|
Earlier this year, I wrote glowingly about the new CIRA whois policy, which took effect today and which I described as striking the right balance between access and privacy. The policy was to have provided new privacy protection to individual registrants—hundreds of thousands of Canadians—by removing the public disclosure of their personal contact information (though the information is collected and stored by domain name registrars).
Apparently I spoke too soon. Faced with the prospect of a privacy balance, special interests representing law enforcement and trademark holders quietly pressured CIRA to create a backdoor that will enable these two groups (and these two groups alone) to have special access to registrant information. In the case of law enforcement, police can bring cases to CIRA involving immediate risk to children or the Internet (ie. denial-of-service attacks) and CIRA will hand over registrant information without court oversight. In the case of trademark holders (as well as copyright and patent owners), claims that a domain name infringes their rights will be enough to allow CIRA to again disclose registrant information.
This represents a stunning about-face after years of public consultation on the whois policy. While the law enforcement exception appears to be narrowly tailored, the exception for trademark, copyright, and patent interests undermines a crucial part of the whois policy, namely compliance with Canadian privacy law (the policy now arguably violates the law) and the appropriate balance between privacy and access. For example, consider a Canadian that registers companysucks.ca (name your company) as a whistleblower site about a particular company. They understandably wish to remain anonymous to the general public since disclosure of their personal information could lead to negative repercussions. Under the new CIRA policy, if they use fake registrant information, they risk losing the domain. On the other hand, the backdoor exception means that the trademark holder can easily smoke out the identity of the registrant as CIRA will simply hand over this information.
Just over six weeks ago, CIRA celebrated its one millionth domain name registration and claimed world class status. Today, the organization has betrayed the very principles of consultation upon which it was built and sent a discouraging message that special interests matter more its own members.
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byDNIB.com
Sponsored byCSC
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byRadix
A lot of spam and cybercrime abuses private or anonymous registration, far more than people legitimately use it - and not all registrars have the clue level CIRA has so that they’d be even more vulnerable. Treating what CIRA did earlier (blanket restriction) as a precedent would have been dangerous.
Privacy is a balance. Well, actually it's an all out tug-o-war between conflicting interests. Unfortunately, it's usually the legitimate users who have the most to lose. I suspect that the average cybercriminal only uses anonymous registration because it's checked by default. It's not like they provide anything remotely truthful to anyone, ever, so what does "anonymity" gain them? And giving law enforcement easy access to false data gains us what, exactly? The net benefit appears to be that it won't even take a court-signed warrant to obtain the personal details of those crooks who are stupid enough to provide them. I wonder whether the police, armed with easily-obtained and mostly-false data, are going to start knocking on the doors of identity theft victims. If not, then they're probably not catching the hypothetical genuinely idiotic criminals either. Bear in mind that victims of identity theft may be suspected of child pornography in this case: the exception is made only in cases of "immediate risk to children or the Internet". You're a sensible guy, Suresh: cut it out with the alarm bells. Explicit anonymity has the superficial appearance of aiding crime, but none of the substance. This is classic security theatre, and I challenge you to provide a strong argument to the contrary if you're in earnest about the danger (although probably not in this comment thread, specifically -- that would be getting off-topic). I'd care less about the police angle, except for the fact that Trademark interests have come along for the ride. Damn typical, that. It's like the whole "think of the children" angle is the nose of the camel in the tent, and corporate interests are the head behind the nose wishing to gain access. Security theatre is bad enough in and of itself, but it looks like it's a pretext for preferential treatment of corporations in this case. Corporations have legitimate interests, of course, but I fail to see why they should be given preferential treatment with regards to access. In fact, given their track record of attempting censorship in the name of Trademark enforcement, such preferential treatment seems positively corrupt, and contrary to other legitimate public interests. Ah, but lobbying is a very Western, Democratic form of corruption, isn't it?
Well, in my experience, even the fakery tends to follow a specific pattern, which helps tie various domains together to the same scam artist. Please see this paper (submitted to GNSO during the whois consultation process) by OPTA, a dutch fair trade regulator that does a lot of excellent work on antispam issues (I've met them, they're brilliant) The Importance of Whois Databases for Spam Enforcement http://www.icann.org/presentations/opta-mar-26jun06.pdf
http://www.circleid.com/posts/canadian_domain_whois_law_enforcement/