ICANN/GNSO GNSO Email List Archives


[dow1tf] "Recent WHOIS Report Overlooking Fundamental Issue?"

  • To: "1DOW1tf" <dow1tf@xxxxxxxxxxxxxx>
  • Subject: [dow1tf] "Recent WHOIS Report Overlooking Fundamental Issue?"
  • From: "GNSO SECRETARIAT" <gnso.secretariat@xxxxxxxxxxxxxx>
  • Date: Thu, 17 Jun 2004 07:19:15 +0200
  • Importance: Normal
  • Reply-to: <gnso.secretariat@xxxxxxxxxxxxxx>
  • Sender: owner-dow1tf@xxxxxxxxxxxxxx

FYI
GNSO Secretariat

1. From: Circle ID: "Recent WHOIS Report Overlooking Fundamental Issue?"
<http://www.circleid.com/article/614_0_1_0_C/>


Jun 16, 2004 | From CircleID Privacy Matters

By Rod Dixon


 ICANN indirectly controls the mother-of-all personal database systems.
Never before has a world-wide database exposed personally identifying
information of so many to so many. ICANN -- also known as the Internet
Corporation for Assigned Names and Numbers -- in its role as a type of
domain name cop requires domain name registrars and registries to maintain
and publicly display technical and personal information as well as contact
details on all individuals who register a domain name. With this policy in
place, it is not unlikely that every Internet user one day may have personal
data recorded in ICANN's database as a result of owning a domain name. The
management of this scope of data collection, alone, should be a matter of
far-reaching public concern. Instead, few know about ICANN, and fewer know
what it does. Consequently, the media has remained relatively mute about
this growing Internet privacy crisis.

For its part, ICANN does not pretend to be unaware of the enormous level of
concern expressed by most Internet users regarding the lack of effective
protections of privacy. ICANN chartered three Task Forces to review all
aspects of the manner in which data is both collected and displayed by its
domain name database system -- called the WHOIS service directory. After
nearly three years of study and an overwhelming focus on data accuracy
issues rather than privacy concerns, ICANN is still struggling to balance
the needs and rights of registrants to keep their personal information from
wrongful access and misappropriation while respecting a limited and carefully
circumscribed access for those who genuinely need access to WHOIS.

Each Task Force recently published a report posted on ICANN's website on
recommendations for modifications or improvements to WHOIS. The Task Force
recommendations include proposals ranging from a recommendation to notify
those who may be included in the database of the possible uses of WHOIS data
to one that recommends ICANN offer the Internet community "tiered access" to
serve as a vague mechanism to balance privacy against the needs of public
access. Too many of the recommendations seem to be framed by those who view
Internet users with hostility, such as the recommendation to punish domain
name users when a domain name is cancelled or suspended for "false contact
data," by canceling all other registrations with identical contact data.

In the main, however, recommendations reflect at least a sentimental, if not
serious, attempt to balance competing interests. Still, something
fundamental was overlooked by the Task Forces: a reflective reconsideration
whether WHOIS should be an entirely public database. Notwithstanding that
ICANN must suffer pressures from outside forces, including the United
States, to shut down the use of WHOIS by those committing various acts of
Internet-based fraud, it is unwise to assume that data accuracy is the only
route to that goal. Indeed, some forms of Internet-based fraud are likely to
be assisted by the ease of access to the public database. It may very well
be that the right answer to concerns about privacy and certain types of
fraud leads directly to the same solution: imposed restrictions on access to
personally identifying information.

The WHOIS service has always been a public database, but the reasons
justifying public access to WHOIS have grown more dubious as the incidence of
online identity theft reaches far beyond the grasp of the efforts of law
enforcement and consumer protection. The Task Forces' reports conspicuously
confirm that the Task Forces' deliberations critically overlooked the
question whether the public WHOIS database should remain public. Fundamental
matters are easy to overlook.

As the story goes in Greek mythology when Achilles' mother dips her son into
a special river to make his body invulnerable on all parts touched by the
river's waters, his mother overlooks a very important matter; the water did
not touch the spot near Achilles' foot, which his mother held when dipping
him. Achilles' only point of vulnerability seems to have arisen from a basic
oversight. This classic tale highlights a frustratingly common experience.
We are all too familiar with the failures that follow a lack of planning and
deliberation, but, far less common, are the lessons learned from failures
that follow what we overlook. Even looking backward, it is difficult to
recognize the reason for failure in a given context where the point of
failure is a fundamental matter that was overlooked.

When Warner Bros. spent nearly $175 million to deliver the summer's first
box-office blockbuster, something was overlooked by those planners.
Certainly, not even a Hollywood movie studio would spend millions of dollars
producing an epic about the Trojan War without serious discussions
concerning the best way to turn a classic mythology into a movie hit; yet,
those discussions clearly missed something. Even with Brad Pitt in a leading
role as the Greek hero Achilles, "Troy" did not capture the hearts of
moviegoers or critics -- many critics have concluded that the apparent
absence of Gods and Goddesses in the movie turned a classic story into a
protracted and uninvolving affair over issues that moviegoers simply found
uncompelling. Quite ironically, a movie about Achilles seems to have been
fated with its own Achilles' heel: the missing Gods.

If I had to carry the analogy forward, it seems likely that for the moment
ICANN's "Achilles' heel" is the unreflective determination that WHOIS must
remain an open and entirely public database. Given concerns for the
protection of privacy of domain name holders, this database ought to be
protected at least at the level and in the same manner as most commercial
customer lists. It is no answer to say that the entire contents of the
database must remain public because the database has been designated public.
At issue is whether the database should remain public or entirely public;
certainly, the protection of privacy calls for that question to be answered
first.

There are millions of individuals and businesses that own domain names. In
the two most popular categories (also known as top-level domains) of
registered domain names -- .com and .net -- over 60 million domain names are
registered, and in the future the number of registrations is expected to
swell by leaps and bounds. (See, Data Reveals Domain Name Registrations Have
Hit All-Time Highs). According to the domain name registry Verisign, the domain
name database system -- called the WHOIS service directory -- receives well
over 11 billion queries per day in just two top-level domains. The result of
these queries includes the disclosure of personal information to anyone with
Internet access for nearly any reason. There is no assurance of privacy in
this context. Anonymous communications virtually cease to exist unless you
are highly determined or, perhaps, engaged in criminal activity. Even the
softer intensity of privacy offered by use of pseudonymous communications is
rendered rather useless without the protection of personally identifying
information in WHOIS.

Although the concept of privacy remains somewhat unbounded, generally, and
seems quite elusive as a universal norm, the scope of privacy, as it relates
to Internet transactions, has been usefully confined in at least one
important respect in other contexts; namely, that satisfactory protection of
Internet-user privacy includes protections of a user's control over the
disclosure of personally identifying information, including the disclosure of
a user's name and resident address. This minimal degree of protection is not
yet met by ICANN's administration of WHOIS as a public database.

Currently, WHOIS is used for wide-ranging purposes by all sorts of snoopy
individuals as well as by genuine data users. SPAMMERS as well as junk
mailers, for example, use the database to sift names and addresses of
individuals for marketing uses. Even domain name registrars have used WHOIS
to poach customers from competitors and for marketing purposes, despite an
ineffectual contractual proscription by ICANN against such uses.
Unfortunately, there is a nearly endless number of examples of the use and
abuse of WHOIS.

Currently, ICANN-accredited registrars have contractual obligations to
correct inaccurate personal information in WHOIS once that is brought to
their attention, but this obligation seems to override all others. The Task
Forces' reports similarly reflect this bias. The reports are quite clear in
identifying data accuracy as a problem with WHOIS. Of course, data accuracy
is an implacable "problem" for WHOIS since it is an outgrowth of an
attempted forced public display of information for which some will not
comply. If ICANN continues to ignore the connection between its problem and
its policy, the proposed recommendations, if adopted, may simply raise the
stakes.

On May 28th the three ICANN Task Forces submitted Preliminary Reports
regarding their findings (information about these Task Forces can be found
on the GNSO Whois Issues webpage). A 20-day public comment period opened on
May 28th. Comments on the WHOIS findings and recommendations must be
submitted on or before June 17th. Undoubtedly, the comment period is too
short; the sheer bulk of the reports issued by the Task Forces should have
warranted more time for comment. More fundamentally, the enormity of
importance in deciding what privacy protections matter most for the largest
publicly accessed database in the world should both warrant more time for
comment as well as a better attempt to publicize the solicitation of
comments. Please share your comments with ICANN.


Posted: Jun.16.2004 @ 07:37 AM PDT | comments: 0
