At a recent gathering of the New York Metropolitan Area chapter of the Internet Society at the Jefferson Market library in Greenwich Village, there was a panel discussion on Whois policy. The panel was top-notch, including people representing the varied interests in the matter. And while there is an interesting proposal on the table for a change to Whois policy, I wish I could say I was optimistic about it.
You can download recordings of the debate in various formats from the Punkcast Web site.
The issues are important: It has always been policy that the registration information for Internet domains is public and publicly available through a database service called “Whois.” Unix and Linux users typically have a Whois command line program that knows how to query the database.
Most Internet users, to the extent that they interact with the system at all, query through a Web-based proxy form, such as CompleteWhois (a good site with many other useful tools). If you do a lot of Whois-ing on Windows I recommend getting Jwhois for Windows.
Its also always been policy that owners of domains have to keep accurate information in their publicly accessible Whois entries. So if you own a domain for your personal use you have to have your address, phone number and an accessible e-mail in the record.
You really need to have an accessible e-mail address in that space because it is at that address you will be contacted if someone attempts to transfer your domain. That may also be the address at which your registrar will contact you if you when your registration is expiring.
But this policy also means that anyone can get this information for their own purposes.
If you put your e-mail address in Whois you will be spammed. Youre also likely to receive solicitations from other registrars, and theres a history of sleazy registrars making misleading solicitations.
For these and other reasons, many have called over the years for privacy for domain owners. But there are arguments against it and privacy advocates have the disadvantage of fighting the mighty status quo, which has home-field advantage in matters to do with ICANN (Internet Corporation for Assigned Names and Numbers.)
ICANN to the Rescue
If ICANN has done anything well its protecting the rights of intellectual property owners. A mandatory arbitration process was created through which trademark holders can reclaim domain names created by others that infringe the trademark.
It costs a couple thousand dollars to do this, if you have a decent lawyer and the infringing party doesnt dispute the process. Infringing domains are extremely prevalent and its common for the owner not to bother responding to the arbitration process. Two grand is too much, but at least trademark owners have recourse. If your domain is simply stolen, ICANN doesnt care, and youre on your own.
One of the panel members at the Internet Society discussion was a trademark attorney who argued against any changes that would make it harder to find the owners of domains in order to bring them to the arbitration process.
The specific proposal he was concerned about is called the OPOC, or Operational Point of Contact. Heres the initial description of the proposal (PDF). Currently Whois has to contain three contacts, the Administrative, Billing and Technical contacts. The distinctions never really amounted to what the designers intended, and most people dont know what it really means. And in order to escape abuse, many people put false information in these fields, which is against the rules and leaves the owner at risk of not receiving important communications.
The discussion at the Internet Society indicated that OPOC now no longer includes the address or phone number as public information, just the country and state of the registrant.
Put briefly, OPOC replaces them with one contact point and theres an understanding that it might be the hosting service or someone else who can deal with domain issues and can get in touch with the actual owner if necessary. The proposal also makes unrelated suggestions about record keeping and processes for transfers.
This would be a good thing, but it still seems to me to be inferior to the arrangements you can make with various registrars to protect your privacy. There are two approaches taken: Theres the GoDaddy approach, in which a proxy service actually becomes the registrant of the domain. E-mail sent to the address does not go to you unless you arrange for it, and theyll also do spam filtering on it.
Network Solutions private registration is different. They hide the address and phone numbers and set up a forwarding e-mail account to you where the name in the address changes every 10 days so that spammers cant do much damage with it. But you, and not a proxy service, are the registrant.
Theres some dispute over whether some or all of these techniques violate ICANN rules, especially the proxy approach, but they seem too entrenched to do anything about. But private registration services were banned on the .us top-level domain. The private registration services will pass on contact information pursuant to a valid subpoena or, I would suppose, the ICANN arbitration process, so it gets in the way but isnt too much of a problem.
OPOC doesnt solve other problems, including the ones about which I have been very concerned, such as domain theft and mass-scale name speculation. One reason is the transfer policy that says that transfers will go through unless the owner stops it.
Another reason Im leery of OPOC is that it was designed by registrars. There are lots of reputable registrars, but ICANN has created a situation where anyone can become a registrar and often for obviously shady purposes. In fact, Bruce McDonald, the trademark attorney in the panel group I mentioned, said in it:
Yes, thats right. The registrars themselves are the ones doing domain name speculation. Of course we knew about this from the typo-squatting lawsuit against Dotster by Neiman Marcus and Bergdorf Goodman.
A couple years ago in an interview ICANN dismissed to me the idea of a rogue registrar, saying no registrar would risk its accreditation. Turns out a registrar wouldnt have to, because registrars dont ever get in trouble for violating rules.
Hes right, and thats why things wont get better. In fact, if it serves the interests of ICANN and their masters, expect things to get worse.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at [email protected]
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.