Home / Blogs

CIRA Creates Backdoor WHOIS Exceptions for Police and IP Owners

Michael Geist

Earlier this year, I wrote glowingly about the new CIRA whois policy, which took effect today and which I described as striking the right balance between access and privacy. The policy was to have provided new privacy protection to individual registrants — hundreds of thousands of Canadians — by removing the public disclosure of their personal contact information (though the information is collected and stored by domain name registrars).

Apparently I spoke too soon. Faced with the prospect of a privacy balance, special interests representing law enforcement and trademark holders quietly pressured CIRA to create a backdoor that will enable these two groups (and these two groups alone) to have special access to registrant information. In the case of law enforcement, police can bring cases to CIRA involving immediate risk to children or the Internet (ie. denial-of-service attacks) and CIRA will hand over registrant information without court oversight. In the case of trademark holders (as well as copyright and patent owners), claims that a domain name infringes their rights will be enough to allow CIRA to again disclose registrant information.

This represents a stunning about-face after years of public consultation on the whois policy. While the law enforcement exception appears to be narrowly tailored, the exception for trademark, copyright, and patent interests undermines a crucial part of the whois policy, namely compliance with Canadian privacy law (the policy now arguably violates the law) and the appropriate balance between privacy and access. For example, consider a Canadian that registers companysucks.ca (name your company) as a whistleblower site about a particular company. They understandably wish to remain anonymous to the general public since disclosure of their personal information could lead to negative repercussions. Under the new CIRA policy, if they use fake registrant information, they risk losing the domain. On the other hand, the backdoor exception means that the trademark holder can easily smoke out the identity of the registrant as CIRA will simply hand over this information.

Just over six weeks ago, CIRA celebrated its one millionth domain name registration and claimed world class status. Today, the organization has betrayed the very principles of consultation upon which it was built and sent a discouraging message that special interests matter more its own members.

By Michael Geist, Chair of Internet and E-commerce Law. More blog posts from Michael Geist can also be read here.

Related topics: Domain Names, Registry Services, Intellectual Property, Privacy, Top-Level Domains, Whois

 
   
WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

Good for CIRA - if done with adequate safeguards Suresh Ramasubramanian  –  Jun 11, 2008 2:02 AM PDT

A lot of spam and cybercrime abuses private or anonymous registration, far more than people legitimately use it - and not all registrars have the clue level CIRA has so that they'd be even more vulnerable. Treating what CIRA did earlier (blanket restriction) as a precedent would have been dangerous.

Privacy is a balance. Well, The Famous Brett Watson  –  Jun 11, 2008 9:10 AM PDT

Privacy is a balance. Well, actually it's an all out tug-o-war between conflicting interests. Unfortunately, it's usually the legitimate users who have the most to lose.

I suspect that the average cybercriminal only uses anonymous registration because it's checked by default. It's not like they provide anything remotely truthful to anyone, ever, so what does "anonymity" gain them? And giving law enforcement easy access to false data gains us what, exactly? The net benefit appears to be that it won't even take a court-signed warrant to obtain the personal details of those crooks who are stupid enough to provide them. I wonder whether the police, armed with easily-obtained and mostly-false data, are going to start knocking on the doors of identity theft victims. If not, then they're probably not catching the hypothetical genuinely idiotic criminals either. Bear in mind that victims of identity theft may be suspected of child pornography in this case: the exception is made only in cases of "immediate risk to children or the Internet".

You're a sensible guy, Suresh: cut it out with the alarm bells. Explicit anonymity has the superficial appearance of aiding crime, but none of the substance. This is classic security theatre, and I challenge you to provide a strong argument to the contrary if you're in earnest about the danger (although probably not in this comment thread, specifically — that would be getting off-topic).

I'd care less about the police angle, except for the fact that Trademark interests have come along for the ride. Damn typical, that. It's like the whole "think of the children" angle is the nose of the camel in the tent, and corporate interests are the head behind the nose wishing to gain access. Security theatre is bad enough in and of itself, but it looks like it's a pretext for preferential treatment of corporations in this case. Corporations have legitimate interests, of course, but I fail to see why they should be given preferential treatment with regards to access. In fact, given their track record of attempting censorship in the name of Trademark enforcement, such preferential treatment seems positively corrupt, and contrary to other legitimate public interests.

Ah, but lobbying is a very Western, Democratic form of corruption, isn't it?

Whois and anonymity - security theater? Suresh Ramasubramanian  –  Jun 11, 2008 10:22 PM PDT

Well, in my experience, even the fakery tends to follow a specific pattern, which helps tie various domains together to the same scam artist.

Please see this paper (submitted to GNSO during the whois consultation process) by OPTA, a dutch fair trade regulator that does a lot of excellent work on antispam issues (I've met them, they're brilliant)

The Importance of Whois Databases for Spam Enforcement
http://www.icann.org/presentations/opta-mar-26jun06.pdf

Canadian law enforcement seems to agree too Suresh Ramasubramanian  –  Jun 14, 2008 2:59 AM PDT

http://www.circleid.com/posts/canadian_domain_whois_law_enforcement/

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Promoted Post

Boston Ivy Gets Competitive With Its TLDs, Offers Registrars New Wholesale Pricing

With a mission to make its top-level domains available to the broadest market possible, Boston Ivy has permanently reduced its registration, renewal and transfer prices for .Broker, .Forex, .Markets and .Trading. more»

Industry Updates – Sponsored Posts

Radix Announces Largest New gTLD Sale with Casino.Online

2016 Year in Review: The Trending Keywords in .COM and .NET Domain Registrations

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

A Look at How the New .SPACE TLD Has Performed Over the Past 2 Years

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Startup League Reports from WebSummit, Lisbon

2016 U.S. Election: An Internet Forecast

.SPACE Becomes the Choice of the First Ever Space Nation Asgardia

MarkMonitor Supports Brand Holders' Efforts Regarding .Feedback Registry

8 Tips to Find Your Perfect .COM Domain Name

Why .com is the Venture Capital Community's Power Player

Understanding the Risks of the Dark Web

The .cancerresearch TLD: Search for Cure Drives Digital Innovation

New TLD? Make Sure It's Secure

Radix Launches Startup League at TechCrunch

Celebrating One Year of .online

LogicBoxes Launches the New Elite Reseller Program

Afilias Acquires Premium TLDs .ARCHI, .BIO and .SKI

Effective Strategies to Build Your Reseller Channel (Webinar)

Radix Adds Dyn as a DNS Service Provider

Sponsored Topics