As someone who works on a daily basis (www.secfirst.org) with human rights defenders, this policy is ridiculous and potentially life threatening to many people. Privacy around Whois etc should not be compromised for courageous people who are running things like democracy activist websites in China etc.
I agree, but the flipside for me is the various shitheels who use domain privacy to avoid accountability for bad behavior. Spammers, squatters, criminals, network abusers.
Is there some sort of middle ground where somebody like Amnesty International is one of the domain privacy providers? And another is, say, the Society of Professional Journalists? I would totally trust well-established organizations like that to make reasonable decisions about when to keep information private.
You're going to have to get used to equality between people you do like and people you don't like, if you want people you do like to have rights and privacy.
That's a bold claim. But a) criminality and abuse go beyond "things wpietri does't like". And b), you haven't supported the claim, so I suspect it's bold and wrong.
Not only that, by the time the authorities catch up to the lawbreakers they'll have seized the domain regardless of whether it has accurate whois data. You can't threaten wrongdoers with something they're already subject to. The penalty is only a penalty to innocent people.
Depends on the spammers and the scammers, and the strictness of the verification policy. It's relatively easy to verify physical addresses and phone numbers, and quite a number of criminals are not particularly sharp.
No measure eliminates crime, but some do reduce it.
I just wrote to ICANN with their basically arguing that, although I used minorities in the US as an example.
There has got to be a few radfems who have top level domains too. Say what you want about their politics but they are excellent at wiping up a shit storm.
You obviously can't count on people to 'do the right thing', ICANN in this case, so what basis for litigation is there here? I would think some case could be brought, espcially in demanding providers to turn over domain owner information without a court order (if that's what they are asking), they seem to certainly be overreaching.
Its mostly a problem if someone decides to target you for harassment (i.e. SWAT-ing). It is ridiculous to expect personal websites to reveal home addresses to the world. WHOIS is definitely another one of those technologies leftover from a more naive time in the internet's history.
That's just one example - your use of 'mostly' implies you don't actually know any other examples. I've got another case; I know someone who has a stalker that threatened to abduct her (and his biological) son. She's very cautious about her privacy online, and things like Facebook's mandatory real-name usage policy and now this are actively threatening her and her son's personal security. She can't properly run her business because she can't use her real name or address and has to go through a business address and - in this case - a registrar hiding her personal details to stay reasonably safe.
Isn't that why government grants hidden identity or new identities? In Sweden, the .SE rules regarding WHOIS explicitly provides an exception for people with hidden identities. Everything regarding open government has to follow those same rules, incuding also car registration, phone registrations and home owner registration.
The UK company registration system has an address exception for directors that was put in place for and used by one very specific company: Huntingdon Life Sciences. They are a medical research company that were targeted by activists with death threats, arson, and other acts of minor terrorism over a 15-year period.
This is only effecting individuals. Massive companies are going to use the front office mail address.
SWAT-ing is really one of the less serious things that could happen. Crazy nutjobs are born every day. Someone didn't like a banner on my website, now they know where to find me, and they brought tanks. Meaning that it could be the government you are peaceably criticizing.
My first thought after reading the tl;dr was, "what do I do about it"? The answer is at the end of the article: the working group is accepting comments on the matter at a certain email address.
Our privacy online and off is already being deeply threatened on many other fronts. If you think this proposal is bad for our privacy and bad for our internet, please take a moment and email your thoughts to the working group.
I wonder if a decentralized type of DNS, like blockchain-based DNS, will ever take off. If we even have an acceptable alternative right now, I suppose the first meaningful step towards adoption would be baking support in to a major browser.
1) Make sure to click on a link in the follow-up email they send you in order for your comment to go through.
2) The contents of your email (though it seems not the email address itself) will be made public, so if you don't want your real name in the open, don't sign with it.
Disclosure cannot be refused solely for lack of any of the following: (i) a court order; (ii) a
subpoena; (iii) a pending civil action; or (iv) a UDRP or URS proceeding; nor can refusal to
disclose be solely based on the fact that the request is founded on alleged intellectual property
infringement in content on a website associated with the domain name.
As much as I hate broaching the topic on HN, I'm really excited about the potential for blockchain or other distributed consensus-based technologies to disrupt the many centralized authorities that are currently so critical to operation of the internet. Namecoin, for example, is really interesting for this reason.
Amusingly, NearlyFreeSpeech.net, which is a hosting provider run by libertarians, does not allow their customers to be anonymous to them. (Except by very special arrangement for people facing serious threats in non-US countries.) [1] They accept payment in Bitcoin, so, technically, they could offer a fully anonymous service.
So they want to prohibit anonymity when it might hurt them, but allow it when it might hurt the customers of their hosting clients.
Why do you say they are libertarian? Or do you mean libertarian in the strict sense of supporting free speech?
I think requiring real names from their clients but opposing it for publicly accessible WHOIS records is perfectly consistent with their views:
Since we started back in 2002, one of the things that's repeatedly been made clear to us is that governments aren't the biggest threat to free speech. They certainly bear watching and perpetual wariness, but they're just not the source of the everyday threats to our members' ability to express themselves.
The most common threats come from corporations and the pressure they can bring. Not a week goes by that we don't hear from some cheap lawyer about how mad some company is that some website said something that they don't like and what horrible things they're going to do to us if we don't hop to and do their bidding.
If the WHOIS records were only viewable by the courts, or at least ICANN, your implication of hypocrisy would carry some weight, but they're viewable by everyone, and that makes it a much larger threat.
It's not necessarily a contradiction to want anonymity to be piercable by a court's subpoena (which would force NFS to divulge their records), but not by anyone who can send a convincing looking letter. A hosting service which makes a point of protecting its members in the event of complaints, even if this is intended for the type of stuff you'd classify as "free speech" (which is mostly, though not entirely, legally protected in the U.S.), is likely to attract a lot of users with various less sympathetic purposes; whether or not you think any particular such purpose should be allowed on the Internet, they have the right to think it shouldn't.
NameCheap sent out an email about the same ICANN proposal a few days ago. Unfortunately, the NameCheap email focused almost exclusively on the lack of privacy for businesses. It merely glossed over the more important issues, such as ambiguity about what counts as a a business, as well as the requirement that privacy services disclose their customer's identities to anyone who asks.
This is bad. Very bad. The NameCheap email probably gave a lot of people the wrong first impression about what ICANN's proposal really means. Seriously, it sounded like they were just complaining about their bottom line. And since a lot more people use NameCheap than NearlyFreeSpeech, not many people are going to read the more thorough analysis and urgent call to action that the NearlyFreeSpeech article contains.
If anyone around you has read the NameCheap email, please tell them to forget about it. Tell them to read this article instead.
>"Commercial activity" casts a wide net, which means a vast number of domain holders will be affected. Your privacy provider could be forced to publish your contact data in WHOIS or give it out to anyone who complains about your website, without due process. Why should a small business owner have to publicize her home address just to have a website?
>We think your privacy should be protected, regardless of whether your website is personal or commercial, and your confidential info should not be revealed without due process.
I can't say that it "glosses over what counts as a business" or the requirement to disclose customer identities.
Sure, their bottom line is at stake, but it didn't feel to me that that's all this is about.
> Under new guidelines proposed by MarkMonitor and other organizations who represent the same industries that backed SOPA, domain holders with sites associated to "commercial activity" will no longer be able to protect their private information with WHOIS protection services.
Maybe it's just me, but this gives the impression that the remainder of the paragraph only applies to sites associated with commercial activity. This impression is reinforced by the last sentence, which again focuses only on commercial activity.
The email does mention "without due process", but that's pretty vague. The landing page of their petition site is slightly more informative, as it says:
> Let ICANN know that you object to any release of personal information without a court order.
But even this is misleading. The issue is NOT that ICANN will release your information without a court order. The issue is that ICANN wants to force third parties to have weak privacy policies. Now that sounds ridiculous, which it should, because it is indeed a ridiculous demand.
I haven't seen the NameCheap email, but I noticed that the savedomainprivacy.org petition contains:
That privacy providers should not be forced to reveal my private information without verifiable evidence of wrongdoing
Which sounds goods when you first read it. However, I think that wording might be interpreted by ICANN as an endorsement of privacy providers being the ones to decide what is "wrongdoing" and when registrant details get published or disclosed to requesters. Many people don't want information being published or disclosed unless there is a court order, subpoena, etc.
Perhaps the common point would be: pay close attention to what the different parties are proposing and make sure it is exactly what you want before you follow their lead.
Could this be worked around by using a pseudonym, registering a PO Box address, and using the number from a pay-as-you-go SIM card? Not false information as such, but not particularly revealing either.
Alternatively, one could enter information that looks plausibly valid but is in fact completely invented. How often does one receive articles in the mail or phone calls to the whois contact points anyway? As far as I've experienced, any communication is to the email address. I suppose it depends what the penalties are if you're somehow found out.
Doesn't work in the UK. We have to provide Nominet with documents for some domains. We can opt out of publishing them on the whois but the killer is that someone can contact Nominet and just pretty much ask for the data instead.
Legalities aside - that'd work fine, until you needed some assurance of long term ownership of a domain.
It wouldn't be prudent to build a business/brand/reputation on a domain name where you've intentionally registered it to a false identity.
To me, the penalties are only one of the concerns - how you'd deal with someone attempting to hijack your domain when you've faked the ownership records is a problem too.
Last time I checked, which was probably a couple years ago, you couldn't use a PO Box address.
In the U.S., some/all post offices have added the option of real "street addressing." Before, you'd have to use PO Box 123, City, State. But with street addressing, now you can use - say - 45 Main St #123, City, State.
Non-USPS places have had this sort of thing for a while. Some will even "let" you call it "Suite 123" - despite it being a small metal box with not much room for furniture. (I think the "letting" part is more them just not caring, and only looking at the numbers. It's not impossible but I'd be surprised if there were actual laws covering that. Though it could be a factor if something like fraud were being committed. IANAL.)
Googling, it seems like there has been some confusion in the past about what constitutes a "physical address" for the purposes of domain registration, but I don't see anything that suggests that PO boxes aren't allowed.
All of my domains (that don't use WhoisGuard or similar) have my PO Box as the address. My PO Box is under my business' name but I had to provide identification and my personal information when I first got it.
> Could this be worked around by using a pseudonym, registering a PO Box address, and using the number from a pay-as-you-go SIM card? Not false information as such, but not particularly revealing either.
No. They will require PO box providers to be accredited with ICANN and subject to all these crazy rules, giving you no privacy.
> Alternatively, one could enter information that looks plausibly valid but is in fact completely invented.
This is exactly what all the real crooks will do, but you and me will not be able to, because we don't want to lose our domains.
> No. They will require PO box providers to be accredited with ICANN and subject to all these crazy rules, giving you no privacy.
Well, I'd be very interested to see how ICANN could get post offices, like the United States Postal Service or Royal Mail, to go along with submitting to ICANN accreditation. That aside, data on people who own USPS-provided post office boxes and boxes held at commercial mail receiving agencies (CMRAs, like the UPS Store, and so on) can be obtained from the USPS, per 39 CFR 265.6(d)(5)(i) through (iii):
(i) To a federal, state or local government agency upon prior written certification that the information is required for the performance of its duties.
(ii) To a person empowered by law to serve legal process, or the attorney for a party in whose behalf service will be made, or a party who is acting pro se, upon receipt of written information that specifically includes all of the following: (a bunch of things)
(iii) In compliance with a subpoena or court order, except that change of address or boxholder information which is not otherwise subject to disclosure under these regulations may be disclosed only pursuant to a court order.
I dont like to be taken as threatening, but it feels like the rulers up in ICANN who are making these decisions need to understand the impact of said decisions and as they are not avoiding dangerous people or situations, they simply dont care.
Are all of their domain names registered properly? Shall we start sending them A LOT of mail explaining these consequences?
I agree with you. Because using completely invented information makes me a liar. And why do they need it? Its not like they are sending packets to that address. We should stop every invasion of freedom no matter how well it is sold.
ICANN is only the authority because we all said they are the authority. Do you know the fight that would break out if we lost faith in ICANN and multiple firms in the right economic place who know the right people at the right time provided an alternative authority? The switch to ipv6 is already weakening ICANN authority. The value of an ip address is decreasing.
We have to trust someone. End users are not gonna type in ip addresses human brains just aren't wired like that. But talking with any government is not cool. ICANN is a trust all citizens of earth currently agree on. ICANN is the global diplomat they need diplomatic immunity - and need not abuse it.
There seems to be yet another threat to our collective privacy every month or so. Normally, I sit firmly on the side of an individual's right to privacy, but in this case, I think ICANN have a legitimate point even if they're being quite heavy handed about it.
WHOIS is an extraordinarily valuable protocol with a heritage dating back to the ARPANET days. As an example, for quite a while we've had this ideal of the semantic web we're trying to move towards, but in practice each website is its own special snowflake with more concern given to legacy rendering in Internet Explorer than making sure that contact information is easily findable and semantic. But it's mostly okay, because if I really need to contact someone there's this almost 40-year-old protocol which gives me unfettered access to information such as a technical contact email and an address.
Many registrars don't seem to pay much attention to the quality of their WHOIS records and most people or businesses probably don't give it a second thought or check the records after registering a new domain. But they should; and I applaud ICANN for their efforts to uphold the quality and integrity of WHOIS.
That said, the right to freedom of speech implies that one should have the ability to disseminate ideas with complete anonymity. ICANN's proposal would completely undermine this, which is unacceptable.
I think there is space for a middle ground, where ICANN can ensure that the WHOIS records aren't what amounts to a blantant lie in the case of anonymous registrations (i.e the registrar providing their own details as the contact information). The current situation is pretty bad: if I want to contact the owner of such a domain, all I can reasonably expect is for any email sent to be blackholed by the registrar. I'm not talking about attempting to deanonymise the owner of such a domain, merely the idea that a domain is a named endpoint with an owner who is contactable through freely available means.
Imagine if ICANN created a new class of domains where it was made explicit in the WHOIS that the owner wished to remain anonymous, but nonetheless provided accurate information such as a pseudonym and a means of contact without violating their privacy. This means of communication could be some form of email hosted by a trusted third party, or potentially something more esoteric such as a GPG-encrypted message embedded in the bitcoin blockchain.
This would preserve the correctness and utility of the WHOIS database while respecting the rights I believe ICANN have a responsibility to uphold.
There won't be much semantic web left in anybody who is posting interesting things are too afraid to talk about them.
Also under your system I could still blackhole the email or just let it go straight to gmails archive.
You may need to contact me, but that doesn't mean I give a rats ass about what you have to say - frequently not being able to be contacted is more valuable than being able to be contacted (for one thing if you can't contact me you can't threaten me with a lawsuit if I don't remove some content that you object to) and anyway my blog accepts comments.
I'm curious how this policy will affect ccTLDs where the registry already has a policy of not publishing whois information.
For example, individual owners of Canadian .ca domains can have their contact info hidden, whereas corporations can't. Similar policies are in effect in a number of other countries, as well as .eu.
Will these countries need to change their policies so that individuals who have ads on their blogs will have their contact info exposed? Will they have to change the way they respond to requests for disclosure?
I don't know the specific of this proposal, but generally ICANN policies only apply in very limited ways to ccTLDs. That makes them an incredible headache for registrars as they all of their own special rules and regulations and many don't even use EPP.
Even gTLD operators are special little snowflakes in their own way: if the EPP RFCs and ICANN regs give them any leeway to do something silly, they'll do it. Some of them, such as Neustar, don't even bother responding with correct greeting documents.
Dealing with registries, be they ccTLD or gTLD registries, is just a massive pain in the ass.
[Disclosure: I work for a domain registrar based in the EU, and I implemented pretty much 95% of the company's infrastructure as far as us acting as a registrar goes.]
I think there are some major misunderstandings around what ICANN are doing with WHOIS privacy.
ICANN have pretty much always required that registrants provide registrars with accurate contact information. ICANN required that registrars periodically escrow this data with an escrow provider (Iron Mountain, usually, though there are now more).
When you use registrar-provided WHOIS privacy, the registrar is still able to escrow the correct contact information. This is not the case with third-party WHOIS privacy providers. The difference now is that, due to the demands of law enforcement agencies, they're now requiring that information be validated and verified.
Third-party WHOIS privacy services always existed in a legal grey area, whereas registrar-provided WHOIS privacy did not. Even before the 2013 RAA came in, you were risking having your domain being taken from you by using a third-party provider and providing their contact information to your registrar as it meant that the registrar had inaccurate contact information and thus could not provide accurate information to the escrow provider.
Before the LEAs got all antsy about this, the WDRP emails you get from your registrar, giving you a list of domains and their WHOIS data and a warning of the consequences of providing inaccurate data, were the most ICANN required in practice. It was an honour system, and the requirement to provide accurate data - which has always been a requirement - wasn't actively enforced. All that's changing now is that ICANN are actively enforcing a part of the registrant contact they previously had been laissez-faire regarding.
The requirement on third-party WHOIS privacy providers is to normalise their situation so that they have the same requirements to record information correctly and escrow it that domain registrars already have had to do for ages. And it's not that onerous a requirement: actually implementing an EPP client is orders of magnitude more difficult that writing the code needed to do data escrow: https://www.icann.org/en/system/files/files/rde-specs-09nov0... - you can implement that in an afternoon. The accreditation process for a WHOIS privacy provider is nowhere near as horrible as it's being made out to be. All you need to do is show that you can accurately escrow data.
Everybody's so late to the party on this one. The registrar constituency in ICANN fought pretty hard against this. If you think what ICANN are requiring now is bad, the LEAs were demanding much crazier stuff during the negotiations. If you're an EU citizen or using an EU registrar, you're even better off, as EU data protection law meant that some of the requirements of the RAA were illegal in the EU, so EU-based registrars are able to get an opt-out of certain requirements of the RAA. We still do have to validate, verify, and escrow contact details associated with domains we manage, however.
> All that's changing now is that ICANN are actively enforcing a part of the registrant contact they previously had been laissez-faire regarding.
You say that like it's a small thing.
If the government suddenly started throwing all the operators of marijuana dispensaries in federal prison, you could say that all they're doing is enforcing the law, but it still represents a fundamental shift in policy.
Rules that aren't enforced don't get repealed because people care more about what happens in actual fact than what would happen on paper. Threaten to start enforcing them and you can't be surprised when the thing people want to know is not why it wasn't previously enforced but rather why such a stupid rule is still on the books.
I wrote that ICANN were laissez-fair about enforcement, not that they didn't enforce these rules. The difference is when they enforce them.
In the past, they encouraged an honour system through the use of WDRP emails. In addition, they only acted or required registrars to act when an issue was reported or noticed. I guess you could call this passive enforcement.
Now, what they're requiring is that contact details are validated and verified upon first use and subsequent changes. This would be active enforcement, and was requested by the LEAs.
The practical difference that when you register a domain name, the registrar will attempt to make sure that your address is valid, that the email address you provide actually accepts email and you answer it, and check that the phone number you provide is valid.
I'm fully aware of the impact of all this. Even if wasn't personally affected by it, given I own domain names, I had to implement this stuff on the technical end, and make sure that in enabling it, we wouldn't end up scheduling thousands of our customers' domains for deletion. From a purely selfish point of view, I'm all too familiar of what the impact of the change from passive to active enforcement means.
> In the past, they encouraged an honour system through the use of WDRP emails. In addition, they only acted or required registrars to act when an issue was reported or noticed. I guess you could call this passive enforcement.
In practice for anyone who isn't a wrongdoer this is also known as non-enforcement. Nobody would normally notice or care when a website operated by an innocent person has inaccurate whois data or uses a whois privacy service that will actually keep the registrant's personal information private.
You're wrong there. I know that, because unlike you, I work for a domain registrar. And let me tell you something. There are actually people there who purposely trawl WHOIS looking for invalid data, just so that they can submit WHOIS inaccuracy reports to ICANN. The ICANN compliance department is far from underworked. You should talk to some of their staff some time.
Who are they and why would they do that to innocent people?
Perhaps more importantly, how can they even tell when the data is inaccurate? I have a hard time believing that domain contacts are inclined to respond to unsolicited unprovoked third party "offers" to verify their address. Hi, can you let me know that someone is reading this so I can start sending you an unending stream of spam? Meanwhile just because you have a third party whois privacy service doesn't mean they don't faithfully forward your mail.
All that's changing now is that ICANN are actively enforcing a part of the registrant contact they previously had been laissez-faire regarding.
All that will be changing on the data collection, verification, and escrow front, you mean? That isn't an aspect that people seem focused on at the moment. Almost everyone is focused on REVEALS and what processes will become mandatory.
We already had a requirement to reveal contact information to LEAs with just cause. At least here in the EU, we can't go revealing data to just about anybody who asks for it due to data privacy law.
'Relays' isn't a big deal. In fact, it was already a requirement for registrars to deal with registrants in the first place. After all, registrars were required to send out WDRP notices and potentially schedule a domain for deletion if those emails bounced. Moreover, registrars required valid email addresses so that domain transfers could take place and, also, so that people could be billed.
'Relays' requires that email forwarding works on the provider's side when WHOIS privacy is in place. There are other complicating factors that can cause issues here, such as SPF records for the domain that don't mention the forwarding mailserver, but that's really it.
'Reveal' is a consequence of the situation with third-party WHOIS privacy services being normalised. Up until now, you were effectively in breach of your contract with ICANN as a registrant if you used a third-party WHOIS privacy/proxy service because the registrar had invalid contact details for the registrant.
'Reveal' does not mean that just anybody will be able to ask or demand that the provider disclose the contact details behind a private registration. Most registrars have LEA liaisons who they use to validate that a request from a law-enforcement agency is genuine. If we get a legal demand disclose to disclose details, that goes straight to our solicitors, and we would only reveal them if there's a genuine legal reason for doing so. Any other requests are invalid and, at least here in the EU, giving out the contact details of a proxy registration would be against data protection law. So no, the argument that this would be a conduit for doxxing isn't a valid one. The exact baseline requirements for the reveal process haven't been locked down yet, but they will likely be similar to what I've outlined.
You see, both of these processes are already mandatory based on other parts of the registrar-registrant relationship and existing legal requirements. The difference is that it wasn't explicitly formalised and non-registrar WHOIS privacy was a massive grey area.
I'm generally supportive of privacy providers being required to forward important communication to the registrant. I hope the finalized requirements will be sensible, and I hope there will be no attempts to equate contacting the privacy provider with having given registrants sufficient legal notice.
I, like most of people, live outside the EU and lack experience with EU privacy protection laws. So it is difficult to evaluate your optimism.
Here in the USA, for example, we'd be concerned about not only LEA requests but also requests by individuals and corporations. We just don't have privacy laws that are sufficient to protect against inappropriate disclosures to such parties.
Here, and in many other places I suspect, the best case would be privacy providers voluntarily adhering to a standard where they refuse to disclose registrant information to any party unless compelled to do so by law. If language like "Disclosure cannot be refused solely for lack of any of the following: (i) a court order; (ii) a subpoena;" remains in the final cut, privacy providers won't be able to do this and remain accredited.
Just register the domain with a bogus name that sounds real. I don't think the domain provider will care as long as the bill gets paid.
I do not however like that companies can be totally anonymous on the Internet. It's not like the average person checks out the people behind a company before they buy some commodity from them. I do however whois a domain if I'm suspicious and a common thing is that most use anonymous registrars. Even serious companies use anonymous registrars now a days, witch is weird, or maybe I'm the only one who thinks it's important to know who the people behind a company are before you do business with them.
Well, where I live, if the domain ever runs out, or you want to transfer it, they’ll send a letter to the name and address you gave with a code. This is to prevent shady registrars from taking your domain away from you, but it also means the registry knows your address.
Luckily, the organization that administrates .de domains has 4 types of contact data: zone-C, the person managing the whole DNS zone, Tech-C, the person managing the servers of the specific domain, Admin-C, the person practically owning the domain, and OWNER, the person who gets the letters. Only Tech-C and Zone-C are available through WHOIS.
In the US it is already relatively easy to compel disclosure of an anonymous registrant. It is also easy to use false ID on registration, and I'm sure will remain so even if higher verification standards are implemented. Ultimately if you want to find someone who is careful, you have to get to their ISP or correlate their activity with other accounts.
I honestly don't understand why people don't just use a fake address then. I've never gotten anything other than spam mail when using a real address on a domain registration. It's not like ICANN can in any way verify addresses.
In my country, every business is required by law to provide detailed contact information and registration numbers on their website. It baffles me whenever I see one of those US startup websites with no contact info, not even an address or a PO box, and still they expect their customers to provide detailed billing info and share private data.
How can I trust a business when it hides behind an anonymous registrar? If something goes wrong with my order, I'd have no way to even determine who is behind the company.
Of course, the free speach argument is mostly irelevant. There are plenty of ways to share anonymously either on other people's domains, on TOR, or using just IP addresses. If my privacy was important, I wouldn't rely on Godaddy to protect it.
I'm honestly so tired of crap like this. My hopes of living in a reasonable society are being crushed every single day. Things should be improving as time goes on, not going downhill. Ugh.
"The more laws, the less justice" Marcus Tullius Cicero
"The more laws that governments pass, the less individual freedom there is. Any student of history will tell you that. Totalitarian countries ban pretty much everything.
Bill O'Reilly (He couldn't be the first one to coin this?)
I think this is a naive view of the situation. The authority still belongs to the US Department of Commerce -ICANN just has a contract, which incidentally expires this year- and multiple governmental organizations have publicly argued that fake WHOIS records impede their regular activities.
The apparent externalization is great for shifting blame, though.
I'm in favor of "outright banning the use of (WHOIS) privacy services for any domain for which any site in that domain involves e-commerce." In California and in the European Union, attempting to conceal the identity of the business behind an e-commerce site is a criminal offense.
Individuals have privacy rights. Businesses do not. The EU is very clear on this. The European Privacy Directive covers individual privacy. The European Directive on Electronic Commerce covers business privacy online. They're very different.
That depends on the definition of "e-commerce", you know. LLCs required to identify themselves – fine.
But an author selling an e-book or a lone developer earning a side income from ads should not be required to publish their home address and cell phone numbers. This is ridiculous.
Somehow I doubt that the definition will be a reasonable one, given everything else in the article.
They are not being required to publish their home address or phone number. Businesses are being required to publish their business address. If you're engaged in trade as a business, this is a reasonable requirement. (Otherwise, how do your trading partners reach you if they need to for legal reasons or any other legitimate reason?)
At the same time, it should be perfectly reasonable for a business to hire a registered agent and supply their contact information. The point is that the business be reachable.
You seem to be talking about registered businesses, while ICANN is targeting all commercial activity, which is much wider.
Why should I be required to publish my home address just because I run ads on my website? If I sell ebooks and someone wants to dispute their purchase they're free to do a chargeback on their card if I run off with their money.
Whatever stupid requirements ICANN introduces, the real scammers will easily bypass them while legitimate sellers will be robbed of their privacy.
There are business that are almost like self-employments, dressed up as LLC or similar, registered to the home address of the owners. It is very reasonable for them to hide their address and reveal it only to the clients that do buy their services (e.g. on invoice).
I would rather have a restricted whois database, where the authorities can look at the street address, but Average Joe can not.
> Individuals have privacy rights. Businesses do not.
That's silly. I, as an individual, am a business: I perform work in return for pay, just as a business provides goods and services in return for payment. If the work I do is writing a blog, and the payment comes from ads or subscriptions, I should be permitted not to have my home address broadcast to all and sundry.
(on a related note, I should also be able to deduct expenses like a business does for tax purposes, but that's a different topic)
And how do you contact a NOC without whois database to:
- contact a sysadmin who is creating BGP instabilities?
- contact a domain with an openrelay?
- contact the webadmin that is hacked?
- contact technician when programs are creating infinite loops by ping ponging bogus messages?
...
(see this link as a "story from the trenches: why whois contacts are important": https://archive.icann.org/en/comments-mail/01apr99-30apr99/m...)
How do you check an operator has really the use of the IPv4/v6/AS BGP... resources if you cannot find the contact and correlate with the RIR who allocated?
How do you check a set of IP address given to be routed in Europe (for defragmentation purpose of the BGP stream) is indeed routed in Europe without whois?
You know all network protocols are far from perfects and don't always detect "infinite loops" and whois database really needs to exists.
If you had to deal with serious scale sys/net admin you know why this article is as stupid as "having a national ID is a privacy violation and I don't want alien on my territory".
Internet cannot work without all sysadmins communicating together by the means of the contacts given in whois database. Or nanog for the big one in america.
You are talking about whois information for IPs and ASs. This is not about that (based on my brief skimming of it - I'm not sure how I feel about IPs and ASs having their identities obscured). This is about domain whois privacy.
