June 25, 2003

Privacy in Domain Name Registration

Filed under: phone — Wendy @ 8:52 am

Karl Auerbach is here in Montreal, adding notes on WHOIS and privacy to his CaveBear Blog. I particularly appreciate his proposal to establish a truly anonymous domain name registration service, capturing only technically relevant data:

I hope to run an experiment soon in which people can register names anonymously and without the retention of any contact information whatsoever - control of a name would be in the form of a digital certificate, a kind of bearer bond.

Thomas Roessler, also here and blogging many of the sessions, shares concern over privacy in WHOIS records, and busts a few strawmen.

Internet Exceptionalism Dominates ICANN WHOIS Panel

Filed under: phone — Wendy @ 5:27 am

Discussion on the first panel of ICANN’s WHOIS Public Workshop has been heavily skewed toward “law enforcement and intellectual property interests.” Speakers from the U.S. Department of Justice, OECD, and WIPO have emphasized their “need” for WHOIS data including names and contact information of domain name registrants in order to pursue alleged infringers, fraudsters, and criminals doing business online. Due Process to the accused is too inconvenient, it seems.

According to John LoGalbo, U.S. DOJ, law enforcement needs public access to accurate WHOIS data. It’s not enough to give access to law enforcement officials, for once public access is restricted, then law enforcement must use legal process to get at it — the delay of legal process is unacceptable. What is it about online activity that justifies such prior restraint (forced identification of speakers online that we wouldn’t accept in other media)? The speed of “harm” from online speech.

OECD has privacy guidelines, but its representative here, Michael Donohue, thinks that consumers use WHOIS data to investigate websites before doing business with them, and that this purpose warrants a data disclosure requirement. This analysis ignores that good business will want to spread their reputation by whatever means available, and don’t need the WHOIS database, while bad businesses will fake “reputation” wherever they can, including in WHOIS. WHOIS shouldn’t be the Better Business Bureau.

Please, folks. The Internet doesn’t eliminate due process concerns. We’ve developed extensive procedural protections precisely because we value individual freedoms of privacy and presumptions of innocence. The burden of official justification is not an accident, but a basic component of liberty from unjustified investigation.

There are some welcome voices on the other side:

Sarah Deutsch, Verizon: “Convenience” doesn’t cut it. Law enforcement still needs to use fair process when it demands access to data.

Jeff Neuman, Neustar registry, notes that various national privacy laws conflict with ICANN WHOIS disclosure mandates: “Do we break the law to provide this WHOIS information so that you may catch others who break the law?”

Diana Alonso Blas, European Commission: Build privacy protections into the system. Think about limiting collection and access, auditing use of the data collected.

Paul Stahura, eNom: Availability of privacy (including proxy services) increases accuracy. The bad guys will always put in false info, but the good guys are more likely to give real data if they know it will not be disclosed haphazard.

Tom Keller, Schlund: Privacy is a right, not something for which registrants should have to pay extra.

Powered by WordPress