The DNS as a Tool for Global Identity Policy:

WHOIS, ICANN, and Global Internet Governance

 

DRAFT – NOT FOR PUBLICATION OR ATTRIBUTION

 

Milton Mueller, Professor, Syracuse University School of Information Studies, and Mawaki Chango, Ph.D. candidate, Syracuse University School of Information Studies

 

  1. Introduction: The Puzzling Persistence of WHOIS

The identity of Internet users has become a central issue in Internet governance. It has often been observed that one of the main problems with the Internet is that there is no identity layer in the TCP/IP protocols (Cameron, 2005; Jones, 2006; Clark et al., 2002). The basic Internet protocols do not contain sufficient assurances about who the communicating parties are, nor do they authenticate the source, status or attributes of documents and other resources exchanged on the Internet. Insofar as digital identity is supplied by Internet technology, it comes from applications supplied at the edges. Thus Internet identities lack universality and, often, compatibility across domains. The concern about identity goes beyond the people involved in an actual communication. It also interests, at a broader level, third parties who have a monitoring or a surveillance interest. For various purposes – some legitimate and some abusive, some public and some private – there is widespread demand for the ability to identify who is who on the Internet.

To fill this vacuum the WHOIS service has evolved into a surrogate identity layer, an identity system defined through contracts and policies as much as technical protocols. WHOIS service allows any Internet user to type a domain name into a web interface and be immediately returned the name and contact details of whoever has registered the domain. The businesses that provide domain name registration services are required to offer a free public WHOIS service by the ICANN contracts which authorize them to do business. In this respect it is often compared to an automated online telephone directory. But another comparison is more apt. To understand its functionality and importance, one need only imagine seeing the license plate of an automobile on the road, and being able to type it into a computer and be returned the name of the car owner and their street address, telephone number and email address. That is what WHOIS does to domain name registrants. It links the vehicle for navigating the complex arena of cyberspace (domains) to a responsible individual, a location, a jurisdiction.

It is not difficult to imagine both the benefits – and the trouble – that might be caused by free, anonymous, unrestricted public access to drivers’ license databases. No doubt amazing new information services could be developed by some Google of the future. No doubt, also, incidents of road rage and stalking would be taken to new heights. The same concerns apply to WHOIS. In addition to facilitating accountability on the Internet, open access to registrant contact data raises privacy issues and concerns about abuse of sensitive personal data by spammers, stalkers and identity thieves.

In Europe and other countries such as Australia and Canada, there exist data protection laws which are in obvious conflict with the WHOIS publication requirements of ICANN. At least since May 2000, data protection authorities outside the United States have made this conflict known to ICANN.[1] It is possible to shield certain data elements of the domain name registration record from public access, or to restrict access to the full records to authorized parties. But this has not happened. Thus WHOIS as a policy controversy pits the global, contractual governance model of ICANN against the territorial jurisdiction of nation-states. It has also engaged the U.S., with its emphasis on supporting intellectual property interests at all costs and its weaker norms regarding privacy protection, in an ongoing, low-level conflict with the European Union. But despite numerous ICANN task forces, Congressional hearings, and letters from data protection authorities, no major changes in access to WHOIS data have been made since the formulation of ICANN’s first registrar accreditation contract in 1999. Indeed, within the ICANN regime the WHOIS-privacy issue has become synonymous with endless policy deadlock. Why, despite the numerous national and international laws that protect citizens and consumers against indiscriminate access to their personal data without their consent, has ICANN’s global policy remained in place?

This paper focuses on the puzzling persistence of open access WHOIS. We believe that this puzzle has important implications for understanding the global governance of the Internet, particularly regarding issues of privacy and digital identity. At its simplest, it is a story of how the Internet governance regime has created a new, global “jurisdiction” wherein traditional rights to privacy are recast. It is also a story of how technological systems are shaped by interest groups: we recount in detail how the specific policies and practices of WHOIS have been shaped by political demand for adding identification capabilities to the Internet. More fundamentally, we are interested in developing an explanation for the apparently counterintuitive fact that a global governance regime can remain so impervious to national laws and well-established international norms, despite the absence of any formal treaty or agreement by the supposedly sovereign nations whose data protection guarantees have been compromised. In making this explanation, we draw upon the concept of a “default value,” which we believe is a useful way to capture the role of technological systems in generating certain kinds of institutional change.

A “default” is defined as a situation or condition that obtains in the absence of active intervention. A definition grounded more in computer science, but one that is appropriate in the context of the Internet and its protocols, defines “default” as “a particular setting or value for a variable that is assigned automatically by an operating system and remains in effect unless canceled or overridden by the operator.” Defaults tilt the playing field toward one option, by giving the specified value the benefit of inertia, forcing those who prefer an alternative to exert extra effort to change it. Most computer users are aware of the latent power of defaults. Default values can get a person to use software A over software B even when she would prefer to use B, because it is too much trouble to change it, or she doesn’t know how. Default values can get users to start their Internet browser at one site over another, steering millions of eyeballs and potential revenue-generating “hits” to one supplier instead of another.

WHOIS originated as a feature of the Internet when it was a small-scale, closed scientific network. Once the Internet evolved into a large-scale, public, commercial system, the WHOIS capability remained in place by default. The presence of an open WHOIS directory was then exploited by interest groups with the most to gain from a global identification capability, particularly trademark and copyright holders. When the ICANN regime was created, this interest group was able to institutionalize its access to user contact data by putting in place a new regime of private contracts that reconstructed an open global directory service on the Internet, despite its orthogonal relationship with national and international public laws. Once locked into place in this manner, it became very difficult, if not impossible, to change. Understanding this evolutionary process holds important lessons for theories of global economic regulation, especially those, like Drezner (2006), which emphasize the need for US-EU agreement as a precondition to effective global governance.

The argument about defaults is fundamentally an argument about sequence and historical process. Thus the paper is organized around the timeline that follows. We divide the evolution of WHOIS into four phases. The first phase is the origin of a directory service known as NICNAME/WHOIS on the small-scale, restricted and experimental Internet of the 1980s. In Phase 2, the Internet is opened to the public and to commerce – yet the default value, a global directory with potentially sensitive contact data, remains in place. During this phase, those with the strongest need to identify Internet users seize upon WHOIS for its surveillance and identification capabilities, establishing both expectations about what was an appropriate level of access to user contact data and a powerful economic interest in its continued availability. Phase 3 covers the formation of the ICANN regime and the institutionalization of WHOIS capability in its contracts. In this phase, the WHOIS capability was no longer a default value but had to be actively constructed because of the transition from a single, centralized registry to a system with multiple, competing registrars and the addition of new top level domain name registries. Nevertheless, the policies that were institutionalized were clearly a function of the expectations and interests established in the default stage, and could not have been successfully institutionalized had they not been established for years as a default. The last phase, running from 2001 to the present, involves ongoing political contention between forces who want to maintain and strengthen the use of WHOIS as an identification and surveillance tool and those who want to reform it to conform to data protection and privacy norms. Despite some change around the margins, we see that massive investments of political energy on both sides have been unable to move decisively in either direction.
The last section assesses the implications of the historical evidence for theories of global governance, focusing in particular on Drezner (2006).


WHOIS Timeline, 1982 – 2007

Phases:

  1. WHOIS Established as part of Internet
  2. WHOIS Default Remains in Place During Transition
  3. New WHOIS Institutionalized by ICANN regime
  4. Political contention over WHOIS as identification tool and data protection laws and norms

| Date/Period | Event or released material (link) | Source/Author |
| --- | --- | --- |
| March 1, 1982 | First specification of a standard for WHOIS (NICNAME) RFC 812: http://www.ietf.org/rfc/rfc0812.txt?number=812 | IETF, Ken Harrenstien, Vic White (NIC; SRI International) |
| August 1982 | First specification of the Domain Name System (DNS) in RFC 819, http://www.ietf.org/rfc/rfc0819.txt?number=819 | IETF, Network Working Group Zaw-Sing Su (SRI) Jon Postel (ISI) |
| October 1985 | RFC 954 updating the WHOIS standard, http://www.ietf.org/rfc/rfc0954.txt?number=954 | IETF, Network Working Group; K. Harrenstien, M. Stahl, and E. Feinler (SRI) |
| 1991-1992 | Internet opened to public; Commercial Internet eXchange founded in 1991 and legislation passed in 1992 revising NSF's Acceptable Use Policy to permit public use of NSF supported networks | CIX, NSF |
| 1992 - 1993 | Public release of graphical World Wide Web browsers | Mosaic, Netscape |
| 1994 | First lawsuits related to domain name - trademark conflicts http://ischool.syr.edu/~mueller/studyhp.html | US Courts |
| July 1995 | Charging for domain registrations instituted by NSF; NSI “Domain Dispute Resolution Policy” gives trademark owners special rights to domain names | Network Solutions, Inc. (NSI) |
| 1996 – 1999 | Growth of automated processes to collect zone file / WHOIS data from centralized NSI database | |
| November 1998 | US Commerce Department recognizes ICANN as the “NewCo” called for by the June 1998 White Paper http://www.ntia.doc.gov/ntiahome/domainname/icann-memorandum.htm | US Commerce Department |
| January 1999 | US Commerce Department, NSI agree on usage restrictions for zone file data for .com, .net and .org | US Commerce Department, NSI |
| March 1999 – November 1999 | First ICANN Registrar Accreditation Agreement (RAA) developed http://www.icann.org/registrars/policy_statement.html http://www.icann.org/registrars/ra-agreement-12may99.htm http://www.icann.org/nsi/icann-raa-04nov99.htm | ICANN |
| April 30, 1999 | Final Report of WIPO Internet Domain Name Process recommends that “contact details of all domain name holders should be made publicly available” http://www.wipo.int/amc/en/processes/process1/report/finalreport.html | WIPO |
| August 3, 2000 – February 2001 | Litigation related to Verio’s use of automated collection of Whois and zone file data for marketing purposes, http://www.icann.org/announcements/advisory-02feb01.htm http://www.dnso.org/dnso/notes/20020122.rc01.4.html; Injunction granted http://www.icann.org/registrars/register.com-verio/order-08dec00.htm | Register.com v. Verio, Inc. |
| May 2000 | International Working Group on Data Protection in Telecommunications warns ICANN that “publication of personal data of domain name holders gives rise to data protection and privacy issues.” http://www.datenschutz-berlin.de/doc/int/iwgdpt/dns_en.htm | Internationaler Datenschutz, Berlin, Germany |
| December 1, 2000 | WHOIS Committee convened by ICANN to address implementation questions caused by registrar competition http://www.icann.org/committees/whois/ | ICANN (VP & General Counsel) |
| March 6, 2001 | ICANN WHOIS Committee recommends standardizing WHOIS output across registrars http://www.icann.org/committees/whois/committee-recommendations-06mar01.htm | ICANN WHOIS Committee |
| May 2001 | 2nd (Current) Iteration of ICANN Registrar Accreditation Agreement http://www.icann.org/registrars/ra-agreement-17may01.htm | ICANN |
| July 2001 | Congressional Hearing on "The WHOIS Database: 'Privacy and Intellectual Property Issues.'" http://judiciary.house.gov/media/pdfs/printers/107th/73612.pdf | US House of Representatives, Committee on the Judiciary, Subcommittee on Courts, the Internet, and Intellectual Property |
| Feb 2001 – February 2003 | First ICANN Whois Task Force (WHOIS TF 1) established, focusing on accuracy, postponing privacy http://www.dnso.org/clubpublic/nc-whois/Arc00/ (List archives) http://www.icann.org/gnso/whois-tf/report-19feb03.htm (final report) http://www.icann.org/correspondence/touton-message-to-cade-30jan03.htm | ICANN/DNSO |
| May 2002 | Congressional Hearing on "The Accuracy and Integrity of the Whois Database." http://judiciary.house.gov/media/pdfs/printers/107th/79752.pdf | US House, Committee on the Judiciary, Subcommittee on Courts, the Internet, and Intellectual Property |
| September 2002 | ICANN WHOIS Data Problem Reports system established http://wdprs.internic.net/ | ICANN |
| September 2003 | Congressional Hearing on “Internet Domain Name Fraud – The U.S. Government’s Role in Ensuring Public Access to Accurate WHOIS Data.” http://judiciary.house.gov/media/pdfs/printers/108th/89199.pdf | US House, Committee on the Judiciary, Subcommittee on Courts, the Internet, and Intellectual Property |
| September 18, 2003 | Second ICANN WHOIS Task Force (WHOIS TF 2), focusing on Whois-privacy issues, http://gnso.icann.org/meetings/minutes-whois-sc-18sep03.shtml | ICANN/GNSO Council |
| October 2003 | Registrar WHOIS Data Reminder Policy goes into effect | ICANN |
| November 2005 | GAO releases report “Quantifying Prevalence of False Contact Information for Registered Domain Names” http://www.gao.gov/new.items/d06165.pdf | US Governmental Accountability Office |
| November 28, 2005 | GNSO Council voted by a supermajority in favor of the ‘Recommendation on a procedure for potential conflicts between Whois requirements and privacy laws’ in the Final Task Force Report of the Whois Task Force | GNSO Council |
| March 15, 2006 | Final Task Force report on the purpose of Whois and Whois contacts http://gnso.icann.org/issues/whois-privacy/tf-report-15mar06.htm | GNSO Council / WHOIS Task Force |
| April 12, 2006 | GNSO Council supermajority vote for narrow, technical definition of WHOIS purpose http://gnso.icann.org/meetings/minutes-gnso-12apr06.shtml | GNSO Council |
| May 10, 2006 | ICANN Board unanimously approves GNSO Council ‘Recommendation on a procedure for potential conflicts between Whois requirements and privacy laws’ in the Final Task Force Report of the Whois Task Force, http://www.icann.org/minutes/minutes-10may06.htm | ICANN Board |
| June 22, 2006 | Broad set of letters to ICANN reacting to new purpose definition, including Article 29 Working Party http://icann.org/correspondence/ | Article 29 WG, Privacy Commissioner of Canada, AIPLA, banks, etc. |
| July 25, 2006 | Letter on the consultation on the implementation of .ca Whois look-up directory privacy policy http://icann.org/correspondence/ | CIRA |
| November 22, 2006 | Preliminary Task Force Report on Whois Services http://gnso.icann.org/issues/whois-privacy/prelim-tf-rpt-22nov06.htm | ICANN GNSO Council |
| March 12, 2007 | Final task force report on Whois services, recommending OPoC proposal http://gnso.icann.org/issues/whois-privacy/whois-services-final-tf-report-12mar07.htm | ICANN GNSO Council |
| | Letter from Article 29 Working Party reacting to the 'Draft Procedure on Potential Conflicts with Whois Requirements and National Laws' and 'Preliminary Task Force Report on Whois Services' http://icann.org/correspondence/ | Article 29 Data Protection Working Party |
| March 28, 2007 | GAC Principles regarding gTLD Whois services http://gac.icann.org/web/home/WHOIS_principles.pdf | ICANN’s Governmental Advisory Committee |
| | GNSO Council creates a new WHOIS Working Group to specify what WHOIS data elements should remain publicly available and which legitimate third parties may have access to the data that is no longer publicly available. The WG continued from April to August 2007, http://gnso.icann.org/issues/whois-privacy/whois-wg/whois-working-group-charter-16apr07.pdf | GNSO |

 


 

Phase 1: Early manifestation and purpose of Whois

The WHOIS service was first defined through an Internet Engineering Task Force standards document, RFC 812 (1982), superseded a few years later by RFC 954 (1985). Both RFCs describe the underlying query/response protocol which can be consulted by any host computer on the network by sending a query from a client to a server. The introduction to RFC 954 reads:

The NICNAME/WHOIS Server is a TCP transaction based query/response server…that provides netwide directory service to internet users.  It is one of a series of internet name services maintained by the DDN Network Information Center (NIC) at SRI International on behalf of the Defense Communications Agency (DCA).  The server is accessible across the Internet from user programs running on local hosts, and it delivers the full name, U.S. mailing address, telephone number, and network mailbox for DDN users who are registered in the NIC database.

 

The first RFCs make it clear that the WHOIS protocol was intended to make available to users a general directory of other ARPANET/Internet users. At the time, ARPANET was what we would now call an “Intranet” that linked a few hundred computer scientists and researchers at fewer than a hundred geographically distributed sites. A critical fact about this directory, then, is that it was intended to serve a closed, relatively homogeneous and (compared to today’s Internet) very small group of networked computer users.[2] The RFCs do not specify exactly what the purpose of this directory was. One can infer from context that it served a variety of purposes, and was seen as a convenience to the community of defense contractors involved in building the early Internet. Another critical fact is that for most users, participation in the directory was encouraged but was not operationally, legally or contractually required.[3] It may be that the Defense Communications Agency’s request to register in the centralized WHOIS Database was made to facilitate technical coordination, but this is not documented in the RFC, and evidence supporting this has not been found anywhere else. The RFC states only that the purpose is to provide a directory service to the network users. In the initial (1982) description of the standard, the information requested for the WHOIS server included: “full name, middle initial, U.S. mailing address (including mail stop and full explanation of abbreviations and acronyms), ZIP code, telephone and one network mailbox.”

 

Phase 2: Internet opened to the public and to commerce

The number of hosts connected to the Internet grew rapidly throughout the 1980s, but it was still a closed community of users. From 1991 to 1995 a critical change in the status of the Internet occurred: it was opened to commercial users and to the general public. This change was accelerated by the creation and deployment of the World Wide Web and user-friendly Web browsers, which made the Internet usable and interesting to ordinary members of the public. The number of computers connected to the Internet exceeded 1.3 million before the end of 1992 and was somewhere between 6 and 8 million by the middle of 1995. This was no longer a “community” of computer scientists and researchers, but a mass, heterogeneous public, engaged in both commerce and in public and personal communication. It was also an increasingly contentious and litigious public. As documented in Mueller (2002), the emergence of the WWW gave domain names economic value as locators of web sites. Domains were now commonly registered for speculative and sometimes fraudulent activity. The economic value of domains made them a site of conflict over legal rights to names, as trademark owners and registrants negotiated new property rights boundaries around the use of domains.

During this tornado of change the WHOIS service that was implemented between 1982 and 1985 remained in place. The user base of the Internet was no longer closed, no longer homogeneous, no longer situated within a noncommercial community, and no longer relatively small and manageable, but the protocol and the practice of supplying a “directory” of Internet users remained the same. The only significant change was that the burden of supplying the WHOIS service shifted from defense contractor SRI to civilian National Science Foundation contractor Network Solutions, Inc. As the Internet moved from the small, noncommercial and closed world of the 1980s to the open, public, and commercial world of the mid-1990s no one made a conscious decision to retain the open-access WHOIS service of RFC 954; WHOIS was an unnoticed default value.

In this constancy in the midst of radical transformation, we find an important trigger of change in global governance arrangements. As noted before, a “default” is a situation or condition that obtains in the absence of active intervention. Establishing open access to user contact information as the default gave an opening to those looking to compensate for the anonymity of Internet use. In particular, trademark lawyers viewed domain names that incorporated or resembled the marks of their clients as threats to the exclusivity and value of their brand names. These industrial interests created a strong demand for Internet capabilities that permitted them to monitor domain name registrations and identify the registrant. WHOIS records were perfectly suited to this purpose: they combined information about registered domains with the date of the registration and extensive contact information for the registrant and technical administrators. That combination enabled mark holders not only to identify what they considered infringements, but also to quickly serve legal process on the registrant. The data in the WHOIS record was as close as the internet got to an identity card. Well before the creation of ICANN’s contractual regime in 1999, information providers of trademark monitoring services, such as Thomson, Inc., were incorporating WHOIS information into their products.

The practice of using WHOIS information for private policing functions quickly spread to include copyright holders who wanted to be able to identify and prosecute web sites that were distributing infringing content. Additionally, public law enforcement agencies tracking online fraud found the instant access to identification information, without any need for due process, temptingly convenient. Social science researchers interested in objective data about aspects of the Internet also joined the game.[4] With domain name registration and web site hosting evolving into a multi-billion dollar industry, access to registration records and zone files was also being used to gain marketing data. Thus within a few years of the Internet’s commercialization, the process of using WHOIS as a form of identification, surveillance and data mining, often using automated bots to gather data, had become common practice.

In its original default, WHOIS data and the DNS zone files were pure data “commons,” accessible to anyone on the Internet. Network Solutions, Inc., the central registry which held the exclusive contract to operate the .com, .net and .org domains, was required to make its zone files available for legitimate use. In January, 1999, however – only a few months after the US government recognized ICANN – the potential for abuse of open access to WHOIS data became evident. The emergence of automated query processes directed against Network Solutions’ registration and WHOIS systems prompted it to press the Commerce Department to tighten restrictions on the use of the zone files, through a “zone file access agreement.”[5]

 

Phase 3: ICANN Institutionalizes WHOIS

A new global governance regime for the Internet’s domain name system (DNS) was created from 1998 – 1999. The regime was created by the United States and centered in a nonprofit, California public benefit corporation, the Internet Corporation for Assigned Names and Numbers (ICANN). In the following section, we trace the evolution of WHOIS policy during the early stages of the ICANN regime.

The ICANN regime had three main purposes. One was to provide a formal institutional home for the coordination of the Internet’s identifier system; another was to develop a mechanism for handling domain name-trademark conflicts; the third was to introduce competition in the supply of domain names. The latter goal, which required separating registries from registrars and thus decentralizing the maintenance of customer account records, was incompatible with the original design of WHOIS. Put bluntly, registrar competition broke the old, centralized WHOIS. ICANN could, therefore, no longer rely on the default. In order to institutionalize the legacy capability of WHOIS it had to define new contractual relationships among the parties. As ICANN’s general counsel Louis Touton stated at the time, “An overall goal of the Whois provisions of the Registrar Accreditation Agreements was to help restore the InterNIC Whois service that existed in .com, .net, and .org prior to the introduction of multiple registrars.”[6]

As the prior statement indicates, the central component in the evolution of WHOIS policy is the Registrar Accreditation Agreement (RAA). “Registrars” are artifacts of ICANN’s regulatory regime for the supply of domain names. They are the “retail” side of a contractually-imposed vertical separation between “wholesale” registries that exclusively operate top level domains (such as .com or .info), and multiple registrars who compete at the retail level to sell second-level domain name registrations (such as aol.com or igp.info) in the top-level domains to end users. Before any company could become a registrar, it had to sign an accreditation contract with ICANN. This contract was used to impose regulations pertaining to the supply of WHOIS services (among many other things). The first RAA contract was developed between February and November 1999. The first published version of it is dated May 12, 1999; it reached something close to its current form with the November 1999 version.[7]

In the RAA and in its contracts with registries, ICANN transformed the community directory of RFC 954 into a contractual obligation on the part of registrars to provide a “free” (i.e., subsidized at registrant expense) database that could be queried an unlimited number of times by any Internet user. For registrars, the obligation to provide a WHOIS service is embodied in Section F of the 1999 RAA:

At its expense, Registrar shall provide an interactive web page and a port 43 Whois service providing free public query-based access to up-to-date (i.e. updated at least daily) data concerning all active SLD registrations sponsored by Registrar in the registry for the .com, .net, and .org TLDs. The data accessible shall consist of elements that are designated from time to time according to an ICANN-adopted policy.

 

The policy requires registrars to include “only” the name and postal address as the SLD holder’s personal data in such provision; however, the technical and administrative contacts for the SLD must provide “the name, postal address, e-mail address, voice telephone number, and (where available) fax number.” In practice, registrants are presented with a form containing all the contact data and usually not informed that they needn’t provide more than that. Additionally, a registrant who is a natural person may not have separate administrative and technical contacts and thus must provide a personal telephone number and email address. The registrar must allow any lawful uses of the registration data provided through the query-based public access. The only exception is “mass unsolicited, commercial advertising or solicitations via e-mail (spam); or […] high volume, automated, electronic processes that apply to Registrar (or its systems).”[8]

The RAA also obligates the registrar to provide “bulk access” to WHOIS data. Upon payment of an annual fee capped at $10,000, registrars must make available “a complete electronic copy of the data available at least one time per week for downloading by third parties.” Such deals are subject to the above-mentioned restrictions. This part of the RAA was meant to accommodate the political demands of a growing number of trademark monitoring service providers who systematically collected WHOIS data and compiled it into analyses that were sold to trademark holders.[9]

The RAA contract contains several boilerplate allusions to standard data protection principles, such as a requirement to notify end users of what data was required and what the data would be used for,[10] and grants individual domain name registrants a nominal right to “opt out” of any deals for bulk access related to marketing. The basic intent of securing a “WHOIS service providing free public query-based access” largely nullifies their effect. It is as if they were driven by two heterogeneous forces, or come from two distinct sources. The concept of notifying users what purpose their data is used for becomes meaningless in the context of open, public query-based access, which makes it possible for the data to be used by anyone for practically any purpose. Aware that there might be privacy statutes and regulations that could conflict with it, Paragraph 8 under section F provides for the possibility that ICANN may change policy regarding the WHOIS public access service when required for compliance with enforceable laws and regulations.[11]

In sum, the RAA was crafted to walk a fine line between making possible identification and surveillance for the various interest groups that relied on it, including those wanting systematic bulk access to domain name records, while preventing the kind of wholesale and uncontrolled exploitation of a data commons that was beginning to emerge through automated processes. ICANN’s initial contractual regime institutionalized the capability of RFC 954, making query-based access to WHOIS an obligatory part of the registration industry, while putting in place a few restrictions on use that it considered illegitimate or abusive.

In preparing the RAA, the ICANN regime openly catered to the needs of the intellectual property interests. The U.S. Commerce White Paper that set in motion the process of creating ICANN called upon the World Intellectual Property Organization (WIPO) to convene a process for making policy recommendations regarding domain names. In its Interim and Final Reports, WIPO recommended that “contact details of all domain name holders should be made publicly available.”

In this stage, ICANN WHOIS was maintained not as a default value but as an actively constructed legal obligation. Nevertheless, our argument is that ICANN’s contractual regime attempted to maintain the classical WHOIS capability in the new situation, and that the institutionalization of WHOIS along these lines never would have been possible had it not been preceded by nearly five years of the default WHOIS, which created and legitimated expectations about appropriate levels of access and vested interests in exploiting that access. To fully comprehend the power and importance of the default value, we need to rely here on a counterfactual scenario. One might want to argue, in contradiction to our point, that the trademark and copyright interests are very powerful and would have succeeded in gaining access to user contact data during the institutionalization phase regardless of the prior existence of WHOIS and the persistence of any default value. To refute this argument, we point to the absence of any similar lookup capability outside of the domain name system. A large portion of Internet users do not have their own domain registration; most rely on digital identities supplied by Internet service providers or email services; e.g., they navigate the Internet as goodperson@xs4all.nl or badperson@gmail.com. Most Internet users only possess usernames under domains registered by someone else, and these kinds of accounts are just as likely to be the basis of malicious use as directly registered domains. 
Suppose, then, that in response to all the problems of fraud and cybersquatting in the early years of the Internet’s existence, trademark and copyright holders and law enforcement agencies had demanded that the world’s ISPs should be required to set up a globally interoperable, uniformly formatted database that allowed anyone in the world to type an ISP username such as goodperson@xs4all.nl or badperson@gmail.com into a web interface and be returned the name and street address of the account holder.[12] What would have happened if, in the absence of a pre-existing default directory, those interested in surveillance and identification on the Internet had demanded the equivalent of a WHOIS capability for ISP accounts?

The strongest answer to this question is simply the absence of such a capability, or anything close to it, anywhere in the world, much less on a global basis. Yet the justification for such a capability is just as strong as is the case for domain name WHOIS. Indeed, the case for it is stronger, because the wider scope of such a system would allow it to access the records of spammers and fraudsters who use third party ISP accounts as well as those using their own domains. But such a system has neither been created nor are there any organized efforts to lobby for it. It seems clear that trademark and copyright holders never would succeed in getting such a system implemented globally, or even within the US, no matter how strongly they wanted it. The affected businesses, the ISPs, would strenuously resist supplying unrestricted, anonymous public access to their customer lists. They would also emphasize the cost burden of creating such a globally interoperable capability, and maintain that the costs would harm the growth of the industry. ISPs would almost certainly invoke the privacy rights of their account holders, partly out of sincere concern for them and partly as a cover for their economic interest in avoiding such a scenario.[13] They would insist upon the importance of due process of law in obtaining access to the contact data, noting that only customers strongly suspected of wrongdoing should be subjected to such surveillance. Even if the advocates of such a broader lookup scheme succeeded in overcoming the resistance of the ISPs, they would then be confronted with the incompatibility of national laws throughout the world, and the differing norms that exist in different regions. Privacy advocates and data protection authorities would subject such a proposal to intense scrutiny and oppose its implementation. Cooperation with such a system by national sovereigns would be voluntary, making it extremely unlikely that a global implementation would achieve critical mass. Not to mention the compatibility issues associated with offering access to usernames in Chinese, Sanskrit, Arabic as well as English. In short, the costs, political obstacles and technical barriers associated with creating a WHOIS-like capability from scratch highlight the critical role played by the default value in shaping the approach to identity policy and data access in Internet governance.

 

Phase 4: Endless Contention

 

After the basic institutional framework of ICANN was put into place, the politics of WHOIS entered a new phase, one which we call “endless contention.” The contradiction between WHOIS and data protection laws and norms became evident, leading to efforts to reform or alter WHOIS. At the same time, the economic and political interests that wanted WHOIS to become the Internet’s identity card became frustrated at its imperfections and pushed in the opposite direction, for reforms making it more comprehensive and accurate. For the first two or three years, there is no doubt that the advocates of strengthening WHOIS had the upper hand politically. Some time in late 2003 the tables turned and privacy-oriented WHOIS reformers gained the initiative. Nevertheless, neither side proved able to make comprehensive changes. For the next seven years, the issue would remain stuck in the default-driven equilibrium.

 

Strengthening WHOIS

By 2001, it was clear that the DNS WHOIS had the potential to become one of the primary identity verification mechanisms on the Internet. But the WHOIS service had important and rather obvious limitations. The information entered into it was not authenticated or verified at the point of entry and hence WHOIS contained many inaccurate, obsolete, or deliberately misleading records. The fragmentation of the supply of WHOIS services across competing registrars made it more difficult and costly to conduct comprehensive searches. Another form of fragmentation was also becoming important: as the Internet spread globally a growing number of Internet users were registering under country code top level domains (ccTLDs). Efforts by the US to rope ccTLDs into the global ICANN regime by signing contracts that reduced them to the same status as gTLD licensees were not working. Thus, nothing obligated the ccTLD operators to display the information policing agencies wanted, or to integrate their WHOIS services with those of the generic top level domains governed by the ICANN regime.

From 2000 to 2003, the economic and political interests who supported surveillance and identification initiated efforts to reform and broaden WHOIS to make it an even more effective identity tool. Three avenues of change were promoted. One was to create political pressure in the U.S. Congress. Another was to use bilateral free trade agreements to push other countries to upgrade their WHOIS to US standards. A third was to push for policy changes within ICANN that would improve the accuracy of WHOIS and make it more universal. In each of these cases, the fact that the ICANN regime was centered in and accountable to the U.S. government proved critical.

 

The U.S. Congress

Three Congressional hearings were held on the WHOIS issue from July 2001 to September 2003. All were sponsored by the Subcommittee on Courts, the Internet, and Intellectual Property of the Committee on the Judiciary in the U.S. House of Representatives. This committee, chaired by ranking member Howard Berman from the Congressional District in California that contains the Hollywood entertainment industry, is known to be entirely under the control of trademark and copyright interests. Berman framed the issue in terms that reflected those interests clearly:

Policy decisions about the accessibility of Whois information must be made in light of the fact that new domains are now being created, and their creation will exponentially increase the number of copyright and trademark infringing, cybersquatting, and defrauding websites. If new problems like these are going to be created, then mechanisms for addressing those problems should also be created. One such mechanism is access to the Whois Database, and accurate information therein, so that intellectual property owners, fraud busters, and the police can track down those that are taking advantage of these newly created opportunities to break the law. Registries cannot create new problems and then not provide the means to address them.

Like many other policy-makers in the U.S., Berman viewed the Internet exclusively as a tool for electronic commerce, and dismissed privacy concerns, comparing the WHOIS service with the registration system for businesses in the physical world.

Only one witness, an anti-spam advocate, challenged the practicality or desirability of “trying to get absolute identification from anyone who registers for a domain name.” He also invoked the relationship between free speech and anonymity on the Internet. In contrast, Steven Mitchell from Interactive Digital Software Association (IDSA) emphasized that WHOIS was the very tool that the U.S. Congress intended to be used to enforce the Digital Millennium Copyright Act; it was “the service that allows notice and takedown to work.” He asserted that automated and cheap means for the registrar to detect false WHOIS data exist, but deplored the fact that ICANN does not require them to do so, although ICANN has the authority to impose such requirements.

Timothy Trainer of the International Anticounterfeiting Coalition (IACC) insisted that a publicly available identification service is absolutely necessary for the Internet and online business. “WHOIS provides one of the few links to real live people behind the website, behind the URL,” he said. He asserted that “domain name ownership is not a right,” and that “a person making a decision to have a presence on the Internet…should have a lowered expectation of privacy” – indicating the degree to which the emergence of the Internet invites redefining the nature of basic rights. Trainer also invoked ICANN’s contractual governance regime as a justification for any diminishment of privacy, noting that “with all ICANN-accredited registrars, a domain name registrant gives consent to providing public access to some information.” Like Mitchell, Trainer called for more pressure from the U.S. Government on ICANN, and from ICANN on the registrars in order for the latter to fulfill their contractual obligations to collect, maintain, and make publicly available the domain name registrant’s contact information.[14]

Privacy concerns having been largely dismissed by Congress in 2001, the 2002 hearings focused exclusively on “Accuracy and Integrity of the Whois Database” and ways to enforce such qualities on the WHOIS information. This round of testimony focused extensive criticism on the conduct of registrars. Registrars were accused of making “the bulk of their money from cybersquatters and speculators.” The hearing also treated WHOIS as an exclusively domestic (U.S.) issue. Mr. Howard Beal, Director of the U.S. Federal Trade Commission, called upon registrars to suspend domain name registrants whose contact information is incomplete or inaccurate, and to implement upfront verification procedures. The FTC Director did, however, distinguish between commercial websites and those that are set up for “personal and political reasons,” recognizing for the latter “legitimate privacy interests at stake.”

 

ccTLDs and Bilateral FTAs

If the Congressional hearings provide evidence of the strong political demand for identification via WHOIS, and the intention to leverage the ICANN regime to deliver those goals, the Commerce Department showed that it was willing and able to take the objectives into other international forums as well. Theodore Kassinger, General Counsel of the Department of Commerce, acknowledged during the 2003 Hearings on WHOIS that the USG started inserting into its bilateral free trade agreements (e.g., with Singapore and Chile) the adoption of an ICANN-style WHOIS service by the trading partner’s ccTLD.[15] The relevant language was crafted by the US Patent and Trademark Office. It reads:

Each Party shall also ensure that its corresponding ccTLDs provide public access to a reliable and accurate WHOIS database of domain name registrant contact information

An industry group commenting on the agreement complained that this was not good enough; it preferred “that there be a direct reference to the “Whois” database as available in the gTLDs namespace [i.e., the namespace coordinated by ICANN]. Inclusion of this direct reference would clarify the type of information this database must contain.”[16]

Privacy advocacy seems to have had an effect on the Dominican Republic-Central American FTA (DR-CAFTA), however. The language on WHOIS was modified to say:

Each Party shall require that the management of its ccTLD provides on-line public access to a reliable and accurate database of contact information for domain-name registrants. In determining the appropriate contact information, the management of a Party’s ccTLD may give due regard to the Party’s laws protecting the privacy of its nationals.

 

The intergovernmental FTA negotiation process reflected privacy concerns more readily than the ICANN regime, which was dominated by US-based business and intellectual property interests acting with the official support of the US Government, and burdened with the default value of the original WHOIS.

 

The 2001 WHOIS Task Force of ICANN

 

Parallel to the U.S. Congress engaging in repeated scrutiny of the WHOIS situation, the ICANN policy development process launched its own Task Force in February 2001 to work on the issue. The Task Force was a continuation of a committee handpicked by ICANN’s management,[17] which was formed in the aftermath of the Verio v. Register.com litigation and the struggle to understand, define and implement the WHOIS provisions of the RAA.

ICANN and its policy making processes were still young and lacked well-defined procedures and reporting mechanisms. The TF’s terms of reference were broad and rather indeterminate: “To consult with the community with regard to establishing whether a review of any questions related to ICANN’s WHOIS policy is due and if so to recommend a mechanism for such a review.” Eventually AT&T’s Marilyn Cade, a leader of the Business Constituency and strong advocate of the use of WHOIS for surveillance and identification purposes, emerged as chair of the WHOIS Task Force.[18] Not surprisingly, the focus of the first Task Force on WHOIS ended up being on the accuracy of WHOIS data, a decision being made to set aside privacy concerns until later. The Policy Report released in November 2002 and the updated Final Report dated February 19, 2003, recommended that ICANN and registrars take steps to better enforce the RAA provisions pertaining to accurate WHOIS information. Recommendations also included detailed instructions for processing accuracy complaints. As an outgrowth of this work, ICANN implemented its WHOIS data report problem system, allowing inaccurate data to be reported and the domain names of persistent offenders to be discontinued. Intellectual property interests nevertheless remained dissatisfied with ICANN and the accuracy of WHOIS, complaining that no registrar had ever been de-accredited and advocating that ICANN be kept on a short, one-year leash with respect to the renewal of its MoU with the Department of Commerce.[19]

As detailed in the November 2002 Policy Report, the other main focus of the TF was on Marketing Use of WHOIS as related to the RAA provisions for bulk access. The TF made a recommendation “against marketing use of bulk access”; however, it must be noted that the RAA already disallowed bulk access for marketing purposes. The report indicated that privacy, along with “Uniformity and Enhanced Searchability”, was one of the points that needed further work. Furthermore, a number of other key issues were identified along the way: “differential access” to WHOIS data, privacy considerations in terms of the type of entity (natural individuals or organizations) registering a domain name, and the question of extending the regime to ccTLDs.

In 2005, the Government Accountability Office conducted tests and found that only 5.14% of the WHOIS entries were patently false, and 3.65% were incomplete in one or more data fields. Only a small portion of that total, they estimated, used inaccurate data to shield illegal activity; the rest are made by registrants who try to avoid having their personal data publicly displayed for unsolicited marketing.

 

Universal WHOIS?

Another bold initiative to expand WHOIS emerged from VeriSign’s 2001 agreement with the US Commerce Department to divest itself of the .org top level domain and to rebid the .net top level domain. In its new contract, VeriSign agreed to allocate at least $200 million for R&D and improvements to the registry infrastructure between 2001 and 2010.[20] ICANN specifically requested that, in terms of infrastructure improvements, priority be given to the design and development of “a Universal Whois Service that will allow public access and effective use of Whois across all Registries and all TLDs.” Such service would truly be universal beyond the domain names operated by VeriSign, since it would be extended to all of them, including country code TLDs. In case of success, VeriSign agreed to “make the Application Program Interfaces necessary to produce software which can efficiently deploy and use the Universal Whois Service available to applications developers on an open, non-proprietary, standards-based and royalty-free basis.” Work was due to commence no later than 31 December 2001, and notable progress with the implementation was expected exactly a year later. With a great level of attention, ICANN also requested that most of that sum be expended before 10 November 2007, and that VeriSign provide an annual report on the progress of activities.

For a time, VeriSign was indeed actively involved in designing Whois-related technical proposals. Indeed, data show traces of a certain “uwho” service which presumably was the company’s first response to ICANN’s Appendix W. VeriSign’s work on uwho was transferred to the Internet Registry Information Service (IRIS) protocol developed by the Cross-Registry Internet Service Protocol (CRISP) Working Group inside IETF. While IRIS was intended to supersede the “aging Nicname/Whois” protocol, the CRISP working groups have not had any impact on WHOIS implementation to date. Issues of technical standards are superseded by the lack of consensus on the policy issues surrounding WHOIS and the inertia of the current system.

To summarize, the push by trademark and copyright interests, aided by the U.S. Commerce Department, to strengthen WHOIS and make it a more powerful tool of identification and surveillance has met with limited success. Measures to report and correct inaccuracy have been implemented, but there has been little progress on attempts to universalize WHOIS.

 

Privacy gains the upper hand

As noted before, the Working Group on Data Protection in Telecommunications issued a statement in May 2000 raising privacy concerns about the publication of the individual domain name holders’ information. This was the first public statement on record claiming that privacy be respected in the WHOIS policy by ICANN. The statement concludes with the assertion that the WHOIS policy implemented by ICANN-accredited registrars should ultimately be contingent upon the legislation and public policy provisions in effect in the territorial jurisdictions the registrars are subject to:

 

The Working Group stresses that any registrar operating within the jurisdiction of existing data protection laws and any national domain name registration procedures are subject to the existing national data protection and privacy legislation and to the control by the existing national Data Protection and Privacy Commissioners.

 

This position was reiterated in January 2003, in a letter directly addressed to ICANN and referring back to the initial statement. At this point privacy concerns had exploded among ICANN constituencies and within the Internet community, so that privacy advocates seeking reform became a strong counterweight to the previous trend for an open, universal and accurate WHOIS database. Another important shift occurred among the registry and registrar businesses, who openly broke with the intellectual property interests and began to actively support privacy-oriented reform. One reason for this was the growing abuse of registrars’ and registries’ WHOIS capability. WHOIS operates on port 43, which was designed to be a vehicle for individual queries. Yet by 2003, port 43 was being pounded by automated request programs built to systematically collect a registrar’s customer data. Such programs had the same effect as bulk access downloads, yet strained the registrars’ infrastructure while producing no revenue. The World Summit on the Information Society, which in late 2003 concentrated world attention on ICANN and its unilateral control by the US government, also contributed to the shift.

So from early 2003 on, privacy activists inside the ICANN structure, who had had a low profile or had been ignored, gained support and became more visible and vocal. In March 2003, the Non-Commercial User Constituency (one of the stakeholder groups that composed ICANN’s Generic Name Supporting Organization) submitted to the GNSO Council an issues report stating that privacy concerns need to be addressed properly and that a new task force was needed to achieve this. The European Article 29 Data Protection Working Party called on the ICANN community to undertake a clear definition of the purpose of WHOIS directories and to look for ways to achieve such purpose without making personal data public and undermining the privacy rights of individuals.[21]

Responding to these concerns, the GNSO Council reconvened a new task force on WHOIS and privacy. The WHOIS task force would continue working for four years, an astoundingly long period of time for a policy development process that, according to ICANN’s bylaws, is supposed to last a few months. The Task Force’s political alignments were predictable, with domain name supply industry interests (registrars and registries) and privacy advocates within the Noncommercial Users Constituency pitted against the three trademark-oriented business user constituencies. The WHOIS Task Force did produce three outcomes:

- A policy that recognizes the existence of, and defines a procedure for handling, conflicts between the RAA and national privacy laws;

- A definition of the purpose of Whois that is narrow and focused on technical coordination rather than law enforcement; and

- A proposal for shielding some of the displayed WHOIS information from public access, known as the Operational Point of Contact (OPoC).

 

These privacy-oriented initiatives, however, produced a second surge of opinions, positions and statements in 2006 and 2007, from what can now be called the identification party: intellectual property holders, and public and private law enforcement agencies. The critical flashpoint in the debate came from the April 2006 vote taken by the GNSO council on a definition of the purpose of WHOIS. The GNSO Council voted by 2/3 majority for a narrowed and technical definition of the purpose of WHOIS, as opposed to a broader one that defined its purpose as providing information to resolve any issues regarding domain names.[22] The formulation that won the vote reads:

 

The purpose of the gTLD Whois service is to provide information sufficient to contact a responsible party for a particular gTLD domain name who can resolve, or reliably pass on data to a party who can resolve, issues related to the configuration of the records associated with the domain name within a DNS nameserver.

 

That vote generated a strong protest from private business associations and some prominent government representatives. Indeed, the Australian Government representative, in contradiction to his country’s privacy legislation, sent a letter opposing the definition to ICANN’s GNSO Council chair Bruce Tonkin immediately following the vote, which was forwarded to the Council list on 13 April 2006.[23] Strong behind-the-scenes pressure was placed on ICANN and the GNSO to reconsider its vote, and ICANN de facto backed away from the new purpose definition. Other letters of protest came from entities such as: BITS Financial Service Roundtable (April 14), International Trademark Association INTA (June 12), the American Intellectual Property Law Association AIPLA (June 15), the UK’s Office for Fair Trading (June 20), the InterContinental Hotels Group, the Finance Services Sector Coordinating Council for critical infrastructure protection and homeland security FSSCC (June 22), the International Franchise Association (June 23), the International Anti-Counterfeiting Coalition IACC (June 26), and RSA Security (July 6). Overall, the motivations raised are per se legitimate, such as protecting customers against fraud and assisting law enforcement in investigating fraud and taking down incriminated web sites. However, despite all the claims to recognize privacy issues to various extents and in certain instances, these letters basically insisted on retaining the status quo of open access WHOIS. Furthermore, it clearly appears that most of the uses claimed are for identification, as shown in the following anthology of excerpts:

 

We believe the adoption of formulation 1 [the new, restrictive definition of WHOIS purpose] would make it more difficult and time-consuming for financial institutions to identify and stop domain-based scams and the identity theft and account fraud that result. (BITS)

 

To protect our hotel consumers, members of the HCPC use Whois repeatedly on a daily basis to identify domain name registrants and website operators that are creating websites using our trademarks to mislead consumers.  (HCPC)

 

WHOIS not only facilitates the investigation of legal violations on the Internet, but serves a basic function in making the rule of law apply to the Internet by providing information necessary to serve notice and institute legal action against violators. Similarly, the ICANN Uniform Dispute Resolution Policy, an anticybersquatting tool and one of ICANN’s greatest successes, requires that complainants and dispute resolution providers serve notice of complaints upon domain name owners, using information found in the Whois database. (INTA)

 

It should also be noted that the US government in September 2006, in renewing ICANN’s contractual agreement until 2009, inserted a provision requiring ICANN to “enforce existing Whois policy” and maintain “timely, unrestricted and public access to accurate and complete Whois information.”

The privacy party also weighed in, either to support the path taken with the newly formulated and adopted purpose for WHOIS or to raise remaining issues regarding privacy. Highlighting that privacy is increasingly recognized as a human right, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) outlined as follows the conundrum created by ICANN policy with national legislations:

 

[T]he automatic and mandatory publication of individual registrant contact information via the online WHOIS database may violate Canadian privacy law. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) -- requires that an individual be supplied with a service even if he or she refuses to consent to the disclosure of personal information, as long as the disclosure is not essential to the transaction. It could be argued that disclosure of registrant contact information is not essential to the registering of a domain name. If a Registrant requests that his or her information not be disclosed through the WHOIS directory, the Registrar thus faces a quandary: it will be violating its agreement with ICANN if it complies with the request, but it may be violating Canadian law if it does not. ICANN should not be forcing Registrars into this difficult position.

 

Furthermore, the Privacy Commissioner of Canada applauded the resolution of the GNSO Council opting for a technical, narrow definition of the WHOIS purpose. As she noted, this is in line with the approach adopted by the Canadian Internet Registration Authority (operator of the .ca top level domain) who, after public consultation on WHOIS, opted for the Canadian privacy law as per the Personal Information Protection and Electronic Documents Act.

 

While recognizing that there are legitimate law enforcement reasons to access personal information in the WHOIS database, appropriate checks and balances are required to prevent fishing expeditions. I am certain that a tiered approach to this access with appropriate controls, authentication, and accountability can be developed which will not paralyze law enforcement but in fact will be consistent with the approach we have taken with respect to access to subscriber information in the telecom realm.

 

In a letter dated June 22, 2006, the Article 29 Working Party pointed out that domain name registration by natural persons raises a different set of legal questions than by organizations and legal entities, and that a principle of proportionality should be observed in order to retain WHOIS services without mandatory publication of the personal data of non-consenting natural individuals. The Privacy Commissioner of Belgium (June 22) supported the position taken by the Article 29 Working Party as well as the position issued much earlier by the International Working Group on Data Protection in Telecommunications. Another mail of March 12, 2007 from the WP commented on the preliminary task force report of November 22, 2006, and the draft ICANN procedure for handling WHOIS conflicts with privacy law (3 December 2006.) They welcomed the OPoC proposal with some reservations:

 

The Article 29 WP welcomes that the so called "OPoC" (Operational point of contact) proposal seems to offer a much more privacy-friendly solution compared to the current situation by reducing the amount of personal data published through the WHOIS services. Taking into account the purpose definition it however still remains unclear why for the stated purpose the domain name holder's name (and nationality) has to be published. The explanations given in the Task Force Report, not being related to the purpose definition, are unsatisfactory and not convincing. The Article 29 WP therefore recommends to modify the proposal in such a way that at least for private domain holders that use domains solely in a non-commercial context the name of the domain holder should only be published in the WHOIS service with the explicit, freely given consent of the data subject.

 

Addressing the draft ICANN procedure for handling WHOIS conflicts with privacy law, the Article 29 WP clarified the role of Internet registries and registrars as “data controllers” in the nomenclature of the EU Data Protection Directive, as well as some ambiguities in the terms of the document. Alluding to language that seemed only to refer to “potential” conflicts and to contemplate the possibility of negotiated accommodations between registration authorities and law enforcement authorities, the WP explained that it is an unquestionable fact that there is a conflict between ICANN WHOIS policies and European legislations, and that “the negotiation procedure between ICANN and a “local/national enforcement authority” as foreseen in 2.1 of the Draft should not obscure the fact that national privacy legislation is not negotiable as such.”[24]

In April 2007, a newly authorized ICANN registry, Telnic, requested changes to its contract with ICANN in order to comply with UK and EU data protection law, in particular the UK's 1998 Data Protection Act and Directive 95/46/EC of the European Parliament. To support its request, Telnic specifically invoked the following provisions of its contract with ICANN: Appendix S, Parts VI and VII.

Telnic requested an alteration to its contract in order to accommodate the legal requirements of the jurisdictions by which it is bound. This implies that provision has to be made for the registrant to give consent to, or to deny, the disclosure of their personal data. Telnic argued that the same mechanism had been granted to Global Name Registry for .name registrations, as per the ICANN Board approval of 2/12/02.

In March 2007, after nearly a year of deliberations sparked by the new WHOIS purpose definition, ICANN’s GAC issued its policy principles regarding gTLD WHOIS services. In these principles it identified a set of “legitimate activities” that WHOIS was currently used for, that included everything from policing trademark and copyright infringement to looking up the expiry date of a domain. Due to pressure from European Union participants, however, the statement said only that the activities were legitimate and did not specifically say that open access to WHOIS data to pursue these activities was legitimate. The GAC statement also recognized “concerns” about the misuse of the public data and that ICANN policies could only be implemented within the confines of national laws.

While privacy became widely recognized as an issue during the concluding part of this phase, the presence of powerful trademark, law enforcement and governmental interests on the opposing side prevented the emergence of a clear consensus within ICANN on systematic reform to shield personal contact data. Other than the national law exceptions, no real changes have been made in WHOIS.

 

 

Conclusion: Identity, Privacy, and Global Internet Governance

 

Tufts political scientist Daniel Drezner has produced an appealingly simple model to explain the typology of global economic governance. His basic thesis is that global governance is still driven by the power of states – actually not states exactly, but "Great Powers." There are at the moment only two Great Powers, the US and the EU. From this, he derives a useful typology. When the US and EU interests are congruent, and the rest of the world isn't adamantly opposed, we will get harmonized and effective global governance. When the EU and US agree, but the rest of the world won't go along, the Great Powers will avoid universal institutions and forum shop, and we will get "club" standards. When the EU and US disagree, and there is wide divergence of interest among the rest of the world, we will get "sham" standards, putative global governance principles that don't mean anything and can't be enforced. And when the EU and US disagree and have clusters of allies around the world we will get rival governance standards, as in the case of genetically modified foods.

It is evident that in this case – privacy/data protection standards in Internet governance – Drezner’s model would predict the emergence of rival standards. There should be a standoff between the US and EU which would result in fragmented and inconsistent global governance principles. The long history of indecisive contention and deadlock around WHOIS within ICANN proves that the prediction of fragmented and inconsistent global governance would certainly have come true, were it not for the prior existence of WHOIS in the early Internet and its retention as the default value as the Internet became public. Because of its adoption by default, and the ability of US-based interests to institutionalize that default in the ICANN contracts, the inability of the great powers to agree simply means that the status quo remains in place. And the status quo is the US standard, a globally accessible, open access directory of domain name registrants, regardless of whether they are natural or legal persons. The fact that the Internet originated in the US and that the US Government was able to unilaterally set the parameters of the regime makes a huge difference in this case. It has privileged the role of US-based interest groups, who can exert direct pressure on Congress and the Commerce Department; it has allowed the Commerce Department to leverage its contractual authority over ICANN to rebuff challenges to the regime’s privacy policy; and of course it allowed the US to establish the substantive policy in the first place.

An even more interesting modification of Drezner’s theory is suggested by the way in which interest groups outside of the US have reacted to the opportunities created by the persistence of a default value. Many European or non-US public law enforcement agencies have given their tacit or active support to open access WHOIS, even while acknowledging that it would be illegal under their own national law. Government officials who claim that the Internet will become a wild and lawless place unless they have immediate and unimpeded access to all WHOIS records are often forced to admit that yes, their own country code TLD (which is not all that lawless) follows a more privacy-friendly policy. This phenomenon was most glaring in the case of Australia, whose governmental representative to ICANN came out publicly and vigorously in favor of the retention of open access WHOIS, even though there have been court decisions in Australia denying law enforcement agencies access to WHOIS records, such a policy contravenes Australian law, and it is a policy not followed by the ccTLD manager for Australia. This suggests, first, that governments are not homogeneous, and second that components of disaggregated states, like private parties, have “special interests” of an economic or political nature that they can and will pursue by taking advantage of the contingencies created by technological defaults or other extra-legal changes in a regime.

Our study shows that the US and EU can be poles apart on a critical policy issue and yet the US position can prevail globally, because in this case the international regime basically constitutes a global extension of the U.S. system. The U.S. achieved this global hegemony not because of its superior state power or even because it intentionally set out to achieve a particular end result. It achieved it because of the world’s unanticipated convergence on the TCP/IP protocols. Complaints about excursions into the “law of the horse” notwithstanding (Easterbrook, 1999; Murray 2007), the process of “applying existing law” to new technological systems is neither simple nor straightforward, and often causes legal rights to veer off in new directions.

 


References

Cameron, Kim. 2005. The Laws of Identity. White Paper. http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdf

 

Clark, D., Wroclawski, J., Sollins, K., Braden, R. 2002. “Tussle in Cyberspace: Defining Tomorrow’s Internet.” SIGCOMM’02, August 19-23, 2002, Pittsburgh, Pennsylvania, USA.

 

Drezner, D. 2007. All Politics Is Global: Explaining International Regulatory Regimes. Princeton: Princeton University Press.

 

Jones, M. B. 2006, http://www.w3.org/2005/Security/usability-ws/papers/28-jones-id-metasystem/

 

K. Cameron and M. B. Jones 2006, http://research.microsoft.com/~mbj/papers/Identity_Metasystem_Design_Rationale.pdf



[1] International Working Group on Data Protection in Telecommunications, Common Position on Privacy and Data Protection aspects of the Registration of Domain Names on the Internet adopted at the 27th meeting of the Working Group on 4/5 May 2000 in Rethymnon, Crete. http://www.datenschutz-berlin.de/doc/int/iwgdpt/dns_en.htm

[2] In 1981 there were only 200 computers connected to the Internet; by 1985 that had grown to about 2,000.

[3] “DCA requests that each individual with a directory on an ARPANET or MILNET host, who is capable of passing traffic across the DoD Internet, be registered in the NIC WHOIS Database.  MILNET TAC users must be registered in the database.” RFC 954, (1985) page 1.

[4] Zook, Edelman

[5] ICANN's Amicus Curiae Memorandum, Register.com, Inc. v. Verio Inc. (22 September 2000), p. 3. As a result of these discussions, public access to the .com, .net, and .org zone files becomes subject to use restrictions set forth in a "Zone File Access Agreement."

[6] Letter from Louis Touton to the Committee Requesting Advice on Implementation (1 December 2000), http://www.icann.org/committees/whois/touton-letter-01dec00.htm

[7] http://www.icann.org/nsi/icann-raa-04nov99.htm

[8] Nov. 1999 RAA, Section F paragraph 5.

[9] Registrar may require from the third party “not to sell or distribute the data except insofar as it has been incorporated by the third party into a value-added product or service” in such a way that it wouldn’t be feasible for other parties to extract a “substantial portion” of the original bulk data. (para. 6e)

[10] E.g., paragraphs 7.b, 7.e, and 7.f, plus the section R

[11] To comply with applicable statutes and regulations and for other reasons, ICANN may from time to time adopt policies establishing limits on the Personal Data concerning SLD registrations that Registrar may make available to the public through a public-access service described in this Section II.F and on the manner in which Registrar may make them available. In the event ICANN adopts any such policy, Registrar shall abide by it.

[12] The basic technology of providing such an interface is not all that different from the WHOIS, although uniformity across ISPs would require some standardization of data formats. But of course, that is no different from the standardization ICANN imposed on domain name registrars.

[13] Note Verizon’s resistance to copyright requests for customer information related to

[14] “failure by a registrar to take steps to verify and reverify contact information as a breach of the accreditation agreement.” The least to expect from ICANN, according to Mr. Trainer, is that it take action so that the stakeholders enjoy the quality of data and “level of usability” that was ensured before competition policy brought in registrars in 1999.

[15] Kassinger cite, 2003 hearings

[17] Typically for ICANN at that time, the Committee included only commercial registration interests and intellectual property interests, and no civil society representatives or privacy advocates.

[18] Antonio Harris of the Internet Service Providers Constituency was nominally co-chair

[19] Letter of Smith and Berman to Commerce Department, September 2003.

[20] Revised VeriSign .net and .org registry agreement: Appendix W posted 16 April 2001 http://www.icann.org/tlds/agreements/verisign/registry-agmt-appw-net-org-16apr01.htm

 

[21] June 2003 opinion cite

[22] The second formulation stated: “The purpose of the WHOIS service is to provide information sufficient to contact a responsible party or parties for a particular gTLD domain name who can resolve, or reliably pass on data to a party who can resolve, technical, legal or other issues related to the registration or use of a domain name.”

[23] Note by Ashley Cross, Australia’s GAC representative, sent to Bruce Tonkin as chair of the GNSO Council following the vote, and forwarded to the Council list on 13 April 2006.

[24] The Article 29 WP sees, in the current situation, actual conflicts between current WHOIS practice and EU data protection and privacy laws, not just potential conflicts as the title of the proposed procedure on ICANN’s website states. As a matter of fact, registrars operating in EU member states under the current ICANN registrar accreditation agreement face a generally present and unresolved conflict between EU data protection legislation and several international rules on the one hand, and current WHOIS practice on the other hand.