Domain system overseer disagrees with FDA rep’s complaints about Whois.
ICANN CEO Göran Marby has sent a letter (pdf) to the U.S. Food and Drug Administration disputing a presentation (pdf) one of its representatives made this month.
Dan Burke, the U.S. FDA’s Chief of the Investigative Services Division, gave a presentation on June 2 about Whois at a webinar sponsored by The Coalition for a Secure and Transparent Internet (CSTI).
DomainTools, LegitScript, and Spamhaus founded CSTI to advocate for open Whois records in the wake of the EU’s General Data Protection Regulation (GDPR). All of these groups use Whois data for investigations, and much of that information has been obscured in the wake of GDPR.
ICANN disputes several things that Burke said during the presentation.
1. A requestor must have a subpoena to access non-public registration data
The prepared presentation said that most registrars will not share Whois data without a subpoena. But during the presentation, Burke said that the only way to get Whois data was with a subpoena.
ICANN noted that registrars and registry operators must provide reasonable access to registrant data at the request of legitimate interests. How this plays out in practice is open for debate, though.
Burke notes that some registrars won’t take action. He pointed to adderallstore(.)com, a domain registered at Crazy Domains (owned by Newfold Digital). He said that the FDA asked Crazy Domains to take the domain down and the registrar said it’s just the registrar and the FDA should contact that host. (Note that this was a take-down request, not a Whois request.) Burke said some registrars help in cases like this, and some don’t.
He also said unwillingness by registrars has led the FDA to go up a level to registries, and pointed to a pilot program it is running with Verisign and PIR:
2. ICANN salaries and those at registrars/registries are tied to selling more domains.
The insinuation is that ICANN looks the other way because its people make more money when more domains are registered. ICANN denies this. Given current registration numbers and ICANN’s budget, I’m inclined to agree that “bad domains” aren’t propping up salaries.
It’s a more relevant argument for some registrars and registries that count on malicious registrations to fill their coffers.
3. ICANN ignores complaints from government agencies
ICANN explained its role in the internet ecosystem and the ways to participate. In his presentation, Burke said he doesn’t have the bandwidth to try to work with ICANN.
The takeaway
Whenever I write about the lack of public Whois data, people inevitably comment that bad actors used fake Whois data. But security researchers point out that even bad data has value. Burke mentioned that Whois data allowed it to draw links between networks and more easily get subpoenas based on that info.
If I were to use the Politifact rating system, I’d give Burke’s presentation a “Mostly True” or “Half True” rating. It’s mostly accurate but leaves out important details.
The Honourable Neil Anthony Brown QC says
It is at least good to see a debate about the WHOIS.When acting as an arbitrator ( panelist) in domain name cases there are now two barriers to getting the complete information one needs to reach a rational and supportable decision. The first is the WHOIS which does not always tell you the most basic facts you need to know : who owns the domain name, who owned it in the past and when? Sometimes it does, as it used to do, but usually it does not. It is largely hit and miss. If the rule were that your registration of a domain name carried a condition that your name and a contact address of some sort would be available for public viewing, that is a small price to pay for having the domain name and being able to use it. So, the more on WHOIS, the better.
Secondly, the Wayback Machine at http://www.archive.org is nowhere near the useful tool it used to be. These days, you are lucky if you find there is any record at all of the domain name being used in a website. The Wayback Machine used to find this information regularly, but these days it frequently does not. Even if it finds something, the information that is revealed is sparse, old and unclear.
If both of these features were improved, domain name decisions, especially in defended cases where there is a real dispute, would be quicker, more accurate and more reliable, because they would more likely to be based on facts.
I am not advocating, of course, that panelists should go off on a frolic of their own and dig up whatever they can find. That is the job of the parties and their lawyers. But if panelists do come across relevant facts they can, as they should, put this to the parties and ask them if they want to say something about it.
lothar97 says
Dan is about 8 years late to the “ICANN wants more abuse so they make more money” party.
I don’t recall the specific year, but it was likely around 2014. ALAC got the idea that the reason ICANN was not doing more against abuse and allowing spam was because it would mean getting more of the $0.18 fees per domain. ICANN actually did the analysis- assumed X number of abuse domains times the number of ICANN fees, and concluded it was something like $30-50,000 annual revenue to ICANN. At the time ICANN’s annual budget was around $100 million, so the “abuse money” while a large amount, was a tiny percentage of ICANN’s total budget.
So nice to see the same rhetoric is being promoted as “fact” in a policy discussion, likely taken as gospel by many, when it is basically wrong and not part of the calculus whatsoever.
Disclaimer: I could not find the actual letters on this ALAC/ICANN discussion, so my numbers/recollection might be slight off.