IP Holders Press For Access To WHOIS Data

Stony Stevenson writes to tell us that the battle for access to whois data remains at a stalemate this week. "In a blog post on the Internet Governance Project's (IGP) Web site, Milton Mueller, Professor and Director of the Telecommunications Network Management Program at the Syracuse University School of Information Studies and a partner in the IGP, details the Final Outcomes Report of the WHOIS Working Group, published on Tuesday, and inability of the various stakeholders to reach any kind of consensus."

I can hear the rationale now...

[Red_Foreman]

I imagine the board meeting went like this:

"Clearly, Simmons, everyone who has an internet connection is a potential criminal, and we need to keep tabs on these potential criminals in case they, at some point, intentionally break international copyright law."

"Here, here!"

"So we need access to this data, and if anyone opposes it - they must be hiding something other than just a guilty conscience."

"Besides, we're doing it for the children."

Article Summary

[David+Chappell]

The article summary is vague to the point that one is unsure what the subject of the article is. The "IP holders" of the title are trademark registrants of companies which help trademark registrants identify possible infringement. The Whois data referred to is not the public data to which we all have access. Rather it is the names and addresses of the actually domain name registrants in those cases where the domain registrar is acting as a proxy and has placed its own contact information in the public Whois database. The dispute is about who should have access to this secret data and under what circumstances.

Re:Article Summary

[Overzeetop]

Personally, I think private domains should be illegal. A contact name and physical address, if not phone number and working email, should be required of every domain owner. If this "real estate" on the internet is so valuable, make the disclosure regulations match physical real estate.

Now get off my lawn...

Re:Article Summary

[Neil+Watson]

I think domain owners deserve some privacy both from shady marketers and from Internet crack-pots.

Re:Article Summary

[JasterBobaMereel]

The usual problem here is the Internet is not in the USA it is global - so which Police, which Government should have access to this information?

Re:Article Summary

[IBBoard]

I think that's taking it a bit too far. Personally, I think they should roll out something similar to UK domains across on to .coms as well.

With a .uk then you have to show your details unless you are a non-trading individual. If you are such an individual (like me, who run sites as hobbies) then you can opt out of having your details shown and it's free and done by Nominet, not the individual companies you buy domains from.

While I can see a reason for companies not to be able to hide their details (it gives you a definite address for them that you can then match to a trading location, assuming its real), I think individuals have a right to not have their details easily available on the 'net for anyone with a vigilante inclination to be able to find and abuse.

Re:Article Summary

[jcnnghm]

Spoken like someone who doesn't receive fake renewal notices for tens of domains a month from shady vendors, all gleaned from the whois records. I wish private records had existed when I first started registering domains, they won't do me any good at this point. What is unacceptable about contact via proxy?

Re:Article Summary

[Jeff+DeMaagd]

I don't think the comparison to real estate is very apt. There are enough differences such that we can't randomly apply parts of the real estate paradigm to it without thinking it through. This type of "real estate" doesn't have clearly defined neighbors, aaa.com can be a gawdy site and still not hurt aab.com because almost nobody would think to assocate the two as neighbors.

I also think that while being anonymous has some problems, having your information out there where anyone can get it can invite trouble. Upset the wrong person with a certain message on your site and you might get a stalker or worse.

Re:Article Summary

[Stanislav_J]

There already are legal procedures in place to balance personal privacy and security (keeping any miscellaneous yahoo from accessing your info for wrongdoing) with the needs of law enforcement. If someone has sufficient evidence that a particular domain holder is up to no good, then they can go before a judge and get a court order for the information to be released. That is how it is SUPPOSED to work in our system. If they don't have sufficient evidence to start with, then it is the proverbial fishing expedition and should not be allowed. It shouldn't be that hard -- after all, if their website is accessible, and clearly is in violation of some law, that should already be sufficient grounds and a slam dunk to get the info. Almost all registrars provide private domain registration, but also will happily cough up the goods if handed a legal order of some sort. That's the balance. Prosecutors can easily get the legal justification for what they want if they would bother to do so -- they just increasingly don't want to bother.

Unfortunately, in this day and age of warrentless wiretapping and the like by the Feds, I imagine investigators at every level are starting to press for wider powers and latitude in this area. They probably think "the Big Boys(TM) don't have to jump through all these hoops, so why should we have to?" Just another way in which the Bushies are cultivating a culture of "anything goes" when fighting the bad guys, and slowly eroding respect for the priciples and checks and balances that have protected us for so long.

Re:Article Summary

[IBBoard]

There's always borderline cases, but from a quick skim of their rules then I think Canada has it right. As long as you've got a presence in the country (citizen or company) then you have a reason to have a domain. I had an old domain that got snapped up by an American from New Jersey, though. Why would they have need to have a .uk presence? Surely a .com or even (logic forbid) a .us would be more applicable.

I could agree that citizenship would be difficult to enforce (although I guess the Canadians do it somehow) but residency should be easy enough and very fair from the point of view of the residents - you just need a valid address in the UK. Again, you could fake it, but then you get screwed when they try to send some required information to you.

BS

[wytcld]

"If there is no reform they can continue to sell privacy to their users using proxy registrations, making profits that far exceed those they make on normal domain name registrations," said Mueller.

The registrars I've used charge nothing to substitute their own details for the registrants in the public WHOIS response. And their "profits far in excess"? On the $15-a-year fees, they're welcome to any profit they can take.

Why do people like Mueller always lie?

Re:BS

[value_added]

The registrars I've used charge nothing to substitute their own details for the registrants in the public WHOIS response. And their "profits far in excess"? On the $15-a-year fees, they're welcome to any profit they can take.

Well, I'm sure there's sellers on eBay that don't charge for shipping, but the ones I've dealt with always do. ;-) Godaddy charges $6.99 per year for private registation.

As a side note, people on DSL (cable?) connections may want to a whois lookup on their own address. I was miffed when I discovered my personal info published. Asking my provider to mask the private information required a formal request, but unlike some registars, they did it for free.

Not just for IP.

[bladel]

While I consider myself anti-authoritarian, I recognize that there are some situations in which law enforcement and other parties have a legitimate right to pierce the anonymity of private registrations. If someone is operating a site hosting child porn or other illegal materials, the registrar should be required to give up the registrant.

Also, consider the case where a domain / site has been hijacked (or reverse-hijacked) by a thief hiding behind proxy services at a different registrar. The victim and victim's registrar cannot reliably identify them, and the Registry Operator won't get involved outside of invoking arbitration.

So keep the lawyers out, but establish some authority (Internet version of a FISA court) that can pierce anonymous registrations.

Re:Not just for IP.

[damn_registrars]

If someone is operating a site hosting child porn or other illegal materials, the registrar should be required to give up the registrant.

Unfortunately, one problem with this comes down to defining "illegal materials". By who's laws should that be dictated? There are some countries where child porn is considered more or less acceptable, and plenty of countries where the age of consent is something other than what it is here. All that the owner would have to do to claim that they are not in violation of the law is either have their registered domain or their hosting in a country where whatever they are doing is OK.

Re:Not just for IP.

[autocracy]

I just wanted to comment that you are truly insane, and that there should be no urgency for the government to request "real" details of an IP that can't be handled by means of a warrant. There's a reason for that concept.

Re:The truth about Slashdot

[razorh]

I hate you! and so does my cat! don't you snookems? yes you do, you know you do, you're a good little kitty aren't you?

I still oppose anonymous registration

[damn_registrars]

I've said this before, and I'll say it again. Registrars are a big part of the spam problem. And the fact that they will sell (or provide freely) registration obfuscation services to withhold meaningful registrant contact data shows that many registrars are still in bed with the criminal spammers.

Come on, if you really have some reason to keep your registration data private, there are better ways to do it than letting your registrar do it for you. You could just as well get a PO box and use a free email account somewhere, which would accomplish the same thing but still have some degree of accountability. As it is, registrars have been able to withhold the contact information for their clients and there's been no accountability anywhere.

Re:I still oppose anonymous registration

[IBBoard]

You could just as well get a PO box...

Taking my former blog site as an example:

I run a private little website as a hobby.
I pay $25 per year for hosting (reasonable quality host, 75MB disk space and 3GB monthly bandwidth, email, the lot).
I pay £3.69 per year (~$7-$8) for a .co.uk domain or $9 per year for a .com.

Total normally: about $35 per year, tops.

The Registrars follow your "must show details" and I suddenly have to pay £58 per year (~$120) to get a PO Box, or twice that if I don't want to have to keep checking it but instead have it delivered to my real address? (UK PO Box prices)

Total with PO Box: at least $150 to $250!

I think the only thing I can say there is "WTF? Hell, no!" That's a ridiculous amount of expense compared to the website itself.

Re:I still oppose anonymous registration

[IBBoard]

As I mentioned in another comment, I'm all for companies having their details published but not individuals. Companies have a need to be accountable. Individuals can be traced through their registrar for legal issues, but aren't accountable in the same way.

Profit is a bit of a bad example, though. Anything that is the face of a company or other such sales person is more reasonable. Something along those lines covers the spammed drugs sites and the like, but allows for bloggers and individuals to 'make a profit' through affiliate links and AdWords etc.

I doubt seeing details would help work out where spammers are, though. All they'll end up doing is providing false details. ICANN say they'll terminate domains where they can't contact the owner, but how many times do they actually try to contact them?

they need to stop the WHOIS spam first...

I use unique email addresses for almost everything online (slashdot.org@mydomainname, etc) so that I can track and block spam effectively. 99% of my spam (about 3000 per month that makes it to my spam folder in Gmail) is sent to technicalContact@mydomainname or administrativeContact@mydomainname or something similar that I have used in registering domains.

I'd be happy if they could just keep my email address private without charging extra for that.

Vagueness

[benhocking]

The article summary is vague to the point that one is unsure what the subject of the article is.

My first thought was that the holders of internet protocol addresses wanted access to all of the data stored about them in the WHOIS database. I had to actually RTFA (the horror!) to figure out that IP meant intellectual property and not internet protocol.

Same standard as corporations would be fine.

[raehl]

In most US states, each corporation is only required to maintain a registered agent address on file with the state, so anyone who needs to contact your organization can do so. The registered agent can be anyone, so for example, you might have your lawyer be your registered agent, and anyone who wants to know who owns the company has to go through him.

We've currently got the same system with domain names - your registrar can act as your registered agent, serving as a barrier between the public and you. If someone has a legitimate need to contact you, they can do so through your registrar. If not, they can't. I don't see any reason to change this.

Why change what already works?

[WalkingBear]

There is a perfectly good system in place (at least in the US) for people who have a legal right to access the private information of a domain registrant. It's called due process.

If you think someone is infringing on your trademark, committing fraud, or some other illegal or actionable offense, then you go before a judge and request the court issue a demand for that information.

Yes, it's expensive. Yes, it's a pain in the posterior. Yes, that is as it should be. The more difficult you make it to pierce the rightful barrier of privacy of an individual, the stronger that barrier is and the less capricious that piercing can be.

The courts are the place to go to acquire this information. The Markets make it profitable for legitimate companies to not hide that information.

Seems that's a pretty good system to me.

I don't know....

[kaitou]

As someone who owns a few relatively popular sites (+20k uniques daily) there have been times when people take a disliking to the sites and decide to harass me using my personal information, as I do not use whois protection (didn't use it in the beginning, and with whois history being easily accessible, it's rather pointless to start now), but a situation I am in right now is making me thing that the ownership information should be public. At least for .com, .net, .org and so on. .name which I believe is 'meant' for individuals could permit whois masking.

What happened is this. A friend of mine who also ran some relatively popular sites suddenly passed away. As his mother wasn't very knowledgeable about the internet at large, a person who had access to his servers at the time of his death decided to 'rescue' his sites, copied the data to his own servers, and then impersonated my friend, to transfer ownership from his Dotster account, to an ENOM account in the thiefs' name. He tried to do this with another name that was registered via Network Solutions, but they were "less helpful" in that.

Since he has WHOIS protection on all of his domains, it has been an uphill battle, to try and reclaim the work that my friend put in, from the thief. We tried working with GoDaddy and ENOM, but they have no interest in helping, after giving us a run around and telling us to indemnify them from any fault they may have had in it, ENOM ruled that this was an ownership dispute and not a transfer dispute and as such not something they want to deal with. GoDaddy who has been taking his money for years now has not even locked his old account, despite our efforts, so the thief keeps looking through it to find names he likes and moving them out. Both ENOM and GoDaddy are supposed to have internal dispute resolution departments, but neither is willing to take even a cursory look at such a cut and dried case of theft. There is no way my friend could've authorized his domains be moved more then a month after his death. (Sadly, I found out about this late, and had no easy way of reaching his mother for a while, so this happened before I was able to get in contact with them).

My friend is dead, we have his death certificate, we have the legal documentation that his mother is the executor of his estate (a horrible position to be in already), and we've been working since April now to try and reclaim at least part of what my friend has been working on throughout his life. The people who've worked with him on his other sites have been sitting on the fence, working more with the thief then with us, as the thief lets them pretend that they own those sites, and while they know he is wrong, they don't really think we will win.

At this point we've filed a UDRP motion on the basis of a common law trademark, since the domain is the business name my friend ran for eight years, but we can't do anything about the other sites that haven't been up for long, or domains that he never got around to using. There is no court of law that has jurisdiction here, because we don't know where the thief is based, and there is no guarantee that UDRP will see things properly, since they mainly look at it in trademark terms. When he was served with UDRP papers, the thief mirrored the site to another one of my friends old domains, and has the mirror running now, increasing his traffic that way.

If public ownership information had been required, I would like to think that people like the thief that we are dealing with would be more reticent to commit such acts of fraud with impunity. And some sort of a dispute process where registrars have to actually check what happened, and be able to resolve it. This should've been solved by GoDaddy who would be able to see that given that the account owner passed away, and the changes were made afterwards, that this is a pure case of fraud and told ENOM that the transfer was fradulent.

Corporations have to disclose more than that

[Animats]

Incorrect. Most states that aren't tax dodges (I'm looking at you Delaware) also require some combination of annual reports, corporate bylaws, and principals (often just managing partner).

Yes. I've been data-mining that data for SiteTruth, and it's amusing. No two states have the same format, although there's some similarity. Delaware provides less free info than most states. Some states have deliberate weaknesses in their data. Nevada, for example, doesn't require that changes in corporate officers be reported, so many out of state Nevada corporations have the same guy at a corporation service listed as President.

But that's OK. We're working on recognizing certain common patterns. Like "Incorporation state in low-disclosure states list AND NOT in business directories as having operations in incorporation state AND NOT in SEC Edgar AND NOT registered as foreign corporation in state where doing business IMPLIES slimeball".

Anonymous businesses deserve low search rankings. We're making that happen.