http://www.msnbc.com/news/322926.asp?cp1=1

Web site holders surrender privacy

Domain name owners’ personal information up for grabs

By Brock N. Meeks
MSNBC

WASHINGTON, Oct. 13 — When Robert Cohen set up an Internet site to sell
unpopular political films he was looking for customers; now he’s afraid of the
crackpots. Because the personal information required to register a domain name
has no privacy protections, Cohen’s name, home address and telephone number are
available to anyone. “I don’t want a bomb coming in the mail,” Cohen says, “and
I don’t want to have phone calls in the middle of the night.”


“We are aware that this information is exploited and abused and that there is no
current opt out provisions.”
— CHRISTOPHER CLOUGH
Network Solutions Inc.


SOON AFTER COHEN registered his domain name, he was flooded with unsolicited
calls and junk mail, all addressed to “Radical Films,” the Web site he set up to
sell the political films. But the only thing tying his personal residence and
phone number to Radical Films was the information he had to provide to register
his Web site.

“I assumed that [domain name] information was for billing purposes only, not
that it would be sold or be publicly available,” said Cohen. “If this is
happening to me, it’s happening to others.”

Cohen’s plight strikes at the soft white underbelly of Web site ownership. All
Web site owners are required to list their name, address and phone number for
billing purposes. All that information is contained in a publicly available
online database called “whois.” And because of a mandate from the Department of
Commerce, all the “whois” information is completely stripped of any privacy
protections.

Domain name holders have no rights and no options regarding what is done with
their personal information once it’s registered in the “whois” database.

WHERE’S THE PROTEST?

Privacy issues are often a lightning rod for public attention — protecting Web
user privacy hit the national stage last year when several interest groups
exposed that personal information was being collected by Web sites without
consumers’ consent.

When the Federal Trade Commission threatened it might have to step in with
regulations, several industry groups leapt into action, pledging a
self-regulation regime. Today Web sites with privacy protection policies are
commonplace, though not universal.

Yet, to date, there has been no serious debate or discussion about protecting
the personal information required when one registers to acquire a domain name.

The Privacy Alliance, an ad-hoc cross-industry coalition of more than 80 global
companies and associations, strives to keep consumers informed of how to protect
their privacy online. The group says “most ethical Web sites put a link to a
privacy policy right on the home page” and that such a policy should tell you
how the information is used and “give you the option of restricting such use.”

Commerce Department Secretary William Daley is a big believer in such Web site
privacy policies. In April, Daley sent a letter to the top ten Web advertisers
urging them to not advertise on Web sites that don’t have a privacy policy.

Ironically, the Web site for Network Solutions, Inc., the company that, until
recently, had a government-granted monopoly on registering domain names and
which runs the “whois” database, contains no privacy policy statement.

When Cohen complained to NSI, fearing they were selling the domain name
information to third parties, NSI Spokesman Christopher Clough said his company
“does not sell personal contact information to any direct marketers.”

But the information is readily available on NSI’s Web site — as required. “You
should know that it is due to our agreements with the US Department of Commerce
that we are compelled to provide customer information, or whois records, for
public access,” Clough wrote to Cohen. “We are aware that this information is
exploited and abused and that there is no current opt out provisions for
registrants’ personal information.”

YOU HAVE THE RIGHT TO NO PRIVACY

“Network solutions has been working on a privacy policy for quite some time and
we are hopeful to have one published in the near future,” Clough told MSNBC.

But Clough’s remarks belie the dilemma facing the company: How do you write a
coherent privacy policy that basically has to say, “You have no privacy rights.”


“There’s a really difficult problem of balancing a lot of interests.”
— ANDREW PINCUS
Commerce Department lawyer


Although online privacy groups advocate that consumers must be given a choice to
opt out of having their information made publicly available, the Commerce
Department will not allow NSI to endorse such a policy.

“Right now there is no ability, for example, for having people opt out of having
their names in the ‘whois’ database,” said Andrew Pincus, general counsel for
the Commerce Department. “There’s a really difficult problem of balancing a lot
of interests.”

Pincus says the “whois” database “serves an important law enforcement function,”
including an important intellectual property enforcement function. “And for
right now, that’s the resource where if bad things are happening on a Web site
you can trace it back to find the servers and find the responsible people,”
Pincus says.

The risks to privacy stemming from the public “whois” records, “is a huge
problem and it’s a good story because no one has been paying attention to it,”
said Alan Davidson, a policy analyst for the Center for Democracy and
Technology. “It’s totally outrageous.”

Davidson has his own real-life example of the “whois” privacy concerns. He
recently registered a domain name for his girlfriend as a gift, “the present of
the ’90s,” he said. But he was forced to provide her name, address and home
phone number because “it was the only contact information that made sense,” he
said. “But does that mean that the whole world should be able to get access to
that information for any purpose? I don’t think so, I think that creates a huge
privacy problem.”

Davidson acknowledges that there are bona fide uses for the “whois” information.
Legitimate trademark or copyright infringement concerns as well as the need for
someone to track down a rogue router spun out of control and bollixing Net
traffic.

The argument that all the information must be publicly available for law
enforcement and intellectual property policing efforts is bogus, Davidson says.
“We could come up with some sensible rules for who has access to all of the
information in the whois database. That debate has not happened yet,” he said.


“We could come up with some sensible rules for who has access to all of the
information in the whois database. That debate has not happened yet.”
— ALAN DAVIDSON
Center for Democracy and Technology


Law enforcement agencies could get access via a court order or subpoena;
intellectual property concerns could be addressed in the course of a court case,
Davidson says. “To date extremists have ruled this debate,” he said, “where the
baseline is that all data must be 100 percent accessible.”

WORSE BEFORE BETTER

The privacy risks are about to get worse. NSI recently signed an agreement with
the Commerce Department recognizing the authority the Internet Corporation for
Assigned Names and Numbers (ICANN), the non-profit group tasked to transition
the domain name registration process to a competitive environment. As part of
that agreement, NSI agreed to make the “whois” database available to all
competing domain name registrars; the Commerce Department also mandated that the
entire “whois” database could be sold to appropriate third parties for $10,000.

Although the agreement allows domain name holders the right to opt out of having
their information sold to third parties, no procedures or guidelines have been
written to implement such an option. Nor is it clear that all domain name
registrars must provide their customers that option.

Pincus told MSNBC that the issue of domain name privacy might be something ICANN
could take up on a later date.

ICANN’s interim CEO Mike Roberts told MSNBC that continued public access to
“whois” information “also needs to include a thoughtful consideration of
latter-day concerns about personal information and its uses in the network
context.”

Roberts said ICANN is “committed to protecting privacy… both as a matter of law
and principle. How exactly the sometimes conflicting needs of public access and
personal privacy will be balanced is a job that is still in front of us.”


“Citizens will be faced with the choice to waive privacy in favor of corporate
interests or to forgo full participation on the Internet.”
— JOEL R. REIDENBERG
law professor


However, Roberts gave no firm assurances that any such discussion or debate
would be on ICANN’s agenda any time soon.

Meanwhile, another privacy train wreck is merely waiting to happen vis-à-vis the
more than 1.5 million .com, .net, and .org holders who are not U.S. citizens -
most are from European Union nations.

The EU has very strict privacy protections and the directive outlining those
protections carries teeth. If EU citizens aren’t allowed to opt out of having
their domain name information sold to third parties, it would “certainly raise
serious problems under the EU Privacy Directive,” said Joel R. Reidenberg,
professor of law at the Fordham University School of Law.

In fact, “the collection of registration information from French residents that
is intended for resale without any opt-out might even be considered a criminal
offense under the French data protection law,” Reidenberg said.

Beyond the EU issues, Reidenberg said the “the lack of privacy protections for
domain name holders is appalling.” When domain name holders were primarily
corporate entities, privacy wasn’t a big issue, Reidenberg said.

“However, as individuals increasingly become domain name holders, the failure to
include protections for citizen privacy in the name registration system subverts
democratic values on the Internet,” Reidenberg said. “Citizens will be faced
with the choice to waive privacy in favor of corporate interests or to forgo
full participation on the Internet.”