DNSO Mailing lists archives



RE: [ga] Bulk WHOIS Data Issue


Continuing with my prior thoughts, based on weighing the costs and
benefits of switching to "absolute privacy", and the notion of
"personal responsibility", I offer up a couple of links.

First, here's the experience of the OECD, with regards to one of their
domain names:


Secondly, I offer the example of the Canadian registry's agreement, at:


and in particular the words in section 4 (the kind of information
disclosed to the public), Registrant obligations in section 3
(especially legal ones), and also highlighting 3.1(n)

"(n) be wholly responsible for the use and operation of any third,
fourth, or further sub-level domain to any second level Domain Name
Registration in the Registrant's name and the Registrant shall ensure
that the use and operation of any such sublevel domain is conducted in
compliance with this Agreement;"

Having presented these, let's consider the arguments of those
advocating absolute privacy in WHOIS data. The OECD suffered damages
because of the fake registration data of "ocde.org" (the French version
of oecd.org, that had been taken by a pornographer, and habitual
cybersquatter), and this is undeniable. Furthermore, the innocent
individuals who were named in the WHOIS (i.e. not the name of the true
registrant -- the cybersquatter used names of previous victims!)
suffered damages of being hassled even more, by those who thought they
were the true owners. The actions of the Registrar were quite
unhelpful, and time was not "of the essence" in their behaviour.
Ultimately, what moved things forward towards a favourable outcome was
that the registrant was being forced to put TRUE and PUBLIC contact
information into the WHOIS database. Instead of doing that, the
cybersquatter chose to hand over the domain. The cybersquatter is
*still* at large. I am sure he or she would be quite pleased by the
"absolute privacy" arguments being made by a few advocates on this

I think it is undeniable that having this absolute privacy become
standard would only encourage and embolden those who seek to commit
abuse and use the domain name irresponsibly, as it raises the costs of
those who need to identify them, creates time lags, and increases the
damages that take place due to those greater time lags. Thus, not only
would there be a greater number of abusers (since it is much "cheaper" in
a sense, for the abuser to hide behind anonymity, thus opening the
market to more abusers), the damage from each instance of abuse would
be higher.

The second example above, CIRA's document, is just a reminder that
we're a society governed by laws. Some advocates seem to be taking the
position that they have absolute rights to certain privileges, without
having to take the commensurate responsibilities for those privileges,
or making it extremely difficult and costly to enforce those
responsibilities, for minor personal benefit.

Some on this list are nothing more than advocates, in my view. What
separates decision-makers (leaders), from simple zealots and advocates
is that decision-makers judge issues by weighing the facts. In an
economic and policy framework, this involves making certain
compromises, and looking at the costs and benefits of certain choices.
This allows one to come to a reasoned decision, instead of "religious"
decisions of absolutist zealots.

<rant mode on>
For the peanut gallery, if it be a sin to covet logic and reason, then
I'm the most offending soul alive. :) A sound and reasoned economic
framework doesn't make one "audacious", unless you mean the definition
"contemptuous of religion", where one is arguing with those who see
their positions as coming from God, and present no further arguments
rather than "it's in the Good Book". Insinuating a relation to
terrorists is ludicrous, and as William Walsh put it best "we expect
more from you".
<rant mode off>

Some of the privacy advocates actually attempted to make a positive
contribution, by presenting some arguments as to the benefits of
greater privacy. Joanna Lane rightly brought up the personal safety
argument. I am in 100% agreement with her that personal safety is an
important issue. I personally know of individuals who've suffered from
violence, and know that the effects of those acts have a lasting legacy,
not only on themselves, but on their families, friends, and society at
large. No one should have to live in fear.

However, I think Joanna then goes a bit too far (perhaps for dramatic
effect -- debates are entertainment, for some). Citing statistics about
1 in 5 children being solicited online is all good and well. Then
beating one's chest that "we're concerned about the CHILDREN", as
though anyone else who might put up an opposing argument is some
monster. These are motherhood issues -- issues that everyone agrees on,
and you're attempting to preach to the choir (I can almost hear the
violins playing!). However, to go on and then demand a right to
absolute privacy, making the implicit assumption that the benefits in
terms of personal safety are INFINITE, and incalculable, and that all
other considerations are moot, reveal oneself to be a bit naive.

The benefits of personal safety are NOT infinite. If they were, the
average car would cost $1 million, and everyone would own $250,000 home
security systems, and would be wary of leaving their house at all. The
reality is, folks make decisions (implicitly, using costs and benefits,
and risk analysis) everyday about personal safety, when they step into
their car, when they decide to buy a new TV instead of spending the
money on a security guard for their home, etc. Providing online
examples, how many people use PGP for security of their emails? Or,
similar encryption/digital signing, to provide some protection against
identity theft? Too few people signed up for Zero Knowledge's
"Freedom.net" project, to have anonymity which was only priced at
$50/yr. And I go back to my examples of the average person who will
give up their privacy for a $5 Amazon.com coupon, or a minuscule chance
of winning a prize in a lottery.

I think it is even a fallacious argument that improving the privacy
will have an enormous impact on the issues Joanna raised. Statistics
can be misused, to become fear mongering. Most rapists, for example,
are already friends or relatives of the victim, sadly. Removing a few
WHOIS details is no replacement for parental supervision of children.
While the "anonymous stranger" mentality is good for fear mongering in
the media, it's out of step with reality. If 1 in 5 children have been
solicited online, shouldn't it be like "shooting fish in a barrel" to
catch those online criminals? Yet, the facts are those offenders are
*drawn* into the anonymity of the online world, and increasing their
anonymity only will embolden them further! Creating that link to the
offline world keeps things "real", and enhances personal
responsibility. A few anarchists are in favour of total lack of
personal responsibility online, but most members of society choose to
be governed by law.

For some of the older ones on the list, we remember the days of rotary
telephones, and without the caller id to see who was calling. Remember
how many harassing phone calls people used to get (e.g. deep breathing,
etc)? Telephone companies can verify that once the technology reduced
that anonymity, folks became more responsible, and abusers sought out
different places to commit abuse. (the telephone metaphor is only being
used in a limited sense, as it's a 1-to-1 technology, and much less
powerful than an internet technology)

Even though economics is my religion (just kidding; I do believe in
God!), I do agree that Joanna raises a valid concern. How can this
concern be addressed then? As decision-makers, what is the compromise?

Clearly, the "absolute privacy" isn't a compromise. It would only
represent a compromise IF the responsibility for damage resulting from
abuse become shifted to the registrar or registry (which would have
alleviated the problem in the OECD example). This is probably
unrealistic, for most registrars, and more than they signed on for when
they became registrars. Ultimately, society at large needs a way to be
able to legally "serve" a legal person (i.e. an individual, a
corporation, etc.) when the need arises. 

The compromise proposed by Jeff, i.e. a single email address, is
interesting. i.e. in the WHOIS, all that would be present would be
"EXAMPLE.com" and "postmaster@EXAMPLE.com". The pitfalls of this
proposed solution are that we're not ready for it, yet, as a planet. I
believe one court in Texas allowed "service" of a legal document to an
email address of a domain holder, where all other avenues had been
exhausted. However, the law in this area is VERY new, and needs to be
worked on internationally. Furthermore, e-mail is not a technology with
guaranteed delivery. Even in the OECD example, the registrar was
willing to wait 10+ days to hear from the registrant in response to an
e-mail only inquiry -- this recognizes that in this day and age, people
do not check their email regularly, except for those advanced ones
(like ourselves perhaps), who are checking things continuously. In 20
or 30 years, when all nations have supplied unique e-mail addresses to
their citizens with guaranteed delivery/receipt mechanisms, which are
recognized as being sufficient for "serving" legal processes, I think
Jeff's proposal would work. Unfortunately, we're not there yet (I wish
we were, and that technology would catch up to our imagination!).
Perhaps the slow pace of technological progress is helpful, as it
allows the rest of society's institutions enough time to catch up to
our imagination....

What compromise do I envision? I've mentioned it in the past, but let
me expand on it. Firstly, we don't *need* all the present info that is
in the WHOIS, to achieve a desirable balance in the costs/benefits of
privacy. For instance, who needs a public billing contact? That's
between the registrar and the registrant, and could be kept private (or
optionally be made public). A technical contact? While it could be
helpful to some people, in some cases, the technical contact is of most
importance only to the registrant (and could be optionally made public,
at the registrant's whim). That leaves us with the administrative
contact (i.e. owner). For them, sufficient info (name, address, phone
number, enough details to be identified and legally served a process,
as recognized by international law) should be minimized, in keeping
with international law developments (e.g. once international law
recognizes e-mail as sufficient, then we move to Jeff's solution).

I think from a policy point of view, allowing a 3rd party to be the
administrative contact could work, as long as from a legal point of
view it is recognized that the 3rd party is "responsible" (i.e. it is
sufficient to contact only them, and if they represent someone else,
it's their own problem to deal with contacting that person, and acting
if they can't reach them, etc.).  This would work within the framework
of the CIRA text above, and also within the framework of international

Who would that third party be? It's up to the owner of the domain (i.e.
the registrant). It could be themselves, i.e. self-representation. For
most people and corporations, that would likely be their pick -- they
have nothing to hide and don't place a high value on the extra privacy.

For others, they might choose a friend, a lawyer, or even the registrar
itself (if the registrar is willing to take on the risk, and is
compensated). For instance, a friend of mine wanted a domain, and I
registered it on her behalf, and put "Domain Trust" as the contact,
with my own corporation and personal address and details in the contact
info. If there's someone to be contacted for any reason about the
domain, I can handle things, and help preserve her privacy. I am
legally responsible should abuse originate from the domain. The cost of
providing this "service" to her? Absolutely zero. For a registrar?
Perhaps a few pennies or dollars -- most registrants are not abusive,
and have a relationship with the registrar or reseller, or would be
quick to end abuse if they are responsible for ending it, and couldn't
point the finger to someone else (like in the OECD example).

A few people might say "well, that's not good enough, I demand ABSOLUTE
privacy". I have no sympathy for those people, unless they tell me how
much (monetarily) they value their privacy. Suppose they repeat the
mantra that it's of "Infinite value" -- then, they should just pay the
$5 or whatever it'll cost to have a representative agent be in the
WHOIS information, and then spare us the whining. If instead they say
"I value my privacy at $2, and $5 is too expensive for that extra
element of privacy", my reply is "then don't waste our time quibbling
over things you don't value, and let's return to real issues, and not
religious ones."

Note that the above compromise can also be implemented by adding a
brand new contact ("legal contact"), and then hiding all current
contacts (administrative, technical, billing). 

Reading through the other posts, I think Kristy brings up a good point,
as to the Bulk access (we kind of strayed a bit, once the "absolute
privacy" zealots entered the fray). Maybe there'd be a way to do things
like Verisign's bulk access agreement when getting access to the zone
file, for port 43 WHOIS access. This would reduce the amount of
"harvesting" of the WHOIS data by spambots. If registrars were able to
seed a few fake domain names with unique fake registration data (as
physical mailing lists do), and then catch abusers red-handed and hold
them accountable if they break the WHOIS port access agreement, things
would be rosy indeed. There's no replacement, though, for strong
anti-spam laws.

Reading through even more posts, people seem to be struggling for
metaphors. The telephone example tends to be overused. If we look at
the example in trademark registries, there's sufficient "whois" data
for a trademark to be able to serve someone. Individuals, companies,
and other entities register trademarks, without some of the personal
safety issues that freak out some individuals. Trademarks represent
division of a public resource/namespace, like domain names. Similarly,
in the case of licensing of radio or TV stations -- it's made easy for
the public to look up the owner of that frequency/station.
Registrations of corporations, personal businesses, etc. are another
metaphor. Some folks seemed to have attempted to make the domain itself
a unique legal entity unto itself, and that argument is deeply flawed.
One can't "serve" a domain or find it responsible for itself.

In conclusion, I hope folks who contribute further to this thread try
to focus on costs and benefits, and come up with workable compromises.
Other examples of "benefits" to greater privacy are always welcome, so
we can try to come up with an even more satisfactory solution.

And that's my audacious post for today. :)


George Kirikos

This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html
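
Added example, not part of the original message or of any registrar's code: the message's idea of seeding fake domains with unique fake registration data, sketched in Python so that mail arriving at a seeded address identifies which party to the access agreement harvested it. The key, trap domain, licensee names and per-licensee seeding are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumptions (not from the post): the registrar keeps SECRET private, owns the
# trap mail domain, and returns a distinct seeded contact to each party that
# signed the access agreement. All names and values here are constructed.
SECRET = b"constructed-demo-key"
TRAP_DOMAIN = "seed.example"
PREFIX = "hostmaster-"


def seed_tag(licensee: str, domain: str) -> str:
    """Keyed tag unique to (licensee, seeded domain); unguessable without SECRET."""
    msg = f"{licensee}|{domain}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def seeded_record(licensee: str, domain: str) -> dict:
    """Fake registration data served only to this licensee for a seeded domain."""
    email = f"{PREFIX}{seed_tag(licensee, domain)}@{TRAP_DOMAIN}"
    return {"domain": domain, "admin_email": email}


def attribute(recipient: str, licensees, domains):
    """Map the recipient of unsolicited mail to (licensee, domain), else None."""
    local, _, host = recipient.strip().lower().partition("@")
    if host != TRAP_DOMAIN or not local.startswith(PREFIX):
        return None
    tag = local[len(PREFIX):].encode()
    for lic in licensees:
        for dom in domains:
            if hmac.compare_digest(tag, seed_tag(lic, dom).encode()):
                return lic, dom
    return None  # trap domain hit, but not an address we ever issued


def tally(recipients, licensees, domains) -> dict:
    """Count seeded-address hits per licensee across a batch of mail recipients."""
    hits = {}
    for rcpt in recipients:
        match = attribute(rcpt, licensees, domains)
        if match:
            hits[match[0]] = hits.get(match[0], 0) + 1
    return hits
```

Because the tag is keyed, a harvester cannot forge an address that implicates another licensee, and guessed addresses at the trap domain fall through to `None`.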
