Arguments for Recalling WIPO RFC3
and Proposal for DNS/TM Resolution

Ed Gerck
Copyright © 1999 by E. Gerck and MCG. See Note.
All rights reserved, free copying and citation allowed with source and author reference.

Please see the revised and condensed version of this paper in First Monday, April 1999 issue, at
http://firstmonday.org/issues/issue4_4/gerck/

INTRODUCTION

The World Intellectual Property Organization (WIPO) [WIPO] is an organization founded through a treaty by States, which has 171 States of the World as members, essentially establishing international frameworks for each of the rights that make up intellectual property, and systems for obtaining international protection of such intellectual property rights. However, there is a large diversity in worldwide legislation, as each member State is sovereign and may have different rules, rights and trademark limitations -- including the recognition of famous trademarks.

The Internet Corporation for Assigned Names and Numbers (ICANN) [ICANN] is a US non-profit corporation under the laws of California [ICANNa],  that was formed to take over the US responsibility for the IP address space allocation, protocol parameter assignment, domain name system management,  and root server system management functions now performed under U.S. Government contract by IANA and other entities [ICANNb]. However, ICANN's policies also have a worldwide reach, not only because the Internet is worldwide but also due to the fact that as of March, 1999, more than 25 governments and international organizations have already endorsed ICANN as the body to set Internet policy matters [Cuk99]. However, each world State is sovereign in their own management of their ccTLDs namespaces such as .us (US), .jp (Japan), .de (Germany), .br (Brazil), etc. -- besides the gTLDs, such as .org., .com, .net, etc. which are not country-specific but are managed according to US laws.

On June 5,1998, the U.S. Government called upon several organizations, including WIPO and ICANN,  to: (1) develop recommendations for a uniform approach to resolving trademark/domain name disputes involving cyberpiracy, (2) recommend a process for protecting famous trademarks in the generic top level domains, and (3) evaluate the effects, based on studies conducted by independent organizations, of adding new gTLDs and related dispute resolution procedures on trademark and intellectual property holders. This action was based on the Statement of Policy on the Management of Internet Names and Addresses (the "White Paper"), issued by the National Telecommunications and Information Administration (NTIA) [NTIA], an agency of the United States Department of Commerce.

In response to NTIA, WIPO has produced the document RFC3 [RFC3], which is one of the subjects of this essay. But, already, WIPO is using their proposed RFC3 to provide a justification for WIPO's own commercial activities in domain name arbitration for the .io domain, as announced and sold in [IO99] and [WIPOb]. However, domain names in the .io domain are provided on a first-come first-served basis [IO99] -- which tends to maximize arbitration costs, later on to be collected by WIPO. The unfortunate ethics and the conjunction of legislative and judicial powers jointly performed by WIPO under the practical model they have set forth in [RFC3], [WIPOb] and [IO99] is also a subject of discussion in this paper, compounded by the fact that the executive power is tied in under WIPO by the respective domain registrar [IO99].

Also in response to NTIA, ICANN has proposed Guidelines for Accreditation of Internet Domain Name Registrars and for the Selection of Registrars for the Shared Registry System Testbed for .com, .net, and .org Domains [ICANN]. These Guidelines will be used in competitive registration services for DNS designations worldwide, and thereby will impose rules upon anyone that will need to register a DNS -- also private users, not only companies. But, contrary to WIPO [IO99, WIPOb], these Guidelines were not applied before the consultation process ended -- nor will ICANN profit from a maximization of conflicts. In fact,  ICANN asked for public comments whether the proposed regulation in [ICANN] is adequate and fair for its intended purpose -- also targeting the trademark versus DNS issues. However, ICANN's Guidelines have also come under criticism [Cuk99].

One of the next ICANN tasks is to review WIPO's RFC3 recommendations on the settling of trademark-domain name disputes -- and is also taking suggestions from brand holders. For example, Bell Atlantic, co-holder of the famous mark "BELL",  issued comments [Bel99] to [ICANN] -- where Bell Atlantic contends that we are witnessing widespread trademark abuse in DNS references, as provided in several DNS registrars worldwide, which have gone out of current controls and seriously menace previous rights by trademark owners -- specially famous marks like "BELL".  However, this conclusion is not materially supported by the arguments that Bell Atlantic themselves present in [Bel99], as discussed in [Ger99b] and summarized here -- which also seriously undermines the factual base presumed by WIPO to justify RFC3.

As the above paragraph shows, the issues dealt with by ICANN, WIPO, Bell Atlantic and others under the motivation of NTIA's request, are intertwined enough to justify their joint appraisal for a critique of RFC3, in this paper -- in a broad view.

This essay shows that WIPO's RFC3 document is basically flawed in more than ten major technical areas and should be recalled in totum. Otherwise, pursuing the RFC3 recommendations will just lead to harm worldwide e-commerce, the Internet itself, Internet security, the public trust on business marks-- and, most importantly, users and consumers.

The essay supports some other views of Bell Atlantic and major brand holders to WIPO, but specifically in the suggestion that domain names not be squandered or brokered. In addition, this essay advances that a positive answer to the US's NTIA requests is possible. However, only by taking a quite different approach and by providing for a separation of powers.
 

1. WIPO'S POSTULATED CONFLICT WITH THEIR JURISDICTIONAL MATTERS

The RFC3 specifically postulates that "Internet Domain Names have come into conflict with the system of business identifiers that existed before the arrival of the Internet and that are protected by intellectual property rights" -- which matters are under the jurisdiction of WIPO.

The question arises whether this WIPO "declaration of conflict" is justified.

In other words, even though Internet Domain Names are surely a human friendly form of Internet addresses and they are also used to designate Internet addresses where businesses may be reached, are they also "business identifiers" for the specific purposes of intellectual protection rights?

If they would be business identifiers or marks, then in WIPO's RFC3 words, enforcing intellectual property rights would be useful, since: "The exclusive right to the use of the mark enables the owner to prevent others from misleading consumers into wrongly associating products with an enterprise from which they do not originate." Thus, if Internet Domain Names are business identifiers then they should allow customers to associate products with a business. But, they do not.

In fact, Internet Domain Names highest security threat comes from such association -- which is fully unwarranted and forewarned against by every Internet Certification Authority (CA), browser's on-screen instructions to users, and security work groups such as the Internet Engineering Task Force (IETF), the Meta-Certificate Group (MCG) and also so handled by Network Solutions, Inc. (NSI), the current exclusive registrar for the gTLD .com, .org and .net domains as appointed by the United States.

Instead, Internet Domain Names in naming conventions such as e-mail addresses, DNSs and IPs are actually just convenient mirages in the worldwide Internet. For example, it is perfectly possible for a site that ends with .jp (i.e., Japan) to be hosted in the USA -- so, just by the DNS convention one cannot affirm anything about the site's whereabouts, contents, owner or business branch. Further, such names can be diverted to different Internet locations by URL-hijacking, router intervention, malicious JavaScript, etc.

Thus, the bottom line is that Internet Domain Names are not business identifiers as RFC3 postulates, which negates the very conflict that is stated by WIPO to provide a need for RFC3 within WIPO. This conclusion is further supported by the next discussions.
 

2. WIPO'S REPORTED EXTENT OF CONFLICT IS CONTRADICTED BY CONTEXT

In RFC3 WIPO declares that there is a large conflict between Internet Domain Names and marks. Indeed so it may seem to the reader  -- "The scope of infringing activities is staggering",  as Bell Atlantic reported [Bel99] and testified before the WIPO Panel of Experts, "over a nine month period we logged nearly 600 separate instances of infringement for our famous BELL mark in the existing gTLDs -- .com, .net and .org alone."

As usual, data without a verifiable context has no meaning -- so, the question arises -- what is the meaning of the "600 cases" reported by Bell Atlantic?.

First, Bell Atlantic did not report how the "BELL" trademark was identified in the DNS references. Perhaps, they mean any DNS registration that uses the word "bell" within other letters, defining the occurrence of trademark infringement regardless of use, likelihood of confusion, commercial nature of the site, etc. [Mue99]. Given that "BELL" is a pretty common English name and is also present in other languages, also inside words, it is probably a gross overstatement to consider every occurrence of "bell" a trademark infringement on Bell Atlantic's "BELL" trademark -- for example, is the site www.belle-epoque.com a problem? Or, the threat of www.bellow.net? But, perhaps, Bell Atlantic means only registrants attempting to use the word "bell" which are actually connected to telephone products and services. Thus, since Bell Atlantic does not report on these issues, the next calculation will consider the best case for their analysis and total in all 600 cases -- also without taking into account rejoinders by the other side.

Second, NSI reports in [NSI99] that it currently receives 500,000 applications/quarter -- so, approximately 1,500,000 in a nine month period. The Bell Atlantic's reported number of DNS problems, in their terms (i.e., as above), is only 0.04% of all cases of DNS registration of NSI. If we consider the worldwide Internet, with all other ccTLDs, it is much less than 0.04%.

The third question is how much reported "BELL" possible copyright infringements are reported on average for a nine month period from all other sources -- such as business names registrars, copyright registrars, simple use, etc. Given the novelty of the Internet, even without comparative data that would be necessary to access the relative importance of that -0.04% from the Internet alone vis a vis all other sources, it is already clear that this is hardly an issue that justifies harassing +99.96% of Internet users.

However, Bell Atlantic declares  "Based on the testimony of Bell Atlantic and many other brand holders, the World Intellectual Property Organization will soon be issuing final recommendations to ICANN."  -- and also "In view of this history of brand abuse under the current system that Bell Atlantic and the other members of the Private Sector Working Group, INTA (sic), AIPLA, ICC and other members of the business community have well documented,... is a problem that should be among the top issues to be considered and addressed directly in the goals and principles of registrar accreditation. "  Which declarations, however, lack the material base for the arguments, if we take the data provided by Bell Atlantic in the proper perspective as -0.04% . Rather, the data indicate a lack of extent of abuse.

In discussing the lack of extent of the alleged infringements, it is also important to note that Bell Atlantic as a brand holder have chosen their infringement metric to be "number of cases", not "amount lost in business". However, "amount lost in business" is probably much lower, as discussed in other items.

Thus, the entire argument line of nearly 600 cases in a nine month period seems to contradict itself. Indeed, -0.04% of all cases is not an issue that seem to justify harassing +99.96% of all cases -- and may just be included in the usual cost of doing business and defending one's own viewpoints in a competitive global society.  Possibly, considering the fact that "BELL" is a very common word and word fragment, other brand holders will count less than 0.04% of potential infringements -- thus, again, denying the very conflict assumed by WIPO that would justify their extension into a regulation of  Internet matters.
 

3. WIPO ASSUMPTIONS NOT GRANTED EVEN IF ONE-SIDED

Notwithstanding what has been explained in items (1) and (2)  above, if WIPO one-sidedly views or wants Internet Domain Names to be viewed as business identifiers, it should become aware that the basic requirements for a business identifier or mark are directly denied by the underlying DNS protocol.

Internet Domain Names are not stable references -- the first notion, according to some experts, that define the possibility of a mark that can serve as a business identifier. I doubt someone could trademark a cloud formation -- which is however a good metaphor for Internet Domain Names.

Further, Internet Domain Names are not even objective as a cloud is -- they are simply references that depend on references, which are again references. They are intersubjective [Ger97, Ger98a]. Thus, no one can be objectively certain to any degree that they reached the correct Internet address when they type an Internet Domain Name. I doubt someone could understand a mirage on the Sahara desert of a reference of a cloud formation to be a business mark -- which is however and again a good metaphor for Internet Domain Names.

On another aspect to the lack of objective reality, there are personal names which are oftentimes used in Internet Domain Names -- but do they they really point to a specific person? No, and this is a common local misconception -- that a name, even a personal name, has a meaning per se. As Nicholas Bohm reports for the UK [Boh97a]: " And there are many countries, such as the United Kingdom, where people can change their names without formality or official records, and can use several names for different purposes, none of which are more truly theirs than any other.  (Authors and entertainers commonly use several names.)".

Now, of course, in some cases the rules may vary -- as in Texas, when one cannot use a different name longer than two months without registering it. But,  there are thousands of "J. Smith" in California so that they do not pay the monthly unlisted fee in phone directories -- not because they are called "J. Smith". And, the "real" J. Smiths cannot even complain.

Thus, Internet Domain Names do not need to have any specific relationship that one could rely upon in order to associate them with something else -- even when a personal name is used. They are just a syntactic reference, perhaps mnemonic, perhaps made up to be distinguished or even purposefully obscure or ambiguous, perhaps inactive or even deleted tomorrow.

Another aspect is that an Internet site may have a perfectly non descriptive and non trademarked name, such as www.123abc.com and still infringe several trademarks by its contents and goods sold. This means that site content can be much more harmful to brand holders than simply a similar site name but with unrelated goods -- which can however be solved under existing regulations.
 

4. UNWARRANTED ASSOCIATION -- SECURITY FLAW

As discussed in Items (1) and (3), Internet Domain Names are address identifiers which may point to any Internet host in the world, to any business and may even be diverted without anyone noticing it. Thus, it is a basic security flaw to proceed with WIPO's RFC3 and try to associate Internet Domain Names with stable, objective, well defined marks. They are not and never will be, by TCP/IP Internet design.

There is an ongoing education effort on the Internet, to explain to users what Internet Domain Names are -- and what they are not. Even, and specially, when such understanding may increase the user's doubts. Companies, associations, groups, discussion lists and individuals have invested much time and resources in order not to provide ground for unwarranted associations. This can be seen in commercial browser's on-screen user messages such as this one from Netscape: "...you cannot check the identity of the web site."

However, WIPO's RFC3 goes blatantly against such principles and implies an Internet address assurance which simply does not exist and is even denied by the TCP/IP design.
 

5. "THIRD-CLASS" TRUST ASSOCIATION

As items (1, 3, 4) show, Internet Domain Names are on the same trust level as a cloud mirage on the Sahara when used as business identifiers.

However, by using them in RFC3, WIPO will not be able to increase their public trust as business identifiers -- which is one of NTIA's motivations. Why? As shown in [Ger98a], trust is qualified reliance on received information. The degree of trust is measured by reliance extent, clearly reduced here by denying the very fabric of traditional rules that WIPO's member States must follow when issuing a trademark -- and which consumers need to rely upon.

In this analysis, Internet Domain Names under RFC3 would then become "third-class" business identifiers, one that is not quite a mark, one which history no one is sure of or can verify. Which negates the very purpose of RFC3 and denies truth -- since an Internet Domain Name cannot possess the basic trust qualities that would qualify it to be a mark under current and tried trademark agreements.

Moreover, lack of trust here will negate trust there, by association [Ger98a] -- which will hurt the investments of companies in their good-will and business identification for traditional commerce.
 

6. WRONG MARKET MOTIVATION

What is the message that WIPO RFC3 is sending to the market, with its apparently unreasonable restrictions and imposed  clauses [Fro99], coupled with the perceived lack of trust on Internet Domain Names as stable and objective as a "real" mark should be?

Perhaps, it would force the way to a worldwide "generic" movement on Internet names for e-commerce -- for example with non denominated product auction sales sites, where the user places a bid for a good from a non denominated supplier as we can already see today.

Which can have positive sides for e-commerce at the beginning but will, however, glitch on the lack of a mechanism to adequately represent and sustain reputation -- one of the prime factors of a valuable mark -- as a deterrent factor against a non denominated supplier's default.
 

7. WRONG CERTIFICATION

As discussed in Item (1), Internet Domain Names are address identifiers. However, do they authenticate a business site? Do they provide some degree of assurance that the address has been reached?

No, on both counts.

First, note that the Internet is an open system, where the identity and origin of the communicating partners is not easy to define. Each user controls only their end of the connection -- and no one controls both ends at the same time. Further, the communication path is non-physical and may include any number of eavesdropping and active interference possibilities. Thus, Internet communication is much like anonymous postcards, which are answered by anonymous recipients. Further, these postcards are open for anyone to read -- and even write in them [Ger97].

This means that Internet Domain Names have routing problems which are actually a feature of the Internet TCP/IP packet traffic design and which cannot be avoided. So, they need to be solved in an additional design layer -- which is the principle behind Internet protocols and their reliability. On the Internet, reliability is not obtained by a "perfect" process but by redundancy employing "real-world" and per se unreliable processes.

The standard solution to the routing problem is to use cryptographic authentication by means of digital certificates to assure that communication is happening between the desired endpoints -- for example, also including real-time challenge response authentication to avoid replay attacks. This has been ignored by WIPO's RFC3.

In this regard, the ITU-T Recommendation X.509 (which has been implemented as a de facto standard) defines a framework for the provision of authentication services, under a central control paradigm represented by a "Directory". It describes two levels of authentication: simple authentication, using a password as a verification of claimed identity; and strong authentication, involving credentials formed by using cryptographic techniques [Ger97].

The WIPO RFC3 however intends to provide a type of "business certification" (i.e., a mark) by means of simple Internet Domain Name unchallenged protocol authentication, without cryptographic challenge response and without even a password. This is clearly technically wrong and is by itself a sole reason to recall RFC3 -- as it imposes what the Internet denies.

The consequences?

The problems that may be caused by false certification or no certification mechanisms can range from a "man-in-the-middle" attack in order to gain knowledge over controlled data, to a completely open situation to gain access to data and resources [Ger97]. It is important to note that these problems do not disappear with encryption or even a secure protocol such as SSL. If the user is led to connect to a spoofing site, which appears to be what he wants, he may have a secure connection to a thief and that will not make it safer.

To make matters worse, and as already commented, DNS hijacking can make connections to www.good.com go to www.bogus.com -- without anyone noticing it, even if you know that "bogus" is bad. Further invalidating any presumed routing that an Internet Domain Name might have locally acquired by trusted repeated use -- such as www.amazon.com. Each Internet connection is a new one and each connection may go through different routers, even on the other side of the globe, which can be compromised without user control or perception.

Thus, identity certification, or at least origin authentication, is a must in order to really define a business identifier -- which points out the direction that WIPO could have followed on this matter in order to define stable and objective references.

However, WIPO's RFC3 notion of "business authentication" behind the use of Internet names as marks cannot help but may harm -- by implying a level of security which is simply fictional.
 

8. WRONG ADDRESS MODEL

The "parochial model" of the Internet that is thus at the base of WIPO's RFC3 breaks down easily when we recognize that all machines and addresses are essentially peers in the Internet. The DNS system is only hierarchical to the extent that one branch follows another but there is no imposed relationship whatsoever between machines in different branches or even in the same branch. For example, the .ml.org domain has several fully unrelated machines in it, in different parts of the world.

Thus, RFC3 confuses the extent of a worldwide Internet address model, where no one controls both sides of a connection, all Internet Domain Names are peers and any machine (i.e., possibly business site, possibly hacker) can be made to respond to any name (i.e., would-be mark in RFC3) by a variety of techniques [Ger97] which the user cannot distinguish... and eventually learns not to rely upon but for routing purposes only, never as a business identifier per se.
 

9. WRONG THEORY

What is a name? What does it reference? What does a name mean? When I communicate over the Internet with an entity that has an Internet Domain Name, what can I suppose about the entity if I rely on that Name's significance to me?

Perhaps, one's tentative conclusion is that when one exchanges communications with an entity that uses a common name, one generally relies on being able at least to find behind that name either a particular mind or particular assets or, a particular business. This thought implies a referential model of meaning, similar to Plato's view of referential forms. This is the theoretical name model followed by RFC3.

To better investigate this, suppose we express the general concept of a name, as a sign or a symbol -- e.g., my name is a symbol for myself. Now, for example, if I see footsteps on the sand (i.e., a symbol, a name) then  I generally rely on the existence of someone that walked by (which is the meaning or cause of the footsteps), or, if I see smoke (i.e., a symbol, a name) then I rely on the existence of fire, and so on. Or, as in the above questions, I would expect to find a particular mind or particular assets, or particular business bearing a causal relationship to that name -- which would provide meaning to that name in my communication.

However, this model breaks down as I exemplify in [Ger98a] and Frege [see Ger98a] has shown around 1910.

Paraphrasing one of Frege's examples, if I tell you "I will photograph the Morning Star" or if I tell you "I will photograph the Evening Star" then, clearly, the two phrases have the same reference (i.e., the planet Venus) but one describes it as the last celestial body to disappear at dawn and the other as the first one to appear at dusk -- thus, they have different senses or meanings. The same can happen with Internet Domain Names.

If  I see a site with a Domain Name "www.gifts.com" -- what do they sell?

Presents -- as the English word "gift"? No, perhaps they distribute poison as the German word for it (and pronunciation) is the same. Or perhaps, they simply count all visitor's URLs (which they can automatically collect upon entry) as the "General Insurrection on Free-Trade Support" movement -- whatever that name may mean to them. As another example, if an Internet Domain Name is www.amazon.com -- do they sell trips to the Amazon?
 

10. DENIAL BY SIMILARITY

Bell Atlantic, as a metaphor for a brand holder of a famous mark, can certainly find many telephone numbers in the world which can be dialed as CALL-BELL ...which they then could choose to designate as mark infringements by interpreting those numbers in the ABC code. And, not only leading to many more than 600 cases (as they report for the entire Internet) but all linked to telephone services -- the actual application area of their mark "BELL".

However, all legally allowed uses -- since they are simply routing designations. Similarly, on the Internet. Which seems to deny the reasoning of [Bel99], as derived from a pre-existent and similar case.
 

11. CONFUSING "WHO" WITH "WHERE"

A general concern of RFC3 is to find mechanisms to curb cyberpiracy, by resorting to trademark registration and arbitration rules. However, while the concern on cyberpiracy is justified and even required by NTIA's "White Paper" [NTIA], RFC3 misses the issue by focusing on "who" and not on "where" -- thus imposing privacy penalties in its attempt. Indeed, no trademark can be anonymously granted -- which would imply no Internet Domain Name could be protected under RFC3 terms if anonymous. While this issue will be taken up in item (12)  on privacy versus security grounds, this item concerns itself with the underlying assumptions. As we can read in the following section of [Bel99], where the proposed ICANN rules for Internet Domain Name (DNS) registration are criticized by Bell Atlantic based on trademark protection arguments:

"We are, therefore, disturbed by the language in Guideline 4 that limits a registrars information only the information required to make a registration. That phraseology suggests that there could be even less information identifying domain name holders than is available today. For example, the language of the proposal suggests that perhaps not even all the information currently available under NSI's WHOIS database would remain available under a new system. Without at least that much information, a substantial question remains whether registrars would even have the records needed to permit a trademark holder to find out who an infringing domain name holder is."

Thus, in order to substantiate its call for less privacy, this section is essentially confusing "who" or "reaching the culprit" (which may never be possible, and was so even without the Internet [Boh97b]) with "reaching the culprit's address" or "where" -- which is much more simplified by today's public and open lines with automatic detailed traffic-signal recording for worldwide billing purposes under strict non-repudiation limits (as phone companies must have)  -- all saved in tapes for tens of years. As Bell Atlantic must know, with all tracing possibilities for SMTP, HTTP, ping, traceroute, phone ID, phone call routing, postal mail, bank cash-order tracing, etc.

So, while it is true that anonymous remailers may not be traceable for their users, anonymous owners of Internet Domain Names will not be found, and anonymous Internet host accounts may be used in trademark infringement attempts -- their physical access lines can be routinely traced and cut off as they have been, by court decisions. Effectively providing means for stopping any harmful activity against a brand holder, without any of additional ruling, imposed mediation or privacy encumberments from RFC3.
 

12. PRIVACY VERSUS SECURITY

In the above item, we see Bell Atlantic's call for less privacy for DNS registrants, in the name of more security for trademark owners. This is the same call made in WIPO's RFC3.

This seems to parallel a recurring theme -- the "privacy versus security paradox" [Ger98a], which I find exemplified in several cases where networks of networks are involved. As in the Internet, when no one controls both sides and multiple intersubjective issues have to be addressed in a peer-to-peer objective approach. But, as discussed [Ger98b], privacy cannot be properly traded off for security. Once lost, privacy is lost for life -- while security is a short-time asset.

However, I find that the Bell Atlantic paper [Bel99]  and RFC3 are not even a consequence of such paradox, as the security needs they postulate would not be enhanced by the privacy restrictions they propose.

As it stands and as analyzed in item (2), [Bel99] and RFC3 base their call to reduce user privacy mostly on a sequence of unsubstantiated factoids, such as "600 cases of infringement", which are raised to the qualified level of "evidence of harm" a while later -- but which, even if correct, actually undermines their call into less privacy and more regulation. In other words,  [Bel99] and RFC3 set out to combat trademark infringements (which has to do with objective quantities such as business names, business logos, site's contents, goods sold, etc.) but end up not doing that -- but, harassing and encroaching into the privacy of all users in order to try to resolve less than 0.04% of syntactic name collisions in Internet Domain Names (which has to do with intersubjective and overly-variable names that do not satisfy the requirements of trademarks, see items 1 to 10).  This imposes a privacy burden without security justification.
 

13. NEGATION OF PREVIOUS LEGAL PRINCIPLES

WIPO's RFC3 stands for the understanding that Internet Domain Names are potential trademarks per se, which principle is negated by WIPO themselves, worldwide -- since Internet Domain Names could not satisfy requirements in order to be trademarks, as discussed in previous items. Please see Michael Froomkin [Fro99]  for the legal aspects, as well as Kathryn Kleiman remarks to WIPO [Kle99] on the requirements of a trademark. But, RFC3 attempts to deny other legal principles, for example as indicated in item (10) by a parallel with telephony.

Also, we must protect responsible use of anonymous speech. Anonymity has been useful very often in history and, I remind, is allowed in the United States and in several countries. US President Nixon was accused of criminal acts and faced an impeachment motion which led to his resignation, based on data from the anonymous speaker "Deep Throat" -- whose identity was protected.

However, following the call for less privacy in RFC3 would make it impossible to protect an anonymous Domain Name. This would again go against previous legal principles and rights -- specially the right for anonymous speech -- and their usefulness, with practically no security gain as discussed in other items. Further, the next item discusses a possible solution to the security issues even when anonymity is considered, which makes its denial even more questionable.
 

14. INTERNET ANONYMITY NOT AN INSURMOUNTABLE THREAT TO TRADEMARK PROTECTION -- A COMMERCIAL OPPORTUNITY?

Useful as it is for one-way speech, anonymity poses -- by definition -- several difficulties for two-way communication and even for the flow of monies and goods in a public environment since the anonymous party cannot be reached by the public. Even if untraceable electronic cash or cryptographic cash tokens would be used, the recipient of these monies would be strongly restricted by money-laundering bars being enacted throughout the world.

Further, anonymity does not preclude an ISP call or an Internet link to be correctly traced -- as any phone system operator must know and use when they want to charge for the call even across different systems, satellites and countries.

Which is, for example, Bell Atlantic's field of expertise. And, perhaps, a business opportunity -- Bell Atlantic and other phone companies can provide that service to customers that want to find the physical whereabouts of potential intellectual property offenders. Possibly, I argue technically in item (11), with even less privacy information than required today. Of course, this should need a court order in most countries. But, the issue here is that it is possible and does not need to potentially jeopardize the privacy information from +99,96% of all users -- further denying the call for less privacy in DNS registry in the name of more security for trademark owners.
 

15. WHAT IS AN INTERNET DOMAIN NAME?

Historically, as Tony Rutkowski comments [cf. Rut99],  Internet Domain Names were established because former Peggy Karp (now Weir) in Sept 1971 proposed that networked machines should have names (IETF RFC-206). It was her rejoinder to Jim White's suggestion a few weeks before that they should have "call letters." Peggy wrote the implementing RFC and the first host table. The DNS -- and with it the notion of "domain names" -- occurred simply to distribute the growing maintenance problem of the table. Internet Domain Names are literally just maintenance zones for the construct of host names; just pieces of a "name expression".

However, I believe this question cannot be answered historically. The Internet today is vastly different than what it originally was or, will be in the future. Rather, we need to realize that we must first define what a "name" is in communication systems. And, what a "Internet Domain Name" is; what types of names we may have; what purposes they may fulfill; what they are not; etc. -- before we can go into models and protocols that will use them. Otherwise, "Internet Domain Name" models will just reflect our ignorance, increase conflicts and cause public harm -- not to mention the loss of opportunities for private, public and commercial sectors alike.

Indeed, the public discussions led by NTIA, with focus on the .us domain at the DoC [Ger99c] and on trademarks at WIPO and ICANN, may have just provided us with a taste of this need --  and a clear view of the wide spectrum of interests and expertise that may need to come together, with no exceptions, for its proper assessment.

Since there is also considerable latitude as to what a trademark is, it is clear this two-sided lack of definition is at the base of the DNS versus trademark unresolved issues -- we do not really know what we are talking about, collectively and in our intersubjective trust assessments.

The solution thus begins by addressing this basic issue. What do we trust, in other words [Ger98a], what do we rely upon for our decisions on Internet Domain Names? How do we rely upon an Internet Domain Name and, to what extent?

On the Internet, as in law, reliance on a Domain Name needs to be justified by an examination of the facts presented. Therefore, an Internet Domain Name is not only what I think it is but also what the underlying protocol says it is -- and, what the Name-holder thinks it is.

In law, the past trend was on "reasonable reliance" -- based on the "reasonable man" doctrine, "what would be reasonable for a prudent man to do under the circumstances". This is an objective metric, called an "objective test" in law, an objective legal standard for collective evaluations (such as by a jury) . However, as pointed out in a recent decision by the US Supreme Court [SCUS], for individual actions, the majority of US States now favor the "justified reliance" metric, "that which what can be justified by an examination of the facts presented". The "justified reliance" metric is essentially a subjective test -- allowed by law even if the effort to obtain objective confirmation is "as easy as crossing the street". However, subjective reliance does not preclude a verification of the intersubjective aspects -- otherwise it would be "actual reliance", what the truster has actually relied upon without any  consideration of "why". Even though some US States favor "actual reliance", others "reasonable reliance", the trend and the majority favor "justified reliance". For further discussion, see [Ger98a].
Thus, it is not justified to rely only on what WIPO thinks an Internet Domain Name is -- suppose, a trademark linked to the site's contents or business or even, a description of the site's contents or products. By typing www.gifts.com, no one is technically justified in intersubjective sense to rely on finding anything related with "presents" (see item 9) -- though I could be in subjective sense (looks logical in English, to me), or even in objective sense (there is a trademark "gifts" and I know by trademark registration in a certain country that it relates to presents in that country). In legal terms, missing therefore the technical basis, no one can then be legally justified in making those associations of www.gifts.com with a website that sells presents or with the trademark "gifts".

Likewise, when I type jsmith@sacramento.ca.us -- I may or may not be justified to rely that it will actually contact me to a "John Smith" that is registered in Sacramento, CA, US. If I take the subjective stance, yes -- I may be justified by "actual reliance". But, if I take the objective stance then I may realize that nothing can guarantee who or what actually is responding at that address, at that computer. Moreover, if I take the intersubjective stance then I must also take into consideration that the underlying protocol does not warrant either identification or authentication -- so, no one may even be "at that address, at that computer" and, "that address" may not be the one I am directed to.

Thus, Internet Domain Names are essentially intersubjective references, which do not warrant any particular subjective or objective interpretation. Being intersubjective, they are essentially overly-variable in relationship to a trademark, which is an objective property enforceable by law to friends and foes alike. Technically, we have thus no justification to reduce the over-variability in Internet Domain Names unless an added factor would be introduced -- with the needed objective qualities. This points out  the direction of a possible solution to NTIA's requirements, as given next.
 

16. ANSWERING NTIA'S WHITE PAPER REQUESTS

In software engineering terms, we are used to deal with isolated computers (subjective view) and well defined networks (objective view) with a client-server paradigm. Now, on the Internet, we must deal with networks of networks (intersubjective view) -- which is an overly-variable concept in regard to isolated computers and networks. We can no longer control both ends of the communication channel, and never will -- as a writer will never control what a reader says or, not says.
The paragraph above is the motivation and gist behind abstract models, or an "abstract model for names in communication systems" in the case at hand. In a truly abstract model, the different instances (i.e., actual cases), the different observers (i.e., players, users, attackers) and the different views (i.e., subjective, intersubjective, objective) are not even mentioned -- so, no conflict is possible on these three items. Instead, we focus only on behavior, which is then common to all views and provides a common thread. For further reference on this approach, please see the discussion of objective, intersubjective, subjective and abstract instances in [Ger98c].
Thus, a solution to the DNS/TM question posed by NTIA's White Paper cannot rely on Internet routing -- which depends on networks of networks, overly-variable in relationship to what we can control. In other words, DNS name routing cannot be relied upon as a business identification that would need to be an objective  trademark.

A practical and effective solution  to the DNS/TM question could however rely on cryptographic certificates and their legal significance in "business server certificates"  -- which is additional to an Internet Domain Name and thus would not impose any additional privacy/regulation burden whatsoever upon private DNS registrants. Domain-name policies worldwide would be hardly affected -- since this is an additional layer.

This points out the direction that WIPO could follow on this matter in order to help provide stable and objective references that would have business significance. In this approach, Internet Domain Names may also be less susceptible to parasitical appropriation -- for example, if the corresponding certification would need to link the Internet address to a company's legal name. This approach can be carried out both in the extrinsic certification mode (X.509, CAs, PGP) as well as with intrinsic certification (Meta-Certificates) [Ger97], offering flexibility and technologically neutral options both to users as well as to businesses.  Further, such business server certificates can be inexpensive, even self-signed, and would have other purposes since they would naturally provide a basis for SSL and e-commerce in certification and encryption services.
 

17. AVOIDING THE "TRAGEDY OF THE COMMONS"

This essay is not a dismissive appraisal of all trademark issues raised by Bell Atlantic [Bel99] or WIPO. In fact, [Bel99] has other suggestions which may be useful to ICANN and reflect positively on WIPO's members, to decrease what is usually called the "tragedy of the commons" -- arising when a public resource is degraded by over-use from a group of "commons". As I argue in [Ger98a], the onset of degradation can however regulate the over-use by calling attention to the fact. This is essentially what [Bel99] does, when it remarks:

"We would also suggest that domain names not be squandered or brokered. We recognize that domain names are not conceptually identical to telephone numbers; in particular, unlike telephone numbers, they are not a resource subject to exhaustion. However, in an important regard, they are not unlike telephone numbers in that they are a public resource whose principal use is to identify a unique person or entity for the purpose of enabling communications to take place efficaciously. Practices such as number hoarding are inconsistent with this purpose and, therefore, are not permitted in the public telephone network. We believe that the practice of "cybersquatting" is equally inappropriate in the context of the Internet and should be stopped."
 

CONCLUSIONS

We must recognize that Internet Domain Names can contain reference information in varying degrees of completeness and human reading, but not at all the corresponding sense or meaning. Further, by their DNS/IP free floating assignment rules and by the TCP/IP design of the Internet, they inherently lack any objective and stable information qualities -- i.e., they afford no objective reliance.

That is why Internet Domain Names are simply -- names. Any extent added to them is not warranted by the supporting Internet infrastructure and protocols. So, their use as a mark would deny the minimal objective properties that WIPO member States have agreed upon to define what a mark is -- as a mark is not simply a name. And, WIPO would need to affirm what Internet security protocols need to deny.

These points, discussed in several items in the text, cannot allow such references to be meaningful in a trademark system -- which would be essential to support a least agenda of WIPO's objectives in RFC3.

Thus, I suggest that RFC3 should be recalled in totum. Its application will more probably cause more difficulties to Internet users and to trademark owners than the few pathological cases it may avoid -- and which have other solutions in public and open Internet discussions within the jurisdiction of each country's domain name registrar, according to local uses, rules and laws. As they have had in the recent past -- but the Internet is a learning experience and certainly the WIPO consultation has served and will serve that purpose.

On the other hand, identity certification, or at least origin authentication,  is suggested for "business server certificates" based on cryptographic challenge-response -- in order to concretely define a business identifier on the Internet that can be used to support trademark requirements.

Certainly, this proposal leaves room for different views -- and, they must exist in an intersubjective approach [Ger98c]. However, all participants may still agree to the same abstract model if the abstract model is flexible enough to support the different views in their entirety, while negating what is patently unwarranted. Thus, the present work may also serve to advance issues useful to such general endeavor, by technically presenting what can or cannot be relied upon regarding names in communication systems.

The author is indebted to several commentators, also in earlier threads, specially Nicholas Bohm, Tony Bartoletti, Einar Stefferud, Peter, Tony Rutkowski, Milton Mueller and Alistair Campbell-Dick. Am earlier version of this paper is available in [Ger99a].
 

REFERENCES:

[Bel99] Bell Atlantic, "Comments of the Bell Atlantic Corporation on the ICANN's Draft Registrar Accreditation Guidelines" in http://www.icann.org/comments-mail/comment-guidelines/doc00112.doc

[Boh97a] Bohm, N. "Authenticating identities", in http://mcwg.org/mcg-mirror/identity.txt

[Boh97b] Bohm, N. "Authentication, Reliability and Risks", in http://mcwg.org/mcg-mirror/auth_b1.htm

[Cuk99] Cukier, Kenneth, "Contemplating life after Postel" in  http://www.totaltele.com/secure/cwiview.asp?Target=topArticleID=21654Pub=cwi

[Fro99] Froomkin, M. "A critique of RFC3" in http://www.law.miami.edu/~amf/critique.htm - 1999.

[Ger97] Gerck, E., Overview of Certification Systems: X.509, CA, PGP and SKIP. MCG, http://mcwg.org/mcg-mirror/cert.htm - 1997.

[Ger98a] Gerck, E., "Towards Real-World Models of Trust: Reliance on Received Information", in http://mcwg.org/mcg-mirror/trustdef.htm - 1998.

[Ger98b] Gerck, E., "Dr. Faust's Internet Dilemma", in http://mcwg.org/mcg-mirror/faust.htm - 1998.

[Ger98c] Gerck, E., "What is Identification, that we can identify it?", in http://mcwg.org/mcg-mirror/coherence2.txt

[Ger99a] Gerck, E., "Arguments for recalling WIPO RFC3", in http://mcwg.org/mcg-mirror/wiporfc3.txt - and in
 http://wipo2.wipo.int/dns_comments/rfc3/0076.html  - 1999.

[Ger99b] Gerck, E., "Comments on ICANN Accreditation Guidelines", in http://mcwg.org/mcg-mirror/icanba.txt - 1999.

[Ger99c] Gerck, E., "REFLECTIONS UPON THE .US MEETING", March 16, 1999, in mcg-talk and e-carm list discussions, archives at http://mcwg.org/mcg-mirror/emails.htm and http://www.ecarm.org

[ICANN] "Guidelines for Accreditation of Internet Domain Name Registrars", in http://www.icann.org

[ICANNa]  http://www.icann.org/articles-pr23nov98.html

[ICANNb]  http://www.ntia.doc.gov/ntiahome/domainname/icann-memorandum.htm

[IO99] "Internet ONE" -- http://www.io.io

[Kle99] Kleiman, Kathryn, "WIPO RFC3", in http://wipo2.wipo.int/dns_attachments/rfc3/attach921601818.rtf

[Mue99] Mueller, Milton -- <mueller@syr.edu>, thanks for private comments.

[NTIA] -National Telecommunications and Information Administration, in http://www.ntia.doc.gov

[NSI99]  http://www.netsol.com/nsi/facts.html

[RFC3, WIPO ] WIPO, "THE MANAGEMENT OF INTERNET NAMES AND ADDRESSES: INTELLECTUAL PROPERTY ISSUES", in http://wipo2.wipo.int - 1998.

[Rut99] Rutkowski, A.M., "Internet Transitions: the assigning of names and numbers," 3 IEEE Internet Computing No. 1, Jan/Feb 1999, and private comment:

[SCUS] available at http://supct.law.cornell.edu/supct/html/94-967.ZO.html

[WIPOb] http://wipo1.wipo.int

------------------------------------------------------------------------
NOTE: Dr. rer. nat. Ed Gerck, Coordinator - Meta-Certificate Group. E-mail: egerck@mcwg. The arguments herein represent matters that were publicly discussed by the MCG, an Internet Open Group on Security and Certification that includes participants from 28 countries, and in other fora. However, this presentation is not a MCG document nor should its terms be considered statements by anyone but the author.