To break privacy deadlock, some seek to scrap Whois databases on domain name registrations

NEW YORK – Tech industry lawyer Mark Bohannon frequently taps a group of searchable databases called Whois to figure out who may be behind a Web site that distributes pirated software or tricks visitors into revealing passwords. Like a “411” for the Internet, Whois contains information such as names and phone numbers on the owners of millions of “.com” and other Internet addresses. Bohannon and his staff at the Software and Information Industry Association rely on the free databases daily in their efforts to combat theft and fraud.

Law-enforcement officials, trademark lawyers and journalists, as well as spammers, also use it regularly.

“The Whois database is in fact the best, most well-recognized tool that we have to be able to track down who in fact you are doing business with,” said Bohannon, the trade group’s general counsel, adding that alternatives such as issuing subpoenas to service providers take more time and cost money.

Nonetheless, some privacy advocates are proposing scrapping the system entirely because they can’t agree with the people who use the system on how to give domain name owners more options when they register – such as designating third-party agents. Privacy advocates say individuals shouldn’t have to reveal personal information simply to have a Web site.

The so-called “sunset” proposal is expected to come up Wednesday before a committee of the Internet Corporation for Assigned Names and Numbers, or ICANN, a key Internet

oversight agency. It will have a tough time winning approval – and could create chaos. But the fact that abandoning Whois is on the table underscores frustrations among privacy advocates that ICANN appears on the verge of launching new studies and deferring a decision yet again after some six years of debate.

Ross Rader, a member of ICANN’s generic names council and the sunset proposal’s chief sponsor, said many negotiators are stalling because they prefer the status quo, which gives them the access to Whois that they desire.

An executive with domain registration company Tucows Inc., Rader said he is just trying to break the deadlock and doesn’t necessarily want the databases to disappear.

“What removing the status quo will do is force all of the actors to come together without the benefit of a status quo to fall back on and say, ‘We are now all screwed. What will we do?”‘ Rader said. “It will lead to better good-faith negotiations.”

Think of it as saving the system by breaking it first.

Marilyn Cade, a former AT&T executive who has been active on Whois advocacy, called the sunset proposal “an emotional overreaction that somehow got crystalized into an option. Everyone who has done the long hours of hard work to examine policy options thinks that they have a monopoly on what is best, but the facts are not yet there.”

Cade is part of the camp that prefers further studies on the extent of any Whois abuse and the degree to which individuals are actually registering names for personal use – which could justify more privacy – rather than for businesses, nonprofit endeavors or domain name speculation.

Those findings, she said, would help ICANN tailor new policies that address actual problems, even if it means delay. And the study option seems likelier than the sunset proposal to prevail Wednesday.

When the current addressing system started in the 1980s, government and university researchers who dominated the Internet knew one another and didn’t mind sharing personal details to resolve technical problems.

Since then, the use of Whois has changed greatly.

Law-enforcement officials and Internet service providers use it to fight fraud and hacking. Lawyers depend on it to chase trademark and copyright violators. Journalists rely on it to reach Web site owners. And spammers mine it to send junk mailings for Web site hosting and other services.

Internet users, meanwhile, have come to expect more privacy and even anonymity. The requirements for domain name owners to provide such details also contradict some European privacy laws that are stricter than those in the United States.

There’s agreement that more could be done to improve the accuracy of Whois, as scammers and even legitimate individuals who want to remain anonymous can easily enter fake data.

The disagreements are over “who gets to see it (and) how can we protect people’s privacy while at the same time making accurate information available to those who need it,” said Vint Cerf, ICANN’s chairman.

ICANN’s Generic Names Supporting Organization Council appeared to break a logjam in March when it formed a working group to consider letting domain name owners designate third-party agents in Whois listings. Currently, owners must provide their full names, organizations, postal and e-mail addresses and phone numbers.

But when the working group started developing an implementation plan, the opposing sides quickly disagreed on the basics, including the level of detail required.

“There were a number of parties that just would not compromise and could not accept that there are legitimate uses of Whois,” said Margie Milam, a working group member and general counsel of the brand-protection firm MarkMonitor.

Approval of the sunset proposal, as drafted, would mean abolishing the current Whois requirements by late 2008. After that, individual registration companies would be able to decide whether to continue offering data on their customers, leading to gaps in the registration records.

The threat of losing Whois would force serious negotiations before it happens, said Milton Mueller, a Syracuse University professor on the Whois working group. “The sense of shock that would settle around certain people would be rapid and immediate.”

Leave a Reply

Your email address will not be published.