Who is reading the WHOIS Review? Part Deux

Posted on February 8, 2012 by John Carr

The story so far

Readers of Part 1 of this blog will know that the WHOIS directory is meant to be the definitive and publicly accessible list or database of owners of internet domain names. ICANN is responsible for its management and maintenance. Their main agents in this work are the registries and the registrars

It can get a bit fuzzy with some of the smaller top level domains but normally registrars and registries are separate legal entities. Registries and registrars can take on any of several forms: co-ops, not-for-profits, commercial enterprises, or even be public bodies of one kind or another.

In the UK the registry responsible for managing the .uk domain is a not-for-profit body called Nominet. It enters into contracts with registrars who are then empowered to sell and renew domain names which end in .uk. One way of putting it would be to say that, inter alia,  Nominet is responsible for the management of .uk, Britain’s virtual emblem or internet flagship. That responsibility embraces the accuracy of the contact details and other information about people or organizations buying or renewing .uk domain names.

I have had a long-standing (but until last week dormant) interest in WHOIS, arising from the work I do in the field of online child protection. I was prompted to revisit this territory by the recent publication of “The WHOIS Review Team Draft Report”. I agree the title does not immediately suggest that Jo Nesbø  or John le Carré have much to worry about but for those of you with any sort of interest in the politics and history of how the internet developed it is truly fascinating.  Moreover, very few documents which deal with such geeky issues are so easy to read and understand. Maybe that is because, at the end of the day, this isn’t really a geeky issue at all. It’s about things and ideas we take for granted in almost every other walk of life.

In Part 1 of my blog I discussed at a fairly general level the major problem associated with the operation of WHOIS, namely the extremely high level of inaccuracies in the database which underpins its operation.

In this second and final part I look at several of the Review Team’s findings and recommendations in more detail. I have not commented on some of the findings and recommendations not because I do not think they are important but, relative to the items I have selected, in my opinion they are slightly lower down on the Richter scale. My blogs are way too long as it is without making them any longer.

Click here to see an example of a WHOIS entry that I called up earlier. This is what they should all look like, or something similar. The inaccuracies in WHOIS arise for several reasons. Chief among them is the failure of ICANN to require all parts of the domain name value chain to verify the information proffered to them by whoever buys or renews a domain name at the time that they are doing the buying or the renewing.

Registrars have a general obligation to ensure that the data they collect is accurate. There is a requirement to investigate complaints received about inaccurate data within WHOIS. However, on page 39 of the Report we learn that in 2007 only 10 people accounted for 87% of all WHOIS inaccuracy reports. We are not told the actual number of inaccuracy reports only that it is “unacceptably low”. Furthermore and inexplicably, under ICANN’s rules there is no obligation to rescind a registration solely on the grounds that it is erroneous, even if it is clear that the inaccuracy is intentional (p82).

The Review Team discusses (pages 37 and 40) some of the measures that are taken to try to minimise inaccuracies, for example the “Data Reminder Policy”, but the report readily and repeatedly acknowledges that the sum total of all of these efforts is vanishing small. Out of a current total of 220 million domain names only 23% are fully accurate.    

Why is this important? The principal reason is that the inaccuracies help shield a substantial amount of online criminal behaviour. Moreover it is the long-standing, declared policy of ICANN to make WHOIS accurate.

In 2009 this position was expressly reiterated and reflected in a cornerstone document known as the Affirmation of CommitmentsICANN confirmed to the world’s governments that WHOIS would provide for

…..timely, unrestricted and public access to accurate and complete WHOIS information, including registrant, technical, billing, and administrative contact information.

This remains a promise unfulfilled. It has profound consequences for the rest of us. Much of the constant low level buzz of online crime or the fear of online crime can be traced straight back to the failings of WHOIS. The holes in the system have enabled significant numbers of fraudsters, child pornographers and felons of various sorts to pursue their criminal purposes over the internet. It has made the job of the police or others with a legitimate interest in crime prevention or detection more difficult, more time-consuming and more expensive than it should be. In practice this means many investigations get dropped or never get started.  

The high level of inaccuracies are therefore causing avoidable hardship to the fraudsters’ and felons’ victims but also it undermines consumer trust in the operation of the internet in general and in e-commerce in particular. By extension, and here the relevant audience is not internet users as such but Governments and potential alternative regulators, the high level of inaccuracies erodes confidence in ICANN as an institution. Some would say deservedly so.

To complicate matters it has become hard to disentangle legitimate concerns about  anonymity from the deliberate manipulation of the system by criminals.

While personally I accept there are limited circumstances where anonymity perhaps ought to be provided to the owners of certain kinds of domains e.g. those dealing with sensitive issues, the unvarnished truth is that this appears to conflict with one of the founding principles of ICANN i.e. that all entries in WHOIS should be open and accessible.

Either way a practice has grown up willy nilly of allowing domain name owners to decide for themselves whether or not to disclose their identities on the public record. On one reckoning (p63) over 20 million domain names have been deliberately hidden from public view in this way. Elsewhere in the report (p60) it is suggested the number could be between 30 and 55 million. Law enforcement officers maintain that most of the bad guys are in amongst these and the rest that are not hiding but are just full of dud data.

To be fair I should point out that the Review Team’s report provides numerous examples of the positive steps which ICANN and others have taken over the years to try to address some of the inaccuracy issues associated with WHOIS. You can read about them for yourself if you are so minded. Here I am going to focus on what I think are the Review Team’s major criticisms of the status quo. Through the prism of the Team’s work we see how and why the current lamentable level of misinformation has arisen.

I think some of the report’s comments and findings are devastating. They amount to a more or less complete indictment of ICANN’s recent leadership and its current methods of decision-making, by which I really mean non-decision-making. If ICANN is unwilling or unable to sort out something of such fundamental importance to the operation of and confidence in the internet what else might be going on, or not going on, within its well upholstered walls? Are we safe in their hands?

A little bit of history

I guess we all know that the internet came out of the world of academia and the research community, principally in the USA. Perhaps for the greater part of its existence, and very definitely in the early days, the internet truly was small enough to be able legitimately to describe itself as a “community”. At the time a number of key decisions affecting WHOIS were taken there was a high level of trust among and confidence in the pioneers, the rarefied coterie of early users. We’re talking long before the internet welcomed the rough, rude world of commerce and opened its doors to the toiling masses. Nobody saw the tsunami coming. No one can be blamed for that. The subsequent failure to adapt is what prompts questions and invites substantial criticism.

The guys who put the early internet together needed a way of recording who owned what. In 1982 they devised and started using a simple form to help accomplish this. It was modified in 1985 and that modified version is still in use. It is what WHOIS is based upon. 

This was all pre the web, pre the worldwide explosion and internationalization of internet usage which were the principal reasons why ICANN was created in the first place in 1998. Prior to that date the US Department of Commerce ran everything directly or through companies which it appointed, companies such as Network Solutions.

According to one source as late as 1995, ICANN minus 3, there were still only 100,00 registered domains. 1995 was the year Microsoft brought out the first version of Internet Explorer. The growth curve starts getting steeper from here on. In 1998, ICANN’s Year 0, Network Solutions registered 1.9 million new domain names, almost double the 1997 total. I haven’t been able to get a precise fix on the total number of domains in existence at the end of 1998 but, generously, it is unlikely to have exceeded 3 million by a great deal. At the end of the third quarter of 2004, when Verisign started publishing regular bulletins on registrations, we were up to 66 million. At the end of December 2011 we were at 220 million. Oh boy.

In the UK we have an expression: “A stitch in time saves nine”, meaning if you act early enough to deal with a problem it will save you much more trouble later when, by ignoring it, it will have worsened. I’d say ICANN wins the all-time prize. I’m going to amend the saying to read “A stitch in time would have saved ICANN a gazillion”. The scale of neglect takes your breath away.

The level of inaccuracy

According to the Review Team (p81), as previously stated only 23% of all the WHOIS data are wholly and completely accurate and 21.6% are so defective it renders the owner unreachable. Taking today’s 220 million as the base, to put numbers on that this means nearly 51 million domain names are on the system as they were intended to be and 47 million are completely out of it, sheltering all manner of chicanery.

By the way for those among you who are not mental arithmetic wizards, we see that approximately 77% of the WHOIS records, or roughly 170 million out of 220 million, greater than three out of every four, are on the system but do not fully meet the system’s requirements. Would it be too harsh to say that this shows, in fact, there is no system worthy of the name? Apparently if you applied a slightly less strict interpretation of what counted as an accurate record you could double the percentage from 23% to 46% but that would, er, still leave over half failing. Instead of 170 million defective records we would be down to “only” 119 million. Better but……

One omission from the Review Team’s report which I found curious was an analysis, linked to an explanation, of differential rates of inaccuracy within domains. Is there a level of inaccuracy which broadly holds across all domains? Or are some better than others? Within the 51 million fully accurate entries are there any registrars, registries or domains which, pro rata, show up more frequently than others? Within the inaccuracies are there any patterns? I’m guessing a large chunk of the inaccuracies will be in .com, closely followed by .net but (a) I could be .wrong and (b) having .numbers would help anyway.

There is a reference, on page 72, to the .cn domain. This belongs to China. Seemingly they claim a 97% accuracy rate since they started verifying data provided to them. But this claim is then almost casually dismissed or ignored by the Review Team without any elucidation or references to support such a stance. The authors simply

noted that this is one of a number of changes of policy that have led to a dramatic reduction in the number of .cn registered domain names.

I know China is not ICANN’s favourite because it appears to believe the ITU could do a better job, a view held by others not all of whom are followers of Chairman Mao, but I think we ought nonetheless to engage with their arguments in a serious way. And are there no other domains which can claim a high level of accuracy for their WHOIS entries? If there are wouldn’t it be good and useful to know how they manage to do it? 

Aside from inaccuracy there are proxy and privacy services

I’m not sure from reading the report how the accuracy/inaccuracy numbers square with or incorporate those addresses which are shielded by a privacy or a proxy service. Being inaccurate and being hidden are clearly not the same thing although, from a law enforcement perspective, in some circumstances they might as well be.

The Review Team noted (p60) that the use of proxy and privacy services is widespread. In footnote 44 they refer to a 2010 study carried out by ICANN which suggested that between 15% and 25% of all entries in WHOIS take you to a proxy or privacy service.

On page 65 Time Warner, while not opposing proxy or privacy services, nonetheless claims it did see

The development of a vast universe of 20 million or more….. domain name registrations, for which the identity and contact data of the registrant is hidden and, all too often, completely inaccessible….(as) a direct attack on ICANN’s chief policy goal for WHOIS.

On the same page the Coalition for Online Accountability acknowledged that some domain name holders may require specific privacy protection, but in their view they only accounted for

an infinitesimal fraction of current privacy and proxy registrations

They suggested the

Creation of a vast unmanaged database of tens of millions of effectively anonymous domain names … is an irrational and socially damaging ‘solution’, one that inflicts far greater costs than warranted upon legitimate e-commerce, consumer interests, law enforcement and the public at large.

We can see from the number of people or entities using them that there is obviously a market for privacy and proxy services. But there is also a “market” for cocaine and pirated software. You don’t have to be a committed anti-capitalist taking a day off from occupying Wall Street to believe that just because people are willing to pay for something this alone does not amount to conclusive proof that they should have it, proof which will brook no contrary public policy considerations.

At several points the report bemoans ICANN’s failure to intervene to regulate proxy and privacy services which have grown up alongside WHOIS. Others say that would be ultra vires. If that is correct maybe a more vigorous ICANN could nonetheless have helped draw up rules that would be widely adopted by sellers of privacy and proxy services, rules which did not help the gangsters.

In Part IV of the appendices to the report there is a short video showing the experience of several people who were asked to find or fill in WHOIS data. One guy bought a domain name, completed the form online but remarked that the company selling him the domain name simultaneously offered to sell him an additional service which would allow him not to reveal the contact details he had just handed over to them. Something about that seems a little bit off to me. ICANN’s agents actively undermining a key ICANN policy.

Inaccuracy built in to the system

In my earlier blog I focused on the way criminals were exploiting the holes in the system, usually by just telling lies, but I acknowledged that it was not only criminals who were responsible for the inaccuracies. Turns out some inaccuracies were well nigh unavoidable. They were caused by the WHOIS system’s dependency, from the very beginning, on the ASCII character set.

The ASCII character set is perfect for English-speakers. It can be somewhere between OK and manageable for many, not all, other languages that also use a form of Latin script, but it definitely will not work seamlessly for everyone in the Latin boat.  For example, the ASCII character set doesn’t even fully accommodate people who use such exotic and rare languages as, say, French or Spanish. I will let the report speak for itself (p41)

This lack of support for non-ASCII characters within the registration data has triggered two sources of inaccuracies in the data. For the languages using an extended set of letters in Latin script, limitations of use have forced registrants to “simplify” their information, e.g. document it without the use of accents and/or marks used by their language and community. For languages and communities, which use non-Latin scripts, registrants have been forced arbitrarily to transliterate and/or translate their contact information into an ASCII based writing system. Communities which use syllable-based or an ideographic writing systems, e.g. Chinese, are even more disadvantaged in this respect, compared to other languages which use a sound based writing system. Where the lack of local script support has been too much of a barrier, some ccTLD registries and registrars have implemented ad hoc solutions, using arbitrary mappings of local script onto ASCII code points and interpreting the data in their script instead of ASCII as a result. This has included using alternate international 8-bit standards for such mapping, e.g. ISO 8859-x or even local national standards. However, as this encoding information is not part of the WHOIS data, it is not possible for a user to know or predict this. As a result, the data can appear as a nonsense sequence of ASCII characters. This is also a major source of inaccuracy of data (highlighted by NORC WHOIS Data Accuracy Study 2009/10), not due to its content, but due the lack of mechanisms available for its interpretation.

With a certain understated charm the report goes on to suggest, on page 42

…..many people attach some pride and fondness to the correct representation of their name and other data. While this is not a purely technical or administrative requirement, it is relevant in the context of (developing and sustaining) Consumer Trust.

I think I may have been tempted to use rather more muscular language. The word “insulting” might even have found its way in there. But that’s me.

And just so you don’t miss the enormity of this point, this discussion is taking place against a back drop of a long anticipated further major growth following the adoption of non-Latin scripts for domain name registrations, as in Chinese, Arabic and so on. At page 43 we find this

The need for internationalized registration data has also been highlighted in the recent SSAC report SAC 05115. Work is also underway (but in early stages) to look into how internationalized data will be associated with variants of internationalized domain names through the IDN Variant Issues Project (IDN VIP) and more recently the discussion list related to internationalization of Domain Name Registration Data at WHOIS-based Extensible Internet Registration Data Service (WEIRDS) through IETF. The situation highlights a general unpreparedness and lack of urgency in the community to support registration data in non-ASCII letters. This is highlighted by not taking up measures to store data and making it accessible for global registrants for ASCII domain names, not addressing this issue for the Fast Track program, and still having no agreement on how to resolve this for the upcoming gTLD program. Interestingly, scoring of internationalized registration data is in place for new IDN gTLD application without stipulating the mechanism (emphasis added).

Some of those references passed me by as well but it is not hard to catch the drift. But if there were any lingering doubts clap your peepers on this from page 7

Perhaps it should be no surprise that in this environment, policy and implementation have not kept pace with the real world. International Domain Names (IDNs) were introduced to great fanfare by ICANN in 2000, and in 2010 at the root level, without a corresponding change to its policies related to WHOIS.

What this means, is that while domain names can now be written in Arabic for example, the contact information for these domains must still be transliterated into a format ill-suited to the purpose. The issues are well understood and mechanisms exist to address them. Admittedly, change in this space will take time, and ICANN (and others) are taking steps to improve the situation but we find it is a case of too little too late. (emphasis added)

And where is the policy?

In an earlier life, when I was a management consultant, it would be commonplace to begin the serious discussions with a client by asking to see the Board minutes or company documentation, Staff Newsletters, memos, whatever, setting out precisely what the official policies and goals were in a given area. You would be surprised, or perhaps you wouldn’t, how often it turned out there were no papers or they were incomplete. When it came right down to it nobody could say with complete confidence what it was the company was trying to achieve in relation to a specific policy. In such circumstances it was hardly surprising that key players within the organization were often found to be working off slightly, occasionally radically different hymn sheets. The scale of the crisis I would be asked to help solve or manage typically was in direct proportion to the degree of difference there was between what A thought they were supposed to be doing as compared to B who was doing something else.

Some of the WHOIS report’s most withering, one might even say damning, language deals with this very point. On page 6

One of our earliest findings was our inability to find a clear, concise, well-communicated WHOIS Policy. The Team was assured that one existed and that it had been in force for some time. Several versions of Registrar and Registry contracts were reviewed as were compliance activities related to the policy. Throughout, we were unable to locate a document labelled “WHOIS Policy” as referenced by the ICANN-approved Affirmation of Commitments.

….. As a consequence, (policy) is not clear, concise, or well communicated…… What once might have been simple has been allowed to become complex, difficult to understand or to identify the parties responsible for changing it. (emphasis added)

Sorry to be a bore with these parenthetical interjections but let us remind ourselves of what it says in the Affirmation of Commitments. At paragraph 9.3.1 we find

ICANN additionally commits to enforcing its existing policy relating to WHOIS, subject to applicable laws. Such existing policy requires that ICANN implement measures to maintain timely, unrestricted and public access to accurate and complete WHOIS information, including registrant, technical, billing, and administrative contact information. One year from the effective date of this document and then no less frequently than every three years thereafter, ICANN will organize a review of WHOIS policy and its implementation to assess the extent to which WHOIS policy is effective and its implementation meets the legitimate needs of law enforcement and promotes consumer trust. (emphasis added)

Are you thinking what I’m thinking? The Affirmation of Commitments was adopted in 2009. That year most emphatically was not a new Year 0 for ICANN, at least not in relation to policy on WHOIS. But even if it was you might have thought that in two years or more they could at least have cleared up what the policy was supposed to be? No?

Resources

Further evidence of a lack of focus on or serious engagement with this issue by ICANN’s top management is provided at several points in the Review Team’s report. On page 37 this appears

A major challenge facing the (ICANN) Compliance Team is the lack of clarity as to who “owns” WHOIS as an issue, where responsibility lies within the organization.

At page 38

…..ICANN’s compliance effort has historically been overstretched, and under resourced.  It has struggled to obtain priority (in terms of strategy, budget or visibility) within the organisation, and to fill vacant positions.  

Further down

The Compliance Team has to date been inadequately resourced.  Open positions have remained vacant for long periods.   

And on page 41

The system for WHOIS Data Problem Reporting generates a high level of duplicates. ICANN’s compliance staff have inadequate workflow systems or automation to enable them to keep on top of their existing workload – this provides an internal disincentive to ensuring that the system is better known and more widely used, because it may increase backlogs in an already overloaded department.

In the recommendations on page 8 it says

ICANN should make WHOIS a strategic priority. This should involve allocating sufficient resources, through the budget process, to ensure that ICANN compliance staff is fully resourced to take a proactive regulatory role and encourage a culture of compliance. The Board should ensure that a senior member of the executive team is responsible for overseeing WHOIS compliance.

Amen to that.

Validation of data

Here is perhaps the strangest aspect of the report, and the area of my greatest disappointment with it.

In Chapter 6, especially between pages 71 and 76, we get quote after quote from a range of organizations supporting stronger measures being taken to authenticate people who buy or renew domain names. Some expressly say validation at the point of entry is essential, a view I wholly endorse. If you don’t do that you simply add to the number of inaccurate reports you have to deal with later (see earlier references to a “stitch in time”). Nobody is cited in the report saying they think validation at the point of entry is a bad idea, or evil in any way. In footnote 72 on page 73 we are told that a former member of the GAC, Christopher Wilkinson, said

Registrars have long asserted that full verification of the accuracy of all records, including what by now must be a considerable backlog, would be financially unsustainable.

That’s as close as it gets to a statement of opposition to data validation at the point of entry or at renewal. And to paraphrase the immortal words of Mandy Rice-Davies

Well they would say that wouldn’t they?

If there was no evidence presented which opposed data validation at the point of entry and renewal, and on the contrary such evidence as was presented tended to support it, on what basis did the Review Team fail to recommend data validation?

There is a reference, on page 5, to members of the Review Team agreeing to disagree but we are not told about what. All  we are told is that every recommendation that does appear in the document is a consensus position. From this I deduce that data validation was discussed but there was no consensus about what to recommend in relation to it. It would have been useful to have this spelled out and for the positions taken by different parties to be open and on the record. I mean it is not as if this is a minor detail. It is the red meat of the whole argument.

In the UK if a public body had produced a report like this, where the weight of evidence pointed to one conclusion but in fact another, completely different or opposite conclusion was reached, whether by default or otherwise, it would almost certainly leave that body open to a challenge by way of judicial review.

Consensus

The Review Team’s report is peppered with references to consensus. They tell us that within ICANN they even have something called a “Consensus Procedure”. I detect a highly pungent rodent. Dr Johnson once said that

Patriotism is the last refuge of a scoundrel

By that he meant when people in authority could give no good reason for doing something, or had to disguise their real intentions to hide an unpalatable truth, they would play to people’s natural tendency to love their country. Constantly speaking of the need to develop a consensus sounds to me like it fulfills a similar function. Consensus is nice. Consensus is cuddly. Consensus induces warm fuzzy feelings. Who could be against consensus? Consensus can also be a trick. If you are thinking about draining the swamp it’s not hard to guess what the frogs will say. In such circumstances the scope for developing a consensus with our amphibious friends is highly constrained although they definitely have a right to know what’s coming. They might even have some good ideas about alternative ways of keeping themselves alive while at the same time allowing the proposed new housing project to proceed.

When you tie in the notion of consensus building with multistakeholder, bottom up methods of doing things, in the context of ICANN it starts to look highly questionable. Earlier we saw the Review Team report acknowledged that within ICANN

policy and implementation have not kept pace with the real world. 

Too right. And how strange that this should happen in an industry where, otherwise, speed and flexibility are defining hallmarks.

Riding shotgun with consensus is its close ally “the study”. Only a moron could be against research. Very definitely research has a part to play in many decision making processes. Evidence is good. But cries of “we need more research” can also be used in a very political way. It can induce paralysis by analysis and be a simple way of kicking something into the long grass in the hope it might never find its way back to the field of play.

Sometimes the right thing to do is obvious. It needs little or no elaboration or embellishment. How much research does it take to convince someone that pressing on with getting accurate names and addresses is the only answer? Page 5 speaks eloquently to this point

In order to inform the debate, and perhaps make the decision-making process easier, ICANN has adopted the age-old tradition of “the study” in lieu of or a precursor to action. Significant sums have been spent studying WHOIS, more is being spent, and yet more is planned with the span of time now stretching into decades.  (emphasis added)

Decades?

I am not sure I know what the Review Team is trying to say here. A unique lapse in lucidity. On page 85 “the study” is spoken of as a “surrogate for action”. Can you be a precursor, a surrogate and also be in lieu of something? Maybe you can.  It continues

Significant sums have been invested over a number of years providing considerable information that is then debated, questioned, and studied again. The Review Team would welcome a more joined up approach, where such studies would provide a resource for the benefit of the entire ICANN Community as it decides, in a timely manner, actions necessary to remedy policy or policy implementation failures. Whilst it is laudable to adopt an evidence-based approach, there must be tangible, measurable follow up in order to capitalize on the investment made in the reports. (emphasis added) 

It is fine, maybe even essential, to hang on to bottom up multistakeholderism for reaching consensus and agreeing narrowly technical standards, as in the IETF and W3C frameworks but in the field of what is in effect a social policy it is less obvious that it will be eternally useful. Of course you need to consult and gather in the widest possible range of views and opinions to help you make the best possible decisions but taken too far and you end up with snails on Valium. Stasis thy name is ICANN.

Bringing people together who have diametrically opposed positions, rooted in how they earn their living, will inevitably take you to a point or a line some will be unable to cross or move beyond, even if privately they agree with your argument. Preaching the virtues of consensus will butter no parsnips.

On the internet things can change at great speed yet ICANN marches to the slow beat of a different drum. To say it was glacial would be unfair to most of the glaciers I hang out with. They look like greyhounds in comparison. Here speaks the report, pages 5 and 6

A gross understatement is that tensions exist between the various ICANN constituencies regarding WHOIS. Issues abound including right to privacy, anonymity, intellectual property protection, security and abuse, among others……

We find little consensus within the ICANN community on the issues. More concerning, there appears to be no coordinated effort to achieve consensus on these important, and admittedly difficult issues. Neither ICANN the corporation nor ICANN the community have seen the need to charge an individual or group as responsible for WHOIS. We find this a significant oversight and surmise that without such a coordinating effort, the small steps required for consensus may never be taken. It is hoped that the establishment of regular WHOIS Reviews will assist in this regard. (emphasis added)

Here we see the Review Team making the ritual obeisance towards the idea of consensus. I fear, even if someone had made an effort to achieve it, consensus on the things that need to be done to put WHOIS right may just be unattainable within ICANN as it is currently constituted, no matter how much time you devote to trying to produce one.

Could the powers that be within ICANN have known this all along? Are they deliberately stringing things along hoping people like me will go away and give up, meanwhile their bank accounts continue to grow? It’s not an implausible strategy. But for the publication of the Review Team report my keyboard had been silent on the topic for several years as the need to earn a living, be a father, life, claimed my attention. The fact that the Review Team was commissioned and reported is evidence of an awareness of the problem, or at any rate it is evidence of an awareness of the need to be seen to be, at least, thinking and worrying about it. It is not yet evidence that anything will be done.

To be clear, I am not suggesting everyone everywhere abandons bottom up multistakeholderism. Its potential benefits are plain enough for all to see. It is very well-suited to a non-decision making forum such as the IGF, although even here sometimes a little bit of top down steering wouldn’t be wholly out of place. But in relation to ICANN if people come to believe their core method of doing business is a sham or simply a delaying tactic exploited by vested interests the institution which is ICANN will lose credibility. Alibis for inaction are too easily acquired when no one is responsible for anything because everyone is responsible for everything.

The conditions in which ICANN was originally established have changed beyond all recognition. If today we were starting with a clean sheet of paper would we recreate ICANN exactly as it now is? I doubt it. I appreciate there is no point talking wistfully about clean sheets of paper because they don’t exist but blue sky thinking does have its place and could help point to possible solutions. If ICANN does not sort itself out there is no question that eventually someone else will.

 Money makes the world go around

In many detective novels you are told to cherchez la femme! The corporate world’s equivalent is cherchez l’argent.

If you look at ICANN’s budget for the year ending 30th June 2012 you will see that of ICANN’s anticipated revenues of US$65.5 million, fully 49.8% is expected to come from registries, and an almost equally massive 44.5% is expected to come from registrars. The projected budget for the next fiscal year envisages similar ratios.

I’d say ICANN could easily be portrayed as being in the grip of producer capture, the creature of the registrars and the registries. Thus if it wishes to convince a wider audience it is genuinely a self-regulatory body worthy of the name, and is not simply a cartel floating on a sea of dollars, they will need to extract their digits from wherever they have been hiding them and start working the crowd.

I tried to understand how the voting system works, where decision making power lies within ICANN but I gave up. It seems to be the cyber equivalent of the Schleswig-Holstein question about which it was said only three people ever fully understood it, one of whom was dead and one of whom was very obviously mad. The third was a British Prime Minister. Transparent it ain’t.

From what I have been able to deduce effectively ICANN’s processes hand a permanent veto to the registrars and registries. Quelle surprise (sadly I don’t know how to say that in German or Danish). It’s a duopoly. True enough there seem to be lots of players in both groups but their interests are aligned on easy to spot tram lines. These tram lines do not work in the consumers’ or law enforcement’s interests.

Paragraph 8 of the Affirmation of Commitments alludes to ICANN not being controlled by “one entity”. If only it had said “two entities”.

I have no desire to see ICANN’s or anybody’s income fall. If domain names became more expensive and the process of acquiring a domain name took a bit longer because data was being verified at the point of purchase or renewal I am not convinced, or I have seen no evidence which suggests, anything would change on any sort of significant or unacceptable scale. Obviously fewer criminals would be buying and misusing the system. That’s the whole point. But I do not believe the whole edifice would collapse if, instead of costing £10 a domain name went up to £12 and it took a bit longer to come through. In many countries in the developed world and elsewhere systems are already in place that conform to the legal standards prescribed by the anti money laundering rules. These allow data verification to be done online in real time within seconds and very cheaply.

At the height of the .com boom domain names were typically selling for around US$35. Some information on the selling prices of domain names around the world should have been prominently presented and discussed in the report. Among other things it would have helped us form our own judgement about the price sensitivity of domain names. Price is not everything, but it is a key factor in any economic transaction.

I am left with the suspicion that those who are benefiting from the present arrangements see no compelling reason to take any risks by changing anything. As they see it for as long as the money keeps rolling in the present system cannot be broken so why try to fix it?

Me and my interests

If any of you have ever troubled to look up my cv (there is a permanent link to it from this blog otherwise click here), you will see that I have been involved in the online child protection space for many years, since before ICANN was founded. Not long after I started work in the area I became completely convinced that many of the enduring problems on the internet were linked to the abuse of anonymity or to the belief that one can make oneself untraceable online. People behave more badly than they would otherwise do if they think they can get away with it.

Ages before I had heard of WHOIS I was campaigning on this issue. As a result of my appearances on TV, the radio and elsewhere talking about the challenges associated with the misuse of anonymity, in 2008 I was approached by someone who had just established a business to do online authentication. The founder, Alex Hewitt, was motivated entirely by a vision to protect kids on the internet. I became and remain a non-Executive Director and minor shareholder of his company, NetID Me Ltd. I am very proud of the work the company does and I am glad to say it is thriving.

Clearly, therefore, if there was any major expansion in the person authentication business Net ID Me Ltd could stand to benefit from it.

Finally

Unless provoked or invited I have now said more or less everything I ever intend to say on the subject of WHOIS. I know it’s easy for an outsider who has not been involved in the day to day fray to lob pot shots from a great distance. In the circumstances that was unavoidable. But I acknowledge completely we all need ICANN or something like it to succeed. We all should be grateful for the work everyone involved with ICANN does for us, whether paid or especially unpaid. I hope the powers within ICANN, like me, really appreciate the work of the Review Team in shining a strong light on this area and explaining it so well. More than that I hope these same powers act on the Review Team’s recommendations expeditiously and resolve the point on data validation which they ducked.

And I’m sorry I didn’t crack the concise thing again. Must try harder.

About John Carr

John Carr is one of the world's leading authorities on children's and young people's use of digital technologies. He is Senior Technical Adviser to Bangkok-based global NGO ECPAT International and is Secretary of the UK's Children's Charities' Coalition on Internet Safety. John is now or has formerly been an Adviser to the Council of Europe, the UN (ITU), the EU and UNICEF. John has advised many of the world's largest technology companies on online child safety. John's skill as a writer has also been widely recognised. http://johncarrcv.blogspot.com
This entry was posted in Default settings, ICANN, Internet governance, Self-regulation. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s