ICANN Email List Archives



Confessions of an ex-opponent of Whois Privacy

  • To: comments-ppsai-initial-05may15@xxxxxxxxx
  • Subject: Confessions of an ex-opponent of Whois Privacy
  • From: Mark Jeftovic <no-reply@xxxxxxxxxxxx>
  • Date: Thu, 2 Jul 2015 23:02:20 +0000 (GMT)

    Enclosed please find the easyDNS public comments on the GNSO Privacy &amp; 
Proxy Services Accreditation Issues Working Group Initial 
Report.<br/><br/>Thank you.<br/><br/>- mark
<h1>Confessions of an ex-opponent of Whois Privacy</h1>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; 
-webkit-line-break: after-white-space;" class="ennote">
I submit these comments as a CEO of an ICANN accredited registrar, a former 
director to CIRA and a lifelong anti spam contributor with an unblemished 
record of running a managed DNS provider that maintains zero tolerance for net 
abuse or cybercrime and as someone who maintains a healthy working relationship 
with the units of our local and federal Law Enforcement Agencies that deal with 
<div>In the past easyDNS was opposed to Whois Privacy. We did not offer it and 
we strongly cautioned our customers against using it. </div>
<div>Our rationale was twofold:</div>
<div>     #1) We felt that those connecting to the internet to originate 
traffic and consume system resources of external parties (i.e. people sending 
email) had an obligation and a responsibility to be identifiable. In other 
words, we felt (and still do) that  nobody has an obligation to accept email 
from a domain whose contact details are anonymized (in fact we have been 
working on an experimental reputation zone that penalizes domains at the MTA 
level when they have privacy enabled) - This belief still does not conflict 
with our advocacy of Whois Privacy.</div>
<div>     #2) There was agency risk to the Registrants themselves, as once 
they enabled whois privacy on their domains the &quot;official&quot; owner (or 
rights holder) to their names became the privacy provider and not the actual 
registrant. (This fear was borne out as many Registrants did in fact lose 
their names in the failure of RegisterFly).</div>
<div>We eventually relented to customer pressure and implemented Whois Privacy 
and have since completely reversed our opinions on the efficacy of employing it 
and necessity of making it an option. <i>(For the record, our opinion was not 
swayed by the additional</i> <i><u>revenues</u> we garner from offering it. The 
vast majority of our Registrants making use of Whois Privacy get it at no 
<div>It is important to note that once we did change directions and offer Whois 
Privacy, we found that doing so had absolutely no material effect on 
occurrences of net abuse, known cases of cybercrime or any other form of civil 
misdeed such as copyright violations or intellectual property 
infringement. </div>
<div>We think we know why this is, they are the same reasons the policy shift 
being considered will have zero effect toward their intended outcome and why 
the second order effects will be primarily negative and disruptive to those who 
are not guilty of any malfeasance (we refer to these innocent bystanders as 
&quot;rule followers&quot;).</div>
<div>As a result of these experiences, we believe that absent a breach of 
service terms such as net abuse, the only basis for disclosing underlying 
Registrant data, especially to copyright and trademark complainants should be 
subject to</div>
<li><span style="font-family: Calibri; font-size: 11pt;">a court order (in a 
competent jurisdiction to the Proxy provider)</span></li>
<li><span style="font-size: 11pt; font-family: Calibri;">a subpoena (in a 
competent jurisdiction to the Proxy provider)</span></li>
<li><span style="font-size: 11pt; font-family: Calibri;">a pending civil 
<li><span style="font-size: 11pt; font-family: Calibri;">a URS or UDRP 
<div><font face="Calibri"><span style="font-size: 15px;">In other words, we 
feel that Section D of Annex E of the </span></font>Initial Report on 
the Privacy &amp; Proxy Services Accreditation Issues PDP should have precisely 
the opposite requirement that it now proposes.</div>
<div>We will explain our reasoning below. It is based on real world experiences 
of nearly 20 years in the domain and managed DNS business:</div>
<div><b>Many Registrants Don't Even Know That the Whois Exists or What's In 
<div>Understanding that a consequence of simply registering a domain name 
results in one's personal contact details being published in a world viewable, 
digital database is actually quite limited. People who earn their livelihood 
online are possibly cognizant of it, although even within this cutting edge 
technologically literate segment <i>a significant number of participants are 
not.</i> Your average bricklayer, baker or candlestick maker is for the most 
part oblivious to the existence of Whois.</div>
<div>What they do know, is that when they finally get motivated to &quot;join 
the digital age&quot; and register their first domain name, and after dutifully 
filling out the online form, which is like any other online form they fill out, 
within days, <i>or even minutes</i> they are receiving unwanted spam, phone 
calls or junk faxes because their personal details have been harvested from the 
Whois almost immediately. </div>
<div>Blame, or at the very least suspicion is then directed toward the 
Registrar (&quot;You sold my personal data!&quot;)</div>
<div>This reason in itself is enough motivation for Registrars to create 
privacy mechanisms to safeguard Registrants against these unwanted 
intrusions. </div>
<div><b>Criminals Lie.</b></div>
<div>The ostensible justification for the types of changes being considered to 
Whois Privacy requirements is to make it easier for primarily rights holders 
and law enforcement agencies (LEA) to track down infringers and bad 
<div>But the fact is that actual criminals <i>do not use</i> their true, actual 
contact data in domain registrations. In fact in our experience whenever we 
take down a known infringing or cybercrime website, whether the domain 
registration details are privacy masked or not, they <i>always supply bogus 
Registrant data (often culled from a <b>previous</b> <b>victim</b>).</i></div>
<div>Similar to our objections against the highly destructive and impotent 
Whois Accuracy Program, implementing the proposed changes to Whois Privacy 
requirements will not get anybody any closer to apprehending a single 
cyber-criminal or preventing a single cybercrime, but will only succeed in 
making it easier for rule followers with legitimate requirements for Whois 
Privacy (i.e. whistleblowers, political dissidents,  victims of abuse, et al) 
to have their privacy violated.</div>
<div><b>Open To Abuse</b></div>
<div>We have ample first-hand experience with complainants abusing allegations 
of trademark or copyright infringement in an attempt to do one or more of the 
<li>cause a website / domain takedown without due process.</li>
<li>force a disclosure of Registrant data with no legal basis.</li>
<li>suppress websites or specific pages from search engine results.</li>
<div>If Section D of Annex E is adopted as proposed we foresee this as an ideal 
attack vector to compel Registrant data disclosure without being tested by due 
<div><b>Third Time's a Charm?</b></div>
<div>Any changes in Whois Privacy requirements must be considered against the 
backdrop of previous Whois reform initiatives, because at the end of the day, 
it's the end-user Registrants who have to adjust to functioning under the 
combined effect of all of these new policy modifications.</div>
<div>ICANN has thus far implemented two policies around Whois reform which 
should be considered failures in that they:</div>
<li>do not accomplish their stated goals, </li>
<li>only succeed in penalizing &quot;rule followers&quot; </li>
<li>create new unintended attack vectors against legitimate 
<div>The first was the Whois Data Reminder Policy (WDRP) which on its own was 
an annoyance and created a new spearphishing vector but the second-order effects 
were to induce a type of &quot;Whois Notification Blindness&quot; in 
Registrants by inculcating them with a belief that these notices are harmless 
annoyances which can be ignored (or worse, filtered away).</div>
<div>Even the creator of the WDRP has gone on record to state that the policy 
is a failure and should be killed.</div>
<div>Next came the Whois Accuracy Program (WAP) which has done nothing 
whatsoever to prevent cybercrime but has left a trail of destruction across the 
internet as legitimate production websites (some of them providing internet 
infrastructure functionality) inexplicably go offline for the flimsiest of 
reasons. </div>
<div>What makes WAP so pernicious is that to the average Registrant there is no 
discernible difference between a WDRP notice (which can be safely ignored) and 
a WAP notice (which can't!)</div>
<div>After a one-two punch of ineffective policy failures around Whois, the 
idea now is to take the one remaining aspect of Whois that actually serves a 
purpose, which is Whois Privacy, that actually accomplishes its primary goals, 
that provides an invaluable service to law abiding citizens but makes no real 
difference to criminals, in other words the last vestige of useful 
functionality in the current Whois model and we're going to make a new policy 
that maims it and provides easy mechanisms to game the system and end-run 
Registrant privacy?</div>
<div>Surely by now ICANN has learned from WDRP and WAP that trying to retrofit 
accountability processes onto the existing Whois implementation isn't working. 
We don't need a third policy to ignite yet another round of collateral 
catastrophes to hammer this lesson home.</div>
<div>Everybody close to this probably concurs that the current Port 43 Whois 
implementation was never designed for the type of all-reaching global internet 
we find ourselves in today. Change is certainly needed but it needs to be 
genuine change, a ground up rewrite of the entire protocol.</div>
<div>ICANN already had a separate EWG working on the next generation of Whois 
(RDS) and in their initial findings they asked the question: </div>
<div title="Page 5">
<p><span style="font-size: 11.000000pt; font-family: 'Calibri,BoldItalic'">Is 
there an alternative to today’s WHOIS to better serve the global Internet 
community? </span></p>
<div>&quot;<span style="font-size: 12pt; font-family: Calibri;">Yes, there 
is.</span> <span style="font-size: 12pt; font-family: Calibri;">The EWG 
unanimously recommends abandoning today’s WHOIS model</span> <span 
style="font-size: 12pt; font-family: Calibri;">of giving every user the same 
entirely anonymous public access to (often inaccurate) gTLD registration 
<div><span style="font-size: 12pt; font-family: Calibri;"><br/></span></div>
<div>&quot;<span style="font-family: Calibri; font-size: 12pt;">Instead, the 
EWG recommends a paradigm shift to a next-generation RDS that collects, 
validates and discloses gTLD registration data for permissible purposes 
<div title="Page 5">
<div><span style="font-size: 12.000000pt; font-family: 'Calibri'">While basic 
data would remain publicly available, the rest would be accessible only to 
accredited requestors who identify themselves, state their purpose, and agree 
to be held accountable for appropriate use.&quot;</span></div>
<div><span style="font-size: 12.000000pt; font-family: 'Calibri'"> </span></div>
<div>These are the groundwork for appropriate guiding principles for the next 
generation of Whois, of course the devil will be in the details of who has the 
right to request data and under what circumstances.</div>
<div>We here at easyDNS have spent an inordinate amount of effort over the past 
years to educate complainants, plaintiffs and even certain law enforcement 
agencies that there exists in civil society and democracies &quot;due 
process&quot; and that an allegation has to be proven legally before sanctions 
can be imposed on people's websites, or before their personal data can be 
surrendered. </div>
<div>So we have two main recommendations for charting the path forward:</div>
<div>1) The entire Whois Privacy Policy revisions should be tabled until the 
entire Whois database is re-engineered as the next generation RDS</div>
<div>2) That a guiding principle of any future RDS Working Groups should 
incorporate legal due process and <b>end-user</b>, that is 
<b>Registrant</b> control over their own data records, complete with automated 
mechanisms to alert Registrants when inquiries are made into their records, 
what the purpose of those inquiries are and allowing Registrants the ability to 
withhold disclosure (except in cases of overt net abuse or where a law 
enforcement agency is pursuing a legitimate investigation subject to a valid 
<div>Thank you.</div>
<div>Mark Jeftovic, CEO &lt;markjr@xxxxxxxxxxxx&gt;</div>
<div>easyDNS Technologies Inc.</div>