Internet Policymakers May Punt on Privacy Issue

By Brian Krebs Staff Writer
Tuesday, October 30, 2007; 6:54 PM

The nonprofit organization that manages the Internet's domain-name system is set to vote Wednesday on changes to the Web site registration process that would make it easier for people to shield their identities online and, indirectly, cut spammers off from an easy-to-mine database of legitimate e-mail addresses.

The proposed change to the public Web site registration database -- known as "WHOIS" -- is expected to be considered Wednesday by the Internet Corporation for Assigned Names and Numbers (ICANN), the Los Angeles-based group that oversees key technical matters governing how computers communicate over the Internet.

Under the existing process, any person or entity that registers a Web site name is required to provide their name, e-mail and physical addresses, and a telephone number. The information is then entered into a publicly searchable database.

Privacy groups say the domain registry has become a data-mining dream for marketers and spammers, who constantly trawl the database for new e-mail addresses. Opponents of any change in the system counter that the data is essential in resolving intellectual property disputes, aiding cyber crime investigations, and helping computer security experts quickly shutter fraudulent Web sites.

Under the change being debated Wednesday at an ICANN meeting in Los Angeles, Web site owners would still be required to provide accurate contact information when registering a Web site. But domain registrants could opt out of having their personal information published to a public database. Instead, they would be permitted to list a third-party contact -- such as the Web site registrar that sold the domain name to the registrant. The third party would then route any legal, technical or operational inquiries to the registrant.

Wendy Seltzer, a visiting cyber law professor at Northeastern University School of Law and a fellow at the Berkman Center for Internet & Society, took issue with arguments that the open database aides law enforcement and security experts. While legitimate Web site owners may not understand that the information they provide will be entered into a public database, she said, scam artists and shady Web site operators rarely provide their true credentials. Seltzer also noted that the current system violates European data protection laws, which requires explicit consent from citizens before their personal data -- even addresses -- can be made public.

"There are limited ways in which this information is actually helpful and there are good reasons for due process protections here," Seltzer said. "Sure, having an open database of this information is convenient for law enforcement and intellectual property owners, but it's also been convenient to plenty of spammers and stalkers and harassers."

But Dave Jevans, chairman of the Anti-Phishing Working Group, an industry consortium of banks, Internet service providers and big businesses intent on protecting their brands online, said even purely fraudulent information entered into the WHOIS database can help companies protect their name and customers from "phishing" Web sites, those that impersonated trusted companies to steal personal data from consumers.

Because many scam artists offer the same fake credentials or certain pieces of telltale data when registering multiple Web sites to used in future fraud scams, investigators can often identify a phishing or spam site before it even opens for business, Jevans said. Forcing law enforcement officials and companies to go through a third-party contact to find this information would allow criminals to keep their fraudulent Web sites active for longer periods, potentially ensnaring a greater number of victims.

"We understand that legitimate Web site owners don't want to be spammed because somebody harvested their WHOIS data, but we think it's important for there to be a rapid and efficient way for brand owners to investigate phishing and spam sites."

Also at stake is the ability of companies to police their brands for trademark and copyright infringement, said Steven J. Metalitz, counsel to the International Intellectual Property Alliance, which represents more than 1,900 companies worldwide. Changing the current requirements would only make it more difficult and costly for companies to resolve these disputes, Metalitz said.

An alternative proposal that ICANN will consider Wednesday would recognize the fact that there is little consensus on the WHOIS issue, absolving Web site registrars of their obligation to mandate collection of contact information from registrants. Privacy advocates say that faced with the potential loss of a publicly searchable WHOIS database, intellectual property owners and other constituencies that have resisted calls for change would have more of an incentive to devise a workable solution that might be more palatable to both sides.

But Milton Mueller, a partner in the Internet Governance Project and professor at Syracuse University, said he believes ICANN is likely to punt on the issue by voting for a third proposal currently on the table, which calls for additional studies on the privacy impact of the WHOIS database.

"The people who already have what they want now have an advantage, so why should they agree to change anything?" Mueller said.

Even if ICANN approves the privacy changes to WHOIS, it's not clear how long it would take to change the domain registration process. ICANN staff would need to re-write the contracts with domain registrars, and spell out the process for new registrants as well as how data might be redacted or changed for Web sites that have already been registered.

© 2007 The Washington Post Company