http://www.circleid.com/article/474_0_1_0_C/
Using Whois to Enforce Law?
Feb 10, 2004 | From CircleID Privacy Matters
By Karl Auerbach
Before starting I'd like to remind you that there are two distinct Whois systems -- the one for IP address delegations and one for DNS registrations. I believe that the former is a useful system in which there are clear utility values that outweigh the privacy costs, and in which the person whose privacy is exposed has made a knowing choice. I do not believe that these arguments apply to the latter, the DNS, form of Whois.
As you know I am a firm believer in the right of personal privacy.
One of the well established principles of privacy is that information that is gathered for a particular purpose be used only for that purpose. Remember, people who disclose information are making an implicit balance between their loss of privacy and the gain of a desired service. To use personal information in additional ways throws out that balance and, in the end, will make people less willing to disclose information for any purpose.
We have to remember that people have a strong interest in protecting privacy -- for example, consider parents of a pre-teenage daughter who is using the internet for school and social purposes. Those parents can easily have a legitimate fear that Whois information about where the family lives and their net addresses could subject the daughter to risks from stalkers and predators. It's Megan's law in reverse -- the contact information of potential victims is published 24x7x365 to potential predators.
As for the utility of Whois for the vindication of intellectual property rights or other perceived abuses: In our society we have a very well oiled and very effective system for dealing with situations in which someone claims that their rights have been violated. That system is called the legal system. It requires that the putative damaged party make a showing that there is some reason to believe that rights have been damaged. If that showing is met then the system allows the supervised opening of records in order to ascertain additional information, such as the true identity of the accused.
The Whois system is being used in a unique way. The IP industry seems intent on creating a system of internet-related law in which guilt is presumed and the accused party must prove innocence. That is more reminiscent of the Inquisition than of the modern concept of civil rights.
Law enforcement people already have subpoena powers that can be used to open otherwise closed records. Law enforcement people do not need an open Whois in order to obtain the information they want. And in these years of paranoia, the mechanism of a subpoena may help law enforcement people retain their sense of balance between a fishing expedition and a focused investigation.
I'm sure that you have seen my "First law of the internet:
+ Every person shall be free to use the Internet in any way that is privately beneficial without being publicly detrimental.
- The burden of demonstrating public detriment shall be on those who wish to prevent the private use.
-- Such a demonstration shall require clear and convincing evidence of public detriment.
- The public detriment must be of such degree and extent as to justify the suppression of the private activity.
Well, the proposed use of Whois turns this first law on its head. The proposed use of Whois says that people are able to use the internet only if those uses are deemed permissible by the few who are rich and have the ear of Congress.
I've been thinking of writing an anonymous DNS registration system under the GPL -- this system would issue digitally signed certificates of ownership of a domain and retain no record of who those certificates were issued to. Amendments to domain information would require the presentation of the certificate. A transfer authority - -which would not need to know what the certificate represents -- could sign a new certificate and enter the old one into a non-repudiation database.
This system would not have "Whois", nor could it have "Whois"; it simply would not have that information.
The basic purpose of Whois, once one strips off the arguments about intellectual property protection and tracking down spammers, is to support the expiration and renew/rebilling relationship between the domain name customer and the registrar. That renewal/rebilling represents the major cost of the DNS system to the consumer. If we allowed domain names to be registered for longer terms than ICANN's arbitrarily imposed 10 year limit and did not mandate the publication of Whois, I believe that the cost to the consumer for domain names could drop from the roughly $18/year average it is today to something on the order of $0.25 -- that amounts to a savings of tens to hundreds of millions of dollars per year.
We consumers could buy a lot of tunes and movies with that amount of extra money in our pockets.
Anyway that's my 2 cents worth.