Who is reading the WHOIS Review? Part 1

 

The Internet Corporation for Assigned Names and Numbers (ICANN) is a key part of the global machinery which keeps the internet going. ICANN does exactly what it says on the tin. Here is how ICANN itself describes its primary functions:

To reach another person on the Internet you have to type an address into your computer – a name or a number. That address has to be unique so computers know where to find each other. ICANN coordinates these unique identifiers across the world. Without that coordination we wouldn’t have one global Internet.

The Domain Name System

ICANN runs the domain name system. Your email or web site address ends in .eu, .de, .tv or what have you. That’s down to them. The letters at the end, after the final dot, signify your domain. Many of us use a country specific top level domain, like .uk, and then there are the first born, the giant generics of .com, .org and .net. Around the world there are hundreds of thousands of companies selling domain names. The key ones are the registrars. In one way or other the registrars’ authority and their ability to sell domain names traces back to ICANN.

Meanwhile on Mount Olympus

My past dealings with ICANN as an institution have been few, far between and unhappy.

I have only actually been to one full or “proper” ICANN meeting although for a while I played my part as a foot soldier in its online at-large world. Until I realised my life was draining away simply trying to keep up with the email exchanges. In these exchanges I often picked up more than a hint that, rather as Prometheus had brought fire to Earth, too many of my then fellow ICANNites felt they had given the mortal world the internet, which of course they hadn’t.

The ICANN meeting I attended was held in Brussels in the summer of 2010. I went at the invitation of and alongside the FBI and the UK’s Serious and Organized Crime Agency (SOCA). Ruben Rodriguez of INHOPE, the global association of internet hotlines was my partner. We were appearing before ICANN’s “Governmental Advisory Committee” (GAC).

The police had asked Ruben and I to speak directly to members of the GAC about the volume, nature and consequences of the trade in child abuse images on the internet, much of it happening through the web. But what lay behind this request?  What was it that the FBI and SOCA were after? And by the way it was clear the FBI and SOCA were speaking  for law enforcement agencies across the world including INTERPOL. They all shared the same views. The world’s police were arguing for improvements in WHOIS.

What is WHOIS?

ICANN maintains a list which is meant to contain the contact details of everybody who owns a domain. It is called WHOIS. The outrageous idea the police were putting forward, and Ruben and I were supporting, was that ICANN should make sure it contained accurate information.  Shocking! You can almost hear the jackboots. Where will it all end?

What’s the problem?

Why were the cops so agitated about something so simple? Not hard to work that one out. The level of inaccuracy in WHOIS is phenomenal. The police were absolutely categorical. In approaching 100% of the cases where they have to begin a criminal investigation into anything at all involving a dodgy web site the name and address of the owner of the site shown in WHOIS will be false. This means that, before they can even get to first base with an enquiry, they have to go through a series of other and more time-consuming, more expensive procedures.

In other words ICANN’s incompetence is costing the police time and money, time and money that wider society can ill afford. And it’s not just the police. Think about the vast superstructure of private security Departments inside or contracted to various companies. A significant proportion of their workload can be attributed to the holes created by the shortcomings of WHOIS. The registrars are supposed to investigate any complaints they receive alleging that any particular pieces of WHOIS data are inaccurate, but they are under no obligation to be proactive, to confirm the accuracy of the data at the point of acquisition or subsequently at renewal.

I have no doubt at all, even if the cops publicly deny it, this state of affairs means some investigations simply get dropped, or never get started, unless it is obvious that a serious threat to life or limb is involved. The constant buzz of annoying low level online crime, and the associated fear of crime that is part of the background noise of daily life in the 21st Century, is therefore at least in part attributable to ICANN’s self-regulatory failure.

The left hand is at odds with the right hand

Elsewhere other parts of the internet industry spend millions and millions promoting safety messages, advising us all to be careful when we log on to the internet, to be sceptical about extravagant promises and enticements made on the web. In the ICANN neck of the cyber woods, however, others are providing the gangsters with all possible assistance. You could not make it up.

Is there any other industry where, on a colossal scale, companies enter into agreements with apparent indifference as to the veracity of some otherwise and ordinarily important bits of information being provided to them? As long as they get paid, they don’t care, or that’s how it seems. Welcome to my world. Welcome to the internet. It’s pretty close to criminal negligence.

Let me go back on that a bit. The people responsible for this muddle do care in a very general sense. They would, of course, prefer the other contracting party not to be naughty. It’s just that, so far, enough of them haven’t cared enough to stir themselves to do anything meaningful about it. I appreciate that by no means all or even most of the inaccuracies in WHOIS are deliberate lies linked to criminal organizations or individuals bent on profiting from unlawful behaviour, but too many of them fit that bill.

And what does this tells us about ICANN?

Think about what this little insight reveals. ICANN was established in 1998 when it inherited the pre-existing WHOIS system. That system was first established in 1982 and updated in 1985, years before the worldwide web came along and the explosion in internet usage began.  In all the time that has elapsed since, as our Olympians hopped from cloud to cloud, they could not find the time, the resources or the inclination to eliminate practices which in any other walk of life would have been considered, not mildly off-beam or only just wide of the mark but utterly insane. Their alibi for inaction expired a long time ago. Who benefits from this?

There aren’t many rooms you can go into on this planet and, as I have done, in effect hear people make the positive case for acquiescing in or accepting lying. You don’t often hear mendacity applauded or see papers which, by deliberately refusing to make enforcement mechanisms obligatory, on the contrary elevate untruthfulness and allow it to continue to be enshrined as an officially approved or at any rate a benignly tolerated policy.

What was that song by Liza Minelli called?

Often what stands behind this whimsy is self-interest or, to give it a less complicated name, money. The people who make their living in the chain that sells domain names do not want to have to make the investment in putting in place systems that will allow them to check the details of people’s names and addresses. They worry that, if they do, the extra bureaucracy that might, only might, also be involved and the higher prices which may result will put off too many people from buying a new domain name in the first place or from maintaining an existing one. This means revenues could fall. Oh dear.

Such an unadorned, nakedly financial argument is not calculated to set anyone’s blood racing or heart pounding, other than, of course, the shareholders of the companies whose income may be heading south. This is where cynicism and calculation kick in. They furnish the gullible with superficially plausible arguments and let them ride to their rescue. Add a little bit of smoke and mirrors, talk a lot about the need for consensus, sprinkle a few lobbyists and PR agents about the place and bingo! The cash cow’s life is extended and extended beyond any reasonable expectation. Maybe they know that one day the game will be up but, hey, if they can keep it going for a little longer it might just pay for the second yacht in the marina. They can learn frugality later.

Price elasticity of demand

One non-argument you hear is that making domain names dearer, changing the price from, say, £10 to £12, or even £20, would have a chilling effect on economic growth. By the way, to take the UK as an example, I don’t think anyone sells any top level domain names for as much as £10 at the moment so here I’m being generous.

My point is, at least in most of the developed world, domain names cost practically nothing so making them cost, perhaps, nothing plus a little bit extra, is likely to have an immeasurably small impact on any country’s or the global economy, even in “normal” times (should those halcyon days ever return). To put it another way, the cost of the domain name relative to the costs of anything you might do with it, can barely figure in any serious equations. Some non-country domain names sell for sums considerably more than £10 to no obvious ill effect, although I concede they are not directly comparable products.

Is it the same in the developing world? I have not seen any data on the range of potential impacts on developing world economies or on internet take up in the developing world which might flow from alterations to domain name pricing. From the brief investigation I carried out the prices being charged in several places in Asia and Africa at the moment are already eye-wateringly high. So high, in fact, that either something else is going on or maybe I only managed to find premium rate dealers. Alternatively it seems to me the fees in at least some parts of the developing world could perfectly well accommodate any increased costs that might be entailed by the need to validate the data at the time of purchase or renewal.

For a few dollars more 

Anyway it is hard to believe that an alternative Amazon or PayPal would be stillborn because a new Jeff Bezos or Peter Thiel could not find £20, or that they were deterred by having to wait for a short period until their credentials were checked and cleared.

But even if higher prices or minor delays did put some people off is that a good enough reason why the rest of us have to endure the current painful consequences? I don’t think so. If they were discouraged by a comparatively small uplift in the price of the domain (please do not talk to me about percentages: 50% of nothing is still nothing) isn’t it quite likely that they were weakly attached to the idea to begin with? Any other small side wind would be just as likely to deter or divert them.

However, let’s assume such changes did kill off or greatly reduce the number of spur of the moment impulse buys or major speculative purchases of domain names thereby reducing sellers’ revenues significantly. By how much would the general price level of domain names have to increase in order to maintain registrars and registries as going concerns? Could we live with that? I suspect we probably could.

Or maybe the whole way we sell and administer domains is just wrong? Instead of selling them maybe we should be giving them away with grants or loans to help would-be online entrepreneurs get going? Every citizen or family gets their own domain name along with their social security number or tax code? OK. Maybe these ideas are a bit wild. All I’m saying is it doesn’t always have to be the way it is. I mean what we have at the moment does not prove beyond peradventure that free market mechanisms are alive and well producing the best obtainable results.

If the internet is so central to the operation of our national and the global economies and how we live our lives today, why should the interests of, to be frank, relatively marginal players be given such weight? If the industry can collectively gird itself, finally, to make the transition from IPv4 to IPv6, sorting out a new and better way of providing domain names ought to be a walk in the park. It might take several years to complete the walk, but identifying where and how to take the first steps is not hard if you really want to do it and you are willing to acknowledge not everybody will or can be happy about it.

Totalitarianism

Moving on, seemingly some people who defend or are willing to allow large scale inaccuracy believe that requiring everyone to tell the verified truth about their personal contact details when they buy or renew a domain name is just the thing certain tyrants have been waiting for in their never ending quest to identify dissidents and suppress free speech. Control of global internet policy-making has been handed over to the least progressive Governments in the world. Brilliant. Whoever drove us into this cul de sac should be given a big medal.

I’m trying to conjure up in my mind a putative dissident in a country where the rule of law is not respected, where political liberties are so narrowly restricted that owning a web site but choosing to call yourself Mickey Mouse and telling fibs about your where you live is the only serious weapon left in your armoury. It’s complete baloney.

Authoritarian regimes have many ways of and many tools for rooting out opponents, online and off. Only a truly incompetent subversive would choose to set up their own domain name as his or her channel of choice for reaching out to the hoodwinked masses. Cyber samizdat needs a little more cunning. The people who principally benefit from the present mess are scam artists and divers criminals.

There is definitely a case for anonymity

If you were engaged in lawful but sensitive activities I can see why you might not want your name and address permanently on public view. The risk of a brick through the window or a knock on the door at midnight could be too high. There may even be local laws restricting the publication of such data or making it optional for some national registries.

But at the end of the day there is no good argument which says anyone and everyone can lie because, by default, nothing will be done to prevent it, or that any and every type of entity which can buy a domain name can opt for anonymity simply because they prefer it that way. There could be a greater public interest in compelling disclosure. We don’t allow anonymity in several areas of economic or civic life. What is so different about buying a domain name which takes it to another place?

Thus there is certainly a case for allowing people to buy or own domain names and for their names not to be published or not to be instantly viewable to everyone everywhere. Their details could be held, for example, by a trusted proxy only being handed over to law enforcement or other third parties with a legitimate interest following due process.

A substantial, unregulated industry has grown up ad hoc to provide just such proxy and privacy services but the scale suggests it is being used by individuals or entities who, on any reasonable examination of the facts, have no real claim to need that kind of cover. It is being used simply as a convenient shield for, well, all sorts of things. Moreover this growth in anonymising services undermines the whole idea of having a WHOIS directory at all. If privacy and proxy services are going to be a permanent part of the landscape the principle should be debated and enforceable rules should be set to govern their operation.

Individual national registries, like my own dear Nominet in the UK, have been taking some steps to put things right of their own volition but looked at in the round, globally, we are a long way from being in a good place.

A shaft of light

I had more or less forgotten about the whole WHOIS business and consigned it to that bit of my brain where I store lost but virtuous causes. Until last week when I read what I can only describe as a truly wonderful report.

I hope I am not revealing too much about the geeky side of my nature when I say I found the document completely riveting. It is beautifully and concisely written in crisp, clear, accessible English. I’m not so good at concise (as if you hadn’t noticed) but I always know it when I see it, even in a document that is 92 pages long. I was disappointed with one aspect of the paper but in the greater scheme of things the burden of the report is an extremely refreshing blast of fresh air.

How to induce a big yawn

The document goes under the less than electrifying or attention grabbing name of “The WHOIS Review Team Draft Report”. I think it should have been given a name like “The Unbelievable Truth About How The Internet Is Run And How It Killed My Pet Dog”. Alright. I withdraw that. There is just so far you should be willing to go in order to attract publicity but here’s the thing: anybody reading the report is bound to wonder, if “they” can’t sort out something as obvious and apparently simple as gathering the names and addresses of people buying domain names, and “they’ve” been able to keep it under wraps for so long, what else might “they” be screwing up that we don’t yet know about?

Going back to a theme I picked up earlier, given the importance of the internet to how the world works, are the people running ICANN and are ICANN’s decision-making processes fit for purpose? The emphasis ICANN places on the need to develop a consensus before moving forward on policy seems to me, however laudable and desirable at a stratospheric level, when it gets right down to the nitty gritty it can too easily guarantee gridlock, producing stalemate. There has to be a moment when a bit of decisive leadership is needed to get things going.

Do we need to make a radical break with the whole ICANN system and strike off in a new direction with new institutions? I think the answer to that is “no”, but until we see how ICANN responds to the Review Team’s recommendations others may well suspend judgement. There are powerful forces patrolling the corridors of power who would like to see ICANN consigned to the rubbish bin of history and its inglorious record on WHOIS helps them make their case.

In my next blog I will not heap any more praise on the writing but I will tell you what I think about the content of the WHOIS report in some detail. I will also discuss the one area where I think they flunked. But I will do it concisely. Honest.

About John Carr

John Carr is a member of the Executive Board of the UK Council on Child Internet Safety, the British Government's principal advisory body for online safety and security for children and young people. In the summer of 2013 he was appointed as an adviser to Bangkok-based ECPAT International. Amongst other things John is or has been a Senior Expert Adviser to the United Nations, ITU, the European Union, a member of the Executive Board of the European NGO Alliance for Child Safety Online, Secretary of the UK's Children's Charities' Coalition on Internet Safety. John has advised many of the world's largest internet companies on online child safety. In June, 2012, John was a appointed a Visiting Senior Fellow at the London School of Economics and Political Science. More: http://johncarrcv.blogspot.com
This entry was posted in Default settings, ICANN, Internet governance, Self-regulation. Bookmark the permalink.

One Response to Who is reading the WHOIS Review? Part 1

  1. Wow! Finally I ggot a weblog from wheree I be capable oof in fact get helpful fats concerning mmy study and knowledge.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s