ICANN and Hollywood want to kill off domain privacy

ICANN proposed changes that could mean domain owners who use a proxy service to keep their personal details private could no longer use that service.

protect privacy
Rafa Garcés (Creative Commons BY or BY-SA)

So you may have a little website and use ads to make a little money, but should that mean you should be stripped of online privacy by anyone who does a WHOIS lookup? The Internet Corporation for Assigned Names and Numbers (ICANN) proposed changes that could mean domain owners who use a proxy service to keep their personal details private could no longer use that service. There's debate about whether having an ad on a site makes it as commercial as a site that sells products.

A privacy and proxy service report (pdf) by ICANN's working group "Generic Names Supporting Organization" states:

Although the WG agreed that the mere fact that a domain name is registered by a commercial entity or by anyone conducting commercial activity should not preclude the use of P/P services, there was disagreement over whether domain names that are actively used for commercial transactions (e.g. the sale or exchange of goods or services) should be prohibited from using P/P services. While most WG members did not believe such a prohibition is necessary or practical, some members believed that registrants of such domain names should not be able to use or continue using P/P services.

Behind the scenes, who is really pushing for the changes and wants to destroy your privacy? Flipping Hollywood strikes again, according to the EFF.

Who the hell does Hollywood think it is? Neither the world nor the Internet revolves around Hollywood. But that didn't stop the likes of the MPAA, RIAA, and ISPs such as Comcast, Time Warner Cable, Verizon, and AT&T from banding together under the umbrella of "Center for Copyright Information" (CCI); then the CCI tried to control the Internet with its Copyright Alert System (CAS) aka the stupid "Six Strikes" rule. No one crowned Hollywood as king of the copyright cops. But hey, someone forget to tell Hollywood that, because now if you have a website with an ad on it, then Hollywood says you don't deserve privacy at all.

MPAA documents which leaked in January acknowledged that Six Strikes is a failure and has not impacted piracy; the MPAA gnashed its teeth and decried that P2P piracy will get worse and "will likely require substantial additional resources." Then in May, a coalition of smaller studios dubbed the "Internet Security Task Force" said the Copyright Alert System is a "sham" and called for the end of it.

Killing off domain privacy is another plan that is off-the-charts stupid. For starters, for reasons that escape me, not too many people bother with domain privacy. Only 20% of domains were registered via privacy or proxy services, according to a study (pdf) requested by ICANN in 2013. Unmasking 20% of website owners will not solve Hollywood's – or anyone else's – copyright problems. Unlike Six Strikes, stripping people who own domains of the right to keep their personal information private opens them up to any crazy stalker or harassment-happy troll that wants their full name, address, and phone number.

Let's be kind and double that number; let's assume 40% of people use a proxy to protect their privacy when they register a domain. How many of those are actually doing anything illegal? How many are engaged in copyright infringement? Unmasking all to nail a few is like those ridiculous "you might be a domestic terrorist IF" lists; some of them claim you are suspicious enough to be reported if you try to protect your privacy at an Internet café or pay with cash. Out of all the people who still pay with cash, how many are actually terrorists?

And even if you do use a proxy for domain privacy purposes, it's not like the cops can't get hold of your real information. If you keep the same domain for years, you receive a notification on behalf of ICANN every year asking you to verify that your personal information is still accurate. So if something shady is going on, the cops can get personal info from the domain registrar. In fact, as the EFF pointed out, sometimes Johnny Law doesn't even have to get involved, as some registrars "cave in and suspend domains at the first whiff of a complaint."

That's not good enough for Hollywood and for some in ICANN who want to penalize you for running a little website and making a little money; ads suck, that's true, but making a few dollars doesn't mean you should have your privacy stripped away and have your personal safety at risk by making the "real" WHOIS data accessible to all.

The EFF wrote:

This change is being pushed by US entertainment companies, who told Congress in March that privacy for domain registration should be allowed only in "limited circumstances." These and other companies want new tools to discover the identities of website owners whom they want to accuse of copyright and trademark infringement, preferably without a court order. They don't need a new mechanism for this—subpoenas for discovery of the identities of website owners do regularly issue [PDF]. The limited value of this change is manifestly outweighed by the risks to website owners who will suffer a higher risk of harassment, intimidation and identity theft. The ability to speak anonymously protects people with unpopular or marginalized opinions, allowing them to speak and be heard without fear of harm. It also protects whistleblowers who expose crime, waste, and corruption. That's why EFF opposes the new proposal to roll back anonymity.

Save Domain Privacy gave the example below, showing how proxy services submit their own contact info to the public WHOIS database instead of the domain owner's private information. If ICANN's proposed changes go forward, all domain owners would be in the No Privacy pile.

Domain privacy before and after Save Domain Privacy

We need to shut this down as it's just unwise to have your name, address, phone number and email address out there for anyone and everyone to access. We only have until July 7 to send our comments to ICANN (comments-ppsai-initial-05may15@icann.org). You can also protest by signing a petition, or by using the phone and email tool at Respect Our Privacy. Seriously, tell ICANN to "Respect our privacy. Don't expose WHOIS data."

Copyright © 2015 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022