Comments by Karl Auerbach on:

Improvement of Technical Management of Internet Names and Addresses;
Proposed Rule

as published in the Federal Register: February 20, 1998
(Volume 63, Number 34)

A copy of this document is available in HTML format at:
http://www.cavebear.com/archive/nsf-dns/ntia-comments.html

A copy is also available in Adobe Acrobat format at:
http://www.cavebear.com/archive/nsf-dns/ntia-comments.pdf


About The Author

I am Karl Auerbach.

I am a citizen of the United States and a resident of the State of California.

I have been involved with the creation of the Internet since 1973, before there was TCP/IP and well before even the invention of the Domain Name System.

I am an active member of the Internet Engineering Task Force and have been for many years. I have edited RFC's and have co-chaired IETF working groups, including the IETF Working Group on Procedures and Policies (POISED). I am presently active in a number of IETF technical working groups.

I am involved in the daily operation of multiple networks. I operate a number of networks for both commercial and community organizations. I operate the domain name services for those organizations. I am the technical and administrative contact for a number of domains in the .com and .org TLDs.

I write several checks a year to Network Solutions, Incorporated. (NSI)

I have run my name servers using the normal root servers. I have also run "rootless" (a situation in which my server has information permitting it to directly locate the various TLD servers without recourse to a public root server.) And I have run using the services of some of the root server confederations. All of these have provided equally satisfactory service and have not resulted in any loss of any ability to freely exchange electronic communications with anyone anywhere in the world.

I was a participant in the open IAHC process that led to the creation of the "MoU/PAB/POC/CORE" mechanisms.

I am cognizant of the realities of business and finance.

I have founded or participated in the startup and development of a number of companies based on network technologies.

I am an attorney. I obtained my degree of Juris Doctor (cum laud) in 1978 from Loyola Marymount University of Los Angeles. I am licensed in the State of California. I am a member of the California State Bar Section of Intellectual Property.

My web site is http://www.cavebear.com/

My electronic mail address is karl@cavebear.com


Structure of My Comments

My comments are organized according to the following structure:

Overview

Privacy Concerns

The National Science Foundation Problem

Statutory Impediments to Implementation

Technical Impediments to Implementation

Domain Name versus Trade and Service Mark

How The Proposal Promotes Unfair Trade Practices, Anti-Competitive Activities, and Monopoly Building

Continued Government Subsidization of Network Solutions, Inc.

The Corporation

Flaws In The Proposal's Concept of A Registrar

Procedural Defects

Miscellaneous Problems

Comments on Specific Sections of the Proposal

Appendix A -- NSF's Statement Regarding Control And Ownership Of The Domain Name Contact Records


Overview

This writer finds himself to be strongly opposed to many parts of the Proposal.

harvbull.gif (257 bytes) The Proposal fails to address issues of personal privacy of the information that is gathered and used to operate the Domain Name System (DNS).

 

harvbull.gif (257 bytes) The Proposal fails to address the fact that the National Science Foundation (NSF) purported to have made a legally binding commitment that vests Network Solutions Incorporated (NSI) with private property rights in vast amounts of highly valuable information gathered under contract to the Government of the United States.

Because of NSF's action the United States will find it difficult or impossible to coerce Network Solutions to divulge this information as proposed in the Proposal.

 

harvbull.gif (257 bytes) The Proposal establishes a highly anti-competitive system of worldwide, virtually unregulated monopolies known as Registries.

 

harvbull.gif (257 bytes) The Proposal makes an unwarranted, unjustified, and unfair gift to Network Solutions, Incorporated by conferring upon NSI a unique status, including a triple monopoly Registry containing the most commercially viable and lucrative top level domains, .com, .net, and .org.

 

harvbull.gif (257 bytes) By virtue of the Proposal's amazing benevolence towards Network Solutions all new Registries are condemned to impotence and the rights of hundreds of thousands, if not millions, of domain name holders are rendered a nullity. The proposal grants to Network Solutions such a dominant position that few, if any, competing Registries or Registrars will have any chance of success, leaving consumers will little or no choice other than NSI.

 

harvbull.gif (257 bytes) The Proposal creates a Corporation, purportedly to control this system. Yet the Proposals fails to indicate any significant details about the structure of this corporation, the authority under which it will be formed, its powers, its source of funds, or the means to guarantee that it be responsive to the Internet community and to the public.

Moreover the Proposal appears to contradict itself in its appointment of powers to this Corporation in the text but to IANA in the requirements enumerated in the Appendix to the Proposal.

 

harvbull.gif (257 bytes) The Proposal fails to recognize the full technical capabilities of the Domain Name System. In particular the Proposal fails to recognize that the Internet can run very well with distinct DNS roots or with locally administered name servers which avoid the root servers altogether.

 

harvbull.gif (257 bytes) The Proposal creates new trademark law by granting trade and service mark holders a previously unknown power.

The Proposal allows mark holders to veto, or substantially impede, uses of a name by a third party in the total absence of any evidence that the third party is either using or intending to use that name in a way which violates the rights of the mark holder.

The Proposal also will lead to lawsuits in the Courts of the United States between parties who have no contact with the United States except for the fact that one of them may have attempted to register a domain name with a Registrar in the United States.

 

harvbull.gif (257 bytes) The Proposal fails to properly consider the international scope of the Internet.

 

harvbull.gif (257 bytes) The Proposal fails to mesh with the well thought through IAHC/MoU/PAB/POC/CORE mechanism that has come into being over the last 18 months.

 

harvbull.gif (257 bytes) The Proposal fails to mesh with the alternative Root Server Confederations that have come into being over the last two years.

 

harvbull.gif (257 bytes) Apparent defects in the Federal Register notice may render this whole round of rulemaking null and void.

 

harvbull.gif (257 bytes) The Proposal is too vague.

 


Privacy Concerns

The Issue of Privacy In General

The Domain Name System contains two major classes of information, "zone files" and "contact records".

The zone files are essentially lists of domain names and associated IP addresses.

The contact records contain the names, addresses, telephone numbers, affiliations, and other information pertaining to individuals.

The Proposal does not define a privacy policy for this information.

It is suggested that NTIA look to Records, Computers and the Rights of Citizens, The Report of the Secretary's Advisory Committee on Automated Personal Data Systems, Department of Health, Education and Welfare, July 1973.

That report enunciated a "Code of Fair Information Practice" consisting of five basic principles. These principles have been incorporated into recordkeeping practices of agencies the United States via the Privacy Act of 1974 (5 USC 552a). It would be wise to incorporate these same principles into the operation of the Internet's Domain Name System and the IP Address Registration system. (Indeed, because the new regime that would be created by the Proposal is a creation of the United States Federal Government a strong case can be made that the Privacy Act of 1974 applies automatically to any institutions created by the Proposal.)

1. There must be no data record-keeping systems whose very existence is secret.

 

2. There must be a way for an individual to find out what information about him is in a record and how it is used.

 

3. There must be a way for an individual to prevent information about him obtained for one purpose from being used or made available for other purposes without his consent.

 

4. There must be a way for an individual to correct or amend a record of identifiable information about him.

 

5. Any organization creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of the data.

As it stands, the Proposal permits unrestrained access to domain name information (including the names, addresses, company affiliations, telephone numbers, and e-mail addresses) for any commercial use.

Domain name holders have no means to restrict the use of this information, no way of obtaining the equivalent of an "unlisted phone number", and no way of knowing who is accessing nor of learning how that information is being used.

This is inappropriate.

This writer recommends that the Proposal impose limitations such as the following on Registries and Registrars:

No Registry or Registrar shall collect any information directly linked to an identifiable person ("personally identifiable information") except as is strictly necessary for the performance of its functions.

No Registrar shall collect any personally identifiable information except that strictly necessary for the performance of its registrar functions unless it gives specific prior notice to the registrant of the Registrar's privacy policies.

Registrars and Registries shall not use personally identifiable information in any way except to support domain name registration. Nor shall such information be made available to third parties except in response to a court order of subpoena. Appropriate security policies and mechanisms shall be employed to prevent unauthorized access to, or manipulation of, personally identifiable information.

Registrars and Registries shall take steps at least once a year to ensure that any personally identifiable information is accurate. Registrars and Registries shall inform registrants of the existence and contents of the records and ask registrants to verify the accuracy of those records. (It is expected that this verification would occur as a normal part of the domain name renewal and billing cycle.)

Registrars and Registries shall permit registrants, upon reasonable notice, at no cost to the registrant, and at the option of the registrant, via the Internet, to inspect all records maintained by the Registry or Registrar which specifically pertain to that registrant.

These privacy obligations need not be burdensome. Registries and Registrars may ask registrants to waive these limitations. Indeed, a waiver could be handled by through checkbox (or set of checkboxes) on the domain name application or renewal form, much as one finds a checkbox on product warranty registration or magazine subscription forms.

The Privacy Act of 1974

The contact records currently maintained by Network Solutions in performance of its obligations as a Registrar and Registry under Cooperative Agreement NCR-9218742. are arguably subject to the provisions of the Privacy Act of 1974, 5 USC 552a.

The only reason I use the word "arguably" is that there is some question whether the National Science Foundation is "under the control" of the records as defined in 5 USC 552a(a)(5):

(5) the term ``system of records'' means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual; (emphasis added)

The National Science Foundation regards these records as merely "for [NSI's] own use in administering certain domain names".

There are certain ramifications of this situation that will be addressed later in this document under the heading of "The National Science Foundation Problem".

Clearly, in order to implement this Proposal, it will be necessary for the United States Government to obtain these records or otherwise obtain sufficient control to cause NSI to transfer them to other the Registries and Registrars contemplated by this Proposal.

Thus, in order to implement this plan, the US Government will have to obtain control over these records, if even for the limited period of transferring the information from NSI to the new Registries and Registrars. That control will trigger the obligations of the Privacy Act.

Those obligations will severely constrain how the US Government handles those records and what conditions the US Government must impose upon those who receive the records or any portion thereof.

This writer strongly recommends that the NTIA seek guidance from Congress, in the form of specific legislation, that clarifies the relationship of these records to the Privacy Act of 1974 and defines the appropriate procedures that should be applied as this record base is moved from the auspices of the United States Government to private Registrars and Registries.


The National Science Foundation Problem

The National Science Foundation problem is simple:

On one hand, the National Science Foundation has legally obligated itself to the proposition that those parts of the Domain Name System which contain the names, addresses, and other contact information of registrants are the private property of Network Solutions, Incorporated, a private, for-profit corporation.

With respect to these contact records, the National Science Foundation has made the following statement in a formal response to a Privacy Act request: (The full text of NSF's response is attached to these comments in Appendix A.)

NSF has neither created nor obtained the records NSI uses in day-to-day administration of domain name registration activities. The agency does not possess the database and cannot access it electronically (except in the same manner that is available to you and the general public through the Internet). Neither does NSF control the requested database. NSF has never acquired the database and, accordingly, has never integrated the database into NSF's files. Neither does the agency nor its employees retrieve, use, or rely on the data in conducting official agency duties or accomplishing any agency function. Thus, the requested database is not an agency record.

On the other hand, implementation of the plan described in "The Proposal" requires that the US Government obtain and exercise control over those same records, if only to transfer those records, in whole or in part to other registries and registrars.

In order for "The Proposal" to be implemented one of two things must occur:

Either NSF must reverse its position or the US Government will be forced to acquire (and probably pay for) the property rights of Network Solutions in those records.

NSF's position with regard to these records appears to come from NSF's desire to avoid having to recognize that these records are subject to either the Freedom of Information Act (FOIA - 5 USC 552) or the Privacy Act (5 USC 552a).

This writer has made a claim to NSF under the provisions of the Privacy Act and received, in reply a refusal based on NSF's assertion that the records are beyond NSF's control and are merely the internal working materials of Network Solutions, Inc. A copy of that exchange is attached to this submission as Appendix A.

If NSF reverses its position, then those individuals, including this writer, who have made requests under these acts and been refused may have a cause of action against the United States.

Under Cooperative Agreement NO. NCR-9218742 with Network Solutions Incorporated, NSF has the ability to request that Network Solutions deliver to NSF the work product generated under the contract:

E. Final Report

The Awardee shall submit electronically and in ten hard (10) copies a final report to NSF at the conclusion of the Cooperative Agreement. The final report shall contain a description of all work performed and problems encountered (and if requested a copy and documentation of any and all software and data generated) in such form and sufficient detail as to permit replication of the work by a reasonably knowledgeable party or organization

However, unless NSF reverses its position, NSF will not be able to fully exercise Article 10, Section E.

In particular, NSF will be unable to obtain the contact records used to create the "WHOIS" database and upon which NSI maintains the lists of who has registered what domain name.

This, in turn, forecloses the ability of the United States to easily obtain the use of those contact records as proposed in the Proposal.


Statutory Impediments to Implementation

Lack of Statutory Authority

The Proposal calls for a number of concrete steps. Yet the Proposal fails to indicate which body or bodies of the United States government will be responsible for implementing each specific part and under what statutory or Constitutional authority each of those bodies will have the power to so act.

The Proposal cites the following sources of authority: 15 U.S.C. 1512; 47 U.S.C. 902(b)(2)(H); 47 U.S.C. 902(b)(2)(I); 47 U.S.C. 902(b)(2)(M); 47 U.S.C. 904(c)(1).

These sources of authority are adequate for the formation of policy.

But those same sections do not contain any language upon which NTIA can claim sufficient authority to carry out and put into practice those steps defined by the policy.

For example, nowhere in the cited sections can one find authority to establish a Corporation, much less a Corporation with anti-trust immunity. Nor can one find any authority in the cited sections for NTIA to allocate top level domains (TLDs) among NTIA mandated monopoly registrars.

It is not the burden of a citizen to demonstrate that an agency of the government does not have a given power. Rather, the burden is on NTIA to show, with clarity and precision, the sources of its claimed authority.

The United States operates on a system of delegated and enumerated powers. No agency of the United States Government has any intrinsic power whatsoever. Agencies receive their right to act only through specific delegations. These delegations are most frequently in the form of enabling statutes enacted by Congress. Sometimes the delegation to an agency is achieved through an Executive Order in which powers of the President, derived either directly from the Constitution or delegated to the President by Congressional statute, are, in turn, passed to the agency through an explicit order.

In no case does an agency have native powers.

An agency must be able to articulate, with specificity and precision, the authority under which it is purporting to act.

For example, the Proposal calls for "the creation of a private, not-for-profit corporation (the new corporation) to manage the coordinated functions in a stable and open institutional framework. The new corporation should operate as a private entity for the benefit of the Internet as a whole."

What specific statutory authority enables the creation of this corporation?

Furthermore, the Proposal perpetuates the de-facto, worldwide monopoly, and highly preferred status of Network Solutions, Incorporated, a privately held, for-profit corporation. Under the Proposal this would be accomplished through a US government initiated, unilateral, non-competitive process.

What specific statutory authority enables the creation and continuation of this US government sponsored monopoly?

What specific statutory authority permits Network Solutions to obtain new or extended contractual rights from the United without competitive bids?

What specific statutory authority permits the transfer of top level domain names from the United States to a private company without the formal procedures defined for the disposal of government property?

This writer recommends that the Proposal be revised to identify, with specificity, clarity, and precision the authority for each element of the Proposal and, where necessary, what new statutory authority would be required.

Some have asked whether NTIA or any agency of the United States requires authority in order to simply walk away from the management of the Internet. That would be an interesting question were it relevant.

However, the question is not relevant. The Proposal does not simply announce a policy under which the United States would simply abandon the Internet, leaving the pieces to be picked up by whomever and whatever. Rather the Proposal creates a new management structure for the Internet, assigns legally cognizable property rights to private entities, and imposes regulations.


Technical Impediments to Implementation

The Proposal appears to be constructed on the premise that there can be exactly one "root" of the Domain Name System.

That premise is not correct.

The technology and software underlying the domain name system allow the operation of multiple, simultaneous "roots". The operators of domain name servers (those servers found in ISPs and in companies around the world) can elect which root, if any, they will honor.

The fact that the current "root" servers are honored is merely an historical convention adhered to by the vast majority of the millions of domain name server operators. There is no power, technical or legal, to compel those operators to continue to use the current "root" servers.

Any domain name server operator or group of operators can establish and operate a "root" domain. There is no mechanism, technical or legal, to prevent them from doing so.

Whether they can convince anyone to use their "root" is another matter.

Any domain name server operator can elect to operate "rootless". This means that the operator simply resolves names within TLDs by bypassing the root entirely and going directly and immediately to the various TLD server(s.) This writer operates a number of servers in this mode.

The sole value of having a root is to permit domain name servers to resolve TLDs for which they have no other information. The root merely allows a user's local domain resolver to locate the DNS server that handles a particular TLD.

If a domain name server operator believes he or she has enough information about the servers for the TLDs within which he wishes to resolve names, then that operator can quite successfully, and without the need for permission, operate with no recourse to a root server.

(This is not a difficult thing to do. There is freely available software to assist operators build the appropriate server configuration files. This writer has tried it and found it to be easy and painless; there was no impairment of DNS services.)

Any domain name operator anywhere in the world can establish a TLD. Whether anyone knows of or uses that operator's TLD server is a different matter.

If a significant number of domain name server operators elect to recognize a TLD and point their servers in that direction, there is no mechanism, technical or legal, to prevent them from doing so.

Similarly, if a significant number of domain name server operators elect to organize and operate a "root" server, there is no mechanism, technical or legal, to prevent them from doing so.

(There are already a number of "Root Server Confederations" active around the world. This writer has used one of them and has found that the quality of service offered is indistinguishable from that offered by the "legacy roots" discussed in the Proposal. This writer has, indeed, never bothered to switch back to the "legacy roots.")

As the Internet grows, operators of domain name servers may find that they can offer their customers faster name resolution services if they cut straight to the chase and go directly to the TLD servers rather than going through a congested root server.

Thus, there is a non-trivial chance that the consensus of Internet domain name operators may evolve over time to bypass any mechanisms of root server governance and TLD limitation established by this Proposal and thus render this Proposal nugatory.

Today, there are many publishers of telephone directories -- some on paper, some on CD-ROMs, some online. It is desirable that these be consistent with one another, yet the US government has not created a law or regulation mandating that this be so.

Similarly, it is desirable that all the root and TLD servers be consistent with one another. But it is not imperative. It will not cause the network to fail. And we can allow the pressure of consumers demand to drive root and TLD operators to maintain consistency -- in other words, legislation or administrative regulations are an unnecessary imposition of governmental coercion.

In the case of telephone directories, customer demand for consistency drives the publishers. Why not allow the same consumer pressure to ensure that root zone operators avoid excessive divergence or inconsistencies in their domain name offerings?

To impose a single root is highly anti-competitive and is, indeed, tantamount to the establishment of worldwide monopolies. This is something that the US Government can not undertake without legislation. It is also unwise to do so without an international accord.


Domain Name versus Trade and Service Mark

Trade and service marks do not represent an intrinsically superior form of right towards a name.

Rather, trade and service marks represent merely one way that one may have a right to use a name.

One may have the right to use a name because one was born with it. Or a name used in trade may be such as to be non-registrable as a trade or service mark because, in the context of use, it is too descriptive, generic, or geographic.

There is an excessive-tendency for trademark holders to assume that the mere existence of a domain name constitutes automatic infringement. That, of course, is contrary to normal trademark law, which requires that infringement be measured in a specific context of use.

Simply stated: a domain name, in and of itself, does not infringe on any trade or service mark.

It is only in the context of a specific usage that there can be infringement. A domain name is like a name on a white, blank, empty box. A white box bearing the word "Sun" is not automatically infringing on trademarks of either Sun Microsystems (a computer manufacturer), Sun Chemicals, or Sun Baskets. It is only when that box is filed with a computer, with oil, or with a basket and used in trade is there a potential for infringement.

Of course there are highly famous names, such as Disney or Coca-Cola, which can perhaps obtain protection from domain name registrations under a theory of dilution. But this is a limited case that does not apply to normal, non-famous trade and service marks.

The Proposal appears to follow the notion that domain names are, in and of themselves, and absent a context of use in trade, capable of infringing on a non-famous mark. Why else would the Proposal suggest that domain names be suspended, even if temporarily, on the mere objection by a mark holder?

The Proposal is creating a presumption not found elsewhere in law that without any evidence of use or intention that a domain name will be used to infringe upon a trade or service mark.

The Proposal gives holders of trade and service mark powers that are not found in existing law. In particular the Proposal gives mark holders the means to censor or interfere with domain name registrations without any facts or evidence of infringement.

The Proposal's grant of such power is as unwarranted as allowing trade or service mark holders to interfere with the naming of a baby.

Can Microsoft, for example, deny parents the right to name their child "Bob" on the basis that Microsoft has a trademark on the word "Bob" in the context of computer operating systems and user interfaces? Of course not.

We can readily see that such a result is absurd. Yet the example is really no different than the power of a mark holder to force the suspension of a domain name without a demonstration of actual or intended infringement by the domain name holder.

This writer believes that the interaction between domain names and trade and service marks is an issue that should be resolved by the courts, the Congress, or by international Treaty. An executive branch agency, such as NTIA, is not the correct forum to impose legislation of this magnitude.

This writer urges that the Proposal be made neutral with regard to the interaction of domain names and trade and service marks.

This is not to say that the Proposal should not suggest certain paths for Congress to consider.

These paths would include:

harvbull.gif (257 bytes) Removal of any obligation for Registrars or Registries to investigate whether an application could eventually lead to possible infringement.

 

harvbull.gif (257 bytes) Removal of any right for Registrars or Registries to resolve or otherwise act, absent an order from a court of competent jurisdiction, in regard to possible infringement

 

harvbull.gif (257 bytes) A gazette in which the names of recently created domains are listed.

How The Proposal Promotes Unfair Trade Practices, Anti-Competitive Activities, and Monopoly Building

The Proposal creates a set of Registries. Each such Registry is granted exclusive control over one or more Top Level Domains (TLDs).

Under the Proposal each Registry is free to charge as much or as little money as it desires. Each Registry is free to impose whatever policies it pleases. Each Registry sets the qualifications for the Registrars with which it is willing to do business.

The Proposal asserts that this situation creates inter-Registry competition and hence will not result in abuse of Registrars and domain name holders.

Under the Proposal there will, in fact, be no significant competition among Registries. And there will be no protections to prevent abuse. The reason for this is simple: domain name holders will have to subject themselves to substantial financial loss to switch from one Registry to another.

A domain name holder usually makes a significant investment in its domain name. By this I mean the entire domain name, including the TLD portion. For example, consider how much money has been spent to promote "amazon.com", or "microsoft.com", or "fedex.com"? Notice how each of these names includes the TLD. One would not expect Federal Express to change from "fedex.com" to "fedex.firm" absent substantial pressures to do so.

This is not a matter of one TLD versus another. It is not a matter of whether .com is a "better" TLD than .firm. Rather it is a matter of what happens after a domain name holder chooses a TLD and makes an investment in establishing the full domain name, including the chosen TLD.

A domain name, once obtained, becomes a person's or company's "name" on the Internet. Major marketing investments are made in promoting and branding these names. A change of an internet name can bring major disruption to a company's operation, indeed to its continued existence.

Microsoft, for example, has invested considerable sums in creating "microsoft.com" as its name on the network.

This investment locks the domain name holder into the one registry that operates whatever TLD that domain is registered in.

Microsoft, for example, is beholden to Network Solutions, Inc., because NSI has the sole (and unregulated) Registry for .com.

How much would it cost Microsoft in money, lost business, and lost business opportunities if Microsoft had to change its domain name to microsoft.newcom?

(At least Microsoft has an option unavailable to most domain name holders in .com -- Microsoft could simply acquire Network Solutions and compel NSI to fix whatever policy might be irritating Microsoft.)

Unless a domain name holder is willing to abandon its investment in its domain name, its Internet name, the domain name holder must jump through whatever hoops, pay whatever fees, and submit to whatever policies that the registrar wants to impose.

A registry can jack up rates and can impose oppressive policies to a considerable degree before the typical domain name holder would be willing to undertake the expense and trouble of moving to another TLD in another Registry.

Consider an analogous situation. Suppose that you were required pay tribute to some organization for the use of your last name. What expense and trouble would you incur if you had to change your last name?

In more concrete terms: imagine the chill on competition between long-distance telephone companies if telephone subscribers were required to abandon their established surname and adopt a new surname as a condition of switching from AT&T to MCI.

Silly? Yes. Yet this silly notion is exactly what the Proposal would use to engender inter-Registry (inter-TLD) competition.

The circle of Registrars provides no protection for the domain name holder. Indeed, the Registrars are just as vulnerable as the domain name holders, perhaps even more so.

The Proposal appears to believe that Registrars will be immune to manipulation and abuse by the Registries. This writer believes that Registries will have substantial power to impose their will on Registrars and domain name holders. Indeed, our experiences with NSI and its unilateral imposition of new policies shows that such power for abuse is more than a mere conjecture.

A Registry's lock-in factor on the holder of a domain name is more than substantial. Especially in the new area of electronic commerce, a domain name holder's business could wither or even collapse as the result of changing to a new domain name. In these situations, a domain name holder will move to a new TLD, a new Registry, only as a last resort.

The Proposal assumes that domain name holders, after investing large efforts in publicizing their domain names would be willing to throw all that away and move to another TLD. That is unrealistic.

The result of the structure defined by the Proposal is a highly unbalanced relationship -- Each Registry will have enormous power over the domain name holders and the Registrars that have elected to make use of that Registry's services.

This is an invitation to abuse by registries.

The Registry function is a "natural monopoly". The Registry function is not readily accommodated by multiple, competing organizations.

This writer strongly asserts that it is necessary to regulate Registries.

Registries must be regulated as either:

harvbull.gif (257 bytes) A non-profit organization with strict limits on salaries, payouts, and benefits to employees and executives

 

harvbull.gif (257 bytes) A for-profit organization but operated under the aegis of a regulatory body much like a public-utilities commission.

 

That regulation should not be blind to financial manipulation, such as a single organization having a TLD Registry and a Registrar within that TLD. (An organization in this position can manipulate Registry policies and fees to maximize the combined profits of its Registry and Registrar operation.)

This writer recognizes that imposition of regulation is a substantial matter. However, this writer reminds NTIA that regulation need not be in the form of a governmental body overseeing all details of the domain name system and its Registries and Registrars. Rather, regulation can come from structural means.

This writer does not wish to suggest an exact means of regulation except to note that the IAHC/MoU/PAB/POC/CORE structure contains within it a mechanism through which domain name holders themselves regulate the Registry they use. There are many who dislike the MoU system. However, this writer suggests that much of that dislike may arise out of details of the plan or personality rather than out of its basic structure.

An alternative might be to more strongly empower the Corporation to keep Registries operating within acceptable bounds. Of course, one would have to ensure that the Corporation itself is responsive to the needs of the citizenry of the Internet.


Continued Government Subsidization of Network Solutions, Inc.

Network Solutions, Incorporated (NSI) is a for-profit, publicly held, corporation.

NSI is obligated to perform registration services for the National Science Foundation under Cooperative Agreement No. NCR-9218742.

That agreement grants to NSI a de-facto, worldwide, unregulated monopoly.

Although this contract was placed for bid and granted as a "Cost-Plus-Fixed-Fee Cooperative Agreement", NSF has amended it to become an extraordinarily lucrative source of income for NSI.

NSI's operational duties under that agreement terminate as of April 1, 1998. The agreement itself terminates six months later at the end of September 1998.

Yet despite the lapse of NSI's contract, the Proposal unilaterally grants to NSI a continuation of its highly preferred position. In effect the Proposal grants to NSI a continuation of its monopoly position and removes even that thin veneer of potential regulation by NSF.

This is an unacceptable subsidy of a private corporation by the United States government and taxpayers.

But, like a Ginsu knife, NSF is giving NSI even more unwarranted preferences and favors:

The Proposal makes this unacceptable situation even worse:

Without any statement of purpose or rationale, the Proposal hands over to NSI the three most lucrative TLDs while, at the same time, restricting any other Registry to one single TLD. These are public properties worth perhaps billions of dollars.

Some have indicated that perhaps this apparent benevolence towards NSI will last only during the transition period. Yet, if that is the case, it is not something which is clearly articulated in the Proposal. And, indeed, the Proposal itself seems to indicate that after the transition NSI will be free to do what it may: A. The NSI Agreement 1. NSI … will price registry services according to an agreed upon formula for a period of time.

This writer strongly recommends that the Proposal discard this overt favoritism and subsidy of Network Solutions.

This writer strongly recommends that there immediately be instituted a competitive procurement of interim registration services to fill any gap that may arise after the currently scheduled completion of the Cooperative Agreement between NSF and NSI. This interim procurement should be operated on a strict "Cost-Plus-Fixed-Fee" basis.

In addition, this writer recommends that NSI not automatically become a Registry for any TLDs. Rather, NSI should be treated equally with other vendors who wish to bid to become one of the limited number of Registries.

Furthermore, in order to facilitate competition upon the end of the existing Cooperative Agreement between NSF and NSI, all materials, including the domain name contact records should be recovered from Network Solutions. Those materials should then be made available on a fair basis to all bidders.

There is no legal justification for NSI to receive any special treatment.

This writer fails to understand what caused NTIA to even consider such overt benevolence and preference for a private company.

Hasn't Network Solutions, Incorporated, a private, for-profit corporation, already had enough of a sweet deal from the United States Government?

It is patently unfair to allow Network Solutions to obtain further beneficial preference as a result of its existing contract, especially given the extraordinary financial preferences that have already been granted by the United States government during the life of the NSF-NSI cooperative agreement.

It is time to end the subsidy of Network Solutions.


The Corporation

The Proposal envisions the creation of a "private, not-for-profit corporation" with significant authority in some areas and inadequate authority in other areas.

But, before getting into the issue of the powers of the corporation, let us first examine its corporate structure.

Structure Of The Corporation

The Proposal does not address any of the following structural issues:

harvbull.gif (257 bytes) Under what authority and system of laws is the Corporation to be established?

 

harvbull.gif (257 bytes) What will be in the Articles of Incorporation (including issues regarding the powers of the Board, super-majority voting requirements, powers of officers, and requirements for open meetings.)?

 

harvbull.gif (257 bytes) Who can alter the Articles of Incorporation and under what conditions?

 

harvbull.gif (257 bytes) Who are the shareholders? Can shareholders alienate their shares or pledge them to another's benefit?

 

harvbull.gif (257 bytes) What will be the initial By-Laws? Who can alter the By-Laws and under what conditions?

 

harvbull.gif (257 bytes) How is the Corporation to be capitalized? What will be its source of revenue to cover operating expenses?

 

harvbull.gif (257 bytes) What happens to its assets upon dissolution or demise?

These issues are critical. The answers will determine whether the Corporation is an open organization, responsive to the needs of the Internet or whether it will be a closed body that will eventually impede innovation.

Enumerated Powers Of The Corporation

The Proposal defines the following powers to the Corporation:

1. to set policy for and direct the allocation of number blocks to regional number registries for the assignment of Internet addresses;

2. to oversee the operation of an authoritative root server system;

3. to oversee policy for determining, based on objective criteria clearly established in the new organization’s charter, the circumstances under which new top-level domains are added to the root system; and

4. to coordinate the development of other technical protocol parameters as needed to maintain universal connectivity on the Internet.

This writer strongly urges that there is no need to mix IP address allocation with domain name administration.

Current practice separates the functions of DNS administration and IP address allocation.

Nothing has been shown wrong with current practice. In this regard, the system is not broken. It does not need fixing.

Combining IP address allocation with domain name administration would merely muddy the Corporation's role.

This writer strongly urges that all matters of IP address allocation be removed from the Proposal with the single exception of recognizing that there will have to be some registry for the .arpa TLD.

Similarly, there is no need to include matters pertaining to " technical protocol parameters". There is nothing wrong with the existing procedures or institutions in this area. And, if it is felt desirable to move those functions to a new institution, it need not, and should not, be the same institution that is focused on domain name issues.

One should remember that the title of the Proposal is "Improvement of Technical Management of Internet Names and Addresses", not "Consolidation of All Technical and Procedural Matters Involving The Internet Into One Corporation".

Non-Enumerated Powers Of The Corporation

The proposal is very vague or ambiguous about certain issues.

For example, the text declares that the Corporation will set standards for Registries and Registrars, but the Appendix says that IANA will do that.

In addition, can either the Corporation or IANA disestablish a Registry or Registrar? In particular, can the Corporation or IANA remove NSI from its role should it fail to be responsive or meet standards?

It would seem that in order for the Corporation to be anything but a figurehead that it would require these powers.

If the Corporation is invested with such powers, will it be exercised by the Board of Directors or by an officer of the Corporation?

The Board of Directors

The Proposal states that the Board of Directors of the Corporation should consist of the following:

The board of directors for the new corporation should be balanced to equitably represent the interests of IP number registries, domain name registries, domain name registrars, the technical community, and Internet users (commercial, not-for-profit, and individuals). Officials of governments or intergovernmental organizations should not serve on the board of the new corporation.

This writer very strongly objects to this formulation.

IP address registries do not deserve any automatic place on the board of directors. IP address allocation and domain name matters are essentially entirely separate and distinct issues. They should not be mixed together.

In addition, this writer does not understand why officials of governments, especially of local governments and educational boards, should be excluded.

There are other issues with regard to the Corporation:

harvbull.gif (257 bytes) The Corporation should do nothing by informal consensus. On-the-record voting is necessary for the public to evaluate the performance of their representatives on the Board. In addition, consensus voting is an invitation for abuse by the Chairman.

 

harvbull.gif (257 bytes) The Corporation must have at least some revenue stream.

 

harvbull.gif (257 bytes) Not everyone involved in the Internet is wealthy. Much of what has been built has been the result of voluntary, private work. In order to facilitate a reasonably diverse membership on the board, members of the board should be reimbursed for their expenses.

 

harvbull.gif (257 bytes) Board members, like those of other Corporations, must be held to a fiduciary level of responsibility.

 

harvbull.gif (257 bytes) Board members must have the rights typically accorded to board members of corporations. In particular: the members of the board of the Corporation must have the ability to fully examine and audit all records, accounts, and operations of the Corporation, and to receive regular detailed reports from management.

 

harvbull.gif (257 bytes) The Board must have the ability to replace any officer of the Corporation, including the CEO.

 

harvbull.gif (257 bytes) The Board must not be a closed, self-perpetuating body. However, this writer does not believe that term limits are needed or even desirable given the complex and often technical content of the decisions that will be made by the board.

Making The Corporation Truly "Non-Profit"

The phrase "non-profit corporation" is not a magic talisman that prevents the Corporation from being a major cash conduit to its executives and employees. Many "non-profit corporations" have extremely generous salary and benefits packages far beyond what is necessary to recruit and retain competent executives and employees.

This writer urges that the Corporation be organized with mechanisms to prevent the payment of excessive salaries and benefits to executives, staff, board members, consultants, and suppliers.


Flaws In The Proposal's Concept of A Registrar

What is the purpose of a Registrar? The answer is that a Registrar provides the simple clerical function of taking a domain name registration order from a registrant and passing that order on to a Registry to be entered into the zone files and contact database. A Registrar may add other services in order to differentiate itself from other Registrars for the same TLD, but at the bottom, the role with respect to the domain name system is the same for all Registries.

The Proposal appears to assume that Registrars will not share information about their clients and that a Registrar merely informs a Registry of the existence of -, or expiration of a registered domain name within the Registry's TLD(s).

However, effective operation of the Internet requires that the core information base -- the zone files, the contact records, the records of registration expiration, be maintained in one easy to find place -- the TLD Registry, not the individual Registrars. This leaves Registrars as almost translucently thin shell organizations with very little non-shared customer information.

The Proposal appears to consider that each Registrar must function as some sort of public service, available to all.

While that may very well be a valid requirement for Registries, why should that be the case for Registrars?

Why should a Registrar be forced to offer services to anyone and everyone?

For example, why should a large ISP that wants to offer registrar services to its customers be required to offer those services to customers of its competitors?

The Proposal does not permit this. Rather it requires the creation of a body of temple priest Registrars who are the only means to the holy shrine of a Registry?

The Proposal imposes some fairly stringent technical requirements on Registrars.

While those requirements make sense for Registries, it is far from clear that Registrars need have such impressive technical infrastructures in order to interact with their customers.

There is no need for a Registrar to have high availability. Indeed there is no need for a Registrar even to use a computer at all except to communicate with the Registry. Why should a Registrar be compelled to use a network connection to receive and process requests from its customers?

This writer would like to emphasize that it is appropriate to require Registrars to use modern, electronic techniques to interact with Registries. The distinction is with regard to interactions between a Registry and its customers.

With regard to interactions between a Registrar and its customers, many of the Plan's requirements on Registrars, technical and otherwise, are unnecessary featherbedding. They promote no policy purpose.

They are simply excessive, expensive, and unnecessary government regulation and intrusion into business matters.

This writer urges that all technical requirements concerning Registrar-customer interactions be eliminated from the proposal. The Proposal should recognize that it is possible to operate a Registrar using traditional, paper-based records except for the submission of registrations to a Registry.

This does not relieve a Registrar from obligations for proper record keeping, or for ensuring the security and accuracy of its records, or for properly authenticating the identity of its customers. Rather, it merely lets the Registrar select the method best for its business.

This writer also urges that the Proposal be changed to recognize that Registrars can serve a limited or specialized customer base.


Procedural Defects

The Proposal has several potential procedural defects which could invalidate this entire exercise in rulemaking.

The Proposed Rule as published in the February 20, 1998 Federal Register refers to various findings made under Executive Orders and US Statutes.

The NTIA has not demonstrated that those findings are based on any specific or identified body of facts. Nor has NTIA revealed any logical thought process by which those facts were weighed and the findings reached.

Any finding not based on clearly identified facts, made without an articulated sequence of logical steps, or made without an articulated balancing of competing interests is a finding which is, as a matter of law, arbitrary and capricious, an abuse of authority, and a failure of due process.

An agency can not simply point to a thick book of submissions under a previous information gathering exercise. While that may, arguably identify the factual basis, it certainly does not reveal the thought process used to evaluate those submissions.

In particular, NTIA can not simply point to the mass of submissions made last year under its previous inquiry (Request for Comments on the Registration and Administration of Internet Domain Names, July 1, 1997, Docket No. 970613137-7137-01) regarding the domain name system and say "based on this material we find thus and so."

Rather, the agency must indicate which materials it accepts, and why, which materials it rejects, and why, and the agency also must reveal the chain of logic and balancing of interests that was used to reach a given finding.

Section
VIII. Other Information Executive Order 12866

The Proposal makes the following finding under Executive Order 12866:

This proposal has been determined not to be significant under section 3(f) of Executive Order 12866.

Section 3(f) of Executive Order 12866 reads as follows:

(f) "Significant regulatory action" means any regulatory action that is likely to result in a rule that may:

(1) Have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or State, local, or tribal governments or communities;

(4) Raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in this Executive order.

This writer challenges the proposition that "[t]his proposal has been determined not to be significant under section 3(f) of Executive Order 12866."

What concrete facts substantiate such a determination?

This writer wonders why and how NTIA found that the Proposal does not raise significant "novel legal or policy issues"?

Indeed, given the fact that the Proposal creates new monopolies that are immune from anti-trust laws and given the fact that the Proposal grants trade and service mark holders new rights and privileges beyond those granted by existing US Statutes and Treaties, it is incredible for the Proposal to assert that no novel legal or policies issues are involved.

Furthermore, a few "back of the envelope" calculations clearly indicate that the impact of this Proposal may be well in excess of $100 million annually, even if only the United States is considered and the economic impact on the rest of the world is excluded.

NSI's revenue stream alone constitutes a significant portion of the $100,000,000. And the Proposal makes a clear decision to continue to grant to NSI that stream of revenue and thus deny it to others. That alone is a substantial allocation of money.

In addition, NTIA should recognize that there is a thriving industry of companies that intermediate between NSI and the domain name registrant. These intermediaries typically add $50 to $100 on top of NSI's registration fees. Thus, there is a secondary industry which will be strongly impacted by this Proposal with revenues that can be guessed to be on par with those of NSI alone, i.e. yet another $100 million.

It has been argued that the Proposal does not have as large an economic impact as the above rough calculations indicate. That argument is based on the premise that if the Proposal merely continues the status quo that there is no economic impact.

While that argument may make sense in a normal rulemaking process, that argument does not make sense in the context of the Proposal.

This writer asserts that because the Proposal continues a monopoly situation in NSI, the measure of economic impact should be based on a comparison of economic flows between the natural, fully competitive situation and the artificial, monopoly situation imposed by the Proposal.

NTIA has a legal duty to make and articulate a meaningful and supportable determination under Executive Order 12866 using standard economic tools and resources.

Whether based on the notion of novel legal issues or on economic impact, this writer urges that NTIA reconsider its determination under Executive Order 12866.

Section
VIII. Other Information Regulatory Flexibility Act

The Proposal makes the following finding under the Regulatory Flexibility Act:

In fact, businesses will enjoy a reduction in the cost of registering domain names as a result of this proposal.

This writer does not see that the Proposal guarantees any such thing. Indeed, the Proposal introduces substantial non-competitive practices that could readily increase the cost of domain name registration.

The "finding" in the Proposal is merely a bald assertion made without supporting facts or logic.

This writer urges that NTIA remove this unsupportable conjecture and amend its findings under the Regulatory Flexibility Act.

The Proposal goes on to make the following finding under the Regulatory Flexibility Act:

The proposal is pro-competitive because it transfers the current system of domain name registration to a market-driven registry system.

This writer is stunned and appalled that the Assistant General Counsel for Legislation and Regulation of the Department of Commerce certified to the Chief Counsel for Advocacy of the Small Business Administration that this Proposal is "pro-competitive".

This writer challenges NTIA to demonstrate how individual, unregulated, worldwide monopolies (which is what the Registries are when stripped of all technical verbiage) are "pro-competitive".

Indeed, this writer perceives that the exact inverse is true: that this Proposal is highly anti-competitive. The Proposal claims to create a population of TLD Registries that will compete with one another, even though this same Proposal imposes restrictions that will lock-in customers to a single Registry and prevent consumer choice.

The Proposal doesn't even create a significant new population of Registries which, even if the finding were to be believed, could compete with one another. The Proposal calls for five new Registries, but one would assume that most of these they would simply pick up one of the current (and less lucrative) gTLDs from NSI.


Miscellaneous Problems

There are numerous other problems in the Proposal:

harvbull.gif (257 bytes) Ultimate "owner" of TLDs:

Who or what is the ultimate "owner" of TLDs? This issue is important because eventually Registries will fail or have their privileges revoked for sub-standard performance.

This writer urges that "ownership" of TLDs be vested in the Corporation. Registries should be required to receive their privilege to operate a TLD registry by explicit, written, delegation from the Corporation.

This creates a clear structural vehicle through which the Corporation can regulate the performance of registries.

This system of delegation should be instituted from the outset -- no registry should receive its TLD directly through implementation of the Proposal. Rather, during initial implementation of the Proposal, the TLDs should be transferred to the Corporation. Then there should be a formal delegation from the Corporation to the initial set of Registries.

 

harvbull.gif (257 bytes) Where do all the gTLDs go:

The Proposal is very vague regarding the fate of the current gTLDs: .com, .net, .org, .edu, .gov, .mil, .int. .arpa.

It is clear that .arpa must be tied to IP address allocation. And it makes sense for .mil to move to the United States military, or move under the .us TLD. Perhaps .gov should move under .us as well. And .edu deserves some special treatment as well.

But what happens to .com, .net and .org? The Proposal is vague regarding whether these will remain NSI's forever?

This writer suggests that limited duration licenses to operate a Registry for each of these TLDs be sold at auction, much like how the United States is selling licenses for parts of the radio spectrum. No awardee could get more than one. NSI would, of course, be allowed to make its bid along with everyone else. It is suggested that this auction occur under the auspices of the Corporation.

 

harvbull.gif (257 bytes) Network Solution's Big Head Start:

The United States has paid Network Solutions several millions of dollars over the last few years under a "cost plus" contract to perform domain name registration services. NSI has used that money and that time to build its infrastructure and to establish a "brand".

This marketing position and infrastructure was funded either directly by the United States or indirectly through its grant of permission to NSI to collect inordinately high registration fees.

In effect, the United States has funded NSI to the point where NSI will have the resources and established brand recognition to dominate anyone who tries to compete.

 

harvbull.gif (257 bytes) Domain Name Queries. The Proposal focuses primarily on the back-room operations of domain name registration. Bu what happens when computers out on the Internet make domain name queries. There are issues regarding how this real-time service is performed:

Fair and Equal Service -- A TLD name server must fairly and without discrimination respond to queries. A TLD name server must not give any querier higher precedence other than as occurs in the normal internal scheduling of internal database lookups.

This should not be read to say that a TLD name server should not have appropriate firewalls or other protections against attacks originating on the network. Nor should a TLD name server be prevented from imposing rate limits to protect itself against attacks disguised as abnormally high query activity.

No charging for domain name queries -- Neither the roots nor a TLD name server should impose a charge for the making of queries.

Zone transfers -- All TLD servers should allow open transfers of the TLD zone. This will enable administrators of high-availability or closed sites to operate their own mirror servers.

Network Solutions is currently blocking zone transfers of .com. This has negatively impacted network operations and those measuring performance of the network and the domain name system.

 

harvbull.gif (257 bytes) The in-addr.arpa. domain is used to provide IP address to name mappings. The .arpa TLD is unique among TLDs in that it is a single, irreplaceable part of the domain name system. It is inextricably tied to IP address block allocations. Whoever controls the .arpa TLD should not be permitted to use this as way to impose unregulated policies, rules, or fees.

 

harvbull.gif (257 bytes) It may be useful, as is done with the registration of marks, to require either actual use of a domain name or to allow a filing of a "notice of intention to use" to reserve a name absent actual use for at most a short and well-defined period. The term "use" should not simply mean that a name can be resolved by a server, but, rather, some measure that it indicates that the name is more than a mere placeholder awaiting a purchaser.

This writer recognizes that some organizations have found it difficult to measure "actual use". Nevertheless, the Corporation should have the ability to study this issue and make it a requirement if an adequate technical means can be developed.

This writer urges that overt domain name "parking" services, such as proposed by Network Solutions as part of its "WorldNIC", are inappropriate and should not be permitted.


Comments on Specific Sections of The Proposal

Section
II. Background

The History of the Internet as described in the Proposal is excessively US-centric. Yes, much was done in the USA. And, indeed, much of the work was funded by the US government. However, the Proposal ignores the major works funded by private organizations (such as Digital Equipment Corporation, Xerox, and Sun Microsystems) and by individuals. The Proposal also ignores non-US contributions. For instance, many of the basic elements of the World Wide Web were developed in Europe.

Section
II. Background: Assignment of numerical addresses to Internet users

This section of the Proposal raises ARIN to a much higher position than it deserves. This section is also somewhat factually incorrect: many users, such as myself, have our own address blocks which were not assigned by the mechanisms described in the Proposal. Of course, this is all irrelevant to the Domain Name System.

Section
III. The Need For Change

The Proposal makes the following assertion:

Without changes, a proliferation of lawsuits could lead to chaos as tribunals around the world apply the antitrust law

The Proposal offers no basis for its conclusion. This writer questions how this Proposal will reduce legal proceedings or harmonize worldwide Intellectual Property or Anti-Competitive law regarding the Internet.

Section
Section VI. C. The Creation of New gTLDs

The Proposal makes the following assertion:

Individual companies and consortia alike may seek to operate specific generic top-level domains. Competition will take place on two levels. First, there will be competition among different generic top-level domains.

This writer is utterly astonished at the assertion that "there will be competition among different generic top-level domains" for two reasons. First, the current TLDs are so well established and entrenched that new TLDs will suffer a serious competitive disadvantage. Second, the barriers for customers of one TLD to move to another TLD are very high.

When an organization takes a domain within a TLD, that TLD becomes much like that organization's surname. Over time, the holder of that domain makes a substantial investment in that entire name, including the TLD suffix.

There is no effective inter-TLD competition when the holder of a domain name must abandon those substantial investments in order to move to a new TLD.

Consider how little real competition there would be in the long distance telephone arena if customers were required to change their surname when they wanted to switch between MCI and AT&T.

Yet that is a very close analogy to what this Proposal is advocating -- that organizations, individuals, and businesses abandon their established network identity, their TLD, in order to move to another Registry.

Section
Section VI. The Proposal D. The Trademark Dilemma

The Proposal makes the following assertion:

It is important to keep in mind that trademark/domain name disputes arise very rarely on the Internet today.

This is contrary to this writer's own experience.

This writer has personally received challenges from others who were desirous of obtaining a domain name I use which is based on my surname, auerbach.com.

Perhaps the authors of the Proposal were looking only at formal litigation over domain names? That would be far too narrow a point of view.

This writer has heard unverified reports indicating that Network Solutions has alone been involved in between 1,500 and 2,000 disputes related to its registration policies.

The Proposal makes the following assertion:

There are certain steps that could be taken in the application process that would not be difficult for an applicant, but that would make the trademark owner's job easier. For instance, gTLD registrants could supply basic information--including the applicant's name and sufficient contact information to be able to locate the applicant or its representative. To deter the pirating of domain names, the registry could also require applicants to certify that it knows of no entity with superior rights in the domain name it seeks to register.

This suggestion raises multiple problems.

First is the issue of Privacy. This particular contact information should not necessarily be available to the public at large. Rather it should be maintained by a Registry and provided only to those who present evidence of a bona fide disagreement over the name. What would constitute a bona fide disagreement should be sufficiently inclusive as to allow disputants to contact one another before initiation of litigation or other formal processes.

Second, a requirement that an applicant "certify that it knows of no entity with superior rights in the domain name it seeks to register" is full of problems:

It is an invitation for "know nothing" registrants.

It is a very subjective standard. Enforcement would be expensive and slow.

It requires registrants to make an assessment of the term "superior rights". This requires a registrant to make a judgment based on a disjointed system of Intellectual Property laws in all countries of the world. This is a judgment beyond even experts in the field.

This writer, for example, uses the domain name "auerbach.com". Under recent case law in Germany, since "Auerbach" is my surname, I would have superior rights to many, perhaps to all, of those who would contest my use. In the United States, the determination of a superior right is highly contextual. Even if we were to focus only on Federal trade and service mark laws in the United States, it is very unlikely that an existing registered mark could trump my established usage and my right to use auerbach.com.

The Proposal makes the following assertion:

The job of policing trademarks could be considerably easier if domain name databases were readily searchable through a common interface to determine what names are registered, who holds those domain names, and how to contact a domain name holder.

As usual, there is the issue of Privacy, something that the Proposal generally fails to consider.

And this provision is yet another instance in which the Proposal fails to recognize that the mere existence of a domain name does not in itself constitute infringement of a trade or service mark. Infringement can only arise through actual use of a domain name, in a specific context and in trade.

This Proposal should not accord wealthy trade and service mark holders any additional means by which to coerce underfinanced domain name holders into relinquishing their domain names. Mark holders already have sufficient rights under existing laws. No additional mechanisms are necessary.

Moreover, this writer believes that the power to grant these new rights to mark holders is to be found only in the Congress of the United States and under the Treaty power of the Executive.

The Proposal makes the following assertion:

Mechanisms that allow for on-line dispute resolution could provide an inexpensive and efficient alternative to litigation for resolving disputes between trademark owners and domain name registrants. A swift dispute resolution process could provide for the temporary suspension of a domain name registration if an adversely affected trademark holder objects within a short time, e.g. 30 days, of the initial registration. We seek comment on whether registries should be required to resolve disputes within a specified period of time after an opposition is filed, and if so, how long that period should be.

While Alternative Dispute Resolution (ADR) mechanisms may be desirable, the authors of the proposal are reminded that Amendment VII of the United States Constitution limits the applicability of ADR.

And, as usual, this part of the Proposal fails to distinguish between the mere existence of a domain name, which, in itself, may not violate any trade or service mark, and the use of that domain name, in trade, in a specific context.

It is exceedingly inappropriate to give mark holders a new club with which to beat down domain name registrations absent any evidence that the accused domain name is actually used, in trade and in a specific way that gives rise to an actual, bona-fide claim of infringement.

There are adequate and well-established mechanisms by which a mark holder can deal with a situation in which a new or proposed domain registration infringes on a mark holder's rights.

These existing mechanisms are known as a Temporary Restraining Order (TRO) and a temporary injunction. If a mark holder can demonstrate to a court that it is likely that the mark holder would prevail in an infringement dispute and if the mark holder can also demonstrate that allowing the registration of the domain name to proceed would result in irreparable harm, then the court may issue the TRO and injunction, thus blocking the registration and the use of the domain name.

There is absolutely no need for any new mechanisms; existing legal processes are more than adequate to meet the needs of a mark holder. And, except for honoring a TRO or injunction, there is no need to even involve Registrars or Registries in this process.

The Proposal makes the following statement:

Trademark holders have expressed concern that domain name registrants in faraway places may be able to infringe their rights with no convenient jurisdiction available in which the trademark owner could file suit to protect those rights. At the time of registration, registrants could agree that, in the event of a trademark dispute involving the name registered, jurisdiction would lie where the registry is domiciled, where the registry database in maintained, or where the ``A'' root server is maintained. We seek comment on this proposal, as well as suggestions for how such jurisdictional provisions could be implemented.

This agreement to jurisdiction would cut both ways -- it would allow the holder of a mark registered outside of the United States to come in and displace a domain name registrant in the United States.

Trademark pirates will applaud this section; it makes trademark piracy so much easier. A pirate could register a large number of words as marks in, say, Tunisia and then wait for people to try to register domain names containing those words. The pirate could then have the benefit of the United States courts to block the domain registration (presumably the pirate would block the registration only until the registrant paid a license fee to the pirate.) This would save the pirate the overhead of obtaining a Tunisian judgment and then trying to get that judgment honored in the United States.

This section opens up the courthouses of United States to disputes between parties, neither of which may have any substantial contact with the United States. It is easy to foresee that this section will allow a dispute between a French trademark holder and a Japanese domain name applicant to be fought out in a court of the United States. This is contrary to well established policies against the United States being a forum for litigation which has little or no real contact with the US.

Many are concerned that without using the legal fiction of in rem jurisdiction over a domain name registration in a Registry, such as is set forth in the Proposal, mark holders may be forced to travel great distances to find a forum that has jurisdiction over the defendant. That may indeed be a problem. However, this writer suggests that we have as yet too little experience with this problem to impose as radical a solution as that set forth in the Proposal.

This writer strongly urges the Proposal to abandon this artificial in rem jurisdiction and simply require the true parties of interest to find an appropriate forum as they have always had to do in the past

Section
VII. The Transition A. The NSI Agreement

The Proposal proposes the following:

The U.S. government will ramp down the NSI cooperative agreement and phase it out by the end of September 1998. The ramp down agreement with NSI should reflect the following terms and conditions designed to promote competition in the domain name space.

1. NSI will effectively separate and maintain a clear division between its current registry business and its current registrar business. NSI will continue to operate .com, .net and .org but on a fully shared-registry basis; it will shift operation of .edu to a not- for-profit entity. The registry will treat all registrars on a nondiscriminatory basis and will price registry services according to an agreed upon formula for a period of time.

Why does NSI need or deserve any further special treatment?

In particular, why should NSI be granted, gratis, continued and permanent control of the extremely lucrative .com TLD, and the net TLD and the .org TLD?

It is patently unfair to allow NSI to obtain a beneficial position as a result of its expiring contract, especially given the extraordinary financial preferences that have been granted, without compensation to the US government or taxpayers, during the life of the NSF-NSI cooperative agreement.

3. NSI will give the U.S. government a copy and documentation of all the data, software, and appropriate licenses to other intellectual property generated under the cooperative agreement, for use by the new corporation for the benefit of the Internet.

The existing Cooperative Agreement between the National Science Foundation and Network Solutions Incorporated should be allowed to lapse according to its own provisions.

Everything, including the domain name contact records, should be recovered from NSI. And those materials should be made available on a fair basis to all bidders.

Anyone who desires to establish the Registry for.com, .net, .org, and other TLDs now operated by NSI should compete for those concessions on an equal and fair basis. Network Solutions may, of course, submit its bid along with everyone else.

Should Network Solutions win an award, it should be required to rebuild its databases from the same information that is made available to other winners. NSI should not be able to obtain the benefit of simply continuing its database. Allowing NSI to do so is both unfair and an invitation for NSI to make a less than full return of all the information.

For this Proposal to do otherwise would be the height of governmental preferential treatment and suppression of competition.

This Proposal carries the banner of being pro-competitive and non-regulatory. Indeed in its statement under the Regulatory Flexibility Act, the Proposal states: "The proposal is pro-competitive because it transfers the current system of domain name registration to a market-driven registry system." The Proposal's outright grant of TLD's to Network Solutions belies the truth of the quoted statement.

There is no shortage of organizations willing to step in and take over NSI's duties. As has been recently demonstrated by contingency testing by IANA, there would almost certainly be no degradation in the operation of DNS servers for existing registered domains. Perhaps there would be a short-term disruption in registration processing, but that is a small price to pay in order to move from the current US Government imposed NSI monopoly to a truly open, competitive environment.

Section
VII. The Transition. D. The .us Domain

Clearly, there is much opportunity for enhancing the .us domain space, and the .us domain could be expanded in many ways without displacing the current geopolitical structure.

The .us domain servers at many levels are hobbyist operations. This may well explain why many people have avoided the .us domain.

Moreover, the .us domain is presently subdivided and structured along geographic lines.

The geographic focus of the .us domain requires a registrant to pound a stake deep into a bit of geography and say "here I am". That does not work well for large or distributed organizations.

The silliness of the geographic focus in a large country like the USA is illustrated by "asylum.sf.ca.us". It is not in San Francisco; nor is it even in California. It used to be in Belmont, California, but is now in Cambridge, Massachusetts.

Section
VII. The Transition. E. The Process

The U.S. government … cannot cede authority to any particular commercial interest or any specific coalition of interest groups.

The principle stated above is absolutely correct.

Unfortunately the Proposal runs to the contrary:

The outright gifts and waivers of normal legal provisions that the Proposal grants to Network Solutions are a very clear cession of authority to a particular commercial interest.

Section
Appendix 1 Recommended Registry and Registrar Requirements

Only prospective registries that meet these criteria will be allowed by IANA to register their gTLD in the ``A'' server. If, after it begins operations, a registry no longer meets these requirements, IANA may transfer management of the domain names under that registry's gTLD to another organization.

It would seem that this is a matter for the Corporation rather than IANA.

Registries will be separate from registrars and have only registrars as their customers. If a registry wishes to act both as registry and registrar for the same TLD, it must do so through separate subsidiaries. Appropriate accounting and confidentiality safeguards shall be used to ensure that the registry subsidiary's business is not utilized in any manner to benefit the registrar subsidiary to the detriment of any other registrar.

What precisely constitutes " Appropriate accounting" safeguards?

Who will audit these safeguards?

Will the public, the Corporation, or Registry customers be able to review the Registrar's books?

What precisely constitutes " Appropriate … confidentiality safeguards"? Indeed, "confidentiality" cuts in the opposite direction. How is Registry confidentiality going to do anything but promote temptations to play a bit loose with the rules?

And what, precisely, will be the enforcement mechanism and the remedies available to those who are damaged should a Registry violate these safeguards? Perhaps there should be provisions for statutory damages, treble actual damages, and compensation for attorney's fees.

Each top-level domain (TLD) database will be maintained by only one registry and, at least initially, each new registry can host only one TLD.

If this is important, then why is Network Solutions being allowed to simply inherit three TLDs?

The Proposal is very vague whether grant of three TLDs is merely for the "transition" period. But even if that is the case, why should NSI be allowed this preference during the transition period? If some of NSI's TLDs are going to be transferred immediately, why stop with those, why not transfer all but one, or even all?

a. Alternate (i.e., non-litigation) dispute resolution providing a timely and inexpensive forum for trademark-related complaints. (These procedures should be consistent with applicable national laws and compatible with any available judicial or administrative remedies.)

Since NTIA is an agency of the United States Government and since NTIA is proposing to mandate these provisions, this section must be applied carefully in light of the Constitutional requirements for Due Process and Jury Trial.

a. Allows multiple competing registrars to have secure access (with encryption and authentication) to the database on an equal (first-come, first-served) basis.

What does "equal … basis" mean in other contexts? Can a registrar offer different pricing depending on the quantity of business that a registrar submits, or whether the registrar submits its updates in batches rather than individually or during the registrar's business hours rather than in the wee hours of the night?

b. Is both robust (24 hours per day, 365 days per year) and scalable (i.e., capable of handling high volumes of entries and inquiries).

Must the registry allow zone transfers to all who ask?

This writer strongly urges that the answer be "yes". That would permit the operation of redundant/backup servers and allows users on the net to self-protect themselves against registry outages. It would also permit those who operate servers in parts of the network which are normally disconnected or in which external connection is slow or expensive (for example the South Pole research station) to provide good service to their users.

Can Registries discriminate? I.e. can a Registry serve some name queries or zone transfers at higher priority than others, and perhaps even disregard queries from some sites? Or will Registries be essentially equivalent to "common carriers" that must serve all queries equally?

Can a registry charge a fee for name queries or zone transfers?

e. Incorporates a record management system that maintains copies of all transactions, correspondence, and communications with registrars for at least the length of a registration contract.

"length of a registration contract"? Does this mean the period in which a registration is valid? Or does it mean the length of time of a valid contract between the Registry and Registrar.

And, what is done with such records at the end of the registration contract? Should not these records be delivered to the Corporation for archival storage? Should Registries and Registrars be bonded to ensure compliance?

This raises the whole issue of how often Registrars and Registries must refresh or re-confirm registrations.

f. Features a searchable, on-line database meeting the requirements of Appendix 2.

This raises substantial privacy concerns.

How is this database to be protected from becoming a source of information for spammers and telemarketeers?

How is this database going to be protected against aggregation with other databases to help compile dossiers on individuals?

Will Registries be allowed to sell this database? Indeed, who will actually have title to these databases?

On the other hand, to promote competition, it is important that these databases be available to other Registries and Registrars. This is especially important with regard to those databases held by Network Solutions -- NSI has had a long period of US Government sponsored monopoly. Other Registries and Registrars will not be able to effectively compete with NSI unless they have an opportunity to try to sell into NSI's inherited customer base.

Section
Appendix 1 Registrar Requirements

Registries will set standards for registrars with which they wish to do business.

This is an invitation for abuse. A Registry could easily set standards which none but its favored Registrars could meet.

The following are the minimal qualifications that IANA should mandate that each registry impose and test or inspect before allowing a registrar to access its database(s). Any additional requirements imposed by registries on registrars must be approved by IANA and should not affect the stability of the Internet

This seems to be a job for the Corporation rather than IANA.

Registries may …may remove domain names from the registries if at a later time the registrar which registered them no longer meets the requirements for registrars.

This is exceedingly unfair to the domain name registrants. They should not be punished for a dispute between their Registrar and it's Registry.

This is also anti-competitive. Few customers will elect to deal with a Registrar which may experience a dispute with its Registry. Indeed, this will tend to drive customers to those Registrars which are owned by the same organization that owns the TLD Registry, in practice this means Network Solutions, Incorporated.

This writer strongly urges that Registries have no power to remove registrations except under limited and well-defined circumstances.

Further, the Registrar and Registry hold a huge hammer over those who have registered domain names. This creates a significant imbalance between a Registrar and a domain name holder in the event of a dispute.

This writer further urges that Registries not honor instructions from Registrars to remove a domain name without first contacting the domain name holder and giving a reasonable period for a reply. If the domain name holder indicates that there is a bona fide dispute between the domain name holder and the Registrar, the Registry should not remove the name except pursuant to an order from a court of competent jurisidiction.

1. A functioning Database and Communications System that supports:
a. Secure access (with encryption and authentication) to the registry.

Is NTIA implicitly saying that it is OK, and indeed, necessary, to use non-trivial encryption outside of the United States and across the borders of the United States?

Can a Registry export the software that a Registrar must use if that software contains a non-trivial encryption scheme such as PGP?

How is this provision going to be honored by registries which are in countries in which encryption is not allowed?

How are Registrars and Registries to abide by transnational data flow laws which, in some nations, regulate the flow of information pertaining to named individuals?

Section
Appendix 2--Minimum Dispute Resolution and Other Procedures Related to Trademarks

1. Minimum Application Requirements.

a. Sufficient owner and contact information (e.g., names, mail address for service of process, e-mail address, telephone and fax numbers, etc.) to enable an interested party to contact either the owner/applicant or its designated representative;

It would seem adequate that such information should be made available only in the case of a bona fide dispute. Simply slathering that data into a public database with no controlled access and without any journal (including the name of the person making the request) of access requests is a violation of privacy and an invitation to expropriation by spammers and marketeers.

2. Searchable Database Requirements.

a. Utilizing a simple, easy-to-use, standardized search interface that features multiple field or string searching and the retrieval of similar names, the following information must be included in all registry databases, and available to anyone with access to the Internet:

--Up-to-date ownership and contact information;

--Up-to-date and historical chain of title information for the domain name;

--A mail address for service of process;

--The date of the domain name registration; and

--The date an objection to registration of the domain name was filed.

This raises significant privacy concerns.

4. Alternative Dispute Resolution of Domain Name Conflicts.

If an objection to registration is raised within 30 days after registration of the domain name, a brief period of suspension during the pendency of the dispute will be provided by the registries.

Rather than automatic suspension, this Proposal should rely on the time tested, flexible mechanism known as a Temporary Restraining Order (TRO) and temporary injunction.

If a mark holder can demonstrate to a court that it is likely that the mark holder would prevail in an infringement dispute and if the mark holder can also demonstrate that allowing the registration of the domain name to proceed would result in irreparable harm, then the court may issue a TRO and injunction blocking the registration and use of the domain name.


Appendix A -- NSF's Statement Regarding Control And Ownership Of The Domain Name Contact Records

The following consists of two letters.

harvbull.gif (257 bytes) The first is a request by this writer to the National Science Foundation.

 

harvbull.gif (257 bytes) The second is the response of the National Science Foundation. NSF takes the position that those records underlying the Domain Name System which contain personally identifiable information are not subject to the control of the National Science Foundation.

This response from NSF contains many questionable legal propositions, cites inapplicable case law based on an entirely different statute, and misconstrues facts and history. Nevertheless, unless overturned, it is a formal, binding statement of NSF's position vis--vis the contact records in the domain name database.

The importance of this exchange of letters is that it contains an assertion by the National Science Foundation which imputes ownership of the contact records underlying the domain name system to Network Solutions, Incorporated.

In other words, the National Science Foundation claims to have permitted ownership of those records to lapse into the hands of Network Solutions, Incorporated.

Since the United States is prohibited from simple expropriating private property, NSF's decision represents a substantial obstacle to implementation of the steps set forth in the Proposal, especially those steps which require the redeployment of information being used by NSI by other Registries and Registrars.

If NSF were to reverse its position, NSF should expect to face legal actions by those who made Privacy Act and Freedom of Information Act requests which were denied on the basis of NSF's non-ownership of this information.


Karl Auerbach

218 Carbonera Drive

Santa Cruz, California 95060-1500

NSF Privacy Act Officer
Division of Contracts, Policy, and Oversight
Room 485
National Science Foundation
4201 Wilson Boulevard
Arlington, VA 22230

 

PRIVACY ACT REQUEST

November 16, 1997

To Whom It May Concern:

As provided by the Privacy Act of 1974 (5USC 552a) and the 45 CFR part 613, I hereby make the following request.

As provided under 45 CFR part 613.2, please inform me of the existence of records pertaining to me, Karl Auerbach, contained within the following "system of records":

The "domain name database" (including the "whois" database and all ancillary record systems used for fee collection) operated by National Science Foundation through its contractor, Network Solutions, Incorporated, under cooperative agreement No. NCR-9218742.

The National Science Foundation has apparently failed to publish notice of this system of records in the Federal Register. However, it is my belief that this system of records is in daily use and that information may be obtained from that system by the name of an individual as well as by "handles" assigned to individuals.

Please let me know if you need any further information to facilitate the processing of this request.

Sincerely,

Karl Auerbach


NATIONAL SCIENCE FOUNDATION
4201 WILSON BOULEVARD
ARLINGTON, VIRGINIA 22250

December 24, 1997

Mr. Karl Auerbach

218 Carbonera Drive

Santa Cruz, CA 95060-1500

Dear Mr. Auerbach:

Thank you for your patience in awaiting our response. We felt it was important, however, to answer fully your November 16, 1997 letter, especially since it is not uncommon for individuals unfamiliar with federal disclosure statutes to confuse the Privacy Act with the Freedom of Information Act (FOIA). For example, you mistakenly maintain that the statutory response dates applicable to FOIA requests similarly apply to the Privacy Act, and that clearly is not the case. Although National Science Foundation regulations certainly state that the agency will attempt to respond to Privacy Act requests within ten working days, there is no statutory deadline. And I am sure you appreciate the legal and factual difference between asking for whether records exist and seeking to amend a Privacy Act record pertaining to you.

Specifically, you ask us to inform you "of the existence of records pertaining to [you]" in what you assert to be a Privacy Act system of records referred to as the "domain name database." NSF maintains no such system of records and, consequently, cannot have "failed to publish notice of this system of records in the Federal Register" as you incorrectly state.

The Privacy Act's provisions apply to systems of records maintained by a Federal agency. 5 U.S.C 552a(e). A "system of records" includes only records under the control of the agency from which information is retrieved by an individual identifier. 5 U.S.C 552a(a)(5). The Privacy Act's definition of "agency" at 5 U.S.C 552a(a)(1) is the same as is defined in the Freedom of Information Act. See 5 U.S.C 552(f)(1)

The United States Supreme Court in Department of Justice v. Tax Analysts, 492 U.S. 136 (1989), established a two-pronged test for determining whether material constitutes an agency record". First, a federal agency must "either create or obtain" the materials. Id. at 144, citing Kissinger n Reporters Committee for Freedom of the Press, 445 U.S. 136 (1980), and Forsham v. Harris, 445 U.S. 169 (1980). Second, the agency "must be in control of the requested materials at the time the FOIA request is made." Tax Analysts, 492 U.S. at 145. Moreover, the Court held, "[b]y control we mean that the materials have come into the agency's possession in the legitimate conduct of its official duties." Id.

Network Solutions, Inc. (NSI) maintains records for its own use in administering certain domain names under a cooperative agreement with NSF, NCR-9218742. The so-called domain name database to which you refer consists of information collected, maintained and used by NSI pursuant to that cooperative agreement, which is a type of federal assistance award made by NSF under the Federal Grant and Cooperative Agreement Act of 1977, 4 U.S.C. 503, where the agency transfers money to the recipient to accomplish a public purpose of support or stimulation. NSF Grant Policy Manual 210.

NSF has neither created nor obtained the records NSI uses in day-to-day administration of domain name registration activities. The agency does not possess the database and cannot access it electronically (except in the same manner that is available to you and the general public through the Internet). Neither does NSF control the requested database. NSF has never acquired the database and, accordingly, has never integrated the database into NSF's files. Neither does the agency nor its employees retrieve, use, or rely on the data in conducting official agency duties or accomplishing any agency function. Thus, the requested database is not an agency record. See id. at 145-47.1

Private organizations like NSI that receive federal financial assistance grants are not within the definition of "agency," Forsham v. Harris, 445 U.S. 169, 179 (1980), and the documents created by a grant recipient are the property of the recipient, not the Federal Government. Id. at 180-81.2 The "written data generated, owned, and possessed by a privately controlled organization receiving federal study grants are not 'agency records' within the meaning of the Act when copies of those data have not been obtained by a federal agency subject to the FOIA." Id. at 171. Nor does the agency's right of access to the materials change this result. Tax Analysts, supra at 144. Rather, "the FOIA applies to records which have been in fact obtained, and not to records which merely could have been obtained." Id. at 186 (emphasis in original).3

Similarly, the records of recipients of federal grants fall outside the purview of the Privacy Act. General federal supervision of grantees remains insufficient to establish the substantial federal control and supervision necessary to characterize the grantee as a "federal" entity or instrumentality. Dennie v. University of Pittsburgh School of Medicine, 589 F. Supp. 348, 352 (D.V.I. 1984), aff'd, 770 F. 2d 1068 (3d Cir. 1985) citing Forsham. Applying Forsham to a claim under the Privacy Act, the Dennie court concluded that "absent extensive detailed and virtually day-to-day supervision" -- the standard of Forsham, "the recipient of public funds does not become a federal instrumentality" for Privacy Act purposes. Thus, the Federal agency has no obligation to insure that records held by its grantee are maintained in compliance with the Privacy Act. Id at 352-53.4

NSF maintains no such supervision and control over NSI databases. The terms of the cooperative agreement make clear that NSI -- as the awardee -- has primary responsibility for carrying out the agreement while NSF conducts oversight, monitoring, and evaluation of the awardee's performance. As in Forsham, supra at 172-73 and Dennie, supra at 352, NSF exercises limited oversight over the funded activity including review of periodic reports submitted by the grantee and agency approval of major program or budgetary changes, while NSI conducts the day-to-day administrative activities under the agreement. NSF's general oversight does not establish agency control of the database. See Forsham at 182 and Dennie at 352-53.

Thus, your assertion that the "domain name database" is an NSF system of records is incorrect, and NSF maintains no system of records responsive to your request.

Sincerely,

Herman G. Fleming

Privacy Officer

1 Compare Tax Analysts, supra at 145-148 (agency had records in its possession at the time of the request, had placed them in its official case files, and was routinely using the records in the performance of its official duties); Burka v. HHS, 87 F.3d 508,515 (D.C. Cir. 1996) (agency exercised control over data tapes in the possession of its contractor sufficient to render them "agency records" for FOIA purposes where the agency ordered creation of the records, plans to take physical possession of the tapes at the end of the project, has indicated it will disclose the information after the agency's publication schedule is completed and prohibited the contractor from making any independent disclosures, and has read and relied significantly on the information in writing articles and establishing agency policies); and St Paul's Benev. Educ. Inst v. U.S., 506 F. Supp. 823, 829 (ND. Ga. 1980) (computer tape possessed by the agency; facts reveal the agency did "create or obtain a record," which is now in its possession, and that it may certainly rely or use this record in the future because of the importance of the data).

 

2 Compare Hurcules Inc. v. Marsh, 839 F.2d 1027(4th Cir. 1988) (where an agency directory prepared by a contractor for the agency and marked as the property of the government agency was held to be an agency record).

 

3 See also Animal Legal Defense Fund v. Secretary of Agriculture, 813 F. Supp. 882 (D.D.C. 1993) (regulated entities' plan stored "on-site" does not constitute an "agency record" under the meaning of the FOIA).

 

4 See also 5 U.S.C 552a(m)(1) and Office of Management and Budget Guidelines, 40 Fed. Reg. 28,948, 28,951,28,975 76 (July 9, 1975) (Privacy Act applies only to a system of records controlled by an agency within the terms of the Act, i.e., to those systems operated under a federal procurement contract "by or on behalf of the agency … to accomplish an agency function". "The qualifying phrase 'to accomplish an agency function' limits the applicability of subsection (m) to those systems directly related to the performance of Federal agency functions by excluding from its coverage systems which are financed, in whole or part, with Federal funds, but with are managed by state or local governments for the benefit of state or local governments." Similarly, "[t was not intended to cover private sector record keeping systems" including those of federal grantees funded to support a public purpose.)