Summary. January 31, Jo Lim. Chief Operations and Policy Officer. Dear Jo,

Transcription

1 January 31, 2014 Jo Lim Chief Operations and Policy Officer Dear Jo, Thanks for the opportunity to make a submission to the auda Whois Issues Paper The views expressed in this submission are held by me personally and are not those of my employer, nor any companies I have ownership or interest in. Summary The current auda Whois Policy appears fit for purpose. As such, there should be no substantial changes. The Issues Paper appears to focus on the possibility of enabling access to data. Specific examples are given, such as Lawyers and Law Enforcement access. There are a small number of companies that already perform these activities. For example: IPNeighborhood.com combines data from ASIC, IP Australia, USPTO, Yellow Pages, TLD s and cctld s, including.au names. These existing services can enable Law Enforcement to investigate Cybercrime and Lawyers to protect their clients Intellectual Property and investigate bad faith registrations. Such companies have already made substantial investments in both infrastructure and intellectual property. Registrars could also use these services to ensure the integrity of.au registrations. For example, Registrars could use an API to check that the registrant has provided the correct ABN/ACN or assist with reviewing a close and substantial connection to a domain name. If auda was to open up WHOIS per item (2) of the Issues Paper, I d strongly encourage auda to partner with industry to facilitate this. 1

2 Issues Paper Questions & Considerations 1. Should there be any changes to auda s WHOIS Policy covering the collection, disclosure and use of WHOIS data for.au domain names? a) There should be no substantial changes to the existing policy. b) The Issues Paper does not cite any evidence that disclosing more information on the.au WHOIS service will result in the same degradation of accuracy and integrity as per the issues paper. c) While.au WHOIS does not currently disclose a physical address or telephone number, this information can be found on a Registrant website or in the Yellow Pages. Private or Proxy Registrations d) Given that consumers can use generic addresses in WHOIS, it could be argued that there is a level of privacy protection already. For example: admin@mydomain.com.au. e) Private or Proxy Registrations may enable Registrars to earn a substantial revenue stream. I understand that this is a very significant benefit to a small portion of auda members, particularly Supply Class members. While it could be tempting for auda to rush through such an amendment, the consequences of such an action should be very carefully thought through, particularly when it comes to the public interest. f) The current policy enables people (companies, journalists, lawyers, law enforcement etc...) to investigate crime and violations of intellectual property, as the WHOIS data is not masked, proxied or hidden. g) Private or Proxy Registrations may have the unintended consequence of: a. Increased registrations in bad faith; b. An increase in complaints to auda; c. Additional overhead (compliance costs) for Registrars to reveal identities of Private Registrations; d. Reputational risk - sending the wrong message that.au is a soft target for cybersquatting; e. Increasing the likelihood of spammers and scammers using.au names (hiding behind private registrations); f. Increasing the likelihood of illegal activity in the.au namespace (fake websites); g. Negatively impacting investigations by Law Enforcement and Risk / Security Managers in the private sector. For example: a substantial amount of work is performed prior to 2

3 conducting an investigation, attending court or writing a report to Executive Management. h. Negatively impacting investigative journalism. For example, journalists often use information services to determine ownership of domain names and identify persons of interest. h) Considerations should also be given to registrars that go out of business, for example: RegisterFly. In this instance: a. The Registrant may have difficulty updating their information; b. Access to private registration information held by a Registrar may prove difficult. Recommendation: Give careful consideration to the consequences of Private & Proxy Registrations. Domain Name Creation and Expiry Dates i) Fake renewal scams still operate in.au (although not at 2002 levels). I have personally received a number of paper and based scams in the past year. j) The marketplace is far more educated 11 years after the removal of creation and expiry dates. I d suggest that any decrease in fake renewal scams is largely due to market education and growth, rather than the removal of the creation and expiry dates. k) Fake renewal notice scams can still guess expiration dates, or use the existing au drop list as a guide. l) Section 5.3 should describe what constitutes a full record. This is in contrast to Section A, which is only referred to in 4.1 as fields that are disclosed on the WHOIS service. m) Tracing the history of a domain name is currently provided by private sector services such as IPNeighborhood.com. When creation dates are not available, such services cite dates when they first know about or come into contact with a domain. The disclosure of the actual creation date would assist both the private sector and law enforcement. Recommendation: Reinstate domain name creation and expiry dates. Recommendation: The policy should describe the fields that constitute a full record. 3

4 2. Should access to.au domain name data (other than via WHOIS) be opened up? n) The Private Sector already provides the ability to search through databases of domain names based on identifiers such as a person s name, company name, , keyword and/or brand name. o) Both Law Enforcement and Lawyers use existing services to identify domain names belonging to their clients. For example, IPNeighborhood.com enables companies to receive alerts when someone registers a domain name based on their trademark. Recommendation: Investigate partnering with the private sector who already offer searchable databases of information, including domain names and trademarks. 3. Should there be restrictions on the purpose for which registry information can be requested and/or used (eg. only in relation to legal proceedings)? p) No. 4. Should there be a fee for different levels of access to registry information, or for different types of request (eg. commercial versus non-commercial, government versus non-government)? q) No. 5. What are the privacy implications/rights for.au registrants? r) RFC3912 states that WHOIS is used to provide "white pages" services and information about registered domain names. s) WHOIS data is and has always been in the public domain. 4

5 Summary of Recommendations 1. Reinstate domain name creation and expiry dates in WHOIS. 2. Update the policy to describe the fields that constitute a full record, as held by the Registry and not disclosed in public WHOIS. 3. Give very careful consideration to the risks and consequences associated with Private & Proxy Registrations. 4. Investigate partnering with an organization that already provides searchable databases of information, including domain names, company registrations and trademarks. Kind regards, 5