post such information on a Whois service.(see footnote 20) Suspension of a domain name for willful failure to provide accurate contact information is within the discretion of the registrar.(see footnote 21) However, registrars have little incentive to suspend a domain name. Their failure to suspend a domain name can allow anonymous fraudsters to remain online and have their sites viewed by thousands of consumers in a short period of time.
Here is an anecdote illustrating how difficult it can be to suspend a domain name. At the most recent meeting of the OECD's Committee on Consumer Policy, which FTC Commissioner Mozelle Thompson now chairs, OECD staff presented a paper on its experience trying to contact a cybersquatter.(see footnote 22) The OECD had let its registration for its French language site www.ocde.org lapse. A cybersquatter bought the domain name and used it to post a pornographic site with an offer to sell the domain name.(see footnote 23) The Whois database indicated that the site had been registered by ''Domain For Sale,'' located in Armenia, but the administrative and technical contact was an employee of the American Institute of Architects in Washington, D.C. The OECD called this individual and found that Domain For Sale had falsely listed him as a contact. The OECD demonstrated to the registrar that Domain For Sale had willfully provided false contact information. Rather than suspend Domain For Sale's registration, the registrar sent an e-mail to Domain For Sale, giving it fifteen days to correct its registration.
Domain For Sale modified its registration information, but the new information was on its face incomplete, as it did not list a person as a contact for the company, in violation of the Registrar Accreditation Agreement.(see footnote 24) The registrar offered to de-register Domain For Sale only if OECD would indemnify the registrar for any breach of contract claim, the registrar's legal expenses in responding to OECD's complaint, and two years potential loss of registration business from Domain For Sale, which had 113 registrations with that particular registrar. The OECD refused and submitted affidavits from Armenian government officials stating that there was no legal entity registered at the address Domain For Sale had listed as its contact information. Only after some additional correspondence between the OECD and the registrar over a period of about one month was the registrar prepared to return the name to the OECD.
According to the OECD, the registrar failed to suspend the registration even after the OECD had twice shown that the registrant willfully submitted false contact information. Thus, OECD did not have access to www.ocde.org for almost two months.(see footnote 25) By analogy, if a fraudulent website remains posted for a two-month period, it could cause consumers substantial injury.
IV. CURRENT REGISTRAR PRACTICES WITH RESPECT TO WHOIS INFORMATION
Current registrar practices with respect to accuracy of Whois information vary, depending on the type of registrar at issue. All registrars for generic Top Level Domains (gTLDs), including .com, .net, .org, .biz, .info and .name, are required to comply with ICANN's Registrar Accreditation Agreement.(see footnote 26) This Agreement contains provisions requiring registrars to collect accurate contact information from registrants and post such information on a Whois site. ICANN does not currently have any contractual provisions in place for most country code Top Level Domains (ccTLDs), such as .uk for the United Kingdom or .de for Germany. Registrar practices for these ccTLDs vary widely.(see footnote 27) The following discusses each of these areas in turn.
A. Generic TLDs
ICANN's Registrar Accreditation Agreements with the gTLD registrars include some noteworthy provisions that illustrate ICANN's recognition of the benefits of accurate Whois data. For example, the Agreement specifies that ''a Registered Name Holder's willful provision of inaccurate or unreliable information, its willful failure promptly to update information provided to Registrar, or its failure to respond for more than fifteen calendar days to inquiries by Registrar concerning the accuracy of contact details associated with the Registered Name Holder's registration shall constitute a material breach of the Registered Name Holder-registrar contract and be a basis for cancellation of the Registered Name registration.''(see footnote 28) The Accreditation Agreement also requires that, if registrars are notified of an inaccuracy in the registration information, they should ''take reasonable steps to investigate that claimed inaccuracy.''(see footnote 29)
The FTC Bureau of Consumer Protection letter to the ICANN DNSO Names Council dated August 6, 2001, mentioned earlier, had asked ICANN to work with registrars to implement and enforce the provisions of its Registrar Accreditation Agreement that ensure the completeness and accuracy of Whois data. There is some room for improvement in the Registrar Accreditation Agreements that could address our concerns.(see footnote 30)
First, it would be extremely useful if registrars would weed out blank or incomplete registration forms, as well as some of the obviously false information that undermines the integrity of the Whois database. Second, it would be very useful to us if registrars could be required to suspend a domain registration upon willful failure to provide accurate contact information, or failure to correct inaccurate contact information, until accurate information is obtained. The current ICANN Registrar Accreditation Agreements leave cancellation of a domain registration in these circumstances to the registrar's discretion.(see footnote 31) This policy is problematic for two important reasons. As noted above, registrars have little incentive to suspend a domain name. Without a suspension requirement, scam artists are free to perpetrate fraud anonymously. In addition, registrars that adopt relaxed policies on accurate contact information may attract businesses seeking anonymity, creating havens for bad actors to shield their true identity from law enforcement and others. The OECD experience described above shows the consequences of lack of registrar cooperation: when registrars refuse to suspend domain registrations, websites operating for nefarious purposes can continue to operate on the Internet unchecked.
Although the Registrar Accreditation Agreements contain many important provisions for ensuring accuracy of domain registration information, these provisions have not solved the problem of inaccurate data described above. We believe it is worth examining whether registrars should have additional obligations to suspend registrations for failure to provide accurate information under Section 220.127.116.11 of the Registrar Accreditation Agreement and to implement reasonable up-front verification procedures for accuracy of contact information provided.(see footnote 32)
B. Country-Code TLDs
Websites operating from the two-letter country-code top-level domains (ccTLDs) are likely to become increasingly important to our Internet fraud efforts. Websites operating from ccTLDs are viewable by U.S. consumers, and an increasing number of our actions involve foreign-based websites targeting U.S. consumers.
Registration of domain names within ccTLDs is administered by country-code registry managers. The rules and policies for registering domain names in the ccTLDs vary significantly, and the ccTLD registry managers do not have uniform rules on collection and publication of contact information for domain registrants.(see footnote 33) Thus, the policies on disclosure of Whois information for domains registered with ccTLDs vary widely, and unavailability of such information can hinder our investigations. For example, the public Whois database for the .uk TLD (United Kingdom) only provides the name of the registrar and no contact information for the domain registrant.(see footnote 34) The .ie (Ireland) public Whois service only provides the name of the person who registered the website, but no contact information.(see footnote 35) The .cn Whois service for China provides virtually no public information.(see footnote 36)
ICANN's existing ccTLD Sponsorship Agreements with Australia and Japan state that ccTLD registry managers should obtain, maintain and provide public access to accurate and up-to-date contact information for domain name registrants consistent with ICANN policies.(see footnote 37) Neither of these agreements prescribes detailed rules for what information should be collected and what information should be published. The Australian ccTLD registry manager seems to provide contact information, including name, address, telephone number, fax number and e-mail address, for the registrant, whereas the Japanese ccTLD registry manager seems to only provide the name of the registrant.(see footnote 38) ICANN's model ccTLD Sponsorship Agreement and ICANN's Governmental Advisory Committee Principles for Delegation and Administration of ccTLDs Presented contain the same provision as the .jp (Japan) and .au (Australia) ccTLD sponsorship agreements on public access to contact information of registrants.(see footnote 39)
It would be extremely useful for our law enforcement purposes for the ccTLD registry managers to implement measures to improve accuracy and accessibility of Whois data for ccTLD registrants. For the reasons that we have outlined, we will continue to work with businesses, consumer groups, governments, international organizations and other stakeholders to advocate internationally the importance of collecting accurate contact details for ccTLD registrants to assist law enforcers in their efforts to protect consumers from Internet fraud.(see footnote 40)
V. PRIVACY ISSUES
Finally, there are tradeoffs between transparency of domain registrant information and personal privacy. The FTC has a unique perspective on these issues, given that we are a law enforcement agency that has committed substantial resources to protecting consumers' privacy.(see footnote 41) There are legitimate privacy interests at stake for websites, especially those developed for personal or political purposes. At the same time, there are often legitimate reasons for making such information available to law enforcers and/or the public.
For commercial websites, we believe the balance weighs in favor of public disclosure of basic registrant contact information. Once a company decides to sell products on the Internet, it should be accountable to the public so that the public can determine who the company is and where it operates from. The OECD Guidelines on Electronic Commerce cited above affirm these principles. The Guidelines state that consumers should have information about commercial websites ''sufficient to allow, at a minimum, identification of the business . . . [and] prompt, easy and effective consumer communication with the business.''(see footnote 42) This provision represents a consensus among the 30 member countries of the OECD as to the minimum information that consumers should be able to obtain about businesses operating websites. Because some online businesses do not provide sufficient identifying information on their websites, Whois information can provide consumers with a useful supplement.
With respect to websites registered by individuals, such as websites registered under the .name Top Level Domain,(see footnote 43) or websites registered for non-commercial purposes, there are different considerations to balance. On one hand, these individuals and website operators have legitimate privacy concerns. On the other hand, a fraudster should not be permitted to hide from law enforcement authorities simply by registering under the .name TLD or by claiming registration for non-commercial purposes. It is also important in this context to consider both the question of what disclosure to the public is warranted and the question of what disclosure to law enforcement is warranted. We are continuing to work through international organizations, businesses and consumer groups to develop workable solutions that balance the privacy interests with the interests in transparency of Whois data.(see footnote 44)
In short, our Internet fraud enforcement efforts require quick identification of problems, quick identification of perpetrators, and the ability to gather information about international entities and organizations. Accurate Whois data is essential to these efforts, and inaccurate data can significantly frustrate them. We look forward to continuing to work with this Subcommittee and all international stakeholders toward improving accuracy of Whois information.
Mr. Chairman, the FTC greatly appreciates this opportunity to testify. I would be happy to answer any questions that you and other Members may have.
Mr. COBLE. Mr. Metalitz.
STATEMENT OF STEVEN J. METALITZ, SMITH & METALITZ, LLP, ON BEHALF OF COPYRIGHT COALITION ON DOMAIN NAMES
Mr. METALITZ. Thank you, Mr. Chairman, Mr. Berman, Members of the Subcommittee. I appreciate this opportunity to present the views of the Copyright Coalition on Domain Names, and I want to thank you for once again using the oversight jurisdiction of this Subcommittee to spotlight some of the problems with the Whois database.
Mr. Beales has already talked about what the Whois database is and how it is used in enforcement of consumer protection laws. We have a similar story to tell with regard to enforcement of the copyright laws.
The copyright industries, as this Subcommittee knows, are an extremely important part of the U.S. economy, growing faster than - much faster than the rest of the economy. This industry is threatened by online piracy, and a key tool that we use to combat online piracy is Whois. This is the feature of the domain name system that makes available contact data on those who register domain names. We also use it to implement the notice and take-down procedures of the Digital Millennium Copyright Act, which originated in this Subcommittee 4 years ago.
It is no exaggeration to say that all Internet users need Whois, and they need it because it helps to provide the transparency and accountability on the Internet that is needed to build consumer confidence in this medium of electronic commerce. But Whois can't do its job if the data it contains is false, incomplete, inaccurate or out of date; and all too often all of those adjectives apply. Mr. Beales has given several examples, we have some in our testimony, and I am sure the other witnesses will provide them as well. So I won't go through the gory details of some of these. But I think it is clear, as Mr. Beales has said, that it is not an isolated problem.
Now, most Whois data is accurate. The problem is that, among the small minority of domain name registrants who are up to no good, whether they are cyberpirates or cybersquatters on trademark names or they are carrying out consumer fraud, they face no impediment whatever to submitting false Whois data; and they face virtually no adverse consequences for doing so. This is the reason why the data quality in Whois is so poor today. Obviously, this is the fault of registrants who are submitting false contact data, but this data is being accepted without any question or without any attempt at verification.
In the legacy top-level domains, by which I mean dot com, dot net, and dot org, and that is the focus of the statement, this responsibility rests on the registrars. As Mr. Beales has pointed out, there are provisions in the agreements that every registrar, all 150 or so of them, have signed with ICANN that require them to take some steps to improve data quality, to screen out bad contact data and to respond promptly to complaints about bad contact data and to revoke the registrations of those who submit it.
It is painfully obvious that these legal obligations are not being met. Most registrars do not seem to have established a mechanism for even receiving complaints of false contact data.
Some registrars have very recently taken steps to reverify some of the Whois data, but that is not a widespread practice. The sanction provided by the agreements for this behavior, cancellation of the domain name registration, is almost never applied; and, as we understand the results of the survey that this Subcommittee undertook, the results you received were the same as what we are seeing here.
It is hard to escape the conclusion that most registrars don't care about the quality of the Whois data they collect, and they feel under no compulsion to improve it or even to respond to questions even from this Subcommittee about it. This is also borne out by some of these studies that we referenced in our testimony from the OECD and from the ICANN's own domain name support organization.
So what should be done about this problem? Well, on the registrar's side, we think there is a three-point plan that they have to adopt. They have to screen out the bad data, they have to check out the data that they have received, and they have to toss out of their registries the entities that are submitting bad contact data.
They could do this all voluntarily. Unfortunately, so far there is little indication that they are interested in pursuing this course.
Legislation is certainly one option that ought to be considered, but we have to look very carefully at what the consequences of that legislation might be.
I think at this point the buck stops with ICANN. ICANN has entered into these agreements. It is past time for it to enforce these agreements. In the past 2 weeks since this hearing was announced, ICANN has issued a registrar advisory that tries to spell out what the ICANN accredited registrars are supposed to do in this area. We think it leaves a great deal to be desired, but it certainly is a good first step.
ICANN right now is undergoing a restructuring and reform debate, and one key issue there is the confidence of governments in the work of ICANN. I think one of the things ICANN can do to bolster that confidence is to really take some proactive steps to enforce the agreements it has entered into with these registrars and to move to clean up the Whois database.
Thank you very much.
Mr. COBLE. Thank you, Mr. Metalitz.
[The prepared statement of Mr. Metalitz follows:]
PREPARED STATEMENT OF STEVEN J. METALITZ
Chairman Coble, Representative Berman, and members of the Subcommittee:
Thank you for this opportunity to present the views of the Copyright Coalition on Domain Names (CCDN) on the accuracy and integrity of Whois data. Since 1999, our coalition has brought together the leading organizations representing copyright owners, whose common goal is to preserve and enhance the critical role of the domain name registration system in combating the scourge of online copyright piracy and promoting legitimate electronic commerce in works of authorship. CCDN participants include leading industry trade associations such as the Business Software Alliance (BSA), the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA), and the Software and Information Industry Association (SIIA); the two largest organizations administering the performance right in musical compositions, ASCAP and BMI; and major copyright-owning companies such as AOL Time Warner and the Walt Disney Company. I appear this morning as counsel to CCDN.
I also serve as president of the Intellectual Property Constituency (IPC), the international group organized under the auspices of the Internet Corporation for Assigned Names and Numbers (ICANN) and its Domain Names Supporting Organization, to advise ICANN on intellectual property issues generally, including trademark as well as copyright matters. While this testimony has not been formally approved by the IPC, it is consistent with the public policy positions that group has taken.
Before turning to the specific issue which is the focus of this morning's hearing, may I first express our appreciation to the members of this Subcommittee, and especially its leadership, Mr. Coble and Mr. Berman, for your wise stewardship of the U.S. copyright law and your leadership in ensuring that American creativity is fostered through strong copyright protection and effective enforcement, both here and abroad. That stewardship and leadership are important ingredients that have allowed the U.S. copyright industries to contribute so much to the U.S. economy and global competitiveness. The numbers in the latest economic study issued last month by the International Intellectual Property Alliance (IIPA) tell a powerful story about the copyright industries: nearly five million U.S. jobs, more than half a trillion dollars contributed to Gross Domestic Product, and close to $90 billion in exports and foreign sales, a new record and far more than almost any other industry sector. The story behind that story is the work of this subcommittee, both in keeping copyright law up to date with technological changes - most recently through enactment of the Digital Millennium Copyright Act (DMCA) in 1998 - and in conducting careful oversight of its enforcement.
WHOIS: ITS IMPORTANCE TO COPYRIGHT OWNERS AND ALL INTERNET USERS
As this subcommittee knows only too well, online piracy of all kinds of copyrighted material poses a real danger to the remarkable U.S. success story summarized in the latest IIPA statistics. A key tool that intellectual property owners use to combat online piracy and cybersquatting is called ''Whois.'' This feature of the domain name system makes available the contact data on those who register domain names. Every pirate site has an address on the Internet; and through Whois and similar databases, virtually every Internet address can be linked to contact information about the party who registered the domain name corresponding to the site; about the party who hosts the site; or the party who provides connectivity to it.
Copyright owners use this critical information in a number of ways to protect their intellectual property. Sometimes we approach the site operator directly, with a demand that piratical activity cease. In the case of unauthorized public performances and other uses of musical compositions, ASCAP and BMI generally contact the site operator and offer a license to cover those performances or uses, which provides a means for the operator to avoid further liability. Sometimes Whois data is used primarily to correlate the activity at one pirate site with another that may be registered by the same or a related entity. This information is compiled for later use in civil or criminal enforcement proceedings, including settlement discussions. But perhaps the most important use of Whois data is to enable the operation of a key element of the DMCA, the ''notice and takedown'' procedure provided by 17 USC §512.
As you know, under notice and takedown, the copyright owner (or its representative) notifies an Internet Service Provider (ISP) of infringing activity taking place on a site which the ISP hosts or to which it provides connectivity. The DMCA gives the ISP a strong incentive, in the form of sharply reduced exposure to legal remedies, if it expeditiously ''takes down'' or cuts off access to the site in question. Over the past three and one-half years, notice and takedown, whether carried out strictly within the steps set out in the DMCA or through more informal channels, has been an effective means by which copyright owners and responsible ISPs have cooperated to combat online piracy. This mechanism, which has been successfully invoked tens of thousands of times since enactment of the DMCA, could not function properly without ready access to Whois information. Whois and related DNS directory services allow copyright owners quickly and reliably to identify the ISP to whom a DMCA notification should be directed in order to start the notice and takedown procedure. Without accurate and accessible Whois data, it would be much more difficult for copyright owners to find out who is the proper recipient of a DMCA notification in a timely and cost effective manner.
I certainly don't want to give the impression that copyright owners are the only ones who are concerned about public access to Whois. Nothing could be further from the truth. Access to domain name registrant contact data is critical to trademark owners as well, in their efforts to combat cybersquatting and the promotion of counterfeit products online. In addition, the value of unrestricted public access to Whois data extends far beyond the intellectual property arena, into network operations and security functions, consumer protection, law enforcement, and protection of children from inappropriate online content. It is no exaggeration to say that all Internet users need WHOIS to provide essential transparency and accountability on the Internet. If the Internet is to thrive as a medium for legitimate commerce and for ubiquitous communication, we all have a stake in preserving and enhancing unrestricted public access to Whois.
THE PROBLEM OF WHOIS DATA QUALITY
But Whois cannot perform these critical functions if the data it contains is false, incomplete, inaccurate, or out of date. Anyone who is familiar with the Whois database knows the problems with Whois data quality. All too often, the data we access in Whois is clearly bogus on a first glance, listing fictitious cities, states and countries, phone numbers consisting entirely of letters or repeated ''5'' 's, and the like. In even more cases, the most rudimentary investigation would demonstrate the falsity of Whois data.
Let me provide just a couple of examples. The first concerns the domain name for a site purporting to make available a product that will allow the unrestricted copying of commercially released DVD's - a blatant violation of the DMCA. In Whois, the registrant lists its name and address as follows:
DVD Copy HQ
1000 Lavaland LN
Flabberville, CA 90807 USA
A brief visit to a resource such as www.whitepages.com reveals, within seconds, that there is no Flabberville, CA, and no Lavaland Lane in the city (Long Beach, CA) corresponding to the zip code provided. This clearly false contact data accepted by the domain name registrar means that Whois cannot, in this instance, fulfill the important function of providing transparency and accountability for intellectual property owners, consumers, law enforcement officials, and others who would have a very lively interest in tracking down the party committing these illegal acts.
The second example involves the efforts of the Organization for Economic Cooperation and Development (OECD) to recover the domain name corresponding to the French-language version of its acronym - ocde.org - after a registrar mistakenly cancelled its registration by OECD and a second registrar allowed a pornographer and cybersquatter to take it over. It took the OECD, a prestigious intergovernmental organization that brings together virtually the entire developed world, two months and considerable expenditure of staff and outside counsel resources before it was able to reclaim the pilfered domain name. I will not repeat the full tale here, which involves a registrant who apparently hijacked not only the domain name, but also the contact information of a number of innocent bystanders, such as an Armenian family in Yerevan and a Washington, DC professional association executive, which he submitted to Whois in connection with his registration. This registrant was a serial Whois abuser, whose victims included (according to OECD's investigation) ''Hewlett Packard, ESPN, a small town in Idaho, a former San Francisco Forty-Niners quarterback, an Australian football club, children's web sites in the US and Italy, [and] a chemistry professionals' discussion site.'' I encourage subcommittee members to visit http://www.oecd.org/pdf/M00027000/M00027316.pdf to review all the gory details.
I want to emphasize that bogus Whois data is the exception, not the rule. Just as the vast majority of domain name registrants are perfectly legitimate entities and individuals who use their Internet presence in completely unobjectionable ways, so most registrants provide accurate and complete Whois data and make reasonable efforts to keep it up to date. The problem is that among the small minority of domain name registrants who are up to no good - whether they are cybersquatters, copyright pirates, or perpetrators of other kinds of online scams, rip-offs or crimes - there is no impediment whatever to the submission of false Whois data, and virtually no adverse consequences for doing so. It is no surprise, therefore, that within this small minority of Whois abusers we find a disproportionate number of those who establish an online presence for illegitimate, malign and illegal purposes.
WHOIS DATA QUALITY: WHO IS RESPONSIBLE?
It is time to pose our own Whois question: Who is responsible for the deplorable data quality of Whois? In the first instance, of course, it is domain name registrants who are submitting blatantly false data. But that data is being accepted without question or any attempt at verification. The party responsible for this critical omission varies depending on the Top Level Domain (TLD) in question.
In the so-called legacy Top Level Domains - .com, .net and .org - the registrars, who are accredited by ICANN, not only collect registrant contact data at the time a domain name is registered, but are also responsible for maintaining, and providing access to, a Whois database containing that information on their registrants.
In the new Top Level Domains created by ICANN over the past two years - such as .info, .biz and .name - contact data is collected by the registrars, but is transmitted to the TLD registry, the keeper of the authoritative database of registrations throughout the particular TLD in question. In these environments, it is the registry that is responsible for maintaining and providing public access to a centralized Whois database covering the entire TLD.
Finally, in the country code TLDs - the two-letter suffixes corresponding to one of more than 250 countries, territories, or other recognized geographic entities - Whois practices vary widely, not only as to which party collects and maintains registrant contact data, but also as to whether these data are entered into a Whois database and whether that database is accessible to the public.
For simplicity, in this statement we focus on the situation in the legacy TLDs, which account for the vast majority of domain name registrations.
THE ROLE OF ACCREDITED DOMAIN NAME REGISTRARS
As I have already noted, domain name registrars must be accredited, and must enter into a Registrar Accreditation Agreement (RAA) with ICANN. The RAA contains several provisions dealing with Whois data quality. Section 18.104.22.168 requires domain name registrants to give the Registrar, at the time of registration, ''accurate and reliable contact details, and [to] promptly correct and update them during the term of . . . registration.'' Section 22.214.171.124 makes willful breaches of this obligation ''a basis for cancellation of the . . . registration.'' Section 3.7.8 of the RAA adds two other critical obligations. First, it requires registrars to ''take reasonable steps to investigate'' claims of inaccurate Whois data when they are brought to their attention ''by any person,'' and to ''take reasonable steps to correct'' any inaccuracy in registrant contact data of which the registrar learns. Second, this provision empowers ICANN to establish ''specifications or policies . . . requiring reasonable and commercially practicable (a) verification, at the time of registration, of contact information . . . or (b) periodic re-verification of such information.'' Registrars are required, under this provision of the RAA to ''abide by'' any such ICANN-established policies.
It is painfully obvious that these legal obligations are not being met. While registrars may be telling registrants that they must provide and keep current accurate contact data, they seem to be doing virtually nothing to enforce this obligation. Most registrars do not seem to have established any mechanism for even receiving complaints of false contact data, much less acting on such complaints, as the RAA requires them to do. One or more registrars seem to have very recently taken some steps to re-verify some Whois data, but the practice does not appear to be routine or widespread. Even though the Whois databases of many registrars are replete with blatantly bogus contact data that must have been supplied willfully, the sanction provided by the RAA for such behavior - cancellation of the domain name registration associated with the false data - is almost never applied. And until this past week, ICANN had neither issued any policies to facilitate the improvement of Whois data quality, nor taken any proactive steps to enforce the Whois data quality obligations that registrars are already subject to under the RAA.
As we understand it, the results of the survey of U.S.-based accredited registrars undertaken by this Subcommittee confirm this dismal picture. Two years ago, after the first registrars were accredited by ICANN under RAA's that contained nearly identical obligations, CCDN attempted to survey all accredited registrars on this issue, asking them, for example, to identify their contact person for receiving complaints of false Whois data. Only one registrar even bothered to respond to CCDN. We understand that the response rate even to a questionnaire issued by a subcommittee of the U.S. House of Representatives was not much better. It is hard to escape the conclusion that most registrars don't care about the quality of the Whois data they collect and make available, and feel under no compulsion to improve it or even to respond to questions about it.
CCDN would like to direct the subcommittee's attention to two other reports that may shed some light on the Whois data quality problem. First, I will refer again to the OECD's report. A recurring theme of this saga is the profound indifference of the registrar to the fact that the new registrant supplied clearly false contact data, and the persistent reluctance of the registrar to take any action to exercise its power under the RAA to cancel the registration so the OECD could reclaim it. Unfortunately, the OECD's story does not appear to be atypical. As the OECD paper concludes, ''The system provides no incentive for the registrar to exercise any degree of diligence or to help reduce the victim's period of losses or recovery costs, even when its contract gives it every ability to do so.''
Second, an online survey undertaken by a task force of ICANN's Domain Name Supporting Organization provides one of the first attempts at systematic data collection regarding who uses Whois, how they use it, and how they believe the system can be improved. This survey, which generated over 3000 responses over a period of several weeks in the summer of 2001, is in no sense a scientific sample - respondents were self-selected - but its results are nonetheless highly informative. The Task Force issued a preliminary report on these responses in March, with a final report expected by June. Among other issues, the survey asked whether respondents had been ''harmed or inconvenienced'' by ''inaccurate, incomplete, or out of date'' Whois data. Nearly half the respondents - 44% - reported harm or inconvenience. The data is currently undergoing further analysis, which may provide a more detailed explanation of the problems encountered.
In short, the evidence is strong that lax policies of registrars and insufficient oversight by ICANN are allowing a safe haven for clearly false contact data within the Whois databases of the legacy TLDs. Within this safe haven, the opportunities for consumer fraud, cybersquatting, and online piracy abound. Conversely, until steps are taken to improve the situation, the full potential for electronic commerce cannot be realized, because the conditions for a high level of public confidence in the medium are not fully in place.
TOWARD A SOLUTION TO THE WHOIS DATA QUALITY PROBLEM
The solution to this problem lies with the parties responsible for the current system: registrants, registrars, and ICANN. The current system gives registrants little incentive to provide accurate and complete contact data and to keep it current. The best incentive may be the threat that a failure to meet these obligations will lead to cancellation of the domain name. That threat is empty today because such cancellations almost never occur.
To get a handle on this problem, registrars must adopt a three-point plan for dealing with registrants who provide false contact data: screen them out, check them out, and toss them out. Simple off-the-shelf tools are available that would allow registrars to automatically screen out and reject registration applications (at least from U.S.-based registrants) that contain blatantly false contact data, such as addresses, zip codes, and telephone area codes that do not match up. If registrars would use these, the bar to registrations based on such data would be raised significantly at the outset of the registration process.
Second, registrars must undertake a more intensive verification and re-verification process on at least a sample of registrations. Even this process could be automated to some extent, through the use of e-mail pinging programs and the like, although in some cases human intervention may be required to verify the information contained in the Whois database. Such spot-checks would catch much of the false Whois data that manages to slip through the initial screening process.
Finally, registrars must vigorously exercise the authority the RAA already gives them to cancel registrations based on false contact data or data that cannot be verified. Each registrar should establish and publicize a contact person for receiving reports of false Whois data, and should implement a system with strict timetables for investigating these reports and canceling the corresponding registrations of those for which complaints prove valid.
Ideally these desperately needed reforms could be developed and implemented voluntarily by registrars through adherence to a code of best practices. Unfortunately, there is little indication that registrars are interested in pursuing this course or that they could successfully achieve significant improvements this way. It would also be possible for Congress to legislate incentives for registrants to submit accurate contact data and for registrars to make serious efforts to improve Whois data quality. However, if such legislation were needed, it would have to be carefully crafted to avoid any unintended consequences. In addition, its applicability to registrars and registrants located outside the United States would be open to question. With these constraints in mind, however, we believe that a legislative response is certainly worthy of careful consideration.
THE ROLE OF ICANN
Ultimately, the buck now stops at ICANN. It has entered into enforceable agreements with registrars on Whois data quality issues; it is past time for it to enforce those agreements aggressively. In the agreements, it has reserved the authority to issue supplemental binding policies on Whois data quality, which the registrars are obligated to carry out. Now is the time for ICANN to issue those policies and to require registrars to abide by them.
Last Friday, ICANN issued a ''Registrar Advisory Concerning Whois Data Accuracy,'' which may be found at http://www.icann.org/announcements/advisory-10may02.htm. CCDN believes this is a good first step toward reminding ICANN-accredited registrars about their obligations regarding Whois data quality, and toward spelling out what the registrars need to do to fulfill these obligations. The tone of the Registrar Advisory is quite low-key, however; it speaks in terms of what ICANN ''suggests'' and what it thinks registrars ''will find'' to be the most efficient way of meeting their obligations. To give one example, the Advisory states that ''accepting unverified 'corrected' data from a registrant that has already deliberately provided incorrect data may not be appropriate.'' This is exactly the problem that the OECD encountered in its efforts to identify the cybersquatter of ocde.org, and we are hard pressed to imagine any situation in which it would be ''appropriate'' for a registrar to accept unverified and equally bogus data from a serial Whois abuser. This is just the sort of situation in which ICANN should exercise its authority to issue a ''specification or policy'' regarding verification of submitted contact data, and should take swift action against registrars that fail to implement the policy.
Only if the soft words of last week's Registrar Advisory are followed up with firm actions against non-compliant registrars will it be clear that this good first step is leading down the right path for cleaning up the Whois database. As the OECD observed in its report, ''improvements need to be made and could be made within the current self-regulatory ICANN system.'' The time for ICANN to make those improvements is now.
WHOIS IN THE CCTLDS
As CCDN has told this subcommittee before, one of our most serious concerns has to do with the status of Whois in the country code Top Level Domains. These ccTLDs are, on the whole, growing faster than the gTLDs, but their Whois access policies vary widely. Some ccTLDs do provide free, publicly accessible Whois data on a basis comparable or even superior to that offered in the gTLD environment. Most, however, do not. Some charge a fee for this basic registrant contact data; some require Whois requesters to meet some sort of special qualifications in order to obtain access; some drastically restrict the data elements made available via Whois, or refuse to deliver Whois results online; some simply do not provide Whois access at all. Until more ccTLDs provide real-time public access to Whois data on terms similar to those applicable in the gTLD environment, the issue of Whois data quality in the ccTLDs cannot be comprehensively assessed, much less resolved.
The clear solution to this problem would be for ccTLDs to take on the same obligations with regard to Whois that now apply in the gTLD world. Although CCDN and the entire IPC have long supported this goal, we recognize that for a number of reasons, progress has been slow. We are disturbed, however, by recent indications that ICANN is so eager to sign agreements with ccTLDs that the content of those agreements with respect to Whois obligations has been watered down.
ICANN has now signed ten agreements with gTLD registries (.com, .net, .org, .biz, .info, .name, .pro, .museum, .coop, and .aero). All these provide obligations with regard to public access to Whois (and Whois data quality) that are similar to those summarized above in the Registrar Accreditation Agreements. In recent months, however, ICANN has, for the first time ever, signed agreements with two Top Level Domain registries that do not contain any immediate obligation to make Whois data publicly available or to maintain its quality. These agreements, with the ccTLDs for Australia (.au) and Japan (.jp), set an unacceptable precedent: that ICANN may no longer insist upon the accountability and transparency provided by publicly accessible Whois as a condition for granting recognition to registry operators. CCDN recently wrote to ICANN's leadership to express its concerns about these two ccTLD agreements. We have provided a copy of this letter to the subcommittee and will update you on the responses we receive.
ICANN is currently engaged in a heated internal debate concerning restructuring, reform and evolution. This is an important debate whose outcome could help determine the future viability of this ambitious experiment in private sector self-governance of the domain name system. CCDN and its members believe that ICANN's central role in setting policy concerning the Domain Name System should be preserved, and we are participating actively in the ICANN restructuring debate. One critical factor in the outcome of this debate will be the degree to which ICANN elicits the respect, support and participation of governments around the world, and in particular the U.S. government. If ICANN takes firmer steps down the path toward improvement of Whois data quality in the legacy gTLDs, and if it moves to promote greater public accessibility to Whois data in the ccTLD environment, it will certainly buttress its case for meriting the requisite level of support and participation from the U.S. government. CCDN strongly encourages it to do so.
Thank you once again for the opportunity to present the views of the Copyright Coalition on Domain Names. I would be glad to try to answer any questions you may have.
Mr. COBLE. Mr. Powell.
STATEMENT OF CAMERON POWELL, VICE PRESIDENT AND GENERAL COUNSEL, SNAPNAMES
Mr. POWELL. I want to thank the Chairman, Congressman Berman and Members of the Subcommittee for inviting our testimony on the domain industry's obstacles to Whois accuracy.
Because my company's mission is actually to provide innovative solutions for the domain industry, we have seen the hard way how the domain industry, driven by politics rather than market demand, is currently structured not to foster innovation but to thwart it. I include there innovations that could have made the Whois much more accurate already.
I am also told by intellectual property owners and law enforcement officials that they need to be able to do searches on accurate data in order to track cybersquatters, copyright violators, criminals and to inventory company assets and avoid inadvertent expirations. The only way to reconcile these needs with the need for consumer privacy is for third parties to build a Whois that is accurate but that is also accessible, unified and searchable. In fact, an accessible, unified and searchable database is the best way to achieve the accuracy you want, but it can only be provided by third parties who are supported by mandates from either this body or ICANN.
SnapNames conservatively estimates there are at least 1 million inaccurate Whois records in com, net and org alone. The consequences of not being able to find and correct them include safe harbor for wrongdoers and inadvertent expirations for domain name owners.
Why does inaccurate information get put into the Whois? That is simple. It is put there by registrants who either give inaccurate addresses in order to hide their identities or to avoid telemarketing spamming and other privacy violations.
Why is inaccurate Whois data allowed to remain in the Whois? Well, this is a much more interesting question.
First, the legal mandates on registrars are rather vague and never enforced. The penalties against bad-faith registrants can only charitably be called slaps on the wrist. And ICANN's consensus process will never change these facts because of the second reason for inaccurate Whois databases: Some registrars just don't want to correct Whois inaccuracies. They don't want to correct them because the bulk of their money comes from cybersquatters.
There are, surprisingly, no prohibitions against servicing cybersquatters in this fashion. It reflects an increasing trend among registrars to give grey market preferential treatment to cybersquatters and speculators at the expense of mainstream consumers like your constituents.
Third, most registrars who do want to keep accurate Whois databases simply can't afford to. It is technically possible but just very expensive.
Finally, third-party providers like our company aren't allowed to enable correction of bad addresses because registrars won't give us the Whois access we would need to make inaccurate Whois records detectable in the first place. The registrars' reaction is not unreasonable. Their customers have been burned too often by spammers, by telemarketers and by their own competitors, all using what are essentially the registrars' own customer lists, the Whois.
Unfortunately, without being able to access the data, parse it and by parsing the data fields allow searchability by any data field, we can't detect bad data using either address correction software or the work of IP owners who can detect it through searches on domain names or addresses or cybersquatters of interest.
In short, the solution to greater accuracy includes, quite simply, greater access by third parties who can unify and parse the data to make it searchable so that bad data is detectable in the first place.
Now because most registrars can't or won't clean up their Whois, third parties need to be allowed to respond to market demands and clean it up themselves. And because no individual registrar would ever be allowed by its competitors to aggregate all Whois data into a searchable unified Whois, only a third party can unify, parse and allow that searchability.
So our recommendations then to this Subcommittee are as follows: First, ensure registrar compliance with the existing Whois access requirements. There is rampant noncompliance. I can give you information on that.
Second, to encourage registrars to provide that access, eliminate the mandate for registrars to give their precious customer lists to their competitors.
Third, ensure that no registrar is able to sell its resources on the gray market to give preferential treatment to certain customers at the expense of mainstream customers.
Fourth, ICANN's agreements need enforcement teeth against both registrars and registrants; and ICANN should have a litigation budget.
Finally, we need to change the way ICANN's communitarian consensus process, which ICANN's president has acknowledged is completely ineffective, not only blocks policy reform but, worst of all, market-based solutions and innovations of the sorts we would like to see.
Again, we thank the Subcommittee for its time and attention today.
Mr. COBLE. Thank you, Mr. Powell.
[The prepared statement of Mr. Powell follows:]
PREPARED STATEMENT OF CAMERON POWELL
Mr. Chairman, Congressman Berman, and members of the Subcommittee:
I commend the subcommittee for holding this important hearing, and I thank you for inviting our testimony today. My name is Cameron Powell; I am here today in my capacity as Vice President and General Counsel of SnapNames, a technology developer for domain name industry infrastructure that's headquartered in Portland, Oregon. Our company also publishes State of the Domain, a monthly report providing data and trend analysis for our industry, now read by more than 2,600 subscribers.
The matter of accuracy in the Whois database is critical to all who have an interest in the use of domain names as an Internet navigation tool, which today, represents a significant majority of American businesses, intellectual property owners, and end-users of the Internet. It is, however, important to note that there are other serious issues relating to the Whois that are developing in parallel - and sometimes more rapidly - and that must be addressed in order to make any actions to ensure an accurate database fully effective and enforceable.
Therefore, in addition to the critical issue of accuracy, I'll address the reasons that innovative companies and technology developers should, for the sake of IP owners, corporations, and the stability of commerce on the Internet, be able to provide the industry with critical Whois tools that will effect an accurate, searchable, non-threatening and useful database. I'll also address the correctable political reasons such companies can't do so now, and what this body can do to assist the industry in allowing more efficient innovation that will be ultimately beneficial to all end-users.
I. THESIS: ENTIRELY SOLUBLE WHOIS-RELATED PROBLEMS THREATEN ECOMMERCE, IP RIGHTS, AND LAW ENFORCEMENT
Today, the Whois databases are plagued by a serious, growing, and yet frustratingly correctable problem with:
the integrity of the databases;
the accuracy of the databases; and, importantly,
access to the databases for legitimate purposes.
At the highest level of analysis, the reasons for Whois deficiencies are as follows:
1) Up to now, there have been no enforced, legal requirements to make the Whois better than it is, or at least not to make it worse;
2) No regulatory authority has yet stepped in to impose any such requirements or enable their enforcement;
3) Business incentives alone are insufficient to motivate those registrars whose business models rely on serving a select few; and
4) The domain name industry is left to police itself through a paralyzing so-called consensus process. The futility of consensus in an innovative, capitalist society is illustrated in the fact that ICANN's consensus process has, so far, and by ICANN's own statement, arrived at no innovation, no reform, not even a policy, and that ICANN itself has openly advocated a new and different approach to policy development. Worse, given that the main participants in the consensus process do not (and could not be expected to) consider the public interest, consensus is akin to putting foxes in charge of agreeing to security policies for the henhouse - or, in this case, the public interest.
Whois problems prevent Internet end-users, registrants, intellectual property owners, attorneys, law enforcement officials, ICANN, and domain name registrars and registries from using the database for legitimate purposes that do not unduly impact privacy rights or the proprietary rights of the registrars.
With its recent bills proposing criminalization of fraudulently provided registration data, Congress has done some valuable work for the betterment of the Whois database. This action is both relevant and timely. In the matter of national security, for example, law enforcement officials indicate repeatedly that the Internet is an active front in the war on terrorism, and it is well known that an accurate and searchable Whois database can be one of many tools for tracking down threatening organizations. The domain name community has an opportunity to become more involved in developing fair standards that help ensure user accountability together with enforcement mechanisms for their breach.
The problem of course is not limited to national security. Unfortunately, there exist pervasive and pernicious problems that impede intellectual property protection and legitimate law enforcement use of the Whois.
Allow me to summarize a number of current issues - some of them potentially very serious - that must be understood before considering forms and methods of corrective action. Indeed, many of these issues could be reaching crisis.
As an example, it is entirely plausible that as early as this summer, there could be more registrars going out of business than can be bought up. At that time, members of this committee could begin to receive angry calls from constituents all over their districts complaining that the constituents' websites have suddenly disappeared because the industry has no provisions for escrowing Whois data against catastrophe.
Let me outline other challenges:
1) Tracking down cybersquatters
Today, IP owners have unnecessarily weak capabilities to track down cybersquatters or the copyright pirates who've been estimated to cause well in excess of $22 billion in losses each year. (Statement of Steven J. Metalitz, International Intellectual Property Alliance, before House Judiciary Committee's Subcommittee on Courts, Internet, and Intellectual Property, March 22, 2001 (page 62) (''March 2002 Hearing''.) Trademark owners have unnecessary difficulty proving the patterns of prior bad acts that are crucial to a finding of bad faith under the Anti-Cybersquatting Protection Act, allow recovery of intellectual property, and permit reimbursement of attorneys' fees.
2) Tracking domain name inventory
Today, corporations have no way to make an inventory of all of their domain assets, without regard to whether the corporate agent doing the searching remembers registering the name or knows it exists; without regard to the registrar or the employee who did the registration. As one result, they cannot know all that they own and do all the things companies can do when they know what and where their assets are.
3) Preventing inadvertent expirations
As another result, domain names expire inadvertently every day, shutting down e-commerce and non-profits, sometimes sending domain names into the hands of pornographers, and setting off frantic and expensive legal battles. This is preventable, but not without regulatory help for businesses like ours.
There are technical solutions to all of these problems. Our company, perhaps among others, has already solved them for COM, NET, and ORG. The .PRO and .BIZ registries, which are thick registries, have proposed solving them for their TLDs. But in COM, NET, and ORG, where the data is held by 100 different registrars, we're stymied because not all registrars have business incentives to deal with wrongdoers, and there are no requirements for these registrars to do the trivial work that would help companies like ours help your constituents to do so. To be able to provide solutions to corporations, domain name owners, and law enforcement, companies like ours need help.
But left unchecked, these issues will continue to harm the databases' integrity and accuracy, prevent reliable and legitimate data use, likely harm e-commerce, and potentially detract from the stability of the Internet. The good news is that every currently identified Whois-related problem is technically correctable, provided innovative businesses' barriers to doing so are removed.
II. HISTORY AND CONTEXT
The current state of the many disparate and unconnected Whois databases, critical elements of the domain name system, is a good example of the law of unintended consequences.
As you may know, Network Solutions, Inc. (NSI), the original operator of the COM, NET, and ORG (''CNO'') TLDs, operated as a ''thick'' registry, which meant that NSI held all customer and domain-related fields in its own database, including the administrative, technical and zone/billing contact (see Appendix 1).
In late 1999, when the U.S. Department of Commerce and ICANN opened up CNO registration services for competition, this Humpty Dumpty that is the thick Whois had a great fall, split into what is now 100 pieces, and no one has put it back together again. Under the theory that the registry should not have access to the registrars' customer data, Network Solutions (now VeriSign Global Registry Services), was made a ''thin'' registry, meaning registry-level Whois data included only data about a name's sponsoring registrar - and the critical customer data would be held exclusively by registrars.
(This policy has been slightly modified as it applies specifically to the recently-introduced new generic top-level domains (gTLDs, including BIZ, INFO and NAME); in these instances, thick Whois data is maintained at the registry level, though the customer information therein is considered by all involved to be proprietary to registrars. In fact, their creation as thick registries suggests that the goals behind the splitting of the CNO Whois data could also have been accomplished by contractual means, rather than by technical separation.)
The Whois for COM, NET, and ORG has never been the same.
III. CURRENT PROBLEMS: ACCURACY, ACCESS, ESCROW
This subcommittee is interested in the topic of data accuracy and integrity - indeed, vital to the efficacy of the Whois database. However, we must also suggest that it's critical to address Whois access, because if there is no meaningful access by third parties, those third parties can never clean up inaccurate data in the first place, and can never give IP owners and law enforcement the capabilities that they could and should have. A related issue of rapidly-growing importance is Whois escrow, a preventive measure many registrars have not taken, and which threatens the stability of e-commerce for the very real people in your respective home districts.
Let's begin with accuracy.
Why does the Whois database have so much false or inaccurate data? It is inaccurate because:
Bad-faith registrants make it so, and our company isn't allowed to provide IP owners with the necessary, searchable Whois to find all such instances of bad faith registrations;
False information goes uncorrected and registrars who exist solely to serve speculators - and there are more than a few - have no business reasons, indeed only a disincentive, to make such corrections, which would often require deleting the names of their own customers that knowingly provided the false information;
Good-faith registrants merely make mistakes that go uncorrected - again, because we're not allowed to provide the address authentication and hygiene that would fix the mistakes.
The rate of these inaccuracies is significant enough to warrant attention. According to our own statistical sampling of registrations from the BIZ and INFO gTLD registries:
Percentage with identical digits in phone number field: 4.7%
Percentage with identical digits in ZIP code field: 6.5%
Percentage with invalid ZIP codes: 4.0%
Average percentage with mismatched cities or states to ZIP codes: 7.0%
By our estimates, if even half of the above rates of error were present in COM, NET and ORG (CNO) registrations, more than 800,000 CNO names would be considered inaccurate. While this represents less than 3% of all names, you can be sure that if someone has taken the trouble to list false information for a name, it's either because they don't want to get junk-mail or they are hiding something. In either event, both the excess of junk-mail generated through Whois mining and the ability of wrongdoers to hide their identities in the Whois are proper concerns for this subcommittee.
One of the many consequences of inaccurate Whois data is that we and others are impeded from developing tools capable of preventing a wide range of dangers, including:
Infringement against intellectual property and trademarks
Online theft and e-commerce fraud
Inhibition of law enforcement efforts or even threats to national security
Why can't Whois inaccuracies be fixed? First, it is extremely expensive for registrars, many of them already struggling, to prevent or respond to inaccuracies on their own. (If Congress wants verification of addresses upfront, then it must be prepared for a massive slow-down in registration processing, which will affect commerce, and it must make verification an enforceable mandate, so that registrars who do verify and must charge far higher prices for domain names are not put out of business by those who don't verify and continue to charge only $8.) Second, the business models of a handful of registrars, which favor providers of false information, give them no business incentive to make their Whois accurate. And finally, the industry has no back-up requirement that data be provided to third parties who will verify and clean up the data and allow its ready searchability, spreading or even eliminating the one-time cost so that each registrar doesn't have to incur the entire cost itself, if at all.
Because registrars' Whois databases represent a master list of their current and potential repeat customers, most have responded to the incentive to maintain quality databases that will enable them to send regular reminders to renew. Registrars do also have the legal and technical ability to cancel a registration if it is determined to be fraudulent or inaccurate. But many lack the personnel resources to do so, and those that exist largely to serve a select few and freeze out the general public lack the will to do so. Why enforce any sanctions against your bread and butter?
(This problem of registrars favoring speculators at the expense of the public interest is not limited to Whois, and would merit a discrete hearing in its own right: the same registrars, and more to boot, also give high-paying speculators exclusive and preferential access to the CNO registry for the greatest source of good domain names available: the nearly 1 million previously-registered domain names that expire every month, including those churches' domain names that expire and are secured by pornographers. Regular people, IP owners, have virtually no ability to acquire or retrieve these valuable names, and the reason is certain registrars' preferential treatment of a select few at the expense of the mainstream public, which is entirely locked out.)
Unfortunately, non-compliant registrars have no real legal incentive to become compliant. ICANN's only available enforcement is total de-accreditation, a severe, and for the registrants at the affected registrar, Draconian solution. So ICANN simply levies no sanction, but in doing so, it signals that it has no enforcement capability at all. To help monitor and remedy Whois accuracy issues, ICANN needs lesser, graduated penalties, perhaps fines for registrars' willful failure to correct registration information submitted in bad faith, and further fines for willful failure to delete domains whose Whois remains uncorrected (and perhaps also penalties for those who complain about such registrations in bad faith). It also is critical that ICANN, in whatever its post-reform model may be, be adequately funded for the technology and personnel necessary to provide sufficient detection, investigation, and enforcement.
2) Access for legitimate purposes.
Though Whois accuracy is a serious issue that deserves attention and corrective action, an equally important, if not more pressing, issue is that of access. A fully accurate database is of no practical use if it is not meaningfully accessible. And today, registrars' Whois databases for COM, NET, and ORG are not meaningfully accessible in, for example, the way described by others who have testified here in the past:
At launch, the RegistryPro centralized Whois database would be publicly available, and IPR (intellectual property rights) holders would be able to use the query service to search for cyber squatters. To further support IPR holders' ability to protect their rights, RegistryPro would build enhanced searchability to enable IPR holders [to] search for more derivations of their name, in more fields, and yield a greater number of matches.
Statement of Elana Broitman, Register.com, March 2001 Hearing (page 39) (emphasis added).
[T]he ''Whois'' database will initially be searchable by domain name and the registrant's name. Neulevel is also working on developing a fee-based system whereby IP owners will be able to search other fields in the ''Whois'' database, both through key words and Boolean-type searches.
Statement of Jeff Neumann, Neulevel, Inc., March 2001 Hearing (page 45) (emphasis added).
Among the chief goals of copyright and trademark owners are . . . to increase the reliability and usefulness of Whois access, both by improving the quality and accessibility of Whois data and by enhancing its searchability.
Statement of Steven J. Metalitz, March 2001 Hearing (page 65) (emphasis added); see also Metalitz at pages 69-70 (listing all searchable fields IP owners need).
Finally, ICANN's Registrar Accreditation Agreement for COM, NET, and ORG already contemplates third parties integrating just these capabilities into a value-added tool such as what has been called a searchable Universal (or Unified) Whois:
126.96.36.199 Registrar's access agreement may require the third party to agree not to sell or redistribute the data except insofar as it has been incorporated by the third party into a value-added product or service that does not permit the extraction of a substantial portion of the bulk data from the value-added product or service for use by other parties.
But a unified database searchable by multiple fields is not available in COM, NET, and ORG. And it won't be without action from Congress or ICANN. If the data can't be accessed, it can't be aggregated, and if it can't be aggregated:
Third parties can't parse the different formats and build search tools to help law enforcement and IP owners can't search it;
Third parties can't help end-users verify and clean the data; and
Third parties can't help registrars escrow data against the potential demise of a registrar.
Specifically, Attorneys, Law Enforcement, and IP Owners:
Want to (but cannot) search on individual Whois fields in order to locate defendants or find evidence of their prior bad acts in registrations, in order to obtain findings of bad faith under the ACPA and attorneys' fees and costs:
Identify and locate copyright infringers and pirates;
Are impeded in law enforcement by numerous egregiously bogus sets of Whois data;
Want to know the availability and uniqueness of domains prior to branding and trademark application;
In mergers and acquisitions of companies, or purchases of domain names, need to be able to search the history of a domain registration record (its historical Whois) and its attached website; and
Need to be able to find correct addresses for defendants, find other sites (owned by a common registrant) that may also contain illegalities, and aid in criminal investigations.
Corporations, IP Owners, All Registrants:
Can't inventory and track domain name assets in order to maintain and protect those assets against ignorance of the existence of those assets, theft, employee conversion and departure, and high rates of inadvertent expiration. (Our data and experience show that ignorance, even more than the lack of an additional ''redemption period'' as recently proposed by ICANN, is the primary cause of inadvertent expirations.(see footnote 45));
Suffer from mistakes (uncorrectable due to lack of notification) in Whois addresses, resulting in inadvertent expirations;
Can't determine which websites have been pointed at their own, as gmsucks.com was pointed at ford.com (now a subject of ongoing litigation);
Are forced into a false choice between their own privacy and their own ability to conduct law enforcement (false because paying for each search result in a unified Whois search tool would be prohibitively expensive for telemarketers, and access could additionally be restricted to law enforcement personnel); and
Rampant non-compliance by registrars and registrants with the RAA's Whois accuracy requirements(see footnote 46) leaves constituents of ICANN and Congress unable to enforce laws and protect assets.
IV. WHY THE WHOIS DATA IS NOT MEANINGFULLY ACCESSIBLE: THE TECHNOLOGY AND REVENUE OPPORTUNITIES FOR A UNIVERSAL WHOIS EXIST, BUT THE BUSINESS AND POLITICAL WILL MAY NOT
We have cleared the technical hurdles to gathering, parsing, normalizing, searching, and cleaning up Whois data. The greatest obstacle to industry innovation on a Universal Whois is some of the data holders (registrars and registries) themselves.
The intransigence of some of the registrars is not incomprehensible. They have all too often seen their precious customer data become victim to the predations of spammers, telemarketers, and other registrars. Registrars have seen little but abuse of the ICANN mandate that all registrars must provide a bulk Whois for up to $10,000, as other registrars or resellers have simply bought the data and lured away their customers, sometimes with patently misleading campaigns.
So, registrars have erected numerous obstacles to Whois uses. Unfortunately, these obstacles so far are blind to whether the use is legitimate or not, and so throw out the baby with the bath water. These obstacles include:
Registrars free-forming their own policies on Whois availability and usage, including:
i. Bulk Whois restrictions different from those permitted by ICANN
ii. Port 43 server access restrictions different from those permitted by ICANN
To limit predation from other registrars, some registrars greatly decrease the size of the Bulk Whois they provide, despite the RAA's clear language stating (a) customers must ''elect'' to opt out and (b) customers may only elect to opt out of use of their registrations in Bulk Whois data to be used for ''marketing purposes''; i.e., registrars may not themselves opt customers out, and not any and all legitimate purposes.
Some remove selected fields from their Whois records, including mandatory expiration and creation dates.
Some randomize Whois formats and the order of content for each query (from subtle to prominent), with no impact on usage by spammers, but with great disruption to legitimate usages.
Some use the RAA's allowance of an ''up to $10,000'' charge for their Whois(see footnote 47) to insist on $10,000 even when they hold relatively few domain names, thus effectively preventing the very public access ICANN (and the public) desire: who can afford to pay $1,000,000 for all 100 registrars' data?
Some fail to provide any guidance as to what might constitute ''excessive'' querying by third parties, indiscriminately and without explanation blocking the queries of those third parties, negating the concept of the ICANN-mandated ability to query a Port 43 server.
And some do not even have Port 43 look-up capability, or have hardware insufficient to support efficient Port 43 access.
A more narrow tailoring of registrar reactions is in order: one that prevents abuse of the Whois while allowing IP and law enforcement the access they need, and permitting registrars to add critical new revenue streams. We discuss these at the end of this document.
The escrow mandated in the Registrar Accreditation Agreement (RAA)(see footnote 48) is still non-existent at most registrars, leaving many consumers and businesses at risk of name loss, website shut-down, and related consequences impacting the stability of the Internet and the commerce and flow of information on it. ICANN has mandated it, but neither ICANN nor most registrars has done anything about that mandate.
We strongly encourage Congress to support ICANN and its reform effort in a way that encourages the domain name industry to immediately take the following steps:
1. Diminish the role of self-interested trade associations in policy and innovation, and the blocking thereof. Reform and innovation should not be as susceptible as they are today to being hijacked by ''consensus'' processes where those who benefit from an undesirable practice are able to permanently filibuster solutions to it. ICANN needs policy decision-making by fewer trade associations and more representatives of the public interest. And trade associations should have no anti-competitive role whatsoever, as they do not in any other industry in capitalism, in approving or disapproving competitive innovations or alternative business solutions, as they do today.
2. Enforce address verification and correction. The requirement to respond to an incorrect address by allowing the registrant fifteen days to correct it, or to delete the name if it isn't corrected or is obviously fraudulent, is already in the RAA, and it's every complainant's nightmare. A few days before this hearing, on May 10, 2002, ICANN did send an advisory relevant to verification, but the problem of ICANN's inability to enforce its advisory remains. ICANN must be given the resources and tools for a credible enforcement effort.
3. Ensure Port 43 Query Compliance. ICANN should issue an Advisory, as it has done in the past for arguably less important matters, demanding that registrars make their Port 43 restrictions mirror the exact language of the RAA's allowable restrictions. Further, limitations on query amount or rate must be technically reasonable and not simply a way to block such queries by technical means where contractual means would not permit it. Real sanctions are necessary for non-compliance.
4. Address Bulk Whois Access Compliance. ICANN should issue an Advisory demanding that registrars make their Bulk Whois restrictions mirror exactly the RAA's allowable restrictions. Real sanctions are necessary for non-compliance.
5. Issue clearly defined standards for content and presentation of Whois data: what anti-spam scrambling of the data is allowed, and what is not. Real sanctions are necessary for non-compliance.
6. Address escrow requirements immediately. With nearly one in four of the largest 25 registrars looking for buyers, one can be sure a far higher percentage of the smaller 75 are looking for buyers. How many will go out of business this year, without being bought, and without any Whois data in escrow? This is a time-bomb. It could become an issue very soon.
7. Give ICANN a litigation budget.
8. Insert enforcement teeth into ICANN's agreements and give ICANN graduated penalties. To regulate the Wild West the domain name industry has become, ICANN needs some lesser penalties, including (but not limited to) submission to more intensive and regular monitoring or auditing of use of common resources, and graduated fines to dissuade improper behavior.
9. Mandate third-party (non-competitive) access to Whois data to be used for the sole, legitimate purposes of escrow, hygiene, and searchability, and eliminate the mandate for registrars to give their Whois to their competitors. Because a primary reason the Whois data is hard to access is that registrars are trying to defend it from competitors, registrars simply shouldn't be required to give each other their priceless customer data, as they are today. We can think of no compelling justification for the requirement, and its consequences block critical innovations. (Nor do customers or registrars want the Whois used as a resource for spamming or telemarketing.)
Instead, registrars should be made to provide their Bulk Whois data to neutral third parties (non-competitors) who will agree to use the data solely for the purpose of escrowing, cleansing, or building searchable fee-based databases out of it. Because each registrar charging $10,000 wouldn't get the project off the ground, registrars should be required to provide their Whois data to one or more third parties, for unified Whois use, on reasonable terms. These third parties would allow others to search the resulting unified database only under certain conditions (possibly with lesser or greater levels of access depending on a user's prior authorization) but at least at per-record prices that would make mining the database for marketing purposes prohibitively expensive. Users could be tracked and abuses recorded and penalized. While a public Whois look up on registrars' websites should remain free, though difficult to abuse via high-speed harvesting, no third party provider can do the necessary aggregation, parsing, and normalization of over 100 Whois formats, and then build a powerful Boolean search tool for the data, without being able to charge for its efforts. Competition will define the appropriate pricing.
It is our belief that with proper energy and support, ICANN and participants in the domain name industry are fully capable of addressing these Whois-related issues in a manner that is both efficient and complete.
Again, we thank the Subcommittee for its time and attention to this critical matter.
Mr. COBLE. Mr. Palage.
STATEMENT OF MICHAEL D. PALAGE, ESQUIRE
Mr. PALAGE. Good morning. Thank you, Mr. Chairman and Members of the Subcommittee, for this opportunity to offer my industry perspective on the accuracy and access to Whois data and its impact on third parties that rely upon it.
My name is Michael Palage. I am actively involved in domain name policy issues based upon the following roles which I currently serve: as chair of the ICANN Registrar Constituency; as a trademark and policy consultant to Afilias, the registry operator for dot info; and as a founding member of the dot us Policy Council.
The Whois is broken. In its current embodiment it fails to meet the needs of intellectual property owners, law enforcement, consumer and privacy advocates and registration authorities.
In my testimony today I will touch on three points: number one, problems associated with false and inaccurate data; second, the cause of this data and the difficulties in correcting it once it has been identified; and, three, registration authority concerns regarding Whois data initiatives.
The effect of false and inaccurate Whois data has been well documented, ranging from the inability of law enforcement to timely investigate and prosecute illegal activity to domain name owners that are unable to timely and properly renew and transfer their domain names.
False and inaccurate Whois data falls into two categories: willful or unintentional.
The first and most egregious category is domain name registrants that knowingly provide inaccurate Whois data. This conduct is most often associated with individuals, businesses or organizations involved in illegal activities such as cybersquatting and piracy. This category of offenders is most problematic because it prevents law enforcement and intellectual property owners from taking appropriate and timely action against registrants engaged in illegal activity.
The second category of domain name registrants associated with inaccurate Whois data are registrants that initially provided inaccurate data but which over time has become inaccurate. These registrants can usually be tracked down with minimal effort and do not pose a significant threat to third parties.
One of the problems with the current system is that there are no uniform procedures or mechanisms in place for third parties to follow when they have an inquiry regarding inaccurate Whois data. Instead, intellectual property owners and law enforcement personnel are required to identify and comply with individual mechanisms of over 150 registrars.
On May 10th, ICANN released a Registrar Advisory Concerning Whois Data Accuracy. This advisory was intended to assist ICANN accredited registrars in understanding their obligations under the existing ICANN accreditation agreement.
Notwithstanding this positive step, there are still other mechanisms that should be explored to provide a more unified process for third parties to report false or inaccurate registration data.
Domain name registration authorities, including both registrars and registries, have a vested interest to work with all parties involved in this debate to provide full, open and accurate access to Whois data for those parties that need it. However, it is important to understand some of the following concerns that registration authorities have:
First, prescreening of data. The prescreening of Whois data at this time remains a technically and economically nonviable solution. You must focus on standardizing the process for identifying and correcting false or inaccurate data once it has been brought to the attention of an ICANN registrar through third parties.
The second is the ICANN Board resolution 02.45. An important step to mitigate some of the effects of false and inaccurate Whois data was taken by the ICANN Board. This resolution provided for the convening of a technical steering group to develop a proposal for implementing a redemption grace period. This redemption grace period was designed to prevent the accidental deletion of the domain names such as happened in the OECD case.
A third important concern is spam and slamming. Unfettered access to the Whois data has resulted in a proliferation of questionable marketing practices by third parties that threatens to undermine legitimate users from maintaining accurate Whois data. The hostility surrounding these questionable market practices continues to escalate and erode user confidence.
In conclusion, there has been a series of positive steps taken to date to address some of the immediate problems and concerns associated with false and inaccurate Whois data. These include the ICANN Registrar Advisory, the ICANN Board resolution, the continued communication between the intellectual property community and registration authorities, and efforts by ICANN registrars to verify their data. These positive steps do not indicate an end to a journey, merely its beginning.
Issues that loom on the horizon and which will directly impact the permanent solution to Whois data include the following: a successful restructure of ICANN and the design and adoption of uniform mechanisms for third parties to report claims of false or inaccurate data and outreach to all Internet users that are affected by the Whois policies.
Thank you for the opportunity to participate today.
Mr. COBLE. Thank you, Mr. Palage.
[The prepared statement of Mr. Palage follows:]
PREPARED STATEMENT OF MICHAEL D. PALAGE
Mr. COBLE. I commend you gentlemen for complying with the 5-minute rule. You done good, as we say in the rural south. But we apply the 5-minute rule to ourselves as well. If we were not able to exhaust our questioning the first round, there will be a second round of questioning.
Mr. Palage, you represent the registrar community. Can you explain why the Subcommittee received such a poor response to our inquiry? I think we sent out 50 and received about a dozen in response. In your view, does that indicate an unwillingness for them to change their practices or to work with the Government?
Mr. PALAGE. I don't think it indicates an unwillingness. I think it is outreach. The registrars met in Dulles, Virginia, in February; and we asked -- this particular question was asked to those that attended. There were about 48 registrars that attended. It is important, when understanding the registrar constituent, there are approximately 150 registrars, only about 40 of them actively participate within the registrar constituency. So unless I had a list of what registrars you sent that out to, it is possible that they do not actively participate within ICANN. It is voluntary.
So if Chris or any of the other Committee Members would provide me this list, I would be able to engage in meaningful outreach within the constituency.
Mr. COBLE. I see no violation of my privacy problem there. I don't think they would object to our doing that, because you are a team member. I think that might be a good idea.
Mr. Beales and Mr. Metalitz -- Mr. Beales, you touched on this. To emphasize it, I want to revisit it. One question always arises when discussing the Whois database and that is this: privacy. Is there a conflict, in your opinion, between maintaining Internet privacy for consumers and an accurate and reliable Whois database?
Mr. BEALES. Well, I think there is certainly a tension with respect to Web sites that are registered by individuals such as those under the dot name top-level domain. On the one hand, they have an interest in legitimate privacy concerns. On the other hand, we don't want to let fraudsters hide behind that simply by asserting that they are individual or noncommercial Web sites.
I think what is probably most important is to distinguish between general access and law enforcement access, that law enforcement has a legitimate need to look behind some of the -- some people who might appear and may have a legitimate privacy interest to see whether that is real or whether it is a ''dot con'' that is hiding.
Mr. COBLE. Mr. Metalitz.
Mr. METALITZ. I think Mr. Beales's characterization as tension rather than conflict is one that I would agree with. I think the solution that he proposes or that he talks about in his testimony may not be realistic. It is very hard to draw a clear line between an individual and noncommercial domain name that is one that is being used for commercial purposes.
Individuals do commit cybersquatting. Individuals do commit copyright piracy. Or someone claiming to be an individual, some entity claiming to be an individual can register a domain name for many purposes. So it is very difficult to know when a domain name registrant steps over the line and, if you will, forfeits any right to privacy that they might have.
I think a more realistic solution is to recognize that there are many, many ways for individuals to have a very robust presence online without registering a domain name. But if they choose to register a domain name they should know that the information they provide has to be accurate, they have to be accountable, and it should be available to the public.
I also would question the distinction between law enforcement access and general access. Copyright owners think that we are enforcing legal rights as well when we obtain access to Whois data on sites that are committing copyright piracy. At least in the U.S., we don't expect the Federal Government and the taxpayers to incur that expense for us of enforcing our rights.
Mr. COBLE. Mr. Palage, you want to weigh in on this? I put the question to the other two gentlemen. Do you all have any comment to add?
Mr. POWELL. I think there is a resolvable tension between privacy and access. One of those is that free access can continue to be available on a particular registrar's Web site one domain name at a time.
The real problem with privacy is when a registrar is forced to give bulk access, all 1 million, all 5 million of its domain names to any comer, anybody who is willing to pay them $10,000, anybody who might be engaging in telemarketing or spamming with that information.
So I think what you need is to give bulk access primarily or maybe only to entities who are restricted from using it for marketing purposes and the only purpose would be to build -- to aggregate all 100 registrars' active registration data. These entities would parse each field so that you can do a search by domain name, or by the name of a cybersquatter, and find out everything that person owns, even by a fax number, or come up with a list of every domain that falls into that category across all registrars.
That would cost some money to put together. There would be a search cost associated with that, just as there is now by Thomson & Thomson and NetBenefit and a few other entities who do provide searchable Whois databases on a smaller scale.
Mr. COBLE. My time has expired. Mr. Palage, I will give you a bite at that on the second round.
The gentleman from California, Mr. Berman.
Mr. PALAGE. Within the registrar constituency
Mr. COBLE. I will come back to you on my second round. Thank you.
Mr. BERMAN. Thank you, Mr. Chairman.
By and large, for the person who chooses to get a domain name and have a Web site, what is so different about that person than the person who wants to open a brick and mortar business and by city law is required to get a permit with accurate information? I mean, I am trying to understand the privacy -- the legitimate privacy interest of that individual that would justify the total failure of the registrars to get serious about complying with what I understand to be their obligations and their agreements that got them accredited; and I am trying to better understand what ICANN is doing to actually enforce this.
Maybe I will just start with Mr. Palage. You essentially state that registrars shouldn't be obligated to prescreen contact data. You state this isn't technically or economically feasible. I don't understand why you say that.
Mr. PALAGE. Could I give you specific examples?
Mr. BERMAN. Let me finish. I mean, I have a funny feeling that the registrars verify the credit card number of the registrants when they pay. I mean, you do the things necessary to make sure that you are getting the money when you agree to register the domain name. Why can't you check the name on the card as well? Why can't you check whether fields have been filled in or whether zip codes are valid numbers?
They do that now at gas stations when I give my credit card. Verisign is providing more elaborate check services to eBay. SnapNames may be able to provide such services as well.
I am not saying that 100 percent accuracy is that achievable at a relatively inexpensive cost, but it wouldn't be hard to weed out a lot of blank entries or entirely false entries, and I am just wondering why these checks are really beyond the ability of the registrar. I am wondering if the failure of a lot of these registrars to comply is about maximizing their revenue and -- or perhaps I am just an old man who doesn't understand. I am not with it in terms of some deep metaphysical feeling that there is something wrong with undertaking this obligation that is contrary to Internet philosophy.
Mr. PALAGE. I think it is a combination of a lot of different factors. There are some registrars that do employ checks. They will not accept no fields, blank fields during submission process. There are some registrars that, if the data fields are less than three characters, they will run a check. So there is some meaning -- there are some registrars within the constituency that have voluntarily employed these prescreenings.
Mr. BERMAN. Why couldn't all registrars do that?
Mr. PALAGE. One of the things that we are trying to do right now within the constituency is to come up with a code of conduct or a best practice standards to move forward. One of the problems that we have in initiating this document are the current restraints within ICANN regarding consensus policy and bringing consensus to a code of conduct within the registrar constituency.
We meaningfully tried to engage in this approximately a year ago, and after about 6 to 8 months it unfortunately stalled.
One of the reasons I think that a meaningful reform of ICANN is needed is that it will provide a mechanism for new initiatives such as the accuracy of data to move forward in a less political environment and achieve results in a more timely fashion.
I would like to address some of your other concerns because I don't think they are valid concerns.
Regarding credit card verification, there are some registrars that I know that do use credit card processing to verify. Some of the limitations, however, deal with credit card verifications with European addresses. Within the U.S., it appears to be very accurate. I have heard positive things with some registrars that have employed this to cut down on fraud. Because if they don't get paid, it is a business decision. They are not out there just providing a forum for bad people to register domain names anonymously.
Another problem in the domain name industry is that there are a lot of different business models, and there are some registrars that actually provide reseller services for their channel partners. So sometimes the registrar does not have the actual registrant's credit card data. It may be through a third party. For example, Yahoo is not an accredited registrar, but if you go to Yahoo dot com you can register domain names. So there are a lot of different business channels.
Some of the things the constituency is trying to come up with is what is reasonable and what can be done to minimize, you know, the accuracy problems.
One of the concerns--and Mr. Metalitz and I agree on a lot of things. One of the only things where we did sort of disagree on is the screening upfront of data. I think the more important mechanism has to be on the back end. When data is found to be inaccurate, it needs to be tracked, docketed so that there could be, shall we say, a log of what conduct is going on. So that, in the example of the OECD case where the person just changed one field and then was required to change another field, to identify that contact and bring an end to it.
Dealing with at least one specific example of people providing false information upfront to get through filters, in the Affiliate Sunrise Challenge with the World Intellectual Property Organization we actually had one individual that literally stole the identity of a trademark owner. He had the business address, all the trademark data, and he purported himself to be the trademark owner before an administrative proceeding before the WIPO and actually prevailed. It wasn't until the trademark owner found out that someone had misappropriated his identity that we were able to correct the action.
Again, the nefarious element out there on the Internet, they will find everything they can to circumvent mechanisms put in place. That is why I think we need to look at meaningful enforcement and cancellation of domain names on the back end.
So I hope I tried to answer your questions.
Mr. BERMAN. My time has expired.
Mr. COBLE. As I said, we will have a second round.
Mr. Palage, I want to give you a chance to weigh in on the privacy question, but before I forget it, when I indicated that the staff would share the responses with you, what I indicated was I wanted to be sure it was proper. I want people who do respond to our inquiries to feel secure that we as a Subcommittee are not going to willy-nilly disseminate their names and responses. But in this case, since you represent them, I think there is nothing at all improper about that. And I would like to know why we didn't get more responses.
But on the privacy question, Mr. Palage.
Mr. PALAGE. Turning to the privacy question, one of the unique aspects, one of the things that I have appreciated working within the ICANN structure is that there is a global perspective on issues. There are--actually, I have seen one or two European registrars in this room today; and one of the things that the European registrars always try to enforce is the European directive on privacy.
It is a concern, however, based upon the current contracts with ICANN as they are stated, that data need to be made available. It needs to be open and available for all third parties. I think it is important to look for mechanisms in the future to possibly qualify or restrict access to data, but until those mechanisms can be properly vetted and explored, I think it is critical for law enforcement and intellectual property owners to have open and full access to the data.
Mr. COBLE. Thank you, sir.
Mr. Powell, this was touched on, but I want to again--for emphasis, I want to give you a shot at it. In your opinion, what would constitute a model Whois policy for registrars to maintain, A, and should Congress be the source of issuing such a model policy?
Mr. POWELL. That is a very good question. Taking the last part first, I am not sure I yet have an opinion of all the consequences of who issues the policy or where the mandate comes from. Certainly, even if Congress were to act, if it were to impose by statute a policy, then arguably that policy could only really be enforced against U.S.-based registrars. If the policy comes from ICANN, whether it is of ICANN's own volition or whether Congress encourages the policy, then there is something that is enforceable against all ICANN-accredited registrars, regardless of where they may live.
Mr. COBLE. Mr. Metalitz, you want to insert your oars into these waters?
Mr. METALITZ. Just briefly. I think Mr. Powell is right. ICANN is the logical party to do this. They have reserved to themselves their agreements, the authority to do it. They can require the registrars to live up to it. They can discredit registrars who don't live up to it.
If ICANN won't do it, I think you have to look at legislation and other options, but I think ICANN is the logical party to take this step.
Mr. COBLE. Do you want to comment as to what would constitute the policy? You want to get into that or not?
Mr. POWELL. Yes, I would. As I suggested in some of my recommendations, I think there are actually existing requirements that if enforced would get us a long way toward where we want to go. The problem, though, is that ICANN really doesn't have the budget to sue everyone who doesn't comply. By my count, perhaps three quarters of the 100 registrars have Whois policies that are at odds with what ICANN's agreements allow them to have. Very expensive. I would, I think, eliminate the idea of bulk Whois access. I think the law of intended consequences comes into play. Not only is bulk Whois access abused for the most part and not used as it was intended by third parties to provide a value added searchable database, but it actually gives registrars incentives to keep as much good data out of the bulk Whois that they might be handing to their competitors.
So they do things like they automatically opt out customers by default, even though the agreements with ICANN say that only the registrant can choose to opt out. So that what happens is the registrar then gives maybe one fifth of its total data in the bulk Whois format. So there are a lot of unintended consequences of that requirement.
Mr. COBLE. You all can think about that and let us know in writing if you would like to do that. We have a vote on now, but I want to recognize the gentleman from California for the second round.
Mr. BERMAN. I would like Mr. Beales just to sum up what you think--you made reference to this in your testimony, but I want to make sure I understand it, but just sum what you think the FTC or ICANN or the Congress should be doing to reach the--I mean you seem to be coming from the same place I am on a lot of these issues, and therefore I am curious on how you think we can make it make happen.
Mr. BEALES. I think ICANN is the logical place to try to make it happen.
Mr. BERMAN. We talked about ICANN for a year-and-a-half. I have a feeling there are people around here who have been talking about it longer than that. They don't seem to be serious about this up until now.
Mr. BEALES. There are discussions going on about the structure of ICANN that may be part of the problem here. And reform of ICANN itself may be a first step toward addressing problems with the Whois database. I think what is important to us is we don't want to see--the reason ICANN is important because it is an international body and an international standard, and we don't want to see standards that are different in the United States because we are concerned that it will simply push fraudsters abroad where it is even harder for us to get accurate information and to find out what is going on. So it may not be the perfect institution, but it is the only institution that can address the problem uniformly and across borders at the moment.
Mr. BERMAN. Well, Mr. Chairman, there is a lot in the testimony here, I think, to work with and, because of the votes, I think we can pursue this in a nonhearing mechanism, but I do want to thank you again for holding the hearing and yield back.
Mr. COBLE. Howard, if you have another question or two, we probably have time.
Mr. BERMAN. No. I think I am finished.
Mr. COBLE. I agree with the gentleman from California. I think it has been a good hearing and gentlemen and particularly--well, strike that. Not necessarily particularly, but my question regarding what would constitute the policy and who would disseminate it or who would issue it, I would like to hear from you about that. I thank you for your testimony, the Subcommittee appreciates your contribution. This concludes the oversight hearing on the accuracy and the integrity of the Whois database. The record will remain open for 1 week for you all to respond in any way you see fit. Thank you for your attendance as well as the people in the audience, and the Subcommittee stands adjourned.
[Whereupon, at 11:05 a.m., the Subcommittee was adjourned.]
A P P E N D I X
Statements Submitted for the Hearing Record
PREPARED STATEMENT OF THE HONORABLE HOWARD L. BERMAN, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF CALIFORNIA
I thank you for calling this hearing on the accuracy of the Whois database. This issue has been a priority for this Subcommittee over the last year, and I am pleased to advance the discussion of the Whois database through today's hearing. I look forward to the testimony of today's witnesses.
The internet is invaluable as a tool for communication, commerce, and information transfer. At the same time, however, it has proven invaluable as a tool for fraud, pornography, and piracy. These crimes are exacerbated by fraudulent contact information in a domain name registration--without accurate information, it is difficult for law enforcement officials to trace the perpetrator of a crime, and it is difficult for a consumer to make an informed decision about the integrity of a particular web site.
In several recent fraud investigations performed by the Federal Trade Commission, the Commission uncovered false registration information while investigating other cybercrimes. For instance, the FTC recently won a judgment against a domain name owner who operated an illegal web-based billing scam. That particular owner had registered his domain name with the address of ''here there, California''. The FTC has also found clearly false entries while sampling the Whois database, such as domain names registered to ''mickey mouse'' and ''god''. Some copyright owners estimate that 30% of web sites that sell pirated content are hosted on domain names with obviously false Whois information.
Clearly, there is a problem with this database. One counter-argument that is commonly made when discussing this issue is that of anonymity--that domain name registrants may lie because they wish to protect their privacy. However, I do not believe that accurate, valid Whois information conflicts with anonymity on the internet. I can understand that many people are concerned about protecting their privacy online, particularly if they choose to use the internet as a platform for political or controversial speech. But there are ample opportunities for anonymity on the internet. Most ISPs provide a user with the opportunity to publish a web page at little or no cost using the ISP servers. A user can obtain an anonymous third-level domain name through some host companies. Anonymous email can be sent through re-mailers, and there are anonymous chat rooms and anonymous FTP servers. Privacy technologies exist to allow anonymous web surfing. A person who requires anonymity does not also require his own personal domain name to post whatever it is he wishes to say. Indeed, anonymity has no place in dot-com or dot-biz domain names, which are centered on commercial activity.
We can consider the analogy in the brick-and-mortar world. If a consumer has a question about a brick-and-mortar store, he can search publicly accessible records to determine who owns that store. That information is based upon the legal records, and the consumer can feel confident in the accuracy of the information. The same opportunity, and the same confidence, should exist for consumers in the online world.
Online, registrars and other entities already appear to be taking steps toward information verification, and I applaud these efforts. For instance, registrants to the dot-pro domain are required to be certified professionals, and RegistryPro will only register a domain name if it can first verify the certification information provided by the registrant. Additionally, eBay recently announced that it will use VeriSign to authenticate the addresses and telephone numbers of auction sellers by cross-checking with the U.S. Postal Service and phone records. I believe this type of verification must be done for domain name registrations, to ensure that internet web-surfers and consumers can have a positive online experience.
Several weeks ago, Mr. Coble and I introduced legislation to create criminal penalties for deliberately providing false information when registering an internet domain name. I hope that this legislation is a first step towards an improved, accurate Whois. I also hope that additional steps toward the goal of accurate Whois will be inspired by our discussion today.
Material Submitted for the Hearing Record
LETTER FROM BENJAMIN EDELMAN, THE BERKMAN CENTER FOR INTERNET & SOCIETY AT HARVARD LAW SCHOOL
(Footnote 1 return)
This written statement presents the views of the Federal Trade Commission. My oral statement and responses to questions are my own and are not necessarily those of the Commission or any individual Commissioner.
(Footnote 2 return)
The FTC's Bureau of Consumer Protection staff also filed a public comment with the ICANN DNSO Names Council on the importance of accurate Whois data for law enforcement purposes. See Letter of Howard Beales to Louis Touton dated August 6, 2001, re ICANN DNSO Names Council Whois Survey.
(Footnote 3 return)
15 U.S.C. §41 et seq. The Commission has responsibilities under 40 additional statutes, including the Children's Online Privacy Protection Act of 1998, 15 U.S.C. §6501 et seq., which prohibits unfair and deceptive acts and practices in connection with the collection and use of personally identifiable information from and about children on the Internet. See www.ftc.gov/ogc/coppa1.pdf. The Commission also enforces over 30 rules governing specific industries and practices, including the Mail and Telephone Order Merchandise Rule, 16 C.F.R. Part 435, which covers purchases made over the Internet and spells out the ground rules for making promises about shipments, notifying consumers about unexpected delays, and refunding consumers' money. See www.access.gpo.gov/nara/cfr/waisidx99/16cfr43599.html.
(Footnote 4 return)
15 U.S.C. §45(a) and 53(b).
(Footnote 5 return)
See Leslie Miller, ''Web Growth Slows, But Online Time Rises,'' USA Today, March 28, 2002, available at www.usatoday.com/life/cyber/tech/2002/03/28/net-statistics.htm.
(Footnote 6 return)
See U.S. Census Bureau, ''Retail E-Commerce Sales in Fourth Quarter 2001 Were $10.0 Billion, Up 13.1 Percent from Fourth Quarter 2000,'' www.census.gov/mrts/www/current.html.
(Footnote 7 return)
This number represents an exponential growth in the number and percentage of Internet fraud-related complaints received in 1997, when the Commission received fewer than 1,000 Internet fraud complaints. See Prepared Statement of the Federal Trade Commission on ''Internet Fraud,'' Before the House Committee on Energy and Commerce, Subcommittee on Commerce, Trade and Consumer Protection, 107th Cong., 1st Sess. (May 23, 2001), available at www.ftc.gov/os/2001/05/internetfraudttmy.htm. For additional statistics from the Consumer Sentinel database, see www.consumer.gov/sentinel.
(Footnote 8 return)
(Footnote 9 return)
(Footnote 10 return)
For more information about the IMSN, see www.imsnricc.org.
(Footnote 11 return)
(Footnote 12 return)
See Agreement Between the Government of the United States of America and the Government of Canada Regarding the Application of their Competition and Deceptive Marketing Practices Laws, Trade Reg. Rep. (CCH) 13,503 (1995); Agreement Between the Federal Trade Commission of the United States of America and the Australian Competition & Consumer Commission On the Mutual Enforcement Assistance in Consumer Protection Matters (July 20, 1999), www.ftc.gov/opa/2000/07/usaccc.htm; Memorandum Of Understanding On Mutual Enforcement Assistance In Consumer Protection Matters Between The Federal Trade Commission Of The United States of America And Her Majesty's Secretary of State for Trade And Industry And The Director General Of Fair Trading In The United Kingdom (October 31, 2000), www.ftc.gov/opa/2000/10/ukimsn.htm.
(Footnote 13 return)
Information on ''Operation Top Ten Dot Cons'' (October 21, 2000) is available at www.ftc.gov/opa/2000/10/topten.htm; information on the International Netforce project (April 2, 2002) is available at www.ftc.gov/opa/2002/04/spam.htm.
(Footnote 14 return)
Cited in Thomas Fuller, ''OECD's Cautionary Tale of Porn and Cyberspace,'' International Herald Tribune at 1 (April 3, 2002), available at www.iht.com/articles/53353.html.
(Footnote 15 return)
CV991367A (E.D.Va. filed Sept. 14, 1999)(Preliminary Injunction entered Sept. 21, 1999). See www.ftc.gov/os/1999/9909/index.htm#22.
(Footnote 16 return)
Civ. No. 9900044ABC (AJWx) (C.D. Cal.).
(Footnote 17 return)
Many of these initiatives were generated by the FTC's database of unsolicited commercial e-mail (UCE or spam). Consumers currently send unwanted spam to the agency at a rate of approximately 35,000 e-mails a day using the agency's database address, email@example.com. The FTC has collected more than 10 million unwanted spam messages since 1998.
(Footnote 18 return)
(Footnote 19 return)
Guidelines on Consumer Protection in the Context of Electronic Commerce, Part Two, Section III(A), OECD (December 9, 1999) available at www.ftc.gov/opa/1999/9912/oecdguide.htm.
(Footnote 20 return)
ICANN Registrar Accreditation Agreement, May 17 2001, §3.3.1, www.icann.org/registrars/ra-agreement-17may01.htm.
(Footnote 21 return)
Id. at §188.8.131.52.
(Footnote 22 return)
Cybersquatting means registering, trafficking in, or using a domain name with bad-faith intent to profit from the goodwill of a trademark belonging to someone else. It refers to the practice of buying up domain names reflecting the names of existing businesses, intending to sell the names for a profit back to the businesses when they go to put up their websites. See http://www.nolo.com/lawcenter/ency/article.cfm/objectID/60EC3491B4B54A98BB6E6632A2 FA0CB2. For an FTC case involving cybersquatting, see FTC v. Zuccarini, C.A. No. 01CV4854 (E.D. Pa., filed Sept. 25, 2001), available at http://www.ftc.gov/opa/2001/10/cupcake.htm.
(Footnote 23 return)
See Cybersquatting--The OECD's Own Experience and the Problems It Illustrates with Registrar Practices and the ''Whois'' System, OECD Directorate for Science, Technology and Industry, Committee on Information, Computer and Communications Policy, DSTI/ICCP(2002)8 (2002), available at www.oecd.org/pdf/M00027000/M00027316.pdf.
(Footnote 24 return)
See supra note 20 at §184.108.40.206.
(Footnote 25 return)
See supra note 14.
(Footnote 26 return)
See supra note 20.
(Footnote 27 return)
Two letter domains, such as .uk, .de and .jp (for example), are called country code top level domains (ccTLDs) and correspond to a country, territory, or other geographic location. The rules and policies for registering domain names in the ccTLDs vary significantly and some are reserved for use by citizens of the corresponding country. See ICANN Frequently Asked Questions, available at www.icann.org/general/faq1.htm.
(Footnote 28 return)
See supra note 20 at §220.127.116.11.
(Footnote 29 return)
See supra note 20 at §3.7.8.
(Footnote 30 return)
Of course, as noted above, exactly what might be done will depend on whether and to what extent the structure of ICANN is changed as a result of the reform process.
(Footnote 31 return)
See supra note 20 at §18.104.22.168 (stating that a registrant's wilful failure to provide accurate contact details shall ''be a basis for cancellation of the Registered Name registration.'')
(Footnote 32 return)
The Commission recognizes that the proposed measures are not a cure-all. They would not, for example, limit in any way the ability of a registrant who has had a domain name terminated to register new domain names.
(Footnote 33 return)
See www.icann.org/cctlds for more information about ccTLDs.
(Footnote 34 return)
(Footnote 35 return)
(Footnote 36 return)
See www.cnnic.net.cn. U.S. law enforcement efforts against websites with country-code TLDs are made more difficult by the fact that it is extremely difficult, and in some cases, virtually impossible to enforce a subpoena against a foreign registrar requesting additional information about a registrant.
(Footnote 37 return)
See .jp ccTLD Sponsorship Agreement (April 1, 2002), at §4.5.1, www.icann.org/cctlds/jp; see .au ccTLD Sponsorship Agreement (October 25, 2001), at §4.5.1, www.icann.org/cctlds/au/sponsorship-agmt-25oct01.htm
(Footnote 38 return)
See http://www.aunic.net; see http://jprs.jp/eng.
(Footnote 39 return)
See Model ccTLD Sponsorship Agreement--Triangular Situation, Posted September 2, 2000, at 4.5.1, available at www.icann.org/cctlds/model-tscsa-02sep01.htm; Principles for Delegation and Administration of ccTLDs Presented by Governmental Advisory Committee (23 February 2000), www.icann.org/committees/gac/gac-cctldprinciples-23feb00.htm.
(Footnote 40 return)
Although these comments here focus largely on data accuracy and integrity, there are also a number of related issues, such as the scope of information collected and the searchability of that information. For a further discussion of these issues, see FTC Bureau of Consumer Protection letter to Louis Touton, supra note 2. We plan to examine these issues as well with the relevant international stakeholders.
(Footnote 41 return)
Our initiatives in this area include beefing up enforcement against deceptive spam, helping victims of identity theft, enforcing privacy promises, increasing enforcement and outreach on children's online privacy, and encouraging consumers to report privacy complaints. See www.ftc.gov/privacy/index.html.
(Footnote 42 return)
Guidelines for Consumer Protection in the Context of Electronic Commerce, OECD, December 9, 1999, Part Two, §3(a), available at www.ftc.gov/opa/1999/9912/oecdguide.htm.
(Footnote 43 return)
The .name TLD is reserved for registrations by individuals.
(Footnote 44 return)
We acknowledge that requiring all registrars to police whether a site is being registered for commercial or non-commercial purposes may impose undue costs on registrars. We will take into account this concern in our further consideration of these issues.
(Footnote 45 return)
This includes the unfortunate current practice known as ''porn-napping,'' whereby a domain name (usually previously registered by a religious organization, non-profit, municipal government, or other similar entity) is inadvertently allowed to expire and be returned to availability, only to be registered by a second party who publishes pornographic or other content that is likely objectionable to the previous registrant. The second registrant offers the name back to the original registrant at a premium price, with the hope that the original registrant will accept the sale offer as a way to avoid embarrassment or reputational damage. Regrettably, this represents no technical violation of registration procedures, though our industry as a whole widely condemns it as distasteful, as does SnapNames. We and our industry colleagues encourage all registrants to be active and informed custodians of their domain name assets.
(Footnote 46 return)
E.g., 3.7.8 ''Registrar shall abide by any specifications or policies established according to Section 4 requiring reasonable and commercially practicable (a) verification, at the time of registration, of contact information associated with a Registered Name sponsored by Registrar or (b) periodic re-verification of such information.''
(Footnote 47 return)
22.214.171.124 ''Registrar may charge an annual fee, not to exceed US$10,000, for such bulk access to the data.''
(Footnote 48 return)
3.6 ''Data Escrow. During the Term of this Agreement, on a schedule, under the terms, and in the format specified by ICANN, Registrar shall submit an electronic copy of the database described in Subsection 3.4.1 to ICANN or, at Registrar's election and at its expense, to a reputable escrow agent mutually approved by Registrar and ICANN . . .''