Original URL: http://www.theregister.co.uk/2007/11/05/telnic_whois_proposal/

Telnic proposal spurs internal ICANN debate

Road map at last for intractable Whois mess?

By Burke Hansen

Posted in Broadband, 5th November 2007 10:46 GMT

ICANN 2007 - Los Angeles The acrimonious debate surrounding the Whois database is ICANN's most enduring ritualistic dance.

Three times each year, The Register covers the ICANN meetings; and at each meeting the same intransigent entrenched opposing interests, after considerable howling and gnashing of teeth, throttle whatever reform efforts are on the table, leaving the status quo intact.

Last week's meeting in Los Angeles was the 23rd consecutive meeting with Whois reform on the agenda, and also the 23rd consecutive meeting without meaningful progress. The Generic Names Supporting Organization (GNSO) council meeting that voted on three different motions of the Whois database (though without any real effect) degenerated into utter farce. Is there really any way forward?

Outside observers should be forgiven their cynicism but, with almost no fanfare, a proposal to reconcile the requirements of the Whois database with the privacy laws of European Union countries, which are generally more stringent than those of the United States, has been percolating through the back halls of ICANN and inspiring a bit of optimism.

Sterile debate

The proposal - an amendment to the Telnic.org Registry Agreement - did not receive the floor time we had hoped at the ICANN meeting, but is being taken seriously at the upper level of ICANN management and deserves serious consideration.

The Whois database debate is important not only for privacy reasons but because the conflict between the registrant reporting requirements of the Whois database and the laws of EU countries has up to now stifled the development of EU-based generic Top Level Domains (gTLDs), forcing EU registrants to register domains through their country code TLDs such as .uk or .fr, which, for sovereignty reasons, are not subject to the Whois requirements. The expansion of the gTLD space is a top ICANN priority, and it grates on the organization that the world's largest trading block is hamstrung in this emerging economic field.

The proposal has been put forward by the ersatz operator of the .tel gTLD, Telnic.org, a UK-based company that has been working for years to develop a service that would provide registrants the opportunity to publicize whatever contact information about themselves or their business they so desire, in a kind of net-based directory. As a UK-based company, Telnic has been struggling to balance the Whois database requirements with the conflicting privacy requirements of UK law.

Telnic's latest effort at balancing UK law with ICANN policy is a tiered access proposal, in which natural persons (as opposed to legal persons, such as corporations) are given the opportunity as a matter of right to opt-out of the disclosure requirements of the Whois database, subject to "requestors...able to demonstrate legitimate need" for access to the obscured personal information. Obviously, that means law enforcement, but it also applies to the anyone in the general public with a demonstrable, legitimate need.

Requestors need to register only once with Telnic's Special Access Service, and then demonstrate the required need when requesting information about a specific site. To prevent spamming or other potential abuses, requestors are only allowed to make five requests in any 24 hour period.

Indeed, Telnic appropriately enough reserves the right to deny access to any requestors engaged in spam, unsolicited marketing, or other dubious activities.

The Registry Operator reserves the right to take any preventive action necessary to prohibit any requestor of WHOIS data from using the WHOIS service to collect WHOIS data on Natural Persons for marketing purposes, spamming, data-mining, or unlawful purposes.

Telnic originally proposed to charge requestors for access to restricted information, but the latest amendment makes access free, effectively shifting the cost burden from the requestor to the Telnic registry itself. This is a major concession, inasmuch as most of the intellectual property constituency's complaints about abandoning the Whois database model usually boil down to the potentially increased costs born by businesses seeking to protect their trademarks - protestations to the contrary aside.

The other tried and true complaint has been that gutting the database would impede investigations into phishing attacks and other illegal or unlawful activities on IPC's Whois - a claim even asserted by the FBI at the IPC's Whois informational briefing.

This cuts both ways, however - ICANN's own investigations have established beyond any doubt that the current Whois database is a major source of spam, which is itself frequently a vehicle for viruses, Trojan horses, and assorted other malware. The extent to which the self-reporting and frequently inaccurate data in Whois is useful for investigative purposes needs to be examined more closely, and at the very least balanced against the extent to which the database is abused for questionable purposes.

If the best argument the IPC can articulate turns out to be a cost-shifting argument, it needs to be rejected outright - that argument, we can only assume, has already been made at the national level in the affected countries, and resolved. If so, it is simply a matter of national sovereignty, and an established cost of doing business in those jurisdictions that they have simply managed to avoid so far.

Only in LA

There is irony in the Telnic Whois debate not lost on those involved - after all, they are arguing over restricting access to personal information in a service whose sole purpose is to allow users to publish personal contact information.

Nevertheless, Telnic allows users to screen what contact information is published, and as conceived is not in conflict with any established law (the Whois requirements are merely contractual obligations between registrars and ICANN).

The proposed amendment to the Telnic contract was put up for comment the week before the Los Angeles meeting, to little fanfare and almost no public comment. However, after conversation with upper level ICANN management at the Los Angeles meeting, the Telnic proposal seems to have given them cause for optimism that the long-running Whois debate - which has gone absolutely nowhere for seven years - might at last move forward, at least incrementally.

The ICANN board also needs to consider short-circuiting a process that is pathologically dysfunctional. The opposing interests in this debate - privacy advocates versus corporate and law enforcement groups - give no quarter, and have shown no interest whatsoever in any sort of compromise. The GNSO council has proven completely ineffectual in pushing this forward, but the ICANN board is bound by neither the decision, nor the indecision, of the council. After all, inaction is simply a way to preserve the status quo and is itself a policy choice.

ICANN should seriously consider integrating something like the Telnic proposal into the revisions of the Registrar Accreditation Agreement (RAA) that are currently underway. It is the closest thing to a well-conceived compromise that has been proposed, and if the mortal enemies that have dragged this debate out for seven years don't like it, well, tough luck.

If that threat proves insufficient, ICANN should argue, based on national sovereignty alone, that viable registrars be approved by ICANN in accordance with the laws of the jurisdiction where they are incorporated or have their principal place of business. If businesses migrate to jurisdictions with more favorable regulations, so be it - it happens every day in tax law, and the world hasn't come to a stop.

ICANN is not some supra-jurisdictional entity, and it boggles the mind that otherwise legitimate businesses have been prevented from operating legally in their own jurisdiction due to ICANN's embrace of an anachronistic database which was originally designed to allow academics to keep in contact with each other to maintain the technical integrity of the network.

The board should make clear to all of its constituents that some sort of revision will be worked into the new RAA, with provisions for future review of the RAA if need be, and the interested constituents can either be a part of the solution or not. They clearly are incapable of resolving this on their own.

The Telnic amendment can be found here (PDF). ®

Burke Hansen, attorney at large, heads a San Francisco law office