2015-06-29

ICANN’s assault on personal and small business privacy

TLDR

This post is extremely long and detailed and is on quite a dense subject. Here is the short version.

Trouble is brewing.

ICANN, the body that has a monopoly on domain registrations, is now planning to attempt to take over domain privacy providers (like RespectMyPrivacy) as well. Driven in no small part by the people who brought you SOPA, they have a three-step plan:

They will introduce a new accreditation program for domain privacy providers, complete with fees and compliance headaches. (Meaning higher costs for you.)

As a condition of accreditation, require domain privacy providers to adopt privacy-eviscerating policies that mandate disclosure and, in some cases, publication of your private information based on very low standards.

They will require ICANN-accredited domain registrars (i.e. all domain registrars) to refuse to accept registrations that use a non-accredited domain privacy provider, thus driving any privacy provider that actually plans to provide privacy right out of business.



Here are some of the great ideas they’re considering:

Barring privacy providers from requiring a court order, warrant, or subpoena before turning over your data.

A policy based on the “don’t ask questions, just do it” model of the DMCA. Except that with the DMCA your site can be put back after an error or bogus request; your privacy cannever be put back.

Requiring privacy providers to honor law enforcement requests to turn information over secretly, even when under no legal obligation to do so.

Outright banning the use of privacy services for any domain for which any site in that domain involves e-commerce.

If this happens, domain privacy will become little more than a fig leaf. Your private information will be available to anyone who can write a convincing-looking letter, and you may or may not be able to find out that it was disclosed.

The whole proposal is a giant pile of BS that does nothing but service ICANN’s friends in governments and intellectual property (think RIAA/MPAA) at the expense of anyone who’s ever set up a web site and thought that maybe it would be good if their detractors didn’t have their home address. But as much as some at ICANN want to, they can’t just scrap privacy services. ICANN’s members are domain registrars and they make a lot of money from it. So this is the compromise: providers can still sell privacy, it just won’t actually do any good, and when they hand over your info, if they tell you about it at all, they’ll blame ICANN and say their hands are tied by the policies they have to follow.

If you think maybe paying a lot more for a lot less privacy isn’t such a great idea, ICANN is accepting public comment on this subject until July 7th, 2015. You can email them atcomments-ppsai-initial-05may15@icann.org or fill out their online template if you prefer.

If you do feel like submitting a comment on this, I encourage you to read this whole post (and, if you have time, the working group report). The more informed you are, the more effective your comments will be.

The full story

If you’ve never heard of ICANN, you could perhaps be forgiven for that. The Internet Corporation for Assigned Names and Numbers (ICANN) is the behind-the-scenes non-governmental organization that runs Internet domain registration.

If you are familiar with them, it may be thanks to some of their greatest hits:

ICANN is the organization that granted Verisign a(n effectively) perpetual monopoly over .com and .net, complete with provisions for automatic regular price increases without any sort of oversight or justification.

ICANN is the reason why we have to hassle you repeatedly when your domain expires, even if you tell us in no uncertain terms that you want it to expire.

ICANN is behind the policy that requires your domains to be suspended if you don’t respond to email verifications that have ICANN-mandated text that frequently trips spam filters.

ICANN is a “non-profit” that is massively profitable. The fees they charge (which are ultimately borne by you the domain registrant) are so far in excess of what they need to operate that as of the end of 2013, they had $168M in cash on hand.

It’s ICANN that requires that when you register a domain, you make your full name, address, telephone number, and email address available in the public whois database, helping to make sure that anyone who might object, stalkers, creepers, criminals, mentally unbalanced people, big corporations or anyone else to find, harass, and possibly murder you.

ICANN is sad

For several years, something has been bothering ICANN. They’re worried that their treasured public whois database isn’t “effective” enough. (Some of us strongly feel that the public whois database is a menace and should not exist at all, but ICANN is not at home to that point of view.) Part of the effectiveness problem, they posit, stems from inaccurate information. And they’ve tried to address that with programs like WAPS (the “whois accuracy program specification” that leads to your domain being suspended for not clicking a link in a spammy-looking email).

But the real “problem” with the “effectiveness” of the public whois database is the proliferation of privacy and proxy contact services (like RespectMyPrivacy). These services allow you to outsource the service of making it possible to contact you by receiving mail, telephone calls, email, and faxes on your behalf and forwarding them to you. This is an invaluable service for anyone who may want to register a domain name but doesn’t have a (required) phone number. Or anyone who doesn’t want to put their home address on their blog about abuses by their local police department. Or anyone who doesn’t have a corporate legal department to hide behind, in an era when death threats, rape threats, and tricking SWAT into raiding people’s houses, all as retaliation for what people say online, are everyday occurrences.

So ICANN is looking to put a stop to that.

Their planned method of doing so is to introduce a new accreditation program for privacy and proxy providers, complete with fees, compliance requirements, and strict guidelines on how they can operate, and then to require accredited domain registrars to refuse any registration that uses a non-accredited privacy or proxy service.

That is, itself, a disturbing abuse of their monopoly position in the domain registration market to gain control of a related industry. Where does that end? How long before your ICANN-accredited domain registrar must refuse any registration that uses a non-accredited web host? How long before your ICANN-accredited web host requires you to use an ICANN-accredited payment processor? Or an ICANN-accredited blog software vendor? (Some large hosting/domain companies would just love the ability to dictate what providers you use for every aspect of your online presence.) If you’re a tech-head, and this sounds familiar, it may be because Microsoft was sued by the DoJ for using their Windows monopoly to force Internet Explorer on the world. However, the DoJ will not be our friend here as there are few things they despise more than online privacy.

They claim this is to protect registrants, but their actions do not bear this out. This is the initial report of their working group, and here are some of the ways they want to “protect” registrants:

“Domains used for online financial transactions for commercial purpose should be ineligible for privacy and proxy registrations.” (Yeah, your home-based business? Sorry about that.)

The working group is still debating whether accredited proxy providers would be required to comply with law enforcement requests not to tell a registrant about an inquiry,even and expressly in the absence of any legal requirement to do so. (Thankfully we live in a world where abuse of investigative powers by government agencies never happens. Oh, hang on a second…)

Requiring a court order to release information to someone who asks for it is specifically called out as prohibited. I.e. an accredited privacy or proxy provider would be required to have a policy allowing disclosure of your private information based solely on “well it sounds like they have a good reason.” (Copyright and trademark issues have been specifically called out as nigh-unchallengeable examples of “a good reason.” Criticize a big company by name? “Trademark!” They get your info.)

Having read the entire 98 page working group report, it sounds like their goal is to adopt “don’t ask, don’t tell” as a policy; you can keep your information private as long as no one asks for it.

Much of the proposed policy is misguided on a technical level as well. There are many areas where the privacy and proxy provider would be required to take actions that such a provider can typically only do if they are also your domain registrar. Actions like publishing something in the whois database entry for your domain — like your contact information, often without your consent and possibly without telling you first. Only your registrar can do that. It could well be that independent companies (like RespectMyPrivacy) that exist only to protect your privacy will no longer be allowed to exist. Only “captive” services — those run by the registrars themselves — will be able to meet the proposed requirements. And I’m sure no one reading this has ever had a problem with one of those.

There are also huge issues the working group hasn’t considered at all, like correlation. What if Jane Smith has an online business and a blog? Even if her blog is “allowed” to have a private registration, her business may not be. (I say “allowed” because the nerve of a group of self-appointed people deciding who deserves privacy and who doesn’t galls me. Like speech, privacy is an inalienable right.) If someone doesn’t like the content of her blog, do we think they won’t look at her business domain to get her home address just because it’s unrelated? That’s pretty farfetched. Correlating details from multiple unrelated sources, and lying to get them are standard practice for Internet harassers and “doxxers.”

But, really, ICANN as an international organization tasked with managing domain names, should not be sticking its nose into issues related to the content. Which is ultimately what this is about. What determines if your domain will be eligible for privacy services? It’s content. What determines if your info will be revealed to anyone who asks? Your content. This is a massive effort by the “if you have nothing to hide, you have nothing to fear” crowd to undermine anonymous online speech.

Why are we telling you about this? Because right now the working group is soliciting public comment. You have the opportunity to make your voice heard. (Although given ICANN’s past disregard for the registrant constituency it supposedly serves, I won’t pretend that I’m expecting miracles. That doesn’t mean you shouldn’t do it. This isn’t a situation where we expect to tell them and for them to listen, this is a situation where we feel it will be important later to be able to say “we told you and you didn’t listen.”

What do we think about this?

There are real issues with privacy and proxy services. There’s a lot of trust there, as it is almost always possible for such a provider to hijack your domain if they decide they want it. So there is real potential for abuse, and some oversight really could help keep the industry clear of unethical providers. There are also some services that are really inadequate, like the registrar-affiliated ones that (in violation of already-existing registrar rules) plaster “POSTAL MAIL DISCARDED” in the address field.

Along that line, the working does have some good ideas for policies that privacy and proxy services not interested in screwing their customers would have. And anytime a good idea comes up, it doesn’t matter the source, so it’s certainly given some food for thought for how to improve things. But RespectMyPrivacy doesn’t need to be forced to improve things for its customers; that’s its job. So whatever good ideas do come out of this process, we’ll take ’em.

However, ICANN has demonstrated again and again that they prioritize the concerns of their executives, law enforcement agencies, intellectual property holders, registries and registrars; registrants are dead last by a wide margin. They are not an organization that most people would trust to look out for the best interests of registrants. We certainly wouldn’t.

If ICANN wants to develop an accreditation program for privacy and proxy providers, even if that’s nowhere in their official mission, they should feel free to do so. If they developed a good one, RespectMyPrivacy would do it. This isn’t a good one.

But even if they do develop an accreditation program for privacy and proxy providers, ICANN absolutely must not require accredited domain registrars to refuse to accept registrations that use privacy and proxy services not accredited by ICANN. That its morally bankrupt to do so really ought to be enough, but it’s also illegal. Their accredited privacy and proxy providers must succeed or fail on their own, not be handed success by banning everything else.

What to do?

The working group is soliciting feedback from the public on these issues, among others:

Should registrants of domain names associated with commercial activities and which are used for online financial transactions be prohibited from using, or continuing to use, privacy and proxy services?

If they do prohibit privacy and proxy services for domains that perform either “commercial” or “transactional” activities, should they define “commercial” or “transactional?” (No, I am not making this up.)

Should it be mandatory for accredited P/P providers to comply with express LEA requests not to notify a customer?

Should there be mandatory Publication for certain types of activity e.g. malware/viruses or violation of terms of service relating to illegal activity? (In this context, “Publication” means canceling the privacy service and posting all details in the public whois database.)

Should a similar framework and/or considerations apply to requests made by third parties other than LEA and intellectual property rights-holders?

You can send your thoughts on these matters or on other aspects of the proposal tocomments-ppsai-initial-05may15@icann.org by July 7, 2015. You may also fill out theironline template if you prefer.

Please take a few minutes to tell the working group that you value your online privacy and that you oppose any proposal that will make it easier for large, powerful organizations and dangerous individuals to get at their critics. Tell them that policies that require providers to have low standards for disclosure of personal information harm that privacy. And please remind them that imposing requirements on privacy and proxy providers that are really the province of domain registrars will only create a broken, unworkable system that creates more problems than it purports to solve.

Show more