When supporters of a group of right wing Colombian militants didn’t like a website that criticized their activities in 2001, they sent a threat to the home address of activist Anriette Esterhuysen, using the public Whois database that compiles the name, address, email and phone number of everyone with registered to manage a domain name for a website. This particular website was hosted by a member of the Association for Progressive Communications (APC) advocacy group, and had a domain name ending with APC.org.
“Because my home address was listed on the home address for http://www.APC.org, I got a letter saying ‘I know where you live, I know where your house is, and I’m going to come and kill you and your family,’” said Esterhuysen, executive director of the APC. “Prior to that it never really occurred to me about the risks surrounding Whois.”
One organization decides what information goes into that global Whois database: the Internet Corporation for Assigned Names and Numbers (ICANN), a San Diego-based non-profit that coordinates the global system of web addresses known as the domain name system, or as techies call it, “the DNS.” As the divide between our physical lives and our online activity shrinks everyday, and as the world’s dependence on the Internet grows, ICANN is expanding the global DNS and revising some of its underlying rules governing who is allowed to own what domain names under what conditions, and what is known about website owners by whom.
At such a critical time in the Internet’s development it is vitally important that Internet users’ privacy and free expression rights not be overshadowed by other considerations that serve corporate and government interests.
The DNS is the digital directory that tells your computer where to go when you type in address such as “slate.com” – and makes sure that computers all over the world end up in the same place when they type in the same address. The Whois database was created by ICANN to publicly keep track of what website names are registered to whom worldwide. That Whois information can make free speech on a website very dangerous for domain name holders such as Esterhuysen, members of minorities, political activists, religious communities and for anybody seeking to protect their right to political anonymity or keep their email off a spammer’s target list.
Formed in 1998 with the blessing of the U.S. Department of Commerce, which controls the root servers for the DNS, ICANN’s rules and policies are developed by a multi-layered system of committees and councils who debate rules governing not only who gets to own a domain name, but also the technical use of domains, and what names are trademarked and off limits for new applicants.
ICANN’s policy-making model is described as “multi-stakeholder”: committees and councils represent diverse sectors, including governments, corporations, technologists and noncommercial representatives such as civil society groups interested in human rights. However this system is far from perfect because Western governments and corporate lawyers have a large stake in the organization’s foundation and still exert the most influence. Intellectual property interests assign full-time staff to ICANN committees, while non-profit civil society groups representing non-commercial interests generally rely on volunteers to travel the world for agency meetings, although few can afford the travel costs.
While ICANN’s system needs a lot of work to make sure that all “stakeholders” have an equal voice, the alternatives are much worse. Imagine if the Internet were regulated only by governments, in a system where they did not share information about meetings or give a vote to business and human rights communities. That is the possible alternative to ICANN that could emerge out of the December World Conference on Telecommunications [WCIT], when 193 Member States of the United Nations’ International Telecommunications Union (ITU) will gather in Dubai to discuss whether, and how, to regulate the Internet.
The ITU currently regulates telephones and satellite orbits, and gives every Member State one vote. As it prepares for the WCIT the United Nations group has been criticized by non-governmental organizations, human rights groups, companies, and many Western governments for sharing little of its plans. However leaked memos on a site called WCITLeaks.org revealed some proposals by nations such as Russia and China that press for the group to assume regulatory powers over the Internet. If such recommendations were approved then repressive nations could use the ITU to expand their control over networks to advance their surveillance and censorship agendas.
While the ICANN system is more inclusive and transparent than a UN-controlled Internet governance system would be, governments can still exert influence that could endanger privacy rights. Trademark interests such as the World Intellectual Property Organization (WIPO) and law enforcement agencies backed by government representatives within ICANN are pushing to tighten accuracy checks of the Whois database by amending a document called the Registrar Accreditation Agreement (RAA), which a company must sign if it wants to become a domain name “registrar:” an organization like GoDaddy or BlueHost that sells domain names. The requested amendments, available here, call for domain registrars to retain user data for two years, and to cancel the domain names if the registered user does not promptly verify their account information every year by phone and email.
However public interest advocates argue that if ICANN decides to make Whois verification more “accurate,” it would not only put a user’s privacy at risk but could also be very costly to implement and enforce, said Milton Mueller, currently a professor at Syracuse University’s School of Information Studies.
“The new costs would fall on registrars and end users, not the trademark owners and law enforcement agencies who want it,” said Mueller, whose writings about ICANN’s governance structure include the books “Ruling the Root” and “Networks and States.”
Other criticism of the potential misuse of the Whois database came from the Article 29 Working Party of the European Union, which wrote to ICANN calling proposals for stricter identification of domain name registration on Whois “excessive and therefore unlawful.”
“It’s important for you realize that the fact that you’re hearing about these things means the ICANN multi-stakeholder model is working,” Atallah said. “If you say [Internet governance] is only about government then you are forgetting about a lot of other interests. If you say it’s only civil society then you are forgetting about business interests.”
If users want to apply for a domain name privately they can pay a domain registrar to enter that company’s information on the Whois registry instead of a user’s personal data. But that information could still be made accessible to groups such as government entities depending on that company’s terms of service.
“The Whois is a big issue that we are looking at from all sides, and we are trying to work with some of the entities that can represent civil liberties,” Atallah said. “At the end of the day the process involves everybody, and it’s not limited to the law enforcement.”
New demands for increased identification come in part because of the expansion of generic top-level domains (gTLDs). Approximately 1,930 applicants are seeking rights to new domains, and up to 1,000 gTLDs could be approved early as March 2013, Atallah said. It would be up to individual gTLD operators to determine how quickly new domains would be available on the market.
Web searches will be redefined forever soon as .com websites will be joined by proposed gTLDs such as “.book” and “.click.” Small businesses could launch with new domains such as “buynewwriters.book” and artists could compete with larger websites such as YouTube with domains such as “awesomevideos.click.”
The creation of all that digital real estate puts pressure on ICANN to respect free expression by giving the owners of new domains a chance to defend their claim against a trademark infringement challenge that could take away their website address. Trademark interests fought against expanding gTLDs for years because it could dilute the uniqueness of their catchy trademarked domain names with new websites that sound similar- or better.
Companies often file intellectual property complaints, using challenges including claims that a newer website is “confusingly similar” to theirs. For instance, Google used that case in a failed challenge to remove an existing user’s claim to www.oogle.com. Seeking to avoid other similar-sounding domain names and lay claim to other domains, Google applied for the rights to 101 new gTLDs , including “.google,” “.soy” and “.lol.”
This unprecedented growth of the domain name system poses risks for privacy and free expression in separate but related ways. Along with the privacy concerns related to expanding Whois that could give governments another resource to gather data about cybercrime and on “persons of interest,” more rigorous identification of domain name holders on Whois could speed up trademark infringement disputes and make defending against challenges more difficult.
Some of the more creative new gTLDs proposed such as .gripe and .gay could grow into a new social network for lifestyles and opinions, but could also upend trademark enforcement as we know it and put ICANN’s free expression commitment to the test, Mueller said.
“For example, a proposed ‘.sucks’ domain would be interesting, it touches on one of the longstanding sore points of the trademark owners,” Mueller said. “It would allow legitimately registered domains to be used for criticism or ‘.gripe sites’– and this domain has been targeted by trademark owners even though the law makes it clear that domain names are a form of expression and that a legitimate noncommercial gripe site has the right to use the name of the company it is griping about in the domain.”
While WIPO and law enforcement agencies push for stricter identification on WhoIs to speed up trademark disputes, negotiations on Whois requirements include how much information is needed for user verification. Chief issues concerned with privacy on Whois include specifying what kind of data is retained in Whois records and whether home addresses or phone numbers are needed when emails might suffice, said Kathy Kleiman, an Internet lawyer at the communications law firm of Fletcher, Heald & Hildreth. Negotiating a verification response time long enough for users to assert their domain ownership would also protect free expression rights.
“Your email could get lost, you might not speak English and you might need a translator or a lawyer to respond effectively,” said Kleiman, who was a member of the group of people that founded ICANN in 1998.
Serving as the vice chair of ICANN’s Whois Policy Review Team, Kleiman helped issue a final report in May with recommendations on how Whois data should be shared and when requests for personal data should be relayed to a user.
“Overall, our goal on the Whois Review Team was contactibility – that the domain name registrant should be contactable by email or telephone, their choice,” Kleiman said. “There is no reason you have to reveal my home address when someone wants to buy a domain name. Feel free to relay all that information to me.”
As ICANN plans an unprecedented expansion of the Web, Atallah said the group is aiming to be more inclusive of its stakeholders by reaching out to areas of the developing world such as Africa. October’s meeting in Toronto will announce a new campaign for outreach in Africa, a continent that only filed 17 requests for gTLDs out of the 1,930 applicants, Atallah said.
“I think within the ICANN system it’s not how much you are represented as much as how vocal are you. If you do the work and you present your case and you participate in the forums and everything, you will be heard.” Atallah said. “Our hope is that ICANN will be an international organization that will serve the needs of all the countries equally, and more importantly will serve every stakeholder equally.”
For that hope to succeed ICANN will have to expand the advantage it has over the ITU by restructuring to involve more non-commercial groups and human rights advocates, said Alex Gakuru, who represents Africa on the Non-Commercial Users Constituency group of ICANN’s Generic Names Supporting Organization. Developing nations with less business representation than Western countries at the nonprofit also need a greater voice, or Gakuru said politicians in Africa might favor the ITU, which would give one vote each to small nations and tech superpowers such as the United States.
“Increasingly, civil society is not being treated as an equal partner in ICANN, not being given an equal seat at the decision-making table because of the heavy commercialization of the multi-stakeholder model’s policy making,” Gakuru said. “Both models have their shortcomings, but ITU is worse. We need a new, third model with open access where people meet as equal partners.”
With most of the Internet’s growth now taking place in the developing world, finding a way to make sure that the rights and interests of all stakeholders are taken into account will not be easy. The United Nations is not the place to govern the Internet. Yet it is unclear whether ICANN can evolve in a way that is acceptable to all stakeholders, or whether a new organization will ultimately be necessary.