Home / Blogs

Using Whois to Enforce Law?

Karl Auerbach

Before starting I'd like to remind you that there are two distinct Whois systems — the one for IP address delegations and one for DNS registrations. I believe that the former is a useful system in which there are clear utility values that outweigh the privacy costs, and in which the person whose privacy is exposed has made a knowing choice. I do not believe that these arguments apply to the latter, the DNS, form of Whois.

As you know I am a firm believer in the right of personal privacy.

One of the well established principles of privacy is that information that is gathered for a particular purpose be used only for that purpose. Remember, people who disclose information are making an implicit balance between their loss of privacy and the gain of a desired service. To use personal information in additional ways throws out that balance and, in the end, will make people less willing to disclose information for any purpose.

We have to remember that people have a strong interest in protecting privacy — for example, consider parents of a pre-teenage daughter who is using the internet for school and social purposes. Those parents can easily have a legitimate fear that Whois information about where the family lives and their net addresses could subject the daughter to risks from stalkers and predators. It's Megan's law in reverse — the contact information of potential victims is published 24x7x365 to potential predators.

As for the utility of Whois for the vindication of intellectual property rights or other perceived abuses: In our society we have a very well oiled and very effective system for dealing with situations in which someone claims that their rights have been violated. That system is called the legal system. It requires that the putative damaged party make a showing that there is some reason to believe that rights have been damaged. If that showing is met then the system allows the supervised opening of records in order to ascertain additional information, such as the true identity of the accused.

The Whois system is being used in a unique way. The IP industry seems intent on creating a system of internet-related law in which guilt is presumed and the accused party must prove innocence. That is more reminiscent of the Inquisition than of the modern concept of civil rights.

Law enforcement people already have subpoena powers that can be used to open otherwise closed records. Law enforcement people do not need an open Whois in order to obtain the information they want. And in these years of paranoia, the mechanism of a subpoena may help law enforcement people retain their sense of balance between a fishing expedition and a focused investigation.

I'm sure that you have seen my "First law of the internet:

+ Every person shall be free to use the Internet in any way that is privately beneficial without being publicly detrimental.

- The burden of demonstrating public detriment shall be on those who wish to prevent the private use.

-- Such a demonstration shall require clear and convincing evidence of public detriment.

- The public detriment must be of such degree and extent as to justify the suppression of the private activity.

Well, the proposed use of Whois turns this first law on its head. The proposed use of Whois says that people are able to use the internet only if those uses are deemed permissible by the few who are rich and have the ear of Congress.

I've been thinking of writing an anonymous DNS registration system under the GPL — this system would issue digitally signed certificates of ownership of a domain and retain no record of who those certificates were issued to. Amendments to domain information would require the presentation of the certificate. A transfer authority - -which would not need to know what the certificate represents — could sign a new certificate and enter the old one into a non-repudiation database.

This system would not have "Whois", nor could it have "Whois"; it simply would not have that information.

The basic purpose of Whois, once one strips off the arguments about intellectual property protection and tracking down spammers, is to support the expiration and renew/rebilling relationship between the domain name customer and the registrar. That renewal/rebilling represents the major cost of the DNS system to the consumer. If we allowed domain names to be registered for longer terms than ICANN's arbitrarily imposed 10 year limit and did not mandate the publication of Whois, I believe that the cost to the consumer for domain names could drop from the roughly $18/year average it is today to something on the order of $0.25 — that amounts to a savings of tens to hundreds of millions of dollars per year.

We consumers could buy a lot of tunes and movies with that amount of extra money in our pockets.

Anyway that's my 2 cents worth.

By Karl Auerbach, Chief Technical Officer at InterWorking Labs
Related topics: DNS, Domain Names, ICANN, Privacy, Spam, Whois
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Re: Using Whois to Enforce Law? Mike O'Donnell  –  Feb 10, 2004 10:38 AM PDT

"I've been thinking of writing an anonymous DNS registration system ... — this system would issue digitally signed certificates of ownership of a domain and retain no record of who those certificates were issued to. Amendments to domain information would require the presentation of the certificate." Karl Auerbach

This is a great idea. It converges real well with the "Nym" approach to identity pushed by the Open Privacy Initiative and others. The basic point is that (hashes of) public keys are raw identities, and other information (such as corporate or human names) can be associated with them by a variety of mechanisms, or omitted entirely, depending on particular needs.

Mike O'Donnell
http://people.cs.uchicago.edu/~odonnell/
http://people.cs.uchicago.edu/~odonnell/Citizen/Network_Identifiers/

Re: Using Whois to Enforce Law? Phil Howard  –  Feb 23, 2004 7:23 PM PDT

How about a whois system that allows those who wish to provide verifiable identity to do so, and those who elect to remain anonymous to do that, but to outlaw the presentation of an identity that is specifically fraudulent, either by impersonation of someone else, or by fabrication of a non-existant identity.

If someone wishes to be anonymous and makes it clear that they are anonymous, I don't feel my rights (or those of anyone else) have been violated when we try to find out who they are.  I can elect to block communications from those who choose to be anonymous, if I wish (if a proper protocol is established, which could be done via DNS).

Where I feel a violation would be occurring is where someone claims an identity that is not truthful.

A registrar could keep the domain name in anonymous mode initially, and offer a verification means for making the identity of the domain owner public.  This would require the registrar to verify that the information is valid.  Snail mail would be sent to the postal address given with a code to enter into the registrar web panel to verify that address.  A phone call can be made to the voice phone number.  A fax can be sent to the fax number (no advertising included).  Each piece of identity would be separately verified, and then can be made public or kept private at the owner's option.  Then at least if I do see information there, I can know it has been verified.  Severe penalties would have to be in place for registrars doing false verification.  Registrars should be allowed to charge an extra fee to carry out those registration steps.

At the same time, a new DNS hierarchy could be established within which the registered domain would be a subdomain to acquire information about the domain owner.  Just what format this would be in would be decided, but since this would be a special use namespace, overloading TXT records would probably be adequate.  One record would identify the registrar.  Other records would be present for specific pieces of identity only if verified.  This would allow for automated checks for anonymity, such as to refuse email from mail servers with reverse DNS listing an anonymous domain (not everyone would do this, but I would for other than trusted domains I would whitelist).

You might guess my concerns are about spam, and if you do, you would be correct.  Ultimately some means of verified identity in the SMTP session could be provided for before the DATA part of the transaction.  But there is great resistance to such changes to SMTP by the "it isn't broken so it doesn't need fixing" crowd.

Re: Using Whois to Enforce Law? Howard C. Berkowitz  –  Mar 14, 2004 10:32 AM PDT

You make many excellent points on how the proposed legislation is overkill.  Without challenge to your basic ideas, perhaps you would have suggestions on how certain issues could be handled — I suspect the answer lies in legislation or regulated directed at the particular behaviors
Anonymity has its definite place, but so does accountability.  In particular, I'm thinking of the issue of effectively anonymous issue positions, often attack advertising, whether Internet, television, or other media.
I'll use US examples here, but the problem certainly is not limited to the US.  Let us say someone creates a website that uses carefully crafted emotional language to promote or attack pending legislation. An excellent example in television would be the "Harry and Louise" issue ads against the Clinton administration health care plans.  As with many such issue positions, the ostensible sponsor is an ad hoc committee.  "Citizens for foo" implies a broad-based organization, when, in actuality, the "citizens" are the lobbyists and executives of a particular industry.
I'm troubled by what I might term pseudonymous (as in the form of Citizens for Foo) as opposed to anonymous speech.  Now, I will defend the rights of the health insurance industry to put forth its positions in a political debate, and I believe there should be safe harbors for such discussion. In like manner, while I think the tendency to negative political advertising hurts the deliberative process of democracy, it is free speech.  I simply object to the attack coming from the otherwise unidentifiable "citizens for bar". 
Again, I'd be perfectly happy with making this protected speech, as long as the real funding is known and used to assess the credibility of the report.  In a related issue, I have no problem with a free-speech protection for consumer protest sites such as "manufacturer-sucks.com", again as long as the source is attributed.
You mention, correctly, that law enforcement can subpoena records. I was unclear whether you meant this purely in a criminal law context, or if it could be general court orders, say, in a libel case.
Given the costs of discovery and the reality of fishing expeditions, I'd rather avoid the need for civil subpoenas, which I think can be circumvented by some requirement for accountability of issue-related speech. 
Incidentally, I would have no problem with only limited disclosure of the identity of a sponsor — no personal details, but disclosure, possibly to a neutral third party, of conflict of interest data.  I'd generally restrict this area to political speech.

To post comments, please login or create an account.

Related

Topics

DNS Security

Sponsored byAfilias

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byAfilias

Domain Names

Sponsored byVerisign

IP Addressing

Sponsored byAvenue4 LLC