Recently ten Democratic Members of Congress wrote a letter to Alan Davidson, head of the NTIA, requesting that the “NTIA immediately cease the public disclosure of personal information about users of .US” country code top-level domain (ccTLD). This communication highlights a significant concern regarding domain registration data: the need to protect the privacy rights of Registrants. However, an equally significant concern regarding registration data was raised by Rick Lane in an article he wrote in response to that communication: the need for access to this data to combat domain abuse. The conundrum confronting the secure, stable and inclusive operation of the .US country code top-level domain (ccTLD) is that these concerns may come into conflict yet must both be addressed. Moreover, parties have failed to consider a third significant concern that is fundamental to addressing the other two: the need to ensure the accuracy of registration data, which has greatly impeded resolution of this problem to date.

This is not an isolated problem

This problem of addressing the accuracy of, and access to, registrant data (historically referred to as Whois data) by legitimate third parties is not unique to the .US namespace. ICANN has struggled with the same problem within generic top-level domains (gTLDs) namespace since its foundation last century. ICANN’s failure to address the accuracy of registrant data has been the biggest impediment to finding a solution to the problem. In fact, ICANN’s Accuracy Scoping Team was unable to even reach consensus on the definition of the term “accuracy” after debating the issue for over a year.

Concerns over the need to protect the privacy of registrants expressed in the Democratic communication are valid. As someone that has previously been inundated with unwanted phone calls and email after registering a domain name, I personally would have liked a little enhanced privacy “by design”—and not through the payment of an additional privacy/proxy fee. However, as an attorney that has been combating domain abuse and illegal activity online for over two decades, I see firsthand how the access to accurate registrant data has been decreasing. Rick Lane’s concerns about how this data going dark has impeded legitimate third parties, such as law enforcement and intellectual property owners, from gaining timely access to this data are equally valid.

Why the accuracy of registrant data is so important

In an ideal world, only honest people would register domain names and only legitimate third parties would access registrant data, and there would be no problems. Unfortunately, we are far removed from that utopia. Instead, we have criminals, both foreign and domestic, that are registering .US domain names and causing harm. At the same time, we have honest individuals and businesses registering .US domains with true and accurate registrant information, which is then being illegally mined and used to inundate them with unwanted communications. Having accurate registrant data heightens the legitimate privacy concerns voiced in the Democratic letter to NTIA, while simultaneously supporting the legitimate cybersecurity interests documented in Rick Lane’s article.

NTIA should be following CISA’s leadership in balancing privacy and cybersecurity

Since taking over operation of the .GOV top-level domain from the General Services Administration (GSA), the Cybersecurity and Infrastructure Security Agency (CISA) has implemented several operational changes. These changes include enhanced KYC requirements, multi-factor authentication, enhanced privacy protection of registrant data, and several other security features while reducing the annual cost of a domain name for qualifying U.S.-based government organizations from $400 per year to free.

Under GSA operation, queries for information associated with .GOV domains returned a range of information, including personal identifying information (PII), similar to the current .US practice. Under the revised operation of CISA, a query for information associated for the NTIA.GOV domain returns the following five elements: (1) Agency: Department of Commerce; (2) Organization: National Telecommunications and Information Administration; (3) Domain Name: NTIA.GOV; (4) Status: Active; and (5) Security Contact Email: [email protected].

The CISA is providing enhanced privacy protection for .GOV registrants in exchange for registrants undergoing enhanced KYC and security requirements. This equitable quid pro quo is lacking in the current .US registry policies.

A constructive path forward

Simply requiring registrant verification is not enough. As noted in Rick Lane’s article, there are many compelling circumstances in which the public interest weighs in favor of disclosing the identity of an individual and/or business. Unfortunately, the Democratic communication did not address either the accuracy of registrant data or how legitimate third parties would gain timely access to it. But a constructive path forward should involve the following two actions.

First, NTIA should research and publish best practices used by other ccTLD operators to ensure that .US is best in class regarding data accuracy and data privacy. Following the publication of this research, NTIA should hold a formal public consultation seeking input from all stakeholders (individuals, businesses, as well as other government agencies) on how best to promote the security, stability, and inclusiveness of the .US namespace.

Second, the .US and .GOV TLDs should both be clearly recognized as critical national infrastructure. The importance of this critical national infrastructure is not Democratic or Republic issue but a United States national security interest. The European Union has clearly recognized this importance of TLD registries as essential Digital Infrastructure under its revised Network and Information Security (NIS) Directive (NIS 2.0). The US Congress should consider holding hearings on this issue to foster a bipartisan position to advance a common cybersecurity position.