Please see the revised and condensed version of
this paper in First Monday, April 1999 issue, at
http://firstmonday.org/issues/issue4_4/gerck/
The Internet Corporation for Assigned Names and Numbers (ICANN) [ICANN] is a US non-profit corporation under the laws of California [ICANNa], that was formed to take over the US responsibility for the IP address space allocation, protocol parameter assignment, domain name system management, and root server system management functions now performed under U.S. Government contract by IANA and other entities [ICANNb]. However, ICANN's policies also have a worldwide reach, not only because the Internet is worldwide but also due to the fact that as of March, 1999, more than 25 governments and international organizations have already endorsed ICANN as the body to set Internet policy matters [Cuk99]. However, each world State is sovereign in their own management of their ccTLDs namespaces such as .us (US), .jp (Japan), .de (Germany), .br (Brazil), etc. -- besides the gTLDs, such as .org., .com, .net, etc. which are not country-specific but are managed according to US laws.
On June 5,1998, the U.S. Government called upon several organizations, including WIPO and ICANN, to: (1) develop recommendations for a uniform approach to resolving trademark/domain name disputes involving cyberpiracy, (2) recommend a process for protecting famous trademarks in the generic top level domains, and (3) evaluate the effects, based on studies conducted by independent organizations, of adding new gTLDs and related dispute resolution procedures on trademark and intellectual property holders. This action was based on the Statement of Policy on the Management of Internet Names and Addresses (the "White Paper"), issued by the National Telecommunications and Information Administration (NTIA) [NTIA], an agency of the United States Department of Commerce.
In response to NTIA, WIPO has produced the document RFC3 [RFC3], which is one of the subjects of this essay. But, already, WIPO is using their proposed RFC3 to provide a justification for WIPO's own commercial activities in domain name arbitration for the .io domain, as announced and sold in [IO99] and [WIPOb]. However, domain names in the .io domain are provided on a first-come first-served basis [IO99] -- which tends to maximize arbitration costs, later on to be collected by WIPO. The unfortunate ethics and the conjunction of legislative and judicial powers jointly performed by WIPO under the practical model they have set forth in [RFC3], [WIPOb] and [IO99] is also a subject of discussion in this paper, compounded by the fact that the executive power is tied in under WIPO by the respective domain registrar [IO99].
Also in response to NTIA, ICANN has proposed Guidelines for Accreditation of Internet Domain Name Registrars and for the Selection of Registrars for the Shared Registry System Testbed for .com, .net, and .org Domains [ICANN]. These Guidelines will be used in competitive registration services for DNS designations worldwide, and thereby will impose rules upon anyone that will need to register a DNS -- also private users, not only companies. But, contrary to WIPO [IO99, WIPOb], these Guidelines were not applied before the consultation process ended -- nor will ICANN profit from a maximization of conflicts. In fact, ICANN asked for public comments whether the proposed regulation in [ICANN] is adequate and fair for its intended purpose -- also targeting the trademark versus DNS issues. However, ICANN's Guidelines have also come under criticism [Cuk99].
One of the next ICANN tasks is to review WIPO's RFC3 recommendations on the settling of trademark-domain name disputes -- and is also taking suggestions from brand holders. For example, Bell Atlantic, co-holder of the famous mark "BELL", issued comments [Bel99] to [ICANN] -- where Bell Atlantic contends that we are witnessing widespread trademark abuse in DNS references, as provided in several DNS registrars worldwide, which have gone out of current controls and seriously menace previous rights by trademark owners -- specially famous marks like "BELL". However, this conclusion is not materially supported by the arguments that Bell Atlantic themselves present in [Bel99], as discussed in [Ger99b] and summarized here -- which also seriously undermines the factual base presumed by WIPO to justify RFC3.
As the above paragraph shows, the issues dealt with by ICANN, WIPO, Bell Atlantic and others under the motivation of NTIA's request, are intertwined enough to justify their joint appraisal for a critique of RFC3, in this paper -- in a broad view.
This essay shows that WIPO's RFC3 document is basically flawed in more than ten major technical areas and should be recalled in totum. Otherwise, pursuing the RFC3 recommendations will just lead to harm worldwide e-commerce, the Internet itself, Internet security, the public trust on business marks-- and, most importantly, users and consumers.
The essay supports some other views of Bell Atlantic and major brand
holders to WIPO, but specifically in the suggestion that domain names not
be squandered or brokered. In addition, this essay advances that a positive
answer to the US's NTIA requests is possible. However, only by taking a
quite different approach and by providing for a separation of powers.
The question arises whether this WIPO "declaration of conflict" is justified.
In other words, even though Internet Domain Names are surely a human friendly form of Internet addresses and they are also used to designate Internet addresses where businesses may be reached, are they also "business identifiers" for the specific purposes of intellectual protection rights?
If they would be business identifiers or marks, then in WIPO's RFC3 words, enforcing intellectual property rights would be useful, since: "The exclusive right to the use of the mark enables the owner to prevent others from misleading consumers into wrongly associating products with an enterprise from which they do not originate." Thus, if Internet Domain Names are business identifiers then they should allow customers to associate products with a business. But, they do not.
In fact, Internet Domain Names highest security threat comes from such association -- which is fully unwarranted and forewarned against by every Internet Certification Authority (CA), browser's on-screen instructions to users, and security work groups such as the Internet Engineering Task Force (IETF), the Meta-Certificate Group (MCG) and also so handled by Network Solutions, Inc. (NSI), the current exclusive registrar for the gTLD .com, .org and .net domains as appointed by the United States.
Instead, Internet Domain Names in naming conventions such as e-mail addresses, DNSs and IPs are actually just convenient mirages in the worldwide Internet. For example, it is perfectly possible for a site that ends with .jp (i.e., Japan) to be hosted in the USA -- so, just by the DNS convention one cannot affirm anything about the site's whereabouts, contents, owner or business branch. Further, such names can be diverted to different Internet locations by URL-hijacking, router intervention, malicious JavaScript, etc.
Thus, the bottom line is that Internet Domain Names are not business
identifiers as RFC3 postulates, which negates the very conflict that is
stated by WIPO to provide a need for RFC3 within WIPO. This conclusion
is further supported by the next discussions.
As usual, data without a verifiable context has no meaning -- so, the question arises -- what is the meaning of the "600 cases" reported by Bell Atlantic?.
First, Bell Atlantic did not report how the "BELL" trademark was identified in the DNS references. Perhaps, they mean any DNS registration that uses the word "bell" within other letters, defining the occurrence of trademark infringement regardless of use, likelihood of confusion, commercial nature of the site, etc. [Mue99]. Given that "BELL" is a pretty common English name and is also present in other languages, also inside words, it is probably a gross overstatement to consider every occurrence of "bell" a trademark infringement on Bell Atlantic's "BELL" trademark -- for example, is the site www.belle-epoque.com a problem? Or, the threat of www.bellow.net? But, perhaps, Bell Atlantic means only registrants attempting to use the word "bell" which are actually connected to telephone products and services. Thus, since Bell Atlantic does not report on these issues, the next calculation will consider the best case for their analysis and total in all 600 cases -- also without taking into account rejoinders by the other side.
Second, NSI reports in [NSI99] that it currently receives 500,000 applications/quarter -- so, approximately 1,500,000 in a nine month period. The Bell Atlantic's reported number of DNS problems, in their terms (i.e., as above), is only 0.04% of all cases of DNS registration of NSI. If we consider the worldwide Internet, with all other ccTLDs, it is much less than 0.04%.
The third question is how much reported "BELL" possible copyright infringements are reported on average for a nine month period from all other sources -- such as business names registrars, copyright registrars, simple use, etc. Given the novelty of the Internet, even without comparative data that would be necessary to access the relative importance of that -0.04% from the Internet alone vis a vis all other sources, it is already clear that this is hardly an issue that justifies harassing +99.96% of Internet users.
However, Bell Atlantic declares "Based on the testimony of Bell Atlantic and many other brand holders, the World Intellectual Property Organization will soon be issuing final recommendations to ICANN." -- and also "In view of this history of brand abuse under the current system that Bell Atlantic and the other members of the Private Sector Working Group, INTA (sic), AIPLA, ICC and other members of the business community have well documented,... is a problem that should be among the top issues to be considered and addressed directly in the goals and principles of registrar accreditation. " Which declarations, however, lack the material base for the arguments, if we take the data provided by Bell Atlantic in the proper perspective as -0.04% . Rather, the data indicate a lack of extent of abuse.
In discussing the lack of extent of the alleged infringements, it is also important to note that Bell Atlantic as a brand holder have chosen their infringement metric to be "number of cases", not "amount lost in business". However, "amount lost in business" is probably much lower, as discussed in other items.
Thus, the entire argument line of nearly 600 cases in a nine month period
seems to contradict itself. Indeed, -0.04% of all cases is not an issue
that seem to justify harassing +99.96% of all cases -- and may just be
included in the usual cost of doing business and defending one's own viewpoints
in a competitive global society. Possibly, considering the fact that
"BELL" is a very common word and word fragment, other brand holders will
count less than 0.04% of potential infringements -- thus, again, denying
the very conflict assumed by WIPO that would justify their extension into
a regulation of Internet matters.
Internet Domain Names are not stable references -- the first notion, according to some experts, that define the possibility of a mark that can serve as a business identifier. I doubt someone could trademark a cloud formation -- which is however a good metaphor for Internet Domain Names.
Further, Internet Domain Names are not even objective as a cloud is -- they are simply references that depend on references, which are again references. They are intersubjective [Ger97, Ger98a]. Thus, no one can be objectively certain to any degree that they reached the correct Internet address when they type an Internet Domain Name. I doubt someone could understand a mirage on the Sahara desert of a reference of a cloud formation to be a business mark -- which is however and again a good metaphor for Internet Domain Names.
On another aspect to the lack of objective reality, there are personal names which are oftentimes used in Internet Domain Names -- but do they they really point to a specific person? No, and this is a common local misconception -- that a name, even a personal name, has a meaning per se. As Nicholas Bohm reports for the UK [Boh97a]: " And there are many countries, such as the United Kingdom, where people can change their names without formality or official records, and can use several names for different purposes, none of which are more truly theirs than any other. (Authors and entertainers commonly use several names.)".
Now, of course, in some cases the rules may vary -- as in Texas, when one cannot use a different name longer than two months without registering it. But, there are thousands of "J. Smith" in California so that they do not pay the monthly unlisted fee in phone directories -- not because they are called "J. Smith". And, the "real" J. Smiths cannot even complain.
Thus, Internet Domain Names do not need to have any specific relationship that one could rely upon in order to associate them with something else -- even when a personal name is used. They are just a syntactic reference, perhaps mnemonic, perhaps made up to be distinguished or even purposefully obscure or ambiguous, perhaps inactive or even deleted tomorrow.
Another aspect is that an Internet site may have a perfectly non descriptive
and non trademarked name, such as www.123abc.com and still infringe several
trademarks by its contents and goods sold. This means that site content
can be much more harmful to brand holders than simply a similar site name
but with unrelated goods -- which can however be solved under existing
regulations.
There is an ongoing education effort on the Internet, to explain to users what Internet Domain Names are -- and what they are not. Even, and specially, when such understanding may increase the user's doubts. Companies, associations, groups, discussion lists and individuals have invested much time and resources in order not to provide ground for unwarranted associations. This can be seen in commercial browser's on-screen user messages such as this one from Netscape: "...you cannot check the identity of the web site."
However, WIPO's RFC3 goes blatantly against such principles and implies
an Internet address assurance which simply does not exist and is even denied
by the TCP/IP design.
However, by using them in RFC3, WIPO will not be able to increase their public trust as business identifiers -- which is one of NTIA's motivations. Why? As shown in [Ger98a], trust is qualified reliance on received information. The degree of trust is measured by reliance extent, clearly reduced here by denying the very fabric of traditional rules that WIPO's member States must follow when issuing a trademark -- and which consumers need to rely upon.
In this analysis, Internet Domain Names under RFC3 would then become "third-class" business identifiers, one that is not quite a mark, one which history no one is sure of or can verify. Which negates the very purpose of RFC3 and denies truth -- since an Internet Domain Name cannot possess the basic trust qualities that would qualify it to be a mark under current and tried trademark agreements.
Moreover, lack of trust here will negate trust there, by association
[Ger98a] -- which will hurt the investments of companies
in their good-will and business identification for traditional commerce.
Perhaps, it would force the way to a worldwide "generic" movement on Internet names for e-commerce -- for example with non denominated product auction sales sites, where the user places a bid for a good from a non denominated supplier as we can already see today.
Which can have positive sides for e-commerce at the beginning but will,
however, glitch on the lack of a mechanism to adequately represent and
sustain reputation -- one of the prime factors of a valuable mark -- as
a deterrent factor against a non denominated supplier's default.
No, on both counts.
First, note that the Internet is an open system, where the identity and origin of the communicating partners is not easy to define. Each user controls only their end of the connection -- and no one controls both ends at the same time. Further, the communication path is non-physical and may include any number of eavesdropping and active interference possibilities. Thus, Internet communication is much like anonymous postcards, which are answered by anonymous recipients. Further, these postcards are open for anyone to read -- and even write in them [Ger97].
This means that Internet Domain Names have routing problems which are actually a feature of the Internet TCP/IP packet traffic design and which cannot be avoided. So, they need to be solved in an additional design layer -- which is the principle behind Internet protocols and their reliability. On the Internet, reliability is not obtained by a "perfect" process but by redundancy employing "real-world" and per se unreliable processes.
The standard solution to the routing problem is to use cryptographic authentication by means of digital certificates to assure that communication is happening between the desired endpoints -- for example, also including real-time challenge response authentication to avoid replay attacks. This has been ignored by WIPO's RFC3.
In this regard, the ITU-T Recommendation X.509 (which has been implemented as a de facto standard) defines a framework for the provision of authentication services, under a central control paradigm represented by a "Directory". It describes two levels of authentication: simple authentication, using a password as a verification of claimed identity; and strong authentication, involving credentials formed by using cryptographic techniques [Ger97].
The WIPO RFC3 however intends to provide a type of "business certification" (i.e., a mark) by means of simple Internet Domain Name unchallenged protocol authentication, without cryptographic challenge response and without even a password. This is clearly technically wrong and is by itself a sole reason to recall RFC3 -- as it imposes what the Internet denies.
The consequences?
The problems that may be caused by false certification or no certification mechanisms can range from a "man-in-the-middle" attack in order to gain knowledge over controlled data, to a completely open situation to gain access to data and resources [Ger97]. It is important to note that these problems do not disappear with encryption or even a secure protocol such as SSL. If the user is led to connect to a spoofing site, which appears to be what he wants, he may have a secure connection to a thief and that will not make it safer.
To make matters worse, and as already commented, DNS hijacking can make connections to www.good.com go to www.bogus.com -- without anyone noticing it, even if you know that "bogus" is bad. Further invalidating any presumed routing that an Internet Domain Name might have locally acquired by trusted repeated use -- such as www.amazon.com. Each Internet connection is a new one and each connection may go through different routers, even on the other side of the globe, which can be compromised without user control or perception.
Thus, identity certification, or at least origin authentication, is a must in order to really define a business identifier -- which points out the direction that WIPO could have followed on this matter in order to define stable and objective references.
However, WIPO's RFC3 notion of "business authentication" behind the
use of Internet names as marks cannot help but may harm -- by implying
a level of security which is simply fictional.
Thus, RFC3 confuses the extent of a worldwide Internet address model,
where no one controls both sides of a connection, all Internet Domain Names
are peers and any machine (i.e., possibly business site, possibly hacker)
can be made to respond to any name (i.e., would-be mark in RFC3) by a variety
of techniques [Ger97] which the user cannot distinguish...
and eventually learns not to rely upon but for routing purposes
only, never as a business identifier per se.
Perhaps, one's tentative conclusion is that when one exchanges communications with an entity that uses a common name, one generally relies on being able at least to find behind that name either a particular mind or particular assets or, a particular business. This thought implies a referential model of meaning, similar to Plato's view of referential forms. This is the theoretical name model followed by RFC3.
To better investigate this, suppose we express the general concept of a name, as a sign or a symbol -- e.g., my name is a symbol for myself. Now, for example, if I see footsteps on the sand (i.e., a symbol, a name) then I generally rely on the existence of someone that walked by (which is the meaning or cause of the footsteps), or, if I see smoke (i.e., a symbol, a name) then I rely on the existence of fire, and so on. Or, as in the above questions, I would expect to find a particular mind or particular assets, or particular business bearing a causal relationship to that name -- which would provide meaning to that name in my communication.
However, this model breaks down as I exemplify in [Ger98a] and Frege [see Ger98a] has shown around 1910.
Paraphrasing one of Frege's examples, if I tell you "I will photograph the Morning Star" or if I tell you "I will photograph the Evening Star" then, clearly, the two phrases have the same reference (i.e., the planet Venus) but one describes it as the last celestial body to disappear at dawn and the other as the first one to appear at dusk -- thus, they have different senses or meanings. The same can happen with Internet Domain Names.
If I see a site with a Domain Name "www.gifts.com" -- what do they sell?
Presents -- as the English word "gift"? No, perhaps they distribute
poison as the German word for it (and pronunciation) is the same. Or perhaps,
they simply count all visitor's URLs (which they can automatically collect
upon entry) as the "General Insurrection on Free-Trade Support" movement
-- whatever that name may mean to them. As another example, if an Internet
Domain Name is www.amazon.com -- do they sell trips to the Amazon?
However, all legally allowed uses -- since they are simply routing designations.
Similarly, on the Internet. Which seems to deny the reasoning of [Bel99],
as derived from a pre-existent and similar case.
"We are, therefore, disturbed by the language in Guideline 4 that limits a registrars information only the information required to make a registration. That phraseology suggests that there could be even less information identifying domain name holders than is available today. For example, the language of the proposal suggests that perhaps not even all the information currently available under NSI's WHOIS database would remain available under a new system. Without at least that much information, a substantial question remains whether registrars would even have the records needed to permit a trademark holder to find out who an infringing domain name holder is."
Thus, in order to substantiate its call for less privacy, this section is essentially confusing "who" or "reaching the culprit" (which may never be possible, and was so even without the Internet [Boh97b]) with "reaching the culprit's address" or "where" -- which is much more simplified by today's public and open lines with automatic detailed traffic-signal recording for worldwide billing purposes under strict non-repudiation limits (as phone companies must have) -- all saved in tapes for tens of years. As Bell Atlantic must know, with all tracing possibilities for SMTP, HTTP, ping, traceroute, phone ID, phone call routing, postal mail, bank cash-order tracing, etc.
So, while it is true that anonymous remailers may not be traceable for
their users, anonymous owners of Internet Domain Names will not be found,
and anonymous Internet host accounts may be used in trademark infringement
attempts -- their physical access lines can be routinely traced and cut
off as they have been, by court decisions. Effectively providing means
for stopping any harmful activity against a brand holder, without any of
additional ruling, imposed mediation or privacy encumberments from RFC3.
This seems to parallel a recurring theme -- the "privacy versus security paradox" [Ger98a], which I find exemplified in several cases where networks of networks are involved. As in the Internet, when no one controls both sides and multiple intersubjective issues have to be addressed in a peer-to-peer objective approach. But, as discussed [Ger98b], privacy cannot be properly traded off for security. Once lost, privacy is lost for life -- while security is a short-time asset.
However, I find that the Bell Atlantic paper [Bel99] and RFC3 are not even a consequence of such paradox, as the security needs they postulate would not be enhanced by the privacy restrictions they propose.
As it stands and as analyzed in item (2), [Bel99]
and RFC3 base their call to reduce user privacy mostly on a sequence of
unsubstantiated factoids, such as "600 cases of infringement", which are
raised to the qualified level of "evidence of harm" a while later -- but
which, even if correct, actually undermines their call into less privacy
and more regulation. In other words, [Bel99]
and RFC3 set out to combat trademark infringements (which has to do with
objective quantities such as business names, business logos, site's contents,
goods sold, etc.) but end up not doing that -- but, harassing and encroaching
into the privacy of all users in order to try to resolve less than 0.04%
of syntactic name collisions in Internet Domain Names (which has to do
with intersubjective and overly-variable names that do not satisfy the
requirements of trademarks, see items 1 to 10). This imposes a privacy
burden without security justification.
Also, we must protect responsible use of anonymous speech. Anonymity has been useful very often in history and, I remind, is allowed in the United States and in several countries. US President Nixon was accused of criminal acts and faced an impeachment motion which led to his resignation, based on data from the anonymous speaker "Deep Throat" -- whose identity was protected.
However, following the call for less privacy in RFC3 would make it impossible
to protect an anonymous Domain Name. This would again go against previous
legal principles and rights -- specially the right for anonymous speech
-- and their usefulness, with practically no security gain as discussed
in other items. Further, the next item discusses a possible solution to
the security issues even when anonymity is considered, which makes its
denial even more questionable.
Further, anonymity does not preclude an ISP call or an Internet link to be correctly traced -- as any phone system operator must know and use when they want to charge for the call even across different systems, satellites and countries.
Which is, for example, Bell Atlantic's field of expertise. And, perhaps,
a business opportunity -- Bell Atlantic and other phone companies can provide
that service to customers that want to find the physical whereabouts of
potential intellectual property offenders. Possibly, I argue technically
in item (11), with even less privacy information than required today. Of
course, this should need a court order in most countries. But, the issue
here is that it is possible and does not need to potentially jeopardize
the privacy information from +99,96% of all users -- further denying the
call for less privacy in DNS registry in the name of more security for
trademark owners.
However, I believe this question cannot be answered historically. The Internet today is vastly different than what it originally was or, will be in the future. Rather, we need to realize that we must first define what a "name" is in communication systems. And, what a "Internet Domain Name" is; what types of names we may have; what purposes they may fulfill; what they are not; etc. -- before we can go into models and protocols that will use them. Otherwise, "Internet Domain Name" models will just reflect our ignorance, increase conflicts and cause public harm -- not to mention the loss of opportunities for private, public and commercial sectors alike.
Indeed, the public discussions led by NTIA, with focus on the .us domain at the DoC [Ger99c] and on trademarks at WIPO and ICANN, may have just provided us with a taste of this need -- and a clear view of the wide spectrum of interests and expertise that may need to come together, with no exceptions, for its proper assessment.
Since there is also considerable latitude as to what a trademark is, it is clear this two-sided lack of definition is at the base of the DNS versus trademark unresolved issues -- we do not really know what we are talking about, collectively and in our intersubjective trust assessments.
The solution thus begins by addressing this basic issue. What do we trust, in other words [Ger98a], what do we rely upon for our decisions on Internet Domain Names? How do we rely upon an Internet Domain Name and, to what extent?
On the Internet, as in law, reliance on a Domain Name needs to be justified by an examination of the facts presented. Therefore, an Internet Domain Name is not only what I think it is but also what the underlying protocol says it is -- and, what the Name-holder thinks it is.
In law, the past trend was on "reasonable reliance" -- based on the "reasonable man" doctrine, "what would be reasonable for a prudent man to do under the circumstances". This is an objective metric, called an "objective test" in law, an objective legal standard for collective evaluations (such as by a jury) . However, as pointed out in a recent decision by the US Supreme Court [SCUS], for individual actions, the majority of US States now favor the "justified reliance" metric, "that which what can be justified by an examination of the facts presented". The "justified reliance" metric is essentially a subjective test -- allowed by law even if the effort to obtain objective confirmation is "as easy as crossing the street". However, subjective reliance does not preclude a verification of the intersubjective aspects -- otherwise it would be "actual reliance", what the truster has actually relied upon without any consideration of "why". Even though some US States favor "actual reliance", others "reasonable reliance", the trend and the majority favor "justified reliance". For further discussion, see [Ger98a].Thus, it is not justified to rely only on what WIPO thinks an Internet Domain Name is -- suppose, a trademark linked to the site's contents or business or even, a description of the site's contents or products. By typing www.gifts.com, no one is technically justified in intersubjective sense to rely on finding anything related with "presents" (see item 9) -- though I could be in subjective sense (looks logical in English, to me), or even in objective sense (there is a trademark "gifts" and I know by trademark registration in a certain country that it relates to presents in that country). In legal terms, missing therefore the technical basis, no one can then be legally justified in making those associations of www.gifts.com with a website that sells presents or with the trademark "gifts".
Likewise, when I type jsmith@sacramento.ca.us -- I may or may not be justified to rely that it will actually contact me to a "John Smith" that is registered in Sacramento, CA, US. If I take the subjective stance, yes -- I may be justified by "actual reliance". But, if I take the objective stance then I may realize that nothing can guarantee who or what actually is responding at that address, at that computer. Moreover, if I take the intersubjective stance then I must also take into consideration that the underlying protocol does not warrant either identification or authentication -- so, no one may even be "at that address, at that computer" and, "that address" may not be the one I am directed to.
Thus, Internet Domain Names are essentially intersubjective references,
which do not warrant any particular subjective or objective interpretation.
Being intersubjective, they are essentially overly-variable in relationship
to a trademark, which is an objective property enforceable by law to friends
and foes alike. Technically, we have thus no justification to reduce the
over-variability in Internet Domain Names unless an added factor would
be introduced -- with the needed objective qualities. This points out
the direction of a possible solution to NTIA's requirements, as given next.
The paragraph above is the motivation and gist behind abstract models, or an "abstract model for names in communication systems" in the case at hand. In a truly abstract model, the different instances (i.e., actual cases), the different observers (i.e., players, users, attackers) and the different views (i.e., subjective, intersubjective, objective) are not even mentioned -- so, no conflict is possible on these three items. Instead, we focus only on behavior, which is then common to all views and provides a common thread. For further reference on this approach, please see the discussion of objective, intersubjective, subjective and abstract instances in [Ger98c].Thus, a solution to the DNS/TM question posed by NTIA's White Paper cannot rely on Internet routing -- which depends on networks of networks, overly-variable in relationship to what we can control. In other words, DNS name routing cannot be relied upon as a business identification that would need to be an objective trademark.
A practical and effective solution to the DNS/TM question could however rely on cryptographic certificates and their legal significance in "business server certificates" -- which is additional to an Internet Domain Name and thus would not impose any additional privacy/regulation burden whatsoever upon private DNS registrants. Domain-name policies worldwide would be hardly affected -- since this is an additional layer.
This points out the direction that WIPO could follow on this matter
in order to help provide stable and objective references that would have
business significance. In this approach, Internet Domain Names may also
be less susceptible to parasitical appropriation -- for example, if the
corresponding certification would need to link the Internet address to
a company's legal name. This approach can be carried out both in the extrinsic
certification mode (X.509, CAs, PGP) as well as with intrinsic certification
(Meta-Certificates) [Ger97], offering flexibility
and technologically neutral options both to users as well as to businesses.
Further, such business server certificates can be inexpensive, even self-signed,
and would have other purposes since they would naturally provide a basis
for SSL and e-commerce in certification and encryption services.
"We would also suggest that domain names not be squandered or brokered.
We recognize that domain names are not conceptually identical to telephone
numbers; in particular, unlike telephone numbers, they are not a resource
subject to exhaustion. However, in an important regard, they are not unlike
telephone numbers in that they are a public resource whose principal use
is to identify a unique person or entity for the purpose of enabling communications
to take place efficaciously. Practices such as number hoarding are inconsistent
with this purpose and, therefore, are not permitted in the public telephone
network. We believe that the practice of "cybersquatting" is equally inappropriate
in the context of the Internet and should be stopped."
That is why Internet Domain Names are simply -- names. Any extent added to them is not warranted by the supporting Internet infrastructure and protocols. So, their use as a mark would deny the minimal objective properties that WIPO member States have agreed upon to define what a mark is -- as a mark is not simply a name. And, WIPO would need to affirm what Internet security protocols need to deny.
These points, discussed in several items in the text, cannot allow such references to be meaningful in a trademark system -- which would be essential to support a least agenda of WIPO's objectives in RFC3.
Thus, I suggest that RFC3 should be recalled in totum. Its application will more probably cause more difficulties to Internet users and to trademark owners than the few pathological cases it may avoid -- and which have other solutions in public and open Internet discussions within the jurisdiction of each country's domain name registrar, according to local uses, rules and laws. As they have had in the recent past -- but the Internet is a learning experience and certainly the WIPO consultation has served and will serve that purpose.
On the other hand, identity certification, or at least origin authentication, is suggested for "business server certificates" based on cryptographic challenge-response -- in order to concretely define a business identifier on the Internet that can be used to support trademark requirements.
Certainly, this proposal leaves room for different views -- and, they must exist in an intersubjective approach [Ger98c]. However, all participants may still agree to the same abstract model if the abstract model is flexible enough to support the different views in their entirety, while negating what is patently unwarranted. Thus, the present work may also serve to advance issues useful to such general endeavor, by technically presenting what can or cannot be relied upon regarding names in communication systems.
The author is indebted to several commentators, also in earlier threads,
specially Nicholas Bohm, Tony Bartoletti, Einar Stefferud, Peter, Tony
Rutkowski, Milton Mueller and Alistair Campbell-Dick. Am earlier version
of this paper is available in [Ger99a].
[Boh97a] Bohm, N. "Authenticating identities", in http://www.mcg.org.br/identity.txt
[Boh97b] Bohm, N. "Authentication, Reliability and Risks", in http://www.mcg.org.br/auth_b1.htm
[Cuk99] Cukier, Kenneth, "Contemplating life after Postel" in http://www.totaltele.com/secure/cwiview.asp?Target=topArticleID=21654Pub=cwi
[Fro99] Froomkin, M. "A critique of RFC3" in http://www.law.miami.edu/~amf/critique.htm - 1999.
[Ger97] Gerck, E., Overview of Certification Systems: X.509, CA, PGP and SKIP. MCG, http://www.mcg.org.br/cert.htm - 1997.
[Ger98a] Gerck, E., "Towards Real-World Models of Trust: Reliance on Received Information", in http://www.mcg.org.br/trustdef.htm - 1998.
[Ger98b] Gerck, E., "Dr. Faust's Internet Dilemma", in http://www.mcg.org.br/faust.htm - 1998.
[Ger98c] Gerck, E., "What is Identification, that we can identify it?", in http://www.mcg.org.br/coherence2.txt
[Ger99a] Gerck, E., "Arguments for recalling WIPO
RFC3", in http://www.mcg.org.br/wiporfc3.txt
- and in
http://wipo2.wipo.int/dns_comments/rfc3/0076.html
- 1999.
[Ger99b] Gerck, E., "Comments on ICANN Accreditation Guidelines", in http://www.mcg.org.br/icanba.txt - 1999.
[Ger99c] Gerck, E., "REFLECTIONS UPON THE .US MEETING", March 16, 1999, in mcg-talk and e-carm list discussions, archives at http://www.mcg.org.br/emails.htm and http://www.ecarm.org
[ICANN] "Guidelines for Accreditation of Internet Domain Name Registrars", in http://www.icann.org
[ICANNa] http://www.icann.org/articles-pr23nov98.html
[ICANNb] http://www.ntia.doc.gov/ntiahome/domainname/icann-memorandum.htm
[IO99] "Internet ONE" -- http://www.io.io
[Kle99] Kleiman, Kathryn, "WIPO RFC3", in http://wipo2.wipo.int/dns_attachments/rfc3/attach921601818.rtf
[Mue99] Mueller, Milton -- <mueller@syr.edu>, thanks for private comments.
[NTIA] -National Telecommunications and Information Administration, in http://www.ntia.doc.gov
[NSI99] http://www.netsol.com/nsi/facts.html
[RFC3, WIPO ] WIPO, "THE MANAGEMENT OF INTERNET NAMES AND ADDRESSES: INTELLECTUAL PROPERTY ISSUES", in http://wipo2.wipo.int - 1998.
[Rut99] Rutkowski, A.M., "Internet Transitions: the assigning of names and numbers," 3 IEEE Internet Computing No. 1, Jan/Feb 1999, and private comment:
[SCUS] available at http://supct.law.cornell.edu/supct/html/94-967.ZO.html
[WIPOb] http://wipo1.wipo.int
------------------------------------------------------------------------
NOTE: Dr. rer. nat. Ed Gerck, Coordinator - Meta-Certificate
Group. E-mail: egerck@mcg.org.br. The arguments herein represent matters
that were publicly discussed by the MCG, an Internet Open Group on Security
and Certification that includes participants from 28 countries, and in
other fora. However, this presentation is not a MCG document nor should
its terms be considered statements by anyone but the author.