89–199 PDF









Serial No. 50

Printed for the use of the Committee on the Judiciary

Available via the World Wide Web: http://www.house.gov/judiciary


F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman
HENRY J. HYDE, Illinois
HOWARD COBLE, North Carolina
MARK GREEN, Wisconsin
MELISSA A. HART, Pennsylvania

JOHN CONYERS, Jr., Michigan
HOWARD L. BERMAN, California
MELVIN L. WATT, North Carolina
ZOE LOFGREN, California
MARTIN T. MEEHAN, Massachusetts
WILLIAM D. DELAHUNT, Massachusetts
ADAM B. SCHIFF, California
LINDA T. SÁNCHEZ, California

PHILIP G. KIKO, Chief of Staff-General Counsel
PERRY H. APELBAUM, Minority Chief Counsel

Subcommittee on Courts, the Internet, and Intellectual Property
LAMAR SMITH, Texas, Chairman
HENRY J. HYDE, Illinois
MARK GREEN, Wisconsin
MELISSA A. HART, Pennsylvania

HOWARD L. BERMAN, California
JOHN CONYERS, Jr., Michigan
ZOE LOFGREN, California
MARTIN T. MEEHAN, Massachusetts
WILLIAM D. DELAHUNT, Massachusetts

MELISSA L. MCDONALD, Full Committee Counsel
ALEC FRENCH, Minority Counsel



    The Honorable Lamar Smith, a Representative in Congress From the State of Texas, and Chairman, Subcommittee on Courts, the Internet, and Intellectual Property

    The Honorable Howard L. Berman, a Representative in Congress From the State of California, and Ranking Member, Subcommittee on Courts, the Internet, and Intellectual Property


Mr. Steven J. Metalitz, Partner, Smith and Metalitz, LLP, and Counsel, Copyright Coalition on Domain Names
Oral Testimony
Prepared Statement

Mr. Benjamin Edelman, Fellow, Berkman Center for Internet and Society, Harvard Law School
Oral Testimony
Prepared Statement

Mr. James E. Farnan, Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation
Oral Testimony
Prepared Statement

Mr. Theodore W. Kassinger, General Counsel, U.S. Department of Commerce
Oral Testimony
Prepared Statement


    Letter to Secretary Donald Evans, U.S. Department of Commerce, from the Subcommittee

    Letter from Theodore W. Kassinger, General Counsel, U.S. Department of Commerce, on behalf of Secretary Evans, to the Subcommittee

    Letter from Margie Milam, General Counsel, eMarkmonitor, Inc. to the Subcommittee

    Prepared Statement of the International Trademark Association


Material Submitted for the Hearing Record

    Department of Commerce Statement regarding Extension of Memorandum of Understanding with the Internet Corporation for Assigned Names and Numbers

    Prepared Statement of the Honorable Robert Wexler, a Representative in Congress From the State of Florida

    Letter from Alan Davidson, Center for Democracy and Technology, to the Subcommittee

    Letter from Brian Cute, Director of Policy, Network Solutions, Inc.; Elana Broitman, Director of Policy, Register.com; Tom D'Alleva, Vice President, Bulk Register; and Paul Stahura, President, eNom, to the Subcommittee

    Letter from Michael D. Maher, Chairman of the Board, Public Interest Registry, to the Subcommittee



House of Representatives,
Subcommittee on Courts, the Internet,
and Intellectual Property,
Committee on the Judiciary,
Washington, DC.

    The Subcommittee met, pursuant to notice, at 2:02 p.m., in Room 2141, Rayburn House Office Building, Hon. Lamar Smith (Chair of the Subcommittee) presiding.

    Mr. SMITH. The Subcommittee on Courts, the Internet, and Intellectual Property will come to order. Today's hearing is on ''Internet Domain Name Fraud—The U.S. Government's Role in Ensuring Access to Accurate Whois Data.'' I am going to recognize myself for an opening statement, then the Ranking Member, and then we will proceed to hear from our witnesses.

    The August infection of more than 7,000 computers with a variant of the blaster worm serves as a graphic reminder of the dangers that persist for Internet users. As devastating as this attack was, the damage it caused pales in comparison to the nearly 63,000 viruses that have been released on the Internet, which have caused $65 billion worth of damages. Yet only one person in the U.S. has received a prison sentence in connection with these crimes. The FBI's blaster investigation was assisted by the suspect's provision of truthful information to the Whois database upon registering his website, but this result is the exception rather than the rule.

    Consumers, business owners, intellectual property holders, parents, and law enforcement officials understand that these attacks impose real and substantial costs on each of them and they have called out for tougher enforcement.

    Copyright owners use Whois to identify pirated sites—excuse me, pirate sites that operate on the Internet. Trademark owners use Whois to resolve cyber squatting disputes, learn the contact details for owners of websites offering counterfeit products or otherwise infringing on intellectual property. And law enforcement officers use Whois as the first step in most web-based child pornography and exploitation cases.

    The enforcement of contracts that already exist between the Department of Commerce and the Internet Corporation for Assigned Names and Numbers, ICANN, and its registrars in the top-level domains, such as .com, .net, and .org, and the registrants who operate websites could do much to clean up the World Web. The task of concealing one's identity is made considerably easier when registrars refuse to take reasonable steps, as their contracts require, to ensure that website registrants accurately report their identity and contact information to the Whois database.

    Since 1999, all accredited registrars have been required to provide access to the full database of registered domain names. Despite the demonstrated need and obligation of the Department of Commerce, ICANN, and the registrars to provide access to Whois data, there is an astonishing lack of enforcement of these contractual terms. In ICANN's history, not one registrar has had their accreditation revoked for failure to honor their Whois commitments. This is inexcusable.

    Since the issuance of a Presidential directive in 1997, the responsibility for overseeing the Domain Name System (DNS) and managing the transition to private sector control of the technical functions of the Internet has resided with the National Telecommunications and Information Administration, an agency within the United States Department of Commerce. Pursuant to the directive, NTIA entered into a contract with the newly-formed Internet Corporation for Assigned Names and Numbers (ICANN) in 1998. Since creation, ICANN's legitimacy and its activities have been the subject of constant controversy.

    The Commerce Department's relationship with ICANN is governed by three major agreements: One, a Memorandum of Understanding (MOU) for a joint domain name system; two, a cooperative research and development agreement; and three, a sole-source contract to perform certain technical functions relating to the coordination of the DNS. In spite of a nearly 5-year-long relationship with ICANN, there is a growing awareness that Commerce has failed to exert its authority to ensure that the public domain name registrant databases known as Whois contain accurate information. Agreements that are not enforced undermine the very authority, stability, and sustainability that Commerce purports to want to ensure for ICANN.

    With the current MOU due to expire September 30, Mr. Berman and I wrote Secretary Evans on August 8 requesting that, among other things, any succeeding MOU be limited to 1 year, preserve public access to online systems like Whois, and take steps to improve the integrity of registrant contact information. Without objection, that letter will be made a part of the record.

    [The letter to Secretary Evans follows:]





    [The response from Theodore W. Kassinger, on behalf of Secretary Evans, follows:]

    Mr. SMITH. In response, we will hear testimony that Commerce, one, intends to extend the MOU with ICANN for more than 1 year; two, recognizes the value of public access to online systems like Whois; and three, intends to include no affirmative steps in the MOU in an effort to improve ICANN's underwhelming enforcement record.

    While Commerce intends to add a laundry list of seven milestones to assess ICANN's—excuse me, to assess ICANN's future performance, not one of these deals principally with Whois, contract enforcement, or intellectual property protections. This, too, at least in my judgment, is inexcusable.

    If, as they say, the Commerce Department truly believes in a robust Whois, there is still time in the next MOU to address the well-established concerns of parents, consumers, intellectual property holders, and others who advocate for better Whois information. Rest assured, the Committee's attention to these issues will be judged by results, not by rhetoric.

    That concludes my opening statement and the gentleman from California, Mr. Berman, will be recognized for his.

    Mr. BERMAN. Thank you, Mr. Chairman, and thank you for scheduling this hearing today.

    For the past three or more Congresses, this Subcommittee has examined the widespread problem of inaccurate and incomplete information in the Whois database. We have documented how inaccurate Whois data hampers law enforcement investigations, facilitates consumer fraud, impairs copyright and trademark protection, imperils computer security, enables identity theft, and weakens privacy protection efforts.

    Recent events only serve to highlight the critical importance of accurate and complete Whois data. For several weeks last month, as the Chairman has mentioned, variants of the blazer computer worm disrupted or disabled approximately one million computers worldwide. Late last week, the U.S. Attorney in Seattle charged Jeff Parson, a Minnesota teenager, with writing and distributing lovesanB, a variant of the blaster worm that infected at least 7,000 computers. Accurate Whois data played a key role in identifying Jeff Parson as the culprit.

    This investigation of Mr. Parson and the subsequent arrest made possible by the information on the Whois database represent just the latest example of the importance of accurate Whois data. As did witnesses at many past hearings, witnesses today will provide further examples of the need for accurate Whois data while detailing its current unreliability. The importance of accurate and complete Whois data is, thus, well-documented. Well-documented, also, is the general unreliability and inaccuracy of the Whois data.

    These facts beg the question. What should Congress do to remedy this serious problem? The time for cajoling relevant industry actors to act responsibly and self-regulate has expired. Former Chairman Coble and I contacted scores of registrars to gather information on their efforts to ensure accurate, complete Whois information. The handful of responses revealed little desire on behalf of registrars to take this issue seriously. We have tried through letters, hearings, and meetings to convince ICANN to deal with this problem, but nothing of significance has happened. In fact, lately, there are indications of back-sliding.

    Many times, we have encouraged the Commerce Department to vigorously advocate the demonstrated U.S. interest on this issue. Most recently, Chairman Smith and I, as he mentioned, asked the Commerce Department to address Whois issues in the process of renegotiating its Memorandum of Understanding with ICANN. These efforts also have proved wholly unsatisfactory. Unless Mr. Kassinger has a surprise announcement in store for us today, it appears the draft MOU fails to require that ICANN take steps to improve the accuracy or completeness of Whois data.

    Rather than outlining any new Whois initiatives including—included in the Memoranda of Understanding, Mr. Kassinger's advance testimony only references several ongoing measures that have already proved woefully inadequate. Mr. Kassinger's testimony notes the existence of contractual obligations between ICANN and registrars and registrars and registrants providing for the accuracy and completeness of Whois data. However, a lack of enforcement has rendered these obligations meaningless. Registrars and registrants responsible for thousands of publicly-identified inaccurate or incomplete Whois entries ignore their obligations and fail to correct inaccuracies or incomplete Whois information. In the face of this, ICANN has only threatened one registrar with loss of accreditation.

    While the Whois data problems report referenced by Mr. Kassinger is commendable, systems for self-reporting by victims should not relieve registrars of the obligation to proactively verify the accuracy of their Whois data. Prevention of crimes is more useful than setting up a mechanism for victims to identify themselves after the fact.

    In conclusion, I am disappointed with the failure of both the marketplace and regulators to deal with this growing problem. A legislative solution seems necessary. Through section 303 of H.R. 2752, Ranking Member Conyers and I took one stab at crafting such a solution. I am open to other legislative approaches. And Mr. Chairman, if you are so inclined, I would welcome the opportunity to work with you in crafting an appropriate solution.

    With that, I yield back. Thank you.

    Mr. SMITH. Thank you, Mr. Berman. Our opening statements were not coordinated, but obviously, we have similar sentiments.

    Let me just thank the gentleman from Texas, Mr. Carter, for being here today, as well as the gentleman from Wisconsin, for their interest in the subject at hand.

    I will introduce our witnesses, and our first witness is Steven J. Metalitz, a partner in the firm of Smith and Metalitz, who specializes in intellectual property, privacy, E-commerce, and information law. Mr. Metalitz serves as Senior Vice President of the International Intellectual Property Alliance and is counsel to the Copyright Coalition on Domain Names. Formerly, Mr. Metalitz served as President of the Intellectual Property Constituency of ICANN as well as Vice President and General Counsel of the Information Industry Association. Mr. Metalitz is a Phi Beta Kappa graduate of the University of Chicago and a graduate of the Georgetown Law Center.

    Our next witness is Benjamin Edelman, a fellow at the Berkman Center for Internet and Society at Harvard Law School. Mr. Edelman analyzes ICANN activities, operates the Berkman Center webcast, and develops software tools for real-time use in meetings, classes, and special events. He has authored articles regarding domain name issues, including the matter of expired domain names that are subsequently registered with false Whois data and used to sell pornography. Mr. Edelman graduated from Harvard College and is currently pursuing a law degree and doctorate in economics from Harvard.

    Our third witness is James E. Farnan, the Deputy Assistant Director of the FBI's Cyber Division. Mr. Farnan was a Captain in the U.S. Air Force prior to joining the FBI in 1984. During his assignments in Houston, New Orleans, Las Vegas, and Washington, he has served as a civil litigator, general counsel, and drug and computer crimes investigator. Mr. Farnan received a bachelor's degree from Wheeling Jesuit University, a master's degree from Pittsburgh, and a J.D. from Temple School of Law.

    Our final witness is Ted Kassinger, the General Counsel for the U.S. Department of Commerce. Prior to his current position, Mr. Kassinger was a member of the law firm of Vinson and Elkins. Mr. Kassinger received his undergraduate and law degrees from the University of Georgia.

    Let me thank you all for participating, but before I get to that, let me say in Mr. Kassinger's defense, because he is going to get some tough questioning, that the Assistant Secretary who would have testified left 2 weeks ago, so we are catching him not exactly unawares, but he is not the original witness, so we may have to somewhat, Mr. Berman, mitigate our charges, but we will see on that.

    In any case, we welcome you all, and just a reminder that we are limiting your testimony to 5 minutes and there will be ample time for us to ask you questions afterwards.

    Mr. Metalitz, we will begin with you.


    Mr. METALITZ. Thank you very much, Mr. Chairman and Mr. Berman, Members of the Subcommittee. Thanks for the opportunity to testify on behalf of the Copyright Coalition on Domain Names representing a wide range of copyright owners.

    CCDN's goal is to maintain public access to Whois data and to improve its accuracy and reliability because it is a key enforcement tool against online infringement. But as your opening statements clearly show, we are not the only ones who rely on Whois data. It's essential for protecting consumers online, as the FTC told you in last year's hearing before this Subcommittee. It's important for safeguarding network security and for law enforcement investigations. In fact, all Internet users, we believe, have a stake in keeping Whois data accessible and making it more accurate.

    When this Subcommittee last looked at this issue 16 months ago, the accuracy and reliability of Whois data was deplorably bad. The first question is, has that changed? The short answer is, no. The Whois database remains riddled with obviously inaccurate data, in some cases, the very same data that we cited to this Subcommittee last May. You have an expert witness here today in Mr. Edelman and I am sure he'll provide more detail about this problem.

    Aside from the question of accuracy, Whois data has also become less accessible over the last year. For example, bulk access to Whois data, which all domain name registers are required to provide, has essentially been eliminated. The statement submitted by the International Trademark Association has some more details on this.

    And finally, within the fastest growing part of the domain name space, the two-letter codes, the country code top-level domains, public accessibility of registrant contact data remains wildly inconsistent.

    Now, what is ICANN doing about this problem? On paper, ICANN has established a good framework with three main features that are found in the registrar accreditation agreement that every domain name registrar must sign in order to go into the business of registering domain names in .com, .net, or .org.

    First, domain name registrants consent in that agreement to collection of their contact data and its dissemination through Whois.

    Second, the registrars are required to make that data available to the public via the web and through other means, such as bulk access.

    And finally, registrants are required to provide complete and accurate data and to keep it current and they can lose their domain names if they don't do that.

    Now, in practice, this system simply is not working. The basic problem remains that ICANN has never effectively enforced the contractual commitments that the registrars have made. Whois is a glaring example of this, although it's not the only one.

    We see this as a fundamental flaw in ICANN's performance. The whole concept behind ICANN, to privatize management of the domain name system, depends on enforcing contracts that define what behavior is and isn't allowed. Much of ICANN's unfinished business that the Commerce Department has identified involves entering into additional agreements, making new contracts. So in this context, the question of whether ICANN is enforcing the agreements that it's already entered into isn't just a relevant question, it seems to us it's the central question in evaluating ICANN's performance.

    ICANN now has a new structure. It has new leadership which is in a position to make a difference here. But the new leadership has inherited a gathering crisis of confidence about ICANN's willingness or ability to hold its contract partners accountable. How the ICANN leadership responds may determine ICANN's future prospects for success.

    And I should add, I say this as a representative of a sector that supports ICANN. It participates actively in ICANN's processes. It believes ICANN has done many things right and it very much wants to see ICANN succeed.

    But instead of prioritizing contract compliance and enforcement, ICANN has spent a lot of time and effort tinkering around the edges, and your opening statements refer to the complaint mechanism that has been established. That has had only marginal impact on data accuracy. The fact that it has processed only 10,000 complaints over the last year is evidence of how peripheral it is, because this problem is much, much bigger than 10,000 domain names.

    Then there was an ICANN task force on which I served that worked for 2 years looking at Whois issues, to try to get the registrars to step up and take some small steps to improve the quality of the data. But the final recommendations that emerged from this process were very modest and unlikely to be effective in tackling the real problem, and that problem is registrants who supply false contact data because they don't want to be accountable for their use of domain names or for what happens on their sites.

    So how do we improve the situation? A year ago in our testimony, we said the buck stops with ICANN, and I think the Subcommittee has correctly realized that that statement is incomplete. The buck really stops with the Department of Commerce and the impending expiration of the MOU is a critical juncture. We believe that now is the time for Commerce to obtain an ICANN commitment to contract enforcement and to write that commitment into the MOU with appropriate reporting requirements. This would be a big step forward for accountability on the Internet and for the healthy growth of E-commerce. We have a few other suggestions in our testimony that I would be glad to go into later.

    Beyond oversight, Congress does need to consider legislative options, particularly if an ICANN contractual enforcement campaign never materializes or is ineffective, and the CCDN and others in the intellectual property community stand ready to work with the Subcommittee on the necessary changes.

    Thank you again for your continued commitment to this important issue.

    Mr. SMITH. Thank you, Mr. Metalitz.

    [The prepared statement of Mr. Metalitz follows:]


    Chairman Smith, Representative Berman, and Members of the Subcommittee:

    Thank you for this opportunity to appear again to present the views of organizations of copyright owners on an issue that is vital to the enforcement of intellectual property rights in the online environment: ready access to accurate Whois data.

    Before beginning my testimony, I would like to commend the subcommittee for its diligent and consistent focus on this critical issue over the past several years. The convening of this timely hearing, as well as the letter which Chairman Smith and Representative Berman sent to Secretary Evans last month on this issue, should be applauded by all who care about the healthy development of the Internet and e-commerce.

    I am here today as counsel to the Copyright Coalition on Domain Names (CCDN), which has worked since 1999 on this issue. CCDN participants include leading industry trade associations such as the Business Software Alliance (BSA), the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA), and the Software and Information Industry Association (SIIA); the two largest organizations administering the performance right in musical compositions, ASCAP and BMI; and major copyright-owning companies such as AOL Time Warner and the Walt Disney Company.

    The interests of copyright owners in preserving and improving access to reliable Whois data overlap considerably with those of trademark owners. Of course, many of the companies participating in CCDN, either directly or through their trade associations, own some of the world's most valuable trademarks and service marks. These companies invest heavily in defending these marks against infringements of their intellectual property rights that take place online. Many of my remarks today apply at least as much to trademark concerns as they do to copyright matters.

    This testimony will address four main questions:

 Why is real-time public access to complete and accurate Whois data essential?

 What is the current situation, and how has it changed since the Subcommittee's last hearing on the topic in May 2002?

 What is ICANN doing about the problem?

 What steps can be taken by the Department of Commerce—or by Congress—to improve the situation?


    In its hearings over the past few years, this Subcommittee has compiled a comprehensive record, establishing why it is essential for the public to continue to have real-time access to contact data on domain name registrants—referred to as ''Whois data''—and why the accuracy and currentness of this data is of the utmost concern. CCDN's primary focus is on the availability of Whois data for use in enforcing intellectual property rights online, but we know that is only part of a wider picture of the importance of accurate and accessible Whois.

    As you know, copyright owners are currently battling an epidemic of online piracy. Whois is a key tool for investigating these cases and identifying the parties responsible. Every pirate site has an address on the Internet; and through Whois and similar databases, virtually every Internet address can be linked to contact information about the party that registered the domain name corresponding to the site; about the party that hosts the site; or about the party that provides connectivity to it. No online piracy case can be resolved through the use of Whois alone; but nearly every online piracy investigation involves the use of Whois data at some point.

    Trademark owners use Whois in a similar way to combat cybersquatting, the promotion of counterfeit products online, and a wide range of other online infringement problems. They also depend on accurate and accessible Whois for a number of other critical business purposes, such as trademark portfolio management, conducting due diligence on corporate acquisitions, and identifying company assets in insolvencies/bankruptcies.

    Enforcing intellectual property rights is only one of the beneficial uses of Whois data. Others include:

 Consumer protection: In your hearings last year, the Federal Trade Commission explained how they rely upon accessible and accurate Whois data to track down online scam artists, particularly in the cross-border fraud cases to which consumer protection agencies around the world are devoting increasing attention.

 Law enforcement: You will hear from a representative of the FBI today about the role Whois data plays in law enforcement activities generally. Public access to this data is critical to facilitate the gathering of evidence in cases of crimes carried out online, particularly in complex cybercrimes.

 Network security: The applications of Whois data in this arena deserve more attention than they have received. When a virus is detected, a denial of service attack unfolds, or another threat to the security of networked computing resources is identified, the response often requires instantaneous access to Whois data. ICANN's expert Security and Stability Advisory Committee recently concluded that ''Whois data is important for the security and stability of the Internet'' and that ''the accuracy of Whois data used to provide contact information for the party responsible for an Internet resource must be improved.''

    In practice, several of these well-established and vital uses of Whois data often overlap. Consider the troubling upsurge in cases of ''phishing'' or ''corporate identity fraud.''

    In recent weeks, hackers have set up ''cloned sites'' on the Internet that skillfully imitate the look and feel of the sites of major financial institutions, online service providers, or E-commerce companies, and that use domain names that are confusingly similar to the marks of these legitimate companies. These fraud artists then send mass e-mails to depositors, subscribers, or other customers of the legitimate companies, directing them to the cloned site where they are asked to provide social security numbers, PIN numbers, credit card numbers or other sensitive personal information, purportedly to ''verify,'' ''update,'' or ''renew'' their accounts. As the chairman of the FTC recently observed, ''Phishing is a two time scam. Phishers first steal a company's identity and then use it to victimize consumers by stealing their credit identities.''

    Phishing is thus not only of concern to law enforcement agencies, consumer protection groups, intellectual property owners, and network security specialists: it also threatens the personal privacy of every consumer who is active online. Ready access to accurate Whois data can play a critical role in determining who is engaged in this scam and in bringing them to justice. Indeed, if the quality of Whois data were considerably more accurate than it is today, then it would be that much more difficult for this type of destructive fraud to be carried out.

    Whois data has other important uses. It helps parents know who stands behind sites their children visit online; it helps consumers determine who they are dealing with when they shop online; and it plays a role in ferreting out the source of e-mail spam. In short, all Internet users need Whois to provide essential transparency and accountability on the Internet. We all have a stake in preserving and enhancing real-time access to this database, and in improving its quality and reliability.


    Of course, Whois cannot perform the critical functions I have just mentioned if the data it contains is false, incomplete, inaccurate or out of date. As the record of your May 2002 hearing amply demonstrated, at that time the quality of Whois data was deplorably bad. So has the situation changed since then? In a word, no.

    The Whois database remains riddled with inaccurate data. This problem has been so well documented, particularly in the work of Ben Edelman of the Berkman Center, that there is little I need to add to his statistical studies and anecdotal examples. Suffice it to say that the specific example of obviously false Whois data that I cited to the subcommittee in my testimony almost sixteen months ago remains in the database today. Indeed, the Whois data for this domain name was even updated in December 2002—but apparently only to change the registrant's ''name'' from ''DVD Copy HQ'' to ''Rico Suave.'' The address—1000 Lavaland Lane, Flabberville, CA—remains unchanged, and is obviously phony.

    Accuracy of Whois data was the focus of last year's hearing. But the accessibility of Whois data is also a critical issue, and on that front it is clear that conditions have worsened since last May. For example, one of the key mechanisms for providing public access to Whois—''bulk access''—is in a shambles.

    Under their contractual agreements with ICANN, domain name registrars are required to make Whois data on their registrants available under license in bulk. This ''bulk Whois data'' is used by licensees to create value-added services, such as those marketed in connection with trademark searches. The ''bulk Whois'' obligation has never been popular with registrars, partly because the ICANN contract caps the license fees they can charge. But over the past year, registrars have taken matters into their own hands. They have evaded or defied their contractual obligations to ICANN, and have essentially eliminated bulk access to Whois data.

    Some registrars have imposed onerous ancillary restrictions in their bulk access contracts; others have deleted most of the registrations from their database before making it available via bulk access; other registrars have just stopped offering these licenses, even though they promised ICANN they would do so. ICANN has done nothing to stop this. As a result, since so little of the total universe of Whois data can be obtained under bulk licenses, many of the value-added services have been withdrawn from the market.

    The agreements with ICANN also require that registrars make Whois information available in response to queries from the public, including via the Web. To date, most registrars continue to make some Whois data publicly available on a retail basis. But too often the data available is incomplete, provided in non-standard formats, or simply not fully accessible. At the same time, many registrars advocate changes to ICANN policies that would allow them to significantly reduce public access to Whois data. If, in the near future, registrars decide unilaterally to restrict query-based public access, just as they have done with bulk access, we have very little confidence that ICANN would move to stop them.

    I should add here that the observations above apply only to contact data on registrants in .com, .net or .org—the so-called ''legacy generic Top Level Domains,'' (gTLDs) for which Whois data is decentralized and held by each registrar, not by the centralized registry. While this still represents most of the domain name universe, the fastest growing part of that universe is found in the 243 ''country code Top Level Domains'' (ccTLDs), the two-letter domains like .us, .uk and .de (the German ccTLD, which is the world's largest). The accessibility of registrant contact data for the ccTLDs remains a patchwork quilt; while some ccTLD registries make this data readily available, others (including some of the largest ccTLDs) provide access to only very limited categories of data, or impose other restrictions on access that make it much more difficult to employ Whois.

    Since the last hearing, and no doubt stimulated in great part by this Subcommittee's clear interest in the topic, ICANN has taken some steps to address the problems with Whois. However, they fall far short of an effective response to the reality of continued low data quality and reduced access.

    The main step taken by ICANN management was to establish a centralized mechanism for receiving complaints of false contact data in Whois and passing these complaints along to registrars for action. ICANN even went so far as to threaten one registrar with the loss of its ICANN accreditation if it failed to respond to a handful of specific complaints. But it is very difficult to tell if the creation of this complaint mechanism has had any real impact on the problem of false Whois data. ICANN has released very few statistics on the operation of the complaint system, and we understand that some registrars take the position that they are not even obligated to report back to ICANN on what action, if any, they have taken in response to a complaint.

    ICANN's Generic Name Supporting Organization (GNSO) has also undertaken a protracted process of examining Whois policy issues in an attempt to achieve consensus on what changes are needed. During its life span of over two years, the Whois Task Force conducted a massive online survey about how Whois was being used and what users expected from the system. It also issued a number of interim, draft and final reports. But in the end, the thousands of man-hours devoted to this effort produced remarkably little progress in addressing the problems plaguing Whois.

    With respect to improving the accuracy of Whois data, in particular, the Task Force considered a number of proposed recommendations to require registrars to do more, in at least some circumstances, to increase the chances that the registrant contact data they are collecting is bona fide. Virtually all these proposals were rejected, deferred, or watered down to almost nothing. Inexpensive programs are available to registrars that will at least help screen out some false contact data; but registrars have shown little willingness to take even minimal reasonable steps to improve the quality of Whois data.

    The final decision adopted by the Task Force and ultimately ratified by the GNSO and the ICANN Board boils down to this: registrars will be required to provide a reminder and an opportunity at least annually for registrants to update or correct their contact data in Whois. This extremely modest reform is likely to have little or no effect on the real problem: registrants who intentionally provide false contact data because they are making uses of domain names for which they do not want to be found.

    Finally, with regard to the chaotic state of Whois accessibility in the ccTLDs, ICANN essentially seems to have thrown in the towel. The recent establishment of a country code name Supporting Organization (ccNSO) within the ICANN framework is certainly a positive step; but the scope of the ccNSO's jurisdiction is extremely circumscribed and appears to rule out any policy role for ICANN on Whois issues.

    In short, the current stance of ICANN on Whois reflects an all too familiar theme. Within the gTLD environment, the contractual framework for a viable Whois policy is already in place. In order to be accredited by ICANN to register domain names, registrars are required to notify registrants about the need to provide accurate, complete and current contact data; to obtain their consent for making this data available to the public through Whois; to take steps to ensure that the data is in fact bona fide; to respond to reports of false contact data (including by canceling registrations that are based on false data); and to make specified Whois data available to the public, both in real time on an individual query basis, and through bulk access, under specified terms and conditions. The problem is—and the problem has long been—that these obligations have never been effectively enforced by the one entity with clear authority to enforce them: ICANN.

    Copyright and trademark owners, and the organizations that represent them, support ICANN. We support the underlying concepts of this great experiment in private sector self-management of a critical Internet resource. Through the Intellectual Property Constituency, we have participated actively in the many and manifold ICANN policy development processes, including those related to Whois, and will continue to do so. Much can be accomplished through dialogue in the ICANN framework, and we remain deeply engaged in that dialogue. But it is essential that ICANN understand that its failure to effectively tackle the problems plaguing Whois—which translates, to a great extent, to its failure to effectively enforce the contracts it has entered into with registrars and registries—is severely testing this continued support and engagement.

    Under new leadership and with a reformed structure and charter, ''ICANN 2.0'' is laying great plans to take more comprehensive steps to ensure stability and security in the Domain Name System. But all those plans depend upon the development and implementation of voluntary agreements with key players. Unless and until ICANN can instill greater confidence in its approach by effectively enforcing the agreements it has already entered into, its future plans, and indeed perhaps its future viability, will remain shrouded in uncertainty.

    The success of the ICANN model for private sector, consensus-based management of the DNS depends upon scrupulous observance of the contractual undertakings which embody the policies developed by ICANN. The widespread failure of registrars to abide by those undertakings with respect to Whois, and the even more disturbing failure of ICANN to enforce those undertakings vigorously, does not bode well for the success of the ICANN model. Accreditation by ICANN as a domain name registrar is not an entitlement, but a privilege regulated by contract; and ICANN has not effectively used the power to revoke accreditation in order to achieve higher levels of compliance with contractual commitments.

    Mr. Chairman, in our testimony at last year's hearing, we said that, with respect to the problems of accuracy and integrity of the Whois database, ''the buck stops with ICANN.'' I believe that you and Mr. Berman have correctly recognized that this statement is incomplete. In many respects, the buck stops with the Department of Commerce, which oversees and manages the relationship with ICANN as part of the overall task of managing the Domain Name System. That relationship is at a critical juncture with the impending expiration of the Memorandum of Understanding between the Department and ICANN. We believe that your letter of August 8 to Secretary Evans correctly framed many of the key questions that need to be answered in fashioning the terms and conditions under which that MOU will be extended past September 30.

    The staff of the Department of Commerce, and the other US government representatives who have participated in ICANN, have certainly played a constructive role in encouraging ICANN to step up to the issues of Whois availability and accuracy. We believe that they can and should do more. Here are some specific proposals which we urge DOC to consider.

 (1) Obtain an ICANN commitment to contract enforcement, embodied in the MOU. As I have already noted, the ineffectiveness of ICANN's enforcement of its agreements with registrars and registries has repercussions far beyond the issue of Whois. It is long past time for ICANN to commit to devoting adequate resources to the contract compliance, monitoring and enforcement functions, and to providing greater transparency in its enforcement efforts. In the MOU, ICANN should make this commitment, and also agree to much more detailed reporting on its efforts to ensure that registrars and registries meet their responsibilities with regard to Whois data quality and accessibility, among other issues. If ICANN demonstrates its readiness to prioritize contract enforcement activities, DOC should in turn be supportive of proposals for a moderate increase in the per-registration ICANN assessment fee collected by gTLD registrars, if this is needed to achieve adequate funding.

 (2) Keep a close eye on the Whois policy development process. Following a successful and informative set of workshops on Whois at its recent Montreal meeting, ICANN is embarking on a new phase of policy development activities with respect to Whois and privacy issues. While a number of issues could legitimately enter into this debate, these activities will be most constructive if they focus on incremental steps, particularly in improvement of the quality and accuracy of Whois data, rather than on more sweeping changes that could reduce or restrict access to Whois data and thus undermine the transparency and accountability that Whois can provide. ICANN's CEO has already stressed the important role of governments in the reorganized ICANN framework for developing policy. The U.S. government should step up to this role in the case of Whois.

 (3) Build an international constituency for Whois within the ICANN Governmental Advisory Committee (GAC). Ordinary Internet users all around the world will benefit from the increased transparency and accountability that Whois can provide if the quality of its data is improved and if ready access to the data is maintained and enhanced. The governments that participate in the GAC will also benefit, since public access to accurate Whois data facilitates key government functions such as law enforcement, consumer protection, and protection of children from inappropriate online activities. However, these broader public safety and governmental concerns are not always voiced within the GAC, whose participants can be influenced by other bureaucratic and ideological goals. The US government participants in the GAC should make it a priority to build international support for the role of Whois, and to promote awareness of the social costs of restricting access to Whois or failing to address the accuracy issue.

 (4) Push for best practices on ccTLDs. Although ICANN may not be in a position at present to develop binding Whois policies for ccTLDs, there is much that DOC can do, including within the GAC, to encourage other governments to move their local ccTLD registries toward improved policies. The ''GAC Principles for the Delegation and Administration of Country Code Top Level Domains,'' adopted in 2000 as a result of U.S. leadership, provide a good starting point for this discussion, and their underlying approach should be maintained. DOC should also consider how our own ccTLD registry—.us—could be promoted as a model for others to emulate. The same agency within DOC both leads the US delegation to the GAC and administers the registry contract for .us; coordination between these two roles should be enhanced.

 (5) Advocate within intergovernmental organizations for accessible and accurate Whois. The World Intellectual Property Organization (WIPO) is a key forum in this regard. Its ''ccTLD Best Practices for the Prevention and Resolution of Intellectual Property Disputes,'' adopted in 2001, offer an excellent resource for ccTLDs seeking to adopt sound Whois policies. Because of the importance of Whois as an intellectual property enforcement tool, WIPO's increased focus on enforcement best practices provides a good opportunity to reinforce the value of accurate and accessible Whois. In addition to WIPO, the International Telecommunications Union (ITU) is becoming increasingly active on issues relating to the domain name system (DNS). While it would certainly be counterproductive for ITU to usurp or supplant ICANN's role, to the extent the ITU is involved, the USG should be engaged and should advocate for sound policies that promote the transparency and accountability of the DNS.

 (6) Be alert for other international fora. Promotion of sound Whois policies should be integrated into DOC's trade policy, e-commerce, and other international activities. With regard to ccTLDs, future trade agreements should build on and improve the provisions of the Singapore and Chile Free Trade Agreements that call on signatories to promote Whois access and accuracy, as well as alternative resolution systems for domain name disputes within their national registries. DOC and other Executive Branch agencies should also consider how best to use fora such as the World Trade Organization to reduce impediments to public access to accurate Whois data, bearing in mind the obligation of all WTO member states to provide effective mechanisms against infringements of intellectual property rights, including those taking place online.


    Finally, although we recognize that this is an oversight hearing, we urge the subcommittee to also consider legislative changes that could advance the cause of accessible and accurate Whois data. Some relatively simple steps could help. For example, online criminals often submit false Whois data to evade detection when they set up an Internet site for use in carrying out piracy, fraud, or other offenses. It would make sense to adopt a provision increasing the potential sentence of a person convicted of carrying out a federal crime online, when it is proven that false contact data was intentionally submitted in furtherance of the criminal scheme.

    The more complex challenge is to enhance existing incentives for registrars and registries to handle Whois data more responsibly. It is obvious that existing incentives are insufficient. Too many registrars and registries do far too little to screen out false contact data at the time of submission; to verify or spot-check contact data that is submitted; or, at a minimum, to respond promptly and effectively to complaints of false contact data, including by canceling the domain name registrations which the false data supports. We hope that more aggressive and effective enforcement by ICANN will make a difference. But if it does not, or if the needed ICANN enforcement campaign is not forthcoming, Congress must seriously consider stepping in to provide the incentives by statute. Should this occur, CCDN would be pleased to work with this Subcommittee on appropriate legislative options.

    Thank you once again for the opportunity to testify today. I would be pleased to answer any questions.

    Mr. SMITH. Mr. Edelman?

    Mr. EDELMAN. Chairman Smith, Ranking Member Berman, Members of the Subcommittee, in the interests of full disclosure, let me pause to add one sentence to my biography. I previously worked for ICANN as a consultant, primarily making their meetings available for viewing and participation over the Internet, but to be sure, also on some substantive issues, including even Whois. Suffice it to say that we have parted ways and I am here for myself and for the Berkman Center at Harvard, not for ICANN. But let no one think I have anything to hide.

    Like Members of the Subcommittee, I've followed Whois accuracy problems for, at this point, more than a decade. My recent research has attempted to bring the issue into a new focus by finding some of the bad apples, and to the extent I am able, calling attention to them.

    Indeed, I have published lists of many thousands of domains with invalid Whois data, as well as what information I can find about their likely registrants and about the registrars who continue to serve them. I want to note that this reporting is a poor substitute for real efforts at enforcement of the sort I'll propose in a moment and of the sort that took place yesterday in Florida, when notorious false Whois registrant John Zuccarini was arrested. Ultimately, even if I write an article about a registrant, the registrant keeps the domain and the problem remains.

    With that, let me review the key findings of my research and the suggested solutions in my testimony.

    As to what's going wrong, I see two sets of problems. First, registrants face no meaningful incentives to provide accurate Whois data. Registrants can submit blatantly invalid data without fear of monetary or other sanction, and so they do.

    Second, registrars face no meaningful incentives to demand accurate Whois data from registrants, to be sure, their customers. What few incentives registrars might face are toothless, infrequently and arbitrarily invoked, and, therefore, ignored.

    The result is that in terms of accuracy, when compared with other compilations of public data, like drivers' licenses and trademark registrations, the Whois database is substantially fiction.

    With these diagnoses in mind, let me suggest five policy responses.

    First, a reduction in the leniency of opportunity to cure intentionally invalid data. At present, when a registrant is caught with invalid Whois data, the registrant can fix it without penalty. Sounds great, but so long as this is the policy, why would a registrant ever provide correct data in the first place? Some form of sanction, be it forfeiture of the domain or payment of a fine, is necessary to discourage intentionally invalid entries.

    Second, for registrants with multiple domains with intentionally invalid data, forfeiture of all domains when any are to be canceled. For a registrant with, say, 5,000 domains, it's laughable to seize just one. The registrant will never notice and certainly will never much care.

    Third, statistically valid surveys of registrars' Whois accuracy with public reporting of each registrar's performance. Registrars with poor records can expect a sort of public humiliation, at the very least, invitations to explain themselves before Committees like this one.

    Fourth, improvements in transparency of ICANN's Whois complaint system. At present, the status of Whois complaints is largely unknown. There is no systematic way to track which registrars act on complaints and which ignore them. Publishing the complaints and their dispositions would be beneficial to all, would allow researchers, the press, and this Subcommittee to know which registrars are doing best, and to be sure, which worst at Whois accuracy.

    Finally, if reporting and suggestions three and four didn't succeed in inspiring registrars to demand accurate data from their customers, ICANN or the Department of Commerce could impose financial and other penalties on registrars with the worst Whois accuracy records. It may sound far-flung, but it's actually hardly unprecedented. ICANN's contracts with registries already impose financial sanctions for poor performance.

    I appreciate the opportunity to offer these suggestions and I look forward to working with the Subcommittee in the future.

    Mr. SMITH. Thank you, Mr. Edelman.

    [The prepared statement of Mr. Edelman follows:]

    Mr. SMITH. Mr. Farnan?


    Mr. FARNAN. Good afternoon. I would like to thank Chairman Smith, Ranking Member Berman, and Members of the Subcommittee for the opportunity to testify today. We welcome your Subcommittee's leadership in dealing with the serious issues associated with use of the Whois database.

    Cyber Division investigators use the Whois database every day. Querying of domain name registries is the first step in most cyber crime investigations. While this process identifies the entity responsible for operating an Internet site, it does not provide identifying information about users of that site.

    For instance, we may receive a complaint that a website is being used to solicit personal, credit card, or financial information. Our first task is to identify the operator of that site using the Whois database. We will query the domain name registry where the target domain is registered. If the information in the registry is accurate, it will show the name, location, and contact information for the operator of that site. With this information in hand, we know where to direct the appropriate legal process to obtain additional information.

    Unfortunately, there is no system for authenticating information provided to domain name registries other than to ensure that the payment mechanism, usually a credit card, is authorized at the time the domain name was purchased. In other words, a stolen credit card may be used to purchase a domain name and provide fictitious information which is never checked or verified.

    In addition to law enforcement's use of domain registry information, system administrators use this information to identify sites that may be causing technical problems over the Internet or which are the source of certain abuses, such as viruses or other malicious code, and then use this information to contact the site owner to advise them of the problem.

    I have two examples of cases in which Cyber Division investigators and analysts use the Whois database. In a significant intellectual property rights investigation, a site that was used to host pirated computer software had a domain name that was registered with fraudulent information. Investigators took logical steps to identify the subject who owned and operated that site, but the fraudulent information in the domain name registry substantially hampered the investigation at its critical early stages.

    To obtain valid identifying information regarding the subject's location, investigators were required to implement more complex and time-consuming legal processes through a series of Internet service providers associated with Internet traffic to and from the subject website. The subject was ultimately identified and prosecuted, although the process was substantially lengthened and complicated due to the inaccuracy of information provided to the domain registry. A delay of this type in identifying subjects and locations of relevant computers could result in the loss of critical evidence or the complete failure to locate subjects.

    In a second case, we received information that a particular website contained images of child pornography. Our analysts used Whois to identify the Internet Service Provider, or ISP, hosting the website. Soon, a subpoena to the ISP generated a response which provided significant leads, including web logs that generated activity in foreign countries, as well as a name for the owner/operator of the original website. There was no other identifying information on the owner/operator. Analysts searched other databases and eventually linked the subject to a previously unknown website. Using the name of the new website matched with the subject's name, and again using the Whois database, analysts were able to completely identify the subject and a geographic location.

    In this example, Whois was used twice, first to generate a single subpoena to the proper ISP, and secondly, to positively identify the subject. Without the assistance of the Whois database, analysts would have had to rely on more conventional search methods which would have led to dozens of subpoenas being issued with no certainty the true subject would have ever been identified.

    The use of these more conventional investigative methods is extremely time consuming and resource intensive. The Whois database greatly enhances the accuracy of the FBI's investigations as it allows analysts and agents with the ability to create—to accurately issue subpoenas, some of which may otherwise not be issued to the correct ISP.

    Our interest in Whois can be summarized in one sentence. Anything that limits or restricts the availability of Whois data to law enforcement agencies will decrease its usefulness in FBI investigations, while anything that increases the accuracy and completeness of Whois data will improve timeliness and efficiency in our cases. There are other means for obtaining this information, but these can degrade efficiency and timeliness.

    I thank you for your invitation to speak with you today, and on behalf of the FBI, look forward to working with you on this very important topic.

    Mr. SMITH. Thank you, Mr. Farnan.

    [The prepared statement of Mr. Farnan follows:]


    Good Afternoon. I would like to thank Chairman Smith, Ranking Member Berman, and members of the Subcommittee for the opportunity to testify today. We welcome your Subcommittee's leadership in dealing with the issues associated with use of the ''Whois'' database.

    Cyber Division investigators use the Whois database almost every day. Querying of domain name registries is the first step in many cybercrime investigations. This task may help identify the entity responsible for operating an Internet web site. For instance, law enforcement may receive a complaint that a web site is being used to solicit personal credit card financial information from victims. The first task for law enforcement is to identify the operator of that site. This may be accomplished by querying the domain name registry where the target domain is registered. If the information in the registry is accurate, then it will show the name, location, and contact information for the operator of that site. With this information in hand, law enforcement knows where to direct the appropriate legal process (a subpoena, court order, or other process) if additional information is required.

    Sometimes the publicly available identifying information in the Whois database is inaccurate but the non-public payment information used to purchase the domain name is valid and legitimate. In those instances, serving a subpoena on the registrar can yield the real identity of the domain owner. Unfortunately, not every domain name registrar authenticates credit card or other payment information at the time the domain name is registered. Therefore, a suspect using a stolen credit card may be able to purchase a domain name with fictitious identifying information which is never checked or verified. Obviously we would prefer that registrars take steps to increase the reliability of the Whois database, but as I will describe in a moment, there are other tools available to law enforcement to supplement the information found in the Whois records.

    Allow me to set forth the facts of a typical case in which Cyber Division investigators and analysts have used the Whois database, along with other tools, to quickly identify the targets of an investigation.

    Recently, the National Center for Missing and Exploited Children (NCMEC) and the FBI received information that a particular web site contained images of child pornography. Analysts with the FBI checked the Whois database to ascertain the identity of the Internet Service Provider (ISP) hosting the web site. (Note that this information is readily available from other public sources as well.) A subpoena for information pertaining to the web site's owner/operator was soon obtained. Two weeks later, the subpoena generated a response which provided significant leads, including web logs which indicated activity in foreign countries, as well as a name for the owner/operator of the original web site. There was no other identifying information on the owner/operator.

    Analysts continued to search other databases to locate any other possible businesses or locations affiliated with the subject. Eventually, a link was made between the subject and a previously unknown web site. Matching the name of the new web site against the subject's name, and again using the Whois database, analysts were able to completely identify the subject, including a geographic location.

    Additionally, investigators use the Whois database in investigations ranging from online fraud, threat, to computer intrusion cases. The information obtained from the Whois database is often used to generate investigative leads and is the starting point for utilizing other investigative techniques.

    As the above example shows, the publicly accessible Whois database of domain name registrations can be a useful tool in law enforcement investigations. That is not to say that Whois is indispensable, however. As I've indicated, sometimes the Whois data is inaccurate, incomplete, outdated, or deliberately falsified. If the Whois data leads to a dead-end, the FBI has other tools at its disposal to obtain information concerning the identity of domain owners. Some of those tools include publicly available sources of information similar to the Whois records. For example, in addition to the Whois database covering domain name registrations, there is an entirely different set of records covering the assignment of Internet Protocol (IP) addresses. The IP address assignment records tend to be more accurate than the Whois domain name records, and in most cases they will lead us either to the domain owner's ISP or to the Web hosting company. The publicly available sources also include technical tools such as traceroute, which ''traces'' the electronic path to a Website, and domain name service (''DNS'') lookups, which again usually reveal the ISP or the Web hosting company. Once we know the ISP or the Web hosting company, law enforcement can serve subpoenas or court orders to obtain personally identifying information for the domain name owner, or to gain leads on other useful information.

    Obviously it is quicker to use Whois to obtain instant electronic access to data that could identify the perpetrator of a crime, as opposed to serving a subpoena or court order and waiting on a third party to deliver the same information. In addition, although international cooperation is improving for computer crime and terrorism investigations, there is always the possibility of delay in getting responses to formal legal process whenever our investigations cross international boundaries. Whois can be useful in those cases, assuming the Whois data is accurate and complete, which it often is not.

    The Justice Department is aware of efforts currently underway to enable the Internet Corporation for Assigned Names and Numbers (ICANN) to address some of the public policy issues associated with the Whois database. We are aware of these discussions and have tried to ensure that law enforcement interests are clearly understood by the participants in the ICANN process. The Justice Department has stated that it does not endorse any particular solution among those now being considered by ICANN. Anything that limits or restricts the availability of Whois data to law enforcement agencies will decrease its usefulness in FBI investigations, while anything that increases the accuracy and completeness of Whois data will improve timeliness and efficiency in our cases.

    I thank you for your invitation to speak to you today and, on behalf of the FBI, I look forward to working with you on this topic.

    Mr. SMITH. Mr. Kassinger?

    Mr. KASSINGER. Mr. Chairman, Mr. Berman, Members of the Subcommittee, thank you for your warm words of welcome in your opening statements. [Laughter.]

    It's true that Assistant Secretary Victory resigned a month ago and that proved to be an opportune time, but I welcome the opportunity to be here today. This is an important subject and I'm happy to represent the Department and discuss these issues with you.

    In my prepared statement, I spent a fair amount of time discussing our thoughts about the MOU. I hope we'll spend more time on that in the question and answer session. That is a key task facing us.

    But I wanted to take this—these brief moments here to address seriatim the six questions you posed in your letter to Secretary Evans on August 8. I thought we ought to get that on the record in simple terms, so let me briefly walk through those.

    Your first question was whether—was you asked for the Department's assessment of ICANN's efforts to enforce the——

    Mr. SMITH. Mr. Kassinger, of course, there was an easier way to get that letter on the record, and that would have been to respond to us before today, but we'll let that go.

    Mr. KASSINGER. I take your point. You asked for an assessment of ICANN's efforts to enforce the Whois related provisions of the registrar accreditation agreements. In our judgment, ICANN's management, led by the new CEO, Mr. Twomey, understands the need for accurate and publicly available Whois data and is committed to improving the Whois system. Clearly, more work needs to be done in this area.

    The two developments that you alluded to, and Mr. Berman and others—the new Whois data problem report system and the data date reminder policy—are steps in the right direction. They are not enough. I would suggest, however, that there's a lot more going on than would be suggested by some of the discussion here today. Mr. Twomey has appointed a Presidential advisory body to specifically work on these issues, and as we'll discuss—and I'll discuss in answer to your other questions, there's an awful lot of activity going on. So a lot of work needs to be done, but we think things are headed in the right direction.

    Second, you asked for the steps the Department has taken to encourage ICANN registrars and registries to honor their contractual obligations. We've done a number of things in that area. First, the Department has monitored developments in the Whois arena closely since ICANN's inception and will continue to do so. The Department is particularly interested in the impact of the new complaint reporting process and the Whois update requirement on improved accuracy, but there are other things we're working on.

    Second, the Department has focused its efforts in the international arena primarily through the Government Advisory Committee, the GAC, WIPO, and the International Telecommunication Union. We're active in all those fora. Most recently, the Department took a leadership role in the June 2003 education workshop hosted by ICANN that focused on Whois issues.

    Third, the Department through WIPO and the GAC has actively encouraged the development and enforcement of best practices for accurate and publicly available Whois data.

    Fourth, the Department has advocated the adoption of Whois type registrant contact data and dispute resolution policies for ccTLD operators in bilateral trade agreements, such as the recent trade agreements with Singapore and Chile.

    And finally, we took the lead in forming a Government interagency working group to increase the effectiveness of our analyses and advocacy on these issues. This group includes representatives from the Department, including the PTO, the Justice Department, and the Federal Trade Commission. We're in the process of formulating a set of recommendations to be presented to the GAC at the ICANN meeting in October. So we're doing a lot.

    The third question you raised was the manner in which the Department intends to address intellectual property concerns in any MOU extension. This is a conversation I'm sure we ought to have in an extended way in the Q&A session, but let me just say that we have not finalized our proposal to ICANN. This question is still on the table. How to address it is a difficult one.

    Our primary focus, as indicated in the written testimony, is on matters that go to the core sustainability of ICANN. The question of how Whois data is handled would be academic if ICANN cannot survive, and we have perceived serious issues for the long term that ICANN must address in the next phase under the MOU. There is, for example, at this point, to my knowledge, no strategic plan at ICANN of where it wants to go and how it's going to get there. There is a serious question of financial resources that are essential for, among other things, to address Whois issues.

    So we have identified the seven areas that were listed in my written statement. We're considering what other items should be in the MOU. We welcome your thoughts in that regard.

    Fourth, you asked for the Department's opinion on whether the ccNSO structure and charter adopted by the ICANN board satisfy the MOU obligation with regard to ccTLDs. The short answer is no. We think it's a good thing. We support it. We support the effort to bring the ccTLDs into the ICANN world through that organization and the policies it may recommend, but our MOU requires actual agreements, and that is what we will look for.

    Fifth—I'm sorry, Mr. Chairman, I've run out of time. If you can stand the suspense, I'll address your last two questions later.

    Mr. SMITH. Okay. Thank you, Mr. Kassinger.

    [The prepared statement of Mr. Kassinger follows:]

    Mr. Chairman,

    Thank you and the members of the Subcommittee on Courts, the Internet, and Intellectual Property for this opportunity to testify on developments that affect the operation of the Internet domain name system and the enforcement of intellectual property rights in the digital environment. The Department of Commerce believes that the public domain name registrant database known as the ''WHOIS'' is a particularly valuable tool in enforcing intellectual property rights.


    The Department continues to serve as the steward of critical elements of the domain name and number system (DNS), while pursuing the policy goal of privatizing technical management of the DNS. The vehicle for achieving this goal is the Memorandum of Understanding (MOU) between the Department and the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN is the private sector entity responsible for day-to-day management of Internet names and numbers.

    The Department continues to believe that the stability and security of the DNS can best be achieved through privatization of and global participation in technical management of the system. The Department supports the ongoing work of ICANN and its efforts to engage stakeholders in its decision-making processes. The Department especially desires to see ICANN evolve into an independent, stable, and sustainable organization that is well-equipped to weather a future crisis. We are encouraged that ICANN has been making progress toward this end.

    Last year, the Department and ICANN agreed to renew the MOU for a period of one year with a focus on improving stability and sustainability. These improvements required ICANN to clarify its mission and responsibilities; to ensure transparency and accountability in its processes and decision making; to increase its responsiveness to Internet stakeholders; to develop an effective advisory role for governments; and to ensure adequate and stable financial and personnel resources to carry out its mission and responsibilities.

    ICANN made strides during the past year towards developing into a more stable, transparent, and responsive organization. It completed a reform effort that resulted in structural adjustments and refinements to its decision-making processes designed to allow for greater transparency and responsiveness to all critical Internet stakeholders. In addition, the corporation hired a new Chief Executive Officer with both management expertise and experience in dealing with this unique organization. ICANN collaborated with governments to improve communication on public policy issues by establishing liaisons between its Governmental Advisory Committee and each of the ICANN supporting organizations.

    While ICANN made progress, both the Department and ICANN recognize that there remains much to be accomplished in order for ICANN to evolve into the stable and sustainable management organization that it must be. The Department believes that the MOU, therefore, should be extended and amended to include milestones to ensure ICANN's steady progress towards that end.

    These milestones would encompass the following areas of ICANN's development: (1) a strategic plan with goals for securing long-term sustainability of its critical domain name and numbering system management responsibilities; (2) a contingency plan to ensure continuity of essential domain name system operations in the event of the corporation's bankruptcy, dissolution, or any other catastrophic failure or natural disaster; (3) ICANN's relationship with the root server system operators to enhance the security of the root server system; (4) agreements with and more involvement from Regional Internet Registries, which are responsible for allocating numbering resources within their respective geographic regions; (5) accountability mechanisms such as arbitration procedures and selection of an ombudsman; (6) agreements with and more involvement from country code top level domain operators; and (7) an appropriate long-term strategy for selecting new top level domains.

    If the MOU is amended in this manner, then ICANN should be afforded sufficient time to complete the agreed tasks. Thus, the Department intends to negotiate an extension of the MOU that is likely to exceed one year, while ensuring timely and steady progress is achieved. An extension of more than one year would allow for the completion and realization of structural and organizational changes that ICANN has initiated in the past year. It would also give ICANN sufficient time to seek and to provide opportunities for enhanced cooperation by all participants necessary to complete the tasks remaining under the MOU. The Department further is sympathetic to the view that a longer term for the MOU would permit ICANN to attract and to retain staff with the expertise critical to the success of this continued effort.

    The Department has long been concerned about the protection of intellectual property rights on the Internet. In order for the Internet to be a secure and stable network for electronic commerce, businesses must have confidence that their intellectual property can be protected in the online environment. The Department has worked for many years, domestically and internationally, to provide appropriate enforcement tools for U.S. intellectual property rights holders and to urge our trading partners to do the same.

    In 1998, when the Department first set forth its statement of principles for private sector management of the Internet name and numbering system, it highlighted the importance of intellectual property issues. In particular, the Department's Statement of Policy on the Privatization of the Internet Domain Name System on the Management of Internet Names and Addresses called for a dispute resolution policy to address cybersquatting as well as a ''searchable database of registered domain names that provide information necessary to contact a domain name registrant when a conflict arises between a trademark holder and a domain name holder.''

    The World Intellectual Property Organization (WIPO) responded to this call regarding cybersquatting by developing a Uniform Dispute Resolution Policy (UDRP) and recommending this policy to ICANN for consideration. The UDRP requires domain name registrants in all generic top level domains (such as .com, .org, .biz) to agree to an arbitration mechanism in the event that the domain name infringes a trademark holder's rights. In 1999, ICANN adopted and implemented the UDRP as its first consensus policy. It is widely recognized as one of ICANN's significant achievements.

    The Department's 1998 Statement of Policy also called for introduction of competition in the domain name registration market. In response, ICANN established a process in 1999 to accredit domain name retailers or registrars. This accreditation process for registrars was accepted by the Department and the U.S. intellectual property community as one avenue for addressing concerns regarding transparency and accountability in the domain name system. This process requires registrars to agree to collect and make available to the public contact information for domain name registrants.


    This public domain name registrant database, known as the ''WHOIS'' database, serves many important public policy needs. For example, it allows intellectual property owners to determine the identity of those conducting piracy or trademark counterfeiting operations; Internet Service Providers, hosting companies, and network operators to maintain network security and investigate technical problems; law enforcement officials to investigate illegal activities online; and consumers to identify the commercial entity with whom they are dealing online. With regard to intellectual property owners, the WHOIS database provides a quick and effective way to reach a domain name registrant that might be engaged in intellectual property infringement.

    Concern has been raised by privacy advocates and other national governments, however, about the administration of the WHOIS database, including the protection of the privacy of citizens who use the Internet; compliance with national laws that restrict the collection and availability of personal data; prevention of the use of WHOIS data for purposes of unsolicited commercial marketing; and prevention of personal contact information contained in the database from being used for purposes such as harassment or identity theft.

    The Department of Commerce is working, along with the ICANN community, to explore the issues implicated by WHOIS and to find an appropriate balance among competing public policy interests to achieve a more accurate and available WHOIS database. A number of U.S. government agencies participate in a U.S. interagency working group that is examining what changes, if any, would improve the accuracy and availability of the WHOIS database. The Department's National Telecommunications and Information Administration (NTIA) chairs that group, which also includes the U.S. Patent and Trademark Office (USPTO), the Federal Trade Commission, and the Department of Justice.

    ICANN has provided a valuable international forum to seek consensus on WHOIS issues on a global scale. The Department participates in the ICANN discussions through its representation within the Governmental Advisory Committee. An NTIA representative sits on the Governmental Advisory Committee and works closely with the USPTO to ensure that the United States' intellectual property interests are recognized and taken into account in ICANN's policies.

Top Level Domain Registry Agreements

    All ICANN agreements with generic top level domain registries include WHOIS database requirements. The newer registry agreements (e.g., .biz, .name, .pro) provide for more robust WHOIS data collection at the registry level. ICANN's registrar accreditation agreements require registrars to collect, to maintain and to make publicly available, up-to-date WHOIS data for registrants in the generic top level domains. These agreements require registrars to have written agreements with each registrant to provide accurate registrant contact information, to update such data promptly, and to respond in a timely manner to a registrar's request regarding the accuracy of such data. A registrant's failure to meet these requirements constitutes a breach of this agreement that can result in the cancellation of that registrant's domain name. In addition, ICANN adopted a new policy in June 2003, the WHOIS Data Reminder Policy (WDRP), which now requires all accredited registrars to contact each registrant, at least annually, to confirm the accuracy of their contact information or to make necessary corrections. Failure to do so can result in domain name cancellation. This new policy goes into effect as of October 31, 2003 for existing accredited registrars. All new accredited registrars must comply with this policy as of the date of their agreement with ICANN.

    In addition, ICANN has established a central mechanism for receiving complaints about false WHOIS data. The ''WHOIS Data Problem Reports'' system has been operational for almost 12 months. During that time, ICANN has received 15,458 problem reports, concerning 10,271 unique domain names (some names were the subject of multiple reports). ICANN forwards complaints received to the relevant registrar for investigation and resolution under the terms of the registrar accreditation agreement. While most of the reports concerned inaccurate WHOIS data, some of the reports were general queries or misdirected attempts by registrants to update their contact information with their registrar. At present, the total number of all registrations in generic top level domains is a little over 30 million names (registrations in .com represent a little less than 25 million of that number). Thus, if all of the more than 10,000 reports received by ICANN over the course of the past year represent inaccurate data, these complaints would total only 0.03% of all registrations. ICANN is currently working to improve the functionality of this system, including making it easier for registrars to process and report on the status of individual investigations and making the operations more transparent for persons submitting problem reports.

    These contractual obligations and reporting mechanisms are important tools for ensuring continued access to accurate WHOIS data. Concern has recently been raised by users of this WHOIS data that some ICANN accredited registrars may not be abiding by the terms of their agreements with ICANN. We share these concerns, and are thus gratified that ICANN's new President and CEO, Dr. Paul Twomey, has demonstrated an understanding and commitment to resolving WHOIS issues, including enforcement of its registrar agreements. Enforcement should also improve as new staff is hired. Moreover, the new WHOIS complaint reporting system and newly adopted WDRP are important developments in improved WHOIS accuracy.

    Lastly, ICANN conducted an educational workshop at its June 2003 meeting to encourage dialogue within the ICANN community on WHOIS and to promote the development of consensus policies to address concerns. As a favorable response to this workshop, several stakeholder groups, including the intellectual property community, have begun additional work on the technical and policy aspects of collection and dissemination of WHOIS data.

Country Code Top Level Domains

    Appropriate tools for intellectual property enforcement are equally vital in the context of country code top level domains. Sales of these country code top level domain names, such as those within .uk, are growing at a faster rate than sales of generic names, such as .com. Because it has very few agreements with operators of country code top level domains, ICANN can only attempt to influence best practices in these domains, including the development of accurate and available WHOIS databases. Moreover, registrar accreditation agreements currently apply only to registrations in generic top level domains. Through informational sessions and discussions on the many uses of the WHOIS database, such as the June 2003 workshop, the Department expects many country code top level domain operators to acquire a better appreciation for the expectations of other ICANN constituencies regarding the accuracy and availability of WHOIS data in those name spaces, and to adopt practices consistent with those expectations.

    Achieving stable agreements with country code top level domain operators should be one of ICANN's top priorities. While ICANN continues to make progress towards establishing such agreements, forward movement has been slow. ICANN must develop a framework agreement that not only appeals to the majority of country code top level domain operators, but also recognizes differences in national law and other national sovereignty concerns. In this regard, the Department is pleased that the ICANN Board recently adopted bylaws creating a new supporting organization representing country code top level domain name operators. This supporting organization will be an important forum for ICANN to address policies on cross-cutting issues such as WHOIS and in working towards a country code framework agreement.

    In the ICANN forum, the Department has actively encouraged the adoption of a dispute resolution policy to address cybersquatting as well as the collection and public availability of registrant contact information in country code top level domains. The Department uses its own agreement with the operator of the United States country code top level domain, ''.us,'' as a model of the way that such a domain can be administered consistent with intellectual property protection. Provisions in the .us contract with NeuStar, Inc., include a sunrise period for pre-registration of trademarks when the expanded name space came online, a dispute resolution procedure to address cybersquatting, and a robust WHOIS database of domain name registrant contact information. Moreover, the .us WHOIS database is centralized at the registry level to permit any interested party to search all registered names in .us without having to conduct multiple searches of the data collected by individual .us registrars.

Other International Efforts

    The Department's efforts to protect intellectual property rights in the domain name system have not been limited to its relationship with ICANN. The Department, through the USPTO, participates in WIPO, an important global forum for the debate of intellectual property issues including those pertaining to the digital environment. At the request of the United States and other WIPO members, discussions on appropriate WHOIS policies for both generic and country code domain names have long been underway. In 2000, WIPO launched a program to assist country code top level domain managers in the design of appropriate domain name registration practices, including WHOIS database and dispute resolution procedures. In 2001, WIPO published Best Practice Guidelines for country code top level domain managers that set forth minimum standards for the protection of intellectual property in the country code top level domains. The WIPO guidelines will be an important resource for ICANN's new country code supporting organization.

    The Department is also addressing these issues in bilateral free trade agreements by advocating that these agreements include commitments by governments that their country code top level domain operators will provide WHOIS-type registrant information and a cybersquatting dispute resolution procedure. As a result of this advocacy, such provisions were included in the free trade agreements between the United States and Singapore and the United States and Chile.


    The Department remains committed to enforcement of intellectual property rights in the digital environment. We recognize that accurate and available WHOIS data is also a useful tool for law enforcement officials, network operators, and consumers, among others. For these reasons, the Department will continue to advocate in ICANN fora and other appropriate venues for a more accurate and available WHOIS database and will work to ensure that U.S. intellectual property rights holders are provided appropriate enforcement tools in generic and country code top level domains.

    Mr. SMITH. Let me address my first question to Mr. Metalitz and Mr. Edelman. Mr. Metalitz, you mentioned that you thought the Whois database was and is deplorably bad. Mr. Edelman, you called the Whois database substantially fiction. Do you think that any of the seven milestones mentioned by the Department of Commerce—we just heard about five and there are two others you may be familiar with—are any of those milestones or anything that you've heard or seen from the Department of Commerce to date convinced you that we're on the verge of having accurate, reliable database—Whois database that is going to be helpful in the future? Mr. Metalitz?

    Mr. METALITZ. Mr. Chairman, the—none of the seven milestones that are listed in the Commerce Department's written testimony address this directly or even indirectly.

    Two of them do talk about entering into new agreements, in one case with the country code top-level domains and in another case with the regional Internet registries, and this is why we think the question of contract enforcement is so important in evaluating ICANN at this point. But certainly in the list of seven milestones that were in the written testimony, there is nothing that directly relates to Whois or that will have much impact in this area.

    Mr. SMITH. Mr. Edelman?

    Mr. EDELMAN. I stand by Mr. Metalitz's comments.

    Mr. SMITH. Okay. Fair enough. Let me address my next question both to Mr. Edelman and Mr. Farnan, and this goes to the Department of Commerce assertion that ICANN provided inaccurate data—complaint record amounts to only about three one-hundredths of 1 percent. That is contradictory to the testimony that you have given, Mr. Edelman—as far as that goes, testimony of Mr. Metalitz. But Mr. Farnan said in his testimony that the Whois database was—the ICANN provided Whois database was often inaccurate and incomplete in cases that you needed it to be complete and accurate.

    Mr. Edelman and Mr. Farnan, what do you think of that suggestion that the inaccurate data is just a small percentage of the overall? Mr. Edelman?

    Mr. EDELMAN. First, I don't want to mischaracterize Mr. Kassinger's testimony. As I read it here on page four, he points out that if one takes the quotient of the number of complaints received to the number of domains in existence—that is about 10,000 divided by about 30 million—the result is three one-hundredths of a percent.

    Mr. SMITH. Right.

    Mr. EDELMAN. To be sure, no one is saying that every domain with invalid Whois data has been the subject of a complaint. Quite the contrary.

    Mr. SMITH. That's the point.

    Mr. EDELMAN. So that would not be a statistic that would really provide any information whatsoever as to the number of domains with invalid Whois data. It's a difficult subject to estimate. I've attempted to do it on some occasions. Certainly, I had no trouble in a project conducted while a full-time college student in identifying 12,000 domains in the space of perhaps just a few hours of work designing the algorithm to do the research and then some additional work preparing the lists and publishing them.

    I suspect the true answer is on the order of several percent. I wouldn't be surprised if it was as high as 10 percent. These are on the order of two to even three orders of magnitude larger than the written testimony would suggest.

    Mr. SMITH. Okay. Thank you, Mr. Edelman.

    Mr. Farnan?

    Mr. FARNAN. Sir, based on what we do for a living at the FBI, we don't accumulate the kind of statistics that would be directly responsive to what Mr. Kassinger testified to. But what I can tell you is this. When we go to Whois, we access Whois, we would not take the information directly from Whois and put it instantly into an affidavit, for example, or other kind of court document. We would verify that what we're getting from Whois is accurate, and we do that on a regular basis. So we would not rely on Whois explicitly. That's probably the best I can do to answer that one.

    Mr. SMITH. Okay. Thank you, Mr. Farnan.

    Mr. Kassinger, let's pursue that question of how accurate the Whois database is. Would you agree that your three one-hundredths of 1 percent is not representative of an accurate database?

    Mr. KASSINGER. The data were not put in that testimony to suggest that it was, and I think the previous witness identified that correctly. That may just be the tip of the iceberg. However, I'm very interested——

    Mr. SMITH. If it's just the tip of the iceberg, why did you use it, or why did you not admit to a larger inaccuracy?

    Mr. KASSINGER. The point wasn't to assert the value of inaccuracy one way or the other. The point was to show that the system is up and running, and I understand that it is ramping up and they're getting more and more names. It is not the answer to inaccurate data.

    But Mr. Chairman, if I might say, we heard a characterization of the problem as—of the Whois database as substantially fiction, and yet the high-end number we've just gotten here was 10 percent. Now, one of the real issues here is we don't know how widespread it is. Clearly, it's a large problem. I think one of the suggestions made in testimony earlier was to invest in resources and identifying the number of registrars that are bad actors and developing better data. We would support that.

    Mr. SMITH. Yes. I think you made a fair point about the 10 percent figure used by Mr. Edelman, and maybe he can refer to it a little bit later on, and I thought of substantial fiction and thought it might be more than 10 percent. On the other hand, I think it's also a fair point to make that your mentioning that three one-hundredths of 1 percent was a little misleading when, in fact, those were just sort of self-initiated complaints and really not a real reflection on the inaccuracy found at the Whois database.

    My time is up, but I'll return with some more questions in a minute. The gentleman from California, Mr. Berman, is recognized for his questions.

    Mr. BERMAN. Thank you, Mr. Chairman.

    At least in this round, I'd like to start with Mr. Edelman. Just first of all, thank you very much for coming in, for your—the candid nature of your testimony. I think it dispels a lot of the rationalizations for failing to improve Whois and gets to the real reason why we have seen so little progress on this issue. I'd like to ask you a few questions just—in some cases they repeat points you make, but I think sometimes it's worth hearing them several times.

    Just on your first point, Mr. Smith, the Chairman, brought this out. For those of us who are really stupid in math, two or three times the order of magnitude is different than two or three times. I take it you're distinguishing between three-hundredths of 1 percent of complaints received and what you think might very well be two or 3 percent, and perhaps up to 10 percent, of the 30 million domain names have misleading information.

    Mr. EDELMAN. That's quite——

    Mr. BERMAN. It's not a multiple, it's an exponential kind of——

    Mr. EDELMAN. It's an exponential, and order of magnitude refers to a power of ten, so two orders of magnitude would be a factor of 100 and three a factor of 1,000.

    Mr. BERMAN. That's what I wanted. Thank you. Okay. I knew there was something there—— [Laughter.]

    —but I couldn't say it. Do you believe that accurate and complete Whois databases can exist with adequate privacy protections, and if so, could you elaborate?

    Mr. EDELMAN. Absolutely. There are a number of ways that accurate Whois data could take place at the same time as individual privacy is protected. The easiest way to think about this is a post office box operated by the U.S. Postal Service. It's quite easy to register a box at the post office and then have the post office receive your mail, perhaps even without distributing your name to those organizations or companies sending you mail.

    Similarly, one can register a domain name with a registrar that provides a sort of escrow service whereby the registrar puts its own name in place of the registrant's name and accepts the legal responsibility for passing communications on to the actual registrar as received. This takes place——

    Mr. BERMAN. Actual registrar or actual registrant?

    Mr. EDELMAN. Actual registrant. Please excuse my mistake. And this takes place already for a very small supplemental fee. Registrar "GoDaddy," one of the largest five registrars currently operating, has this service. Others use their lawyers. You can imagine any of a number of other services that could provide this escrow facility.

    Mr. BERMAN. Thank you. Do reasonably effective and inexpensive mechanisms exist with which registrars could substantially improve the accuracy and completeness of Whois data?

    Mr. EDELMAN. Yes. The irony is that many registrars are already using such systems to make sure that they get paid. When they receive a credit card number, they want to verify that that credit card is actually a valid credit card, one for which they will receive payment from Visa or Master Card, so they cross-check the name on the credit card with the address initially offered. At that point, there is good reason to believe that someone, at least, has this credit card with that name. Perhaps it's stolen, but that may be a de minimis problem.

    On the other hand, they subsequently allow changes. You could change your registrant name, certainly your address and your phone number, at which point your Whois data could be full of intentional errors.

    Mr. BERMAN. In your opinion, is cost and potential lost revenue one of the major reasons registrars fail to verify the accuracy and completeness of Whois data? In other words, is it at the present time, given the nature of enforcement, is it in their registrars' financial interest not to verify the accuracy and completeness of Whois data beyond their billing and collection purposes for registration?

    Mr. EDELMAN. I think the cost of conducting verification is one of the factors at issue here, but I'm not sure it's the largest factor. I think the largest factor is probably that any registrar conducting these sorts of verifications would tend to drive customers away. The very lucrative customers registering 10,000 domains, perhaps putting pornography on all of them and attempting to encourage children to access them, these are good customers to a registrar because they pay their fees every year and they have a large number of domains. One wouldn't want to send away that sort of customer unless it was absolutely necessary, say, due to active enforcement efforts by ICANN. And so we see registrars continuing to serve that sort of customer because, at least so far, they can.

    Mr. BERMAN. So that I take from those comments that this might be the classic case where effective minimum standards and enforcement of those standards removes the competitive advantage of—of no—of inadequate efforts to get accurate information.

    Mr. EDELMAN. Precisely. Without that sort of regulation, there would tend to be a race to the bottom, which I believe is what we've seen so far.

    Mr. SMITH. Thank you, Mr. Berman.

    The gentleman from Texas, Mr. Carter, is recognized for his questions. The gentlewoman from Wisconsin, Ms. Baldwin, is recognized.

    Ms. BALDWIN. Thank you, Mr. Chairman.

    Mr. Kassinger, I wanted to use the opportunity presented by this hearing to call your personal attention to a related matter, a matter that Senator Cantwell raised in a recent Senate Subcommittee hearing and which has been addressed in legislation introduced in this House by Representatives Baird, Pickering, Inslee, McDermott, and Case, embodied in H.R. 2521.

    ICANN has indicated that it will soon grant an exclusive contract to one company to process requests by consumers for back-order domain names. In an August 15 letter, a written response to Senator Cantwell's question, Assistant Commerce Secretary Nancy Victory assured that Senate Subcommittee that the Department was authorized to evaluate in advance of granting approval how such activities undertaken by ICANN could affect the public interest.

    I'm concerned about whether this exclusive contract is necessary since the current system has resulted in competition among a multitude of small business registrars, domain registrars, and competition has also led to lower prices for domain names on this secondary or back-order market.

    Therefore, I am asking that you evaluate the impact of the ICANN proposal, the impact that it will have on consumers and the nearly 100 small and medium-sized businesses that are currently competing in this business market and report back to us on the matter before the exclusive contract is approved. Obviously, I'm not asking for you to provide that analysis immediately. I understand that you cannot do so today. But I would note that significant time sensitivity does exist and I would welcome your cooperation in that matter.

    Mr. KASSINGER. Congresswoman Baldwin, we certainly will get back to you on that. If I understand the subject of your question correctly, it has to do with the proposed Verisign WLS contract——

    Ms. BALDWIN. Yes.

    Mr. KASSINGER. That, first of all, I should clarify, is not an ICANN proposal. It's a Verisign proposal that they must submit and work through the ICANN process for approval. I'm not sure it's exclusive. I just think it's a proposed service that they would have to get approved.

    By virtue of our legacy agreements, we do, in that particular situation, have a right and responsibility to review the ultimate agreement and we will do so. We have not been presented with such an agreement yet so there's nothing yet to analyze. But when it is presented, if and when it's presented, we certainly will analyze it and get back to you about that.

    Ms. BALDWIN. I think part of my concern is the appearance that it's gearing up and ready to be unfolded on a very short timeline, maybe on a 1-year trial basis. But we're certainly eager to see the results of a thorough analysis, especially its impact on consumers in terms of price as well as on the multitude of small and medium-sized businesses that are potentially going to be displaced by this activity.

    Mr. SMITH. Thank you, Ms. Baldwin.

    Mr. Kassinger, let me return to a couple of the points that I was making before, but let me quote from your written testimony, where you say registrants that fail to provide such information, meaning accurate database information, to their registrar run the risk of losing their domain name. Failure to do so can result in domain name cancellation.

    Why is it that ICANN seems not to enforce the contract with the registrars? Why has there not been a single cancellation? Why has not a single accreditation been revoked? It seems to me that that would indicate pretty strongly that there's not a real seriousness of intent by ICANN or by the Department of Commerce to have an accurate and reliable Whois database.

    Mr. KASSINGER. Mr. Chairman, I don't know fully the answer to your question of why ICANN has approached the problems evidently raised by the Administration of the registrar agreements, in the way they have, but I think there are pretty clearly a couple of forces at work.

    One is resources. There are roughly 170 registrar agreements. A substantial number of those are overseas. The threat of cancellation of an RAA on the basis of breach is a pretty serious one and ICANN understandably has to approach that carefully. It could find itself pretty quickly in a lot of litigation, which it's not, in my judgment, equipped to handle, financially or otherwise.

    So I think the approach of ICANN has been to work through the various constituencies to identify reasons why, as mentioned earlier, there seems to be a number of disincentives to adhere to these agreements. I think Congressman Berman used the phrase preventive—prevention earlier, and I completely agree. In general, it's much better to use preventive medicine than it is to try to cure a problem later, and I think that generally has been the approach ICANN has been trying to follow.

    Mr. SMITH. Mr. Kassinger, if you've been using prevention, it hasn't worked, and if you don't enforce, the message you send is that you don't care or it's not important. And regardless of the inaccuracy rate, whether it's 10 percent plus or minus, that's still way too high. My guess is it could be more from anecdotal information. And 10 percent, as I say, is a huge number when you look at how much, or how much that data is relied upon by so many individuals and so many organizations.

    But let me address my question maybe to Mr. Metalitz, Mr. Edelman, and perhaps Mr. Farnan, as well. What is your opinion? If there is no enforcement, if there is no revocation of accreditation, if there is no sort of effort to have registrars comply with the contracts that they have with ICANN, do you think that that's part of what accounts for the substantial inaccuracies in the Whois database? Mr. Metalitz?

    Mr. METALITZ. I think it's definitely a causative factor. I think this really gets back to the questioning that Mr. Berman posed to Mr. Edelman. One of the reasons why registrars accept so much bad data is that there's no penalty for doing so. Not only do they not have to expend even the minimal cost of verifying data, but they—there's no penalty if they just let anybody come in and put any data they want in the Whois database. So if that provision were enforced, if action were taken or case files were opened to enforce those provisions against some registrars, I think it would have a salutary effect.

    Mr. SMITH. Okay. Mr. Edelman?

    Mr. EDELMAN. I agree, of course, with Mr. Metalitz. The core problem here is a lack of oversight by ICANN, encouraging the registrars to accept anyone who comes with money or credit card in hand wanting to register a domain, be it with truthful or with intentionally invalid Whois data. A registrar has the choice between making some money or turning away a would-be customer to one of its competitors. In that context, it's not hard to understand why the registrars always choose the former.

    Mr. SMITH. Okay. Thank you, Mr. Edelman.

    Mr. Farnan?

    Mr. FARNAN. Sir, from a law enforcement perspective, anything that can be done that would increase the accuracy of the information in Whois would be helpful. Anything contrary to that is not helpful, and I walk a very fine line between suggesting how that can be fixed, which I don't believe is our place from the law enforcement community, but our point is that to the extent that the information is inaccurate causes us to expend more resources and more time to find the accurate data.

    Mr. SMITH. Okay. Thank you, Mr. Farnan.

    Mr. Kassinger, let me conclude with a question to you, but in passing, let me follow up on the word "resources" that you used and Mr. Farnan just used. It seems to me that no matter how thin the resources, there just isn't really any good explanation for not a single instance of going after a bad actor here, not a single instance of revocation or loss of accreditation or whatever, and regardless of—you can offer excuses, but I'm not sure it's a real explanation.

    As far as the inaccurate data goes, and I've forgotten which witness suggested it in their testimony, but would you be willing to have an outside audit conduct a study of just—as to the extent of the inaccurate database of—Whois database?

    Mr. KASSINGER. I think the development of better data on the extent of this problem is essential, and if that's one way of getting at it, that would be welcome. I don't know who pays for that. We'd have to figure that out.

    Mr. SMITH. But in theory, you're not opposed to it?

    Mr. KASSINGER. In theory, I'm not opposed to it.

    Mr. SMITH. Okay. Thank you, Mr. Kassinger. I know Mr. Berman has a couple questions, as well.

    Mr. BERMAN. Thank you, Mr. Chairman.

    You talked about resources. Mr. Edelman mentioned a specific act that registrars frequently do, which is to verify the name and address of the credit card holder submitting the credit card payment. Would it cost a lot and take a lot of effort for a registrar to at least determine the information they have received in trying to verify the validity of the credit card, they cross-check it with the Whois database to make sure that's the same name and address used on the Whois database?

    Mr. KASSINGER. Technically, that sounds quite feasible to me. I'm honestly not an expert in the financing of setting up those cross-checking systems. I know the registrars argue that there are thin margins in this business and they have invested a lot of money. I don't know the accuracy of their claims.

    Mr. BERMAN. This seems like a pretty thin effort they would have to undertake to simply do that, but that's more a comment.

    What's the status of the draft MOU? Are we sort of whistling in the wind here, nothing we say, no new insights? Obviously, you've gotten some insights from your written testimony to your testimony today, because the written testimony sort of gave a, there are no problems, things are okay, air to it, and your testimony today is very, I think, useful and helpful in acknowledging the problem could be far greater than perhaps we concluded from reading your testimony and that there are many problems still remaining. Is there a chance through this draft MOU for Commerce, if it wanted to, to propose some additional provisions not now in the draft MOU?

    Mr. KASSINGER. Uh——

    Mr. BERMAN. In other words, is this the final MOU? [Laughter.]

    Mr. KASSINGER. There is no MOU.

    Mr. BERMAN. There isn't?

    Mr. KASSINGER. Certainly, this Subcommittee is never whistling in the wind, Mr. Berman. We listen carefully and we value your input. Here's the situation.

    We have spent a lot of time over the last 3 months internally and working with ICANN management to identify the issues that would go into an MOU. We have been drafting an MOU. We have not presented a draft MOU to ICANN yet. We anticipate doing that in the near future. So yes, this is an issue on the table and——

    Mr. BERMAN. Well, let me make a suggestion, not that this should be the only one. I think a lot of things have been said here that Commerce might want to consider. But I'm told that several services, such as Fraudit, operated by Alice's Registry, exist to improve the accuracy and completeness of Whois data. Mr. Edelman notes that no registrar has thus far opted to use those services.

    Why shouldn't the Commerce ICANN MOU require registrars to use such services or take other proactive measures, like cross-checking the credit card information with the Whois database information or any of a number of things, or not make it a choice between doing nothing and having ICANN have to cancel, but imposing a series of fines and other kinds of sanctions on registrars for failing to do things that don't—you know, that are short of the registrar death penalty but still can provide some meaningful deterrence for—that would incentivize registrars to do what they should be doing? Why couldn't the MOU have these kinds of provisions?

    Mr. KASSINGER. It misconceives the nature of the MOU is fundamentally the reason, Mr. Berman. We actually are attracted to a number of the ideas that Mr. Edelman mentioned and others have in our interagency committee. Those are the kinds of things we're looking at proposing within ICANN to impose. The MOU does not—we are not a regulator. The MOU is not a regulatory instrument. It is a contract where we define certain goals and expectations. Now, that's how we might get at some of this, defining what we expect, but not going to the level of detail of you shall impose a fine for, you know, in X circumstances.

    Mr. BERMAN. What do you mean? I mean, Department of Defense is a contractor, not a regulator, but it certainly imposes on its contractors certain kinds of penalties for not meeting its contract terms. Why couldn't this be—why can't you sort of expand the horizons of this MOU to include some of these things, including obligating uses of those services?

    Mr. KASSINGER. Well, you know, we're not in contractual relationship or privity with the registrars, so we're not——

    Mr. BERMAN. No, I'm talking about with ICANN.

    Mr. KASSINGER. I raise, you know, query, what's the point of penalizing financially ICANN? This is an organization——

    Mr. BERMAN. No. You're requiring ICANN, and ICANN is agreeing through this Memorandum of Understanding, to undertake provisions in its contracts with its registrars to impose penalties short of cancellation for failure to do certain relatively simple, relatively low-cost kinds of things to improve the accuracy of the Whois database.

    Mr. KASSINGER. Using the MOU as an instrument to secure better compliance with Whois data is in the realm of possibility and should be considered. I do not think the MOU is an appropriate instrument to specify to ICANN precisely how it carries out the roles that we envision for it.

    ICANN is—you know, we're trying to privatize this. We're trying to get them to stand up on their own and figure out for themselves how to walk and run. They have a lot of constituencies with whom they deal. It's—in the next 30 days to figure out what the appropriate penalty structure should be and then impose that through the MOU, I don't think would be a wise course of action.

    Mr. BERMAN. Well, I'm disappointed by your answer. Mr. Metalitz?

    Mr. METALITZ. Mr. Berman, if I could just add something on that, I can understand the reluctance of the Commerce Department to get into a lot of detail in the MOU, but as Mr. Kassinger said, the model should be that ICANN would work this out itself and come to some solution like this. But in that regard, it's very discouraging to have to report that many of the solutions that are being talked about this afternoon have been proposed within ICANN and they've never gotten anywhere.

    We've proposed intermediate sanctions, the idea that for violation of the registrar accreditation agreement, there should be some penalty short of disaccreditation. We've proposed that, and I don't think an idea that's been placed on the table in ICANN has ever been shot down so fast as that one. Registrars and registries didn't want to hear of it, and since there was no consensus, we couldn't proceed any farther.

    Some of the suggestions that Mr. Edelman made in his testimony, which I think are very good ones, we put forward. The intellectual property constituency put forward the idea that if you catch John Zuccarini in one false Whois registration, why not cancel all 8,000 of them that are registered exactly the same way? That got shot down, as well.

    So I think there has been a lot of opportunity for ICANN to put its house in order and put some of these rules into effect and it may be that the MOU does need to be somewhat more detailed in some of these areas in order to perhaps nudge ICANN in the right direction.

    Mr. BERMAN. In closing, since my red light has probably gone off——

    Mr. SMITH. Long ago.

    Mr. BERMAN.—an entity which at this point is doing very little to meet its lip service to commitment to improving the Whois database, the Department of Commerce is trying to privatize without any serious demonstration by that entity that it will do something to give meaning to what it pays lip service to. That's just an off the top of my head conclusion, not a question. Thank you, Mr. Chairman.

    Mr. SMITH. Thank you, Mr. Berman.

    Mr. Kassinger, you just—I'm going to interject. You mentioned that you wanted ICANN to walk before they run, or walk and then run. When it comes to enforcement, they're still crawling, and I think your MOU is going to have to include an enforcement component or we will not be convinced that you are really heeding a lot of serious concerns, not only by us, but by every other organization that has any connection to the Whois database. I think you're going to need to reassure us with some more attention given to enforcement.

    The gentleman from Texas, Mr. Carter.

    Mr. CARTER. I think this is the only way I can talk to you, if this thing over here doesn't set off that noise again. I happen to believe in enforcement, and what I can't understand as I hear this is that at least someone could be starting to pressure for enforcement. They're not crawling. They're not even out of the gate.

    It seems to me that the thing—a suggestion, and maybe it's a bad suggestion, you tell me, Mr. Edelman's done some research where he's identified several thousand of these false sites. So you've got somebody who's already done some research for you. Why not send notice and put them on notice that it's the Department of Commerce's position that they should enforce against those identified sites, and you provide them to them, with the idea to—and by noticing them to correct their data, give them 30 days, and if not, to strike their domain.

    And then put that—publish that. That certainly is going to get the information out to the entire world, and those people who innocently gave bad data are going to say, wow, I'm going to get in here and correct my data because I'm innocent on this. I just didn't—really didn't really intend it that way, and there may be millions of those, I don't know. But those who are intentionally trying to deceive will then be put on notice if deception will come with a death penalty, and I happen to believe in the death penalty.

    Mr. KASSINGER. Mr. Carter, just to clarify again, the Commerce Department doesn't have a direct relationship with the registrars. I think we do from time to time get complaints about specific misleading or false registrations and we do pass those to ICANN or the registrar or registry operator that's relevant. But it is up to those organizations to take action, and I think the broader question here is what should we, as an agency, be doing to move those groups along in the direction of stiffer enforcement.

    Mr. CARTER. Well, if the Commerce of the United States requires that we have accurate data, if the chief law enforcement or law enforcer—yes, I guess you're law enforcers—are concerned about the lack of data as they try to operate within the realm that they operate, then what is the role of Commerce in telling this private entity, you're not doing your job. This is what you're here for. You're not doing your job. We're concerned about it. Do you want the Government to get in the middle of your business or are you going to clean up your act? And that's kind of where we are right now, it looks like to me. And to me, someone's got to speak up somewhere and say, this is not working, and you seem to have, at least by your relationship with them, some influence over them and should be able to make suggestions to that effect.

    Mr. KASSINGER. And we do make those suggestions. We are actively involved in a number of ICANN groups that are working on this very issue and we do press those views vigorously. But we are—again, we're not the regulator of ICANN, so—but it——

    Mr. CARTER. Well, somebody else certainly could get to be the regulator of ICANN in a heartbeat if it doesn't get doing its job.

    Mr. KASSINGER. Well, I think ICANN dissolves in that case and we try a different experiment, so hopefully, that—we can solve this issue without getting to that point.

    Mr. CARTER. And that's a worldwide death penalty.

    Mr. KASSINGER. That's right.

    Mr. CARTER. It's okay with me.

    Mr. SMITH. Thank you, Mr. Carter, for those good points.

    We thank you all. It was excellent testimony. And let me reassure the witnesses and also the audience that we are not going to drop this subject. Mr. Kassinger, we will be watching closely, of course, what the Department of Commerce does, also what ICANN does or does not do, and if we have to take appropriate action, we'll do so.

    As Mr. Carter suggested, you know, ignoring the inaccuracies in the Whois database is not an option and I hope that—and one way I know for you all to show that you're not ignoring the problem is, in fact, to have better enforcement. I think a little enforcement will go a long ways, by the way, as far as getting more accurate information and having it more reliable and more accessible.

    Before adjourning, I would like to include in the record a statement submitted by Margie Milam, General Counsel for eMarkmonitor, Inc.

    [The letter from Ms. Milam follows:]




    Mr. SMITH. I would also like to include a statement from the International Trademark Association.

    [The prepared statement of the International Trademark Association follows:]


    Mr. SMITH. Thank you all again. We look forward to being in touch with you.

    [Whereupon, at 3:14 p.m., the Subcommittee was adjourned.]


Material Submitted for the Hearing Record


    Mr. Chairman:

    I want to thank you for holding this important hearing today; however, I am deeply concerned with an issue related to today's hearing.

    At a recent Senate hearing in the Commerce, Science & Transportation Committee, Senator Cantwell got assurance from the Commerce Department, specifically from the departing head of the NTIA, that the Commerce Department believes it is authorized to review and make a decision on approving ICANN's proposal to grant VeriSign a contract that will provide exclusive control over the backordering of domain names. This proposal would effectively end the competition that exists today among some 100 firms engaged in this industry, including some in my state of Florida.

    As the Department of Commerce moves forward in its dealings with ICANN, I feel that the Judiciary will require an assurance that the Department will review the impact of ICANN's proposed exclusive contract concerning the backordering of domain names on competition, particularly as it affects small businesses and consumers. Additional scrutiny of this matter by the Judiciary is warranted, particularly given that despite the official assurance the Department of Commerce gave to Senator Cantwell in July and despite any official approval on such a measure from the Department of Commerce or any evaluation by the Department on the measure's impact on the consumer or the dozens of small businesses now providing this service, this proposed exclusive backordering service is already being advertised on the Internet, saying that it will take effect in October. Mr. Chairman, I hope you will join me in ensuring that these questions be adequately resolved before the Department of Commerce finalizes its Memorandum of Understanding with ICANN.