Stymie Over Whois Changes Leaves ICANN With Bad Options
At a meeting of the Internet Corporation for Assigned Names and Numbers in Los Angeles, another discussion about possible changes to a fundamental Internet process has been tabled. The implications of those changes would be substantial, and the implications of declining to make those changes may also be substantial.
It involves the Whois database - the registration of responsible authorities for the maintenance of services at designated IP addresses. Currently, the names of those authorities are typically available in the clear, and are publicly searchable. While online scam artists easily work the system to obfuscate their true identities, legitimate Web site proprietors would like some legitimate means to keep their public information - including their telephone numbers - out of public view.
So the main proposal on the table concerned the possible addition of something called an operational point of contact (OPOC) - somebody with a real name and phone number who may serve as a proxy for the actual domain registrant. It could be the registrant herself, or somebody representing her. A motion to approve that proposal as it stood was defeated soundly, by a vote of 17-7, though by ICANN rules the proposal is not yet "dead."
One vocal proponent of the system change is Kathryn Kleiman, a member of the Whois Task Force and a frequent contributor to ICANN. In an open letter to the ICANN board last Saturday, Kleiman wrote, "Of course having access to the personal data of millions of domain names registrants makes life easier for those with concerns about website content and other bad acts. But this data similarly exposes individuals to physical harm as well as online harassment and other illegal acts."
"Naturally, the various sides would like to 'have it all,'" Kleiman continued. "But the Whois [working group] gave us an OPOC plan with details, and a standard for access to underlying data - clear agreements which provide a roadmap that will allow registries and registrars to comply with law, protect the privacy of some domain name registrants (although only some) and provide access to those who need the underlying personal data and having 'reasonable evidence of actionable harm.'"
Opponents of the OPOC proposal cite the need for law enforcement agencies to have access to possible perpetrators of online crime, and the need for companies to be able to defend their intellectual property from "cyber-squatters."
As an ICANN summary of public comments against OPOC explained, "Real-time, publicly accessible Whois data is an essential tool for protecting consumers from online fraud, facilitating essential commercial transactions such as mergers and acquisitions, licenses and secured transactions, and the management of large domain name portfolios."
But there were multiple other opponents as well, with big interests to maintain. "Although many comments in support of Motion 2 [to postpone discussion on OPOC] came from large brand owners," the ICANN summary continued, "comments also reflected representation from companies from all sectors of the economy (entertainment, consumer products, computer game development, financial services, manufacturing, consumer retail, broadcasters, and real estate franchisers to name a few), and related extensive descriptions of their enforcement efforts and the harm to their customers that they combat using Whois information."
Motion 2 carried the day, the Associated Press reported late today, though the precise vote there has not yet been reported.
For whatever reason, ICANN had attached a kind of ticking time bomb to the OPOC debate process, perhaps to keep things lively: If the proposal is voted down, opponents are given the option to vote in favor of "Motion 3." ICANN describes that poison pill as follows: "Recommends that Board consider 'sunsetting' the Whois requirements in the Registrar contract due to the lack of consensus if motion #1 [to adopt OPOC] does not pass."
There's considerable disagreement about what "sunsetting" means in this context, with some major press sources this morning having jumped to the conclusion that such an act would lead to a complete scrapping of the Whois system. While something that dire may not be in the works, influential individuals in the process have been given the impression that a rejection of OPOC might give ICANN reason to outsource the Whois database to private concerns.
This raised the ire of Tristan Louis, the chief technologist for the American branch of a major global bank. "For a variety of reasons, this strikes me as a very big problem," Louis wrote the ICANN board today. "For starters, I do believe that the concerns raised in terms of changing the current state of WHOIS would not be alleviated as a result of the change since the data would just move from public domain to private providers.
"While the overview of ICANN staff work provides some interesting details in the thinking that is leading us to this event," Louis continued, "I believe that more minimal work is best to ensure proper functioning of the system. The WHOIS system may not be perfect but it is the best we have and the proposed changes would have a more disastrous impact than the current state of things. Changing the model and adding the creation of a whitelist would only increase complexity while doing little to defeat efforts by people who want to use the data in nefarious ways. As a domain name owner with data in WHOIS since 1994, I can assure you that none of the current concerns about phishing and other efforts based on WHOIS data appear to be grounded in reality."
Had the "sunset" been allowed, registrars would no longer have been bound by contract to make their authoritative data available to the Whois database. That measure was defeated, though late tallies of that vote today differed.
Whatever ICANN's board of directors eventually chooses to do, it will inevitably disappoint somebody, perhaps to the extent of declaring the entire Internet infrastructure corrupted. For that reason, ICANN contributor Danny Younger posited a fourth option: a kind of compromise which he calls the "Natural Persons Proposal."
"This proposal posits only one change to current WHOIS policy," Younger wrote to ICANN: "During the registration process, registrants will declare that they are either: A. Natural persons who will use their domains exclusively for non-commercial activity; or, B. Another type of registrant." ICANN noted Younger's proposal in its summary of OPOC comments.
For members to support Younger's proposal, they might have to vote to postpone discussion of OPOC (Motion 2). But whether that means Motion 3 (to "sunset" the existing Whois provisions) can still carry is unclear. In Los Angeles this week, it appears the devil is not only in the details, but that it's taken up residence there...under an assumed name.