
Why FOISA Should Never Become Law

Rod Dixon

In a recent issue of the Wall Street Journal, I noticed an underreported story about an embarrassing glitch involving the "washpost.com" domain name, which is used by the Washington Post Newspaper Company. Apparently, the domain name recently stopped working — no domain name services. This disrupted the flow of and access to e-mail at the Washington Post as well as the operations of the washpost.com website.

The Washington Post had not been hacked or overcome by a computer virus; instead, the newspaper's registrar had pulled the plug on its domain name. The Washington Post eventually renewed the registration for its domain name and services were restored. The newspaper discovered that Network Solutions had sent an expiration notice to an e-mail address no longer actively monitored by newspaper personnel, and this change had not been reported to Network Solutions, which carries several domain name registrations for the newspaper. This particular domain name problem is likely to signify that a database called "WHOIS" contained outdated information on the Washington Post; the problem also illustrates a common circumstance in which the data in WHOIS — though misleading or inaccurate — is not linked to conduct aimed at committing trademark or copyright infringement. Yet the link or nexus between conduct aimed at committing trademark or copyright infringement and entering misleading false information in WHOIS is hard-coded in misguided legislation currently under consideration by the United States Congress.

On Wednesday, February 4, 2004, the House Subcommittee on Courts, the Internet, and Intellectual Property held a legislative hearing on H.R. 3754, the "Fraudulent Online Identity Sanctions Act" (FOISA). A better name for this legislation might be the Internet Anti-Privacy Act, since this proposed law boldly punishes Internet users who wish to protect their privacy when registering a domain name. The "WHOIS" database is a publicly accessible database operated by domain name registrars, which, in addition to other data, lists the names and addresses of domain name registrants. FOISA is an indirect attempt to regulate the accuracy of the contents of the database. Imagine someone suing the Washington Post for copyright infringement in connection with an item on the Post's website during the time its domain name records contained an inaccuracy; FOISA appears to allow increased damages to be sought and possibly recovered from the Post merely because of a presumption that copyright infringers are likely to disguise their identity by entering inaccurate data in domain name registrations. FOISA does not seem to clarify whether the presumption is rebuttable. More troubling, FOISA contains no provisions indicating that privacy matters.

FOISA, perhaps, among other things, is aimed at eliminating a bugaboo identified by some intellectual property holders as a serious threat to trademark holders; namely, the inability to reliably use a consumer database of domain name registrations for investigations and identity checks when intellectual property holders prepare for various forms of dispute resolution, including litigation. That legislative approval for using the WHOIS database for a purpose for which it was never intended seems imminent confirms the status and lobbying power of certain intellectual property holders.

FOISA seems to have come out of nowhere, since the legislation reflects neither conventional wisdom nor current trends within ICANN (the Internet Corporation for Assigned Names and Numbers has already authorized measures to help ensure the accuracy and integrity of the WHOIS database as well as retard abusive and excessive use of the database by bulk users).

Of course, FOISA did not come out of nowhere; Congress has been considering WHOIS legislation for at least two years. The legislation appears to have grown out of assumptions that are either wrong or highly contested. FOISA is incredibly unbalanced. There are no safe harbors or carefully drafted exceptions to the increased penalty provisions. FOISA is drafted as if its sponsors had never considered that WHOIS is just as susceptible to abuse by those whom the legislation favors as it is by those whom the legislation targets. Not long ago, a U.S. District Court in New York City ordered Verio to stop using customer contact information housed in Register.com's WHOIS database to carry out a telephone and e-mail campaign. As a result of Register.com v. Verio, it is likely that a court might find the use of WHOIS to compile massive lists of new customers and flood them with marketing messages an impermissible use. Notably, Register.com filed suit against Verio after receiving a number of complaints from domain name registrants who had been solicited by Verio by e-mail and postal mail. If Register.com had not had an acceptable use policy that restricted permissible uses of its database, domain name registrants may have had no other avenue available to them to vindicate their rights. Consequently, if a legislative solution to WHOIS accuracy is necessary (and that case has never been made), genuinely balanced legislation would ensure that WHOIS services provide personal data, if a registrant decided to make that information publicly available, while also promoting fundamental fairness in protecting the privacy interests of domain name holders.

As a matter of trademark law, FOISA ostensibly outlaws knowingly entering misleading or false contact information when registering, renewing, or maintaining a domain name. There is no sense of balance in this either. The proposed law is heavily tilted toward a presumption that domain name registrants who are reluctant to enter personally identifying data in a public database are up to something. The legislation is drafted in a manner where the link or nexus between trademark infringement and the accuracy of the content of the WHOIS database is virtually conclusive. Trademark holders could use FOISA to assess increased damages merely because a registrant had "misleading" information in the WHOIS database entry tied to a domain name targeted in a trademark lawsuit. Would an e-mail address no longer being monitored for e-mail from a domain name registrar be considered misleading? Not only is punishing a domain name registrant for potentially misleading information repugnant to Internet privacy, but the conception of "misleading information" is vague and begs for trademark holder abuses that exceed those involved in reverse domain name hijacking.

FOISA also has a provision that deems willful copyright infringement to include "knowingly provided material and misleading false contact information to a domain name registrar" for a domain name "used in connection with an online location." Drawing out what WHOIS contact information has to do with copyright I leave to those with the clairvoyance to see inside the minds of legislators. Regardless, the provision suffers from the same offense as the trademark provision; it conclusively ties misleading or false WHOIS data to infringing conduct without regard for the privacy interests of domain name registrants or the possibility that inaccurate WHOIS data is simply that: inaccurate data, not indicia of copyright or trademark infringement.

Of course, there is no need to strengthen penalties for providing inaccurate personal information if the information is neither requested nor disclosed in the first place. A registrar may need to collect personal information to process payment for registration services, but this does not mean that the customer's data should be disclosed to the public. WHOIS need not exist as a public database at all, yet some members of Congress seem willing to go as far as imposing criminal sanctions on those who would thwart the efforts of a few intellectual property holders. If the choice were FOISA or a substitute, since FOISA would codify the irrelevance of privacy interests, I would prefer a substitute. ICANN is already engaged in a process that provides a substitute — though it, too, is still lacking in protections of privacy — that should render FOISA unnecessary. Another alternative might be the privatization of WHOIS that allows registrars to obtain the benefit of market-driven access to WHOIS content as long as individual domain name holders could opt out or opt in depending on their interests in privacy.

Regardless of the substitute selected, Congress should be keenly aware that there is no reasonable basis to bestow legislative benevolence only upon trademark and copyright holders when addressing WHOIS issues. With WHOIS concerns in mind, the question is whether privacy matters and, if so, how may the privacy interest of domain name holders be protected while providing due regard for the substantial interests of others (including, but not exclusively, intellectual property holders)? It is clear whose rights matter most under FOISA, and that is precisely why the unbalanced legislation should never become law.

By Rod Dixon, Attorney
Related topics: DNS, Domain Names, ICANN, Privacy, Whois

Re: Why FOISA Should Never Become Law Peter Bachman  –  Apr 18, 2004 3:55 AM PDT

I agree, this is bad law.

Certainly privacy matters, and the original RFC for email states you should have a valid email address for postmaster.

That's known as "acting in role as", and should always go to someone who reads the mail.

Whether that's also the valid, continuing address for a whois record is up to the domain owner. Many corporations pay a fee to someone to maintain the IP connected with their domain name.

I've also seen domains of Dow Jones corporations registered to people who have Hotmail accounts, which indicates to me they are sans clue. Or maybe they do have a clue on what to do if their domain fails.

The fact that someone will likely spam that address is a different issue, and the WHOIS has now come full circle as an identifier database of internet users. At one point in the early '90s, late '80s, whois was thought to be some sacrosanct, super secret listing. Then it became sort of a poor cousin to LDAP and X.500, but with some development potential as a rapid way to look up someone's email address.

In essence, the whois records are published handles, and should not be overloaded by legislation into being any sort of legal document; but we can see functionally why stakeholders, and particularly those tasked with investigating crime on the internet, would want authoritative records.

Fine, let's just do that right as a contract between users and those who need that information rather than this sloppy back door method, especially with this strong intellectual property slant.

Whois simply was not designed for that. We should look for methods that were actually designed for that in the first place, i.e. a directory, and then deliberately build in safeguards, not the other way around.

BTW, I registered washingtonpost.com for them back in the '90s and I'm glad they didn't forget to renew that :-)

Peter Bachman
CEO
Cequs Inc.
