Original URL: http://www.theregister.co.uk/2007/11/01/whois_reform/

Whois reform: ICANN says let's run more tests

You know, we shouldn't rush into anything

By Burke Hansen

Posted in Broadband, 1st November 2007 09:56 GMT

ICANN 2007 Los Angeles Quick, people: what takes seven years? Biblical plagues? Itches?

If you guessed an ICANN policy development process - that's a PDP to you, luddite - you are correct. ICANN today officially cut off the oxygen to its Whois reform PDP after seven years in favor of... well, no one's quite sure, yet. Something must have happened - after all, we're not hanging out at LAX for the charming scenery and the cool jumbos.

Beating that moribund horse

This is the 23rd consecutive meeting that ICANN has had the Whois privacy debate on its official agenda and yet, somehow, the Whois database lurks stubbornly out there much in the fashion it always has.

The scope of the debate about the Whois database - personal privacy rights versus corporate profits and law enforcement interests - hasn't changed either. The Intellectual Property Constituency (IPC) - bit of a misnomer, since it represents only owners of intellectual property, not consumers - fired the first salvo across the bow on Monday at the IPC Whois Informational Briefing.

The briefing allowed the IPC to present its usual arguments about the importance of the Whois database to law enforcement efforts and consumer protection - and, oh yeah, it's cheaper for corporations and industry groups like the RIAA to track down real or imagined troublemakers.

One of the main thrusts of this intense lobbying effort has been to emphasize the importance of Whois information to law enforcement, since the IPC is well aware of the low esteem in which much of the public holds its paymasters.

To this end, they trotted out a real-life FBI agent to testify to the importance of Whois to his investigative work, and to that of private parties. Most investigations into phishing, for example, are conducted by private parties, rather than law enforcement, and a tiered access system as some have proposed would make it significantly more difficult for private parties to pursue phishers.

One can debate the extent to which private parties should engage in law enforcement, but there is no doubt that a more restricted Whois database will cost money. Of course, the Whois database is no law enforcement panacea, and at times creates more problems than it solves - considerable amounts of spam have been traced to the Whois database as well. There are also inaccuracies, although forged Whois information may sometimes lead at least to the innocent victims.

Wouldn't it be more accurate to go straight to the offending IP address, we asked?

Well, they frequently switch IP addresses, came the response - although it seems that anyone clever enough to continually switch IP addresses would be unlikely to leave much helpful information in the Whois database.

The argument that subpoenas interfere with the need to move quickly in response to phishing attacks is more troubling, particularly in light of the alarming speed with which the FBI is able to get information from the telecoms these days. We don't suspend established constitutional procedure because a burglar might commit another burglary before he (or she) gets caught.

Rader's gambit - a PDP by any other name...

Ross Rader of Tucows, in his last meeting on the Generic Names Supporting Organization (GNSO) council, wasn't going to take it anymore.

The GNSO council has the power to vote its approval of new policies and to recommend changes to the full ICANN Board, nothing more, but Rader had submitted a motion to eliminate the Whois database requirements from the Registrar Accreditation Agreement (RAA) if the council would not approve either one of two other motions submitted to the board: one, which would have replaced the current system with the Operational Point of Contact (OPOC) proposal, thereby allowing natural persons to substitute another contact entity for privacy purposes; and a second proposal, pushed by the IPC which, in classic ICANN fashion, would have extended the status quo indefinitely under the guise of more impact studies on the current system and proposed changes.

Rader's move was a feint, designed to force the hand of the other council members, who clearly were not going to support abandoning the current system altogether. Rader had also submitted an amendment to the IPC proposal, trying to narrow the focus of the studies to the truly contentious issues to force the process along.

We can dream, can't we?

After the OPOC proposal had already been junked, the usual intransigent opposing interests set about hijacking Rader's amendment to narrow the proposal by adding language that expanded the parameters of the amendment almost to the original scope of the initial motion - for all intents and purposes gutting the amendment. A semantic spat about "lawful" versus "appropriate" access to information dragged on long enough almost to kill the entire meeting, which would have left the council with no policy at all, until the IPC finally blinked and prevented the session from degenerating into complete farce.

Rader almost walked out in protest, and tried to pull his amendment, before relenting on procedural grounds and demanding that his opinions on this procedural clusterf*ck at least be read into the record.

In short, we have been left with something suspiciously similar to a PDP.

ICANN chugs on

Who's reponsible for this mess?

ICANN has at times gained notoriety for itself by debating important issues into oblivion. It's not entirely ICANN's fault, inasmuch as its internal institutions rest on the principle of bottom up consensus - an arduous process that rarely lends itself to efficient and nimble decision-making.

Something has to give, however. Forever extending the status quo is itself a policy decision, and ICANN needs to find a way to break this internal logjam.

Clearly, more compromise and a bit more direction are in order. ®

Burke Hansen, attorney at large, heads a San Francisco law office