The Security and Stability Advisory Committee (SSAC) has added a new wrinkle to the ongoing domain name Whois saga. In a document released late last week, it identified some well known and other less talked about problems with the Whois protocol and it called on ICANN and its community to pursue a more holistic approach involving policy recommendations. Interestingly, it also called for consideration of a new “formal directory service for the Internet” standard to serve domain name interests.
SSAC identified conditions of particular concern to law enforcement and trademark interests which plague the domain name system Whois. Specifically, that the distributed database that the protocol relies on does not necessarily contain accurate data, nor does the protocol provide for data authentication, data confidentiality, or data integrity. SSAC argues that the existing domain name Whois database and protocol is unlikely to ever provide these capabilities. According to SSAC, the limitations of the protocol and the “variability among WHOIS implementations and services” are the chief culprits of inaccurate Whois database information.
In response, SSAC recommends a two pronged approach. Recognizing the shortcomings of current Whois policy, they suggest ICANN continue efforts to resolve the legal and privacy conflicts. In addition, they suggest ICANN “take aggressive measures with respect to improving registration data accuracy and integrity” including providing guidelines and provisions for sanctions or other penalties for noncompliance in future contractual agreements. SSAC makes no mention whether individual registrants or registrars should bear these costs. More fundamentally, however, SSAC is recommending the ICANN community adopt a new Internet standard directory service “as an initial step toward deprecating the use of the WHOIS protocol.”
Specifically, SSAC recommended the ICANN community review standards developed by the IETF's Cross Registry Information Service Protocol (CRISP) Working Group. Initiated in 2004, the group seeks to define functional requirements for domain name registries and provide common base requirements for other distributed Internet registries like those used for IP address space and autonomous system numbers and routing policies. By default the requirements provide for granular assignment of multiple types of access to data according to the policies of the operator. If the right policies are adopted, these capabilities could make civil liberties advocates particularly supportive of its adoption. But it is important to remember that operators are under contract, and ICANN, under pressure from the U.S. government, could override this privacy-enhancement capability through policy enforcement.
Whether CRISP gets any traction as a replacement for the domain name Whois will be interesting to see. Collective action and economic theories of standards suggest an uphill battle. There is evidence that registrars are exploring adapting the incumbent domain name Whois protocol to be a more reliable form of reputation and identity. But the individual benefits are highly concentrated on a small number of powerful interests (specifically law enforcement and trademark) that are entrenched in ICANN’s supporting bodies. In either case, privacy advocates will want to pay attention to the policy choices and what could be an important and protracted standards battle.