Home / Blogs

If WHOIS Privacy is a Good Idea, Why is it Going Nowhere?

ICANN has been wrangling about WHOIS privacy for years. Last week, yet another WHOIS working group ended without making any progress. What’s the problem? Actually, there are two: one is that WHOIS privacy is not necessarily all it’s cracked up to be, and the other is that so far, nothing in the debate has given any of the parties any incentive to come to agreement.

The current ICANN rules for WHOIS say, approximately, that each time you register a domain in a gTLD (the domains that ICANN manages), you are supposed to provide contact information including physical name and address, phone number, and e-mail. WHOIS data is public, and despite unenforceable rules to the contrary, it is routinely scraped. ICANN doesn’t enforce the rules WHOIS accuracy or completeness, either, so as a result a lot of the WHOIS information is missing or bogus.

Impelled by some horror stories from people who claim to have been stalked or worse by people who got their contact info from WHOIS, and by privacy advocates who point out that if ICANN were in Europe, which it is not, privacy laws would regulate what WHOIS could say about individuals, a variety of proposals have been floated to redact or remove contact information from WHOIS. The privacy crowd considers the merit of these changes to be self-evident, but the rest of us are not so sure.

Registering a domain is analogous to, depending who you ask, somewhere between picking up a pencil to write a letter and registering a car. While some parties (hi, Wendy) advocate fully anonymous registrations with no recourse against registrants for maximum freedom of speech, I lean more toward the car end of the spectrum; if you have a domain, you get definite benefits and gain the opportunity to do both good and bad things, and it is reasonable to expect some responsibility in return for them. I also happen to think that the argument that you need your own second level domain to speak effectively is silly.

It’s also important to keep in mind that the vast majority of Internet users have never registered a domain and never will, but have to put up with the shenanigans of the minority who do. Most registrations are by businesses and organizations, rather than individuals. Most of the names registered by individuals are used for business purposes, which in the US at least suggests they should be treated as businesses. (The .NAME domain is mostly non-business individuals, and might merit different policies, but that’s not even on the table.) So we’re talking about a small minority of a small minority of a small minority of Internet users. Minorities are still people, to be sure, but a reasonable approach would be to come up with an exception process for that minority, not screw up the whole thing to the detriment of the large majority of non-registrant users.

Another equally important point to keep in mind is that the main issue for most parties is in fact money. You can be as private as you want right now if you’re willing to pay a lawyer a few hundred bucks to front for you (and not just for domain registrations.) The question of who would pay for increased costs from any changes was unresolved except for near unanimous agreement that whoever pays, it’s not gonna be me.

Anyway, the current proposal is called OPOC, which is described in the working group’s final report. It approximately says that some of the personal information would be replaced by a pointer to a proxy, the Operational Point Of Contact (OPOC) who would in some way mediate between the actual registrant and people wanting contact info. Prior versions put an OPOC in front of every registrant, this time around it’s just in front of individuals, for some definition of individual. The final report lists a variety of points of non-consensus, but the report whitewashes the actual outcome that there was no consensus on anything beyond minor technical points (one of the few areas where I’m in complete agreement with Milt Mueller.)

So why did this process run into yet another brick wall? It’s actually quite simple: for most of the participants there was no incentive at all to agree, rather than stall and keep things the way they are now.

For registrars and registries, OPOC adds a great deal of new work. Many registrars already offer proxy registration with a thin layer of privacy for free or close to it that provides most of the likely benefits of OPOC, with less hassle. Beyond the modest technical effort to add the OPOC to the registration software, there would be the continuing load of handling complaints that an OPOC didn’t respond to a request, or a response wasn’t sufficiently responsive, or this request is really important and we need the info RIGHT NOW and forget the OPOC. There’s also questions of whether the registry or registrar has to verify that the OPOC exists and agrees to represent the registrant. In return for all of this extra work, they get nothing.

For law enforcement and the extensive web of formal and informal anti-abuse investigators at banks, ISPs, and other organizations subject to abuse, OPOC adds an extra layer of bureaucracy to fight through, with inevitable delays and screwups. The report quotes a consultant report that concluded: “I am not confident that there is an organization that can properly accredit law enforcement agencies in the United States, let alone internationally”. In return for all of this extra work, they get nothing.

The Intellectual Property constituency, primarily trademark lawyers, see WHOIS as a primary source of information about who to sue. (One of them said so at the ICANN Sao Paulo meeting.) I am not a big fan of the IP crowd, and sometimes they sue abusively to shut down something-sucks.com domains, but more often it’s phishers and counterfeiters. They face extra hurdles to get the information they need to do what they do. In return for all of this extra work, they get nothing.

So it’s hardly surprising that the broad response to the of the faction that insists on more privacy now, for free, has been no. Members of this faction have posited a variety of sinister motivations for the lack of agreement, but I find the combination of self-interest with doubt about the alleged benefits a quite adequate explanation. If there were some compensating benefit provided, like more accurate underlying info for law enforcement and IP, there could be some negotiation to balance costs and benefits, but there hasn’t, with predictable results.

The main arguments I’ve heard for OPOC or other data removal are less than compelling. There’s the stalker horror stories, which even if you believe them, the current proxy registrations address as well as OPOC. Several people have pointed out that the current WHOIS doesn’t satisfy European privacy laws, to which a reasonable response is so what? ICANN isn’t in the EU, nor are the major registries, nor are the largest registrars. They’re in the US, which has no privacy laws at all. (Tucows is in Canada, which has a privacy law, but most of their customers are outside Canada, and the privacy commissioner has shown little inclination to enforce it on behalf of non-Canadians.) And what’s the EU going to do? Tell their registrars that they can’t register any more domains?

So that’s why there was no possibility of consensus on OPOC or anything like it. Should ICANN try to push it through anyway, the chances of a lawsuit from some of the losing factions are approximately 100%, since we know from experience that suing ICANN is the most effective way of getting them to do what you want.

I wouldn’t completely rule out something changing eventually, but until the parties on all sides recognize that they have to offer something meaningful to get their opponents to move, I’m not holding my breath.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By John Levine, Author, Consultant & Speaker

Filed Under

Comments

The Famous Brett Watson  –  Aug 29, 2007 7:19 AM

Several people have pointed out that the current WHOIS doesn’t satisfy European privacy laws, to which a reasonable response is so what?

In other words, it’s not a problem for Americans, and “sucks to be you” if you aren’t one. Three cheers for imperialism, USA-style.

Which brings us back to the governance Andreas Pappas  –  Jan 20, 2009 1:35 PM

Which brings us back to the governance debate..

John Berryhill  –  Aug 29, 2007 2:29 PM

I’m confused, John.

If you see domain registration as analogous to automobile registration, I have to wonder whether auto registration is available to the general public in your state.

Automobile registration, in most states, is readily available to law enforcement, but is not readily available to the general public.  So, what is it that you would find appropriate?

Or is it that you find the automobile registration system to be flawed in that regard?

The OPOC proposal is very much like corporate registration in most jurisdictions.  One can do a lot of damage with a corporation, too, but the only available information in, say, Delaware, is the identity of a corporate agent to whom legal papers may be sent.  Sending process to the registered agent satisfied the requirement of service of process, and the world has functioned quite comfortably with that mechanism for many decades.

Suresh Ramasubramanian  –  Aug 30, 2007 1:25 AM

Yes, except when the domain registrant is fake, and the opoc is fake as well. Call it an extra layer of obfuscation to fight through.

Even there - only natural persons get extended that kind of protection, with business entities bound to publish full information.

Mike OConnor  –  Aug 30, 2007 2:30 PM

I agree with the broad strokes of your argument John.  As an ICANN-newbie (my first meeting was Wellington) and end-customer of the domain system, I’ve been bewildered by the conversation about WHOIS privacy and found this article to be helpful and illuminating.

The privacy case doesn’t speak terribly strongly to me, since my contact information has been in WHOIS since 1993, has been scraped a boatload of times, and those lists already provide my spam filter plenty of opportunities to learn about new things.  Nobody has dropped by my house in St Paul, MN and asked to meet .(JavaScript must be enabled to view this email address), so I’m fairly complacent about the physical security risk.  Admittedly, I get the occasional angry email from a spam recipient berating The Foo for something or other, but those are few and far between these days.  Current registrants and I have registrar-provided privacy options available if we so choose.  So that leaves me scratching my head and asking “aren’t we trying to either un-ring a bell, or solve a problem for which a solution already exists?”

I’ve always thought of myself as being entrusted with (and accountable for) a gaggle of domains that are part of an open/public system.  If I screw up with those domains, it seems fair that people can very quickly get in touch to get things fixed.

Admittedly, I’m merely a customer.  And an ICANN newbie at that.  So I’m game for compelling arguments, but the status quo on WHOIS privacy is ok with me.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global