Home / Blogs

ICANN and the DOC

ICANN today issued a press release and a series of documents about its relationship with the U.S. Department of Commerce.

Speaking only for myself, and not on behalf of ICANN, I want to make three points:

1. ICANN is no longer bound by the specific set of milestones that were in its prior MoU with DOC. With this freedom comes great responsibility. Without detailed government oversight, and without market competition for policymaking for domain names, ICANN (and the ICANN Board) has a great obligation to be accountable to its community.

2. We have a very long way to go in creating adequate accountability and transparency mechanisms for policymaking for gTLDs, as a recent London School of Economics report demonstrated. And this is only one aspect of ICANN’s operations that needs improvement—we still haven’t figured out a rational way to involve individuals and we still don’t have a rational process for adding new gTLDs. ICANN has to continue to change for the better, and we have a lot of mileage to cover in this respect.

3. The Preliminary Report of the recent Board meeting (here) reflects that the Board adopted the new agreement with the DoC. It does not record the statements that were made by Board members, including me, at the time of that meeting—these must be coming later in the minutes, which will need to be approved by the Board. I was deeply concerned about the agreement’s apparent wholesale ratification of the DOC’s desire to retain the current WHOIS policy. It would be completely inappropriate to bind ourselves contractually to that policy in advance in order to satisfy the USG, particularly when members of the ICANN community have devoted tens of thousands of hours to discussing possible changes to that policy.

To me, personally, it doesn’t make sense to require public display of private information as a condition of registering a domain name.

I have been assured, again and again, that ICANN’s own current PDP processes are not undermined by this agreement, and that should a changed WHOIS policy be adopted by the Board it can be enforced without the DOC’s agreement. That was certainly the understanding I had in agreeing to adoption of this new agreement with the Department of Commerce.

All comments more than welcome.

By Susan Crawford, Professor, Cardozo Law School in New York City

Filed Under


George Kirikos  –  Sep 29, 2006 10:34 PM

WHOIS was a divisive issue, and there was no real consensus. While privacy advocates are well intentioned, they were unrealistic to expect that anonymous registrations would exist that increase costs for law enforcement, while increasing the protection for scammers, phishers, terrorists and other malevolent forces operating on the internet.

A Domains By Proxy type compromise is a very low cost alternative for those who wish to have an intermediary act as a representative. My proposal of a “Legal Representative” contact is very similar, and is consistent with what is being done in German (.de).

Privacy advocates always talk about the “European Privacy Directives” but it’s really a myth that it means anonymous WHOIS.

Why are other people permitted to see my data, for example my address, in the whois query?

This data has been rendered public in the whois query for some very good reasons.

Firstly, it is important to be able to contact you if ever there are any technical difficulties caused by your domain or its use, which might lead to problems for others. Of course, it would normally be your provider who would sort out such technical problems for you, but that does not affect publication of your data. It may happen that your provider is partly to blame for the technical difficulties and, ultimately, you, the domain holder, will be held liable (and that includes liability for any legal consequences).

Secondly, your data must be made public, so that, if your domain is the source of an infringement of somebody else’s rights, it will be possible to establish against whom to proceed, if need be.

There is another angle you should consider. In registering a domain and using it, for instance as the address for a website, you as a rule become the provider of a media service which prescinds your usual privacy considerations. There are special laws that apply here and they require all providers of such services to provide a masthead disclosing their name and address. So, since everyone can see who you are here anyway, there would be no point in DENIC keeping your data confidential.

Against this background, incidentally, the German data-protection authorities have expressly approved of the publication of personal data in the whois query. Further information on this subject is to be found, for example, in the thirteenth data-protection report by the government of the German federal state of Hesse (sections 9.2 and 9.3) and also in its fifteenth data-protection report (section 8.7).

If you do not want to have your address made public, the only option you have is to get the domain registered by someone else whom you trust. This other person will then be the legal domain holder instead of you, and their address will, of course, be made public in the whois query.

Hopefully the three years gives ICANN the opportunity to mature. It’s now like an awkward teenager, making a lot of mistakes but hopefully learning from them. You wouldn’t want them to drive your car, or manage your finances, but can give them growing responsibilities as they demonstrate success. While the US Government has received criticism from some that ICANN should be let free and unleashed, they’ve been a benevolent and thoughtful parent so far, and the internet has been functioning smoothly. Teenagers can always find someone who’ll argue they should have more freedom, but when that teenager drinks and drives, experiments with dope, crashes the car and has failing report cards, a good parent will continue their oversight a little bit longer.

Suresh Ramasubramanian  –  Sep 30, 2006 1:00 AM

Well said, George

And Susan - if you increase whois privacy (and that is, by itself not a bad thing at all) you’ll need to have enough ICANN policy and enough work done with registrars that there’s a clear and well defined way to take down abusively registered domains.

Phishers register several hundred domains for just a single campaign - one that lasts less than 24 hours and gets taken down within 4 days.  And that’s only an example.

As for privacy - well, PO boxes and other maildrops have existed for decades before even the ARPANET, and hotmail / gmail etc provide a sufficient degree of anonymity for people who don’t want their regular email address exposed online.

It’d be a complete disaster if domain registrations were 100% anonymized WITHOUT empowering + making registrars take adequate (and in most cases, that means, “proactive”) action to put in place measures to prevent abusive domain registration, and to take down abusive domains that have actually been registered.

Several registrars are already doing this - the good ones, the proactive ones.  And several others just don’t care, or in some cases say “ICANN policy prevents them from doing this, except when the contact information has been found, after a long drawn out procedure, to be false”.  For phishing domains, hosted on botnets, yet.

I don’t need to dig very deep to find plenty of precedents where a well intentioned tool to facilitate anonymous communication on the Internet ended up being far more widely abused by spammers, scam artists etc, than being used by a political dissident to protect his identity.

Providers of anonymous services have long advocated, for example, rate limiting as an acceptable way to stop massive abuse.  Rate limiting will not work, not by itself, given “horizontal scaling” by botnets, and by lots of people in an LDC city’s cybercafe who do nothing but solve captcha puzzles or other hoops set up to manually register domains ...

Well, it will cut the abusive registrations down to slightly more manageable levels, after which you have to have other measures to restrict signup, keep more of a watch for stolen / fake credit cards, have a proactive abuse desk that is empowered to quickly take down domains in a certain number of cases etc.

For the pitfalls of running an open service - probably the most famous example is John Gilmore’s toad.com open relay. He loved to say that he had lots of unspecified foo in place that’d help John Perry Barlow get access to smtp even if he was traveling through the middle of Africa, while keeping abusers out.  You’ll find that whatever Gilmore did didn’t work out too well.  Lots of viruses back then were hardcoded to relay out their payload through toad.com - all this before verio took toad.com down for running a persistently open relay, sending John ballistic and providing for a lot of impassioned discussion on politech, IP and elsewhere.

Provide anonymity by all means - but before you do, please do make sure that your good intentions and your trust don’t get massively abused.  Which they will - unless you’re careful to prevent such abuse.  They’ll get abused even then - whatever you put in place will absolutely not be foolproof, it is a case of building a better mousetrap and running up against smarter rats [no, I won’t say mice, they’re too cute and fluffy for this analogy]

The Famous Brett Watson  –  Sep 30, 2006 1:17 AM

“...we still haven’t figured out a rational way to involve individuals and we still don’t have a rational process for adding new gTLDs.” [Susan]

I certainly don’t envy ICANN the job. I suspect that objective, rational solutions to this problem simply do not exist. Any proposal will be a blend of pragmatism, politics, and ideology. My instinct is that ICANN should do its best to pass off this area to some explicitly international political body, and reserve the right only to vet the proposals of that body for technical sanity. This won’t promote progress, but at least the lack of progress won’t be ICANN’s fault anymore.

At the same time, I don’t believe that this has a snowball’s chance of happening. To relinquish authority in this manner runs contrary to the natural inclination of any governing body.

“To me, personally, it doesn’t make sense to require public display of private information as a condition of registering a domain name.” [Susan]

I agree, but I can see that this thread is going to degenerate into an ideological clash on the matter, now that it’s been brought up. Please forgive in advance my use of sarcasm here, but heavy rhetoric seems to be the appropriate response. I’ll try to keep it funny.

“...anonymous registrations would exist that increase costs for law enforcement, while increasing the protection for scammers, phishers, terrorists and other malevolent forces operating on the internet.” [George]

Quite so. As we all know, law enforcement and other Forces Of Good save an immense amount of time and money by simply looking up the entirely truthful and accurate WHOIS records of these evildoers. Indeed, the very requirement for truthful and accurate WHOIS data has nearly eliminated all use of domain names for nefarious purposes, as no malefactor with an ounce of sense wants to paint a target on himself.

“...it is important to be able to contact you if ever there are any technical difficulties caused by your domain or its use, which might lead to problems for others.” [DENIC]

Note well: this is about technical difficulties. Legal difficulties are addressed in a separate point (see below).

The DNS, being what it is, experiences frequent technical conflicts between unrelated zones. Contrary to popular belief, the most common point of technical failure is not the registrar (already a public entity in any case), but the registrant. The exact details of this problem are sufficiently obscure that I won’t elaborate on it here, but suffice it to say that the DNS would promptly disintegrate if registrant contact details (including postal addresses and telephone numbers) were withheld. The inevitable abuse of those contact details (for purposes other than DNS administration) is a small price to pay under the circumstances. Anyone not willing to act (or to pay someone else to act) as a public point of contact has no business being a domain name registrant.

“...your data must be made public, so that, if your domain is the source of an infringement of somebody else’s rights, it will be possible to establish against whom to proceed, if need be.” [DENIC]

More precisely, it is an unfair and onerous burden on the corporations who invariably initiate such proceedings to file a “John Doe” suit and issue a subpoena to the registrar. After all, what’s more important: a general right of privacy, or added convenience in litigation? Bear in mind that the vast majority of domain name registrations wind up in litigation of exactly this sort, and the needs of the many outweigh the needs of the few. If that isn’t argument enough, lawyers have notoriously high hourly costs, whereas “privacy” is a vague and nebulous thing against which no dollar figure can be realistically placed. Thus, privacy is of no value anyway, relatively speaking.

“...as the address for a website, you as a rule become the provider of a media service which prescinds your usual privacy considerations.” [DENIC]

It is, of course, a given that every domain name is used at least to host a public media service (website), so there’s no point in denying it. Any attempt to convey information to the broader public without fully identifying oneself would be a crime on a par with anonymous pamphlet distribution—a practice which is outlawed (or expected to be outlawed soon) in all the more civilised nations, given its close relationship to terrorism.

Is this what it feels like to be a troll? Interesting.

Milton Mueller  –  Oct 1, 2006 4:20 PM

OK. Watson disregards all individual human rights and says “the convenience of the many outweigh the rights of the few,” a philosophy that has been used to rationalize oppression from the Holocaust to less drastic examples. Not very convincing. Suresh says:

“Phishers register several hundred domains for just a single campaign - one that lasts less than 24 hours and gets taken down within 4 days.  And that’s only an example.”

Yes, it is an example of the futility of relying on Whois. Those people will not provide accurate contact data and if you want to catch them there is no need to make everyone on the planet who registers a domain to expose themselves to spam, identity theft or censorship.

The simple fact is that law enforcement can get access to the sensitive data it needs to combat crime without publishing it to anyone and everyone on the internet. This very simple principle governs all kinds of data bases, from driver’s licenses to telephone numbers to cable tv subscription records. It just reflects ignorance—of law, politics, policy and rights—to suggest that there is anything difficult or unusual about this.

The problem of reforming Whois policy is all about the powerful grip that copyright and trademark interests have on the US government. That is all. There is nothing more to it. Many other countries have found better solutions than ICANN. Look at what Canada’s ccTLD has done. Look at Germany, UK, Poland, etc. The solution is simple. The roadblocks are political.

Watson thinks there is no solution to this. Famous Bret, if I see your driver’s license should I be able to type it into the Internet and look your home address up? Think about road rage and why we don’t let that happen. Yes, people can do a lot of damage to me with a car, and commit lots of crimes with a car; more so than with a domain name. But it doesn’t mean

My advice is for you two to bone up on privacy law, the U.S. constitution, the EU privacy directives, the OECD data protection principles, and even the report of ICANN’s whois Task Force which you obviously haven’t read. The Whois debate has moved far beyond these casual and uninformed expressions of opinion. Try to take advantage of it. Approach it with a bit more humility.

Suresh Ramasubramanian  –  Oct 1, 2006 5:44 PM

Milton - do me a favor and tell me what difference (or use to an email / filtering admin) you can see between a bunch of domains with whois records

M.Mouse (.(JavaScript must be enabled to view this email address))
1600 Pennsylvania Avenue
Washington DC

and when all those domains and others are buried under something like

Foo.Registry Private Registration

Or even

[The ccTLD .xx has no whois server]

Those two are useless for all practical purposes, and would involve interacting with the registry each time before you can even see a pattern evolve.

Even fake whois records tend to have patterns, and those patterns get spotted, and used to link the records together.

That’s just for starters.  Tracing the address in the whois quite often brings you to the person whose identity and credit card was ripped off by an ID thief to buy domains.  And where there’s a stolen card, and an investigation in progress, LE will usually find at least some amount of money trail for them to follow.

By the way, I do actually happen to have reviewed quite a few aspects of the regulations (EU, OECD et al) that you mention.  And I’m fairly familiar with the current conflicts those have with proposed data retention regimes as well.  And the efforts to reconcile these two so that legitimate law enforcement needs (and yes, they do exist) are met while at the same time protecting privacy.

There are two separate sets of people campaigning for a fully open whois - copyright and IP lobbies, and people concerned with law enforcement, [and with spam filtering, anti phish etc]. 

And opposed to those are the “total privacy or bust” people who are opposed to everything from ISPs maintaining server log files (about which there’s some significant amount of litigation going on in Germany and other places), to partially or fully anonymized whois - the focus of this article.

The funny thing is that the people you’re opposing (at least the spam filter operators etc) quite often ARE quite conscious of privacy issues, and are, surprisingly enough, your natural allies for the simple reason that they’re not out to mine whois for marketing, or looking to haul political dissenters into a concentration camp - they’re going after people who don’t just violate your privacy, people who will strip your identity and bank account bare, given a chance.

Oh well, it is not the first time I’ve had words with representatives of the privacy or bust school of thought. A quick google search for “Suresh Ramasubramanian EFF” should probably turn up a little interesting reading for those long winter evenings.

Suresh Ramasubramanian  –  Oct 1, 2006 6:12 PM

Given the turn this thread has been taking, people coming to the IGF might take a look at this session -

Human Rights and the Internet: how anonymous can and should we be?, organized by the The Council of Europe

The Famous Brett Watson  –  Oct 2, 2006 7:10 AM

Milton, please note that everything in my previous comment beyond the paragraph in which I say, “please forgive in advance my use of sarcasm here”, is sarcastic, insincere, not representative of my beliefs, and damnable sophistry to boot. One can never be too obvious, it seems. My intention was to arrive at ridiculous conclusions by accepting the (IMHO) ridiculous arguments presented in the corresponding quotations.

Suresh, I must emphasise that I agree with you on the importance of fighting Internet-based crime. A significant amount of my time is currently spent on this very task. At the same time, I think that efforts to maintain public WHOIS data as a means to this end are sorely misdirected. The actual usefulness of WHOIS data is very limited when we know the data to be false. That in itself would not be a major issue if it weren’t for the corresponding loss of privacy for honest people. The argument over WHOIS privacy has strong parallels with the encroaching imposition of mandatory identity checks in the USA (and elsewhere) in the name of catching terrorists: the cure is as bad or worse than the disease—and it’s not clear that the cure works as advertised in any case.

Like all good security measures, the burden of security needs to be correctly placed. In this case, the problem is lax registrars that are tardy (or utterly inert) in responding to DNS-supported criminal activity as a matter of economic rationality (i.e. it’s “not their problem”). I believe the effective approach is to create economic incentives sufficient to motivate rapid response from registrars (e.g. contractual penalty clauses), and let the crime-spotters report abuse to registrars using well-defined channels. This kind of thing attacks the problem directly, not as a matter of side-effect, and it’s the sort of thing that a governing body like ICANN is able to impose.

I hasten to add that my suggestion here is not the only possibility, and not necessarily the best possibility, but much better than the approach of enforcing public WHOIS. This is a situation in dire need of fresh approaches and fresh thinking.

Suresh Ramasubramanian  –  Oct 2, 2006 1:13 PM

Brett:  Suffice to say I’m sure a balance can be struck, but there shouldn’t be total anonymity in whois.

Even with substantial initiatives taken by ICANN (and there are, effectively, none at present) to make registrars crack down on abusive registrations, all the usual reasons (incompetence and/or greed) will kick in to ensure that the situation is little better than it is now.

Milton Mueller  –  Oct 2, 2006 5:49 PM

Famous Bret:
My bad. I read it waiting for a connecting flight in an airport on the way back from a long trip and skimmed a bit too much. It did surprise the h*** out of me that you would take a position like that, so the now-noted sarcasm overlay is welcome and appreciated.

The Famous Brett Watson  –  Oct 3, 2006 12:44 AM

Suresh, I’m not an advocate of total anonymity: I’m just opposed to a situation in which only the dishonest can maintain privacy. That’s a perverse incentive we ought to avoid.

I think that the workable middle ground looks something like netblock allocation WHOIS data. This identifies the ISP, not the ISP’s customer, unless a portion of the network space has been fully delegated to the customer (possibly another ISP). If you have a complaint, the buck stops with the WHOIS contact.

In the case of DNS WHOIS, a similar arrangement could work. An “anonymous” registration would merely list the responsible registrar, and that registrar becomes responsible for enforcing whatever AUP is associated with their name service. This may include “no phishing” in the same way that most ISP AUPs include “no spamming”. If the registrar receives a verifiable AUP violation notice, they should promptly suspend the name service until they have sorted out the matter with their client (the registrant).

A “public” registration would be slightly different. The registrar would no longer be the primary point of contact, and would not accept abuse reports, but they would be responsible for validating the registrant’s WHOIS data before allowing this status. Most businesses would prefer this option, since they are inherently public entities in any case, and it reduces the risk that the name service will be suspended without notice. The registrar should still accept complaints of the form “the WHOIS data is invalid; please revalidate it or suspend the service”.

I think this general approach has many positive possibilities, but I leave them as an exercise for the reader—or a discussion forum more properly dedicated to the problem.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byVerisign


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign