OPOC Is Dead

Opinion: Whois going to save domain owners? Looks like they're on their own.

For the first time in many years ICANN is meeting in, of all places, the United States of America. Nice of them to show that they know the USA is still as relevant in Internet matters as, say, Tunisia.

Most of the news from the meeting has come from the ongoing sessions on proposals to change the rules for the whois database. ICANN's GNSO (Generic Names Supporting Organization) formed a Whois Privacy task force, which has been looking into the problems with the whois database for a long time. Earlier this year they issued a preliminary report and asked for public comment. As of Oct. 31, the comments are closed.

The report summarizing the public comment makes clear what seemed obvious for a long time: Intellectual property interests and law enforcement are dead-set against any privacy protections in whois. Their remarks dominated the public comment, according to the report.

The proposal at issue, called OPOC (Operational Point Of Contact), replaces the current whois rules, which require that real names, addresses, phone numbers and e-mails be included in public whois records for a registered domain, with a single point of contact that is not necessarily the actual registrant. As with private registrations such as GoDaddy's DomainsByProxy, there would be a contact to take care of operational matters who could get in touch with the actual registrant, if necessary, but no third parties could directly contact the registrant except by going through the OPOC.

Both the intellectual property and law enforcement concerns start from the assumption that the whois records contain useful information that will allow them to track down the domain owner. This has been true in the past and is probably less true every day. It's not hard for registrants to hide their identities if they want to be hidden, either with mostly false information or through a privacy service like DomainsByProxy. And there are plenty of shady registrars out there who can't be expected to cooperate with rules about requiring accurate whois information.

There is one important exception where quick access to the actual registrant is important: In many cases, malicious sites are actually legitimate sites that have been hacked to host malware, phishing or whatever. In such cases, often law enforcement (or other private investigators) can contact the actual registrant and have them clean up the site.

This is a beautiful story, but you still don't need the actual registrant's contact information to do it. OPOC doesn't mean you can't reach the registrant, just that you have to reach them through the OPOC, which is probably a registrar or hosting service for most people. Some of the public comments objecting to OPOC complained that there weren't sufficient assurances that this would be reasonably implemented:

"The Whois Working Group did not reach consensus on a critical aspect of the OPOC policy such as standards for the timely transmission of requests, mechanisms for enforcing OPOC compliance with its obligations, and the mechanisms for providing legitimate third parties with access to unpublished data."

Sheesh! After all this time they didn't come up with a rule defining how long the OPOC has to respond to a law-enforcement request? If so, maybe OPOC is useless.

With OPOC all but destined to the death sentence of long-term study, some geniuses in the pro-OPOC group thought up the attention-grabbing proposal, according to the GNSO report, that:

"If OPOC is not implemented, all non-consensus Whois provisions in registry and registrar agreements should sunset."

This has been widely reported as calling for the death of whois, but notice the weasel words "non-consensus" in there. This proposal has exactly as much potential for implementation as OPOC itself, and is therefore a waste of bits on the disk.

In the end it was silly to think OPOC had a chance. Nobody who matters backed it. Even the large registrars have more of an interest in keeping private registration as a fee-based service that they can "up-sell" to customers, and perhaps we can expect that business to grow. At least there's an option for people and there's competition in it, too.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
