ICANN has been wrangling about WHOIS privacy for years. Last week, yet another WHOIS working group ended without making any progress. What’s the problem? Actually, there are two: one is that WHOIS privacy is not necessarily all it’s cracked up to be, and the other is that so far, nothing in the debate has given any of the parties any incentive to come to agreement.

The current ICANN rules for WHOIS say, approximately, that each time you register a domain in a gTLD (the domains that ICANN manages), you are supposed to provide contact information including physical name and address, phone number, and e-mail. WHOIS data is public, and despite unenforceable rules to the contrary, it is routinely scraped. ICANN doesn’t enforce the rules WHOIS accuracy or completeness, either, so as a result a lot of the WHOIS information is missing or bogus.

Impelled by some horror stories from people who claim to have been stalked or worse by people who got their contact info from WHOIS, and by privacy advocates who point out that if ICANN were in Europe, which it is not, privacy laws would regulate what WHOIS could say about individuals, a variety of proposals have been floated to redact or remove contact information from WHOIS. The privacy crowd considers the merit of these changes to be self-evident, but the rest of us are not so sure.

Registering a domain is analogous to, depending who you ask, somewhere between picking up a pencil to write a letter and registering a car. While some parties (hi, Wendy) advocate fully anonymous registrations with no recourse against registrants for maximum freedom of speech, I lean more toward the car end of the spectrum; if you have a domain, you get definite benefits and gain the opportunity to do both good and bad things, and it is reasonable to expect some responsibility in return for them. I also happen to think that the argument that you need your own second level domain to speak effectively is silly.

It’s also important to keep in mind that the vast majority of Internet users have never registered a domain and never will, but have to put up with the shenanigans of the minority who do. Most registrations are by businesses and organizations, rather than individuals. Most of the names registered by individuals are used for business purposes, which in the US at least suggests they should be treated as businesses. (The .NAME domain is mostly non-business individuals, and might merit different policies, but that’s not even on the table.) So we’re talking about a small minority of a small minority of a small minority of Internet users. Minorities are still people, to be sure, but a reasonable approach would be to come up with an exception process for that minority, not screw up the whole thing to the detriment of the large majority of non-registrant users.

Another equally important point to keep in mind is that the main issue for most parties is in fact money. You can be as private as you want right now if you’re willing to pay a lawyer a few hundred bucks to front for you (and not just for domain registrations.) The question of who would pay for increased costs from any changes was unresolved except for near unanimous agreement that whoever pays, it’s not gonna be me.

Anyway, the current proposal is called OPOC, which is described in the working group’s final report. It approximately says that some of the personal information would be replaced by a pointer to a proxy, the Operational Point Of Contact (OPOC) who would in some way mediate between the actual registrant and people wanting contact info. Prior versions put an OPOC in front of every registrant, this time around it’s just in front of individuals, for some definition of individual. The final report lists a variety of points of non-consensus, but the report whitewashes the actual outcome that there was no consensus on anything beyond minor technical points (one of the few areas where I’m in complete agreement with Milt Mueller.)

So why did this process run into yet another brick wall? It’s actually quite simple: for most of the participants there was no incentive at all to agree, rather than stall and keep things the way they are now.

For registrars and registries, OPOC adds a great deal of new work. Many registrars already offer proxy registration with a thin layer of privacy for free or close to it that provides most of the likely benefits of OPOC, with less hassle. Beyond the modest technical effort to add the OPOC to the registration software, there would be the continuing load of handling complaints that an OPOC didn’t respond to a request, or a response wasn’t sufficiently responsive, or this request is really important and we need the info RIGHT NOW and forget the OPOC. There’s also questions of whether the registry or registrar has to verify that the OPOC exists and agrees to represent the registrant. In return for all of this extra work, they get nothing.

For law enforcement and the extensive web of formal and informal anti-abuse investigators at banks, ISPs, and other organizations subject to abuse, OPOC adds an extra layer of bureaucracy to fight through, with inevitable delays and screwups. The report quotes a consultant report that concluded: “I am not confident that there is an organization that can properly accredit law enforcement agencies in the United States, let alone internationally”. In return for all of this extra work, they get nothing.

The Intellectual Property constituency, primarily trademark lawyers, see WHOIS as a primary source of information about who to sue. (One of them said so at the ICANN Sao Paulo meeting.) I am not a big fan of the IP crowd, and sometimes they sue abusively to shut down something-sucks.com domains, but more often it’s phishers and counterfeiters. They face extra hurdles to get the information they need to do what they do. In return for all of this extra work, they get nothing.

So it’s hardly surprising that the broad response to the of the faction that insists on more privacy now, for free, has been no. Members of this faction have posited a variety of sinister motivations for the lack of agreement, but I find the combination of self-interest with doubt about the alleged benefits a quite adequate explanation. If there were some compensating benefit provided, like more accurate underlying info for law enforcement and IP, there could be some negotiation to balance costs and benefits, but there hasn’t, with predictable results.

The main arguments I’ve heard for OPOC or other data removal are less than compelling. There’s the stalker horror stories, which even if you believe them, the current proxy registrations address as well as OPOC. Several people have pointed out that the current WHOIS doesn’t satisfy European privacy laws, to which a reasonable response is so what? ICANN isn’t in the EU, nor are the major registries, nor are the largest registrars. They’re in the US, which has no privacy laws at all. (Tucows is in Canada, which has a privacy law, but most of their customers are outside Canada, and the privacy commissioner has shown little inclination to enforce it on behalf of non-Canadians.) And what’s the EU going to do? Tell their registrars that they can’t register any more domains?

So that’s why there was no possibility of consensus on OPOC or anything like it. Should ICANN try to push it through anyway, the chances of a lawsuit from some of the losing factions are approximately 100%, since we know from experience that suing ICANN is the most effective way of getting them to do what you want.

I wouldn’t completely rule out something changing eventually, but until the parties on all sides recognize that they have to offer something meaningful to get their opponents to move, I’m not holding my breath.