An ICANN working group interim report to make Whois information generally unavailable to the general public is getting some coverage in non-domainer publications over the last couple of days
Basically the proposal calls for scrapping the current whois system which allows anyone to see who the owner of a domain is, (unless the owner has paid the registrar to have the registrar hold the domain under privacy) with a centralized Whois system called the Aggregated Registration Data Service (ARDS) which would store all domain ownership records but which would be closed by default to anyone other than those people or organizations who receive permission ton the basis that they have a legitimate need for the data.
It would make it almost impossible for John Q. Public to find out who the owner of a domain is which is definitely not good for domain investors who many times get contacted by people looking to buy their domain from the public whois record, even for domain names that are not “for sale”.
However presumable law enforcement who have access to all records.
From the Interim report:
“”A carefully selected subset of data elements would be made publicly accessible to anonymous requestors through a web interface to the RDS
Gated access would only be available to requestors who applied for and were issued credentials to be used for RDS query authentication.
The process by which credentials would be issued is not defined herein, but the EWG recommends that this process take into consideration each requestor’s purpose for wanting access to registration data.
Each gated access query would identify the authenticated requestor’s purpose (either explicitly or implicitly) and a desired list of data elements. Only data elements that were available for the domain name and accessible to the requestor for the declared purpose would be returned.””
Beyond domain holders that many times get offers or interest on their domain names by interested parties finding their ownership information in the Whois records and other big loser would seem to be registrars that are charging an extra fee per domain for those that want their domain names held under privacy.
There are tens of millions of domain names held under “privacy”.
It should be noted this is an Interim not final report.
CIO.com called the plan “Extremely Disquieting;
“A working group for Internet regulators is under severe criticism for a proposal that would put an end to the openness of the current WHOIS system for domain name registration records.”
Krebsonsecurity.com, also expressed concern on the report saying:
The plan acknowledges that creating a “one-stop shop” for registration data also might well paint a giant target on the group for hackers, but it holds that such a system would nevertheless allow for greater accountability for validating registration data.
Unsurprisingly, the interim proposal has met with a swell of opposition from some security and technology experts who worry about the plan’s potential for harm to consumers and cybercrime investigators.
“Internet users (individuals, businesses, law enforcement, governments, journalists and others) should not be subject to barriers – including prior authorization, disclosure obligations, payment of fees, etc. – in order to gain access to information about who operates a website, with the exception of legitimate privacy protection services,” reads a letter (PDF) jointly submitted to ICANN last month by G2 Web Services, OpSec Security, LegitScript and DomainTools.
“Internet users have the right to know who is operating a website they are visiting (or, the fact that it is registered anonymously),” the letter continues. “Today, individuals review full WHOIS records and, based on any one of the fields, identify and report fraud and other abusive behaviors; journalists and academics use WHOIS data to conduct research and expose miscreant behavior; and parents use WHOIS data to better understand who they (or their children) are dealing with online. These and other uses improve the security and stability of the Internet and should be encouraged not burdened by barriers of a closed by default system.”
The Center for Democracy & Technology has less than kind words about the proposal in a letter to ICANN which in part:
The EWG report does not address a number of key questions underlying these concerns. For instance, what registrant information must be collected for the domain name system to function and what information must be published? Should ICANN require individual registrants to disclose information beyond what is necessary for DNS operations, and why? What is the proper function of the WHOIS system? Is it to provide access to sensitive personal information to any party with a “use case,” or are some data needs more appropriately addressed by direct contact with registrar”
This proposed system is arbitrary and would not improve protections for user privacy. The first level mirrors the current WHOIS system. The second level would provide the same functionality as current privacy and proxy registration services, although it is not clear how ICANN would determine how registrants would be eligible to use these services.
The third level raises two significant concerns for user privacy and free ex pression.
First, the proposed system would rely on an unspecified third party to determine whether registrants are “at risk” or are exercising their free speech rights. This is a poorly defined concept that puts users’ fundamental rights to freedom of expression in the hands of an
unidentified, unaccountable arbiter who will use unspecified criteria to make potentially unreviewable decisions in an undisclosed process.
How would these determinations be made?
What sort of third party would be capable of making them in an international context with inconsistent norms and laws concerning free speech and privacy? How would international human rights case law, resolutions, and norms factor into the decision?
Assuming that a third party could reliably discern which registrants are speaking freely, there remains the problem of legal jurisdiction.
Individuals exercising free speech or those at risk due to their beliefs or activities in one jurisdiction might be subject to law enforcement sanctions from another.
How will the third party decide which jurisdiction’s law governs?
Second, while this system aims to protect vulnerable registrants, it would also identify them to bad actors. Imagine two lists of IP addresses: one associated with registrants who have freely disclosed their identifying information, and one associated with registrants designated as exercising free speech and engaging in “at risk” activities. This system would create a vector for attacks designed to access sensitive data about the most vulnerable users. Moreover, this system may create false security by giving registrants the sense that their identities are safely concealed, while providing no protection against a host of other attacks.
The EWG report proposes disclosure of registrant information as the default, allowing increased privacy protections only under certain circumstances. We strongly encourage ICANN to consider the inverse approach: privacy as the default for individual and noncommercial registrants, with disclosure only when necessary.”
Andrew Allemann says
I’d recommend reading the report, which was released a couple months ago. (Krebs refers to an interim report, but links to the same initial report from June).
It would not prevent you from accessing a whois record in order to send an inquiry about buying a domain name. There’s an entire use case for people to use whois if they want to buy domains.
The devil will be in the details, and personally I’m OK with the “status quo” in whois, but the expert working group did consider (nearly) all ways people legitimately use whois today.
George Kirikos says
Folks can read the initial announcement at:
https://www.icann.org/en/news/announcements/announcement-08aug13-en.htm
My comments were at:
http://mm.icann.org/pipermail/input-to-ewg/2013/000021.html
and all the others were at:
http://mm.icann.org/pipermail/input-to-ewg/2013/
The comments by LegitScript were very good, too:
http://mm.icann.org/pipermail/input-to-ewg/2013/000015.html
Technically, there was *supposed* to have been a Reply Period (after the initial comment period ended September 6th), but ICANN has apparently closed down comments:
http://www.icann.org/en/news/public-comment
“The official minimum Reply period is 21 days.”
Instead they placed it into the “Recently Closed” section, despite the initial comment period ending September 6:
http://www.icann.org/en/news/public-comment/closed
This appears to be another case of ICANN trying to silence opposition to their unacceptable plan.
Joe says
That would be a big rock falling on domaining! Does this include ccTLDs or is it limited to gTLDs?
George Kirikos says
Andrew: Those in journalism might be compelled to agree to a “Terms of Use” to access WHOIS data that should be in the public domain, thereby limiting their freedom of speech and the public’s right to now. Let’s suppose one is doing an investigative piece…..how would that research be done, without giving notice to the target of the reporting? Indeed, the new monopolist WHOIS provider might permanently bar one’s usage of the system for alleged violations, with no recourse. Indeed, they might even sell the data of the journalist’s usage to someone else, since they’d be logging all usage.
The data must remain in the public domain, with no monopolist dictating usage requirements or gating access.
RaTHeaD says
every response posted here is just plain stupid. it’s like the phone company charging you extra to keep your name out of the phone book ’cause it costs them thousands of dollars to do that. i don’t think so. it might even be some kind of a profit deal.
Andrew Allemann says
George, I’m not saying I like it. I also think that the journalism use case was the key one missing from the initial report.
What I’m trying to do is prevent people from being misinformed about what the report suggests.
George Kirikos says
Well, it comes down to ICANN taking a database that’s in the public domain, and privatizing it, in order to profit from it. By centralizing it, they’d eliminate all the innovative users of WHOIS, e.g. DomainTools, WHOISology, etc. If you have automated tools that do bulk checking of the WHOIS (for example, for your weekly “End User Purchases” stories), those tools would break.
As I noted in my own comments, ICANN didn’t even attempt to be honest by conducting a cost-benefits analysis (0ne that’s required by the Affirmation of Commitments), or even attempt to to present alternatives. They simply presented one solution (after declaring the current system “broken”, without any data to support that conclusion), without even attempting to quantify and assess the impact on users of WHOIS, registrants, registrars, registries, etc. When there’s no data, or no economics involved, that’s not a scientific report — it’s a religious report.
We know that there’s one prime beneficiary of their “solution”, namely the new monopolist WHOIS provider that would be created, and who would then be able to make money from the data (currently in the public domain) by shutting out all other sources of that data. Follow the money!
George Kirikos says
ICANN just “teased” the findings of a WHOIS study report on their blog, regarding abusive domains and WHOIS privacy:
http://blog.icann.org/2013/09/results-of-the-gnso-whois-privacyproxy-abuse-study/
(without publishing the actual report)
George Kirikos says
BTW, the “journalism use case” needs to be clarified somewhat, because journalists don’t have superior rights to the public. Journalists often act as surrogates for the public, but the underlying data is still public. For example, in court cases, court records are public due to the open court principle. Anyone can have access to them, although it’s often the case that it’s journalists doing the grunt work. So, no special rights should be made for journalists to get superior access, beyond those of the public itself…..the records should remain in the public domain, for all users.
As I noted in my submitted comments, what would happen if the USPTO handed over exclusive data for the TM/patent databases to a private entity who would charge monopoly rates for access? Or if PACER dealt exclusively with Westlaw or another private database provider, instead of providing open access to the public domain court records? Such proposals would be regarded as preposterous, and rightly so. The trend is towards open data, not creation of new monopoly sources of that data.
cmac says
wow, this benefits no one except the company who makes bank to set it up and run it. small to large businesses contact domain owners every day to purchase domains. i guess with this they’d just have to settle for whatever is available…sounds great.
jp says
I think would be problem short term for domain sales but long term there will be more emphasis on marketplaces and landers. Also would be good for domain industry coz tere would be so much less spam selling domains outbound (presumably). I think it would be a net gain over time. Just my opinion.
I think some buyers do whois to go straight to the domain owners so they can do their megotiation with the domain owner direct. If they don’t have this option then they will just have to rely on the marketplace or the contact info provided on the lander. I also think most end users don’t know what a whois is anyway.
cmac says
jp, as for relying on marketplaces..which one or how many would someone have to use in hopes that the end users happens to come across the domain they wanted to look up whois for anyways. and why should domain sellers be forced to use marketplaces and give the marketplaces their cut?
Louise says
I told you. I told you. I told you. The crime syndicate. Any offers on dot coms will go through the Registrars/Verisign first, to alert them to potential sale.
Domo Sapiens says
@GK
“By centralizing it, they’d eliminate all the innovative users of WHOIS, e.g. DomainTools,”
Interesting choice of words…
Innovative WHOI$
Volker Greimann says
I will take a contrary position here as we are talking about peoples’ private details here. The publication of whois data is abhorrent to privacy protection interests and many registrants. The publication of private data of registrants in the whois is at best legally problematic in many jurisdictions, as evidenced by the communications of the Article 29 working group to ICANN.
Publicly accessible whois data is a remnant of a time when sys-admins needed to know how to contact each other. It is no longer needed for that, so it is time for something new.
That is not to say that I would prefer a centralized gated database of the same data in any one jurisdiction either.
cmac says
vokler, what privacy rights are registrants entitled to? You can’t legally hide who owns a home, commercial building or piece of land so why should you be able to hide who owns a domain? sure you can use shell corps or whatever but in the general sense, who owns what is public information that anyone can access if they so chose.
Domainer Extraordinaire says
Spammers love whois data. I’m for 100% private whois.
Domain Observer says
Leave the internet alone. Why disturbing stability? Internet users want stability rather than frequent changes.
John Berryhill says
“You can’t legally hide who owns a home, commercial building or piece of land so why should you be able to hide who owns a domain?”
Well that’s simply not true.
You can’t find out who owns most privately-held corporations in the United States.
Forming a corporation in Delaware, Nevada or Wyoming, to name a few, requires NO disclosure of who owns the corporation. The only person associated with the corporation in public records is the appointed agent for service of process. In Delaware, there are about two or three companies who provide that agency service for thousands and thousands of corporations.
That corporation can buy a house, a commercial building, or a piece of land, and the title owner will only be that corporation. You have no way of knowing through public information who is that owner.
Not only can that corporation buy those things, but corporations and other structures can buy firearms too. This is a route used by many people who are otherwise unable to purchase a firearm due to a criminal conviction or other disqualification.
Domo Sapiens says
Is always good to have a choice,
who owns the rights to the domain ? the right to choose, anyway
or am I being simplistic?
Could this proposal even have a chance of passing muster? seriously.
cmac says
@John, yes I understand but my point was that *some kind* of info is publiclly available, no matter if its an agent representin the true owner or the owner themselves, something has to be there.
in the end my main gripe with this is that it will make researching domains a very long slow process instead of the tools we have now to do it.
Michael Berkens says
Domo
Its the suggestion of the working group that ICANN set up to look at the issue so yes it has a good chance
Domo Sapiens says
You are the lawyer…
You don’t see any violations of laws, rules or rights?
(including retroactive agreements)
Conflict of interest?
Michael Berkens says
Conflict of interest? with whom
(including retroactive agreements)
if you mean the one between you the registrant and the registrar they are bound by rules of ICANN
You don’t have a contract with ICANN
Domo Sapiens says
Mike,
It seems to me this is another attempt of creating/making obscure policy (Comments closed) to then be the “One and Only Enforcer”, at a time where the public/organizations and consumers are asking from more transparency or at the very least choice as we have it right now…
Who supervises ICANN?
[h]. Employ open and transparent policy-making mechanisms that promote well-informed, technically sound decisions.
Retroactive as: Suddenly everything will go private/dark? almost reads as Science fiction.
Michael Berkens says
Who supervises ICANN?
US Department of Commerce (for now)