On the FTC and Whois

The Federal Trade Commission’s letter to ICANN of 16 December has been ruffling feathers – and quite right too. Although its principal theme was the introduction of new generic top-level domains, the letter highlighted the need for accurate Whois data as a key element in protecting consumers against online crime.

The FTC cited the recently published draft report [pdf] of the Whois Review Team, which I chair. The Whois Review was set up to fulfill ICANN’s obligations under its Affirmation of Commitments with the United States Government. Therefore, while the Whois Review is “ICANN’s own” (as the FTC puts it), the Review Team is a group of volunteers drawn from a broad spectrum of stakeholders: from techies to governments; policemen to privacy experts. So, we were convened by ICANN, not working for ICANN.

There is plenty of synergy between the Whois Review Team’s focus and the FTC’s purview: the legitimate needs of law enforcement, and the promotion of consumer trust.

The need for more accurate data

The FTC rightly emphasises the importance of accurate Whois data. Of 20 recommendations in the Whois Review Team’s draft report, one quarter relate to Whois data accuracy.

Nearly two years ago, a report commissioned by ICANN at great expense found that the Whois data in over 20 percent of gTLD domain names was so inaccurate that it was impossible to reach the registrant. That translates to over 20 million “unreachable” dot-com registrations. For ICANN to have sat on this report for nearly two years without launching any programme to address such high levels of inaccuracy is, in my personal opinion, unacceptable. It feeds the perception that nothing is being done, which seems to pervade the FTC's letter, and was also reflected by many of the stakeholders we spoke to this year.

The Whois Review Team’s draft recommendations on data accuracy include the following:

  • Reduce the number of “unreachable” domain name registrations by half within 12 months, and by half again over the following 12 months.
  • ICANN to produce annual accuracy reports which track progress on reducing the “unreachables”.
  • ICANN should ensure a clear, unambiguous and enforceable chain of contractual agreements throughout the supply chain, with graduated sanctions (including de-registration or de-accreditation) for serious or serial non-compliance.
  • A proactive communication campaign on the importance of accurate data.

If implemented, these recommendations would address many of the FTC’s concerns, and show that industry self-regulation is not just an ill-fitting fig leaf for “no regulation”.

Effective compliance is about political will, not just resources

Citing our finding that ICANN lacks adequate compliance resources, the FTC encourages ICANN to hire more staff. ICANN’s compliance team could definitely do with more bodies. It could also do with some proper systems to scale its operations.

But this does not address the core problem: the way ICANN is structured. ICANN is funded by the very industry it seeks to regulate. Effective compliance will upset ICANN’s funders. Without courageous leadership at VP level and above, the compliance staff can never be properly empowered, and their efforts will be hamstrung. This is why, rather than saying “hire more staff”, the Whois Review Team recommends that ICANN make Whois a strategic priority, and develop a culture of compliance.

Whois abuse: the other side of consumer protection

There is a lot of common ground between the FTC and the Whois Review Team. One key difference, however, is the FTC’s focus on data accuracy alone as essential to consumer protection. The Whois Review Team recognised that consumers also need to be protected against fraud which can arise through automated harvesting of Whois data.

There are numerous, legitimate reasons why registrants, especially individuals, would not want to have their data published on the Internet. At the same time, as the FTC eloquently expresses, those enforcing laws have a legitimate right to expect timely access to Whois data. Any consideration of Whois has to consider how to balance these competing, but legitimate interests.

The Whois Review Team noted that “a gross understatement is that tensions exist between the various ICANN constituencies regarding Whois”, especially on this issue. Unfortunately, the policy dialogue within ICANN has been characterised by a combative, win-lose approach by all parties for the last decade. Meanwhile, an entire industry of proxy and privacy providers has sprung up in a policy vacuum.

There is an urgent need for proxy and privacy services, which now affect over 40 million gTLD domain names, to be brought into the policy and contractual regimes. The Whois Review Team has set out detailed recommendations, including the development of clear, consistent and enforceable requirements for providers, standardised reveal and relay processes and timeframes, dedicated abuse points of contact, and incentives for registrars to interact with providers who adopt best practices.

Data verification – the silver bullet?

The FTC calls for verification of Whois data at the point of registration – on the way in. Many would support that call, including ICANN’s compliance staff. However, the Whois Review Team did not go that far. We felt it was more appropriate at this stage to set a target for accuracy to improve (or specifically, for “unreachables” to be eliminated), and leave it to ICANN and the industry to work out how best to achieve this. Of course, if the industry response proves inadequate, it may be appropriate to be more directive on the “how” not just the “what”.

The hidden dragon – Internationalised Domain Names

Finally, I think the FTC should be far more worried than it seems to be about the lack of standardisation for Whois data relating to Internationalised Domain Names. This is a major source of inaccuracy at present, and will only increase with new gTLDs, unless urgent, concerted efforts are made to develop a standardised data model for IDN Whois, and define metrics for measuring accuracy and availability of data in local languages.

What happens next?

The Whois Review Team’s draft report [pdf] is currently open for public comment until March 2012. The final report will be published at the end of April 2012.

So if you do believe that self-regulation of the domain name system can work, or you share the review team's or the FTC's concerns, I would strongly encourage you to lend your support to the report's recommendations by sending a comment to whois-rt-draft-final-report@icann.org.

Attachments

  • Whois accuracy study (Jan 2010), 431.8 KB
  • Whois Review Team report - Draft (Dec 2011), 1.04 MB