An ICANN working group interim report to make Whois information generally unavailable to the general public is getting some coverage in non-domainer publications over the last couple of days
Basically the proposal calls for scrapping the current whois system which allows anyone to see who the owner of a domain is, (unless the owner has paid the registrar to have the registrar hold the domain under privacy) with a centralized Whois system called the Aggregated Registration Data Service (ARDS) which would store all domain ownership records but which would be closed by default to anyone other than those people or organizations who receive permission ton the basis that they have a legitimate need for the data.
It would make it almost impossible for John Q. Public to find out who the owner of a domain is which is definitely not good for domain investors who many times get contacted by people looking to buy their domain from the public whois record, even for domain names that are not “for sale”.
However presumable law enforcement who have access to all records.
From the Interim report:
“”A carefully selected subset of data elements would be made publicly accessible to anonymous requestors through a web interface to the RDS
Gated access would only be available to requestors who applied for and were issued credentials to be used for RDS query authentication.
The process by which credentials would be issued is not defined herein, but the EWG recommends that this process take into consideration each requestor’s purpose for wanting access to registration data.
Each gated access query would identify the authenticated requestor’s purpose (either explicitly or implicitly) and a desired list of data elements. Only data elements that were available for the domain name and accessible to the requestor for the declared purpose would be returned.””
Beyond domain holders that many times get offers or interest on their domain names by interested parties finding their ownership information in the Whois records and other big loser would seem to be registrars that are charging an extra fee per domain for those that want their domain names held under privacy.
There are tens of millions of domain names held under “privacy”.
It should be noted this is an Interim not final report.
CIO.com called the plan “Extremely Disquieting;
“A working group for Internet regulators is under severe criticism for a proposal that would put an end to the openness of the current WHOIS system for domain name registration records.”
Krebsonsecurity.com, also expressed concern on the report saying:
The plan acknowledges that creating a “one-stop shop” for registration data also might well paint a giant target on the group for hackers, but it holds that such a system would nevertheless allow for greater accountability for validating registration data.
Unsurprisingly, the interim proposal has met with a swell of opposition from some security and technology experts who worry about the plan’s potential for harm to consumers and cybercrime investigators.
“Internet users (individuals, businesses, law enforcement, governments, journalists and others) should not be subject to barriers – including prior authorization, disclosure obligations, payment of fees, etc. – in order to gain access to information about who operates a website, with the exception of legitimate privacy protection services,” reads a letter (PDF) jointly submitted to ICANN last month by G2 Web Services, OpSec Security, LegitScript and DomainTools.
“Internet users have the right to know who is operating a website they are visiting (or, the fact that it is registered anonymously),” the letter continues. “Today, individuals review full WHOIS records and, based on any one of the fields, identify and report fraud and other abusive behaviors; journalists and academics use WHOIS data to conduct research and expose miscreant behavior; and parents use WHOIS data to better understand who they (or their children) are dealing with online. These and other uses improve the security and stability of the Internet and should be encouraged not burdened by barriers of a closed by default system.”
The Center for Democracy & Technology has less than kind words about the proposal in a letter to ICANN which in part:
The EWG report does not address a number of key questions underlying these concerns. For instance, what registrant information must be collected for the domain name system to function and what information must be published? Should ICANN require individual registrants to disclose information beyond what is necessary for DNS operations, and why? What is the proper function of the WHOIS system? Is it to provide access to sensitive personal information to any party with a “use case,” or are some data needs more appropriately addressed by direct contact with registrar”
This proposed system is arbitrary and would not improve protections for user privacy. The first level mirrors the current WHOIS system. The second level would provide the same functionality as current privacy and proxy registration services, although it is not clear how ICANN would determine how registrants would be eligible to use these services.
The third level raises two significant concerns for user privacy and free ex pression.
First, the proposed system would rely on an unspecified third party to determine whether registrants are “at risk” or are exercising their free speech rights. This is a poorly defined concept that puts users’ fundamental rights to freedom of expression in the hands of an
unidentified, unaccountable arbiter who will use unspecified criteria to make potentially unreviewable decisions in an undisclosed process.
How would these determinations be made?
What sort of third party would be capable of making them in an international context with inconsistent norms and laws concerning free speech and privacy? How would international human rights case law, resolutions, and norms factor into the decision?
Assuming that a third party could reliably discern which registrants are speaking freely, there remains the problem of legal jurisdiction.
Individuals exercising free speech or those at risk due to their beliefs or activities in one jurisdiction might be subject to law enforcement sanctions from another.
How will the third party decide which jurisdiction’s law governs?
Second, while this system aims to protect vulnerable registrants, it would also identify them to bad actors. Imagine two lists of IP addresses: one associated with registrants who have freely disclosed their identifying information, and one associated with registrants designated as exercising free speech and engaging in “at risk” activities. This system would create a vector for attacks designed to access sensitive data about the most vulnerable users. Moreover, this system may create false security by giving registrants the sense that their identities are safely concealed, while providing no protection against a host of other attacks.
The EWG report proposes disclosure of registrant information as the default, allowing increased privacy protections only under certain circumstances. We strongly encourage ICANN to consider the inverse approach: privacy as the default for individual and noncommercial registrants, with disclosure only when necessary.”