Who would have imagined that so much business and so much abuse would center around Internet domain names? Certainly not the designers of the system, including those of the Whois service, which reports on ownership and some other data on domain names. But an effort to reform the process is underway, and you have just a few days left to get in your opinion.
Whois, like so much else of the Internet, was designed in an era of hippie trust amounting to naiveté. Of course it would have been better and, like, beautiful, man, if we could just trust users with ownership and contact information for domain names.
But instead, the administration of the Domain Name System has turned into a disaster for everyone except those who abuse it, and much of the trouble stems directly from the free availability of this information. I suspect that one of the earliest sources for spam address harvesting was Whois, and it also provides the foundation for most examples of domain name theft.
And then theres the general issue of privacy. Is it right that, in order to acquire and use a domain name, a user should have to disclose his or her address, phone number and e-mail address? In fact, Internet rules, promulgated by those great folks at ICANN (Internet Corporation for Assigned Names and Numbers), require that Whois data for a domain be accurate and up to date.
There are very good reasons for keeping that information accurate and up-to-date: This is the contact information that will be used if an attempt is made to transfer your domain to a different registrar, and it may be up to you to deny the request. Other attempts to contact you, for reasons legitimate or otherwise, may go to these contact points.
Faced with the abuse that comes from addresses being freely available, including spam and junk mail through the postal system, some people give false contact information. This is a bad idea. Even just putting a “nospam-remove” in your name could cause problems you might regret.
So, some time ago ICANN formed a Whois Privacy Task Force. Actually, there seems to have been more than one Whois Task Force, and the discussions go back to 2003. But there is a Preliminary Task Force Report on Whois Services, Nov. 22, 2006, and the public comment period ends on Monday, Jan. 15.
The first big “uh-oh” comes from the conclusion, up top, that the task force was, on the one hand, unable to agree on the purpose of Whois records or what data should be published, and on the other did agree that the current system is inscrutable and that any changes to it will be problematic. In other words, whatever we do will impinge on someones interests.
The Case of OpOc
vs. Special Circumstances”>
There are two main proposals being considered and a number of more detailed questions. The two new models are called OPoC (the Operational Point of Contact) and the Special Circumstances proposal.
OPoC, which I discussed in a recent column, is backed by many (self-styled, perhaps) privacy advocates, and is similar to GoDaddys DomainsByProxy model: The contact information is no longer that of the actual domain owner, but some third party with a code that allows them to contact the actual owner. Crucially, OPoC, as the ICANN report says, “does not include a mechanism for access to Whois data by, for example, law enforcement agencies or intellectual property rights holders.”
This limitation has led many to support the alternative Special Circumstances model, also known as the Netherlands Model, because the rules are similar to those governing the .nl top-level domain: “It allows individuals who demonstrate the existence of special circumstances to substitute contact details of the registrar for the data that would otherwise appear in published Whois.” In other words, it allows some people to use the OPoC model if they qualify.
So who qualifies? According to the ICANN report:
The classic example is a Web site for a battered womens shelter.
Special Circumstances is backed most famously by intellectual property holders and their attorneys, and law enforcement. MarkMonitor, a corporate identity management and protection services company and a domain registrar itself, is organizing a campaign in support of Special Circumstances. Its got an impressive list of supporters there, and if you agree you can join the endorsement.
I really am sympathetic to the interests of intellectual property owners, but Special Circumstances is a pretty meager concession to the privacy and abuse problems. Sure, I sympathize with battered womens shelters, but what about the more general problems of abuse, spamming and domain theft, for example? These didnt show up on the radar of the Special Circumstances people.
I wish I could come up with a proposal that could satisfy both parties, and I dont want to look at it too much from the point of view of my own private interests. The best I can come up with is that I can understand the interests of both sides, but I think its best to support OPoC, and, once thats in place, see how to facilitate access to registrant information for law enforcement and legitimate legal mechanisms. At least theres a chance that could be accomplished. If we adopt Special Circumstances then the interests of most of the public are shoved aside.
But enough about me, what do you think? Tell ICANN yourself by e-mailing it on this matter: [email protected]
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at [email protected]
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.