ICANN Email List Archives

[comments-ppsai-initial-05may15]



Confessions of an ex-opponent of Whois Privacy (clean copy)

  • To: comments-ppsai-initial-05may15@xxxxxxxxx
  • Subject: Confessions of an ex-opponent of Whois Privacy (clean copy)
  • From: "Mark E. Jeftovic" <markjr@xxxxxxxxxxx>
  • Date: Mon, 06 Jul 2015 12:36:50 -0400

(This is a resend of my comments from July 4, 2015 which were archived
with extraneous html markup)

I submit these comments as a CEO of an ICANN accredited registrar, a
former director to CIRA and a lifelong anti spam contributor with an
unblemished record of running a managed DNS provider that maintains zero
tolerance for net abuse or cybercrime and as someone who maintains a
healthy working relationship with the units of our local and federal Law
Enforcement Agencies that deal with cybercrime.

In the past easyDNS was opposed to Whois Privacy. We did not offer it
and we strongly cautioned our customers against using it.

Our rationale was twofold:

     #1) We felt that those connecting to the internet to originate
traffic and consume system resources of external parties (i.e. people
sending email) had an obligation and a responsibility to be
identifiable. In other words, we felt (and still do) that nobody has an
obligation to accept email from a domain whose contact details are
anonymized (in fact we have been working on an experimental reputation
zone that penalizes domains at the MTA level when they have privacy
enabled) - This belief still does not conflict with our advocacy of
Whois Privacy.

     #2) There was agency risk to the Registrants themselves, as once
they enabled whois privacy on their domains the "official" owner (or
rights holder) to their names became the privacy provider and not the
actual registrant. (This fear was borne out as many Registrants did in
fact lose their names in the failure of RegisterFly).

We eventually relented to customer pressure and implemented Whois
Privacy and have since completely reversed our opinions on the efficacy
of employing it and necessity of making it an option. (For the record,
our opinion was not swayed by the additional revenues we garner from
offering it. The vast majority of our Registrants making use of Whois
Privacy get it at no cost).

It is important to note that once we did change directions and offer
Whois Privacy, we found that doing so had absolutely no material effect
on occurrences of net abuse, known cases of cybercrime or any other form
of civil misdeed such as copyright violations or intellectual property
infringement.

We think we know why this is: they are the same reasons the policy shift
being considered will have zero effect toward their intended outcome and
why the second order effects will be primarily negative and disruptive
to those who are not guilty of any malfeasance (we refer to these
innocent bystanders as "rule followers").

As a result of these experiences, we believe that absent a breach of
service terms such as net abuse, the only basis for disclosing
underlying Registrant data, especially to copyright and trademark
complainants should be subject to

    a court order (in a competent jurisdiction to the Proxy provider)
    a subpoena (in a competent jurisdiction to the Proxy provider)
    a pending civil action
    a URS or UDRP action.

In other words, we feel that Section D of Annex E of the Initial Report
on the Privacy & Proxy Services Accreditation Issues PDP should have
precisely the opposite requirement that it now proposes.
http://gnso.icann.org/en/issues/raa/ppsai-initial-05may15-en.pdf

We will explain our reasoning below. It is based on real world
experiences of nearly 20 years in the domain and managed DNS business:

Many Registrants Don't Even Know That the Whois Exists or What's In It.

Understanding that a consequence of simply registering a domain name
results in one's personal contact details being published in a world
viewable, digital database is actually quite limited. People who earn
their livelihood online are possibly cognizant of it, although even
within this cutting edge technologically literate segment a significant
number of participants are not. Your average bricklayer, baker or
candlestick maker is for the most part oblivious to the existence of Whois.

What they do know, is that when they finally get motivated to "join the
digital age" and register their first domain name, and after dutifully
filling out the online form, which is like any other online form they
fill out, within days, or even minutes they are receiving unwanted spam,
phone calls or junk faxes because their personal details have been
harvested from the Whois almost immediately.

Blame, or at the very least suspicion is then directed toward the
Registrar ("You sold my personal data!")

This reason in itself is enough motivation for Registrars to create
privacy mechanisms to safeguard Registrants against these unwanted
intrusions.


Criminals Lie.

The ostensible justification for the types of changes being considered
to Whois Privacy requirements is to make it easier for primarily rights
holders and law enforcement agencies (LEA) to track down infringers and
bad actors.

But the fact is that actual criminals do not use their true, actual
contact data in domain registrations. In fact in our experience whenever
we take down a known infringing or cybercrime website, whether the domain
registration details are privacy masked or not, they always supply
bogus Registrant data (often culled from a previous victim).

Similar to our objections against the highly destructive and impotent
Whois Accuracy Program, implementing the proposed changes to Whois
Privacy requirements will not get anybody any closer to apprehending a
single cyber-criminal or preventing a single cybercrime, but will only
succeed in making it easier for rule followers with legitimate
requirements for Whois Privacy (i.e. whistleblowers, political
dissidents, victims of abuse, et al) to have their privacy violated.

Open To Abuse

We have ample first-hand experience with complainants abusing
allegations of trademark or copyright infringement in an attempt to do
one or more of the following:

    cause a website / domain takedown without due process.
    force a disclosure of Registrant data with no legal basis.
    suppress websites or specific pages from search engine results.

If Section D of Annex E is adopted as proposed we foresee this as an
ideal attack vector to compel Registrant data disclosure without being
tested by due process.

Third Time's a Charm?

Any changes in Whois Privacy requirements must be considered against the
backdrop of previous Whois reform initiatives, because at the end of the
day, it's the end-user Registrants who have to adjust to functioning
under the combined effect of all of these new policy modifications.

ICANN has thus far implemented two policies around Whois reform which
should be considered failures in that they:

    do not accomplish their stated goals,
    only succeed in penalizing "rule followers"
    create new unintended attack vectors against legitimate Registrants.

The first was the Whois Data Reminder Policy (WDRP) which on its own
was an annoyance and created a new spearphishing vector but the
second-order effects were to induce a type of "Whois Notification
Blindness" in Registrants by inculcating them with a belief that these
notices are harmless annoyances which can be ignored (or worse, filtered
away).

Even the creator of the WDRP has gone on record to state that the policy
is a failure and should be killed.
http://www.circleid.com/posts/20120719_a_confession_about_icann_whois_data_reminder_policy/

Next came the Whois Accuracy Program (WAP) which has done nothing
whatsoever to prevent cybercrime but has left a trail of destruction
across the internet as legitimate production websites (some of them
providing internet infrastructure functionality) inexplicably go offline
for the flimsiest of reasons.

What makes WAP so pernicious is that to the average Registrant there is
no discernible difference between a WDRP notice (which can be safely
ignored) and a WAP notice (which can't!)

After a one-two punch of ineffective policy failures around Whois, the
idea now is to take the one remaining aspect of Whois that actually
serves a purpose, which is Whois Privacy, that actually accomplishes
its primary goals, that provides an invaluable service to law abiding
citizens but makes no real difference to criminals, in other words the
last vestige of useful functionality in the current Whois model and
we're going to make a new policy that maims it and provides easy
mechanisms to game the system and end-run Registrant privacy?

Surely by now ICANN has learned from WDRP and WAP that trying to
retrofit accountability processes onto the existing Whois implementation
isn't working. We don't need a third policy to ignite yet another round
of collateral catastrophes to hammer this lesson home.

Recommendations

Everybody close to this probably concurs that the current Port 43 Whois
implementation was never designed for the type of all-reaching global
internet we find ourselves in today. Change is certainly needed but it
needs to be genuine change, a ground up rewrite of the entire protocol.

ICANN already had a separate EWG working on the next generation of Whois
(RDS) and in their initial findings they asked the question:
https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf

Is there an alternative to today’s WHOIS to better serve the global
Internet community?
"Yes, there is. The EWG unanimously recommends abandoning today’s WHOIS
model of giving every user the same entirely anonymous public access to
(often inaccurate) gTLD registration data."

"Instead, the EWG recommends a paradigm shift to a next-generation RDS
that collects, validates and discloses gTLD registration data for
permissible purposes only.

While basic data would remain publicly available, the rest would be
accessible only to accredited requestors who identify themselves, state
their purpose, and agree to be held accountable for appropriate use."

These are the groundwork for appropriate guiding principles for the next
generation of Whois, of course the devil will be in the details of who
has the right to request data and under what circumstances.

We here at easyDNS have spent an inordinate amount of effort over the
past years to educate complainants, plaintiffs and even certain law
enforcement agencies that there exists in civil society and democracies
"due process" and that an allegation has to be proven legally before
sanctions can be imposed on people's websites, or before their personal
data can be surrendered.

So we have two main recommendations for charting the path forward:

1) The entire Whois Privacy Policy revisions should be tabled until the
entire Whois database is re-engineered as the next generation RDS

2) That a guiding principle of any future RDS Working Groups should
incorporate legal due process and end-user, that is Registrant control
over their own data records, complete with automated mechanisms to alert
Registrants when inquiries are made into their records, what the purpose
of those inquiries is and allowing Registrants the ability to withhold
disclosure (except in cases of overt net abuse or where a law
enforcement agency is pursuing a legitimate investigation subject to a
valid warrant).

Thank you.


Mark Jeftovic, CEO <markjr@xxxxxxxxxxxx>
easyDNS Technologies Inc.
http://www.easydns.com



