ICANN Whois Privacy Reforms Stalled Again

A working group set up by the Internet Corporation for Assigned Names and Numbers (ICANN) to thrash out differences over proposed privacy changes to the WHOIS database stopped work last week with little real agreement on how or even whether to implement the reforms.

The group’s failure to come up with a proposal that could have been accepted by ICANN continues a long-standing stalemate on efforts to reform the way WHOIS data is handled. The group’s findings were summarized in a final outcomes document released Aug. 20.

“The WHOIS debate has gone on for years, and [ICANN] needs to call an end to it for now,” said Tim Ruiz , vice president of corporate development and policy at The Go Daddy Group Inc., a Scottsdale, Ariz.-based domain name services provider. “It’s been clear for some time that unanimity, or even consensus, on any changes is not possible.”

Ruiz was a member of the 60-person working group. Other members included user representatives, as well as representatives of service providers, registrars and law enforcement authorities.

The WHOIS registry is the domain name systems’ legacy database; it contains names and contact information of all those who register Internet domains. The contents of the database have been publicly accessible to anyone who wanted it.

Companies, intellectual property holders and law enforcement authorities have argued in favor of such open access to the WHOIS database on the grounds that it helps them go after phishers, trademark infringers, copyright violators and other crooks. Privacy advocates, on the other hand, have opposed unrestricted WHOIS access on the grounds that it could expose individual domain registrants to spam and unwanted surveillance. They have for some time now wanted the information in the WHOIS database to be shielded from public access.

“It’s a basic disagreement about the relative rights of a tiny minority of Internet users versus all of the Internet users who have to deal with the mischief” that some domain registrants do, said John Levine, co-founder of the Domain Assurance Council, a standards body for e-mail certification.

According to Levine, only a small percentage of domain registrants are individuals rather than businesses. And while there is a need to address privacy concerns, “it is absurd to cripple all of WHOIS for the putative interests of this tiny group,” said Levine, who was a member of the WHOIS working group.

A WHOIS task force set up by ICANN has been working for more than four years to address the needs of the competing sides and recently came out with a proposal called the Operational Point of Contact (OPoC). Under OPoC, domain name registrars would have been able to continue collecting contact information from all those who wanted to register domains. But they would have been required to keep the street level of the addresses of domain registrants shielded from public access, except in cases where law enforcement authorities and other entities could demonstrate a valid need for it.

The OPoC proposal, however, failed to gain broad support within ICANN because of, among other things, concerns over how the exceptions process would be handled, said Milton Mueller, a professor at Syracuse University’s school of information studies and a partner in the Internet Governance Project.

The concerns related to who should have access to shielded WHOIS data, when they should have it and under what circumstances, said Mueller.

The ICANN working group was set up five months ago to address that issue and came up with several ideas for structuring access to WHOIS data, Mueller said. One of the most significant was a proposal to shield the contact information of individual domain registrants while making that of commercial registrants publicly accessible. There were also suggestions on how access to shielded WHOIS information could be provided on a one-time basis or on an as-needed basis to those who could demonstrate a valid reason for access to the information, he said.

However, the proposals failed to gain broad support for a variety of reasons, Mueller said. Representatives from commercial entities and intellectual property holders, for instance, tried to whittle down the privacy protections and make information available only to individuals whose Internet activities were completely noncommercial in nature. Along with the law enforcement and banking interests, this group also wanted backdoor processes for gaining access to the shielded information on any domain based purely on their assertions that they needed it for valid reasons, he said.

There was also concern among the registrars about the cost implications of some of the proposed changes, said Lynn Goodendorf, vice president of information privacy protection at Intercontinental Hotels Group, the Atlanta-based owner of hotel brands such as Holiday Inn and Crowne Plaza.

For instance, if the proposal to shield contact data of individual registrants had been accepted, it would have required registrars to implement an authentication process to ensure that registrants were indeed individuals and not commercial entities, she said. “The implication was that it would cost money to implement solutions to improve the security and accuracy of WHOIS data and improve it in a way it can’t be abused,” Goodendorf said. Most registrars appear to be unwilling to pass these costs onto their customers, she added.

Registrars today also sell proxy services that allow registrants to hide their identities and contact information from WHOIS queries. “If there is no reform, they can continue to sell privacy to their users using proxy registrations, making profits that far exceed those they make on normal domain name registrations,” Mueller explained. Therefore, she said, “they bailed out.”

In addition to those issues, there was some disagreement over accountability issues under OPoC and the speed at which registrars would be required to respond to requests for access to shielded data, said Eric Dierker, chairman of the general assembly of ICANN’s Generic Names Supporting Organization. The GNSO is the body responsible for developing policy for the domain name system.

According to Dierker, who was a working group member, the final outcomes report released last week downplays some of the disagreements among members. One area in particular that appears to have been glossed over is the concern registrars expressed over the potential costs of the proposed changes. “The one thing that we were agreed on is that something needs to be done to fix the current situation,” Dierker said.

Ultimately, Mueller said, implementing any of the proposed changes would have meant less access to the WHOIS information that has been freely available for a long time. For those used to getting that information for free, that appears to have been more than they were willing to concede, he said

“Despite flirting with the kind of compromises and reforms that might actually reconcile privacy rights with identification needs, in the final weeks of the process, trust and agreement among the parties broke down completely,” Mueller said in a blog post.