Commerce under pressure to clean up giant Web database

By William New

September 12, 2003

A little-known global database of Web site owners has grown into a significant worldwide cyber-crime tracking device-and a major source of concern to privacy advocates and foreign governments. Despite its growing importance, the so-called "Whois" data is plagued with inaccuracies, as well as technical, legal, and ethical problems. The Commerce Department is facing increasing pressure to clean it up.

As the creator of the Internet, the U.S. government remains responsible for ensuring its stability and competitiveness. For this task, it created a nonprofit corporation in 1998 that is growing up in its own right: the Internet Corporation for Assigned Names and Numbers. ICANN, which is based in Los Angeles, manages the domain-name system for Web site addresses with endings such as .com, .net, and .org. It operates under a memorandum of understanding with the Commerce Department. The agreement expires on September 30.

To obtain a domain name, an applicant must pay a domain-name retailer, or registrar. Registrars are required, through contracts with ICANN, to collect personal information about the registrant, keep it up to date, and make it public. This information, mainly contact details, is the Whois data, and it is coming under intense scrutiny from a variety of Internet constituencies.

Registrars are also required to offer "bulk" access to the entire database for anyone paying up to $10,000 annually for it.

Many Internet users and others who benefit from the Internet are pressing Commerce to require improvements in the Whois data as part of the renewal of the agreement with ICANN. But last week, Commerce General Counsel Theodore Kassinger told a House subcommittee that that would not be among the top priorities for a likely multiyear extension of the deal. That was not what subcommittee Chairman Lamar Smith, R-Texas, and ranking Democrat Howard Berman of California were hoping to hear.

"Despite the demonstrated need and obligation of the Department of Commerce, ICANN, and registrars to provide access to accurate Whois data, there is an astonishing lack of enforcement of these contractual terms," Smith said at the outset of the September 4 hearing of the House Judiciary's Subcommittee on Courts, the Internet, and Intellectual Property, which he chairs. He said it is "inexcusable" that no registrar has lost accreditation for failing to honor its Whois commitments, despite widespread problems.

Also "inexcusable," Smith said, is the fact that in its extension of its agreement with ICANN, Commerce intends to add a list of seven "milestones" to assess ICANN's future performance, but none deal directly with Whois, contract enforcement, or intellectual-property protections.

Smith told National Journal that he would consider legislation to fix the data problems if Commerce fails to act. "We're going to wait and see if the Department of Commerce takes sufficient actions to clean up the database and make it more useful and more reliable to everyone involved," he said.

Despite Kassinger's comments, Smith said he hopes Commerce's new agreement with ICANN "will contain a major enforcement component, where contracts will be enforced and registrars or individuals may be dropped if they do not provide accurate information in a timely fashion." Kassinger said in the hearing that Commerce lacks the legal authority to force registrars to comply, and that Commerce is not ICANN's regulator.

"If Commerce is not ICANN's regulator, then who is?" countered Susan Crawford, a professor at the Cardozo School of Law in New York City. "ICANN's only powers extend from its [memorandum of understanding] with the Department of Commerce."

The Whois database affects a large number of people. For instance, network administrators need it to fix Internet problems. Law enforcement and people targeting unsolicited e-mail, or spam, increasingly rely on the database.

Investigators at the FBI Cyber Division use the Whois database "almost every day," James Farnan, the division's deputy assistant director, told the subcommittee. Farnan described how agents used subpoenaed Whois data to find the owner of a Web site containing child pornography. If the data is inaccurate, officers can serve a subpoena on the registrars to obtain the real identity of the domain owner through the credit card information used to purchase the domain name. But not every registrar authenticates payment information, so stolen credit cards can be used.

John LoGalbo, a trial lawyer in the Justice Department's Computer Crime and Intellectual Property Section, told an ICANN meeting in June that access to Whois data cuts through "layers of complexity and delay" in international investigations. The Federal Trade Commission has also publicly proclaimed the importance of the data.

Privacy advocates note that investigating fraud is only one use of the database. The Electronic Privacy Information Center said in its newly released global survey on privacy and human rights that Whois data is available to anyone who uses the Internet, "including stalkers, corrupt governments cracking down on dissidents, spammers, aggressive intellectual-property lawyers, [and] police agents without legal authority."

Alan Davidson of the Center for Democracy and Technology, in a letter submitted to the House subcommittee for the September 4 hearing, argued that safeguards for privacy and security are the best way to get law-abiding people to provide accurate data.

Kathy Kleiman, a lawyer at McLeod, Watkinson and Miller in Washington and one of the founders of ICANN's noncommercial constituency group, said that in some countries, citizens trying to protect themselves have to provide inaccurate information. She cited as an example a human-rights group with a Web site that showed pictures of torture victims so families could identify the bodies. "In the telephone world, we have unlisted telephone numbers and even blocking to protect personal privacy," Kleiman said. "We need at least the same in the Internet world."

Steve Metalitz, counsel to the Copyright Coalition on Domain Names, told the subcommittee that accuracy and accessibility are critical to electronic commerce and accountability on the Internet. He said that access to data is "wildly inconsistent," and he criticized ICANN for not doing enough to fix the database, which "remains riddled with inaccurate data."

Benjamin Edelman of the Harvard Law School Berkman Center for Internet and Society said that registrars and registrants need meaningful incentives to comply with requirements, without which the Whois database is "substantially fiction." Privacy concerns, he argued, could be met by using third-party services.

There's no consensus on how to improve the system, but many Internet constituents have shown preliminary interest in "tiered access": The data would be accessible by degrees to those who need it. Other ideas include providing notice to users when someone else views their data, and creating "audit trails" that could reveal abuse of the database.

Commerce's National Telecommunications and Information Administration, headed by newly named Administrator Michael Gallagher, chairs an interagency group considering changes to the Whois database. The other participants in the group are the Justice Department, the FTC, and the Patent and Trademark Office.

ICANN also has Whois contracts with eight domain-name registries-essentially wholesalers of domain names. Some maintain their Whois data, and others do not. The newer registries have begun modifying the contracts to meet new exigencies. For instance, the London-based registry for the .name domain developed a tiered system for allowing access to the Whois data out of fear that the registry was violating the European Union data-privacy directive.

Most agree that the number of inaccuracies, whether the result of outdated information or fraud, is high. There are more than 30 million registrations in the "top-level" domains (.com, .net, and .org), some 25 million of which are in the .com domain. About 10 percent-or 3 million-of these registrations are inaccurate, according to Edelman.

Kassinger said at the September 4 hearing that in nearly 12 months of studying data problems, ICANN received 15,458 reports concerning 10,271 different domain names. Kassinger acknowledged that the number of reports "may just be the tip of the iceberg." He also said that the government shares some critics' concerns. But Commerce, he said, is "gratified" by the commitment to Whois issues shown by the new ICANN President and CEO Paul Twomey, and Kassinger added that new hirings would help there.

Twomey, who took office in March, is organizing various ICANN constituents into a new committee to discuss the Whois system. ICANN's board has adopted a new policy requiring registrars to contact domain-name registrants at least annually to confirm the accuracy of their information.

In another effort, ICANN's government advisory committee is wrestling with the variety of standards for handling personal information. For instance, the European Union says that making Whois data public violates its privacy law. Canada also has concerns. In addition, questions remain as to how the 200-plus country domains, such as .fr for France, will deal with Whois data.

ICANN expects to form the new constituents committee and to sponsor a workshop on Whois "best practices" at its next board meeting at the end of October. Twomey said in June that the committee's goal is to prioritize issues and develop a work plan for addressing them. But he stopped short of stating a goal of getting agreement on solutions.

ICANN followers hold mixed views on whether ICANN will move quickly enough. "It's a tremendous logjam," said one observer. "I think we're all buckling down for a long process that will be [conducted in] secret."

By William New

September 12, 2003