Article on WHOIS for National Journal

[KathrynKL at AOL.COM]

Attached please find an article from the National Journal, on 9/13, regarding
the debate on WHOIS privacy and access.  About midway through the article
there are good references to the work of EPIC, CDT, and even a paragraph on my
deep concerns about the human rights uses of the Net and the need to protect the
privacy of these domain name registrants.

If you know of any uses of the Net that involve human rights or other
political speech where the identify of the registrant might lead to serious harm to
the registrant and/or family (e.g., exposing corruption, human rights
violation, or corporate misdeed), please let me know.  I am compiling a list....

Regards,
Kathy



1 of 13 results       | Next Story  | Back to Results List
09-13-2003

Administration - What's in a Cybername? Plenty
William New
   A little-known global database of Web site owners has grown
into a significant worldwide cyber-crime tracking device -- and
a major source of concern to privacy advocates and foreign
governments. Despite its growing importance, the so-called
"Whois" data is plagued with inaccuracies, as well as technical,
legal, and ethical problems. The Commerce Department is facing
increasing pressure to clean it up.

   As the creator of the Internet, the U.S. government remains
responsible for ensuring its stability and competitiveness. For
this task, it created a nonprofit corporation in 1998 that is
growing up in its own right: the Internet Corporation for
Assigned Names and Numbers. ICANN, which is based in Los
Angeles, manages the domain-name system for Web site addresses
with endings such as .com, .net, and .org. It operates under a
memorandum of understanding with the Commerce Department. The
agreement expires on September 30.

   To obtain a domain name, an applicant must pay a domain-name
retailer, or registrar. Registrars are required, through
contracts with ICANN, to collect personal information about the
registrant, keep it up to date, and make it public. This
information, mainly contact details, is the Whois data, and it
is coming under intense scrutiny from a variety of Internet
constituencies.

   Registrars are also required to offer "bulk" access to the
entire database for anyone paying up to $10,000 annually for it.

   Many Internet users and others who benefit from the Internet
are pressing Commerce to require improvements in the Whois data
as part of the renewal of the agreement with ICANN. But last
week, Commerce General Counsel Theodore Kassinger told a House
subcommittee that that would not be among the top priorities for
a likely multiyear extension of the deal. That was not what
subcommittee Chairman Lamar Smith, R-Texas, and ranking Democrat
Howard Berman of California were hoping to hear.

   "Despite the demonstrated need and obligation of the
Department of Commerce, ICANN, and registrars to provide access
to accurate Whois data, there is an astonishing lack of
enforcement of these contractual terms," Smith said at the
outset of the September 4 hearing of the House Judiciary's
Subcommittee on Courts, the Internet, and Intellectual Property,
which he chairs. He said it is "inexcusable" that no registrar
has lost accreditation for failing to honor its Whois
commitments, despite widespread problems.

   Also "inexcusable," Smith said, is the fact that in its
extension of its agreement with ICANN, Commerce intends to add a
list of seven "milestones" to assess ICANN's future performance,
but none deal directly with Whois, contract enforcement, or
intellectual-property protections.

   Smith told National Journal this week that he would consider
legislation to fix the data problems if Commerce fails to act.
"We're going to wait and see if the Department of Commerce takes
sufficient actions to clean up the database and make it more
useful and more reliable to everyone involved," he said.

   Despite Kassinger's comments, Smith said he hopes Commerce's
new agreement with ICANN "will contain a major enforcement
component, where contracts will be enforced and registrars or
individuals may be dropped if they do not provide accurate
information in a timely fashion." Kassinger said in the hearing
that Commerce lacks the legal authority to force registrars to
comply, and that Commerce is not ICANN's regulator.

   "If Commerce is not ICANN's regulator, then who is?"
countered Susan Crawford, a professor at the Cardozo School of
Law in New York City. "ICANN's only powers extend from its
[memorandum of understanding] with the Department of Commerce."

   The Whois database affects a large number of people. For
instance, network administrators need it to fix Internet
problems. Law enforcement and people targeting unsolicited
e-mail, or spam, increasingly rely on the database.

   Investigators at the FBI Cyber Division use the Whois
database "almost every day," James Farnan, the division's deputy
assistant director, told the subcommittee. Farnan described how
agents used subpoenaed Whois data to find the owner of a Web
site containing child pornography. If the data is inaccurate,
officers can serve a subpoena on the registrars to obtain the
real identity of the domain owner through the credit card
information used to purchase the domain name. But not every
registrar authenticates payment information, so stolen credit
cards can be used.

   John LoGalbo, a trial lawyer in the Justice Department's
Computer Crime and Intellectual Property Section, told an ICANN
meeting in June that access to Whois data cuts through "layers
of complexity and delay" in international investigations. The
Federal Trade Commission has also publicly proclaimed the
importance of the data.

   Privacy advocates note that investigating fraud is only one
use of the database. The Electronic Privacy Information Center
said in its newly released global survey on privacy and human
rights that Whois data is available to anyone who uses the
Internet, "including stalkers, corrupt governments cracking down
on dissidents, spammers, aggressive intellectual-property
lawyers, [and] police agents without legal authority."

   Alan Davidson of the Center for Democracy and Technology, in
a letter submitted to the House subcommittee for the September 4
hearing, argued that safeguards for privacy and security are the
best way to get law-abiding people to provide accurate data.

   Kathy Kleiman, a lawyer at McLeod, Watkinson and Miller in
Washington and one of the founders of ICANN's noncommercial
constituency group, said that in some countries, citizens trying
to protect themselves have to provide inaccurate information.
She cited as an example a human-rights group with a Web site
that showed pictures of torture victims so families could
identify the bodies. "In the telephone world, we have unlisted
telephone numbers and even blocking to protect personal
privacy," Kleiman said. "We need at least the same in the
Internet world."

   Steve Metalitz, counsel to the Copyright Coalition on Domain
Names, told the subcommittee that accuracy and accessibility are
critical to electronic commerce and accountability on the
Internet. He said that access to data is "wildly inconsistent,"
and he criticized ICANN for not doing enough to fix the
database, which "remains riddled with inaccurate data."

   Benjamin Edelman of the Harvard Law School Berkman Center for
Internet and Society said that registrars and registrants need
meaningful incentives to comply with requirements, without which
the Whois database is "substantially fiction." Privacy concerns,
he argued, could be met by using third-party services.

   There's no consensus on how to improve the system, but many
Internet constituents have shown preliminary interest in "tiered
access": The data would be accessible by degrees to those who
need it. Other ideas include providing notice to users when
someone else views their data, and creating "audit trails" that
could reveal abuse of the database.

   Commerce's National Telecommunications and Information
Administration, headed by newly named Administrator Michael
Gallagher, chairs an interagency group considering changes to
the Whois database. The other participants in the group are the
Justice Department, the FTC, and the U.S. Patent and Trademark
Office.

   ICANN also has Whois contracts with eight domain-name
registries -- essentially wholesalers of domain names. Some
maintain their Whois data, and others do not. The newer
registries have begun modifying the contracts to meet new
exigencies. For instance, the London-based registry for the
.name domain developed a tiered system for allowing access to
the Whois data out of fear that the registry was violating the
European Union data-privacy directive.

   Most agree that the number of inaccuracies, whether the
result of outdated information or fraud, is high. There are more
than 30 million registrations in the "top-level" domains (.com,
.net, and .org), some 25 million of which are in the .com
domain. About 10 percent -- or 3 million -- of these
registrations are inaccurate, according to Edelman.

   Kassinger said at the September 4 hearing that in nearly 12
months of studying data problems, ICANN received 15,458 reports
concerning 10,271 different domain names. Kassinger acknowledged
that the number of reports "may just be the tip of the iceberg."
He also said that the government shares some critics' concerns.
But Commerce, he said, is "gratified" by the commitment to Whois
issues shown by the new ICANN President and CEO Paul Twomey, and
Kassinger added that new hirings would help there.

   Twomey, who took office in March, is organizing various ICANN
constituents into a new committee to discuss the Whois system.
ICANN's board has adopted a new policy requiring registrars to
contact domain-name registrants at least annually to confirm the
accuracy of their information.

   In another effort, ICANN's government advisory committee is
wrestling with the variety of standards for handling personal
information. For instance, the European Union says that making
Whois data public violates its privacy law. Canada also has
concerns. In addition, questions remain as to how the 200-plus
country domains, such as .fr for France, will deal with Whois
data.

   ICANN expects to form the new constituents committee and to
sponsor a workshop on Whois "best practices" at its next board
meeting at the end of October. Twomey said in June that the
committee's goal is to prioritize issues and develop a work plan
for addressing them. But he stopped short of stating a goal of
getting agreement on solutions.

   ICANN followers hold mixed views on whether ICANN will move
quickly enough. "It's a tremendous logjam," said one observer.
"I think we're all buckling down for a long process that will be
[conducted in] secret."

National Journal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncuc.org/pipermail/ncuc-discuss/attachments/20030923/f5bc098a/attachment.html>