Privacy Policy Attorneys | WhoIs Privacy Debate: The Invisible Cybersquatter

Traverse Legal interview with Internet expert John R. Levine concerning the WHOIS online privacy debate.

The WHOIS registry is the domain name systems' legacy database; it contains names and contact information of all those who register Internet domains.  Many people who register domains pay extra to keep their registrant information private. Trademark holders complain that WHOIS privacy policy allows cybersquatters to hide their identity and makes it difficult for companies to protect their trademarks and brands from domain and typo squatters. Cybersquatters often times enter inaccurate or intentionally fraudulent information into  WhoIs database to deter trademark registrants from asserting their rights.

The WHOIS privacy debate has become a hot topic for those interested in domain name registration, privacy rights on the internet, cybersquatting and the domain monetization industry.  In this interview with leading internet law expert John Levine, the WHOIS privacy debate is explained and explored. There are so many different interests involved in the whois issue, that it appears unlikely that ICANN will do anything to change WHOIS database in the near term.  Invalid WhoIs data is a problem but there is little being done to fix it. This is too bad since virtually everyone believes it is time for a change. 

Related links:  ICANN’s Whois Privacy Reforms Stalled /  If WHOIS Privacy is a Good Idea, Why is it Going Nowhere?

ANNOUNCER: Welcome to VTalk Radio Tech Spotlight with your host, Damien Allen.

DAMIEN: Good afternoon and welcome to the VTalk Radio Tech Spotlight. My name is Damien Allen, and today on the phone we have Mr. John R. Levine and the debate is all about WhoIs privacy.

John Levine is a writer and speaker who does consultation on internet and electronic mail and cyber security and all related topics.

He speaks to trade policy in general groups, he's testified for the Federal Trade Commission for the spam forum on the mechanics of spam. He co-founded the Domain Assurance Council, a non-profit industry consortium that established standards for email certification security. He served as an expert witness on a variety of computer topics including email spam, compilors software, and graphic image file formats, and he's written many books on the internet and other computer topics. His books range from the best selling Internet for Dummies with over 7 million copies and 11 editions in print in a dozen languages, Fighting Spam for Dummies, and Windows Vista: The Complete Reference to books on computer language tools and graphics programming. Welcome to the VTalk Radio Tech Spotlight, John.

JOHN: Well, hi glad to be here.

DAMIEN: We are most happy to have you. Today's topic of course is: Who Is in the privacy debate that's going on. John, could you please tell me, What is the WhoIs Database?

JOHN: Whenever you register an internet domain, like a dot.com or a dot.org or a dot.net or any of the whole bunches of lessor known domains. When you register your domain, you're supposed to provide contact information. You're supposed to provide name and address, email address, phone number of the owner, and if there's a technical contact who is different provide that. If the billing contact is different, you provide that. The idea has always been that WHOIS is there so that if people have a question about your domain, or need to contact you about it, they can look it up and they can talk to you. And, to that extent it works fine. The problem with WHOIS is that it's also been subject to a fair amount of abuse. Spammers routinely scrape email addresses out of it which means that people get lots and lots of spam, and we also find that people claim, although I'm not sure I believe them, that they have had their personal details scraped out by people who wanted to stalk and harrass them. Although I find that less credible. The other issue is that a lot of places, particularly in Europe, if an individual is a registrant, there are privacy laws that limit how much public information you can publish about individuals. The claim has been made at least for those domains that are located in Europe which is none of the major ones, that they are subject to these European laws.

DAMIEN: And what are the restrictions on privacy from Europe compared to what we have here?

JOHN: Here in the US there's basically no privacy laws at all. Here in the US if you are a business, if you can scrape, steal, borrow, you know defraud, basically any scrap of personal information you can get about an individual for the most part you can use. I mean it's a national shame that we have no privacy laws at all. On the other hand, it's really sort of a side show with WHOIS, because if you look at the vast majority of internet domains, you know, let's just look at .com because it's bigger than all of the rest of them put together. The vast majority of domains in .com are in fact registered by organizations and businesses and no matter where you are in the world businesses do not have privacy rights, and if you're a business people need to know how to find you. And so, we have this tiny fraction of domains registered by individuals, and then if you go look at all the individuals on the internet, the vast majority of individuals on the internet will never register their name for any purpose. I mean like my, you know my mother-in-law is an avid internet user, you know, but she uses her ISP's domain. So what we're talking about is a tiny minority of internet users and a tiny minority of the registrants who are individuals who perhaps have some interest in WHOIS privacy. There's been a huge stink about what if anything to do to the WHOIS database to provide more privacy for this relatively small number of individual registrants.

DAMIEN: How does this database work in relationship to, "I wanna know who owns joeblow.com?" Now as Joe Smoe, John Q. Public I can go to this database and find out who supposedly owns this?

JOHN: Yeah, for the…there are two ways the WHOIS works. You can go to thick and thin. The traditional approach, the thin approach is if you go to Verisigns macro database for .com which is I believe it's crsnic.com. You can look up any registered domain and it will give you the skeleton information. It'll tell you when it expires and it will tell you who the registrar is. You can then turn around and go to the registrar who then will provide you with the rest of the contact information and this is deliberately available to the public. They put some rate limits on it. If you tried to look up a million registrations a day, they wouldn't let you do it, because there are very few people who have a legitimate reason to do that. Some other domains like .org, it's only one step. All the information is in the main WHOIS If you go to the .org WHOIS server, which I believe is at pir.org the domain that is sponsored. Again, you can look up any .org and you can find at least what's supposed to be the WHOIS data for any .org domains. So it really is available and it's not hard to find.

DAMIEN: And there is a WHOIS directory for all the dots, .com, .biz, .org, .net?

JOHN: It's for all of the domains that ICANN controls. Which is basically all of the 3-letter and greater domains. The 2-letter country domains are not managed by ICANN and they vary. For .us for example, there is a WHOIS database that's just like the one for .org, run by the same people in fact. For other countries and Canada and in Europe, there is somewhat less information because of the privacy issues and then in some small countries, it's run very informally and there is no WHOIS at all. But I think for the most part, for the domains you've actually heard of like .com, there is WHOIS data for all of them.

DAMIEN: And for clarification for our listeners, ICANN is the International Corporation for Assigned Names and Numbers who is supposedly the policing group for all domain registrars.

JOHN: I think they would argue about whether policing is their job, but we can talk about that in a little bit.

DAMIEN: Of course, my use of the word "policing" is broad and wide in spectrum. Of course, we're discussing the amount of discourse in the internet community concerning WHOIS privacy. What are the other basic standpoints of this issue? What are the things people are complaining the most about?

JOHN: You've got an incredibly wide range of positions on this. At one end, or what I might call the privacy freaks, of whom the best known to be are the Electronic Frontier Foundation. One of the EFF's major concerns is to make anonymous speech possible. In the US we have a long tradition of permitting anonymous speech, you know, like if you send a letter to your elected representatives, you know, even if you don't sign it, they're supposed to look at it. And there is no requirement in the US that you identify yourself and speak. So the EFF thinks that you shouldn't have to provide any contact information at all, you should be completely anonymous. And then it goes from there to again the Europeans who are more concerned with individual rights just for privacy rights for individuals, and if you go all the way to the other end, you have law enforcement who routinely use the WHOIS database to track down the usual array of crooks and scammers, fraudsters and pornographers, and the trademark lawyers who have always had, I believe, an undue influence on ICANN. And they are terribly concerned with cybersquatting which we'll probably talk about in a minute. But again, their concern is that if there is some intellectual property issues, or a copyright issue or a trademark issue, they want to be able to find exactly who from the WHOIS database, they want to find out exactly to whom they send the lawyer letters and the lawsuits, you know so, at one end are the, you know we need all the data and more, and the other end is no, no, no it should all be private. Take your pick anywhere in between.

DAMIEN: Indeed. We are in the studio today with Mr. John Levine and we are discussing the WHOIS database and the controversy surrrounding it. You are listening to the VTalk Radio Tech Spotlight. We're going to take a short break for these commercial interruptions and we'll be right back.

ANNOUNCER: This VTalk Radio Spotlight is brought to you by www.traverslegal.com , a high-tech law firm providing international representation in business technology, intellectual property, Digital Millenium and Copyright Act ligitation, domain name disputes, cybersquatting matters, and complex litigation matters. You can contact Traverse Legal through its website at www.traverselegal.com.

VTALK RADIO: VTalk Radio.

ANNOUNCER: We now return you to the VTalk Radio Tech Spotlight, only on vtalkradio.com .

DAMIEN: Welcome back to the VTalk Radio Tech Spotlight. I am Damien Allen and today we are in the studio via phone with John R. Levine discussing the WHOIS database and the controversy surrounding it with the privacy act. Welcome back to the program, John.

JOHN: Hello again.

DAMIEN: Well, we've been discussing what's been going on and the controversy involved in all this, and we've mentioned cybersquatting at the end of the last segment. What is the relationship between cybersquatting and the current debate?

JOHN: It's pretty congential. Cybersquatting is when somebody registers a domain typically to harrass or impersonate somebody with a similar name. For example, if I registered yahoo with three o's or a "0" instead of an "o" or something. The goal there would clearly be to siphon off traffic intended for Yahoo and there are straightforward legal reasons why that's a violation of trademark law. So the intellectual property lawyers want to be able to identify people doing this kind of cybersquatting and chase them away. Now, having said that, it turns out that the main issue with WHOIS privacy is only tangentially about cybersquatting because with cybersquatting you can always go after the registrar or registry, because we don't care who's behind this, we want to shut it down. So it certainly makes it easier for them to deal with cybersquatters if the WHOIS data is all there. But it's not as essential as it is for some of the law enforcement and abuse uses.

DAMIEN: Allright. And as ICANN is supposedly the body that is supposed look out for these things. What is ICANN doing on this?

JOHN: Well, kinda. ICANN has what's known as the Uniform Dispute Resolution Policy which is pages and pages of legalese. You know, they have a list of approved arbitrators who are supposed to follow procedures and it takes a while and several thousand dollars. So, again we could have a whole separate issue about whether the remedies for cybersquatting are on the one hand too slow and on the other hand too onerous for people who are being harrassed by overly aggressive trademark owners. But, I think what everybody agrees is that whatever the process is, it's not very good, and ICANN should do something better.

DAMIEN: Why is this issue, we talked about the thick and thin version of it and we've talked about differences between Europe and America, why is there not one standard for all of it.

JOHN: Well the reason there is not one standard basically is that there is more than one country in the world. But ICANN is located in the US so historically it's been controlled by US laws and US traditions. And then there has been a series of working groups and task forces and stuff attempting to come up with some changes to the current WHOIS rules, but they have I think been dominated by people who are better at advocacy than at politics. And this is essentially a political process which we can get into it a little more and you simply end up with the people shouting at each other. On the one hand there is academics and privacy advocates who are saying, "It's gotta be more private." and on the other hand you have the people say, "We need all the existing data." and then in the middle you have the registrars who say, "We don't care what you do as long as it doesn't cost us anything extra." So it's just been a stalemate.

DAMIEN: What is your opinion of what should happen and what will actually happen next on this debate?

JOHN: What I think actually will happen is probably nothing. Because I don't see any likely change to stalemate. And I've said in some of my blog postings, the problem is that this is a political process and it's fundamentally about money. The reason it's fundamentally about money is that if you are willing to spend enough money, you can be as private as you want. You know, even with the most onerous WHOIS disclosure rules. I mean I could pay a few hundred bucks to my lawyer to register stuff as my proxy. If I wanted to pay $200 more I could find a lawyer somewhere on the Caymen Islands where the law makes it much easier for him to blow off subpoenas. So if I really want to be anonymous, I can be anonymous. The question is how easy should it be? And, one of the issues that has always just paralyzed it, is that the privacy people say, "We want to be more anonymous, we're not willing to spend any money on it at all, we just have to change" and the other parties are saying, "Well, no." The only way it's likely to change is if we can get some horse trading going on. And the one thing that the pro-privacy group could offer, although they haven't yet, is to make the underlying WHOIS data, more accurate. The way it is now, although in theory ICANN has a policy for policing WHOIS data that is not valid, in practice, if you go through the WHOIS database, you'll find random garbage that clearly never could have been right. Phone numbers are the wrong number of digits, you know, street addresses that don't exist. Some of it are people with nefarious purposes. Some people don't want to get the junk mail. But whatever it is, although the majority of WHOIS is correct, there's a lot of stuff which is wrong. So if the privacy advocates would say, well ok, we want to have a level of cloaking, where you need to go to operational point of contact, basically a registrar level proxy to find out who is behind there. If there was some guarantee that once you went through this contact that the data they would reveal would be accurate then the pro-data people would say, oh, well in that case, you know let's talk about what can we do. It might be a little harder for us to get to the data, but if the data we actually get to is better, then you know, overall we are ahead because then we don't have to do the second level of tracing when people lie. Some of the layers … there's this whole layer of stuff you might want registrars to do. The registrars who run on extremely thin margins. I mean if you pay $9.00 for a domain registration, you know, $6 goes to the registry. So you know registrars working for a couple of dollars per registration, they simply do not have enough money to do significant validation. Within the current proposal, the one with the proxy, they're not even willing to validate that the proxy is real much less the data behind the proxy is real. So, if there were better politicians here, and if people were more willing to try and figure out something that might be less perfect for them in one direction, but more perfect in other directions. You know it comes down to your classic political compromise where nobody's perfectly happy, but everybody agrees that in some way it is better than they are now, you might get some progress. At this point, because of the people involved in the debate and particularly the people who want more privacy simply are not politically very skillful. You know they haven't made their coalitions. You know so, I think what we're gonna see is, is we're gonna see round after round after round of people arguing past each other and stalemating and nothing is gonna happen and even if something were to happen, the trademark lawyers are so upset about this that if there's any net loss in information to them, they would certainly sue ICANN and ICANN has a history of caving into lawsuits. So the short answer to your question is there's a lot of stuff that could happen in a more perfect world, but in this world I don't think it's gonna change.

DAMIEN: This is promising to be a debate that is going to go on forever and ever and ever at this point of time. We are speaking today with John Levine. Thank you very much for joining us today, John, and giving us a little bit of insight into this debate. You can reach John at his web site at www.johnlevine.com . John speaks and consults on all internet aspects with electronic mail, cybersecurity and this issue, the WHOIS You can find his blog there where he writes about it and tells you what he thinks is going on and what's going on in the world as far as internet security, email and spam and such related topics. Again, his website is www.johnlevine.com. Thank you very much for joining us today, John.

JOHN: It's been my pleasure.

DAMIEN: You have been listening to the VTalk Radio Tech Spotlight. This is Damien Allen. Thank you for joining us. Have a good afternoon.

VTALK RADIO: You have been listening to the VTalk Radio Spotlight. Only on vtalkradio.com. Radio for the 21st century. This VTalk Radio Spotlight is brought to you by www.traverslegal.com , a high-tech law firm providing international representation in business technology, intellectual property, Digital Millenium and Copyright Act litigation, domain name disputes, cybersquatting matters, and complex litigation matters. You can contact Traverse Legal through its website at www.traverselegal.com.