Release 1-0 on piece on ICANN

[David Farber <dave () farber net>]

Begin forwarded message:

From: Esther Dyson <edyson () edventure com>
Date: December 2, 2004 5:07:50 PM EST
To: David Farber <dave () farber net>
Subject: for IP - piece on ICANN

Dave -

from  
www.release1-0.com/refer.cfm? 
ref=IP&issue=AccNet120105&author=ED&location=freshproduce/article.cfm? 
serialnum=FRP200412010000




The Accountable Net: Who Should Be Accountable?

Dec 01, 2004 By  
<http://www.release1-0.com/contributors/contributor.cfm? 
author_id=1>Esther Dyson

<http://www.release1-0.com/release1/abstracts.cfm? 
Counter=4526287>EDitor's note: The current issue of  
<http://www.release1-0.com/release1/abstracts.cfm? 
Counter=4526287>Release 1.0 covers current industry (as opposed to  
government) initiatives for a safer, less spam-ridden Net. E-mail  
service providers and a variety of other players are getting together  
to authenticate the sources of e-mail, thereby making mail senders more  
accountable for their behavior. But they are only one part of a broader  
web of parties that should be accountable if we want to take back the  
Web for its users.

Two weeks ago, the Federal Trade Commission held a summit on e-mail  
authentication in Washington, DC; the community of people who handle  
bulk mail came together and agreed on standards and processes that  
should help reduce the proliferation of spoofed mail and fraudulent  
offers. This was a big, collective step in the right direction. (See  
<http://www.release1-0.com/release1/abstracts.cfm? 
Counter=4526287>Release 1.0 for a full analysis. See  
<http://news.com.com/Hot+and+bothered+over+spam/2009-1032_3 
-5453094.html>News.com for news coverage.)

But e-mail sender authentication alone won't solve the Net's fraud and  
phishing problems - nor will any single thing. It requires a web of  
accountability among a broad range of players. Yet this week there's  
another meeting, in Cape Town, South Africa, that could make even more  
of a difference...but it probably won't. That's a meeting of ICANN, the  
Internet Corporation for Assigned Names and Numbers, the international  
organization that sets and to some extent enforces policy for the  
Domain Name System (DNS). The e-mail summit was about people's ability  
to send e-mail; the ICANN meeting, in essence, is about people's  
ability to have a presence in cyberspace.

The ability to have a presence should of course be available to anyone;  
but the ability to act in cyberspace – for example, to collect  
someone's personal information or their money – should be accompanied  
by some accountability.

Please bear with me while I go into a little detail on how things work,  
what the problem is – and how it could be addressed.

The DNS was set up back in the 70s (before it had a name) at a time  
when most people online were trustworthy (or at least behaved that  
way), and the number of individual consumers using the Net was small.  
When ICANN was created in 1998 (I was founding chairman, 1998-2000), it  
set about solving the most pressing problems – notably, privatization  
of the DNS and the creation of an open, competitive market for domain  
names. While ICANN is not a government organization - and should not be  
- it has the responsibility of regulating the DNS and the organizations  
that maintain the databases of names (registries) and those that  
register them into the registries (registrars) according to policies  
developed and agreed to by its members. Most of them would prefer to be  
responsible players if the other guys were held to the same standards.

But instead of opening the Net up to serious competition among the  
registries for top-level domains (TLDs), such as .com, .net or .jp (for  
Japan), it focused on creating competition among registrars of  
second-level domain names (SLDs) such as cnet.com. The registrars are  
in essence retailers working with the wholesalers, who are the  
registries (such as VeriSign and a few others) that control the TLDs.  
The problem is, the registrars can't really differentiate their  
product: They mostly sell the same TLDs from the same registries. They  
can try to differentiate themselves on the basis of service to their  
customers, the domain-name holders, but most of the competition among  
registrars is on the basis of price and speed of service.

I won't go into most of the problems that has produced, but there is  
one that extends outside the domain-name community, and that is that  
domain names are so easily available that their use in committing fraud  
is becoming a growing problem. Along with grandmothers, political  
activists and honest entrepreneurs, fraudsters and criminals can buy an  
online identity - that is, a domain name such as sleazyfisher.com or  
sterlingstartup.net - for a few dollars. In fact, they can buy hundreds  
of such names, use them for whatever purposes they please - such as  
collecting individuals' identity information under false pretenses -  
and abandon them hours later.

The solution, I believe, is to create a system where the registries can  
compete with TLDs that stand for something and whose SLD-holders are  
bound by some contract to specific standards of behavior. These  
contracts would be different for each TLD, rather than the current  
situation where most of the contracts are specified or ratified by  
ICANN. For example, there would be .travel for travel operators vetted  
by a travel-industry consortium (that's a real proposal before ICANN);  
.fun, a hypothetical idea for edgy humor; or .safe, my basic proposal  
here – and then the registrars can compete to work with those  
registries whose policies they support (while the registries are free  
to pick and choose only the registrars that they believe can uphold  
their standards). That is, ICANN could foster the addition of new TLDs  
that would face a market test of attracting users, rather than the  
current bureaucratic tests currently necessary for the establishment of  
a new TLD.

True, ICANN has allowed the creation of some new TLDs – notably .biz,  
.info and .name, but none of them has gained much visibility or  
differentiation, and the restrictions ICANN imposes has made it tough  
for new registry entrants. In essence, by trying to make the market  
open to everyone, ICANN restricts the ability of the TLDs to  
differentiate themselves by discriminating in favor of specific kinds  
or qualities of registrants. It's really hard to legislate goodness –  
or to define it, for that matter. It's more effective, I believe, to  
allow registries to compete on the basis of goodness, and then let  
customers pick the kind of goodness they prefer.

In short, ICANN should consider a fundamental overhaul of the system -  
not next year, but this year. It could start doing so at its meeting in  
Cape Town this week, where it plans to consider its policies for new  
registries – but the movement seems to be towards more bureaucracy  
rather than less. It's not in ICANN's nature to act speedily; the  
organization works through consensus policies, developed during a  
tortuous "due process" of discussion, comments, postings and more  
discussions. But that's all the more reason for those discussions to  
begin now.

What exactly am I proposing? I'll be sending these comments as a memo  
to ICANN's At-Large Advisory Committee, of which I am a departing  
member, and to its board.

Action requires accountability
Originally, a domain name was a form of presence, a way to express  
oneself, and a medium for freedom of speech and information. But it is  
also, more and more frequently, a medium for collection of information  
(and money). How can we foster freedom without allowing fraud free  
rein? We can make identity freely available, but we can tie some  
identities to specific, competing, "local" rules of behavior – and  
users can choose, depending on the context.

Take the example of the e-mail community, which is developing a system  
where authentication of mail servers is coupled with reputation systems  
and recipient choices about what mail to accept. It's time for the  
possibility of similar approaches to work for visits to websites.

Imagine a world where there's a new TLD; let's call it .safe. .safe  
advertises itself as a TLD for domain-holders who are willing to  
identify themselves, contract to engage in certain business practices,  
and so forth. One TLD could be, for example, something similar to an  
eBay, with its own reputation system and dispute-resolution service –  
and, of course, government law enforcement at the sidelines. Companies  
can register an SLD in the .safe TLD through a number of registrars;  
those registrars are required – by the .safe registry, not by ICANN –  
to go through a specific validation process so that .safe can make  
promises to .safe website visitors that the site has been vetted by the  
registry behind .safe.

That registry, for what it's worth, will need to be a fairly credible  
organization itself. Perhaps it could be a credit-card company. But  
note that .safe will not be alone. It will have to compete with other  
security-conscious TLDs, such as, say, .bank (sponsored by a consortium  
of banks). And it will differentiate itself from TLDs designed for  
entertainment that offer advertiser-sponsored content and would never  
ask for a consumer's credit card information.

Now, what does this mean for the various players?

For individual users, .safe is a sign that they can safely hand over  
their credit card details and expect to receive what they were promised  
in return. They can choose to buy from .safe merchants, or they can go  
to familiar names they trust, such as gap.com, target.com, whatever.  
They get a benefit, and no downside. They can also still visit all the  
sites they want (with a variety of TLDs) not just for commerce, but for  
news, political commentary, porn, sports videos, health information...

For the owners of trusted sites/SLDs such as gap.com, .safe is  
unnecessary – and perhaps slightly unwelcome, since it levels the  
playing field for smaller merchants who don't have a reputation but who  
can rely on .safe to gain consumers' trust.

For those smaller (honest) merchants, .safe is an interesting  
proposition. They know it will cost more to go through the .safe  
vetting process (and they may have to put up a bond of some kind), but  
they hope it will be worth it: more consumer trust (and business), and  
ultimately a safer environment overall for e-commerce. Accountability  
systems are not free, but they are more locally responsive than  
government regulation. Just consider: Taxes are higher in a good  
neighborhood, but you get to choose the neighborhood. The accountable  
Net is a Net of neighborhoods, rather than a one-size-fits-all,  
impossibly scaled global village. (What we actually seem to have is a  
global urban-distress zone.)

For the credit-card companies, who are troubled by the prevalence of  
fraud and phishing and who want consumers' trust, .safe is an  
interesting idea...so much so that they might even be compelled to  
support it. Anything that will increase consumer confidence and reduce  
fraud is a good idea. Of course, the credit-card companies don't want  
to train consumers to mistrust any non-.safe website, but that's a  
challenge that .safe will have to overcome.

The existing registries, of course, may not immediately welcome .safe  
either. But chances are they would appreciate the opportunity to open  
new registries of their own, and to compete on the basis of something  
other than price. Meanwhile, the very existence of .safe may cause them  
to tighten up their own registration practices, or to promote their  
registrants' websites to consumers as places where you can go to get  
information but not to give out your own personal information.

The idea is not to create a one-size-fits-all, regulated Internet. In  
fact, it's precisely the opposite. It's to create a differentiated,  
more transparent Internet where individuals can trust the road signs.  
They can choose what virtual neighborhood they want to venture into on  
the basis of those road signs and the local regulatory regimes they  
indicate. Want the official story? Try .gov. Want lots of edgy  
information with little accountability? Try .rumor.

This system would not take away the possibility of anonymity, nor would  
it force registrars to become agents of the police, the Motion Picture  
Association of America, or any other body. Instead, ICANN would be  
fostering a market where different policies can compete on the basis of  
rules that may (or may not) be appealing to the ultimate users of  
domain names – people who visit websites and who have varying degrees  
of interest in who is behind them. (But users may end up choosing to  
listen to music at a site where the downloads are certified not to  
contain spyware or viruses...)

Some people think "the government" (or ICANN, for that matter) should  
be regulating the behavior of all the entities on the Net. I don't  
believe government (or ICANN) is up to that task, especially not on the  
worldwide Net. But I do believe that the entities on the Net can  
regulate one another, if systems are set up properly and if individuals  
have the information they need to choose the peer-to-peer regulatory  
system they prefer. Call the whole set-up "the accountable Net."

Real reputation-based and quality-controlled competition among TLDs  
would not be a solution to everything, but it would be one more  
important step towards cleaning up the Net. Either those who use domain  
names need to be accountable to those they interact with, or those who  
register the domain names need to be accountable for them, in a way  
visible to individuals and the public. This accountability needs to be  
specific and granular, so that one can separate the good from the bad.  
Otherwise, the public will hold the Net as a whole accountable for the  
actions of its malefactors.




Esther Dyson              Always make new mistakes!
Editor, Release 1.0

CNET Networks - www.cnet.com
104 Fifth Avenue (at 16th Street)
New York, NY 10011    USA

+1 (212) 924-8800

www.edventure.com
current status (with pictures!) at http://www.flickr.com/photos/edyson/




-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/