|
||
|
||
My weekly Law Bytes column (Toronto Star version, BBC version, homepage version) examines the recent agreement between ICANN and the U.S. government. Late last month, ICANN took a major step toward addressing some ongoing concerns by signing a new agreement with the U.S. government entitled the Joint Project Agreement (JPA). ICANN immediately heralded the JPA as a “dramatic step forward” for full management of the Internet’s domain name system through a “multi-stakeholder model of consultation.” It added that the agreement grants it unprecedented independence by removing many of the U.S. government’s oversight controls. These include the elimination of a twice-annual reporting requirement to the U.S. Department of Commerce (ICANN will instead release a single annual report targeted to the full Internet community) and a shift away from the highly prescriptive policy responsibilities featured in the original ICANN contract.
While the JPA may indeed represent an important change, a closer examination of its terms suggest that there may be a hidden price tag behind ICANN newfound path toward independence—the privacy of domain name registrants.
Given that a newly independent ICANN might continue to pursue WHOIS reform, the U.S. government included a specific provision on the issue within the JPA. It mandates ICANN to “continue to enforce existing policy relating to WHOIS, such existing policy requires that ICANN implement measures to maintain timely, unrestricted and public access to accurate and complete WHOIS information, including registrant, technical, billing and administrative contact information.”
The implications of this clause seem clear—the U.S. government has undone five years of policy work that the Internet community has undertaken by requiring ICANN to enforce current WHOIS policies. As discontent over the WHOIS issue mounted late last week, ICANN CEO Paul Twomey offered a strained interpretation of the clause, suggesting that he did not believe that it restricted future WHOIS reforms.
A more realistic take is that ICANN and the U.S. government have once again undermined the confidence of the Internet community and have provided a clear signal that the U.S. government is still reluctant to transfer its oversight authority. In its zeal to obtain independence, it would appear that ICANN has bartered the privacy of millions of domain name registrants around the world.
Sponsored byCSC
Sponsored byVerisign
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byRadix
Sponsored byWhoisXML API
Sponsored byIPv4.Global
A World-Renowned Source for Internet Developments. Serving Since 2002.
I guess you are discussing a potential case - if there’s a change in the WHOIS policy, what would happen.
I know that it’s not a good idea to discuss such potential situation. Why not focus on what we have today, and see if the existing policy will be changed at some point?
What Paul Twomey has said goes in accordance with my reading of the JPA. I don’t see restrictions towards creating a new WHOIS policy, which will become existing, under the ICANN rules.
Veni, which part of “continue to enforce existing policy relating to WHOIS” in the agreement leads you to think that creating a new and different whois policy is going to be acceptable?
As I said - this is a potential situation, and I don’t like discussing in the sense of “what if”. Let’s first have a new policy, designed in the proper way, and then we’ll talk about it. In anycase, for me existing is something that exists at any given moment, not something that can not be changed.
btw, I think this discussion requires very delicate words. What’s written in the JPA satisfies both parties. Obviously there will be language that will not be crystal clear, so that it will look good to both parties, and would be used in different cases according to the needs. Again - when there’s a new policy, only then we could discuss what to do and how to do it.
heaven help us…..
Well, I wouldn’t count on heaven. I just don’t see a problem where you seem to see it (and where Michael sees it). I think that often people tend to overreact (e.g. “sacrifice privacy”). And this, being said to (mainly) Americans, who don’t even know what privacy means. You know they give personal data to almost anyone, right?
How about the flight data being given by the Europeans to the US before the flight?
And we could continue talking about it.
I don’t think the JPA prevents ICANN from adopting new policy, within its current model.
I think there’s no doubt that Paul Twomey agreed to the Whois addition in order to get the USG wording that implies a lifting of government control.
I also think he was right to do so because he didn’t have much of a choice. There were two speakers pulled into the two Senate hearings for no reason other than to go on about the US interpretation of the Whois.
FTC Commissioner Jon Leibowitz in the first and Mark Bohannon of the Software & Information Industry Association in the second. They said nothing other than “the Whois must stay as it is”. The message was loud and clear and Twomey had no choice. In fact, it would have been irresponsible of him to do otherwise.
But at the same time, I also think this post outlines the very problem that exists over Whois. For whatever tedious reasons - and they are tedious - the Whois debate has been characterised by people taking entrenched positions and shouting at each other over the top of them.
I would tend to see the Whois debate as the last stand of the IP interests that had far too much control in the early days and are now, quite rightly, being pulled out of their cubbyhole and told to line up with everyone else.
And that’s how the debate should be seen - except for the fact that it has been so bad-tempered that now every movement one way or another is seen as an affront.
What makes the whole issue so daft is that the solution is so obvious. You treat domain names like telephone numbers (and yes I know telephone numbers are treated differently across the world). There is a directory. Owners have the option to chose to be left out of the directory. Law enforcement has simple, easy and ready access to the full directory.
The rest of the debate is nonsense. The Whois *is* used by spammers to farm email addresses, and anyone that argues otherwise (including FTC Commissioners) should be told to shut up. IP lawyers will just have to get over themselves. There will very quickly be a system that appears that allows details to be released if the right paperwork is filled in. Just like any other part of the world.
Should a domain registrant’s name be listed publicly Yes. Should their address? No. Email address? No. But you could always put a system in place that means registrars are obliged to post an email address that they are able to immediately connect to the real person’s contact details - something like .(JavaScript must be enabled to view this email address).
The fact is that as soon as people start talking to one another in a calm and civil manner over this, the sooner ICANN can arrive at a real consensus and at that point, I suspect, ICANN’s decision will take precedence over this safeguard that the USG stuck in in the MoU (sorry, JPA) at this juncture.
Okay, now I’ll put on my tin helmet in preparation for the missiles thrown over the trenches.
Kieren
Wouldn’t this discussion/argument become more mature if we differentiated business whois information from personal/non-biz whois? How could a business - which by its very nature intends to transact with other businesses or people as a public entity - not be required to have its domain ownership identity clearly defined and publicly accessible? They do not and should not have the same privacy rights as individuals.
I believe that until the person/business differentiation rises within the context of the arguments, there will always be an impasse.
No missles here—seems a very reasonable and persuasive post—is this the same guy who used to skewer all the assorted absurdities at various ICANN summits around the globe?
I really enjoyed that commentary.
Re: splitting business and people.
No, there’s no need to split them. Why should there be? The splitting argument is just one of many that has caused this issue to go round and round.
What does splitting the two actually achieve in any real sense - apart from making the system several orders more complex in one fell swoop?
A business puts their details on their website. Almost no one goes to the Whois. This argument that consumers head to the Whois is rubbish. The majority of people have never even heard of a Whois, and those that have would probably not know how to find it.
Does insisting a business makes its full Whois public mean that the Whois is accurate? No. For that, every Whois record would need to be checked. And that is an absurd suggestion - especially in a free market economy.
Companies that are trustworthy will provide their full Whois and they will provide contact details on their website. Companies that are dodgy will not - and people will soon learn that. It’s like any other part of commerce. You can’t come up with a system to protect everyone all of the time because such a system would also destroy the very ability of companies to move fast and freely.
If a company *is* ripping people off, the authorities will have access to the Whois anyway.
Who exactly are these independent minded souls seeking out Whois information that is hidden elsewhere and using it to chase down companies? Where are they?
Commonsense says that they - if they exist at all - are a tiny, tiny minority of people. And so the bigger issue of sorting out the Whois question is hundreds of times more important.
Once an agreed system is in place, then the bugs can be ironed out. But this gnashing of teeth has failed for five years and unless people get off their hobby horses it will go on for another five unresolved.
Helmet back on.
Kieren
Re: Splitting biz v personal
The above argument is very human-centric. If we relied upon people to operate functionality on the internet, certificate authorities and DNS would never have been invented. Automation is only possible if the data is accurate and categorized. If the data is controlled at the outset, there is a chance of improving upon the overall data quality.
Why not segment out the business domains and hold them to a higher standard? It would certainly allow the registrars to focus on validating whois data on the commercial sites instead of every myuglycat.com domain (as they are already expected to do). If a user specifies that a domain is to be used as a commercial site, that flag can be used for holding their whois data to a higher standard, as well as requiring it to be public. All private domains should remain private. It might get messy on the margins (i.e. political blog protest sites in China), but exceptions can be managed as exceptions until a homogeneous category can be defined for them.
I’ve been involved in Identity mgt projects for a number of years and I’ve recognized a consistent difference between company-entities and human-entities. Machine-entities (i.e. routers) are another significant category, but probably not relevant to this discussion. If you throw humans and organizations into the same box, the arguments for any privacy issue will continually be muddy. Separating them and detailing the policies across each allows for a much better refinement of the policies.
I’m still not sure what’s gained apart from making any system massively more complex.
What does the split actually provide? Is the idea that it will help fraud? How? Any fraudsters will use whatever loopholes exist - and in this case the massive loophole is not registering as a commercial entity.
Are you saying that commercial companies make mistakes in their Whois information and separating them out makes it possible to focus on them?
So where does the focus lie - on those not registered as commerical organisations or those that are registered as commercial organisations?
I think a big part of the problem over this is the classic Net situation where people seek to design a new system just because it can be done. The endless possibilities problem of Internet technology is it own worst enemy when it comes to structures.
Time and again we’ve seen that the best solution is to keep it as simple as possible and to copy existing approaches as closely as possible. Make domains like telephone numbers and the rest of it will evolve.
Kieren
I understand why information must be public, but with the internet moving in the direction it is, I feel the there is a better solution:
a.) ICANN release the mandate for registrars to make information public
b.) Registrars proactively making all information private when names are purchased (Domain by Proxy) - unless otherwise requested to be made public (during purchase process - a check box).
c.) Registrars charge people or organizations ~$10 to view registrant information.
d.) Registrars charge registrants ~$10 to prevent any view of the information.
In this model, everything, as is, pretty much stays the same. Only registrants are immediately protected and the prying eye must pay for the information they seek. And if that is protected, then they need to go through the system that is already in place for currently private registered names. So everything is already in place, it’s a simply lateral move for the sake of safety.