Confessions of an ex-opponent of Whois Privacy

The following is the easyDNS response to ICANN’ public comment period on GNSO Privacy & Proxy Services Accreditation Issues Working Group Initial Report. The public comment period is open until July 7, 2015. We strongly urge you to make your voice known by signing the petition over at Save Domain Privacy.

I submit these comments as a CEO of an ICANN accredited registrar, a former director to CIRA and a lifelong anti spam contributor with an unblemished record of running a managed DNS provider that maintains zero tolerance for net abuse or cybercrime and as someone who maintains a healthy working relationship with the units of our local and federal Law Enforcement Agencies that deal with cybercrime.

In the past easyDNS was opposed to Whois Privacy (a.k.a “Domain Privacy”). We did not offer it and we strongly cautioned our customers against using it.

Our rationale was twofold:

#1) We felt that those connecting to the internet to originate traffic and consume system resources of external parties (i.e. people sending email) had an obligation and a responsibility to be identifiable. For example, we felt (and still do) that nobody has an obligation to accept email from a domain whose contact details are anonymized. This belief still does not conflict with our advocacy of Whois Privacy.

#2) There was agency risk to the Registrants’ themselves, as once they enabled whois privacy on their domains the “official” owner (or rights holder) to their names became the privacy provider and not the actual registrant. (This fear was bourne out as many Registrants did in fact lose their names in the failure of RegisterFly).

We eventually relented to customer pressure and implemented Whois Privacy and have since completely reversed our opinions on the efficacy of employing it and necessity of making it an option. (For the record, our opinion was not swayed by the additional revenues we garner from offering it. The vast majority of our Registrants making use of Whois Privacy get it at no cost).

It is important to note that once we did change directions and offer Whois Privacy, we found that doing so had absolutely no material effect on occurrences of net abuse, known cases of cybercrime or any other form of civil misdeed such as copyright violations or intellectual property infringement.

We think we know why this is, they are the same reasons the policy shift being considered will have zero effect toward their intended outcome and why the second order effects will be primarily negative and disruptive to those who are not guilty of any malfeasance (we refer to these innocent bystanders as “rule followers”).

As a result of these experiences, we believe that absent a breach of service terms such as net abuse, the only basis for disclosing underlying Registrant data, especially to copyright and trademark complainants should be subject to:

a court order (in a competent jurisdiction to the Proxy provider)
a subpoena (in a competent jurisdiction to the Proxy provider)
a pending civil action
a URS or UDRP action.

In other words, we feel that Section D of Annex E of the Initial Report on the Privacy & Proxy Services Accreditation Issues PDP should have precisely the opposite requirement that it now proposes.

We will explain our reasoning below. It is based on real world experiences of nearly 20 years in the domain and managed DNS business:

#1 Many Registrants Don’t Even Know That the Whois Exists or What’s In It.

Understanding that a consequence of simply registering a domain name results in one’s personal contact details being published in a world viewable, digital database is actually quite limited. People who earn their livelihood online are possibly cognizant of it, although even within this cutting edge technologically literate segment a significant number of participants are not. Your average bricklayer, baker or candlestick maker is for the most part oblivious to the existence of Whois.

What they do know, is that when they finally get motivated to “join the digital age” and register their first domain name, and after dutifully filling out the online form, which is like any other online form they fill out, within days, or even minutes they are receiving unwanted spam, phone calls or junk faxes because their personal details have been harvested from the Whois almost immediately.

Blame, or at the very least suspicion is then directed toward the Registrar (“You sold my personal data!”)

This reason in itself is enough motivation for Registrars to create privacy mechanisms to safeguard Registrants against these unwanted intrusions.

#2 Criminals Lie.

The ostensible justification for the types of changes being considered to Whois Privacy requirements are to make it easier for primarily rights holders and law enforcement agencies (LEA) to track down infringers and bad actors.

But the fact is that actual criminals do not use their true, actual contact data in domain registrations. In fact in our experience whenever we takedown a known infringing or cybercrime website, whether the domain registrations details are privacy masked or not, they always supply bogus Registrant data (often culled from a previous victim).

Similar to our objections against the highly destructive and impotent Whois Accuracy Program, implementing the proposed changes to Whois Privacy requirements will not get anybody any closer to apprehending a single cyber-criminal or preventing a single cybercrime, but will only succeed in making it easier for rule followers with legitimate requirements for Whois Privacy (i.e. whistleblowers, political dissidents, victims of abuse, et al) to have their privacy violated.

#3 Open To Abuse

We have ample first-hand experience with complainants abusing allegations of trademark or copyright infringement in an attempt to do one or more of the following:

cause a website / domain takedown without due process.
force a disclosure of Registrant data with no legal basis.
suppress websites or specific pages from search engine results.

If Section D of Annex E is adopted as proposed we foresee this as an ideal attack vector to compel Registrant data disclosure without being tested by due process.

Third Time’s a A Charm?

Any changes in Whois Privacy requirements must be considered against the backdrop of previous Whois reform initiatives, because at the end of the day, it’s the end-user Registrants who have to adjust to functioning under the combined effect of all of these new policy modifications.

ICANN has thus far implemented two policies around Whois reform which should be considered failures in that they:

do not accomplish their stated goals,
only succeed in penalizing “rule followers”
create new unintended attack vectors against legitimate Registrants.

The first was the Whois Data Reminder Policy (WDRP) which on it’s own was a annoyance and created a new spearphishing vector but the second-order effects were to induce a type of “Whois Notification Blindness” in Registrants by inculcating them with a belief that these notices are harmless annoyances which can be ignored (or worse, filtered away).

Even the creator of the WDRP has gone on record to state that the policy is a failure and should be killed.

Next came the Whois Accuracy Program (WAP) which has done nothing whatsoever to prevent cybercrime but has left a trail of destruction across the internet as legitimate production websites (some of them providing internet infrastructure functionality) inexplicably go offline for the flimsiest of reasons.

What makes WAP so pernicious is that to the average Registrant there is no discernible difference between a WDRP notice (which can be safely ignored) and a WAP notice (which can’t!)

After a one-two punch of ineffective policy failures around Whois, the idea now is to take the one remaining aspect of Whois that actually serves a purpose, which is Whois Privacy, that actually accomplishes it’s primary goals, that provides an invaluable service to law abiding citizens but makes no real difference to criminals, in other words the last vestige of useful functionality in the current Whois model and we’re going to make a new policy that maims it and provides easy mechanisms to game the system and end-run Registrant privacy?

Surely by now ICANN has learned from WDRP and WAP that trying to retrofit accountability processes onto the existing Whois implementation isn’t working. We don’t need a third policy to ignite yet another round of collateral catastrophes to hammer this lesson home.

Recommendations

Everybody close to this probably concurs that the current Port 43 Whois implementation was never designed for the type of all-reaching global internet we find ourselves in today. Change is certainly needed but it needs to be genuine change, a ground up rewrite of the entire protocol.

ICANN already had a separate EWG working on the next generation of Whois (RDS) and in their initial findings they asked the question:

Is there an alternative to today’s WHOIS to better serve the global Internet community?

“Yes, there is. The EWG unanimously recommends abandoning today’s WHOIS model of giving every user the same entirely anonymous public access to (often inaccurate) gTLD registration data.”

“Instead, the EWG recommends a paradigm shift to a next-generation RDS that collects, validates and discloses gTLD registration data for permissible purposes only.

While basic data would remain publicly available, the rest would be accessible only to accredited requestors who identify themselves, state their purpose, and agree to be held accountable for appropriate use.”

These are the groundwork for appropriate guiding principles for the next generation of Whois, of course the devil will be in the details of who has the right to request data and under what circumstances.

We here at easyDNS have spent an inordinate amount of effort over the past years to educate complainants, plaintiffs and even certain law enforcement agencies that there exists in civil society and democracies “due process” and that an allegation has to be proven legally before sanctions can be imposed on people’s websites, or before their personal data can be surrendered.

We have two main recommendations for charting the path forward:

1) Any Whois Privacy Policy revisions should be tabled until the entire Whois database is re-engineered as the next generation RDS.

2) That a guiding principle of any future Next Gen Whois / RDS Working Groups should incorporate legal due process and end-user, (that is Registrant) control over their own data records, complete with automated mechanisms to alert Registrants when inquiries are made into their records, what the purpose of those inquiries are and allowing Registrants the ability to withhold disclosure (except in cases of overt net abuse or where a law enforcement agency is pursuing a legitimate investigation subject to a valid warrant).

Thank you.