ICANN Transparency Policies and Domain Privacy Controversy

ICANN Transparency Policies and Domain Privacy Controversy Introduction According to a 2010 study1 conducted by ICANN, at least 18% of the 5 top gTLDs are registered to the global database by using a privacy/proxy service. This means that at least 18% of the WHOIS records does not provide information about the actual ownership of the domain. Considering the fact that since 2010, a lot of internet surveillance issues has emerged such as PRISM and similar, this percentage is most likely to be a lot higher now. Needless to say, WHOIS records’ accuracy and the information provided through the database are essential for effective law enforcement. This is the very reason why ICANN has established policies to make sure Registrars provide an accurate WHOIS record query service. In that regard, the question arises: Does domain privacy/proxy and ICANN transparency policies contradict? And further, what can be done when encountered with domain privacy/proxy? This article aims to answer these two fundamental questions. ICANN Registrar Accreditation Agreement ICANN Registrar Accreditation Agreement (“RAA”) is the agreement made between ICANN and Domain Registrars, and which authorises Registrars to register new names to the global database. Basically, this is the agreement that accredites registrars to ICANN. RAA has three different versions based on the year it was adopted on: 2001, 2009, and 2013. As 2013 version has just been adopted on January 27th, 2013 and not yet in full effect, this article will be based on the 2009 version2. However, an overview section concerning the 2013 agreement will be available at the conclusion of the article. Registrar Accreditation Agreement of 2009 has three relevant provisions to the issue at hand: 1. Publicity of WHOIS records 2. Accuracy of WHOIS records 3. Liability in licensing cases Firstly, concerning the publicity of the WHOIS records, RAA establishes an obligation for Registrars that each and every registrar must have a public WHOIS query service free of charge: At its expense, Registrar shall provide ... Whois service providing free public ... access to up-to-date (i.e., updated at least daily) ... this data shall consist of the following elements as contained in Registrar's database:  The name of the Registered Name  The name and postal address of the Registered Name Holder  ... Registrar shall maintain records of all Registered Name Holders for three years.3

Secondly, concerning the accuracy of WHOIS records, RAA establishes regulations to make sure that the information provided to Registrars by Registered Name Holders are accurate and therefore the WHOIS query presents truthful information. Furthermore, RAA states that failing to provide such information may result in cancellation of the domain: The Registered Name Holder shall provide to Registrar accurate and reliable contact details and promptly correct and update them during the term of the Registered Name registration...4 1

"Privacy Proxy Registration Services Study." 09, 2010. Accessed 07, 2013. http://www.icann.org/en/news/public-comment/privacy-proxy-study-report-14sep10-en.htm. 2 "ICANN Registrar Accreditation Agreement." Registrar Accreditation Agreement. 05, 2009. Accessed 07, 2013. http://www.icann.org/en/resources/registrars/raa/ra-agreement-21may09-en.htm. 3 Section 3.3 of Registrar Accreditation Agreement (2009)

A Registered Name Holder's ... willful failure ... to update information provided to Registrar... shall constitute a material breach of the Registered Name Holder-registrar contract and be a basis for cancellation of the Registered Name registration.5

Thirdly, concerning the liability in licensing cases, RAA creates a safeguard to prevent evading responsibility in which the Registered Name Holder is kept liable for the harm done by the domain even if the domain is operated by a licensee: Any Registered Name Holder that intends to license use of a domain name to a third party is nonetheless the Registered Name Holder of record and is responsible ... to facilitate timely resolution of any problems that arise in connection with the Registered Name. A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it promptly discloses the current contact information provided by the licensee and the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm.6

As can be seen from the above regulations; publicity, accuracy and the liability on licensing cases have a fundamental aim which RAA pursues: To be able to find the person who is responsible for the domain. This aim is the very essence of effective law enforcement and also effective criminal policy. However, domain privacy/proxy seems like an obstacle in that regard. Domain Privacy/Proxy Regarding the terms and the language, there is no distinction between privacy and proxy services in the internet. Both of these services are mostly included in the term “privacy” and therefore the issue is mostly addressed as “domain privacy”. However, most of the time domain privacy is mentioned, it is actually in terms of the definition of domain proxy. ICANN Privacy Proxy Registration Services Study makes the distinction between domain privacy services and domain proxy services as: A privacy service provider offers alternate contact information that the registered name holder may choose to have listed in a Whois record instead of the registrant's other addresses, telephone numbers, or email addresses. A proxy service provider acts as registered name holder of record and licenses the use of a domain name to the customer or beneficial user of the domain. The contact information in a Whois record for a domain name registered with a proxy service is that of the proxy service provider / registered name holder.

According to these definitions; in case of domain privacy, the registered name holder can be identified, however with alternate contact information. On the other hand, identification of registered name holder by WHOIS is not possible in case domain proxy. Furthermore, the same study affirms that where 91% of registrants use a domain proxy service, only 9% uses a domain privacy service. The serious issue of preventing effective law enforcement is considering mostly the proxy services which is why the main issue on this article is also regarding proxy services. This is due to the fact that proxy services replace the registered name holder’s information in the WHOIS with the information of their own. They, basically, create a relationship in which the registrant is acting on behalf of another. As a result, if a domain name registered through a proxy service is checked on the WHOIS database, instead of the actual owner of the domain, domain proxy service appears on the results and it is not possible to identify the person. ICANN

4

Registrar (WHOIS)

Section 3.7.7.1 of Registrar Accreditation Agreement (2009) Section 3.7.7.2 of Registrar Accreditation Agreement (2009) 6 Section 3.7.7.3 of Registrar Accreditation Agreement (2009) 5

Actual Owner of the Domain

Normally

Normally, the actual owner of the domain name is registered to the registrar and registrar to the ICANN. Therefore, when a search is made in registrar’s WHOIS, actual owner of the domain is found. ICANN

Registrar (WHOIS)

Proxy Service

Actual Owner of the Domain

With Domain Proxy

On the other hand, in case of domain proxy, actual owner is registered to a proxy service and proxy service to the registrar. Therefore, when a search is made in registrar’s WHOIS, this time, instead of the actual owner, only the proxy service can be found. Arguments for Domain Proxy and Publicity of WHOIS The one significant reason why domain privacy is preferred is due to the fact that ICANN’s policy of making WHOIS records accurate and public enables spammers, direct marketers, identity thieves, or other attackers to loot the directory for personal information. This is the main reason behind, especially in the case of individuals who want to keep their personal information private. On the other hand, the arguments for publicity of WHOIS records are even stronger. Firstly, there is a great need for protection against cybersquatting and deceptive trademark infringement. And secondly, identifying unlawful actions by registrants through domain names such as violations of privacy rights has a significant importance. As timely solutions of these are in favour of effective law enforcement, to be able to find the actual owner of the domain with a simple WHOIS search is essential. The Contradiction Technically, no contradiction can be found between the WHOIS publicity policy and domain proxy services. In accordance with RAA, domain proxy services put their accurate information in the WHOIS records and license the domain to another individual. However, a quite significant contradiction occurs in the aspect of the targeted outcome by establishing these policies. Firstly, as it is not possible to identify the owner of the domain with WHOIS because of the gap between the registrar and the actual owner of the domain, the person responsible for the domain cannot be determined timely. It requires filling in tons of abuse forms and emails to make proxy services reveal their customers’ identities which in most cases they do not until they receive a proper court order. The whole process of trying to make proxy services reval information of a domain creates a whole new step before the actual legal proceedings and it constitutes a major obstacle for an effective law enforcement. Secondly, proxy services constitute an incentive for cybersquatting, trademark infringements, and privacy violations. As the operator of the domain name has the belief that his identity will not be revealed and is protected in the WHOIS records, domain privacy seems as helping these unlawful actions in a psychological meaning. Concerning this point, rather than a criminal law aspect, a criminal policy perspective must be established. 18th century Italian jurist Cesare Beccaria states that “Crimes are more effectually prevented by the certainty than the severity of punishment.” The underlying idea behind this thought is that it is not the severity of the punishments that drives a criminal out of the crime way but it is her/his belief that those punishments will be applied, that s/he will be found, put on a trial, and sentenced. In that regard, unregulated domain proxy constitutes a significant obstacle.

Certainty of Domain Privacy As any unlawful actions conducted by the domain owners might create serious legal liabilities for domain proxy services pursuant to RAA Article 3.7.7.3, there is no guarantee that a domain proxy service will not disclose the information of its client. However, it is reasonable to expect a lot of effort to reveal the information as they usually either do not respond properly or do not respond at all. Firstly, domain proxy services put some clauses on their Terms of Service Agreements concerning disclosure of information. These provisions mostly involve cases of cooperation with legal authorities or other government branches. In some cases, unlawful conduct through the domain constitutes a material breach of the agreement between the domain proxy service and the actual owner of the domain which would cause the termination of this agreement and disclosure of the domain owner on WHOIS records. Secondly, in order avoid legal liabilities, most domain proxy services put an Abuse Complaint Form on their websites. If an unlawful action was done by the domain masked by the domain proxy service, this form can be filled in and after an evaluation by the service, disclosure might be possible. However, without the presence of reasonable evidence, as stated in RAA 3.7.7.3, and generally without binding documents like court orders, getting results from these forms are not very likely. Thirdly and lastly, in some occasions, domain proxy service may not respond to the abuse form or other mediums of communication. In such situations, two inferences can be made. First one is that the information provided by the domain proxy service on the WHOIS records is not accurate. In that case, ICANN has a WHOIS Inaccuracy Complaint Form7 which can be filled in for inaccurate records including domain proxy services that would force the registrar to take reasonable steps to fix the situation. Another inference may be that the domain proxy service is refusing to reply and cooperate. In that respect, a court order or similar binding document should be adequate to force for disclosure in accordance with RAA and if the service still refuses to reply, holding the service liable for the harm done by the masked domain is possible in accordance with RAA 3.7.7.3. Apart from this, proxy services are mostly provided by subsidiary branches of the registrars. In these cases, another solution can be contacting with the registrars directly and sending a notice to their legal departments which may result in receiving at least a proper answer. Conclusion It is an uncontested fact that right to privacy and anonymity on the internet are the rights which should be recognized in the aspect of free speech. However, effective law enforcement and criminal policies should not be harmed while doing so. Domain proxy is a significant obstacle within this meaning and needs to be regulated especially in terms of how and when identities are to be revealed by proxy services. In that regard, 2013 version of RAA is promising. ICANN must have seen and understood the issue well as the Registrar Accreditation Agreement 2013 which is adopted on 27 June 2013, has reasonable and accurate steps towards regulating domain privacy. In the agreement, a new provision titled “Obligations Related to Proxy and Privacy Services” is drafted in Article 3.14 and it makes obligatory for the registrars to act in accordance with the newly drafted Specification on Privacy and Proxy Registrations until an accreditation program for domain privacy services is adopted. Two promising points are coming forward in this respect. Firstly, it is a reasonable clue that ICANN is willing to establish an accreditation program for domain privacy services, in addition to RAA. Secondly, the specifications on domain privacy which is attached to the 2013 Agreement is promising and has many provisions which will direct the domain privacy in the right way. Hopefully, RAA 2013 will be a new start for dealing with proxy services, and effective law enforcement and criminal policies will not be harmed further. 7

The form is available at http://www.icann.org/en/resources/compliance/complaints/whois/inaccuracy-form.