
Confessions of an Ex-Opponent of Whois Privacy

The following is the easyDNS response to ICANN’s public comment period on GNSO Privacy & Proxy Services Accreditation Issues Working Group Initial Report. The public comment period is open until July 7, 2015. We strongly urge you to make your voice known by signing the petition over at Save Domain Privacy.

I submit these comments as a CEO of an ICANN accredited registrar, a former director to CIRA and a lifelong anti-spam contributor with an unblemished record of running a managed DNS provider that maintains zero tolerance for net abuse or cybercrime and as someone who maintains a healthy working relationship with the units of our local and federal Law Enforcement Agencies that deal with cybercrime.

In the past easyDNS was opposed to Whois Privacy. We did not offer it and we strongly cautioned our customers against using it.

Our rationale was twofold:

  1. We felt that those connecting to the internet to originate traffic and consume system resources of external parties (i.e. people sending email) had an obligation and a responsibility to be identifiable. For example, we felt (and still do) that nobody has an obligation to accept email from a domain whose contact details are anonymized. This belief still does not conflict with our advocacy of Whois Privacy.
  2. There was agency risk to the Registrants themselves, as once they enabled whois privacy on their domains the “official” owner (or rights holder) to their names became the privacy provider and not the actual registrant. (This fear was borne out as many Registrants did in fact lose their names in the failure of RegisterFly).

We eventually relented to customer pressure and implemented Whois Privacy and have since completely reversed our opinions on the efficacy of employing it and necessity of making it an option. (For the record, our opinion was not swayed by the additional revenues we garner from offering it. The vast majority of our Registrants making use of Whois Privacy get it at no cost).

It is important to note that once we did change directions and offer Whois Privacy, we found that doing so had absolutely no material effect on occurrences of net abuse, known cases of cybercrime or any other form of civil misdeed such as copyright violations or intellectual property infringement.

We think we know why this is: they are the same reasons the policy shift being considered will have zero effect toward their intended outcome and why the second order effects will be primarily negative and disruptive to those who are not guilty of any malfeasance (we refer to these innocent bystanders as “rule followers”).

As a result of these experiences, we believe that absent a breach of service terms such as net abuse, the only basis for disclosing underlying Registrant data, especially to copyright and trademark complainants should be subject to:

  • a court order (in a competent jurisdiction to the Proxy provider)
  • a subpoena (in a competent jurisdiction to the Proxy provider)
  • a pending civil action
  • a URS or UDRP action.

In other words, we feel that Section D of Annex E of the Initial Report on the Privacy & Proxy Services Accreditation Issues PDP should have precisely the opposite requirement that it now proposes.

We will explain our reasoning below. It is based on real world experiences of nearly 20 years in the domain and managed DNS business:

#1. Many Registrants Don’t Even Know That the Whois Exists or What’s In It.

Understanding that a consequence of simply registering a domain name results in one’s personal contact details being published in a world viewable, digital database is actually quite limited. People who earn their livelihood online are possibly cognizant of it, although even within this cutting edge technologically literate segment a significant number of participants are not. Your average bricklayer, baker or candlestick maker is for the most part oblivious to the existence of Whois.

What they do know, is that when they finally get motivated to “join the digital age” and register their first domain name, and after dutifully filling out the online form, which is like any other online form they fill out, within days, or even minutes they are receiving unwanted spam, phone calls or junk faxes because their personal details have been harvested from the Whois almost immediately.

Blame, or at the very least suspicion is then directed toward the Registrar (“You sold my personal data!”)

This reason in itself is enough motivation for Registrars to create privacy mechanisms to safeguard Registrants against these unwanted intrusions.

#2. Criminals Lie.

The ostensible justification for the types of changes being considered to Whois Privacy requirements is to make it easier, primarily for rights holders and law enforcement agencies (LEA), to track down infringers and bad actors.

But the fact is that actual criminals do not use their true, actual contact data in domain registrations. In fact, in our experience whenever we take down a known infringing or cybercrime website, whether the domain registration details are privacy masked or not, they always supply bogus Registrant data (often culled from a previous victim).

Similar to our objections against the highly destructive and impotent Whois Accuracy Program, implementing the proposed changes to Whois Privacy requirements will not get anybody any closer to apprehending a single cyber-criminal or preventing a single cybercrime, but will only succeed in making it easier for rule followers with legitimate requirements for Whois Privacy (i.e. whistleblowers, political dissidents, victims of abuse, et al) to have their privacy violated.

#3. Open To Abuse

We have ample first-hand experience with complainants abusing allegations of trademark or copyright infringement in an attempt to do one or more of the following:

  • cause a website / domain takedown without due process.
  • force a disclosure of Registrant data with no legal basis.
  • suppress websites or specific pages from search engine results.

If Section D of Annex E is adopted as proposed we foresee this as an ideal attack vector to compel Registrant data disclosure without being tested by due process.

Third Time’s a Charm?

Any changes in Whois Privacy requirements must be considered against the backdrop of previous Whois reform initiatives, because at the end of the day, it’s the end-user Registrants who have to adjust to functioning under the combined effect of all of these new policy modifications.

ICANN has thus far implemented two policies around Whois reform which should be considered failures in that they:

  1. do not accomplish their stated goals,
  2. only succeed in penalizing “rule followers”
  3. create new unintended attack vectors against legitimate Registrants.

The first was the Whois Data Reminder Policy (WDRP) which on its own was an annoyance and created a new spearphishing vector but the second-order effects were to induce a type of “Whois Notification Blindness” in Registrants by inculcating them with a belief that these notices are harmless annoyances which can be ignored (or worse, filtered away).

Even the creator of the WDRP has gone on record to state that the policy is a failure and should be killed.

Next came the Whois Accuracy Program (WAP) which has done nothing whatsoever to prevent cybercrime but has left a trail of destruction across the internet as legitimate production websites (some of them providing internet infrastructure functionality) inexplicably go offline for the flimsiest of reasons.

What makes WAP so pernicious is that to the average Registrant there is no discernible difference between a WDRP notice (which can be safely ignored) and a WAP notice (which can’t!)

After a one-two punch of ineffective policy failures around Whois, the idea now is to take the one remaining aspect of Whois that actually serves a purpose, which is Whois Privacy, that actually accomplishes its primary goals, that provides an invaluable service to law abiding citizens but makes no real difference to criminals, in other words the last vestige of useful functionality in the current Whois model and we’re going to make a new policy that maims it and provides easy mechanisms to game the system and end-run Registrant privacy?

Surely by now ICANN has learned from WDRP and WAP that trying to retrofit accountability processes onto the existing Whois implementation isn’t working. We don’t need a third policy to ignite yet another round of collateral catastrophes to hammer this lesson home.

Recommendations

Everybody close to this probably concurs that the current Port 43 Whois implementation was never designed for the type of all-reaching global internet we find ourselves in today. Change is certainly needed but it needs to be genuine change, a ground up rewrite of the entire protocol.

ICANN already had a separate EWG working on the next generation of Whois (RDS) and in their initial findings they asked the question:

Is there an alternative to today’s WHOIS to better serve the global Internet community?

“Yes, there is. The EWG unanimously recommends abandoning today’s WHOIS model of giving every user the same entirely anonymous public access to (often inaccurate) gTLD registration data.”

“Instead, the EWG recommends a paradigm shift to a next-generation RDS that collects, validates and discloses gTLD registration data for permissible purposes only.

While basic data would remain publicly available, the rest would be accessible only to accredited requestors who identify themselves, state their purpose, and agree to be held accountable for appropriate use.”

These are the groundwork for appropriate guiding principles for the next generation of Whois; of course, the devil will be in the details of who has the right to request data and under what circumstances.

We here at easyDNS have spent an inordinate amount of effort over the past years to educate complainants, plaintiffs and even certain law enforcement agencies that there exists in civil society and democracies “due process” and that an allegation has to be proven legally before sanctions can be imposed on people’s websites, or before their personal data can be surrendered.

We have two main recommendations for charting the path forward:

  1. Any Whois Privacy Policy revisions should be tabled until the entire Whois database is re-engineered as the next generation RDS.
  2. That a guiding principle of any future Next Gen Whois / RDS Working Groups should incorporate legal due process and end-user (that is, Registrant) control over their own data records, complete with automated mechanisms to alert Registrants when inquiries are made into their records, what the purpose of those inquiries is and allowing Registrants the ability to withhold disclosure (except in cases of overt net abuse or where a law enforcement agency is pursuing a legitimate investigation subject to a valid warrant).

Thank you.

By Mark Jeftovic, Co-Founder, easyDNS Technologies Inc.

Comments

Two different reasons for data Todd Knarr  –  Jul 4, 2015 8:47 AM

I’m wondering if the basic problem isn’t that there’s two different reasons for WHOIS data to be recorded, with two different sets of needs for that data. One of the original purposes of WHOIS data was so that if a domain caused problems (whether malicious or otherwise) the victims could find out who to contact about it. The other was so there was a record of exactly who owned the domain if questions arose about ownership or if legal action required contact with the owner.

The administrative and technical contact information fills the first need. But there’s no need there to know who owns the domain, only that a particular contact point can relay the message to the appropriate person. I don’t see any problem with privacy shielding those two contacts (if the registrant wants it) and making them the only ones the general public can query. That lets registrants prevent disclosure of their information while not requiring any particular bureaucratic or procedural hoops if I need to get in contact with the technical person at a domain because they’ve inadvertently configured every machine on their network to query my timeserver and it’s overloading it.

The registrant information and billing contact fill the second need. There’s no need at all for anyone but the registrar to know the billing information, they’re the only ones who have any need to contact the domain owner about billing. And the registrant information isn’t needed for simple problems involving the domain, it’s only needed if there’s legal action involving the domain, domain ownership issues, law enforcement investigations or the like. So simply don’t allow that information to be queried at all, and only allow disclosure of the registrant information in one of the 4 cases you listed early on. Then there’s no need for privacy shielding of that information.

Protection from responsible operators is not the Charles Christopher  –  Jul 8, 2015 5:42 PM

Protection from responsible operators is not the problem.

Take ICANN data escrow which resulted from the RegisterFly scam. I too am an ICANN registrar, and I was a registrant at the time of RegisterFly’s attempt to steal registrants’ domain names. RegisterFly did attempt to steal my domains, by my monitoring their whois server, flagging their changes on contacts to a false third party I knew what was going on and transferred out. At the time I was not a registrar, this experience in part motivated me to become a registrar to protect my domains.

Now on to the ICANN Data Escrow.

Data Escrow allows escrowing privacy whois, which makes the entire service useless in protecting registrants. Should something happen, ICANN still has no clue who the registrant is/was and thus can’t return the domain.

So, a responsible registrar would escrow the true registrant contacts. But in general, ICANN does not have to protect registrants from responsible registrars.

However, a nefarious registrar can turn on privacy whois, and then escrow that privacy whois.

Thus data escrow protects registrants from responsible registrars, but not from nefarious registrars ... RegisterFly could happen all over again and nobody would be better off this time.

This is why I have supported accurate whois and removal of privacy whois for a very long time. Even though I generally despise the lack of privacy we have all experienced these days. I have helped in UDRP cases where fraudsters load up on typo domains across many registrars for trademark fraud.

Yes, used by responsible registrars, I don’t think privacy whois is necessarily a problem. However recall that the yearly income on a domain name is tiny, and far less than the cost of dealing with any legal issue involving the domain. Thus GoDaddy charges fees when this happens, and that makes sense to me. And here is the grey area, even responsible registrars have their limits as to how well they police their sponsored domains.

One bad apple ruins it for the bunch. That is what I see this issue about. It’s not about responsible registrars, it’s about the nefarious ones and the ones that just don’t care. Removal of privacy whois is the only solution I have ever been able to think of. When a problem results, one tries to contact the registrant. If that fails one assumes inaccurate whois and reports this to ICANN which has a reasonable cost burden for the sponsor and thus, happening enough, would motivate them to change their ways or no longer be a registrar.

I do like like the continual erosion of privacy we all seem to be experiencing. But through the years it has seemed to me privacy whois often causes more problems than it solves.

I totally understand the need by some to have privacy, to protect themselves from people who make what to inflict real harm on them for their view and what they say. Frankly, if ICANN succeeds in removing privacy whois I expect to see THIRD PARTY services that offer “privacy whois” since ICANN can’t stop individuals from contracting with each other ... The key being the contact info might not be the entity managing the website, but it is someone that we can threaten with legal action, that is there will be a real cost for misuse of the domain ..... If it’s not sponsored by a responsible registrar .....
