ICANN Sacrifices Privacy for Shot at Independence

Appeared in the Toronto Star on October 9, 2006 as Web's Naming Body Barters Away Privacy 

Appeared in the BBC on October 10, 2006 as Internet Privacy 'Sacrificed' By ICANN

Internet governance has attracted increasing attention in recent years as governments, business communities, and Internet users struggle to develop a model that adequately takes into account the concerns of all stakeholders.  At the center of this debate is the Internet Corporation for Assigned Names and Numbers (ICANN), a California-based non-profit corporation charged with the principal responsibility for maintaining the Internet's domain name system.

ICANN has been dogged by criticism since it was established under contract to the U.S. government in 1998.  Those concerns have focused primarily on poor accountability practices.  The power retained by the U.S. – the 1998 agreement gave it significant oversight powers – has left many governments uncomfortable with their limited input into Internet governance decisions, while the business community, particularly companies involved in the multi-billion-dollar domain name registration sector, has become increasingly vocal about ICANN's lack of transparency and due process mechanisms.

Meanwhile, Internet users, who were initially promised a "bottoms-up" policy making process with half of the seats on the ICANN board reserved for their interests, have become steadily marginalized within the ICANN community with no guaranteed board representation and with limited support for policy initiatives.

Late last month, ICANN took a major step toward addressing some of these concerns by signing a new agreement with the U.S. government entitled the Joint Project Agreement.  ICANN immediately heralded the JPA as a "dramatic step forward" for full management of the Internet's domain name system through a "multi-stakeholder model of consultation."

ICANN stated that the agreement grants it unprecedented independence by removing many of the U.S. government’s oversight controls.  These include the elimination of a twice-annual reporting requirement to the U.S. Department of Commerce (ICANN will instead release a single annual report targeted to the full Internet community) and a shift away from the highly prescriptive policy responsibilities featured in the original ICANN contract.

Moreover, with the JPA scheduled to expire in September 2009, ICANN supporters believe that the stage is now set for formal privatization of Internet governance responsibilities with the U.S. government ultimately relinquishing any further oversight authority.

While the JPA may indeed represent an important change, a closer examination of its terms suggests that there may be a hidden price tag behind ICANN's newfound path toward independence – the privacy of domain name registrants.

For the past five years, privacy has lingered as one of ICANN's most contentious policy issues.  Information on tens of millions of domain name registrants is contained in the "WHOIS database", which is readily available to anyone with Internet access.  Pre-dating ICANN, the database identifies the name, address, and other personal information of domain name registrants.

Privacy groups, including European data protection commissioners, have expressed misgivings about the mandatory collection and the disclosure of registrant personal information.  They note that domain name registrants are required to provide accurate registration information (failure to do so may result in a loss of the domain name) and that the open disclosure of this personal data may create a chilling effect on the registration of controversial websites where the registrant desires to remain anonymous.  For example, registrants in oppressive political regimes may need to hide their identity to avoid criminal prosecution, while corporate whistleblowers in North America could lose their jobs if their identities were discovered.

After years of debate, the ICANN community recently took baby steps toward eliminating the mandatory disclosure of personal information within the WHOIS database.  The U.S. government strenuously objected to the WHOIS reforms, arguing that law enforcement and intellectual property interests rely on easy availability of such data. Yet with the reforms, the data would be readily available to law enforcement, with the appropriate due process measures (such as court orders). The issue is whether the data should be available without any oversight.

Given that a newly independent ICANN might continue to pursue WHOIS reform, the U.S. government included a specific provision on the issue within the JPA.  It mandates ICANN to "continue to enforce existing policy relating to WHOIS, such existing policy requires that ICANN implement measures to maintain timely, unrestricted and public access to accurate and complete WHOIS information, including registrant, technical, billing and administrative contact information."

The implications of this clause seem clear – the U.S. government has undone five years of policy work that the Internet community has undertaken by requiring ICANN to enforce current WHOIS policies.  As discontent over the WHOIS issue mounted late last week, ICANN CEO Paul Twomey offered a strained interpretation of the clause, suggesting that he did not believe that it restricted future WHOIS reforms.

A more realistic take is that ICANN and the U.S. government have once again undermined the confidence of the Internet community and have provided a clear signal that the U.S. government is still reluctant to transfer its oversight authority.  In its zeal to obtain independence, it would appear that ICANN has bartered the privacy of millions of domain name registrants around the world.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.

2 Comments

  1. Neil Schwartzman says:

    Of course, ‘owning’ a domain name is a privilege not a right, and far from a necessity, and there are plenty of registrars that offer a cloaking service for a few bucks more than the cost of the yearly domain fees. Blocking out all domain registrants will hinder the investigations by many volunteer network abuse investigators whose work makes up the lion's share of the efforts, and without which the spam/virus/spyware load would go through the roof.

    For every example I can think of where there is an absolute need for a private whois record, I can supply about 100,000 examples of why spammers and other network abusers will be the first to avail themselves of that service if it is made the de facto standard. Yes, they enter intentionally erroneous data, but they do so in a patterned way which an experienced investigator can tie to a real person. 100,000 would be 100 days' worth of spam that hits my inbox, by the way. Yes, really.

  2. Mr. Geist, good article.
    Mr. Schwartzman, seek help. Perhaps in time you’ll learn to think in a patterned way that a reasonable person can tie to the real world.

    The information in the Whois database should be private and require the likes of a court order to obtain. Investigators would be able to obtain a spammer’s info just as easily as anyone else’s. There is no reason to treat it any differently than the customer information stored by an ISP.