[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]



                FRAUDULENT ONLINE IDENTITY SANCTIONS ACT

=======================================================================

                                HEARING

                               BEFORE THE

                 SUBCOMMITTEE ON COURTS, THE INTERNET,
                       AND INTELLECTUAL PROPERTY

                                 OF THE

                       COMMITTEE ON THE JUDICIARY
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             SECOND SESSION

                                   ON

                               H.R. 3754

                               __________

                            FEBRUARY 4, 2004

                               __________

                             Serial No. 63

                               __________

         Printed for the use of the Committee on the Judiciary


    Available via the World Wide Web: http://www.house.gov/judiciary


                                 ______

91-605              U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001

                       COMMITTEE ON THE JUDICIARY

            F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman
HENRY J. HYDE, Illinois              JOHN CONYERS, Jr., Michigan
HOWARD COBLE, North Carolina         HOWARD L. BERMAN, California
LAMAR SMITH, Texas                   RICK BOUCHER, Virginia
ELTON GALLEGLY, California           JERROLD NADLER, New York
BOB GOODLATTE, Virginia              ROBERT C. SCOTT, Virginia
STEVE CHABOT, Ohio                   MELVIN L. WATT, North Carolina
WILLIAM L. JENKINS, Tennessee        ZOE LOFGREN, California
CHRIS CANNON, Utah                   SHEILA JACKSON LEE, Texas
SPENCER BACHUS, Alabama              MAXINE WATERS, California
JOHN N. HOSTETTLER, Indiana          MARTIN T. MEEHAN, Massachusetts
MARK GREEN, Wisconsin                WILLIAM D. DELAHUNT, Massachusetts
RIC KELLER, Florida                  ROBERT WEXLER, Florida
MELISSA A. HART, Pennsylvania        TAMMY BALDWIN, Wisconsin
JEFF FLAKE, Arizona                  ANTHONY D. WEINER, New York
MIKE PENCE, Indiana                  ADAM B. SCHIFF, California
J. RANDY FORBES, Virginia            LINDA T. SANCHEZ, California
STEVE KING, Iowa
JOHN R. CARTER, Texas
TOM FEENEY, Florida
MARSHA BLACKBURN, Tennessee

             Philip G. Kiko, Chief of Staff-General Counsel
               Perry H. Apelbaum, Minority Chief Counsel
                                 ------                                

    Subcommittee on Courts, the Internet, and Intellectual Property

                      LAMAR SMITH, Texas, Chairman

HENRY J. HYDE, Illinois              HOWARD L. BERMAN, California
ELTON GALLEGLY, California           JOHN CONYERS, Jr., Michigan
BOB GOODLATTE, Virginia              RICK BOUCHER, Virginia
WILLIAM L. JENKINS, Tennessee        ZOE LOFGREN, California
SPENCER BACHUS, Alabama              MAXINE WATERS, California
MARK GREEN, Wisconsin                MARTIN T. MEEHAN, Massachusetts
RIC KELLER, Florida                  WILLIAM D. DELAHUNT, Massachusetts
MELISSA A. HART, Pennsylvania        ROBERT WEXLER, Florida
MIKE PENCE, Indiana                  TAMMY BALDWIN, Wisconsin
J. RANDY FORBES, Virginia            ANTHONY D. WEINER, New York
JOHN R. CARTER, Texas

                     Blaine Merritt, Chief Counsel

                         David Whitney, Counsel

              Melissa L. McDonald, Full Committee Counsel

                     Alec French, Minority Counsel


                            C O N T E N T S

                              ----------                              

                            FEBRUARY 4, 2004

                           OPENING STATEMENT

                                                                   Page
The Honorable Lamar Smith, a Representative in Congress From the 
  State of Texas, and Chairman, Subcommittee on Courts, the 
  Internet, and Intellectual Property............................     1
The Honorable Howard L. Berman, a Representative in Congress From 
  the State of California, and Ranking Member, Subcommittee on 
  Courts, the Internet, and Intellectual Property................     3
The Honorable Bob Goodlatte, a Representative in Congress From 
  the State of Virginia..........................................    47

                               WITNESSES

Mr. Timothy P. Trainer, President, International 
  AntiCounterfeiting Coalition, Incorporated (IACC)
  Oral Testimony.................................................     5
  Prepared Statement.............................................     7
Mr. J. Scott Evans, Chairman, Internet Committee, International 
  Trademark Association (INTA)
  Oral Testimony.................................................    13
  Prepared Statement.............................................    14
Mr. Rick H. Wesson, President and Chief Executive Officer, 
  Alice's Registry, Incorporated
  Oral Testimony.................................................    18
  Prepared Statement.............................................    20
Mr. Mark Bohannon, General Counsel and Senior Vice President, 
  Public Policy, Software and Information Industry Association 
  (SIIA), on behalf of Copyright Coalition on Domain Names (CCDN)
  Oral Testimony.................................................    25
  Prepared Statement.............................................    27

                                APPENDIX
               Material Submitted for the Hearing Record

Letter to Chairman Lamar Smith from Network Solutions, LLC, Bulk 
  Register, Register.com, Melbourne IT...........................    47
Letter to Chairman Lamar Smith from Brian Cute, Director of 
  Policy, Network Solutions, LLC.................................    50

 
                      FRAUDULENT ONLINE IDENTITY 
                             SANCTIONS ACT

                              ----------                              


                      WEDNESDAY, FEBRUARY 4, 2004

                  House of Representatives,
              Subcommittee on Courts, the Internet,
                         and Intellectual Property,
                                Committee on the Judiciary,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 10:09 a.m., in 
Room 2141, Rayburn House Office Building, Hon. Lamar S. Smith 
(Chair of the Subcommittee) presiding.
    Mr. Smith. The Subcommittee on Courts, the Internet, and 
Intellectual Property will come to order. I am going to 
recognize myself for an opening statement, then the Ranking 
Member, Mr. Berman, and without objection, other Members' 
opening statements will be made a part of the record.
    Today's hearing is on H.R. 3754, the ``Fraudulent Online 
Identity Sanctions Act.'' There are two overriding 
characteristics of this bill which the Ranking Member, Mr. 
Berman, and I have introduced. First, we target those who 
register false domain name contact information in furtherance 
of a Federal criminal offense or in violation of Federal 
copyright or trademark law. Second, we ensure that these 
individuals face more severe civil and criminal penalties for 
their regrettable conduct.
    Five months ago, this Subcommittee conducted an oversight 
hearing entitled, ``Internet Domain Name Fraud: The U.S. 
Government's Role in Ensuring Public Access to Accurate Whois 
Data.'' At that time, the Department of Commerce was 
considering whether and under what terms to renew its agreement 
with the Internet Corporation for Assigned Names and Numbers, 
ICANN.
    As a result of the testimony received that day and the 
attention focused on the U.S. Government's negotiations with 
ICANN, the Commerce Department required ICANN for the first 
time to implement a series of Whois specific reports and 
improvements. I am disappointed to say that the early signs 
from ICANN are not encouraging.
    It is beyond dispute that the public needs and deserves 
access to accurate data on domain name registrants. Whois was 
created to serve precisely this role. Whois data is relied upon 
by a wide variety of users, but is particularly important to 
those in the IP community. Copyright owners use it to identify 
pirate sites that operate on the Internet. Trademark owners use 
it to resolve cybersquatting disputes and to track down owners 
of websites that offer counterfeit goods or otherwise infringe 
upon intellectual property rights.
    Parents and law enforcement officers rely on Whois data to 
protect our children from online threats. Officials have 
publicly stated the database is the first step in most web-
based child pornography and exploitation cases. Consumers and 
businesses rely on Whois to identify the owners of websites in 
order to protect confidential information, such as credit card 
numbers.
    Late last month, the Federal Trade Commission released its 
2003 consumer sentinel report on trends and fraud in identity 
theft. The report revealed that Internet-based scams were 
second only to identity theft as the top fraud complaint 
reported to the Government. In 2003, Internet-related fraud 
accounted for 55 percent of all fraud reports to the FTC. 
Losses associated with Internet-related fraud were estimated to 
approach $200 million.
    Two years ago, the Director of the FTC testified before 
this Subcommittee on the relation between accurate Whois data 
and the FTC's ability to protect the public. Quote, ``It is 
hard to overstate the importance of accurate Whois data to our 
Internet investigations. In all of our investigations against 
Internet companies, one of the first tools FTC investigators 
use to identify wrongdoers is the Whois database. We cannot 
easily sue fraudsters if we cannot find them,'' end quote, and 
that's a statement of the Honorable J. Howard Beales, III, 
Director of the FTC.
    But Whois data is of little or no use to the FTC or anyone 
else if registrars who are contractually obligated to verify 
its accuracy refuse to do so. Similarly, it is also of no use 
if registrants perceive there to be no credible deterrent or 
sanction for providing fraudulent data.
    The Government must play a greater role in punishing those 
who conceal their identities online, particularly when they do 
so in furtherance of a serious Federal criminal offense or in 
violation of a federally protected intellectual property right. 
These individuals impose real and substantial cost on 
legitimate users of the Internet. There is a growing 
recognition that both registrants who provide false Whois as 
well as those who enable them to remain anonymous must be held 
accountable.
    The Fraudulent Online Identity Sanctions Act is a targeted 
measure that will complement related provisions that were 
recently included in the PROTECT Act and in the CAN-SPAM bill.
    This concludes my opening statement. Before recognizing the 
gentleman from California for his, let me just say at the 
outset that the testimony that we received today was uniformly 
superb. It did exactly what I hoped it would do, which was to 
suggest to the Members of this Subcommittee what changes, what 
additions, what modifications we can make to the bill to make 
it a better piece of legislation, and every one of you all have 
made specific and substantive and practical suggestions for us 
to modify this bill and I would certainly expect before we get 
to markup next month that there will be a substantial amendment 
in the nature of a substitute as a result of the testimony that 
we expect to receive here today momentarily.
    Second of all, I want to thank David Whitney, who is the 
Subcommittee counsel who put on this, or helped arrange this 
hearing. We had to switch this hearing with one that is now 
scheduled for next week, so on very short notice and with just 
a few days to pull together this hearing, David Whitney was 
able to do so in a superb manner. In fact, one night he had to 
stay up until 3 a.m. to try to work out the kinks to make this 
run smoothly today. So I appreciate his effort very, very much.
    And lastly, we are going to hold our witnesses strictly to 
the 5 minute limit and try to recognize all the Members for 
their questions and conclude by 11:00, when a joint session of 
Congress is scheduled. So that is the reason to kind of 
expedite this hearing today if at all possible.
    Having said all that, I'm now happy to recognize the 
Ranking Member, Mr. Berman, for his opening statement.
    Mr. Berman. Thank you very much, Mr. Chairman, and I'll try 
and speak quickly so we can achieve the goal. I appreciate your 
holding the hearing. The issue of Internet domain name fraud is 
not a new one for our Subcommittee, but what I'm happy to say 
is we're now beginning to embark on an effort to find some 
legislative solutions.
    We've already documented through a series of hearings how 
inaccurate Whois data hampers law enforcement investigation, 
facilitates consumer fraud, impairs copyright and trademark 
protection, imperils computer security, enables identity theft, 
and weakens private protection efforts.
    Although the Commerce Department appears to recognize the 
problem of inaccurate Whois data, the time has come for 
Congress to act. In sections 303 and 305 of the legislation, 
H.R. 2752, the legislation that Mr. Conyers and I introduced, 
we took one stab at crafting a solution. After taking into 
account various criticisms, including privacy concerns, 
Chairman Smith and I decided to try a different approach.
    Therefore, we introduce a bill before us today which uses a 
similar underlying principle, that of penalizing those who 
submit false or misleading domain name information while 
addressing the privacy issues raised with Mr. Conyers' and my 
approach. I believe this legislation will start to rectify the 
problem of inaccurate Whois data.
    It focuses on three initiatives. The first provides for a 
sentencing enhancement when an individual uses false or 
misleading data in furtherance of a criminal offense. The other 
two provisions entail amending the copyright and trademark 
statutes to allow for an enhanced penalty for a civil violation 
committed in connection with the provision of false contact 
information.
    These are good initial steps. The legislation is crafted in 
a way that it targets only the bad actors who register false or 
fraudulent domain name contact information in furtherance of a 
violation of law, a preexisting violation of law. Furthermore, 
this legislation provides for the possibility of increased 
damages in civil copyright and trademark infringement cases 
where false or misleading information is used knowingly by the 
registrant most often in his attempt to avoid detection.
    I have some concerns that the bill lacks a specific mandate 
to the Sentencing Commission to craft appropriate sentencing 
enhancements and I would hope to strengthen the bill by 
including such a directive before we go to markup.
    In last year's hearing on Whois, the FTC testified that 
traditional scams such as pyramid schemes and false product 
claims thrive on the Internet. They explain that it's hard to 
overstate the importance of accurate Whois data to our Internet 
investigations. One of the first tools they use to investigate 
these scams and identify wrongdoers is the Whois database. 
Inaccurate data severely hampers their law enforcement, 
consumer protection, and investigative abilities.
    Another example of the effects of providing false or 
misleading information relates to the spam problem. I want to 
just describe an FTC, a specific FTC problem. The FTC and its 
enforcement powers in our new anti-spam law performed a sting 
operation to test compliance with the ``remove me'' or 
``unsubscribe'' options. From e-mail forwarded to the FTC's 
database of unsolicited commercial e-mails by participating 
agencies, they culled more than 200 e-mails that purported to 
allow recipients to remove their name from the spam list. The 
agency set up dummy e-mail accounts to test the pledges.
    They discovered that most of the addresses to which they 
sent the request were invalid. Most of the ``remove me'' 
requests did not get through. Based on information gathered 
through this operation, the FTC sent 77 letters warning 
spammers that deceptive removal claims and unsolicited e-mail 
are illegal. They sent the letters to addresses listed in the 
Whois database. Sixteen of the 77 letters, or approximately 21 
percent, were returned to the FTC because the addresses in the 
Whois database were inaccurate.
    Faulty Whois data seriously imperils the effectiveness of 
the legislation we just passed relating to spam. It is for this 
reason that while I support the legislation, I think we haven't 
gone far enough. The only complete solution would hold the 
registrars accountable for accurate--inaccurate--the only 
complete solution would hold the registrars accountable for 
inaccurate Whois information. We should craft legislation 
mandating that registrars comply with their registrar 
accreditation agreements, which require verification and 
periodic reverification of the information.
    This should not be difficult to do. The registrars are 
already contractually bound to do so, but neither the Commerce 
Department nor ICANN seems willing to enforce those contracts. 
As we move forward with the legislation, I hope we can place 
just such responsibilities on registrars.
    I appreciated the Chairman's comments regarding possible 
refinements and improvements between now and a markup and I 
urge my colleagues to support the legislation we've introduced.
    Mr. Smith. Thank you, Mr. Berman.
    I just want to say I appreciate the attendance of Mr. 
Jenkins of Tennessee and Mr. Pence of Indiana. I appreciate 
your interest in the subject at hand.
    Let me now introduce our witnesses. Our first witness is 
Timothy P. Trainer, who has served as President of the 
International AntiCounterfeiting Coalition, IACC, since 
September 1999. With approximately 140 members, the IACC is the 
largest organization that deals exclusively with issues that 
relate to the theft of intellectual property.
    As President, Mr. Trainer oversees the day-to-day 
operations of IACC, including its domestic and international 
enforcement programs. He has worked extensively with Interpol's 
IP Crime Action Group as well as on intellectual property 
initiatives in the Newly Independent States of Eastern Europe.
    Mr. Trainer has a law degree from the Cleveland Marshall 
College of law and an M.A. from the University of Pittsburgh. 
He completed his undergraduate studies at Kent State University 
and Keio?--Keio University's International Center in Tokyo.
    Our second witness is J. Scott Evans, who is a shareholder 
in the Charlotte intellectual property law office of Adams 
Evans, where he specializes in the areas of trademark, 
copyright, unfair competition, and Internet law. Mr. Evans 
serves as chair of the International Trademark Association's 
Internet Committee and he will testify in that capacity today. 
It is worth noting that he also serves as President of ICANN's 
Intellectual Property Constituency and that he served as one of 
the principal authors of ICANN's Uniform Dispute Resolution 
Policy.
    A native Texan, Mr. Evans received his undergraduate degree 
from Baylor University and his J.D. from the University of 
Louisville.
    Our third witness is Rick Wesson, who is the CEO of Alice's 
Registry, an ICANN accredited registrar that has developed and 
marketed their fraud detection system to other registrars in 
the ICANN community. Mr. Wesson serves as both Vice Chair and 
Chief Technical Officer of ICANN's Registrars' Constituency and 
is a member of ICANN's Security and Stability Committee. His 
testimony today reflects his own views and experiences and is 
not presented on behalf of either ICANN or other registrars.
    Our remaining witness is Mark Bohannon, General Counsel and 
Senior Vice President of Public Policy for the Software and 
Information Industry Association, SIIA. In that capacity, Mr. 
Bohannon is responsible for the legal and public policy agenda 
of SIIA, including issues that involve privacy, e-commerce, 
intellectual property protection, and Internet security. His 
testimony will be presented on behalf of the Copyright 
Coalition on Domain Names, an organization whose principal 
goals are to maintain public access to Whois data and to 
improve its accuracy and reliability.
    Another Texan, Mr. Bohannon graduated from the School of 
Foreign Service at Georgetown University and George Washington 
University Law School.
    Welcome to you all. We have written statements from all the 
witnesses today and without objection, the complete statements 
will be made a part of the record.
    Mr. Trainer, we will begin with you.

   STATEMENT OF TIMOTHY P. TRAINER, PRESIDENT, INTERNATIONAL 
       ANTICOUNTERFEITING COALITION, INCORPORATED (IACC)

    Mr. Trainer. Thank you, Mr. Chairman, Mr. Berman, and 
Members of the Subcommittee. Good morning. On behalf of the 
IACC, I thank the Committee for the opportunity to testify on 
the issue that impacts intellectual property owners, Internet 
users, and the public at large, the collection, availability, 
use, and most importantly, the accuracy of identification 
information collected from domain name registrants by the 
registrars. We commend the Subcommittee on the proposals that 
it has put forth for our consideration and we look forward to 
continuing our cooperative efforts.
    The IACC represents a cross-section of industries, 
including automotive, electric, software, luxury goods, 
personal care, and pharmaceutical sectors. We are prepared to 
work with the Subcommittee toward passage of a bill that 
provides effective protection of intellectual property--to 
intellectual property owners and will result in a more 
effective Whois system. We seek provisions that deliver what 
the registrar accreditation agreement promises and that respond 
to the Internet users' ability to use Whois effectively.
    One thing is clear. Whois is still problematic and is 
illustrated by the list we have provided which identifies 
registered names that have inaccurate and/or false contact 
information. In July 2001, I testified before this Subcommittee 
stating that the Whois database not only needed to be publicly 
accessible, but accurate. I also stated that rather than 
legislation, the registrars needed to meet the obligations of 
their agreement by ensuring the accuracy of information that is 
provided. This hearing is evidence that the hoped for 
improvements of Whois have not occurred.
    Today, we address two general issues, first, the ongoing 
problems of Whois and the resulting elements of the current 
problems; second, I will address the extent to which the 
proposed amendment might address the problem.
    Essentially, two fundamental shortcomings undermine 
confidence and reliance on Whois, inadequate obligations on 
registrars to check information submitted by applicants for 
registered names and the ease of applicants to submit false 
information and continue using registered names.
    The registrar receives information and is required to 
obtain and maintain this information and the registered name 
holders must enter into a registration agreement with 
registrars and provide a minimum amount of accurate and up-to-
date information regarding their contact information. Despite 
the agreement, deterrence is inadequate to stop the practice of 
individuals obtaining registered names by using false 
information.
    Applicants have provided bogus telephone numbers, city 
names, zip codes, and have successfully obtained registered 
names, indicating an absence of registrar oversight. There are 
times when existing addresses are used, but not one that 
actually belongs to the person operating the registered name.
    Another ploy of those who trade in counterfeit goods is to 
use a proxy service to obtain registered names so that the 
contact information belongs to the proxy service, which in turn 
may not have received accurate information from the person who 
seeks anonymity in the first place, adding another layer for 
the person seeking to be beyond the reach of the authorities, 
intellectual property owners, and consumers.
    Even if the information was initially accurate, members 
have reported that attempts to contact registered name holders 
have been time consuming and expensive because information is 
not updated. One trademark owner attempting to resolve a 
trademark infringement case found that a business having a New 
York City address and contact information had moved to New 
Jersey 2 years earlier. The information about current location 
was obtained by the trademark owner's attorney going to the old 
address, learning that the business had moved, and checking 
records held by the State, not the registrar's Whois database.
    A glance at the list of registered names we have provided 
leaves no question as to why false names would be used. One 
member company reported at least 15 cases of false Whois 
information during the past year when it tried to pursue those 
offering counterfeit goods. These sites facilitate the trade in 
counterfeit merchandise. It is difficult to believe that any 
verification efforts are made.
    Regarding the proposed section 1117(e), we recommend that 
the provision be broad enough to subject persons submitting any 
false information to these penalties. Essentially, anyone 
deliberately submitting any false information could be punished 
by the provisions of this bill. Thus, in addition to the 
information such as an address, telephone, and facsimile 
number, this could include Internet protocol addresses and 
other possible information.
    Next, in addition to the violator who provided the false 
information, we recommend the provision also aim to subject the 
person who caused this false information to be provided to a 
registrar. The IACC would support including penalties against 
persons who register and obtain names that are never used in 
connection with an online location. This would subject those 
who obtain registered names that are used for false information 
but do not have active websites to the penalties intended by 
this proposal.
    In addition, the IACC members believe that the proposal 
could be broadened to impose liability on parties who, having 
initially provided accurate information to obtain the 
registered name, thereafter fail to provide updated 
information. The current proposal addresses the act of 
affirmatively providing false information, but not willful 
refusals or failure to provide valid contact information 
thereafter.
    We also support the criminal sentencing recommendation as 
reflected in the bill to add the provision to title XVIII, 
section 3559, although we have no opinion regarding the 
specific recommendation of 7 years. We hope that the proposal 
for section 3559 might also include language that appears in 
the proposed 1117(e), referring to a person acting in concert 
with a defendant. Similar to our recommendation for 1117(e), we 
recommend a parallel provision to subject persons causing false 
information to be provided within the scope of 3559.
    I thank the Subcommittee for allowing me to testify and 
will attempt to answer any questions Members may have. Thank 
you.
    Mr. Smith. Thank you, Mr. Trainer.
    [The prepared statement of Mr. Trainer follows:]

                Prepared Statement of Timothy P. Trainer

    Mr. Chairman and Members of the SubCommittee, Good morning. I am 
Timothy Trainer, President of the International AntiCounterfeiting 
Coalition (IACC). On behalf of the IACC, I would like to thank the 
Committee for the opportunity to testify on an issue of great 
importance to intellectual property owners, Internet users, and the 
public at large--the collection, availability, use, and, most 
importantly, the accuracy of identification information collected from 
domain name registrants by Registrars.
    The IACC is the largest organization dealing exclusively with 
issues involving intellectual property theft. The IACC has 
approximately 140 members who represent a cross-section of industries, 
including the automotive, electrical, motion picture, software, sound 
recording, apparel, luxury goods, personal care and pharmaceutical 
sectors. The total annual revenues of IACC members exceed US$650 
Billion. The objective that brings such diverse industries together is 
their need to protect their intellectual property and their customers 
from those who would steal such property.
    Initially, we apologize for our short submission on this issue, but 
will work with the Subcommittee and staff to continue providing input 
on this issue and this bill. I begin first by underscoring the fact 
that our comments are limited to the relationship between WHOIS and 
trademark enforcement issues and the proposed new subparagraph (e) of 
Section 1117 of Title 15, United States Code and leave to my copyright 
industry colleague on the panel to address the proposed changes 
affecting the copyright law and copyright owners. It is clear, however, 
that most, if not all, trademark owners are also copyright owners and, 
therefore, we have a significant overlap of interest and agree with the 
copyright industry's views. Second, on behalf of IACC members, we are 
prepared to work with the Subcommittee and staff toward passage of a 
bill that provides effective protection for intellectual property 
owners and will result in a more effective WHOIS system that assists 
law abiding parties. We seek provisions that deliver what the Registrar 
Accreditation Agreement \1\ (hereinafter ``RAA'' or ``Agreement'') 
promises and that responds to internet users' ability to use WHOIS 
effectively.
---------------------------------------------------------------------------
    \1\ Registrar Accreditation Agreement (RAA) (17 May 2001) 
(Appendices posted: November 25, 2002, January 23, 2003, and April 3, 
2003). http://www.icann.org.
---------------------------------------------------------------------------
    Although different industries have different experiences and 
challenges when attempting to protect their intellectual property 
assets, one thing is clear, WHOIS is still problematic for many 
companies. In July 2001, I was asked to testify before this 
Subcommittee and did so, supporting the view that the WHOIS database 
not only needed to be publicly accessible, but accurate. In addition, I 
indicated that rather than legislation, the Registrars needed to meet 
the obligations of the Registrar Accreditation Agreement by ensuring 
the accuracy of information that is provided by registrants. This 
hearing is evidence that the hoped-for improvements of WHOIS have not 
occurred and my members have provided examples of the problems they 
encounter using WHOIS.
    The IACC's testimony will address two general issues. First, I will 
address the ongoing problems of WHOIS and the resulting elements of the 
current problems. Second, I will address the extent to which the 
proposed amendment might address the problem.

                        WHOIS: CURRENT PROBLEMS

    Essentially, two fundamental shortcomings undermine confidence and 
reliance on WHOIS:

         Inadequate obligations on Registrars to check 
        information submitted by applicants for Registered Names and

         Ease of applicants to submit false information and 
        continue using registered domain names.

    What is commonly referred to as the WHOIS database is the 
collection of information gathered by a Registrar concerning active 
Registered Names.\2\ On the one hand, the Registrar is required to 
obtain and maintain this information. On the other hand, the Registered 
Name Holders must enter into a registration agreement with Registrars 
and provide a minimum amount of accurate and up to date information 
regarding their contact information.\3\ Despite the RAA's provisions, 
there is not sufficient deterrence to stop the practice of individuals 
obtaining Registered Names by using false information. Some applicants 
have provided clearly bogus telephone numbers (000-000-0000 or 555-555-
5555), cities (Blahville, AH), zip codes (00000) or indicated that the 
contact information is not available (N/A) and have still successfully 
obtained Registered Names, indicating an absence of oversight by 
Registrars. There are times when existing addresses are used, but not 
one that actually belongs to the person operating the Registered Name. 
Another ploy of those who trade in counterfeit goods is to use a proxy 
service to obtain a Registered Name so that the contact information is 
that of the proxy service, which in turn may not have received accurate 
information from the person who seeks anonymity in the first place. 
This adds another layer for the person seeking to remain beyond the 
reach of the authorities, intellectual property owners, or consumers.
---------------------------------------------------------------------------
    \2\ RAA at 3.3 Public Access to Data on Registered Names. ``During 
the term of this Agreement:

  G3.3.1.  At its expense, Registrar shall provide an interactive web 
page and a port 43 Whois service providing free public query-based 
access to up-to-date (i.e. updated at least daily) data concerning all 
active Registered Names sponsored by Registrar for each TLD in which it 
is accredited. The data accessible shall consist of elements that are 
designated from time to time according to an ICANN adopted 
specification or policy. Until ICANN otherwise specifies by means of an 
ICANN adopted specification or policy, this data shall consist of the 
---------------------------------------------------------------------------
following elements as contained in Registrar's database:

  G3.3.1.1.  The name of the Registered Name;

  G3.3.1.2.  The names of the primary nameserver and secondary 
nameserver(s) for Registered Name;

  G3.3.1.3  The identity of Registrar (which may be provided through 
Registrar's website;

  G3.3.1.4  The original creation date of the registration;

  G3.3.1.5  The expiration of the registration;

  G3.3.1.6  The name and postal address of the Registered Name Holder

  G3.3.1.7  The name, postal address, e-mail address, voice telephone 
number and (where available) fax number of the technical contact for 
the Registered Name; and

  G3.3.1.8  The name, postal address, e-mail address, voice telephone 
number and (where available) fax number of the administrative contact 
for the Registered Name.
---------------------------------------------------------------------------
    \3\ 3.7.7 Registrar shall require all Registered Name Holders to 
enter into an electronic or paper registration agreement with Registrar 
including at least the following provisions:

  G3.7.7.1  The Registered Name Holder shall provide to Registrar 
accurate and reliable contact details and promptly correct and update 
them during the term of the Registered Name registration, including: 
the full name, postal address, e-mail address, voice telephone number, 
and fax number if available of the Registered Name Holder; name of 
authorized person for contact purposes in the case of an Registered 
Name Holder that is an organization, association, or corporation; and 
---------------------------------------------------------------------------
the data elements listed in Subsections 3.3.1.2, 3.3.1.7 and 3.3.1.8.

  G3.7.7.2  A Registered Name Holder's willful provision of inaccurate 
or unreliable information, its willful failure promptly to update 
information provided to Registrar, or its failure to respond for over 
fifteen calendar days to inquiries by Registrar concerning the accuracy 
of contact details associated with the Registered Name Holder's 
registration shall constitute a material breach of the Registered Name 
Holder-registrar contract and be a basis for cancellation of the 
Registered Name registration.

  G3.7.7.3  Any Registered Name Holder that intends to license use of a 
domain name to a third party is nonetheless the Registered Name Holder 
of record and is responsible for providing its own full contact 
information and for providing and updating accurate technical and 
administrative contact information adequate to facilitate timely 
resolution of any problems that arise in connection with the Registered 
Name. A Registered Name Holder licensing use of a Registered Name 
according to this provision shall accept liability for harm caused by 
wrongful use of the Registered Name, unless it promptly discloses the 
identity of the licensee to a party providing the Registered Name 
Holder reasonable evidence of actionable harm.

  G3.7.7.4  Registrar shall provide notice to each new or renewed 
Registered Name Holder stating:

  G3.7.7.4.1  The purposes for which any Personal Data collected from 
the applicant are intended;

  G3.7.7.4.2  The intended recipients or categories of recipients of 
the data (including the Registry Operator and others who will receive 
the data from Registry Operator);

  G3.7.7.4.3  Which data are obligatory and which data, if any, are 
voluntary; and

  G3.7.7.4.4  How the Registered Name Holder or data subject can access 
and, if necessary, rectify the data held about them.
    To the extent that the information was initially accurate, members 
have reported that attempts to contact some Registered Name Holders 
have been time consuming and expensive because information is not 
updated. One trademark owner, attempting to resolve a trademark 
infringement case, found that a business having a New York City address 
and contact information had moved to New Jersey two years earlier. The 
information about current location was obtained by the trademark 
owner's attorney going to the old address, learning that the business 
had moved and checking records held by the state, not the Registrar's 
WHOIS database.
    Based on our efforts to prepare for this hearing, members have 
provided a list of Registered Names that all had false information in 
the WHOIS database. A glance at the list leaves no question as to why 
false contact information would be used. One member company reported at 
least 15 cases of false WHOIS information during the past year when it 
tried to pursue those offering counterfeit goods. These sites 
facilitate the trade in counterfeit merchandise. As long as a name, 
phone number and other contact information appear to be legitimate, 
there is no verification by the Registrars, despite the language of the 
Agreement to verify the information.\4\
---------------------------------------------------------------------------
    \4\ RAA at 3.7.8 Registrar shall abide by any specifications or 
policies established according to Section 4 requiring reasonable and 
commercially practicable (a) verification, at the time of registration, 
of contact information associated with a Registered Name sponsored by 
Registrar or (b) periodic re-verification of which such information. 
Registrar shall, upon notification by any person of an inaccuracy in 
the contact information associated with a Registered Name sponsored by 
Registrar, take reasonable steps to investigate that claimed 
inaccuracy. In the event Registrar learns of inaccurate contact 
information associated with a Registered Name it sponsors, it shall 
take reasonable steps to correct that inaccuracy.
---------------------------------------------------------------------------
    The list of sites having false contact information associated with 
them has resulted in increased investigative and legal costs to the 
trademark owners. It is the IACC's position that the accuracy of 
registrant information is critical to allowing intellectual property 
owners to enforce their rights over the Internet and for providing 
consumers with some recourse against counterfeiters and pirates.
    If a businessman wants to acquire a Registered Name, if a parent 
wants to know who owns the website that is distributing harmful toys, 
if a consumer wants to know who owns the website that is offering 
discounted pharmaceuticals, or if a trademark or copyright owner wants 
to know who owns the Registered Name from which a counterfeit version 
of its products are being sold, they have one place to turn--WHOIS. We 
commend this effort to impose higher penalties on persons who 
deliberately disregard their obligations and submit false information. 
However, half of the problem may rest with the Registrars because of 
the absence of an effective method of verifying the information 
submitted to them, including cases in which the requested name appears 
suspicious on its face.
    Registrars, once on notice of false contact information, should be 
subject to a requirement that in such a case they must contact the 
registrant and if no accurate and verifiable contact information is 
provided in a short, fixed period of time, the site will be shut down. 
It is clear from the information collected by our members that the 
Registrars are not fulfilling their obligations to ensure the accuracy 
of the information it is receiving. Registrars should also have 
increased obligations to verify the information.

         PROPOSED AMENDMENT 15 U.S.C. 1117 AND CRIMINAL PENALTY

    The Subcommittee has proposed the following language to be added to 
Title 15 U.S.C. 1117(e):

        ``(e) In a case of a violation under this section, occurring at 
        or in connection with an online location, the violation shall 
        be considered to be willful for purposes of this section if the 
        violator, or a person acting in concert with the violator, 
        knowingly provided material and misleading false contact 
        information to a domain name registrar, domain name registry, 
        or other domain name registration authority in registering a 
        domain name used in connection with the online location, or in 
        maintaining or renewing such registration.''

    The IACC commends the effort to impose greater liability on those 
who provide false information regarding their contact information. The 
deterrent effect of the provision will depend upon the willingness of 
federal prosecutors to take cases and use these provisions in any 
prosecution of counterfeiting cases to increase penalties.
    Regarding the specific language, there is no current definition for 
``online location''. For specificity, this may mean the Registered Name 
for the domain name used by the person who has provided false contact 
information.
    Next, we recommend that the provision be broad enough to subject 
persons submitting any false information to these penalties. 
Essentially, anyone deliberately submitting any false information could 
be punished by the provisions of this bill. Thus, in addition to 
information such as an address, telephone and facsimile number, this 
could include internet protocol addresses and other possible 
information.
    In addition, in view of the existence of a definition of 
``violator'' as referenced in 15 USC 1114(2)(E), a clarification may be 
necessary to avoid any confusion.
    Next, in addition to the violator who provided the false 
information, we recommend that the provision also subject a person who 
causes false information to be provided to a Registrar to be 
sanctioned. Under the proposed language, it appears to be the intent 
that both a violator and a person acting in concert can brought within 
the scope of the provision.
    The IACC would support the proposal's applicability to persons who 
register and obtain names that are never ``used in connection with the 
online location''. This would subject those who obtain Registered Names 
through the use of false information, but do not have active websites, 
to the penalties intended by this proposal.
    In addition, IACC members believe that the proposal could be 
broadened to impose liability on parties who, having initially provided 
accurate information to obtain the Registered Name, thereafter fail to 
provide updated information. The current proposal addresses acts of 
affirmatively providing false information, but not willful refusals or 
failure to provide valid contact information thereafter. Registered 
Name Holders should be required to provide valid contact information 
not only upon renewal, but also during the course of each registration 
period within a certain period of time after the former contact 
information is no longer valid. This is asking Registered Name Holders 
to do nothing more than individuals are asked to do with a driver's 
license when there is a change of residential address or one moves to a 
new state and needs to obtain a new license.
    The IACC also supports the criminal sentencing recommendation as 
reflected in the bill to add the provision to Title 18, U.S.C. Section 
3559, although we have no opinion regarding the specific recommendation 
of seven years.
    Regarding the actual text of the proposed new paragraph in Section 
3559, the IACC is interested in learning of the possibility of 
including similar language in this Section that appears in the proposed 
15 U.S.C. 1117(e), referring to a person acting in concert with the 
defendant. Similar to our recommendation for 1117(e), we recommend a 
parallel provision to subject persons causing false information to be 
provided to be within the scope of Section 3559. This would encompass 
offenders who either directly submit false information or cause false 
information to be submitted.

        ``(e) SENTENCING ENHANCEMENT FOR FALSIFICATION RELATING TO 
        DOMAIN NAMES IN CONNECTION WITH OFFENSES.--The maximum 
        imprisonment otherwise provided by law for a felony offense 
        shall be increased by 7 years if, in furtherance of that 
        offense, the defendant knowingly provided material and 
        misleading false contact information to a domain name 
        registrar, domain name registry, or other domain name 
        registration authority in connection with a domain name 
        registration. For purposes of this subsection, the term `domain 
        name' has the meaning given that term in section 45 of the Act 
        entitled `An Act to provide for the registration and protection 
        of trademarks used in commerce, to carry out the provisions of 
        certain international conventions, and for other purposes' 
        approved July 5, 1946 (commonly referred to as the `Trademark 
        Act of 1946'; 15 U.S.C. 1127).''

    Given the linkage of this provision to another felony offense, it 
would seem that a defendant would have to be found guilty of 
trafficking in counterfeit goods under 18 U.S.C. 2320 to have this as a 
possible sentencing departure for the add-on. We would hope that this 
might encourage more federal prosecutors to accept counterfeiting 
cases.

                               CONCLUSION

    The IACC appreciates the opportunity to testify before the 
Subcommittee and will be happy to work with the Subcommittee in moving 
this bill forward. The IACC and its members will endeavor to provide 
information when possible. I will attempt to answer any questions the 
Members may have.

                               ATTACHMENT



    Mr. Smith. Mr. Evans.

  STATEMENT OF J. SCOTT EVANS, CHAIRMAN, INTERNET COMMITTEE, 
           INTERNATIONAL TRADEMARK ASSOCIATION (INTA)

    Mr. Evans. Good morning, Mr. Chairman. The International 
Trademark Association appreciates very much your invitation to 
testify on ways in which we can improve the accuracy of Whois, 
the database that contains contact information on registered 
domain names.
    INTA, which has served as the voice of trademark owners 
during the ongoing international debate on the running of the 
domain name system, is grateful to this Subcommittee for its 
diligence in ensuring that trademark owners have the right 
tools to protect their intellectual property in cyberspace and 
that consumers can make safe and informed choices when working 
online.
    This Subcommittee has already provided tremendous 
assistance by highlighting the importance of Whois, and through 
hearings like the one held last September, as well as through 
frequent contacts with the Department of Commerce and the 
Internet Corporation for Assigned Names and Numbers, also known 
as ICANN. Subcommittee Members know how important accurate 
Whois data is for intellectual property owners, law 
enforcement, and consumer protection interests.
    Only with access to accurate and up-to-date Whois data can 
the Internet be a safe environment that people and businesses 
can rely on with confidence. Only with accurate Whois data can 
trademark owners more easily resolve cybersquatting disputes 
and learn the contact details for owners of websites offering 
counterfeit products.
    ICANN has in place a registrar accreditation agreement that 
requires each domain name registrant to provide to domain name 
registrars accurate and reliable contact details. Domain name 
registrants are further required to promptly correct and update 
those details during the term of the registration. 
Unfortunately, despite these requirements, trademark owners 
have for many years been encountering instances of blatantly 
inaccurate or missing data, often from fictitious entities 
listing false addresses, as well as information that is simply 
out of date.
    My written statement lists several examples where trademark 
owners like Kodak, Nintendo, Nokia, and even the USO have 
encountered patently inaccurate Whois data when attempting to 
track down cybersquatters and online counterfeiters. This is 
not even the tip of the iceberg.
    There are thousands of examples where a trademark owner 
finds that the registrant of a domain name that is infringing 
its rights lives on Darth Avenue in Vader, California, or on 
Small Wok Way in Chopsticks Town, Wisconsin. Some of the more 
interesting names used by cybersquatters and counterfeiters are 
Buy This Name, or Nuclear Marshmallows, and even millionaire 
Thurston Howell III, who along with Gilligan resided on that 
uncharted desert isle we all tuned in to watch during the 
1960's.
    Some people might find this amusing, and if there wasn't so 
much at stake in terms of time and expense for trademark owners 
and safety and reliability for consumers, we might be able to 
laugh, as well. But there is a lot to be worried about. The 
problem of inaccurate Whois data and the failure on the part of 
domain name registrars and ICANN to enforce the provisions of 
the RAA has reached the point where many trademark owners no 
longer rely on Whois. It is simply too expensive and too time 
consuming and there is little prospect of positive results. 
Instead, trademark owners are forced to hire private 
investigators, sometimes at great expense, and, of course, 
consumers don't even have that option.
    There have been some recent attempts by ICANN to begin to 
address the problems of inaccurate Whois data. For example, 
thanks in large part to the efforts of this Subcommittee, 
amendment 6 to ICANN's and the Commerce Department's MOU 
includes a requirement that ICANN continue to assess the 
operation of Whois, implement measures to secure improved 
accuracy, and develop a strategic plan that includes a system 
for auditing material contracts like the RAA for compliance by 
all parties to such agreements. Once again, however, despite 
what appears in black and white, as well as repeated pleas by 
the intellectual property community, we have not seen any 
concrete steps by ICANN or domain name registrars to improve 
Whois accuracy.
    INTA, therefore, supports your efforts, Mr. Chairman, as 
well as those of Ranking Member Berman, to try and develop new 
statutory tools that will help accomplish this goal. We have 
recently received the Fraudulent Online Identity Sanctions Act 
from the Subcommittee staff and are in the process of reviewing 
the proposed language, which would amend the damages section of 
the Lanham Act. INTA looks forward to working closely with the 
Subcommittee and its staff to develop statutory language that 
will command the most support and strengthen the safety of 
online commerce by helping to ensure that domain name 
registrants provide accurate and reliable data for the Whois 
database.
    This concludes my opening statement. I thank the 
Subcommittee once again for the invitation to testify. I would 
be pleased to answer your questions.
    Mr. Smith. Thank you, Mr. Evans.
    [The prepared statement of Mr. Evans follows:]

                  Prepared Statement of J. Scott Evans

                            I. INTRODUCTION

    Good morning, Mr. Chairman. My name is J. Scott Evans. I currently 
serve as chairman of the Internet Committee of the International 
Trademark Association (INTA). I am a shareholder in the firm of Adams 
Evans, which is an INTA member. As do all INTA officers, board members 
and committee members, I serve on a voluntary basis. In addition to my 
volunteer service with INTA, I also volunteer as president of the 
Intellectual Property Constituency of the Internet Corporation for 
Assigned Names and Numbers (ICANN).\1\ My appearance before the 
subcommittee, however, is only on behalf of INTA.
---------------------------------------------------------------------------
    \1\ ``The Internet Corporation for Assigned Names and Numbers 
(ICANN) is an internationally organized, non-profit corporation that 
has responsibility for Internet Protocol (IP) address space allocation, 
protocol identifier assignment, generic (gTLD) and country code (ccTLD) 
Top-Level Domain name system management, and root server system 
management functions. These services were originally performed under 
U.S. Government contract by the Internet Assigned Numbers Authority 
(IANA) and other entities. ICANN now performs the IANA function.'' 
http://www.icann.org/general/.
---------------------------------------------------------------------------
    INTA is pleased to be here today to offer testimony in connection 
with this subcommittee's efforts to develop new criminal and civil 
enforcement tools to help curb online fraud.

                             II. ABOUT INTA

    INTA is a 126-year-old not-for-profit organization comprised of 
over 4,300 member companies and firms. It is the largest organization 
in the world dedicated solely to the interests of trademark owners. The 
membership of INTA, which crosses all industry lines and includes both 
manufacturers and retailers, values the essential role that trademarks 
play in promoting effective commerce, protecting the interests of 
consumers, and encouraging free and fair competition. During the 
ongoing international debate on the running of the domain name system 
(DNS), INTA has served as the voice of trademark owners in the United 
States and around the globe, working to ensure that their trademarks 
are protected and, more importantly, that consumers have a safe and 
reliable choice in cyberspace.

                        III. THE WHOIS DATABASE

A. Whois and Uses By Trademark Owners
    INTA is grateful to this subcommittee for its diligence in ensuring 
that trademark owners have the proper safeguards in order to protect 
their intellectual property in cyberspace. Measures such as the 
``Anticybersquatting Consumer Protection Act,'' \2\ have helped 
tremendously in curbing online bad-faith activity that harms not only 
trademark owners, but, more importantly, consumers who rely on 
trademarks to provide information that will enable them to make 
important decisions about the goods and services they purchase.
---------------------------------------------------------------------------
    \2\ Pub. L. No. 106-113, Sec. 3002, 113 Stat. 1501, 1537 (1999) 
(amending 15 U.S.C. Sec. 1125).
---------------------------------------------------------------------------
    Also, we are very pleased with your leadership, Mr. Chairman, in 
taking such a strong interest in the critical issue of ensuring the 
accuracy of contact data on registered domain names, which is typically 
known as ``Whois.'' \3\ Whois serves a vital role in preventing domain 
name fraud. Its uses include: law enforcement, consumer protection, and 
the protection of intellectual property rights. Only with access to 
accurate and up-to-date Whois data can the Internet be a safe 
environment that consumers can rely on with confidence. Trademark 
owners value Whois data in order to resolve domain name disputes (e.g., 
cybersquatting), learn the contact details for owners of websites 
offering counterfeit products or other infringement of intellectual 
property, manage trademark portfolios, provide due diligence on 
corporate acquisitions, and identify company assets in insolvencies/
bankruptcies.
---------------------------------------------------------------------------
    \3\ See, e.g., Letter from Chairman Smith and Ranking Member Berman 
to Secretary of Commerce Donald Evans regarding developments that 
affect the operation of the Internet, August 8, 2003 (``[I]t is vitally 
important to ensure public access to online systems like Whois.''); 
Oversight Hearing on Internet Domain Name Fraud--the U.S. Government's 
Role in Ensuring Public Access to Accurate Whois Data, September 4, 
2003.
---------------------------------------------------------------------------
    Today, there are basically two types of Whois: (1) free, 
interactive, publicly accessible web-based Whois data that can be found 
by going to any domain name registrar's website, finding the icon 
labeled ``Whois,'' ``clicking,'' and typing in a particular domain 
name; and (2) bulk Whois data that is the whole of a particular 
registrar's database, which can be purchased from a registrar. 
Trademark owners use both types of Whois.

B. ICANN Whois Requirements
    Since November 1998, the United States Government (USG) through a 
memorandum of understanding (MOU) has entrusted administration of the 
DNS to ICANN. Amendment 6 to the MOU was entered into on September 17, 
2003, extending the relationship between the USG and ICANN for another 
three years.\4\
---------------------------------------------------------------------------
    \4\ See http://www.ntia.doc.gov/ntiahome/domainname/agreements/
amendment6--09162003. htm.
---------------------------------------------------------------------------
    ICANN, upon its formation and as part of its initiative to expand 
the number of domain name registrars,\5\ crafted the Registrar 
Accreditation Agreement (RAA), a contract between itself and domain 
name registrars that addresses the obligations ICANN accredited 
registrars have with respect to domain names registered in the global 
top-level domain (gTLD) space.\6\ This includes the familiar suffixes 
of .com, .net, and .org, as well as gTLDs that were approved by ICANN 
in 2000: .info, .biz, .name, .pro, .museum, .coop, and .aero. In 
particular, the RAA requires that ICANN accredited registrars have all 
of their registrants enter into an agreement wherein each registrant 
``shall provide to Registrar accurate and reliable contact details and 
promptly correct and update'' those details during the term of the 
registration.\7\
---------------------------------------------------------------------------
    \5\ Today there are approximately 167 ICANN accredited registrars 
from 25 countries. http://www.icann.org/registrars/accredited-
list.html.
    \6\ RAA, at http://www.icann.org/registrars/ra-agreement-
17may01.htm.
    \7\ Id. at para. 3.7.7.1.
---------------------------------------------------------------------------
C. Problems with Whois Accuracy
    Unfortunately, despite the RAA requirement that registrants provide 
``accurate and reliable contact details,'' trademark owners have for 
many years been encountering instances of blatantly inaccurate or 
missing data often from fictitious entities listing false addresses, as 
well as information that is simply out of date. These are just a few 
examples of bad data that trademark owners have recently come across:

         (1) In a Uniform Dispute Resolution Policy (UDRP) \8\ case 
        involving the cybersquatting of www.nhlpenguins.com, the 
        individuals listed as administrative and technical contacts for 
        the contested domain name, Allen Ginsberg and Charles Bukowski, 
        respectively, are the names of deceased poets from the American 
        ``Beat Generation.'' The contact address listed in the Whois 
        records was the Russian Institute of Physics and Power 
        Engineering in a town 100 kilometers south of Moscow.\9\
---------------------------------------------------------------------------
    \8\ ``All ICANN-accredited registrars follow a uniform dispute 
resolution policy. . . . In disputes arising from registrations 
allegedly made abusively (such as `cybersquatting' and `cyberpiracy'), 
the uniform policy provides an expedited administrative procedure to 
allow the dispute to be resolved without the cost and delays often 
encountered in court litigation.'' http://www.icann.org/general/
glossary.htm#U.
    \9\ National Hockey League And Lemieux Group Lp v. Domain For Sale, 
IPO Mediation and Arbitration Center, Administrative Panel Decision 
Case No. D2001-1185.

         (2) When attempting to track down the registrant of 
        www.wwwsportauthority.com, the Sports Authority found that the 
---------------------------------------------------------------------------
        name of the registrant was replaced with a pornographic phrase.

         (3) The domain name www.kodakphotospot.com, was listed by its 
        owner as being for sale, does not provide an owner, 
        administrative, or technical contact address.

         (4) Intel Corporation discovered that a cybersquatter 
        registered the domain name www.intel64fund.com. (The Intel 64 
        Fund is a quarter billion dollar equity investment fund that 
        invests in certain technology companies.) The domain name 
        linked to a pornographic site. The Whois information provided 
        by the registrar listed ``Buy This Name'' as the owner. Also, 
        in a dispute involving www.pentium.org, Intel found that the 
        registrant's address listed in the Whois database was a P.O. 
        Box without a P.O. Box number.

         (5) In attempting to track down the owner of www.Nokia-
        uk.com, Nokia, the mobile communications company, found that 
        the domain name was registered in the name of: ``European 
        Distributor, Nokia UK Limited, Nokia Venture Partner, GB-
        Farnborough, GU14 0NG.'' The domain name was used to send 
        emails falsely representing that the sender was from Nokia. 
        Anyone checking the Whois directory would have believed the 
        owner of the domain name to be Nokia UK Ltd., which is based in 
        Farnborough, UK.

         (6) For the domain name www.harleydavidsonmotorcompany.net, 
        counsel investigating the ownership of the name found the 
        telephone and fax numbers were listed as ``+1.11111111111'' in 
        the Whois database.

         (7) Internet services company Verio discovered that the 
        registrant for the domain name www.1verio.com was 
        ``sunshinehh.'' The listed email address, which was 
        [email protected], was not operative, and attempts to send email to 
        it resulted in a bounce back.\10\
---------------------------------------------------------------------------
    \10\ http://arbiter.wipo.int/domains/decisions/html/2003/d2003-
0255.html.

         (8) Investigating the domain name www.amazonshopper.com, 
        Amazon.com found that the domain name registrar had accepted 
        the registration even with the registrant listing most of the 
        contact information as ``unknown.'' The telephone number for 
---------------------------------------------------------------------------
        the administrative contact was listed as ``+1.1234567891.''

         (9) When Nintendo attempted to track down the registrant of a 
        domain name that corresponded to one of its popular Pokemon 
        characters, www.gyrados.org, it found that contact fields in 
        Whois were filled with nonsense, such as ``asdasdsdaasdsa.''

        (10) In an attempt to track down the owner of a website that 
        was selling unauthorized ``USO Care Packages'' online, the 
        United Service Organizations (USO) found that the Whois 
        information listed an address in the Faeroe Islands (between 
        Iceland and Norway, administered by Denmark). This address was 
        not real. The USO has thus far been unable to locate the 
        registrant. As a result, there remains potential consumer 
        confusion and potential loss of goodwill for the USO if the 
        ``care packages'' contain goods of inferior quality.\11\
---------------------------------------------------------------------------
    \11\ See http://www.all-worlds-shopping.com/gifts&flowers/
care%20packages/uso-care-packages.htm. Whois information at http://
www.betterwhois.com/bwhois.cgi?domain=all-worlds-
shopping.com&x=42&y=15.

    Other examples of bad Whois data have included addresses like 
``Small Wok Way, Chopsticks Town, WI 00000'' and ``1412 Darth Ave., 
Vader, CA 93702,'' and domain name registrants listed as ``Nuclear 
Marshmallows'' and ``Thurston Howell III,'' a character from the 
television show ``Gilligan's Island.'' \12\ One might consider these 
blatantly false Whois entries as amusing.\13\ But, the truth is, they 
cost brand owners a great deal in terms of time and expense, and they 
put consumers at great risk.
---------------------------------------------------------------------------
    \12\ U.S. Franchise System v. Thurston Howell III, National 
Arbitration Forum, Claim Number: FA0303000152457, at http://www.arb-
forum.com/domains/decisions/152457.htm.
    \13\ ``The Professor's scientific prowess is not in dispute in this 
case, yet the Panel doubts that he would be able to create a means of 
accessing the Internet from little more than coconuts and knowledge of 
the type of technology that existed decades ago. Respondent can 
obviously afford to register a domain name; what is doubtful is the 
means (or desire) to do so from an uncharted desert isle.'' Id. at fn. 
1.
---------------------------------------------------------------------------
    Supposedly, there is a means for addressing these flagrant 
violations of the RAA. Paragraph 3.7.8 of the RAA stipulates:

        Registrar shall, upon notification by any person of an 
        inaccuracy in the contact information associated with a 
        Registered Name sponsored by Registrar, take reasonable steps 
        to investigate that claimed inaccuracy. In the event Registrar 
        learns of inaccurate contact information associated with a 
        Registered Name it sponsors, it shall take reasonable steps to 
        correct that inaccuracy.

Registrars also have the authority to cancel domain name registrations 
that are based on false contact data or whose owners do not make a 
timely response to an inquiry about allegedly false data. Paragraph 
3.7.7.2 of the RAA stipulates:

        A Registered Name Holder's willful provision of inaccurate or 
        unreliable information, its willful failure promptly to update 
        information provided to Registrar, or its failure to respond 
        for over fifteen calendar days to inquiries by Registrar 
        concerning the accuracy of contact details associated with the 
        Registered Name Holder's registration shall constitute a 
        material breach of the Registered Name Holder-registrar 
        contract and be a basis for cancellation of the Registered Name 
        registration.

    Regardless of these provisions, many accredited registrars have 
been lax in investigating and cleaning up registrations with false 
Whois data. The problem of inaccurate Whois data and the failure on the 
part of domain name registrars to ensure reliable data has reached the 
point that many trademark owners no longer seek assistance from the 
domain name registrar. It is simply too time consuming and there is 
little prospect of positive results. Instead, trademark owners are 
forced to hire private investigators, sometimes at considerable 
expense, to obtain the accurate contact data.
    Trademark and copyright owners have repeatedly drawn ICANN's 
attention to the problems with respect to inaccurate Whois data.\14\ 
There is, however, only one reported instance in which ICANN has 
advised a domain name registrar that it was in violation of the RAA's 
Whois provisions, specifically paragraph 3.7.8, and threatened to 
terminate the registrar's accreditation.\15\ Beyond this one case, we 
are not aware of any other time whereby ICANN has sought to enforce the 
Whois accuracy provisions of the RAA.
---------------------------------------------------------------------------
    \14\ In addition to the problems associated with accuracy, it 
should also be noted that trademark owners continue to have problems 
with respect to registrars granting accessibility to bulk Whois data. 
See, e.g. Letter from Jane Mutimear, then-president of the ICANN IPC to 
ICANN's then-general counsel Louis Touton, May 1, 2003, at http://
www.icann.org/correspondence/mutimear-to-touton-01may03.htm (``Denial 
of such access is a violation of the RAA, something that falls squarely 
within the purview of ICANN's enforcement responsibilities.''). We 
understand, however, that accessibility is not the focus of this 
hearing, but nonetheless want to state that accessibility remains of 
equal concern to INTA members.
    \15\ Letter from Louis Touton to Bruce Beckwith, Notice of Breach 
of ICANN Registrar Accreditation Agreement, September 3, 2002, at 
http://www.icann.org/correspondence/touton-letter-to-beckwith-
03sep02.htm.
---------------------------------------------------------------------------
D. DOC/ICANN MOU Amendments
    There have been some recent attempts by ICANN to begin to address 
the problem of inaccurate Whois data. For example, thanks in large part 
to the efforts of this subcommittee, Amendment 6 to the MOU, which I 
referenced earlier, includes a requirement that ICANN, ``Continue to 
assess the operation of WHOIS databases and to implement measures to 
secure improved accuracy of WHOIS data,'' \16\ as well as, by December 
31, 2003, develop a strategic plan that includes a review and 
augmentation of ICANN's corporate compliance program, ``including its 
system for auditing material contracts for compliance by all parties to 
such agreements.'' \17\
---------------------------------------------------------------------------
    \16\ This includes a requirement that ICANN ``publish a report no 
later than March 31, 2004, and annually thereafter, providing 
statistical and narrative information on community experiences with the 
Whois Data Problems Reports system.'' To date, INTA has not seen any 
increased effort by ICANN to publicize this system in order to collect 
data.
    \17\ MOU, Amendment 6, Article II (C)(10) & 14(d), at http://
www.ntia.doc.gov/ntiahome/domainname/agreements/amendment6--
09162003.htm
---------------------------------------------------------------------------
                        IV. LEGISLATIVE OPTIONS

    Once again, despite what appears in ``black and white'' in the MOU 
and the RAA, as well as repeated pleas by the intellectual property 
community, we have not seen any concrete steps by ICANN or domain name 
registrars to improve Whois accuracy. INTA therefore, supports your 
efforts, Mr. Chairman, as well as those of Ranking Member Berman, to 
try and develop new statutory tools that will help accomplish this 
goal. The subcommittee staff has recently shared with INTA the 
``Fraudulent Online Identity Sanctions Act,'' which would add a new 
Section 35(e) to the Lanham Act to make a violation specified in that 
section (i.e., infringement, dilution, counterfeiting, and 
cybersquatting) ``willful'' if it is committed in connection with an 
online site and with the provision of false registrant contact data. 
Proof of willfulness would permit a judge to impose higher monetary 
penalties against a defendant.
    While INTA is currently in the process of reviewing the proposed 
approach and language in the ``Fraudulent Online Identity Sanctions 
Act,'' particularly with regard to the broader implications for 
trademark law generally of expressly identifying one type of willful 
misconduct in the statute,\18\ we believe that the subcommittee is 
moving in the right direction in pursuing the concept of greater 
penalties against those who provide false Whois data. INTA, therefore, 
would very much like to work closely with this subcommittee and its 
staff to develop statutory language that will command the most support.
---------------------------------------------------------------------------
    \18\ The question of what is a ``willful'' act under trademark law 
remains a subject of debate. See, e.g., Koelemay, ``A Practical Guide 
to Monetary Relief in Trademark Infringement Cases,'' 85 Trademark Rep. 
263, 270 (1995) (``Those courts that retain a scienter requirement have 
not defined `bad-faith' or `willfulness' consistently. These cases have 
ranged from holding mere knowledge of the plaintiff's mark sufficient, 
to requiring a deliberate intention to infringe and to trade on the 
plaintiff's goodwill.'') (Citations omitted).
---------------------------------------------------------------------------

                             V. CONCLUSION

    Thank you for the opportunity to testify. Where accurate Whois 
information has been provided, trademark owners can often amicably 
resolve problems quickly and without the need to resort to legal 
proceedings, and the interests of consumers are well served. INTA looks 
forward to working with this subcommittee to strengthen the safety and 
reliability of the DNS and, in particular, to improve the accuracy of 
Whois data.

    Mr. Smith. Mr. Wesson.

  STATEMENT OF RICK H. WESSON, PRESIDENT AND CHIEF EXECUTIVE 
            OFFICER, ALICE'S REGISTRY, INCORPORATED

    Mr. Wesson. Thank you very much, Chairman Smith, Ranking 
Member Berman, and Members of the Subcommittee for this 
opportunity to testify on this important subject.
    I have followed and participated in Whois issues for nearly 
a decade. When a member of Mr. Berman's staff came to discuss 
intellectual property issues with the Registrars' Constituency 
at one of our interim meetings in Washington, D.C., the staffer 
enumerated the issues of Whois accuracy. He spoke of such 
problems as invalid and missing registrant data and provided 
examples that were obviously incorrect to even the most basic 
validation would have identified the domains as lacking correct 
or valid information.
    I initially thought that this task was too complicated and 
impossible and set out to prove myself wrong. Beginning in 
2001, I spent the next 18 months developing the technology to 
perform fraud analysis on electronic commerce transactions with 
the intent of solving the registrars' Whois data accuracy 
problems. The technology we developed was specifically targeted 
to identify invalid and undeliverable postal addresses, 
undeliverable e-mail addresses, and non-dialable telephone 
numbers.
    Understand that customers for Internet domains are a global 
population and registrars in France sell to customers in the 
United States and U.S.-based registrars sell domains to 
registrants in many countries. Performing analysis on the 
registrant data when the registrant is located in one of over 
200 countries is difficult, but not beyond the reach of all 
Internet-based businesses.
    Eventually, we learned how to correlate postal addresses, 
e-mail addresses, and telephone numbers with IP addresses and 
verify that they all existed in over 200 countries. Using this 
technology, we were able to make our business unattractive to 
individuals looking to fraudulently register domain names. It's 
simply an artifact of our anti-fraud technology that it 
prevents invalid registrant data.
    A case in point where I encountered fraudulent data 
occurred last year when some of my computers had been infected 
with a virus that gave control of the system to a third party 
without my knowledge. When I tracked down the hacker and 
discussed with them how I became infected, I learned that the 
hackers controlled over 3,500 computers, and for a fee, one of 
the operators offered to perform denial of service attacks on 
any network that I requested.
    I attempted to have the Whois of this domain that they used 
to perform these attacks deleted. I submitted a Whois update 
request through ICANN and eventually the domain's incorrect 
Whois was updated, but the domain was not deleted, allowing 
distributed denial of service attacks to continue. Shortly 
after the domain's Whois was updated, it was updated again with 
bogus information.
    Currently, this entire deception is completely legal. The 
same dynamic directly and immediately impacts trademark and 
copyright issues exactly the same way.
    We launched the service Fraudit, as in Fraud Audit, for 
registrars to increase their data accuracy at the ICANN--at the 
2002 ICANN meeting in Shanghai, China. To our surprise, 
registrars were somewhat angered to learn that someone had come 
up with a solution to the Whois data accuracy problem. 
Registrars appeared to believe that as long as no solution 
existed, there was no good reason to audit their registrant 
data. In fact, the only time that they performed self-audits 
was when the registrar was faced with a financial loss. 
Registrars have been hit hard with credit card fraud, and one 
large registrar had a rather embarrassing incident by nearly 
losing their merchant account, removing their ability to take 
credit cards over the Internet, all because of fraud.
    Although all registrars experience some credit card fraud 
and most have invested in mitigating that risk, they have not 
attempted nor invested in the ability to prevent the 
introduction of fraudulent registrant data. As long as a domain 
is paid for and the registrar is not hit with a credit card 
charge-back, there is no business reason to prevent invalid 
registrant data from the Whois system.
    My ultimate realization that ICANN, gTLD registries, and 
accredited registrars had no intention, desire, or incentive to 
audit their registrant data caused us to withdraw the product 
from the Whois accuracy space.
    I do support the proposed legislation as a step forward and 
hope it will deter those intent on registering domains with 
fraudulent contact data. While it might indeed have a deterrent 
effect, we cannot solely rely on industry regulation to prevent 
false and invalid registrant data from entering the Whois 
database.
    As it stands, the proposed legislation does not impact 
registrars. With no provision barring registrars from accepting 
fraudulent registrant data or requiring a registrar to prevent 
registrant--to verify registrant data, I expect the industry to 
continue on its present course. With no real-time analysis of 
registrant data on the front end, we're leaving it up to law 
enforcement to determine the accuracy only during an 
infringement investigation. With simple regulation, the 
registrars could validate the accuracy of their Whois data and 
law enforcement may uphold the law. Without it, law enforcement 
will just be swimming around in invalid data.
    It's that simple. The technology exists, but legislation 
needs to require a reasonable effort upon registrars' part to 
use it. Please add a requirement that registrars be involved in 
validating a potentially accurate representation of those they 
register. Don't miss this opportunity to evolve the Internet 
beyond the wild, wild West and to the safety of a civilized 
community.
    Thank you. I'd be happy to answer any questions you have.
    Mr. Smith. Thank you, Mr. Wesson.
    [The prepared statement of Mr. Wesson follows:]

                  Prepared Statement of Rick H. Wesson

    Thank you very much, Chairman Smith, and Ranking Member Berman, and 
Members of the Subcommittee for the opportunity to testify on this 
important subject. In the interests of full disclosure I am the Vice-
Chair and Chief Technical Officer of the Registrars Constituency within 
ICANN and also serve on the ICANN Security and Stability committee. 
Today I am testifying for my self as President and CEO of Alice's 
Registry Inc., an ICANN accredited Registrar.
    This testimony will address two main issues. First, I will address 
Whois data accuracy as a function of fraud in domain registrations by 
ICANN accredited registrars. Second, I will address the issues of this 
legislation and further goals to peruse.
    I've followed and participated in Whois issues for nearly a decade. 
When a member of Mr. Berman's staff came to discuss IPR issues with the 
Registrars' Constituency at one of our Interim meetings in Washington, 
DC, the staffers enumerated the issues of Whois accuracy, such as 
invalid or missing registrant data, examples given were obviously 
incorrect and even the most basic validation would have identified the 
domains as lacking correct or valid information.
    Beginning in 2000, I spent the next 18 months developing a 
technology to perform fraud analysis on electronic commerce 
transactions with the intent of solving registrars' Whois data accuracy 
problems. The technology we developed was specifically targeted to 
identify invalid and undeliverable postal address, undeliverable e-mail 
address, and nondialable telephone numbers.
    Understand that the registrants for Internet domain names are a 
global population. Registrars in France sell to registrants in the US 
and US based registrars sell domains to registrants in India and many 
other countries. Performing analysis on the registrant data when the 
registrant is located in one of over 200 countries is difficult but not 
beyond the reach of all but the largest Internet based businesses. We 
developed Fraudit, our fraud detection technology, because registrants 
were committing credit card fraud from Eastern Europe using addresses 
located in 2nt and 3rd world countries.
    Typical scams included using cities that did not exist within the 
country they stated they were in, or telephone numbers that were valid, 
but proved to be a directory assistance number. Often fraudsters would 
use e-mail addresses that were undeliverable, telephone numbers that 
did not exist at all, and postal addresses that could not exist.
    Eventually we learned how to correlate the postal address, email 
address, and telephone numbers with IP addresses and verify that they 
all exist, in over 200 countries. Using this technology we were able to 
make our business unattractive to individuals looking to fraudulently 
register domain names. It is simply an artifact that our anti-fraud 
technology prevents invalid registrant data.
    While it is easy for the untrained eye to see that the domains 
enumerated in Mr. Trainer's testimony are registered with inaccurate 
data, we provide three examples of domain name registrations in our 
written testimony that are more difficult to determine the accuracy of. 
While the Canadian and US registrations do contain a mix of accurate 
and inaccurate data, the domain registered to a registrant in INDIA, 
which appears suspect, is actually correct. Without special knowledge 
of each countries telephone-numbering plan, postal addressing system 
and special knowledge of Internet addressing and email delivery no 
human could be expected to be capable of validating registrant data for 
over 200 countries.
    A case in point where I encountered fraudulent data occurred last 
year when some of my computers had been infected with a virus that gave 
control of the system to a third party without my knowledge. When I 
tracked down the hacker and discussed with them how I became infected I 
learned the hackers controlled over 3,500 computers and for a fee, one 
of the operators offered to perform a denial of service attacks on any 
network I requested.
    I attempted to have the Whois of the domain that they used to 
perform these attacks deleted. The domain was igger.com and the host 
they used to coordinate these attacks from was named n.igger.com. I 
submitted a Whois update request through ICANN and eventually the 
domain's incorrect Whois was updated but not deleted, allowing the 
distributed denial of service attacks to continue. Shortly after the 
domain's Whois was updated, it was updated again with bogus 
information. Currently this entire deception is completely legal. The 
same dynamic directly and immediately impacts trademark and copyright 
issues exactly the same way.
    We launched the service Fraudit, as in ``Fraud-Audit'', for 
registrars to increase their data accuracy at the 2002 ICANN meeting in 
Shanghai, China. To our surprise registrars were somewhat angered to 
learn that someone had come up with a solution to the Whois data 
accuracy problem.
    Registrars appeared to believe that as long as no solution existed, 
there was no good reason audit their registrant data. In fact the only 
time they preformed self-audits is when the registrar was faced with a 
financial loss. Registrars have been hit hard with credit card fraud. 
One large registrar had a rather embarrassing incident by nearly 
loosing their merchant account, removing their ability to take credit 
cards over the Internet, because of fraud. Although all registrars 
experience some credit card fraud and most have invested in mitigating 
that risk, they have not attempted, nor invested in, an ability to 
prevent the introduction of fraudulent registrant data--as long as the 
domain is paid for and the registrar is not hit with a credit card 
charge back there is no business reason to prevent invalid registrant 
data in the Whois system. My ultimate realization that ICANN, gTLD 
registries and accredited registrars had no intention, desire, or 
incentive to audit their registrant data caused us to withdraw the 
product from the registrar Whois accuracy space.
    I do support the proposed legislation as a step forward and hope it 
will deter those intent on registering domains with fraudulent contact 
data. While it might indeed have a deterrent effect, we cannot solely 
rely on industry regulation to prevent false and invalid registrant 
data from entering the Whois database. As it stands, the proposed 
legislation does not impact registrars. With no provision barring 
registrars from accepting fraudulent registrant data or requiring a 
registrar verify registrant data, I expect the industry to continue on 
its present course. With no real-time analysis of registrant data on 
the front end we are leaving it up to law enforcement to determine the 
accuracy only during an infringement investigation.
    With simple regulation that registrars validate the accuracy of 
their Whois data, then law-enforcement can uphold the law. With out it, 
law-enforcement will just be swimming around in invalid data. It's that 
simple. The technology exists, but legislation needs to require a 
reasonable effort on registrars' part to use it. Please add a 
requirement that registrars be involved in validating a potentially 
accurate representation of those they register. Don't miss this 
opportunity to evolve the Internet beyond the wild, wild west toward 
the safety of any civilized community.
    Again, thank you for this opportunity to testify today and I am 
happy to answer any questions you have.







    Mr. Smith. Mr. Bohannon.

  STATEMENT OF MARK BOHANNON, GENERAL COUNSEL AND SENIOR VICE 
  PRESIDENT, PUBLIC POLICY, SOFTWARE AND INFORMATION INDUSTRY 
ASSOCIATION (SIIA), ON BEHALF OF COPYRIGHT COALITION ON DOMAIN 
                          NAMES (CCDN)

    Mr. Bohannon. Chairman Smith, Representative Berman, 
Members of the Subcommittee, it's always a privilege and a 
pleasure to appear before you and I want to commend and thank 
you for your continued focus on this critical issue to us.
    Your hearing last September in particular not only 
reinforced the critical role of Whois in protecting 
intellectual property and other vital issues, but it made a 
very real difference as the Department of Commerce renewed its 
MOU with ICANN, and I want to put that on the record and make 
sure that we're clear, that without your help, I don't think we 
would have gotten what we did in the MOU.
    I'm here today on behalf of the Copyright Coalition on 
Domain Names, which has worked since 1999 on this issue. Our 
members, who I'm sure you are very familiar with, are listed on 
the front of our testimony, but represent leaders in software, 
motion picture, recording, performance rights, and digital 
content.
    I know that and hope that my full testimony will be 
submitted for the record. Let me just emphasize a couple of 
points as we go into the question and answer period.
    The first is that Whois data is essential and there's not 
really much I can add to the testimony of my colleagues, the 
comprehensive record of this Committee, the excellent testimony 
of Mr. Edelman last September, who documented the fact that 
many of the domain name registrations for which there is 
inaccurate Whois data are, in fact, those engaging in illegal 
infringement and other activities.
    The second question is how will your legislation help solve 
this problem? The Whois database simply cannot perform those 
critical functions that we've all identified if the data is 
inaccurate, out of date, or otherwise unreliable. 
Unfortunately, I doubt there's anyone who has ever stood up and 
said that the Whois database is something that we can actually 
rely on.
    It's our view that it is time for Congress to act on this 
problem, and we believe that the legislation on the table at 
this hearing, H.R. 3754, takes the right approach. The 
legislation is focused and it is narrowly tailored. It deals 
solely with those already convicted of serious crimes or found 
liable for online infringements and who also have tried to hide 
their tracks, complicate the work of law enforcement, and 
undermine public confidence in e-commerce by deliberately 
inserting materially false contact data into Whois.
    Significantly, it does not create a new crime or civil 
cause of action, and it does not target those with contact 
information that is either stale or outdated, and it does not 
penalize inadvertent or immaterial errors in Whois data, and it 
does not interfere in any way with domain names used for 
legitimate purposes.
    In our testimony, we identify three initial areas that we 
would like to work with the Committee on clarification. Mr. 
Chairman and Ranking Member Berman, we appreciate your 
willingness to say that there will be further work on this.
    The three points are that, first, we believe it has to be 
made absolutely clear that providing false Whois contact data 
is not the exclusive way of proving willful infringement in the 
online environment. I don't think that's what anyone intended, 
but we just have to make sure that willfulness remains, as it 
is today, a flexible concept.
    Secondly, and I believe this emphasizes Mr. Berman's point, 
we believe the bill should address directly the role of the 
U.S. Sentencing Commission to make sure that Congress's intent 
is fully carried out.
    And third, we would apply the criminal provisions not only 
to those who knowingly submit false contact information, but to 
those who knowingly cause such information to be submitted, 
since registrant contact data is not always submitted directly 
to a registrar but often goes through an intermediary.
    In sum, while some further tinkering in the language in the 
proposal before you today may be needed, CCDN is pleased to be 
here to support the legislation in principle and we commend 
your leadership in introducing it and look forward to working 
to see it enacted.
    The third point is, what further steps should we consider? 
I don't think any of us are under any illusions that this 
legislation is a panacea, that ultimately we see this 
legislation as one element of a broader strategy to make 
comprehensive progress to improve the accuracy and currentness 
of Whois contact data. It is clear that domain name registrars, 
the resellers, the domain name registries have key roles to 
play in this area.
    The reality is that today, far too many registrars and 
registries do far too little to screen out false contact data, 
don't bother to verify or spot check data, and don't even 
bother to respond promptly in many cases to complaints.
    We all are familiar with the current framework that imposes 
contractual obligations to drive accessibility and accuracy. 
The reality is that ICANN simply has not effectively enforced 
them. You've heard some of the reasons today. I think there are 
others that we might want to discuss in Q and A.
    Thanks in large part to your oversight, we do have an 
updated MOU with ICANN that underscores the depths of concerns 
of the U.S. Government on the issues of Whois accuracy and 
accessibility. There are a number of obligations of ICANN, and 
unfortunately, we've already seen one key deadline, the end of 
the year, pass without a strategic plan. We have another one 
coming up at the end of March, where we will hopefully get a 
solid update on what is going on with what ICANN is doing with 
Whois accuracy and reliability. We'll see what they have to say 
at that time. But if we don't hear anything, we think Congress 
must seriously consider stepping in.
    We look forward to working with all the key participants 
together in a collaborative way to increase the incentives on 
domain name registries and registrars to demand accurate data, 
to take reasonable steps to verify the accuracy of such data, 
and in the end, to cancel registrations of those registrants 
who refuse to live up to this obligation.
    Thank you again for the opportunity to testify and I look 
forward to answering any questions that you may have.
    Mr. Smith. Thank you, Mr. Bohannon.
    [The prepared statement of Mr. Bohannon follows:]

                  Prepared Statement of Mark Bohannon



























    Mr. Smith. It's nice for those of us who are Members of 
this Subcommittee to have a panel of four witnesses basically 
in agreement on almost every point, and that's a rare thing 
sometimes.
    Mr. Trainer, let me address my first question to you, and 
perhaps to Mr. Wesson, as well, and thank you. You made a half-
a-dozen suggestions on provisions that we ought to include in 
the bill, and to me, they're good suggestions and we'll look at 
them seriously.
    My question, Mr. Trainer and Mr. Wesson, is this. We really 
have two problems with registrars. One, we have the problem 
that either they aren't or won't verify the information they're 
given. Maybe they don't have the incentive. For whatever 
reason, the information is not being verified by the 
registrars.
    The other half of the problem, and I think you noted this, 
Mr. Trainer, is that they're not able to verify the 
information. They just don't have the tools they need to verify 
what they're given. How would you solve that problem with the 
registrars?
    Mr. Trainer. Well, one of the things that I think I noted, 
and hopefully correctly, is in reviewing the Registrar 
Accreditation Agreement, frankly, I felt that there was a lack 
of obligation, affirmative obligation, on the registrars to 
truly act, and if they didn't, where was the liability on the 
registrars if they didn't act?
    I think Mr. Wesson has raised a very interesting issue with 
regard to maybe there's, if not a full solution, a partial 
solution, and that is technology. Given the fact that we have 
many companies out there every day trying to come up with new 
and better things, it's hard to believe that there's not 
someone out there that can write a software program certainly 
to identify some of the basic problems that we have found 
through our Members. So I think it's really, as he said, if 
they felt that there was no solution out there, why would they 
bother to take the next step?
    So I think we have to put a little more pressure on the 
registrars and we're more than happy to work with you and your 
colleagues here on the panel with regard to the way in which we 
may do that with regard to registrars.
    Mr. Smith. Okay. Thank you, Mr. Trainer.
    Mr. Wesson?
    Mr. Wesson. Certainly, the registrars didn't know that 
there was a way to do this until about 18 months ago, and it is 
difficult for any business that's on the Internet that needs to 
be able to validate address, telephone, postal information for 
200-plus countries where all of your customers might reside, 
and we don't want to leave a space so that people can 
constantly register in one place and you know that it's going 
to be fraudulent because we can't perform analysis from that 
particular country.
    As far as having the registrars participate in a program 
like this, one would be cost, and two, that there's nothing 
right now that, as a registrar, as long as you're paid, then 
what's the problem? There's no incentive. There's no business 
reason to require accurate information.
    Mr. Smith. Okay. Thank you, Mr. Wesson.
    Although it was Mr. Evans, I think, that gave examples a 
while ago that there are just some common sense types of 
information that were given that were still being accepted 
without any question, and that was disappointing, as well.
    Mr. Evans, let me ask you about ICANN. I think you pointed 
out that, or you were disappointed, as I am, that ICANN really 
has not taken very many steps. In fact, I think they've really 
only gone after one registrar when it comes to supplying 
inaccurate information and that doesn't seem to me to be a 
particularly good faith effort to try to clean up the system 
itself.
    Mr. Bohannon, you pointed out that we're getting the first 
report from the MOU at the end of March. I think it's due March 
31, and I'm not particularly hopeful about what that may or may 
not show us.
    But in any case, my question to Mr. Evans and Mr. Bohannon 
is this. What is your opinion so far of ICANN's performance and 
what specifically should we do to try to persuade or make them 
do a better job of providing consumers and attorneys and 
businesses with more accurate Whois data. Mr. Evans?
    Mr. Evans. Well, in my opinion, ICANN's progress today is 
typical. For people who have followed the activities of ICANN, 
I think while they have begun some type of process with regards 
to Whois accuracy, it is one that is mired in discussing the 
process rather than one in coming up with concrete results and 
solutions to a problem. So I would say it's typical and it's 
mired in squabbling over process rather than actually moving 
forward, which tends to bog a lot of ICANN's progress down.
    With regards to what this Subcommittee can do to assist 
ICANN is I'm not so sure that you all can do anything to assist 
ICANN, but you can give tools to trademark owners, intellectual 
property owners, to be able to go to the registrars or the 
individuals and/or companies that participate in these 
activities and reckon from them the just penalty for their 
unfortunate activities.
    Mr. Smith. Thank you, Mr. Evans.
    Mr. Bohannon?
    Mr. Bohannon. Mr. Chairman, I want to make sure I answer 
the question as clearly as I can, but I think it's important to 
distinguish between the overall mission of ICANN and the 
particular role of ICANN with regard to Whois issues.
    With regard to the first, CCDN has actually not taken a 
position on the overall mission of ICANN. I can say for my own 
personal association's point of view, we continue to believe 
that ICANN remains the most viable way of avoiding complete 
Government regulation of the Internet in terms of the domain 
name registration process, and we think it is generally headed 
in the right direction with regard to that.
    With regard to the second question about what it is doing 
to enforce the contracts and make sure that Whois data is 
available, I would have to give it a grade of D or D-minus. I 
think we're talking about some really serious problems here, 
some of which have to do with elements of the accreditation 
agreement, some of which have to do with the practical 
economics, some of which have to do with time commitments, 
priorities. We're simply not seeing any pressure to say to the 
registrars, this is something you're obligated to do. What are 
you doing about it? What are you doing to hold them 
accountable? So that's the bottom line on that.
    Mr. Smith. Thank you, Mr. Bohannon.
    The gentleman from California, Mr. Berman, is recognized 
for his questions.
    Mr. Berman. Well, thank you, Mr. Chairman.
    This issue of the feasibility of the registrars playing a 
greater role in obtaining accuracy and the incentive, 
incentives to do it, how do the registrars normally get paid? I 
assume by credit card in most cases. Is that a reasonable 
assumption?
    Mr. Wesson. That's correct, sir.
    Mr. Berman. I mean, they certainly have an incentive to do 
something to ensure that the credit card they're being given is 
that person's credit card and that payment will be made. What 
do they do to determine that the person registering for the 
domain name is providing a valid credit card which will be 
paid?
    Mr. Bohannon. There's actually no way to determine the 
association of the contact information with the cardholder, and 
that's a global problem. In the United States, a registrar will 
simply charge the card and hopefully use some of the security 
features available in processing that card, and then if the 
card is not--if the transaction is not disputed by the 
individual that owns the card, they get to keep the money.
    Mr. Berman. When you go through checking out the person who 
owns that card, does that provide information that the 
registrar could then include on the--in terms of domain name 
information?
    Mr. Wesson. No, sir. There's no way to correlate 
cardholders with any kind of registrant information.
    Mr. Berman. But there would be a way, at least in some 
cases, to assume the cardholder would know where to get the 
accurate information about the domain name owner.
    Mr. Wesson. Actually, it's very difficult and there's no 
capabilities as credit card processors to retrieve the 
information about the credit card holder. So we can't even 
contact them----
    Mr. Berman. You're basically checking with a credit card 
company and they're saying this card is a valid card and--and 
if the money is paid and no dispute is sent about the bill, 
that's--all you have is that it was valid.
    Mr. Wesson. Yes, sir. This is how credit card transactions 
work generally over the Internet.
    Mr. Berman. Some people argue that this legislation, and 
more particularly, some of the future amendments that you're 
suggesting and we're contemplating, encroaches on an 
individual's legitimate expectation of privacy. Mr. Bohannon, 
how would you respond to that? Are we proposing and 
contemplating measures which would be invasive of legitimate 
privacy concerns?
    Mr. Bohannon. I think, Mr. Berman, the privacy question is 
an important one, but I think it's also a red herring in this 
area. I think--our view is that, in fact, accurate, up-to-date, 
reliable Whois will do more to promote privacy than the 
existing system since, as we know from the studies that most of 
the misinformation--those registrations that have bad 
information are, in fact, those engaging in identity theft, 
fraud, copyright infringement, trademark infringement, and 
that, in fact, an accurate Whois will go far toward promoting 
privacy. That is, if someone is, in fact, engaging in identity 
theft, taking your information, we have a better chance of 
tracking that person down or that entity down than we did 
before.
    I think that with regard to those websites that may be 
registered by individuals, which I think is probably the more 
sensitive issue, in principle, we work with intermediaries and 
proxy services who can, in fact, keep that information, and so 
long as it is accurate and readily available, we have no 
problem with that.
    I think that the expectation of privacy question, when 
you're talking about a domain name--not an e-mail address but a 
domain name--is really very, very different than, I think--that 
it really doesn't raise the issues that you're talking about.
    Mr. Berman. It's like applying for a business permit in the 
city. There are certainly expectations and you want to have a 
license to do business, you provide certain information about 
the place and ownership of the business.
    On the other side of the coin, for people who seek domain 
names in order to--let's put it in the most important, say, 
first amendment areas. They want to send a political message 
and they want to maintain anonymity because they're fearful of 
repercussions. I mean, this came up in the non-digital world 
many years ago in the case about the membership lists of the 
NAACP and things like that. Is there anything here that would 
be intrusive of some fundamental right to association and----
    Mr. Bohannon. Not at all. I think because the bill does not 
create a new crime for providing, knowingly providing or 
causing to provide, hopefully, misinformation, we're really 
talking about a class of people that have already been, in 
fact, found to have been guilty of a Federal crime. So I don't 
think we're talking about creating a new crime here that would 
raise the kind of issues that you talk about.
    Mr. Berman. But are any of you suggesting that we alter 
this bill to create a new crime on the--are you all comfortable 
with the approach where essentially this becomes an additional 
liability or an additional sentence, either civil or criminal 
liability, for the posting of a false domain name? Do you find 
that to be the best way to approach this issue?
    Mr. Evans. I certainly think you avoid some of the privacy 
concerns, because unless you're using the domain name to 
violate a crime that already exists and you have in association 
with that supplied the false and misleading information, you 
don't--you're not guilty of anything. So if you are perhaps an 
individual that wants to rail against a particular point of 
view and are concerned about your privacy, you never fall 
within the legislation at all.
    Mr. Berman. If what you do isn't a substantive crime----
    Mr. Evans. That's correct.
    Mr. Berman.--providing false information will not----
    Mr. Evans. That's correct.
    Mr. Smith. Thank you, Mr. Berman.
    The gentleman from Virginia, Mr. Goodlatte, is recognized 
for his questions.
    Mr. Goodlatte. Thank you, Mr. Chairman. I very much 
appreciate your holding a hearing on this very important 
subject. I have an opening statement I'd ask be made a part of 
the record.
    Mr. Smith. Without objection, the opening statement will be 
made a part of the record.
    [The prepared statement of Mr. Goodlatte follows in the 
Appendix]
    Mr. Goodlatte. Thank you. Mr. Trainer, can you comment on 
the global scope of this problem? Mr. Wesson testified that the 
registration of Internet domain names is a global undertaking. 
Registrars in France can sell domain names to U.S. entities as 
well as to entities from other countries. What can we do in 
America to ensure that registrars in other countries require 
accurate registration information?
    Mr. Trainer. I'm not sure that I'm the best person to be 
able to respond to that one----
    Mr. Goodlatte. We'll give anybody else that wants to jump 
in an opportunity.
    Mr. Trainer.--but given that our members and my interaction 
with our members is really to deal with the counterfeiting/
piracy issues, certainly it is important globally because they 
are--the multinationals are active globally.
    So I think--I find it very interesting, what Mr. Wesson has 
raised with regard to possible technological fixes. I think, 
again, what we talked about earlier, about possibly looking at 
this and placing more burden on the registrars to actually have 
a more affirmative role here, to look at what they're getting 
and verifying what they're getting rather than sitting back and 
simply accepting credit cards and the cash payments. But yes, 
it's an issue that I think would affect our members around the 
world.
    Mr. Goodlatte. Anybody else want to jump in on that? Mr. 
Wesson?
    Mr. Wesson. I believe that the only--the only entity that 
really has any oversight over them would be ICANN. I don't know 
how effective they would be or if they would even have the 
capability to do anything about it, but----
    Mr. Goodlatte. Is ICANN attempting to put forth any 
protocols on what steps should be taken to assure accurate 
information when they set these up?
    Mr. Evans. I think ICANN is spending a lot of time talking 
about the process of how they should go about doing that, but I 
don't think they've offered any solutions.
    And I would also point out that, you know, the Internet is 
not something that is so different from the rest of industries 
that exist in the brick-and-mortar world that we should worry 
about the global implications. There are many international 
corporations that do business in the United States and are 
subject to our laws. So I think that putting forth and 
promulgating statutory solutions for businesses that choose to 
do business in the United States is the right step if we can't 
get solutions elsewhere. And the fact that there may be 
international institutions involved, they accept the benefits 
of doing business in this country and they will have to assume 
the risk, as well.
    Mr. Goodlatte. Thank you. Mr. Wesson, I believe that 
technology such as yours will go a long way toward determining 
the accuracy of domain registration information. However, as 
you point out in your testimony, these types of technologies 
can only be leveraged when domain name registrars have the 
incentives to use the information derived from the technologies 
to make registration information accurate.
    In your opinion, what would be the most effective way to 
encourage these registrars to ensure the accuracy of domain 
name registration information?
    Mr. Wesson. That's a very good question, sir, and 
unfortunately, I don't have an answer for you. I do not know, 
and I have worked at some length to convince registrars that it 
is in their best interest and in the best interest of the 
Internet community that this job be undertaken, and I was 
unable to convince them. I do not know the best methodology to 
do that.
    Mr. Goodlatte. Anybody else have any thoughts on that 
subject? Let me ask Mr. Bohannon or Mr. Evans, what additional 
steps do you believe need to be taken to encourage domain name 
registrants to provide--and registrars to ensure accurate 
registration information?
    Mr. Bohannon. Mr. Goodlatte, good to see you. Thank you for 
coming today. I like your question. In our testimony, we're 
very clear that we see this bill not as a panacea but as one 
step toward a comprehensive effort to improve accuracy. 
Clearly, we've got to focus on the registries, the resellers, 
and the registrars.
    We don't come with a proposal, but we look forward to 
working with this Committee and all the stakeholders to sit 
down and say, we've got to come up with some real incentives 
for the registries and the registrars to demand accurate data, 
to take reasonable steps to verify, and in the end, to cancel 
registrations for those registrants who aren't living up to 
what they're supposed to be doing.
    We don't come with preconceived notions, but we've got to 
figure out a way, with the oversight and leadership of this 
Subcommittee, to get all the key players together to figure out 
how we can do that together.
    Mr. Goodlatte. Thank you.
    Mr. Evans. Just let me echo Mr. Bohannon's comments. We 
look forward to working with this Subcommittee and its staff to 
help craft solutions. We see that the pending legislation is a 
move in the right direction and we are hopeful that, working 
with the staff and the Subcommittee, that we can together 
collectively come up with creative solutions that will move us 
forward in order to solve the problem that I think we all have 
identified.
    Mr. Goodlatte. Very good. Thank you, Mr. Chairman.
    Mr. Smith. Thank you, Mr. Goodlatte, and thank all the 
witnesses today for their testimony. As I mentioned at the 
outset, it's been very, very useful and we will, I suspect, 
adapt a lot of the suggestions that you all made for additional 
provisions in the bill. You are welcome to continue your 
comments between now and markup, but we very much appreciate 
your input today. Thank you all.
    We stand adjourned.
    [Whereupon, at 11:04 a.m., the Subcommittee was adjourned.]

                            A P P E N D I X

                              ----------                              


               Material Submitted for the Hearing Record

Prepared Statement of the Honorable Bob Goodlatte, a Representative in 
                  Congress From the State of Virginia

    Mr. Chairman, thank you for holding this important legislative 
hearing regarding the ongoing problem that fraudulent domain name 
registration information poses for the safety and fairness of the 
Internet.
    ``WhoIs'' databases consist of the names, addresses, email 
addresses, and phone numbers of domain name registrants. While many 
Internet users wish to maintain anonymity, this information is crucial 
to law enforcement officers trying to locate and detain criminals who 
use the Internet to perpetrate crimes, including those who falsify 
their identities to perpetrate crimes against children.
    In addition, in the digital age, one of the most crucial hurdles in 
enforcing intellectual property rights is to determine the identities 
and locations of the infringers. Accurate ``WhoIs'' data enables IP 
owners to find violators quickly in order to defend their property 
rights. WhoIs data is also essential to finding perpetrators and 
alerting potential online targets regarding network attacks.
    With the advent of additional top-level domain names and due to the 
stiff competition among registrars in the registration of these new 
domain names, some argue that currently there is an incentive for 
registrars to turn a blind eye to false information or to overlook many 
of the requirements to monitor and keep track of accurate ``WhoIs'' 
data. Further complicating the problem is the fact that there are 
relatively few enforcement tools to punish those that provide 
fraudulent domain name registration information.
    H.R. 3754, the ``Fraudulent Online Identity Sanctions Act,'' is one 
additional arrow in the quivers of law enforcement officials, 
intellectual property owners, network security specialists and 
consumers. This bill will provide greater penalties for providing 
fraudulent contact information to a domain name registry, when the 
perpetrator uses the online location in connection with trademark and 
copyright infringement, or in connection with federal criminal 
offenses. I applaud the introduction of this legislation and look 
forward to hearing from the expert witnesses on the merits of the bill.
    Thank you again for holding this important hearing.

                              ----------                              

    To the honorable Chairman Lamar Smith,

    The undersigned registrars commend the Subcommittee for 
highlighting the issue of Whois accuracy. It is a complex topic of 
importance to governments, intellectual property interests, the 
Internet sectors, and individuals and organizations registering domain 
names. Because Whois data must be available to third parties under 
current ICANN policies, both privacy and accuracy concerns are 
involved. Registrars respectfully submit the information below to round 
out the various issues related to data accuracy.

The Bill

    The current draft of the bill seems to impose additional liability 
on persons who knowingly provide false data when registering a domain 
name--the ``registrants'' or their representatives acting on their 
behalf. While it appears to target bad actors who have already been 
found by a court to have violated provisions of the Lanham Act and the 
Copyright Act, to the extent that the bill would create liability for 
registrars, we would favor textual clarification of that point. Based 
on an understanding that the bill does not create liability for 
registrars, we are not taking a position to oppose the bill and, in 
fact, we support the bill's overall goal of improving data accuracy.

    We look forward to continuing to work with your Subcommittee on 
this bill. If upon closer examination, issues of concern are noted, we 
would respectfully request the opportunities to work with you and your 
staff on suggestions and amendments to this language.

What is the Whois

    Essentially, the Whois is a database of contact information about 
domain name registrants. It is accessed through the websites of 
registrars or registries, as well as through technical means by the 
registrars and registries, themselves. Due to vigorous competition in 
the registrar market, the provision of Whois data may vary among 
different registries - the operators that maintain the list of 
available domain names within their extension - and registrars - the 
organizations, such as the undersigned, that maintain contact with the 
client and act as the technical interface to the registry on the 
client's behalf.

    Currently for the generic top-level domains (gTLDs) .com and .net, 
the registry holds a 'thin' Whois, which has a limited subset of the 
Whois information in the registrars' Whois database (registrar name, 
name servers and expiry date). The registrar for each domain name holds 
the 'thick' Whois, which contains more detailed information. A lookup 
for the same name at the registrar will also include details of the 
registrant, administrative, technical and billing contacts.

    In the case of the country code top-level domains (ccTLDs) such as 
.uk for the United Kingdom and .de for Germany, and the new gTLDs such 
as .biz and .info, both the registries and registrars generally hold 
the 'thick' Whois. However, the level of detail kept by the registries 
will vary. While gTLDs hold full information, some ccTLDs have no 
information immediately available. The ccTLDs' rules are often shaped 
by their jurisdictions' privacy and other laws.

    Over the last couple of years there has been a debate within ICANN 
(the domain name oversight body) and among various governments over 
Whois information, with intellectual property owners on one side 
arguing for greater access and more Whois details, and privacy 
advocates arguing for greater privacy protection of and less publicly 
available personal data. Full and accessible Whois details are 
important to IP owners for the monitoring of trademark infringements 
and to determine whether a particular individual has developed a 
pattern of cyber squatting activities. Consumers have grown increasing 
more concerned about the privacy of their personal contact information 
as they are increasingly victimized by bad actors, which include 
spammers, fraudsters, and stalkers who mine the Whois database for 
unscrupulous purposes.

    The broad interest in Whois privacy protection and accuracy has 
prompted a policy development process within ICANN. ICANN's counsel 
wrote a report regarding the issues and processes surrounding Whois and 
privacy. The GNSO Council reviewed the report and launched three task 
forces, which are currently working with the full support of registrars 
on these matters. The goal of the process is to identify the 
experiences and interests of the relevant stakeholders - providers, 
users, and consumers - and arrive at a technical and policy solution 
that balances these interests and concerns. The results and education 
from these processes can feed into improved ICANN policies, helping to 
hasten a solution.

Current Safeguards

    Even while working through this process, various registrars already 
use accuracy processes, including:

         updating a registrant's data upon notice;

         taking down a registration if inaccurate information 
        is not cured in a timely manner;

         sending notifications to all customers reminding them 
        to update their data or face the risk of the registration being 
        taken down or put on hold; and

         checking credit cards prior to registration to 
        minimize fraud.

    Despite such precautions, the savvy cyber squatter can sneak 
through. He can use stolen credit cards or credit cards that are in 
good standing; provide apparently valid information, and update it to 
other seemingly valid addresses when prompted. But, credit card 
companies' privacy rules prohibit use of their data for other purposes, 
such as Whois verification. There simply is no guarantee that persons 
intent on registering a domain name with invalid data can be stopped 
and anyone who offers automated filters cannot claim to have found a 
comprehensive solution.

Privacy

    What seems to help, actually, is increased privacy protection on 
the Whois database. Many individuals and even corporations today seek 
greater privacy - to avoid spam, to safeguard addresses, and for many 
other valid reasons (illustrated below). Recent legal cases illustrate 
the great harm caused by the unscrupulous taking and use of openly 
available Whois data.

    Such efforts to increase privacy should not be confused with 
complete anonymity, however. A responsible registrar that increases its 
customers' privacy would also be able to provide legitimate interests, 
such as trademark holders and law enforcement, with access to the 
information they need. The benefit for all parties is that greater 
privacy would encourage registrants, who are justifiably concerned 
about unfettered free-for-all access to their emails or phone numbers, 
to provide accurate data if it is protected.

    While we do not oppose this bill, subject to the statements in our 
opening comments, we believe that its goals would be strengthened if 
paired with legislation facilitating greater privacy.

Illustration of Fraud Problems Associated with Mining the Whois 
        Database

    Registrants have been hit by fraudulent, abusive and annoying 
solicitations directed at their contact information mined from the 
public Whois database. Below is only a sample of the many instances in 
which scam companies have mined the Whois database.

    The issues span the gamut from outright fraud to stealing credit 
card information, to fear-instilling ``renewal'' notices, to annoying 
and unwanted spam solicitations. Few instances of Whois abuse involve 
simple, non-deceptive transfer solicitations. Too many registrants have 
fallen victim to credit card schemes, or have paid registration fees to 
unscrupulous marketers who pass themselves off as the registrar, using 
deceptive marketing techniques, only later to learn that they have paid 
a non-refundable fee to a shady company.

    Highlights (or more accurately, low points) include:

         Credit Card Fraud: Perpetrators of a credit card 
        fraud scheme mined the automated Whois database to obtain a 
        registrar's customer contacts and sent deceptive ``renewal'' 
        notices to its customers. There is reason to believe that tens 
        or hundreds of thousands of customers received the fraudulent 
        email. There was no way of knowing how many of the customers 
        fell prey to the scam and provided their credit card 
        information, but suspect that the number may be in the 
        hundreds. The dollar value of the harm inflicted on the 
        customers could range from the hundreds of thousands of dollars 
        to the millions of dollars, depending on whether their credit 
        cards were charged prior to cancellation, and on whether the 
        above scam is a part of a larger identity theft ring. The 
        perpetrators of the fraud repeatedly circumvented efforts to 
        shut down the site's operation and re-launched it with the same 
        or different hosting providers.

                 These types of scams, known as ``phishing,'' 
                are increasing in popularity among fraudsters, and are 
                particularly difficult to locate and stop, especially 
                given the global nature of the Internet.

         Renewal Scams: Another scheme relies upon Whois 
        information that has been mined to inundate registrants with 
        misleading ``renewal'' solicitations. These solicitations do 
        not explain that registrants who accept the solicitation will 
        actually be transferring their domain name registrations away 
        from their current registrar. To the contrary, the 
        solicitations are designed to induce customers to falsely 
        believe that the solicitations were sent by or on behalf of 
        their registrar, and/or that they were required to ``renew'' 
        their registrations with the sender of the notices or they will 
        risk losing the ability to use their domain names altogether.

                 Customers may believe they are simply 
                ``renewing'' their existing registrations and 
                unwittingly pay and transfer their domain names. In 
                many instances, customers who seek to unwind these 
                transactions are unable to recover their money.

                 Customers induced to ``renew'' their 
                registrations have lost email records, contact 
                directories, and other benefits attached to their 
                accounts.

                 Other customers, believing that the reseller 
                is affiliated with their registrar complained that 
                their privacy has been violated by the aggressive 
                solicitation campaign and even erroneously accused 
                their registrar of selling their contact information.

    Sincerely,

    Network Solutions, LLC
    Bulk Register
    Register.com
    Melbourne IT

    Cc: Ranking Democrat Berman

                              ----------                              

    February 13, 2004

    The Honorable Lamar Smith
    Chairman
    U.S. House of Representatives
    Committee on the Judiciary
    Subcommittee on Courts, the Internet
    and Intellectual Property
    B-351-A Rayburn Building
    Washington, D.C. 20515

        Re: Fraudulent Online Identity Sanctions Act

    Dear Chairman Smith,

    Network Solutions, LLC (``Network Solutions'') submits this letter 
to the Subcommittee on Courts, the Internet and Intellectual Property 
(``Subcommittee'') concerning proposed H.R. 3754 otherwise cited as the 
Fraudulent Online Identity Sanctions Act (``FOISA''). Network Solutions 
writes to address concerns raised under the current version of the 
draft bill.

    The consensus of the bill's proponents, as reflected in their 
testimony before the Subcommittee on February 4, 2004, seems to support 
a narrow interpretation of the bill in terms of criminal or civil 
liability. Network Solutions would agree with this interpretation of 
the bill. Certain provisions of the bill, however, raise concern that 
prosecutors or intellectual property rights holders may nevertheless 
seek to hold registrars liable under its provisions should the bill 
become law. The bill would add an additional provision to Section 35 of 
the Trademark Act of 1946 that states, ``(e) In a case of a violation 
referred to in this section, occurring at or in connection with an 
online location, the violation shall be considered to be willful for 
purposes of this section if the violator, or a person acting in concert 
with the violator, knowingly provided material and misleading false 
contact information to a domain name registrar, domain name registry, 
or other domain name registration authority in registering a domain 
name used in connection with the online location, or in maintaining or 
renewing such registration.'' The bill also proposes an amendment to 
the Copyright Act containing similar provisions.

    In carrying out their ICANN accredited functions, domain name 
registrars provide contact information to registries when registering 
domain names. Registrars do so at the time of an initial domain name 
registration and whenever registrants update their contact 
information--during the maintenance or at the renewal of said domain 
name registration.

    Additionally, as noted in prior testimony before the Subcommittee, 
registrars are obligated under their agreements with ICANN to 
investigate complaints of inaccurate Whois data and to take action, if 
warranted, in response to those complaints. The receipt by registrars 
of complaints about inaccurate Whois data could raise a question of 
notice, albeit inconsistent with the intent of this bill, that could be 
put forward by parties seeking to impose liability on registrars. 
Although such a construction would be beyond the bounds of a reasonable 
interpretation of this bill, Network Solutions suggests that such 
claims can be anticipated.

    As noted in the testimony of Mr. Mark Bohannon of the Copyright 
Coalition on Domain Names, ``[t]he legislation is focused and narrowly 
tailored. It does not create any new crime or civil cause of action; it 
does not target those whose registrant contact information has grown 
stale or outdated; it does not penalize inadvertent or immaterial 
errors in Whois data; and it does not interfere in any way with the 
activities of those who register domain names and use them for 
legitimate purposes. Instead, it targets the 'bad actors' who are using 
the Internet to commit crimes, infringe on intellectual property 
rights, or commit cybersquatting. It focuses solely on those already 
convicted of serious crimes, or found liable for online infringements, 
and who also have chosen to try to hide their tracks, complicate the 
work of law enforcement and undermine public confidence in e-commerce 
by deliberately inserting materially false contact data into Whois.''

    Since proponents of the bill believe that the provisions are 
narrowly tailored to target ``bad actors'' who have violated the 
Trademark Act or Copyright Act, inclusion of an explicit exemption for 
ICANN accredited registrars and registries, when acting in the normal 
course of their accredited functions, would be consistent with the 
intent of the bill and would add clarity to relieve the above stated 
concerns held by registrars under the current draft version of the 
bill.

    Network Solutions would be happy to provide proposed language to be 
included in the bill and would welcome the opportunity to further 
discuss this matter at your convenience.

    Sincerely,

    X

    Brian Cute
    Director of Policy
    Network Solutions, LLC

    Cc: Ranking Minority Leader Berman

