PPSAI Working Group Initial Report (id:jdw3)

[Jeff Wheelhouse <jdw@xxxxxxxxxxxxxx>]

The working group report discusses at some length the difference between 
Disclosure and Publication of the registrant's contact information and under 
what circumstance each is appropriate.

Of the two, Publication is much simpler.  Publication is impossible for an 
independent domain privacy provider.  It can only be performed by the 
registrant, the registrar, or the registry.  Keeping that in mind, there is 
exactly one circumstance under which involuntary Publication is appropriate: 
termination of the domain privacy provider's service.  (Whether for nonpayment 
or for some violation of the domain privacy provider's terms of service.)  
Beyond that, if the registrant is paying for the service, has abided by the 
terms and conditions of that service, and the service's relay process can reach 
them in timely fashion, that information is valid and they are entitled to use 
it in the whois database.  Any proposed policy to the contrary is inherently 
unconscionable.

Regardless of the stated reason, the effect of Publication of a registrant's 
information for any reason derived from the content of a site in the domain is 
to invite harassment from the public.  It is the 21st century equivalent of 
pillorying someone in the center of town, which is something that as a society 
we have already decided not to do.

Disclosure is more complex.  A properly-functioning and timely relay service, 
which is the fundamental function of a domain privacy provider, mitigates many 
situations that would otherwise require disclosure.  Even so, there are a few 
situations where disclosure is legitimately warranted.  Those situations 
largely involve litigation or law enforcement action.  In those cases, to 
balance against the harm of inappropriate disclosure society has already 
established a system of warrants, court orders, and subpoenas that is used to 
justify and validate obtaining those types of records.  In most jurisdictions, 
the bar set by these processes is not particularly high.  Yet the working group 
proposes to expressly prohibit adherence to existing, time-tested due process, 
a position which is very difficult to defend.

If there is some action occurring related to a domain, and timely intervention 
is needed to investigate or stop that action, there is nothing a domain privacy 
provider can do.  They cannot suspend the domain.  They cannot initiate, block, 
or reverse a transfer.  They cannot change the name servers associated with a 
domain.  They cannot affect any web site associated with that domain or its 
content.

But in truth, the identity of the registrant isn't needed to do any of those 
things.  For example, nobody needs to know who is running a malware site before 
they shut it down.  In taking any urgent action, stopping to obtain the 
person's identity serves only to introduce delay.  (And, in most cases 
involving malicious or illegal activity, the "real" information provided is 
fake anyway, often that of a stolen credit card.)  If it is needed after the 
fact, for example to pursue legal action or criminal investigation, it can be 
obtained as part of that action.

In fact, while a few situations do exist where disclosure is warranted, a 
vanishingly small number if any at all exist where urgent action must be taken 
with respect to a domain and that action requires the identity of the 
registrant.  And most such scenarios would serve better as plots for Hollywood 
movies than as the basis for proposed policies.

Despite this, the working group proposes a process similar to the DMCA.  
However, there are three key factors that have been overlooked:

1) DMCA actions are reversible.  Privacy disclosure is not.  Once a person's 
information is disclosed, that can never be undone.

2) Abuse of the DMCA is rampant because there is effectively no punishment for 
it.  Cases where someone has been punished for filing a false takedown notice 
are spectacularly rare.  Similar abuse of similar processes for private 
information disclosure can also be expected.

3) Taking down all or part of someone's web site does not place that individual 
in personal danger.  Disclosing their private contact information very well 
might.

All of this begs the question: if a Requester needs a registrant's name, 
address, and home phone number, but it's not for a purpose served by the 
existing legal frameworks (including the DMCA on which Annex E is based) for 
which due process is appropriate, then what exactly do they need it for?  The 
working group appears to know based on the questions the report asks but does 
not answer: harassment.  

That harassment may come in the form of extralegal threats of future legal 
action or, as has unfortunately become all too common on the Internet, death 
threats, rape threats, and the practice of tricking SWAT teams to raid 
someone's home at gunpoint in the hopes they will be terrorized or accidentally 
killed.

These policies are easily exploited as well.  Consider the scenario where a 
woman operates an Internet discussion forum on a controversial subject, like 
the role of women in the video game industry.  (A subject which one might not 
expect to be controversial, but which has generated a spectacular volume of 
abuse and threats and forced multiple individuals into hiding in the past year 
based on disclosure of their personal information and resulting threats.)  The 
operator of such a forum might well wish to avail themselves of domain privacy 
services, rather than post their home address online for all to see.  Yet all 
someone need do is register for that forum under a false name, upload an image 
or post some content, then claim under the proposed disclosure framework that 
their copyrighted material appears on the forum and that they therefore are 
entitled to the registrant’s personal information.  Under that framework, the 
registrant would either have to give up the domain or have that information 
disclosed.  (Comparatively, under the DMCA, the site operator could simply 
remove the “trojan horse” content.)

Such scenarios will occur every day, and real people will be harmed as a 
result.  The working group raises questions like "What limitations should the 
Requester be required to agree to regarding use of the revealed data?" without 
acknowledging that such limitations are, at best, advisory in nature.  A 
Requester can lie with impunity about their intentions and even their identity 
to obtain the information and, once they have it, any perceived control over 
what they do with it is purely illusionary.

Many of the working group’s proposed policies and recommendations appear 
oriented toward making protecting intellectual property interests more 
convenient.  Protecting intellectual property rights is important, and can 
often be challenging online.  However, privacy service users are overwhelmingly 
individuals and protecting the safety of individuals is more important.