ICANN's War On Whois Privacy
from the don't-let-them-win dept
If you follow internet governance issues at all, you know that ICANN is a total freaking mess. It's a dysfunctional organization that has always been dysfunctional, but remains in charge because of the lack of any reasonable alternatives. ICANN frequently seems to be driven by powerful interests that are just focused on squeezing as much money as possible out of the domain system, and appears to have little appetite for being what it should be: an independent body protecting the core of the internet. As if to put an exclamation point on that, it appears to now be going to war against basic privacy. Here are two separate, but somewhat related, examples.First up, we have EasyDNS, who last month didn't beat around the bush in explaining just how ridiculous ICANN's new Whois Accuracy Program (WAP) is. The company noted that it regretted renewing its ICANN accreditation, even though it's necessary to register domain names. As EasyDNS notes, the whole WAP program is insane, and is almost designed to force domain owners to lose their domains -- especially if they want to keep a modicum of privacy. Under the program any time you change or renew your domains, you now will get an email requiring you to "verify" your whois data. As EasyDNS notes, since it's an email, it's designed in a way that looks very much like a phishing attempt, meaning many domain holders will ignore it. And if you ignore it... within 15 days, your registrar is supposed to suspend your domain. That program went into effect yesterday, and I imagine it won't be long before we hear the shrieks of pain as it impacts website owners. As EasyDNS notes:
You can thank ICANN for this policy, because if it were up to us, and you tasked us with coming up with the most idiotic, damaging, phish-friendly, disaster prone policy that accomplishes less than nothing and is utterly pointless, I question whether we would have been able to pull it off at this level. We're simply out of our league here.But, that's not all! The good folks at Namecheap (who have sponsored us in the past here on the blog) have sent out an alarm (along with the EFF and Fight for the Future) over another proposal from ICANN concerning privacy and proxy services that many domain owners use to keep their information private. This is necessary these days, in part, because as anyone who owns a domain knows, that information gets scraped and you get spammed. A lot. And also, sometimes, people say things on the internet that they want to be anonymous in saying. And proxy services help you do that. But ICANN is effectively trying to kill that. Namecheap has put together the site RespectOurPrivacy.com to explain the issue and to ask people to tell ICANN to reject this proposal -- which was put together by MarkMonitor. Yes, MarkMonitor, the company famous for being engaged in all sorts of bogus censorship and takedown requests:
Under new guidelines proposed by MarkMonitor and others who represent the same industries that backed SOPA, domain holders with sites associated to "commercial activity" will no longer be able to protect their private information with WHOIS protection services. "Commercial activity" casts a wide net, which means that a vast number of domain holders will be affected. Your privacy provider could be forced to publish your contact data in WHOIS or even give it out to anyone who complains about your website, without due process. Why should a small business owner have to publicize her home address just to have a website?That site has more info and shows you how to contact ICANN to protest this move.
We think your privacy should be protected, regardless of whether your website is personal or commercial, and your confidential info should not be revealed without due process. If you agree, it’s time to tell ICANN.
You can also look directly at the proposal itself, which notes that this view is not universal and there is disagreement over where the final rules will end up, but some have argued that:
"domains used for online financial transactions for commercial purpose should be ineligible for privacy and proxy registrations."If MarkMonitor's involvement didn't tip you off, this is really a proposal of Hollywood who hates the fact that people can be anonymous online. It was presented to Congress last month by Steve Metalitz under the guise of the "Coalition for Online Accountability" -- a "coalition" made up of the MPAA, RIAA, ESA and SIIA (all copyright extremists). If you recognize Metalitz's name, it's because it's come up before. He's one of the entertainment industry's favorite lawyers, who helped push ACTA, SOPA and other bad copyright proposals. And now suddenly he's "concerned" about online accountability? Really? The main goal of the proposal is to destroy anonymity online by only allowing it in cases Hollywood approves of. In his presentation, Metalitz noted that there is only a "legitimate role for proxy registrations in limited circumstances." Have you applied for your special license to be anonymous yet? The MPAA and ICANN need to approve it first...
Hopefully ICANN backs away from these plans and starts to get its act together. ICANN could and should be a powerful force in favor of an open internet with strong privacy protections -- and not encouraging programs that require giving up your privacy just to have a domain name.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: icann, privacy, proxy, registrations, verification, whois, whois accuracy, whois accuracy program
Companies: icann
Reader Comments
Subscribe: RSS
View by: Time | Thread
Color me skeptical
Given ICANN's history, I'd consider that something of a minor miracle. But yes, I share in the hope.
This is yet another step in the ongoing effort to turn the internet away from being a many-to-many medium to a one-to-many medium like cable TV.
[ link to this | view in thread ]
In other words apply for a bit of privacy, and promptly get demands from the copyright trolls as an assumed pirate.
[ link to this | view in thread ]
Gray market business opportunity
[ link to this | view in thread ]
Re: Gray market business opportunity
Example:
http://www.whoisguard.com/
https://www.domainsbyproxy.com/default.aspx
[ link to this | view in thread ]
What about correcting whois info?
[ link to this | view in thread ]
Re: What about correcting whois info?
[ link to this | view in thread ]
You'd be slightly more credible if didn't support Google surveilling everyone everywhere on the net.
Oh, but requiring businesses to fill out an email, that's tyranny!
As ever for Masnick, he only worries that commercial interests might be a little incovenienced, with no concern for the public, let alone for scams and other known problems.
Every time "business" comes up seems Masnick never heard of commercial law and that businesses are licensed entities that have intrinsic NO rights, are NOT persons, are subject to vast number of constraints and requirements. Masnick comes across like Mitt Romney, simply doesn't understand that ordinary people rightly regard businesses as predatory.
[ link to this | view in thread ]
Open Public Comment period for WHOIS at ICANN
A summary of the review process ICANN is conducting with respect to their Whois Accuracy Program can be found here. Note that this is actually a review of the program that was proposed in 2013.
[ link to this | view in thread ]
Yet the US government is set to transfer ownership of the DNS root to them in September, and nobody's doing anything to stop it.
[ link to this | view in thread ]
[ link to this | view in thread ]
Meh, it has some merit, well in theory
As a dev that has tried so often to find domains for my clients, it's beyond frustrating.
If not this proposal then something else to free up parked domains.
[ link to this | view in thread ]
[ link to this | view in thread ]
MarkMonitor and SOPA
FYI, MarkMonitor is where Wikimedia moved its registrations to when it left GoDaddy in protest of GoDaddy's support of SOPA. Wikimedia's domains (including wikipedia.org) are still there.
The article is FUD.
[ link to this | view in thread ]
Re: You'd be slightly more credible if didn't support Google surveilling everyone everywhere on the net.
[ link to this | view in thread ]
Huh? Since it's an email? As opposed to .... what? Registration renewal reminders are usually sent by email, reigistration payment confirmations are usually sent by email, domain transfer steps are usually reported by email. What other method would there be? Text messages might be phishing. Would FB posts be better? Tweets?
I really fail to see why an email reminder is by definition a problem. My mortgage company reminds me by email to update property insurance information. Credit card firms remind us by email to update contact and other information. Credit car firms email us depending on the alert conditions we want. Banks ditto. I would expect that a person who is so technically-literate as to be able to register and pay for a domain to be able to recognize a phishing email if they see one exactly as they are already probably doing for fake bank emails etc (And if not, then education is needed, not shroud-waving and freakouts about teh evil email spammers).
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Meh, it has some merit, well in theory
All of which only require minor changes on the side of ICANNs policies. The thoughts behind it may be good enough, but the execution is beyond terrible.
[ link to this | view in thread ]
Re:
I don't have as big a problem with that as some because the alternatives are even worse. And it's not really "transferring" ownership, it's just making explicit what has really been the case for a while.
[ link to this | view in thread ]
How to define commercial activity?
2. Will a single advertisement turn a site into a commercial site?
3. What punishment will there be for false claims (answer: none)?
[ link to this | view in thread ]
Re:
No hyperlinking. That is inevitably suspicious.
Registration-scams are very common. Don't make the formulation too demanding.
Don't insinuate that you need personal information in the mail. Firstly those informations should only be given in safe channels and second it is suspicious.
Use a more respectable timeframe for answering. Using a low timeframe is often used by phishing to force people to make a fast decission.
So you can do plenty to make the mail believable.
[ link to this | view in thread ]
Re: How to define commercial activity?
We are eventually back to having to trust ICANN on this. That, on its own, is unsettling.
[ link to this | view in thread ]
Re:
ITYM 1984. Big Brother had a plan and procedures worked out to implement said plan. ICANN is just another loose cannon, rolling around beneath decks, smashing into whatever's in its way, grasping at things it considers shiny. Leviathan.
Bravo, USA! Good job. Mission accomplished!
[ link to this | view in thread ]
Re:
Some examples:
"We need to verify your account information in order to continue using your apple ID" - I do not have an apple ID
"Please confirm your Paypal Debit mastercard to avoid account closure" - Do not have a paypal account
"The check bounced and Joe from accounting told me to contact you" - We have no Joe in accounting
"Verify your whois or your domain will be suspended in 15 days" - will be treated as phishing too
[ link to this | view in thread ]
Re:
If I logged into some provider every time I got some scarry email threating account closure I would never have time to get any real work done.
[ link to this | view in thread ]
Re: Re:
The US government is accountable to its people in ways that ICANN is not. I can think of worse organizations than ICANN to manage the DNS root (United Nations, for instance), but there's no way ICANN is the best of all possible stewards.
I'd prefer an organization whose primary reason for adding new TLDs is not to bring in more revenue. I'd prefer an organization that won't grant registries like ICM monopoly control of an entire TLD category*. I want strong freedom of speech guarantees and protections against vicarious liability of any kind. I want a DNS system that can't be manipulated by censors or special interests. I want the Internet equivalent of strong constitutional guarantees.
* ICM Registry's (.adult, .sex, .porn, .xxx) CEO Stuart Lawley recently said: "When ICANN announced the new gTLD program, we felt a sense of obligation to ensure that we continued to provide that type of space in any of the adult-oriented TLDs that grew out of ICANN’s new program; we did not want adult-oriented TLDs to get into the wrong hands."
[ link to this | view in thread ]
Re: Re:
As for scary emails, most of them are obvious fakes (I don't have an account there, wrong email address, obviously bogus source and so on). When I get one that isn't an obvious fake, yes I do check my account to make sure there isn't anything I need to take care of. It doesn't happen that often, maybe once every couple of months, so it's not a big deal.
[ link to this | view in thread ]
Re: Re: Gray market business opportunity
[ link to this | view in thread ]
Re: What about correcting whois info?
[ link to this | view in thread ]
Re: Meh, it has some merit, well in theory
How would this proposal address parked domains? If people are sitting on domains so they can sell them, then they're already telling people how to get in touch with them (how else could people make a bid?)
Also, not all parked domains go unused. I had a domain for years that was "parked" in the sense that it didn't lead to a website because it was solely for email purposes.
[ link to this | view in thread ]
Re: Re:
This. Also, any email that contains links is immediately suspected of being a phishing attempt -- but it's not a slam-dunk rejection like "you need to take action immediately" emails.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: How to define commercial activity?
Which is one of the many reasons why they have zero credibility.
[ link to this | view in thread ]
You know, no court orders/subpoenas or anything similar, the information of the registrant gets disclosed on alleged copyright/trademark infringement allegations.
Or at best, your provider might give you the option to terminate your domain name (he might blacklist you, tho).
It also intrudes in national laws, in some countries you can't disclose private information just because, you need a court order to do so.
There are courts for something: their job is to determine wether something is infringing or not, and it's always defensible. That shouldn't be neither the ICANN or the Registries'/Providers' job.
They say so in the paper too (in the last statement against it), that the ICANN is intruding in national laws, and that customer privacy shouldn't be compromised just because someone made a copyright infringement allegation. They also comment that it goes against ICANN's policies about not considering the content.
I think it's the trojan horse they want to get through in this proposal. Still, it's strange (well, it isn't, actually) that only get that detailed procedure while other issues, such as LEA related ones, don't have such procedure.
Btw, what's the timetable behind this? In the paper they only mention January 1st 2017 as the date where some provisions apply, but not sure about the rest.
Also, I see many site operators eyeing .bit domains and similar services instead of using ICANN related domain registries/registrants.
Not sure if there is such a provider (registry, privacy or proxy provider, I mean) outside that jurisdiction that can tell ICANN to go fuck themselves. Anyone knows?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
The new program just forces registrars that have signed the 2013 RAA to be a little more proactive about domain suspensions.
As an example, here's what ICANN asks from a registrar when they send an invalid WHOIS report under the 2009 RAA:
Dear ,
ICANN received the Whois Inaccuracy complaint below. It claims that the contact information associated with the domain name below is inaccurate:
As required under Section 3.7.8 of the Registrar Accreditation Agreement (RAA), please take reasonable steps to investigate this Whois Inaccuracy claim; and, where appropriate, correct the contact information, suspend or delete the domain registration.
To demonstrate compliance, please indicate which option below describes the actions taken by your registrar on or before :
1. Your registrar confirmed that the reported inaccuracy was corrected.
2. Your registrar obtained satisfactory verification from the registrant that the data was correct.
3. Your registrar suspended, deleted, cancelled or otherwise deactivated the domain name.
4. Your registrar did not investigate the inaccuracy as Section 3.7.8 of the RAA requires.
If 1 or 2 above applies, please provide copies of any correspondence between your registrar (or reseller if applicable) and the registrant - including the registrant's response and any dates, times, means of inquiries, telephone numbers, email addresses and/or postal addresses used - while investigating this Whois Inaccuracy claim in accordance with Section 3.4 of the RAA.
Please send the information and records requested above via reply email (no more than 4 MB total) and do not change the email subject heading. Please provide records as attachments in .TXT, .PDF, or .DOC(X) format.
For your reference, please find below the link to the RAA:
2009 RAA: http://www.icann.org/en/resources/registrars/raa/ra-agreement-21may09-en.htm
--------
You'll notice that the registrar doesn't really have the option of doing nothing, without risking escalation of the issue.
Unfortunately, ICANN also doesn't do any kind of due diligence on these reports. Any random person can submit and invalid WHOIS claim, and even if there's nothing wrong with the WHOIS info, a registrar can be forced to suspend the domain if the domain owner doesn't respond to an inquiry.
It's pretty sucky all around.
[ link to this | view in thread ]
Re:
It's hard to understand what the legitimate reason for that proposal is. The reason for the inclusion of contact information is to allow people to contact the domain owner. Using a privacy proxy does not prevent that.
[ link to this | view in thread ]
Re: MarkMonitor and SOPA
No, MarkMonitor is one of those 'anti-piracy' companies the promise that their accuracy is top notch at spotting piracy, while at the same time showing that it's more along the lines of the accuracy you'd expect a drunk, blind person who's never held a gun in his life to exhibit.
[ link to this | view in thread ]
Re: Re: MarkMonitor and SOPA
[ link to this | view in thread ]
Re: Re: Re: MarkMonitor and SOPA
[ link to this | view in thread ]
I'm not worried. Bring it on ICANN. The future looks bright for censorship resistance. =)
[ link to this | view in thread ]
Re: Re: Re:
I nominate the IETF. I wish they'd just summon up the will power and take it. They're the only org that appears to know how it all works right down to the nitty gritty level, and ICANN (those in charge of it) wouldn't have a clue what happened nor how to get it back.
Problem solved.
[ link to this | view in thread ]
All the corruption money i(can)n buy...
---
[ link to this | view in thread ]
Re: Color me skeptical
[ link to this | view in thread ]
ICANN verifications
[ link to this | view in thread ]
1. Obviously denying "privacy" to commercial sites in no way requires Jane Doe to reveal her private address as claimed. That is a disgraceful lie.
2. Obviously there is no issue of personal privacy involved.
3. This site admits being sponsored by NameCheap, a notorious pirate that provides CONCEALMENT to copyright pirates, financially ruining hundred of thousands of copyright owners.
The owners of this website and NameCheap should be jailed for criminal collusion to steal copyrighted work. Everything they own should be seized and sold for compensation of damages.
CONDEMN this website and NAMECHEAP and support the ICANN proposal!
[ link to this | view in thread ]