Whois Privacy Stalemate…Again

The ICANN Working Group that was trying to reconcile data protection and privacy principles with the domain name system’s legacy Whois directory, which publishes the name and full contact details of all domain name registrants, was finished today. “Finished off” might be a better term. Despite flirting with the kind of compromises and reforms that might actually reconcile privacy rights with identification needs, in the final weeks of the process trust and agreement among the parties broke down completely. The WG report has zero chance of gaining the 2/3 majority required to become an approved policy of the GNSO Council in its current form. It is unclear what the Board will make of it.

The battle between human rights advocates, who want to shield certain kinds of data from indiscriminate public access, and corporate and law enforcement interests, who want to use the Whois service as a free, open-access method for identification and surveillance of Internet users, has been going on for seven years now. Registrars are in the thick of this fight, since they are the entities whose customer data is exposed for anyone in the world to see, the ones who are obligated to operate the current Whois service, and the ones who stand to bear most of the cost burdens of certain proposed reforms. It was the registrar constituency that proposed the “Operational Point of Contact” (OPoC) reform that formed the basis of the Group’s work. OPoC would have shielded the registrant’s street address from public view, putting in its place a contact person that consolidated the role of administrative and technical contact in the old system. An OPoC would relay requests for information to the registrant. All the information contained in the current Whois service would have remained in place except for one thing: the street address of the registrant. That’s all. Even the real name and national and state (provincial) jurisdiction of the registrant would have been exposed.

It is hard to believe that such a minuscule change could generate three months of contentious work by nearly 60 people, ranging from representatives of each GNSO constituency to law enforcement agencies from the US, the Netherlands, and Canada; representatives of the banking and real estate industry; 5 or 6 intellectual property, hoteliers' and software producers' associations; not to mention a few companies that literally make their living collecting and selling Whois data. But it did.

The problem was that the intellectual property owners and to some extent also the LEAs wanted to offer a minimal amount of data protection with one hand, and then take most of it away with the other. The intellectual property lawyers tried to make the OPoC into an entity formally accredited and regulated by ICANN; they tried to make it into a third party with the authority to reveal the private data on demand and even to take down web sites or disable domains; they insisted on obtaining some kind of verification of the OPoC’s consent to be an OPoC; all activities that, however potentially useful in theory, would increase the cost and complexity of registering domains and massively increase the risk that users would lose a domain for not responding to inquiries from trademark lawyers. They tried to whittle down the shielding of data to natural persons whose internet activities were completely noncommercial in nature. Along with the law enforcement and banking interests, they wanted backdoor access procedures enabling almost any private company to gain unlimited access to the shielded data of any domain merely by asserting that they needed it to pursue bad actors.

At some point in the process, the registrars decided that the additional costs of the Frankenstein-monster OPoC emerging from the WG were not worth the gains it would produce. If there is no reform they can continue to sell privacy to their users using proxy registrations, making profits that far exceed those they make on normal domain name registrations. They bailed out. It’s not clear yet whether the registry representatives are also giving up on the process.

Most of the really bad ideas failed to gain consensus, and the report recognizes that. On the critical issue of granting access to the shielded data outside the open public Whois service, however, the Chair of the Working Group, Philip Shepherd, who represents a European trademark lobbying group, played fast and loose with the definition of “Agreement.” The final draft of the report claims that certain highly contested views about access to data have reached “AGREEMENT.” What it doesn’t tell you is that the definition of the term Agreement was changed at the last minute, without permission, agreement or even notice. If you look at the earlier versions of the report, AGREEMENT is defined very clearly as: “there is broad agreement within the Working Group (largely equivalent to “rough consensus” as used in the IETF).” This means that all but a couple of holdouts have converged on a common position. In the final report, Shepherd failed to obtain agreement on points he considered to be the desired policy. So the definition of agreement was changed. The definition now reads:

“there is broad agreement expressed by the contributing members of the working group though not necessarily unanimity. (This agreement is majority based and no attempt has been made to categorise agreement by interest group because participation had not been solicited nor organised by interest group)”

What this means in practice is that if 6 trademark lawyers and companies who profit from the sale of Whois data showed up for a conference call (and they often did) and only 5 people representing the rest of the world showed up, then the chair could describe as “agreed” and “broadly supported” whatever the surveillance party wanted. Not only has the WG abandoned consensus decision-making in favor of majority rule, but it does not even bother to balance representation when taking majority votes. It is just a matter of which group puts the most people on a conference call. In fact, it’s not even that fair; I am sure that if Noncommercial users managed to put 16 people on the call the definition of “agreement” would be modified again. So-called “rough consensus” decision making is always susceptible to this kind of abuse, but rarely is it done so blatantly.

In reality, on most of the key issues there was no agreement, just the same division of opinion between registries, registrars and civil society on the one hand, and trademark and law enforcement interests on the other.

This latest Working Group started out well. New participants were brought into the process and agreement around certain new ideas was forged. An important idea — a distinction between legal and natural persons — could have formed the basis of an important compromise and a move forward, but the registrars thought it would be too expensive to make that distinction at the point of registration. As time wore on, the trust and credibility of the group deteriorated rapidly as the most intransigent corporate and LEA interests came face to face with the fact that reforms might actually restrict access to data they wanted, and the registrars realized that reforms might cost them money.

5 comments

  1. Anonymous

    If there are extremely compelling reasons to get one domain's final details, surely one can convince a judge to issue a judicial warrant for the said information.
    Otherwise, the system is wide open to abuse, because law enforcement as well as corporate lawyers are extremely prone to abuse (not to mention scammers who send bogus domain renewal invoices).

  2. Anonymous

    The whole point of a “surveillance” group who monitors is to “fish” for suspected infractions, as opposed to actual violations. It seems the 'consensus' failed by opposing a lobbying group whose interests are directly against those of the domain holders.
    It seems that every time we ask IP-holders to follow the same rules as everyone else in criminal court (showing probable cause) they complain it's too complicated, yet they are unwilling to go back to civil court (where they have to pay their own costs)…
    As an interest group, IP-holders are certainly pampered.

  3. Anonymous

    Nice generalization that law enforcement and corporate lawyers are extremely prone to abuse. Come on – at least base your opinions on logic and not on abuse for certain professions.
    For numerous reasons people legitimately need to access Whois data and not simply to find out whom to sue, which seems to be the general assumption. As an IP lawyer I most commonly use Whois to check that use of a mark by a client will not infringe another person's mark (for which they have a domain name registered).
    It is simply not practical to expect people to have to go to the Courts for a warrant in order to access this information, especially given the delays that this would cause.
    There are problems with the system but I think that the lack of agreement reached shows that there are no easy answers and the problems associated with shielding all this information causes as many problems as it solves.

  4. Anonymous

    This website is being used by criminals hiding behind your privacy blocks. If regular civilians are required to get a subpoena from a judge to get the information necessary to catch criminals and be able to prosecute them, that is an extreme injustice to the people. If you need privacy that badly, then stay off the internet, stay out of other people's business. Your site is just as guilty as the criminal hiding on your site as you are aiding and abetting the crime that is taking place. Cyberstalking and all sorts of other crimes can take place through the internet as it is a way of life for most people today. What you are doing should be made illegal and the public should know about your transgressions. It is disgusting!

  5. Anonymous

    What gives you the right to review comments????? Who the hell do you think you are???? Judge, jury and executioner. Bullshit!