ICANN's War On Whois Privacy
from the don't-let-them-win dept
If you follow internet governance issues at all, you know that ICANN is a total freaking mess. It’s a dysfunctional organization that has always been dysfunctional, but remains in charge because of the lack of any reasonable alternatives. ICANN frequently seems to be driven by powerful interests that are just focused on squeezing as much money as possible out of the domain system, and appears to have little appetite for being what it should be: an independent body protecting the core of the internet. As if to put an exclamation point on that, it appears to now be going to war against basic privacy. Here are two separate, but somewhat related, examples.
First up, we have EasyDNS, who last month didn’t beat around the bush in explaining just how ridiculous ICANN’s new Whois Accuracy Program (WAP) is. The company noted that it regretted renewing its ICANN accreditation, even though it’s necessary to register domain names. As EasyDNS notes, the whole WAP program is insane, and is almost designed to force domain owners to lose their domains — especially if they want to keep a modicum of privacy. Under the program any time you change or renew your domains, you now will get an email requiring you to “verify” your whois data. As EasyDNS notes, since it’s an email, it’s designed in a way that looks very much like a phishing attempt, meaning many domain holders will ignore it. And if you ignore it… within 15 days, your registrar is supposed to suspend your domain. That program went into effect yesterday, and I imagine it won’t be long before we hear the shrieks of pain as it impacts website owners. As EasyDNS notes:
You can thank ICANN for this policy, because if it were up to us, and you tasked us with coming up with the most idiotic, damaging, phish-friendly, disaster prone policy that accomplishes less than nothing and is utterly pointless, I question whether we would have been able to pull it off at this level. We’re simply out of our league here.
But, that’s not all! The good folks at Namecheap (who have sponsored us in the past here on the blog) have sent out an alarm (along with the EFF and Fight for the Future) over another proposal from ICANN concerning privacy and proxy services that many domain owners use to keep their information private. This is necessary these days, in part, because as anyone who owns a domain knows, that information gets scraped and you get spammed. A lot. And also, sometimes, people say things on the internet that they want to be anonymous in saying. And proxy services help you do that. But ICANN is effectively trying to kill that. Namecheap has put together the site RespectOurPrivacy.com to explain the issue and to ask people to tell ICANN to reject this proposal — which was put together by MarkMonitor. Yes, MarkMonitor, the company famous for being engaged in all sorts of bogus censorship and takedown requests:
Under new guidelines proposed by MarkMonitor and others who represent the same industries that backed SOPA, domain holders with sites associated to “commercial activity” will no longer be able to protect their private information with WHOIS protection services. “Commercial activity” casts a wide net, which means that a vast number of domain holders will be affected. Your privacy provider could be forced to publish your contact data in WHOIS or even give it out to anyone who complains about your website, without due process. Why should a small business owner have to publicize her home address just to have a website?
We think your privacy should be protected, regardless of whether your website is personal or commercial, and your confidential info should not be revealed without due process. If you agree, it?s time to tell ICANN.
That site has more info and shows you how to contact ICANN to protest this move.
You can also look directly at the proposal itself, which notes that this view is not universal and there is disagreement over where the final rules will end up, but some have argued that:
“domains used for online financial transactions for commercial purpose should be ineligible for privacy and proxy registrations.”
If MarkMonitor’s involvement didn’t tip you off, this is really a proposal of Hollywood who hates the fact that people can be anonymous online. It was presented to Congress last month by Steve Metalitz under the guise of the “Coalition for Online Accountability” — a “coalition” made up of the MPAA, RIAA, ESA and SIIA (all copyright extremists). If you recognize Metalitz’s name, it’s because it’s come up before. He’s one of the entertainment industry’s favorite lawyers, who helped push ACTA, SOPA and other bad copyright proposals. And now suddenly he’s “concerned” about online accountability? Really? The main goal of the proposal is to destroy anonymity online by only allowing it in cases Hollywood approves of. In his presentation, Metalitz noted that there is only a “legitimate role for proxy registrations in limited circumstances.” Have you applied for your special license to be anonymous yet? The MPAA and ICANN need to approve it first…
Hopefully ICANN backs away from these plans and starts to get its act together. ICANN could and should be a powerful force in favor of an open internet with strong privacy protections — and not encouraging programs that require giving up your privacy just to have a domain name.
Filed Under: icann, privacy, proxy, registrations, verification, whois, whois accuracy, whois accuracy program
Companies: icann
Comments on “ICANN's War On Whois Privacy”
Color me skeptical
Given ICANN’s history, I’d consider that something of a minor miracle. But yes, I share in the hope.
This is yet another step in the ongoing effort to turn the internet away from being a many-to-many medium to a one-to-many medium like cable TV.
Re: Color me skeptical
they will never turn the internet in cable TV but also I don’t see this passing at all, it wont take a miracle there is already huge outrage over this and its also unworkable
In other words apply for a bit of privacy, and promptly get demands from the copyright trolls as an assumed pirate.
Gray market business opportunity
If this passes, I suspect that we’ll see gray market proxy services pop up. In the end, the real difference will simply be that you won’t get this privacy protection from your registrar, but you’ll still be able to get it from someone else.
Re: Gray market business opportunity
I do believe most of the privacy companies are already listed as separate entities from the registrar.
Example:
http://www.whoisguard.com/
https://www.domainsbyproxy.com/default.aspx
Re: Re: Gray market business opportunity
Ahh, my registrars have always provided mine so I never looked further. Thanks!
What about correcting whois info?
Try correcting your whois info sometime and see what hoops you have to jump through. Our owner could not believe he had to submit his personal utility bills to correct our business whois information.
Re: What about correcting whois info?
At least you could find out who to contact, I’ve run through hoops trying to determine what reseller had purchased the domains from the accredited registrar. Basically, employee is fired and has all domain information, and the company can’t even find out that poweryourname.com is the purchasing party from web.com. Perhaps this was just a shoddy employee at Network Solutions/Web.com, but with their track record I doubt it.
Re: What about correcting whois info?
This might be something that depends on which registrar you use. I’ve never had a problem with modifying my whois records at all, but I avoid the big nasties such as GoDaddy.
You'd be slightly more credible if didn't support Google surveilling everyone everywhere on the net.
But since Techdirt has tons of Google’s javascript (just save a complete page and look!), with the purported bad enough purpose of targeting advertising, which in fact is collated and used to identify persons everywhere on the net, and which gives NSA “direct access”, then as usual you have zero credibility to rail about “privacy” for commercial interests. Since when does Google respect MY privacy? It’s unavoidable. You can’t even “opt out” unless Google can identify you! — Or Techdirt? You claim can do anything you want with names and other info!
Oh, but requiring businesses to fill out an email, that’s tyranny!
As ever for Masnick, he only worries that commercial interests might be a little incovenienced, with no concern for the public, let alone for scams and other known problems.
Every time “business” comes up seems Masnick never heard of commercial law and that businesses are licensed entities that have intrinsic NO rights, are NOT persons, are subject to vast number of constraints and requirements. Masnick comes across like Mitt Romney, simply doesn’t understand that ordinary people rightly regard businesses as predatory.
Re: You'd be slightly more credible if didn't support Google surveilling everyone everywhere on the net.
I’m sorry, but we must censor you. Speaking truth to power is not allowed here.
Open Public Comment period for WHOIS at ICANN
The Whois Accuracy Program Specification Review remains open for public comment on the ICANN website through the 3rd of July 2015. This topic, and other topics open for comment can be found here. In order to leave a comment with ICANN, you will need to register with their site.
A summary of the review process ICANN is conducting with respect to their Whois Accuracy Program can be found here. Note that this is actually a review of the program that was proposed in 2013.
“If you follow internet governance issues at all, you know that ICANN is a total freaking mess.”
Yet the US government is set to transfer ownership of the DNS root to them in September, and nobody’s doing anything to stop it.
Re: Re:
Yet the US government is set to transfer ownership of the DNS root to them in September, and nobody’s doing anything to stop it.
I don’t have as big a problem with that as some because the alternatives are even worse. And it’s not really “transferring” ownership, it’s just making explicit what has really been the case for a while.
Re: Re: Re:
As things now stand, ICANN’s contract with the government could be left to expire and the government could grant administration of the DNS root to a different organization. The proposed transfer in September would rule this out, so it’s a transfer of ownership in every sense that matters.
The US government is accountable to its people in ways that ICANN is not. I can think of worse organizations than ICANN to manage the DNS root (United Nations, for instance), but there’s no way ICANN is the best of all possible stewards.
I’d prefer an organization whose primary reason for adding new TLDs is not to bring in more revenue. I’d prefer an organization that won’t grant registries like ICM monopoly control of an entire TLD category*. I want strong freedom of speech guarantees and protections against vicarious liability of any kind. I want a DNS system that can’t be manipulated by censors or special interests. I want the Internet equivalent of strong constitutional guarantees.
* ICM Registry’s (.adult, .sex, .porn, .xxx) CEO Stuart Lawley recently said: “When ICANN announced the new gTLD program, we felt a sense of obligation to ensure that we continued to provide that type of space in any of the adult-oriented TLDs that grew out of ICANN’s new program; we did not want adult-oriented TLDs to get into the wrong hands.”
Re: Re: Re: Re:
I nominate the IETF. I wish they’d just summon up the will power and take it. They’re the only org that appears to know how it all works right down to the nitty gritty level, and ICANN (those in charge of it) wouldn’t have a clue what happened nor how to get it back.
Problem solved.
And this is why we need projects like namecoin so we aren’t subject to this sort of cronyism
Meh, it has some merit, well in theory
Heres the benefit I see with the “respond to email or lose your domain”…domain squatters. There are literally millions of domains that sit, unused and who’s only intent is to hope someone wants the domain at some point so they can try and sell it.
As a dev that has tried so often to find domains for my clients, it’s beyond frustrating.
If not this proposal then something else to free up parked domains.
Re: Meh, it has some merit, well in theory
I think the main beefs are the phishing-like mail, the only 15 days response period and the very bad registration processes.
All of which only require minor changes on the side of ICANNs policies. The thoughts behind it may be good enough, but the execution is beyond terrible.
Re: Meh, it has some merit, well in theory
“If not this proposal then something else to free up parked domains.”
How would this proposal address parked domains? If people are sitting on domains so they can sell them, then they’re already telling people how to get in touch with them (how else could people make a bid?)
Also, not all parked domains go unused. I had a domain for years that was “parked” in the sense that it didn’t lead to a website because it was solely for email purposes.
Nineteen eighty-four!
Re: Re:
ITYM 1984. Big Brother had a plan and procedures worked out to implement said plan. ICANN is just another loose cannon, rolling around beneath decks, smashing into whatever’s in its way, grasping at things it considers shiny. Leviathan.
Bravo, USA! Good job. Mission accomplished!
MarkMonitor and SOPA
“Under new guidelines proposed by MarkMonitor and others who represent the same industries that backed SOPA”
FYI, MarkMonitor is where Wikimedia moved its registrations to when it left GoDaddy in protest of GoDaddy’s support of SOPA. Wikimedia’s domains (including wikipedia.org) are still there.
The article is FUD.
Re: MarkMonitor and SOPA
What? As far as I know, unless there are two companies with the same name, ‘MarkMonitor’ is not in the business of hosting or registering sites, so the idea that Wikimedia would move it’s registrations to them makes absolutely no sense.
No, MarkMonitor is one of those ‘anti-piracy’ companies the promise that their accuracy is top notch at spotting piracy, while at the same time showing that it’s more along the lines of the accuracy you’d expect a drunk, blind person who’s never held a gun in his life to exhibit.
Re: Re: MarkMonitor and SOPA
MarkMonitor is also a registrar. They package it as part of their “brand management” service.
Re: Re: Re: MarkMonitor and SOPA
Learn something new every day I guess. Still, from GoDaddy to MM? Talk about from the frying pan into the fire.
“since it’s an email, it’s designed in a way that looks very much like a phishing attempt”
Huh? Since it’s an email? As opposed to …. what? Registration renewal reminders are usually sent by email, reigistration payment confirmations are usually sent by email, domain transfer steps are usually reported by email. What other method would there be? Text messages might be phishing. Would FB posts be better? Tweets?
I really fail to see why an email reminder is by definition a problem. My mortgage company reminds me by email to update property insurance information. Credit card firms remind us by email to update contact and other information. Credit car firms email us depending on the alert conditions we want. Banks ditto. I would expect that a person who is so technically-literate as to be able to register and pay for a domain to be able to recognize a phishing email if they see one exactly as they are already probably doing for fake bank emails etc (And if not, then education is needed, not shroud-waving and freakouts about teh evil email spammers).
Re: Re:
You can change the look of the e-mail, which is the thing here. Good e-mail etiquette today:
No hyperlinking. That is inevitably suspicious.
Registration-scams are very common. Don’t make the formulation too demanding.
Don’t insinuate that you need personal information in the mail. Firstly those informations should only be given in safe channels and second it is suspicious.
Use a more respectable timeframe for answering. Using a low timeframe is often used by phishing to force people to make a fast decission.
So you can do plenty to make the mail believable.
Re: Re:
Any email that claims my lack of immediate action will result in some negative consequence is immediatly ignored and deemed phishing.
Some examples:
“We need to verify your account information in order to continue using your apple ID” – I do not have an apple ID
“Please confirm your Paypal Debit mastercard to avoid account closure” – Do not have a paypal account
“The check bounced and Joe from accounting told me to contact you” – We have no Joe in accounting
“Verify your whois or your domain will be suspended in 15 days” – will be treated as phishing too
Re: Re: Re:
“ny email that claims my lack of immediate action will result in some negative consequence is immediatly ignored and deemed phishing.”
This. Also, any email that contains links is immediately suspected of being a phishing attempt — but it’s not a slam-dunk rejection like “you need to take action immediately” emails.
I’d suggested one solution to EasyDNS: have a way to verify the information from the domain’s information page in addition to the e-mail, so when you got one of those e-mails you could simply log in to EasyDNS as usual and check the domain information to see if verification was really required. That’d comply with ICANN’s spec and allow those that care about it to avoid phishing attempts at the same time.
Re: Re:
And for the people who thingk the email notification is a phishing email thus are unaware its real….They will magically somehow know they need to go log into EasyDNS and verify the whois?
If I logged into some provider every time I got some scarry email threating account closure I would never have time to get any real work done.
Re: Re: Re:
All the service providers I use have an RSS feed of their blogs where they post information like this policy change. I subscribe to them and put them in a Providers feed so I can keep up with things I may need to know about. If someone owns a domain and isn’t keeping up with what’s required of a domain owner in some fashion… tough, that’s what happens when you don’t pay attention to your stuff.
As for scary emails, most of them are obvious fakes (I don’t have an account there, wrong email address, obviously bogus source and so on). When I get one that isn’t an obvious fake, yes I do check my account to make sure there isn’t anything I need to take care of. It doesn’t happen that often, maybe once every couple of months, so it’s not a big deal.
Re: Re: Re: Re:
Wow, people actually read service provider blogs/RSS feed?? I learn something new every day!
How to define commercial activity?
1. Will registrars perform any kind of checking that a site really is commercial in nature? Or will a single complaint result in an automatic, unverified DNS-level take-down?
2. Will a single advertisement turn a site into a commercial site?
3. What punishment will there be for false claims (answer: none)?
Re: How to define commercial activity?
Yeah. Bordering such vague and heavily market-distorting rules is a bitch.
We are eventually back to having to trust ICANN on this. That, on its own, is unsettling.
Re: How to define commercial activity?
Yeah, I love how they just say “commercial websites” as if that’s some kind of definitive thing that is easy to determine. I suppose that in the eyes of the MPAA/RIAA, it is: they have long asserted that even a single ad makes the site “commercial”.
Which is one of the many reasons why they have zero credibility.
Nobody has checked the Annex E – Illustrative Draft Disclosure Framework for Intellectual Property Rights-holders?
You know, no court orders/subpoenas or anything similar, the information of the registrant gets disclosed on alleged copyright/trademark infringement allegations.
Or at best, your provider might give you the option to terminate your domain name (he might blacklist you, tho).
It also intrudes in national laws, in some countries you can’t disclose private information just because, you need a court order to do so.
There are courts for something: their job is to determine wether something is infringing or not, and it’s always defensible. That shouldn’t be neither the ICANN or the Registries’/Providers’ job.
They say so in the paper too (in the last statement against it), that the ICANN is intruding in national laws, and that customer privacy shouldn’t be compromised just because someone made a copyright infringement allegation. They also comment that it goes against ICANN’s policies about not considering the content.
I think it’s the trojan horse they want to get through in this proposal. Still, it’s strange (well, it isn’t, actually) that only get that detailed procedure while other issues, such as LEA related ones, don’t have such procedure.
Btw, what’s the timetable behind this? In the paper they only mention January 1st 2017 as the date where some provisions apply, but not sure about the rest.
Also, I see many site operators eyeing .bit domains and similar services instead of using ICANN related domain registries/registrants.
Not sure if there is such a provider (registry, privacy or proxy provider, I mean) outside that jurisdiction that can tell ICANN to go fuck themselves. Anyone knows?
Re: Re:
Country-code TLDs aren’t regulated by ICANN (unless the domain registry chooses to use their policies). One could always purchase a ccTLD instead of a .com, .net, or any of those eleventy-billion new gTLDs that have launched over the past year.
Even under the previous (2009) Registrar Accreditation Agreement, a registrar was still obligated to investigate WHOIS inaccuracy issues. A failure to respond by the registrant within 15 days was still considered a breach of the agreement and the registrar would be obligated by their contract with ICANN to take action.
The new program just forces registrars that have signed the 2013 RAA to be a little more proactive about domain suspensions.
As an example, here’s what ICANN asks from a registrar when they send an invalid WHOIS report under the 2009 RAA:
Dear ,
ICANN received the Whois Inaccuracy complaint below. It claims that the contact information associated with the domain name below is inaccurate:
As required under Section 3.7.8 of the Registrar Accreditation Agreement (RAA), please take reasonable steps to investigate this Whois Inaccuracy claim; and, where appropriate, correct the contact information, suspend or delete the domain registration.
To demonstrate compliance, please indicate which option below describes the actions taken by your registrar on or before :
1. Your registrar confirmed that the reported inaccuracy was corrected.
2. Your registrar obtained satisfactory verification from the registrant that the data was correct.
3. Your registrar suspended, deleted, cancelled or otherwise deactivated the domain name.
4. Your registrar did not investigate the inaccuracy as Section 3.7.8 of the RAA requires.
If 1 or 2 above applies, please provide copies of any correspondence between your registrar (or reseller if applicable) and the registrant – including the registrant’s response and any dates, times, means of inquiries, telephone numbers, email addresses and/or postal addresses used – while investigating this Whois Inaccuracy claim in accordance with Section 3.4 of the RAA.
Please send the information and records requested above via reply email (no more than 4 MB total) and do not change the email subject heading. Please provide records as attachments in .TXT, .PDF, or .DOC(X) format.
For your reference, please find below the link to the RAA:
2009 RAA: http://www.icann.org/en/resources/registrars/raa/ra-agreement-21may09-en.htm
——–
You’ll notice that the registrar doesn’t really have the option of doing nothing, without risking escalation of the issue.
Unfortunately, ICANN also doesn’t do any kind of due diligence on these reports. Any random person can submit and invalid WHOIS claim, and even if there’s nothing wrong with the WHOIS info, a registrar can be forced to suspend the domain if the domain owner doesn’t respond to an inquiry.
It’s pretty sucky all around.
Re: Re:
Personally, I think that none of that is the objectionable part. The objectionable part is the proposal to make using a privacy proxy against the rules.
It’s hard to understand what the legitimate reason for that proposal is. The reason for the inclusion of contact information is to allow people to contact the domain owner. Using a privacy proxy does not prevent that.
Just another nail in ICANN’s legacy DNS system coffin. The more draconian ICANN becomes, the faster an alternative DNS system that’s resistant to censorship will become popular.
I’m not worried. Bring it on ICANN. The future looks bright for censorship resistance. =)
All the corruption money i(can)n buy...
I’m starting to think that the members of ICANN have lately opened accounts in Switzerland, in order to hold the very large amounts of graft they’re receiving from Hollywood, the Federal Governments of the Five Eyes nations, and most of the other “should have been extinct 50 years ago” Internet-hating institutions the world over.
—
ICANN verifications
ICANN, if you’re reading this, GO FUCK YOURSELF!!
This article and this website are propaganda operations serving the exact opposite purpose than they claim:
1. Obviously denying “privacy” to commercial sites in no way requires Jane Doe to reveal her private address as claimed. That is a disgraceful lie.
2. Obviously there is no issue of personal privacy involved.
3. This site admits being sponsored by NameCheap, a notorious pirate that provides CONCEALMENT to copyright pirates, financially ruining hundred of thousands of copyright owners.
The owners of this website and NameCheap should be jailed for criminal collusion to steal copyrighted work. Everything they own should be seized and sold for compensation of damages.
CONDEMN this website and NAMECHEAP and support the ICANN proposal!