Privacy reduction's next act

The Fraudulent Online Identity Sanctions Act is misdirected in its effort to crack down on domain registrations, says CNET News.com's Declan McCullagh.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
5 min read
The U.S. Congress is hard at work trying to punish Internet users who value their privacy.

That's not how Capitol Hill politicians describe a new bill introduced last week, of course, but that's what it would accomplish if it becomes law.

Called the Fraudulent Online Identity Sanctions Act, the measure would increase prison sentences by up to seven years in criminal cases if someone provided "material and misleading false contact information to a domain name registrar, domain name registry, or other domain name registration authority." That's a reference to the Whois database that lists information about who owns each domain name.

In civil lawsuits, such as when the movie studios or the Recording Industry Association of America (RIAA) sue someone over copyright infringement, the bill would make it far easier for them to claim $150,000 in damages for each violation.

The justification? To make it easier to track down miscreants. "The government must play a greater role in punishing those who conceal their identities online, particularly when they do so in furtherance of a serious federal criminal offense or in violation of a federally protected intellectual property right," Rep. Lamar Smith, R-Texas, said during a hearing in a copyright subcommittee last week. (The co-sponsor is Rep. Howard Berman, D-Calif., best known for his carefully thought-out proposal to permit copyright holders assail computers suspected of copyright infringement.)

Because Smith chairs the subcommittee, he was able to prevent any opponents of the bill from testifying. The chairman's hand-picked witnesses predictably swooned over the proposal. Mark Bohannon, general counsel for the Software and Industry Information Association, testified that "copyright owners are currently battling an epidemic of online piracy. Whois is a key tool for investigating these cases and identifying the parties responsible." Added J. Scott Evans from the International Trademark Association: "Trademark owners have for many years been encountering instances of blatantly inaccurate or missing data often from fictitious entities listing false addresses, as well as information that is simply out of date."

The copyright and trademark lobbyists do have a point: Scammers and reprobates lie when typing in their Whois information. But if a law actually has been violated, there already are plenty of ways to unearth someone's identity. The RIAA is doing that with scant difficulty in its flurry of "John Doe" lawsuits recently filed against anonymous song swappers. The FBI didn't need Whois information to find Kevin Mitnick when he was on the lam. Besides, credit cards used to purchase domain names can be easily traced with a court order.

A better solution?
By bowing to corporate special interests, Washington politicians are heading in the wrong direction. They're ignoring the real problem, which is that Whois is broken. Like the Internet mail protocols that were drafted during a more innocent era and are now being exploited by spammers, the Whois database was not intended to be melded into the shape preferred by copyright and trademark lobbyists.

The origins of today's domain name system can be found in standards RFC 1034 and RFC 1035, published in November 1987, when the Internet was still young and commercial traffic would not officially be encouraged for another five years. Back then, before individuals started to buy their own domain names, a public Whois database was necessary to permit network administrators to fix problems and maintain the stability of the Internet.

Today, however, the open nature of the Whois database is no longer a boon to people who own domain names. If you buy a domain name, current regulations created by the Internet Corporation for Assigned Names and Numbers (ICANN) say you must make public "accurate and reliable contact details and promptly correct and update them during the term of the...registration, including: the full name, postal address, e-mail address, voice telephone number, and fax number."

Who wants to make that kind of personal information public for the benefit of spammers, direct marketers and snoops? You shouldn't have to publish your home address--and other personal details--to everyone in the world just to own a domain name. And if you decide to lie by typing in "1 Nowhere Road," I don't see why you should be punished for attempting to protect your and your family's privacy.

There are plenty of legitimate reasons why domain name holders might leave their address blank. As an international coalition of civil liberties groups said in letter to ICANN in October: "Anyone with Internet access can now have access to Whois data, and that includes stalkers, governments that restrict dissidents' activities, law enforcement agents without legal authority, and spammers...Many domain name registrants--and particularly noncommercial users--do not wish to make public the information that they furnished to registrars. Some of them may have legitimate reasons to conceal their actual identities or to register domain names anonymously." (The coalition also suggested ways for ICANN to fix Whois.)

These rights to anonymity are enshrined in the Bill of Rights, both in the First Amendment, which guarantees freedom of speech, and in the Ninth Amendment, which was intended to curb government's power.

The U.S. Supreme Court upheld Americans' right to be anonymous in a landmark 1995 decision, McIntyre v. Ohio Elections Commission, in which the majority said anonymity "is not a pernicious, fraudulent practice, but an honorable tradition of advocacy and of dissent. Anonymity is a shield from the tyranny of the majority."

If you think about it, that makes sense. Not only were the Federalist Papers published anonymously under the pseudonym of "Publius," but anonymous pamphleteering was commonplace at the time, from the famous 1735 John Peter Zenger trial to the attempts of the Continental Congress in 1779 to learn the identity of a critical article in the Pennsylvania Packet that was cryptically signed "Leonidas."

Unfortunately, the Bush administration is demonstrating its lack of appreciation for both history and liberty by requiring that ICANN improve the "accuracy of Whois data" through strong-arming registrars.

This is almost as wrongheaded as the Smith-Berman bill in Congress. Both proposals side with well-heeled intellectual-property lobbyists over Internet users, and neither has a proper place in a free society.