ICANN’s assault on personal and small business privacy
TLDR
This post is extremely long and detailed and is on quite a dense subject. Here is the short version.
Trouble is brewing.
ICANN, the body that has a monopoly on domain registrations, is now planning to attempt to take over domain privacy providers (like RespectMyPrivacy) as well. Driven in no small part by the people who brought you SOPA, they have a three-step plan:
- They will introduce a new accreditation program for domain privacy providers, complete with fees and compliance headaches. (Meaning higher costs for you.)
- As a condition of accreditation, require domain privacy providers to adopt privacy-eviscerating policies that mandate disclosure and, in some cases, publication of your private information based on very low standards.
- They will require ICANN-accredited domain registrars (i.e. all domain registrars) to refuse to accept registrations that use a non-accredited domain privacy provider, thus driving any privacy provider that actually plans to provide privacy right out of business.
Here are some of the great ideas they’re considering:
- Barring privacy providers from requiring a court order, warrant, or subpoena before turning over your data.
- A policy based on the “don’t ask questions, just do it” model of the DMCA. Except that with the DMCA your site can be put back after an error or bogus request; your privacy can never be put back.
- Requiring privacy providers to honor law enforcement requests to turn information over secretly, even when under no legal obligation to do so.
- Outright banning the use of privacy services for any domain for which any site in that domain involves e-commerce.
If this happens, domain privacy will become little more than a fig leaf. Your private information will be available to anyone who can write a convincing-looking letter, and you may or may not be able to find out that it was disclosed.
The whole proposal is a giant pile of BS that does nothing but service ICANN’s friends in governments and intellectual property (think RIAA/MPAA) at the expense of anyone who’s ever set up a web site and thought that maybe it would be good if their detractors didn’t have their home address. But as much as some at ICANN want to, they can’t just scrap privacy services. ICANN’s members are domain registrars and they make a lot of money from it. So this is the compromise: providers can still sell privacy, it just won’t actually do any good, and when they hand over your info, if they tell you about it at all, they’ll blame ICANN and say their hands are tied by the policies they have to follow.
If you think maybe paying a lot more for a lot less privacy isn’t such a great idea, ICANN is accepting public comment on this subject until July 7th, 2015. You can email them at comments-ppsai-initial-05may15@icann.org or fill out their online template if you prefer.
If you do feel like submitting a comment on this, I encourage you to read this whole post (and, if you have time, the working group report). The more informed you are, the more effective your comments will be.
The full story
If you’ve never heard of ICANN, you could perhaps be forgiven for that. The Internet Corporation for Assigned Names and Numbers (ICANN) is the behind-the-scenes non-governmental organization that runs Internet domain registration.
If you are familiar with them, it may be thanks to some of their greatest hits:
- ICANN is the organization that granted Verisign a(n effectively) perpetual monopoly over .com and .net, complete with provisions for automatic regular price increases without any sort of oversight or justification.
- ICANN is the reason why we have to hassle you repeatedly when your domain expires, even if you tell us in no uncertain terms that you want it to expire.
- ICANN is behind the policy that requires your domains to be suspended if you don’t respond to email verifications that have ICANN-mandated text that frequently trips spam filters.
- ICANN is a “non-profit” that is massively profitable. The fees they charge (which are ultimately borne by you the domain registrant) are so far in excess of what they need to operate that as of the end of 2013, they had $168M in cash on hand.
- It’s ICANN that requires that when you register a domain, you make your full name, address, telephone number, and email address available in the public whois database, helping to make sure that anyone who might object, stalkers, creepers, criminals, mentally unbalanced people, big corporations or anyone else can find, harass, and possibly murder you.
ICANN is sad
For several years, something has been bothering ICANN. They’re worried that their treasured public whois database isn’t “effective” enough. (Some of us strongly feel that the public whois database is a menace and should not exist at all, but ICANN is not at home to that point of view.) Part of the effectiveness problem, they posit, stems from inaccurate information. And they’ve tried to address that with programs like WAPS (the “whois accuracy program specification” that leads to your domain being suspended for not clicking a link in a spammy-looking email).
But the real “problem” with the “effectiveness” of the public whois database is the proliferation of privacy and proxy contact services (like RespectMyPrivacy). These services allow you to outsource the service of making it possible to contact you by receiving mail, telephone calls, email, and faxes on your behalf and forwarding them to you. This is an invaluable service for anyone who may want to register a domain name but doesn’t have a (required) phone number. Or anyone who doesn’t want to put their home address on their blog about abuses by their local police department. Or anyone who doesn’t have a corporate legal department to hide behind, in an era when death threats, rape threats, and tricking SWAT into raiding people’s houses, all as retaliation for what people say online, are everyday occurrences.
So ICANN is looking to put a stop to that.
Their planned method of doing so is to introduce a new accreditation program for privacy and proxy providers, complete with fees, compliance requirements, and strict guidelines on how they can operate, and then to require accredited domain registrars to refuse any registration that uses a non-accredited privacy or proxy service.
That is, itself, a disturbing abuse of their monopoly position in the domain registration market to gain control of a related industry. Where does that end? How long before your ICANN-accredited domain registrar must refuse any registration that uses a non-accredited web host? How long before your ICANN-accredited web host requires you to use an ICANN-accredited payment processor? Or an ICANN-accredited blog software vendor? (Some large hosting/domain companies would just love the ability to dictate what providers you use for every aspect of your online presence.) If you’re a tech-head, and this sounds familiar, it may be because Microsoft was sued by the DoJ for using their Windows monopoly to force Internet Explorer on the world. However, the DoJ will not be our friend here as there are few things they despise more than online privacy.
They claim this is to protect registrants, but their actions do not bear this out. This is the initial report of their working group, and here are some of the ways they want to “protect” registrants:
- “Domains used for online financial transactions for commercial purpose should be ineligible for privacy and proxy registrations.” (Yeah, your home-based business? Sorry about that.)
- The working group is still debating whether accredited proxy providers would be required to comply with law enforcement requests not to tell a registrant about an inquiry, even and expressly in the absence of any legal requirement to do so. (Thankfully we live in a world where abuse of investigative powers by government agencies never happens. Oh, hang on a second…)
- Requiring a court order to release information to someone who asks for it is specifically called out as prohibited. I.e. an accredited privacy or proxy provider would be required to have a policy allowing disclosure of your private information based solely on “well it sounds like they have a good reason.” (Copyright and trademark issues have been specifically called out as nigh-unchallengeable examples of “a good reason.” Criticize a big company by name? “Trademark!” They get your info.)
Having read the entire 98 page working group report, it sounds like their goal is to adopt “don’t ask, don’t tell” as a policy; you can keep your information private as long as no one asks for it.
Much of the proposed policy is misguided on a technical level as well. There are many areas where the privacy and proxy provider would be required to take actions that such a provider can typically only do if they are also your domain registrar. Actions like publishing something in the whois database entry for your domain — like your contact information, often without your consent and possibly without telling you first. Only your registrar can do that. It could well be that independent companies (like RespectMyPrivacy) that exist only to protect your privacy will no longer be allowed to exist. Only “captive” services — those run by the registrars themselves — will be able to meet the proposed requirements. And I’m sure no one reading this has ever had a problem with one of those.
There are also huge issues the working group hasn’t considered at all, like correlation. What if Jane Smith has an online business and a blog? Even if her blog is “allowed” to have a private registration, her business may not be. (I say “allowed” because the nerve of a group of self-appointed people deciding who deserves privacy and who doesn’t galls me. Like speech, privacy is an inalienable right.) If someone doesn’t like the content of her blog, do we think they won’t look at her business domain to get her home address just because it’s unrelated? That’s pretty farfetched. Correlating details from multiple unrelated sources, and lying to get them are standard practice for Internet harassers and “doxxers.”
But, really, ICANN, as an international organization tasked with managing domain names, should not be sticking its nose into issues related to the content. Which is ultimately what this is about. What determines if your domain will be eligible for privacy services? It’s content. What determines if your info will be revealed to anyone who asks? Your content. This is a massive effort by the “if you have nothing to hide, you have nothing to fear” crowd to undermine anonymous online speech.
Why are we telling you about this? Because right now the working group is soliciting public comment. You have the opportunity to make your voice heard. (Although given ICANN’s past disregard for the registrant constituency it supposedly serves, I won’t pretend that I’m expecting miracles. That doesn’t mean you shouldn’t do it. This isn’t a situation where we expect to tell them and for them to listen, this is a situation where we feel it will be important later to be able to say “we told you and you didn’t listen.”)
What do we think about this?
There are real issues with privacy and proxy services. There’s a lot of trust there, as it is almost always possible for such a provider to hijack your domain if they decide they want it. So there is real potential for abuse, and some oversight really could help keep the industry clear of unethical providers. There are also some services that are really inadequate, like the registrar-affiliated ones that (in violation of already-existing registrar rules) plaster “POSTAL MAIL DISCARDED” in the address field.
Along that line, the working group does have some good ideas for policies that privacy and proxy services not interested in screwing their customers would have. And anytime a good idea comes up, it doesn’t matter the source, so it’s certainly given some food for thought for how to improve things. But RespectMyPrivacy doesn’t need to be forced to improve things for its customers; that’s its job. So whatever good ideas do come out of this process, we’ll take ’em.
However, ICANN has demonstrated again and again that they prioritize the concerns of their executives, law enforcement agencies, intellectual property holders, registries and registrars; registrants are dead last by a wide margin. They are not an organization that most people would trust to look out for the best interests of registrants. We certainly wouldn’t.
If ICANN wants to develop an accreditation program for privacy and proxy providers, even if that’s nowhere in their official mission, they should feel free to do so. If they developed a good one, RespectMyPrivacy would do it. This isn’t a good one.
But even if they do develop an accreditation program for privacy and proxy providers, ICANN absolutely must not require accredited domain registrars to refuse to accept registrations that use privacy and proxy services not accredited by ICANN. That it’s morally bankrupt to do so really ought to be enough, but it’s also illegal. Their accredited privacy and proxy providers must succeed or fail on their own, not be handed success by banning everything else.
What to do?
The working group is soliciting feedback from the public on these issues, among others:
- Should registrants of domain names associated with commercial activities and which are used for online financial transactions be prohibited from using, or continuing to use, privacy and proxy services?
- If they do prohibit privacy and proxy services for domains that perform either “commercial” or “transactional” activities, should they define “commercial” or “transactional?” (No, I am not making this up.)
- Should it be mandatory for accredited P/P providers to comply with express LEA requests not to notify a customer?
- Should there be mandatory Publication for certain types of activity e.g. malware/viruses or violation of terms of service relating to illegal activity? (In this context, “Publication” means canceling the privacy service and posting all details in the public whois database.)
- Should a similar framework and/or considerations apply to requests made by third parties other than LEA and intellectual property rights-holders?
You can send your thoughts on these matters or on other aspects of the proposal to comments-ppsai-initial-05may15@icann.org by July 7, 2015. You may also fill out their online template if you prefer.
Please take a few minutes to tell the working group that you value your online privacy and that you oppose any proposal that will make it easier for large, powerful organizations and dangerous individuals to get at their critics. Tell them that policies that require providers to have low standards for disclosure of personal information harm that privacy. And please remind them that imposing requirements on privacy and proxy providers that are really the province of domain registrars will only create a broken, unworkable system that creates more problems than it purports to solve.
17 Comments
I’m not an attorney, but I think one result will be that lawyers will offer undisclosed registration, because I think they can offer confidentiality (called “privilege”) unless a court orders disclosure, and a lawyer might make a substantial business out of it, as long as people become the lawyer’s clients, but that might be very inexpensive. An existing provider might get an attorney for the purpose, not as a mere general counsel but as a CEO.
I think the Supreme Court has recognized that speech may be anonymous and both the speech and the utterer’s identity would still be protected, within some limits, but I don’t have a source to cite for that.
I’ll probably email ICANN. Sometimes volume slows an institution down, because everyone who contacts them more or less represents a number who almost contacted them, in which case a short email is about as efficacious as a long one.
Comment by Nick Levinson — June 27, 2015 #
That wouldn’t be allowed under ICANN’s proposal because the lawyer wouldn’t be an accredited privacy provider. (And if she became one, she’d have to agree to follow the same take-your-due-process-and-shove-it disclosure practices that ICANN wants to impose on everybody else.)
-jdw
Comment by jdw — June 27, 2015 #
Just wondering, but if you were to create a company who is the legal registrant of the domain and simply has a contract with a customer to perform the customer’s wishes, could you not comply with the new rules (being the legal registrant and listing your company’s information publicly)?
As long as the contract between customer and registrant is that the customer has control (but not ownership), the customer experience is the same.
It is still absurd and I plan to write in against this, but it doesn’t seem insurmountable.
ICANN already distinguishes between “privacy services” in which you remain the registrant and outsource operation of the domain contact information and “proxy services” in which the service is the registrant and “licenses” you use of the domain. However, they consider them to be the same and would impose the same draconian disclosure policies on both. (The key element of the proposal being that if a service is not accredited, whether privacy or proxy, registrars will not be allowed to accept registrations that use it.) -jdw
Comment by Logan — June 28, 2015 #
I will be sending them my comments soon. However, this is ICANN. Let’s assume that they ignore us and push ahead to destroy domain privacy. What option remains for the people?
For example, if I register an LLC in Delaware using a registered agent, my LLC public filing will not contain my personal info and my personal info will be known only to the registered agent, who will provide it only under court order. Could I transfer ownership of my domain names to my LLC and thereby use my LLC’s contact info (a corporate remailer service) for ICANN’s public records? This would cost $300-500 per year (but could cover an unlimited number of domains owned by the LLC) but surely it would be better than the sham privacy offered by ICANN, for those who can afford it?
In most jurisdictions, corporations and LLC must list the addresses of their owners/shareholders/members/directors in their state filings. If you don’t want to use your home address for that (thereby defeating the purpose), you’ll need another address and (again, in most jurisdictions) it has to be a physical address, not a PO Box or maildrop. Registered agents will not do this, nor do they typically do mail forwarding. If you skimp and get a maildrop (like a UPS Store) anyway, since that probably won’t be noticed, that’s another couple hundred dollars a year. Some “virtual office” programs satisfy legal requirements, but they tend to run $100+ per month, sometimes much more depending on where you live. Plus you’ll need a lawyer to respond to any correspondence on behalf of the LLC unless you want your name on that. So, to do it right, you’re in the $1k – $2k per year range. And, in most cases, after all of that your name is still on the state paperwork and can be downloaded from the state’s web site. (I am no expert, but I think Nevada might be the exception to this, but I also think you have to live in Nevada for that to apply.)
At that point, your LLC is essentially a proxy service with one customer. And so it’s supposed to be accredited. Even so, you’d probably get away with it because how would the registrar know that? (Unless they provided you any sort of material aid or guidance at all in implementing the above.) But every “probably” is a potential problem, and they are multiplicative. If your domains are valuable enough to spend hundreds of dollars a year to keep them private, “probably” typically is not the level of certainty you’re looking for.
But, yes, it can be done with enough money and effort. And that is, of course, no problem for the rich and powerful who already hide behind corporations and LLC’s every day. But it’s not a solution for the 99%, which is the constituency we serve.
-jdw
Comment by rob — June 28, 2015 #
You never were a sysadmin with real network problems?
We need the whois database
https://archive.icann.org/en/comments-mail/01apr99-30apr99/msg00085.html
First reason being: humans are not perfect, and neither are their creations (code, server/router configurations), and there are a lot of positive feedback loops that require very prompt reactions when detected to prevent network instabilities.
Like this:
http://www.bgpmon.net/massive-route-leak-cause-internet-slowdown/
In fact we have decades of experience dealing with “real network problems” every day. Which is why we know that when you need to reach the operator of another system or network, you use the SWIP databases maintained by the regional Internet registries, not the public whois database maintained by domain registrars. The name and home address of a domain registrant (or, for a company, the name and office address of some legal department schmuck who may or may not be able to spell “Internet”) has no relevance for operational purposes. The public whois database is useful for harassment, spamming, and precious little else. Privacy services didn’t get so popular because people like paying for stuff they don’t need. -jdw
Comment by julien — June 28, 2015 #
I wrote to them. This is worrying.
Comment by jandm — June 28, 2015 #
Unfortunately I wouldn’t be able to continue hosting content on the web under my own domain if I have to make my contact info public.
Aside from the “Short Name” provided by NFS, are there any other alternatives to ICANN domain names that could be supported?
No. That’s why they have a monopoly. There used to be alternative DNS roots, but ICANN crushed them with the new gTLD program. Now the only alternatives are ccTLD’s which are run by national governments and bring their own set of problems. (The .us ccTLD for example outright bans domain privacy services.) -jdw
Comment by Eric — June 28, 2015 #
Notes for other folks filling out the ICANN form:
It goes point-by-point through the specific recommendations. Don’t just blindly say “no” to everything; some of them (“p/p services must disclose their terms clearly”) are perfectly reasonable.
Questions you’re likely to care about include: 13 (affiliation with registrars), 14 (empowerment of the point of contact), 16 (dealing with lists of proposed conduct–this is okay if you want ICANN to have their fingers in it at all, but I took the comment space to say otherwise), 18-20 (what to relay), and 22 (details of disclosure framework). The really big one is 23, mandatory disclosure. There’s also a general “more comments” field at the end.
It’s helpful to have the working group report open in another tab, even if you’re not going to read the whole thing. When they cite specific documents, they link them.
Final thought on finishing: ICANN uses generic web-based survey-makers? Seriously?!
Thanks for looking out for us, NFSN. 🙂
Great analysis of their form! -jdw
Comment by Finn — June 29, 2015 #
TDW – You commented earlier that the only alternatives might be ccTLD’s run by national governments. This is going to be a *huge* issue for so many of us. Any thoughts on which ones might pose the fewest issues regarding domain privacy? Thanks much for any suggestions you can provide.
We’re not big fans of any ccTLD, so we’re not the best people to ask about this. As far as I can tell, every single one of them has its own unique crippling problem. -jdw
Comment by Judy — June 30, 2015 #
International protection is vital for critics under repressive antidemocratic regimes. Granted that nations already have plenty of power with which to uncover contact information, it shouldn’t be made even easier.
Some privacy/proxy services will seek to mobilize their customers but some probably won’t and, worse, not everyone who receives a call to action is in any position to respond without giving away their identity.
I emailed ICANN.
Comment by Nick Levinson — June 30, 2015 #
This may need political organizing to push ICANN, although the issue is probably too obscure for a Congressional committee.
On the Supreme Court supporting anonymity, see https://www.congress.gov/constitution-annotated/ and open the 1st Amendment PDF to pp. 1346-47; it’s about paper material but for the Internet see p. 1333; and consider all the cases as forming one body of law.
Comment by Nick Levinson — July 1, 2015 #
Maybe time to prioritise this proposed feature?
https://members.nearlyfreespeech.net/support/voting?issue=33055#prop33055
Comment by Daran — July 3, 2015 #
The survey link to Survey Monkey says: “This survey is currently closed. Please contact the author of this survey for further assistance.”
Comment by Steve — July 8, 2015 #
The deadline for responses was July 7th. -jdw
Comment by jdw — July 8, 2015 #
I have a psychopath out there that attacked my family long ago, and swore to kill me. So I am incredibly against allowing my personal information to be easily accessible. If they are insisting on it, they also should insist on paying the damages that are incurred (including loss of life and property damage) as a result of these types of policies. And regarding the ‘need’ for a whois database, a good sysadmin will have the server notify him via email/pager/text if there are any issues; anyone that might need to notify them would have their contact info. As someone else mentioned, these databases are used entirely by spammers and thugs.
Comment by james — July 9, 2015 #
I’m so sorry to have missed the deadline for online survey submissions to ICANN but will email them direct anyway because this is a huge global problem impacting so many people. Any idea when we’ll hear more about this issue?
Comment by Anita — July 10, 2015 #
Sadly, based on ICANN’s history, once the comment period closes they lose all interest in what the public has to say. It’s almost like accepting public comment at all is just an empty pro-forma gesture. I hope that’s not the case, but we should hear more about this within the next couple of months. -jdw
Comment by jdw — July 10, 2015 #