ICANN indirectly controls the mother-of-all personal database systems. Never, before, has a world-wide database exposed personally identifying information of so many to so many. ICANN—also known as the Internet Corporation for Assigned Names and Numbers—in its role as a type of domain name cop requires domain name registrars and registries to maintain and publicly display technical and personal information as well as contact details on all individuals who register a domain name. With this policy in place, it is not unlikely that every Internet user one day may have personal data recorded in ICANN’s database as result of owning a domain name. The management of this scope of data collection, alone, should be a matter of far-reaching public concern. Instead, few know about ICANN, and fewer know what it does. Consequently, the media has remained relatively mute about this growing Internet privacy crisis.

For its part, ICANN does not pretend to be unaware of the enormous level of concern expressed by most Internet users regarding the lack of effective protections of privacy. ICANN chartered three Task Forces to review all aspects of the manner in which data is both collected and displayed by its domain name database system—called the WHOIS service directory. After nearly three years of study and an overwhelming focus on data accuracy issues rather than privacy concerns, ICANN is still struggling to balance the needs and rights of registrants to keep their personal information from wrongful access and misappropriation while respecting a limited and careful circumscribed access to those who genuinely need access to WHOIS.

Each Task Force recently published a report posted on ICANN’s website on recommendations for modifications or improvements to WHOIS. The Task Force recommendations include proposals ranging from a recommendation to notify those who may be included in the database of the possible uses of WHOIS data to one that recommends ICANN offer the Internet community “tiered access” to serve as a vague mechanism to balance privacy against the needs of public access. Too many of the recommendations seem to be framed by those who view Internet users with hostility, such as the recommendation to punish domain name users when a domain name is cancelled or suspended for “false contact data,” by canceling all other registrations with identical contact data.

In the main, however, recommendations reflect at least a sentimental, if not serious, attempt to balance competing interests. Still, something fundamental was overlooked by the Task Forces: a reflective reconsideration whether WHOIS should be an entirely public database. Notwithstanding that ICANN’s must suffer pressures from outside forces, including the United States, to shut down the use of WHOIS by those committing various acts of Internet-based fraud, it is unwise to assume that data accuracy is the only route to that goal. Indeed, some forms of Internet-based fraud are likely to be assisted by the ease of access to the public database. It may very well be that the right answer to concerns about privacy and certain types of fraud leads directly to the same solution: imposed restrictions on access to personally identifying information.

The WHOIS service has always been a public database, but the reasons justifying public access to WHOIS have grown more dubious as the incident of online identity theft reaches far beyond the grasp of the efforts of law enforcement and consumer protection. The Task Forces reports conspicuously confirm that the Task Forces deliberations critically overlooked the question whether the public WHOIS database should remain public. Fundamental matters are easy to overlook.

As the story goes in Greek mythology when Achilles’ mother dips her son into a special river to make his body invulnerable on all parts touched by the river’s waters, his mother overlooks a very important matter; the water did not touch the spot near Achilles’ foot, which his mother held when dipping him. Achilles’ only point of vulnerability seems to have arisen from a basic oversight. This classic tale highlights a frustratingly common experience. We are all too familiar with the failures that follow a lack of planning and deliberation, but, far less common, are the lessons learned from failures that follow what we overlook. Even looking backward, it is difficult to recognize the reason for failure in a given context where the point of failure is a fundamental matter that was overlooked.

When Warner Bros. spent nearly $175 million to deliver the summer’s first boxoffice blockbuster, something was overlooked by those planners. Certainly, not even a Hollywood movie studio would spend millions of dollars producing an epic about the Trojan War without serious discussions concerning the best way to turn a classic mythology into a movie hit; yet, those discussions clearly missed something. Even with Brad Pitt in a leading role as the Greek hero Achilles, “Troy” did not capture the hearts of moviegoers or critics ?- many critics have concluded that the apparent absence of Gods and Godesses in the movie turned a classic story into a protracted and uninvolving affair over issues that moviegoers simply found uncompelling. Quite ironically, a movie about Achilles seems to have been fated with its own Achilles’ heel: the missing Gods.

If I had to carry the analogy forward, it seems likely that for the moment ICANN’s “Achilles’ heel” is the unreflective determination that WHOIS must remain an open and entirely public database. Given concerns for the protection of privacy of domain name holders, this database ought to be protected at least at the level and in the same manner as most commercial customer lists. It is no answer to say that the entire contents of the database must remain public because the database has been designated public. At issue is—whether the database should remain public or entirely public; certainly, the protection of privacy calls for that question to be answered first.

There are millions of individuals and businesses that own domain names. In the two most popular categories (also known as top-level domains) of registered domain names—.com and .net—over 60 million domain names are registered, and in the future the number of registrations is expected to swell by leaps and bounds. (See, Data Reveals Domain Name Registrations Have Hit All-Time Highs). According to domain name registry, Verisign, the domain name database system—called the WHOIS service directory—receives well over 11 billion queries per day in just two top-level domains. The result of these queries includes the disclosure of personal information to anyone with Internet access for nearly any reason. There is no assurance of privacy in this context. Anonymous communications virtually cease to exist unless you are highly determined or, perhaps, engaged in criminal activity. Even the softer intensity of privacy offered by use of pseudonymous communications is rendered rather useless without the protection of personally identifying information in WHOIS.

Although, the concept of privacy remains somewhat unbounded, generally, and seems quite elusive as a universal norm, the scope of privacy, as it relates to Internet transactions, has been usefully confined in at least one important respect in other contexts; namely, that satisfactory protection of Internet-user privacy includes protections of a user’s control over the disclosure of personally identifying information, including the discloser of a user’s name and resident address. This minimal degree of protection is not yet met by ICANN’s administration of WHOIS as a public database.

Currently, WHOIS is used for wide-ranging purposes by all sorts of snoopy individuals as well as by genuine data users. SPAMMERS as well as junk mailers, for example, use the database to sift names and addresses of individuals for marketing uses. Even domain name registrars have used WHOIS to poach customers from competitors and for marketing purposes, despite an ineffectual contractual proscription by ICANN against such uses. Unfortunately, there are nearly an endless number of examples of the use and abuse of WHOIS.

Currently, ICANN-accredited registrars have contractual obligations to correct inaccurate personal information in WHOIS once that is brought to their attention, but this obligation seems to override all others. The Task Forces reports similarly reflect this bias. The reports are quite clear in identifying data accuracy as a problem with WHOIS. Of course, data accuracy is an implacable “problem” for WHOIS since it is an outgrowth of an attempted forced public display of information for which some will not comply. If ICANN continues to ignore the connection between its problem and its policy, the proposed recommendations, if adopted, may simply raise the stakes.

On May 28th the three ICANN Task Forces submitted Preliminary Reports regarding their findings (information about these Task Forces can be found on the GNSO Whois Issues webpage). A 20-day public comment period opened on May 28th. Comments on the WHOIS findings and recommendations must be submitted on or before June 17th. Undoubtedly, the comment period is too short; the sheer bulk of the reports issued by the Task Forces should have warranted more time for comment. More fundamentally, the enormity of importance in deciding what privacy protections matter most for the largest publicly accessed database in the world should both warrant more time for comment as well as a better attempt to publicize the solicitation of comments. Please share your comments with ICANN.