Hello Ron,

I can understand your frustration, but it is a complex issue.

>From your message, I see two main issues:
(1) The ability to collect a list of domain name owners with their contact
details - possibly augmented by additional customer lists, and the ability
to share such a list with many parties.

(2) The mis-use of a such a list for unsolicited phone calls, faxes, emails
etc, and the possibility of misleading conduct etc in the process.


With regard to the first issue, the information about domain name owners is
actually broken up into two databases:
(a) Information about a domain name registrant and the admin/technical
contact information for that registrant is managed by auDA and stored on a
database on AUNIC (which is in turn hosted by NetRegistry)
(b) The DNS information about a domain name (ie the domain name, and the
nameserver information necesary to resolve a domain name to a physical IP
address) is stored on a database at Melbourne IT, along with information on
the expiry dates of domain name registrations.  The database is used to
produce the zonefile that is used by the authoritative nameserver at the
University of Melbourne (munnari) to provide the DNS service for ".au".
There are also secondary nameservers that have access to the zonefile.

I recently received a relatively complete database that incorporated
information from both databases collected over time.

Over the past 12 months, both auDA and Melbourne IT have reacted to concerns
in the industry about access to the information in the databases in bulk
form.  As David Keegel (auDA Board member and system administrator for
AUNIC) has pointed out, auDA shut down bulk access to AUNIC data last year,
and this year put limits on how many individual queries can be made on AUNIC
in a short time frame to prevent systematic data mining of AUNIC.  However
recent postings to this list indicate that this information is still being
obtained somehow.

Melbourne IT in turn has been restricting access to the expiry dates
associated with domain names in an attempt to prevent third parties from
mis-using this data.  Again, like auDA, when one method of acquiring the
data is restricted, the third parties often find another method.  The
security of this data has progressively been tightened each time Melbourne
IT has become aware of third parties acquiring the information in bulk.

In general the issue of collection of customer lists etc - relates to the
more generic problems of privacy and security of information.  The
capability of computers and the capability of networks that link the
computers make it easier to build such lists, and hence  has resulted in
recent changes to the privacy legislation to provide stronger controls and
ability to enforce those controls.  Note however that much of the privacy
act relates to businesses with a turn-over of more than $3 million.  Neither
auDA or many of the domain name retailers fall into that category.

Under the new competition model - all the data will be concentrated in the
new registry operator - hence making it even more important to protect the
security of this data.  The levels of security envisaged by auDA are stated
in its draft technical standard for discussion today.


The second issue relates to the use of data obtained from the databases
above.

In general terms the legislation governing business practices is the Trade
Practices Act that applies to all industries.  The ACCC is responsible for
monitoring compliance with this act and investigating complaints of
consumers that relate to the Act.  To date it appears that the ACCC has
found limited instances of abuse by domain name retailers with respect to
the Act - or maybe some retailers have changed their practices after
warnings and the matter has not proceeded to court.  Of course an individual
company can take action against another company under the Trade Practices
Act - but no companies to my knowledge have taken that step in the domain
name industry in Australia.

The approach that has often been suggested by this list is for Melbourne IT
itself to take action against its resellers.  However this also has
problems.  Firstly Melbourne IT provides DNS registry services to all domain
name retailers in ".com.au", and is itself a domain name retailer.  It is
difficult to be both the umpire and a player, and appear impartial.
Melbourne IT itself could be seen to be acting in a manner contrary to the
Trade Practices Act.

The action Melbourne IT has taken includes: 
· obtained undertakings in relation to potential infringement of trademarks
and passing off
· has called on auda and the ACCC to take action and suggested they release
and publicise consumer warnings (which they did)
· has cooperated with the ACCC in their investigations 
· has redrafted its own renewal notices to carry consumer warnings 
· has lobbied government and made public comments arguing for a code of
practice 
· has called on the Privacy Commissioner to consider the specific
regulations  in the light of these practices

There have been two other main alternatives, to the Trade Practices Act and
the ACCC:
(1) The Government creates specific industry regulation and licences
companies operating in the industry
(2) An industry group forms an industry association, and develops codes of
practice that are voluntary. The group then creates consumer awareness of
the voluntary code via consumer education.

An example of the first alternative - is liquor licencing, and an example of
the second alternative is the Internet Industry Association (IIA).

The telecommunications industry uses a mixture.  As Chris Disspain pointed
out in a previous message, the ACA (Australian Communications Authority)
licences telecommunications carriers.
The ACA also sets standards that must be complied with by the carriers.  The
ACIF (Australian Communications Industry Forum) creates industry standards
and codes of practice.  Some of these are voluntary, and some are endorsed
by the ACA and must be complied with.

auDA, like its counterpart at the international level (ICANN), is a new
experiment in regulation.  It is a private company that has control over the
resource (".au") and will licence domain name retailers, and it is also the
industry self-regulator for setting standards and codes of practice with the
participation of the industry.  It would be analagous to ACIF having direct
control of radio frequency spectrum, or the IIA selecting who could be an
ISP.
Because of the unique position and power of auDA (and ICANN) it is extremely
important that it continues to operate in an open, consultative, and
transparent manner.

Under the new competition model, auDA is responsible for the security and
privacy of the domain name data through its licencing of the registry
operator or operators, and is also responsible for the use of domain name
information through its licencing of some domain name retailers as
registrars.

Thus it is very important that consumers and members of the industry
continue to closely review the recent drafts published on auDAs websites (ie
the draft technical standard for registries and registrars, and the
registrars licence and accreditation agreements published yesterday), and
provide public input into auDA.

Melbourne IT believes that it is important to establish a code of practice
in the industry, and for auDA to enforce compliance with this code through
the registrar agreements.
It is important that this code of practice is widely supported by the
industry, and not imposed with potentially over-regulation of the industry.

As for the technical standards, where a public meeting will be held today,
Melbourne IT recommends that a public meeting (or possibility meetings in
different cities to save people travelling) be held to talk through the
registrar accreditationand agreements to provide better feedback to auDA.
As auDA have limited resources and don't want to delay the introduction of
the new competition model, maybe another party can volunteer to provide a
space for a public meeting and coordinate input to auDA within auDA's
timeframe for public comment. Judging by the number of posts to this list
there certainly seems to be plenty of public interest in a code of practice.

Regards,
Bruce Tonkin



> 
> 
> 
> 
> This is utter bullsh*t.  One or more lists are now 
> circulating.  One or more
> disreputable businesses are abusing the information, thence 
> OUR customers
> and sometimes colleagues.  Stopping access is now wholly 
> irrelevant - it's
> too late for that - it's the abuse that has to be stopped, 
> because otherwise
> it will surely continue and grow.
> 
> It's apparent to me that contributors to this forum (i.e. the industry
> served by auDA / MIT) want these practices stopped and the 
> perpetrators
> punished.  Now!  But to no avail.  One of two possibilities therefore
> exists.  MIT / auDA either will not, or cannot take steps to 
> act on our, the
> industry's, behalf - despite channel partner contracts and/or codes of
> practice.
> 
> If the former, MIT / auDA are tacitly endorsing the abuse of 
> which many of
> us have complained, in which case we might as well all do it - and our
> customers and the industry be dammed.  If the latter, we're clearly
> incapable of self-regulation and the Government's faith in 
> our ability to do
> so is severely misplaced.  What's more, if our 
> representatives and industry
> icons fail to heed member's calls, we don't even deserve the 
> honour and
> responsibility of self-regulation.
> 
> Whatever way it's looked at, the industry can only degenerate 
> into a dirty
> free-for-all where anything goes - and we'll all be losers 
> because of it.
> 
> MIT and auDA - are you endorsing names list abuse, or can't 
> you stop it on
> behalf of the industry you purport to represent?  Because in 
> my book, both
> are totally unacceptable and the industry deserves the 
> appalling reputation
> it's acquiring.
> 
> Ron Stark
> Business Park Pty Ltd
> mail: ronstark§businesspark.com.au
> tel: +61 (0)3 9592 6895   fax: +61 (0)3 9591 0729
> mob: +61 (0)41 812 9922
> 
> --
> This article is not to be reproduced or quoted beyond this 
> forum without
> express permission of the author. 329 subscribers. 
> Archived at http://listmaster.iinet.net.au/list/dns (user: 
> dns, pass: dns)
> Email "unsubscribe" to dns-request§auda.org.au to be removed.
> 

--
This article is not to be reproduced or quoted beyond this forum without
express permission of the author. 315 subscribers. 
Archived at http://listmaster.iinet.net.au/list/dns (user: dns, pass: dns)
Email "unsubscribe" to dns-request§auda.org.au to be removed.