<incom> Last Call for Whois Comments [fwd.]
Heimo Claasen
hc at revobild.net
Fri Jan 12 23:43:59 CET 2007
Just now received this myself - a bit late: but I didn't see _anything_
on this in the various (WSIS-, "eGovernment"-, etc.) lists despite its
evident relevance. -hc
--------------------Forwarding:--------------
http://www.eweek.com/article2/0,1895,2082346,00.asp?kc=EWSTEEMNL011107EOAD
Last Call for Whois Comments
January 11, 2007
By Larry Seltzer
Who would have imagined that so much business and so much abuse would
center around Internet domain names? Certainly not the designers of the
system, including those of the Whois service, which reports on ownership
and some other data on domain names. But an effort to reform the process
is underway, and you have just a few days left to get in your opinion.
Whois, like so much else of the Internet, was designed in an era of
hippie trust amounting to naiveté. Of course it would have been better
and, like, beautiful, man, if we could just trust users with ownership
and contact information for domain names.
But instead, the administration of the Domain Name System has turned
into a disaster for everyone except those who abuse it, and much of the
trouble stems directly from the free availability of this information. I
suspect that one of the earliest sources for spam address harvesting was
Whois, and it also provides the foundation for most examples of domain
name theft.
And then there's the general issue of privacy. Is it right that, in
order to acquire and use a domain name, a user should have to disclose
his or her address, phone number and e-mail address? In fact, Internet
rules, promulgated by those great folks at ICANN (Internet Corporation
for Assigned Names and Numbers), require that Whois data for a domain be
accurate and up to date.
There are very good reasons for keeping that information accurate and
up-to-date: This is the contact information that will be used if an
attempt is made to transfer your domain to a different registrar, and it
may be up to you to deny the request. Other attempts to contact you, for
reasons legitimate or otherwise, may go to these contact points.
Faced with the abuse that comes from addresses being freely available,
including spam and junk mail through the postal system, some people give
false contact information. This is a bad idea. Even just putting a
"nospam-remove" in your name could cause problems you might regret.
So, some time ago ICANN formed a Whois Privacy Task Force. Actually,
there seems to have been more than one Whois Task Force, and the
discussions go back to 2003. But there is a Preliminary Task Force
Report on Whois Services, Nov. 22, 2006, and the public comment period
ends on Monday, Jan. 15.
The first big "uh-oh" comes from the conclusion, up top, that the task
force was, on the one hand, unable to agree on the purpose of Whois
records or what data should be published, and on the other did agree
that the current system is inscrutable and that any changes to it will
be problematic. In other words, whatever we do will impinge on someone's
interests.
There are two main proposals being considered and a number of more
detailed questions. The two new models are called OPoC (the Operational
Point of Contact) and the Special Circumstances proposal.
OPoC, which I discussed in a recent column, is backed by many
(self-styled, perhaps) privacy advocates, and is similar to GoDaddy's
DomainsByProxy model: The contact information is no longer that of the
actual domain owner, but some third party with a code that allows them
to contact the actual owner. Crucially, OPoC, as the ICANN report says,
"does not include a mechanism for access to Whois data by, for example,
law enforcement agencies or intellectual property rights holders."
This limitation has led many to support the alternative Special
Circumstances model, also known as the Netherlands Model, because the
rules are similar to those governing the .nl top-level domain: "It
allows individuals who demonstrate the existence of special
circumstances to substitute contact details of the registrar for the
data that would otherwise appear in published Whois." In other words, it
allows some people to use the OPoC model if they qualify.
So who qualifies? According to the ICANN report:
The proposal envisages that full contact data of individuals
would be held back from publication in the Whois only when this "would
jeopardize a concrete and real interest in their personal safety or
security that cannot be protected other than by suppressing that public
access." This would seem to indicate that the vast majority of contact
information would be published in the Whois, and that means of access to
unpublished data would rarely be required.
The classic example is a Web site for a battered women's shelter.
Special Circumstances is backed most famously by intellectual property
holders and their attorneys, and law enforcement. MarkMonitor, a
corporate identity management and protection services company and a
domain registrar itself, is organizing a campaign in support of Special
Circumstances. It's got an impressive list of supporters there, and if
you agree you can join the endorsement.
I really am sympathetic to the interests of intellectual property
owners, but Special Circumstances is a pretty meager concession to the
privacy and abuse problems. Sure, I sympathize with battered women's
shelters, but what about the more general problems of abuse, spamming
and domain theft, for example? These didn't show up on the radar of the
Special Circumstances people.
I wish I could come up with a proposal that could satisfy both parties,
and I don't want to look at it too much from the point of view of my own
private interests. The best I can come up with is that I can understand
the interests of both sides, but I think it's best to support OPoC, and,
once that's in place, see how to facilitate access to registrant
information for law enforcement and legitimate legal mechanisms. At
least there's a chance that could be accomplished. If we adopt Special
Circumstances then the interests of most of the public are shoved aside.
But enough about me, what do you think? Tell ICANN yourself by e-mailing
it on this matter: whois-comments at icann.org
Security Center Editor Larry Seltzer has worked in and written about the
computer industry since 1983. He can be reached at
larryseltzer at ziffdavis.com.
-------------------unquote.-------------