Is it time to get rid of the Whois directory?

A panel of the Internet Corporation for Assigned Names and Numbers is considering whether to ditch Whois at a meeting this week in Los Angeles.

Declan McCullagh Former Senior Writer

The Whois database may disappear.

An Internet Corporation for Assigned Names and Numbers committee is considering a sunset proposal at its meeting this week in Los Angeles that would effectively scrap the directory system on privacy grounds. Among the arguments is that a public-by-default Whois listing may run afoul of Canadian and European Union privacy laws.

Having this debate is not a bad idea. It's about time that we rethought whether the Whois directory service--which has public contact information for domain name owners--should exist in its current form.

Trademark and copyright holders, and their lobbyists, are opposing this move. They argue that a public Whois database is necessary to help track down trademark infringements, copyright infringements, and "cybersquatting."

The American Intellectual Property Law Association even went so far as to claim that "accurate and available information is essential for law enforcement in crimes" (PDF), including "hate literature, terrorism, and child pornography," ignoring that so-called hate literature is constitutionally protected in the United States. (And I wonder how many terrorists and child pornographers will tell the truth when asked for their real home address when registering a domain.)

This is not a new debate. Nearly four years ago, I wrote:

Whois is broken. Like the Internet mail protocols that were drafted during a more innocent era and are now being exploited by spammers, the Whois database was not intended to be melded into the shape preferred by copyright and trademark lobbyists.

The origins of today's domain name system can be found in standards RFC 1034 and RFC 1035, published in November 1987, when the Internet was still young, and commercial traffic would not officially be encouraged for another five years. Back then, before individuals started to buy their own domain names, a public Whois database was necessary to permit network administrators to fix problems and maintain the stability of the Internet.

Today, however, the open nature of the Whois database is no longer a boon to people who own domain names. If you buy a domain name, current regulations created by ICANN say you must make public "accurate and reliable contact details, and promptly correct and update them during the term of the...registration, including: the full name, postal address, e-mail address, voice telephone number, and fax number."

Who wants to make that kind of personal information public for the benefit of spammers, direct marketers, and snoops? You shouldn't have to publish your home address--and other personal details--to everyone in the world, just to own a domain name. And if you decide to lie by typing in "1 Nowhere Road," I don't see why you should be punished for attempting to protect your and your family's privacy.

There are plenty of legitimate reasons why domain name holders might leave their address blank. As an international coalition of civil-liberties groups said in a letter to ICANN in October 2003: "Anyone with Internet access can now have access to Whois data, and that includes stalkers, governments that restrict dissidents' activities, law enforcement agents without legal authority, and spammers...Many domain name registrants--and particularly noncommercial users--do not wish to make public the information that they furnished to registrars. Some of them may have legitimate reasons to conceal their actual identities or to register domain names anonymously."

Since then, the debate has advanced. An ICANN task force published a report last year listing the widely differing views of intellectual-property lobbyists, Internet service providers, noncommercial users, and so on.

Syracuse University's Milton Mueller and Mawaki Chango wrote an analysis this year concluding that the Whois database would never have been made public if it weren't a default rule left over from the Internet's early days. There's also a handy timeline and an overview prepared this month by ICANN staff (PDF). That overview says:

Due to this lack of consensus, the GNSO Council recommends that the Board consider "sunsetting" the existing current contractual requirements concerning Whois for registries, registrars, and registrants that are not supported by consensus policy by removing these unsupported provisions from the current operating agreements between ICANN and its contracted parties, and that these provisions be sunset no later than the end of the 2008 ICANN Annual General Meeting and that such provisions will remain sunset until such time that consensus policy in this area has been developed to replace the sunset provisions, at which point, they will be eliminated or modified.

I suspect that the intellectual-property rights lobbyists will win this round, and Whois will stay around at least a while longer. But this is a fine opportunity to re-evaluate whether all domain owners must have their home addresses, phone numbers, and e-mail addresses publicly available by default to spammers and all other species of Internet miscreants.