|
ICANN indirectly controls the mother-of-all personal database systems. Never, before, has a world-wide database exposed personally identifying information of so many to so many. ICANN—also known as the Internet Corporation for Assigned Names and Numbers—in its role as a type of domain name cop requires domain name registrars and registries to maintain and publicly display technical and personal information as well as contact details on all individuals who register a domain name. With this policy in place, it is not unlikely that every Internet user one day may have personal data recorded in ICANN’s database as result of owning a domain name. The management of this scope of data collection, alone, should be a matter of far-reaching public concern. Instead, few know about ICANN, and fewer know what it does. Consequently, the media has remained relatively mute about this growing Internet privacy crisis.
For its part, ICANN does not pretend to be unaware of the enormous level of concern expressed by most Internet users regarding the lack of effective protections of privacy. ICANN chartered three Task Forces to review all aspects of the manner in which data is both collected and displayed by its domain name database system—called the WHOIS service directory. After nearly three years of study and an overwhelming focus on data accuracy issues rather than privacy concerns, ICANN is still struggling to balance the needs and rights of registrants to keep their personal information from wrongful access and misappropriation while respecting a limited and careful circumscribed access to those who genuinely need access to WHOIS.
Each Task Force recently published a report posted on ICANN’s website on recommendations for modifications or improvements to WHOIS. The Task Force recommendations include proposals ranging from a recommendation to notify those who may be included in the database of the possible uses of WHOIS data to one that recommends ICANN offer the Internet community “tiered access” to serve as a vague mechanism to balance privacy against the needs of public access. Too many of the recommendations seem to be framed by those who view Internet users with hostility, such as the recommendation to punish domain name users when a domain name is cancelled or suspended for “false contact data,” by canceling all other registrations with identical contact data.
In the main, however, recommendations reflect at least a sentimental, if not serious, attempt to balance competing interests. Still, something fundamental was overlooked by the Task Forces: a reflective reconsideration whether WHOIS should be an entirely public database. Notwithstanding that ICANN’s must suffer pressures from outside forces, including the United States, to shut down the use of WHOIS by those committing various acts of Internet-based fraud, it is unwise to assume that data accuracy is the only route to that goal. Indeed, some forms of Internet-based fraud are likely to be assisted by the ease of access to the public database. It may very well be that the right answer to concerns about privacy and certain types of fraud leads directly to the same solution: imposed restrictions on access to personally identifying information.
The WHOIS service has always been a public database, but the reasons justifying public access to WHOIS have grown more dubious as the incident of online identity theft reaches far beyond the grasp of the efforts of law enforcement and consumer protection. The Task Forces reports conspicuously confirm that the Task Forces deliberations critically overlooked the question whether the public WHOIS database should remain public. Fundamental matters are easy to overlook.
As the story goes in Greek mythology when Achilles’ mother dips her son into a special river to make his body invulnerable on all parts touched by the river’s waters, his mother overlooks a very important matter; the water did not touch the spot near Achilles’ foot, which his mother held when dipping him. Achilles’ only point of vulnerability seems to have arisen from a basic oversight. This classic tale highlights a frustratingly common experience. We are all too familiar with the failures that follow a lack of planning and deliberation, but, far less common, are the lessons learned from failures that follow what we overlook. Even looking backward, it is difficult to recognize the reason for failure in a given context where the point of failure is a fundamental matter that was overlooked.
When Warner Bros. spent nearly $175 million to deliver the summer’s first boxoffice blockbuster, something was overlooked by those planners. Certainly, not even a Hollywood movie studio would spend millions of dollars producing an epic about the Trojan War without serious discussions concerning the best way to turn a classic mythology into a movie hit; yet, those discussions clearly missed something. Even with Brad Pitt in a leading role as the Greek hero Achilles, “Troy” did not capture the hearts of moviegoers or critics ?- many critics have concluded that the apparent absence of Gods and Godesses in the movie turned a classic story into a protracted and uninvolving affair over issues that moviegoers simply found uncompelling. Quite ironically, a movie about Achilles seems to have been fated with its own Achilles’ heel: the missing Gods.
If I had to carry the analogy forward, it seems likely that for the moment ICANN’s “Achilles’ heel” is the unreflective determination that WHOIS must remain an open and entirely public database. Given concerns for the protection of privacy of domain name holders, this database ought to be protected at least at the level and in the same manner as most commercial customer lists. It is no answer to say that the entire contents of the database must remain public because the database has been designated public. At issue is—whether the database should remain public or entirely public; certainly, the protection of privacy calls for that question to be answered first.
There are millions of individuals and businesses that own domain names. In the two most popular categories (also known as top-level domains) of registered domain names—.com and .net—over 60 million domain names are registered, and in the future the number of registrations is expected to swell by leaps and bounds. (See, Data Reveals Domain Name Registrations Have Hit All-Time Highs). According to domain name registry, Verisign, the domain name database system—called the WHOIS service directory—receives well over 11 billion queries per day in just two top-level domains. The result of these queries includes the disclosure of personal information to anyone with Internet access for nearly any reason. There is no assurance of privacy in this context. Anonymous communications virtually cease to exist unless you are highly determined or, perhaps, engaged in criminal activity. Even the softer intensity of privacy offered by use of pseudonymous communications is rendered rather useless without the protection of personally identifying information in WHOIS.
Although, the concept of privacy remains somewhat unbounded, generally, and seems quite elusive as a universal norm, the scope of privacy, as it relates to Internet transactions, has been usefully confined in at least one important respect in other contexts; namely, that satisfactory protection of Internet-user privacy includes protections of a user’s control over the disclosure of personally identifying information, including the discloser of a user’s name and resident address. This minimal degree of protection is not yet met by ICANN’s administration of WHOIS as a public database.
Currently, WHOIS is used for wide-ranging purposes by all sorts of snoopy individuals as well as by genuine data users. SPAMMERS as well as junk mailers, for example, use the database to sift names and addresses of individuals for marketing uses. Even domain name registrars have used WHOIS to poach customers from competitors and for marketing purposes, despite an ineffectual contractual proscription by ICANN against such uses. Unfortunately, there are nearly an endless number of examples of the use and abuse of WHOIS.
Currently, ICANN-accredited registrars have contractual obligations to correct inaccurate personal information in WHOIS once that is brought to their attention, but this obligation seems to override all others. The Task Forces reports similarly reflect this bias. The reports are quite clear in identifying data accuracy as a problem with WHOIS. Of course, data accuracy is an implacable “problem” for WHOIS since it is an outgrowth of an attempted forced public display of information for which some will not comply. If ICANN continues to ignore the connection between its problem and its policy, the proposed recommendations, if adopted, may simply raise the stakes.
On May 28th the three ICANN Task Forces submitted Preliminary Reports regarding their findings (information about these Task Forces can be found on the GNSO Whois Issues webpage). A 20-day public comment period opened on May 28th. Comments on the WHOIS findings and recommendations must be submitted on or before June 17th. Undoubtedly, the comment period is too short; the sheer bulk of the reports issued by the Task Forces should have warranted more time for comment. More fundamentally, the enormity of importance in deciding what privacy protections matter most for the largest publicly accessed database in the world should both warrant more time for comment as well as a better attempt to publicize the solicitation of comments. Please share your comments with ICANN.
Sponsored byVerisign
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byRadix
Sponsored byIPv4.Global
Sponsored byCSC
Sponsored byWhoisXML API
This whole discussion seems to stem from an attempt by various people to turn whois into something that it is not.
Presently whois is a convenient way to publish contact information for a domain. This information needs to be publically accessible because the whole point is to provide a public point of contact.
However, there is absolutely no good reason to require that this information be accurate. I’ve read and read and read about this subject and I’ve yet to see one solid argument for accurate information in whois, and yet so many people seem to take it as given. If you don’t want to publish contact information for your domain, why should you have to? What problem are we solving?
If someone running a domain is responsible for fraud, and you need to track them down, you traceroute their IP address and subpoena their ISP. Your “tiered access control system” is the court system, and if you have valid legal authority to obtain the information you are seeking it will be provided to you.
The RIAA has had little difficulty suing thousands of P2P internet users over the past few years who don’t even have domain names associated with their IPs through this exact method.
The only exception is the case where a domain is pointed at a compromised DNS server which is not controlled by it’s owner. These cases are hardly common enough to justify the means of an internet wide identity requirement, nor would any identity requirement be particularly difficult for hard core computer criminals to subvert.
The motive behind requiring accurate information in whois is clear, and it is sinister. It is the belief that its “too much trouble” to comply with the legal standards in one’s country for obtaining information about a service provider’s customer. It is an attempt to create a new, extra-legal mechanism for obtaining contact information about an internet user, without that user’s consent, and with fewer safeguards and balances then exist in any legal system anywhere on this planet. These proposals ought to be loudly rejected!
The author didn’t understand DNS when he wrote “According to domain name registry, Verisign, the domain name database system—called the WHOIS service directory—receives well over 11 billion queries per day in just two top-level domains.” Those are DNS queries (e.g. websurfers querying the nameservers to find out where hosts are, i.e. to determine that www.icann.org translates to 192.0.34.163). WHOIS queries are entirely different, and would be a lot smaller than 11 billion queries per day.
Personally, I’m happy with the public WHOIS database—it encourages responsible behaviour on the internet, among other things. ICANN taskforces have done public surveys regarding WHOIS usage, and a significant number of survey takers regarded the continuing public access to WHOIS as important. Proxy registrations are available very cheaply, as a good compromise.
Update: Public Comment Period for GNSO Whois Task Force Preliminary Reports Extended to Monday, 5 July 2004
George Kirikos’s comment regarding Verisign’s esitmation of the current DNS queries is correct. A DNS query is not the same as a WHOIS database query, and I should have identified the distinction properly. Thanks.
As for whether WHOIS encourages “responsible behaviour on the Internet,” I am unsure what that really means. The fact that George at least identified a reason for favoring a public WHOIS puts him in better company than those who advocate strongly for a public WHOIS without stating why. A great deal of emphasis has been on why the data must be accurate…leaving the unchallenged assumption that the data also must be public.
In my opinion, Tom Cross’s points are very interesting, and would make a persuasive point about the dubious likelihood that WHOIS should continue to be a public database, if the word public were substituted in places where he mentions ‘accuracy.’
Instead, he argues that WHOIS should be public because of convenience. Well, yes, ANY publicly accessible database is convenient - - and much more likely to be so than a database that is not publicly accessible. Since the essence of a publicly accessible database is convenience, convenience alone cannot be a sufficient rationale for why WHOIS should be public; this is an especially important hurdle to make when the entire contents of the database need not be public and the privacy interests of those whose data is in the database are at risk of abuse. On the other hand, Tom’s arguments regarding the number of alternative ways intellectual property holders or law enforcement officials may identify the targets of litigation are very persuasive points that seem to me to support my argument that WHOIS need not be publicly accessible at all or, perhaps, at least not entirely.