Home / Blogs

CIRA Creates Backdoor WHOIS Exceptions for Police and IP Owners

Earlier this year, I wrote glowingly about the new CIRA whois policy, which took effect today and which I described as striking the right balance between access and privacy. The policy was to have provided new privacy protection to individual registrants—hundreds of thousands of Canadians—by removing the public disclosure of their personal contact information (though the information is collected and stored by domain name registrars).

Apparently I spoke too soon. Faced with the prospect of a privacy balance, special interests representing law enforcement and trademark holders quietly pressured CIRA to create a backdoor that will enable these two groups (and these two groups alone) to have special access to registrant information. In the case of law enforcement, police can bring cases to CIRA involving immediate risk to children or the Internet (ie. denial-of-service attacks) and CIRA will hand over registrant information without court oversight. In the case of trademark holders (as well as copyright and patent owners), claims that a domain name infringes their rights will be enough to allow CIRA to again disclose registrant information.

This represents a stunning about-face after years of public consultation on the whois policy. While the law enforcement exception appears to be narrowly tailored, the exception for trademark, copyright, and patent interests undermines a crucial part of the whois policy, namely compliance with Canadian privacy law (the policy now arguably violates the law) and the appropriate balance between privacy and access. For example, consider a Canadian that registers companysucks.ca (name your company) as a whistleblower site about a particular company. They understandably wish to remain anonymous to the general public since disclosure of their personal information could lead to negative repercussions. Under the new CIRA policy, if they use fake registrant information, they risk losing the domain. On the other hand, the backdoor exception means that the trademark holder can easily smoke out the identity of the registrant as CIRA will simply hand over this information.

Just over six weeks ago, CIRA celebrated its one millionth domain name registration and claimed world class status. Today, the organization has betrayed the very principles of consultation upon which it was built and sent a discouraging message that special interests matter more its own members.

BLACK FRIDAY DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By Michael Geist, Chair of Internet and E-commerce Law

Filed Under

Comments

Good for CIRA - if done with adequate safeguards Suresh Ramasubramanian  –  Jun 11, 2008 9:02 AM

A lot of spam and cybercrime abuses private or anonymous registration, far more than people legitimately use it - and not all registrars have the clue level CIRA has so that they’d be even more vulnerable. Treating what CIRA did earlier (blanket restriction) as a precedent would have been dangerous.

Privacy is a balance. Well, The Famous Brett Watson  –  Jun 11, 2008 4:10 PM

Privacy is a balance. Well, actually it's an all out tug-o-war between conflicting interests. Unfortunately, it's usually the legitimate users who have the most to lose. I suspect that the average cybercriminal only uses anonymous registration because it's checked by default. It's not like they provide anything remotely truthful to anyone, ever, so what does "anonymity" gain them? And giving law enforcement easy access to false data gains us what, exactly? The net benefit appears to be that it won't even take a court-signed warrant to obtain the personal details of those crooks who are stupid enough to provide them. I wonder whether the police, armed with easily-obtained and mostly-false data, are going to start knocking on the doors of identity theft victims. If not, then they're probably not catching the hypothetical genuinely idiotic criminals either. Bear in mind that victims of identity theft may be suspected of child pornography in this case: the exception is made only in cases of "immediate risk to children or the Internet". You're a sensible guy, Suresh: cut it out with the alarm bells. Explicit anonymity has the superficial appearance of aiding crime, but none of the substance. This is classic security theatre, and I challenge you to provide a strong argument to the contrary if you're in earnest about the danger (although probably not in this comment thread, specifically -- that would be getting off-topic). I'd care less about the police angle, except for the fact that Trademark interests have come along for the ride. Damn typical, that. It's like the whole "think of the children" angle is the nose of the camel in the tent, and corporate interests are the head behind the nose wishing to gain access. Security theatre is bad enough in and of itself, but it looks like it's a pretext for preferential treatment of corporations in this case. Corporations have legitimate interests, of course, but I fail to see why they should be given preferential treatment with regards to access. In fact, given their track record of attempting censorship in the name of Trademark enforcement, such preferential treatment seems positively corrupt, and contrary to other legitimate public interests. Ah, but lobbying is a very Western, Democratic form of corruption, isn't it?

Whois and anonymity - security theater? Suresh Ramasubramanian  –  Jun 12, 2008 5:22 AM

Well, in my experience, even the fakery tends to follow a specific pattern, which helps tie various domains together to the same scam artist. Please see this paper (submitted to GNSO during the whois consultation process) by OPTA, a dutch fair trade regulator that does a lot of excellent work on antispam issues (I've met them, they're brilliant) The Importance of Whois Databases for Spam Enforcement http://www.icann.org/presentations/opta-mar-26jun06.pdf

Canadian law enforcement seems to agree too Suresh Ramasubramanian  –  Jun 14, 2008 9:59 AM

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Cybersecurity

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix