IGP Blog :: Whois Privacy Stalemate...Again

Subscribe to IGP

Get IGP via RSS

Get IGP via Email

Follow IGP on Twitter

Recent Twitter Updates

Recent Comments

Re: ICANN hires superhero to resolve its political problems

Re: Second thoughts about that Wall St. Journal article on Iran and DPI

Re: Will Rod Beckstrom replace Twomey?

Month Archive

October 2007
September 2007
August 2007
July 2007
June 2007

Year Archive

2009
2008
2007
2006
2005

Main Page

Previous:	Response to Professor Zittrain
Next:	Timeline of the WHOIS saga

Whois Privacy Stalemate...Again

by Milton Mueller on Wed 22 Aug 2007 01:03 AM EDT | Permanent Link |

The ICANN Working Group that was trying to reconcile data protection and privacy principles with the domain name system’s legacy Whois directory, which publishes the name and full contact details of all domain name registrants, was finished today. “Finished off” might be a better term. Despite flirting with the kind of compromises and reforms that might actually reconcile privacy rights with identification needs, in the final weeks of the process trust and agreement among the parties broke down completely. The WG report has zero chance of gaining the 2/3 majority required to become an approved policy of the GNSO Council in its current form. It is unclear what the Board will make of it.

The battle between human rights advocates, who want to shield certain kinds of data from indiscriminate public access, and corporate and law enforcement interests, who want to use the Whois service as a free, open-access method for identification and surveillance of Internet users, has been going on for seven years now. Registrars are in the thick of this fight, since they are the entities whose customer data is exposed for anyone in the world to see, the ones who are obligated to operate the current Whois service, and the ones who stand to bear most of the cost burdens of certain proposed reforms. It was the registrar constituency that proposed the “Operational Point of Contact” (OPoC) reform that formed the basis of the Group’s work. OPoC would have shielded the registrant’s street address from public view, putting in its place a contact person that consolidated the role of administrative and technical contact in the old system. An OPoC would relay requests for information to the registrant. All the information contained in the current Whois service would have remained in place except for one thing: the street address of the registrant. That’s all. Even the real name and national and state (provincial) jurisdiction of the registrant would have been exposed.

It is hard to believe that such a miniscule change could generate three months of contentious work by nearly 60 people, ranging from representatives of each GNSO constituency to law enforcement agencies from the US, the Netherlands, and Canada; representatives of the banking and real estate industry; 5 or 6 intellectual property, hoteliers and software producers associations; not to mention a few companies that literally make their living collecting and selling Whois data. But it did.

The problem was that the intellectual property owners and to some extent also the LEAs wanted to offer a minimal amount of data protection with one hand, and then take most of it away with the other. The intellectual property lawyers tried to make the OPoC into an entity formally accredited and regulated by ICANN; they tried to make it into a third party with the authority to reveal the private data on demand and even to take down web sites or disable domains; they insisted on obtaining some kind of verification of the OPoC’s consent to be an OPoC; all activities that, however, potentially useful in theory, would increase the cost and complexity of registering domains and massively increase the risk that users would lose a domain for not responding to inquiries from trademark lawyers. They tried to whittle down the shielding of data to natural persons whose internet activities were completely noncommercial in nature. Along with the law enforcement and banking interests, they wanted backdoor access procedures enabling almost any private company to gain unlimited access to the shielded data of any domain merely by asserting that they needed it to pursue bad actors.

At some point in the process, the registrars decided that the additional costs of the Frankenstein-monster OPoC emerging from the WG was not worth the gains it would produce. If there is no reform they can continue to sell privacy to their users using proxy registrations, making profits that far exceed those they make on normal domain name registrations. They bailed out. It’s not clear yet whether the registry representatives are also giving up on the process.

Most of the really bad ideas failed to gain consensus, and the report recognizes that. On the critical issue of granting access to the shielded data outside the open public Whois service, however, the Chair of the Working Group, Philip Shepherd, who represents a European trademark lobbying group, played fast and loose with the definition of “Agreement.” The final draft of the report claims that certain highly contested views about access to data have reached “AGREEMENT.” What it doesn’t tell you is that the definition of the term Agreement was changed at the last minute, without permission agreement or even notice. If you look at the earlier versions of the report, AGREEMENT is defined very clearly as: “there is broad agreement within the Working Group (largely equivalent to “rough consensus” as used in the IETF).” This means that all but a couple of holdouts have converged on a common position. In the final report, Shepherd failed to obtain agreement on points he considered to be the desired policy. So the definition of agreement was changed. The definition now reads:

“there is broad agreement expressed by the contributing members of the working group though not necessarily unanimity. (This agreement is majority based and no attempt has been made to categorise agreement by interest group because participation had not been solicited nor organised by interest group)”

What this means in practice is that if 6 trademark lawyers and companies who profit from the sale of Whois data showed up for a conference call (and they often did) and only 5 people representing the rest of the world showed up, then the chair could describe as "agreed" and "broadly supported" whatever the surveillance party wanted. Not only has the WG abandoned consensus decision-making in favor of majority rule, but it does not even bother to balance representation when taking majority votes. It is just a matter of which group puts the most people on a conference call. In fact, it’s not even that fair; I am sure that if Noncommercial users managed to put 16 people on the call the definition of “agreement” would be modified again. So-called "rough consensus" decision making is always susceptible to this kind of abuse, but rarely is it done so blatantly.

In reality, on most of the key issues there was no agreement, just the same division of opinion between registries, registrars and civil society on the one hand, and trademark and law enforcement interests on the other.

This latest Working Group started out well. New participants were brought into the process and agreement around certain new ideas were forged. An important idea -- a distinction between legal and natural persons -- coul have formed the basis of an important compromise and move forward, but the registrars thought it would be too expensive to make that distinction at the point of registration. As time wore on, the trust and credibility of the group deteriorated rapidly as the most intransigent corporate and LEA interests came face to face with the fact that reforms might actually restrict access to data they wanted, and the registrars realized that reforms might cost them money.

Keywords: Whois, Registrars, privacy, NCUC, ICANN

Posted to:

Main Page

Comments

Post a comment

Re: Whois Privacy Stalemate...Again

by Jean Naimard on Fri 24 Aug 2007 10:13 AM EDT | Permanent Link

If there are extremely compelling reasons to get one domain's final details, surely one can convince a judge to issue a judicial warrant for the said information. Otherwise, the system is wide open to abuse, because law enforcement as well as corporate lawyers are extremely prone to abuse (not to mention scammers who send bogus domain renewal invoices).

Re: Re: Whois Privacy Stalemate...Again

by Anonymous on Fri 24 Aug 2007 12:20 PM EDT | Permanent Link

The whole point of a "surveillance" group who monitors is to "fish" for suspected infractions, as opposed to actual violations. It seems the 'consensus' failed by opposing a lobbying group whose interests are directly against those of the domain holders. It seems that every time we ask IP-holders to follow the same rules as everyone else in criminal court(showing probable cause) they complain it's too complicated, yet they are unwilling to go back to civil court(where they have to pay their own costs)... As an interest group, IP-holders are certainly pampered

Re: Re: Whois Privacy Stalemate...Again

by Anonymous on Sun 30 Sep 2007 10:09 PM EDT | Permanent Link

Nice generalization that law enforcement and corporate lawyers are extremely prone to abuse. Come on - at least base your opinions on logic and not on abuse for certain professions.

For numerous reasons people legitimately need to access Whois data and not simply to find out whom to sue, which seems to be the general assumption. As an IP lawyer I most commonly use Whois to check that use of a mark by a client will not infringe another person's mark (for which they have a domain name registered).

It is simply not practical to expect people to have to go to the Courts for a warrant in order to access this information, especially given the delays that this would cause.

There are problems with the system but I think that the lack of agreement reached shows that there are no easy answers and the problems associated with shielding all this information causes as many problems as it solves.

Re: Whois Privacy Stalemate...Again

by wireless surveillance systems on Thu 17 Jan 2008 07:22 AM EST | Permanent Link

If the Internet starts to be a monitored place where else would we get our feeling of freedom? I don't wanna see any more pop-ups restricting me to access some site. I'm not talking about mature content sites, I'm just talking about domains that are currently disputed in court.

Trackbacks

TrackBack URL:
http://blog.internetgovernance.org/blog/_trackback/3174023

Weblogs that reference this article:

The Battle Over Whois Policy Continues
Weblog:	I Squatted Your EU
Excerpt:	One of the sessions I attended at the ICANN meeting in Lisbon earlier this year centred on whois. It became abundantly clear to me that the various stakeholders had very different views and objectives on how to treat and...
Posted:	Wed Aug 22 15:33:51 EDT 2007

Post comment:

Format Type:
	Convert newlines
	Receive comment notifications for this article
Subject:

Comment:

Comment verification:

Please enter the text you see inside the graphic to post your comment:

You are not currently logged in. If you would like your user information to be displayed with your comment, please enter your login information below.

Username:
Password:

If you would like to post contact information on your comment, please enter your information into the optional fields below:

Contact information:

Name:
URL:		example: http://yourdomain.com
Email:

Please note: email will not be displayed on the site, only for the blog owner. If logged in, URL will only be used.

Currently Reading

Internet Governance News

Upcoming Events

View all Events

Who's Reading IGP Blog?

Wowzio

grab this · technology blog